
There are many risks to consider. Depending on your industry and the type of data you collect and store, some are more critical than others.

Home networks: Residential networks usually rely on consumer-grade routers with no intrusion protection or advanced security services. They also have other insecure devices attached, such as IoT devices and game consoles, and may use weak WiFi protection as well.

All of this exposes these networks to additional attack risk, often without anyone being aware of it.

Secure VPN connections: These should be used in ALL cases where access back to a central office is needed. In most cases, connecting to the VPN then routes that device's traffic through the corporate router, where it is filtered.

Single-Sign On (SSO):
While cloud services can be a wonderful way to stay connected and access work, ensuring that they are secured is critical. Where possible, get as many cloud applications as you can talking to a central identity provider. There are solutions for clients with and without servers. When a user is added or removed, access is then updated accordingly across all systems. This method also allows you to maintain password rotation and other high-level security policies.

Employee vs Corporate devices:
What is your team computing on? If corporate-owned and managed devices, then you can ensure those are secure and have your security solutions loaded. When staff begin to use their own devices, you lose control of security and risk your data being stored on devices you do not own or manage. Depending on your industry, this can be a huge issue.

Remote working policies and procedures:
Does your team know what you expect and how to move forward? Most firms raced to work from home but spent little time formally documenting expectations around data security and privacy risks. Take some time to meet and get everyone on the same page about how to work smart from home.

Social engineering attacks:
With more of your team working from home, it's easier for attacks to seem legitimate. Phishing attacks are on the rise as many have their guard down due to changed routines. Routine training and awareness about company procedures, especially around financial transactions and access to systems, is a must. If your team is not using instant communications software to stay in touch, consider it, as email is still the most effective conduit for attacks. Use phone calls, virtual meetings, or instant messaging to confirm critical actions.


Yes and no; it really depends on the type of gear and whether it is mission critical. Let's review a few types of hardware and answer with more specifics.

Servers:

Absolutely. Obtain next-business-day (NBD) service directly from the manufacturer when purchasing, and opt for the longest term they have available. Five years is the average lifespan of mid- to high-end servers. For entry-level servers, a 3-year term is more reasonable.

Network gear:

Most routers and switches will come with a 1-year warranty. Meraki, for example, will offer hardware replacement as long as you maintain your security services. For small business gear, the cost of the warranty exceeds the risk. For higher-end switches costing thousands, it makes more sense.

Workstations / Laptops:

We advise that all new systems be ordered with the 3-year NBD depot warranty option for any business user. Having techs come to you, rather than shipping your unit off and waiting weeks, is always smarter. The average laptop or desktop will last about 3 years when choosing mid- to high-end gear.

Monitors and Accessories:

We skip these options, as we have seen very few monitor failures due to manufacturing defects over the last decade. If there is a problem, it will usually manifest in the first year. Stay away from the cheap brands and pay a little more for quality to avoid issues.

Within the IT support industry there are no real standards in terms of what or how a company provides IT services. There are differing models such as break-fix, contracts, or hybrid offerings.

With 20+ years in the IT support space, we feel that the Managed Services approach works best for both client and provider alike.

Managed Service Providers (MSPs) exist to collect and manage an array of services and solutions for their clients. Within that designation, there can be a focus on vertical or niche industries.

A true managed service provider is one that exists to service a client in many parts of their business, whereas a break-fix firm is available on demand as needs arise.

What we have observed over the last two decades is that clients with an MSP are much better prepared for changes, have a higher security posture, and have better performing networks. To this end, that is our approach. Think of an MSP as your IT controller.

Questions you should ask a potential IT provider should include:

  • How many employees do you directly hire? (Stay away from franchise firms that use back office techs to supplement the owner.)
  • Do you carry full professional liability insurance?
  • Do you focus on proactive work and what can be expected?
  • What is the average wait time to talk to a technician?
  • Can you advise and consult on security and compliance? Is this part of the contract?
  • Do you have a long-term commitment? (Stick with firms that offer you month-to-month pricing as they will scale with you and offer more flexible options.)
  • Can you support all of our business functions? [For example, our MSP will handle just about everything for a client (domain, DNS, email, AV, help desk, hosted phones, file sharing, etc.). Try to get a single source to tie all of your critical business IT needs together.]
  • Get client references, and ask for more if needed. Call them and get honest feedback.

Most of all, find a provider you can trust, one that will act on your company’s best interests. As an example, our firm does not add margin to hardware or software sales. We are not here to upsell gear, instead we focus on our service relationship.

Schedule regular meetings with your new IT team and fill them in on your thinking and plans. A good IT provider can be a critical part of your overall leadership team and help you save time and money with smart solutions.


If you suspected your business was compromised by a cyber attacker, what would you do first to find help? If your first thought is to search online, what would your keywords be in the search?

We encounter this all the time and would like to offer some concrete suggestions.

First, contact a local IT firm that specializes in cybersecurity rather than a local break-fix shop. Usually, you will be searching for Managed Service Providers. MSPs are better suited to understand the situation and have the tools readily available to best assist you.

With any compromise, there are two immediate goals: identify the ingress point and sever access. This process includes looking at your network equipment, servers, and computing endpoints.

Once the entry point has been determined and blocked, it’s time to complete a network forensics review. During this time, each machine is run through several virus and malware scans. In addition, we utilize a threat hunting service that can detect current and past malware footholds.

An often-overlooked part of the process is reviewing the firewall and server configuration to ensure no external access is permitted to internal systems. Eight out of ten times the main ingress point is a firewall rule allowing access to an internal server or other computing resource.

A common error is getting a compromised server cleaned, then putting it back into service too soon. Checking the network level rules before placing servers back in operation is a best practice to avoid more downtime or re-infection.

Ensure that all of your computing devices have next generation anti-virus solutions. Have an enterprise class router with active security services. Always use a VPN to access internal systems from outside instead of Remote Desktop Connections or other similar software, especially when dealing with PII or your own financial data.
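The firewall rule review described above, as an added example that is not PremierePC's tooling: a small Python audit over a constructed rule list that flags inbound allow rules exposing internal (RFC 1918) hosts on remote-access and server ports to outside sources, the ingress pattern the text says it sees most often. Rule names, addresses and the port list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str       # "allow" or "deny"
    direction: str    # "inbound" or "outbound"
    src: str          # source CIDR, single address, or "any"
    dst: str          # destination CIDR or single address
    dport: int        # destination port


# Services that should only be reachable over the VPN, never straight from
# the internet (assumed list for illustration; extend it to match your estate).
INTERNAL_ONLY_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True when the address or CIDR lies entirely inside private space."""
    if addr.lower() == "any":
        return False
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


def is_untrusted_source(src: str) -> bool:
    """Anything not wholly inside private space (including 'any') is outside."""
    return src.lower() == "any" or not is_internal(src)


def risky_rules(rules):
    """Return (rule name, service) for every inbound allow that lets an
    outside source reach an internal host on an internal-only port."""
    flagged = []
    for r in rules:
        if r.action != "allow" or r.direction != "inbound":
            continue
        if r.dport in INTERNAL_ONLY_PORTS and is_untrusted_source(r.src) and is_internal(r.dst):
            flagged.append((r.name, INTERNAL_ONLY_PORTS[r.dport]))
    return flagged


# Constructed rule set, roughly what a small-office edge firewall might hold.
SAMPLE_RULES = [
    Rule("vpn-endpoint", "allow", "inbound", "any", "203.0.113.10", 1194),         # VPN on the public IP: fine
    Rule("rdp-accounting", "allow", "inbound", "any", "192.168.10.5", 3389),       # RDP straight to a LAN host
    Rule("vendor-sql", "allow", "inbound", "198.51.100.0/24", "10.0.5.20", 1433),  # outside range to a DB server
    Rule("lan-smb", "allow", "inbound", "192.168.0.0/16", "192.168.10.20", 445),   # internal to internal
    Rule("public-web", "allow", "inbound", "any", "10.0.1.8", 443),                # published web app, not on the list
    Rule("old-rdp", "deny", "inbound", "any", "10.0.5.20", 3389),                  # deny rules are not ingress
]

if __name__ == "__main__":
    for name, service in risky_rules(SAMPLE_RULES):
        print(f"REVIEW {name}: {service} on an internal host is reachable from outside")
```

Run this against an export of your own rules before a cleaned server goes back into service; every flagged rule should be replaced by VPN access or a documented exception.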

Double check your backup policy and data retention rules. Test your backup with a fire drill at least quarterly. Use a company, like us, that offers fully managed backup with human monitors.

With a few simple steps, you can improve your security posture, mitigate your risks, and recover faster from an attack.



What are you guys doing to protect important information on your networks (site, backend files, customer information etc)?

As with any intelligent Backup and Disaster Recovery (BDR) planning, a layered approach is always best.

The first step is to identify what is important. You may have an idea, but test it by simulating a loss: turn off your server or shared resources and see what you truly can't live without.

Once you have a firm idea of what you need, we can focus on how to secure it.

We utilize several tools.

Utilizing cloud services is a great start, but they are not immune to data loss. A common misconception about Google and Office 365 is that your data is backed up. It's not. Cloud data is far less likely than local data to be lost to hardware failure, but human error still applies. Do you back up your cloud email service?

Where possible, use intelligent file sharing solutions. We offer such a service that acts as your file share, revision platform, and can help drive compliance.

We also provide our clients with access to a human managed backup platform where we can store server images, system states, and file level backups. When something does go wrong, we are quickly able to get them back up and running.


How would you deal with a website developer who is holding your website information hostage and can’t update information?

We think it’s regrettable that certain firms or professionals would behave like this, but we have seen it occur far too often.

Since 2006, our team has been actively helping clients manage their domains as part of the IT stack for this very reason. Your domain is a critical part of your identity and overall IT infrastructure as it directly relates not only to your website, but your email.

A web host should never NEED to own your domain or even register it for you. Having a central IT controller like PremierePC in the mix can help as we manage the domain, and then any vendors who need access to records or changes.

With this in mind, let’s focus on the problem listed. First, attempt to gain access to the website control panel or hosting account. This is the root level of access and will be your best bet to re-gain control. If that is not possible, then a local admin account to the CMS or FTP account could be used.

If the provider is unwilling to provide access to services that you pay for, then legal action may be needed. While this process is going on, securing your domain, if possible, before bringing any legal challenge will be a wise move.

In closing, keep your domains registered yourself and, where possible, purchase your own hosting and have your web team build your site there. Use a trusted third party like PremierePC to help manage and control these items and act as your trusted advisor and consultant, ensuring no changes are made that will have adverse consequences. Most importantly, your domain never NEEDS to move to your web host for them to host a website. We firmly believe that whoever provides and manages your email platform should be in charge of the domain and DNS.

You can learn more about our domain and managed DNS program using the links below.

https://www.premierepc.net/business-hosting/domains/

https://www.premierepc.net/business-hosting/managed-dns/


I have been struggling to get my website up and running. Do you think it’s actually necessary to have a website? Do you judge people off their websites?

Short answer, YES!

Longer answer: a web presence is critical to being found online, and having a site that is mobile responsive or optimized is even better for SEO.

With that said, you do not need to invest a fortune. For many small business sites, a few pages with a list of services, contact info, and some history and context is all that people are looking for. You can easily use web page builders to get the basics in place. We advise clients to stay away from proprietary platforms like Squarespace, Weebly, and the GoDaddy website builder, as these builders will not allow you to easily port your site. Instead, opt for managed WordPress sites, which are more difficult to get into but will allow you to port and move your site as you grow and add new features.

PremierePC offers a full array of business hosting solutions to our service plan clients. We can handle the domain, DNS, hosting, and WordPress build and ongoing management.

If you need help crafting a way forward, give us a ring and we can help guide you on the journey.

How are you protecting the PII (Personally Identifiable Information) of your clients, customers or members?

As others are stating, sharing the specifics of these plans can open you up to risk, so it is best to share generally about this topic.

PII is a big deal and you can be responsible for it even though you didn’t initially send it.

Let’s cover the basics of what PII is and isn’t.

Personally Identifying Information (PII) is defined as any information about an individual maintained by an agency, including:

(1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, and biometric records;

(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, or employment information.

PII can be sensitive or non-sensitive.

Non-sensitive PII:
– Can be transmitted in an unencrypted form without resulting in harm to the individual.
– Can be easily gathered from public records, phone books, corporate directories, and websites.

Sensitive PII:
– When disclosed, could result in harm to the individual whose privacy has been breached.
– Should be encrypted in transit and when data is at rest.

Personally identifiable financial information (PIFI) is any information that a consumer provides to a financial institution that would not be available publicly. PIFI may include information such as:
– An individual's name
– Personal contact details
– Bank account number
– Credit card number
– Social Security number
– And more

PIFI generally contains private and confidential data visible only to authorized personnel. The term is mainly applied in an operating environment where the security, privacy, and authenticity of financial information is the primary objective. The data stored within PIFI is used for a range of applications and/or business services. For example, an online e-commerce site may contact a consumer's bank and use PIFI from the bank's server to identify and validate a buyer's credit card.

Under the Gramm-Leach-Bliley Act, financial institutions must alert their customers to privacy policies and practices and avoid the disclosure of nonpublic personal information about consumers to third parties without consumers' consent. Financial institutions must also establish appropriate standards to protect PIFI.

OK, you still there? I know that was a lot of text, but it’s a great guideline to helping you understand WHAT you need to protect.

So, HOW do we protect PII? A few best practices include:

Identify where you are storing PII. Many file management services will offer this, you can also purchase software audits or have a professional consultant come in.

Determine the sensitivity of the PII you store.

Remove any legacy PII that is no longer needed for active work. Use a retention policy and retire data as quickly as you can.

Encrypt PII in transit and at rest.

We strongly suggest that you NEVER EVER EVER email PII. Consider scans to encrypted network folders or secure cloud services like Egnyte with proper roles and permissions.

Email compromise is the number one method for bad actors to gain access and steal PII. Having a strong inbound and outbound email compliance solution can help prevent attacks and mitigate leaks.

PERMISSIONS. Not everyone in your organization needs access to PII; properly storing this data by user role and access permissions will help mitigate many risks.

Educate your team on the critical nature of PII. We suggest at least an annual security awareness training session or PII refresher.

Have a standard onboarding and offboarding process for your team. Do not COPY permissions from users.

If you can, have a dedicated compliance officer who can check and audit your internal process at least quarterly.
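The "identify where you are storing PII" and "determine the sensitivity" practices above, as an added example that is not PremierePC's tooling: a Python scan over a constructed set of files that finds Social Security numbers and Luhn-valid card numbers (sensitive PII on the page's definition) and phone numbers (non-sensitive, public-directory data), then reports which paths need encryption, role-based permissions, or retirement. File contents and the patterns are constructed for illustration; a real scan would read from the share.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-ins for files found on a shared drive.
SAMPLE_FILES = {
    "hr/onboarding_2019.txt": "Employee: Jane Doe\nSSN: 123-45-6789\nStart: 2019-03-01\n",
    "sales/leads.csv": "name,phone\nJohn Smith,864-555-0100\n",
    "finance/refunds.txt": "Refund to card 4111 1111 1111 1111 for J. Smith\n",
    "misc/notes.txt": "Lunch order: two sandwiches\n",
}

# SSN in the common dashed form, rejecting area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# North American phone number: on the page's split, non-sensitive public-directory data.
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str         # "ssn", "card" or "phone"
    sensitivity: str  # "sensitive" or "non-sensitive"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(path: str, text: str) -> list[Finding]:
    found = []
    for _ in SSN_RE.finditer(text):
        found.append(Finding(path, "ssn", "sensitive"))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(Finding(path, "card", "sensitive"))
    for _ in PHONE_RE.finditer(text):
        found.append(Finding(path, "phone", "non-sensitive"))
    return found


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Map each path with at least one finding to its findings."""
    results = {p: scan_text(p, t) for p, t in files.items()}
    return {p: f for p, f in results.items() if f}


def sensitive_paths(files: dict[str, str]) -> list[str]:
    """Paths holding sensitive PII: encrypt at rest, restrict by role, or retire."""
    return sorted(p for p, fs in scan_files(files).items()
                  if any(f.sensitivity == "sensitive" for f in fs))


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        print(path, sorted({(f.kind, f.sensitivity) for f in findings}))
```

The output is a retention and permissions worklist, not proof of a clean share: files that hold PII in other formats (images, spreadsheets, archives) need a commercial discovery tool or a manual audit.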

There is a lot to understanding and protecting PII. Having a trusted partner like PremierePC can help you avoid many pitfalls, implement complicated solutions, and assist your team in driving compliance.

What are the biggest challenges when working remotely or from home?

How Has Your Business Overcome Spear Phishing under these new circumstances?

Remote work, deemed the “next normal,” increases productivity and employee retention while reducing environmental impact.

The COVID-19 pandemic has increased remote work dramatically; one source finds 88% of organizations have encouraged or required employees to work from home.

Enter hackers.

Remote work + distracted employees + new scam opportunities = a hacker’s dreams come true.

Coronavirus-related spear-phishing attacks have increased by 667% since February.

So, what can you do to protect your business?

Email security, encryption, archiving, and backup
We offer a full compliance platform and can also custom craft a plan based on your needs. Inbound filtering can be enabled in a matter of days, outbound encryption for the users that need it, archiving for compliance or even layering on backup for your cloud email to protect against data loss.

Awareness around dark web compromises.
Monitor your entire domain for users and credentials which have already been compromised. Get alerts on new activity. Priced per domain, setup same day with no changes needed to your technology setup.

Scheduled end-user security awareness training
At no additional cost to our dark web monitor, we offer automated awareness training and testing. We help you detect staff weakness and provide training to build them up.

Pair this with a 90 minute virtual training session with our team to give yourself a jump start.

Remote monitoring and management for managing and protecting networks and devices
Having a Managed IT provider on call to help with problems large and small can give your team the confidence they need to work smart and safe.

What antivirus do you use for protection, and why do you trust it?

The field of anti-virus has expanded significantly in the past few years. Most business owners and consumers alike are aware they need something. The legacy solutions use database signatures to protect endpoints (devices). This older technology relies on updates from the vendor to keep you safe.

Owing to this, very few compromises these days come from file-based virus intrusions or trojan programs. Instead, the majority of bad actors are focusing on social engineering and what is now known as fileless malware and script-based attacks to compromise endpoints.

In fact, the majority of successful attacks are fileless:

54% of companies experience successful attacks that compromise data and/or IT infrastructure.

77% of those attacks utilized exploits or fileless techniques.

Source: The 2017 State of Endpoint Security Risk Report.

So, what should you be doing to protect your business?

Most experts agree that no single solution is 100% effective against all threats, so a layered security approach is the best defense.

At PremierePC, we think that means 4 layers of protection.

  1. An enterprise grade security appliance or firewall with active security services.
  2. Managed endpoint protection which utilizes next generation threat intelligence.
  3. Threat hunting services which seek out and report on any footholds or malware remnants.
  4. Security awareness training for your team; humans are still the best defense.

Using the model above, a business can mitigate most compromises. No solution or combination of solutions is 100% effective; humans are still your best defense. Hosting regular security awareness sessions with your team can go a long way toward preventing a compromise.

Whatever you choose, make an informed decision and be sure to understand the real-world risks.