Recent Blog Posts
The use of remote access has skyrocketed as a result of the coronavirus pandemic. Many businesses are finding that it lets employees connect more easily, and they will want to keep it where it works best. Remote access has to be done right to produce good results: done haphazardly, productivity and security both suffer, and employees complain about inconsistent treatment. What is needed is a comprehensive, fair policy that tells employees what the company offers and what is expected of them, and that gives management and employees guidance in unusual situations.

Eligibility

Not every kind of job lends itself to remote work. Some tasks require an on-site presence, and some employees need to be at the business location to do their jobs well. Management may not want to trust inexperienced employees, or those with poor records, to work remotely. A consistent set of criteria is necessary to avoid accusations of unfairness: if some people cannot use remote access, they deserve to know why. Sometimes remote work does not work out and authorization has to be withdrawn; again, that has to happen according to clear rules, with a way to handle disputes. Family situations, Internet connectivity, and the requirements of the job can all be considerations in whether remote access is viable for an individual.

Equipment

The equipment used for remote access needs to meet certain standards. If the connection is too slow, work is frustrating; if a device is too old for proper support, it is a security risk. A company can let employees use their own computing equipment or lend them company machines. Issuing equipment is more reliable but more expensive, and it requires clear terms: devices have to be returned in good condition when requested, and employees may have to cover them under their household insurance, in which case the company should compensate them. Any restrictions on personal use need to be clear up front.

If employees use their own equipment, the IT department should review it for suitability. A device too old to run a current operating system and applications will cause problems: not only will it fail to run required software, it may have known security flaws that can no longer be patched. Any equipment that connects to the company network should meet reasonable minimum standards.

Software

For the same reasons, the software needs to be trustworthy. It has to be patched regularly, whether through local auto-updating or updates pushed from the company's servers, and anti-malware software should be required on every machine that accesses the network. In many cases those machines will run software under the company's license, which raises license-management questions and may mean limits on personal use. Employees need to understand that such software is on their computers only at the company's discretion and can be removed when the situation changes.

Internet connection

Employees need a reliable Internet connection to work remotely. If they only upload and download files, connection quality is not critical; if they are expected to join video conferences, reliability and bandwidth matter. Speed is less important than consistency; if an employee suffers from […]
Why classify data

All large organizations today, from corporations to universities, health care organizations, and nonprofit membership organizations, routinely practice data classification. Why? Because classification is the indispensable first step in determining the level of security each piece of data requires: the status of the data, as discussed below, dictates how it must be protected.

Most organizations have data security requirements imposed on them by governments, business groups, and associations, ranging from individual privacy and confidentiality to the highest levels of national security. Organizations rate the consequences of a breach of particular data from "compromising" to "seriously compromising" to "catastrophic." Think of the national news stories on the "catastrophic" breach of customer data at Verizon.

All employees require access to data, and the easier that access the better. But not all employees require access to legally private, confidential, or proprietary data. Managing access is much simpler and cheaper if public data, the lowest classification, is segregated from data at higher levels. It costs money to keep data systems secure, and that money should not be spent protecting public data. The first step, then, is classification, and the first decision a business must make is which classifications are relevant to it.

Let us look at a classification system that is "classic" but still does the job even for larger organizations. Each class implies a different required level of security. The three data sensitivity levels are:

Restricted data (the highest level of security). Unauthorized disclosure, alteration, or destruction of this information could put the business at significant risk. For some organizations this category includes, for example, data protected by state or federal privacy regulations, or data protected by industry, association, or other confidentiality agreements.

Private data (the middle level). Unauthorized disclosure, alteration, or destruction of the data could put the business at moderate risk. Into this category goes everything that is neither restricted nor public.

Public data (the lowest level). Unauthorized disclosure of the data would present little or no risk to the business. Examples are press releases, catalogs, and public announcements. Public data needs essentially no confidentiality protection; the remaining concern is availability and integrity, that is, that the stored copy not be deleted, destroyed, or tampered with.

In many organizations an employee (or, in large organizations, a department) is assigned responsibility for classifying data and protecting it at the requisite level. This role is sometimes called the data steward, but whatever the title, the responsibility covers the life cycle of the information: from the time the business acquires it, through its use in the business, to the end of its useful life when it is discarded.

Making data classification work

The two challenges of data classification and data security are reviewing and classifying the large and constant influx of new information, and maintaining the security of classified information at the appropriate levels. Computer data security at various levels is a well-developed specialty; here we focus on the specifics of data classification. Given the three broad classifications, and the need to associate all data with one of those […]
Benefits of BYOD

First, let us look at the pros of integrating employee devices into your workflow. BYOD is most appealing to startups and small to medium businesses that do not have warehouses of spare equipment or large budget margins. In most cases your employees already own devices that are up to the job, and many prefer to use their own familiar devices for both work and personal purposes.

Accelerated Mobility

For companies that are expanding, mobility is key. Working through mobile devices lets staff work in and out of the office, lets you hire remote employees and allow telecommuting, and keeps the company location-flexible. By encouraging employees to work on their own devices, your company gains that mobility much sooner than if you were budgeting for (and sometimes shipping) company devices.

Lowered Hardware Cost

Speaking of budgeting, a unified set of company devices is a considerable investment. Many companies sidestep this expense entirely by inviting employees to use their own devices. Because most professionals already have smartphones and other devices, there is no need to invest in a rack of company phones that would only leave employees carrying two of them.

Increased Productivity

Employees often use their phones for work on the side anyway. By enacting BYOD policies and helping employees configure and use their devices for work, you can increase the office's natural productivity. A good set of BYOD policies lets employees know they are welcome to use their devices, and makes them more efficient where device use is appropriate.

Employee Device Comfort

Finally, employees are generally more comfortable and independently efficient on their own personal devices. They know the interfaces, their app collection, and how to get tasks done quickly.

Considerations of BYOD Policies

If the benefits of a BYOD policy align with your business needs, it is time to consider logistics and implementation. BYOD, like any policy, has strengths and weaknesses to account for as you move forward.

Employee Device Ownership

The first consideration is that you cannot guarantee every employee will have a suitable mobile device. While it is rare, not everyone owns a smartphone, tablet, or laptop. Most people have at least one, but you cannot necessarily require employees to buy a device, or hire based on device ownership. Keep this in mind when planning BYOD policies.

Lack of Standardization

Next, not all employee devices will be the same. You will inevitably have devices of several brands, operating systems, and software configurations. Any operation that requires devices to be identical, or similarly configured, is likely to fail. If you do not need homogeneous devices, BYOD works well.

Conflicting Operating Systems

In any BYOD office it is almost inevitable that there will be both Android and Apple phones, and perhaps a few smaller-brand alternatives. The trouble is that different operating systems do not run the same apps. Any custom app or function will need a version for each platform, and a way to keep functionality consistent across them.

Unsynchronized Software

Another concern is control and synchronization of software. From firewalls on the phone to reaching your work databases through a custom app, BYOD is harder to coordinate at the software level than company-owned devices.

Reduced Security

Employee-owned devices are also more challenging to keep secure. Data security is quite porous with most personal […]
The Anatomy Of Social Engineering Attacks

"Social engineering" refers to tricking people into giving up sensitive information or access to systems. Social engineering attacks are often far more successful than traditional hacking techniques because they exploit human weaknesses rather than technical vulnerabilities. As organizations have become aware of the threats posed by hacking, most have upgraded their systems, the technical side, and neglected the most vulnerable factor: the humans who are the most crucial cog in any enterprise or organization.

Unlike hardware and software, humans have emotions that strongly influence their actions. For instance, policy may prohibit downloading or opening attachments on company computers, yet the urge to follow instructions from a superior can compel junior staff to download an attachment even though they know the policy. Usually this comes from fear of being reprimanded for insubordination, or from the assumption that superiors know better and that their instructions override standing policy. This is the gap attackers know and exploit.

Attackers use various forms of deception to gain a victim's trust. They may pose as a customer service representative, for example, or as someone from the victim's own company. Once they have gained enough trust, they begin collecting sensitive information or working their way into the organization's systems. Where soft-handed tactics have been the norm, attackers are getting bolder: they may employ brutal tactics like blackmail to force or manipulate victims into providing information or granting access.

All social engineering attacks share one goal: to trick or manipulate victims into knowingly or unknowingly revealing information or granting access that they would not normally give.

Types Of Social Engineering Attacks

They can broadly be categorized into four main types:

Phishing attacks
Vishing attacks
Smishing attacks
Impersonation attacks

Each type has its own characteristics, but all are designed to trick victims into providing compromising information or carrying out an action that grants the attacker access to an organization's data or systems.

Phishing attacks are the most prevalent. They typically involve mass emails that appear to come from a legitimate company or organization. Such emails usually contain links that direct victims to what they believe is a genuine login page; in reality the page is a lookalike controlled by the attacker, and whatever credentials the victim types are sent to the attacker's server.

Vishing attacks are similar, but instead of email the attacker uses phone calls. They might pose as a customer service representative from a bank, a credit card company, or an IT support firm associated with the victim's organization.

Smishing attacks use text messages instead of email. The message purports to come from a trusted organization such as a bank or government agency and usually contains a link that leads to a fake website.

Impersonation attacks are more targeted than phishing or smishing. The attacker poses as a trusted individual, such as a co-worker or friend, and tries to manipulate the victim into divulging privileged information or carrying out an action, for example clicking a malicious link. Similarly, attackers may disguise themselves as IT support staff or a maintenance crew to gain physical access to a company's systems. […]
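The phishing lure described above, a link whose visible text names a trusted site while its real target is an attacker-controlled lookalike, can be checked for mechanically. The following Python example is added here and is not code from the original post. It parses the anchors in an HTML e-mail body with the standard library and flags any link whose visible text names a different registrable domain than its href, or whose host merely borrows a trusted brand name (as in example-bank.com.verify-login.net). The trusted domain, the sample e-mail body, and the two-label approximation of a registrable domain are constructed assumptions for the demonstration.

```python
"""Flag anchors in an HTML e-mail whose visible text and real target disagree.

Added example, not part of the original post. TRUSTED_DOMAINS and SAMPLE_EMAIL
are constructed assumptions; registrable_domain() approximates the registrable
domain by the last two DNS labels, which is wrong for suffixes such as co.uk
(use a public-suffix list in production).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own brand domain(s).
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed sample e-mail body: one lookalike-host lure, one benign link,
# one lure whose text names the brand but whose href goes to a raw IP.
SAMPLE_EMAIL = """
<p>Your account has been locked. Visit
<a href="http://example-bank.com.verify-login.net/auth">https://example-bank.com/login</a>
within 24 hours to restore access.</p>
<p>Read our <a href="https://example-bank.com/policy">privacy policy</a>.</p>
<p>Or go directly to <a href="https://203.0.113.5/login">example-bank.com</a>.</p>
"""

# Matches a bare domain or URL appearing inside visible link text.
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so line-wrapped anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def registrable_domain(host):
    """Approximate registrable domain: last two DNS labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    """Return (href, text, reason) for every link that looks like a lure."""
    findings = []
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        href_dom = registrable_domain(host)
        reasons = []
        # 1. Visible text names a domain that differs from where the href goes.
        match = _DOMAIN_RE.search(text)
        if match and registrable_domain(match.group(1)) != href_dom:
            reasons.append(f"text names {registrable_domain(match.group(1))} "
                           f"but href resolves under {href_dom or 'no host'}")
        # 2. Host borrows a trusted brand name without being that domain
        #    (example-bank.com.verify-login.net, secure-example-bank-login.com).
        for domain in trusted:
            brand = domain.split(".")[0]
            if brand in host and href_dom != domain:
                reasons.append(f"host {host} imitates {domain}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href!r} shown as {text!r}: {reason}")
```

Run against the constructed body, the first and third links are reported and the genuine privacy-policy link is not. The brand-in-host rule deliberately matches on the hostname rather than the registrable domain, because that is where attackers put the familiar name; the cost is that it is only as good as the list of brands you feed it.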
What Used to Be: Break-Fix IT

Businesses that struggle with technology management often cite a lack of resources or a lack of time as the cause. They may not have the funds to hire an in-house IT department or even a dedicated technician, and even if they do, they may not have time for general upkeep or for implementing new solutions. When general maintenance does not happen, downtime is inevitable.

It used to be that businesses would wait until their technology broke down and caused downtime before problems were addressed, simply because addressing them beforehand was not feasible. The downtime caused by break-fix IT is staggering and unnecessary. Instead, you can opt for the preventative and proactive approach of managed IT services, which ultimately saves your organization the time and money it would otherwise spend recovering from problems such as hardware failure or security breaches.

What Should Be: Managed IT Services

The rise of the managed service model has given organizations access to technology management and maintenance services that were previously out of reach. Essentially, a managed service provider (MSP) and a business work together to establish a service level agreement. That agreement determines what the MSP is responsible for, how it is compensated, and the timeline expected for services rendered. A managed IT provider can do just about anything you would expect of an in-house IT department, but instead of paying multiple salaries you pay a monthly fee.

Managed IT services can also be used when your business already has an in-house IT department. Ask anyone on your IT staff whether they could use an extra pair of hands, and they will probably thank you for asking. IT maintenance and management is an involved process with many moving parts, and even the most accomplished IT administrator is likely overwhelmed with work. You can make their life easier by bringing a managed service provider on board for routine maintenance and upkeep, if nothing else.

White Mountain IT Services can help you get started with managed IT services by providing a comprehensive network audit to determine where our services can best be used. With that information at your disposal, you can make educated decisions about the future of your technology infrastructure. To learn more about what we can do for your business, reach out to us at (603) 889-0800.