TechTidBit – Tips and advice for small business computing – Tech Experts™ – Monroe Michigan

Brought to you by Tech Experts™

Security

Mobile Devices: BYOD Deserves Special Consideration

July 30, 2012

by Jeremy Miller, Technician

A good majority of people now bring a device of their own to work, and many even use their own device at work. There are many reasons that this could be good, bad, or downright terrible.

There are always inherent risks when employers allow employees to use a personal device at work, especially if the device attaches to the network or has confidential data stored on it.

Allowing employees to bring their own device can be very beneficial to your organization.

If you choose to allow devices, you must understand the risk and create rules that keep the device from being used maliciously.

It is best practice to create an Acceptable Use Policy for Devices. This will cover a variety of things including:
• Proper use during and after hours.
• What types of apps are allowed to be installed.
• Which types of data the device will be allowed to use.
• How to prevent abuse.

A good AUP lets a business allow users to bring in their own devices and use them to increase their productivity, without letting employees abuse the privilege of being allowed to use a personal device at work.

Allowing employees to bring their own device can increase productivity at a low cost to the business, make employees happier, and allow users to be reached at any time.

Allowing employees to bring in their own device can be bad as well. The first reason is that employees abuse devices all the time.

In every workplace there are employees who will use their devices in a manner that is not related to work, such as checking Facebook or texting when it is not necessary.

Then there are employees who will want to use their device at work and at home, but will not want to follow the company’s Acceptable Use Policy.

This is not only disobedience but risky, because many of the stipulations in the AUP are to protect the Company’s business flow. Allowing employees to bring in a device that connects to email will sometimes require an IT person to help get the email to sync with the device.

If you do not have onsite IT this can cost you money every time there is an issue with the email not syncing. The ugly part of allowing users to bring their own device is the lack of control and security.

With the lack of standardization each device is at least a little different. On top of that each app installed is a potential risk, especially the free apps that include advertising.

Risks emerge every day; this means that, in order to be sure that the device is secure, you will have to continuously assess the risk for each device in use.

There is always a risk that your employees could fall victim to social engineering. This is when they either knowingly or unknowingly give away confidential information to a party that is not allowed to have this information.

This can be mitigated by educating users on a continuous basis; a good way to do this is a lunch-and-learn style of meeting. All employees with a personal device being used for work should be restricted in which applications they are allowed to download.

This is because each app has its own code and permissions that are required to run it. If the permissions for the application can compromise any data at any point it should be reviewed and then allowed or disallowed.

In conclusion many companies already allow the use of a personal device for work. Trying to implement a plan after allowing the devices is much trickier because you are further limiting a user on their own device.

A plan is absolutely necessary to protect you from legal implications, and to be up front and informative of the consequences for breaking any rules outlined in the Acceptable Use Policy for Devices.

Letting your employees know what is expected will reduce the legal and liability risk that a company may face.

Can Employers Ask For Your Facebook Login Info?

June 22, 2012

A current case that is attempting to define privacy in the era of social media deals with the question of whether your social media account should be visible to current and prospective employers.

The next time you’re asked the typical “name your greatest weakness” interview question, remember it could be much worse: Job seekers applying to Maryland’s Department of Corrections were asked for their Facebook logins and passwords.

Savvy employers already check an applicant’s “digital footprint.” Some companies, like the Maryland Department of Corrections, have gone even further, requesting or even demanding individuals’ social media passwords to look at data not open to the public. Whether this practice is legal remains unclear.

The ACLU filed a written protest in the Maryland case, and the corrections department stopped asking for the information. They then had job candidates log into their Facebook accounts while the hiring manager looked over their shoulder at the Facebook content hidden behind privacy filters.

The officials at the Maryland Department of Corrections said that they did this to make sure job candidates didn’t have any gang affiliations.

The agency told the ACLU it had reviewed the social media accounts of 2,689 applicants and denied employment to seven because of items found on their pages.

One state is banning the practice, and at least 10 other states have bills that have been introduced. A few courts have ruled that such requests violate the federal Stored Communications Act, but the US Supreme Court has not addressed this issue. This legal uncertainty leaves many workers on shaky legal ground.

It’s always good advice to carefully manage the public information posted to your social media sites. For anyone looking to change careers, a review of your privacy settings and friends list is also good advice.

Ensure any sensitive things are limited to your friends (or even a group of just very close friends). It might make sense to have only your basic contact information available to non-friends.

Employers will undoubtedly rely more and more on Internet searches and social networking sites to screen job seekers.

Senators Charles Schumer (New York) and Richard Blumenthal (Connecticut) are planning to ask the Department of Justice to investigate whether employers demanding access to Facebook accounts are violating the law.

In the meantime, review your privacy settings and update them so that only the things you want to be available can be seen by the general public.

Security Risks Of Employee Owned Devices

February 13, 2012

Employees using their own mobile devices for work may seem like a good idea at first – it’s less expense for you, the employer, and it can also make employees more productive.

However, it also means that you are allowing potentially unsecure devices to access your company’s data. The solution? An effective IT security policy that balances personal freedom to use these devices and your need to secure important business information.

As technology continues to become more affordable and accessible to consumers, it’s an inevitable fact that employers will see more and more of their employees using their own personal devices such as laptops and mobile phones to access the company’s IT system.

This can be a dangerous thing. Since these devices aren’t company owned and regulated, you have limited access and control over how they are used. Employees could download all sorts of malware and viruses on their devices and pass the infection along to your IT system when they access it.

The solution: a comprehensive IT security policy. It’s important that you find a compromise between the freedom of the employee to use the device as desired and your need to keep your IT system safe from viruses and other threats to your data’s security.

Having employees run mobile device management (MDM) software on their devices is one of many actions you can take to lessen the risk of security breaches. You may also want to implement applications and software that check and screen for malware, both for laptops and mobile devices. And don’t forget that while Android seems to have a bigger problem with malicious software, Apple isn’t exactly virus-free, either.

Employees have a right to use their personal devices as they see fit, but not at the expense of important company information stored in your IT system. Running a tight ship in terms of security is an effective way to protect your business interests and your sensitive company data.

If you are interested in knowing more about developing a concrete and effective IT security policy for personal device use as well as general system access, please don’t hesitate to give us a call so we can sit down with you and discuss a custom security blueprint tailored for your company’s network.

New Year’s Resolutions For Problem Free Computing

January 20, 2012

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Even though we’re a few weeks into the new year, it’s not too late to take a look at your company’s network and make a few resolutions for better computing in 2012. Here are a few suggestions.

Better backups – now!
Implement a better, more reliable backup system to ensure your critical business data is properly protected. If you’re still using tape drives or not employing the latest professional-grade backup software, there’s no bigger New Year’s resolution that you should have.

You should have both an onsite and offsite backup of your data that allows you to restore files fast. Your backup should also be image-based, not just file-based.

Data loss can happen from human error, hardware/software failure, fire, flood, theft or other disaster. Every hour that you’re without your critical business information could cost you thousands of dollars.

Check out the cloud
Is cloud computing right for you? In many cases, parts of your IT infrastructure can easily be put in the cloud to save you money and give you better service. It is important to talk to someone who can honestly assess your situation and tell you the pros and cons of making the switch to the cloud. It’s not for every business, but it’s worth exploring closely.

Dump the old PCs
I know that no one really likes spending money on new computers but think about how much unproductive time your staff spends waiting for their slow machines.

You can get an entry-level business desktop now for as little as $600, and speed upgrades to newer machines are very reasonably priced. What’s the cost of staff sitting around waiting for their computer or dealing with computer problems?

Upgrade your server
New servers are light years ahead of the ones made three, four and five years ago. Your company is less productive and less profitable with a server that slows everyone down.

Change your passwords
Most businesses regularly have employees leave, including those who were involved with supporting the computer network. Changing passwords regularly will improve security and protect your valuable customer and business data.

Perform a security review
We’re seeing all sorts of increased threats from hackers these days and you need to make sure your security approach is up to date. There are many parts to your security that you should examine including password strength; anti-virus software; and getting a strong firewall that will prevent intrusions, attacks and other malicious activity.

Keep up with your preventive maintenance
Downtime and annoying IT problems can be prevented with regular maintenance on your computers and network. If you’re not doing this now, it’s time to start!

Start the year right with a full audit of your network to develop your IT plan for the year.

Our top of the line network audit is a 27-point review of the security, performance and reliability of your network, and includes a full hardware and software inventory, plus checks on the health of your server, firewall, and network backup.

Data Management: From Storage To Security

January 20, 2012

One of the most important aspects of maintaining a smooth-running, safe and secure network comes down to data management.

How you or your company manages its data is important because if managed improperly, or not managed at all, you risk losing years of important confidential data due to failed hardware or even worse, theft.

Data management needs to begin with an audit of your various assets and how they should be managed properly.

This is the first step because you need to know what you have to manage and, more importantly, how it needs to be managed (can you use a simple flash drive backup, do you need a NAS, how secure does the data need to be, should data be encrypted, etc.).

An audit should take place at the beginning of your data management plan as well as at the end, which will be touched on later.

During your data management audit, you need to first lay out what data is being used, when it is in use, when your slow periods are, and how securely you need to store this data.

For example, client credit card data requires much more security than, say, your pictures from the company party.

After establishing what data you have, as stated above, you need to separate it into its various classes.

Generally people will store all of their data together so if that is your plan, you need to plan your security based on your most important and confidential data sets.

Some people may have a very large amount of data and smaller data sets that need more extreme security.

In these cases backup sets can be separated to allow less confidential data to be backed up to a less secure and much cheaper backup device while you could have a more secure setup for your confidential data.

One major consideration when it comes to backing up your data is encryption.

The stronger the encryption on data, the longer it will take to recover in the event of a data loss.

Encryption is one of the best methods to store data, and its level of security can be high or low.

Again, the amount of encryption contributes greatly to recovery time. Data can be managed and stored in many different ways.

Some of the various storage solutions are: a network drive to another computer, a NAS, a flash drive, an external hard drive, data drives and tapes, offsite backups, etc.

Depending on your needs and the amount of recovery time needed, your choices can vary.

For instance, if you have 1 TB of data you are backing up, chances are you would be doing an onsite backup rather than offsite to decrease downtime in the event of a crash.

A terabyte of data in an offsite backup is going to take a very long period of time to download to your server if your only recovery option is to download from the Internet.

A much better solution for this amount of data would be a data drive like a “REV” drive. A REV drive in combination with good backup software offers plenty of space to backup and encrypt your data.

Backups via tapes or data drives should have at least the previous night’s copy taken offsite each night to ensure that you keep one data set safe at all times. It is a horrible idea to store all data onsite.

After you have a plan in place, run through the audit again once things seem to be running smoothly to see what is in place, how it’s running, how secure it is in the event that a data set is stolen, and whether the backup time/recovery time is acceptable.

If the answer to any of these questions makes you feel your backup solution may be inadequate, it may be a good idea to try something different.

Even though it would cost more money to change data management solutions, it will save you money and hassle in the long run if you find it does not meet your company’s needs.

For a full data management audit, give us a call today and we can happily sit down and discuss with you the possibilities for your backups and data management, as this article only touches on a very small portion of data management.

Your data is very important and generally people do not realize just how important it is until they’ve either lost it or had it stolen due to poor management practices.

Feature Article Written By:
Tech Experts

For Small Businesses, Smartphone Security Is As Important As PC Security

November 30, 2011

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Although there aren’t any prevalent security attacks or threat mechanisms associated with smartphones in the market today, security vendors and analysts are urging mobile device users to use security best practices on them, just as they would with their computers.

With recent advancements around mobile devices and technologies, particularly smartphone devices, more and more people are staying connected both in the home and office environments.

Analysts at Forrester Research, a leading authority on security in the small business IT space, say the new breed of smartphones, such as Android and iPhone-based devices, are built on operating systems that are “fairly-well locked down.”

However, although they said using these types of devices is generally safer than using PCs because malware can’t run on them (yet), there are still privacy and data risks to be aware of.

GPS hacking is just one concern – a rogue phone application sending your location to an outside service without your permission.

Privacy-related issues will emerge as third-party “fake” applications access more of your personal data.

These would be apps that look legitimate, but are designed to steal your personal information.

Fixing this type of issue will be simpler than on a PC, though: the operators of the “app stores” (Apple and Google) can find the offenders and remove them from the sites in a matter of minutes.

Security and privacy are a concern especially for users who bring and work with their personal devices in and out of the workplace.

The safety of the data on those devices becomes an even larger issue.

Smartphones allow business owners and employees to be more connected with each other. Users are sending information via e-mails and through attachments, all of which are susceptible to loss or theft.

Smartphones that are used for business communication should be treated like office PCs when it comes to data protection. The security threat is there – you have to protect the data that’s on the device.

One of the biggest security mistakes customers make with their mobile devices today is that they fail to use even the most basic security protection methods such as passwords.

Most users don’t set up passwords on their mobile device because they think of their smartphone as just a phone.

But really, it’s a small, low-power computer that happens to let you make phone calls, too.

For small business, it’s time to start thinking of smartphones as another entry into your business’ data. If they’re used for business communication, they need to be monitored, protected and updated just like a PC on your network that attaches to your server and financial data.

Industry Standard Security Best Practices

November 30, 2011

Network security is a must in any network, but when it comes to a business network, there are a number of security standards and best practices that ensure you have control over your network.

Businesses in certain industries secure. Many different companies require different security standards; one organization, for instance, is the PCI (Payment Card Industry). The payment card industry has a very strict network security standard.

The below practices are fairly strict and will offer you a great deal of control and protection against data theft and network intrusion.

Modem
We will start from the outside edge of your network and work our way in, from your modem on to client workstations.

The modem is probably the simplest device on the network – you can’t really secure it (beyond performing regular updates), but some ISPs feature a built-in firewall in the modem. This can be turned on or off to work in conjunction with your company’s firewall.

Firewall
The next item to take a look at is your router/firewall. Generally you would have a router that offers several ports you can connect to via a direct Ethernet connection as well as WiFi access.

This firewall will add another layer of protection for when your network connects to the Internet. When configured properly, it will block all unauthorized network connections. As far as protecting the WiFi goes, it is best to enable MAC filtering.

Each piece of network hardware has a unique identifying numerical code, called a MAC address. Filtering by MAC lets you set up WiFi so that only devices you explicitly define are allowed to connect to your network.

Once you have MAC filtering in place, you can also encrypt network traffic and use a long secure password. Since the clients on the network will not need to type this password in all the time, it is best to make a complex password containing both capital and lower case letters, numbers, and symbols.

Another option to further increase security when it comes to WiFi connections is to set the access point to not broadcast its SSID. This will make it look to the normal person as if there is no wireless connection available.

Server
There are a lot of features that can be enabled at the server to further improve network security. The first item to review is the group policy. Group policy is a part of the server operating system that allows you to centrally manage what your client workstations have access to and how.

Group policies can be created to allow or deny access to various locations on your users’ desktops. You can get as granular as defining a group policy that sets standards on user passwords.

By default, Windows Server 2008’s password policy requires users to have passwords with a minimum of 6 characters and meet certain complexity requirements.

While these settings are the defaults, generally 8-10 characters is recommended as well as mixing upper and lower case letters, numbers, and special symbols. An example of a complex password might be @fF1n!ty (Affinity). This password would meet all complexity requirements and is fairly easy to remember. Passwords should also be forced to reset every so many days. A good time period is roughly 30 days.
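The recommendations above as a check, written as an added example rather than code from the article or from Windows: it tests the recommended length and character classes and, going one step beyond the text, undoes common character substitutions to see whether a dictionary word remains. The function names, substitution table, and wordlist are constructed for illustration, and the account-name rule is an assumption.

```python
import string

MIN_LENGTH = 8  # lower bound of the 8-10 characters recommended above

# Constructed table that reverses common character substitutions.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"affinity", "password", "welcome", "monroe"}


def complexity_failures(password, username=""):
    """Return the recommended rules that `password` does not meet."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "upper-case letter": str.isupper,
        "lower-case letter": str.islower,
        "number": str.isdigit,
        "symbol": lambda c: c in string.punctuation,
    }
    for name, test in classes.items():
        if not any(test(c) for c in password):
            failures.append(f"no {name}")
    # Assumption: also reject passwords that embed the account name.
    if len(username) >= 3 and username.lower() in password.lower():
        failures.append("contains the account name")
    return failures


def dictionary_words(password):
    """Return wordlist entries found once substitutions are undone."""
    plain = password.lower().translate(SUBSTITUTIONS)
    return sorted(word for word in WORDLIST if word in plain)


def audit(password, username=""):
    """Combine both checks into one report for a candidate password."""
    return {
        "complexity_failures": complexity_failures(password, username),
        "dictionary_words": dictionary_words(password),
    }


if __name__ == "__main__":
    for candidate in ("@fF1n!ty", "affinity", "Quiet-Harbor-Lamp-62"):
        print(candidate, audit(candidate, username="pat"))
```

For the sample password above, the check reports no complexity failures and finds the underlying word `affinity`, so a dictionary or breached-password check is a useful complement to complexity rules.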

One other possible option is to have firewall software installed on the server itself to regulate traffic in and out of the server.

The nice thing about having a firewall on the server itself is that you have the ability to log failed connections to the server, as well as what each connection is and where it was coming from.

This feature alone gives you a lot more control over the network. For example, if you noticed in the firewall logs on the server that a connection you didn’t want getting through was making it to the server, you can go back and edit policies on the router/firewall to attempt to further lock down your network from that point, as well as blocking it at the server.
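One way to review such logs, as an added example that is not from the article: it parses lines in the Windows Firewall `pfirewall.log` layout (an assumed format; the article names no product), counts dropped inbound connections per source, and lists allowed inbound connections that came from outside the trusted network. The sample log, addresses, and function names are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in the pfirewall.log layout (assumed format).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-11-30 09:14:02 ALLOW TCP 192.168.1.25 192.168.1.10 49211 445 0 - 0 0 0 - - - RECEIVE
2011-11-30 09:15:40 DROP TCP 203.0.113.7 192.168.1.10 51514 3389 48 S 1234 0 8192 - - - RECEIVE
2011-11-30 09:15:43 DROP TCP 203.0.113.7 192.168.1.10 51514 3389 48 S 1234 0 8192 - - - RECEIVE
2011-11-30 09:15:49 DROP TCP 203.0.113.7 192.168.1.10 51514 3389 48 S 1234 0 8192 - - - RECEIVE
2011-11-30 09:16:10 ALLOW TCP 198.51.100.23 192.168.1.10 40022 3389 0 - 0 0 0 - - - RECEIVE
2011-11-30 09:18:31 ALLOW TCP 198.51.100.23 192.168.1.10 40057 3389 0 - 0 0 0 - - - RECEIVE
2011-11-30 09:19:05 ALLOW TCP 192.168.1.10 192.0.2.80 50111 443 0 - 0 0 0 - - - SEND
2011-11-30 09:19:44 DROP UDP 192.168.1.31 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2011-11-30 09:20:00 DROP TCP
"""


def parse_log(text):
    """Turn log text into a list of dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        records.append(dict(zip(fields, values)))
    return records


def review(records, trusted_networks):
    """Summarise inbound traffic seen by the server's own firewall.

    Returns (allowed_untrusted, dropped):
      allowed_untrusted counts (source, destination port) pairs that were
        ALLOWed from outside the trusted networks, i.e. traffic the
        router/firewall in front of the server let through;
      dropped counts DROPped inbound connections per source address.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    allowed_untrusted, dropped = Counter(), Counter()
    for rec in records:
        if rec.get("path") != "RECEIVE":  # inbound entries only
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
        except ValueError:
            continue  # no usable source address
        if rec["action"] == "DROP":
            dropped[str(src)] += 1
        elif rec["action"] == "ALLOW" and not any(src in n for n in nets):
            allowed_untrusted[(str(src), rec["dst-port"])] += 1
    return allowed_untrusted, dropped


if __name__ == "__main__":
    allowed, dropped = review(parse_log(SAMPLE_LOG), ["192.168.1.0/24"])
    for (src, port), count in allowed.most_common():
        print(f"reached server from outside LAN: {src} -> port {port} x{count}")
    for src, count in dropped.most_common():
        print(f"dropped at server: {src} x{count}")
```

Entries in the first list are the candidates for a new rule on the router/firewall; the second list shows what the server's own firewall is already stopping.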

One final quick thought on server security is physical security.

Generally it is a good practice to have the server physically locked in a room that only specific people have access to. If you want even more control, you can have the server locked using a system that logs who comes in and out of the room via a digital keypad and their own passwords.

When it comes to your workstations, employees should only be logging into the workstation via their domain login and not using the local admin login.

This will allow you to centrally control via group policy what they can access, as stated above. You can also configure roaming profiles so that if someone were to steal a physical workstation, they would not have access to any company information, as it would all be stored on the server and not that workstation – which is another great reason to have your server locked up.

Employee logins to workstations should also have account lockout policies in place so that if a user attempts to login too many times with an incorrect password, the server would lock them out on that workstation for a time period set by the administrator. One other item you could have in place for various employees is specific time periods their credentials will allow them to log into the systems.

One final step in network security is having good antivirus software installed on your workstations and your server. A compromised machine can be giving your passwords and information away to hackers, making it possible for them to waltz right into your network undetected.

You are best protected by having as many of the above security steps configured and working properly on your network.

Determine what your network needs, evaluate the practice after it has been in place for a month, and make the proper adjustments to ensure your network is safe. You should also perform regular security audits.

If you would like to see how secure or unsecure your network is, give us a call and we can perform a network security audit for you and let you know where you stand!

Featured Article Written By:
Tech Experts

How To Shop Online More Safely And Securely

November 30, 2011

These tips can help you determine that you’re shopping at a secure and trustworthy website.

Look for signs that the business is legitimate. Buy only from reputable stores and sellers. Here are some ways to check.

Find out what other shoppers say. Sites like Epinions.com or BizRate have customer evaluations which can help you determine a company’s legitimacy.

Look for third-party seals of approval. Companies can put these seals on their sites if they abide by a set of rigorous standards such as how personal information can be used. Two seals to look for are the Better Business Bureau seal, and the TrustE certified privacy seal. If you see the seals, click them to make sure they link to the organization that created them. Some unscrupulous merchants will put these logos on their websites without permission.

Look for signs that the website protects your data. On the web page where you enter your credit card or other personal information, look for an “s” after http in the web address of that page. This shows that the web page is encrypted. Encryption is a security measure that scrambles data as it traverses the Internet.

Also make sure there is a tiny closed padlock in the address bar, or on the lower right corner of the window.

Use a filter that warns you of suspicious websites. Find a filter that warns you of suspicious websites and blocks visits to reported phishing sites. For example, try the SmartScreen Filter included in Internet Explorer.

Keep your web browser updated.

It helps protect you when you shop online.

Internet Security: What Are They Surfing At Work?

September 28, 2011

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

A recent survey of business owners and IT managers found that employees are using company computers, Internet access, e-mail, and other resources to conduct hours of non-work related activities. And the problem is on the rise.

Some of these activities simply waste time, like day trading and monitoring eBay bids. However, some of the activities are malicious and can cause serious issues with a company’s server and network.

Here are a few incidents that were reported by the IT managers that were surveyed:

• One employee was caught running a gambling website and acting as a bookie for his co-workers.

• To bypass the company’s web filter, one employee was caught using his desktop computer as an FTP server for the other employees. He had downloaded and saved over 300GB of material, all on his work computer, using his company’s Internet connection and undoubtedly slowing down their systems.

• One employee was caught giving away confidential information such as price lists, contracts, and software code for application development.

• Another employee had a pretty lucrative side business stealing and selling company inventory on eBay.

• One woman was caught running an online “outcall” service from her desk.

• One employee was caught renting the corporate IP address to hacker friends to attack other companies’ computers and networks.

While these scenarios seem outrageous, they are not uncommon. Of the 300 companies surveyed, almost one-third have fired an employee in the last 12 months for violating e-mail policies, and 52 percent of companies said they have disciplined an employee for violating e-mail rules in the past year.

Educating your employees through an acceptable use policy is simply not enough. If the requirements are not enforced, employees will accidentally or intentionally violate your rules.

That’s why every company needs to invest in good e-mail and web filtering software. Just having it in place will act as a deterrent for such activities. If something really is going on – like an employee leaking confidential information to a competitor or sending racial or sexist jokes through your company’s e-mail – you’ll be able to catch it and resolve the issue proactively, instead of reacting to it after the fact.

Additionally, a good web filter will prevent employees from accessing inappropriate material online, wasting time on non-work activities, downloading viruses and spyware, and using up company bandwidth to download photos and music.

Professional Email Addresses: How “Free” Email Could Cost You

August 27, 2011

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

There are lots of ways you’ve worked to build a positive brand and inspire trust with your clients.

Pleasant phone greetings when a client calls in, a professional sign over the office entrance, even stationery on a nice paper stock are important to let your clients know that you’re serious about your business.

But what about having your own domain name for email?

How does it look after a great conversation with a potential customer when you hand them your card and your email address you expect to have important business conversations with belongs to one of the big email providers offering free service?

Put another way, imagine a lawyer with an email address of consultantpat@hotmail.com. Do you think Pat’s clients would be comfortable knowing that private correspondence with their consultant was being transmitted through a free email service?

How would their perception change if Pat’s email were pat@robinsonconsulting.com?

Professional branding aside, there are some great reasons to have your email at your own domain name for business email:

Who’s going to help? Delete an important email? Can’t log in to your account? Have a question about the number of emails you can send from your account?

The free email service providers have self-service tools to help you figure out your problem, but what can you do if you still have a problem? Who will you talk to and how long will you have to wait for help?

Will your emails be delivered? “I didn’t receive your email.” Does this sound familiar? Free email accounts are very popular with spammers. Did you know that some mail services started blocking mass mail delivery from free email accounts with these domain names?

The switching cost to a domain-based email address later is higher. There’s a strong benefit to having people know where to find you. Changing your email address can be a lot like a retailer relocating. All the business built over the years could disappear, as customers can no longer find you at the address.

Unintended communication could be embarrassing, even damaging. Jon Smith is our hypothetical accountant with a free GMail account at jon.smith@gmail.com. Can you guess the number of times his clients have emailed their sensitive documents (even tax returns) to john.smith@gmail.com?

Sure, it’s the client’s fault for the mistake, but could this have been prevented if he were Jon@ReliableAccountants.com?

Free email accounts are very popular these days. But if you’re serious about your business and your brand, it might be time to consider how current and potential clients are judging you by a simple email address.

Copyright © 2025 Tech Experts™ · Tech Experts™ is a registered trademark of Tech Support Inc.