The Tech Blog
Technology That Fits Your Business

Your source for the latest in IT Security, Support and Solutions.


How to Derive Benefits From IT Compliance

 

Businesses today struggle more and more with the IT compliance demands placed on them from all sides. The fact of the matter is that these demanding regulations are here to stay. The bright side is that accomplishing compliance goals is relatively straightforward, and once they have been implemented effectively, they contribute to enhancing and enabling the business in a big way. The key is to understand what IT compliance can accomplish and how its various areas can contribute to further enhancing and complementing business operations and reducing information-related risks. The most notable benefits of having an IT governance strategy in place are not just avoiding fines and penalties but also enhancing and measuring business performance.

Written by the IT technical staff at iCorps Technologies.

7 Key Factors for Choosing the Best IT Governance Model

 

At some point, your business may need to consider (or reconsider) an IT governance model. IT governance refers to a set of IT practices that align with your business strategies to ensure compliance and security.

Written by the IT technical staff at iCorps Technologies.

Virtualization: Streamlining Compliance for Healthcare Providers

 
Healthcare service providers have become more frequent targets of malware attacks in recent times. Why is this? Their databases possess valuable patient and client information, and are sometimes more vulnerable due to the volume of information stored in these databases. These files contain personal, financial, and other sensitive and private details that can be lucrative if stolen. This information is constantly transmitted in a variety of transactions, like email, making the data vulnerable to attack. When this information is stolen there can be significant legal and financial repercussions for the healthcare provider, which is why it is vital to keep all sensitive information secure.

To protect the privacy and integrity of this information, IT security administrators monitor systems for vulnerabilities, following HIPAA security compliance standards. When a system has a large number of devices to monitor, there is more opportunity for intrusions to occur. Internal IT teams do their best, but manually auditing security processes may not be an adequate solution to the problem. It can take large amounts of time both to implement and then to maintain the measures needed to protect the organization adequately from viruses and other attacks. That is why many healthcare organizations decide to outsource in order to satisfy compliance standards. Outsourcing a business's security and streamlining the monitoring process also allows for a more effective and secure network.

The first step for healthcare providers to become compliant is to ensure that their internal policies are in accordance with HIPAA standards. When these standards are followed, patient data is more likely to remain private and secure, and the healthcare provider is seen as a dependable, reliable, and trustworthy entity. To help maintain compliance, the use of virtualization can be a successful solution. 
  
Virtualization is the creation of a virtual (rather than physical) machine on an existing device, such as a hardware platform, operating system or storage device. Building a secure network and maintaining a vulnerability management program on fewer machines allows IT professionals to spend less time monitoring and maintaining the security of their devices. Through virtualization, a healthcare provider's IT department can efficiently:
  • Protect confidential data and critical IT systems, prevent loss of data, and automate an organization's compliance policies and processes
  • Develop solutions that increase a healthcare organization's business and IT agility
  • Automatically identify and protect databases and storage devices that contain sensitive and private data like social security numbers and credit card information
  • Create practical policies that ensure patient privacy
  • Secure IT systems while meeting compliance requirements

Implementing a virtualization solution for HIPAA or any other compliance standard can be time-consuming for many organizations, especially those with limited resources. Outsourcing to an experienced IT provider can also help with the ongoing process of compliance by setting policies and making sure that they are followed by the organization as a whole.








Written by the IT technical staff at iCorps Technologies.

Failure to Comply: Why Breaches Occur due to Non-Compliance

 

If your organization falls under any type of government compliance, it’s crucial that employees follow the proper protocol to be compliant with IT security policies. Executives generally delegate the process of ensuring that compliance standards are followed to IT leaders. The IT department determines where there are compliance gaps and applies the necessary measures and policies. However, for these measures to work efficiently, everyone in the organization must follow them. Unfortunately, employee non-compliance with policies can happen, and when it does, security breaches are possible.

Here are the top five causes of breaches due to non-compliance: 

  1. Employee exits: Employees often have access to sensitive information within an organization. When an employee leaves an organization, either voluntarily or otherwise, damage to confidential information can occur. Therefore, even when a trusted employee leaves, the same protocol must be followed – immediate removal of access to all areas of data, including networks, email, and company intranet. Though it may sound extreme, it’s better to be safe than sorry when critical information is at stake.
  2. Unintentional misuse of company data: While everyone wants to be helpful to both current clients and potential ones, sometimes that eagerness can have negative consequences. For example, providing confidential information to potential clients, vendors, or simply answering general inquiries can mean that sensitive data could be exposed. To ensure that sensitive data remains private, each department should regularly review security policies with its staff and encourage employees to ask when unsure.
  3. External attacks: Virus infiltration, spam, and other external attacks can easily threaten any area of a business and affect business continuity or access to data. Keeping a checklist of the tasks that need to be done to protect against attacks, and also of the actions to take in the case of a successful attack, can help prevent or minimize intrusions.
  4. Insecure networks: Hackers seem to enjoy finding loopholes in networks and exploiting them in order to hinder a company's ability to function. In addition to attempting to prevent external attacks, an organization should constantly monitor its networks. Using server monitoring, an organization can understand the most likely areas for a breach to occur and proactively take measures to prevent one from happening.
  5. Phishing (Social Engineering): Brute force hacking isn’t the only way that hackers can gain access to networks. A special type of attack, called phishing, occurs when hackers send legitimate-looking emails that appear to come from someone in the network to employees, hoping that they will open them. This form of social engineering can allow access to a business's entire network through one click by an employee. By implementing specific email format standards, applying backend rules, and using virus scans, the number of phishing attacks that make it to the email stage can be dramatically reduced.


IT policies are only as good as the employees who follow them. Not following security policies can result in a severe loss of productivity, damage to an organization’s brand and reputation, and possible financial and legal repercussions. Aside from this accountability, implementing strong and customized solutions is paramount to the successful compliance and security of a business.

iCorps is a leader in IT and government compliance consulting, helping satisfy the unique IT needs of businesses in Boston, Philadelphia and New York. Don't let a breach due to non-compliance disrupt your business. Contact iCorps today for a free consultation, then read our whitepaper on data backup and disaster recovery.




Written by the IT technical staff at iCorps Technologies.

Hacker News: Inside the Barnes & Noble Data Breach

 

Hackers have stolen credit card information from 63 Barnes & Noble stores across the US, reported the New York Times yesterday.

Written by the IT technical staff at iCorps Technologies.

How HIPAA and Email Encryption work together

 


Healthcare is a necessary evil in most Americans' lives - if you're lucky enough to have it. With the possibility of mandatory national healthcare on the horizon, it is imperative for IT departments and healthcare professionals alike to be aware of the link between HIPAA and email encryption.

Need for HIPAA


Written by the IT technical staff at iCorps Technologies.

IT Compliance: SEC Guideline Changes for Cyber Disclosure

 

The Securities and Exchange Commission, simply known as the SEC, has guidelines (also known as compliance standards) which tell companies when to divulge information on cyber attacks. This act is called Cyber Disclosure. Recently, the SEC has demanded that six high profile public companies divulge information regarding cyber breaches to their investors - Amazon Inc, Google Inc., Hartford Financial Services Group Inc., American International Group Inc., Eastman Chemical Co., and Quest Diagnostics Inc.

Written by the IT technical staff at iCorps Technologies.

3 New Steps to Simplify PCI Compliance in Virtual Environments

 
Today, many organizations are scrambling to be Payment Card Industry (PCI) compliant in virtual environments. PCI compliance is a security standard that ensures that any company that processes, stores, or transmits credit card information maintains a secure environment for that information. Essentially, any organization that has a merchant ID needs to be PCI compliant. It is especially important because clients and vendors need to know that they can trust an organization with their sensitive data.

But how does an organization become PCI compliant, especially in an age of dynamic technological changes and sophisticated intrusions? Here are three ways that can simplify PCI compliance in virtual environments. 
  1. Adjust the scope of the anticipated solution: After investigation, an organization may have detailed all of the steps that they need to perform so that they can adhere to PCI compliance standards. However, sometimes a business cannot do it all, or at least not right away. Prioritize the tasks that must be done immediately down to those that are nice to have. Keep in mind the technology and resources required to complete the tasks as well as the timelines for completion. 
  2. Tap into expertise: If an organization knows what it wants to achieve but may not have the knowledge to do it thoroughly or efficiently, it is a good idea to look into vendors who do have that knowledge and expertise. They can also advise about upcoming security advancements, protect against new and insidious cyber attacks, and advise about what can be done to protect sensitive data quickly, professionally, and affordably.
  3. Encrypt all data: Most importantly, every organization wanting to be PCI compliant needs to encrypt all data that they receive and transmit. Review all types of data to make sure that they are actually encrypted, and then determine if they are encrypted well and how the encryption can be strengthened. By monitoring encryption techniques on a regular basis, any business can help ensure that the data is well protected and less vulnerable to attacks.


It is imperative that any organization dealing with sensitive credit card data be PCI compliant as soon as possible and as strongly as possible. This maximizes the trust of clients and vendors, and helps ensure the continuity of a business. By realizing that one size doesn’t fit all, an organization can determine the best course of action to take, engage expertise in a range of areas, and then use this expertise and its accompanying technology to implement rock solid solutions.





Written by the IT technical staff at iCorps Technologies.


Is Network Security Worthless?

 

In today’s world of free data exchange, it is worth asking whether network security still holds the importance it did a few years ago. It is a high priority for corporate and top-level management to gain a better understanding of the real need for professionally managed network security.

Written by the IT technical staff at iCorps Technologies.

5 Things About Data Protection a Compliancy Officer Doesn't Know

 

One of the biggest problems for an officer retained to monitor compliance with data protection law is that, unlike the European Union, there is no overarching government regulation. Instead, the United States takes a piecemeal approach that relies on regulation, self-regulation and legislation written to address specific issues such as the Fair Credit Reporting Act.

Written by the IT technical staff at iCorps Technologies.
