Nashville Web Design | Programming | IT | Atiba.com

Archive for the ‘Security’ Category

What a Nashville Azure Consultant Can Do For You


Atiba is Nashville’s Leading Azure Consultant

Originally published December 24, 2019. Updated October 21, 2020.

Do you have your head in the clouds lately? For those looking at cloud migration services, you’ve probably had your head stuck in the clouds for more than a few weeks now.

That’s OK, we often have our head stuck in the cloud as well.

One of the hardest steps is determining which cloud service you’re going to choose. The main players in the business are Microsoft Azure, Amazon AWS, and Google Cloud Platform. For businesses, you want to make sure you choose one and stick with it. After all, that’s where all of your business data and information is going to be stored. Plus, you’re going to want the added security now that your employees are working from home in their pajamas.

As die-hard computer nerds, our crew at Atiba likes them all! All three provide similar services and all three have proven to be reliable and cost-effective.

But, we’ve found a lot of people like to go with Azure. Not just because it has a cool name (OK, maybe that’s part of the reason). Below, we’re going to run over what makes Azure so great and what you need for a Nashville Azure consultant.

Our Favorite Things About Microsoft’s Azure


Azure is Highly Secure

We’d be lying if we said we weren’t looking forward to using that rhyme all day.

In a nutshell, Azure is the most secure cloud platform out there. Microsoft prides itself on having a secure model and uses a Detect, Assess, Diagnose, Stabilize, and Close model. Maybe a bit too long for a catchy title, but the proof is in the pudding with how secure their service is.

Azure takes extra steps into protecting your data from unauthorized access, including Microsoft personnel. In a world where data is a commodity and big tech companies are often under the microscope for what they do with your data, it’s reassuring to know that Microsoft is taking the step to leave your data in your hands.

One feature we really like is the Customer Lockbox. It’s a way for you and your clients to upload and securely download documents. It’s better than sending things over email or meeting in a sketchy alley.

Top-Notch Scalability

Those who have been browsing cloud options have no doubt come across this word. What exactly does it mean?

Let’s say that your business is running reports daily and 25 out of the 30 days of the month, these reports are normal and require minimal computing power. However, on those other five days, you notice a huge uptick in reporting which requires an influx of computer power.

Azure really shines here and makes it incredibly simple to scale your computer power depending on your needs. Just how easy do they make it? You only have to click a button. That’s it.

While some of Microsoft’s other tools may not be as flashy or simple to the everyday user, Azure makes it easy for you to scale your power based on your business needs.

Extremely Low Downtime

Think about the last time your internet went out. Even if it was just for five minutes, it was annoying and a pain. We rely so much on technology and we need our devices and items to be working all the time.

Azure goes a step further and offers a service level agreement, or SLA, guaranteeing 99.95% uptime over the course of the year. For those keeping track at home, that’s about 4.5 hours of downtime for the entire year or only 40 seconds for every day. About the same amount of time that it takes us to daydream about our dream vacation.

That’s because Microsoft has data centers all around the globe, meaning that their services are guaranteed to be up and running whenever you need them.

Cost-Effectiveness

It’s all about the money, right?

We know that IT costs can skyrocket if left unwatched and a bill can come out of nowhere to surprise you (oh yeah, we did sign up for that service).

Another reason Azure has been a favorite with many of our clients is that it offers a pay-as-you-go pricing option. This means that small and medium-sized businesses can fine-tune their budgets and only use as much of the cloud as they need to.

Plus, costs can be reduced because both customer applications and internal apps can be launched in the cloud. This will save money on IT infrastructure while also lowering any costs of hardware and overall maintenance.

Why Your Business Needs a Nashville Azure Consultant

With all of those benefits, why do you need to hire a Nashville Azure consultant? While we love Azure, it does come with some drawbacks. That’s where we come in. As leading Azure consultants in the Nashville area, we provide a number of different services.

It Requires Expertise

Although Azure does have some easy parts, getting the most out of Azure does require significant platform expertise. In order to make sure that everything is working together efficiently, you do need a consultant to maximize your platform.

One of the most common rookie mistakes we see is administrators over-provisioning their cloud services. This can lead to a huge financial setback for a business, oftentimes in the thousands of dollars range. Since Azure is used by so many small and medium-sized businesses, those extra costs are burdens you don’t want to pay for.

It Requires Consistent Management

Unfortunately, Azure isn’t as plug-and-play as other services out there and requires consistent management, especially when working with a large number of end-users.

Azure, like most other cloud services, requires regular patching and server monitoring. Does this mean that you need someone monitoring it 24/7? No, of course not, but it helps to have someone managing your cloud on a consistent basis.

Atiba Can Serve as Your Azure Consultant

As you can see, there are lots of reasons why you want to go with Azure. Its scalability, cost-effectiveness, and high levels of security make it one of the best cloud service options for all types of businesses. If you’re looking to get set up with Azure or just want to know more, feel free to reach out to Atiba. We offer the best Azure consulting services in Nashville and have been working with various businesses for nearly thirty years.

Not only are we Azure experts, but we also pride ourselves on same-day response time. We offer 24/7 support and 1-hour response time on critical issues.

Interested in learning more or want to see how we can help? Reach out for a free quote today!

Ransomware: A Real Threat in the Digital World


Shadowy figures, cryptic notes, demands for money, a ticking clock, and absolute terror. With a recipe like that, it’s no wonder the ransom plot has been a Hollywood film trope for decades. But as fun as it is to watch in a theater, ransom plots are crippling when they’re real.

And in the modern digital world, they play out most often as hacker programs that steal data and access to critical systems before demanding payment... or else. Threats to expose confidential information or to destroy networks happen more frequently than you may think to large and small organizations around the world.

Ransomware attacks can bring a business to its knees overnight. Hackers exploit employees or unprotected systems, worm their way into the digital infrastructure of a business, then hold data or access hostage until a ransom is paid. Over the past decade, ransomware attacks worldwide have grown tremendously.

The Cost of Ransomware Attacks

Just how much are hackers demanding from businesses? According to a 2017 report, the average cost of a ransomware attack was just over $700,000. Many small and medium-sized businesses simply can’t afford such an attack.

Even if businesses can survive, there will likely be certain sacrifices that have to be made and it could take the business years to recover, if at all.

The City of Atlanta’s Ransomware Attack

While that number might be shocking, take the 2017 attack on Atlanta as an example. In March of 2018, the City of Atlanta was hit with SamSam malware. It devastated city systems, including court scheduling, online bill payments, police dash-cam video, and even wi-fi systems. The attackers demanded a payment in bitcoin that equaled about $52,000. Mayor Keisha Lance Bottoms refused to pay, opting instead to rebuild the systems at a cost estimated somewhere around $2.6 million.

In the months and years since the attack, Atlanta has instituted security protocols and systems enhancements to avoid future attacks. But if organizations with data as critical as city governments like Atlanta are vulnerable, it seems almost anyone is. The same malware that hit Atlanta, SamSam, hit 200 other victims as well, extorting over $30 million in Bitcoin from their victims. And that’s just one malware group. There are hundreds, if not thousands, of others. 

Ransomware Payments Can Put You in Legal Trouble

If someone is holding information and you’ve exhausted every option, you might think about just paying the amount of money and getting it over with. If you’re going down that road, then you may want to think twice.

Recently, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a special advisory to companies that pay ransom during an attack. Specifically, the advisory warned that victims and any third parties who assist in payment could be in violation of federal law. Even if you do so unintentionally, there may be sanctions headed your way.

You can check out the advisory here.

A Global Problem

In a May 2020 report by Verizon, there were over 6,800 global attacks on public organizations, with over six thousand of those considered large attacks. The same report totaled all cyberattacks in 2019 at over 32,000 globally, or once every 16 minutes.

It’s a fool’s game to think “oh, this could never happen to me”. What can be done to protect your systems from ransomware? 

How to Protect Against Ransomware


The good news is, some steps can protect you, your systems, and your business.

  1. Systems
    • Backups
    • Blocks
    • UTD
  2. People
    • Phishing
    • Access
    • Password Management 

Systems

Let’s start with what you can do to fortify systems. There are steps you can take to ensure your systems aren’t laid bare by design and management practices, leaving them easy targets for hackers.

Backups

Let’s start with the importance of a well-designed and well-maintained backup system. Why start there? Because even if everything else goes wrong with your plan, a backup might be your last ray of hope if you’re impacted with an attack. So if you do nothing else, set up a backup process. 

What’s a good backup process? It should include your most important business data. It should run often. And you should consider a trustworthy, cloud solution. 

What’s your most important business data? If a hacker contacted you tomorrow threatening to destroy or make data public, what data would you think of first? What customer data do you have that if exposed or lost would jeopardize your customers or your business? That’s your sensitive data. Your business depends on it and you likely have an obligation (likely a legal one) to protect and manage that data. 

Your backup should run often. Whether that’s hourly, daily, weekly, or monthly is up to your business needs. But the more often it can run, the better. The frequency of your backups will depend on the backup solution you choose and the costs associated with the backup process (automated or manual).

As you find the right solution for you, make sure you ask how backups happen and when they occur. The more information you back up, the better.

Cloud Solutions

Cloud solutions have become widely available, affordable, and trusted over the years because they add layers of protection that on-premise solutions just can’t match. If your data is important enough to store, you want a solution that’s scalable and protected from any physical threat your systems could experience.

A reputable cloud solution is often competitively priced, easy to implement (even if you need some help), and offers more security than other options. 

Barriers 


There’s a reason yards have fences, castles have moats, and China built a wall. Barriers thwart attacks. The harder you make it for hackers to access your data, the less likely it is they’ll get it.

Installing firewalls, anti-virus software, and VPNs for employees are all effective and affordable measures to protect yourself. Don’t leave your doors open to threats. 

And that also means you should know where your network boundaries are. Know what’s connected to your network and ensure that connections are monitored and regulated. Consider working with a network management professional to ensure that you’ve intentionally designed and managed your systems. 

Updates

It’s tempting to hit “remind me later” when those update pop-ups interrupt your work. Sometimes it’d be better to have a “go away and never come back” button. But updates, patches, and fixes are pushed to you for a reason.

In 2017, the WannaCry attack hit high-profile Microsoft Windows targets, including Britain’s National Health Service, with an encryption program. Before the attacks began, Microsoft had identified the vulnerability in their system and released a patch. But because patches were not installed promptly, many users were left vulnerable and were subsequently attacked.

Providers diligently monitor for vulnerabilities that hackers could use to attack customers. Knowing that the reputation of their products is threatened by hackers, providers work hard to create patches, updates, and fixes to protect their users. Ignoring those system updates leaves your systems vulnerable.

Update your systems. You probably have one that you’ve been putting off for weeks. Why not quickly check after you finish reading?

People

Hackers know that systems are only part of your business. They know that your team has access to systems and data and that they can be compromised as well. Ensuring that your team does their part in protecting against ransomware is crucial. 

Phishing

We all know by now that you shouldn’t give your bank account information to any princes from remote parts of the globe with poor grammar and offers of shared fortunes. We know that emails and other forms of unsolicited contact requesting sensitive and personal information are red flags for malicious attacks known as phishing. 

In other words, it’s bad guys dangling an offer in an attempt to snag an unsuspecting (usually well-intended) victim to gain access or data. It’s cybercrime and a common tool used by ransomware attackers. 

While phishing emails have seen a small decline in the past few years, the trend towards remote work seems to have ushered in a re-emergence of the tactic.

A few easy ways to avoid falling for a phishing attack: 

  1. Don’t open emails from senders you don’t recognize or email addresses that seem off. 
  2. Don’t send personal information through email. Just don’t. 
  3. Don’t click links or open attachments from unsolicited or unrecognized sources. 
  4. Report any suspicious emails to your security team.

Access

If your employees don’t have access to customer data, they can’t accidentally give access to thieves. Creating and managing access controls is a crucial element of any security program. Profiles and access levels create layers of protection to sensitive data and system controls. 

This is another place where working with a professional network manager can be immensely helpful. The process of creating a functional, scalable, and manageable process to control who has access and when is not a small or simple process. Experience and knowledge are huge here. 

Password Management 


You’re probably sick of hearing that you need strong passwords that are 34 characters long, contain a number, a capital, a special symbol, and a drop of blood. But the rationale is simple. The harder a password is to crack, the better it works. 

There are lots of ways hackers attack password-protected systems. From guessing to what’s called brute force, hackers will try to gain access through passwords. Ohio State University explains how the complexity of passwords works.

OSU says “The time to hack a password increases exponentially with each character added to your password. For a password that consists of randomized characters of all types, the difference between 6, 7, 8, and 9 characters is days, years, centuries, and millennia!!!”

Nobody has time for an entire millennium of guessing. 
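To make the OSU quote concrete, here is an added example (not from the original post) that computes the keyspace of a random password and the worst-case time to try every candidate at an assumed guess rate. The 1,000,000 guesses/second rate is an assumption picked because it reproduces the quote’s days/years/centuries/millennia scale for 6, 7, 8 and 9 characters; real rates vary by orders of magnitude with the hashing in use. The example also goes one step further and shows how many extra lowercase-only characters match the keyspace of a shorter mixed-character password.

```python
# Added example: brute-force effort versus password length and character set.
# Not code from Atiba or OSU; the guess rate used below is an assumption.

from typing import Sequence

# Character-class sizes on a US keyboard: lower, upper, digits, printable symbols.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")  # 95 characters total

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed attacker rate (constructed for illustration): one million guesses/second.
ASSUMED_GUESSES_PER_SECOND = 1_000_000


def alphabet_size(classes: Sequence[str]) -> int:
    """Size of the alphabet a password is drawn from; also the per-character growth factor."""
    return sum(CHARSET_SIZES[c] for c in classes)


def keyspace(length: int, classes: Sequence[str]) -> int:
    """Number of distinct random passwords of `length` drawn from `classes`."""
    return alphabet_size(classes) ** length


def years_to_exhaust(length: int, classes: Sequence[str], guesses_per_second: float) -> float:
    """Worst-case years to try every password in the keyspace at a fixed guess rate."""
    return keyspace(length, classes) / guesses_per_second / SECONDS_PER_YEAR


def extra_length_needed(length: int, small: Sequence[str], big: Sequence[str]) -> int:
    """Fewest extra characters from the `small` alphabet needed so that a longer
    password matches or beats the keyspace of a `length`-character `big` password."""
    target = keyspace(length, big)
    n = length
    while keyspace(n, small) < target:
        n += 1
    return n - length


def exhaust_table(lengths: Sequence[int], classes: Sequence[str], rate: float) -> list:
    """Rows of (length, keyspace, years) so the exponential growth is visible at a glance."""
    return [(n, keyspace(n, classes), years_to_exhaust(n, classes, rate)) for n in lengths]


if __name__ == "__main__":
    # Each extra character multiplies the work by the alphabet size (95 here).
    print(f"growth factor per character: x{alphabet_size(ALL_CLASSES)}")
    for n, space, years in exhaust_table((6, 7, 8, 9), ALL_CLASSES, ASSUMED_GUESSES_PER_SECOND):
        print(f"{n} chars: {space:>22,d} candidates, ~{years:,.1f} years to exhaust")
    # Length beats character classes: lowercase-only needs only a few more characters.
    extra = extra_length_needed(8, ("lower",), ALL_CLASSES)
    print(f"lowercase-only needs {8 + extra} chars to match an 8-char mixed password")
```

At the assumed rate the table reads roughly 8.5 days, 2.2 years, 210 years and 20,000 years for 6 through 9 characters, which is the scale the quote describes.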

And reusing passwords is just a no-no. Passwords used in more than one place (like your bank account and your favorite coffee app) mean that if it’s guessed once they have access to everything. Maybe it’s not the end of the world that a hacker steals all your coffee stars. But is it OK if they get their hands on your savings account? Definitely not. 

And while passwords are important, consider multi-factor authentication if you really want to double down on protection.

Now more than ever, protecting your business and your customers depends on employees having the knowledge and skills to take smart, intentional actions. For more on what to consider when employees work remotely, check out our blog on 10 Important Remote Work Security Tips.

Conclusion

Criminals will always look for new ways to lie, cheat, steal, and ransom money out of people. Knowing what you can do to reduce your risk, and educating your employees can help protect you and your business.

If you need help identifying your risk points or creating security solutions, Atiba is here to help. Our experts have been helping public and private businesses create and monitor security programs for years. We’d love to help you, too. Reach out today for a free quote!

10 Important Remote Work Security Tips


A few years ago, remote work was seen as a luxury for many employees. While there were remote work companies around the globe, hearing that someone worked remotely was somewhat surprising. For many, working remotely just didn’t seem feasible or a proper long-term solution.

My oh my, how the times have changed.

Lately, there has been a huge increase in the number of companies working remotely.  More and more employees are able to work from wherever they want, whether that be their kitchen table or their favorite coffee shop. From the outside, there seem to be a number of benefits such as flexible scheduling, more family time, and cutting the commute. Remote working is part of the new normal.

However, there are also a number of risks that come with remote working. We’re not talking about the questions over productivity or lack of focus, but the issues revolving around remote work security.

With your employees spread around the state, country, or even globe, how do you make sure that your employees are on secure networks, company data isn’t being compromised, and employees are following the best security practices?

Today, we’re going to dive in and check out just what your company needs to do in order to make sure your workforce is staying safe and secure.

Remote Work Security Issues

When it comes to implementing a remote work security plan, what are the things that you most need to watch out for?

Phishing Emails


If you’ve used email in the last decade, you’ve no doubt received more than your fair share of phishing emails. Phishers don’t stop at just personal emails but will go after work emails as well in order to try and obtain sensitive information.

Estimates say that around 90% of all cybersecurity attacks are phishing emails.

Unsecured Networks

Your home internet was originally going to be used for streaming Netflix or letting your kids play Minecraft. But now many workers are going to be working from home on these family-friendly WIFIs. Are they up to the proper security standards?

Delaying Updates

Device updates are annoying and they often come at the wrong time (AKA, just about any time). While some of those updates have cool new features, the bulk of those updates are there to patch security flaws and holes.

Devices always need to stay updated, even if they do come at inopportune times.

Computer Sharing

If your employee is using the family computer for work, how many other people have access to that device? While a five-year-old is more likely to care about funny YouTube videos than exploring the documents folder, you never know what random clicking around may do.

The more people that share a computer means there is a bigger risk for potential threats or mismanagement.

What Your Business Should Do

Since we’ve covered the most basic and common issues facing a remote work team, what can you and your company do in order to make sure you’re protected now and in the future?

Set up Two-Factor Authentication

Two-factor authentication, also written as 2FA, is an authentication method where the user must present two pieces of identification in order to access an app, website, program, etc. If you’re someone who has used Google recently, you know that Google has been pushing 2FA for quite some time and even more so recently.

2FA is one of the easiest things you can do to bolster your remote security.  Not only do employees have to enter their password, but they also must enter a code or approve the login with their cell phone.

It takes very little time to set up but the security benefits are very real and immediate.

Ensure Everyone has Secure WIFI


This, undoubtedly, will be the biggest challenge when it comes to your remote work security. While you can rest assured knowing your in-office WIFI is secure and stable, how do you make sure that all of your employees are working on proper WIFI?

Their home may be secure, but the local coffee shop down the road may have free and public WIFI. Using public WIFI to check the weather or your fantasy football score is fine but logging on with personal or company information is dangerous. It’s best to just avoid public WIFI altogether.

The most logical step is to encrypt your internet connection somehow, either through a VPN or hotspot if you’re out in public. VPNs are slowly becoming the norm globally as more and more individuals are wising up to protect their data.

Lastly, you can set up encrypted remote connections to a remote desktop to ensure that data not only stays on a work computer, but all work is “done” on the work computer. More on this later…

Have a Response Plan In Place

In our post about security audits, we talked about the importance of having a disaster recovery plan in place. No one ever expects the worst to happen but you’ll be happy you were prepared for it ahead of time.

When it comes to remote security, you need to make sure you have an incident response plan ahead of time.

Admittedly, this is much harder with remote workers. Not only is the employee where the incident occurred in one place, but your response team is likely in another.

But if an incident does occur, here are the things you need to have in mind:

  • What kind of security breach was there?
  • Do passwords need to be changed?
  • Does any software need to be updated?
  • What patches need to be installed?

If you respond quickly, you may be able to contain the issue or at least educate the employee on the best practices.

Speaking of that…

Educate Your Employees

When it comes down to it, your employees need to know the basics of internet security. They’re probably all too familiar with not opening emails from unknown senders (or at least their spam filter will sort that out for them), but they might not be mindful of other items.

You should be educating them on the following practices:

  • Using strong passwords (using different passwords for personal and work use)
  • Keeping work devices safe and secure (no laptops left in the car)
  • Being cautious with work emails, sending and opening from unknown addresses
  • Keeping personal internet use on personal devices
  • Being mindful of who is around you in public places

While your employees may not follow all items to the T, they need to be aware of potential security risks. If anything, host a web meeting or have a hard copy of a document you can hand to your employees.

Use a Password Manager

No one can remember all their passwords these days and with password regulations like they are, can you blame them?

One of the best things to do is to have all employees install a password manager on their browser. That way, all passwords are in a secure location and if you have multiple team members trying to access one site, they can easily look up passwords.

That eliminates the possibility of employees messaging or emailing passwords in unencrypted messages or emails.

Develop a BYOD Policy


Party-goers and BBQ fans are all too familiar with BYOB, but what is BYOD?

This four-letter acronym stands for Bring Your Own Device. We’ve all used our own cellphone to check an email or respond to a message in Teams, but you should be careful about what other information is being kept on those devices. While there isn’t a huge risk in checking work items on a personal device, there needs to be a proper policy in place ahead of time.

After all, employees are probably going to be a bit more willy-nilly when it comes to security on their own device. If those two are crossing over, it’s vital to be mindful of this and ready.

Besides giving your employees a handy-dandy guide to follow, you will also have a strict policy on data management. This will quickly settle any disputes that may arise between you and your employees about data protection and management. Protecting your data is a big part of remote work security, after all.

And, it’s going to clear up any issues when an employee resigns or is fired. You don’t want your data to stay in the hands of a disgruntled employee.

Use the Cloud

Here at Atiba, we’ve been singing the cloud’s praises for quite some time. The cloud is great, but what does it have to do with remote security?

Quite simply, the cloud is going to be much safer than your average worker’s device. Plus, it’s much easier to share and edit across multiple users and multiple devices. Keeping your content stored in “one” place is going to keep you sane and keep your information secure.

Use a VDI

VDI, which stands for virtual desktop infrastructure, is an increasingly popular technology built on virtual machines. Desktop environments are hosted on a centralized server and then distributed to users on request. One of the most popular VDI platforms out there is VMware, which we happen to be experts in.

A VDI comes with a load of advantages, such as improved flexibility, ease-of-access, and user mobility. Plus, it increases security for users across the board.

There are two different types of VDIs: persistent and nonpersistent.

With persistent VDIs, the user is going to connect to the same desktop each time they make a request. Even though the link is virtual, a user can claim a computer as their own.

Nonpersistent VDIs, on the other hand, are when users connect to a basic, generic desktop that doesn’t save any settings or files. It’s like going to a library or internet café and booting up the first computer that you see available.

Generally speaking, nonpersistent VDIs are more common in companies that have a large number of workers who perform basic, non-complex tasks. Persistent VDIs are for dedicated workers that perform more complex tasks.

VDIs are incredibly popular among remote workers because they let users connect from their own device while still “doing their work” on a work computer.

But what makes them secure?

Data, content, and information all live on the server rather than your employee’s personal device. So even if a laptop is stolen, the thief won’t have access to sensitive information or data.

VDI can be quite expensive, however. There is a large upfront cost and setup can take a while, especially for a larger company.

Check Out DaaS

No, we didn’t stutter through our German lesson, DaaS stands for data as a service.

From the outside, they function similarly to VDIs but come with a few differences.

They are able to distribute virtual apps and desktops to essentially any device. So your employee can stay at home on their own device but connect to a virtual desktop in order to perform their work.

The primary difference between the two is while VDI is hosted by on-premise data centers, DaaS is hosted in the cloud. It takes the hardware management out of the hands of your IT staff and is generally less expensive but you probably won’t see that ROI until way down the road.

One of the more popular DaaS options out there is Amazon WorkSpaces provided by AWS (Amazon Web Services). It’s a great option for those running on Windows or Linux and can be scaled to use 1000s of computers around the world.

Just Be Smart


Fans of The Office will undoubtedly remember one of Dwight Schrute’s most famous quotes:

“Before I do anything I ask myself, would an idiot do that? And if the answer is yes, I do not do that thing.”

While not everyone can be as blunt as Dwight (or as receptive to his bluntness), he does have a point. So much of remote work security is just making sure you make smart, sound decisions. Don’t share passwords with anyone. Don’t leave devices unattended.

On the tech side, invest in a business VPN and look into cloud management and virtual machines. Some of those steps can be costly, but trying to recover from a data breach can be the most costly of all.

Conclusion

As we’ve seen, there are plenty of things you have to watch out for and plenty of things you can do. The best advice we have is to start small and then look into upgrading systems or devices. If you’ve already experienced some kind of breach or attack, then your timeline may have to be sped up just a little bit.

If you’re looking at making use of VDI, DaaS or a question about remote work security, we’d love to hear from you. Not only are we a remote team ourselves, but our experts have years of experience developing secure systems for businesses of all sizes. Reach out today for a free quote!

The Ultimate IT Security Audit Checklist


In life and business, many tasks can be divided up into things you can control and things you can’t control. In the search engine optimization world, you can’t control when Google may release an update and tank your rankings. In sales, you have a level of preparation over your sales pitch. You can’t control what the client will say to you (unless you slide them a couple of front-seat tickets to the upcoming concert).

Your IT security, however, is one area that you need to be in complete control of. You don’t want to leave your business’ security up to chance or hope. Attacks can happen at any time and they can be costly. Even if they weren’t costing you six figures (or more), can you afford to spend lots of money on something that shouldn’t have been an issue anyway?

In order to make sure that you are safe from any potential breaches or attacks, you need to be performing regular IT security audits. Today, we’re going to go over what an audit is, how often you need to perform one, and the important items you need to make sure are on your checklist.

What is an IT Security Audit?

When it comes to your business, there are plenty of audits you can (and should) be running. SEO audits, content audits, network audits, and of course, the ever-fun third-party financial audits. All of those are important but perhaps none are more important than your IT security audit, usually performed by a professional security auditor.

Within an IT security audit there are two primary assessments. The first is a review of automated assessments: system-generated reports, software and log reports, server change records, and file and permission settings.

The second part, and the more laborious of the two, is a manual assessment of just about everything else: physical inspection of hardware, vulnerability scans and review of their results, an access control review, an inventory of resources, and even interviews with employees.

An IT security audit is a large undertaking, not something knocked out in an afternoon. Depending on the size of the business it can take several days or several weeks.

Why is this Assessment Important?

You can probably guess that one of the most important parts of such an audit is finding security issues and remediating them sooner. However, there are a number of other benefits that come with regularly performed audits.

#1-It Helps Streamline IT Work

After an audit is complete, the report tells you which areas need improvement or closer examination. This lets IT personnel make proactive decisions about their network and security instead of always responding to attacks. If everyone has their work set out for them ahead of time, maintaining security and dividing up tasks will be more efficient and boost productivity.

#2-It Helps Explain IT Costs

The financial auditors aren’t due here for another month, why are we talking about money?

Hopefully, your company hasn’t experienced a data breach or security issue. If this is the case, there might be others in the company wondering why so much money is being spent on network infrastructure security. We haven’t had an issue in a decade, what’s the point of allocating X amount of dollars to our security? Would that money be better spent in another area?

These audits can show that such expenditures are justified and necessary to safeguard the organization, and they can show what might happen if such measures were taken away.

#3-It Promotes Teamwork

While your IT staff is in charge of everything from setting up people’s emails to network security, they cannot always be a watchdog ensuring that everyone is adhering to security guidelines. In order for implementation to be successful, everyone needs to buy into the basic ideas of security.

An audit can help show workers in various departments the primary areas of risk and what actions they should be mindful of. While they might be tired of hearing warnings and advice through company emails, an audit will give them something a bit more tangible to see.

How Often Should a Company Do IT Security Audits?

Generally speaking, you should be conducting this type of audit at least once a year. Some may prefer to do it more, such as every six months or even once a quarter. If you do decide to do them on a more frequent basis, then you’re going to find possible security holes or other issues quicker.

More often than not, the size of a business determines both how often these audits happen and how long they take: an audit of a large company with thousands of employees may take weeks, while a small company with a handful of employees can be done in a matter of days.

The IT Security Audit Checklist

Alright, we’ve covered the basics of an IT security audit, let’s move onto the checklist. Dust off your clipboards, notebook paper, and #2 pencils, let’s get started!

Start at the Beginning

Before you jump into fixing security problems, get a bird’s-eye view of the company’s security plan. Read the security policies, find out how employees are trained on them, and how often they are reminded of them. Review business processes such as disaster recovery plans, restoration paths, and the incident response plan for a cyberattack.

You’ll also want a comprehensive inventory of the company’s hardware and software and of who has access to each system; accounts that nobody can account for are a finding in themselves.

Going through the policies and framework first will ensure that security measures are in line with business objectives. The last thing you want to do is go through with an audit only to have it hinder business efficiency. Your objective should be to make things more secure without disrupting everyday activities.

If this is the first time you’ve performed such an audit with this company, you’re going to want to see the last audit and its findings as well as actionable steps the company took.

You can consider this “Step Zero”. It’s quite important, though, because it lets you lay out a plan of attack and gauge which areas will need most of your effort.

Discussion with Management

One might think a security audit is simply a matter of testing systems and poking at software and hardware, but there is a personal element to the whole process. Part of this goes hand-in-hand with Step Zero above, but it’s also necessary to find out what management wants from the audit.

  • Is there one area of particular concern?
  • What do they expect the audit to find?
  • Have there been any significant issues in the past?
  • Are there any current threats out there?

This way, you uncover many issues before they pop up and surprise you later. You might also find out that employees who recently left never had their credentials revoked, or that a disgruntled former employee still has access to sensitive data (like a certain Bruce Willis film).

Remember, management may not be IT experts, and what seems like a harmless issue to them could be a huge red flag to you.
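One way to turn the access-control review from Step Zero and the “credentials never revoked” problem above into a repeatable check, as an added example that is not part of the original post or Atiba’s tooling: cross-reference the directory’s account export against the HR roster and flag enabled accounts whose owner has left, accounts whose owner is not on the roster at all, privileged accounts with no named owner, and accounts idle longer than a chosen threshold. The roster, the account list, the 90-day threshold and the `review_accounts` / `sample_report` names are all assumptions made for the example; in practice the inputs come from HR and from an Active Directory, LDAP or identity-provider export (for AD, the `lastLogonDate` attribute is the usual source).

```python
"""Access review: cross-reference a directory export against the HR roster.

Added example for this audit checklist, not Atiba's tooling. Roster, accounts
and the 90-day idle threshold are constructed assumptions; real inputs would
come from HR and from an AD/LDAP/IdP export (e.g. lastLogonDate per account).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

STALE_AFTER_DAYS = 90  # assumption: anything idle longer than this gets flagged


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    active: bool
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]     # None for shared/service accounts with no named owner
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in
    privileged: bool = False


# Constructed sample data: what HR says ...
ROSTER = [
    Employee("E001", "Ada Lovelace", active=True),
    Employee("E002", "Grace Hopper", active=False, end_date=date(2020, 3, 31)),
    Employee("E003", "Alan Turing", active=True),
]
# ... and what the directory says.
ACCOUNTS = [
    Account("alovelace", "E001", enabled=True, last_login=date(2020, 10, 20)),
    Account("ghopper", "E002", enabled=True, last_login=date(2020, 4, 2), privileged=True),
    Account("aturing", "E003", enabled=True, last_login=date(2020, 5, 1)),
    Account("svc-backup", None, enabled=True, last_login=None, privileged=True),
    Account("jdoe-contractor", "E999", enabled=True, last_login=date(2020, 9, 30)),
    Account("old-intern", "E001", enabled=False, last_login=date(2019, 6, 1)),
]


def review_accounts(accounts, roster, today, stale_after_days=STALE_AFTER_DAYS) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs; privileged accounts are listed first."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # a disabled account is not an exposure; leave it for cleanup
        owner = by_id.get(acct.owner_id) if acct.owner_id else None
        if acct.owner_id and owner is None:
            findings.append((acct.username, "orphaned: owner not on HR roster"))
        elif owner is not None and not owner.active:
            left = owner.end_date.isoformat() if owner.end_date else "an unknown date"
            findings.append((acct.username, f"owner left on {left} but account still enabled"))
        elif acct.owner_id is None and acct.privileged:
            findings.append((acct.username, "privileged account with no named owner"))
        if acct.last_login is None:
            findings.append((acct.username, "never logged in"))
        else:
            idle = (today - acct.last_login).days
            if idle > stale_after_days:
                findings.append((acct.username, f"idle for {idle} days"))
    privileged = {a.username for a in accounts if a.privileged}
    # Stable sort: worst exposures (privileged) first, per-user order preserved.
    findings.sort(key=lambda f: (f[0] not in privileged, f[0]))
    return findings


def sample_report(today=date(2020, 10, 21)):
    """Run the review over the constructed data as of a fixed date."""
    return review_accounts(ACCOUNTS, ROSTER, today)


if __name__ == "__main__":
    for user, finding in sample_report():
        print(f"{user:<16} {finding}")
```

The report is only as good as the join key: every account needs an owner field populated at creation (and service accounts a named human owner), or the review degrades into guessing from usernames.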

Find Potential Threats

There is no shortage of threats, but there are some major ones that you need to keep your eyes out for.

One of the most common threats is malware: spyware, viruses, worms, and ransomware. One of the biggest recent attacks was WannaCry, ransomware that in May 2017 infected hundreds of thousands of computers in more than 150 countries. It spread by exploiting an SMBv1 flaw that Microsoft had patched two months earlier (MS17-010), so the vast majority of affected machines were ones that had not applied Microsoft security updates or were end-of-life systems no longer receiving them.

You should also be on the lookout for DoS (denial of service) attacks. DDoS attacks, in which the flood of traffic comes from many compromised machines at once rather than a single source, are on the rise, and some of the larger-scale ones have knocked major services offline across an entire country; the 2016 Mirai botnet attack on the DNS provider Dyn made many popular websites unreachable across much of the United States.

Other areas of concern include data leaks, social engineering, and account hijacking. These are often the result of negligence or poor decisions by users, showing just how important it is for all members of an organization to be on the same page when it comes to security.

Additionally, you’ll want to perform a physical check. Make sure server rooms are locked, sensitive areas are off limits to unauthorized people, and that documents are shredded and dumpsters secured so nothing useful can be recovered by dumpster diving.

Security Performance Evaluation

There are a few things you should check when it comes to security performance. The first and most basic is password testing. Forced symbol-and-number complexity and scheduled resets are no longer considered necessary (the author of the original NIST guidance that popularized them has since apologized, and NIST SP 800-63B now favors length, uniqueness and screening against known-breached passwords instead), but passwords do still need to be long and unique.

Make sure users are using long, unique passwords for their log-ins, ideally generated and stored by a password manager, and enable multi-factor authentication wherever it is available. At the very least, ask them to ensure their personal and work passwords differ.
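An added example (not from the original post and not Atiba’s tooling) of how an auditor checks uniqueness without ever seeing a plaintext password: export the password hashes, group accounts that share an identical hash (with an unsalted scheme such as Windows NTLM, identical hash means identical password), and look each hash up in a corpus of known-breached hashes. The sample users, passwords and breach corpus are constructed, and SHA-1 stands in for NTLM because the Have I Been Pwned Pwned Passwords corpus is published in both forms and the lookup works the same way. Length cannot be judged from a hash, so the last function shows the screen applied at the moment a user sets a new password; the 12-character minimum and the function names are assumptions for the example.

```python
"""Password hygiene audit over a hash export, plus a set-time screen.

Added example for this checklist, not Atiba's tooling. Users, passwords and
the "breached" corpus are constructed. Hashes are upper-case SHA-1 hex, the
format of the Pwned Passwords list; a Windows domain audit would use the NTLM
variant, which works identically because NTLM is also unsalted.
"""
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumption: local policy minimum (NIST SP 800-63B floor is 8)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed directory export: username -> password hash.
SAMPLE_USERS = {
    "alovelace": sha1_hex("correct horse battery staple"),
    "ghopper": sha1_hex("Summer2020!"),
    "bwillis": sha1_hex("Summer2020!"),
    "svc-backup": sha1_hex("password1"),
}
# Constructed breach corpus (a real one has hundreds of millions of entries).
BREACHED = {sha1_hex(p) for p in ("123456", "password1", "Summer2020!", "qwerty")}


def find_reuse(users):
    """Groups of accounts sharing one hash; unsalted hash equal => password equal."""
    by_hash = defaultdict(list)
    for user, digest in users.items():
        by_hash[digest].append(user)
    return sorted(sorted(group) for group in by_hash.values() if len(group) > 1)


def find_breached(users, breached):
    """Accounts whose current password hash appears in the breach corpus."""
    return sorted(user for user, digest in users.items() if digest in breached)


def check_new_password(password, breached, min_length=MIN_LENGTH):
    """Set-time screen: the only moment plaintext exists, so the only place
    length can be enforced. Returns reasons to reject (empty list = accept)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if sha1_hex(password) in breached:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    print("reused across accounts:", find_reuse(SAMPLE_USERS))
    print("in breach corpus:      ", find_breached(SAMPLE_USERS, BREACHED))
    print("screen 'Summer2020!':  ", check_new_password("Summer2020!", BREACHED))
```

Against the real corpus you would not download all of it: the Pwned Passwords range API takes the first five hex characters of the hash and returns every matching suffix, so the match is made locally and the full hash never leaves your network. Shared hashes between a user account and a service account, as in the constructed data, deserve particular attention because the service account rarely gets rotated.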

The second, a security framework review, is used to identify the security measures currently in place. That starts with establishing what needs protecting: typically the devices, email, software, and networks people work on. If your company is remote, this is a bigger challenge, because workers may be using their own personal devices and their home internet connections.

One of the most important parts of the evaluation is what we like to call “rockin’ the boat” (not just because we’re big fans of Stubby Kaye’s rendition of the song in Guys and Dolls).

stubby kaye

“The security specialist said sit down, you should delete that obvious phishing attempt. The security specialist said sit down, you should delete that obvious phishing attempt.”

You need to carry out penetration testing and a security awareness assessment: test how current employees respond to simulated phishing emails, run simulated attacks on the systems, and quiz staff on security basics. Sometimes this involves an actual white-hat hacking attempt. Make sure any such test is authorized in writing, with its scope, timing and rules of engagement agreed in advance; an unauthorized or poorly scoped attempt can take down production systems and carries real legal repercussions.

Plan a Defense Strategy

Now that you have identified threats and performed a successful evaluation of your security, it’s time to set up a defense plan in the audit report.

At the top of your strategy to-do list should be monitoring. Decide what gets logged, what triggers an alert, who reviews it, and on what schedule, and set up recurring tests for each aspect of security. Having these in place will make future audits that much easier.

What your defense strategy looks like will depend on the threats you’ve found. If DoS attacks are becoming more frequent, look to strengthen your network infrastructure with rate limiting, redundant capacity, and an upstream DDoS mitigation service. If devices are being infected with malware, look at patching, endpoint protection, and tighter controls on what users can run and open.

Lastly, part of your defense strategy should be planning future security audits. Will you be doing them quarterly? Bi-annually? Annually? Whatever your plan is, stick to it and keep detailed records of your findings and changes. Track progress over the year as well to make sure your recommendations are having their desired effect.

What About Special Audits?

Sometimes, even with the most diligent of preparation, a security breach can occur. When that happens, should you perform an audit right away or simply investigate the issue?

Investigate and contain the incident first, then perform a full-scale audit: the breach may have exposed a weakness that wasn’t obvious during the previous audit. In addition to new or sporadic attacks, you should also perform an audit if one of the following occurs:

  • System upgrade
  • Sudden business growth (five or more new employees or contractors)
  • Loss of multiple employees (especially if those employees had sensitive information)
  • Business acquisition or merging
  • Business re-branding
  • New software implementation

You want to make sure your security is not compromised when there are big changes to your business. Start off with the right foot.

Conclusion

One of the most important things you can do for your business is to perform routine IT security audits. It can be hard to look at our flaws but by being diligent about internal performance, you can catch errors, resolve issues, improve security, and educate employees on the best practices.

A security audit is not one area you want to take lightly. While you should be performing internal audits, the best way to make sure you’re getting the results you need is to hire an expert. Here at Atiba, we have been helping companies with technical and IT audits for years. We have an experienced team ready to help you make your business more secure.

Reach out to us today for a free project quote. We look forward to hearing from you!

Is Remote-Only the way of the future?

A day in the life of a Nashville computer geek: Remote-Only

Published April 12, 2020, in The Tennessean – JJ Rosen

It was just a few short weeks ago that a day-in-the-life at work meant shaking hands with people, meeting over coffee, flying places, and grabbing an occasional beer with some co-workers. Online meetings were not uncommon, but face-to-face was always preferred and often needed to be efficient.

Flash forward to today.

With an ongoing global pandemic, everything about work has changed.  This change from our daily norms has not only been drastic, but it’s also been sudden.  For most of us, the transition to being  100% isolated at home, doing all meetings virtually, and having work and family-life become one and the same has been challenging to say the least.

For me, a creature of habit (for better or worse), I was completely out of whack for the first couple of weeks of this new life.  But as time has gone by, new routines and work habits have formed. Although it’s taken a bit of getting used to, I’ve started to settle in and somehow feel comfortable.  The whole situation is still weird, but I guess I’ve managed to adjust.

But what’s been interesting and unexpected is that some of the friends and co-workers I talk to are not just feeling more comfortable working only at home, but they’re also beginning to feel more productive working only at home.

I don’t think there are any silver linings to a global pandemic that is causing so much suffering.  But in the context of work, the situation we all find ourselves in these past few weeks is presenting some alternative ways of doing business.

Virtual meetings over Zoom, Slack, or Microsoft Teams, have cut down on the amount of time it takes to physically gather.  All of a sudden, it’s become acceptable to video conference with co-workers and clients in faraway places rather than to deal with the time, expense, and hassle of travel.   And even meetings that you would normally have face-to-face in your office have become faster and more efficient when they are moved online.

Commutes have shrunk from 30 minutes of driving to 30 seconds of walking from the kitchen to the quietest place in the house to get some work done. There is now more time in the day to manage as each person sees fit.

Business phone calls have become less formal and less stressful.   Who would have thought I could take care of several business calls while simultaneously walking around my neighborhood getting some exercise?   Where it used to be embarrassing to have your kid crying or a dog barking in the background of the conference call, it’s now no big deal.

Will these new ways of working stick?

No one knows how long we will need to stay home.  But, if working this way makes employees happier, more productive, and more efficient, we may be in for a transformation from the way business has always been done.  At least for some sectors, fancy conference rooms and corner offices may become obsolete in favor of simply working in an old chair at the dining room table.

There are some companies, especially in the tech world, that were already seeing the upside of a completely remote workforce before the pandemic was forced upon us. Studies of these early adopters have revealed that ditching the office and making an entire company remote-only does indeed increase employee happiness and productivity, which in turn increases retention and profits.

As technology advancements make it simpler and easier to keep us connected no matter where we work, we can expect our new norm to become a permanent change to the way many of us work.

While you’re here, be sure to check out our blog on how to stay safe as a remote worker or head to our services page to learn more about what we do.

JJ Rosen is the founder of Atiba, a Nashville IT consulting and custom software development firm.  Visit Atiba.com or AtibaNetworkServices.com for more info.

GDPR: What Your Organization Needs to Know


The European Union’s General Data Protection Regulation (GDPR), the most significant piece of European data protection legislation in 20 years, takes effect on May 25, 2018, and could impact any organization that has, or plans to have, website or app visitors from the EU.

The GDPR replaces the 1995 Data Protection Directive (95/46/EC) with the intention of harmonizing data privacy law across Europe. It is a comprehensive data protection law covering the personal data of anyone in the EU, and it applies to any organization that processes the personal data of people in the EU, for example by tracking their online activity. It does not matter whether the organization has a physical location in the EU or is based there: if it offers goods or services to people in the EU, or monitors their behaviour, it must comply with the GDPR.

Personal data means any information that can be used to directly or indirectly identify a natural person (the data subject), from names and email addresses to IP addresses and cookie identifiers.

Key Changes

The biggest changes the GDPR introduces are an expanded territorial scope and stricter rules on consent.

  • Territorial Scope: The GDPR reaches a large number of organizations because it does not matter where the company processing the data is located, as long as the people whose data it processes are in the EU.
  • Consent: The GDPR strengthens the conditions for consent. Requests for consent must be presented in an intelligible and easily accessible form, in plain language, so people know what they are agreeing to without deciphering legalese, and withdrawing consent must be as easy as giving it. Explicit consent is required for processing sensitive (special-category) personal data; for other personal data, unambiguous consent given by a clear affirmative action is sufficient.
  • Data Protection Officer: A DPO is required only for public authorities, organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, and organizations that process sensitive personal data (or data on criminal convictions) on a large scale.

Additional Rights

The GDPR also grants additional rights to data subjects, which include:

  • The right to be informed. Controllers must be transparent about how they use personal data and must tell data subjects, at the point of collection, what they collect and why.
  • The right of access. Data subjects can find out whether an organization is processing their personal data, obtain a copy of it, and learn how and why it is being processed.
  • The right to rectification. Data subjects can have inaccurate personal data corrected and incomplete data completed.
  • The right to erasure. Data subjects can have their personal data deleted on request. Grounds include, but are not limited to, withdrawal of consent and the data no longer being necessary for the purpose it was collected for.
  • The right to data portability. Data subjects can receive the personal data they provided in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • The right to object. Data subjects can object to their personal data being processed, including for direct marketing, and have the related right not to be subject to decisions based solely on automated processing.

Steps to Prepare

To prepare for the implementation of GDPR come May 25, 2018, organizations should take the following steps:

  1. Determine where data currently comes from and resides. Figure out what is done with that data.
  2. Determine what data the organization needs to keep and what data no longer suits its needs.
  3. Put security measures in place to guard against data breaches.
  4. Review all privacy statements and disclosures to ensure they are in compliance with GDPR.
  5. Establish procedures for handling the new rights available to data subjects under GDPR.

Not complying with the GDPR can result in fines of up to 4 percent of annual global turnover or €20 million, whichever is higher.

World Backup Day


It is estimated that 32% of all critical data loss is due to human error and 44% to hardware or system malfunctions. No one expects massive data loss, but it can happen at any time and bring your business to a standstill.

Since 2011, March 31 has been World Backup Day. Now, we obviously recommend you back up your business data more often than once a year, but having a yearly reminder of the importance of backing your data up is never a bad thing.

If your data lives on some type of hard drive, back it up to a separate physical drive, preferably in a different location, and as an additional safety measure use a cloud-based backup service. Keep at least one copy that is not permanently connected to the machines it protects, since ransomware that reaches a host will also encrypt any backup drive or share it can see, and periodically test that you can actually restore from the backup; an untested backup is not a backup. Also, you might consider migrating to the cloud entirely, where a company like Atiba that offers Network Management Services will make sure your data is always secure and available.

5 Key Attributes For a Nashville Custom Software Development Company


What Should You Be Looking for in a Custom Software Development Company?

There are a variety of reasons people seek out a custom software solution for their business, and it is sometimes the biggest decision a business might make. The most common reason is that there is no software solution that solves the problem(s) they are trying to solve.

It could be that there are software solutions, but they have poor functionality or just don’t fit exactly what they’re trying to do. It could be that there is a solution out there that is prohibitively expensive with many features the company would never use. If you find yourself starting on the journey to find a custom software development company, here are five thoughts to keep in mind as you get started.

Communication Is Key

It’s the key to any healthy relationship and it’s also the key to developing successful custom software.

Rare is a software development project that doesn’t require consultation and advice along the way. Look for a software development company that has been around a while and has the battle scars to prove it. And make sure they are good communicators so that if you request something they have tried in the past and found doesn’t work, they will not hesitate to communicate that experience to you.

At Atiba, we’re often lauded for our quick response time. We’ve always offered 24/7 support and we don’t want any questions lying there unanswered.

They should also be able to recommend ways to solve your specific requirements. If you lay out your vision and come away thinking, “I have no idea what they are talking about, I guess I’ll just have to trust them,” you’re setting yourself up for possible trouble down the road.

Experience Counts

If you’re looking for a custom software solution, you’ve probably reached your last nerve trying to deal with all the available products that don’t quite solve your problem. That means you need software that will do exactly what it is you want it to do.

This is where experience is an advantage for a software development firm. A company with leaders who have solved a variety of problems over the years brings institutional knowledge and wisdom to the table that greatly increases the chances that your new software will be successful.

They don’t necessarily have to have already built exactly what you want for someone else, but they may have experience with some of the components and processes you are requesting. Plus, if they’ve been around, it shows that they’ve encountered plenty of problems and been able to come up with solutions.

Look For A Strong User Experience Development History

A user-friendly interface is vital to your new software’s success. The backend can function beautifully, but if users can’t figure out how to use it, the software is useless. Many developers fall into a trap thinking that the users will figure it out. Unfortunately, users are impatient and fickle. If they can’t make sense of what they have in front of them, they’re just going to go to the next piece of software.

One thing we love to do at Atiba is to set up regular progress meetings with our clients. That way, you can see for yourself how the project is coming along and make sure it makes sense to you. Even though we’ll be along for the post-launch period and ongoing support, we believe it’s important that you have a solid focus on your software as well.

Make sure the custom software development company you choose places an emphasis on user experience (UX), which includes rigorous quality assurance (QA) all along the development cycle.

Speaking of support and the development cycle…

They Have A Clear Support Policy

Support is a big part of any software release. If a software development company isn’t going to stick with you through the release and foreseeable future, it doesn’t sound like they really care about what happens to you or the outcome.

You’re getting a software solution that is being built from scratch, so you need to expect some bugs and quirks upon deployment. Bugs, although unpleasant, are often just a natural part of the development process. Make sure the company you choose gives you a clear picture of what support is included, and how much support that is not included is going to cost.

Check Their Work

A good indicator of future success is a rich history of past success. Take time to have them show you custom software development projects they’ve done in the past, explain the process and problems they went through, and, if possible, show you the end result. Not only is this an important step in your due diligence, but it will also give you peace of mind moving forward that your project is in the right hands.

Sometimes, it can be hard to find specific examples but it’s necessary to ask a few questions about their past work. If you’re not sure where to start, you should think about asking:

  • Have you ever done any similar projects?
  • What issues have you run into with projects?
  • Have you worked with clients of our business size before?

Although there are plenty of other questions that will naturally come up the rest of the way, it’s a good idea to start out with these basic ones.

Atiba is Nashville’s Leading Custom Software Development Company

We know that your business needs more than an out-of-the-box solution and we offer more than out-of-the-box ideas and strategies. With nearly 30 years of experience in the custom software industry, we’re ready to build you a solution that’s just for you.

We’ll break down the process into three distinct parts:

  • Consulting and Strategy
  • Development
  • Launch and Support

We’ve worked with plenty of businesses, both large and small, against tight deadlines. No matter what custom software project you have, we’re here and ready to help. Reach out to us today for a free quote or if you just want to know more. We can’t wait to hear from you!

Foil phishermen with two-factor authentication

Check out Atiba founder JJ Rosen’s latest column for The Tennessean:

Foil phishermen with two-factor authentication

“It’s a big idea, but we have to set a new standard for security.  The combination of a username and password is not enough.”

Rosen’s column appears twice a month. You can view an archive here.

Based in Nashville, Tennessee, Atiba serves as a one-stop shop for strategic web design, web development, CIO consulting services and business intelligence, custom software development, mobile app development, IT support, network services and security. Atiba’s service divisions include Atiba Network, Atiba Software and Wheelhouse Marketing.

Atiba Network Alert: Beware new ransomware

We would like to alert our clients to a relatively new form of ransomware that can lock you out of your entire hard drive.

The ransomware is called “Petya”. Unlike most ransomware, which encrypts individual files, Petya overwrites the disk’s boot record and encrypts the NTFS master file table, so the machine cannot boot and none of the files on it are reachable.

If you are currently set up as a managed services client of Atiba Network Services we will be updating anti-spam and anti-virus systems to attempt to block Petya, but be aware that these types of attacks are often difficult to block.

The simplest way to reduce your exposure is to stay alert and decline to open attachments or links in messages from people you don’t know, and to keep current backups that are not permanently connected to your machines, so that an infected system can be rebuilt without paying.
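As an added example of the kind of rule a mail gateway or help desk applies to inbound attachments (this is not Atiba’s filtering configuration and not a Petya signature), here is a triage function that flags the generic tricks email-borne malware relies on: executable or script extensions, double extensions such as “invoice.pdf.exe”, macro-enabled Office files, and a file whose first bytes say “Windows executable” whatever the name claims. The extension lists, the function names and the sample attachments are constructed for the example.

```python
"""Attachment triage of the kind a mail gateway or help desk applies to inbound files.

Added example alongside this alert: not Atiba's filtering configuration and not
a Petya signature. It flags generic tricks email-borne malware relies on:
executable/script extensions, double extensions like "invoice.pdf.exe",
macro-enabled Office files, and a file whose first bytes are a Windows
executable header whatever the name claims. Sample attachments are constructed.
"""
import os
from typing import Dict, List

BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                      ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def triage(filename: str, head: bytes) -> List[str]:
    """Return the reasons to quarantine this attachment (empty list = let it through)."""
    base, ext = os.path.splitext(filename.lower())
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"executable/script type {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document {ext}")
    inner_ext = os.path.splitext(base)[1]
    if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext} disguises the real type")
    # PE executables start with "MZ": trust the bytes, not the name.
    if head.startswith(b"MZ") and ext not in BLOCKED_EXTENSIONS:
        reasons.append("content is a Windows executable (MZ header) despite the name")
    return reasons


# Constructed sample: (filename, first bytes of the attachment).
SAMPLE_ATTACHMENTS = [
    ("quarterly-report.pdf", b"%PDF-1.7\n"),
    ("application.pdf.exe", b"MZ\x90\x00"),
    ("resume.pdf", b"MZ\x90\x00"),            # an executable renamed to look like a PDF
    ("invoice.docm", b"PK\x03\x04"),
    ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ("setup.scr", b"MZ\x90\x00"),
]


def triage_all(attachments) -> Dict[str, List[str]]:
    return {name: triage(name, head) for name, head in attachments}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        verdict = "QUARANTINE: " + "; ".join(reasons) if reasons else "ok"
        print(f"{name:<22} {verdict}")
```

This is a first filter, not a replacement for anti-virus: archives (zip, 7z, and especially password-protected ones) have to be expanded in a sandbox before the same checks apply to their contents, and a plain Office document can still carry a malicious macro or an exploit, which is why the alert above notes that these attacks are often hard to block outright.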

Atiba Network Services provides a one-stop shop for computer consulting and expertise allowing companies of all sizes to have a single reliable source for client/server application development, internet browser based applications, web site and intranet coding, networking and support, and general computer consultation.