Third party VPN services do not secure your data.  They may provide an additional brick in your security bunker but they are not the invisibility cloak they claim to be and in some cases they may actually do more harm than good.  For starters, who is your third party VPN service provider?  Are they trustworthy?  Are they subject to US or EU privacy laws?  Or, did you just decided to pipe 100% of your data through an unknown third party?

Three very popular third party VPN service providers, NordVPN, VikingVPN, and TorGuard, were recently breached due in part to poor security practices that resulted in leaked expired TLS (encryption) keys.  Now users of these services may be sharing their data with an unknown criminal instead of the third party service provider.

Just like all security measures, they are only as good as the weakest link.  Businesses and individuals need to discover their vulnerabilities, prioritize their vulnerabilities, and then systematically work to layer security to mitigate the risk.  Start by securing corporate networks with a good Unified Threat Management (UTM) appliance, making sure 100% of your devices have good business class endpoint protection software that is automatically updated, patch all of your hardware and software on a routine basis, BACK UP YOUR DATA, implement phishing prevention measures, and TRAIN YOUR PEOPLE.  This is just a start.  If you don’t know how to do this, put something in your budget to work with someone who can help and get started on the path to better security.

– Go West IT

Today the FBI issued a renewed Public Service Announcement (PSA) warning to businesses regarding cyber crime, and more specifically ransomware risk.  If you are not taking action, you are going backward.  All businesses should be regularly reviewing their cybersecurity posture and seeking to make incremental improvements.  Start making improvements today and use the FBI’s PSA as a blueprint.

The PSA can be found at https://www.ic3.gov/media/2019/191002.aspx.

Cyber defense best practices include:

  • Regularly back up your data and verify backup integrity.
  • Focus on awareness and training for employees.
  • Patch your operating systems, software, and firmware on devices.
  • Ensure antivirus and anti-malware is in use on all devices and routinely updated.
  • Implement access controls to limit access based on the principle of least access required to limit potential impact/spread of an attack.

More best practices are listed in the FBI’s PSA. Go West IT helps businesses do all of these things and more every day.  The choice is yours, stand still and go backward or choose to mitigate the known risk to your business.

Please reach out to Go West IT if you have any concerns for your business.

– Go West IT

I’m often contacted by CEOs or managers after a business experiences a cyber incident that results in real damages. After describing the event, they often ask if they should fire an employee who fell victim to a social engineering attack (vishing, phishing, credential harvesting…).  In most cases the answer is a resounding NO! First, the business just spent the amount of the loss training the individual because that person will never again fall for the same type of attack. Second, it is HIGHLY likely that the manager and/or company failed this individual by not implementing the proper controls and providing the proper training to prevent the breach in the first place. Third, if you do fire the employee, they will likely go to a competitor who will be happy to have a good employee who is more savvy than most about cyber risk.

If you own a business or have responsibility for managing business risk you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. It’s on you! It is likely that you’ve delegated responsibility for IT support and cyber security, but you are the leader and you are responsible for defining your expectations and supporting the initiatives to implement controls, procedures, and training. If you haven’t implemented controls and trained your people, it’s on you. Don’t fire the employee who fell victim to an attack. Step up and protect your employees.

– David Lewien, President

 

I really hate hearing from customers and prospective customers that we were right and that they wish they had taken our advice to harden their systems and implement tighter security controls before their breach. Feedback from customers suggests the inconvenience of implementing additional controls is often what keeps them from taking action as opposed to the cost, which is negligible for some of the most effective controls like Multi-Factor Authentication (MFA). If you think the controls are inconvenient, you should spend some time visiting with someone who has been through a breach.

The most likely cyber-attack a small business will experience is an email breach which quickly lead to real payment fraud losses, reputational damage, and compliance risk. Once a criminal organization (yes, there are organizations attacking your small business) has success breaching one email account, you can expect the attacks to increase in volume and sophistication. Businesses can dramatically reduce email breach risk with relatively little cost and yes, some minor inconvenience.

Take the Next Steps

If you own a business or have are responsible for managing business risk, you need to take steps to protect your business, your shareholders, your employees, your vendors, and most importantly your customers. You must take action to implement additional controls. Start by asking your IT professionals to implement controls for yourself so you can understand first-hand how the controls protect your business and the level of inconvenience the controls may cause. This puts you in the best position possible to make informed decisions about how to protect your business and champion initiatives to tighten controls.

If you’ve done nothing to date, start with implementing MFA for your business email and then work with an IT professional to constantly review and improve security controls around all your systems and data.

I’m right and I hope I never have to tell you “I told you so”.

Your business is vulnerable to cybercriminals, period. So, workforce security should be top of mind for you and your business.

Workforce security matters

The truth is that no business is fully “secure”. Rather, businesses assume various amounts of acceptable risk. Your responsibility is to figure out where your organization lies on the workforce security spectrum, how much cyber risk you are willing to comfortably assume, and continually act to reduce your risk to those levels.

We understand that most businesses, especially SMB’s, can’t and won’t do everything their IT provider may recommend. This is true for a myriad of reasons including operational efficiency, timing, focus on your core business, and of course budget considerations. We also believe that most businesses do not realize the amount of risk which they currently assume. If you did, you would likely already be doing more!

To this end, Go West IT has developed our “Top Ten Task to Mitigate Cyber Risk”

Review your workforce security posture with your current IT provider and discuss how to implement the next best thing you can do to reduce your risk (HINT: If you’ve done nothing to date, start with backups, patching, and multi-factor authentication). If you need help please give us a shout, our experts will help you recognize, plan, and take the steps to mitigate your risk.

Understand where you are today… know where you want to be tomorrow… build the roadmap to get you there. You can reduce your risk, get started today! Give us a call, email us, or contact our support. You can get secured today! You can check out more about our Go Managed Security Plans here. If you have any questions, please reach out to us.

David Lewien
President, Go West IT

Download the PDF: Top Ten Tasks to Mitigate Cyber Risk
303-795-2200
info@gowestit.com
www.gowestit.com

Go West is providing this security alert as a cautionary measure for users with a consumer grade router or network attached storage device at their home or small business.  Due to a recent malware attack known as VPNFilter, the FBI and US-CERT are encouraging users with home devices from Linksys, MikroTik, NetGear, TP-Link and QNAP to reboot the device.  Users should also ensure device firmware is up-to-date and change passwords on these devices.

What Is It
VPNFilter targets small home and office routers and network attached storage devices.  Once infected, the device allows criminals the ability to launch further attacks, collect personal website information, block network traffic, or they can render the device completely unusable.

Official US-CERT alert statement: https://www.us-cert.gov/ncas/alerts/TA18-145A

Manufacturers LinksysMikroTikNetgearQNAP and TP-Link have posted instructions for users to follow to update their device software.

How Does It Impact Me
There is very little risk associated with this malware attack for commercial organizations utilizing business grade devices.  However, it is vital that organizations be aware of the vulnerability for remote users connecting from a home office.  Those users are more likely to be using a consumer grade router and should follow the recommended procedures.

If you have concerns or questions regarding a potential consumer grade router at your business please reach out to Go West support at support@gowestit.com.

I recall a time when IT professionals adopted the “if it’s not broken, don’t fix it” approach to patching. To be sure, there was a time when patching firmware and software might have introduced more problems. That time is long gone. Aggressive patching is the new normal. Gone too are the days when a diligent IT person might go around to all the computers, servers, firewalls, switches, and other network attached devices and get them patched. That manual approach is no longer feasible and adhering to a manual patching plan is foolish. The nature of the modern cybersecurity landscape requires a platform which identifies patches that are needed, facilitates automated patching, and provides reporting & alerting to uncover anomalies.

Look no further than the Intel chip security vulnerabilities (Meltdown & Spectre) publicized this first week of 2018 for evidence of this new norm. When Operating System patches are released to mitigate this newly divulged flaw it will be critical that the patches are applied as quickly as possible.

Go West IT offers managed service plans that utilize state of the art remote monitoring and management platforms designed to keep systems updated and rapidly apply patches when new vulnerabilities are divulged. Stand on our shoulders and use the systems we have already built to keep your business ahead of the curve. Please contact us today at 303.795.2200 or info@gowestit.com.

David Lewien – President