New Zealand small businesses are currently facing a new and often misunderstood threat to their livelihood. COMPUTER SECURITY. Over HALF of all small businesses in New Zealand were targeted by ransomware in 2020. (Ref.) That's 50% of us! As cybercrime cannot be seen, and can be hard to imagine, we tend to think, is it really that bad?
Small business computer security is an often overlooked challenge, by both IT providers and small business owners themselves, but we have made it our mission to improve the security of New Zealand Small Businesses. "...there are approximately 530,000 small businesses in New Zealand representing 97% of all firms. They account for 28 per cent of employment and contribute over a quarter of New Zealand's gross domestic product." (ref.)
We think this sector of our community should get the same protection from cybercrime as big business gets. So we are going to show you how to achieve this for yourself.
Step One: Maintenance
Maintenance. This word can seem a little too much like the word 'Housework'. It's a bit boring, a bit repetitive, and really, who knows what you should actually do? But it is the first step to securing your network, and without it, your network will never be secure. Security vulnerabilities are found daily, so to keep your equipment safe, manufacturers release patches and updates to their software. Equipment and software that is out of date becomes insecure over time, so keeping up to date is a vital part of your security protocol.
1. Create an Asset Registry
The first step to maintaining your equipment is to establish what equipment you have. Write down a list of every computer, laptop, server and any infrastructure equipment you have. This can include:
2. Add in Applications to your Registry
Once you have established a registry of equipment, you need to add into the list your applications, as these often need to be considered separately.
Start with the Operating Systems. Likely these will patch themselves automatically, but if you are not often connected to the internet, then this will need specific attention.
Then consider your infrastructure applications, such as Antivirus, SPAM or Malware applications, and Backup software. These will likely require manual updates. Antivirus software will require definition updates as well as software updates.
Lastly add in your industry software, such as Payroll, Accounting, Creative and Productivity software.
Note: You will not need to include applications that are solely accessed via the web (such as Xero) as these are updated for you.
3. Purchasing Application Maintenance
Applications will often not be able to be updated if they are not on a maintenance agreement, or simply may require the upgrade to be purchased once available. This particularly applies to antivirus software, backup software and operating systems, but can also apply to payroll, accounting and other industry software. Include details of the purchasing requirements in your register.
An example of an application registry.
4. Determine What Needs Updating
For each type of equipment or application, you will need to determine what requires updating on a regular basis. This will be different for each type of equipment or application.
For example, a workstation requires the O/S to be updated (patched) but most likely the O/S will update itself. A router or switch will likely require the firmware to be updated.
Check the user manual for each piece of equipment/application to assess what maintenance tasks are recommended.
5. Make a Roster
Many, many hours can be lost in maintaining equipment, so we recommend creating a roster for these tasks. Some equipment/applications will require patching regularly, such as operating systems or firewall appliances. Other things, such as Access Points, NAS, or switches likely only require firmware updates once a year.
An example of an update schedule
Now that you have a clear indication of the equipment and applications that you need to update, what you need to update, and a schedule to stick to, all you need to do now is follow your schedule to ensure your network is kept up to date and secure.
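The registry and roster from steps 1 to 5 can be kept as one table and checked automatically for overdue updates and lapsed maintenance agreements. The following is an added example, not part of the original article; the column names, device names, intervals and dates are constructed sample data.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: one row per item that needs updating (step 4).
# interval_days is the roster frequency (step 5); agreement_expires is the
# maintenance agreement end date (step 3), blank where none is needed.
REGISTRY_CSV = """\
asset,kind,update_item,interval_days,last_updated,agreement_expires
Front desk PC,workstation,OS patches,30,2021-02-20,
Office firewall,firewall,firmware,30,2020-12-01,2021-06-30
Office switch,switch,firmware,365,2020-07-15,
NAS,storage,firmware,365,2019-11-02,
Antivirus,application,software and definitions,30,2021-02-25,2021-01-31
Payroll,application,software,90,,2021-12-31
"""


def parse_date(value):
    """Return a date for 'YYYY-MM-DD', or None for a blank cell."""
    value = (value or "").strip()
    return date.fromisoformat(value) if value else None


def load_registry(text):
    """Read the registry CSV into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": row["asset"].strip(),
            "update_item": row["update_item"].strip(),
            "interval": timedelta(days=int(row["interval_days"])),
            "last_updated": parse_date(row["last_updated"]),
            "agreement_expires": parse_date(row["agreement_expires"]),
        })
    return rows


def review(registry, today, warn_days=30):
    """Return (asset, status, days) findings, in registry order.

    OVERDUE            days past the roster date
    NEVER_UPDATED      no update has ever been recorded (days is None)
    AGREEMENT_EXPIRED  days since the maintenance agreement lapsed
    AGREEMENT_EXPIRING days left, when within warn_days
    """
    findings = []
    for item in registry:
        if item["last_updated"] is None:
            findings.append((item["asset"], "NEVER_UPDATED", None))
        else:
            due = item["last_updated"] + item["interval"]
            if due < today:
                findings.append((item["asset"], "OVERDUE", (today - due).days))
        expires = item["agreement_expires"]
        if expires is not None:
            if expires < today:
                findings.append(
                    (item["asset"], "AGREEMENT_EXPIRED", (today - expires).days))
            elif (expires - today).days <= warn_days:
                findings.append(
                    (item["asset"], "AGREEMENT_EXPIRING", (expires - today).days))
    return findings


if __name__ == "__main__":
    for asset, status, days in review(load_registry(REGISTRY_CSV), date(2021, 3, 1)):
        print(f"{status:<19} {asset:<16} {'' if days is None else days}")
```

An item with no recorded update is reported separately from an overdue one, because it usually means the item was added to the registry but never put on the roster.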
Look out for Secure Your Small Business Network Part Two: SECURITY MEASURES for the next stage to securing your network.
New Zealand has just passed a law making data breaches notifiable. This update to our Privacy Laws has a profound impact on New Zealand small business, as your responsibility to keep your customers' data safe has just increased significantly.
You can read about your responsibilities in more depth here:
Privacy Commissioner Data Breach Responsibilities
This means that you must take extra precautions to ensure your customer and employee data is kept safe from a data breach.
Small businesses (i.e. your business) in general are not taking data security seriously, and the New Zealand government has just given us all a wake-up call.
Many, many of us have been the victim of a phishing or ransomware attack. From the 1st of December 2020, these breaches will need to be reported to the government, under the newly updated Privacy Act.
I don't collect that kind of data!
No small business wants to be in a position where you are declaring a data breach to the privacy commissioner, so how do you avoid it? Do you even collect information that would warrant protection? If you collect customer information in any way on your computer, such as names, addresses, phone numbers, email addresses etc (spoiler, you do), then this act is directed exactly at you.
My data is already safe!
Most small businesses are under the impression that their data is already safe. "My IT guy has it sorted" is a common misunderstanding between business and IT provider.
IF YOU ARE NOT PAYING YOUR IT PROVIDER FOR SECURITY SERVICES (Go check your contract) THEN YOU ARE NOT PROTECTED.
Data security is a complicated task. Unless your contract (do you even have a contract?) specifies security services, then YOU ARE NOT PROTECTED.
Are you sure we are not protected?
If you can answer YES to ALL these questions, then you are on the right track. If not, then you have some serious work to do:
Looks like I might not be compliant...
If you have answered NO to any of these questions above, then you need to act now. Business data security is now a major threat to your business.
As always, we can help you resolve these challenges. Email us at firstname.lastname@example.org or call us on 0800 471 8232.
Phones v2.0 with Microsoft Teams
Microsoft365 users can start calling right now...
Add external calling...
Add a calling plan to be able to make outside calls to landline and mobile phones and receive calls back from them. All of this is done over your internet connection. This is fully integrated into your network, giving you additional advantages.
As TEAMS runs over the internet, you can be at your phone extension wherever you have an internet connection. This means working from home just means plugging your headset into your PC at home. You can even run TEAMS as an app on your cellphone and be on your work phone extension anywhere with cellular data coverage.
Keep your existing numbers...
And you can keep all your existing phone numbers. Porting over your current numbers is an easy push of a button. Give us the word, and it can be scheduled to happen.
Halve your phone bill...
Customers that have moved to this solution not only get all the features of a sophisticated phone system, but they are finding that overall it is about half the price of their existing phone system.
Some of the best features are...
If you would like more information about Teams Calling, give us a call on 0800 471 823 or email us at email@example.com.
This past week we have witnessed four separate phishing attacks on small businesses. These attacks are pervasive and scary, but you can fight back. The trick is to be prepared.
A phishing attack is a cyber attack that uses your email as a weapon against you. The goal is to trick you into believing that the email is something you want or need such as a request from your bank or a note from someone in your company, so that you will click a link or download an attachment.
We have outlined for you what you can do to prepare yourself and your business against these types of phishing attacks.
One Recent Phishing Attack
One attack we witnessed this week came in this format. You can see it looks like any other email. The person this email is from is known to us (we have changed the name for this example), and it reads like a normal email. The email address is a legitimate one. The link included in this email is a genuine OneDrive address. So how did we know it was a phishing attack?
There are clues. 1. We haven't heard from this person in several years, 2. We have no knowledge of the project they are talking about.
Phishing attacks such as this one trick you into opening multiple links, and then you are asked to confirm your identity by entering your email address and password. These credentials are not being entered into a legitimate authorisation source; instead you are actually entering them into the phishers' website, disguised to look like the real thing.
Once they are in possession of your credentials, malware is installed onto your machine, giving them full access to your contact list. Your own email system (Outlook etc) is then used to send emails on to all your contacts, looking for new victims of this scheme.
What's The Worst that Could Happen?
So what if the phisher has my email address and password. I will just change it, then they don't have it anymore.
Sure, you can change your password. But by the time you realise you have been scammed, your email address and password have already been a valuable tool for the phisher. The whole interaction has told the phisher many things about you that are handy later:
Additionally, if you are a global admin on your network, they will have spent a little time setting themselves up a back door into your network, so they can send you something even more nasty, like a cryptolocker, which disables your network entirely.
What Can We Do to Prevent This?
There are two things you need to do: Prevention and Training.
Ideally, your email should be guarded from the internet as best as possible by implementing SPAM and phishing protections.
Office 365 users have several options:
These tools will limit the number of phishing emails arriving in your inbox.
If you don't yet have Office 365, then there are tools for your network too. Drop us a line or give us a call for details.
No tool is perfect, so for those emails that do sneak into your inbox, your last line of defense is your users. Encourage your users to understand what a phishing email is, and what one will typically look like. The top ways to spot a phishing email are:
IF YOU ARE UNSURE IF AN EMAIL IS LEGITIMATE, DON'T CLICK IT, CALL THE SENDER AND CONFIRM. DO NOT EMAIL THE SENDER, IF THE EMAIL IS PHISHING, THE EMAIL ACCOUNT MAY BE COMPROMISED, SO ANY RESPONSE YOU GET MAY BE FROM THE HACKER.
Additionally, there are tools that you can use to test your users' knowledge and understanding so that they can improve, such as:
If security is not on your radar right now, it should be.
Cyber attacks have increased 300% since COVID-19 has taken hold of us. We are vulnerable right now while we are worried about other things, so hackers are taking advantage. We are seeing this in real terms in our ticket list. Get some protection now. Don't wait.
Further reading from Microsoft:
Protect Yourself From Phishing
Protect Yourself From Phishing Schemes and Other Forms of Online Fraud
Your firewall is a generally forgotten piece of your networking equipment, but we would like to remind you of the amazing things that it does for your network, and why you should LOVE your firewall.
As June is Firewall month (and so is November!) we wanted to tell you all about why we love your firewall, and why you should too!
COVID-19 and Your Firewall
The coronavirus pandemic of 2020 has sent us all reeling, but it has highlighted some surprising things, such as how our slowdown has positively impacted our environment. (How the Climate is benefiting from Covid-19) Similarly, your firewall was quietly working hard, making your work-from-home experience seamless.
What is a Firewall?
Your firewall is a small device that will likely be sitting under the stairs, or in the cupboard at the back of your office, with all the other equipment you are assured is important, but you are not really sure what it does. Your firewall is one of those light-flashing mystery appliances.
Your firewall is an internet traffic device. Every time you send something by email, or look at something on the internet, your firewall processes that request, and checks it before it sends the signal onto its destination. Your firewall also checks traffic coming in, such as received mail and remote access. Your firewall checks everything, including web browsing, email, music streaming and video conferencing.
Your firewall has the power to deny access, either in or out of your network, if it decides that the traffic doesn't adhere to its strict rules, or if it suspects that the traffic is not doing what it claims to be doing, such as malicious threats to the network.
Your firewall can also check the traffic for viruses and malicious content in emails, and it can check which websites you are travelling to and deny you access. If you don't want users on your network to be scrolling through Facebook or going to the TAB site, or any other non-work approved site, the firewall can stop them.
Thank Goodness for VPNs
Due to Covid-19 we have all been encouraged to work from home, and we have taken this onboard in our droves. However, this meant getting access to the information on the network at the office as quickly as possible. Luckily your firewall was at the ready with its VPN capabilities. Your firewall can create for you a Virtual Private Network (VPN) which allows a secure connection from your PC at home to the firewall at the office and then onto your work PC or to your server.
Your Firewall VPN secures this connection using encryption and tunneling (sorry, what!?). Let me explain. A VPN prevents your data from being intercepted, monitored, or altered by anyone. The tunnel hides your IP address, which can otherwise be used to identify you. Instead of your real location, the sites you visit will only see the location of the VPN server you are connected to. The encryption scrambles the data being transmitted, so only the intended destination can read the data. If your data gets intercepted, it can't be read.
Once connected via a VPN to the office, it's just like being at the office. You can see your mapped drives, you can access network resources, you can clear your mail and print to your home printer, all while at home, in your pyjamas (we wouldn't do that, would we?!).
There are other methods to remotely connect to the office but the connection from home using the Firewall VPN is the most secure and reliable way to go about this and the best part is that there is no additional cost, as it is built into your firewall.
Image courtesy of the Fortinet Cookbook: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/724772/ssl-vpn-multi-realm
Show Your Firewall Some Love
As with any technology, your firewall needs occasional updating to keep up to date with the latest threats and to get the benefit of the enhancements manufacturers create, so they can keep ahead of their competition.
If your firewall is under Managed Services, or Universal Support, these updates will happen without any intervention from you (we will let you know when they will happen).
For those not under contract, we have a firewall blitz every June and November, so if you have updates ready, we will let you know they are ready to be installed. If you haven't heard from us in a while, check in with us, just in case you have been missed from our list, and check out what updates you may need installed.
Updates, What Updates?
In June, we concentrate on firewall firmware, backing up your firewall rules and checking your open ports. Firmware should be updated to make sure there are no vulnerabilities on the firewall itself that can be exploited by malicious users. The firewall rules should be backed up regularly, so that if a problem happens on your firewall, we can easily restore you to a version of the rules we know worked well. The open ports on your firewall should be checked at least once per year, to make sure changes haven't happened over the year. This can happen when a temporary service requires a port to be opened, but the port is not closed once that service has stopped. These errant ports can be used as a stepping stone into your network, so it's best to keep them closed if they are not being used.
In November, we concentrate on the firmware again, and also the Antivirus & AntiSpam definitions. If you are using them, the Antivirus and Antispam firewall technologies act as an additional check (on top of your usual Antivirus & AntiSpam protections), and while these definitions don't require constant updates, updating them annually is good practice.
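The June open-port check described above can be done by comparing the current inbound rules against the last rule backup and against a list of ports the business has agreed to keep open. The following is an added example, not part of the original article; the CSV layout is made up for illustration (it is not any firewall vendor's export format) and all rule names, ports, addresses and dates are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data in a made-up CSV layout (not any vendor's export
# format). Addresses are private-range placeholders.
LAST_REVIEW_RULES = """\
name,protocol,port,forward_to
Mail server,tcp,25,192.168.1.10
Staff VPN,tcp,443,firewall
"""

CURRENT_RULES = """\
name,protocol,port,forward_to
Mail server,tcp,25,192.168.1.10
Staff VPN,tcp,443,firewall
Vendor remote support,tcp,3389,192.168.1.20
CCTV install,tcp,8080,192.168.1.50
"""

# The ports the business has agreed should be open, and until when.
APPROVED_PORTS = """\
protocol,port,reason,temporary_until
tcp,25,Inbound mail,
tcp,443,Staff VPN,
tcp,8080,CCTV installer access,2021-02-28
"""


def load_rules(text):
    """Map (protocol, port) -> rule name for every inbound rule."""
    return {(r["protocol"].lower(), int(r["port"])): r["name"]
            for r in csv.DictReader(io.StringIO(text))}


def load_approved(text):
    """Map (protocol, port) -> expiry date, or None for a permanent approval."""
    approved = {}
    for r in csv.DictReader(io.StringIO(text)):
        until = r["temporary_until"].strip()
        approved[(r["protocol"].lower(), int(r["port"]))] = (
            date.fromisoformat(until) if until else None)
    return approved


def review_open_ports(previous, current, approved, today):
    """Classify the currently open ports for the annual review."""
    report = {"opened_since_last_review": [], "not_approved": [],
              "temporary_approval_expired": [], "closed_since_last_review": []}
    for key in sorted(current):
        if key not in previous:
            report["opened_since_last_review"].append(key)
        if key not in approved:
            report["not_approved"].append(key)
        elif approved[key] is not None and approved[key] < today:
            # Opened for a temporary service and never closed again.
            report["temporary_approval_expired"].append(key)
    report["closed_since_last_review"] = sorted(set(previous) - set(current))
    return report


if __name__ == "__main__":
    result = review_open_ports(load_rules(LAST_REVIEW_RULES),
                               load_rules(CURRENT_RULES),
                               load_approved(APPROVED_PORTS),
                               date(2021, 6, 1))
    for heading, ports in result.items():
        print(heading, ports)
```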
Do You Love Your Firewall as Much as We Do?
Ok, probably not. But hopefully you now have some idea why we love them, and why you should keep them up to date!
If you have any questions, as always, drop us a line at firstname.lastname@example.org.
New Zealand small business has an enduring love for Pay-As-You-Go IT support. When it breaks, I call you. Easy. The costs are low, and you feel like you have some control. If I don't have a need for you, or I can work it out myself, then there are no costs to me. But pay-as-you-go support is bad for business, so we are moving away from it.
How We Got Here
In the last 20 years, technology has changed exponentially. In the year 2000, we were mostly concerned with Y2K. Would our computers make it through the change of the century? Companies feverishly bought Y2K compatible machines to ensure their business wouldn't suffer any ill-effects from the year-2000-bug. Nokia released one of their first mobile phones. Windows 2000 was released (but we were all still on Windows 95 & Windows NT). Networks as we know them were in their infancy. The Internet was just coming into its own. Most companies didn't yet have a website. Computer viruses were just starting to take off. IT service companies were starting to come into their own. If you ran an organisation of just about any size, you had better be able to pick up the phone and get an IT guy to come and fix your broken PC when you needed them. Your PC breaks, the IT guy fixes it. Simple.
And it was simple. It was a system that made sense for all involved. Once a fix was applied, or an upgrade was installed, there was very little need for the IT guy in between times, unless you were a large organisation that had these queries all the time, where it made sense to hire someone onto your staff to take care of these things full time.
Technology Has Moved On
Security Has Moved On
Or rather, those with malicious intent have become increasingly sophisticated. They are constantly on the lookout for networks that have security flaws, trying to find an easy source of income. We make their job easy, by not paying attention to the maintenance of our network. Maintaining your network is also no longer a straightforward task.
In the past, basic maintenance of a network meant making sure servers were patched, and the antivirus was checked. Now that devices, software and cloud services are so interconnected, maintenance looks like patching, upgrading, remediation, skill building, research, documentation, monitoring and auditing. All of these tasks are vital, and if one is not completed, then security flaws start to appear in a network.
Security and Maintenance are now the same thing. One does not happen without the other.
Maintenance, Maintenance, Maintenance
You Need to Move with the Technology too
In a Pay-As-You-Go support arrangement, the maintenance of a network is left up to you. If you are in this arrangement, and you are not performing the maintenance tasks yourself, then your network is not secure. In this case, you have either already been attacked, or will be in the future. It's a case of when, not if. If you are in this arrangement you are at the highest level of security risk you can be. Change this now. Don't wait.
In a partial Pay-As-You-Go arrangement which includes server maintenance, you are in a better position, but it's still not great. Your network is more than just your server, and if you are not maintaining your other devices, then you are still very, very vulnerable.
In a network with a Fully-Covered server and everything else on pay-as-you-go, your situation is also better, but you are still vulnerable, as you have closed one door but left many others open.
It cannot be expressed more strongly: if digital security is even vaguely important to you (and it should be your top business priority), network maintenance is your only option.
Don't Get Caught
Don't get caught with old technology, and old ideas about what the technology can do for your business. Technology is considered an asset in most organisations. It provides us with a wonderful array of functions, that most of us would not do without anymore. Don't allow your technology to be a detriment to your business. Get your network maintained and get it secured.
What Is The Answer?
Our solution to this problem is Universal Support. Monitoring, Maintenance, Security & Support are all rolled into one service.
It is rolled into a single service, because separating the services is no longer a good choice.
It is rolled into a single service because separating the services is no longer possible, as each service crosses paths with other services.
It is rolled into a single service so knowledge about the network and how it serves the organisation can be built up over time.
It is rolled into a single service so skills specific to the network can be built up over time.
It is rolled into a single service because everything works better when a network is approached as a single entity.
Like most companies, we are rather quiet while we wait out the end of the COVID-19 level 4 lockdown. So, while we have unprecedented time on our hands, we have been busying ourselves with improving our services and service delivery. Our main focus is network security, and how the services we deliver can improve security strength. It's a complicated subject, so we are taking this time to improve our skills and knowledge.
Many of us have already had a brush with a security breach of some kind. There is increasing concern that New Zealand is no longer hidden from would-be international hackers, and that we are now an active soft target. This makes us vulnerable, so more than ever it's important to secure our networks, and make ourselves a much harder target.
We worry about the worst case scenario, and in this case it is warranted. How would your business fare if your company data was destroyed? Would you recover? How long would your recovery take? These scenarios are becoming more and more likely, so we best try to prevent them.
Using security best practices is a must to ensure our networks are as protected as possible, which delivers a good level of confidence to us and you that together we are doing everything we can to secure your network. But what are Best Practices? And who determines what makes a best practice? And what isn't a best practice?
Best practice is mostly a combination of observation, research, reading, skill building and experience. These combine to form a strong idea of what a best practice looks like, and what it delivers. But the disadvantage to this process is that while best practices are mostly the same across providers, there can be marked differences in delivery. Given the large differences there can be in the skills and experience from one provider to another, debates are common. Often, leading technical figures can hold very different opinions on one approach vs another. The most public debate of this type is the Windows vs Mac vs Linux operating system debate. Each operating system has its pros and cons, but who is right? And what implications do each of them have on network security?
These types of debates can cause providers to pick a "winner", and proclaim that their pick is the best option for x, y and z reason. But as in all debates, it's just not that simple.
So what is the answer? How do you figure out what is the best path for your network? We don't have the answer, however, there are many national and international organisations that have given this great thought, and they can provide guidance on prevention and responses to cyber security events or cyber-security frameworks, on which to overlay your vulnerabilities, functions and services.
CertNZ is the New Zealand government's source of security resources and guides for businesses of all sizes.
We highly recommend reading through their resources, as they are excellent.
National Cyber Security Centre
The NCSC helps public and private sector organisations to protect their information systems from advanced cyber-borne threats.
National Institute of Standards and Technology (NIST)
The NIST framework is a guide, based on existing standards and practices for organisations to manage and reduce cyber-security risk.
If you were brave enough to click any of the links above, well done! These are daunting topics, and the security jargon hits you quickly and hard. However, you should read through CertNZ. Their resources are easily consumable, and are reliable sources of information.
How We Are Using this information
As part of our duty as a service provider, we have reviewed the links above and many more, with a view to helping us do a better job for you.
We currently complete an annual Security Assessment for our customers as part of Universal Support, which is a deep dive into a network looking at all the points where security vulnerabilities exist. We look at 92 individual areas, which allow us to give you an overall check of compliance, and a check list of recommendations to improve any vulnerabilities we find. We complete this assessment annually, and it is the easiest way to get a clear overview of how secure your network is.
Up until now, our security assessments have been based on best practices. Soon, however, they will be based on the NIST framework. This framework uses Identify, Protect, Detect, Respond, and Recover tiers to guide organisations in managing and reducing their cybersecurity risks in a way that complements existing risk management processes. This framework is comprehensive, and is based on the functions and workflows of an organisation, making it applicable to all organisations, regardless of size, type or function.
However, unless you are fortunate enough to employ security specialists on your staff, you are unlikely to have the time to apply the framework yourselves in any meaningful manner. So, we have done this for you. By using this framework to overlay our Security Assessment, your network benefits from an internationally recognised security structure. If your business is under tight compliance, such as the FMA, you may already be subject to these requirements, which require your security policies to follow a recognised framework such as NIST.
The NIST framework includes in it:
IDENTIFY: Asks you to detail how you identify your assets, your business environment, the governance, your risk assessment and management.
PROTECT: Queries your control over access, the training of your personnel, your data security measures, your processes and procedures, your maintenance operations, and management of general protection.
DETECT: Asks you to detail your approach to understanding events and activities, what monitoring you employ and what your process of detection is.
RESPOND: Asks what your process is to respond to events, how this process is communicated, how the event is analysed, what steps are taken to mitigate the event, and what process you have for improvements.
RECOVER: Queries what your process is to recover from an event, what plans are made during a recovery for improvements, and how communications to staff, customers and other stakeholders are handled.
The Security Assessment outlines which part of your security policies covers each of the NIST tiers, and which part is covered by Universal Support. The Security Assessment also details your level of compliance, which areas need improvement, and recommendations for improvements.
Armed with this framework, we can help you understand not just how to protect, detect and respond to security breaches, but also how to identify what areas need the most protection, and how to plan a recovery.
With all this information at your fingertips, you are better placed to feel confident that you have done everything you could to protect your business interests, and that of your staff and customers. Maybe a Security Assessment will save your business.
Due to the COVID-19 Alert Level 4 lockdown, many of us are working from home, including us! Lately many of our client discussions have centered around security, and how we need to change the way we approach security, so that we can be better protected from the new threats we encounter daily.
Now that many of us are working from home, how has that impacted our security? Has our haste to get back up and running ignored our need to be secure? Now is the time to revisit the security for our work-from-home staff.
Connection Back to the Office
Your first consideration for security is the connection back to the office. If you have had a connection set up for a while, you should consider having that connection reviewed. If you have taken home your work machine and you are connecting back to your work server, the current standard is to use a VPN from your firewall. If you are connecting to your business workstation from your home workstation, the current standard is to use a third party tool, such as TeamViewer or LogMeIn, which creates a secure connection on your behalf.
If you are in doubt, please give us a call.
Staff Using Their Personal Machine?
Many staff are now working from their home PCs, and this can create a few challenges security-wise.
Does their home machine have paid antivirus installed? Many home machines have a free antivirus installed. This is not enough protection when connecting back into a corporate network, (or corporate cloud resources) as key-loggers can be used to gather information on remote connections, VPN connections and cloud credentials.
Help is at hand though. We are offering a FREE 60-day installation for BitDefender Endpoint Security. Just send us an email at email@example.com, subject "Free Antivirus" and we will get you set up!
Many home computers aren't strict with their updating policies. Unpatched machines are easily breached, and pose an enormous risk to your network.
Because this risk is so high, we are offering FREE patching for your work-from-home users for the next 60 days. If you would like to take advantage of this offer contact us at firstname.lastname@example.org, subject "Free Patching".
Make sure MFA is enabled for all your cloud resources, especially bank accounts. This ensures that even if your credentials are breached, those details cannot be easily used to gain access.
If you are using Office365 for your mail, then you already have great SPAM protection, regardless of whether you are checking mail from home, or work. If you are not using this, and you are not sure what your Spam protection is, drop us a line or give us a call to work out if your protection is adequate for working-from-home.
Many home routers are rather insecure, so we recommend checking your router for firewall features and password security. Some routers have firewall features built in, but not all do and routers are often sent to homes with default manufacturer passwords loaded. These passwords should be updated to a non-default password. If you would like some help with this, please give us a call and we can check these items out for you.
Hackers Busier than Ever
Hackers are pretty good at sensing weak points in the security fabric of the world, and a global crisis is an ideal time to strike vulnerable and otherwise occupied minds. Hackers have ramped up their efforts to catch you with your guard down. Phishing attacks have increased enormously (667%!), as have COVID-19 themed scams. Be on the lookout, as your technology cannot always keep pace, so some of these scams will make it into your inbox.