Giant data breaches at giant corporations make headlines just about every month. But small businesses have become the favorite target of hackers. Fight back: Defend your small business’s IT network by following our annual 11-point IT security checklist.
It’s a seller’s market for Minnesota small businesses. But Andy Kocemba, who counsels small business sellers, says you can still leave big money on the table. Before putting your business on the market, answer four critical questions — one of which relates to your IT infrastructure.
Scheduling meetings can be tricky when you run a small business, especially when you include people from outside your business. If you use Microsoft Office, learn how to share your Outlook calendar. Here’s a quick guide, plus tips on two free apps that help you set up meetings quickly.
May 1, 2018
We are excited to announce the release of an Official TechGen Amazon Alexa skill.
This application will allow our customers to open a support request with a voice command through any Amazon Echo device or through the Alexa mobile app. Alexa is a virtual assistant program developed by Amazon, designed to help with hands-free interaction. We are now utilizing this technology to provide clients with more options for getting technology help.
Installation is as simple as saying the phrase “Alexa, Enable TechGen” into the Alexa app, and then authenticating the account. Our app even supports personal email addresses and Amazon accounts if you alert us you plan to use them ahead of time. After that, anyone can simply say “Alexa, Open TechGen” to start a speech-to-text email that will be sent directly to our support staff. For example, someone could say “Our copier is not working” and that message will be emailed to a support technician who can begin working to fix the issue. In order to best protect client privacy, this skill does not send actual recordings.
TechGen’s founder Reid Johnston was quoted saying “Voice search and interactions are becoming so popular, I’m excited we’re able to offer this to our clients!”
More information about the skill can be found here: http://i.techgen.com/alexaskill
We all have favorite apps that we use every day. Here are a few that will make you more productive and efficient.
Jog.ai – This is a neat web service that you can use to take meeting notes for you. Jog.ai acts as a middle-man recording your telephone calls. It not only gives you a high-quality recording, but will also transcribe your call, so it is searchable later. While you’re on a call, you can use the jog.ai web app to ‘mark’ important parts to refer back to later. Best of all, it will “listen” for keywords like “action item” and automatically highlight that part of your call. Just make sure you let the other caller know if you’re talking to someone in a state that requires that kind of notification.
LastPass – LastPass stores your passwords securely behind a super-strong “master password” and also supports multi-factor authentication to further protect your credentials. LastPass syncs between your computers and mobile devices, so you can always access your important sites. Other really useful features: securely sharing credentials with others, and storing credit card and bank information to automatically fill out web forms so you don’t need to track down your wallet!
Boomerang – A great plugin for Outlook or gmail.com. Boomerang reminds you to follow up on emails at some point in the future if the recipient doesn’t send you a reply. But one of the most powerful features is the ability to “share” preferred meeting dates with someone via email. For example, if you’re trying to set up a conference call, you can pick a couple of dates/times that are available on your calendar and include those in the message. Boomerang will automatically send an invite to both of you with the time slot that the recipient selects. I find this to be a little more personal than services like Calendly.com.
Calendly – This is a great service that automatically syncs with your calendar and creates a simple website that shows your availability. You can create different “booking templates” for things like 30-minute calls or 60-minute face-to-face meetings. Calendly lets you specify minimum and maximum availability ranges, as well as custom fields that are added to the meeting. Now when someone says, “Hey, are you available next week?” you can reply with your Calendly link, and they can pick a time that you’re available that works for them too!
Interested in trying out any of these apps? We can help you install them and integrate them with your existing systems! Just contact us and we’ll be happy to help!
PCI-DSS, ISO, HIPAA: you have probably heard many acronyms like these in reference to IT security. There are so many laws and organizations these days that it can be difficult to know where to begin looking. This blog post will introduce you to the topic so you can consider what might apply to you.
There are three different categories of acronym you will typically see: Legal requirements, organizations, and specific standards.
HIPAA is an example of a legal requirement. HIPAA is short for the Health Insurance Portability and Accountability Act of 1996. HIPAA is a law applying to certain kinds of healthcare companies. Rather than detailing specific requirements, HIPAA lists broad security objectives and leaves companies to decide how to implement them. This allows the law to scale for company size and with changing technology. Some other examples of legal requirements are: HITECH (Short for “Health Information Technology for Economic and Clinical Health,” an amendment to HIPAA), GLBA (Short for “Gramm–Leach–Bliley Act” which governs financial companies), and FISMA (Short for “Federal Information Security Management Act of 2002” which regulates federal agencies and their contractors).
ISO is an example of an organization. ISO is an abbreviation for the International Organization for Standardization. ISO is an international effort to come up with standardized terms and measurements for everything from timber sizes to laboratory glassware to fingerprint image data. One set of standards is ISO 27001, which details specific IT security requirements. TechGen is ISO 27001 certified, which means we have demonstrated that we meet those security standards. Other examples of organizations that publish their own standards are: The SANS Institute (“SysAdmin, Audit, Network and Security Institute,” a private company that offers security training), ISACA (formerly the “Information Systems Audit and Control Association,” a professional association), and HITRUST (the “Health Information Trust Alliance,” a joint creation of several healthcare companies).
PCI-DSS is a specific list of standards. It was created by and utilized in the Payment Card Industry to offer a Data Security Standard across businesses that accept credit cards to keep consumers safe and meet government regulations. Lots of organizations have their own list of security standards or certifications, which adds more acronyms to the mix. The SANS Institute offers GIAC or the “Global Information Assurance Certification.” ISACA publishes COBIT, which stands for “Control Objectives for Information and Related Technologies.” HITRUST regularly updates what they call the CSF or “Common Security Framework.” Some organizations use their name in their list of controls, such as CIS (the “Center for Internet Security”) which writes “CIS Controls” and “CIS Benchmarks.”
When looking at IT certifications, it is important to look up what a company claims to have. A company that says they are “HITRUST Certified” is saying that an auditor has evaluated them and found they meet the CSF standards published by the HITRUST organization. That also means there is no such thing as “HIPAA Certified” because HIPAA is a law, not a list of standards or certification. A more accurate designation would be “HIPAA Compliant.”
If you are interested in increasing your level of IT security, you should research what organizations specialize in creating standards for your industry. Unlike some kinds of certifications, there is no “one size fits all” standard for technology, and there are multiple different ways to address a security problem. One sure-fire way to increase security is to utilize vendors that have their own IT certifications, that way you can trust a third party has evaluated their security.
Hopefully, this guide has given you a good start for where to begin your investigations into IT certifications. Thank you for reading, and have a secure day.
Another large Ransomware attack this month forced an Indiana hospital to pay four Bitcoins, or $55,000. This is unfortunately an increasingly common story, but this one has a twist – they had backups of their data but still chose to pay. Why? Restoring their backups could have taken weeks, and it would have been too expensive to be closed for so long.
This hospital learned two lessons the hard way. They learned not only that employee training is vital to preventing Ransomware and other hacks, but also how critical it is to test your disaster recovery plans. Backups are extremely important, but like any medicine, you want to prevent the illness before you have to use it; and like any treatment, they are of limited value if there is no plan to implement them in a reasonable amount of time.
Business Continuity plans for dealing with common hiccups, and Disaster Recovery plans for major outages, are two sides of the same data safety coin, collectively known as “BC/DR.” When a hacker attacks or the power goes out, your employees should know how to respond to minimize negative impact. Backups are one piece of that puzzle, but the written plans are essential to implementation.
We here at TechGen want to help keep your data safe and your business running StressFree. That’s why we do regular testing of your backups. We ensure your backup works, so when the worst happens, your technology will be ready. Because backups are just one piece, we’re helping our clients implement a BC/DR plan or improve their existing one. Please, let us know if you are interested in discussing ways to improve your security. We also encourage you to read through some of the other posts on this blog that offer useful tips to prevent hackers from getting on your network in the first place.
It’s the end of the year, and with the holidays wrapping up it means “time to get back to work” for most of us, but it means “time to kick into high gear” for hackers. With many companies running with partial staff, identity thieves see them as prime targets. When employees have extra workloads, they can’t spend as much time carefully reading emails, but that just means we need to train ourselves to be cautious.
Every year scammers start bringing out their old standbys for year’s end because people still respond to them. Here are some of the most common tactics, so you and your users can be ready:
- Employee benefits/Health Savings Account scams
These types of scams rely on employees not being informed of company policies. The scammer will send an email telling the employee that their benefits are about to expire, or they need to renew them for the new year. They provide a fake website to “log in” and steal credentials. Avoid this by making sure to ask the appropriate person in your organization about anything benefit related – don’t rely on random emails.
- Microsoft (or other software) End of Year upgrade:
This type of scam involves an email telling you that your software is about to expire, and you need to send money to renew it. Typically, they will try to scare you and tell you that your email account will be closed by Microsoft or something similar. Always ask your IT vendor about the status of your licenses. TechGen will be happy to work with you to manage your software licenses and keep you in compliance.
- Phone call scams (“Vishing”):
With staff overworked, hackers are more likely to try to leverage employee exhaustion by calling directly instead of sending an email. These types of scammers will pretend to be from the IRS, or Microsoft, or some other group that needs credentials, passwords, or access to a computer. None of these organizations will call you out of the blue and make you resolve an issue on the spot.
- Charity scams:
Lots of people want to contribute to charities toward the end of the year, and who doesn’t like making the world a better place? Scammers will utilize this to send fake charity emails, hoping people will send them money. You can avoid these by navigating directly to the website of the charity you want to go to. Don’t send money to people who ask for it over email.
Finally, scammers have been watching the news as well, and they’ve seen the confusion resulting from the new tax law that Congress has passed. Expect there to be lots of phishing emails sent out on this topic. Hackers may be sending fake articles for you to click, asking for your information to “help you calculate your new tax liability” or, most dangerously, pretending to be government agents and demanding money. The IRS has released a page talking about fake IRS communications and how to avoid them. You can see that here: https://www.irs.gov/privacy-disclosure/report-phishing
Stay warm, and stay safe.
No matter how secure your network is, the first line of defense is always your employees. They are the gatekeepers to your network – deciding which emails are opened and allowed in. Hackers know that they can’t do anything until they get inside. Just like someone who wasn’t invited to the party, they will pretend to know someone, pretend to be someone else, or make up whatever other lies they can to get inside. In the computer world, those fake and malicious emails are called “phishing emails.” Because of how dangerous they can be, the ability to recognize phishing emails is critical to network security.
Here are some things to look for to help you and your employees determine if an email is legitimate, or a party crasher.
- Make sure the email is something you were expecting to get. Unsolicited requests, invoices, and links should be treated as suspicious.
- Hover your mouse over every link before you click it. You will see a small popup that tells you where the link goes. Make sure the link goes to the correct place before you click. One way to always be safe is to navigate to the website yourself in your browser and not click the link at all.
- Double check the email address that the email is coming from. Sometimes fake emails will use addresses similar to real sites (e.g. “Techgem.com” instead of “techgen.com”).
- Did they misspell your company name or make other mistakes in the email? Do they use a generic name instead of yours?
- Do you know the person sending the email? Is this the type of email they usually send? Look at the signature of the email and make sure it matches their usual signature. If their identity is in doubt, you can always call them and verify the authenticity of the email.
- Phishing emails will try to make you click without reading. Check to see if the email implies urgency or extreme importance. For example: “IMMEDIATE ATTENTION – YOUR ACCOUNT WILL BE CLOSED”
- Look for misspellings and poor grammar. Many people who send phishing emails don’t speak English as a first language.
- There can be other, subtle red flags. For instance, does the email have a strange subject line, signature, or layout?
Sometimes, a legitimate email may have one of the above, but by looking at a combination of the above, you can usually tell a phishing email from a normal one.
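Three of the checks above (a lookalike sender domain such as techgem.com vs. techgen.com, a link whose visible text names a different site than its destination, and urgency wording) can be automated for mail triage. The following is an added example written for this post, not TechGen’s code; TRUSTED_DOMAINS and the SAMPLE email are constructed inputs.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"techgen.com", "microsoft.com"}  # assumption: your own allow-list

# Constructed sample email that shows all three red flags at once.
SAMPLE = """From: TechGen Support <support@techgem.com>
Subject: IMMEDIATE ATTENTION - YOUR ACCOUNT WILL BE CLOSED
Content-Type: text/html

<p>Please log in at <a href="http://login.techgem.com/portal">techgen.com</a> today.</p>
"""

def edit_distance(a, b):
    """Levenshtein distance; techgem.com is 1 edit away from techgen.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of 'Name <user@domain>' or 'user@domain', lower-cased."""
    m = re.search(r"@([\w.-]+)", from_header or "")
    return m.group(1).lower() if m else ""

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (1-2 edits away), or None if clean."""
    if domain in trusted:
        return None
    for t in trusted:
        if 0 < edit_distance(domain, t) <= 2:
            return t
    return None

def link_mismatches(html):
    """(href, shown_host) pairs where the link text names a host the href does not go to."""
    out = []
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"([\w-]+\.[\w.-]+)", text)
        host = (urlparse(href).hostname or "").lower()
        if shown and host != shown.group(1).lower() and not host.endswith("." + shown.group(1).lower()):
            out.append((href, shown.group(1)))
    return out

def triage(raw_email):
    """Return the list of red flags found in one raw email, empty if none."""
    msg = message_from_string(raw_email)
    reasons = []
    dom = sender_domain(msg.get("From", ""))
    target = lookalike_domain(dom)
    if target:
        reasons.append(f"sender domain {dom} looks like {target}")
    for href, shown in link_mismatches(msg.get_payload()):
        reasons.append(f"link text says {shown} but goes to {href}")
    if re.search(r"\b(immediate|urgent|will be closed)\b", msg.get("Subject", ""), re.I):
        reasons.append("urgency language in subject")
    return reasons
```

Running `triage(SAMPLE)` reports all three flags; a message from a trusted domain with matching link text and a neutral subject returns an empty list.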
Attached below is an example of a real phishing email, with the suspicious features we used to identify it pointed out. Take a look at how we applied the tips mentioned above.
Stay safe out there.
Once again high profile hacking is in the news.
Accounting firm and security advisor Deloitte was illegally accessed last month by unnamed hackers who had managed to compromise an administrator account and used it to access one of Deloitte’s Microsoft Azure accounts. So far, at least six of their clients have been informed that data including usernames, passwords, IP addresses, architectural diagrams and health information was accessed by the hacker. Deloitte is still reviewing the breach and contacting affected parties.
A question many are asking is “How did such a large company with so much experience in cybersecurity get breached?” and the answer is simple. “They didn’t have two-factor authentication.”
Two-factor authentication is a tool used for added security when it comes to important accounts. The name comes from using two factors to log into an account – your usual password and a separate factor such as a cell phone message, a remote FOB, or biometric data like a fingerprint. In general, using multiple steps to log in is referred to as “Multi-Factor Authentication” or MFA. With MFA enabled, even when a hacker manages to discover your password, they still can’t access your account without also having your other factor, like your phone. Deloitte didn’t use it on one administrator account, and as a result the hacker merely needed to get one password in order to gain the keys to the kingdom.
Increasingly, two-factor authentication is being considered a basic security step, and we here at TechGen highly recommend all of our clients look into MFA solutions.
- Microsoft has step-by-step instructions for setting up MFA for Office 365. You can read those here.
- Another good password solution, LastPass, also supports MFA. Specific instructions are here.
We would be happy to help you set up MFA for your important accounts; if you are interested, please let us know.