I’m in the cybersecurity business and I get overwhelmed with my daily feed of the advertisements all boasting to have the “must have” security tool. I can only imagine how difficult it is for IT directors or business owners to navigate through this marketing war. Truth be known, you probably have most of what you need already. We get fixated on thinking we can address our security concerns with a bolt on solution instead of focusing our attention on our critical security assets: people and processes. You need all 3 but history shows that under investing in people and process is by far the biggest risk and the most common cause of system compromise.

Most data breaches are caused by something someone did or something someone should have done. We can look at some of the high-profile breaches to learn from them and figure out how we can do better. Here are some of the most common methods hackers use to compromise systems and gain access to sensitive data:

• Weak or Stolen Credentials (poor usernames and passwords)
• Application Vulnerability (unpatched systems)
• Malware (ransomware or any other malicious software typically distributed via email)
• Social Engineering (methods like phising or vishing that exploit human psychology)
• Too Many Permissions (system complexity or lack of security controls can allow for easy access to hackers)
• Insider Threats (malicious insiders, contractors, 3^rd party service providers, disgruntled employees etc.)
• Improper Configurations (user error)

There is no such thing as a “silver bullet’ when it comes to cybersecurity but if you are looking for a great place to start you should look at your people and processes. Make sure you have the right people in the right positions and ensure they receive the proper training. Work with them to build effective processes and procedures and you are well on your way to developing a solid cybersecurity program. This will also help you identify which tools are necessary to supplement your team (not the other way around). Don’t waste money on tools until you understand what you already have, starting with your people.

I hope this was helpful and as always, feel free to reach out to us to find out more about how to build an effective cybersecurity program or if you just want to learn more about what people are doing to protect their company’s digital assets and customer data.

4 tips to help you and your co-workers to stay secure during this unfamiliar work-from-home physical distancing that is going on. It’s tough enough when you’re in a business environment to remember the security tips that your IT team keeps talking about but, when you’re at home with kids running around and dogs barking, it’s probably the last thing on your mind. The hackers know this too which is why we’ve seen a been a big increase in ransomware attacks and very clever phishing emails going around. Now more than ever you need to be vigilant about cybersecurity and team up with your co-workers to figure out creative ways to securely communicate.

• Don’t trust anyone

If you receive an unexpected email, text or social media request from someone, treat it as suspicious unless you can validate it through known good methods. Now is the time to be overly cautious and take a zero-trust approach to everything. If you get an email from someone that you haven’t heard from in a while, reach out to them on Facebook messenger or text to make sure they did send you the email. Don’t assume that just because you know the “sender” or an email at first glance looks OK that it is good. The phishing emails are getting very difficult to detect so start out assuming its bad until you prove it’s good.

• Don’t click on links

Malware typically needs you to execute something to trigger the bad stuff. Sometimes it’s just an email with a malicious attachment disguised as a document or picture that they want you to open. Other times it is an emailed link to an infected or bad website that will trick you into disclosing information or downloading “updated drivers’ for your computer.  These emails will also use time sensitivity to get you to rush your decision and perhaps bypass your verification process because you “must act now!”. If your bank sends you an email asking you to update your security information immediately or risk getting locked out of your bank account, phoning them would be an appropriate response NOT clicking the link and filling in the form!

• Get creative to stay in touch

Most people are used to being near the people they interact with daily. With everyone working from home, they can’t lean over and tap them on the shoulder or see when they are off the phone. Technology that has been around for a while that is getting close to offering that in-person experience while being physically distant. Zoom has become very popular lately for video web conferences as well as Microsoft Teams (and many others). We’ve seen full classrooms going online, professional sports teams doing group workout sessions and bands practicing online from different cities. It can be a lot of fun and helps to bring people much closer together than just emails or daily conference calls. There are several Chat tools available as well to replace some of the watercooler talk and if you are collaborating on documents start getting familiar with SharePoint Online. With any new technology there is a new protocol on how and when to use them so be courteous and have fun exploring new ways of working together.

• Secure your home network

Typically, your home network isn’t as secure as it should be. After all, it was only designed to surf the internet, watch movies and play Fortnite. Now you have work information being transmitted to and from your home network and you don’t have your IT team monitoring and protecting it. You probably share home computers with other family members that really don’t care much about what is going on in the office. What should you do? That’s a whole article on its own but you should at a minimum: patch all your computers, firewalls, printers and wireless access points. The owner’s manuals will help you with this (they can usually be found online). Make sure you have a good antivirus/end-point protection software that is updated automatically. Something like Sophos is great for both Mac and Windows. If in doubt, ask your IT team or a cybersecurity expert (not your neighbor – unless they happen to be a certified cyber expert! 😊).

Working from home has always been a desirable option for employees but a nightmare for IT managers. The days of the IT team securing your corporate network by locking down access to keep the bad guys out are over. Cybersecurity these days has no borders and requires everyone to own the responsibility of keeping your business safe. IT managers must adjust to a new way of securing company data and employees/contractors need to be active members of the cybersecurity team. This COVID-19 Pandemic has accelerated this shift to a flexible workforce, and I’d be very surprised if it doesn’t stick around after life returns to “normal”. You might as well get used to it and start doing your part as an active member of the cybersecurity team if you want to keep it this way.

While it’s true that the provincial and federal governments are stepping up to help those in need by offering some generous relief funding, we all know that it isn’t going to cover much. Everyone is going to feel the financial effects of COVID-19 for weeks and months ahead. For the small business owner, it can be a real concern trying to figure out how to pay the bills when you’ve been asked to close your doors indefinitely. Now is not the time to sit on your hands and panic. It’s the time to get creative and build new capabilities into your business.

Many of us are stuck in our old school ways, and why not, it’s worked so far. But has it? Have we been missing out on opportunities by being complacent in our ability to adapt? The lockdown being mandated to prevent the spread of COVID-19 is just forcing us to look at our business in new ways. Those that sit back and wait for this to end will fall behind those that look at this as a new opportunity. We need to look at our business through a new lens and figure out a new way to deliver our services.

We know that we can’t do anything about social distancing and people must be able to work from home. We also know the same constraints apply to the consumer so how can we overcome these challenges? Technology is likely going to play a big factor and budget constraints are clearly top of mind for everyone. Here are some cheap ideas and consideration that might help you think about new ways of delivering your services and building new capabilities into your business that you can leverage beyond COVID-19.

Work from Anywhere – This is almost an expectation of the modern workforce. Certainly, it is for those jobs that don’t require you to be physically present to perform your duties. There are several solutions that are available for free on small scale or have extended trials available to accommodate remote workers during the current lockdown. This is a capability that should be part of any business and if nothing else should be something that you’ve invested in to help you through the current crisis and will benefit from after this is all over. Look into simple and secure solutions like TeamViewer, RemotePC or ConnectWise to get connected right away.

Collaboration Tools – Online collaboration tools are not meant to replace face to face meetings, they supplement them. Video conferences are the next best thing when people can’t get together in the same room. Solutions like Teams, Hangouts, Zoom, Slack, and Webex are meant to solve specific problems like time, distance and communications.  You no longer need to find a time in everyone’s calendar where they are free, in the office and you have a room available. Using a video collaboration tool lets you start a meeting on short notice, add users on the fly and they can join from anywhere on any device. Most of these tools also include virtual meeting rooms and chat so you can continue to collaborate well after the meeting has ended.

File Sharing – SharePoint Online or Google Drives are a good way share information. These tools also allow multiple people to collaborate on the same doc at the same time. This is a great way to share ideas and collaborate on group presentations. The best part of this is you can always maintain access controls over your information. People still email around documents to multiple people and then have the onerous task of trying to merge them together in the end. As well, once you send your document via email, you lose control over who can see it or share it. Keep it in your SharePoint or Google Drives and only allow people access that need access. You’ll love this once you get the hang of it.

Modernized Website – Your website is your virtual access to your business. There are some simple solutions that add functionality to your website that can dramatically improve your online customer experience. What are the common things that people walk into your business for and I bet you can replicate most of it online? I remember when realtors thought that open houses and scheduled walk-throughs were the only way to sell a house. Now people can do virtual walk-throughs from the comfort of their own home and get most of the experience of the open house and its far more efficient. Get creative and talk to the experts at SVICE and Shopify to convert your old website into your new online store front.

I do not endorse any of these products and there are many more that I didn’t mention. The point of this blog is to emphasize that now is the time to look and ways to modernize your business and leverage technology to deliver your services in new ways. If you do this now, you will create new business capabilities that will help you through the difficult times and they will propel you past your competition once things get back to “normal”.

Please don’t forget that any time you introduce new technology you introduce new risks so stay on top of your cybersecurity program to safely and securely adopt these new technologies.

When life hits you with a basket full of lemons, you might as well start making some lemonade!… or something like that! 🙂

Dream Technology Solutions

 Things to consider…

I’ve been getting quite a few requests about setting companies up to support the “Work from Home” program that most companies are doing to reduce the spread of Covid-19. This is a fantastic way for all of us to help the cause and stop the spread of this nasty virus. While we do this, lets make sure that we understand the new risks being introduced and don’t let good intentions turn into a big problem.

Top 6 things to consider when implementing a work from home policy:

1. End Point Protection on home machines

You probably have corporate standard end point protection on all company machines but now you may be opening the door to unprotected devices. Depending on the type of access that you are allowing will dictate what you need to consider. If you are setting up your users with direct VPN access, you will have to be more vigilant over what protection these home computers have. If you are using a 3^rd party remote desktop solution like TeamViewer, your exposure is far less. In this case, the home computer does not have direct access to your corporate network and therefore presents low risk of introducing malware or unauthorized access.

2. Remind people of your Acceptable Use Policy

People may not be used to working from home and it does introduce a few distractions that aren’t around at the office. It’s a good idea to remind everyone about your Acceptable Use Policy and to ensure they are accessing systems and working in the same manner as they would at the office. Don’t forget, people are often the weakest link in your cyber defense and the distraction of working from home could lead to human error and this is the #1 cause of data breaches!

3. Make sure providing remote access does not increase risk

Assuming the people factor has been addressed, make sure your technical solutions for remote access meet your cybersecurity standards. There are many ways to allow a user to access your network from remote locations but not all are secure. I have seen IT staff open remote desktop ports to allow users easy access to their network. This is also an easy way for bad actors to access your network. Ransomware attackers are constantly scanning for open RDP ports and targeting anything listening on well-known port numbers like 3389. Changing ports doesn’t fool them so keep your guard up and your network secure.

4. Add security with 2 Factor Authentication

Many remote access solution offer and additional layer of security by including 2 factors authentication. This improves your access security by doing a double check on your authentication. You require at least 2 of 3 things to gain authorization: Something you know (password), Something you have (a token such as SMS to your phone), or Something you are (biometrics like a fingerprint). Adding security is always a good thing and many of the remote solutions have this included as part of their service offering. If it’s available, use it!

5. Use up to date VPN solutions

Using a VPN client to encrypt traffic to and from your corporate network is always advised. If this is something that hasn’t been used in a while, make sure the software is up to date. There have been many vulnerabilities identified in VPN software so dusting off an old VPN client still may work but may not be your best option. Make sure any VPN software/solutions being used are fully supported and up to date with their security patches.

6. Shut things down and clean up when this is all over

I think we all hope that this is going to be a short-term solution to a bad problem. Remote access should only be enabled as needed and where possible set remote accounts to expire after a given period. No doubt there will be some cleanup to do once things return to normal so be diligent about making sure you leave things better and more secure than before. I’m sure everyone is practicing good cyber practices and part of that would be to disable remote access once it is no longer needed.

In general, everyone should be reminded that while we go through this difficult time, the criminals are using this as an opportunity. Ransomware and phishing emails being masked as critical Covid-19 information have been flooding the internet. The bad actors manipulate human behavior and emotions to trick you into getting what they want. Do not fall for any of this and delete any unsolicited emails and texts. If you want information on Covid-19, do your own research and only go to reputable web sites. Be safe and continue to be diligent about practicing good cyber hygiene.

If you need help, contact Dream Technology Solutions:

support@dream-techs.com

Small and Medium Businesses are face a growing cybersecurity problem that isn’t going away on its own!

We live in a difficult time for business owners. With the added complexity of IT systems and the increase in criminal activity, it can be difficult to know how to secure your business or even where to start. Large enterprises are way ahead and have been taking proactive measures to upgrade their cyber defense for many years (likely because they were the primary target from the onset of cyber-crime). Due the rapid increase in malicious activity, SMBs are lagging way behind on their cybersecurity capabilities and quickly becoming the popular target for bad actors.

People that know me, know that I love stats, facts and figures. While some may say that stats can be made up or biased, they still tell a story and start the right conversations. With that in mind, I’d like to share some stats that I hope will get you thinking about how you are protecting your business today and asking the right questions about whether or not you are doing enough to protect your company data from breaches or damage.

Did you know:

• 43% of all data breach victims are small businesses (Verizon – 2019 Data Breach Report)
• 424% increase in authentic and new breaches of small businesses in 2018 (4iQ Identity Breach Report – 2018)
• 25% of SMBs filed for bankruptcy and 10 percent went out of business following a data breach (National Cyber Security Alliance)
• Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323 (Symantec)
• 92% of malware is delivered by email (Verizon – 2019 Data Breach Report)
• 54% of SMBs believe their companies are “Too Small” to be targets (Ponemon Institute)

You can, and should, fact check this information but the one that really seems out of place is the last one. If the above information is correct, then shouldn’t this indicate that small and medium sized businesses are being targeted? This is probably the number one response I get when speaking with SMB owners that haven’t engaged in building a cybersecurity program – “we are too small to worry about it” or “we don’t have anything they (the bad actors) would want”. The other common response is “my MSP (or IT staff) take care of my computers and have my security covered”… but do they? This is exactly what the criminals want you to believe and why the target has shifted from large enterprises to SMBs.

Hopefully by the time you get to this part of the blog, you’ve already checked a few of my facts and did a little more fact finding of your own. SMBs are the target for cyber-crime and you need to take steps to avoid contributing to the 43% that fall victim. Clearly the methods being used to protect SMBs today are not adequate to protect against the complexities of the current IT environment and the sophistication of the attacks being launched by the cyber criminals. We are losing the battle resulting in a growing number of business owners losing their dream and innocent victims having their private information stolen and sold on the dark web for malicious and fraudulent purposes.

What can you do about it?

Consult a cybersecurity expert.

This shouldn’t be viewed as a trust issue with your current IT staff or MSP. They are doing a great job of what they were employed to do. Cybersecurity has evolved so rapidly that traditional IT methods are no longer effective in keeping the bad guys at bay. Traditional IT is still great at keeping day to day operations up and running but it falls well short of effectively detecting and safeguarding against modern attacks. A cybersecurity consultant can work with you and your team to identify where you are doing a good job and where you may have gaps and how to address them.

For many SMBs, the elephant in the room is the perceived costs of cybersecurity. The truth of the matter is that it is far less expensive to prevent a breach than it is to recover from one. In many cases, there is an opportunity to streamline processes and technology to the point that you can achieve savings. Simplicity is the partner of cybersecurity so reducing risks while reducing costs is a realistic goal of a good cybersecurity program.

Contact Dream Technology Solutions today for a free consultation and find out more about the current trends in cyber and what you can do about it.

What is Cyber Insurance?

Like Auto or Home Insurance, cyber insurance protects a business against damage caused by cyber-attacks. A security breach can become very costly and Cyber Insurance is a way to mitigate this risk by transferring the liability to a 3rd party.

Do I need Cyber Insurance?

If you process payments online, store customer or employee data, or use cloud systems to store company information, you need Cyber Insurance.

Do I Qualify for Cyber Insurance?

The bigger question is are you doing enough to protect your business against a cyber-attack? If you take this very real threat to heart and implement processes and technology to protect your business, then you will most likely qualify for Cyber Insurance.   Dream Technology Solutions can help you determine if you qualify for Insurance with our Cyber Insurance Readiness Assessment. 

What is a Cyber Insurance Readiness Assessment?

A Cyber Insurance Readiness Assessment is an in-depth review of your ability to protect your information assets against relevant threats.

Cyber Insurance doesn’t eliminate the need to have a good cybersecurity program in place, it supplements it. Insurance companies will determine your eligibility, coverage and rates based on several factors such as:

• Existing Business Continuity and Disaster Recovery Plan
• Effective firewalls, access controls and security procedures
• Use of encryption to protect sensitive information
• Secure use of cloud services

How does it work?

Dream Technology Solutions will work with your key stakeholders to evaluate your current cybersecurity posture. We compare your current practices to industry best practices and Cyber Insurance requirements to provide an informative and detailed report that you own.  It’s a quick and cost-effective way to help you protect your business and save you money by securing the best insurance rates and coverage possible for your company.

What do you get?

You will get a professionally prepared document that will report our findings. The document will include:

• Where you meet Cyber Insurance requirements
• Where there are gaps that need to be addressed in order to get Cyber Insurance
• Recommendations to help you address any Cybersecurity gaps that need to be addressed beyond obtaining Cyber Insurance

Dream Technology Solutions is a local, experienced, knowledgeable and professional service provider that can help you qualify for the Cyber Insurance coverage you need at the best rates.

All of this for a fixed rate of $1,500

Contact us today to find out how we can help with your cyber insurance needs.