Conducting business operations in the digital world is prone to security risks. Mitigating them would be impossible if you don’t have an IT compliance policy.
Setting up a robust IT compliance policy in your business is more important now than ever and it’s because most organizations now depend on digitized services.
Online companies rely on e-commerce websites to do business by taking orders and receiving payments. Even brick-and-mortar organizations utilize software to perform various activities, such as order management and back-office accounting.
In such tech-driven environments, a lack of proper security measures jeopardizes the business leader’s position. Their IT systems get abused and their technology often becomes a source of scandals.
The only way to avoid this possibility is to create a strong IT compliance policy.
This article will cover key considerations when developing your system of IT compliance and how Databranch can help you implement an IT compliance policy.
WHAT YOU NEED TO CONSIDER FOR IT COMPLIANCE POLICIES
FACTOR #1 – PEOPLE, PROCESSES, AND HOW THEY ALIGN TO TECH
IT compliance isn’t just about technology – it also involves people and processes. And the reality is that many organizations focus heavily on their tech, resulting in failed audits due to their failure to consider the other two aspects. This makes the compliance world more complex.
Taking the correct approach can help ensure your enterprise abides by the necessary standards.
FACTOR #2 – RELEVANT LAWS AND REGULATIONS
Laws and regulations stipulate the policies that govern IT compliance requirements. Here are the most common ones:
The Sarbanes-Oxley Act – regulating financial reporting
The Gramm-Leach-Bliley Act – governing non-public personal information and financial data
The Health Insurance Portability and Accountability Act – regulating health information that healthcare organizations process
Ultimately, you can’t start your compliance process without understanding the laws and regulations applicable to your organization.
You should also ascertain the controls that apply to these laws and regulations. They are process-oriented and technical means to adhere to your policies.
There are various industry and government standards that specify them, including:
Control Objectives for Information and Related Technologies (COBIT)
National Institute of Standards and Technology (NIST)
Payment Card Industry Data Security Standard (PCI DSS)
These can have a massive bearing on your sector. Therefore, make sure to familiarize yourself with all relevant controls.
FACTOR #3 – RAISING EMPLOYEE AWARENESS OF THE IMPORTANCE OF THE POLICY
One of the biggest threats to your data security is having untrained employees. Their actions can have a huge impact on cybersecurity. For instance, improper software upload, sharing, download, and storing can jeopardize critical information.
The reality is, many employees opt for insecure data transfer methods due to their convenience. Some of the tools they use are personal emails, consumer-grade collaboration apps, and instant messaging. All of these are ideal targets for cyber criminals.
To prevent your business from becoming a victim, your users must learn and understand where various threats originate from. They should especially understand the actions that can give rise to vulnerabilities.
Making secure file sharing a top priority and investing in proper education demonstrates the significance of IT compliance. Your efforts will help team members become willing to adopt best practices in this field.
When developing your training plan, make sure to include several key topics:
How insecure file transfer methods expose your company to risks
Avoiding phishing scams
Precautions to exercise before using or downloading unsanctioned applications
The conditions for using and creating strong passwords.
FACTOR #4 – HOW YOUR IT POLICY ALIGNS WITH THE COMPANY’S SECURITY POLICIES
Aligning IT compliance with your business operations involves understanding the culture of your organization. For example, your environment can revolve around either processes or ad-hoc ways of doing things.
Enterprises aligning with the former are best off issuing in-depth policies to ensure compliance.
By contrast, companies that match the latter require detective and preventive controls. They need to address specific risks associated with your policy. It helps various auditors understand why you’ve deployed a particular control or decided to face certain risks.
FACTOR #5 – UNDERSTANDING OF THE IT ENVIRONMENT
IT environments directly affect your IT policy compliance design. That said, there are two main kinds of environments:
Homogeneous environments – These consist of standardized vendors, configurations, and models. They’re largely consistent with your IT deployment.
Heterogeneous environments – The other type uses a wide range of security and compliance applications, versions, and technologies.
Generally, compliance costs are lower in homogeneous environments. Fewer vendors and technology add-ons provide less complexity and fewer policies. As a result, the price of security and compliance per system isn’t as high as with heterogeneous solutions.
Regardless of your environment, your policy needs to appropriately tackle new technologies, including virtualization and cloud computing.
FACTOR #6 – ESTABLISHMENT OF ACCOUNTABILITY
IT policy compliance doesn’t function without accountability. It entails defining organizational responsibilities and roles that determine the assets individuals need to protect. It also establishes who has the power to make crucial decisions.
Accountability begins at the top and encompasses executives. The best way to guarantee their involvement is to cast IT policy compliance programs in terms of risks instead of technology.
As for your IT providers, they have two pivotal roles:
Data/system owners – The owner is part of your management team that’s responsible for data usage and care. Plus, they’re accountable for protecting and managing information.
Data/system custodians – Custodial roles can entail several duties, such as system administration, security analysis, legal counseling, and internal auditing.
These responsibilities are essential for IT policy compliance. For example, auditors need to carefully verify compliance activity execution. Otherwise, there’s no way to ensure the implementation is going according to plan.
FACTOR #7 – AUTOMATION OF THE COMPLIANCE PROCESS
Your IT environment continually evolves and grows, yet internal auditors can only review a small number of user accounts and system configurations.
Automation is the only way to ensure you can evaluate enough systems regularly.
BREEZE THROUGH YOUR BUSINESS’S IT COMPLIANCE
Setting up well-designed IT compliance may be a long process, but it can make a world of difference in terms of business security. It keeps your business reputation intact and allows you to avoid penalties and fines.
However, you’ll need to pay special attention to several aspects and one of the most significant ones is your IT provider.
If your IT isn’t living up to its potential, you’re bound to face compliance issues. This can cause tremendous stress and halt your operations.
Luckily, there might be an easy way out of your predicament. Schedule a quick chat with Databranch to discuss your IT problems and find out how to get more out of your provider.
Some of us attack and engage in our holiday shopping with a plan that rivals the most well thought out strategies. We scour weekly fliers, online ads, and research who will have the best price and coupon code for us to use. In order to shop smart, yes, keeping track of prices is important, but being a genius means that you include cybersecurity and personal limits in your plans.
Here are a few tips that you should include on your shopping list.
Shop secure. Look for websites that have https in their address. While this isn’t a surefire bet that you’re on a secure and safe site, it’s a good first step in ensuring you’re in the right place, especially if you’re providing your credit card.
Deals, not steals. Rebates, coupons, and in-store specials are a great way to save money. Make sure that if you are offering up any information it’s to reputable stores, and don’t give out personal information in return for a ‘future offer’. Read the fine print on all deals. Especially if they sound too good to be true.
Review and research. Don’t assume because a product is on a review website that it is legitimate. Many of these sites are called affiliate sites and merely put up content that redirects you to a page where they receive compensation for the sale, like a referral program. Look at more than one site, read multiple reviews, and if possible, go to the actual store to see the quality of a product.
Stay on the NICE list. Make a budget and stick with it. You don’t need to overspend to impress. It’s only a good deal if you need it.
Get started on next year’s list. After holiday sales are a great time to stock up for next year’s gift-giving, but again, only if it is something that you can actually gift and not just an item that you will store away because it is a great price.
WinRAR, a Windows data compression tool that focuses on the RAR and ZIP data compression formats for all Windows users (win-rar.com), recently announced that it had patched a 19-year-old security vulnerability that allowed cyber attackers to install malicious files on users’ hard drives. The problem many users will face is that the software does not auto-update so they will need to go through the manual update process to ensure their computer is no longer exposed to the security vulnerability.
What Should I Do?
Databranch recommends users uninstall WinRAR from their systems. WinRAR used to be needed to create and extract zip folders, but that function is now built into the Windows operating system.
How Do I Uninstall WinRAR?
Find the Control Panel in your Windows Explorer.
Click on Programs & Features
Select WinRAR and Press Uninstall Program
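A scripted version of the same check, added here as an example (not a Databranch script): it reads the Programs & Features entries from the registry, reports any WinRAR installation and its version, and only removes it when run with -Remove. It assumes an elevated PowerShell session and leaves the uninstaller's silent switch, which WinRAR's own documentation would have to confirm, to the caller.

```powershell
# Added example: inventory (and optionally remove) WinRAR from the same
# Programs & Features data the Control Panel shows, read from the registry.
# Assumptions: elevated session; any silent switch is supplied by the caller.
param(
    [switch]$Remove,             # without this switch the script only reports
    [string]$SilentSwitch = ''   # vendor-documented silent flag, if you have verified one
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Collect every Programs & Features entry whose display name starts with WinRAR.
$found = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.DisplayName -like 'WinRAR*') {
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                UninstallString = $p.UninstallString
                RegistryKey     = $_.PSPath
            }
        }
    }
}

if (-not $found) {
    Write-Output "$env:COMPUTERNAME: WinRAR is not installed."
    return
}

$found | Format-Table Name, Version, UninstallString -AutoSize

if ($Remove) {
    foreach ($entry in $found) {
        if (-not $entry.UninstallString) { continue }
        # The registry value is what Control Panel itself runs. WinRAR registers a
        # bare executable path; MSI-style strings with arguments would need splitting.
        $exe = $entry.UninstallString.Trim('"')
        Write-Output "Uninstalling $($entry.Name) $($entry.Version) via $exe"
        $startArgs = @{ FilePath = $exe; Wait = $true; PassThru = $true }
        if ($SilentSwitch) { $startArgs.ArgumentList = $SilentSwitch }
        $proc = Start-Process @startArgs
        Write-Output "Uninstaller exit code: $($proc.ExitCode)"
    }
}
```

Run it without switches first on one machine to confirm what it finds before pushing the -Remove form out through your RMM tool.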
How Do I Find Out About Vulnerabilities Like This Sooner and Protect My Business From Being Affected By Cybercrime?
Databranch offers managed service plans to proactively monitor, detect, and remediate identified security vulnerabilities like this. We were able to remove this program from our managed client’s machines as soon as it became a known issue and our clients were able to continue working without interruption.
To learn more about becoming a Databranch Managed Services client, call 716-373-4467, email firstname.lastname@example.org, or fill out the form below to get started!
Phishing continues to be a top exploit for small business breaches, and companies should take notice. Of the 360,000 spear phishing email attacks examined over a three-month period, the most common types were brand impersonation (83%) and business email compromise (11%). Such breaches can be leveraged to steal payment and personal information.
Here are some best practices for protecting your business:
1) Take advantage of AI
2) Don’t rely solely on traditional security
3) Deploy account-takeover protection
4) Use multi-factor authentication
5) Conduct proactive investigations
6) Train staffers to recognize and report cyber-attacks
7) Maximize data-loss prevention
Call 716-373-4467 x 15 to review with a Databranch Security Expert!
An article published this week by the former CIO of the New York City Law Department (which is also the world’s largest public sector law firm, fun fact) discusses the best ways to avoid ransomware. In the article he discussed 3 key points:
Cyber Hygiene: This is an obvious one but cannot be overstated! Passwords must be changed regularly, and everyone must remain vigilant while browsing their inbox.
Best practices: In this context, best practices cover updating existing technology, using preventative technologies, and communication. Put a priority on pushing out patches; use cloud web application firewalls and credential monitoring to stay a step ahead with preventative technology; and communicate with your security team and employees about what they should be doing as individuals and as a team.
Testing disaster recovery plans: This point is self-explanatory: you need a test to see if your backup plans work. You wouldn’t leave the fire alarms untested!
With ransomware being seen all over the world from Atlanta to Moscow to Sydney, it is something every business should take into account.
Request your free security risk assessment and consultation with a Databranch Security Expert here:
1) In 2013, 37 critical updates were released for Windows 2003. As of July 14, 2015, no new updates will be released for Windows Server 2003 and Windows Small Business Server 2003.
2) Unsupported products are more likely to be attacked by malicious parties, which may increase the cyber security risk to your business.
3) Payment processors may not do business with you if your payments are going through an unsupported server. Your business may not pass a business audit if you do not transition from unsupported software.
4) An average security breach costs an SMB $50,000. Running unsupported software and old hardware can be more expensive than upgrading to a modern technology platform.
5) Improved performance, simplified management, and more affordable storage choices.
Our July Client of the Month is Jackie Gregg, Controller at Control Chief, a manufacturer of industrial crane remote control and locomotive remote control solutions. We have had the pleasure of working with Jackie since the early days of Databranch and have enjoyed partnering with Control Chief for their IT needs since 2009. Our mission is to help our clients succeed through effective planning, implementation and management of their technology and as Jackie says in the video below, “What do I have? I have peace of mind. I can go on vacation for a week and know that my servers are going to run and my people are going to keep working. If there’s a problem all I have to do is pick up the phone and I’m going to have someone here onsite with the problem fixed and that’s well worth the price we pay you every month. Would I recommend Databranch? Highly.”
Recently, a few of our Office 365 Exchange Online clients have been receiving correspondence from Microsoft concerning the version of Outlook they are using. The message is that Outlook 2007 and 2010 are out of mainstream support and their users might start experiencing reduced functionality. In this post, I’ll answer the two biggest questions we have been receiving from our clients: “What does this mean for me?” and “What do you recommend I do?”
What does the end of mainstream support for Outlook 2010 mean for my organization?
In general, Microsoft products move through two levels of end of support: End of Mainstream Support and End of Extended Support. When a product reaches the end of mainstream support, Microsoft no longer releases non-security updates or new software design changes. The program still functions and is not a security risk to your network, since Microsoft keeps releasing security fixes until the End of Extended Support date. Because no new features are added, however, the software may become less compatible with newer programs such as Office 365 Exchange Online, which is constantly updated and improved to provide the highest level of service to subscription customers. This is why Microsoft is urging clients using its hosted email platform to upgrade their Outlook clients. You will still be able to use Office 365 and connect to the platform for email, but your experience will diminish over time, and Microsoft won’t provide code fixes for non-security-related problems.
What does Databranch recommend our clients to do?
We recommend that organizations start upgrading their Outlook to a client that is still in Mainstream Support like Outlook 2013 or 2016 or start budgeting for Office upgrades. Like Windows 7, Outlook 2010 will be in Extended Support until 2020 and all users will want to be upgraded prior to the end of support date in October of that year.
Is your organization looking to migrate your email platform to Office 365? Databranch is a Microsoft Certified Silver Small and Midmarket Cloud Solutions Provider and is ready to assist with your migration. A Databranch Cloud Solutions specialist can be reached at 716-373-4467 ext. 15, email@example.com, or click here to get started.
Small businesses are under attack. Right now, extremely dangerous and well-funded cybercrime rings in China, Russia and the Ukraine are using sophisticated software systems to hack into thousands of small businesses to steal credit cards, client information, and swindle money directly out of your bank account. Some are even being funded by their own government to attack small, virtually defenseless businesses.
Don’t think you’re in danger because you’re “small” and not a big target like a Target or Home Depot? Think again. 82,000 NEW malware threats are being released every single day and HALF of the cyber-attacks occurring are aimed at small businesses; you just don’t hear about it because it’s kept quiet for fear of attracting bad PR, lawsuits, data-breach fines and out of sheer embarrassment.
In fact, the National Cyber Security Alliance reports that one in five small businesses have been victims of cybercrime in the last year – and that number is growing rapidly as more businesses utilized cloud computing, mobile devices and store more information online. Quite simply, most small businesses are low-hanging fruit to hackers due to their lack of adequate security systems.
As a local IT support company, we work day and night to protect our clients from these attacks, and unfortunately we see, on a regular basis, hardworking entrepreneurs being financially devastated by these lawless scumbags. We are determined to WARN as many businesses as possible of the VERY REAL threats facing their organization so they have a chance to protect themselves and everything they’ve worked so hard to achieve.
Free Report Reveals The Critical Protections Small Businesses Need Today
We want to do everything that we can to stop cybercrime, so we have put together a FREE Executive Report titled “7 Urgent Security Protections Every Business Should Have In Place Now” that we have made available at no charge here on our website at www.databranch.com/sittingduck.
Today we’re launching a new monthly series on the blog called “Ask a Databranch Engineer”. During these posts we’ll compile frequently asked questions from our clients and answer your top questions about information technology in the workplace.
Anyone who watches the news has become all too familiar with this headline, “Data Breach at Company X”. From Target to the FBI, personal identifying information is being exposed at a rapid rate and a top question from our clients is, “What is one thing I can do as a small business to protect my organization’s valuable company data?” Here’s what our team had to say:
Aaron Duell (Systems Engineer): “If you’re not expecting an email and you don’t know the sender, don’t open the email!”
Jason Aderman (Systems Engineer): “Set up a password-protected screen saver. Users should never step away from their computer without locking their desktop, and if you do happen to leave your computer unattended, an automated screen saver with a password will ensure your computer is protected.”
Matt Hillman (Senior Systems Engineer): “I would rate the need for a complex password as a high security priority. Too many times we find the password is “password”, or the name of the person’s pet, or worse yet, written down right at their desk! A password should be at least 8 characters long, include a combination of upper case, lower case, and numbers, should not be a word easily identified in the dictionary, and is not a variation of the user’s name. Best practice now is to also include spaces and create a phrase, rather than use a single word. Recent operating systems require more complex passwords, but applying these basic rules will make it even more difficult for someone with malicious intent to guess a user’s password. And, it seems to be common sense, but a password should never be shared!”
David Prince (President): “If you get an email with an attachment (.doc, .pdf, etc.) be very careful and suspicious. If it appears to come from someone you know, I recommend contacting the sender to confirm they sent you an email with an attachment.”
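A checker for the password rules Matt lists above, added here as an example (not Databranch's code): it enforces the length and character-class rules, rejects a single dictionary word or a variation of the user's name, and allows a multi-word phrase. It goes beyond the quote by normalising common letter/digit substitutions before the dictionary and name checks; the word list and sample passwords are constructed.

```powershell
# Added example: validate a candidate password against the rules quoted above.
# The $Dictionary default is a constructed stand-in for a real word list.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$Dictionary = @('password', 'welcome', 'summer', 'fluffy', 'letmein')
    )
    $failures = @()

    # Length and character classes: at least 8, upper, lower, and a digit.
    if ($Password.Length -lt 8)       { $failures += 'shorter than 8 characters' }
    if ($Password -cnotmatch '[A-Z]') { $failures += 'no upper-case letter' }
    if ($Password -cnotmatch '[a-z]') { $failures += 'no lower-case letter' }
    if ($Password -notmatch '[0-9]')  { $failures += 'no digit' }

    # Normalise common swaps so "P@ssw0rd" is still recognised as "password"
    # (an addition beyond the quoted rules), then keep only letters and spaces.
    $normalised = $Password.ToLowerInvariant()
    $normalised = $normalised -replace '[@4]', 'a' -replace '0', 'o' -replace '[1!|]', 'i' -replace '3', 'e' -replace '[$5]', 's' -replace '7', 't'
    $lettersOnly = ($normalised -replace '[^a-z ]', '').Trim()

    # "Not a word easily identified in the dictionary": reject a single dictionary
    # word, but allow a phrase of several words, as the quote recommends.
    $words = $lettersOnly -split '\s+' | Where-Object { $_ }
    if ($words.Count -le 1 -and $Dictionary -contains $lettersOnly) {
        $failures += 'single dictionary word'
    }

    # "Not a variation of the user's name": any name part of 3+ letters found inside.
    $nameParts = ($UserName.ToLowerInvariant() -split '[^a-z]+') | Where-Object { $_.Length -ge 3 }
    foreach ($part in $nameParts) {
        if ($lettersOnly -like "*$part*") {
            $failures += "contains user name part '$part'"
            break
        }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = $failures
    }
}

# Constructed sample inputs for a hypothetical user "matt.hillman":
# the first three fail (dictionary word, disguised dictionary word, name variation),
# the passphrase passes.
'password', 'P@ssw0rd', 'Hillman2024', 'Tr1ck7 Blue Kettle' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -UserName 'matt.hillman' } |
    Format-Table Password, Passes, Failures -AutoSize
```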
Have a technology question you’ve always wanted answered? Reach out to Amanda Lasky at 716-373-4467 ext. 15 or firstname.lastname@example.org.
Next month our engineers will be answering the following questions, “Should I turn my computer off when I leave the office at night?” and “How can I be sure my data is protected in the cloud?”, as well as any other questions we receive in February.