Strategy, Management, Info System Security, Households, Commercial Russell Mickler Strategy, Management, Info System Security, Households, Commercial Russell Mickler

Remote Workers are Significantly Vulnerable to Hacking

Everyone is working from home. But what about the risks to our computers and company data? What kind of countermeasures can you take to help protect your small business from disaster?

The COVID-19 pandemic has forced millions to work from home.

In the tech industry, we call home computers and home networks unmanaged endpoints - unmanaged because we don’t control those devices and we have no idea how they’re configured.

There’s a whole bunch of risk that comes with unmanaged endpoints:

  1. The operating system of home computers are often neglected. They could be lesser versions of Microsoft Windows or MacOS and haven’t received critical updates or patches.

  2. The software or settings that we introduce into corporate environments to safeguard our computers aren’t implemented with unmanaged endpoints.

  3. Disaster recovery options on unmanaged endpoints is challenging because data may be stored on the local hard drive of these machines. There may not be any data backups.

  4. Privacy and confidentiality of corporate data may also be at risk because, again, such data is stored on an unmanaged hard drive. Who knows if the local admin password on the PC is set to a reasonable level as to disallow root-level access.

  5. The use case of home machines are very different from business machines. There’s likely to be more risky behaviors (browsing, downloading, installing by end users) associated with these endpoints taken on by teenagers and children.

  6. The networking equipment - like the home router and wifi access point - likely hasn’t been patched, updated, or even its root password rotated from its default setting.

And all of this spells big trouble for the small business.

The challenge is to transform these unmanaged assets into managed ones, and, to inspect the networking environment for potential risks and, well, you know … do something about it!

We help small business use technology better. That includes three critical solutions to help protect small business while distance-working.

  1. Ongoing Endpoint Monitoring and Protection.

  2. Online Backups.

  3. Remote Support.

Our Endpoint Monitoring and Protection software reports vulnerabilities back to us so we can take corrective action. It turns an unmanaged endpoint into a managed one. It helps identify areas where the operating system may be vulnerable, or, when somebody installs a risky program. It also includes an antivirus, anti-malware, safe browsing, and intrusion protection system that counters typical threats to a user’s machine.

Our Online Backup solution is all about recovering the company’s data in addition to the user’s data while they’re using their own PC for company business. In the event of failure or if their machine is hit by a ransomware, we can recover the user’s data to a restored machine.

Our Remote Support is part of what we offer. It’s a human eye to look at the user’s network and can make recommendations to improve their security posture. We can red-flag issues that are unmitigated risks so that they can be dealt with; otherwise, we can help safeguard the remote employee with a few simple changes. And of course, if the user gets in a jam with their tech, we’re there to help so they can get back to work.

In all, our approach is to mitigate risk to the small business and to the employee by taking preventative measures. Instead of just reacting to failure - hoping that everything is okay with an unmanaged asset - we help our clients move beyond hope. We help small businesses have confidence in their ability to function and serve their customers.

That’s how we add value.

R

Read More
Management, Info System Security Russell Mickler Management, Info System Security Russell Mickler

Small Businesses At Increasing Risk of Cybercrime

Sure, there's been a lot of chatter about the OPM hack recently. But let's not forget how vulnerable the small business is to cybercrime, either.

This week, the US Office of Personnel Management admitted that over 5.6 million fingerprint records were stolen in a hack perpetrated earlier in the year; that's significantly larger than what they first imagined was 1.1 million compromised records.

If your head is reeling from the enormity of such a breech, and if you somehow figure that only large corporations or government systems are the target of serious hacks, think again. Recent reports show that small/micro businesses aren't doing enough to protect themselves, either.

Phishing attacks, credit card fraud, virus infections, data compromises; malware, espionage, password compromises, shareware exploits. Sage recently released a good infographic claiming that up to 90-percent of data breaches impact small firms, and that 30-percent of businesses under 250 employees are the intended targets of cyberattacks; 1 in 5 small businesses fall victim to cybercrime every year, and 60-percent of those affected businesses go out of business.

Half way through 2015 and cyber risks continue at an alarming rate. The criminals continue to become more sophisticated and have quick ‘go to market’ capabilities ...
— Carolyn Schrader, Cyber Security Group, Inc.

The bottom line is that thinking about information system security isn't just for the enterprise: it's something every mom and pop shop should be doing, too. We can't fool ourselves. Larger corporations may provide a more inciting, data-rich environment, but the reality is that small businesses don't secure their systems in the way corporations would, which makes them easier targets. They don't have the talent or expertise to understand the safeguards they're implementing, let alone verify their suitability and functionality.

And if we somehow believe that free software downloaded from the Internet will solve our problems, we should probably think again. Every small business owner or manager should be finding a trusted cybersecurity partner. Mickler & Associates, Inc. - a computer security consultancy in Vancouver, WA - is uniquely positioned to help small businesses improve their security posture and audit their safeguards. Learn more about how we could help you today.

R

Read More
Strategy, Info System Security Russell Mickler Strategy, Info System Security Russell Mickler

There's No Such Thing as Privacy

What is Privacy?

This image of a button makes it look so easy,  doesn't it?

Well, first off, privacy doesn't exist. Privacy is a subjective feeling in that there's no specific measurement anyone can use to suggest absolute privacy; what is private to one party may be inherently public to another.  

All the word means that it's a state or condition that we believe is free from observation or eavesdropping. In terms of technology strategy, privacy reflects the confidence we have in systems to protect confidential information about individuals.

Let's break a few of those components down for a minute.

  • Confidence. Yet another subjective feeling, confidence reflects how assured we feel that our safeguards are thorough, comprehensive, and resilient to attack. Example: we have confidence in a deadbolt on our front door to protect us from an intruder; we have confidence that a locked file cabinet will prevent unauthorized inspection of classified data. Confidence reflects only our intellectual and emotional trust in our safeguards.
     
  • Systems. These are the policies, processes, training, controls, and automation that we've put in place to guarantee outcomes, to provide us with greater assurance that privacy can be maintained. Systems help ensure confidence.
     
  • Individuals. In technology, we collect information all the time. That information is usually aggregated and reflects many anonymous data points that help paint a picture over a problem. This kind of data and its collection yields competitive advantage: we want this data, need it, collect it, and utilize it, to maximize profitability for shareholders. That's different than the information of individuals which is specific and representative of personal details that uniquely identifiable. It's about understanding what uniquely identifiable information we maintain and what we're responsible for.

 

So, in terms of information sciences, we look at privacy as an artificial and subjective construct. It's not an absolute thing - flip a switch, a button to press, and, hey: your stuff is private! Rather it's a feeling that we have that the systems we've put in place give us the confidence that information about individuals remains confidential.

The degree to which that feeling can extend is relative.

  • If you want a feeling of maximum assurance and the highest confidence, we must come to thoroughly understand the information of individuals we maintain, and, to implement very rigorous systems to control it.
     
  • If you want reasonable assurance and reasonable levels of confidence, we implement the bare minimum of systems to protect and control the information in our care. 
     
  • If you're unsure of what information you're responsible for, and, aren't aware of the systems put in place to protect it, then your confidence is misplaced - you're blindly believing everything is okay. You've taken no action to understand what you're responsible for, then you can't have any reasonable expectation of privacy.

 

Further, privacy isn't a defined thing in the United States. It isn't even a right. There isn't a consensus in this country of what degree of systems are sufficient, what specific information about individuals should be confidential*; there's nothing written into the Constitution or Bill of Rights that guarantees citizens a right to privacy (in fact, just the opposite, with the 1st Amendment); aside from a smattering of Federal and State laws, case law has attempted to define what privacy actually means. In this country, there is a limited legal framework that defines what is private and what your obligations are (as a business owner) to maintain it.

So privacy isn't a right; what information about individuals should be private hasn't been universally defined; safeguards to elevate confidence haven't been universally defined; privacy is just a subjective feeling. 

Beyond that, there is not an absolute economic imperative behind privacy.  It won't improve shareholder equity; it won't return on investment. You're simply investing in safeguards. And for individuals, implementing inconvenient systems to safeguard their privacy may be perceived as too tedious or time consuming. Why should any business or individual what to do something that costs money, delays action, or causes irritation, when the payoff seems so limited?

So surely, privacy doesn't exist. It's a feeling that resides only in our minds.

Yet, ephemeral as privacy may be, the recent data breach from the Federal OMB affecting 7-percent of all Americans should remind everyone that the threats are real and the impacts are material. Indeed, a return on privacy does exist in the form of damages, losses, trust, and reputations. 

The question is: in witnessing this massive failure of privacy within the Federal Government, will you - today - overcome your base assumptions about your company's safeguards, verify their integrity, and implement stronger safeguards, as to validate the confidence that you have in systems that keep the personal private information of individuals confidential? Will you change your habits as an individual? Or, will you keep doing what you've always been doing, presuming your systems and habits should never have to change?

R

* With exception to some classified forms of information determined by Federal and State Governments. Example: Data subject to the Federal Privacy Act, FERPA, HIPAA, GLB, Matter Subject to State Data Breach Laws, etc. These pieces of information have been defined as classified and there are system requirements to raise our confidence levels.

Read More