Cape Cod Community College Hit With $800,000 Phishing Attack

Cape Cod Ransomware Attack

Hackers Know How to Steal Money Anonymously

In West Barnstable, Massachusetts, Cape Cod Community College recently fell victim to a phishing scam that resulted in the school losing more than $800,000. The money was taken out of the school’s bank accounts. While this kind of scam is common these days, there are measures a business can take to prevent it. In the case of Cape Cod Community College, experts believe endpoint security solutions using next-generation technology would have prevented the monetary loss for the school.

The hackers of today are quite sophisticated, and if a business falls victim to one of their scams, there is often very little it can do about it. Hackers know how to remain anonymous and leave few, if any, digital footprints to follow. This means the likelihood of recovering one’s money is slim to none. That is why it is so vital to prevent these things before they happen by using the proper technology.

The president of Cape Cod Community College, John Cox, revealed the financial loss from the digital theft to the staff and faculty of the school in an email on December 7. By working with the bank at which the school’s accounts were held, the school has been able to recover about $300,000 of what was stolen, which is more than most smaller businesses would be able to do. It is unlikely they will be able to recover the entire $800,000, but they might be able to get some more of the money back by working closely with the bank, as they are doing.

Details of the Digital Theft

Cox gave an interview with a local newspaper after informing the workers at the college of the theft. In the interview, he revealed many interesting details about the theft, including:

  • The email that allowed hackers access to the school’s bank account information appeared to come from another college, so it seemed safe to open the attachment that came with it.
  • After opening the attachment, the person who initially opened the email believed the attachment was suspicious and alerted the school’s IT department. Alerting the IT department is standard protocol at the school when it comes to suspicious emails and attachments.
  • When the IT department did a diagnostic on the attachment, they found a polymorphic computer virus embedded in it. They quarantined the virus, but it had already gotten into the school’s computer network.
  • The scammers had a fake URL that seemed to go to TD Bank, where the college has its accounts. By placing phony calls to school employees to validate transactions, the scammers were able to make nine transfers out of the college’s bank accounts, totaling $807,103.
  • The scammers attempted 12 transfers, but workers at TD Bank recognized three of them as suspicious and did not allow them to go through.
  • Cape Cod Community College had recently installed next-generation endpoint protection software, but only on some of its computer networks. If it had been installed on all of them, the hackers likely would not have been able to gain access to the school’s bank account information and use it to transfer out the money.

Other Schools Have Had This Issue, As Well

Cape Cod Community College is not the only school to have this kind of issue in recent times. In June of 2018, hackers stole around $1.4 million from 21 account holders in the Connecticut Higher Education Trust.

Hackers are not just after money, either. They are out to cripple the schools they target. Sometimes, they don’t steal any money at all, but instead, generate outages of the computers at a particular school. This happened to a college in Wisconsin in June of 2018, and it resulted in classes having to be canceled for three days because the computer infrastructure to support the classes, students, and employees wasn’t there.

It hasn’t just been colleges being targeted, either. K-12 schools are also targets. A public K-12 school in New Jersey lost $200,000 in September of 2018 in a phishing incident similar to the one experienced at Cape Cod Community College.

Technology Companies are Stepping Up to Help Prevent This

Technology companies are stepping up in light of such incidents, creating phishing simulators to help schools teach their employees to avoid allowing their workplaces to become the next phishing victims. They are also reaching out to schools to increase awareness of the need for next-generation endpoint protection software, and to help schools install and use it.

Happy National App Day: December 11th

National App Day

Even though the word App is relatively new, it has become popular in everyday terminology as its uses have changed lives in the modern world. Almost all mobile phones are now smartphones, so even those individuals who were apprehensive about using new technology now use apps on a daily basis. That is why we now celebrate National App Day every year on December 11.

What is an App?

The word “App” was listed as the word of the year by the American Dialect Society as recently as 2010, showing how quickly apps have become a regular part of society. But people already use the word so much that they don’t really think about where it comes from. While the term “app” is short for “application,” common usage has changed its meaning.

An app is actually a kind of computer software or a program, and now usually refers to a very small one used on mobile devices like smartphones and tablets. Initially, the term could have meant any mobile or desktop application, but the term has quickly evolved to conform to the way people use it. Now there are thousands of apps, and some individuals and businesses design and run their own apps to make specific tasks easier.

Kinds of Apps and Main Uses

There are three basic kinds of apps. Web Application Apps are used through a browser. Native Apps are the ones installed on mobile devices; they only work on certain devices and have platform-specific source code. Hybrid Apps have characteristics of both Web Application Apps and Native Apps.

Of course, once someone understands how apps work they can create a new one to perform specific functions. Apps are available on Google Play for Android users, Apple’s App Store, the Windows Phone Store and BlackBerry App World. There are currently millions of apps, and prices range as widely as uses. Some apps are entirely free, while others have a recurring rate.

  • Apps can be used for communication, including encrypted phone calls or video calls.
  • Apps can be used for entertainment, providing movies, books and music.
  • Travel apps provide needed information and tools, helping with everything from transportation to finding the closest restaurant.
  • Many people use apps for games, playing simple games like solitaire or complicated games with players around the world.
  • Many apps provide important tools, helping people organize their homes or perform essential functions at work.

There is no reason to think the proliferation of apps will slow down any time soon, if ever. It only remains to be seen how many people will adopt these handy tools to perform more and more specific jobs. Hopefully, people will be thinking of the endless possibilities as they celebrate National App Day on December 11.

Is Your Tech Firm Conducting Quarterly Technology Reviews?

Quarterly Business Reviews

No matter the line of business you’re in, outsourcing your IT services to a managed service provider (MSP) provides a world of benefits. Both your internal systems and your online presence will be optimized and streamlined, tech problems will be taken care of right away, and you’ll have more time to focus on what matters.

Aside from providing excellent customer care and competency in their field, great MSPs employ the best IT experts, are there for you when you need them, stay up-to-date on new technology, and … they do one other important thing.

They conduct Quarterly Technology Reviews.

What are Quarterly Technology Reviews?

Quarterly Technology Reviews, or QTRs, are meetings your IT services company regularly conducts with you to assess the effectiveness of your current tech investments and of your managed service provider itself.

A QTR occurs quarterly or four times per year, and it’s up to your MSP to book the appointment; you shouldn’t have to. When you see that your MSP is taking the initiative with QTRs, it’s a great sign that you’re working with a leading company. At a QTR meeting, you’ll be able to provide feedback to your MSP about the service they’ve been providing and the technology you’ve been investing in.

What are the specific benefits of a Quarterly Technology Review?

For you, the client, the benefits of QTRs are numerous. You’ll have an open platform to discuss any bugs or issues you’ve been having with your technology or possible problems with computer systems, email, the website, etc. Just remember that for immediate problems, you shouldn’t wait for the QTR and should merely contact your MSP right away — that’s what they’re there for.

In the end, if your MSP conducts QTRs with you, your business will see the following benefits:

  • Improved current technologies and/or the implementation of new systems where needed
  • Saved money when you limit spending where it’s not required
  • Enhanced compliance with regulations and security
  • Improved productivity
  • Streamlined efficiency

For your MSP, the most significant benefit of Quarterly Technology Reviews is showing you that they care and are monitoring your success. This goes a long way in maintaining their clientele.

QTRs also allow a tech firm or MSP to highlight your company’s return on investment or ROI (your investment being them, for the most part). As a client, they want you to be alerted to the fact that their company cares about you and that their services are worth it. Whether there are problems to fix at a QTR meeting or not, your MSP wants to reiterate that you need them.

This isn’t necessarily a bad thing for you, the client. After all, you hired them and are paying them for their services. Allow them to show off for you, and don’t be hesitant about voicing any issues you have so that they can be fixed quickly. A tech firm that conducts QTRs with you wants to keep you as a client.

When will your first QTR meeting be as a new client?

Naturally, as a new client, you won’t have a quarterly technology review right away.

Even after a few months post-contract signing, there just won’t be enough time to verify that your new systems, technologies, and other implementations are working correctly and providing you with the necessary benefits.

Therefore, your MSP will likely schedule your first QTR for at least 90 days after you go live.

But keep in mind that your MSP shouldn’t wait too long to conduct your first QTR. After all, the first review meeting is the most important because most problems will have become evident at this time.

While you can certainly contact your MSP right away whenever you need them throughout the first 90 days, as a client, it’s likely you’ll feel better bringing up issues in a formal meeting — especially when the problems are rather large or pervade several types of technology.

You want to know that your MSP is on the ball and ready to ameliorate any issues right away.

Where are most QTRs held?

In a perfect world, you’d meet one-on-one, face-to-face with your MSP for your quarterly technology review. However, this won’t necessarily be possible, and that’s probably okay.

After all, if your MSP has numerous clients and is conducting QTRs with everyone, they would always be at QTR meetings. And on your end, too, you’ve got work to do and may not have time to schedule formal sit-down meetings four times a year — just to check in on technology that’s already been established and is working.

Instead, it’s likely your first QTR will be face-to-face, if possible. If you’re a large client, your MSP should definitely make this effort. After that, however, most QTRs are held via video or phone conference.

In the end, Quarterly Technology Reviews remain one of the absolute best ways to stay in touch with your MSP about the efficacy and benefits of your current technological investments. As you search for a high-quality managed service provider in your area, be sure to ask about QTRs. Those companies who provide them are likely to take a better interest in their clients’ success — and that means good things for you.

How Does Managed IT Services Save You Time & Money?

Managed Services Saving Money

Anyone who owns or runs a business knows that there is always more work that could be done, and there are almost endless ways to improve or help the business. Running a business is a full-time enterprise, and a good leader will need to learn how to be efficient to meet the company’s goals.

The bottom line is crucial to keeping any business alive. Resources are by nature limited, so it is essential to save money without sacrificing quality or results. IT is one of the areas which, if not managed correctly, can cost unnecessary time and money and lead to problems down the road. Using managed IT services is a way that many businesses save time and money, protecting their investment while offering more efficient services.

How Managed IT Services Save You Time

As a manager, you need to spend your time on your business. Your business is your area of expertise, and other issues and problems keep you from doing the important and necessary work you do every day. Companies have become increasingly dependent on tech, using it for everything from human resources to security to finance or manufacturing. Unless your business is IT, you probably don’t know how to manage, troubleshoot and upgrade all those systems without help.

You are probably like most people, who try to fix computer problems themselves first. If your solution doesn’t work, you may have made it worse, and you will have wasted the time spent trying to diagnose your own computer problems. If you use specific IT vendors for certain tasks, you probably spend too much time talking to them and trying to get them to fix your problems.

With managed IT services, you have a system where problems are assigned to technicians who are professional in their field. They don’t spend as much time working on a solution, because they have experience with those kinds of problems and have a pool of experts to call on. Your business isn’t left waiting while you try to solve computer issues. Perhaps more importantly, your clients and customers don’t see the chaos which can be created when you are struggling with problems outside your area of expertise.

How Managed IT Services Save You Money

While your company has its own values which define it, such as the core values which define your vision, you also cannot stay in business forever if you’re not making money. That means not funneling money down an endless black hole when you encounter a security breach or a problem with your hardware or software.

When you use managed IT services, you get the benefit of all the experience your IT service has. With the best IT jobs being competitive, you can choose an IT company which has recruited the best of the best. Instead of paying these top techs full-time salaries with benefits, you only have to pay for the services you specifically order. The IT company makes sure they are compensated as needed so they can help a broader range of clients.

You can choose the level of service you want and what kinds of problems you need help with. When you need an upgrade or new software, the IT company can seamlessly install the new product and assist if training is required.

Employee Tech Preferences

Surprisingly, the people who work at your business probably already have brand loyalty as far as the kinds of tech they enjoy using. Many of those who work in business bring in their own tech when possible, or introduce tech they are already familiar with to the company. This is especially true for those who work from home.

As long as everyone is able to communicate their needs, this is actually a positive thing. If employees collaborate, they can usually find common ground and solve their problems more efficiently. Almost half of professionals or business team members have introduced technology into the workplace, meaning they brought in products which work for them and which they’re comfortable with.

Flexibility is an excellent quality to have while working out any conflicts you have when personal tech is integrated into the workflow. In the end, you may have to make compromises or force some changes. Using managed IT services may also solve some of these problems as the wide variety of experienced techs may have more familiarity with popular alternatives. The most important thing is making sure that you are taking advantage of the resources you have while giving your employees the job satisfaction they deserve.

A Quick Guide For Buying A New Home Computer

Purchasing a new home computer

Looking for a new computer for your home office?

Year-end sales and tax returns often lead to boosted sales in computers. But purchasing a new computer can feel overwhelming. The technology changes quickly and the jargon can be confusing. Here is an explanation of what you want to consider when looking at getting a new home computer.

Central Processing Unit: The faster the CPU (central processing unit), the faster your computer can complete tasks. Currently, the i5 and i7 from Intel are the best choices for average users. The i9 is likely too expensive for the value, while the i3 is pretty low end. The number of cores tells you how many processing units can work on different tasks at the same time, so getting a CPU with multiple cores is a good thing. The CPU is really the backbone of the entire computer, and an inferior processor is going to limit any other features you get. Start with a robust system.

Storage/Disk Space: The disk space on your computer is what stores your information. There are both solid state drives (SSD) and hard disk drives (HDD). The SSD is far faster than an HDD and purely electrical (no moving parts). You want to get a drive that is at least double the amount of space you are currently using, with most people getting 500GB or 1TB (1,000GB) of storage. You can also get external drives that plug in when needed and store information or pictures in a second location as a backup or to free up space on your computer.

Memory (RAM): To support newer operating systems and programs, you will want at least 8GB of RAM. This is the working memory your computer uses to handle temporary tasks quickly. If the RAM is used up because too many things are running at once, a temporary working space has to be set up in the storage system instead. Too little RAM and you will notice the sluggishness. You can’t have too much, and there are options for 24GB, 32GB, 64GB or more.

Operating System: Whether you are going with Mac or Microsoft, you will want to make sure you get an updated version on your system. For MS, Windows 10 offers Home or Professional versions. You really only need the professional OS if you are joining your computer to a corporate network. The operating system is going to dictate a lot of the programs you can use, the control you have as the computer administrator and the interface you are working with on the computer.

Support: You can get warranty protection when you are purchasing your machine. You will want to look over what the fine print says and what the warranty includes. A one-year warranty is enough in most cases—just something to make sure the computer isn’t wired wrong. A security system for anti-virus protection is also something you should have included. Some of the excellent AV systems include Panda, MS, Trend Micro, Bitdefender, Webroot, ESET and F-Secure. Watch out, because much anti-virus software is subscription-based, and you will only be given one year of a subscription before you have to decide whether you are going to pay for the security service or not.

Extras: Depending on what you want to use the computer for, you will want to consider what extra features come with your system. The optical drive is going to include CD, DVD, Blu-ray or a combo. Some computers now aren’t including drives at all since so much is downloaded, but buying an external drive is relatively cheap and plugs in quickly when you need it. Some computers come with special graphics cards for gaming or art programs. Many computers now offer WiFi connectivity, but not all provide a hardwired port for a direct internet connection. The programs you need are another point to consider and some computers will even come with some software pre-loaded. Most computer deals are really going to try to wow you with the “extras” you receive. Most of the time, the extra software is only going to be a subscription for one free year. One year after the computer is purchased, you may lose your access to those programs and have to pay to get them operating again on the computer.

If you are looking for IT support, call {company} first. We help small home businesses and large corporate offices outsource their tech for additional support as needed. Let us make your computing smoother, easier and more efficient.

Thinking About A New Home Computer? Tips & Ideas

New Computer For Home

As the year-end sale adverts come flooding into our inboxes and are delivered to us in print form, it can often be confusing as to which computer you want to buy.  Here is an explanation of most of the jargon you’ll want to compare when looking at pre-built computers.

Processor / CPU: This is the “Central Processing Unit” or otherwise the “main chip” of the computer.  The faster the CPU is, the greater the overall speed at which the computer can complete tasks.  The CPU speed is measured in gigahertz (GHz).  Modern CPUs will have a number of “cores” built into them.  Grotesquely oversimplifying it, a core is a processing unit of the CPU.  One physical CPU chip, that you can hold in your hand, will have multiple cores.  All cores work together to complete the functions the computer has to do (running Word, browsing the web) – think of the phrase “many hands make for short work”.  It’s common for a CPU to have 4, 8 or more cores.  Each core can also support multiple “threads”.  Think of a core as a person, and each person can do up to two things at once.  It’s easy to get too deep in the weeds.  You will want an Intel i5 or i7 CPU.  Intel makes an i3 CPU, but it’s low end.  Intel is on their 9th generation of CPUs: i3, i5, i7 and, new this year, the i9.  It doesn’t make sense to get an i9 CPU.  Sure, it has the fastest running speed at 5GHz, but the price relative to the speed gain is extremely high.  An i5 or i7 running at/near 3GHz+ is what you’re looking for.  AMD is Intel’s direct competition.  The CPU to look for from AMD is their Ryzen family of CPUs.

Hard Drive Storage:  Disk space for storing user-generated content (Word, Excel, Outlook files) and installing programs to is what I’m referring to here.  Not to be confused with RAM.  RAM is volatile – meaning, when you turn off the computer, everything in RAM is erased.  Disk storage is non-volatile.  The two types of disk storage are solid state drives (SSD) and hard disk drives (HDD).  SSDs are new in the past few years and are extremely fast compared to a (now what we call “legacy”) platter drive, aka HDD.  HDDs are mechanical – meaning, they have little platters that look like CDs that are enclosed within the disk enclosure, and a head, sort of like a record player, reads the content off the platter as the platter spins at 5,400, 7,200, 10,000 or 15,000 RPM.  Desktop HDDs are in the slower range of RPMs.  Even a fast HDD can’t compare to the speed of an SSD.  SSDs are purely electrical – no moving parts.  Navigating and playing an MP3 is faster than navigating and playing content on a reel-to-reel system.  Once again, mechanical vs electrical.  When looking for a new computer, spend a few extra dollars and opt for an SSD.  Storage capacity is measured in gigabytes (not to be confused with gigabits), or GB for short.  If your home PC has 1,000GB, also called 1TB (terabyte), for storage and you’re using 50% of that, or 500GB (roughly), then when you get another PC, you’ll want to get an SSD with 500GB or more.  Manufacturers are still using the “Hard Drive” nomenclature to describe SSDs as well as SSDs’ replacement: M.2 drives.  Briefly: M.2 drives are basically the same as SSDs – just a much smaller physical size and usually faster than SSDs.

Memory (RAM): With Windows 10 you’ll want at least 8GB of RAM.  RAM is the temporary work space the CPU uses to perform tasks in very quickly.  When the RAM is all used up (meaning the computer is working on a lot of different things all at once and it needs temporary space to work in), it then creates temporary working space within the storage system.  Ideally, you’ll want enough RAM to never have to use your disk storage as RAM, but oftentimes the consumer doesn’t want to purchase 24GB, 32GB, 64GB of RAM, or more, to accomplish this goal.  Years ago, when HDDs were “king”, you could always tell when the computer began to use temporary swap space on the HDD because the machine felt “slow”.  Now, with the introduction of SSDs, this is hardly ever noticed.  RAM is faster than SSDs.  RAM is also measured in gigabytes (GB), the capacity, and megahertz (MHz), the speed at which it runs.  You can never have too much RAM, but you’ll definitely feel it when you have too little.  Start with 8GB as the minimum.

Video Card:  With general business use, excluding CAD, medical and other specialized fields, the built-in video card of the computer is sufficient for use.  The exception comes in when you want to hook up multiple monitors to the computer.  It can get confusing when hooking up a new monitor to an old computer and vice-versa.  With today’s modern computers you’ll want to make use of HDMI or DisplayPort connections.  These are digital and send a very clear, crisp picture to the monitor.  If the monitor supports this format, then you’ll want cables for this.  Most computers will have the ancient VGA (analog) output port as well as a modern type of plug.  Some monitors still support VGA and some only support new hook-up types.  You’ll need to pay attention to this: computer output vs monitor input.  There are always adapters to convert if needed.  Next is the video card itself.  If the computer has discrete graphics, meaning an add-on card, it will either be from Nvidia or AMD.  In the Nvidia family you’ll want something in the GeForce 1050+ family.  In the AMD camp, you’ll look for the Radeon 500 series.  And of course, the graphics card also has RAM on it.  This really only gets important when you’re gaming or using one of the specialized fields mentioned above.  Built-in graphics, meaning the graphics chip is soldered to the motherboard, are usually of the Intel brand, but others do exist, including AMD and Nvidia.  For the Intel family of built-in video cards, you’ll want something in the 600 series.

Operating System: Windows 10 – do you go with Home or Professional?  The difference is that if you’ll be joining the computer to a corporate network, you’ll need Pro.  Otherwise, stick with Home.  There are no performance gains or losses for either version.  I doubt you’ll find a new computer with Windows on it that is not 64-bit, but I’ll just throw this in to make you aware of it.  You’ll want the 64-bit version of Windows.

Optical drive: This is in reference to your CD, DVD, Blu-ray or combo-thereof drive.  It used to be common to always include an optical drive in a new computer, but now everything is downloaded, so use of this technology is fading – fast.  More than likely the computer manufacturer will include this in their build.  If you absolutely need an optical drive and the PC you want doesn’t have it, it’s simple to buy an external unit and plug it in when needed.  If you keep important backup files on CD or DVD, you’ll have to have an optical drive (“optical drive” means it shoots a laser at the media in order to access data stored thereon; not to be confused with a hard disk drive, which uses magnetism to access data on its medium).

Office:  You will want to get Office 365 Home.  It allows you to have the Office suite of applications at your fingertips.  It allows for 5 installs of the suite using one license.  It’s $99/year.  If you don’t want the recurring payment and if staying current for the latest version of Office isn’t important then do a one-time buy of Office 2016 or latest version, 2019.  That will cost you approximately $230 to $400 depending on which Office suite you need.  These can both be purchased from the Microsoft store after time of purchase.  Amazon also carries the one-time-purchase version of Office.

Wireless:  Wireless connectivity makes connecting to your home network easy if a wire doesn’t already exist.  Wireless, by nature, will incur a slight lag in the connection compared to a hard-wired system.  Will you notice that lag?  Really only if you’re playing an online game.

Warranty Support:  Personally, I never buy the “big box” add-on warranty at time of purchase.  The only warranty I will ever get is from the manufacturer.  If purchasing your computer directly from the manufacturer, read the fine print on what each warranty plan includes.  Normally, a one-year warranty is enough: if the PC doesn’t die within 90 days of turning it on, there is a strong chance it will live many more years.  This used to be especially important and true of computers with legacy HDDs.  If the price is good on the warranty, go for it.  With Dell, and probably with others, you can buy a machine from a big box store and then purchase an additional warranty from Dell just as you could if you were to have bought from Dell direct.

Anti-Virus:  Go with a good anti-virus (AV) system right off the bat.  What are good anti-virus systems?

Webroot, ESET, Panda, F-Secure, Trend Micro, Bitdefender and, believe it or not, the Microsoft built-in AV.  Microsoft has really stepped up their game of late.  Ones to avoid: McAfee, Quick Heal, Emsisoft, Kaspersky Lab, K7, Norton, Symantec.

Is Your Current IT Company Living Up To Their Social Responsibility?

Corporate Responsibility

As a business owner, it’s up to you to make sure that the information and data collected by your company are secure and protected against the many different types of cyber threats lurking within the dark web. Many people believe it is the responsibility of their IT company to handle this type of situation. While that may be true to an extent, they can only do so much. It is up to the company’s management team to understand what threats are out there and take proactive measures to prevent their clients’ information from falling into the wrong hands.

Social Responsibility Starts With You!

As a company, you are responsible for your clients’ information. If they provide it to you, it’s up to you to make sure it remains secure. Enlisting an IT company to create a strong, secure network is ideal. If you don’t take matters into your own hands and include a few measures of your own, however, your system will still have gaps. Multi-factor authentication, firewalls, and intrusion detection systems are just the beginning. Your clients depend on you to give them quality products and services, not internet liability risks. It’s up to you to be socially responsible when it comes to maintaining security protocols and protecting the sensitive information that you use during your business.

Owning Your Risk

Hardening your own environment by implementing cybersecurity protocols over and above what your IT management offers is essential if you want to truly protect your client base. Owning your risk is more than just taking control of your internet security. It involves working with your IT company to create a multi-level security network. You can start by working within the NIST (National Institute of Standards and Technology) Cybersecurity Framework, whose five core functions are to:

  • Identify potential risks and issues
  • Protect against cyber attacks
  • Detect possible intruders
  • Respond to possible breach or risks
  • Recover after an attack

By using this framework and adding your own security measures, it will be more difficult for outsiders to access your systems and steal your clients' or your company's confidential information. The key is to use the tools and resources your IT company provides and then expand on them toward a level of automated security that does not rely solely on human vigilance.

Competitive Advantage

Companies that take the initiative to harden their cybersecurity often gain a competitive advantage over those that are lax and therefore at higher risk of attack. Small to mid-size businesses can least afford a breach: it is widely reported that many small businesses that suffer one close within months. As a business owner, if you want to maintain that competitive edge, you need to be proactive about cybersecurity. That means working hand in hand with your IT company on a regular basis to ensure you are doing everything possible to protect the data your company uses.

Perform cybersecurity audits. Tighten your firewall rules. For internal data such as financial reports and clients' confidential information, require multi-factor authentication and restrict access to the people whose jobs need it, so that others cannot tap into it accidentally (or intentionally). Your IT company can help you choose the right controls so that the risk of a breach is kept low.

When it comes to social responsibility, it is up to you to ensure your company's information is protected. If you are not socially responsible, your overall liability increases dramatically and your business can find itself in jeopardy after a breach. As a business owner or member of the management team, it is your responsibility to hire the right IT company, to do your own part, and to remain accountable for your company's assets. Left unmanaged, these risks can tear your business apart. When you work with your IT company, you are better able to manage your company's information and dramatically reduce your risk of a cyber attack.

Important FBI/DHS Warning: Update On FBI and DHS Warning: SamSam Ransomware

SamSam Ransomware

The Department of Homeland Security and the Federal Bureau of Investigation issued a critical alert on Dec. 3 warning users about SamSam ransomware and detailing the weaknesses the attackers exploit to deploy it.

According to the alert, which came from the DHS’s National Cybersecurity and Communications Integration Center (NCCIC) along with the FBI, the SamSam actors targeted multiple industries—some within critical infrastructure—with the ransomware, which also is known as MSIL/Samas. The attacks mostly affected victims within the United States, but there was also an international impact.

As the alert points out, organizations are at greater risk of network-wide infection than individuals because they are often in a position where they feel they have no option but to pay the ransom.

“Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms,” the alert states.

That does not mean individual systems cannot or are not attacked, but they are targeted significantly less by this particular type of malware.

How do SamSam actors operate?

Through FBI analysis of victims’ access logs and victim-reporting over the past couple of years, the agencies have discovered that the SamSam actors exploit Windows servers and vulnerable JBoss applications. Hackers use Remote Desktop Protocol (RDP) to gain access to their victims’ networks through an approved access point and infect reachable hosts. From there, the cyber actors “escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization,” the report states.

RDP ransomware campaigns are typically accomplished through stolen login credentials—sometimes purchased from darknet marketplaces—or brute force attacks. Since they do not rely on victims completing a specific action, detecting RDP intrusions is challenging, according to the alert.

Ransom notes instructing victims to establish contact through a Tor hidden service are left on encrypted computers by the SamSam attackers. Victims are assured that once they pay the ransom in Bitcoin, they will receive links to download cryptographic keys and tools for decrypting their network.

Where did SamSam originate?

The Department of Justice recently indicted two Iranian men who allegedly created SamSam and deployed the ransomware, causing approximately $30 million in damage and collecting about $6 million in ransom payments from victims. The crippling ransomware affected about 200 municipalities, hospitals, universities and other targets during the past three years, according to an article from Wired.

Keith Jarvis, a senior security researcher at SecureWorks, reiterated the sophistication of the SamSam ransomware and how it gains access to systems through weak authentication or vulnerabilities in web applications, methods that don’t require the victim to engage in a particular action. Hackers also go out of their way to target specific victims whose critical operations rely on getting systems up and running as quickly as possible, making them more likely to simply pay up.

What technical details about SamSam are important?

In the joint DHS and FBI report, the federal agencies provided a list, though not exhaustive, of SamSam Malware Analysis Reports that outline four variants of the ransomware. Organizations or their IT services administrators can review the following reports:

MAR-10219351.r1.v2 – SamSam1

MAR-10166283.r1.v1 – SamSam2

MAR-10158513.r1.v1 – SamSam3

MAR-10164494.r1.v1 – SamSam4

What mitigation and prevention practices are best?

In general, organizations are encouraged to not pay ransoms, since there is no guarantee they will receive decryption keys from the criminals. However, relying on a contingency plan or waiting out an attack, as advised by the FBI, is difficult when an entire operation has been compromised.

The best course of action is for organizations to strengthen their security posture in a way that prevents or at least mitigates the worst impacts of ransomware attacks. The FBI and DHS provided several best practices for system owners, users and administrators to consider to protect their systems.

For instance, network administrators are encouraged to audit their systems to identify those that use RDP, and to place any system with an open RDP port behind a firewall. Users can be required to connect through a virtual private network (VPN) to reach such systems. Other best practices, according to the report, include:

  • Applying two-factor authentication
  • Disabling file and printer sharing services where possible, or using Active Directory authentication or strong passwords for services that are required
  • Regularly applying software and system updates
  • Reviewing logs regularly to detect intrusion attempts
  • Ensuring third parties follow internal policies on remote access
  • Disabling RDP on critical devices where possible
  • Regulating and limiting external-to-internal RDP connections
  • Restricting users' ability to install and run unwanted software
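Two of the practices above, reviewing logs for intrusion attempts and limiting external-to-internal RDP, can be checked with a small detection script, and the same script catches the access path described under "How do SamSam actors operate?" (password guessing against exposed RDP). The following is an added example, not code from the DHS/FBI alert or from NIST. It runs over constructed Windows Security event records in a simplified key=value export: event IDs 4624/4625 and the logon-type numbers are real Windows values, but the record format, the sample addresses and the INTERNAL_NETS ranges are assumptions for the example. It flags a burst of failed remote logons from one source, a successful RDP logon from that source after the burst, and any RDP session from an address outside the assumed internal ranges.

```python
# Added example (not from the DHS/FBI alert): flag RDP password guessing and
# unregulated external RDP sessions in exported Windows Security events.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import re

# Windows logon type 10 is RemoteInteractive (RDP). With Network Level
# Authentication on, a bad password is refused before a session exists and is
# logged as 4625 with LogonType=3, so failures count both types. Type 3 also
# covers SMB and other network logons, so treat it as a signal, not proof.
FAILED_RDP_LOGON_TYPES = {3, 10}
SUCCESS_RDP_LOGON_TYPE = 10
# Assumed internal ranges for this example; replace with your own allocations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed records in a simplified key=value export of the fields a real
# 4624/4625 event carries. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2018-12-02T03:14:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2018-12-02T03:14:03 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.45
2018-12-02T03:14:05 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.45
2018-12-02T03:14:08 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2018-12-02T03:14:12 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2018-12-02T03:14:20 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2018-12-02T03:15:40 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.45
2018-12-02T06:00:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=198.51.100.7
2018-12-02T07:30:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=198.51.100.7
2018-12-02T08:00:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.0.12
2018-12-02T08:00:05 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
2018-12-02T09:00:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    logon_type: int
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    kind: str
    ip: str
    ts: datetime
    detail: str


def parse_events(text):
    """Parse export lines into Events, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), int(m["eid"]),
                                int(m["lt"]), m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.ts)


def is_external(ip):
    """True for an address outside INTERNAL_NETS; '-' (local logon) is not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts sorted by time: a failure burst per source, a successful
    RDP logon from a bursting source, and any RDP session from outside."""
    events = parse_events(text)
    failures = defaultdict(list)  # source IP -> sorted failure timestamps
    for e in events:
        if e.event_id == 4625 and e.logon_type in FAILED_RDP_LOGON_TYPES:
            failures[e.ip].append(e.ts)

    alerts, burst_at = [], {}
    for ip, stamps in failures.items():
        start = 0  # sliding window: drop timestamps older than `window`
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_at[ip] = ts
                alerts.append(Alert("rdp_bruteforce", ip, ts,
                                    f"{end - start + 1} failed remote logons within {window}"))
                break  # one alert per source is enough for triage

    for e in events:
        if e.event_id != 4624 or e.logon_type != SUCCESS_RDP_LOGON_TYPE:
            continue
        if e.ip in burst_at and e.ts >= burst_at[e.ip]:
            alerts.append(Alert("rdp_bruteforce_success", e.ip, e.ts,
                                f"RDP logon as {e.user} after a failure burst; treat as compromised"))
        if is_external(e.ip):
            alerts.append(Alert("external_rdp_logon", e.ip, e.ts,
                                f"RDP session for {e.user} from outside INTERNAL_NETS"))
    return sorted(alerts, key=lambda a: a.ts)


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.kind:24} {a.ip:15} {a.detail}")
```

Run as a script it prints three alerts for the sample: the guessing burst from 203.0.113.45, the successful logon from that address ninety seconds later, and the fact that the session came from outside the internal ranges. In practice, feed it your own log export and tune `threshold` and `window` to your environment; the "success after a burst" alert is the one to act on immediately, since it is the point at which the alert's "stolen or guessed credentials" access path has succeeded.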

This just scratches the surface of actions that administrators and users can take to protect their networks against SamSam or other cyber-attacks. The National Institute of Standards and Technology (NIST) provides more thorough recommendations in its Guide to Malware Incident Prevention and Handling for Desktops and Laptops, or Special Publication 800-83.

Information technology specialists can also provide insight and advice for how organizations can detect gaps or vulnerabilities in their cyber-security that leave them susceptible to SamSam or other malware infections.

Who Offers Security Compliance Officer Services To Healthcare Organizations?

Compliance Officer

If you own or run a healthcare organization, you probably have someone on staff who acts as your security compliance officer. However, is it their primary job or area of expertise? Having a knowledgeable and experienced security compliance officer or resource is very important since the consequences of violating privacy regulations can be quite serious.

For example, did you know that federal regulators can fine an organization up to $50,000 per HIPAA violation and as much as $1.5 million per year in fines for releasing a patient’s protected health information (PHI)?

That’s why you need to know what a security compliance officer does and if it makes sense for you to work with an external company to help your organization comply with security regulations to avoid hefty fines.

What are a security compliance officer’s responsibilities?

According to the American Health Information Management Association (AHIMA), a healthcare security compliance officer oversees activities for developing, implementing, maintaining, and following an organization’s privacy policies and procedures. This is to ensure a patient’s PHI is kept secure and you’re complying with federal and state privacy laws.

Some of the compliance officer’s responsibilities include:

  • Understanding government privacy regulations, especially HIPAA rules, to make sure your organization is complying with them.
  • Assessing your organization’s risks and what steps are necessary to prevent and minimize exposure of your patients’ PHI.
  • Creating, testing, and reviewing an organization’s information security systems to protect PHI.
  • Setting up a security awareness program to meet HIPAA training requirements.
  • Overseeing a reporting and management system to record and investigate a data breach, and prevent future violations.
  • Maintaining a budget to fund information security management programs and processes.
  • Managing a training program for employees to help prevent a privacy breach.

Who should be your security compliance officer?

Since this is such an essential role in your organization, it’s critical to have the right person for this job. It shouldn’t be just a part-time or extra job for one of your employees, such as an office manager or human resources director. As mentioned, the consequences of a data breach can be very serious and expensive.

While having IT experience can be helpful, this position also includes auditing, training, handling an incident, and managing business associate agreements with external partners and vendors. Other responsibilities may consist of making and updating a disaster recovery plan and overseeing facility security.

An ideal candidate is someone with the ability to organize, understands HIPAA and other privacy rules, and is knowledgeable about IT and computer systems.

In addition to picking the right person for the job with the relevant experience, the position should have the authority and power to implement needed changes to ensure compliance with HIPAA and privacy rules.

What if you use a cloud-based IT service?

You might assume if you use a cloud-based service for your IT systems, then you don’t need to worry about HIPAA compliance. However, an organization must ensure such services are secure and perform a risk analysis before using a cloud service for storing or transmitting electronic protected health information (ePHI).

In 2015, St. Elizabeth’s Medical Center in Brighton, MA had to pay $218,400 in penalties for violating the HIPAA Security Rule when they uploaded data without doing a risk analysis of the cloud service. An organization needs to set up risk management policies to lower the chances of a data breach as much as possible, even if they use a cloud-based service.

If you manage a healthcare organization, a cloud service provider is considered a HIPAA "business associate." This means it must sign a business associate agreement (BAA) before patient data is uploaded to the cloud service. You must have a signed BAA even if the information you upload is encrypted and the cloud service does not hold a decryption key.

What can happen if you don’t have a signed BAA from a cloud-based service provider? In one case, Oregon Health & Science University was fined $2.7 million by the Department of Health and Human Services’ Office for Civil Rights because they didn’t get a signed BAA from a cloud-based IT vendor.

The business associate agreement should outline how ePHI is used and disclosed and that both parties have security procedures to prevent the unauthorized release of PHI. This includes verifying that the cloud service vendor:

  • Has reliable systems so information is readily available to a healthcare organization.
  • Maintains a back-up and data recovery system in case of a natural disaster, ransomware attack, or other emergencies.
  • Allows you to obtain data from their systems if you stop using their cloud services.
  • Keeps information as secure as possible.
  • Limits the use, retention and disclosure of PHI.

Should you work with a consultant or IT provider?

In some cases, you may decide that you need to work with an IT professional or consultant to assess your IT systems and infrastructure for potential weaknesses that can lead to a privacy breach.

Also, it may not be ideal for your internal staff to perform a risk assessment since it can be a challenge to objectively evaluate their practices and identify weaknesses. If you decide to contract with a third party for a risk assessment, make sure they’re experienced and knowledgeable about HIPAA and privacy rules.

Another option is using compliance software that’s customized for your organization’s needs and structure to help perform a risk assessment, train employees, and handle other functions.

Dec 7 – Pearl Harbor Remembrance Day

December 7th, 2018, is National Pearl Harbor Remembrance Day. It marks the 77th anniversary of the military disaster that brought America into World War II. It's a time for somber reflection and to honor those who made the ultimate sacrifice in that tragedy, those who survived to go on to fight another day in that conflict, and the few who are still living. Millions of Americans will mark the day by displaying the American flag, attending tributes and memorial services and school and public educational presentations, by visiting with survivors at reunions, and in more personal ways.

History Of Pearl Harbor Remembrance Day

On the 23rd of August, 1994, the U.S. Congress officially designated December 7th as National Pearl Harbor Remembrance Day. In November of the same year, President Bill Clinton issued a proclamation declaring 1994 to be the first year of recognition, and it was subsequently observed the following month. It is not a Federal holiday so government offices and schools, as well as other businesses and organizations, remain open.

A Day That Will Live In Infamy

At approximately 7:48 AM on Sunday morning, December 7th, 1941, 353 Japanese aircraft, including fighters, dive bombers, and torpedo bombers, launched an attack on the U.S. naval base at Pearl Harbor, Hawaii, as well as U.S. Army Air Corps wings based at nearby Hickam and Wheeler airfields. The attack caught American forces by complete surprise. There had been no formal declaration of war or any type of warning by the Japanese.

The effect was devastating. 2,405 American sailors, soldiers, and civilians were killed and 1,178 were wounded. Almost 20 U.S. Navy warships, including eight battleships, were destroyed or severely damaged, along with 188 aircraft.

The next day, President Franklin D. Roosevelt declared war on Japan, delivering his famous speech to Congress saying that the attack was “a date which will live in infamy.” Americans entered World War II with the popular slogan ‘Remember Pearl Harbor’ as their battle cry.

How To Observe Pearl Harbor Remembrance Day

Americans are encouraged to observe the day by displaying the United States flag outside their homes, at half-staff if flown on a pole, until sunset on December 7th. Many also place flags on the graves of veterans and attend reunions and other events associated with the day.