How to Perform a Cyber Security Risk Assessment in Five Steps

How safe is your organization from cyberthreats? The best way to answer that question is by performing a thorough cyber security risk assessment. A cyber security risk assessment—the process of identifying, analyzing and evaluating risk­s—is the only way to know which cybersecurity controls you need, and how to prioritize them. Without such an assessment you could waste time, money and resources on events which might have minimal impact, and be ill-prepared for events that might have significant ones.

These Are the Steps You Need to Perform Your Own Cyber Security Risk Assessment:

  1. Review Your Resources

Before you can assess risk, you should review all the resources you need to protect.  Don’t just audit the resources you think might be at risk. Assess everything that connects to your network. Hackers will.

For example, did you know smart watches can be hacked to steal ATM PIN numbers and passwords, merely based on your hand movements? Or that someone can take control of a presenter’s screen and screen controls by hacking into video conferencing technology? In your cyber security review include IoT devices, unused desktops, and everything you use on a daily basis including telephones (landline and smart phones), applications and routers. A cybersecurity risk assessment will identify not only hardware but customer data and software.

  1. Identify Threats

Threat identification should include anything that can damage your infrastructure, cost you money from lost revenue, threaten intellectual secrets or infringe customer (or employee, or student or family) privacy. While a professional will be able to identify those threats more thoroughly than you can yourself, you can still perform a cursory review of them. For example, malware and viruses are obvious network risks.

The hardest part, and why a professional cyber security risk assessment is important, is identifying those lesser known risks, such as from your printer or voice mail. A professional will check to see if firmware updates have been made, as well as the status of your firewall and antivirus software.

Don’t forget to consider threat assessment from an internal standpoint as well. As

Jorge Rey, chief information security officer for accounting firm Kaufman Rossin recently said, “I think small businesses [are] worried about threats that [aren’t] even affecting them. They’re all freaking out about hackers, but they’re not even looking at their own employees and their access to systems and … data.”

  1. Rate Risks

Not every risk listed in your cyber security risk assessment is a high priority, and determining the risks, and impact of those risks, will help you determine where to focus your security attention and dollars. You should rate each risk on a scale of low to high. This will help you prioritize your initial and longer term efforts. For example, you could rate your risks according to this scale:

  • High – Substantial, possible crippling and unrecoverable impact
  • Medium – Damaging, but recoverable or inconvenient
  • Low – Impact is minimal and easily worked around

An example of a high-risk resource would be your perimeter routers. A router with outdated firmware could let hackers run rampant. Conversely, a low risk resource might be data or documents that do not have sensitive information, or that is publicly available.

  1. Analyze Protection

You likely have basic protocols in place, but how much protection do they really provide, and where are you the weakest? Hiring a professional (like Single Path) may be critical in completely understanding how well you are protected from each possible threat. DDoS security, adequate cyber security monitoring services, and employee training are basic proactive protection measures you should be taking (and which we have written about many times before on this site).

  1. Calculate Risk

Calculating risk will also help you determine what areas to prioritize, and what threats need immediate financial support in order to implement. Two questions to ask are: What is the chance of each incident occurring, and what amount of risk, if any, am I willing to accept? Your type of organization, such as whether you are a business or school, or a public or private entity, will no doubt greatly influence that decision.

When determining the likelihood of each event, you will need to list every breach point and possible point of origin for an attack, both external and internal. Depending on network complexity, this could involve dozens of breach/source pairings.

Single Path Can Help

Creating a cyber security risk assessment is not an undertaking that can be finished in an afternoon. It takes careful analysis, and quite a bit of experience. After you finish your initial steps, and have a basic grasp of your potential risks and vulnerabilities, you will want an outside expert to fill the gaps and take an unbiased, knowing look. At Single Path, we’re well-versed at doing exactly this. Single Path can help identify trouble spots, give advice on how to prevent problems, and also provide guidance if problems do happen. Our impressive menu of security solutions will go a long way to protect your valuable assets, and your organization from risk. A cyber security risk assessment is a critical step in protecting your organization. Ask us how to get started.

Why DDoS Security is Critical for your School (and what is DDoS, anyway)?

If you regularly follow our blogs, you’ve read about the dangers of Phishing and Ransomware, but there’s a third method of cybercrime that can be just as damaging: a DDoS attack, or “Distributed Denial of Service.” A DDoS attack occurs when a hacker takes control of thousands of computers and aims traffic at a single server, overwhelming its network to knock it offline or slow it to a crawl. Without appropriate DDoS security protocols, an attack can cause mass and immediate disruption.

EdTech Magazine reports that DDoS attacks “are on the rise. For schools, the attacks can shut down websites, phone systems and prevent users from accessing the internet and applications.” Here are some recent examples of school-related DDoS security issues in recent years,:

  • The Miami-Dade County Public school system was unable to provide online testing for three days after a series of DDoS attacks crippled their new, high-touted computer-based standardized testing system.
  • Minnesota Department of Education twice had to suspend its state testing when a DDoS attack kept students from logging into its online assessment system.
  • The St. Charles, Illinois school district lost online access for employees and all of their 13,000 students. According to a report from eSchool News, “the hackers cut off the entire district’s internet access for four hours at a time and then repeated the process 10 more times over the following six weeks.” Eventually, two students were charged in the attack.
  • Rutgers, Arizona State and University of Georgia have all been victims of recent DDoS attacks. After an attack, Rutgers spent $3 million dollars and raised tuition 2.3% just to upgrade their DDoS security, and then became a DDoS victim again less than a year later.

The Simplicity of a DDoS Attack

Many schools, even those that are on the alert to cyberthreats, may not be paying much attention to their DDoS security. But it doesn’t take a cyber-genius to launch a DDoS attack. You can find relatively simple how-to videos on popular sites such as YouTube. The ease of launching such an attack, combined with inadequate DDoS security, makes this scheme popular with a wide variety of groups as a form of protest, as an act of “revenge,” as a distraction from another cyberattack, or even just for “fun.”

The lack of DDoS security can also harm schools through their vendors or partners. In September of last year, millions of families across 45 states were impacted by a DDoS attack on the app Infinite Campus, which provides a “Parent Portal” allowing parents and students the ability to check grades and other information.

How To Implement Your DDoS Security

Schools have become a target for cybercriminals, accounting for 13 percent of all data breeches in the first half of 2017, which involve nearly two billion student and parent records. But schools can incorporate numerous strategies to increase security, including their DDoS security, such as by switching to cloud networking, monitoring cyber-traffic for abnormal patterns, and adding backup internet service providers to keep networks up and running. School districts can also upgrade their firewall protection and their network architecture. Sounds like a lot of work? It can be.

That’s why Single Path partners with schools to help protect their IT technology from hackers, and to make upgrades and changes as easy and as turnkey as possible. We consult and implement, provide continual monitoring, and can also educate your staff on data security best practices. We also provide a wide variety of Managed/Cloud Services. DDoS security can be challenging, which is why you need a team like Single Path to help protect your organization from harm.

Ask us how to get started!

 

 

 

What You Don’t Know Can Hurt You: The Perils of Inadequate Cyber Security Asset Management.

cyber security asset managementWe’re often surprised at how frequently companies fail to adequately track their IT resources. But while tracking the life cycle of your IT devices is important to assure you maximize their value, it is also a critical safety issue. BYOD devices, mobile devices and third party cloud service providers only enhance the need for effective cyber security asset management.

A Wake Up Call

A recent, much read and passed around blog post from cybersecurity expert Daniel Miessler detailed many of the issues regarding lax cyber security asset management. Miessler wrote: “Asset management is arguably the most important component of a security program, but I know of virtually zero companies that have a single person dedicated to it.” He goes on to point out that, “Companies pay hundreds of thousands a year to keep snacks in the break rooms. They pay to send people to training and conferences that usually have very few tangible benefits … But pay 100K a year to have a list of what we’re actually defending? Nope.”

The Life Cycle of IT Assets

An IT asset life cycle refers to the stages that an information technology asset goes through during its time of ownership. Determining the current life cycle stage for each IT asset is a necessity for effective cyber security asset management and may look like this:

  1. Procurement. It should be a matter of course that, whenever an asset is purchased, it is recorded in your organization’s asset management system, and your IT devices and software should be no exception. Information should include model numbers, serial numbers, name of manufacturer and the department the equipment was purchased for.
  2. Distribution of assets. Recording to whom the assets are distributed, or redistributed, is the next necessary step to take for cyber security asset management. Many organizations lose track of who has what devices, and this can only get more muddled as employees leave, shift departments and so on. You’ll also want to tightly control what devices run which software assets; employees who have access to programs they won’t use or don’t need may only needlessly impair security.
  3. Maintenance and Upgrade. Software and hardware updates often have security patches (see our earlier post about the importance of patching). Each update or patch should be recorded, and verified. An organization should also record the last time a device was scanned or antivirus software run, or antivirus schedules.

Be thorough. In 2014, JP Morgan Chase overlooked one of their network servers when providing a security update. Hackers were able use this exposed server to steal data from roughly 83 million customers.

Maintaining devices also means making sure employees aren’t uploading or using unauthorized or unmanaged software. This software may be benign, or it could be an entry point for a hacker to invade

  1. A list of log-in users for each device. Even if a device is assigned to one specific employee, a device may be shared or passed around. Keeping a list of every user for each device can help protect them, especially when a staff member leaves, as a reminder their log in should be deleted.
  2. Disposal/Retirement. When a piece of equipment has run its course, don’t forget to verify that all the information on it has been wiped clean, so that company data is not vulnerable to hackers. You also may want to cancel or transfer licenses.

Keep in mind that cyber security asset management cannot be a one-time only chore; it’s success hinges on its continuity. You have to know when each asset changes hands, becomes outdated, needs updating and so on.

As cybersecurity company Compuquip says, “IT asset management is a lot of work—which may explain why so many companies fall behind on this critical task. But, the importance of asset management for your company’s IT components cannot be overstated.”

Let’s Get Started With Your Cyber Security Asset Management

Our recent blog post on cyber security monitoring stressed the importance of being proactive in keeping your organization safe form cyber threats. Cyber security asset management is a critical component of proactive security, and can be the difference between rebounding quickly after a cyberattack and not recovering at all. Understanding the importance of an active cyber security asset management system is a first and proactive step, but you also need to put that understanding into action. Single Path can help. We offer a wide selection of security offerings including infrastructure patch management, 24/7/365 network monitoring services, proactive desktop and server security and more.

Let us help get your asset management program started. Contact us for more information.

The Benefits of Proactive Cyber Security Monitoring

cyber security monitoring A business team can take a wait-and-see reactive approach to cyber security, delaying action until it is a victim. Or, it can play a proactive role in anticipating the risks, finding the weaknesses, and putting the processes in place that may prevent or soften a cyber crime from even happening. Cyber security monitoring is one such proactive move that can pay back an initial investment many times over.

Cyber security monitoring involves the collecting and analyzing of information to detect suspicious or unauthorized behavior or changes on a network, triggering alerts, and often taking automatic, precautionary actions. Think of it as a high quality security alarm. You can leave your doors unlocked and check every now and then to see if anything has been stolen and, if so, notify the insurance company. That’s reactive. Or, you can set an alarm and not only will you know when a break-in occurs, but the system can notify the police, lock doors, and stop the break-in its tracks.

Now, or never?

Even the most secure system can be broken into, and even the most experienced IT professional can leak a password. But with proactive cyber security monitoring you can find and respond swiftly to these mistakes, and threats. In contrast, a reactive cyber security policy leaves you vulnerable, and recovery can be slow. According to the Ponemon Institute, it takes an average of 191 days for a business to detect a hack. The consequences of being hacked for days, weeks or months before noticing it may be substantial, with data continuously compromised or leaked, used and shared across a broad network of cyber criminals. The immediate and long-term ramifications of such a delay is likely to far eclipse any cyber security monitoring investment. Just a few months ago for example, Marriott International announced their network had been hacked since 2014, and wasn’t discovered until September, 2018. Information from 500 million customers was compromised.

As one security industry company writes, “You need to assume that your business will be breached at some point and have appropriate monitoring controls and procedures in place to mitigate the risks.”

Cyber Security Monitoring Basics

Cyber security monitoring utilizes a variety of mechanisms to continuously keep tabs on network traffic, and then send out alerts or take action at the right moment. As international cyberthreat intelligence provider Blueliv reports, there are typically four stages to the lifecycle of a breach:

  1. Attempting to get the information, like passwords and network credentials (via phishing or other schemes)
  2. Collecting the information (from people falling for the schemes)
  3. Validating the information (to make sure the information works, often though an automated bot)
  4. Monetizing the information (selling it to a third party, using it to steal data, and so on).

With the right threat intelligence, however, an IT security team can step in and stop the lifecycle midstream. With cyber security monitoring, action can be taken while attackers are still attempting to validate the information, or before they’ve finished fully collecting it.

Proactive Help

From hackers to disgruntled employees, to outdated devices to third-party service providers, companies are routinely exposed to security threats, often from unexpected sources. Quick response time is essential, and automated, continuous cyber security monitoring is the key to fast threat detection and response.

At Single Path our proactive monitoring services have saved our clients countless times, not only from outside threats, but from a whole host of unexpected issues. For example, our proactive cyber security monitoring for the Chicago White Sox revealed signs of imminent failure within their Contact Center Server. We were able to apply a patch to the server before it failed, preventing any disruption to customer service. At Single Path, our 24/7 proactive cyber security monitoring and problem-solving are part of what make us an outstanding partner in the continual battle against cyber security breaches or issues, and is just one of our many IT as a Service offerings.

Contact us to find out more.

6 Ways to Improve Employee Cyber Security Awareness, for Businesses and Schools

According to Accenture’s Cost of Cyber Crime Study, the average cost of cyber crime in the United States reached $21.22 million per organization last year (compared to $17.26 million the year before). But you can’t depend solely on your IT department for your cyber security. After all, a chain is only as strong as its weakest link. Improving cyber safety means increasing employee cyber security awareness throughout your entire business or school.

Here are the 6 top ways you can get your employees on board to increase engagement and improve employee cyber security awareness.

  1. Education

Do your employees or staff know:

  • Working remotely using an unsecure Wi-Fi connection leaves computers vulnerable to attacks?
  • Using personal, unsecured devices for work can open the door to compromising an organization’s network?
  • What employees say and do on social media can be tracked by cybercriminals and used against them in the workplace?

Chances are, some if not all of those points may surprise some people on your team. Most experts agree that the #1 key to cyber security compliance at a business or school is educating staff on the risks. For example, in addition to the above bullet points, does everyone on your team know how to spot a Phishing email (see our earlier blog post, How to Spot a Phishing Email), or the risks of using a thumb drive (see our post, USB Security Risks: When Flash Drives Become Dangerous)? An educated team, with increased employee cyber security awareness, makes for a more secure organization.

  1. Assign Mandatory Training

Recently we came across an article in Forbes Magazine that recommended, “Employees and management from all industries should be assigned mandatory cyber security compliance training every year.” This requirement can be administered with computer-based training modules and tied into annual reviews. When implementing training you’ll want to ensure executive and management support, a way to measure success, and also consider incentivizing participation (for more information, check out our earlier blog post, We’re Only Human: The Importance of Security Awareness Training.)

You may want to work with an outside partner to implement training, such as Single Path. We’re well versed in educating and training staff in the most up-to-date cyber security best practices.

  1. Establish and Promote Simple Procedures

More often than not, employees are happy to follow procedures as long as they are aware of them, and they are easy understand. Create organization-wide procedures for your team to follow. Make sure they are functional, actionable and simple.

Once you have those procedures in place, figure out the best way to communicate them within the organization. Keep communication friendly, and avoid hard-to-understand cyberspeak. Says Ashwin Ramasamy, co-founder of marketing intelligence company PipeCandy, “We use comic book-like imagery and sci-fi and comic language in posters across the office that reinforces the message without being suffocating.” Choose a method of communication that will resonate with your team.

  1. Encourage Reporting of Incidents

The best-trained employees can still fall for a hacking ploy from time to time, such as opening a file or clicking a link without thinking. Even IT professionals fall for these tricks. But if a user feels foolish for falling for an attack, and are embarrassed, he or she is less likely to report it. Create a reporting system that rewards staff for reporting suspicious messages, and that allows them to share mistakes without penalty or stigma.

  1. Have Employees Manage Initiatives

Rather than protocols created only by management, make cyber security policy an employee-managed initiative. Create a committee with representatives from every department, and make it their responsibility to set procedure, communicate policy and enforce compliance. Department participation, where everyone feels included, helps ensure individual buy-in.

  1. Make Awareness a Part of New-Employee Orientation

Employees expect to learn rules and processes when they start a new job, and making cyber security a part of their new-employee orientation stresses its importance, and immediately lays the groundwork for your expectations. An employee handbook is also a great place to publish protocols and procedures.

Your Employee Cyber Security Awareness Partner

To implement an employee cyber security awareness program it helps to have a proven partner. Single Path has helped countless businesses, schools and other organizations create a robust, living program that connects employees and staff to best practices. We can help you create a functional and effective cyber-threat strategy for your school or business. Single Path Security offerings are extensive, collaborative and modern.

Ask us how to get started!

Five Top Cyber Security Threats for 2019

Cyber security concerns have been around for as long as there has been cyber-anything. The first computer virus was found infecting computers in the early 1970’s and the first malware author was convicted in 1988. Those early infections were primitive compared to today’s hacking threats, which continue to grow more complex and sophisticated. While it’s vital to be prepared against any contingency, no matter how remote, we consider these to be the top cyber security threats for 2019.

Cryptojacking Rising

Ransomware has grown by 350% according to a report by Dimension Data, and accounts for 7% of all malware. It has been reported that ransomware costs American businesses north of 75 billion dollars a year, with most attacks never publicly disclosed. The biggest increase in ransomware is expected to take the form of Cryptojacking, also known as “Cryptomining malware.” We discussed the problem of Cryptojacking in a recent blog post, in which we described how hackers can hijack computer processing power to mine cryptocurrency. We expect these cyber security threats for 2019 to continue to grow.

Software Subversion Expanding

As Security magazine reports, “While exploitation of software flaws is a longstanding tactic used in cyber attacks, efforts to actively subvert software development processes are also increasing.” In other words, the software you download may be infected, giving hackers a back channel into an entire network. Malware has even been detected in open source software libraries. Another variant is this: hackers may offer software that is spelled slightly different than a popular application (such as adding an “s” or leaving out a letter), with the only other difference being the inclusion of malware. So be careful what you download, even if it’s from a seemingly trusted source.

Cybercriminals Uniting

One of the top cyber security threats for 2019 is due to the expanding resources available to cybercriminals. Historically, many cybercriminals have worked alone, or in small groups. That’s starting to change. The proliferation of hacker forums and chat groups have launched a robust black market where cybercriminals buy and exchange malware, botnets and other criminal resources. The availability of these rogue offerings means that even inexperienced, or less able, hackers can launch sophisticated attacks. These “malware-as-a-service” opportunities will only continue to grow, which will result in an increased number of cyberattacks, especially in regards to identity and credit card theft. If you think the threats are numerous now–and they are–an aggressive and nearly overwhelming wave of attacks may be on the horizon.

Synergistic Threats Increasing

GandCrab has been in the news frequently. Discovered in January, GandCrab is a ransomware Trojan horse, encrypting files on a computer and then demanding payment to decrypt them. Just recently, the group behind GandCrab has targeted users visiting adult websites, asking for money to keep silent about their potentially embarrassing visits. This, however, is just a ruse to mask their real intent. When a user clicks on the email link, he or she inadvertently installs the GandCrab ransomware onto his or her computer.

GandCrab has grown to be so large, they are actually soliciting cybercriminals to partner with them. As McAfee reported, “At the end of September, the GandCrab crew started a ‘crypt competition’ on a popular underground forum to find a new crypter service they could partner with.” This will let the GandCrab organization expand its criminal activities in new, unforeseen, ways.

In 2019, many experts, including Security magazine, predicts attackers will continue to combine tactics to create multi-faced, or synergistic, threats. To combat them, organizations will also need to synergize their defenses.

Social Media Misinformation Mounting

The proliferation of Russian-originated Facebook pages influencing the 2016 U.S. presidential elections has been well documented by news sources across the world. So it shouldn’t be a surprise that cybercriminals are eyeing social media as offering rich opportunities for criminal enterprise, with posts and pages displaying an impressive degree of professional-looking design for dishonest purposes. Botnet operators are able to test messaging just like a marketer, including the use of hashtags, to determine the success rates of their misinformation.

Social media platforms are aware of the potential abuse, and are focusing their resources on stopping it, but with so many users, and so much data available on sites, criminals will further focus their resources on these big-scale platforms.

Protect your business from the Cyber Security Threats for 2019

These five cyber security threats for 2019 are just the tip of the iceberg. There are many more threats out there, many of which we may not even be able to imagine yet. The only thing an organization can do is to be prepared with smart, sophisticated technological resources and by adhering to best Internet safety practices. Consider Single Path your partner in anti-crime. Single Path Security Offerings run the gamut from employee training to insider threat solutions. We’ll help you be prepared for the cyber security threats for 2019 and also those still to come.

Ask us how to get started!

Six Steps to Creating an Effective Business Continuity Plan

You take all the recommended cybersecurity precautions. You back up. Your staff is trained on processes. You have firewalls in place, passwords that are hard to decipher, and the most recent security patches in place. Yet, you still worry. You’re not alone. According to a recent survey, businesses ranked cyberattacks as their #1 threat, with data breach a close second. But if you are victimized by a cybersecurity incident, what do you do now? If you have a business continuity plan in place, the answer to that question is easy: follow the business continuity plan.

A business continuity plan is not the same as a disaster recovery plan, although they have a lot of similarities. As CIO magazine explains, a BC plan is about “maintaining business functions or quickly resuming them in the event of a major disruption,” while DR “focuses mainly on restoring an IT infrastructure and operations after a crisis.” In other words, DR is specific to IT, while a business continuity plan is concerned with the continuity of the entire organization (we discussed the six things you needed to include in your disaster recovery plan in an earlier article).

When you create your business continuity plan, make sure you take into account these six criteria:

  1. Conduct a business impact analysis

As Ready.gov reports, your business continuity plan should start with a complete analysis of the consequences of a business disruption and can include:

  • Lost sales and income, or delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Your Business Impact Analysis should also detail various risk scenarios and prioritize the order of events for restoration.

  1. Get everyone involved

If you are making the assumption that IT security is solely the responsibility of the IT department, think again. Your entire organization should be working together to protect its data and systems. Consider holding a brief workshop on IT security, create a business continuity management committee with members within and outside the IT department, and consider the impact and recovery on each member of your staff.

One crucial area of involvement is with your leadership team. As reported by Disaster Recovery Journal, it’s important for executives to support a culture of collaboration and to be transparent. “If executives support a culture of transparency, people will be more willing to reveal and troubleshoot problem areas in your organization’s processes. Down the road, this could help the organization mitigate a major vulnerability.”

  1. Establish work-arounds

Ready.gov paints this scenario: “Telephones are ringing and customer service staff is busy talking with customers and keying orders into the computer system. The electronic order entry system checks available inventory, processes payments and routes orders to the distribution center for fulfillment. Suddenly the order entry system goes down. What should the customer service staff do now?”

Developing manual workarounds eliminates uncertainty. For example, listing contact personnel (along with phone numbers and contact information) and providing specific details, such as how to document transactions manually, gives your team direction. You may need to reassign staff or even bring in temporary assistance if systems fail. How will you do that? Plan it all out now in your business continuity plan.

  1. Keep data on the cloud

The best way to ensure your business can continue to run, is by backing up all your data on the cloud. A cloud service ensures that an organization’s critical data and processes are secure off-site. An organization can then quickly ramp up their systems in the case of a disaster. If you’re not already on the cloud, check out our earlier posts, 12 Reasons to Move Your Business to the Cloud and 9 Facts to Know About the Risks of Moving to the Cloud, and How to Manage Them.

  1. Ready crisis communication efforts

How prepared is your organization to quickly and effectively respond to and communicate with the public—and each other–during or after a cybersecurity incident? If you are hit by a breach, you may need to issue statements to the press, customers, partners, vendors and staff. We recently posted an article about emergency communication preparedness, in which we stressed the importance of drafting some templates that cover various scenarios. As we wrote: “it’s faster and easier to tweak a message than to write one from scratch for a multitude of mediums, and even multiple languages, if needed.”

  1. Test your business continuity plan

The time to ensure your business continuity plan is effective is before you need it. Is it comprehensive? Are there gaps? For example, are contact phone numbers correct? Are you able to restore data from the cloud without significant barriers or challenges? Since the network may be down, are there hard copies of the business continuity plan, and are they distributed to all the members of the team?

As suggested by CIO magazine, testing options for your business continuity plan include a table-top exercise in a conference room with the team looking for gaps, a structured walk-through or “fire-drill,” often with a specific disaster in mind, and disaster simulation testing in which an actual disaster is simulated involving all the equipment, supplies and personnel (including business partners and vendors) that would be needed.

  1. Call Single Path

While all the steps above are important there’s a seventh step that may be just as vital: call an outside partner like Single Path. As experts in cloud services, IT security solutions and more, Single Path works with businesses, schools and other organizations to protect them from cyberattacks and help them recover when they’re hit. Planning, monitoring and adhering best practices go a long way to protecting your customers or clients, team members, vendors and your own business. Calling a partner like Single Path, and getting your business continuity plan published, are important first steps.

Ask us how to get started!

USB Security Risks: When Flash Drives Become Dangerous

Flash drive. Thumb drive. Jump drive. USB stick. Whatever you call it, most of us have at least one of these ubiquitous, simple devices. The very first USB drive—called the DiskOnKey—held a whopping 8MB of data. Today, they not only hold countless gigabytes, but they may also hold numerous USB security risks; so can charging ports, memory sticks and other common devices.

Beware the USB

Malware or a virus can be loaded into a flash drive, which can then automatically infect a machine when the user inserts the stick into it. Back in 2014 some security researchers showed how easy this was; and things haven’t changed much. Researchers have shown how malware from a USB stick can take control of a computer, upload files, track browser history, infect software and even provide a hacker remote keyboard control. In many cases the problems can’t be patched, infected files can’t be cleaned, and the infection almost impossible to detect.

Shared Data, Lost Data

Flash drives are convenient, but their size also makes them USB security risks. Recently, IBM banned workers from using them for work, along with any removable memory device. As reported by the BBC, IBM cited the possibility of “financial and reputational” damage if staff lost or misused the devices.

IBM is being cautious, and for good reason. A few months ago, the University of Toledo made news when a faculty member lost a flash drive filled with social security numbers (as reported by the Toledo Blade). In 2017, an insurance underwriter paid a $2.2 million HIPAA breach settlement after a USB drive containing sensitive health information of more than 2,200 people was stolen from its IT department.

Even deleting the information from a USB drive isn’t always effective for USB security, as the devices can leave traces of files behind, or even full copies, which an expert hacker can recover.

Charging Malware

Using a flash drive isn’t the only USB security risk. Many modern laptops can now be charged through the USB port, a tremendous convenience but one that can leave a machine open for attack. Much like thumb drives, these small USB chargers are borrowed and shared, and lost and replaced. Like USB chargers, they can also be booby trapped to inject malware, root kits and other malicious infections into a computer, allowing the hacker access to files and data.

Getting the Drop on USB Security

Not every trick is high tech, as shown in this simple ploy: a hacker drops an infected USB drive on the ground, which is then picked up and used, infecting a computer. According to an article by digital news company Mic, researchers dropped a few hundred USB devices around the University of Illinois, even going as far as attaching keys or a return mailing address to some of them. Incredibly, 48% of the 300 devices they dropped were picked up and plugged into a computer.

Laptop Leaving

USB devices aren’t the only portable devices that can put you at risk. Have you ever left a laptop on the table at a coffee shop while you stood in line, or ran to the restroom? Even if your laptop is where you left it when you return, that doesn’t mean it hasn’t been compromised.

A test of Google’s Chrome browser showed how easy and fast it is to steal passwords from an unguarded screen. One reporter for the Guardian says he tried exactly that: and stole 52 passwords in 57 seconds. If your computer doesn’t have a master password, it’s a simple procedure to access every web password you have.

USB Security and the GDPR

Recently, the GDPR (General Data Protection Regulation) was implemented for Europe, with a whole new set of rules regarding privacy protection and sharing of information. We reported on this in great detail in an earlier blog post. One interesting aspect of the GDPR is in regards to USB drive compliance. Keeping customer information safe and secure, with only limited employee access to this data, is at the heart of the GDPR. The failure to use an encrypted USB stick to transport data can be considered a breach of protocols and result in hefty fines.

Security Protocols

Instead of relying on antiquated USB devices to share files, most companies should switch to cloud computing, which allows for safe storage and accessibility of files across a secured network. We wrote a blog post recently in which we listed a number of practices small-to-medium sized businesses should implement immediately, including amping up their cyber security, going to the cloud, and finding the right tech partner to assist them in setting it all up.

As security experts, Single Path is that “right partner” for many organizations. We know a thing or two about USB security, and even more about network security and data security. We help our clients implement proactive infrastructure patch management, provide a security risk assessment and much more. We also offer a full slate of managed cloud services, giving you access to the best cloud technologies without high initial costs or ongoing investments in upgrades.

Ask us how to get started!

5 Spooky Network Security Hacks That Can Haunt Your Office

What’s making that icy feeling of dread crawl up your spine? Is it from a Halloween ghost haunting your supply closet? Or the fear that your fax machine has been taken over by evil spirits? Assuming those evil fax spirits are hackers trying to crash your network security, that last guess might not be so far-fetched.

The Threat of IoT to Network Security

With the influx of Internet devices, many of which we wear or use daily, the security issues related to the Internet of Things are growing. Garner analysts predict that more than 25% of all cyberattacks will involve IoT devices by 2020. We detailed IoT in a previous blog post, where we discussed how hackers can infiltrate network security through your HVAC system, Smart Watch and more. Here are five more spookily surprising devices that can be hacked and compromise network security.

  1. Your Fax is Lax

The problem with many electronic devices is that their manufacturers just aren’t paying very close attention to security. Even if you have a newer fax machine or printer, it may still use security protocols established in the 1980’s. More than 45 million fax machines are in operation worldwide, many as part of all-in-one printers. Healthcare organizations in particular use fax machines for the vast majority of their communication.

According to an article from Healthcare IT News, a hacker would only need a fax number to launch a malicious attack. The attacker could then transmit an image with an embedded code that would allow them to take over the fax machine. That might not sound horrible, until you realize “They would then be able to download and deploy other tools to scan the network and compromise devices.” In other words, the Fax machine becomes the portal into a network, and its data.

  1. A Call For Help

Employees use their mobile phones almost as often as their computers, if not more so. It’s easy to forget that these devices often have complete network access and can be used to compromise network security, too. We’ve warned about this before; an earlier blog post on BYO devices for businesses, and another one about BYO devices in schools explain the need to establish an organization-wide BYOD policy, creating cloud back-ups of data and the importance of antivirus and malware protection.

But hackers can also use a non-mobile phone system to access a network. According to workplace technology company Ricoh, hackers can get past some phone system security protocols with little effort, and then can:

  • Eavesdrop on conversations
  • Tap into your VoIP line to make high-volume spam calls to foreign countries
  • Flood your server with data, using up bandwidth and causing your connections to be shut off. This may be followed with a ransomware demand.
  • Infect your system with viruses and malware. Just like office computers, your internet phones are vulnerable to programs that can track keystrokes, steal passwords and destroy information.
  1. Hackers are Eyeing Your Surveillance Cameras

Ironically, the security cameras designed to protect your business, could end up hurting it. And that’s spooky. While it’s convenient to watch security footage off-site, anything you can watch at home, hackers can watch too. Hackers can also take over the cameras to record videos or do their own surveillance of your workspace, sell camera access to other parties interested in doing that, make systems unusable or threaten to sell their use unless a ransom is paid, or even use the cameras to furtively steal credit card numbers from customers. Internet security company Trend Micro reports that one web forum claims, “as many as 2,000 exposed IP cameras are said to be connected to cafes, hospitals, offices, warehouses and other locations.”

  1. Getting a Smart TV may not be so Smart

A haunted television for Halloween?  Sort of. A recent Consumer Reports article (February 7, 2018) details how millions of smart TV’s have security flaws that can be easily hacked. A hacker can change channels, play offensive content or crank up (or down) the volume. While they probably can’t steal anything too valuable, this still can be “deeply unsettling to someone who didn’t understand what was happening.”

  1. A Coffee Jolt

The threat of someone hacking your coffee maker seems very, should we say, eye-opening? A recent article in the online journalistic mag The Conversation discussed how hackers can infiltrate cars, toys, thermostats, medical implants and yes, coffee machines. “A hacker who succeeds in communicating with one of these device can then conduct any number of possible attacks. They could disrupt communications, which would be irritating in the case of a coffee machine, but potentially life threatening in the case of a medical implant.”

Your Partner Against Crime

These hacking examples are just the tip of the iceberg (or perhaps the ice-cold fingertips of a Halloween skeleton). At Single Path, we’re security experts and our Security Offerings cover a vast menu of services. We can perform a desktop security risk assessment, implement a proactive network security plan and ethical hacking/employee training, implement next generation firewalls and establish email/content filtering. The threat of hacking doesn’t have to be Halloween-level frightening—at least not if you call Single Path.

Ask us how to get started!

12 Cyber Security Tools to Keep Your Business or School Safe

Happy Hacktober! We’re already well into this, the 15th annual National Cybersecurity Awareness Month. NCSAM is a joint effort between the U.S. government and various businesses to raise awareness of cyber security, and emphasize the importance of protecting your organization with cyber security tools and education.

Make no mistake: the need for education continues and cyberattacks are still on the rise. According to data from the Department of Homeland Security, 600,000 personal and business accounts are hacked every day and 47% of all American adults have had their personal information exposed by cyber criminals. What’s surprising is that Millennials, despite having grown up in a digital world, are particularly vulnerable to cybercrimes, with 44% of them victims of online crime in the past year alone.

Get Smarter, Get Safer

The best protection is education. The principle behind Hacktober, which has remained the same since the beginning, is the need to promote proactive, smart behavior in organizations in order to foster a security-conscious culture. Fortunately, there are thousands of cyber security tools and resources available, whether for individuals, SMBs, schools or other organizations.

We’ve collected some of our favorite cyber security tools here. Some of these have been created specifically for Hacktober, and others are evergreen. We hope this list of resources can help you stay more secure.

Cyber Security Tools for Small Businesses

1. This Cybersecurity Awareness Toolkit for Small and Medium-Sized Businesses was published by the Cyber Security Alliance, Facebook and MediaPro specifically for National Cybersecurity Awareness Month. It includes a great deal of information on how to create your own internal company Hacktober awareness kit and, more importantly, tips on how to implement your own cyber security protocols.

2. This 30-minute online assessment tool from the Michigan Small Business Development Center (SBDC) helps small and medium-sized businesses evaluate their own cyber risks.

3. The U.S. Small Business Administration offers a free cyber security course for small businesses.

Cyber Security Tools for Schools

4. A resource library from the Higher Education Information Security Council contains cyber security tools specifically targeted for colleges and universities including brochures, banners and more.

5. k12cybersecure.com is a site filled with “a curated list of recent information and resources to help U.S. public K-12 school leaders and policymakers navigate cybersecurity and related issues.” There are lots of links to articles and reports.

Cyber Security Tools for Everyone

6. This 2018 Toolkit from the Department of Homeland Security was created for National Cybersecurity Awareness Month. This is a comprehensive report that includes government contact information, cyber security tips, a glossary of terms and a list of online cyber security tools.

7. The national STOP. THINK. CONNECT™ campaign is a “national public awareness campaign aimed at increasing the understanding of cyber threats and empowering the American public to be safer and more secure online.” The STOP, THINK, CONNECT website has materials you can display at your organization, plus videos and resources aimed specifically for small businesses and educators.

8. Staysafeonline.org is a website from the National Security Alliance that features a list of upcoming cyber security conferences, online safety basics, advice on how to get your organization involved in cyber security, and many other resources.

9. Create your own custom cyber security planning guide for your organization with the help of this cyberplanner tool from the FCC.

10. The U.S. Chamber of Commerce offers cyber security tools such as tip cards, videos and posters that provide business security essentials.

11. US-CERT (The United States Computer Emergency Readiness Team) provides “no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices.” They also offer a self-assessment package, information sheets, downloadable guides and more.

12. The National Institute of Standards & Technology developed a CyberSecurity Framework that recommends standards, guidelines and best practices to manage cybersecurity risk for organizations.

We know we promised 12 tools, a solid dozen online resources, but we have to add a few more—

13. While not specifically created for Hacktober, we’ve published many blog posts that detail cyber security across a wide range of topics including blog posts on Phishing Tactics (part 1 and part 2), How to Spot a Phishing Email, Why Password Security Is Important for Your Business, How to Create Your School Cyber-Threat Strategy, The Growing Threat of IoT, and We’re Only Human: The Importance of Security Awareness Training.

There are many more cyber security tools out there, and we hope you’ll find the ones listed here, or others, are exactly what you need to create a more secure organization.

The Best Resource: Single Path

Single Path is your cyber security expert, with both the experience and resources to protect your organization. We provide a comprehensive menu of security options including audits, penetration testing, vulnerability scans, data loss prevention, ethical hacking/employee training, managed security incident event management (SIEM), managed advanced malware protection, next generation firewalls and email/content filtering. We also can help you rebound from an attack or natural disaster with our incident response services. Of all the vast array of cyber security tools that protect your organization, one of the easiest steps to take is simply calling Single Path.

Ask us how to get started!