Implementing Data Security For Your Small Business

Small Business Computer Security

Today’s small business owners are tasked with managing operations, employees and a wide range of things pertaining to the modern day business. It’s no surprise, then, that amid the hustle and bustle, some areas of importance are thrown to the wayside. Cybersecurity is often one of them.

According to studies, most small business owners don’t believe their businesses are at risk of a cyber-attack. This mindset is dangerous, because an owner who does not expect an attack will not prepare for one, and an attack can wreak havoc on a small business that hasn’t yet put proper security protocols in place.

According to the Ponemon Institute, cyber-attacks cost small and medium-sized businesses an average of $2,235,000 in 2017. In order for small businesses to form a strong line of defense against cyber attacks, they’ll first need to evaluate their risk, and what’s at stake. Here are a few things small businesses should consider when preparing to amp up their data security.

Securing Your Data

Implementing solid data security for your business is a complex task that requires manpower. And although it can present quite the conundrum for small business owners, it’s something that, according to the FCC, must be done.

First, you’ll need to evaluate your current system. Which data do you actually need? While keeping customer data is important, it’s just as important to only ask for customer information that will actually be utilized. For instance, don’t ask for a social security number if you don’t need it.

The same notion applies to how long you keep this data. Don’t store your customers’ data longer than needed: the longer you keep it, the longer you are liable in the case of a data breach. If you don’t have a retention policy in place, it’s time to implement one, and remember that a retention policy goes hand-in-hand with a documented process for actually deleting the data.
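The retention policy and the deletion process described above can be expressed as a small, auditable routine. The following is an added example, not code from the original article: it assumes a per-category retention period (the categories and day counts are constructed for illustration, not figures from the article or any regulator), treats records in an unknown category as short-lived rather than keeping them indefinitely, and writes an audit line for every deletion so the deletion process is itself documented.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention policy: days each category of customer data may be kept
# after collection. These are example values, not the article's or a regulator's.
RETENTION_DAYS = {
    "order_history": 365 * 2,   # needed for returns and accounting
    "support_ticket": 365,
    "marketing_consent": 180,
    "ssn_last4": 90,            # only while a specific verification is pending
}
# Anything not covered by the policy is treated as short-lived, so forgetting to
# classify a new data type fails toward deletion rather than indefinite storage.
DEFAULT_RETENTION_DAYS = 30


@dataclass(frozen=True)
class Record:
    record_id: str
    customer_id: str
    category: str
    collected_on: date


def retention_limit(category: str) -> int:
    return RETENTION_DAYS.get(category, DEFAULT_RETENTION_DAYS)


def is_expired(record: Record, today: date) -> bool:
    age = today - record.collected_on
    return age > timedelta(days=retention_limit(record.category))


def apply_retention(records, today):
    """Return (kept_records, audit_log).

    The audit log records every deletion with the reason, which is what an
    auditor or regulator will ask for after a breach."""
    kept, audit = [], []
    for r in records:
        if is_expired(r, today):
            audit.append(
                f"deleted {r.record_id} ({r.category}) for customer {r.customer_id}: "
                f"collected {r.collected_on.isoformat()}, "
                f"limit {retention_limit(r.category)} days"
            )
        else:
            kept.append(r)
    return kept, audit


# Constructed sample data and a fixed "today" so the run is reproducible.
AS_OF = date(2018, 10, 15)
SAMPLE = [
    Record("r1", "c100", "order_history", date(2018, 1, 15)),      # 273 days old, kept
    Record("r2", "c100", "ssn_last4", date(2018, 6, 1)),           # 137 days old, past 90
    Record("r3", "c200", "marketing_consent", date(2018, 3, 1)),   # 229 days old, past 180
    Record("r4", "c200", "legacy_export", date(2018, 9, 1)),       # unknown category, past 30
]


def run_sample():
    return apply_retention(SAMPLE, AS_OF)


if __name__ == "__main__":
    kept, audit = run_sample()
    print("kept:", [r.record_id for r in kept])
    for line in audit:
        print(line)
```

Run on a schedule (nightly is typical) and keep the audit output with your other security logs; the policy table is the document you hand to whoever asks what you keep and for how long.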

Strengthening Your Passwords

Implementing a strong password policy can make all the difference in keeping your data protected. Complex, unique passwords are paramount to data security, but how can you be sure those you’re using are really up to par?

You may want to look to the NIST for a list of digital identity guidelines that can help clarify what you should and shouldn’t be doing when setting new passwords. From two-factor authentication to the inclusion of symbols and capital letters, there are plenty of ways to strengthen your passwords to minimize the risk of an attack.

Establishing Network Segmentation

While, yes, one of the main goals of a small business should be to have a reliable network set up for operations, there’s a lot more to be done to ensure adequate data security. If your office frequently has customers traveling through your space, it’s best to implement a separate network that will prevent access to your data by just anyone. Doing this both minimizes the impact on your employees’ network and keeps internal data safe.

Don’t Ignore Updates

A constant bombardment of update notifications is annoying, and can even hinder productivity. And although it’s tempting to ignore these and push on with your work, updates are important in keeping your systems working properly, which is why you should stop ignoring them. In fact, small businesses should adopt a policy for updates and scheduled maintenance to ensure things aren’t falling through the cracks. A service provider can help you keep all your devices in line with the most current standards, and ensure updates are carried out accurately and within the proper timeframe.

Training For Success

If your business is one that employs mobile workers, data security becomes a bit more complicated. You’ll need to ensure these mobile workers’ devices are as secure as those within your office. Keep in mind that deleting company information in the event of a lost or stolen device is crucial.

A company may have the very best security in place to protect its data, but all it takes is one employee incident to destroy the reputation you’ve built. If your company’s salespeople do not require access to secured customer databases, don’t authorize them to use them. Giving access to crucial data only when it’s needed can help you minimize the chance of a cyber-attack.

You may be doing a fantastic job at training your employees for proper data security, but human error will always be an issue. This is not something you can prevent entirely, but you can teach your employees what to look out for. You can also help them understand the negative consequences associated with data breaches and the true impact of failing to be alert.

Data security for your small business is definitely not something you want to ignore. As an entrepreneur, you are likely both excited and wary of what’s to come. Don’t let a data breach put an end to your empire before it starts.

Wi-Fi On Planes – Who’s The Best?

WIFI Planes

If you are old enough, you may remember when making phone calls from an airplane was an expensive luxury, with sound quality so bad that conversations at times were impossible. Times have changed. Calls from planes are usually clear and carried over satellite connections. The big electronic question mark in the sky is no longer whether Wi-Fi is available; it is how good the Wi-Fi is.

So How Do We Rate The Quality Factor?

Different flight amenity rating services use various methodologies, so one has to dig to get useful information. Traveloka, a major booking site for Southeast Asia, ranks the top 50 carriers on aspects like speed, quality of signal, availability of USB ports, etc. According to them, the top three airlines for Wi-Fi service are Qatar, Emirates, and Delta, in descending order.

Digging a bit, one finds out that the fastest Wi-Fi available is on British Airways, which has speeds up to 20 Mbps (your mileage may vary). In contrast, Emirates, Etihad, and Eva offer a top speed of only 2 Mbps. Obviously, this is not going to support streaming from Netflix or video conferencing.

Theoretically, even HD video conferencing should require only 384 Kbps (see here.) But we’ve all had the experience of video conferencing where lagging was an issue, even on connections that are high speed. The devil is in the details; the need for bandwidth goes up with each separate device used for the video conferencing, and for the bridge that ties it all together. The bridge has to have access to adequate bandwidth to provide all the images and sound streams at the same time. Of course, the speed with which it goes to the PC or phone depends on the bandwidth from the Wi-Fi transmitter to the user’s device.

The most important question in choosing an airline for Wi-Fi service is knowing what you need. On airlines though, you may not have much of a choice, especially if looking for low airfares. If you will absolutely need video conferencing during the flight, Qatar is about your only choice. Qatar pledges speeds up to 50 Mbps, but Traveloka rated the average speed as only 8.

(See this article from CNN Travel for a summary that is a bit easier to interpret than Traveloka’s.)

What Does It Cost?

Emirates Air offers the first hour free and unlimited usage for the rest of the flight is only $10. Delta offers unlimited access for the entire flight for $16. Surprisingly, JetBlue, known as a discount airline, is now offering Wi-Fi but there are no details yet as to cost.

Singapore Airlines, rated the best in the world, offers only 1.17 Mbps for $8.80, but oddly, does not offer the ability to make phone calls. All-Nippon Airways (ANA) offers only 0.56 Mbps at a cost of $9.43. On Hong Kong Airlines and China Southern the service is free. Emirates does offer 20 Mbps, but it has to be used within two hours.

What’s The Underlying Technology?

In-flight Wi-Fi is provided by satellite. The plane has an antenna that picks up the signal and broadcasts it inside the cabin. Since all airlines get the same quality and speed of signal from the satellite, the speed and quality within the cabin depend on the hardware that the airline has installed.

If an airline wants to provide 50 Mbps, which is comparable to home or business internet service from a cable provider (not fiber optics) in the United States, it can do so. It’s just a matter of will. Since the equipment needed to offer 50 Mbps and the equipment needed to offer 0.56 Mbps are similar in price, it is a bit of a mystery why all airlines that provide the service do not offer the higher speeds.

And if some airlines provide it for free, why not all? No immediate answers forthcoming. One item of note is that with satellite Wi-Fi, as with many earthbound internet service providers, uploads are much slower than downloads.

Incidentally, virtually all the reporting on Wi-Fi availability and quality on airlines comes from the 2016 Traveloka report.

What’s The Upshot?

Even if you’re on one of the airlines that Traveloka rated as among the best, your Wi-Fi speed will vary. Some things that are easy to do in the office will be difficult to impossible while in the air. It’s best to plan accordingly. Do not schedule a critical meeting with the chairman of the board while you’re on a Singapore Airlines flight; this is just not going to work. Even email may be dicey in flight.

The moral of the story is that doing serious business that demands strong connectivity is best done on the ground, not while in flight. If it’s absolutely necessary, then plan accordingly before you leave the office and take to the road. People who travel a lot will understand.

October’s Featured Training: The ABCs Of Cyber Security

Cyber Security Training

October Is Cyber Security Awareness Month
Tune In At Any Time To Watch Our 15 Minute On-Demand Training

Cyber Criminals Have A 6 Month Head Start.

Is Your Business Protected?

Find Out.

Tune Into Our October Free Online Training By Clicking Here.

Every 39 seconds, a hacker is attacking someone. 

Are you next on the list?

You can’t afford to miss October’s free online training.  Why?

{company} takes cybersecurity seriously. This is why we have put together this free online training for everyone.  During this online training, our cybersecurity trainers will share how your business can defend itself from becoming another statistic.

During this 15-minute on-demand training we’ll show you many quick and very important tips you and your team must know in order to protect your business from cyber threats and how employees can keep all your confidential and critical information secure.

Google Shutting Down Google+

Google+ Shut Down

Google+ Social Media App Will Soon Move Off Into The Sunset

Google+ has never really been a popular social media network. In fact, most people say they’ve never used it and don’t know how it works. So it’s not too surprising to hear that Google has finally decided to pull the plug.

Google just announced a ten-month sunsetting period, which begins now and will end in August of 2019.

Besides the site simply not being popular, Google has had serious security issues. Project Strobe discovered a bug in Google+ that may have leaked the personal information of thousands of users. Though Google says the vulnerability was not discovered by hackers and that no profiles were compromised, their senior executives felt that rumors of a breach would likely trigger “immediate regulatory interest.” So they simply didn’t tell anyone.

Other Social Media Data Breaches

For several years, Facebook has been under scrutiny for allowing the data firm Cambridge Analytica to access their user information. This data was in turn used to create targeted social media ads that eventually swayed the presidential election of 2016. Since that incident, Americans have become much more aware of the effects and dangers of data breaches and social media manipulation.

Given the fact that almost no one was using the Google+ app and the high risk for potential data leaks, Google execs said they simply felt that it was best to discontinue Google+. Users will have 10 months to migrate their data before the platform is officially dissolved in August of next year. However, the company has decided to continue supporting the Enterprise version of Google+ so businesses using that app will not be affected.

More About the Google+ Security Breach

Last March, Google discovered a privacy breach, which allowed third-party apps using their programming interface to access the personal data of users. This data includes usernames, addresses, email addresses, birth dates and other bits of personal information.

The Wall Street Journal reported some details about the security breach and said that Google executives had been informed about the breach soon after it occurred. These executives made the decision not to disclose the breach to its users for fear of tarnishing their reputation.

Reporting Security Breaches

In a blog post, Google said that it decides when and if the organization should notify users of data breaches. They take into consideration the type of data that was leaked, whether there’s evidence of misuse and whether there’s anything that users can do about it.

According to security breach laws, any organization that experiences a data breach must inform those affected. And they only have a specific amount of time to do so. This varies by state but there are severe penalties for not correctly reporting a security breach.

Executives at Google say that the gap has been fixed and that users do not need to worry about any further data leaks. However, there is ample evidence that Google did not follow the law once they learned of the data breach. This can result not only in penalties from the federal government but also users can file individual lawsuits if they believe their personal info has been compromised.

How Data Breach Laws Are Changing

With the new European Union GDPR (General Data Protection Regulation), more countries and organizations are implementing stronger security measures. The GDPR affects anyone who does business with an entity that resides within the European Union. This has caused many business owners to revamp the way they collect and store personal information from their users.

Once a company has collected an individual’s personal information, they have a legal responsibility to keep that data as secure as possible. In spite of these advances in data security regulations, hackers seem to be one step ahead. Their tactics change, improve and evolve making it necessary for all organizations to be more cautious.

Senate and House Committees Get Involved

This past year, many social media and technology companies have come under scrutiny due to their data and privacy practices. Executives from Twitter, Facebook and Google have testified before various Senate and House committees. Under fire are their security measures, but also their political biases. The government is considering types of regulations that would prevent these companies from meddling in important things like the elections.

Now that everyone is fully aware of how easy it is to sway voters in one direction or the other, there is a very real fear that future elections may be manipulated by these companies. They not only have the knowledge, but they have the resources to influence the way people vote. And this ability holds within it a great deal of potential power to change our society in ways that can only be speculated about at the moment.

What Should Google+ Users Do?

In the meantime, if you are a Google+ user, it’s best to go ahead and make copies of any content you have on the site, then delete your account. Once it has been deleted, you’ll no longer have to worry about losing it to hackers who have found yet another weakness in the site’s security protocols.

Happy Thanksgiving Everyone!

Happy Thanksgiving Canada

Happy Thanksgiving From Our Team To Yours!

Why Not Show Your Thanks By Helping Another Business Use Technology To Succeed?

As the days get shorter and the nights get cozier, we Canadians across the nation turn our minds to gratitude. It’s a season where we take a little time to appreciate the best things in our lives.

We’re thankful for family, for friends, for a job we love, and for you, our clients who make it all worthwhile. Thank you for putting your trust in us as your IT service company.

We know that you have options for your IT service. And to show our thanks as your technology service provider, we’d like to offer a complimentary assessment to a local business that you refer.

Why Are IT Assessments Important?

An IT Assessment is a comprehensive view of your business and technology needs. It reveals the health of your IT assets and infrastructure. Routine assessments mitigate the risk of downtime and security breaches. They also ensure your technology is running at peak performance, so your workers can too.

What Do IT Assessments Reveal?

An IT assessment optimizes your system to improve security and to mitigate the risk of computer crashes, interruptions and inefficiencies. It also ensures you’re getting the ROI from your technology investments that you expect.

It tells you:

  • If technology is truly supporting your business goals and objectives.
  • If best practices are being employed when using technology solutions.
  • The strength of your IT security posture and if there are any gaps in your defense.
  • If your business could stay up and running after a disaster like a fire, flooding, accidental data deletion, or malware infections.
  • If you are getting the most value and use from your IT investments.
  • If your IT solutions are integrated properly.
  • What steps to take to improve your IT environment.

Why Are Regular IT Assessments Valuable?

An IT Assessment will tell you what is working and what isn’t. The ever-evolving nature of technology and rapid changes and advancements make IT Assessments more important than ever. You won’t always need the latest applications or solutions, but it’s essential to detect any deficiencies that may be impacting your efficient and secure operations.

The most technically knowledgeable companies continually evaluate the status of their IT operations and whether they match their organizational goals. Assessments provide insight into what you will need for the future as your company grows and changes. It’s like an IT business plan that helps you stay on course and use the tools that will help you succeed.

Are You Wasting Money On Technology Solutions?

Are you getting the most value from your current technology? An IT Assessment will reveal if you’re paying for software and hardware you don’t need. It determines what technology is required to fill gaps without you buying more (or less) than you require. Plus, it helps you better control your IT spending.

Newer technologies like cloud computing can significantly lower your technology costs. Software-as-a-Service and Hardware-as-a-Service and other pay-per-user solutions can provide the technology you need without the upfront costs. They also provide flexibility and scalability as they can be increased as your company grows or decreased in slow times.

Is Your Technology Properly Integrated?

It’s not enough to know what applications you have and how they work, you must understand how well they integrate. With so many types of software and hardware being used today, integrating them correctly can be a challenge. And, if they’re not properly integrated, this can negatively impact your operating efficiencies.

For example, say you purchase a new software application. If it’s not supported by your operating system and web browsers, it won’t work as it should. Or perhaps you’re using a VoIP business phone system. Does it integrate with your data network as it should? It’s essential that all elements of your technology infrastructure work together seamlessly.

What Can You Expect After An IT Assessment?

We’ll provide a written report detailing your current IT standing and any suggestions we have for improvement. If during the course of the Assessment we detect backup failures, security gaps or misconfigurations, we’ll report on these right away and how they can be cost-effectively remediated.

Your leadership team will be apprised of our findings, so they can make decisions and work with us to develop an IT Plan that prioritizes recommendations based on their importance and impact on your business.

An IT Assessment Is The “Gift That Keeps On Giving”

Referring a business associate or other organization for an IT Assessment will not only help them succeed through the best use of technology but it will build goodwill between your companies. And once they realize the value an IT Assessment provides, they’ll refer another business, and so on, and so on.

So, give thanks by sharing your knowledge about technology and how it can help others succeed. Contact us, and we’ll get the process going. And thank you again for your business.

Happy Thanksgiving.

Scalable Wi-Fi Is Best Practice For Schools

School Wireless Networking

Everyone has Wi-Fi. We all expect to see it wherever we go, and most of us have more than one Wi-Fi-enabled device. Grocery stores, fast food restaurants – even your mechanic has Wi-Fi. But does that mean you REALLY need it in your school? Isn’t it less secure than wired?

To answer the first question: “Don’t be coy.” You know how backward wired-only connections look. You’re either a Luddite or unbelievably cheap trying to avoid the expense and work of building a new network. You are now out of time. The government itself says you need Wi-Fi, and in this 2017 report plainly states that a reliable, fast wireless connection is a necessity on par with other utilities such as gas, electricity, or water.

As to the second question: Well, no. Not so much anymore. With advances in encryption, Wi-Fi networks that are properly safeguarded offer security comparable to that of wired set-ups. If you still prefer to use wired internet for select devices, such as a handful of desktops and a designated copier/printer/fax machine, you can do so and still enjoy the advantages of a wireless network. Wired is a bit faster and more reliable than Wi-Fi, but this is largely because it is easy to ensure that only a handful of users are on that hard-wired data line. Employees must literally be plugged into a wired network, so there is no issue of people overloading it by all signing on and demanding bandwidth at once.

So the advantages of wired over wireless can be matched by properly planning out the wireless network. From there, the advantage is all wireless: portability, ease of use, and, if you plan for it, scalability.

Why use a scalable wireless network?

Setting up a scalable wireless network means looking at the present with an eye to the future. You know that you’ll potentially have more students or employees, or even more devices per person, or more demanding apps. If you’ve built scalability into the network in the first place, you’ll easily adapt to the increased demand on your connectivity. Re-wiring not only costs money, it’s disruptive. Contractors can come out when school is not in session, but off-hour calls often cost more. Doing the work more or less at once, with access points ready for later expansion, allows for a nearly seamless expansion when it becomes necessary.

Adding people in will not be a matter of climbing around above the ceiling tiles, drilling holes in walls, but just a matter of entering a new user and password and updating the server. Oftentimes, it won’t even cost anything to do it.

Scalable Wi-Fi Saves Budgets In Situations Where:

  • Schools that are growing
  • Private or charter schools with variable populations
  • Schools under construction, adding more devices as they go
  • Anyone in the current technological climate, where new innovations increase user numbers every year
  • Schools with variable income
  • BYOD programs

Factoring in the potential for future expansion will pay off in the long run when the entire network doesn’t require a re-design within a couple of years. By planning for scalability, using multi-purpose devices that can handle increased connectivity and streaming demands, you are ensuring that the initial investment pays off. The more manageable maintenance budget will be easier to get approved, and you can plan for a complete overhaul when it becomes truly necessary, rather than prematurely, due to an initial refusal to plan for growth.

Devices Are Everywhere

Smartphones have risen in popularity at a pace that’s nearly alarming for its potential ramifications. In fact, the number of active mobile phone subscriptions in the US is 349.9 million – more than the total US population of 325.3 million. These consumers are using their phones for far more than phone calls. They’re on apps that often require data usage, which allows for less memory and storage use on their phones. Even apps that do not apparently require an internet connection often do for this reason. People have grown to rely on their phones as a connection to their families and coworkers, and also as a means of keeping themselves organized and of keeping their emotional well-being up through habit-changing apps, diaries, and more.

As the mobile devices we use speed towards true ubiquity, it will not do to simply watch as the tide rises. Plan for the eventuality of increasing connectivity needs by designing a scalable wireless network. This direction offers better services for the future, along with lower overall budgetary requirements. It removes some of the stress of growing. All school administrators understand the need to reduce stress and lower the budget.

What’s Inside Health IT?

Healthcare Technology

Health information technology is more talked about than really understood. Part of the reason for this is that providers and their staffs usually interact with a restricted subset of health IT – the Electronic Health Record (EHR), the radiology imaging system, the billing system, and so forth. Only the organization’s IT staff and Chief Technology Officer (CTO) are in a position to see the big picture. Even they may not see all of it. This blog post tries to cover at least the larger components of Health IT.

What’s The Most Important Piece?

The EHR is arguably the central component. In an ideal system, all the information a provider or patient wants, from demographic information to lab results to radiological images to records of office visits, should be there. Making the EHR the centerpiece is one way to avoid “siloing” of information that makes research and analysis difficult or impossible. If the EHR is complete, every other component (statistical reporting, radiology, billing, appointment scheduling, and lab results) is present and can be used to drive other systems.

This, of course, is an ideal situation. One barrier to accomplishing this is money. Putting in a new EHR system can cost a lot. Recent figures for installation are around $33,000 per full-time physician. Maintenance runs $1,500 per month per full-time physician. A hospital system with 500 physicians is looking at a minimum of around $17 million for initial installation and around $9 million for annual maintenance.

If the system is hosted in the cloud, storage, input, and “egress” fees (sending data to the providers for use from data stored in the cloud) have to be considered. Cloud hosting can run around $165 per “seat” per month, where “seat” is a computer linked to the cloud. Assuming an employment of 3,000, this will run around six million dollars per year. But cloud hosting may well be cheaper than buying and maintaining hardware and paying a large IT staff. Cloud hosting offers better security and offloading a lot of IT headaches as well.

What Are Some Other Components?

There will be radiology and lab subsystems, at least, plus billing and accounting. How tightly these are integrated into the EHR system and the cloud will vary. Analytical systems may include big data handling and artificial intelligence. Of course, if a physician is a hospital employee or a member of an affiliated group, it makes sense for their in-office IT systems to be integrated with, or be part of, the hospital IT operation.

What’s So Great About AI?

Artificial intelligence (AI) is still in its infancy. Studies have shown that AI systems are better at reading radiology imagery than human radiologists, and of course better at catching prescription errors and medication conflicts. But many legal questions, particularly about liability, remain unanswered. In addition, AI is intelligent only within a limited sphere. It will be far into the future before AI is able to display the kind of general intelligence that a human physician can bring to a patient.

What AI is good for now is dealing with well-defined tasks and helping to narrow down the “unknown unknowns” – interactions, sources of error, and opportunities for improvement that humans would never have suspected. Their principal role in the near term most likely will be relieving the “cognitive overload” that all physicians, no matter how narrow their specialty, have to deal with.

What Are Patient Portals?

Patient portals are interfaces, usually web-based, that allow patients to see their lab results, talk to their providers, make appointments online, find providers, and do other things that patients would normally do over the phone. If properly designed and implemented, they can have a major impact on operational efficiency and patient satisfaction. On the other hand, a patient portal that is too complex and too clunky to be easily used can drive patients away.

What Are The Incentives For Using All This Stuff?

The Affordable Care Act (ACA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide billions of dollars for providers who implement EHR and other health IT systems and “meaningfully” use them. They are a de facto requirement for any provider that receives Federal funds, which is virtually all of them.

What Are The Downsides?

The biggest one, of course, is the expense. Even though it is large, it may well be cheaper than maintaining one’s own equipment and IT staff. It also permits offloading a lot of headaches to the vendor. The downside is that, for HIPAA purposes, one has to devote as much attention to the vendor’s security practices as to one’s own. Also, system modifications and customizations necessarily involve the vendor’s staff and consulting services, which may be very extensive.

And, of course, there is training. This is not so much expensive as extensive. The example of one Pennsylvania health system that changed EHR systems three times in one year probably represents an extreme outlier, and training the entire staff three times in one year was no doubt a task worthy of being avoided if at all possible.

Finally, if the organization is moving from primarily paper-based systems to health IT, the organization’s culture needs to be adjusted, and the transition may be wrenching. Still, the advantages of health IT outweigh the disadvantages, and all providers should be making the switch as soon as possible.

Facebook Data Breach

Are you aware of a potentially serious data breach involving Facebook?

According to many top news outlets, 50 million user accounts may have been impacted, and Facebook now potentially faces huge fines in the EU.

Read more at https://www.theguardian.com/technology/2018/oct/03/facebook-data-breach-latest-fine-investigation.

Need steps to protect your Facebook account? Here’s an interesting article containing steps to protect your personal information and security. https://www.experian.com/blogs/ask-experian/facebook-data-breach-how-to-protect-yourself/

We are continuing to follow this news and will update more on our blog as we learn more.

Playing in the Digital Highway: Improperly Secured Data Puts Students At Risk

Computer Security in Schools

When you think of cybersecurity, protecting credit card numbers or government files might come to mind, but your students’ PII (Personally Identifying Information) is a target for hackers, too.


Young people make great targets because they’re a clean slate. They’re not using their identities to get a mortgage or credit card or anything, so no one is checking up on them. They also have a tremendous amount of personal information being shared – including medical, mental health, contact information, and performance evaluations in academia and sports or the arts – and it’s being saved in various, often poorly secured, locations. And finally, but perhaps of the highest utility to hackers, children are great targets because people will do ANYTHING to protect them.

It CAN Happen Here

If you’re thinking to yourself that you live in a quiet small town with no crime and no draw for a terrorist plot, think again. Yours might be the ideal spot to stage a crime like this. Look to the small Montana school district of Columbia Falls in Flathead County. In that district, home to nearly 16,000 students, parents and administrators received text messages and a seven-page letter containing threats, repeated references to Sandy Hook, creepy quotes, and a claim that the FBI could not help anyone.

Hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur, security experts said. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Christopher Krebs, a senior official at the Department of Homeland Security, at a recent mayors’ conference in Boston. “You’re not special.” Source: WSJ

This came seemingly from nowhere, but as the extortionists explained, the choice was deliberate: the district had vulnerabilities that made it easy to gain access to confidential files. With all of the other concerns that educators have, it can be easy to overlook securing digital information properly. You may not even understand the threats that exist, and it’s hard to find qualified Information Technology professionals willing to stick it out for the comparatively low salaries school districts offer.

2017 Cyber Terrorism Attacks

A recent FBI briefing regarding attacks on multiple school districts across the country describes a terrifying ordeal: people all over the district awoke to find text messages informing them that their students’ information was up for ransom. Hackers had taken advantage of vulnerabilities in web-facing district servers to extract student PII (Personally Identifying Information). Victims received physical threats and were told that this information would be used for bad ends unless the district paid a ransom.

The extracted information included:

  • Parent, guardian, and student phone numbers
  • Education plans
  • Homework assignments
  • Medical records
  • Counselor reports
  • Grades or other testing records

The hackers also demanded their ransoms in cryptocurrency, making it hard for local authorities to follow the trail (for now).

How Is PII Being Used?

PII can be used to forge false online identities, to launder money or get bad actors into the country. And once the information is out there, how do you safely get the genie back into the bottle? A child’s entire future (financial, academic) or even their physical safety is under threat if their identifying information ends up sold to bad actors. When you hold transcripts, grades, and achievements for ransom, you’re waving the flag at a future that’s quickly disappearing into the distance. Prevention is best. So where are your areas of vulnerability, and how can you shore them up?

Common Vulnerabilities

Phishing Scams

These are communications from supposedly friendly senders meant to entice you to open an email, text message, or other message, or to click on a link. A “social engineering” hack, phishing attacks are meant to gather confidential or personal information. Make sure graphics look normal, hover over links to read their actual destination, and check for any suspicious formatting or wording.

Phishing attacks can also come by phone. Do not give confidential information over the phone to someone who has called you first. Instead, agree to call the company back from the number that you have in your records. Don’t just click “ok” on an unexpected pop-up.
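The “hover over the link” check above can be automated for mail that is already in a mailbox. As an added example (not code from the original post), the Python script below parses an HTML email body and flags anchors whose displayed text names one site while the `href` actually points to another; the sample email body and every domain in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains, not from the post).
SAMPLE_EMAIL_HTML = """
<p>Your district portal password expires today.</p>
<p>Sign in at <a href="http://login-portal.example.net/reset">https://portal.example-school.org</a></p>
<p>Questions? Visit <a href="https://portal.example-school.org/help">our help page</a>.</p>
<p>Or go to <a href="https://portal.example-school.org">portal.example-school.org</a>.</p>
"""


def _host(text):
    """Return the lowercase hostname of a URL or bare domain, or None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text          # bare domains need a scheme to parse
    try:
        host = urlparse(text).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def _looks_like_url(text):
    """True when the visible link text itself reads as a URL or domain."""
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www.")) or ("." in t and " " not in t)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def find_mismatched_links(html):
    """Return (visible_text, real_host) for links whose shown destination differs
    from the href host. Text that is not a URL/domain is skipped: only hovering
    (or reading the href) can judge those."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not _looks_like_url(text):
            continue
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            flagged.append((text.strip(), real))
    return flagged


if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {shown!r} but actually goes to {real}")
```

Only the first link in the sample is flagged: its text claims the school portal while the `href` host is a different domain.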

  • Non-school devices – your network should be configured to recognize new devices.
  • Educational apps that store student identifying information – carefully read through privacy and security information from new software or EdTech websites.
  • Improperly shared or stored PII – make sure everything is encrypted and password-protected.
  • Ignorant or non-compliant personnel – not updating software, not checking EdTech vendors out, not understanding what looks or is suspicious, not reporting suspicious activities.

Below is a list of cybersecurity measures you can take:

  • Research privacy acts like FERPA, COPPA, and the PPRA, as well as any state laws regarding privacy, and educate staff and faculty so that everyone understands what is expected of educators and vendors of EdTech services.
  • Do a survey of teachers, librarians and IT staff to see what software is being used in the school and what information is being collected. It might be helpful to see, in one consolidated report, how much information is being collected and how many different services are collecting it.
    • Bonus: if anything happens, you know where leaks may have come from.
    • If parents want more specific information about these services, you’ll be able to tell them what services or websites their child’s teachers use.
  • Review the privacy policies of EdTech companies that are being used in your district.
  • Check for vulnerabilities in your data storage procedures.
    • Are you updating software when you’re supposed to?
    • Does everyone have their own passwords to get into high-value/confidential data storage locations?
    • Do you have a plan for how to react to a breach?
  • Research school-related cyber breaches.
  • Back up important data.

If you have evidence your child’s data may have been compromised, or if you have experienced any of the Internet crimes described in this PSA, please file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

Steps To Avoid HIPAA Compliance Violations And Data Breaches

HIPAA Compliance

Federal regulations are usually complex and can have unintended consequences. For lawyers, they are a goldmine, both for prosecutors and for consultants advising clients. When it comes to the Health Insurance Portability and Accountability Act (HIPAA), there are, however, just a few (relatively) simple steps you can take to avoid violations, fines, and bad publicity for your healthcare organization. HIPAA is not a paper tiger. Healthcare organizations have been fined millions of dollars for breaches and violations so far.



What Is A Violation? What Is A Breach?

For once, there’s a nice, simple distinction which does not require a legal mind to understand. The definition of a violation is:

“A failure to do what HIPAA requires to keep protected health information (PHI) secure.”

Basically, PHI is data that HIPAA requires be protected by following the steps suggested below. There are a few simple steps one can take to avoid violations. These are things that you should be doing already to protect data in general. All HIPAA does is specify them. They are:

  • Records must be secured. This means limiting access to the data that employees and providers need to do their jobs. Records can be secured by passwords, biometric identifiers, swipe cards, fingerprint readers, etc. PHI must be encrypted. Enough said. While you’re at it, what rationale do you have for not encrypting all data?
  • PHI must be encrypted against hacking and breaches. This means that if there is a breach and encrypted records are stolen, you are still liable. Encryption can be broken, and every method of securing data, except for quantum encryption, which is not generally available, has vulnerabilities.
  • Devices must be secured. This generally means that portable devices, such as smartphones and laptops that could be lost or stolen must be secured via encryption and passwords or have other limitations on access. The theft of a device should not enable the one who stole it (or finds it) to access PHI. If the chief of surgery leaves his or her smartphone in a cab, there must be a way to remotely erase all data on it.
  • Finally, employees must be trained, not only on the importance of security, but also on the organization’s specific methods of maintaining PHI.

A breach is disclosure of PHI to parties that are not authorized by HIPAA to access it. A breach has occurred if PHI is accessed by an unauthorized party, even if that data is not actually stolen.

How Do I Prevent A Breach?

  • Train employees on why security is important and how to minimize risks.
  • Maintain possession of, and control security on, mobile devices.
  • Enable firewalls and encryption.
  • Ensure that files are encrypted and stored correctly.
  • Move towards a paperless operation and properly dispose of paper files.

How Do I Plan Ahead?

HIPAA regulations require that a healthcare organization regularly audit its security and have a risk mitigation action plan. If you take the following steps, you will have gone a long way towards ensuring that your organization can pass audits and show that you have already taken steps toward risk mitigation:

  • Encrypt PHI both in storage and transmission.
  • Use secure access controls including strong passwords, access limited to job functions, auto timeouts, and screen locking.
  • Use firewalls and antivirus software on all desktops and mobile devices.
  • Keep track of incoming, as well as outgoing, data. Know where data comes from.
  • Keep your risk mitigation plan updated to deal with new threats. The “threat surface” is constantly changing.
  • Keep software and firmware updated. Many new attacks are aimed at hardware as well as software vulnerabilities.
  • Keep employee training up-to-date.

How Can My Organization Respond to Breaches?

Your organization should have a written post-breach action plan that is regularly updated. It is foolish to assume that a breach will never occur. The plan should be updated and reviewed at least annually. What is most important is transparency. HHS needs to be notified. Those whose data has been exposed have to be notified. Your legal staff should be notified. And anything resembling a cover-up should be avoided.

Concealment of a breach is a violation of the law and regulations, and can be guaranteed not to work. Breaches will eventually be exposed, and the delay in reporting them or attempts at concealment will only make the organization look worse than would otherwise be the case.

Any breach – or even detection of an attack – should be used as a lesson for future security efforts. The first task is to figure out what went wrong. Where did your security measures fail? Once that is known, you need to determine the root cause. The root cause is usually a bit of a surprise.

In one case, the organization’s own security efforts were perfect. But it used a cloud vendor whose security practices were much laxer. Data was encrypted and communications between the organization and the cloud vendor were secure and encrypted. But the cloud vendor stored decrypted data on one of its own servers that were not even protected by a password and exposed to the public internet. The lesson here is that security audits should cover both your own organization and all of your vendors.