The Tech Blog
Technology That Fits Your Business

Your source for the latest in IT Security, Support and Solutions.

Since mobile devices such as tablets and smartphones contain their own native IT security measures, some business leaders and IT managers question the need for the additional security that can be provided by a mobile data management system.  The simple answer to this question is that mobile data management programs can serve to both enforce and provision the native security present on handheld devices.  A more nuanced answer, however, would point out that MDM products could produce an "integrated security" environment in which mobile devices become not only more secure, but also far more useful to the organization.

With electronic payments now outnumbering cash transactions, the Point-of-sale (PoS) system hack is becoming a more common in the world of cyber crime. In recent years, there have been several high profile cases including the notorious $10 million Subway PoS breach, where at least 150 franchises were targeted, as well as the breach of Barnes & Noble, where credit card readers in 63 stores were compromised. Almost all modern businesses now make use of an electronic PoS systems, and with the hacking of these devices on the increase, it is more important than ever to take appropriate steps to secure your customers’ data.

According to a recent draft of mobile security guidance from the National Institute of Standards and Technology (NIST), businesses should seriously consider the deployment of software that can provide centralized management for mobile devices.  This recommendation appears in "Guidelines for Managing and Securing Mobile Devices in the Enterprise," also known as Revision 1 of NIST Special Publication 800-124.  The draft guidance goes beyond a mere recommendation of such IT solutions; it also provides detailed suggestions that SMBs can use to help them select a centralized management program for mobile devices, as well as guidance with regard to installing and using such a system.

Internal IT security personnel at SMBs may have their work cut out for them when it comes to integrating the newest version of Microsoft Office into existing security procedures.  According to Microsoft, Office 2013 represents a significant departure from the traditional IT risk management paradigm.  According to the company's recently released security overview of the product, Office 2013 presents companies with "a fundamental change from computer-centered identity and authentication to user-centered identity and authentication.  This shift enables content, resources, most recently used lists, settings, links to communities, and personalization to roam seamlessly with users as they move from desktop, to tablet, to smartphone, or to a shared or public computer."

Firewalls remain a critical component to every business' IT security posture. Much like a firewall in a physical building, they are designed so that if one part of the network is under attack, other systems on the same network are able to remain unharmed. Let's look at some interest facts about firewall protection that give weight to their importance.

Small and medium-sized businesses trying to create and maintain systems that will meet HIPAA standards for privacy and IT security may have their work cut out for them. Initial audits have been conducted this year, with more still scheduled to take place, but according to the audit protocol itself is likely to evolve in response to the findings from the program so far. According to Linda Sanches of the Office for Civil Rights, the protocol itself is a "living document".

Odds are if you aren't one of the million cloud users already, you've figured out that this whole cloud computing trend is probably worth looking into. One of the first things you'll run across when you begin your search for information is the choice between public versus private clouds. Sure, each of these cloud types has its own advantages. But when you look at all the angles and filter each solution using your specific needs, you may reach the same conclusion as many other SMBs; a private cloud computing network is safer and more reliable in the long run than a public one.

Research in Motion, the producer of the BlackBerry smartphone suffered a blow last month when Yahoo! offically switched all employees a new iPhone 5, Samsung Galaxy S3, HTC One X, HTC EVO 4G LTE, or Nokia Lumia 920, including a company-paid data and phone plan. Yahoo! will also discontinue IT support for the BlackBerry.

In the press release announcing the popular decision, new Yahoo! CEO Marissa Meyer wrote, "We'd like our employees to have devices similar to our users, so we can think and work as the majority of our users do."

Most Yahoo! employees are happy with the switch, more than ready to get rid of their BlackBerrys, which have been waning in popularity for some time now. Most have praised the decision, but some IT security experts are questioning the safety of these devices over the uber secure BlackBerry.

BlackBerry vs iPhone vs Android Smartphones -- Which Is More Secure?

BlackBerry is and remains a highly secure mobile device platform. It was originally designed with corporate-grade security in mind, and RIM has worked hard to maintain that focus with all of the new versions of the BlackBerry operating system.

The BlackBerry 7 OS was recently rated the "most secure OS" in a report by software security specialists Trend Micro. Blackberry 7 scored 2.89 out of a possible score of three, with the iPhone 5 OS coming in a distant second with a score of 1.7, and the Android 2.3 OS coming in at the bottom of the heap with a security score of just 1.37.

The report praised the BlackBerry 7 OS both for its robust security-conscious design and the ease of use in the set up of security features. The iPhone was mentioned positively in that it did allow easy app "sandboxing," and because it does not include any type of removable storage (always a major security risk). The particularly low score that the Android 2.3 OS received was due to the fact that although "sandboxing" of apps was possible, it was very cumbersome, so the majority of users did not bother. This, of course, is a major security vulnerability, and hopefully most corporate users will be savvy enough to know to keep their apps out of their OS.

Although earlier versions of the iPhone OS were notably lacking in security features, the iPhone 5 OS offers users all of the security basics. An iPhone 5 is probably secure enough for your needs, but there are definitely some risks involved. Some analysts have questioned Yahoo!'s timing of the switch to smartphones in terms of security, possibly exposing themselves to security risks by pulling the trigger too early. The iPhone OS 6 is rumored to include several major security upgrades.

If the highest level of security is vitally important to you, you can feel the most secure with a BlackBerry.

Want to learn more about mobile security and how it can affect your business? Contact iCorps today.

Encryption -- turning a message into code before sending for security reasons -- has become standard protocol for sending the majority of email transmissions today. This trend can be seen in both the private and public sectors, but it is especially the case in the public sector, where 83% of federal agencies have policies allowing employees to encrypt emails.

While this sounds like a positive development, unfortunately, encryption is a double-edged sword. Encrypting messages does add a significant level of security, as encrypted messages have to be unencrypted, which takes time and makes them much less valuable to hackers. But emails that users encrypt at their desktop before sending cannot be subjected to any kind of content verification by network security, which makes it almost impossible to trace unauthorized data transmissions. In practice, the encryption that is used to guarantee the security of data actually becomes a method to send unauthorized data undetected through the email gateway.

The Encryption Conundrum

This encryption conundrum puts IT managers between a rock and a hard place. Nobody wants to give up the high level of security provided by encrypting employee emails, but IT security experts almost all say that significantly more unauthorized data is lost from networks by email than flash drive, disc or any other method.

The problem is just going to grow as more businesses and agencies move to encrypting most or all of their email traffic. A recent study suggested that over 80% of IT security managers were concerned about loss of sensitive data through encrypted email.

Advanced Email Security Technology

The only way to effectively solve this encryption conundrum is with advanced email security technology. Thorough training of employees on encryption protocols and other software analytics methods will help control the loss of sensitive data through encrypted emails, but these measures will not thwart a smart and resourceful individual.

To be sure that no one is sending out unauthorized data in encrypted emails, IT managers must have the ability to unencrypt files before they are routed to your Exchange server for outbound transmission. This is obviously a more laborious and time consuming process, but protocols can be set up so that only certain messages or a certain percentage of messages are unencrypted before outbound transmission.

This kind of advanced email security takes some significant expertise to set up properly. Federal agencies will likely staff up their IT departments and take on the task in-house. But that idea can be a little daunting for small and medium-sized businesses. Small and medium businesses should consider working with a high-end local IT services provider to get the results they want. Learn more about how to secure your email from a data leak.

If your organization falls under any of the types of government compliance, it’s crucial that employees follow the proper protocol to be compliant with IT security policies. Executives designate the process of ensuring that compliance standards are followed to IT leaders generally. The IT department determines where there are compliance gaps and applies the necessary measures and policies. However, for these measures to work efficiently, everyone in the organization must follow them. Unfortunately, employee non-compliance with policies can happen and when it does, security breaches are possible.

Here are the top five causes of breaches due to non-compliance: 

1. Employee exits: Employees often have access to sensitive information within an organization. When an employee leaves an organization, either voluntarily or otherwise, damage to confidential information can occur. Therefore, even when a trusted employee leaves, the same protocol must be followed – immediate removal of access to all areas of data, including networks, email, and company intranet. Though it may sound extreme, it’s better to be safe than sorry when critical information is at stake.
2. Unintentional misuse of company data: While everyone wants to be helpful to both current clients and potential ones, sometimes that eagerness can have negative consequences. For example, providing confidential information to potential clients, vendors, or simply answering general inquiries can mean that sensitive data could be exposed. To ensure that sensitive data remains private, each department should regularly review security policies with its staff and encourage employees to ask when unsure.
3. External attacks: Virus infiltration, spam, and other external attacks can easily threaten any area of a business and affect business continuity or access to data. Keeping a checklist of the tasks that need to be done to prevent against attacks, and also actions to take in the case of a successful attack, can help prevent or minimize intrusions.
4. Insecure networks: Hackers seem to enjoy finding loopholes in networks and exploiting them in order to hinder a company's ability to function. In addition to attempting to prevent external attacks, an organization should constantly monitor its networks. Using server monitoring, an organization can understand the most likely areas for a breach to occur and proactively take measures to prevent one from happening.
5. Phishing (Social Engineering): Brute force hacking isn’t the only way that hackers can access to networks. A special type of attack, called phishing, occurs when hackers send legitimate looking "emails" from someone in the network to employees, hoping that they will open them. This form of social engineering can allow access to a business's entire network through one click of an employee. By implementing specific email format standards, applying backend rules, and using virus scans, the number of phishing attacks that make it to the email stage can be dramatically reduced.

IT policies are only as good as the employees who follow them. Not following security policies can result in a severe loss of productivity, damage to an organization’s brand and reputation, and possible financial and legal repercussions. Aside from this accountability, implementing strong and customized solutions is paramount to the successful compliance and security of a business.

iCorps is a leader in IT and government compliance consulting, helping satisfy the unique IT needs of businesses in Boston, Philadelphia and New York. Don't let a breach due to non-compliance disrupt your business. Contact iCorps today for a free consultation, then read our whitepaper on data backup and disaster recovery.