The 2019 Guide To Securing Microsoft Office 365

Securing Microsoft Office 365

The importance of fully securing Microsoft Office 365 cannot be overstated. Recent statistics show that a hacker attack occurs every 39 seconds. Government agencies and retail, technology and healthcare industries are among the most popular targets, but the truth is that cybercriminals are more than willing to hack into any vulnerable business to obtain valuable customer information and company data.

Thankfully, Microsoft offers an array of tips and tools to help businesses and individuals keep Microsoft Office 365 fully secure. There are also some practical steps a company can take to maintain a high level of security at all times. Following is a comprehensive overview of steps any business can take to fully secure Microsoft Office 365 in 2019.

Use Multi-Factor Authentication

Microsoft highly recommends setting up multi-factor authentication, and it’s not hard to see why: it is one of the simplest yet most effective ways to protect a Microsoft Office 365 account from compromise. With multi-factor authentication in place, employees are required not only to type in a password but also to acknowledge a text message on their phone before they can access the company account. Using multi-factor authentication ensures that valuable company data is not compromised if an employee uses an easy-to-guess password and/or leaves the company password written in a visible location. While it is crucial for employees to understand the importance of using strong passwords, a compromised password on its own would not enable a malicious third party to access your data, as they would also need the employee’s phone to gain entrance into the Office account.

Use Administrative Accounts with Care

An administrative account provides managers and executives with additional options, privileges and security features to keep Microsoft Office 365 safe from unauthorized access. However, it is crucial for administrative accounts to be used with care or they can cause more harm than good. Following are some steps every business should take to protect admin accounts from breaches:

  • Set up regular accounts for each admin user. Admin users should use their regular account for non-administrative tasks and reserve the admin account for functions that cannot be completed with a regular account.
  • Have admin users close all unrelated browser sessions and apps before logging onto an admin account.
  • Instruct admin users to log out of the admin account after each session.
  • Provide clear guidelines regarding which data can be viewed and downloaded using an administrative account.
  • Use a Cloud Access Security Broker (CASB) to monitor admin user actions. A CASB can detect high-risk activities involving sensitive data and identify unauthorized admin account access attempts.
  • Immediately shut down admin accounts for administrative users who leave the company.
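The two sections above come down to a recurring check: who holds a privileged role, is multi-factor authentication enforced on that account, and has sign-in been blocked for anyone who has left. The following script is an added example, not code from the original article or from Microsoft; it assumes the MSOnline PowerShell module is installed and that you have already run `Connect-MsolService` with an account allowed to read directory roles. The role list is a choice made for this example.

```powershell
# Added example (not from the original article). Assumes the MSOnline module is
# installed and Connect-MsolService has already been run. Role names are the
# display names MSOnline uses; extend the list to match your tenant.
$privilegedRoles = @(
    'Company Administrator',            # shown as "Global Administrator" in the admin center
    'Exchange Service Administrator',
    'SharePoint Service Administrator',
    'User Account Administrator'
)

function Get-PrivilegedAccountReport {
    foreach ($roleName in $privilegedRoles) {
        $role = Get-MsolRole -RoleName $roleName
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            # Groups and service principals have no per-user MFA state; skip them.
            if ($member.RoleMemberType -ne 'User') { continue }
            $user = Get-MsolUser -UserPrincipalName $member.EmailAddress

            # StrongAuthenticationRequirements is empty when per-user MFA was never set;
            # 'Enforced' is the state every admin account should be in.
            $mfaState = $user.StrongAuthenticationRequirements.State
            if (-not $mfaState) { $mfaState = 'Disabled' }

            [pscustomobject]@{
                Role          = $roleName
                User          = $user.UserPrincipalName
                MfaState      = $mfaState
                SignInBlocked = $user.BlockCredential   # $true once a leaver has been shut down
            }
        }
    }
}

# Every active privileged account that is not yet enforced for MFA.
Get-PrivilegedAccountReport |
    Where-Object { $_.MfaState -ne 'Enforced' -and -not $_.SignInBlocked } |
    Format-Table -AutoSize

# Shutting down a departed admin's account (hypothetical UPN shown):
# Set-MsolUser -UserPrincipalName 'leaver@contoso.example' -BlockCredential $true
```

Run the report on a schedule and treat any row it prints as an action item: either enforce MFA on the account or block its sign-in. Accounts that hold a role but never sign in interactively (for example, a break-glass account) still belong on the list so they are reviewed deliberately rather than forgotten.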

Secure OneDrive

OneDrive has much to offer any business. It enables users to synchronize data across various devices as well as share files with other users. Unfortunately, OneDrive can also provide hackers with easy access to company files. It is not uncommon for employees to download files from a secure OneDrive account only to save the data on an unsecured cloud account or personal device. To prevent this scenario, companies should clearly mark files that should not be downloaded from the OneDrive account. It is also essential for the IT department to:

  • Know what data is being uploaded to and downloaded from OneDrive
  • Be aware of which users have access to information
  • Know which files or folders have shared links
  • Be able to see which devices are being used to access the company’s OneDrive account and pinpoint the geographical location of the devices in question
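The four visibility requirements in the list above can be met from the Office 365 unified audit log, which records OneDrive uploads, downloads and sharing-link creation together with the client IP address of the device that performed the action. The script below is an added example, not code from the original article or from Microsoft; it assumes an Exchange Online PowerShell session is already open (`Connect-ExchangeOnline` from the ExchangeOnlineManagement module) with a role that can read the audit log, and that audit logging is turned on for the tenant. The seven-day window and the operation list are choices made for this example.

```powershell
# Added example (not from the original article). Assumes an Exchange Online
# PowerShell session is open and unified audit logging is enabled.
function Get-OneDriveActivitySummary {
    param(
        [int]$Days = 7,
        # Upload/download events plus the sharing events that create links.
        [string[]]$Operations = @('FileDownloaded', 'FileUploaded',
                                  'AnonymousLinkCreated', 'SharingSet')
    )
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date

    # ResultSize is capped at 5000 per call; use -SessionId with
    # -SessionCommand ReturnLargeSet to page through busier tenants.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations $Operations -ResultSize 5000

    foreach ($r in $records) {
        # Each record carries its detail as a JSON blob in AuditData.
        $d = $r.AuditData | ConvertFrom-Json
        # The same operations exist for SharePoint; keep only OneDrive here.
        if ($d.Workload -ne 'OneDrive') { continue }
        [pscustomobject]@{
            Time      = $d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            File      = $d.ObjectId
            ClientIP  = $d.ClientIP   # resolve with your geolocation tool to place the device
        }
    }
}

$activity = Get-OneDriveActivitySummary -Days 7

# Who downloaded the most files this week? (Answers "what data is being downloaded".)
$activity | Where-Object Operation -eq 'FileDownloaded' |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name

# Every anonymous ("anyone with the link") sharing link created this week.
$activity | Where-Object Operation -eq 'AnonymousLinkCreated' |
    Format-Table Time, User, File, ClientIP -AutoSize

# Distinct client IPs per user, to spot access from unexpected locations.
$activity | Group-Object User |
    ForEach-Object { [pscustomobject]@{ User = $_.Name; ClientIPs = ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } }
```

A sudden spike in `FileDownloaded` counts for one user, or an anonymous link on a file that is marked as not to be shared, is the kind of signal the IT department is looking for; the client IP column is the starting point for the geographic check the list calls for.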

Protect Email Communications

Every company should use all the tools that Microsoft Office 365 provides to protect the company from email-based threats. The Office 365 Security & Compliance Center enables admin users to block certain types of file attachments that are commonly used for malware or ransomware. It also allows managers to enable Advanced Threat Protection to check email attachments for malware. This protection extends to files in OneDrive, SharePoint and Microsoft Teams, protecting employees who use cloud-based software from breaches.

Furthermore, the Office 365 Security & Compliance Center can be used to create an Advanced Threat Protection plan that will stop email phishing attacks.

The Office 365 admin center enables IT professionals to set up pop-up warnings for employees who are about to download an email attachment. The warning, which clearly states that employees should not open certain types of files from users they do not know as the files may contain malware, can prevent devastating consequences should an employee click on an attachment without thinking. This handy tool also makes it possible for companies to choose which types of files activate a pop-up warning, thus creating an efficient work environment in which employees can freely access safe files without automatically opening ones that could potentially be harmful.

The Office 365 admin center also has tools that enable companies to disable auto-forwarding for emails. Many hackers who gain access to one company account use it to automatically forward emails in an attempt to gain access to other user accounts. The emails can be forwarded without the compromised account’s user being aware of what is going on, making it impossible for him or her to put a stop to the forwarded emails. By disabling auto-forwarding, companies can limit the damage caused should a malicious third party compromise an Office 365 account.
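The three email controls described above (blocking risky attachment types, disabling auto-forwarding, and finding forwarding that is already in place) can all be applied from Exchange Online PowerShell. The script below is an added example, not code from the original article or from Microsoft; it assumes an Exchange Online PowerShell session is already open (`Connect-ExchangeOnline`) under an Exchange administrator role. The rule name, the extension list and the reject text are choices made for this example, not values from the article.

```powershell
# Added example (not from the original article). Assumes an Exchange Online
# PowerShell session is already open with an Exchange administrator role.

# 1. Mail flow rule that rejects messages carrying attachment types commonly
#    used to deliver malware. Extend the list to match your own policy.
$blockedExtensions = @('exe', 'scr', 'js', 'jse', 'vbs', 'hta', 'bat', 'cmd')
New-TransportRule -Name 'Block risky attachment types' `
    -AttachmentExtensionMatchesWords $blockedExtensions `
    -RejectMessageReasonText 'Attachment type is not permitted by company policy.'

# 2. Stop mail from being auto-forwarded to domains outside the tenant. The
#    'Default' remote domain (*) covers every external domain without its own entry.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Find forwarding that is already configured: mailbox-level forwarding and
#    inbox rules that forward or redirect. A compromised account is commonly
#    abused in exactly this way, so every hit deserves a review.
function Get-MailForwardingReport {
    foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
        if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mb.UserPrincipalName
                Kind    = 'MailboxForwarding'
                Target  = (@($mb.ForwardingSmtpAddress, $mb.ForwardingAddress) | Where-Object { $_ }) -join ';'
                Rule    = ''
            }
        }
        $rules = Get-InboxRule -Mailbox $mb.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
        foreach ($rule in $rules) {
            [pscustomobject]@{
                Mailbox = $mb.UserPrincipalName
                Kind    = 'InboxRule'
                Target  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) -join ';'
                Rule    = $rule.Name
            }
        }
    }
}

Get-MailForwardingReport | Format-Table -AutoSize

# To clear mailbox-level forwarding found above (hypothetical UPN; one mailbox at a time, after review):
# Set-Mailbox -Identity 'user@contoso.example' -ForwardingSmtpAddress $null -ForwardingAddress $null
```

Step 2 only blocks forwarding that leaves the tenant; the report in step 3 is what catches forwarding set up before the setting was changed, including rules that redirect mail to another internal mailbox. Running the report on a schedule and diffing it against the previous run turns a one-off cleanup into ongoing detection.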

It’s also wise to enable Office Message Encryption. The program is included with Microsoft Office 365 and can be enabled in Outlook for PC. The encrypted email message program allows users to send encrypted emails both inside and outside the organization and it works not only with Outlook but also common email platforms such as Gmail and Yahoo Mail.

Provide Employee Training

An astonishing 95% of all breaches happen due to human error. Busy employees who are unfamiliar with IT guidelines can make deadly mistakes that will cost companies millions of dollars to rectify. Alternatively, many employees who are familiar with IT security procedures may disregard them because they are time-consuming to comply with or because they do not understand the importance of these guidelines in the first place. It is imperative for every single company to provide its workers with comprehensive, ongoing security training to keep systems secure at all times.

What type of training do employees need to fully secure Microsoft Office 365? Following are some important points that should be emphasized:

  • Never use personal devices for work-related tasks. It is all too easy for company employees to merge work-related and personal matters. Important company files may be downloaded onto an unsecured personal laptop, which is then unknowingly breached. A personal smartphone containing valuable business data may be stolen, compromising the company by exposing vital data. Additionally, employees should never email company files to their own personal email account. Many employees do this to work on holidays or on the weekends; however, this move exposes company data to hackers who may be able to access a personal Gmail or Yahoo email account with a weak or easy-to-guess password.
  • Work devices should never be used for personal matters such as checking a personal email account or social media site. It is all too easy for employees to compromise a company’s entire network by downloading a malicious attachment from a personal email account or social media site.
  • Employees should be taught the right way to communicate with colleagues and superiors. Internal communications should be secure and follow proper protocol to prevent important data from falling into the wrong hands. Employees should also be taught how to spot fake communications ostensibly from management but actually sent by a hacker attempting to access company data.
  • Knowing how to back up important data is yet another aspect of employee security training. Data should be backed up regularly yet in a secure manner so that unauthorized third parties cannot access files as they are being copied to or from a cloud server.
  • Companies should also create a plan for handling a malware, ransomware, DDoS or any other type of cyberattack. Even the best Microsoft Office 365 security guidelines cannot guarantee that an attack will never occur. Employees should know how to recognize the signs of an attack and what to do to limit the damage.
  • New employees will need industry-specific training on how to handle important data. Healthcare companies, for example, will need to ensure that all employees are aware of current HIPAA guidelines regarding patient data privacy. Government entities will need to train employees to handle sensitive or classified information in accordance with existing laws and regulations.

Cybercriminals are always on the job, looking for new ways to access company data from Microsoft Office 365 and then misuse this data by offering it for sale on the dark web or demanding a ransom in exchange for returning company files. Given this fact, it is important for businesses to have a plan in place to keep their Microsoft Office 365 accounts secure at all times. The tips mentioned above are an ideal starting point; at the same time, companies will need to customize their approach to Office security to ensure their files remain safe from unauthorized access. It’s also wise to re-examine security guidelines from time to time to ensure that they are still as effective and efficient as they are meant to be.

What Should Be In Your 2019 Technology Strategic Plan

2019 Strategic Plan

Making an Ultimate Technology Plan for the New Year

Times are changing, and with 2019 about to begin, now is a natural moment to ask: how is your current technology holding up at your company? If you feel that certain things need to change for you to stay competitive, it might be time to confront this challenge head-on with an ultimate technology plan.

You may not be familiar with how to implement one, but once you learn the basics, which we are going to show you here today, it’s a smooth process that will have you on the road to an overall improvement in every aspect of your office’s technological needs.

Let’s get started with how to create a technology plan for your company or small business so that when you head into the new year, you’ll be thoroughly prepared to be on the cutting edge tech-wise.

Step #1: Look Over Your Existing Technology

When you look around your small business or office setting, what do you see? Do you see old computers, old printers, and other dinosaur-related tech that you aren’t even using anymore? Part of your plan should be to clear out old and outdated tech that you probably aren’t using anymore.

Now is the time to recycle all of that and remove it for good from your workspace. It’s like a breath of fresh air when you clean out old technology this way. The beginning of the new year is the perfect time to do this. You’ll be pleasantly surprised at how much this can help to improve the overall attitude of an office or another work setting.

Step #2: Create an Ideal Budget

Mention the word budget and it always feels a little bit “heavy.” What can you afford? What can you really afford? Sometimes what you need and what you can afford are two different things.

Have an ideal budget in mind that fits in with your revenue plan. You don’t want to overspend, but you do want to achieve your ultimate technology plan with the right budget in mind. Do the best you can with this.

It may require some research to figure out how to afford the technology items you need, but with the right focus, you should be able to obtain great technology that fits into your set budget.

Step #3: Plot Out What You Need

Figure out everything you need tech-wise and the cost for each item. Put all of it into your plan so that you can visualize having the full scope of your new tech at your disposal.

Don’t leave anything out to figure out later. Make this ultimate technology plan as detailed as possible so that you know exactly what you will end up with to ultimately suit your needs.

Step #4: Implement a Realistic Timeline (3-6 Months)

Most of the time you are going to want to get your new technology purchased over a few months. If you can afford it all at once, fantastic. If not, it’s okay to set up a realistic timeline to obtain everything you are going to need to have updated gear that works for you.

Many companies look for a timeline that extends around 3-6 months. If you need it to be shorter or longer, according to your individual company’s needs, that’s fine too. It all goes back to your budget and what you can afford to do at any one time, or over a few months if need be. Your finance department will be able to assist you with this part of the technology plan.

Step #5: Write Your Plan Out in Detail

Your plan is known as your “technology vision statement.” Sounds pretty fancy, right? This is going to help you achieve your mission to be updated entirely going into the new year with your brand new technology in place.

You’ll be amazed at how much fresh tech will energize your team. Don’t underestimate the power of renewed vigor and the new year is the right time to have your technology planning accomplished. Set out and do it right so that you are ahead of the game in your industry.

It just makes everything you need to get done go a lot smoother for you and your team. After all, the last thing you want as a cutting-edge company is to look like you are lagging behind tech-wise. Your clients will pick up on your overall image, and tech that isn’t up-to-date looks like an eyesore.

What Are The Top Tech Events in 2019?

Tech Events 2019

Attending the top tech events in 2019 is mandatory for managed IT service companies. While it may be impossible to stay ahead of cybercrime, IT professionals should invest time and money to stay proactive to help their clients plan for unidentified threats.

Keynote speakers at these top tech events provide valuable insight on how to communicate the very real threats that continue to evolve for every business, so that your clients invest in technology to help protect themselves from security breaches.

Calendar of Tech Events

Find top events in the United States and abroad. Make plans to attend several.

January 15, 2019 – January 18, 2019, Austin, TX.

RStudio Conference 2019. Host and RStudio Chief Scientist Hadley Wickham and confirmed keynote speakers David Robinson, Felienne and Joe Cheng will be updating attendees with the state of the art and future of data science.

February 25, 2019 – February 28, 2019, Barcelona, Spain.

MWC Barcelona. This is the “original” World Congress of mobile. Explore mobile topics from AI to Digital Wellness and Digital Trust.

March 4, 2019 – March 8, 2019, San Francisco, CA.

RSA Conference USA. Industry expert keynote speakers and seminars on the latest cybersecurity enhancements.

March 8, 2019 – March 17, 2019, Austin, TX.

SXSW. The mother of all conventions – from music and culture to technology. You’ll find coding, cryptocurrency, medical technology and VR/AR/MR.

March 18, 2019 – March 21, 2019, Orlando, FL.

Enterprise Connect. Discover your options when replacing or upgrading a legacy system. Get unbiased, vendor-neutral advice on implementing next-gen communications.

March 18, 2019 – March 20, 2019, Ponte Vedra, FL.

AGENDA19. Especially designed for C-level, VPs, Directors and Managers as they plan to lead their businesses in changing times.

April 9, 2019 – April 11, 2019, Las Vegas, NV.

Atlassian Summit. From training and certifications to a diverse group of speakers, you’ll change the way your teams work.

April 9, 2019 – April 11, 2019, San Francisco, CA.

Google Cloud Next. Google shares its latest cloud technology so you can choose the appropriate cloud-native devices for yours or your clients’ needs.

April 23, 2019 – April 25, 2019, San Francisco, CA

Slack Frontiers 2019 (SF). Attend this event to study teamwork development skills you can use to lead your team toward more productivity.

May 28, 2019 – June 1, 2019, Taipei, Taiwan.

Computex Taipei. This giant Asian show is especially for those interested in ICT supply chain and IoT ecosystems.

July 14, 2019 – July 18, 2019, Las Vegas, NV.

Microsoft Inspire. All of Microsoft’s partners in one place at one time.

August 3, 2019 – August 8, 2019, Las Vegas, NV.

Black Hat USA. Arrive early for four days of hands-on security training followed by a two-day conference concentrating on security development and trends.

October 22, 2019 – October 24, 2019, Los Angeles, CA.

MWC Americas. Emerging technologies and trends as “mobile” changes the world.

November 19, 2019 – November 22, 2019, San Francisco, CA.

Dreamforce. Annual symposium for Salesforce customers. See the newest devices and apps that connect to your client’s customers.

TBA. San Jose, CA.

WWDC. Experts expect a spring meeting to showcase new hardware and software, perhaps with a focus on Apple TV and media-related hardware including new AirPods or over-the-ear headphones.

TBA. Mountain View, CA.

Google I/O. Developers worldwide look forward to this annual conference for hands-on learning and seminars with Google experts. Attendees also get the first look at Google’s newest developer products.

TBA. Seattle, WA.

Microsoft Build. Everything Microsoft all in one place – over 350 sessions that cover Azure, Visual Studios and Microsoft 365 plus emerging technology.

Begin planning now. Book hotels and flights early to ensure a stress-free tech event. Register early to earn early-bird discounts on fees. Follow these 13 tips to get the most out of every tech event you attend.

The Guide To Increasing Labor Efficiencies With Managed IT Services

Managed IT Services

Efficiency is one of the most challenging objectives for most companies to achieve. To be efficient, a firm needs to focus on optimizing limited resources to achieve the best results possible at the lowest cost. As you probably know from experience, this is far easier said than done.

To boost efficiency, a company needs to craft a strategic plan. In many cases, this strategic plan involves outsourcing. The term outsourcing refers to the business practice where a company contracts the services of an individual or another company to perform specific tasks, provide services, or handle operations that would otherwise be performed internally by employees. Outsourcing solutions are incredibly popular among companies these days. When utilized correctly, outsourcing solutions allow firms to operate at a higher level of efficiency.

Companies of all sizes are recognizing the cost- and time-saving advantages of contracting with independent service providers to provide services that don’t fall within the realm of their primary expertise. Small and mid-sized companies are turning to outsourcing solutions for remote IT support and management services as well as IT hardware maintenance.

This partnership between client organizations and managed IT service providers allows the client organizations to enjoy efficiency, productivity, and lower costs when it comes to IT operations. Best of all, the organization’s IT systems continue to run at the highest level of efficiency possible. This frees up valuable time and resources within the client organization, which are then directed to serving the needs of customers.

One primary reason so many small and medium-sized companies are turning to outsourcing is that they are finding themselves pressured to deploy the same level of technology functionality as larger companies merely to keep up with the competition. As you can imagine, it is often difficult for small IT teams to keep up with this pressure. This also causes small budgets to become strained. While some organizations may initially be hesitant to turn to a third-party for infrastructure support, these organizations can benefit significantly from such a move. These benefits come in the form of reduced costs and boosted revenue and efficiency.

Here is a guide to increasing labor efficiencies with managed IT services.

1. Focus on their Core Mission

One way that managed IT services increases labor efficiencies is by allowing companies to focus on their core mission. Organizations that spend most of their time and resources on their core expertise can pay more attention to boosting sales, building a strong brand, and increasing revenue. Your employees can focus on providing the best customer experience possible to your clients. The third-party company that you are in a partnership with can concentrate on keeping your organization’s IT systems in tip-top shape. Most managed IT service providers are flexible enough to increase their services when business volume rises and then decrease their services when business slows down.

2. Reduce Headcount and Overhead

After you form a relationship with a provider of managed IT services, you should focus on reducing headcount and overhead. Now that you have a third party that provides some or even all of your IT needs, it is likely that you will be able to reduce overhead costs and headcount significantly. Your provider of managed IT services will serve as an extension of the internal team within your company. Your company will benefit significantly from the expertise and resources of the managed services team. Economies of scale are one significant advantage of managed services. Managed IT service companies provide high volumes of manpower and technology, which means that they have the means to significantly reduce the cost of both factors.

3. Economies of Scale and Pass-Along Savings

One way your organization will enjoy increased labor efficiencies with managed IT services is through pass-along savings and economies of scale. Managed IT services provide client organizations with access to world-class assets at a fraction of how much it would cost to acquire these assets on their own. Managed IT service companies also pass on cost savings to their client organizations.

4. Consider Data Safety and Confidentiality

When choosing a managed IT services partner, one of the main factors that you should consider is their knowledge of industry-specific reporting requirements. Some examples of such reporting requirements include SOX, PCI DSS, and HIPAA. You should also take into consideration their knowledge of personnel clearances like DOD and technology partner certifications. If you don’t take these factors into account, it may end up hurting your organization’s labor efficiency. While you shouldn’t thrust the responsibility of data safety and confidentiality entirely on a managed IT services partner, working with a managed IT services company that takes data security and privacy into consideration will help labor efficiency. Some of the pressure that your IT team currently faces when it comes to keeping data secure and confidential will be alleviated.

For more information about how to increase your company’s labor efficiencies with managed IT services, don’t hesitate to contact us.

2019 Cyber Security Guide: Emerging And Enhanced Threats

In Part 1 and Part 2 of the 2019 Cyber Security planning series, we looked at the evolution of technology and the future of cybersecurity defense systems. There has been a steady evolution of defense options to curtail the rising efforts to commit cybercrimes. In this segment, we look at emerging and enhanced threats moving forward.

Four Primary Cyber Security Risk Areas For 2019

Cybersecurity preparedness relies on year-over-year planning and strategic implementation. That means corporate decision-makers must pull together key staff members, including IT support team leaders, department heads and primary stakeholders. Determined preparation for 2019 relies on a rich, interdepartmental understanding of company goals, system needs and actionable knowledge of cybersecurity policy and protocols.

Knowledge equals power in the cybersecurity sector, and arming employees with information about how and why measures are taken to protect vital information remains job one. That being said, these rank among the biggest anticipated threats facing companies in 2019.

Ransomware Expected To Thrive In 2019

Cybercriminals have steadily made a shift away from direct systems hacks and are more inclined to plant malware that encrypts a company’s data and demands payment for the key to unlock it. The FBI reportedly claims that upwards of 4,000 ransomware attacks are carried out every day. That figure is expected to escalate in the coming years.

Most ransomware attacks are conducted by prompting a user to inadvertently click on a malicious link or website that results in infection. Although only a fraction of ransomware incursions are reported, cybercriminals generally ask for $200 to $3,000 in bitcoin payments in exchange for the decryption key. These are some of the ways an IT support team can mitigate ransomware attacks.

  • Incident Plan: Create an actionable ransomware protocol that employees can initiate in the event of an infection.
  • Critical Backup: Allow for multiple backup iterations of data in secure system locations.
  • Anti-Virus: Maintain cutting-edge preventative antivirus programs and conduct timely system scans.
  • Restrict Internet: Ransomware attacks commonly occur by employees visiting unsecured sites and opening spam emails. Each workstation requires appropriate restrictions.

Third-Party Risk Heightens In 2019

Consider for a moment that more than half of all breaches are initiated through third parties, often vendors. Organizations generally have hundreds of business partners on a variety of levels. Many of these interact daily through electronic channels and direct links to an organization’s systems. From ordering products to paying invoices to basic communication, there could be thousands of points of contact between your servers and third parties.

Moving forward, hackers will be increasingly targeting vulnerable systems to steal sensitive information to sell or ransom. Companies that do not secure their data at a high level can act as a backdoor into other servers. Once today’s hacker has infiltrated one of your vendors, they can email ransomware and other malicious programs undetected. Cyber theft efforts are more likely to be successful because employees open vendor communications with confidence. These are some of the key steps organizations may want to consider for 2019.

  • Personnel Changes: Work with business partners to communicate staff turnover and take cybersecurity measures to prevent technology access after departure.
  • IT Glitches: Monitor systems appropriately and avoid support gaps.
  • Share Responsibility: Develop an agreed-upon cybersecurity policy and protocol with vendors and other third parties to minimize potential cross-company breaches.

Terminate BYOD Policies In 2019

We are all well aware of the headlines regarding high-ranking government officials using personal devices. In many instances, the federal government considers using a personal electronic device for work purposes a direct and discernable security threat. Despite that glaring warning, the number of companies that allow employees to Bring Your Own Device (BYOD) has grown exponentially in the last few years.

The convenience of a valued staff member having tangible connectivity 24-7 seems to outweigh any risk. In the past, this policy may not have brought about a negative result. But cybercriminals are well aware that an employee smartphone is now a doorway into a company’s system.

What makes BYOD even more problematic moving forward is that an average of 22 percent of workers misplace their electronic device. Compounding that misstep, only about 35 percent use a password or PIN to secure it. This vulnerability does not even account for purposeful theft of a staff member’s device. Businesses would be wise to change course on the BYOD practice in 2019 by taking the following steps.

  • Stop: End the practice of BYOD entirely.
  • Company Only Devices: Issue secured company devices that are maintained by the IT support team.

Common Cyber Security Threats Expected To Increase In 2019

Cybersecurity breaches have proven to be costly for companies and organizations in every sector. The loss of time, productivity, and damage to reputation are exponentially expensive. Many of the seemingly low-level nuisances are expected to become high-level threats in the coming years. Decision-makers would do well to address these issues with the same determination as others in 2019.

  • Flawed Software: Glitchy programs are emerging as a gaping hole for hackers to infiltrate otherwise secure systems. It’s imperative that all applications are patched and updated accordingly. Outdated programs should be promptly removed.
  • Phishing: A reported 76 percent of all businesses are the target of phishing ploys at some point. It’s imperative outfits train employees to recognize and alert the IT support team when suspicious emails are received. Phishing scams are expected to become more sophisticated moving forward.
  • Update Passwords: The lack of complex passwords has lured hackers to attempt to breach systems through staff logins. It’s crucial to plan routine password changes at set times during 2019. Company systems should also require passwords to include at least one number and one symbol.

Cornerstones Of 2019 Cyber Security Planning

It takes strong cybersecurity planning to minimize the growing threats to innovation, productivity, and profitability. With hackers using every conceivable means to gain access to critical data, it’s easy to lose sight of the forest for the trees. In terms of planning cybersecurity in 2019, an organization’s leadership team would be wise to consider their efforts under these four foundational ideas.

  • Deter Threats: Consider a 2019 cybersecurity plan in terms of its potential success at avoiding data and systems breaches. Ask the simple question: How does this policy or protocol make hacking more difficult?
  • Protection: When implementing a 2019 cybersecurity plan, it should serve to insulate systems, infrastructure, components and data from intrusion. Does the plan effectively achieve these goals?
  • Detection: Thwarting a data or systems breach often begins by recognizing the imminent threat. Each facet of the cybersecurity plan should include measures of detection.
  • Adaptability: Each year, companies across the world take strategic measures to stop cybercriminals from negatively impacting their organization. Each year, hackers counter IT support strategies to commit crimes. A well-conceived cybersecurity action plan should include ongoing oversight, articulate new and emerging threats and have the agility to withstand them and make necessary changes.

It’s essential for an organization to understand cybersecurity as a process. Cybercriminals are continually looking for creative ways to steal valuable data, and industry leaders are tasked with ongoing cybersecurity planning.

Don’t Let a Disaster Destroy Your Holidays

The festive season is fast approaching, and it is a well-deserved opportunity to celebrate with friends and family. However, the joy of the holidays can quickly turn tragic if you are not careful. Emergency room visits and the number of calls to first responders see a sharp increase during the final few weeks of the year. It is possible to avoid a holiday disaster by following a few simple guidelines to help safeguard you and your family.

Happy Thanksgiving

Ways to Stay Safer During This Year’s Holidays

Avoiding Decorating Disasters

  • Inspect your holiday decorations before putting them out. Even if you took the time to double check your decorations before storing them, look again. Check for frayed wires, loose connections, broken bulbs, and other fire hazards.
  • Ensure outside decorations are weather-resistant. Never assume that all decorations are suitable for hanging both indoors and outdoors. Look at the tag and make sure that the item has an outdoor rating from Underwriters Laboratories (UL) before using it anywhere it may get wet.
  • Don’t put yourself at risk for injuries. While decorating your entire home in lights and figures may look amazing, don’t try to do more than you can do safely. Make sure you know what you are doing before you try to climb a ladder or secure a holiday scene to the top of your roof.
  • Stay away from candles. While no one can deny that real flames add a magical warmth to your home, burning candles can significantly increase the chance of a house fire. You are more at risk if you have young children or pets at home. There are many LED candle lights which offer a similar, but much safer, candlelight effect.
  • Don’t leave your decorations on the entire night. Besides saving energy and money, using a timer switch to turn your decorations off at a reasonable time each evening can prevent a fire from breaking out while you sleep. Homeowners who have plans to go away for the holidays should completely unplug decorations until they return home.

Don’t Cook Up a Disaster

  • Keep kids out of harm’s way. Cooking with your kids during the holidays can be a great experience. Prevent little ones from being injured by ensuring they stay away from the stove and never allowing them to use sharp knives. Instead, give them simple, safe tasks like kneading dough or decorating cookies.
  • Watch your food temperatures. Many cooks only cook large roasts or whole turkeys during the holidays. For cooks with less experience, it is easy to undercook the meat, resulting in serious illness. Always follow a recipe and use a meat thermometer to ensure the food is thoroughly cooked.
  • Make sure your stove and oven are off. It is easy to become distracted and forget to turn appliances off. Do yourself a favor and double check before going to bed for the night.

Keeping Healthy and Secure During Holiday Travels

  • Give yourself plenty of travel time. Driving during the holidays often means huge delays, so leave early enough so you won’t need to rush to get to where you are going on time. Take the time to plan out food and bathroom breaks before hitting the road. This step is particularly helpful if you are traveling with children or other passengers who may need special considerations.
  • Always use seat belts and properly installed car seats. Seat belts and car seats save lives, so there is no excuse not to use them correctly. Buckle up even if you are only heading down the street to pick up a last-minute gift.
  • Never use a cell phone while driving. Increasingly people are depending on driving apps to find the best way of getting to their destinations. Although these apps work well, they can become a distraction if you need to interact with your phone physically. Set your destination before leaving or have a passenger handle the navigation and concentrate on the road.
  • Be extra careful when driving in neighborhoods. During vacations from school, expect to see more children outside at all hours of the day and night. Reduce your driving speed and stay alert for people who may dart out in front of your vehicle.
  • Even one drink may be too much. If you are planning to attend holiday parties where they serve alcohol, imbibe responsibly and never drive unless you are completely sober. It is always a better idea to have a designated driver or use an alternative means of getting home to avoid a life-changing accident.

Keep these tips in mind this holiday season, and we wish you a joyful time full of beautiful memories.

Top 8 Questions To Ask Your Financial Controller

Financial Controller

The controller plays an essential role when it comes to driving profitability and growth through enhanced financial visibility. Therefore, chief financial officers should strive to collaborate closely with controllers. Successful CFOs make it a priority to make sure their organization takes full advantage of the experience and knowledge of their controller.

Here are the top eight questions to ask your controller to ensure they are operating at the highest level of accuracy and efficiency possible.

1. How Many Manual Journal Entries Are Made During the Closing Process?

Too many manual journal entries can extend the duration of a closing period significantly. A large number of manual journal entries made during the closing process is also often a sign of hidden issues. It can hide errors and anomalies that have roots that are broad and systematic. An excessive number of entries can also be an indicator of variable accounting processes.

2. Is There An Integrated System for Both Operating Metrics and Financial Information?

It is in the best interest of most organizations to have just one reporting system. If you have more than one reporting system, a significant amount of time will be spent dealing with conflicting definitions and reconciling differences. Therefore, a good question to ask your controller is if there is an integrated system for both operating metrics and financial information. If there is not an integrated system in place, you should inquire about what steps your organization should take to establish such a system. For cohesiveness and simplicity, it is well worth the effort to work towards having just one reporting system.

3. Why Are There So Many Reports?

If the financial department, for example, distributes dozens of reports on a periodic basis, it may be a good idea to ask your controller why there are so many reports. Your controller may find that many of the individuals who had requested the reports are no longer with the organization. It will save your organization a significant amount of time and resources to stop producing the reports that are no longer valuable or in use.

4. What Are We Doing in Excel?

Millions of people across the world use Excel due to its versatility and ease of use. However, while Excel certainly has its advantages, it also has its disadvantages. Excel is difficult for collaborative purposes, for example. Also, it is easy to make mistakes in Excel and these mistakes are often very difficult to find. Excel is ideal for prototyping new processes rapidly. Once a process has been stabilized, it’s best to move to an environment that is more automated, secure, and collaborative than Excel.

5. How Many Transactions Are There in Each Department?

Inquire about how many vendor payments and invoices there are. You should also ask how many line items exist for each. Ask about how quality is measured. You can use this information to focus on improving quality and efficiency in the long run as well as to plan staffing levels.

6. Who Has Access to the Accounting System?

Ideally, only one administrator should have access to the full functionality of the accounting system. There should be a documented approval process in place for the purpose of making changes to the system.

7. How Many Invoices and Sales Orders Have Been Re-Billed or Canceled?

Not only do you want to know how many sales orders and invoices have been canceled or re-billed, but you also want to find out the reason behind these cancellations. A high number of canceled or re-billed invoices and sales orders is an indication that your system needs to be redesigned.

8. Which Areas Should We Invest in First?

Your controller will know best which areas should be invested in first when it comes to your finance department. You want to focus on the biggest problem areas and redirect resources to the places that need them the most. Focus on adopting new technology to automate and simplify processes.

If you want to be a successful CFO, you should take advantage of the knowledge and experience of your controller. Pick your controller’s brain by asking them the eight questions discussed above.

US Weapons Systems: Weak to Cyberattacks?

GAO Cyber Security Report

A recent report has revealed that there are many US weapons systems that are susceptible to hackers. This news is disturbing on many levels, including the attitude exhibited by Department of Defense officials. What does the report reveal, and how serious is the threat?

GAO Report

The US Government Accountability Office (GAO) just released a report that reveals that almost all weapons that were tested by the Department of Defense (DoD) between 2012 and 2017 have serious vulnerabilities that make them very open to cyber attack. These vulnerabilities have been labeled mission critical, which makes this news all the more serious. The report had been requested by the Senate Armed Services Committee in connection with expected DoD spending in excess of $1 trillion in order to develop weapons systems.

Examples of Weaknesses Detected

The vulnerabilities were discovered by penetration tests performed by employees of the DoD. In one example, a penetration tester was able to partially shut down a weapons system merely by scanning it. In another test, it only took nine seconds for DoD testers to guess the admin-level password on a weapons system. Failure to change default passwords on open-source third-party software installed on systems resulted in several instances of vulnerability.

Those performing these tests were not making any efforts to hide their presence, but the systems they tested had a difficult time detecting their presence. These systems should have been able to detect the presence of intruders and alert those in charge. A few of the automated systems did detect the presence of the penetration testers and alerted those monitoring the systems. However, in an even more disturbing turn, the individuals monitoring the systems didn’t seem to understand what the intrusion alert meant and thus did not take any action.

Failure to Take Basic Cybersecurity Precautions

What makes this report distressing is that many of these potential open doors exist in part because of a failure to follow basic cybersecurity rules. Guidelines such as the use of encryption, robust passwords, and basic employee training are foundational to a security system. Because such guidelines have been neglected, hackers equipped with even simple techniques and tools would be able to not only take control of key systems associated with these weapons but do so almost undetected. What could a skilled hacker with the latest tools accomplish inside such a poorly secured system?

Is There a Valid Reason for the Lack of Concern?

The subtitle of this GAO report was “DoD Just Beginning to Grapple with Scale of Vulnerabilities.” Surprisingly, those in charge of such systems do not seem very concerned about these susceptibilities, perhaps because they feel the GAO is exaggerating the seriousness of the problems discovered. For example, the report does remind readers that some of the findings may no longer be a problem once a system is deployed in the field.

In addition, these officials have indicated that they believed in the past that the systems were well secured. The authors of the report, however, strongly imply that there’s a disconnect between what these officials may believe and what the reality is.

Another possible cause of the DoD’s lack of concern is the belief that the types of tests that were run would be practically impossible for any system to pass. The GAO, however, insists that the tests were not extreme and represented realistic threats to these critical systems.

The DoD may also be resting on its laurels: it received praise last year for a bug-bounty program that led to many different bugs being patched. On the other hand, the GAO report points out that only one of 20 vulnerabilities discovered in previous risk assessments had been fixed by the time the report was written.

Implications of the Report

One of the implications of the report is that a number of US weapons systems could be susceptible to a disabling cyber attack. Considering that so many adversaries of the United States have established reputations for extremely talented hackers, this is all the more disconcerting. And hackers are not subject to the same constraints as DoD penetration testers. Malicious actors may well have access to funding, state-of-the-art equipment, and would intentionally keep their activities hidden.

Another implication of the GAO report is that their testing merely revealed the proverbial “tip of the iceberg” when it comes to vulnerabilities that exist in US weapons systems. The penetration tests performed were far from exhaustive. For example, categories that were not tested included potential weaknesses related to counterfeit parts or industrial control systems.

Conclusion

The incidence of cyber attacks is on the rise, and the techniques and tools available to malicious actors are continuously evolving. It makes sense that the security of a nation’s existing weapons systems should be a very high priority. The revelations of the GAO’s report are disturbing, yet there is hope that the DoD will respond to the vulnerabilities discovered.

Infections That Can Survive The Most Extreme Cleaning

Ransomware

Technology has unlocked a world of potential for businesses everywhere. But with these advances comes a new set of problems, like malware. While it’s common knowledge that computers are susceptible to viruses, today’s breed of hackers are more creative than ever. They’re utilizing new, innovative techniques to infiltrate systems of businesses big and small.

Not all malware is created equal. Just like infectious disease, there are different strains of malware, many with the potential to wreak havoc on your business network. In today’s business landscape, tech departments are faced with the task of not only stopping these attacks before they happen, but with quickly repairing networks in the event that an attack has hit.

The Problem With LoJax

One recent attack has IT departments up in arms. A Russian hacking group created the rootkit named “LoJax”. According to ESET, a leader in IT security, the campaign delivering LoJax targeted certain organizations in the Balkans and other countries throughout Central and Eastern Europe.

The problem with LoJax is that it isn’t just any ordinary malware. It’s used to gain persistent access to a computer, and with its reputation for being hard to detect, it’s causing quite the problem for users. Much to the horror of IT professionals, this hacking technique is so complex that it can withstand a variety of common fixes. Some of these include a reformat, a complete OS reinstall and a hard-disk swap.

This unique type of malware lives in the system’s firmware flash memory rather than on the hard disk, meaning the only way to clear it is to overwrite (reflash) the infected machine’s firmware. This presents its own set of challenges, and isn’t even a guaranteed fix unless you’re armed with the right firmware image for that exact hardware.

What Is Spectre?

Spectre is the name of an underlying vulnerability affecting the vast majority of computer chips manufactured within the last two decades. If this vulnerability is exploited within a system, it could enable attackers to gain access to data that was previously deemed protected. LoJax directly leverages this vulnerability, making it all the more difficult to detect before it hits.

If attackers are successful, they can use LoJax to access systems remotely and on a constant basis. This allows them to inject additional malware. This type of malware can also be used to track a particular system’s location, and potentially the owner’s location.

What’s At Risk?

UEFI firmware is particularly at risk. UEFI, the Unified Extensible Firmware Interface, is a specification for the interface between a computer’s operating system and its firmware. It runs pre-boot applications and is responsible for booting the OS. Because the rootkit is written into the firmware itself, the malware stays hidden within the computer’s flash memory, making it difficult to remove.

How To Protect Your Network

Businesses can implement a series of additional security measures to minimize the risk of a cyber attack on their network, especially one as severe and unpredictable as LoJax.

One of the single biggest mistakes businesses are making is running their operations on old, outdated equipment. Not only can this hinder productivity, but it can also leave businesses more susceptible to a cyber attack. Investing in new equipment that runs the latest and most improved hardware means security measures are often built in.

Keeping equipment up-to-date can become costly, but it can also minimize the chances of an even costlier network revamp in the event that a catastrophic cyber attack takes place and compromises everything a company has worked so hard to build.

Exercise Caution With Emails

Malware can gain access to your system through one of several ways. One of the most common methods is e-mail. It’s wise to take a cautionary approach to e-mail when utilizing your work network. Be wary of e-mails from strange e-mail addresses and also be cautious of what websites you are visiting, taking care to only visit safe, reliable sites.

Implement A Secure Boot

While malware like LoJax is especially hard to combat, IT departments can take comfort in the fact that not all hope is lost. One method of prevention is Secure Boot. This mechanism ensures that only firmware and boot components carrying a valid signature from a trusted key are able to load and run on a particular system. With signature verification required, Secure Boot makes it possible to prevent uniquely complex malware like LoJax from successfully infecting a system. Businesses are encouraged to review the Secure Boot configuration across the entirety of their hardware.
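An added check for the review this paragraph recommends, written for this guide and not taken from the original article or from any vendor tool: it reads the UEFI `SecureBoot` and `SetupMode` variables through the Linux efivars filesystem (the kernel path and the EFI_GLOBAL_VARIABLE GUID are the real ones) and flags the case where Secure Boot is nominally on but the platform is still in Setup Mode, which does not enforce signature checks. The byte strings in `main()` are constructed samples.

```python
"""Report the UEFI Secure Boot state of a Linux host from the efivars filesystem.

Added example (not from the original article). The kernel exposes each UEFI
variable as /sys/firmware/efi/efivars/<Name>-<GUID>, with a 4-byte little-endian
attribute bitmask prepended to the variable's data.
"""
from __future__ import annotations

import os
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

EFIVARS_DIR = "/sys/firmware/efi/efivars"
# EFI_GLOBAL_VARIABLE GUID from the UEFI specification (owner of SecureBoot/SetupMode).
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


@dataclass
class SecureBootStatus:
    secure_boot: bool  # SecureBoot variable == 1
    setup_mode: bool   # SetupMode variable == 1: no Platform Key enrolled

    @property
    def enforcing(self) -> bool:
        # Only "SecureBoot on AND not in Setup Mode" actually rejects unsigned boot code.
        return self.secure_boot and not self.setup_mode

    def summary(self) -> str:
        if self.enforcing:
            return "ENFORCING"
        if self.secure_boot and self.setup_mode:
            return "SETUP MODE (Secure Boot flag set but signatures not enforced)"
        return "DISABLED"


def parse_efivar(raw: bytes) -> Tuple[int, bytes]:
    """Split an efivars file into (attribute bitmask, variable data)."""
    if len(raw) < 4:
        raise ValueError("efivar file shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def parse_bool_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables: 1 = on, 0 = off."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected 1 data byte, got {len(data)}")
    return data[0] == 1


def status_from_bytes(secure_boot_raw: bytes, setup_mode_raw: bytes) -> SecureBootStatus:
    return SecureBootStatus(parse_bool_var(secure_boot_raw), parse_bool_var(setup_mode_raw))


def read_status(efivars_dir: str = EFIVARS_DIR) -> Optional[SecureBootStatus]:
    """Read live state; returns None on a legacy BIOS boot (no efivars present)."""
    if not os.path.isdir(efivars_dir):
        return None
    def read(name: str) -> bytes:
        with open(os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}"), "rb") as f:
            return f.read()
    return status_from_bytes(read("SecureBoot"), read("SetupMode"))


def main() -> None:
    live = read_status()
    print("live host:", live.summary() if live else "legacy BIOS, no UEFI variables")
    # Constructed samples: attribute bitmask 0x06 (BS|RT) followed by one data byte.
    good = status_from_bytes(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
    setup = status_from_bytes(b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x01")
    print("sample enforcing host :", good.summary())
    print("sample setup-mode host:", setup.summary())


if __name__ == "__main__":
    main()
```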

Malware Cleaning

Once you suspect a computer within your network is infected, it’s important to take action immediately. Be sure to back up your files before you attempt any type of intensive cleaning. Also, don’t attempt to repair complex computer issues alone. Your IT department can help you create a comprehensive game plan to address the problem and prevent similar incidents in the future.

Your system can come under attack when you least expect. Given that phishing is still a go-to strategy for hackers to penetrate systems, security awareness is more important than ever. Create a solid line of defense, and an effective response strategy, to ensure an attack doesn’t compromise your business. Security awareness training can serve an important role in helping your organization stay protected from hackers.

Another Uber Data Breach – It’s Never The Crime, It’s The Cover-up

Uber Data Breach

In 2016, Uber suffered a data breach that exposed the personal information (names, email addresses, and phone numbers) of 57 million users. In the same breach, some 600,000 driver’s license numbers of Uber drivers were exposed.

So, What Was The Response?

The Federal government and state governments have laws protecting data privacy. Most of them require rapid reporting of data breaches to both the governments and the individuals whose data was exposed. Instead of following the laws, Uber decided to bury the bodies. With a careless indifference toward the rules and regulations that Uber has shown previously, the company got caught in a most unusual manner this time.

In this data breach, hackers first proved to Uber that they had stolen their data, then they demanded $100,000 not to reveal it. That’s a new twist for cyber-thieves.

How Did The Hackers Get The Data?

GitHub is a site where programmers and systems architects publish code and other information, both to store it privately and to show it off to others. The hackers got into the private side of GitHub and obtained user credentials of the Uber development team. Once they had those, they had free run of Uber’s systems.

What Did Uber Do?

Rather than reporting the breach as required, Uber’s Chief of Security paid the bounty of $100,000, got the hackers to sign a non-disclosure agreement, and disguised the $100,000 payout as a bug bounty on Uber’s internal records. The affected individuals were not contacted. The whole incident was covered up (hopefully).

Uber was already under investigation by the Federal Trade Commission (FTC) for failure to protect consumer information. In the course of that investigation, the 2016 hack was uncovered. The first settlement where Uber confessed to failing to protect customer and driver information was dated August 2017.

Then in November, Uber’s new CEO disclosed the massive breach. At that time, Uber had agreed to pay reparations to exposed individuals and various states to the tune of $148 million. One state attorney general called Uber’s behavior “Just inexcusable.”

Uber agreed to follow relevant laws in the future and hired outside counsel and an outside data firm to assess its security practices and safety measures. The results of those efforts have not been disclosed.

It was also learned that Uber paid the hackers to delete their copy of the data. That potentially violates a law that forbids companies from destroying any evidence in cases of cybercrime. Uber eventually fired their chief of security and several others.

It is the nature of the beast that Uber could not, in fact, confirm that the hackers had deleted every copy of the data. They could have, for example, made another copy and sold it on the Dark Web. Cyber thieves are not known for their honesty. So, Uber’s efforts to conceal the breach and repair the damage may have been undermined from the start.

What Are The Lessons We Can All Learn From This?

Ever since the resignation of Richard Nixon in 1974, the phrase, “It’s not the crime, it’s the cover-up” has been well-known and understood.

The home décor and cooking guru Martha Stewart was convicted and imprisoned, not for a stock transaction that was, in fact, legal, but for lying to the FBI about it. Aside from their general legal and public relations futility, cover-ups usually do not succeed. Somebody leaks, or (as happened in this case), law enforcement stumbles across the cover-up while investigating something else.

When an incident like this happens, companies need to proceed on the assumption that the cover-up will be, at best, a temporary patch on a continuing problem.

What else can be learned from this?

Another lesson is that things that are supposed to remain private may not. The hackers were able to penetrate a supposedly private area of GitHub. In addition, the database they stole was on a third-party server, not one directly managed by Uber.

Even though the credentials stolen from GitHub were valid for the third-party server, had something like two-factor authentication been in place, the hackers would not have been able to access the server even though they had the proper credentials. There is more than enough blame to go around here. And, of course, the data on the third-party server was not encrypted.

Funding Hackers Is Not A Good Idea

In addition to everything else that was wrong in Uber’s response, the company wound up, in effect, rewarding the hackers with additional funding, enabling them to hack even more victims. Cybersecurity experts agree that funding hackers, no matter how desperate the situation seems, is never a good idea.

Uber’s response here can be compared to the similar reactions of Experian, a credit reporting agency, to a hack of its database that exposed the data of several hundred million users. First, it concealed the breach, then it denied it ever happened, then Experian confessed that it did happen. Finally, they tried to monetize the breach by creating and advertising several “security” products to consumers.

Every move was deceptive and demonstrated just how little Experian cared about the privacy of its users. The lesson from Uber and Experian for the general business community is simple: “Don’t handle breaches the way we handled ours.”