We’re receiving calls from our cybersecurity customers when the IT Team discovers that ordinary users have given third-party applications access to all their organization’s files, email messages, calendar events, Teams chats and channels, and other data.

How can ordinary users have that much power?

By default.

Situation: This configuration affects most companies. While the default settings for your Microsoft 365 system allow your users to approve third-party access, Microsoft recommends the following more restrictive settings to increase security.

The Risk: Without this setting, workers may override protections without oversight and allow any application to access your company data, create and delete files in SharePoint and OneDrive, read and send email messages, edit calendar events, access and modify Teams chats and channels, update user profile information, and perform other tasks. While some applications might need this level of access, it must be granted only after the appropriate authorities, including your IT Team, thoroughly consider it.

Reality Check: This setting catches many IT Teams by surprise. Microsoft is updating its security controls quickly, and it is nearly impossible for IT Teams to keep up with the changes. And when defaults promote ease-of-use over security, like this one, your systems can become at risk quickly without the team realizing it. Know that your IT Team’s level of expertise can be excellent, and situations like this sneak up on them anyway.

Urgent Quick Verification: Your IT Team can quickly access the Microsoft Entra admin center > Enterprise applications > Consent and permissions > User consent settings. There are three options:

• “Do not allow user consent.”
• “Allow user consent for apps from verified publishers, for selected permissions.”
• “Allow user consent for all apps” (the current risky default value)

Update If Necessary: Microsoft recommends you select “Allow user consent for apps from verified publishers, for selected permissions.” Different organizations have different data access needs. Your IT and compliance teams must determine the appropriate level for your situation. Smaller organizations might choose the first option if they don’t want users to expose data to third-party applications without checking with the IT team. Larger organizations with more complex needs often prefer the middle option with careful permission management to take some of the workload off busy IT professionals while providing protection.

Next Step: Your Administrators will also need to specify which permissions are low-impact, as detailed in Microsoft’s article “Overview of user and admin consent.”

Facilitate the Approval Process: Your team can optionally set up an admin consent workflow that users must follow when they want to provide permissions.

Forward this to your friends who are executives at other organizations so they can give their teams this heads-up, too.

The post Executives – Any User Can Accidentally Expose All Your Data Unless IT Changes This Default Setting appeared first on Foster Institute.

The post Executives Appreciate it when IT Professionals Communicate Effectively appeared first on Foster Institute.

You assign your IT team the responsibility to secure and manage the keys to the vehicles, so you give each member of your IT team a copy of the master key.

Here is where it gets crazy: Suppose that there is a well-known tradition, in all companies, for IT professionals to store their master keys in the top drawer of their desks. Unfortunately, if someone wants to steal a vehicle, they know right where to find a master key. They can take all the cars once they gain access to the master, and they know exactly where to find it.

In the real world, your IT team has the responsibility to secure and manage your most sensitive data. In doing so, they have the master keys that unlock all the other keys. It is a tradition to give all IT professionals, and even outside consultants, keys to the master lockbox. The shocking part is that all IT professionals are encouraged to store the master keys in the same place, in the default well-known security groups named schema, enterprise, and domain admins.

Your IT team must create new security groups, with different names, in which to store the master keys. It is crucial that the new groups only provide specific privileges to member users on a need to know basis. It is ok if this strategy is new to them.

To measure this, ask your IT professionals to show you what users are members of those default security groups. Discuss moving those users into specific groups that provide the least amount of access they need to perform their work. Depending on the complexity of your system, this may take more time. IT professionals are always busy, so discuss with them their current projects, then prioritize this essential security improvement accordingly.

Storing master keys in a well-known location is absurd, and it is likely that you are doing that now.

The post The Insanity of Your Network – Storing Keys in the Same Place as Everyone Else appeared first on Foster Institute.

When your IT team logs onto a server, the server’s screen looks similar to what you would experience looking at a Windows workstation’s screen. The display on the server’s screen would remind you of your desktop or laptop computer’s screen.

Your IT professionals can remove this desktop experience and produce significant benefits. Your servers need less storage space, are faster, need fewer security patches, and are more reliable. Additionally, there is a smaller attack surface for attackers to exploit. Those benefits will help you, as an executive, sleep better at night.

Your IT team will install the server’s core software, and omit all of the programs that produce the desktop experience.

For your IT team to control and configure the server, they can use a server manager program that runs on their computers. Your IT team might use Windows PowerShell or even Project Honolulu too.

Please forward this message to fellow executives who want to make changes that will help them sleep better at night and, in the future, save money too.

The post A New Opportunity for Your IT Pros to Protect your Servers appeared first on Foster Institute.

Most IT professionals will, and do, fix the printer first. They care about you and your organization. They want to ensure that your team can serve your customers.

But, postponing the repair to the firewall may significantly increase the risk of your organization experiencing a major cyber attack.

The printer being broken is a visible condition. It is possible that nobody, other than members of your IT team, knows that the firewall is broken.

Your IT team will receive approval for fixing the printer. But, if they spend time fixing the firewall first, everyone will think they are wasting time, sitting around, doing nothing.

What device or activity consumes your IT team’s time? What do they have to invest a lot of time fixing, when there are perhaps more critical, often invisible, cyber security issues that must be addressed?

If it is the printer that takes up their time, buy a spare printer. If one printer goes down, everyone can use the other printer.

Do what you need to do in order to ensure that your IT team will have time to take care of your IT security. You will reap the benefits if they stop an attack.

The post How Buying a Spare Printer can Vastly Improve Your Cyber Security appeared first on Foster Institute.

First, IT Professionals need to know that the boss is always right. If the executives say that they do not want to use passwords, then that settles it. Of course, IT Pros should make recommendations, but let the boss decide. IT Pros need to document the executive’s decisions, especially decisions that go against what the IT Pro feels is best, and move on. They should not bring them up again. If bosses feel unsupported in the decisions they make, the IT Pro will soon be looking for a new job.

Second, bosses get frustrated when they feel a project is moving slower than they believe it should move. It is necessary to keep them up to date on existing projects. Otherwise, the boss may decide to hire someone else that they perceive as being able to bring more value and get things done. IT Pros need to send the boss a monthly, if not weekly, bulleted list of completed, current, and planned projects; even small ones. If the boss even hints that they would like to know more about a project’s progress, the IT Pro needs to jump on reporting that. A verbal conversation is often faster and much more effective than an IT Professional writing and re-writing a long defensive email.

Third, IT Pros need to ask the boss how they can improve their service to the organization. They need to ask how IT fits into the big picture, and ask how they can support the business strategies. They need to listen and do what the boss says to do. They need to have that conversation every month or so. They need to ask themselves what they would want if they were in the boss’s shoes.

Many IT Pros are confident that, and maybe they are, so valuable to an organization that they would never be fired. The only thing that feeling guarantees is that there will be no advance warning to the termination, because the executives of an organization don’t want to risk any kind of retaliation from an IT Professional that feels so indispensable.

Forward this to all IT Professionals that you care about.

The post IT Professionals: 3 Things IT Professionals Must Do to Avoid Being Fired appeared first on Foster Institute.

At a client’s office this week, one of the IT Professionals had an interesting idea. He can configure two-step logon to contact him, not the consultant, for login verification.

If you configure this at your office, here is how it would work: First, the consultant would enter their username and password to login to your network. Then, an app on your smartphone would indicate that the outsourced consultant is trying to gain access. Then, you will be able to choose to allow or deny the consultant’s login attempt.

This IT Professional wants to know, in real-time, when someone is attempting to log on to his network. If you use this arrangement, you will have the capability to permit them or deny them access each and every time.

It is an interesting idea.

The post A Way to Control Consultant Access – Every Time appeared first on Foster Institute.

As demonstrated last week, attackers attempt to guess usernames and passwords on systems in an attempt to gain access to those computers.

The most concerning part, since your network is already under attack, is that one or more of the attempts might have been successful.

Those thousands of unsuccessful login attempts on a computer are, in a way, reassuring because the attacker was having difficulty finding a combination that worked.

The reason that some computers have fewer attack attempts can be because an attacker successfully gained access after a smaller number of guesses.

This is often the case since the attacks are automated so an attacker will not usually get tired of trying. Once one of the tries is successful, then that’s when the attacker stops guessing usernames and passwords. At that point, they already have access.

Have your internal, or outsourced, IT Pro examine failed logon attempts and see if the usernames seem random like the list published last week. If the usernames are similar to those on that list, then that’s an indication that an attacker was attempting to gain access. If there are a small number of attempts, then that attacker may have gained access to the computer.

Now that’s concerning.

Please forward this to your friends and associates so that they can be more aware of how to protect the security of their organization.

The post How To Know if a Password Attack Succeeded appeared first on Foster Institute.

IT Professionals have approached me to say they feel unhappy with their compensation. And some executives ask how much is enough pay. There are ways to know…

Websites such as Pay Scale dot com, Career Builder dot com, and Salary Expert dot com provide estimated pay ranges based on location and skills.

Executives: Quality IT Professionals are really difficult to find these days. So you don’t want to lose the ones you have. HR specialists have said that money is not the primary motivation for someone to keep their job, as long as the compensation meets a minimum. Your IT Professionals are likely very loyal to you and will invest a great amount of energy to help you. Just know that they may be receiving job offers from others.

IT Professionals: Keep up with certifications – those new skills will help your organization too. You enjoy learning or you’d never have selected an IT career anyway. One source of training and certifications is CompTIA dot org. They offer hardware, networking, security project management, and other certifications referred to with names such as A+ Computer Technician, Network+, Security+, etc. Talk to your employer about ways you can become more valuable to them. Some of you are very good about putting the needs of the organization that you serve, before your own needs. Be careful. If you give too much, and feel undercompensated, the resulting unhappiness can be bad for you and the organization too.

The difficulty executives face is not realizing how much a dedicated IT Pro does. When an IT Professional performs a miracle by breathing life back into a crashed server, it is sometimes difficult for non-IT Professionals to appreciate the level of accomplishment. What IT calls a miracle, executives consider the accomplishment as being part of their job description. They have no idea what is, and is not, involved.

Executives, I’m not saying that every IT Professional needs a pay raise. If you are unhappy with your IT Pro, you may be looking forward to when another company hires them away. In fact, if you aren’t happy with their performance, there is no reason to keep them around. They do, as many executives have said, hold the keys to your kingdom. Or, as I like to say it, they have their fingers on the jugular vein of your company. Do not let them hold you hostage with that power, and don’t be worried about kicking them out if you need to.

But if your IT Professional is someone who you like, and appreciate, and you can see that they are good at what they do, keep in mind that good IT Professionals are a hot commodity these days.

The post Are You Paying IT Pros Too Much? appeared first on Foster Institute.

Mark these dates on the calendar:

8/5/2016    Fri       DEF CON®
8/6/2016    Sat       DEF CON®
8/7/2016    Sun      DEF CON®
8/8/2016   Mon     SuperTech 2016
8/9/2016    Tue      SuperTech 2016
8/10/2016  Wed    SuperTech 2016

DEF CON® is the famous security and hacking convention in Las Vegas. This is an exciting event for all IT Pros.

The Foster Institute “SuperTech” experience in Napa Valley empowers your IT Professionals to grow in ways that will propel your organization’s success to new levels.

Invest in your IT Pros – sometimes their future is your future.

IT Pros give so much energy, long hours, and are dedicated to the success of your organization. They show patience with end-users.

Reward them with this awesome experience in return. They’ll look forward to it all year!

Forward this to other executives who want to show more appreciation to their IT Professionals too. It is a win-win for your organization.

Save the dates. They’re the only ones until 2017.

The post Your IT Pros Deserve This appeared first on Foster Institute.