Shooting Yourself in Your IT Foot

We got a call recently from an MIA client who was trying to save money by relying on their “resident IT expert.” They could have shot themselves in the foot, but somehow, a few dance steps worked in their favor. They dodged this bullet, but not everyone is that lucky.

Our client is a multi-generational company, and one of its long-time employees served as their “resident IT expert.” A couple of members of the younger generation called us in because something didn’t seem to be right with their system. They thought their system was, for all intents and purposes, beyond repair. What concerned us most were the two answers we got to most of our questions:

  1. “I don’t know.”
  2. “We don’t have that information.”

When we logged into their system, we looked at their router and firewall and started to look at their setup. This time, we got some answers.

“Do you have another office?”

“Yes.”

“Does it connect to your system here?”

“Yes.”

The connection was made through a desktop computer that was sitting in a corner of the office – a computer that nobody ever touched. It was wide open; they allowed remote access to the desktop, and there was no protection against any kind of intruder. A hacker was able to get in and hijack their software by encrypting it.

We made phone calls to all of their application software vendors to learn how everything interacted, and we learned that they used Carbonite to back up their data. Trying to recover it was useless because all the data was corrupted, but we were able to get in. What we saw was eye-opening.

It turned out that they were hosting one small application that opened the door. Then we saw that nothing had been backed up for the entire year – and the ports were wide open. They also had an antiquated email system that was hijacked. Their in-house person never foresaw any issues with their setup and didn’t know the consequences of any settings that were tweaked or ignored.

We recommended they contact the hacker and see what it would cost to ransom their data, but they preferred to re-enter all of their data for the year. They had hard copies.

Before they began their recovery, we installed a new server and firewall, and while working with one of their software companies, we learned they had a copy of the data up to Aug. 1. Before they began any work, we set up a new email system and new log-in credentials.

It looked like they had dodged a hail of bullets, but within a day, their in-house person was already compromising their system by installing a bunch of utilities and other software. We put a stop to that, and that halted their system leaks and plugged their gaps. However, the whole process of investigating their processes and systems and buying and installing their new systems cost them almost $7,000 – plus their internal cost to re-enter what now amounted to one month’s worth of data. You could also add in a cost factor for aggravation.

In today’s age of a hacker-happy internet, you need a security audit to make sure your vulnerabilities are shored up. Call us – 973-433-6676 – or email us to set up your security audit. It will take an hour or two and cost less than $200. Hackers are highly sophisticated. How much could a breach of your system cost you? Don’t be penny wise and pound foolish.

How Does Your IT Consultant Handle Your Info?

Today’s interconnected world is an interdependent world. No matter how many precautions you take to protect your data’s security, technology has forced you to depend on other people’s diligence and on their sharing your passion for protection. You don’t have a lot of control over the weakest link in your online chain. But asking how your IT consultant handles your information can help you gain better control where it’s possible.

So, here’s the question you need to ask: How do you handle my information, including your access to my systems?

And, here’s the discussion that needs to follow:

Your IT consultant must follow the strictest protocols available to protect all the information you provide. This includes access to your servers, routers (including repeaters or boosters for Wi-Fi networks) and computers that store your information or have access to wherever you store information.

An individual provider, such as Sterling Rose, can handle your data security differently from a large support organization. It’s not that one type of provider is better for a particular client; it’s more a matter of tailoring protection procedures to meet real-world needs and being diligent about following them.

We can keep all of our clients’ information in one place that can be accessed by only one person, and that helps us build a strong wall around (and roof over) the user names and passwords for your systems. With the ability to securely access the information from a desktop computer or mobile device, we can service a client from anywhere.

We protect that information in a number of ways. These are just a few of them:

  • We regularly use two-factor authentication, which requires more than just a password. Every two-factor system has its own set of additional requirements, but the net result is that a hacker or robotic system cannot provide the necessary response. (We’re sure somebody is hard at work to defeat two-factor authentication, but right now, it works.)
  • We use long, complex passwords with upper- and lower-case letters, numbers and special characters. Those are always impossible to crack using the latest available algorithms – at least for now.
  • We use systems that require us to re-log in every 14 days and change our passwords and authentication information. It’s a major inconvenience for us, but it’s much more convenient than having to explain why we need to react to a security breach.

A larger IT service provider with multiple technicians available to service a client can also store information securely in one place, but all the technicians need to access it. Some questions you should ask include:

  • Where do you store my information?
  • How do technicians access my information?
  • What protocols do you follow for user names, passwords and other authentication?
  • Are you notified when my information is accessed, and are you able to track who accessed it?

Your IT consultant must be able to advise you on the best security measures to take within your own organization. They should be able to help you design and install a set of procedures for any point at which information is accessed, such as:

  • Accessing specific files or categories of files from within your office or offices that are stored on your own server or on a server hosted by a third party (a cloud provider)
  • Accessing that information from a remote location, such as a home office, where you can install and monitor security measures
  • Accessing that information from a remote location, such as a customer’s place of business or a public place, such as a coffee shop or airport, where you cannot verify the security of a network

You may also need to set up encrypted email, which we did for an insurance business. Our client reasoned that while they can control exchanges with their clients, they cannot control what happens when their clients communicate with others. Our client needed to be able to show that their security measures would stand up to an outside audit.

If you have any questions about how we handle your information, feel free to contact us at any time by email or phone – 973-433-6676. We would be more than happy to review our policies and procedures in general and for your information in particular. We can also help you develop and implement a security program for your business – or home – system.