News relating to IT security issues and current trends and products.

Data Security Weakest Link

You (and your employees) Are the Weakest Link When It Comes to Data Security

Most organizations that have taken their Cybersecurity even slightly seriously have taken steps to put in place some sort of perimeter defense to try to stop the bad guys from getting inside their network. However, that is just the beginning. Many data breaches today are caused by a company’s employees, and often quite innocently. Even owners and CEOs are not immune. Attacks have grown increasingly sophisticated and can fool even the most vigilant employees.

At DTS, we have seen this trend not only grow, but actually accelerate dramatically. To help organizations educate their staff and stay ahead of the ever-creative hackers, we now offer customized training for everyone in your organization.

INTRODUCING: End User Security Training and Simulated Phishing services…

Employees are the weakest link in your network and systems security. To combat this, we are offering our customers the best online security awareness training in the industry. Our awareness training program provides you with a comprehensive approach that integrates baseline testing using mock attacks, engaging interactive web-based training, and continuous assessment through simulated phishing, vishing and smishing attacks to build a more resilient and secure organization. Our typical program starts with a baseline assessment of each of your users to determine how adept they are at identifying phishing and other security thwarting attempts. We then work with you to select appropriate awareness training content, and then we electronically deliver that content to your users. They are invited to take the courses via email, and they are reminded frequently as the completion deadline approaches. We usually schedule two core courses (20 min each) to be completed during the first month, and then another single 15 minute course every subsequent month. All of the progress and results are tracked and reported to management.

IT Security Like Playing Cat & Mouse

Keeping ahead of the bad guys…

In the field of Cybersecurity, keeping ahead of the bad guys is a never ending battle.  Cybersecurity experts develop advanced software and hardware defenses, and then the bad guys find ways around and through them. Traditional software based solutions claim to be secure, but hackers always find new vulnerabilities and strike unsuspecting companies – and often remain undetected. Organizations install firewalls and antivirus like they have been told, yet hackers, malware, and Ransomware get inside. What can a small or mid-sized company do to keep up with the never-ending challenges of data security?

The answer is our CloudXSecurity services which include customized protection services that extend beyond just the traditional hardware and software. Our comprehensive solution covers all the bases including ongoing risk analysis, policies and procedures, Cybersecurity awareness training, behavior analysis, routine vulnerability mitigation, mobile device management, encryption, and incident detection and response – just to name a few. Our solutions help companies meet and exceed industry requirements including GDPR, PCI, GLBA, and 23 NYCRR 500.

We keep you protected, so you can sleep at night.

Chrome 68 insecure site warning

Google’s Chrome 68 Browser Update and Your Website

Website Security Alert: Your Site Might Display A Scary Looking Warning Starting July 2018

According to Google, starting sometime in July 2018, they will unleash Chrome 68 – their pending web browser update. Updating Chrome is not that newsworthy, except this update ups the ante for websites that have not yet added an SSL certificate to all their web pages. As you may know, Google (and others) has been pushing strongly to have SSL on all websites. At first, they only wanted SSL on pages that shared information that was sensitive. Then they wanted all info shared on SSL pages, and now, they are upping the ante.

In everyday terms, if you see https://yoursite.com then you are fine. If you do not see the ‘s’ and instead see http://yoursite.com, then starting in July Google will show a very in-your-face warning to users that this site may not be secure and their personal data may be at risk. Any page that is not SSL compliant will now show a scary warning like the one below.

 

[Image: Chrome 68 insecure site warning. Image source: Google Security Blog]

 


I am sure you can guess that this is not ideal for websites that are not secure, and even though the site pages will load, many users will most likely be scared off.  Some longtime users or customers may even be worried that such a site was hacked.

Compared to past release updates to Chrome, this version will shout out “Danger Will Robinson, Danger… Do Not Proceed To This Website…”  It does not take a space-traveling robot to recognize that this will most likely result in users leaving your site, and will put your company’s reputation into question.

 


 

Chrome 68 includes a more detailed security check to detect whether your entire website is encrypted. If it is not, Chrome will immediately display a security warning indicating that your site is not secure.

As an example, imagine that after this update a customer goes to your website to look up your phone number, and instead, the first thing they see is a rather obnoxious security alert. They may think that your company was compromised by a hacker, and worry that their private client information was stolen as part of a security breach.

Similarly, if you sell products or are driving marketing efforts to landing pages and contact forms, visitors who are looking to fill out your contact form, or buy something online could very well be inclined to leave your site.

 

How Do I Test a Site for SSL Encryption?

You can tell whether your site (or any site) is encrypted quite easily. As mentioned earlier, your web browser will display either http: or https: in front of a site's URL (web address) to indicate an unsecured or secured website, respectively.

Chrome also provides a visual indicator: if there is a green lock next to a website address, the site is encrypted.

Alternatively, a visitor can click the information button next to a website's address. This displays a message stating that a site is or is not secure. Currently, Chrome’s security warning is somewhat hidden (unless the page collects passwords or credit card information).

Starting in July, if any page on your site is not encrypted, your visitors will see a red triangle with the words “not secure” warning visitors about your site.  As mentioned earlier, this warning can cause your website traffic to decrease and cause customers and clients some concern.

 

How Do You Encrypt Your Website?

In everyday terms, you need to apply an SSL Security Certificate on your web server. This is not as hard as it may seem but does need to be done correctly, and there are important SEO considerations such as mixed content and website versioning to be considered. It will not affect your SEO if done correctly, and in fact, it may help.

If you have not already secured your website, the good news is that it is normally under 20 minutes of work for a web developer to do, sometimes much less. Even better, if you have basic web hosting knowledge and are on a host that uses cPanel, you can probably do the basics on your own in under 30 minutes for free (depending on your host it may be as little as 5 to 10 minutes). Just remember to fix mixed content errors as well as set your version to load only the https:// version of the site. I did a quick study the other week and some surprisingly big companies got this wrong.

Click the link to the right to learn –> how to set up auto SSL in cPanel 

Do not ignore this, you still have plenty of time to avoid a bad situation.  If you are not comfortable doing this internally, contact your current web host or webmaster and ask them to do it for you.  If you prefer, you can also contact us and we can help as well.

 

Keeping All Your Company Data Safe

If a hacker discovers that your website is not secured, they may use that as an indication that your company has other vulnerabilities that they can exploit. Computers and servers that do not have the latest security patches or modern software can be penetrated using malicious code that can cripple your business.

One of our company strengths is helping our clients set up advanced defenses for cybersecurity threats, both internally and externally.

We have an entire product line launched in Q1 2018 that helps companies monitor internal networks, apply behavior-based monitoring of system access, block penetration attempts, and educate employees about things like phishing, correct password usage and much more.

Click the link to learn more about our Advanced Cybersecurity Options with our CloudXSecurity Product Suite.  Please get in touch with us if you want to have a more in-depth discussion.

We can run a complimentary security audit on your systems to see if there are issues that should be addressed.

 

A Complete Solution for Your IT Management

If you are not already a customer, Delval Technology Solutions can help your business manage all your day-to-day IT needs including enhanced network security, keeping your systems updated with the latest patches, increased productivity, on-site and off-site backups and more. You can contact us here.

Cloud X Security Rollout

Introducing Our Newest Service – CloudXSecurity

DTS offers comprehensive security solutions that extend beyond the traditional services offered by most service providers. Our solution to Cybersecurity covers the three critical areas of Cybersecurity Risk Management: End User Training, Responsible Systems Management, and Incident Detection and Response. Our solutions extend beyond just installing the latest security software. At DTS we actually partner with our customers to develop a comprehensive security program and then provide the oversight and resources to implement and run the program.

This month we are highlighting our End User Training. DTS has partnered with an industry leader in Cybersecurity Awareness Training. Not only do we have dozens of courses that we can deliver electronically, we also have a Phishing simulator that allows us to send safe Phishing emails to our customers' employees. This allows us to establish a baseline and get a better understanding of how susceptible an organization is to Phishing scams.

 

Cyber Regulations Affecting Business

How Do GDPR and 23 NYCRR 500 Affect My Business?

Although GDPR and 23 NYCRR Part 500 do not affect most small businesses in the US, there is mounting pressure from many sides urging businesses to take Cybersecurity more seriously. There are compelling Cybersecurity regulations already on the books for the defense, financial services, banking, and healthcare industries, but many businesses that are not in these sectors have been slow to adopt formal Cybersecurity programs. Consensus across the industry, however, is that it is only a matter of time until most states and/or the federal government impose requirements similar to 23 NYCRR Part 500 on all organizations.

Even if your business doesn’t fall under specific Cybersecurity regulations like the ones mentioned above, you are still expected to employ Responsible Systems Management. If you have a security breach or other Cybersecurity incident, the authorities and lawyers can’t claim that you were acting with “negligence” as long as you are making some legitimate effort to be a responsible corporate citizen.

At a minimum, you should have End User Security training, some basic policies and procedures documented, and current firewall and antivirus solutions in place. Unfortunately, many small businesses do not even have these basics covered, and they are leaving themselves wide open for attacks and the resulting consequences.

If you would like more information about how you can start taking some of the basic steps towards implementing a Cybersecurity program, please contact us.

Cyber Security Attacks In The News

Recent CyberSecurity Attacks

Allentown Struggles with $1 Million Cyber-Attack
https://www.infosecurity-magazine.com/news/allentown-struggles-with-1-million/

UK top 500 legal firm credentials leaked on the Dark Web
http://www.zdnet.com/article/uk-top-500-legal-firms-credentials-leaked-on-the-dark-web/

OnePlus hacked; credit card info of 40,000 customers compromised
https://securityboulevard.com/2018/01/oneplus-hacked-credit-card-info-of-40000-customers-compromised/

Nearly Half of the Norway Population Exposed in HealthCare Data Breach
https://thehackernews.com/2018/01/healthcare-data-breach.html

Hospital pays $60,000 to the bad guys to cure malware infection
https://www.theregister.co.uk/AMP/2018/01/16/us_hospital_ransomware_bitcoin

Forever 21 Breach Lasted Over Seven Months
https://www.infosecurity-magazine.com/news/forever-21-breach-lasted-over/

Phishing Exposed Medicaid Details for 30,000 Floridians
https://www.bankinfosecurity.com/phishing-exposed-medicaid-details-for-30000-floridians-a-10563