Learn from Marriott’s Example: Notification Responsibilities After a Data Breach

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. Know the laws in your state.  

Cyberbreach Marriott

To answer this question, let’s start with the example experienced by Marriot International recently when a breach exposed the social security numbers of the hotel chain’s associates. Then, we’ll look at the federal and state requirements for notifying those impacted by a breach that involved their data.

How Did Marriott International Employees Fall Victim to a Data Breach?

Marriott International told some of its employees that their social security numbers (SSNs) had been exposed to an unknown person. The risk came from a vendor that handled documents for the hotel chain.

On September 4, 2019, Marriott found out that someone access information recorded on those documents, which included subpoenas and court documents. The notification, which came two months after the incident, merely stated that someone may have accessed the records, which is all hotel representatives claim to know. The potential breach impacts over 1,500 Marriott employees. On October 30, the hotel started sending notifications via regular mail for anyone it hadn’t been able to find.

Those impacted will receive free credit monitoring as well as identity theft protection for one year at the company’s expense. Notification and credit monitoring services are part of recent data breach laws, but one must wonder what took Marriot so long to notify the victims.

Why Did Marriott Have a Difficult Time Finding Victims?

Marriott received a list of those impacted, but most had no address. This may be the most significant factor in the delay. And, it’s not an unusual one. Company records breached by hackers may be incomplete in the best of circumstances, and this information was sitting in several external systems.

The unnamed firm said all Marriott employee data was deleted from its system. One of the problems in cases like this is storing data in multiple systems, which increases the risk of theft and data breaches. Marriott no longer partners with the vendor.

What Are Your Company’s Responsibilities in Case of a Data Breach?

The FTC recommends following these steps, some of which are legally required.

Secure your Operations

Move quickly to take whatever steps are needed to secure your systems. Otherwise, your data breach can result in a series of breaches. Mobilize or form a breach response team to shore up your network against further loss.

Fix Vulnerabilities

As part of the fix, you need to anticipate questions that clients, associates and the authorities may have. Put together clear questions and answers to post on your website. Direct communication may ease frustration and concerns, especially if it takes some time to identify those impacted, as in the Marriott cases.

Work with forensic experts to track to determine what records were at risk.

Notification

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. You must notify the affected parties when personal information is involved. Check the laws in your state as well as the federal laws and consult with your legal team regarding your responsibilities.

What Are Your Company’s Responsibilities Following a Data Breach?

November 11th is Veterans Day… 

A day where we stand united to honor those who are currently serving and those who have served – those who sacrificed for the common good of our country. 

And for all they’ve done, we say thank you. 

Thank you to those who have and those who continue to place themselves in harrowing situations in the name of protecting our freedom. 

However you’re planning on spending the day, remember to take a moment to think about these exceptional men and women.

Veterans Day

For those who deserve our utmost respect… 

Weak Points in Cybersecurity Hackers Love

Do you know where hackers are most likely to gain access to your private data? Discover the favorite entry points and how you can stop them.  

Cybersecurity Threats

It seems like every week that there are reports of another massive data breach hitting the news. The number of users affected is almost unimaginable. Cybercriminals accessed 983 million records at Verifications.Io and 885 million records at First American Financial Corp., alone. Its scary stuff, but what’s even more terrifying is the majority of compromised companies never show up in the papers.

During the first half of 2019, there an average of 30 data breaches per day. So, how are hackers stealing so many records so quickly? They have their ways.

Four Places Cybercriminals Love to Steal Your Data From

1. Old Websites. The internet is a graveyard of abandoned and unprotected half-built sites which are the favorite hunting grounds for hackers who are on the lookout for easy and virtually risk-free hacking opportunities. Although it is true that most of these sites contain nothing more than a few email addresses and dummy accounts, every so often, a cybercriminal can strike goldmine. On occasion, legacy and demo sites for large businesses are still connected to the company’s servers and provide a nice backdoor to confidential data.

You can protect your business by completely removing old sites from online and limiting which sites have access to your servers.

2. Free Code. Many sites offer free code snippets that you can use for free on your website. All you have to do is download it and you can save hours of time and thousands of dollars. Good deal, right? Well, have you ever heard the Japanese saying, “There is nothing more expensive than something free?” When it comes to the code for your website, it is a motto you should take to heart. Using someone else’s free code for your company’s website could be the most expensive mistake you ever made. While clean, secure codes for free does exist online, the majority of what you will find is usually poorly written, and as solid as a sieve.

Stop hackers from using embedded backdoors in public code by not using it for mission-critical websites.

3. Unsecured Cloud Storage. Everyone is talking about the benefits of cloud computing and cloud storage, and it seems like businesses can’t wait to make the jump to working on the cloud. But before trusting your company’s confidential data to any third-party cloud storage solution, you better make sure the vendor has tight security. Many big-name companies like Facebook and Microsoft forgot to ensure their third-party vendors had the proper security, and the results were embarrassing and costly data breaches.

Carefully choose who you use for outsourcing and take an active role in protecting your data, even if it is hosted on a third-party’s server.

4. Unprotected APIs. Does your business use custom apps that utilize APIs? If the answer is yes, you may be exposing your confidential data to hackers without knowing it. While in-house app developers spend a great amount of time safeguarding your app itself, from exploits, the APIs you are using from an outside developer to power your app may be a gaping hole in your defense.

Review the end-user agreements for the APIs you use and conduct penetration tests to check for vulnerabilities.

In the end, protecting your data and the confidential information of your customers falls on your shoulders. No one can be perfect when it comes to online security, but every single business can do better.

Stop Hackers Cold: Eliminate These Common Entry Points

No matter how secure you may be right now, you could always be doing more. Have you double-checked your cybersecurity lately? Review the best practices below to strengthen your small business cybersecurity.

When everything is going well, the last thing you want to do is think about what will happen when something goes wrong. It’s not necessary to dwell on the potential for a security disaster though – you know that it’s a possibility, so let’s just leave it at that. What’s important about this is that you know to cover your bases.

Cybersecurity Small Business

No need to assume the worst – just plan for it, so you know you’re protected. As that old saying goes, “An ounce of prevention is worth a pound of cure”.

Do what you need to do to “prevent” now, so you don’t have to pay for the “cure” later.

Use A Firewall

Your firewall is your first line of defense for keeping your information safe.

A firewall is a particular type of solution that maintains the security of your network. It blocks unauthorized users from gaining access to your data. Firewalls are deployed via hardware, software, or a combination of the two.

A firewall inspects and filters incoming and outgoing data in the following ways:

  • With Packet Filtering that filters incoming and outgoing data and accepts or rejects it depending on your predefined rules.
  • Via an Application Gateway that applies security to applications like Telnet (a software program that can access remote computers and terminals over the Internet, or a TCP/IP computer network) and File Transfer Protocol Servers.
  • By using a Circuit-Level Gateway when a connection such as a Transmission Control Protocol is made, and small pieces called packets are transported.
  • With Proxy Servers: Proxy servers mask your true network address and capture every message that enters or leaves your network.
  • Using Stateful Inspection or Dynamic Packet Filtering to compare a packet’s critical data parts. These are compared to a trusted information database to decide if the information is authorized.

Train Your Staff

Your staff can have a significant effect on your cybersecurity – either they know enough to keep your assets secure, or they don’t, and therefore present a serious threat to your security.

So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your data secure?

If you’re not sure, then they may need training. Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

How Do I Train My Employees For Cyber Security?

A comprehensive cybersecurity training program will teach your staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.

Strengthen Your Passwords

Passwords remain a go-to tool for protecting your data, applications, and workstations.

They also remain a common cybersecurity weakness because of the careless way employees go about trying to remember their login information. Weak passwords are easy to compromise, and if that’s all that stands between your data in the cloud and in applications, you could be at serious risk for a catastrophic breach.

That’s why protecting your login processes with an additional layer of security – multi-factor authentication – is recommended. Multi-factor authentication requires the user to utilize two methods to confirm that they are the rightful account owner. It is an available security feature in many popular applications and software suites.

There are three categories of information that can be used in this process:

  • Something you have: Includes a mobile phone, app, or generated code
  • Something you know: A family member’s name, city of birth, pin, or phrase
  • Something you are: Includes fingerprints and facial recognition

Protect Mobile Devices

Implement Mobile Device Management and Bring Your Own Device policies that allow employees to use their own devices in combination with the business’ without compromising your security:

  • Require password protection and multi-factor authentication for mobile devices.
  • Deploy remote access software that allows you to locate lost/stolen devices, and remotely wipe their data if need be.
  • Develop a whitelist of apps that are approved for business data access.

And don’t limit yourself to desktops, laptops, and phones – there’s more out there for you to take advantage of. Have you considered what the Internet of Things and wearable devices can do for workplace efficiency? Now’s the time to get on board – up to 20.4 billion IoT devices will be online by 2020.

Manage Account Lifecycles And Access

This is one of the more basic steps on the list, but no less important. It can’t really be automated or outsourced to any technological aids; it’s just about doing the work. You need to have a carefully implemented process to track the lifecycle of accounts on your network.

  • Follow a careful system for how accounts are created for new members, how their security is maintained and verified through their life, and how they are removed when no longer needed.
  • Implement secure configuration settings (complex passwords, multi-factor authentication, etc.) for all accounts.
  • Implement controls for login and use, such as lockouts for too many unsuccessful logins, unsuccessful login alerts, and automatic log-off after a period of inactivity

Protect Your Wireless Networks

Wi-Fi is a necessary part of doing business. Your staff cannot go without it, so it becomes your responsibility to make sure it’s secured, simple as that.

  • Turn off broadcast so that your SSID is not available for others to see.
  • Use WPA2-Enterprise security, which forces per-user authentication via RADIUS for access.
  • Double-check your radio broadcast levels at default to make sure they don’t extend outside your building.
  • Create a Guest Network that’s segmented and has a limited bandwidth so that those visiting your building don’t have any chance of access to your data.
  • Monitor your network, and log events to track any activity by your employees and other contacts with network access.

Limit Unnecessary Physical Access

Your cybersecurity measures won’t amount to much if your laptops, tablets, smartphones and other devices are left out in the open for anyone to take.

It’s one thing for a cybercriminal to hack into your system remotely. It can be significantly easier if they’re doing so directly on a business device.

  • Keep business devices under lock and key when not in use.
  • Maintain a detailed inventory of who has authorized use for specific business devices.
  • Don’t leave the login information on a sticky note on the keyboard of the device.

Follow Payment Card Best Practices

If you accept payment through credit and debit cards, make sure to follow established security policies and practices to mitigate any potential risks.

  • Work with banks and other financial industry contacts to make sure you’ve implemented the right cybersecurity tools and anti-fraud services.
  • Double-check your compliance requirements for FINRA, GLBA, and SOX.
  • Segment networks involving a point of sales and payment systems from any unnecessary aspects of your IT infrastructure. No unnecessary software or web access should overlap with these systems.

Want To Drastically Enhance Your Small Business Cybersecurity?

Downtime is bad for business.

Whether you agree or not, it’s a fact – just a couple years ago, small businesses with up to 50 million in annual revenue reported that just a single hour of downtime cost them $8,600.

Computer Network Downtime

Why Does Downtime Cost So Much?

The main cost of downtime is not the fix itself, it’s the halt in your business’ productivity. If an IT-related or natural disaster occurs and takes critical systems offline, employees will be unable to complete their tasks, yet your normal business expenses will carry on.

During that time, you incur all the expenses of running a business without the revenue you would usually generate. Even if downtime does not grind everything to a halt, some of your staff will have to divert themselves from their normal work to mitigate the problem – again reducing productivity. Furthermore, while your systems are down, you can’t deliver services or sell products to current and potential new clients.

Not all of the costs associated with downtime have a tangible price tag. The trust of your clients and the reputation of your company are invaluable assets that can erode with prolonged or frequent downtime issues. A diminished reputation can negatively affect your future business opportunities.

Some downtime is inevitable, but much of it can be prevented and mitigated.

What Are The Primary Causes Of Downtime?

  • Power Outage: If your power source fails, that can lead to a long list of complications like servers going down and lost, unsaved data.
  • Cybercrime: Cybercrime has increased in recent years and is still on the rise. All it takes is one employee opening a malicious attachment and your business data could be held hostage.
  • Human Error: Accidentally unplugging key equipment, overloading the system, and improper installations can all cause downtime, but maintaining certain policies and procedures can cut down on human error.
  • Natural Disasters: Hurricanes, tornadoes, floods, and earthquakes happen. Having a plan for getting back to business if the unthinkable happens is the fastest way to recover.

What’s The Best Way To Prevent Downtime?

…by stopping it in the first place.

The best way to approach downtime prevention is proactively – you need to keep an eye out for system issues that can spiral into total stoppages. You need to implement backup technologies and best practices to prevent outages. You need to enhance your cybersecurity to protect against cybercrime.

Unfortunately, that’s a lot for you to handle on your own, especially when have other work to see to. That’s why a managed IT services company can be so helpful. They’ll provide 24/7 active monitoring of your systems, business continuity best practices and cybersecurity services that will keep costly downtime at a minimum.

 

Downtime Is Extremely Expensive – Can You Actually Afford It?

Businesses nowadays collect an incredible volume of data from various sources, including online sales, in-store-transactions, social media, and various other places.

So how do you find value in that data? The simple answer: Organizing it properly within worksheets.

Ready to unlock the potential of your data? If you want to analyze and make sense of the information you’re storing, here’s how…

Watch Our Microsoft Excel Tips and Techniques Video

In the video above, we teach you how to link several worksheets together within one workbook AND how to link data across multiple workbooks to:

  • Reduce errors
  • Save time
  • Improve data integrity

Click here to watch online

Questions? Feel free to reach out to us at any time.

Microsoft Excel Training

Microsoft Excel Experts SWEAR By This…

Don’t Be Confused When It Comes to Cloud Storage Options

Cloud storage helps your employees share and collaborate like never before. Check out these three popular cloud storage solutions to find the one best for you!  

Cloud Storage

Businesses are making the switch from physical servers to cloud storage to increase productivity and streamline file-sharing capabilities. This short review looks at three of the most popular cloud storage options, OneDrive, Dropbox, and Google Drive, comparing their storage capacity, file-sharing capabilities, and pricing.

All three of these cloud storage solutions offer various plans for both personal and business use. OneDrive and Google Drive also have options to bundle cloud storage along with access to online versions of standard office applications. In this review, we will look only at the lower-priced standalone cloud storage business solutions available from OneDrive and Dropbox and the Business and Enterprise solutions from Google Drive that do include access to GSuite applications.

OneDrive from Microsoft

OneDrive has two tiers of dedicated cloud storage. Plan 1 costs $60 a year and gives you 1 TB of cloud storage. You can opt for Plan 2 at $120 per year if your business has five or more users, and you need unlimited storage. OneDrive does not offer per month pricing. There is a 15 GB limit per individual file.

When it comes to collaboration, OneDrive shines. It is easy to access stored files directly from the Microsoft ecosystem of products, or use the built-in search and discovery tools to find the files you need. Share individual files securely with a link and set permissions to prevent unauthorized changes. Plan 2 also comes with upgraded security, including data-loss prevention, to help you to monitor and protect your confidential information.

Dropbox

Businesses with three or more users can choose either the Standard or Advanced business plan from Dropbox. The Standard plan comes with 3 TB of cloud storage and costs $150 a year or $15 monthly. The Advanced plan is $240 a year, or $25 monthly. With a file transfer limit of only 2 GB per file, Dropbox’s Standard plan may not fit your needs, but its Advanced plan does allow up to 100 GB transfers.

Many, but not all, popular business applications are already configured to connect with Dropbox. Users have the option to share files through a secure link or to use Dropbox Spaces to allow other employees access. Administrators can create private groups for members to share their work.

Google Drive

Google Drive offers a Business plan for $12 a month and an Enterprise Plan for $25 a month. Both come with only 1 TB of storage unless you maintain five licenses. Then you receive unlimited storage. The maximum size of an individual file is 5 TB.

Both plans let you share files with links, and admins can set security controls to manage file permissions. The Enterprise plan offers data loss protection and improved security options.

For most businesses, OneDrive makes the most sense. It is already optimized to work with the Microsoft applications you probably already use. The only major drawback is the 15 TB limitation on file transfers, but this restriction won’t affect most businesses.

Which Cloud Storage is Right For Your Business

Incredible Ways Technology Has Changed How We Do Business

How has technology transformed your industry? Explore 5 important ways technology has recently changed how we do business, delight customers and grow businesses  

Technology Transformation

It doesn’t matter which industry we’re in. Technology is a must. It makes things faster, safer and better when used right. It can propel our businesses and leave competitors in the dust. But many businesses are simply unaware of what’s out there and just how accessible it is to any size business. Here are five incredible types of technology that are completely reshaping how we do business.

1. Big Data Revolutionizes Data-Driven Decisions

As business leaders, we’ve always made decisions based upon the available data. But more recent advancements in data collection and analysis have made it easier and more cost-effective to gather data and put it to work. We can make smarter decisions about the direction of our companies where we once had to rely solely on gut instinct.

We can enhance customer experiences to not only increase sales but to raise that net promoter score, building trust, loyalty and powerful word-of-mouth.

2. We Reach Customers in More-Effective Ways

87% of purchases now begin online. This doesn’t mean they buy online, just that they found the product or service online.

Digital marketing technology is a business technology that has transformed how we connect with customers. We can now more precisely target audiences to enhance the relevance of our ads to specific customer bases.

Thanks to the pay-per-click model, we don’t pay for advertising that doesn’t work. And thanks to optimization tools we continually improve strategies to find what does work.

Digital marketing allows us to reach customers where they find new products and services through:

  • Search engines
  • Social Media
  • Review Websites
  • Influencers

3. Virtual Reality Gives Employees Real-World Training

From healthcare to aviation to manufacturing, virtual reality (VR) and augmented reality (AR) are helping schools and businesses train employees in very lifelike situations. Employers can help employees become more comfortable in likely scenarios by allowing them to experience it in an artificial environment first. They can learn how candidates may perform at their jobs before sending that job offer to get the best people into important roles.

4. Enhanced Business Continuity Tools Reduce Down-time

From more effective ways to keep business and customer data safe to data backup to re-routing of important functions to remote locations, advancements in technology are making it easier for businesses to both avoid disasters (physical and virtual) and keep moving when disaster strikes.

Developing a strategy, deploying tools effectively and putting a plan into action, of course, take know-how, but those involved in business continuity planning now have a wider range of tools for the business continuity tool belt.

5. Better Technology for Less Cost

It’s not news to anyone that technology gets cheaper the longer it’s in use. And by now many amazing technologies have been around long enough that they’re getting very affordable, even for small business. Yet, many businesses still aren’t taking advantage of them because they don’t know what’s out there.

That’s why it’s important to work with technology experts who can introduce you to technology you’ll find useful to cut costs, enhance productivity, delight customers and more. To learn more about how technology is disrupting every industry, follow our blog.

5 Ridiculous Ways Technology Transforms Your Industry

Happy Halloween!

What better time than now to tell some scary stories?

Happy Halloween

Ok, so they’re not “scary stories” per se, but facts that will alarm AND spook you.

Here’s Your Special Halloween Treat

Take action to protect against cybercrime. Hit the reply button to schedule your free cybersecurity consultation with us.

In the meantime, have fun this year, whether you’re taking the kids out trick-or-treating or heading to a few parties.

Have a great day!

Happy Halloween 👻

MSP Customer Communication Leads to Deeper Long-Term Retention

Discover why it’s important that your managed services provider develops a regular communications schedule with each customer and what messages to convey.

MSP Communication

Managed services providers (MSPs) know that customer retention is a critical element of business success.

Communicating with your MSP customers is a must. But knowing how, when and what to communicate makes a difference.

How Frequently Should We Communicate with MSP Customers?

The frequency of communication is as much an art as it is a science. There may be some customers, especially those who are new, in the midst of a major project or in the throes of strategic planning, when more frequent contact and communication is necessary.

Face-to-face communication is the most effective means of communication, allowing for both a better give-and-take and a clearer interpretation of body language.

Ideally, you’ll schedule at least monthly in-person communication with your customers, meeting both with principals and other employees to understand what’s working and what could be improved. This communication, which includes a healthy dose of active listening, helps your customers feel heard, valued and respected, even if it’s an informal conversation over coffee and doughnuts.

What Brings Value to MSP Customer Communications?

Your customers look to you as more than a service provider. You’re also a valued advisor. You want your communications to have several elements that can bring value to your customers and how they perceive their relationship with you. These do not need to be a sales pitch, and usually should not be, but rather opportunities to demonstrate your expertise and insights, including:

  • Identifying solutions before you’re asked. If your client has, for example, recently had several cyberattack attempts that were the result of phishing attempts, you may want to suggest a heightened approach to employee education, including campaigns that test their responses to sample attack emails.
  • Looking forward. You want to provide insights on technology trends, emerging solutions and challenges, whether it’s a new version of software, regulatory changes affecting their business or the sunsetting of an operating system. Providing information that helps the customer consider the possibilities is a compelling way to demonstrate your value. These conversations can often unearth concerns and priorities that previously were not expressed.
  • Find synergies and partners. Look for connections and introductions you can make among your customers. You can also identify opportunities for partnerships or bartering opportunities, such as working with a printing company client to produce signage and business cards in exchange for a discount on provided IT services.

Value-added conversations that help your customers think in new ways are a powerful way of deepening customer relationships.

What Points Are Worth Repeating to MSP Customers?

One of the greatest outcomes of better customer communication is the opportunity to reinforce high-value and valuable services that are already being used or possible. Your communication should regularly reinforce some of the core values of working with a managed services provider. Driving these points home helps to make renewals, upgrades and the purchase of new services much easier.

Those key points are small reminders of why it makes sense for your customers to work with you, including:

  • Cost savings. Produce and walk your customers through how their managed services are reducing costs through improved efficiency, fewer downtime costs, lower operational costs for data centers and reduced internal IT staffing
  • Predictable costs. Customers need to be reminded that a fixed monthly cost for a range of IT services — help desk, vendor management, storage, disaster recovery, cloud hosting and security — means more budget certainty and fewer unanticipated technology expenses.
  • Less downtime. MSPs should tout their reliability and the high levels of uptime for services and systems. While these may be contractually mandated, it’s still an effective reminder of how committed your company is to their business operability levels.
  • Insurance. People and businesses purchase insurance to protect what matters most. That’s one way to frame managed services: insurance for your most critical systems, operations, processes and data.

A strategic approach to customer communications pays major dividends with regular, trusted and valued discussions.

Communicate Consistently With Customers About Their Technology Needs and Your Value