Some executives at my keynote presentations say, “I wish AI would give me answers based on what is happening in our company. I would get so much better results than my generic answers now!”

Their wish is granted. Retrieval-augmented generation (RAG) means that AI can retrieve your organization’s information to provide relevant responses, including what’s happening in your organization. The process is designed to keep the information within your company and not leak it to other companies or third parties.

Some newer workplace AI assistants, like the one you may use today, look at a user’s permissions and then access documents, meeting transcriptions, and email messages that the user can access, all in real time. If you remove a file, usually within minutes, the data is no longer available for AI retrieval. The rest of this article will refer to this newer type of retrieval. If your organization uses an internal vector database to store information for AI retrieval, deleting a source file won’t automatically remove the information from AI responses until the tool explicitly refreshes its index.

But the dark side of this fantastic feature is reduced privacy. The AI tools with document or email access permissions are designed to enhance AI’s responses with information from meetings, emails you send and receive, and files you’ve saved. The AI tools examine all information, including files saved in your online storage that have accumulated over many years. If someone with the right privileges asks AI a question about a topic or person, unless you deleted all instances of the old meeting notes, email messages, files, and other sources of information, what you said in a meeting or typed into an email or a saved document might appear in the results. Angry messages, failed plans, and long-forgotten mistakes can be resurrected even though you’ve put them behind you. Undeleted inappropriate jokes a friend emailed you or private conversations with your loved ones through company email could be exposed, too.

Before going any further, let’s explain what this article covers. When people talk about AI privacy, they are often concerned that what they type into an AI chat tool will leave their organization and show up somewhere else in the world. That’s not what we’re covering here. We’re covering the situation where, although the data stays within your organization, other people in your organization might find out more than they need to know, even without trying. Given a request, AI can quickly return data based on the user’s privileges without the user needing to find a specific file, message, or meeting. Unfortunately, they might see content they never expected or intended to see, perhaps private or sensitive information they shouldn’t have access to, a phenomenon dubbed AI “oversharing.”

This article focuses on companies with multiple users sharing data instead of a single user or a tiny office with users not using shared storage. However, everyone, including single-computer organizations, should read the section below entitled “Potentially Dangerous Third-Party AI Assistants.”

Using AI assistants, information stored in your organization may be available to anyone else in your organization possessing the right access privileges. People no longer need to invest energy to search; as long as they have access rights, they can ask a simple natural language question using AI and find the data in the blink of an eye.

It’s becoming apparent that humans will be forced to accept this reality. Humans must be very cautious about what they say in a meeting or type into a file they save or in an email. Of course, you have no control over what information someone could send you in an email, making the situation worse.

The good news is that AI tools cannot retrieve data once it is permanently deleted from all systems and backups, assuming the tool you are using for RAG only accesses current content and does not save old content. As of this writing, most reputable tools from organizations with household names respect that once a file is deleted, it is no longer eligible for access by workplace AI assistants. However, due to the sheer volume of information accumulated over the years, finding and deleting old files, meetings, and messages could be nearly impossible.

Software and operating systems that support gathering your and your organization’s data to provide more relevant answers (RAG) usually include multiple privacy safeguards. However, protections can be bypassed in certain circumstances, such as an official e-discovery.

The way it typically works is for the AI tools to verify the user’s permissions to data before considering augmenting the response with additional information. When a user asks for information, the system is designed to provide information that the user has permission to see, a process called trimming.

For example, workplace AI assistants integrated with your organization’s email applications have access to your messages. When you ask for information, the AI tools are designed only to give you information based on the contents of your email. Unless you’ve delegated email access to someone else, random people in your organization should be unable to receive answers augmented with information from your sent and received email messages.

However, a technology leader at a leading provider told me that their AI tool does not respect the privacy of a user’s email when there is a misconfiguration or the interested party has elevated roles. He explained that all user email content is available to other users with enough privileges. He explained the trade-off between data access and privacy with this metaphor: Before AI augmentation, he said, finding sensitive data in a company was “like looking for a needle in a haystack” – scattered across random files and email messages. Now, he explained, with AI-powered tools, “you find the needle immediately just by asking a question.” He reminisced about asking one of his technical pros, “Show me email messages where anyone praised our competitors.” He said the results appeared instantly, with sender information fully visible. “The AI tool doesn’t give you a haystack,” he concluded. “It gives you a stack of needles.”

A member of my team and I eagerly visited with AI technology leaders, hoping to persuade them to make conversations completely private for sensitive meetings such as coversations related an M&A, personnel matters that require confidentiality, trade secrets, and new competitive products or services that would harm a company if the details are discovered prematurely.  The most senior person we visited, who influences AI privacy at a huge software company, was surprised to hear that I suggested that executives sometimes want discussions in online meetings to remain private forever.

He is not alone in believing that all executive communications should be discoverable. Executives’ knowing that their conversations could be disclosed helps ensure corporate accountability and is a strong deterrent to executive misconduct. Transparency is required by some regulations and even by law in certain circumstances. Some people feel it is unfair for executives to enjoy privileged communications with immunity from e-discovery.

The senior executive with the power to set privacy related to AI emphasized that the whole point of AI ingesting meeting conversations and other data is to make information available for AI processing; any restrictions reduce the tool’s functionality. He explained that this reaffirms the position that productivity outweighs privacy. He acknowledged that there are concerning incidents of oversharing sensitive data to users, and he accurately pointed out that those are often due to their customers not properly preparing, deploying, or maintaining the AI tools and data governance privacy controls.

He retorted that executives who want to have private meetings with undiscoverable content should use some encrypted messaging apps like Signal and not his company’s online meeting platform. He also told me he appreciated my feedback about leadership sometimes needing absolute privacy, and that they’ll consider it.

Yet their position is firm, and companies that use workplace AI assistant tools that access company information must now accept the specific privacy controls of that tool, which may include a significant drop in the privacy of sensitive company information within their company. While I acknowledge that many application providers build in protective controls, the reality is stark: complete privacy of workplace communication is in jeopardy.

There are many examples of data augmentation across the industry. One is Microsoft’s 365 Copilot, which can use RAG to augment responses using information in email, meetings, and files. It provides many advanced privacy controls, including those described below. Some more advanced protections, such as automatically labeling data sensitivity, are unavailable unless your organization invests in the top-tier “E5” license of 365. Companies with the “E3” license must manually label content or risk unexpected disclosure.

Microsoft’s free “Copilot with Enterprise Data Protection” differs from the free consumer version of Copilot in that it requires users to log in with work (Entra ID) credentials. It doesn’t automatically access your organization’s data, and users can only upload files manually for tasks like summarization. Your IT team can configure data loss prevention policies to prevent sensitive file uploads, but the protections aren’t enabled by default, so initially, any file can be uploaded. This free version doesn’t integrate with Microsoft 365 apps like paid Copilot, so it doesn’t provide real-time document editing, Teams meeting summarization, or Excel formula suggestions within your apps. However, it does provide web searches, document summarization, and general chat interactions. While it offers some enterprise protections when configured by IT, it’s not a complete company solution like paid 365 Copilot versions.

Google Gemini is now integrated with Google Workspace and can review and consider information in Google Workspace as it responds to user prompts. Google does not release information to the world by training Gemini on your data, and they provide strong security measures to help keep private data private. But, even with the provided settings, a qualified person in your organization must configure and keep those measures current. Sometimes the default settings favor functionality over privacy, so your team must be familiar with the settings and keep up with them as they change.

From now on, you must carefully choose your words in online meetings and never say anything you don’t want discovered. Content discussed in meetings may be captured in AI-generated transcripts, summaries, or recordings, making even previously casual conversations potentially discoverable in legal proceedings. By default, permissions for AI to return results from the transcript are typically given to all meeting attendees. If someone is invited but late or a no-show at the meeting, avoid the temptation to say something joking or make an offhand comment about them. That person could later want to know if they’d missed anything important and ask AI, “Did anyone say anything about me?” Your comment will be disclosed. Depending on what you said and their level of sensitivity, you might find yourself in an HR nightmare. There is no such thing as ‘off-the-record’ in meetings where AI transcription or summarization tools are active. With some commonly used operating systems and tools, this recording is always enabled and difficult to block.

Distributing AI-generated meeting summaries to participants without a human reviewing them first for accuracy is dangerous. AI is prone to hallucinations and errors in transcription, especially if the audio quality is poor. AI also makes errors when people use ambiguous language, such as “They said it was approved.” Who is “they,” and what did they approve? AI will try to decide, but could get it wrong. Other examples are “We need to address the issue” or “Send it to them.” AI must make a guess, based on the context of the conversation, what “we,” “they,” “issue,” and “it” refer to. Sometimes AI, understandably, guesses wrong, and meeting summaries can include inaccurate information and topics never discussed.

After Abraham Lincoln died, historians discovered in archives that he had written scathing letters to his generals but never sent them. If you sometimes type emotion-filled documents while “venting,” even if you never intend to share the information, the AI tools may index and analyze everything you type in the draft file you save. In an e-discovery situation, or if someone with elevated privileges asks a question, the AI tool could reveal what you never intended to share.

One major provider of applications automatically saves a version history of the previous content, but their tool will use only the current content of the file to respond to a question entered by someone with a high enough security level. Break any habits of saving individual files in names such as “AngryLetter-v1,” “AngryLetter-v2,” etc. If you update a file for tone or accuracy, do so in the current file or delete old versions to keep previous content from showing up in AI answers. These strategies only work if your workplace AI assistant tool only accesses current data and does not store old content. Remember that if your system makes backups of your files, and someone with the capability restores a file you deleted or restores a version before you removed objectionable content, the information in that restored file may be available as if you never erased it.

Removing old email messages from showing up in responses can be slightly trickier since AI may respond with information stored in your deleted items folder. You must remember to empty your deleted items folder, or your IT team can set up specific retention policies that permanently delete email messages after a set date or message age. Of course, as with files, if the email messages are backed up somewhere and restored, the restored versions may appear in responses to AI prompts. And this also assumes that your workplace AI assistant tool does not save old messages elsewhere for retrieval. As of this writing, one of the largest workplace AI providers respects that boundary and doesn’t save snippets of data after the source is deleted.

The goal isn’t to scare people away from using AI tools. It isn’t easy to turn off AI’s reading and recording anyway. Your safest bet is to behave as if everything you type or say will be available for easy retrieval by unexpected people.

Let’s cover some things you can do.

Be sure your IT team uses governance and privacy protections such as:

DLP: Major enterprise software providers have highly effective data loss prevention (DLP) tools that help keep private information private and allow access only to people with specific or enough privileges. However, DLP systems are only as effective as their configuration and upkeep. IT professionals, compliance officers, and other privileged users typically have access to the DLP system and can circumvent restrictions and access data anyway. If users save documents in unprotected locations, DLP might be unable to protect the data.

Data Sensitivity Labeling: Most enterprise AI assistant providers explain that their tools respect file permissions and features like Data Sensitivity Labeling. You and your users can specify data labels for your content, such as “private” or “confidential,” to further restrict who can see what data. However, if someone opens an e-discovery, all undeleted data is potentially available. Thus, nothing you say or type is wholly protected if the data still exists.

Retention Limits: A representative from a major tech company suggested that executives can avoid e-discovery exposure of what they say in sensitive topic meetings by setting retention limits on meeting notes, files, and email. After the retention period, the system will erase the data after a mandatory holding period. Erased data will no longer appear in results if your AI assistant doesn’t save snippets of data elsewhere. However, it can be frustrating not to have access to old documents and meeting summaries after a retention policy triggers their deletion. He pointed out that if a meeting attendee puts notes or a summary in the meeting chat, that chat information will not be purged. If someone asks about the meeting in Copilot or during an e-discovery, the process will access the data saved in the chat. Remember to ensure the automatic deletion includes deleting all logs, training data, and monitoring records when setting retention policies. These may contain sensitive data in prompts or summaries, even after the original content is deleted.

Why Deletion May Not Be Enough: As mentioned throughout this article, remember that one of your best protections is deleting files, chats, messages, meetings and backups you don’t want AI to use in responses. However, the effectiveness of this strategy depends on whether the tool’s RAG features save information elsewhere even after you’ve deleted it.

Potentially Dangerous Third-Party AI Assistants: An IT Professional at one of our best customers called me last week in alarm because he noticed a new app on their system had rights to scour their email messages and file storage. What used to be a third-party meeting assistant tool has “upgraded” its feature set to include a system that performs an AI search across documents, notes, and email messages. When a third-party meeting tool accesses your file systems and mailboxes, do they save any snippets of your information on their company’s servers? If so, do they encrypt the data and automatically erase the data from their systems when you delete a sensitive file or remove an email from your account? Can they provide a log or audit trail of who accessed your data? Do they train their tool based on your data, potentially exposing your data to their other customers? What happens to your data if you stop using their product? How do they define what data is yours vs. their data? The tools may also offer to gather information from other third-party note-taking tools, CRMs, and users using other operating systems. From a functionality perspective, there is great allure to having an AI assistant so familiar with everything in your work life. However, it is also a privacy nightmare if the system ever over-shares sensitive information, if the third party gets compromised by threat actors, or if your organization loses visibility into where your sensitive data is stored and who can access it. Before enabling tools like this, you must thoroughly vet the third party to determine if they have the necessary security controls in place and will maintain the security of your data. Remember the saying, “your organization’s security is only as good as your third party’s security.” To help stop employees from unknowingly giving outside apps access to your company’s emails, files, and other sensitive data, ask your IT team to change the “Allow User Consent” Settings from the default to require administrator approval before any third-party app can access company data.

Outside Parties: Another risk is that if any of your workers sent the data or made it available to an external person, it might be in their system too and be exposed by their AI someday.

AI Incident Response Plan: Develop a thorough incident response plan for AI incidents. Plan now how you will manage situations related to AI crises, such as unauthorized data leakage, undetected hallucinations, discrimination (bias), security issues such as prompt injection, and insider misuse. Include your legal and regulatory advisors during planning, as they can address their appropriate obligations.

Security Considerations for Incident Response, HR Investigations and more: Many organizations use ticketing or helpdesk systems that weren’t originally designed to handle sensitive issues, including cybersecurity incidents, HR complaints, and insider threats. Examples include Jira, ServiceNow, or Teams/Outlook. Those systems are integrating AI features. If you allow AI tools to automatically index your primary helpdesk system, they may unexpectedly augment responses and disclose sensitive investigation content to unauthorized users. This creates risks such as exposing privileged communications with legal counsel, compromising the integrity of confidential evidence, and disclosing sensitive employee information. Instead, use a completely separate access-controlled case management system for incident response, HR investigations, and other sensitive matters. Ensure this system is excluded from AI indexing and augmentation. Work with your legal and compliance teams to isolate the systems, enforce strict access policies, and apply appropriate retention and audit log controls.

In case it comes up in a conversation with your IT pros, Microsoft allows administrators to configure “Azure AI Search” indexing restrictions to help prevent AI from accessing specific data, such as files, emails, calendar events, and meetings. However, blocking indexing has negative consequences such as breaking searches for text in email message bodies in Outlook on the web, content inside documents such as Word, Excel, and PDFs in the web apps, and Teams online.

Know that your IT team is already very busy, and adding AI governance to their responsibilities may require removing something else or outsourcing.

As time passes, AI will gather more information from your existing documents and data (this gathering is called RAG), including what AI thinks was said at all meetings. People will become more aware of the new normal in privacy. Unless you are positive that you can and will permanently delete all history, be careful about anything you say in online meetings or type into documents or email. Use words and sentences that will reflect well on you and others in case someone with enough permissions asks AI what you said.

For better, worse, or both: AI is listening. Protect your privacy before it is too late.

The post AI is Listening: What Executives Must Know about Privacy in the Age of Workplace AI Assistants appeared first on Foster Institute.

AI chatbots – ChatGPT, Claude, Gemini, and Perplexity – bring unique strengths to business tasks, from data analysis to strategic communication. Why have just one star player on your team when you can have several? While many executives have found remarkable success with one platform, utilizing multiple chatbots can unlock even greater value. As you become familiar with more chatbots, you will naturally develop your preferences for example, you might choose:

• ChatGPT for versatile tasks and data visualization
• Claude for emotionally aware communication
• Gemini for technical troubleshooting
• Perplexity for research

The goal here is to inspire you to explore chatbots you might not have used.

Introduction:

When associations and organizations hire me to present about AI, audiences frequently ask me which chatbot is best. After presenting to thousands of executives across diverse industries, I’ve discovered something fascinating: each person develops their own preferences based on their unique needs and experiences.

There are many chatbots, each trying to earn your favor. If you only use one, you will benefit tremendously from trying others.

A great strategy is to give the same prompt to several chatbots and see which response you like best. Enter a prompt into one chatbot, copy it to your clipboard, and then paste it into other chatbots.

Capabilities change frequently with updates, so what works best might change tomorrow. As of today, here are some specific benefits you might appreciate as you multiply the number of chatbots on your team. Please adapt the example prompts to your specific industry or goals:

Expert Strategy:

For the best results, always give the chatbot context and detail. Describe yourself, the interests relevant to the project, your role, your audience, and what you want to accomplish. For example, instead of asking, “Review this email draft,” tell the chatbot your industry, what your organization does, your role, and the challenges you’re addressing. Then say something like, “I wrote this follow-up email after yesterday’s board meeting. Review it and suggest if there are clearer ways to explain our quarterly results. The board members reading this want both the wins and challenges clearly explained, and they prefer brief, to-the-point documents.” The difference in response quality will amaze you. You can attach examples of previous successful communications you’ve written and tell the chatbot to use a similar tone and style.

ChatGPT: Amplify Your Productivity:

Chatgpt dot com. Almost everyone has heard of this popular chatbot’s vast range of capabilities. In addition to what it has always done, I use ChatGPT when processing documents and generating or analyzing graphs.

• Manufacturing: “Generate a workflow to reduce downtime by analyzing machinery data and prioritizing maintenance schedules.”
• Healthcare: “Create a patient satisfaction survey based on current trends in healthcare delivery.”
• Finance: “Summarize key takeaways from a quarterly earnings report for a stakeholder presentation.”
• Distribution: “Using the attached spreadsheet, generate a graph of Lead Time (Days) vs. Monthly Usage (Units) with data points colored by criticality. Label the material names using a large font.”

For executives on the move, ChatGPT’s voice mode transforms travel time into productive strategy sessions. While driving, you can brainstorm solutions to business challenges, rehearse important presentations, or analyze competitor strategies – all hands-free. You have a knowledgeable thought partner ready to explore any topic. For safety, please only use voice mode while driving.

Claude: Transform Your Business Communications:

Claude dot ai. For written conversations and reviewing documents, Claude often causes me to pause and think, “Wow! That response is surprising in a good way!” Experienced business people know success comes through professional relationships. Claude seems the best at considering human attitudes, sentiments, and reactions. If you want to write a persuasive document, Claude might help you best refine the text you’ve already written.

• Manufacturing: “Refine a message to factory staff emphasizing the importance of new safety protocols while maintaining morale.”
• Healthcare: “Draft a memo to staff addressing a sensitive policy change with a positive and empathetic tone.”
• Finance: “Rewrite an investment pitch to highlight potential ROI while addressing client concerns about risk.”
• Consulting: “Analyze this email conversation and tell me how this person feels frustrated, and gently suggest benefits to them by sharing examples of how other professionals have benefited from our practices. Do not strive to convince them since they will push back harder.”

Think of Claude as a collaborator. Converse back and forth about how the recipient or audience will react to specific words and phrases and refine them accordingly. Ask Claude if there are parts that can be left out. This process can produce emotionally intelligent content that produces results.

I find that Claude often provides unsolicited suggestions that are very helpful. For example, while reviewing a business proposal, Claude will often point out valuable opportunities to strengthen the key benefits. Claude often thinks beyond the immediate request, offering insights and recommendations as a trusted strategic advisor would.

Gemini: Solve Technical Challenges:

Gemini dot google dot com offers another option for technical information and troubleshooting steps. Many users appreciate Google’s extensive data repository for technical questions.

• Manufacturing: “Provide troubleshooting steps for a PLC system showing error codes X, Y, and Z.”
• Healthcare: “Outline the process to integrate a new Electronic Health Record (EHR) system with existing software.”
• Finance: “Explain how to configure advanced security settings in a new financial analytics platform.”
• IT Director: “Identify potential pitfalls in the transition to cloud-based services.”
• Executive on the Weekend: “I am a non-technical executive, and my help desk is busy. Walk me through setting up a mail merge using a list of contacts and a form letter.”

Perplexity: Power Your Strategic Research:

Perplexity dot ai excels at providing stunningly useful results searching the web. Other chatbots can provide citations for where they obtained their information, but what attracts me the most to Perplexity is how quickly it allows you to access the sources and see summaries of the content if you click the “show all” citations button.

• Manufacturing: “Find and summarize case studies on how AI optimizes supply chain management.”
• Healthcare: “Research emerging telemedicine technologies and their potential ROI.”
• Finance: “Identify recent regulatory changes affecting the fintech industry and summarize key implications.”
• Expanding your AI Toolkit: “What are the best AI tools this year that will help me (fill in the rest, such as analyzing trends in my inventory turnover to identify ways I can improve my supply chain)?”
• Strategic Planning: “Research top competitors’ strategies for market expansion.”

Perplexity has almost replaced my use of search engines since I receive the answers I need and can drill down to sources when needed. The sources earned their place in the list based on their content rather than which sites use the best search engine optimization techniques.

Perplexity is excellent at crafting documents and generating lists of instructions, too.

Free vs. Paid:

All these chatbots have free and paid versions. Some chatbots have elected to provide advanced features to free accounts, limiting the number of times unpaid users can use those features per day. As you use chatbots, evaluate the time savings or added value to decide when to upgrade to a paid version. Many executives find the ROI on paid versions substantial.

Risks:

Chatbots can produce inaccurate results, known as hallucinations. For example, when generating financial projections or analyzing marketing insights, they might fabricate results. Always verify chatbot-generated information and avoid expensive mistakes.

Feel free to challenge the chatbot’s biases. Sometimes, a good argument can be constructive.

Always use privacy settings to help ensure sensitive data isn’t stored. Understand the chatbot’s privacy policies.

Customization:

Some chatbots allow you to preload information about yourself and your company in settings or attached files.  Sometimes, you can generate custom profiles or unique chatbots. This can be very productive, saving you time and achieving specific results.

AI Ethics and Integrity:

Excellence in AI requires the same principles that guide all business practices: honesty, integrity, and ethics. Just as we use presentation software to communicate clearly and CRM systems to build stronger customer relationships, AI tools help enhance our natural capabilities. They can analyze data more quickly, provide valuable insights, and help us communicate more effectively with our teams and customers.

Any powerful business tool, from email to social media, can be misused. However, responsible leaders use AI to enhance human judgment and creativity. Use AI tools to create value, improve efficiency, and drive success for your organization and the people you serve.

Conclusion: Using Multiple Chatbots is a Force Multiplier:

Issue your prompts to multiple chatbots to see which resonates best for specific tasks. Remember that chatbots are continuously improving. If you keep experimenting with all of them, you might update your preference for specific tasks. Other fabulous chatbots are available, too; don’t feel limited to the four I discussed here.

I’d love to hear about your journey with AI tools. Whether at a conference where I’m speaking or through email, share which chatbots have transformed how you work and how. Your insights help me bring fresh perspectives to organizations worldwide, and I might feature them in a future blog. As chatbots continue to evolve, I’m committed to helping executives and their teams unlock the full potential of these powerful tools!

Subscribe to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: https://fosterinstitute.com/e-savvy-newsletter/

The post Which AI Chatbot is Best? The Executive’s Guide for When to Use ChatGPT, Claude, Gemini, and Perplexity appeared first on Foster Institute.

It makes sense that malware uses strategies to infect and hide inside of networks undetected. Here is some fascinating insight into that self-preservation: The malware related to SolarWinds attack looks for specific security related software, including a free program named WireShark, before installing itself. If Wireshark is running in Windows, the virus installation terminates itself.

Should you run WireShark on your computers 24×7? Ordinarily, IT Professions remove WireShark in case attackers installed it. Paradoxically, running WireShark will stop the initial activation of the SolarWinds attack. WireShark is not the only choice. Open this Microsoft article and use CTRL-F search for the word WireShark to see the other security related tools that will horrify some malware: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

But, after SUNBURST installs itself, it is too late. It doesn’t look for security related tools after installation.

This message is not a recommendation to run these applications, nor is it intended to dissuade you. If organizations start adopting this strategy to thwart cautious attacks, it will be interesting to see how malware responds.

Forward this article to your friends so they receive this insight into how bad actors strive to avoid detection and discuss implementing this unconventional approach to stopping malware installations.

The post Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks appeared first on Foster Institute.

SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are known to discredit their organization. Clearly, attackers see them as valuable enough to use as an infection vector.

This is called a supply chain attack because bad actors use a trusted product in an organization’s supply chain to attack the organization. A similar well-publicized attack happened with a popular tool, with many benefits, called CCleaner. The attackers successfully compromised 2.3 Million PCs.

The CCleaner supply chain attack is an illustration of dwell time. Attackers waited five months from the time they gained access to CCleaner before they launched the attack on CCleaner users. Many computers were safe, but not 2.3 Million of them.

Remember: Just because your organization fixes a vector through which the infection came does not eliminate damage already done. As an analogy, if you were the king or queen of a castle, and you found that attackers entered your castle walls to attack your city, raising the bridge over your moat does not eliminate the attackers who already made it inside.

Supply chain attacks are one of many reasons to eliminate as much software as possible at your organization. If a program is not essential, remove it asap. SolarWinds is vital for many organizations.

Please forward this to your friends so they can alert their IT departments to address this situation, and know to remove all non-essential software from all computers.

The post Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks appeared first on Foster Institute.

More often than ever before, bad actors infiltrate organizations in a slow, methodical way. They can remain undetected for weeks, months, even years. The FBI uses the term dwell time to designate the period from when attackers infiltrate systems until you discover them. The FBI warns businesses that attackers can cause significant damage during dwell time. Bad actors quickly establish backdoors to ensure access, even if you block their first point of entry. They deploy keyloggers on systems to record keystrokes. If your cyber assets are compromised, the bad actors can potentially monitor your messages to find out when you discover their presence in your network, computers, applications, cloud resources, websites, or anywhere else.

Once attackers know you’ve discovered their infiltration, that triggers them to move forward with their next phase, often contacting you to demand a ransom. Sometimes they threaten severe consequences if you attempt to recover your system in any other way than paying them. Since they are in your systems, you must take the threats seriously.

Establish a protocol for workers to communicate suspicions in some method other than email.

Even your IT department must avoid emailing each other questions such as, “I received an alert that someone is resetting an administrator password. That’s odd. Is that you?” Instead, they must communicate by mobile phone or radio.

If you suspect a breach and contact us, consider phoning. If you must email, use a personal account outside of your company account, and use a phone or some device other than a company computer’s keyboard to send the message.

I’m not talking about when users receive a phishing message. I’m talking about if they receive a phishing message that includes customer account information, if an important file is missing or won’t open, or if they receive an unexpected login request on a website or to open a file. IT needs to investigate these early-warning signs.

Please forward this to other executives who you care about to establish a mobile hotline number for users to reach the IT team to report suspicious activity. Help avoid triggering attackers’ responses before your IT team has time to react and, hopefully, mitigate a potential cybersecurity disaster.

The post If You Get Hacked, Do Not Email Anyone About It appeared first on Foster Institute.

Here is another essential tactic to help protect your remote workers.

There’s a company in Saint Louis that ran into a problem your organization might face too.

Their remote workers must attend many video conference calls, online meetings, webinars, and online training sessions. Their IT Pro doesn’t want to install different programs on his users’ computers if he can avoid it.

As you know, a significant way to improve cybersecurity is to uninstall nonessential software, not to add more programs.

The company’s savvy IT Pro discovered an excellent solution. He found that all of the video conferencing and training tools his team needs can run inside their already-installed browsers. They don’t need to download and install extra software. They have Zoom already, but workers use their browsers for other kinds of meetings. They may not get all the advanced functionality, but they can still participate in the sessions just fine.

Please forward this to your friends so that they know, to improve cybersecurity, avoid installing software or apps whenever possible. Their IT Pro may find that workers can participate in many meetings using their browser only, without needing to increase the attack surface by installing more software.

The post Video Conferencing – Avoid Installing Meeting Programs When Possible appeared first on Foster Institute.

The post Executives Appreciate it when IT Professionals Communicate Effectively appeared first on Foster Institute.

The work they do is often so complicated, yet they make it look easy. Unless you are a high-tech executive, it can be difficult to appreciate how sometimes your team accomplishes a miracle.

In some organizations, the only time the IT team gets noticed is when something technology-related stops functioning correctly.

IT pros, by nature, need to invest more than 40 hours a week to keep up with rapidly changing technology. That doesn’t include responses to the helpdesk crises and completing the projects assigned to them.

Executives reading this newsletter already feel compassion for and support their IT teams. But just in case you know an executive who doesn’t, or the gift slipped their mind, please forward this message to them. And why not add an IT Appreciation Day to company calendars?

Happy Holidays – and you deserve a bunch of credit too!

The post Remember to Give Your IT Pros a Holiday Gift appeared first on Foster Institute.

Any of your computers that you purchased six years ago came with Windows 7 installed. Unless you paid for new licenses and gave your team time to upgrade them, those computers run Windows 7 today.

Some of your options include:
– Buy new computers
– If the computer is strong enough, upgrade Windows 7 to Windows 8.1 or Windows 10
– You can ask your IT team if you use a technology called VDI. If so, they can uninstall Windows 7 completely. They can install Linux, or make a bootable thumb drive, or use a No Touch Desktop program. The computer can function as a screen and keyboard to a server where Windows runs

If, for any reason, you need to keep Windows 7 on some workstations, be sure to give your IT team time to implement compensating controls. For example, they can isolate the computers from the rest. Ask them to install Microsoft’s downloadable EMET security tool that works in Windows 7.

Support for Windows 8.0 ended in 2016.
Support for Windows 8.1 ends on January 10, 2023.

Please forward this to your friends and business associates, so they know January 14 is the when Windows 7 becomes a severe security risk to their networks.

The post Microsoft Will Stop Protecting Windows 7 on January 14, 2020 appeared first on Foster Institute.

Patching VMware, which is often used as a platform for many of your other servers, can be frustrating. If the patch causes a problem, there is a risk that all your servers hosted on that machine will go down.

This is one of those risk vs. benefit decisions that is so important, business executives must be involved.

On the one hand, the patch could interrupt business, but not applying the patch could be considered reckless.

Test the patch prior to deployment, when possible. Having a pre-planned, if not pre-tested, roll-back plan is crucial in case the patch causes a problem.

Preferably patch one server at a time so that, if the patch does cause a problem, at least the interruption is limited to that server.

Without the patch, someone could run programs on your computer, potentially taking control of the server.

The patch fixes a vulnerability in the VMware Customer Experience Improvement Program, even if a customer is not participating in the program.

Please emphasize the last phrase to your IT pros.

Ask your IT pros to look at VMware’s information by searching for VMSA-2017-0007.

Please forward this to everyone who may be using VMware, so that they can alert their IT pros just in case they don’t know already.

The post Alert Your IT Team – Urgent Patch for Network Servers appeared first on Foster Institute.