<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Supporting IT Professionals Archives - Foster Institute</title>
	<atom:link href="https://fosterinstitute.com/category/supporting-it-professionals/feed/" rel="self" type="application/rss+xml" />
	<link>https://fosterinstitute.com/category/supporting-it-professionals/</link>
	<description>Cybersecurity Experts</description>
	<lastBuildDate>Fri, 23 Aug 2024 21:15:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://fosterinstitute.com/wp-content/uploads/2021/02/Favicon.png</url>
	<title>Supporting IT Professionals Archives - Foster Institute</title>
	<link>https://fosterinstitute.com/category/supporting-it-professionals/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>AI Implementation Roadmap: The Executive&#8217;s Guide to Avoiding Million-Dollar Mistakes</title>
		<link>https://fosterinstitute.com/ai-implementation-roadmap-the-executives-guide-to-avoiding-million-dollar-mistakes/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 23 Aug 2024 21:15:15 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[CCPA]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5866</guid>

					<description><![CDATA[<p>As a professional specializing in cybersecurity and AI, I&#8217;ve seen firsthand the importance of involving key stakeholders when implementing AI solutions. This guide highlights many essential steps to help ensure a smooth, secure, and compliant AI deployment in your organization. 1. Assemble Your AI Implementation Team Choose a person or team to lead AI [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/ai-implementation-roadmap-the-executives-guide-to-avoiding-million-dollar-mistakes/">AI Implementation Roadmap: The Executive&#8217;s Guide to Avoiding Million-Dollar Mistakes</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="whitespace-pre-wrap break-words">As a professional specializing in cybersecurity and AI, I&#8217;ve seen firsthand the importance of involving key stakeholders when implementing AI solutions. This guide highlights many essential steps to help ensure a smooth, secure, and compliant AI deployment in your organization.</p>
<h2 class="font-600 text-xl font-bold">1. Assemble Your AI Implementation Team</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Choose a person or team to lead AI implementation</li>
<li class="whitespace-normal break-words">Include representatives from leadership, legal, and IT</li>
</ul>
<h2 class="font-600 text-xl font-bold">2. Educate Your Team on AI Applications</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Watch the 7-minute educational video showcasing <a href="https://fosterinstitute.com/top-conversations-the-executives-playbook-for-conversing-with-ai-short-fast-paced-video/" target="_blank" rel="noopener">23 Business Uses for Chatbots in 7 minutes</a></li>
<li class="whitespace-normal break-words">Alternatively, schedule a &#8220;lunch and learn&#8221; webinar or workshop to explore practical AI uses</li>
</ul>
<h2 class="font-600 text-xl font-bold">3. Collaborate and Brainstorm</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Discuss insights from the video/workshop</li>
<li class="whitespace-normal break-words">Identify potential AI applications relevant to your business</li>
</ul>
<h2 class="font-600 text-xl font-bold">4. Explore Multiple AI Tools</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Test various chatbots (e.g., Perplexity, Anthropic Claude, ChatGPT, Microsoft Copilot, Google Gemini)</li>
<li class="whitespace-normal break-words">Consider paid plans, privacy of sensitive information, and the ability to create custom chatbots</li>
<li class="whitespace-normal break-words">Enabling a setting that lets the provider use your conversations to make the model better for everyone means your data will be less private</li>
</ul>
<h2 class="font-600 text-xl font-bold">5. Review Industry-Specific AI Tools</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Investigate AI solutions tailored to your industry</li>
<li class="whitespace-normal break-words">Consult a curated list of AI tools for practical options</li>
</ul>
<h2 class="font-600 text-xl font-bold">6. Consult with Your IT Team</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Discuss potential added support requirements</li>
<li class="whitespace-normal break-words">Address concerns about job complexity</li>
<li class="whitespace-normal break-words">Develop strategies to integrate AI without overburdening your IT team</li>
</ul>
<h2 class="font-600 text-xl font-bold">7. Engage Your Legal Counsel</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Address privacy concerns</li>
<li class="whitespace-normal break-words">Review automatic ingestion vs. uploading of data for different AI tools</li>
<li class="whitespace-normal break-words">Analyze privacy and security policies of prospective AI solutions</li>
<li class="whitespace-normal break-words">Consider internal data access and permissions per user or department</li>
<li class="whitespace-normal break-words">Evaluate potential implications for mergers and acquisitions</li>
<li class="whitespace-normal break-words">Consider that data from recordings of meetings will be discoverable during the due diligence phase</li>
</ul>
<h2 class="font-600 text-xl font-bold">8. Assess User Access Control</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Discuss with IT about controlling access to AI tools</li>
<li class="whitespace-normal break-words">Implement measures to manage access to AI on company networks and devices</li>
</ul>
<h2 class="font-600 text-xl font-bold">9. Establish an AI Ethics Framework</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Develop guidelines for ethical AI use within your organization</li>
<li class="whitespace-normal break-words">Address issues like bias, fairness, and transparency</li>
</ul>
<h2 class="font-600 text-xl font-bold">10. Create a Data Governance Strategy</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Establish protocols for data handling, storage, and access in AI systems</li>
<li class="whitespace-normal break-words">Ensure compliance with relevant data protection regulations (e.g., GDPR, CCPA)</li>
</ul>
<h2 class="font-600 text-xl font-bold">11. Implement Security Measures</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Work with IT to set up necessary security protocols for AI systems</li>
<li class="whitespace-normal break-words">Consider encryption, access controls, and monitoring systems</li>
<li>Utilize sensitivity labels and permissions to limit employee access by role, etc.</li>
<li>Establish data retention time policies</li>
</ul>
<h2 class="font-600 text-xl font-bold">12. Plan for Ongoing Monitoring and Evaluation</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Establish KPIs to measure the effectiveness and impact of AI implementation</li>
<li class="whitespace-normal break-words">Set up regular review processes to assess and adjust AI usage</li>
</ul>
<h2 class="font-600 text-xl font-bold">13. Develop a Crisis Management Plan</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Prepare for potential AI-related incidents or breaches</li>
<li class="whitespace-normal break-words">Outline response procedures and communication strategies</li>
</ul>
<h2 class="font-600 text-xl font-bold">14. Draft an AI Policy</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Based on input from IT and legal, create a comprehensive AI usage policy</li>
<li class="whitespace-normal break-words">Define the scope and purpose of the AI policy</li>
<li class="whitespace-normal break-words">List approved AI tools and outline acceptable use cases</li>
<li class="whitespace-normal break-words">Establish guidelines for data handling and privacy compliance</li>
<li class="whitespace-normal break-words">Specify required security measures for AI use</li>
<li class="whitespace-normal break-words">Address ethical considerations like bias and fairness</li>
<li class="whitespace-normal break-words">Clarify ownership of AI-generated content and intellectual property</li>
<li class="whitespace-normal break-words">Outline required AI literacy training for employees</li>
<li class="whitespace-normal break-words">Define monitoring procedures and consequences for policy violations</li>
<li class="whitespace-normal break-words">Set criteria for selecting and evaluating AI vendors</li>
<li class="whitespace-normal break-words">Provide a framework for responding to AI-related incidents</li>
<li class="whitespace-normal break-words">Establish a schedule for reviewing and updating the policy</li>
</ul>
<h2 class="font-600 text-xl font-bold">15. Conduct User Training</h2>
<ul class="-mt-1 list-disc space-y-2 pl-8">
<li class="whitespace-normal break-words">Train employees on approved AI resources</li>
<li class="whitespace-normal break-words">Educate staff about the new AI policy, including ethics and protecting sensitive information</li>
<li>Encourage users to look at their daily tasks and see which tasks AI might streamline or improve in other ways</li>
</ul>
<p class="whitespace-pre-wrap break-words">By following all these steps, you&#8217;ll be more prepared to deploy AI in your organization while addressing some essential security, legal, and operational concerns. Successful AI implementation is an ongoing process requiring continuous attention and adaptation. AI is here to stay; you want to be thoughtful sooner to avoid costly problems later.</p>
<div class="et_pb_module et_pb_post_content et_pb_post_content_0_tb_body">
<p><strong>Subscribe</strong> to maximize your executive potential with Foster Institute’s E-Savvy Newsletter, packed with practical IT security solutions and actionable strategies for success: <a href="https://fosterinstitute.com/e-savvy-newsletter/">https://fosterinstitute.com/e-savvy-newsletter/</a></p>
</div>
<p>The post <a href="https://fosterinstitute.com/ai-implementation-roadmap-the-executives-guide-to-avoiding-million-dollar-mistakes/">AI Implementation Roadmap: The Executive&#8217;s Guide to Avoiding Million-Dollar Mistakes</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Demystifying Questions Cyber Insurance Companies Will Ask You</title>
		<link>https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Mon, 08 Jul 2024 22:00:22 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<category><![CDATA[Wireless Security]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5302</guid>

					<description><![CDATA[<p>If you have existing or are applying for new Cyber Insurance coverage, be prepared for the questionnaire. Knowing what they’ll ask can give you time to implement systems to answer “yes” to the questions affecting your premium rates and whether you’re still considered insurable. Common questions on insurance applications include: Do you use MFA? Multi-factor authentication [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/">Demystifying Questions Cyber Insurance Companies Will Ask You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If you have existing or are applying for new Cyber Insurance coverage, be prepared for the questionnaire. Knowing what they’ll ask can give you time to implement systems to answer “yes” to the questions affecting your premium rates and whether you’re still considered insurable.</p>
<p><strong>Common questions on insurance applications include:</strong></p>
<p><strong>Do you use MFA?</strong> Multi-factor authentication means users must go through a second step when logging in. A prevalent method for the second factor is using an authentication application on users’ phones. It is essential to use a number-matching requirement so that a user must type in a code displayed on their phone into their computer before authentication. Another second factor is time-based one-time password (TOTP) apps on phones that display a number on the phone that the user enters as part of the authentication process. The number displayed in the app resets periodically, typically every 30 seconds. Other factors include using hardware keys that plug into USB ports and biometrics, including fingerprints or facial recognition. A typical second factor is receiving an SMS text message with a code, but that method is vulnerable to attacks such as SIM Swapping. In the interest of security, you should enforce MFA everywhere possible, including VPN, Remote Desktop, and SaaS offerings.</p>
<p><strong>Do you provide ongoing cybersecurity awareness training and periodic phishing simulation emails to measure worker proficiency?</strong> Your users must receive regular security awareness training, such as once per month and perhaps a comprehensive webinar or other presentation once a year. Additionally, services can send users a simulated phishing email once a month to measure their response, such as whether they open the message, click on the simulated fraudulent link, and are duped into entering credentials. One often overlooked aspect of training and simulated phishing is that it might take time for your already overworked staff to configure, send, monitor, and produce reports about the results every month. You’re welcome to contact us to provide that service, and we do 100% of the work, so there is no additional burden on your workers. Training for new employees is available. We also provide comprehensive yearly training webinars and other presentations. Whatever training you use, be sure that it adapts to keep your users current with the rapidly evolving threat landscape.</p>
<p><strong>Do you provide password management tools to users?</strong> Tools that remember and automatically enter users’ passwords can help encourage users to use different passwords for every login. Users with the habit of reusing passwords pose a risk to your organization. Once attackers compromise a password, they will attempt to use that same password at popular sites. This practice is sometimes called credential stuffing, and attackers can be very successful at breaking into sites if users reuse passwords. An added benefit is user productivity and user happiness. Ensure the company&#8217;s password manager uses strong encryption to store your passwords securely. Single Sign-On (SSO) is becoming more popular, allowing users to log in once to access multiple sites or resources.</p>
<p><strong>Do you utilize geo-blocking or geo-filtering?</strong> These technologies identify computers, users, and email messages based on geographical location. You will be more secure if you block email and login attempts from geographical areas where you never do business and block user logins from countries where you have no users. While attackers can bypass these protections using VPNs, the protections are still helpful.</p>
<p><strong>Are users local administrators?</strong> When you set up a new Windows or Apple computer, the user has local administrator access and can perform many activities, including installing programs. If an attacker manages to compromise that user’s account, the attacker has tremendous power to compromise that computer and potentially your entire organization. This topic is complex, but the goal of every organization must be to ensure all workers are “standard users” on their computers. Being a standard user limits what an attacker can damage and makes the user account more difficult to compromise in the first place. Privileged Access Management (PAM) solutions help manage local admin rights by controlling and monitoring privileged access to critical systems.</p>
<p><strong>Do you segment your network?</strong> Network segmentation splits your network into smaller parts based on the purpose or type of device. For example, suppose you isolate your security cameras from your servers on a different network segment, such as a subnet or VLAN. If an attacker breaks into a security camera, segmentation can block their ability to hack your servers through the camera. Common segments include:</p>
<ul>
<li>Servers</li>
<li>Desktops and Laptops</li>
<li>Wireless Network</li>
<li>VPN users</li>
<li>Security cameras</li>
<li>VoIP systems</li>
<li>Different floors in your building or different buildings on your campus</li>
</ul>
<p>It is possible to over-segment and create too much work for your IT Team, but that rarely happens. Your team will set up Access Control List (ACL) rules that limit communications between the segments to block unauthorized activities.</p>
<p><strong>Have you established a security baseline for your systems?</strong> Have a documented standard configuration for security controls you enforce on your servers, workstations, and mobile devices.</p>
<p><strong>How soon after release do you apply critical security updates to your devices?</strong> Microsoft, Apple, your firewall manufacturer, and other providers release security updates to programs to block attackers from using previously undetected security holes. You must apply the patches quickly to prevent attackers from exploiting the vulnerabilities. Testing patches before deployment is essential to avoid errors. Staging patches allows you to help ensure they don&#8217;t disrupt your production network. Zero-day patches and updates fix problems that attackers are already using to compromise systems.</p>
<p><strong>Do you allow workers to use family computers or mobile devices to access email and work from home?</strong> Family computers are significantly less secure than company-issued devices that your IT Team manages, monitors and protects 24×7. It is relatively common for organizations to permit users to use their BYOD phones to access company email. Your insurance company could see that as a red flag against providing or renewing a policy. You’ll want to demonstrate other safeguards you use to minimize the risk.</p>
<p><strong>Do you enforce EPP on all devices?</strong> An Endpoint Protection Platform (EPP) is a tool your IT Team can use to protect each device on your network. Ask your IT Team. Chances are they’ve implemented this solution. They might use Security Information and Event Management (SIEM) to enhance visibility and response. SIEM systems aggregate and analyze activity from different resources across your IT infrastructure.</p>
<p><strong>Do you utilize EDR/XDR tools?</strong> Using Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or Managed Detection and Response (MDR) agents on the laptops can increase security by monitoring for malicious behavior known as an indicator of compromise (IoC). EDR/XDR tools provide many benefits, including continuously monitoring network devices and watching for suspicious activities or evidence that an attacker is compromising a system. EDR/XDR is designed to identify, isolate, and mitigate threats. EDR and XDR must be effectively monitored, managed, and updated. One way many organizations ease the burden on their internal IT Teams is to utilize a third-party MSSP to perform these tasks. Managed Detection and Response (MDR) means you pay a third-party provider to manage your EDR/XDR. One key point to remember is that attackers can also obtain these protection tools and continually seek ways to bypass them. We perform Red Team Exercises at companies to test the capabilities of the EDR and XDR protections. Do not make the common mistake of letting your guard down in other security areas after implementing EDR or XDR.</p>
<p><strong>How frequently do you conduct internal and external security audits, vulnerability assessments, penetration tests, and Red Team Exercises?</strong> These tests identify previously undiscovered weaknesses in your security. Please get in touch with us if you need these services as part of a comprehensive security advisory service for executives to help them secure their organizations. We guide and become a resource for your existing IT team rather than replacing them.</p>
<p><strong>Does your spam filter scan messages and attachments for malicious links?</strong> If the answer is no, you need to add these features immediately.</p>
<p><strong>Do you use web filtering and DNS filtering?</strong> Web filtering features, often integrated with firewalls, allow your IT team to block known malicious sites, gambling, and other categories of websites. The Domain Name System (DNS) maps website domain names to the addresses of servers on the web. DNS filtering services strive to identify malicious web servers and automatically block communications from your network to them. As a bonus, some services permit you to hinder users from accessing sites you might deem inappropriate.</p>
<p><strong>Do you use SPF for email messages?</strong> The Sender Policy Framework is a protective solution that your IT Team can enable to permit your email servers to confirm that inbound email messages came from an approved server rather than a fraudster impersonating or spoofing a legitimate source. While they are at it, your IT Team can enable DKIM to help other organizations’ mail servers confirm that messages they receive from you are legitimate and unaltered. They can configure DMARC to tell remote email servers to throw away messages from fraudsters attempting to impersonate your organization. It is essential to regularly review your SPF, DKIM, and DMARC records to adapt to the changing configurations and threat landscape.</p>
<p><strong>Do you identify storage locations and isolate PII, PHI, and other sensitive data?</strong> Determining where you store Personally Identifiable Information (PII), Protected Health Information (PHI), Cardholder Data (CHD), and other sensitive information is essential. Knowing where to store sensitive information is a fundamental step in protecting it. Do you keep the information isolated and protected? This identification and isolation is becoming even more critical due to the integration of AI into organizations, which might give AI access to company information.</p>
<p><strong>Do you use role-based access control (RBAC) to limit user access based on their job functions, and how do you manage and monitor privileged accounts? </strong>Role-Based Access Control (RBAC) ensures that users only have access to the data and systems necessary for their specific job functions. This minimizes the risk of unauthorized access to sensitive information. Privileged accounts with higher access levels are managed through Privileged Access Management (PAM) solutions that monitor and control their use, reducing the risk of misuse or compromise. Regular audits and real-time monitoring of these accounts are essential to detect and respond to suspicious activities.</p>
<p><strong>Do you encrypt sensitive data at rest and in transit, and what encryption standards do you use? </strong>Encryption is critical for protecting sensitive data when it is stored (at rest) and transmitted (in transit). Encryption standards such as Advanced Encryption Standard (AES) with 256-bit keys are commonly used to ensure robust security. Data at rest is encrypted to protect it from unauthorized access, even if physical security is breached. Data in transit is encrypted using protocols like TLS (Transport Layer Security) to prevent interception during transmission over networks.</p>
<p><strong>How do you assess and manage third-party vendors&#8217; cybersecurity risks and ensure vendors follow appropriate security practices? </strong>Third-party vendors can introduce significant cybersecurity risks. Assessing these risks involves regular security evaluations and audits of the vendors&#8217; practices. It’s important to have contracts that require vendors to follow appropriate security practices tailored to their roles and services. Continuous monitoring and periodic reassessments ensure that vendors maintain the required security posture over time. Organizations can manage risks by working collaboratively with vendors to meet security expectations without imposing stringent certification requirements.</p>
<p><strong>Do you use firewalls, intrusion detection/prevention systems (IDS/IPS), and other network security measures? </strong>Firewalls act as a barrier between the internal network and external threats, controlling incoming and outgoing traffic based on predetermined security rules. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for suspicious activities and take action to prevent potential breaches. These network security measures are crucial for protecting against unauthorized access and cyberattacks.</p>
<p><strong>How do you secure remote access to your network? </strong>Securing remote access involves implementing measures such as Virtual Private Networks (VPNs), which encrypt the connection between remote users and the corporate network. Your IT professionals must manage remote devices to help increase security. Multi-factor authentication (MFA) adds an extra layer of security by requiring additional verification steps beyond just a password. Additionally, restricting remote access to only essential personnel and monitoring for unusual login activities are critical components of a secure remote access strategy. This is an extensive topic; please let us know if you want more information.</p>
<p><strong>What physical security measures do you have in place to protect your data centers and offices? </strong>Physical security measures are essential to protect data centers and office premises from unauthorized access. These measures include access control systems like key cards or biometric scanners, surveillance cameras, and security personnel. Secure facilities should also have environmental controls such as fire suppression systems and backup power supplies to safeguard against physical threats and disasters. The Foster Institute offers full-scale Physical Red Team Exercises to test your physical security measures.</p>
<p><strong>Are you compliant with relevant regulations and industry standards, such as GDPR, HIPAA, PCI-DSS, or ISO/IEC 27001, and how do you ensure ongoing compliance with these standards? </strong>Compliance with regulations and industry standards demonstrates a commitment to maintaining high security and privacy standards. Regular audits and assessments help ensure compliance with frameworks such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), PCI-DSS (Payment Card Industry Data Security Standard), and ISO/IEC 27001. Ongoing compliance is maintained through continuous monitoring, employee training, and updates to policies and procedures as standards evolve. Please let us know if you need help with achieving or maintaining compliance. The Foster Institute, Inc. can simplify and manage the process for you.</p>
<p><strong>How do you secure mobile devices employees use to access company data and use mobile device management (MDM) solutions to enforce security policies on mobile devices? </strong>Mobile Device Management (MDM) solutions enforce security policies on employees&#8217; mobile devices that access company data. These solutions can remotely manage and secure devices, ensuring they comply with organizational security standards. Features include enforcing strong passwords, encrypting data stored on the device, and remotely wiping data if a device is lost or stolen. This ensures that mobile devices do not become a weak point in the company&#8217;s overall security posture.</p>
<p><strong>Do you store backups offline or on immutable storage?</strong> If an attacker gains access with the intent of encrypting or deleting data to demand ransom, they might attempt to destroy your ability to restore. They know you’re more likely to pay the ransom if you cannot restore sensitive data. So, you must isolate some backup data so the attacker cannot damage it. It is essential to have backups that threat actors cannot delete or damage if they break into your network. Immutable storage is data stored where you can access it, but no users, not even your administrators, can delete or alter the backup files. Cloud providers, such as Microsoft, offer immutable cloud storage. Other devices use write-once-read-many (WORM) technology to store data immutably. Offline backup is disconnected from your network. Some companies might use backup tapes or hard drives disconnected from the network and store them in a safe location for offline storage. Other organizations have a secondary network, isolated from the primary network, dedicated to their backup servers; the only connection is a server that transfers production network data to the backup network. It is best to store backups in diverse locations for redundancy and eliminate any single points of failure.</p>
<p><strong>Do you encrypt your backups?</strong> If an unauthorized person accesses your backup data, it is useless if they cannot read the contents. Encryption is a setting in your backup software. There was a time when people wouldn’t encrypt backups because the backups would take much longer. With today’s technology, there should be little added time.</p>
<p><strong>How often do you practice the restore process?</strong> If you have never practiced your complete restore process, do it now. Many organizations find out they cannot restore from their backups. Often, their failed attempt was the first time they’d ever tried to restore. It can be complicated to perform a test restore, so be prepared to give your IT Team additional time. If you outsource your IT, it is understandable that they’ll charge you for practicing the restore. Always perform restore tests in a controlled environment, separate from your production systems.</p>
<p><strong>How long will it take to restore your data from backups?</strong> When you practice your complete restore process, measure the time it takes to restore. If you find out the duration is too long, you can take steps to speed up the process.</p>
<p><strong>What steps do you take to prevent ransomware attacks?</strong> This space on the insurance application allows you to list the items above in statement form. Almost all security measures you use can protect against ransomware attacks or limit the impact.</p>
<p><strong>Do you have a documented Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) in place?</strong> Documented disaster recovery plans demonstrate that you’ve thought through the processes required to recover from disruptive events. These plans should outline specific procedures for data recovery, system restoration, and maintaining business operations during and after an incident.</p>
<p><strong>Do you conduct disaster recovery drills?</strong> Regular drills ensure your team is prepared to execute the DRP and BCP effectively. These drills can be as basic as tabletop exercises, where team members discuss their roles and responses to hypothetical scenarios, or as comprehensive as full-scale exercises that simulate actual disaster conditions and involve all aspects of the organization.</p>
<p>These are some of the most common questions on our customers&#8217; insurance policy applications and renewal forms. If you find others, please reach out for guidance.</p>
<p>The post <a href="https://fosterinstitute.com/questions-cyber-insurance-companies-will-ask-you/">Demystifying Questions Cyber Insurance Companies Will Ask You</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Short List of Essential Cybersecurity Statistics Exposes Attackers and Can Help You Secure Your Systems</title>
		<link>https://fosterinstitute.com/short-list-of-essential-cybersecurity-statistics-exposes-attackers-and-can-help-you-secure-your-systems/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Tue, 10 Jan 2023 16:52:41 +0000</pubDate>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[Hacking]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5361</guid>

					<description><![CDATA[<p>Verizon&#8217;s 2022 Data Breach Investigations Report reveals some interesting information from extensive worldwide research. In North America, System Intrusion attacks (now up to 80%) surpass Social Engineering (down to 20%). System Intrusion is when attackers gain access to networks, plant ransomware, establish remote access, and otherwise compromise data and processes in a network. 90% of [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/short-list-of-essential-cybersecurity-statistics-exposes-attackers-and-can-help-you-secure-your-systems/">Short List of Essential Cybersecurity Statistics Exposes Attackers and Can Help You Secure Your Systems</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Verizon&#8217;s 2022 Data Breach Investigations Report reveals some interesting information from extensive worldwide research.</p>
<p>In North America, System Intrusion attacks (now up to 80%) surpass Social Engineering (down to 20%). System Intrusion is when attackers gain access to networks, plant ransomware, establish remote access, and otherwise compromise data and processes in a network.</p>
<p>90% of system intrusion attacks in North America were performed by threat actors external to the company, but the 10% that were internal highlight the concern of insider threats. An insider threat is someone working for an organization who accidentally or intentionally gives attackers access.</p>
<p>In North America, the motivations for attacks were:<br />
For financial gain: 96%<br />
Espionage and spying: 3%<br />
Grudges and anger: 1%</p>
<p>Of attacks in North America, 14% were caused primarily by cloud security misconfigurations, highlighting the need to ensure IT professionals are familiar with the complex security settings related to cloud services. An excellent resource for Microsoft cloud security is <a href="https://learn.microsoft.com/en-us/microsoft-365/solutions/setup-secure-collaboration-with-teams?view=o365-worldwide#securing-teams-for-sensitive-and-highly-sensitive-data" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/microsoft-365/solutions/setup-secure-collaboration-with-teams?view=o365-worldwide#securing-teams-for-sensitive-and-highly-sensitive-data</a></p>
<p>To see statistics in other parts of the world and overall, you can find the report at <a href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener">https://www.verizon.com/business/resources/reports/dbir/</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Reasons to Keep Your Same Outsourced Computer Consultant or Managed Service Provider</title>
		<link>https://fosterinstitute.com/reasons-to-keep-your-same-outsourced-computer-consultant-or-managed-service-provider/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 01 Sep 2022 22:57:37 +0000</pubDate>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Ransomware]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5319</guid>

					<description><![CDATA[<p>Our role is to be security advisors to organizations, some of whom outsource their IT services. Executives sometimes express their frustration and ask us whether to fire a Managed Service Provider or third-party IT consulting company that handles all aspects of their IT needs. We always listen to the executive and ask them about specific [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/reasons-to-keep-your-same-outsourced-computer-consultant-or-managed-service-provider/">Reasons to Keep Your Same Outsourced Computer Consultant or Managed Service Provider</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Our role is to be security advisors to organizations, some of whom outsource their IT services. Executives sometimes express their frustration and ask us whether to fire a Managed Service Provider or third-party IT consulting company that handles all aspects of their IT needs. We always listen to the executive and ask them about specific experiences. 99% of the time, organizations are better off sticking with their existing provider, and here are some reasons.</p>
<p>An exception is if you feel held hostage by them, or if there is some other outstanding way they&#8217;ve failed you. Yes, we&#8217;ve seen horror stories. In those extreme cases, the executives had already decided to fire their outsourced firm.</p>
<p>When we perform cybersecurity consulting, unless the executives ask us to approach it differently, we give the outsourced firm the benefit of the doubt that their intentions are always to provide you with the best service possible. If we encounter a grave security mistake, that&#8217;s one purpose of the audit – for us to catch things like that so your IT providers can fix it. We almost always find at least one gaping hole, which is our specialty. After all, third-party IT companies are responsible for many aspects of your IT operations, while our focus is cybersecurity. Once outsourced IT firms realize we&#8217;re there to help and not replace them or their services, they relax, welcome input, and ask questions about the best way to protect you.</p>
<p>If you move to a new provider, there could be a steep learning curve before they can serve you at the same level. Keep in mind that your IT provider is already familiar with your systems and understands the unique challenges you face. Unless their turnover is high, the professionals that serve you know your team members and maintain a friendly, professional working relationship with them.</p>
<p>If you consider changing providers because some well-meaning person says you have the wrong brands of products, find out if their personal bias is evidence-based. If the specific solution your provider prefers meets all the functionality criteria, it is almost always best to allow your IT Professionals to select brands and vendors they like. They typically prefer particular brands and solutions for important reasons.</p>
<p>For example, their engineers might be most familiar with Cisco, Juniper, SonicWALL, WatchGuard, or one of the many other firewall brands. Most brands, if configured properly, will serve you well. As with automobile repairs, you want a technician familiar with your car&#8217;s brand. If you ask your outsourced IT company to support an unfamiliar product, you&#8217;re putting them in an uncomfortable position. They want to consistently produce excellent outcomes for you, and if you insist that they support a brand they are unfamiliar with, you could be setting them up for failure.</p>
<p>Your outsourced IT firm almost certainly has you set up with specific vendors for your anti-virus, anti-spam, backup solution, etc., because they have automated tools that allow them to monitor and manage those solutions. That economy of scale helps them take optimum care of you. Deviating from their standard brands creates unnecessary expense and frustration. For this reason, if you do decide to change providers, prepare yourself for needing to replace some of your software and hardware to conform to the new IT provider&#8217;s preferred configuration.</p>
<p>If your provider is too slow to respond, perhaps they&#8217;re understaffed but have an expedited service option you could invest in to get priority access to their best engineers. Or maybe they have a different brand or product solution that permits them to use streamlined tools, but you&#8217;re still using products a previous IT firm installed.</p>
<p>Without knowing the brands you are using, I cannot say if you&#8217;ve got great ones. I can share that most brands have excellent products and solutions that work well when appropriately configured by knowledgeable professionals who&#8217;ve proven their proficiency by earning certifications on those brands.</p>
<p>Executives sometimes ask if they should seek a cheaper provider. We rarely see third-party IT companies overcharging for services. They are aware of the competitive nature of their business. Consider how much it would cost you if all your systems were down, and the investment you pay your IT support firm is probably worth it.</p>
<p>Yes, your IT provider might be priced higher, but consider their level of professionalism too. Are they quick to reply when you need them? Do they fix issues the first time?</p>
<p>It can be an excellent sign if you feel you don&#8217;t need your provider because you never have any problems. That can indicate that your IT firm is taking such good care of the inner workings of your systems that everything runs smoothly for you. If you did terminate your IT provider, things could start falling apart slowly and unnoticed, until the problems stack up to the point where you suffer a disaster.</p>
<p>If you wonder whether they are competent, consider asking them for a list of certifications they&#8217;ve earned from Microsoft, Cisco, or the brands and technologies they provide and support for you. If they&#8217;re not certified, encourage them to take the training and pass the tests. Certifications often involve significant expense and time, so don&#8217;t expect them to earn the credentials overnight. Passing the certification exam will be a breeze if they&#8217;re already knowledgeable about the products they support. And during the training, they might find new ways to help your organization without you needing to buy more stuff. Everyone benefits.</p>
<p>Your firm may not have top-level cybersecurity certifications. Cybersecurity is a complicated and rapidly evolving field that requires intense specialization. We never have expectations that third-party computer services companies know everything there is to know about cybersecurity. We expect them to be open to cybersecurity recommendations. We&#8217;re thrilled to discuss and answer their questions as they tune the solutions from brands they sell and support.</p>
<p>As cybersecurity advisors, it is rewarding to see and facilitate, if necessary, our customers strengthening their relationship with their MSPs and other third-party IT firms. Sometimes it is a matter of us helping you identify the pros and cons of the add-on cybersecurity packages your provider offers. Or, if their package isn&#8217;t the perfect fit, sometimes you can negotiate the offerings to get the best solution.</p>
<p>Please forward this to your friends if they wonder if they should change to a new outsourced IT consulting firm. As long as they&#8217;re well-staffed, competent, and professional, there are many advantages to staying with the company with whom they have an established working relationship.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Make Logging into Websites and Networks a Happier Experience Using One-Tap Login</title>
		<link>https://fosterinstitute.com/make-logging-into-websites-and-networks-a-happier-experience-using-one-tap-login/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 21 Jan 2022 00:38:17 +0000</pubDate>
				<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Password Security]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5103</guid>

					<description><![CDATA[<p>Sometimes, when you log in, you must enter a code you receive by text or from an app on your phone. However, if you use one-tap login, all you need to do is click a checkmark on your phone&#8217;s screen. Some organizations, including Microsoft, give you the option to skip the password component altogether. Your [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/make-logging-into-websites-and-networks-a-happier-experience-using-one-tap-login/">Make Logging into Websites and Networks a Happier Experience Using One-Tap Login</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Sometimes, when you log in, you must enter a code you receive by text or from an app on your phone. However, if you use one-tap login, all you need to do is click a checkmark on your phone&#8217;s screen.</p>



<p>Some organizations, including Microsoft, give you the option to skip the password component altogether. Your users will be so happy not to need passwords anymore. Your IT Professionals will be so happy not to deal with resetting users&#8217; passwords. Learn more at <a href="https://fosterinstitute.com/microsoft-lets-you-stop-using-passwords/" target="_blank" rel="noreferrer noopener">https://fosterinstitute.com/microsoft-lets-you-stop-using-passwords/</a></p>



<p>You can let your IT Pros choose which service to use. Options include Duo Security, PhoneFactor, Entrust, SecurID, Google, and more. (The Foster Institute doesn’t receive any kind of compensation for mentioning brand names, nor do we endorse any of those organizations.)</p>



<p>Please forward this to your friends, so they know how logging in can be more fun.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Executives: Celebrate IT Appreciation Days</title>
		<link>https://fosterinstitute.com/executives-celebrate-it-appreciation-days/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Thu, 23 Dec 2021 19:18:25 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5082</guid>

					<description><![CDATA[<p>Technical issues happen all the time, and you don&#8217;t hear about them because your IT professionals solve the problem efficiently and quietly. They use their skills and experience to perform monumental feats every month, and most executives have no idea what their professionals accomplished. Once, a CEO told me that he thought he should fire [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/executives-celebrate-it-appreciation-days/">Executives: Celebrate IT Appreciation Days</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Technical issues happen all the time, and you don&#8217;t hear about them because your IT professionals solve the problem efficiently and quietly. They use their skills and experience to perform monumental feats every month, and most executives have no idea what their professionals accomplished.</p>



<p>Once, a CEO told me that he thought he should fire all three of his IT Pros because they never did anything. I asked him about the stability of his network. He responded that nothing ever goes wrong. I gently smiled and explained that if everything is working fine, that means his team is working diligently behind the scenes to keep it that way.</p>



<p>In some organizations, IT professionals rarely get noticed until something is wrong. They may be working many more hours than you pay them for or that you expect from them. COVID creates constant challenges for them, too, as they keep your systems flexible to meet demands. And your workers sometimes ask for help on the same day your IT team planned to implement a significant update or reconfiguration.</p>



<p>Your internal and outsourced IT professionals are courageous, patient, experienced, and have bulldog tenacity to solve every problem you assign. They must research and be in a constant learning mode because technology changes so rapidly.</p>



<p>You&#8217;ve got superheroes supporting you! Remember them every time you log in. As you make new year’s resolutions, consider scheduling IT appreciation days for 2022! They deserve them.</p>



<p>Happy Holidays!</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Help Your Third-Party Providers Be More Secure Because Your Security is Only as Good as Their Security</title>
		<link>https://fosterinstitute.com/help-your-third-party-providers-be-more-secure-because-your-security-is-only-as-good-as-their-security/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 12 Nov 2021 18:16:11 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5017</guid>

					<description><![CDATA[<p>Below is a letter you can send your third-party service providers if you want to give them pointers on being more secure. We’ve done the work to make this quicker for you. None of these are unreasonable for you to request. You and your IT team can customize the letter to fit the relationship best. [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/help-your-third-party-providers-be-more-secure-because-your-security-is-only-as-good-as-their-security/">Help Your Third-Party Providers Be More Secure Because Your Security is Only as Good as Their Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Below is a letter you can send your third-party service providers if you want to give them pointers on being more secure. We’ve done the work to make this quicker for you.</p>



<p>None of these are unreasonable for you to request. You and your IT team can customize the letter to best fit the relationship. These recommendations apply even if a company doesn’t have servers and does all of its work in the cloud.</p>



<p>Dear – you fill in the blank,</p>



<p>We are checking in with all of our valued service providers, including you. If your organization suffers a significant security incident, you might not be able to provide the service we count on from you. A security breach at your organization could impact our business too. In the interest of helping you protect your organization, here are some guidelines:</p>



<p>You must have a robust disaster recovery plan. You must be able to recover quickly if you lose access to your information. Your IT team needs to practice restoring because experiencing ransomware is not the best time to practice restoring all of your data for the first time.</p>



<p>It is essential that your IT team, or IT company, manage the security of all of your computers, including the computers any work-from-home employees use. Your IT professionals need to monitor the security update status, manage anti-virus, and perform other administrative functions that help protect the computers your workers use.</p>



<p>Please discuss with your IT team or IT company how quickly they deploy critical security updates to your computers. Security updates sometimes cause issues, so it is best to test updates, especially server updates if you have servers, before deploying them. Because the updates often prevent attacks, there is a level of urgency.</p>



<p>Remove programs you aren’t using. Attackers sometimes gain access to your systems through programs, and they cannot exploit a program that’s not installed. Flash is an example of a program installed on many computers that poses a security risk. Your IT team can give you the details and identify other programs they can remove from computers to increase security.</p>



<p>Ask your IT team to make sure your user accounts are “standard local users” on your computers. This one step can increase your security immensely. By default, users are local administrators on their computers. This setting applies to Mac and Windows computers. If an attacker breaks into a computer whose user is a local administrator, the attacker inherits those elevated privileges and can defeat your security protections.</p>



<p>Enable two-step verification on all the websites that require a login. In its most basic form, once a two-step login feature is enabled, when a user enters a username and password, their phone will receive a text message with a code to complete the login process. This added protection helps you tremendously if an attacker steals one of your website passwords. The setting is usually in the security settings of the website. Three places two-step login is essential:</p>



<p>-SaaS programs your users run in the cloud. Zoom, QuickBooks Online, an ERP, G Suite, Office 365, and Salesforce are SaaS offerings.<br>-VPN connections<br>-Remote Desktop connections</p>



<p>Realize that connecting from public networks, including coffee shops and hotels, is risky, even if the user uses a VPN. It is more secure to use a phone or personal hot-spot to connect a computer to the Internet. The added phone charges may be lower than you expect, especially if you change to a plan with unlimited data.</p>



<p>Please forward this to your service providers; it can help prevent big heartaches and expenses for you and them.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>If You Outsource Your IT, it is Their Job to Keep You Happy, Not the Other Way Around.</title>
		<link>https://fosterinstitute.com/if-you-outsource-your-it-it-is-their-job-to-keep-you-happy-not-the-other-way-around/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 01 Oct 2021 14:21:01 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=4967</guid>

					<description><![CDATA[<p>After we performed a cybersecurity audit for a company many years ago, the President and CEO assigned the recommendations to their IT consulting firm. What is different about this lead executive is that he gently applies firm pressure on their IT consultants to complete the recommended improvements. He&#8217;s kind and respectful to his consulting company, [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/if-you-outsource-your-it-it-is-their-job-to-keep-you-happy-not-the-other-way-around/">If You Outsource Your IT, it is Their Job to Keep You Happy, Not the Other Way Around.</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>After we performed a cybersecurity audit for a company many years ago, the President and CEO assigned the recommendations to their IT consulting firm. What is different about this lead executive is that he gently applies firm pressure on their IT consultants to complete the recommended improvements. He&#8217;s kind and respectful to his consulting company, communicates expectations, asks many questions, and involves himself in cybersecurity decisions.</p>



<p>I admire seeing how he communicates, and I&#8217;ve asked his secret. He tells me he focuses on his responsibility to protect his workers&#8217; and customers&#8217; sensitive information. Everything else falls into place.</p>



<p>If the consultants need to charge money to implement changes, he asks us if we feel the price is fair and then decides. He makes sure his consultants know he&#8217;s holding them accountable by bringing us back every year to audit the systems and provide new recommendations.</p>



<p>The outsourced computer consulting company was never upset and eagerly followed the executive&#8217;s directives. The IT firm has great respect for the executive because of his bold leadership. I admire the proficiency of his IT consulting firm in meeting requirements, even when they are surprised a customer has higher expectations than most of their other customers.</p>



<p>Fast forward many years: This company is, and continues to be, one of the most secure customers we have. The leader&#8217;s no-nonsense approach to cybersecurity works best. Thieves might have stolen the air conditioning compressor units from outside their buildings, but no hackers have broken into their network!</p>



<p>If you outsource IT, your consultant company respects that you make the decisions. They&#8217;ll welcome audit recommendations and your directives if you&#8217;re willing to pay a fair fee. Their goal is to keep you happy, not the other way around.</p>



]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protect Against Work From Home Computer Attacks Compromising your Primary Network</title>
		<link>https://fosterinstitute.com/protect-against-work-from-home-computer-attacks-compromising-your-primary-network/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 13 Aug 2021 20:05:59 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Cybersecurity Audits]]></category>
		<category><![CDATA[Supporting IT Professionals]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=4864</guid>

					<description><![CDATA[<p>Tell your IT provider, or internal IT team, that you want them to isolate or filter the VPN connections. At least discuss this security step with them. If any users connect via VPN to your office, be sure your IT team isolates or filters the data that travels from the VPN connections to your primary [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/protect-against-work-from-home-computer-attacks-compromising-your-primary-network/">Protect Against Work From Home Computer Attacks Compromising your Primary Network</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Tell your IT provider, or internal IT team, that you want them to isolate or filter the VPN connections. At least discuss this security step with them.</p>



<p>If any users connect via VPN to your office, be sure your IT team isolates or filters the data that travels from the VPN connections to your primary network. Filter the data going back too. If the VPN data comes directly, or unfiltered, into your network, that facilitates an attacker gaining access to your primary network if they compromise a remote worker&#8217;s computer.</p>



<p>(The rest of this message is a bit technical. You can forward this to your IT team if you wish. Please forward this message to fellow executives so they can consider this strong security protection.)</p>



<p>Your router or firewall might already provide an option to filter the traffic. Default settings are usually weak, so ask your IT team to enable the feature. The filtering must happen, not in a computer, but in an infrastructure device such as a firewall, router, or switch.</p>



<p>You can share this example with your IT team: If the primary network uses the subnet 10.10.10.0, then it is dangerous for the VPN connections to land on that same subnet. It is helpful, for cybersecurity, to use separate filtered subnets. Here is an example of segmenting the VPN connections away from the primary network:</p>



<p>10.1.1.0 &#8211; Primary Network<br>10.1.2.0 &#8211; VPN Connections</p>



<p>The addresses might start with 172 or 192.168, and that isn&#8217;t important. Your IT team knows the significance of using different address ranges.</p>



<p>Your IT team must establish robust filtering rules in the firewall, router, or switch to limit the VPN connections and the internal network traffic. Rules are sometimes called ACLs (Access Control Lists).</p>



<p>When creating the rules, your IT team must only allow traffic essential for remote users. They can filter using parameters including source IP, destination IP, protocol, and ports. Sometimes, the only protocol remote users need is RDP (Remote Desktop Protocol).</p>



<p>If the rules permit, ask your IT team to block connections from countries other than where your remote users will connect.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
