Ready to Ditch the Protocol? Reasons to End Remote Desktop Protocol

Remote Desktop Protocol (RDP)has been known to IT professionals for years, added into our arsenal since the original release with Windows NT 4.0. This provided the technical people the ability to treat any system or task as though it were local. Before we go further, it’s worth noting most Ransomware attacks occur through the open-ports in your network. These ports are what leadership sometimes use to remote into a work machine. You’re internal IT uses this to assist in taking control of your work PC to troubleshoot a problem.

Quickly, the productivity tool was adopted, widely seen by many as an initial attack vector. From a security standpoint, any software or program that takes remote control of your PC is worth of severe scrutiny. In the wrong hands, RDPs can assist cybercriminals in deactivating device’s in the organization’s network, concerning endpoint protection, and deliver nasty payloads of malware.

Using a publicly accessible Remote Desktop Protocol session to reach systems creates major concerns surrounding your network vulnerability. Public sessions are targets, with cybercriminals discovering new ways of conducting port and IP sweeps. According to Tyler Moffit, Webroot’s Senior Threat Analyst and partner “It’s a matter of when not if.

Recent reports suggest the state of banking security as half of all banks in the SF Bay Area have left remote access and control interfaces like Remote Desktop Protocol, openly accessible from the internet. Shocking finding for many in an industry built on securing customer information.

Turning Remote Desktop Protocol into an Attack Vector

Although most cyber attacks are from the results of lateral movement through your IT network, malicious payloads will spread between each system, fully compromising and stealing each PCs data. By adding pubic accessible Remote Desktop Protocol, you compromise those with weak credentials, using password breakers to easily accomplish these lateral movements, from user to user.

With four high-level options for securing your environment, and managing them with more security:

  1. Consider eliminating the Remote Desktop Protocol access by changing the default TCP ports and leveraging a virtualized network, or VLANs to critical systems. A more secure option would be to block all RDP connections through none whitelisted IPs. Additional solutions are available when it comes to logon monitoring and activity summaries with heightened visibility utilizing multi-factor authentication.
  2. Secure all systems and endpoints first, with solution designs to monitor and remedy any network anomalies. Similar to that of an RDP session from other workstations and notify your technical team or leadership.
  3. Utilize paid encryption Solutions for remoting into work systems. Some of the most popular remote solutions are TeamViewer, LogMeIn, and Screen connect all companies through encrypted connections to release communications as need.

Ready to Ditch the Remote Desktop Protocol?

With security threats and attack vectors mounting, remote desktop options are out there, and your Managed Service Provider or IT Consultant should be attending to the major attack vector. Companies must begin to recognize the security dangers across their network, and how to best leverage their current technology investments. Paired with our award-winning suite of solutions, better secure the access to RDP, the data, or black all remote sessions until further notice, per security posture.

To learn more about what Managed IT Support can do in terms of your networks RDP, contact us today to get started in discovering network vulnerabilities, the criminals will leverage.

Retention Best Practices: What to Do with All of That Data

Your data retention and customer information are the lifeblood of your business – there’s no denying data’s importance, especially in day-to-day operations. Today, organizations across all industries are tasked to protect this vital info, retain it, and provides access at all hours. Yet, all we’ve seen was a lack of the appropriate archiving and retention policies upon initial inspection.

Building Data Retention

As your MSP, it’s our job to be your strategic advisor and help them understand exactly what their retention requirements are for various business needs. By looking to clean up your IT environment and implement retention policies for more secure, and accessible data you can gain an edge on the pitfalls of errors and mistakes.

By establishing data retention policies, here are some key points you should consider. Keeping in mind, that not all data is created equal—the first step in establishing appropriate retention policies, which data needs to be archived, and for how long.

 

Step 1: Classifying

Strike a balance between what’s optimal for your business needs vs. cost-effectiveness, by asking some of these questions before classifying or deleting data.

– Is this info critical for the customers’ business operations?
– Would your data be classified as a permanent document of any kind?
– Is your data considered proprietary intellectual property?
– Does your data reflect the current, legitimate and useful information or needs?

Data that fits none of these criteria may be suitable for deletion – although most data is generally retained for at least a twelve-month period, with a very small percentage needing to be retained after that period for legal holds. Assess value and risk before deleting anything and consider cost and storage requirements when choosing to keep anything else. There should be no arbitrary or ambiguous data—everything must be accounted for.

Step 2: Compliance

There is a hierarchy to follow when determining which data must be stored. Ensure data retention policies align with any of the following compliance or regulatory restrictions:

Regulatory Compliance
Whether it’s HIPAA, FINRA, PCI, or other regulatory concerns, know your verticals, and know the law. What data must be kept (and for how long) can vary significantly from one industry to the next.

Legal Concerns
Retain all data that could be subject to legal discovery or would be needed in legal action should it arise.

Pro Tip: If you need a long-term storage solution for less time-critical data, you can leverage our series of cost-effective data retention and BDR solutions.

 

Step 3: Deletion

Once your identified data no longer serves any useful purpose, there’s more to do than simply emptying your desktops recycle bin. Set expiration dates for all data when establishing retention policies unless it’s designated to be retained in perpetuity. It should be noted, that when data has exceeded the retention limits, it should be deleted immediately.

Finally, data that is retained must be data that is accessible. Choose a fast and searchable archival method to access data and determine what frequently-used data (if any) should be kept “live” outside of archival applications.

For anyone unsure of their backup and disaster recovery technology, and its configuration, we can help. With over 30 years of experience, with information technology, our trained IT consultants can get you started down the right path.

 

8 Warning Signs You’re Using The Wrong IT Service Solution

Dreading your company’s technology review because you can’t show how your technology is performing? Have a provider suffering from a lack of ideas on how to truly accelerate technology?  You’re not alone – these are common symptoms for Bay Area businesses having selected the wrong managed IT service solution.

Read more

Uncovering the Gaps: 7 Proactive Cyber Security Best Practices for Bay Area Businesses

For businesses, the traditional approach towards cyber security is focused on defending against threats, and prevention. As criminals become bolder, and tactics grow in sophistication, defense and prevention aren’t enough. Over 80% of businesses are looking for third-party help with cybers ecurity. By following these practices, you can securely position your company from a secure-data standpoint.

Focus on Risk – Instead of achieving a 100% fully-secured business, shift the conversation towards how much risk to a business, and it’s data, each employee’s faces. Come to terms with the idea “100% Secured” is unattainable. Cybercriminals can and will always find new ways to attack. By implementing cybersecurity metrics that track logs and security patching. By uncovering how many applications lack the latest security patching, your team can uncover any security vulnerabilities that have not been addressed.

Prioritize the Data – Each business has that information, that remains at risk. For many of your businesses, it would be employee health records, customer information, bank routing numbers. This sensitive data should get the highest level of security. This ensures a harder time for hackers to access info, and work to educate employees on protecting these valuable assets.

Cyber Clean-up – It’s always good practice to stay vigilant about security maintenance, to prevent commonly overlooked threats, such as ransomware, and phishing attacks. These “housekeeping” tasks are typically strengthening endpoint security, administrative rights for hardware access, and folder structure, schedule and automate patching roll-ups, data backups, and overall response planning in preparation of an event.

Security Stand Out – While it’s obvious for most business to leverage security as a differentiator, it might be less clear for employees, who interact with multiple businesses each day. From financial firms to outsourced HR, or even healthcare, all of them require strong security, to protect employee data or their clients.

Regulatory Churn – New regulations, such as Europe’s recently released, General Data Protection Regulation (GDPR) often cause concerns for businesses based in the United States, but selling in Europe. Businesses are told to comply but lack the tools and know-how to bring systems, and processes to standards. Compliance managers were force-fed regulations, in hopes to determine how best to position the tools and services needed. As a trusted IT service partner, we assist companies in the discovery, and remediation of non-compliant networks to meet business needs, and compliance standard, making for great security.

Boosting Security Expertise – With a threat landscape, similar to that of the wild west, cyber security must change with it. Shrouded in secrecy, the threat landscape has never been more open to knowledge sharing. If your company doesn’t have the time to research the specific threats linked to your business, maybe it’s time to meet with us.

Build a Culture – Due to the constant threat of cyber attacks, security awareness training should employ best-of industry security habits, such as password changes, encrypting mobile devices, and avoiding public Wi-Fi, when accessing sensitive data. It’s ok to work while on-the-go but use a VPN, or a remote desktop receiver with 2-factor authentication.

Something most businesses lack and your competition forgot about. Win more business and increase your bottom line, by keeping network uptime maxed, and efficiency within your processes intact.

Realize the Power of Technology with the help of a trusted IT service provider. Contact us to begin an uncovering the gaps in your cyber security today.

3 Considerations When Planning Your Future Information Technology

I’m sure many of you have heard of the age-old adage, “If you fail to plan, you plan to fail.” No business owner should see this as a surprise. Yet, when we chat with new clients and their peers, it seems like they were winging information technology(IT) until now.

Many local businesses are surviving on a day-to-day basis. Some even feel they barely have time to plan for what is going on this afternoon. Tomorrow will begin to seem overwhelming, and the recipe for disaster is born.

Here Are the Three Important Reasons Why You Should Take the Time to Plan for Tomorrow:

1. Your Business Depends on It:  How many of us have thought about businesses growing in a healthy, reliable fashion when executing your sales efforts consistently. It’s critical that you and your team understands the full capabilities and metrics tied to your business efforts. By planning for your technology future, employees will begin to thrive, finances become more predictable, and the stress levels around technology drop. Your internal staff members aren’t left with trial and error. By preparing your information technology today, you can battle the fires of tomorrow.

2. Putting-Out Fires Isn’t Productive:  Many local business owners become regularly stuck fighting information technology fires. That’s unfortunate because, in the larger scope of things, it feels like work is being accomplished, but no situation has been remedied. Your information technology partner should be working within your business, not on your business. This path of neglect is also one leading to high stress and minimum growth.

3. Life Happens:  Employees can get sick, or decide to leave the business unexpectedly, even with proper planning, there’s absolutely no margin for error at this point. Sometimes, businesses are faced with opportunities, that demand immediate action, again delaying the time to think about what advantages, and needs your business now has for technology.

How Can WE Fix This?

As IT people and not miracle-workers, we can create a fully-encompassing management solution for your technology. Putting out the fire, of one of the largest problem with local companies today, aging technology.  As a trusted IT partner in the Bay Area, we understand that there are many substitutes that come close to the care, and customer satisfaction provided by our staff.

If your business has been having technical issues, you owe it to yourself, and your work, to give an expert a call. To begin a no-cost conversation regarding your information technology, feel free to reach out to any of our friendly staff for further assistance.

 

Security Awareness Training Takes Business Protection to New-Heights

Security awareness training is seen by many as something “nice to have,” while several SF Bay Area business owners have begun implementing our on-site training in a necessity to any business looking to protect their network and backups from encryption.

Your decision to adopt user-based education has been passed over year-after-year due to budget constraints or a lack of in-house experts to demystifying technology. Small to medium-sized businesses have suffered from these types of constraints for years when compared to larger, resource-heavy organizations.

Though it’s clear end-user education doesn’t have to be a need for many business owners, as recently as August 2017, a Better Business Bureau study uncovered almost half of SMBs with 50 employees and under, regard security awareness training among their top 3 most proactive IT expenditures, alongside, firewalls and endpoint protection.

This increase comes as no surprise, as the cybersecurity landscape has become more dynamic than ever. The average small to medium-sized business faces annual losses of over $80,000 when everything is said and done. Your staff is the front line to your business, and even the most advanced security stacks, have limitations. If you’re not educating end-users by now, you’re putting your organization into harm’s way.

Here are a few tips and trips for SMBs looking to get started with end-user training, or security awareness training:

Gather Company Buy-In

As with any new programs, starting at the ground level will ensure success. Start with building a culture of security. Yes, it might require multi-factor authentication, or additional hoops to jump through. Begin generating the “buy-in” from the surrounding management teams, sending out an email explaining the value of security awareness, phishing details, and the latest in security trends, and reports for your information technology(IT) team.

Starts with Phishing

In the current technology landscape, security awareness should begin with the MOST COMMON attack vector, email phishing campaigns. With thousands of interactive tools and designs built to mislead and steal your credentials, there is no shortage of examples, and videos showing the intricate workings. Begin with the basics, and go through the varying amounts of phishing threats. Your staff should be able to identify and mitigate any phishing attempts after your training concludes.

Share results with End Users

Use this feedback to inspire smarter habits among staff, identifying key objectives for security awareness training to engage in at a later point. Who knows, maybe you will uncover security gaps left behind by a past managed IT, provider. Raise the level of cyber awareness throughout your organization, sharing the latest encounters internally with your staff. Chances are these criminals are working more than one of you at work and this can help employees understand the impact of poor online habits and motivate them to practice better behaviors.

Continuous Training: Set up your phishing and training program

Once your users are engaged and understand the value, the next step is setting up a training program for new employees. There is no one-size-fits-all program, but we recommend running at least one training courses per year. Depending on the needs of each organization, presentations can be tailored to highlight industry-specific security.

As the business scales, you will want to scale the frequency and adjust intervals throughout the year. Our Security Awareness Training includes real-world phishing scenarios that have been defanged from the wild.

When you start seeing the impact that proven security awareness training has on your employees, you’ll wonder how your business ever managed without it. Contact us to schedule your no-cost, no-obligation security awareness training for your organization.

 

How to Devise a Budget that includes your Disaster Recovery Plans

Planning and disaster recovery, more importantly, budgeting, is one of those tasks few business continuity managers look forward to completing every year. After all, it can become a pretty involved, and complicated processes for anyone, often seen as sobering to tally-up the final bill. Love-it or hate-it, devising a business disaster recovery (BDR) budget is a necessary evil which nobody can avoid. On the bright side, there are some simple steps you can take to ensure you spend wisely on a disaster recovery budget.

Rally the Troops

Call in the troops with a rallying cry for disaster recovery to protect the entire organization. By design, planning and budgeting should involve the CEO, or top-level management, and department leaders across the company — not only IT. Key members from varying departments like sales and customer service can drive budgeting needs by contributing valuable insights on how systems and resources are used, performing, and the maintenance needed. Business owners and CIOs can see what the plan entails, and decide how to best execute the proposed strategies while staying within the budget.

Know What’s Important

After you’ve rallied the troops and the advocates, your next step would be to focus the bulk of your disaster recovery planning efforts around your most precious asset. For most, business begins and ends with data. Data can be perceived as analytical, or informational bits and bytes that make up the information that runs your business.

Commonly, these budgets should be structured in a way, to cover vital company information from various angles. An example of this can be found at some level of most businesses. The entire organization uses a firewall(s), to ward off network attacks at the perimeter level. Anti-virus and end-point protection halt threats on production servers or prevent data encryption. Although the equipment varies from one company to another, but eventually technology breaks. Having an on-site, and an off-site backup plan will ensure that your business line data can be recovered fully, and reliably.

Business Risk Weigh-out

Now it’s time to hone in on actual disastrous scenarios. This is when your staff can assist in identifying the biggest threats to your business. Begin to engineer strategies to minimize the exposure and risks to data. Your hardware and data’s physical location is always a factor, but most organizations should thoroughly plan for both natural and accidental disasters. Although you might have prepared a comeback from fire or flood, have you given thought to disgruntled employees? What about cybercriminals, and hacking?

From here, we can begin working on a budget that properly reflects, the tools and resources needed to put your strategy in place. Our managed service partners have the freedom to budget in anything from training internal-staff in advanced cybersecurity measures to our network monitoring process. Your budget must cover the workforce needed to spring into action during these disaster recovery scenarios.

Prioritize Your Assets

One of the biggest mistakes you can make in disaster recovery planning is treating each system and process as equals. Why? Because it often leads to employing “grade-A” protection across your infrastructure. Not quite sure where your resources rank in the pecking order? Well, this is where a detailed business impact analysis (BIA) comes in handy. A BIA will identify each resource in your environment. It will also help drive your budgeting efforts based on their order of importance.

Fund Your Budget Wisely

Smart budgeting is about setting your limits and staying within those very boundaries. Your ability to stay within that safe zone will largely depend on your organizational structure, but some companies are already allocating a sizable portion of their budget towards disaster recovery services. Typically, we see those that operate disaster recovery as its own separate line-item, taking a more targeted approach for every department.

Your Peace-of-Mind

Unfortunately, things don’t always go according to plan. Failed backups or lapses in communication, these roadblocks can lead to stumbling over the hurdles to recovery. Your disaster recovery can be seen as an ongoing process, without a time constraint, you can periodically test your solutions along the way.

If your company is struggling to get over any of the hurdles on the road to successful disaster recovery, contact us to begin a no-cost, no-obligation conversation with one of our friendly staff members.

Educating Partners on Risk Management & Disaster Recovery

According to the data, there were a total of 3 natural disasters in the state of California in 2018, resulting in $180.8 billion in insured losses. That’s up from the $23.8 billion last calculated in 2016. With a bad wildfire season just around the corner for the Bay Area, we’ve already seen an active Winter, with mudslides, and flooding through-out, followed by that sweltering California heat.

Despite their frequency, natural catastrophes aren’t the only disasters you and your customers have to worry about. The rest is attributed to instances such as data corruption, system failure, and human error. In fact, hardware failure is responsible for half the downtime that small to midsize businesses experience.

When Risk Management Meets Disaster Recovery

Unfortunately, ideal scenarios and real-world scenarios are two different things. While it sounds good in theory, trying to protect against every possible catastrophe is cost prohibitive and therefore impractical for most businesses. Helping develop a Risk Management and Disaster Recovery Plan for the most likely “disastrous events.”

Risk Management Plans assist in spending wisely, by budgeting for disaster scenarios that pose the biggest threat to the business. For instance, if a data center is located in Southern California, then earthquakes are a legitimate concern. On the other hand, if you’re in the Northeast–then snow storms are something you should plan for during the winter months.

Whether your risk management efforts uncover one type of event or another, there are certain disasters every organization should plan for. Educating employees on the importance of security, data backup, and consistent testing being cornerstones of any disaster recovery plan.

When onboarding our managed services clients, we remind them that solidifying a commitment to security can help prevent disasters, while a best-in-class backup and recovery plan is essential when disaster does strike. Periodically test procedures within your organization to make sure staff as prepared and data can be recovered–because just a plan itself, is all but useless.

In Closing

You never know when disaster will strike or in what form. What you can do is anticipate the biggest risks for customers and help them prepare for the worst. At the end of the day, disaster preparedness is the key to risk management.

Have a question regarding your organization’s disaster recovery plan, or any risk management surrounding your business?  Contact us – for a no cost, no obligation conversation, with one of our friendly staff members.