Law Firms Hot New Target for Hackers

The legal industry is facing its most challenging obstacle to date and it’s not from judges, court cases, the mafia, felons or any of those things you might guess. Instead, these attacks against law firms are coming from hackers. Once viewed as impenetrable to hackers, today’s law firm is just about as likely to be hacked as any other business.

John Sweeney of LogicForce explains: “Law firms are the subject of targeted attacks for one simple reason,” he recently said. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

His comment highlights a growing problem for the legal industry. Each day, they are faced with new and practically unstoppable cyber-crimes. One of the most startling aspects of this troubling trend is that many times, the law firm doesn’t even know it’s been hacked. A 2016 study done on this topic showed that 40 percent of the law firms that were breached had no idea that a crime had been committed. This is disturbing on several levels.

If you’ve recently done business with a law firm, there is a possibility that your business, personal and/or financial information could already be in the hands of hackers on the other side of the world.

A global problem for law firms

The fourth largest law firm in the world, Mossack Fonseca, lost 11.5 million files from its database. The information was eventually shared with journalists, the BBC and newspapers. This offshore law firm specializes in helping wealthy clients hide their money. The documents that were leaked contained highly sensitive information about wealthy clients and their offshore tax schemes.

Mossack Fonseca’s client base also included national leaders and well-known politicians. The documents that were leaked held clear evidence of how and where large amounts of money were hidden by illustrious leaders like Vladimir Putin. Embarrassing revelations were made public, such as how the father of British prime minister David Cameron had been avoiding paying taxes in Britain for many years. Any law firm would find it difficult to recover from such a devastating breach of security.

Solving the problem

For most companies who are breached by cyber thieves, the recovery process begins with contacting those who were affected while stopping any other data leaks. With law firms, this process usually begins with helping the firm to find out whether they’ve already been a victim of a cyber-crime. This requires experts in cybersecurity who will run a series of tests looking for specific anomalies. Once they find out whether data has been lost, the experts will recommend a course of action. This typically includes securing the data so that no other intrusions will occur, while notifying those who were affected.

Law firm hacking on the rise

In spite of all the hype about hacking and cyber-security, a new report says that 14 million businesses were, in some way, affected by cyber-crimes last year. The experts believe that the reason the number is so high is that most small business owners do not believe they are at risk. This is also true of most law firms. They simply think they are exempt from data breaches. This leaves them even more at risk because they are unprepared.

Senior attorneys don’t fully understand how hacking is done and what types of weaknesses a hacker looks for. The principals at a law firm are often not up to date on the latest techniques that hackers are using. This leaves them defenseless. If you want to defeat an enemy, you must first learn everything you can about that enemy. Very few people, including attorneys, understand the science behind hacking.

In addition, lawyers use a wide range of devices from smartphones to laptops and desktop computers. Each device is a potential gateway for cyber-thieves to enter and steal information. With the Internet of Things (IoT) now growing, even appliances in the break room can be hacked.

The recent rise in law firm breaches proves that professionals are still not fully aware of the dangers lurking around us on the internet. Attorneys may be reluctant to spend the money and time on a security team that will come in and create the proper security protocols. But waiting to see will place all customer data at risk. People often tell their attorney sensitive information that could harm their clients in many ways. A data breach is embarrassing and hard to explain to those clients who have entrusted you with personal information.

Preparing for data breaches

A good place to start for a law firm that does not have proper security in place is the American Bar Association’s guide. This comprehensive document includes a great deal of information about preventing cyber-attacks. It also addresses ways to respond once an attack has occurred. Employees should be trained about phishing attacks and this training must be ongoing because the method that hackers use evolves with each new attack.

The managers at a law firm can begin by engaging an outside IT security expert that specializes in legal data. The team of security experts will assess your current level of protection against intruders, then recommend new initiatives. They should institute a regular training program that teaches employees how to spot phishing attacks in emails. Even trained employees may get careless, but continual training helps everyone to remember how important it is not to click on suspicious links or give away passwords.

What a law firm can do today

Many law firms are also writing their own policies about password protection, log-in credentials, and web-surfing. Once you have policies in place that your employees are aware of, you can begin to enforce them and this will help to eliminate threats. Your onsite IT people should be checking weekly for patches and updates to software. New updates should be downloaded as soon as possible.

Regardless of the time and expense of these security initiatives, the alternative could be devastating. One of the most important assets a law firm has is its reputation. Once a data leak has occurred, it’s too late. Legal professionals must do everything possible to prepare and prevent these leaks.

There’s every reason to believe that this digital age will continue to expand across the world. Businesses and the legal industry are facing unprecedented challenges for the future, but there are solid remedies that work. It all begins with realizing how vulnerable you are and how important it is to protect your client’s information. Regardless of the cost, the alternative is just too costly.

How to Simplify Microsoft Outlook 2016

Microsoft Office 365 now has over 60 million active users each month and has become a favorite of large and small business owners. Just about every task that business people complete each day can be accomplished using Office 365. From Excel spreadsheets to professional word processing, users say they get more done with Office 365.

Their flagship email program is Outlook and this program can handle much more than your average email tasks. It integrates perfectly with the other Office 365 programs and it features a similar look and feel. The “Ribbon” that everyone has become so accustomed to has many of the same commands as you might see in Word. That makes it much easier to learn how to become an expert user.

Outlook 2016 features so many good shortcuts and handy tricks to make every project go smoother. However, sometimes users simply want to sort through their emails, answer them and move on to something else. For those times, you can follow a few easy steps to create a much more streamlined Outlook experience.

Simplifying the Home Page

The home page of Outlook 2016 contains six major areas. The ribbon runs across the top, then across the middle are four sections. On the far left is the folder pane, next is the Inbox and then the wider section is your reading pane. On the far right is the calendar. Here’s where you can set appointments. Down below, across the bottom is a new area that Microsoft has recently incorporated in the design called the Navigation Pane. This area contains links for your Mail, Calendar, People, Tasks, and More.

This new area replicates some of the other areas on the page. Therefore, you can just close the whole right-hand section where the traditional calendar is located. To do this, simply click on the small “X” in the upper right-hand corner. This makes the Calendar area disappear. When you’re ready to restore that area, simply click that X again and the pane reappears.

In addition, you can minimize the whole Navigation Pane by clicking on More (represented by dots). Select “Navigation Options” from the drop-down list. A small dialog box appears where you can check the box that says, “Compact Navigation.” This reduces the Navigation Pane to small icons that are barely noticeable. They will still work the same as the original, only now they’re inconspicuous.

Following along that same concept, you can also remove the left-hand pane which contains your folders. Now, you’ve effectively reduced the Home Page from six sections to three. This is a good idea for anyone who just wants to comb through their emails, see what is important and respond. Your attention is no longer drawn away by a busy-looking page. Now things appear much simpler. If you need to look at any of the sections you’ve removed, it’s very easy to restore each section. For the folders, you can click on the word “folders” and they will appear until you click the word again. In many Microsoft programs, hovering over a word or section causes additional information to appear. This is a good way to learn more about a section or get a quick look at what is contained in an area. These pop-outs usually appear when you hover over them and then disappear once you move your cursor.

Working with the Ribbon

The Ribbon in Outlook 2016 contains four major tabs with various tools available. It’s easy to remove the Ribbon if it seems distracting. Simply click on the arrow on the far right side and this collapses the Ribbon. The keyboard shortcut for this action is Control+F1. If you need to quickly show the Ribbon, then click on the View tab and it will appear until you click away. It’s often just that easy to make a section appear or disappear. This makes it fast to remove areas you might not need and it’s a good method of personalizing your Outlook program.

If you’d like to just completely get rid of the Ribbon, there’s an icon in the upper right-hand area next to the question mark. Click on that and you’ll see that there are three options for the Ribbon. You can Auto-Hide, Show Tabs or Show Tabs and Commands. The last one is the most commonly used. The other two allow you to have as much of the Ribbon at the top as you need. If you click on Auto-Hide, the whole Ribbon disappears, leaving you with a very clean-looking page that deals only with your Inbox and Reading Pane. You can quickly move through emails or read over longer emails that require more attention. When you need to temporarily view the Ribbon, just place your cursor over the colored bar at the very top and the Ribbon will reappear.

Personalizing your Program

Once you get the hang of how easy it is to close and open areas, you can adjust your Outlook email program so that it displays only those things that you work with most often. Microsoft purposely builds software programs that can be easily modified by the user to give each person their own personalized experience.

One thing that many users probably know but may forget is that all Microsoft programs have one thing in common: you can right-click in whatever area you’re working and get a list of options. Often, on this list, you’ll see the action you want to take, thus preventing you from having to completely restore an area of the page. This is a quick, easy way to accomplish almost any task.

Reading Emails

The new Outlook also allows you to click on “Reply” and then start typing your email. There’s no longer a new window that appears. This has proven to be a huge time-saver. Let’s say you’ve clicked reply but you want to add some bolding to your typing or use a larger font. Highlight the text and the font section appears next to your typing. This works exactly the same as it does in Word. You can quickly change fonts, colors, add underlines or bolding, highlight text or even add indenting to your paragraph. If you right-click the Inbox, you’ll see a different set of commands that pertain only to the Inbox.

Attachments can be viewed just by clicking on them. If you’re reading an email that has a Word doc attached, just click it once and it opens in the Outlook program. If you double-click on the attachment, it will open up in Word. This is also true for PDF attachments. This can save lots of time if you only need to take a quick look at an attachment someone sent with their email.

Keyboard Shortcuts

One of the big time savers in all Office 365 programs involves learning the keyboard shortcuts. People who use these daily say that it improves their speed and prevents them from losing focus. If you print them out and keep them handy, you’ll quickly learn the most commonly used ones. Below are a few that everyone uses in Outlook, but there are many more that you could learn if you want to be an over-achiever:

  • Alt+S: send email
  • Ctrl+R: reply to email
  • Ctrl+M or F9: Send/Receive all
  • Alt+R: reply to all in email or switch to work week calendar view
  • Ctrl+G: open the “Go to date” dialog and jump to any date in the calendar
  • Alt+W: forward email or switch to weekly calendar view

More Shortcuts

Press Ctrl + [the place number of the item] to switch between email, contacts, calendar and other items in Outlook. This is a quick way to move from one task to the next. Create a reminder by pressing Ctrl + Shift + N. This creates a virtual sticky note that you can drag anywhere on the screen.

When setting appointments go to your calendar and just type a phrase like, “next Thursday” or “one week from now” and your calendar will automatically open there.

You can block annoying emails that you don’t want to receive by going to Home>Junk email options and selecting the sender you wish to block. View long emails as a conversation by clicking on the message and then selecting View>Show as Conversation. Flag a message for further inquiry by pressing the Insert key to toggle the flag off and on.

Learn to Make Outlook Work for You

Outlook 2016 includes so many great time-savers like these. If this is a program you use daily, it’s a good idea to become a pro at using them. You can cut precious minutes from your busy day simply by learning how to streamline and personalize Outlook. As Microsoft continues to update its Office 365 programs, they will build in many more shortcuts. They’re easy to learn and the company offers a number of great video tutorials and training videos to help even a novice learn all the helpful features.

Hacking Alert – An Employee Of Your Manufacturing Company May Be Sending Intellectual Property To a Criminal and Not Know It!

Your manufacturing company is in the crosshairs of hackers. Cyber-spies are using backdoor viruses to steal intellectual property from businesses like yours.

According to Verizon’s 2017 Data Breach Investigations Report, these cyber-spies are supported by nation states.

  • 620 data breaches hit the manufacturing sector last year, and 94% were committed by state-affiliated actors.
  • 91% of the intellectual property (IP) that was stolen was proprietary data owned by manufacturing businesses.

China in particular expanded their state-sanctioned hacking of US manufacturers in 2017. It’s expensive to do the R&D necessary to design and build a product. It’s a lot less costly just to steal it. Nation-state cyber-espionage is the predominant cause of breaches in the manufacturing industry.

In February 2018 the Worldwide Threat Assessment of the U.S. Intelligence Community confirmed that some nation-state actors are continuing to use cyber attacks to “acquire U.S. intellectual property and proprietary information to advance their own economic and national security objectives.” They say that advances in manufacturing, particularly the development of 3D printing, almost certainly will become even more accessible to a variety of state and nonstate actors and be used in ways contrary to our interests.

The problem is that while manufacturing increasingly involves high-tech processes, in many cases manufacturing businesses don’t have the right IT security in place.

40% of manufacturing security professionals say they don’t have a formal IT security strategy in place. And 37% say they don’t have an incident response plan. This makes manufacturing businesses a prime target for hackers who want to steal IP.

A Backdoor Could Be Secretly Leaking Your IP

The Verizon report reveals that most computer intrusions in the manufacturing industry began with a spear-phishing email that was sent to a company employee and which contained a malicious link or attachment. The malware comes in the form of a backdoor that gives the hacker secret remote access to the computer.

A backdoor is a hidden technique where a technology system’s security is bypassed without anyone knowing, so a thief can steal data. Hackers use backdoors to install malware, modify code or detect files, and gain system and data access. Any connected device in the manufacturing process is at risk.

Social engineering and malware-based cyberattacks combined for a whopping 73 percent of all data breaches in the manufacturing sector last year. Spies favor email phishing techniques with malware to compromise victims.

A recent article in the CIO Journal stated: “Almost any connected device, whether on the shop floor in an automated system or remotely located at a third-party contract manufacturer, should be considered a risk.”

Manufacturers aren’t asking their Technology Service Providers to perform cyber risk assessments on technology they use on the factory floor. If they did, these backdoors could be detected and “closed.”

This is a nightmare that will only get worse if manufacturing companies don’t perform their due diligence where IT security is concerned. If this doesn’t scare you, these statistics should. In 2017:

  • 21 percent of manufacturers lost intellectual property to hackers.
  • Four of the top ten cyberthreats facing manufacturing organizations are caused by their employees.
  • 28 percent of manufacturing organizations lost revenue due to cyber threats.
  • Over 35% of manufacturing executives believe IP theft was the primary motive for the cyber attacks in their businesses.

To change this paradigm requires buy-in from leadership. However, although the manufacturing industry is focused on innovation, updating and enhancing technologies on the factory floor is a cumbersome, slow process. Hackers know this.

It’s time to protect your intellectual property. Develop a cyber-risk management program with the help of your Technology Solutions Provider. They can do a complete IT risk assessment and detect if there are any backdoors installed on your systems.

The right Technology Solutions Provider (TSP) will customize an IT strategy for you that includes protection for your intellectual property.

Data Security: With ever-increasing threats from cybercrime, your manufacturing business requires risk assessments, data protection, data recovery, staff awareness training, and maximum security of your critical data. You must be able to backup, protect and recover your proprietary and confidential information. To do this, you should outsource your disaster recovery and backup solutions to an expert TSP who will analyze your current state of preparedness and offer guidance on potential courses of action.

Disaster Recovery/Business Continuity: You must be able to recover data after a power outage, disaster, or when IT services are compromised. This requires backing up data to a secure, offsite location so it can be retrieved anywhere you have an internet connection. This way, your employees can continue working.

The right TSP will:

  • Develop and deploy a complete Business Continuity and Disaster Recovery Plan, a customized program to integrate the policies and procedures into your corporate culture, and conduct training sessions to ensure all employees are comfortable with procedures.
  • Maintain an on-going program designed to ensure the validity of the Business Continuity and Disaster Recovery Plan and keep the plan up to date and communicated to all key personnel.

Security Enhancement Via Continuous Monitoring and Maintenance: The right TSP provides continuous monitoring to remotely view your technology network, identify risks and halt IT attacks and breaches. They will address IT issues before they cause downtime or data loss.

Identity and Access Management: They will help you comply with security and regulatory requirements, allowing only authorized individuals to access confidential information.

Virtualization—Servers, Desktop, Storage, Applications, Data Center: Virtualization in information technology refers to the use of virtual servers, desktops, storage devices, applications, and computer network resources. It allows you to virtualize your entire IT infrastructure or specific aspects of it. Virtualization simplifies technology to promote security and efficiencies and reduce costs for your manufacturing business.

The right Technology Solution Provider will ensure the security of your intellectual property. They will also be available 24/7 to provide the specialized and customized IT Service and Support you need to succeed.

New Threat Alert From The FBI – Password Spraying

7 Steps To Protect Yourself

You probably use a number of personal identification numbers (PINs), passwords, and passphrases to get money from ATMs, to use your debit card when shopping, or to log in to your personal or business email. Hackers represent a real threat to both your personal and business password security and confidential information. Now, these criminals are using a technique called Password Spraying to steal your information.

Password Spraying

According to information derived from FBI investigations, malicious cyber actors are increasingly using password spraying against organizations in the United States and abroad. In February 2018, the Department of Justice in the Southern District of New York indicted nine Iranian nationals, who were associated with the Mabna Institute, for computer intrusion offenses. However, password spraying isn’t limited to this group. Other hackers are using it to gain access to both personal and business confidential information.

Manhattan U.S. Attorney Geoffrey S. Berman said: “Today, in one of the largest state-sponsored hacking campaigns ever prosecuted by the Department of Justice, we have unmasked criminals who normally hide behind the ones and zeros of computer code. As alleged, this massive and brazen cyber-assault on the computer systems of hundreds of universities in 22 countries, including the United States, and dozens of private sector companies and governmental organizations was conducted on behalf of Iran’s Islamic Revolutionary Guard. The hackers targeted innovations and intellectual property from our country’s greatest minds. These defendants are now fugitives from American justice, no longer free to travel outside Iran without risk of arrest. The only way they will see the outside world is through their computer screens, but stripped of their greatest asset – anonymity.”

How Does Password Spraying Work?

Password spraying is a type of brute force attack where hackers guess passwords to gain access to your IT system. With traditional brute force attacks, the criminal uses one username with multiple passwords. Employing a lockout functionality, which locks the criminal out after a set number of login attempts, is an effective means of dealing with traditional brute force attacks.

However, with a password-spray attack (also known as the “low-and-slow” method), the malicious cyber actors use a single password against many accounts before moving on to another password. They continue this process until they find one that works. This strategy works for them because they can avoid account lockouts. It circumvents lockout functionality by using the most common passwords against multiple user accounts until they find one that works.

Password spraying targets single sign-on (SSO) and cloud-based applications using federated authentication. A federated authentication identity provides single access to multiple systems across different enterprises. Criminals target federated authentication protocols because doing so disguises their activities and ensures their anonymity.

Attackers use password spraying in environments that don’t use multi-factor authentication (MFA), rely on easy-to-guess passwords, or use SSO with a federated authentication method.

 

Your Email Is Also At Risk

Hackers also prey on email accounts that use inbox synchronization (which pulls emails from the Cloud to inboxes on remote devices). Malicious actors use inbox synchronization to obtain unauthorized access to your organization’s email directly from the Cloud. Then they download email to locally stored files, identify your company’s email address list, and secretly apply inbox rules to forward your sent and received messages to them.

The United States Computer Emergency Readiness Team (US-CERT) details how hackers use password spraying, what you should watch out for, who is at risk, and the impact this type of attack can have on your organization.

Your Technology Service Provider can explain this to you and your employees in plain language, and help you protect your organization against password spraying and other attacks.

Traditional Tactics, Techniques & Procedures

  • Using social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, downloading the Global Address List (GAL) from a target’s email client, and performing a larger password spray against legitimate accounts
  • Using the compromised access, attempting to expand laterally (e.g., via Remote Desktop Protocol) within the network, and performing mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators That You’ve Been Attacked

  • A massive spike in attempted logins against the enterprise SSO portal or web-based application;
  • Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String).
  • Attacks have been seen to run for over two hours.
  • Employee logins from IP addresses resolving to locations inconsistent with their normal locations.
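
The indicators above can be turned into a simple check over sign-in logs. The following is an added example, not code from US-CERT, the FBI or this article: it groups failed logins by source IP and User Agent string and flags any source that fails against many different accounts while staying under the lockout threshold on each. The log format, thresholds and sample lines are assumptions constructed for illustration.

```python
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: timestamp, source IP, "user agent", account, result.
# IP addresses are from documentation ranges; none of this is real data.
SAMPLE_LOG = """\
2018-03-27T09:00:01Z 203.0.113.7 "python-requests/2.18" alice FAIL
2018-03-27T09:00:02Z 203.0.113.7 "python-requests/2.18" bob FAIL
2018-03-27T09:00:03Z 203.0.113.7 "python-requests/2.18" carol FAIL
2018-03-27T09:00:04Z 203.0.113.7 "python-requests/2.18" dave FAIL
2018-03-27T09:00:05Z 203.0.113.7 "python-requests/2.18" erin SUCCESS
2018-03-27T09:00:06Z 203.0.113.7 "python-requests/2.18" frank FAIL
2018-03-27T09:20:01Z 203.0.113.7 "python-requests/2.18" alice FAIL
2018-03-27T09:20:02Z 203.0.113.7 "python-requests/2.18" bob FAIL
2018-03-27T09:05:00Z 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0)" grace FAIL
2018-03-27T09:05:10Z 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0)" grace FAIL
2018-03-27T09:05:25Z 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0)" grace FAIL
2018-03-27T09:05:40Z 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0)" grace FAIL
2018-03-27T09:06:00Z 198.51.100.20 "Mozilla/5.0 (Windows NT 10.0)" grace SUCCESS
"""


def parse_line(line):
    """Split one log line; shlex keeps the quoted user agent as a single field."""
    ts, ip, agent, account, result = shlex.split(line)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, agent, account, result


def detect_spray(log_text, window=timedelta(minutes=30),
                 min_accounts=5, lockout_threshold=3):
    """Flag sources whose failures span many accounts but few tries per account.

    A forgetful user or a traditional brute force hits ONE account many times
    and trips the lockout; a spray hits MANY accounts a few times each.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, agent, account, result = parse_line(line)
            by_source[(ip, agent)].append((ts, account, result))

    findings = []
    for (ip, agent), events in by_source.items():
        events.sort()
        failures = [(ts, acct) for ts, acct, res in events if res == "FAIL"]

        # Slide a time window over the failures and keep the window that
        # touches the largest number of distinct accounts.
        best = Counter()
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            in_window = Counter(acct for _, acct in failures[start:end + 1])
            if len(in_window) > len(best):
                best = in_window

        if len(best) >= min_accounts and max(best.values()) < lockout_threshold:
            findings.append({
                "source_ip": ip,
                "user_agent": agent,
                "accounts_targeted": sorted(best),
                # Any account this source DID log in to needs a reset and review.
                "successful_logins": sorted(
                    {acct for _, acct, res in events if res == "SUCCESS"}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

In the sample, the employee who mistypes a password four times is not flagged, while the scripted client that touches five accounts is, and its one successful login is listed for follow-up.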

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics:

  • Use SSO or web-based applications with the federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be set up at the user level
  • Limited logging setup creating difficulty during post-event investigations

The Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information;
  • Disruption of regular operations;
  • Financial losses incurred to restore systems and files; and
  • Potential harm to an organization’s reputation.

7 Steps You Can Take To Mitigate Password Spraying Attacks

  1. Enable MFA and review MFA settings to ensure coverage over all active, internet-facing protocols.
  2. Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
  3. Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align with company policy, creating an exploitable security gap.
  4. Many companies offer additional assistance and tools that can help detect and prevent password spray attacks, such as the
  5. Make sure your employees change their corporate passwords every 60 days.
  6. Establish a password policy that prohibits easy-to-guess passwords. Enable multi-factor authentication (MFA) for all web-based applications. If MFA practice is already in place, review current protocols thoroughly to ensure it is maintained well.
  7. Ask your Technology Solutions Provider to conduct Security Awareness Training for your employees at all levels.
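
Steps 2 and 6 call for a policy that rejects easy-to-guess passwords such as “Winter2018” and “Password123!”. The following added example (not from the FBI notice or any vendor tool) shows one way to enforce that when a password is set: it strips trailing digits and symbols, undoes common character substitutions, and compares what is left against a list of base words. The word list, the substitution table, the eight-character minimum and the organization name "Acme" are assumptions for illustration.

```python
import re

# Base words that easy-to-guess passwords are built from (assumed, not exhaustive).
COMMON_BASES = {
    "password", "welcome", "qwerty", "letmein", "admin",
    "spring", "summer", "autumn", "fall", "winter",
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
}

# Common character substitutions: P@ssw0rd -> password, W1nter -> winter.
LEET = str.maketrans("@431!0$57", "aaeiiosst")

MIN_LENGTH = 8  # assumed policy minimum


def normalise(password):
    """Reduce a password to its base word: lower-case it, drop the trailing
    run of digits and symbols, then undo character substitutions."""
    stem = re.sub(r"[\W\d_]+$", "", password.lower())
    return stem.translate(LEET)


def check_password(password, context_words=()):
    """Return a list of policy problems; an empty list means the password passes.

    context_words are organization-specific terms (company name, product,
    username) that should not form the core of a password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    stem = normalise(password)
    if stem in COMMON_BASES:
        problems.append("common word '%s' with digits or symbols appended" % stem)

    for word in context_words:
        if word and word.lower() in stem:
            problems.append("contains context word '%s'" % word)
    return problems


if __name__ == "__main__":
    for candidate in ["Winter2018", "Password123!", "P@ssw0rd1",
                      "Acme2018!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, ["Acme"]) or "ok")
```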

The FBI Reporting Notice

The FBI would like you to report any suspicious or criminal activity to your FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov.

Your report should include:

  • The date,
  • Time,
  • Location,
  • Type of activity,
  • Number of people affected,
  • Type of equipment used for the activity,
  • The name of your company or organization, and
  • A designated point of contact.

We Provide Security in the Cloud That Keeps Law Firms Free of Embarrassing Security Breaches

The question of the hour for attorneys and law offices is clear: What do law firms need to do to make sure they aren’t making headlines with a security breach? A good follow-up to this question is, who provides security in the cloud that keeps law firms free of security breaches that can cause reputation damage and even liability?

For {company}, that’s an easy one to answer.

We provide all the security in the cloud for law firms who want to stay free of data breaches.

How do we do this?

Well, it begins and ends with a strategic IT manager like {company} who can successfully guide you to Total Data Security in the Cloud that provides round-the-clock data protection.

What Do Law Firms Need to Know About Cloud Computing?

Cloud computing, broadly defined, is a category of software and services delivered over the Internet rather than installed locally on a user’s computer.  The cloud offers a variety of potential advantages including:

  • Low upfront costs.
  • Easy mobile access.
  • Simple setup and configuration.
  • Built-in disaster preparedness.

Because cloud computing places data, particularly client data, on remote servers outside of the lawyer’s direct control, it also gives cause for some concern regarding client confidentiality and the applicable rules of professional conduct.

We’ve collected a variety of excellent resources from the ABA Legal Technology Resource Center and the ABA Law Practice Management Section to help you address the questions and concerns you may have regarding cloud computing.

Why Do Law Firms Need Security in the Cloud?

Every law firm has two major challenges. One of them is the storage of the sheer volume of data their business creates and the other one is the protection of that data, via security in the cloud and other systems. The last few decades have seen a rise in technology which has presented very solid solutions to these challenges (if you know where to find them).

A small computer disk, for instance, can hold terabytes of data inside an enclosed drive. If that seems like too much, the cloud has offered an off-site solution to the problem that eliminates hardware maintenance. Before these solutions came along, information could only be saved on paper that filled boxes and boxes.

Security in the cloud is a much more complex challenge. Before, you could lock those boxes of papers in an office, turn on the burglar alarm and go home. Someone would have to physically go there and break into your office to steal that information, and it would be noticeable when they walked out carrying boxes.

Now, all that’s required is some knowledge of computers and software, and someone can hack into that material from afar. They don’t even have to be in the same country, much less in the same city or neighborhood. Therefore, the unintended consequence of a solution for one problem has resulted in the creation of another, yet much more serious problem: the loss of data security.

Now the technology must be managed systematically and monitored very closely. That is why law firms need security in the cloud – and, we propose, managed IT services via a trusted IT partner.

Security in the Cloud Advantages for Law Firms

Here are some advantages of having a Managed Service Provider or MSP handle your IT and cloud security needs:

Given the nature of the information that law firms are entrusted with, security can’t be overemphasized. Breach of that information can ruin lives, sometimes irreparably. That means damage to your professional reputation as well as the bottom line. So how can managed services for law firms prevent that from happening? By being proactive. Your core business is to provide legal services to your clients.

Worries about security in the cloud and in your IT systems should be the last thing on your mind. That’s why we’re there to prevent viruses and any other suspicious activity that might bring your systems down. Our software applications can raise alerts whenever something unusual is taking place inside your networks.

With secure cloud computing, you also get:

  • Accessibility: As an attorney, you need to have the ability to access your files anytime and from anywhere. Let’s say you are in a court and suddenly you discover that an important document is needed. You should be able to retrieve that on-demand from any device you carry. Managed IT could have all the files available to you through in-cloud storage.
  • Compliance Regulations: Law firms deal with a lot of client information that is protected by law. For example, HIPAA has very stringent regulations protecting medical records. Laws provide for stiff penalties and fines if the security of those records is breached (by Covered Entities and Business Associates alike). Outdated software and hardware may expose those records to hackers because your in-house IT team is behind with updates.
  • Multiple Offices: Many law firms operate from more than one location. IT managed services can bring uniformity and the necessary coordination between multiple sites. Your in-house IT team may not have the ability to do that or the budget to maintain it. Also, some firms that work in coordination with other organizations may allow access to some of their systems. Your IT management company should be able to ensure that other firms’ systems don’t create risks for your network because of lack of compatibility or security flaws.
  • Outsourced Technical Experience: You may know the law, but you can’t be expected to also keep up with ever-evolving technology, can you? New complexities are emerging, such as Bring Your Own Device (BYOD) to work, which must be implemented if businesses want to survive in a very competitive environment. It is also important for revenue growth due to the efficiencies it brings to your environment. As a law firm, it is in your best interest that you let an MSP take care of your IT needs.
  • Better Growth Management: Your law firm probably started with a couple of computers, printers, copiers and a fax machine. It was easy to take care of all your hardware. Also, during those good old days, nobody was trying to hack into your computers. Your business is now growing. You have a staff of dozens and many desktops, servers, and software packages. Every day it gets increasingly difficult to keep track of new technologies. So, having managed services with cloud security services is not negotiable, really. It has become a necessity for the revenue growth and business continuity of law firms nationwide.
  • Monitoring: One way for your law firm to avoid critical breakdowns and security breaches is through 24/7 monitoring. This is the surefire way to avoid and control security breaches, viruses and hacker attacks, but it isn’t something a small firm can do on its own. It requires the presence of 24/7 labor plus investment in exceptionally sophisticated software as well as hardware. This sort of investment is not practical for smaller firms.
  • Business Continuity: In the long run it makes good financial sense to have someone who is proactively monitoring your systems day and night, preventing system breakdowns, especially with extremely sensitive information on your computers and servers. You do not want to wait for disaster to strike to fix the problem. Some of the damage may be irreparable. In addition, breakdowns are costly in terms of lost productivity and business disruption. MSPs like ours specialize in BDR (Backup & Disaster Recovery), which is important for minimizing downtime and maintaining business continuity.

In short, the peace of mind that an MSP can provide will not come from the “break-fix” computer services guys – it’ll come from seasoned experts who can objectively assess and remedy all IT contingencies, long-term.

Get Your Law Firm Security in the Cloud It Can Trust.

9 Time-Saving Tricks for Microsoft Outlook 2016

Microsoft Office 365 offers a number of useful tools for today’s busy professionals including some new shortcuts for Outlook 2016. With so many companies now using Outlook as their major email program, Microsoft works to improve its operation with each annual update. A number of the great features in this program are also found in other MS Office programs. For instance, if you’re familiar with Word, then learning how to use Outlook will be much simpler.

New Changes for Outlook 2016

Using Outlook 2016, you can do a lot more than send and receive emails. You can also manage your calendar, set appointments, schedule meetings, and create/manage groups. In addition to being able to set up various types of groups, you can set up groups in Yammer. Yammer has become a central place where teams can exchange files, get updates and have conversations with others.

In Outlook 2016, distribution lists are now known as contact groups. Though the instructions for setting up each type of group vary a bit, they’re very similar. Users can find the instructions for setting up each type of group online or by using the F1 key in Outlook. The new Outlook has many helpful features like this to make your workday go smoother and help you improve efficiency. Below are our top 9 Tips and Tricks for getting the most out of Outlook.

One-Turn Off Notifications

There are several ways to turn off notifications in Outlook. This is an easy way to stop all those interruptions that prevent you from getting your work done each day. Go to the taskbar and click on the triangle. The programs that are already available will show up. Right-click the Outlook icon and you will get a list of things you can do. One of them is turn off notifications. Uncheck the box that says “Show New Mail Desktop Alert”. If you have Outlook open, you can also go to File>Options>Mail. Here, there are many options. Click on, “Turn off notifications”. You can also personalize your mail client here. Most workers report that they’re a great deal more efficient with notifications turned off.

Two-Setting up Meetings Automatically

One of the favorite shortcuts in Outlook 2016 is the one for setting up a meeting. There are actually several good ways to do this. Drag an email from your Inbox to the Calendar icon at the bottom of Outlook. This will automatically set up a meeting. You can turn any email into a meeting by doing this. Another effective method: with your email open, click on “Reply with meeting”. This is found on the ribbon in the “Respond” group. Clicking on “Reply with meeting” will send out an invitation to everyone who was addressed in the email.

Three-Blocking off Some Private Time

We all need private time each day to get special projects finished or just take a breather from a busy day. An easy way to do this is to pull an email into your calendar to block off some time, perhaps an hour or so. You might need to read a proposal or document sent by someone. You might simply want a few moments of peace and quiet. The blocked off time appears as a meeting in your calendar so that coworkers can see that you are busy and will not disturb you.

Note that you can now set the time simply by typing the numbers. You don’t have to type the colon and a.m. or p.m. Type a number, such as “11” and the program fills in the time as 11 a.m. This can be a real time-saver. You can also enter the time in military time. For instance, type 800 for 8 a.m. and 1600 for 4 p.m. No matter how you type it, the time will automatically update so that it looks correct.

Four-Ignore Button

We all get emails that are not important but they still take valuable time to look over and they can clog up your Inbox with correspondence that isn’t relevant to what you’re doing. Let’s say you’ve been getting emails and reminders about an upcoming luncheon for your department, but you know you will not be able to go on that particular day. So open one of these emails and click on the “Ignore” button. From then on, you will not see any emails about that topic.

Five-Quick Access Toolbar

Customize this toolbar located at the very top left portion of Outlook. You can add the commands that you most often use so that they’re handy. This can be done in any Microsoft Office program. Go up to the very top left portion of the screen where you’ll find the quick access icons. Click on the triangle at the end. This opens a drop-down list. One of the options is “more commands.” Once at this dialog box you can filter commands by clicking on:

  • Popular commands
  • Commands not in the ribbon
  • All commands
  • Macros

Choose whatever commands you most frequently use and add them to your Quick Access Tool Bar. For instance, work offline allows you to work without the constant interruption of emails and notifications from team members. This can be helpful if you are up against a tight deadline and every moment counts. Experiment with various ones and you’ll soon find your favorites.

Six-Instant Messaging a Group

This is a good way to get a fast answer from team members who may be involved in an important project with a fast-arriving due date. Open your last email about this topic or from one of the members of the email. Next, click on IM>Reply All. This will send out a response as an instant message. Team members who are online will get notified immediately via instant message.

Seven-Quick Steps

Quick Steps is a handy way to set up an email message so that several actions are taken in one step. The message can be marked as read, flagged and then moved to a specific folder. Quick Steps can be used to set up one or more emails and you can set it up with any combination of steps that you want to be completed with one click.

You can set up certain emails to go into specific folders. You can also set up a folder for a special project and then designate which emails will automatically go into that folder. This is an easy way to organize emails by project title or by the supervisor who is in charge of the project. There are many ways to arrange them.

Begin by clicking on “More”, found in the Ribbon, then “Manage Quick Steps”. You can do this for existing or new emails. To create a new Quick Step, go to the Quick Steps portion of the Ribbon (found in the middle area) and click on “Create New”. In “Edit Quick Steps” you can choose a category and then create a new action. There is almost an endless number of steps you can accomplish with one quick step and that’s the goal of this timesaver. It allows you to take multiple actions with just one click. For instance, copy an email, pre-populate the “Send to” line, and include information that’s constant throughout similar emails. With daily use, you’ll become a whiz at making this timesaver work well for you.

Eight-Set Automatic Replies

Did you ever go on vacation and forget to set up your automatic email for your vacation? This happens to everyone. To avoid this happening, go ahead and set up your Vacation Out of Office email weeks ahead of time.  Go to the file menu and click on send automatic replies, then fill in the dates and times when you will be leaving and when you will return. You can set up a message for both external and internal emails. By setting this up in advance so that it’s ready to go when you are, you won’t have to worry about forgetting or having to do it at the last minute.

Nine-Search Mailbox

All email programs now have a search box that allows you to search through your emails using a single word or phrase. It’s much easier to find all your emails pertaining to any name or topic. Once you click on “Search”, this opens a whole menu of Search tools that can be helpful if you know certain things about the email. You may be looking only for emails with an attachment; specify that in search tools. If you know a name and that the email had an attachment, this can filter your results even more.

Getting Help

These are just a few of the many ways that Microsoft Outlook 2016 will help you get all your work done without too much extra labor and stress. Learning these shortcuts, tips, and tricks can help you modify Outlook so that it’s customized just for you. If you take a little extra time each day to learn one Time Saving Tip, you’ll get the most out of the program. In addition to the articles and tutorials found at Microsoft, you can also find hundreds of YouTube videos that will show you exactly how to do something.

Of course, within Outlook or any Microsoft program, you can get help by pressing F1 or clicking on the question mark in the upper right-hand corner. Type a few words about what topic you need to get instructions for, such as how to use Quick Steps and a whole list of helpful instructions will come up. Once you get Outlook 2016 set up and organized especially for your workflow, you’ll find that Outlook can be a great tool to help you get more done each day.

Microsoft Outlook Tips

Starting a New Company? Doing Business in the EU? Don’t Forget the GDPR! The May 25th Deadline Is Right Around The Corner!

If you don’t know what the GDPR is, and if you’re not ready for it, you’d better read on or watch our webinar on demand by clicking here.

GDPR

The General Data Protection Regulation goes into effect May 25, 2018. It’s a privacy law the European Union is enforcing to protect the personal data you collect from the individuals you do business with. Even if your company isn’t in the EU, if you do business there you must comply.

What Data Does The GDPR Cover?

The GDPR applies to personal data you collect from the individuals you do business with. This means from the time you collect it and as long as you keep it. This includes data like names, email addresses, physical addresses, and even IP addresses – anything you collect and add to your database including information from surveys, questionnaires or quizzes. If you segment information in your CRM database, it includes this too.

The GDPR Protects:

  • Information such as names, addresses, and ID numbers
  • Web data such as locations, IP addresses, cookie data and RFID tags
  • Health and genetic data
  • Sexual orientation
  • Biometric data
  • Racial or ethnic data
  • Political views

What Businesses Does The GDPR Affect?

It affects any organization that stores or processes personal information about EU citizens who reside in the EU. For example, it covers any businesses:

  • Located in the EU.
  • Located anywhere in the world that collects the personal information of EU citizens located in the EU.
  • Businesses of any size.

Does It Apply To Startups, Businesses With Only One Or Two Employees Or Businesses Outside the EU?

Yes. Even if you’re in the U.S., an entrepreneur or a one-man (or woman) office, you still must comply. The GDPR will apply to any relationship or business transaction in the EU no matter where you are, or how small your business. It’s based on where the people you’re collecting data from are located. Plus, if your business is in the EU and you’re collecting data from someone in the U.S., you must also comply. Essentially, any data collected in the course of doing business to or from the EU must adhere to the GDPR regulations.

And here’s what most businesses don’t know! The GDPR applies to collecting personal data EVEN IF YOU GIVE SOMETHING AWAY FOR FREE. It doesn’t necessarily apply to paid-for products. If you collect personal data for business purposes for ANY REASON, you must comply. Once you save a name or information in your database, you must follow the GDPR regulations.

Are You Unknowingly Collecting Personal Data?

If your business has a Facebook, LinkedIn or Twitter page, and you gather personal information from people in the EU (or if you’re in the EU and collect personal data from anyone, anywhere) you must comply. For example, if your business is in the U.S. and you have an ad on one of these social media pages, and a person from the EU responds with their personal information, you must comply with the GDPR. Even if you add a disclaimer saying what you’re advertising is only for people in the U.S., and someone from the EU provides their personal data, you’re not exempt. You must comply.

More Rules You Must Follow

  1. Process data lawfully, fairly, and in a transparent manner. In other words, you must be open about what data you’re collecting and what it’s for.
  2. Data must only be collected for explicit, legitimate and specified purposes. You must be able to explain why you’re collecting it and how you plan on using it.
  3. Data collection should be limited for legitimate purposes. In other words, if you don’t need someone’s address for the specific reason you’re collecting personal information, you shouldn’t collect it. And, once you collect the data it can only be used for its intended purpose.
  4. You must keep the data up to date and ensure it’s always correct. This applies especially to businesses like Facebook and Google and others like them.
  5. You shouldn’t keep this data longer than necessary. If you’ve completed the project or sale, and don’t need the data for marketing purposes, you must erase it all.
  6. Data must be kept secure with appropriate data protection solutions and kept behind a secure wall and encrypted. You should already be using SSL certificates and adhering to other security policies. (Ask your Technology Solutions Provider to help you with this.)

What About Soliciting Leads?

The personal information you collect from leads for marketing purposes also falls under the GDPR rules. This means that you must get their consent. And this consent should be given freely and applied for specific and clear purposes.

This also means that you can’t automatically add personal information to your marketing lists if someone fills out a form. You must get their consent to do this. Plus, you can’t require that they give you their personal information for something you’re giving away (like a webinar registration or a free white paper, or another freebie).

AND EVEN MORE CONFUSING is the fact that you can’t require that they be added to your list to obtain the free item. The only way you can require that individuals give you the authority to keep their personal information is if they purchase something from you.

The rules aren’t totally clear, but you may be able to send a nurture sequence after someone downloads your free item. (This is called expanded processing.) However, what you must consider is the link between the reason for the collection of the information, the purpose for expanding the process, and the potential consequences of doing this.

What About Existing Lists?

The GDPR regulations also apply to your CURRENT lists. If you can’t prove that you have specific consent to store or use their personal information you will be in breach of the GDPR rules. If you don’t have this consent, between now and May 25, you must get it to keep their personal information. You’ll want to do this if you plan to re-engage with these individuals.

Begin by segmenting your list into two parts:

  1. Non-EU individuals
  2. Individuals from the EU and any of unknown origin (treat these as if they are in the EU)

Many email service providers can help you with this.

You should delete anyone from your lists who hasn’t provided consent by May 24th. You cannot store or process this information without their explicit consent.

Many businesses are running re-engagement campaigns to the individuals who need to provide fresh consent. You can no longer offer a lead magnet to EU citizens and add names to your marketing lists without consent.

What About Technology? Are There Changes You Should Make To Your IT Infrastructure?

The following are steps your organization should take to prepare your technology for the GDPR.

  • Perform a thorough inventory of your personally identifiable information (PII) and where it’s stored, whether in onsite storage or in the Cloud, and determine in which geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
  • Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
  • Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
  • Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for organizations of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.” This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
  • Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Technology Solutions Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

If a breach occurs, and you have all these processes properly in place, you should be able to meet the GDPR breach notification 72-hour period. The organizations that have met most of the International Organization for Standardization information security requirements should also be ready for the new regulations.

Don’t Forget To Publish Your Privacy Policy

You need this regardless of whether the GDPR applies, but it’s a MUST now. Along with the EU, California laws are very stringent in this regard.

The following is a sample Privacy Policy:

PRIVACY POLICY – YOUR PRIVACY RIGHTS

Effective Date: {effective date}

Last updated: {last updated}

This Privacy Policy applies to the sites and apps where it appears.

This Privacy Policy describes how {company} treats personal information collected through the websites and applications where it appears (sometimes referred to collectively as our “website”) and how {company} treats personal information transferred pursuant to the E.U.-U.S. and Swiss-U.S. Privacy Shields.

{company} serves its client base in and around {location} from our office(s) in {address}. We may also refer collectively to these entities as “we” or “us”. This Privacy Policy applies only (1) to personal information collected through the websites and applications where it appears, including the sites and apps for our brand, as well as information collected at our call center pursuant to the E.U.-U.S. and Swiss-U.S. Privacy Shields. This Privacy Policy does not apply to information collected through other channels.

Your Consent

Please review this Policy before using this website or mobile app. By using this website, you are consenting to the collection, use, and disclosure of your information as set forth in this Policy. If you do not agree to be bound by this Policy, you may not access or use this service.

We collect information from and about you.

We collect contact information. For example, we might collect your name and email address. We may also collect your phone number or mailing address.

We collect demographic information. We may collect information such as your gender, age, and language preferences.

We collect payment information. For example, we may collect your credit card number for products or services.

We collect business information. For example, we collect contact and other relevant information about your business if your business signs on for our services, or if your employees or agents use a corporate account to do business with us.

We collect information you submit or post. For example, we collect feedback about our services that you submit to us. We also collect information if you apply for a job.

We collect other information. If you use our website, we may collect information about the browser you’re using. We might look at what site you came from, or what site you visit when you leave us. We may collect your precise, real-time location using GPS, cell phone towers, Wi-Fi signals, and/or beacon technology (including Apple’s iBeacon), and/or future technologies. We might look at how often you use an app and where you downloaded it. We collect this information using the tracking tools described below and in compliance with the applicable local law. To control those tools, please read the choices section below.

We collect information in different ways.

We collect information that you give to us. For example, if you sign on for our services.

We collect information about you automatically. Where permitted by law we use tracking tools such as browser cookies and web beacons to collect information from you. We collect information about users over time when you use this website.

We may have third parties collect personal information this way. We also collect information from our mobile apps.

We get information about you from third parties. Where permitted by law, we may share information with third parties with whom we do business. We may get information from persons acting on your behalf. We may also get information from social media platforms and advertising and analytics providers.

We combine information. For example, we may combine information that we have collected offline with information we collect online, to the extent covered by the transactional purpose or your consent. Or we may combine information we get from a third party with information we already have.

We use information as disclosed and described here, subject to any consent required by applicable law.

We use information to respond to your requests or questions. For example, we will use your information to provide the services you request, such as to fulfill a request for IT services or solutions, or to ask you to participate in a customer survey. Where legally permitted, we may use your personal data to personalize your experience with us. We might use your information to respond to a question about our services or products. We use social security numbers and tax ID numbers to process tax documents.

We use information to improve our websites and services. We may use your information to make services better. We might use your information to customize your experience with us. Where legally permitted, we may combine information we get from you with information about you we get from third parties.

We use information to administer our site and for internal operations. For example, we may aggregate or anonymize your information for analytics, research or other business purposes.

We use information for security purposes. Where legally permitted, we may use your information to protect our company, our customers, and our websites.

We use information for marketing purposes. For example, we might send you information about new services or special offers. We might tell you about new IT solutions or updates. These might be third-party offers or products we think you might find interesting. If you register with us, we’ll send you our promotional emails. We obtain consents as required by law before marketing to you. To manage this, read the choices section below. We may also use push notifications on our mobile apps.

We use information to communicate with you about your account or our relationship. We may contact you about your account or for feedback. We might also contact you about this Privacy Policy or our Site Usage Terms and Conditions.

We use information as otherwise disclosed or permitted by law.

We may share information with third parties.

We will share information with our branch offices unless legally prohibited. For example, we will share your information to facilitate services or to customize offers to your preference.

We will share your information with data processors that perform services on our behalf. For example, we share information with vendors who send emails and other communications for us. We also share information with companies that help us operate our sites or run promotions and advertisers and advertising networks that assist us in marketing and advertising our products and services. Some vendors may be located in a country other than where you live. We may also share information with analytics and search engine providers who act on our behalf.

We may share information with our business partners unless legally prohibited. For example, we might share information with third parties who co-sponsor a promotion. Some of these partners may send you information about product or services by mail or email where legally permitted or based on your prior consent.

We will share information if we think we have to in order to comply with the law or to protect ourselves, our customers or others. For example, we will share information to respond to a court order or subpoena, or in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Or, when required by law, we may share your information if you are the winner of a contest or other contest with anyone who requests a winner’s list. We may share information in order to enforce our Site Usage Terms and Conditions or other agreements and to protect the rights of others. We might share if we are investigating potential fraud. This might include fraud we think has happened during a promotion.

We may share information with a successor to all or part of our business. For example, if part of our business or assets is sold, we may disclose user information as part of that transaction.

You have certain choices about sharing and marketing practices.

You can opt out of receiving our marketing emails. To stop receiving our promotional emails, you can visit your account settings on the site or follow the instructions in any promotional message you get from us. Even if you opt out of getting marketing messages, we will send you transactional messages. These include responses to your questions.

You can control participation in our iBeacon program. iBeacons are electronic devices that broadcast signals that can be received by mobile devices on which one of our mobile apps is installed. If you have voluntarily installed one of our apps on your device, and if you have granted permission for the app to track your location, then iBeacons installed in our offices may send a signal to the app on your device about the precise, real-time location of the device. The app may use this information to deliver special offers and promotions to you, at a time and place when the information is most relevant. As a convenience to you, receipt of the iBeacons signal and delivery of the special offer or promotion may occur even if you are not currently using the app. To make our mobile apps and services operate better, we may also collect other information based on iBeacon signals, for example, the strength of the signal between the iBeacon and your device, the duration your device is near the iBeacon, or the battery level of the iBeacon itself. To avoid having us receive or use your precise, real-time location, do not opt-in to location services. If you did opt in and have changed your mind, you may opt out of location services through your device settings or by deleting the app.

You can control cookies and tracking tools. To learn how to manage how we – and our vendors – use cookies and other tracking tools, please visit: INSERT LINK

You can control tools on your mobile devices. For example, you can turn off the location services or push notifications on your phone. Choices you make are device specific.

EU and Switzerland Residents.
Information about European Union and Switzerland residents may be sent to the U.S., where it is processed in accordance with this Privacy Policy and our Ad and Cookie Policy, the E.U.-U.S. and Swiss-U.S. Privacy Shields. {company} complies with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland (please note that the Privacy Shield principles do not necessarily apply to the collection, use, and retention of personal information from other countries). {company} has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. The Federal Trade Commission shall have enforcement jurisdiction over {company}’s compliance with the Privacy Shield. {company} may have potential liability in cases of onward transfer to third parties. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov/.

Inquiries and Enforcement of Compliance.

In compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Principles, {company} commits to resolve complaints about your privacy and our collection or use of your personal information. European Union and Switzerland residents with inquiries or complaints regarding this privacy policy should first contact {company} at the address provided below.

{company} has further committed to refer unresolved privacy complaints under the E.U.-U.S. and Swiss-U.S. Privacy Shields to the American Arbitration Association, http://go.adr.org/privacyshield.html. Finally, in certain limited circumstances and as a last resort, it may be possible for individuals to invoke binding arbitration before the Privacy Shield Panel to be created by the U.S. Department of Commerce and the European Commission.

Please note that if you are not a European Union or Switzerland resident, then Privacy Shield requirements regarding the handling of complaints may not apply to you and Privacy Shield enforcement mechanisms may not be available to you.

Russian Citizens.
In accordance with Russian Federal Law “On Personal Data” No. 152-FZ we collect, record, systematize, accumulate, store, update (renew and modify), and extract personal data about Russian citizens using databases located in the territory of the Russian Federation. If you indicate that you are a citizen of the Russian Federation, we will process your personal data in compliance with this requirement and your profile will be maintained on databases in the Russian Federation. If you do not indicate that you are a citizen of the Russian Federation, we are not able to process and maintain your personal data under these requirements and will not be liable for that. You are solely responsible for indicating the country of your citizenship. Information containing personal data of Russian citizens may be transmitted from the Russian Federation to countries that ensure an adequate level of protection for personal data, including member states of the European Union and other countries which Russian law recognizes as ensuring adequate protection, and also to other countries that may not ensure an adequate level of protection for personal data. By submitting information to us on our sites and apps, submitting forms to us, or registering on our sites, programs, and apps, or scheduling services, you grant us consent to process your personal data.

Your California privacy rights. 
If you reside in California, you have the right to ask us one time each year if we have shared personal information with third parties for their direct marketing purposes. To make a request, please send us an email at {email} or write to us at the address listed below. Indicate in your letter that you are a California resident making a “Shine the Light” inquiry.

Our sites and children.
Our sites and apps where this Privacy Policy is found are meant for adults. We do not knowingly collect personally identifiable information from children under 18 without permission from a parent or guardian. If you are a parent or legal guardian and think your child under 18 has given us information, you can contact us at {email} or write to us at the address listed at the end of this Privacy Policy. Please mark your inquiries “COPPA Information Request.” Parents in the United States, you can learn more about how to protect children’s privacy online at www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online.

We use standard security measures. The Internet is not 100% secure. We cannot promise that your use of our sites and apps will be completely safe. Any transmission of your data to our site is at your own risk. We encourage you to use caution when using the Internet. This includes not sharing your passwords.

We retain data. We keep personal information as long as it is necessary or relevant to the practices described in this Privacy Policy. We also keep information as otherwise required or permitted by law.

We store information both in and outside of the U.S. Information we collect from you may be transferred to or stored at, a destination in the United States or another destination outside of United States. It may be processed by staff operating in these locations who work for us or one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services. If you live outside of the United States, you understand and agree that we may transfer your information to the United States. U.S. laws may not afford the same level of protection as those in your country.

We may link to other sites we don’t control. If you click on a link to a third-party site, you will be taken to a website we do not control. This Privacy Policy does not apply to the privacy practices of that website. Read the privacy policy of other websites carefully. We are not responsible for these third-party sites or their policies.

Feel free to contact us if you have questions. If you have questions about one of our branches or the information it retains, please contact it directly. If you have any questions about this Privacy Policy, or if you want to correct, update, reasonably access or delete your information with us, please email us at {email}.

For your safety and ours, we may need to authenticate your identity before fulfilling your request.

We may update this Privacy Policy. 
From time to time we may change our privacy policies. We will notify you of any material changes to our Privacy Policy as required by law. We will also post an updated copy on our website. Please check our site periodically for updates.

© 2018 {company} All rights reserved.

I know this is a lot to consider and to do. But you must make GDPR compliance a priority. Contact us if you need more information or assistance.

Are Local Businesses Ready For GDPR?

As of May 25th, 2018, if local businesses aren’t ensuring the highest possible level of data privacy, they’re risking serious financial consequences. The General Data Protection Regulation (GDPR) is coming into effect. What does this mean? All local businesses MUST be ready to take security more seriously than ever before. The EU Parliament approved GDPR in April of 2016 with enforcement set to start in a couple of weeks on May 25th, 2018.

Who Must Comply with GDPR?

All businesses storing or processing data of people living in the European Union must comply, regardless of where you’re located in the world. The EU is very consumer-focused and always has been. As data travels beyond the borders of the EU, GDPR is designed to help protect citizens as any company, anywhere in the world, is bound by its rules as long as they’re holding data on citizens.

Businesses of all types and sizes – from small one or two person shops to multi-national corporations – must comply. There are no exceptions. For those businesses already complying with the Data Protection Act (DPA), they’re one step closer to being in compliance with GDPR.

What’s the Risk of Non-Compliance?

Local companies who fail to comply will face fines – up to $24 million OR 4% of annual global turnover, depending on which number is higher. In addition to fines, local companies who fail to comply will also face the devastating impact of reputational damage as most consumers won’t feel comfortable working with a company that doesn’t prioritize data privacy.

What Do Local Companies Need to Know About GDPR?

First and foremost, local companies need to know that compliance is not optional. Every organization should become familiar with the provisions of GDPR so they’re aware of the requirements.

Here are a few key facts to know about GDPR:

  • Strict parameters must be followed to receive consent for the use and/or storage of data. These parameters require an easily accessible form and withdrawing consent must be simple.
  • The right to be forgotten enables consumers to request their personal data be deleted and/or erased immediately with all third-parties halting any processing of said data.
  • In the event of a breach, notification must be done within 72 hours of becoming aware of the breach. This means all affected parties must be notified and offered information on the incident.
  • Consumers may request to receive their personal data, in order to transmit said data to another data controller as needed. Companies must ensure data is easily accessible to provide upon request.
  • Data protection must always be considered when designing any system or solution, which means it cannot be an afterthought or addition done after the system or solution is designed.
  • Specific protection is in place for children as they are generally more vulnerable. When storing data relating to or involving children, parental consent must be received for children up to age 16.

Essentially, local businesses will have to review their marketing processes in terms of data mining and remarketing. However, those who have already prioritized data privacy will have less work to do to ensure compliance.

What Steps Must Be Taken to Ensure Compliance?

  1. Assess what needs to be done: Review all requirements of GDPR to understand how the provisions impact your company and/or which departments will be affected.
  2. Perform a complete audit: Audit what personal data is collected and stored, where the data came from, and who the data is shared with, then record your processing activities.
  3. Update all privacy notices: Privacy notices must be updated to communicate how personal data will be used and collected, as well as explaining the lawful basis for processing personal data.
  4. Verify data accessibility and portability: Verify that access requests can be accommodated in 30 days and data can be received in a commonly used, machine-readable format.
  5. Review instructions for receiving consent: These instructions will help you properly seek, record, and manage consent for the use and/or storage of data.
  6. Work with all third-party providers: You can be held responsible for breaches resulting from non-compliance on a third-party provider’s part, so work with email service providers, CRM providers, and more.
  7. Educate every single staff member: ALL staff members must be educated in case they come into contact with information relating to customers.

Lastly, make sure you’re working with a trusted team of technology experts who can help you put all of the tips above into action. You almost certainly WILL require some changes to your information technology environment in terms of how data is stored and processed. A good {city} IT support company will help with this.

You need a technology services company {city} businesses trust to help them comply with GDPR. {company} is that technology services company. Call us now at {phone} or email us at {email} to get started.

Is Your Technology Company Talking to You About GDPR Compliance?

The European Union’s General Data Protection Regulation goes into effect on May 25, 2018. Many U.S. and Canadian businesses have been working hard to meet the new GDPR guidelines, but it’s not clear if others have the technology in place to notify individuals that their data was breached within the required 72-hour period. This is one of the primary components of the 2018 GDPR. No matter how you look at it, three days can go by very quickly when it comes to sending out data-breach notifications, especially if you haven’t planned in advance.

Watch Our Free GDPR Training Online

Many U.S. and Canadian businesses, even large enterprises, don’t always plan ahead and, instead, operate in a reactionary mode. Security professionals in the U.S. and Canada are concerned: the mandatory 72-hour GDPR breach-notification period has them worried because they don’t think most businesses are prepared. The U.S. doesn’t have a national data-breach notification requirement. However, most states do require notification within 30 to 45 days. If businesses don’t comply, they will be fined 4% of their global revenue up to $20 million. Plus, the consumers whose data is breached can file class-action suits against them for noncompliance.

Experts know that the GDPR is something to take very seriously.

They believe that the regulators in the European Union will impose the largest fines they can and that they’ll make an example of organizations that lack compliance, and will do so within the first 90 days of the breach. This is much like what the U.S. Health and Human Services/Office for Civil Rights does with their “Wall of Shame” and HIPAA breaches of personally identifiable information (PII).

The GDPR requirements apply to any organization that does business in Europe and collects personally identifiable information on European citizens. It doesn’t only apply to large multi-national corporations; it applies to any business that has 250 or more employees. Smaller companies are typically exempt, except in the case where a data breach results in a risk to the rights and freedom of individuals, isn’t an occasional occurrence, or where the processing of data includes special categories like those relating to criminal offenses or convictions.

The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016. It set a higher compliance standard for data inventory, a defined risk management process, and mandatory notification to data protection authorities.

Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization.  They must be prepared in advance to respond to security incidents.

Is your technology ready for the GDPR?

Smart CIOs and CEOs in the U.S. and Canada have been preparing for the GDPR for the last year. And many larger enterprises, especially those that regularly do business in the European Union, have seen this on the horizon for a while and have taken advantage of the two-year implementation period to seriously prepare for GDPR. These organizations are ready and won’t need to worry that they can’t meet the 72-hour notification deadline. Many U.S. financial organizations and banks are already prepared as they are accustomed to notifying regulators and customers, and they have the IT infrastructure in place to respond quickly. Plus, banks in the U.S. have been functioning under more stringent regulations since the 2007-2008 financial crisis. They’re already well prepared.

The following are steps your organization should take to prepare your technology for the GDPR.  

  • Perform a thorough inventory of your personally identifiable information and where it’s stored (in onsite storage or in the Cloud), and determine in which geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
  • Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
  • Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
  • Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for organizations of any size. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.” This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
  • Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Managed Service Provider makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

If you have all these processes properly in place, you should be able to meet the GDPR breach notification 72-hour period. The organizations that have met most of the International Organization for Standardization information security requirements should also be ready for the new regulations.

Unfortunately, many organizations won’t do this, simply because they’re not educated about the new GDPR, or they’re so busy they don’t think they have the time to make it a priority. Some think that the GDPR doesn’t apply to them. And others who don’t undertake proactive technology methods, in general, simply “bury their heads in the sand.”  These organizations have waited too long now to make the May 28th deadline. Hopefully, yours isn’t one of them.

10 Major Reasons Small Businesses Are Still Vulnerable To Malware Attacks

We have seen firsthand the common errors and oversights that lead to infections and intrusions – and we want to help your business learn from those mistakes.

When it comes right down to it, cybersecurity best practices are not nearly as complicated or confusing as they seem on the surface. That’s not to say that security is simple, but rather that the best precautions have more to do with common sense and practicality than anything else. Yes, the software and safeguards you choose matter, but the best way to avoid something like malware damaging your business is to be smart about all aspects of your cybersecurity – not just the technological parts.

Here are the 10 main reasons businesses like yours are still at serious risk of suffering a malware attack.

1) You Still Think It Can’t Happen To You – Smaller businesses have a habit of assuming that just because they’re not a Fortune 500 company, a cybercriminal would have no interest in disrupting their operations or stealing their data. In reality, that couldn’t be further from the truth. It takes minimal effort on a hacker’s part to successfully target an SMB that has invested very little in its IT security, letting them use your business for practice or sport, and profit off of your stolen data. Most of the new malware variants are automated and target ANY business that lacks protection from a particular vulnerability.

2) Threats Evolve Faster Than You Realize – Like any other aspect of technology, malware and other cyber threats are constantly changing and evolving. Hackers are continually coming up with new ways to target businesses, and are creating more advanced threats. If you’re not up to date on the latest malware strains and zero-day exploits, you very likely have a gaping hole in your cyber defenses. This level of vigilance is all but impossible to achieve without full-time IT security staff at your disposal.

3) Your Staff Isn’t Up To Date With Security Best Practices – Your employees are both your best defense and your biggest weakness. Just about every cyber threat out there relies heavily — if not entirely — on the unwitting assistance of someone inside your organization to be effective. If your staff isn’t well-educated on security best practices and offered ongoing training and information to keep them up to date, any number of threats can target your business with ease.

4) Your Policies And Protocols Are Lacking – Your policies need to focus on more than just password control. At the minimum, you should have two-factor authentication and access controls in place to protect mission-critical data. By tightly regulating access to your files, folders, and systems, you can reduce the odds of unauthorized users getting their hands on your data or finding a way inside your network.

5) You’ve Got Major Exposure To Multi-Vector Attacks – A standard firewall or antivirus will only protect your network against certain types of infections or attacks. If your security measures and protocols don’t take into account email, web browsing behaviors, file sharing, and network activity, your defenses won’t hold up under a multi-vector attack.

6) Your Technology Is Too Complex For Your Administrators To Manage Effectively – When you leave the responsibility for your business’ cybersecurity in the hands of a single in-house IT person or designate a staff member the administrator of these systems, you could be setting your business up to fail. A solid IT security system is far too complex for a single individual to manage on their own. Automating as much of your cybersecurity as possible can help to lighten the load, but these systems still need oversight to run effectively.

7) Your Systems And Software Are Out Of Date – An alarming number of malware infections — including the now-infamous WannaCry ransomware virus — use pre-existing system or software exploits to gain access to targeted systems. More often than not, security experts are aware these exploits exist, and release patches and updates designed to rectify the problem long before a hacker figures out how to make use of said exploit. However, if you’re not keeping on top of these patches and updates, you’re essentially propping a door open for a cybercriminal to waltz right through.

8) You’ve Got Zero Network Visibility – If you’ve got little to no idea about what’s going on inside of and around your network, it’s more than a little difficult to spot threats. Network monitoring tools can quickly detect both internal and external threats, and contain them before they can cause damage.

9) You’ve Got Lackluster Data Backup Practices – The most terrifying malware infection to date has been ransomware, and no other infection makes a better case for the importance of data backups. Without current and complete backups available for your business to restore from – specifically offsite backups that are insulated from threats that target your network and systems – it’s next to impossible to survive a ransomware attack. Businesses that don’t have reliable and up to date data backups to count on will typically close their doors within six months of a major data loss incident.

10) You’re Falling Short Of Compliance Requirements – Any compliance regulations your business is subject to – whether that be HIPAA, PCI, or any other industry-specific guidelines – will make strict recommendations for security. Simply by working to make sure you’re meeting these requirements, you can take a huge step towards better cybersecurity practices.

At the end of the day, great cybersecurity is not impossible to achieve. Often, it just comes down to having the right support in place. The true value of working with an MSP like {company} comes not from the specialized tools and support we can offer, but from the guidance and advice you can only receive from experienced and knowledgeable technology professionals who understand your world, and the threats present in it.

Want to learn more about the industry-leading cybersecurity solutions and support we have to offer? Contact us at {phone} or {email}.