By: Jake Schulte, IT Manager

This week Microsoft detected multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.

Before panic sets in, it’s important to note that Exchange Online is not affected.  If you’re currently using Microsoft 365 services through Networks Plus and using Exchange Online – no action is needed.

Microsoft released patches for multiple on-premises Microsoft Exchange Server zero-day vulnerabilities being exploited by a nation-state affiliated group. The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019.

To minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments.  To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.

Microsoft published a blog providing an overview of the attack and a link to the security updates that were released. You can view that information here: Microsoft Blog – New nation-state cyberattacks. 

A record number of businesses said goodbye to the traditional in-office work model in 2020. They embraced the remote work model as they adapted to the new COVID-19 reality. It was a huge shift that came with many challenges, and some of those challenges are still felt today.

One of those challenges was – and is – cyber security. Businesses wanted to get their remote workforce up and running, but there were a lot of questions about how they would keep their newly remote employees secure.

So, how can you enable remote work while keeping your business and your employees secure? How do you keep cybercriminals out? The answer is multifaceted. There is no one-size-fits-all approach to cyber security — that would make things much easier! But there are several steps you can take to help your remote team stay productive while keeping the cybercriminals out. Here are three things you need to do:

1. Skip the public WiFi. This is Cyber Security 101. Never use unsecured, public WiFi, especially when working. For remote employees who have the option to work from anywhere, using public WiFi is tempting. It’s just so easy to access, but it comes with huge risks, including the potential to expose your device to intruders.
   Thankfully, there are plenty of options to help keep employees connected without having to worry about snoops. The most popular is the VPN, or virtual private network. VPNs allow remote workers to securely access the Internet, even through public WiFi. VPNs are ideal for remote workers who need to routinely access your network.
   Another option is the personal hotspot. This is a portable WiFi access point, usually paired with data service through a telecom like Verizon, AT&T or T-Mobile. It gives remote workers flexibility to work anywhere they can get high-speed data service. Because the remote worker is the only person on the hotspot (and should be the only person), there is less worry about hackers snooping for your data.
2. Have a strong device policy. When it comes to cost-cutting, it can be appealing to let employees use their own devices while working remotely. Avoid this, if possible. The bring-your-own-device (BYOD) approach has its benefits, including keeping costs down, but the security costs could be massive, especially if an employee gets hacked or misplaces crucial data. In short, BYOD can get complicated fast, especially for businesses unfamiliar with the BYOD approach.
   That said, many businesses work with an IT services company or managed services provider to create a list of approved devices (PCs, laptops, tablets, smartphones, etc.) that employees can use. Then those devices are loaded up with malware protection, a VPN, and other security solutions. So, while employees may be using a variety of devices, they all have the same security and other necessary software in order to perform their duties.
   The best device policy, however, is to provide employees with work devices. This ensures that everyone is using the same hardware and software, and this makes it much easier to keep everyone up-to-date and secure. It takes a little more effort logistically, and it has a higher up-front cost, but when it comes to keeping your business secure, it’s worth it.
3. Don’t forget about physical security. While a lot of businesses are focusing on digital security right now, they’re not putting a similar focus on physical security. They may have a team of people working remotely spread across different neighborhoods, towns, states or countries. This mobility comes with the risk of device theft or loss.
   If employees will be carrying their work devices with them for any reason, those devices should be kept nearby at all times. That means never leaving work devices in vehicles or unattended at a café or airport (or any location). Never leave a device where it has the potential to be taken.
   It’s also important to remind employees to not only keep their doors locked but also keep work devices out of sight. You wouldn’t want to set up a home office in a room facing the street outside while leaving the windows open and the door unlocked, because you never know who may walk or drive by. Just as cybercriminals are always looking for ways to break into your network, criminals are looking for opportunities to walk away with high-value items.

The way we work is changing, so we must be prepared for whatever happens next. Implementing these three steps will give you a starting point, but they aren’t the end point. Work with an experienced MSP to get the most out of your remote work approach. Many businesses will not be returning to the traditional in-office model, so the more steps we take to secure our businesses and our remote teams, the better off we’ll all be.

By: Paul Facey, Managed Services/Advanced IT Technician

It’s that time of year where many of us are working on building new habits, getting organized, and starting the New Year off on the right foot. If you are looking to clear out clutter in the new year, we urge you to look beyond what is filling up your cabinet spaces. Clutter in your network could cause you some serious vulnerabilities, especially when it comes to expired user and PC accounts.

So, what are the risks associated with not disabling or removing expired accounts? Let’s first dig into the basics:

What is considered an “account”?

An account is generally a paired set of information (usually an ID and password) that is used to control access to something. For our purposes, it gains access to data in an organization. Most users are aware of user accounts. What users may not be aware of is that not only do users have accounts, but the PCs they are working on have additional accounts as well (this is especially true in an Active Directory Environment). When a computer is functioning in an Active Directory environment it is constantly verifying itself to domain controllers (servers) just like users do to ensure it has permission to access data and resources.

Why is this important?

Account maintenance is an often-overlooked part of organizational health and maintenance that can lead to data breaches. If a user leaves an organization, or a system has retired the accounts for that user, the system should be disabled or deleted as well. If those accounts are left active, that is an easy opportunity for an attacker to try and compromise those accounts and gain access to company data. Attackers can have “all the time in the world” to try and compromise these accounts as they are no longer in use and can go unnoticed for extended periods of time.

How do we prevent or limit this?

1. Physical account management when a user departs or a system is replaced. The account should either be disabled or deleted at this time. For users it is recommended they be disabled and moved to an isolated “no-permissions group” for a period of time, then deleted once it is confirmed the account no longer contains any useful data.
2. To protect the organization, the administrators or IT team should be conducting periodic audits of all accounts (user and system accounts) to identify old or stale (not frequently used) accounts to determine if they should be disabled or deleted.
3. Account policies should be deployed that enforce password age, account lockout, and other security features. This ensures that even if an account is forgotten, it can no longer be accessed after a set amount of time. This way, if an attacker is attempting to compromise an account they will be locked out after a set number of attempts. This is a recommended practice for active accounts as well.

Account management is only one piece in the overall goal of protecting your organization and data, but a vital one. Each organization should define its needs and security goals, then implement the action steps whenever possible. The Networks Plus Team is standing by to assist your organization in evaluating and implementing these measures, and to help make your organization and data as safe and protected as possible.

Want to read more on this topic? Paul recommends you check out this article from InfoSecurity Magazine.

By: Jerry Horton, IT Director

“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”  -Bruce Schneier

Bruce Schneier is a guy you should listen to. He is widely recognized as a cybersecurity expert, wrote the book on cryptography, and is a respected thought leader about digital privacy and the surveillance economy. While I don’t entirely agree with Bruce here – I think defense and prevention to some degree is possible – the final sentence of this quote should be everyone’s focus. Detection and Response are key to minimizing the effects of all cybersecurity incidents. That being said, all of the detection and response in the world aren’t worth much if you don’t do basic prevention/defense strategies. Installing a great intrusion detection system in your office won’t yield results you intended if you don’t first prevent intrusions by locking the doors.

Last month, this blog (read it here) focused on the fact that a cybersecurity incident (or more than one…) is inevitable and began building the foundational elements for good cybersecurity. As a quick recap, you should:

• Change your mindset
• Stop being your own worst cyber-enemy
• Figure out what to protect and what to protect against
• Practice good basic cyber-hygiene, including passwords, patches, least privilege, and touching on backups

This month, we are digging into the basic elements you need to help you do the best detection and response for your business. Next month we will explore security without boundaries, such as work-from-home and a mobile workforce.

Let’s get started!

From this point forward, the assumption is that you have put all of the steps from the first blog into place. If you haven’t yet, go back, re-read that blog, and finish checking those boxes. That being said, you can implement them at the same time you start working through this section, but it is a lot easier if all of the simple things are done first.

Lock the outer doors

The first thing to talk about is the perimeter of your business. In a brick-and-mortar facility, you have doors for both staff and customers. Each of these doors will be treated very differently. Areas for inventory, offices, or workspace are restricted for staff members that have been assigned access, perhaps using a physical key or code, but that door will remain locked 24×7 as it is only intended for authorized personnel; the public entrances are a different matter. Such entrances will need to be open during business hours and locked outside of them. Sounds obvious, right?

Think of your network as the digital brick-and-mortar building. You have areas where only employees should be able to operate, but you still have email servers or websites which the public will need to access in order to communicate with you. The way you lock and monitor these digital doors is with a business-grade firewall, coupled with a secured wireless network.

By default, a firewall is effectively a one-way door, allowing authorized traffic out and blocking all entry attempts by unauthorized traffic. You need to add specially locked ‘doors’ to allow staff members in when they aren’t physically in the building through a Virtual Private Network (VPN) and some doors that allow certain types of traffic to communicate with your email or web servers. Add a firewall for inbound and outbound traffic and you have a top notch first line of defense.

A business-grade firewall is the first technical control you have to put into place. While it may seem that a consumer-grade router, like the one you have at your home, will do the same job, let me assure they do not. Comparing the two in sports terms, the consumer-grade router is a weekend ball player and a business-grade firewall is an Olympic level athlete. Put another way, using a consumer-grade router in your business is like locking your doors with Velcro strips – sure, it will keep the door closed, but they easy to open.

Lock the inner doors

Now that you have traffic controls in and out of your digital building, think about how best to protect each area. You may have traffic flowing freely between areas, but you still need to know who is going where, when they go there, and what transpires. In a brick-and-mortar building, that means adding additional locks for secure areas, putting in video cameras to watch traffic, or even putting RFID tags on equipment or inventory so you can track it more efficiently.

Your digital building has a lot more openings than your physical one. Each and every workstation, laptop, server, or smart device is a door for the cybercriminals to try to open. Patching, which we talked about last month, is only the first step. You need to have robust protection on every one of these devices, which is an advanced endpoint solution. An advanced endpoint protection product needs to have some of features of traditional anti-malware, but it needs to go much further. New versions of ransomware and other malware are created at far too fast a pace for traditional methods alone to completely protect your environment. A solution that can look at the behavior of your machines and the software on them, make intelligent decisions, block potential malicious actions and record an audit trail of the incident is what is required.

But wait – there’s more!

Lock your inner doors – Part II

If you followed the advice I’ve given so far, there is one more thing that will make cybercriminals give up in disgust – Encryption. There is no slick building metaphor I can think of here, so this is straight up geek stuff…

You’ve probably seen movies where a villain steals digital data and brilliantly cracks the encryption in the nick of time using nothing more than a beefy laptop, chewing gum, and grim purpose. While encryption is crackable, it is also really, really hard to crack, even with the right tools.

You need to protect your data with encryption both in-transit (while it is moving from one location to another, both inside and outside of your network) and at-rest (when it is just sitting around on a hard drive, not doing much of anything.) The ability to encrypt your data is built into the Windows operating systems and so is easy to implement.

Get Virtual Security Guards

Okay, you made the perimeter and offices of your digital building as tightly locked as you can, so you are done, right? Not at all! The time has come to put a few more elements in place to detect and respond to events that will occur. Think of these as the security guards.

Email Security Gateway

Since the vast majority of cyberattacks begin with phishing emails, this is a critical element. An email security gateway acts as that security guard sitting at the desk who only allows authorized traffic and blocks all other attempts to enter or exit the building. A well-designed email security gateway will do that job and more; including blocking spam, checking every URL in an email, preventing spoofed emails, and checking outbound emails to make sure you aren’t sending credit cards or Social Security Numbers.

File Integrity Monitoring

You have your files stored, secured, and encrypted – all snuggled down and safe, correct? Not entirely. How can you be certain this is the exact same file with all of the exact same attributes you stored away? There are thousands of files on your computer before you even turn it on for the first time. The system files are critical to keeping your machine running and secure. These system files will be updated with patches and others are dependent on dynamic content that is specific to the user and the machine. Add the files created or installed when you add applications or hardware, your files, and it is safe to say that there is no practical way for you to determine what might have been modified. Enter File Integrity Monitoring: an automated method of tracking changes made in your system with a complete audit trail of what occurred, when it happened, and who did it. Detection accomplished and responses made quicker and simpler.

System Logging and Auditing

Since your digital building consists of many machines and traffic going every direction, you would be hard pressed to constantly review the logs of all of the machines, firewall rules, file changes, logon/logoff, emails, print jobs, etc. Those logs are generated on every machine all day long. Trying to find an indication that a bad guy was attempting something nefarious would be essentially impossible, especially if the logs are not centralized and filtered to only show critical or suspicious events. This is why Security Incident Event Manager (SIEM) was invented. Needless to say, having all of these logs collated, tagged, and sorted by importance means auditing those records becomes significantly less painful.

Implementing a SIEM is a pretty advanced and expensive step for most organizations, but also the most advanced best practice in cybersecurity.

Get Smart!

No, we aren’t bringing in references to a hilarious 1960’s sitcom, we are talking about building your knowledge and awareness of cybersecurity. If nothing else I have written resonates with you, this one must – you cannot neglect regular cybersecurity training for you and your staff. Our good friend, Bruce Schneier, says “The user is going to pick dancing pigs over security every time.” It is sad to say that Bruce is correct. You have to learn how to recognize social engineering and phishing attempts in order to combat the evil intentions of cybercriminals.

No matter how many technical safeguards you put in place, the bad guys will walk right in if someone holds the door for them.

Wrapping it up…for now…

“The nature of computerized systems makes it easier for the attacker to find one exploitable vulnerability in a system than for the defender to find and fix all vulnerabilities in the system.”
-Bruce Schneier

Bruce is not exactly the most optimistic voice when it comes to cybersecurity, but he is accurate. As I said at the beginning, you can and should do as much as you can to lock your doors and minimize the effect the bad guys can have when they inevitably get to you. Even if Bruce and I disagree on basic protections, we see eye to eye on the fact that we have to get everything right every time and the bad guys only have to be right once. The advantage is theirs, so let’s make sure to make it as tough for them as we can.

By: Jerry Horton, Technology Director 

Earlier this month, an estimated 2,000 people who use the popular Robinhood stock-trading app had their accounts hacked and looted. Hackers infiltrated trading information, trading account numbers, and bank account numbers.

A New York college student who uses the app said it took just minutes for $4,020 to disappear from his bank account. Another victim in Chicago said she woke up to alerts that her investments were being sold and discovered she was locked out of her account.

Robinhood claims the attack did not stem from a breach of their systems, but was due to compromised email accounts. Because the FTC and SEC will likely weigh in, we don’t have all the details on this breach just yet. We do know that Robinhood is advising clients to step up their account security. Let’s take a look at how each of us should be securing all of our digital accounts to protect ourselves from a cyber-attack. 

Improve Your Cyber Hygiene

Cyber hygiene refers to steps taken to improve cybersecurity and prevent common threats. Here are a few of those key steps that will help strengthen your defenses online. 

1. Password Discipline 
   • The average online user has somewhere in the vicinity of 130 digital identities. I’d be willing to bet you aren’t using a unique password for each one. When it comes to passwords, length is far more important than complexity. So, to follow this rule and remember your passwords, use a passphrase (i.e. I’m dreaming of a white Christmas). This is easy for you to remember and difficult for others to figure out. From a password cracking ability, brute-forcing is almost impossible. (A brute force attack is when a hacker submits many passwords or phrases, hoping to eventually guess correctly. The longer the password, the more combinations they need to test to guess correctly. More than 15 characters is virtually impossible to guess.)  
   • To make things even more difficult for them, don’t use the same username (especially email) for every account. This is true for business and personal accounts. 
   • Pro Tip: Password managers can randomize passwords for your accounts. In addition, if you pay for a good one, you can set up a rescue account, which allows a person of your choosing to have your passwords in case something were to happen to you. 
2. Turn on multi-factor authentication (MFA) 
   • When you have the option, turn it on. In fact, as part of their efforts to encourage clients to step up account security, Robinhood is suggesting all users now turn on multi-factor authentication. MFA considers 2 or more of 4 factors: something you have (i.e. a token: one-time password, authentication app push notification, etc.); something you know (password); something you are (i.e. thumbprint, facial recognition, retina scan); or somewhere you are (geolocation). 
   • Pro Tip: When it comes to using a token for multi-factor authentication, using an app that sends you push notifications for approval authentication is more secure than using a one-time password. 
3. Keep track of your records, especially when it comes to finances 
   • Look at transaction logs. Check your credit report occasionally. Check your email on a regular basis for unusual traffic. Make sure that if you have signed up for something you’re not using anymore, you disable or delete that account. In order to be successful as an identity thief, the cybercriminal only needs one entry point. Do not leave any “entry points” hanging out in the cyber world unmonitored. 
   • Even if you take all these steps and sew everything you have up tightly, that doesn’t mean someone can’t come in through a backdoor and wreck your account. It happens. But, taking all the precautions you can will help minimize your odds of becoming a victim, and help minimize the damage if you do become one. 
   • Cyber breaches have become a real problem as we have moved toward software–as–a–service and cloud-based services. Most of it is due to people not turning on two-factor authentication. When you realize what bad people can do with information that you have unintentionally left out there to be found, they can wreck your business, drain your bank account, file for loans as you… the possibilities are literally endless. Yes, companies have a responsibility to secure their systems, but we as consumers have a responsibility to track and secure our information. 

Part One of a three-part series on Best Practices for Keeping Company Data Secure 

By: Jerry Horton, IT Director 

“One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”
―Stephane Nappo, Global Head of Information Security, Société Générale 

Over the last several years, I have written many blogs, presentations, and articles regarding cybersecurity. In each of them, I have stressed that modern businesses live or die based on the digital records we keep and that cybercriminals really are out to get you, one way or another. As you can see from the above quote, cybersecurity is still the topic and I very much agree with Stephane – we have to fix the basics and protect what matters most. 

This three-part series will look like this:  

• Part 1: We will explore this topic again from the viewpoint of getting those basics covered. 
• Part 2: We will move to building up from your foundational basics into more robust defense in depth.  
• Part 3: We will discuss how to address security without boundaries, such as work-from-home and a mobile workforce.  

Laying your security foundation 

It may come as surprise, but the very first brick of the security foundation doesn’t involve technical geegaws, doodads, or wizardry; it is about changing your way of thinking. I cannot count the times I’ve heard phrases such as, “No one cares about hacking my systems” or “I don’t have anything worth taking” or “We are too small of a target”. Let me be perfectly clear – those sentiments are dead wrong. Even if the typical cybercriminal may not be all that interested in your inventory lists, marketing material, current orders and projects, or payroll information, every cybercriminal understands a brutally simple truth: they know that every bit and bite of that information has value to you. Furthermore, they know that you will pay handsomely to get that data back should something happen to it. This is exactly the reason for ransomware going from a brand new phenomenon in 1989 to a $20 billion-dollar criminal enterprise in 2021. Since virtually every ransomware attack begins with a phishing email or some other social engineering technique, a lack of caution or awareness on the part of a human being is directly responsible.  

Change your mindset 

At the risk of sounding like an old codger, we live in a world that is radically different than the one in which I was born and grew up. Business then was often conducted face-to-face and the transaction completed with a handshake, a result of interpersonal trust that developed naturally. Today, we frequently communicate and do business with people that we never meet in person and may, in fact, not even reside in the same hemisphere. To wax philosophic for a moment, technology that was intended to “connect us faster and more widely than ever before possible” has actually driven a wedge between us because digital identities are easily spoofed, manipulated, or manufactured out of nothing.  

What does this mean for cybersecurity and changing my mindset, you ask? Simple. The old adage of “Trust, but verify” has to change to “Trust nothing until vetted. Verify everything.” Even after you can establish a level of trust, you have to be continuously vigilant because digital identities are not 100% trustworthy and security conditions are fluid. 

I’m not recommending total paranoia, but a healthy dose of both wariness and skepticism will take you quite a way down the road toward cybersecurity. 

They really are out to get you. 

The title of this blog states it plainly – you will be hacked. Accept the fact that whether you are specifically targeted or just a chance opportunity for a cybercriminal, they will get to you. Even if your business is locked down tighter than a CDC biohazard lab, you still do business with companies like Target, Home Depot, Marriot Hotels, or Equifax. Hacked, one and all, and every one of these breaches exposed millions of records. Some of that data might be specific to you or your business. 

This is not a defeatist rant – rather see it as a wakeup call. You have to take steps in your personal life, business environment, and interactions with other companies to limit your exposure to the best of your ability. 

How to stop being your own worst cyber-enemy 

It is well-known that the weakest part of any secure system is the human, including the one looking back at you in the mirror. Trust is a deep human need – both needing to receive it and give it; however, building cybersecurity means that you have to limit trust and then constantly check to make sure that the trust given is still valid. There are behaviors that have to be deliberately modified to achieve this goal. 

In cyber-geek speak, these are known as administrative controls. This includes policies and procedures, but most importantly, it expresses the core security principles to keep your business, customers, employees, and your personal life as safe as possible by limiting what we ethical hackers call the ‘attack surface’. Here is a list of best practices you should adopt: 

• Know what you need to protect – This isn’t just about the computers on desks and servers in the data room; ask yourself: 
  • What data/systems/people/processes need to be protected? 
  • Where is it located? Is it in more than one place? 
  • Who can access it? Who requires access in order to do their jobs?
  • What is critical to keep my business operational and my customers secure? 
• Know what threats are real – It is impossible to protect against everything, so make sure you are putting your efforts and resources where they will do the most good. Spending money for hurricane insurance makes sense if you live on the Gulf Coast, but not if you are located in Arizona. On the other hand, you should spend money on an emergency generator if you have perishable inventory or operate a life critical equipment. 
  • Were you aware that your email is the easiest way for a cybercriminal to get to you? According to Verizon, 94% of all malware arrives in your inbox and phishing email is on the rise yet again. Make sure that you can tell phish from foul (couldn’t resist the pun J) by engaging in security education and phishing tests on a regular basis. 
• Practice good cyber-hygiene – Cyber-hygiene is about all of the old tropes you’ve heard a million times, but probably still aren’t doing. There is a reason you’ve heard these things a million times – these are the basics of cybersecurity. 
  • Manage your account identities – According to Dashlane, the average person has 130 accounts to track and maintain. That’s a lot… 
    • Use a password manager. Don’t be one of those people who use the exact same credentials for every account. That’s just begging for identity theft. 
    • Delete/disable unused accounts on a regular basis and limit social media accounts. Social media is free and legal intelligence gathering for cybercriminals. 
    • Use multifactor authentication (MFA) every time it is offered. If you don’t have MFA at work, especially for Office 365, get it. 
    • Keep your business and personal credentials completely separate. Cybercriminals look for the easy way into businesses and a CEO or secretary or janitor who reuses their business credentials is the easiest. 
    • Track your financial records and email accounts tied to the various accounts. The only way you will know if something is odd is to look on a regular basis.
• Principle of least privilege – Don’t give access for anything to anyone who doesn’t need it to do their job. That includes the CEO. Just like a janitor probably doesn’t need access to payroll, a CEO probably doesn’t need access to engineering plans or logins for the firewall. This isn’t just for people: don’t give machines more access or services than they need to do what they are intended. Generally speaking, a server doesn’t really need direct access to the internet and a workstation doesn’t need to share files or printers. 
• Keep things patched – The manufacturers don’t write updates because they are bored. Those updates fix tons of security vulnerabilities. The latest Microsoft ‘Patch Tuesday’ fixed 87 of them. 
• Back it up – Having known good, offline, and offsite backups are often the ‘Hail Mary’ pass that save a business from total loss and bankruptcy. I’m not talking about the ‘whenever I think about, I’ll copy this to my Google Drive’ kind of backup (boy, I really hope that isn’t your backup plan); this means you need a real backup infrastructure. If you aren’t sure what that means, stay tuned as we will go into depth in the next installment. 

And finally… 

“The five most efficient cyber defenders are: Anticipation, Education, Detection, Reaction and Resilience. Do remember: “Cybersecurity is much more than an IT topic.”
―Stephane Nappo, Global Head of Information Security, Société Générale 

Cybersecurity isn’t a buzzword to sell you goodies, nor is it a fad. It is a way of life that you have to adopt in today’s always-connected world. Our friend, Stephane, gives more great advice in this quote. Today, we’ve scratched the surface of Anticipation and Education, as well as some of the best practices of good cyber-hygiene. I look forward to sharing more with you in Part Two. In the meantime, if you have any questions or want to explore some products and services we offer to help you build your cybersecurity, please contact our Business Consulting Team.

By: Paul Facey, Advanced IT Technician

Remote work became a necessity for many businesses this year due to the COVID-19 pandemic. With much of the workforce using their own devices to do their work, many employers have taken a new look at what is known as a bring your own device (BYOD) environment. This is nothing new – some companies had already enabled a BYOD environment pre-pandemic. As it suggests, BYOD means employees are allowed to use their own devices (i.e. laptops, tablets, smartphones) for work. A BYOD Environment is a compromise between the organization’s needs, the total cost of ownership, and the risks the organization is willing to accept or mitigate.

While this is a good fit for some organizations, it is not for all. For others, a combination of the two is what works best. In any case, a good understanding of how information is secured and stored, as well as the limitations of the applications involved (not all applications support a distributed environment) is critical to developing the organizations BYOD environment, if one is possible.

What to Consider

There are benefits and challenges to going BYOD.

Pros:

1. Reduced cost to employer
2. User is familiar with the device/equipment (phone, etc)
3. Can isolate Corporate data using a Terminal or Remote Desktop Environment (RDP) if primary user portal is a web interface
4. Flexibility – employees can work from anywhere with an internet connection

Cons:

1. User-provided equipment may not meet minimum system requirements
2. Employers cannot set rules for privately owned equipment
3. Active Directory enforcement may interfere with a user’s personal preferences
4. There’s risk of mixing personal and corporate data, unless users are using RDP or Terminal Sessions (Recommended)
5. User may uninstall corporate security features provided by employer

When a company is considering implementing a BYOD policy – whether by choice or necessity, there are several items to consider:

1. How are users going to be accessing corporate data?
   • Terminal/RDP Local server (more secure)
   • Microsoft Azure Environment (many options)
   • Direct Access on Local Server (easiest for users to steal/compromise data if using BYOD)
   • Web Interface/Portal (most secure for BYOD model)
2. What are the security requirements of the data?
   • Does data need to be maintained locally?
   • Can it be maintained off site either by a vendor (Web Based Apps) or Web Storage (Azure, Amazon Web Services)?

3. How much control does the organization want over the user PCs?
   • Complete Control (user has direct access to data)
   • Minimal Control (users connect through web interfaces or terminal/RDP sessions)

4. What are the user’s applications hardware requirements?
   • General Data Entry/Web Based Apps – minimal PC requirements $
   • CAD / Drafting/Photoshop – more powerful PC requirements $$$

Risks

When users provide their own equipment, they have the right to install or remove whatever software they choose. The organization cannot control what web sites or apps employees install outside of the work environment or what external devices they connect (HDs, thumb drives, etc).

If a system becomes infected with a virus or other malicious software, how does the organization prevent the user from infecting the rest of the corporate network? Even if the organization provides the user with AntiVirus or Antimalware software, what prevents the user from uninstalling it?

How to protect your network

If an organization is using Remote Desktop Connections (RDP) or Web Based portals, the security risk to the network is greatly reduced (as is the hardware needs of the user devices). These types of connections also lend themselves to working remotely, however, the initial investment to set them up can be significantly higher. In the case of environments like Microsoft Azure, this expense is usually monthly-based as well as usage-based, so the cost can fluctuate from month to month, but resources can be allocated or reduced quickly if needed.

Networks Plus is experienced in setting up and maintaining a broad range of environment types. We support environments that are completely organization-owned, from the user PC to every Server, as well as environments where users provide their own equipment (Laptop / Desktop) and work completely remotely in a cloud-based environment. We also have experience in managing a hybrid environment of the two: some users work remotely while others are onsite using organizational equipment.  We are positioned to provide both the onsite needs of the customer as well as to deploy and support cloud-based environments through our Azure partnership.

Give us a call to talk about your needs.