Author Archives: Maria Koblish

Password Managers – 4 Reasons You Should Use One for Your Medical Practice

Are you considering using a password manager?

When you think about it, a password can be the barrier that stands between a hacker and your important data, patient information, or even unwanted entry into your medical practice’s network.

Sure, there are several things you can employ to make it harder for cybercriminals, including multi-factor authentication. But the password is the primary obstacle.

 

Too many passwords to remember

Many people are aware they need to be creating and using complex passwords – but in reality, many aren’t doing this. Why?

Most business workers have to juggle numerous passwords just to maintain their job functions. Add to that all the other passwords they have to keep in mind from outside of work, and that typically equates to a large number of credentials to memorize.

Practice managers and physicians have a high responsibility to ensure they have hard-to-penetrate accounts and computers. Their systems have all manner of sensitive data, such as patient histories, medical billing information, personally identifiable information (PII), and more. You don’t want any of these getting into the wrong hands.

It’s no wonder password managers are gaining popularity. A password manager is an application that securely stores your passwords.

 

Here are 4 reasons why you might consider using a password manager for your medical office.

 

1. Password managers enable you and your staff to effortlessly wield complex passwords

When you have to memorize a password, many people will use strings of words or things they can remember – passwords a hacker may be able to overcome with time or ingenuity.

With a password manager, you can use a computer-generated string of unrelated characters that can be nigh impossible to beat.

Medical practices can be big targets for cyber criminals. Stronger passwords across the board can help harden your overall cybersecurity.

2. Password managers can help cut down on password sharing

Do your staff members share passwords? This study regarding sharing credentials in electronic medical records seems to indicate that it may very well be an issue. Over 70% of respondents in that survey indicated they used a password from a fellow medical staff member.

With proper use of a password manager, your staff can be more confident in using their own credentials for EMR and other medical areas and functions.

3. Password managers help users maintain unique passwords for each of their accounts

As you get your staff (and yourself) to start using more complex passwords, you may start to reuse these complex passwords across more than one account because it’s just so hard to remember these longer passwords. This, of course, is not recommended.

If a cyber criminal gets a hold of one of these passwords on the dark web or through some other means, they would be able to access your other accounts where you recycled the password.

By using a password manager, you can keep a completely unique set of passwords.

4. Less fumbling for passwords and password resets

It’s inevitable. You forget a password. At the most inopportune moment.

You try several incorrect passwords. Perhaps you lock yourself out of the account.

A password manager can simplify the process and allow you to remember just one set of credentials for all your work. As you go through your day and need to access multiple systems and applications, you can do so more confidently and securely, with fewer hiccups.

 

With great convenience comes some risk

Thinking about using password managers for your medical practice?

A password manager can certainly be a boon to your practice. But, as they say, be careful when you put all your eggs in one basket.

Be sure to have a very secure password for your password manager account. And, of course, make sure you can remember this master password and associated security keys.

If you do lose access, there should be a password reset feature, but it can be a bit of a headache.

 

Ready to use a password manager?

There are multiple password manager applications to choose from, and browsers can have their own. These can certainly make it easier to navigate through your day-to-day at your practice, but be sure to weigh the risks and keep the drawbacks in mind as you evaluate whether to use password managers.

Whichever way you go, just remember that good passwords are paramount to the health of your practice’s network.

Business Email Compromise Schemes: 5 Ways to Stay Safe From Them

Business email compromise schemes sound like something you’d never fall for. But it happens. A lot.

Business email compromise (or BEC) occurs when a scammer targets a business or individual in order to fraudulently transfer funds. The scammer grooms the victim via email, sophisticated social engineering, and pressure. This grooming process can continue over a couple of days or even weeks. The scammer eventually attempts to fool the victim into transferring funds into the wrong hands.

It’s happening to businesses, large and small. And there are no signs of it slowing down.

First, what is social engineering?

Social engineering is one of the keys to the success of these BEC schemes.

In order for many types of fraud to work, a type of deception known as social engineering is employed. The criminals have done their homework, and they know the ins and outs of your industry and even your particular business.

The BEC emails can look like they’re coming from a trusted business partner, a co-worker, or even the CEO of your company!

These BEC emails can have language that jibes with your industry and work function. The images, names, and even email addresses may look genuine. Thus, if you’re in a hurry, multi-tasking, or otherwise preoccupied, you may be susceptible to a BEC scheme if it hits your inbox.

It can take a keen eye, patience, and a healthy dose of skepticism to stop BEC dead in its tracks.

 

Increased use of cryptocurrency in Business Email Compromise schemes

The FBI released a public service announcement on their Internet Crime Complaint Center website regarding their observance of increased complaints involving business email compromise schemes and cryptocurrency.

What is cryptocurrency? According to the FBI’s public service announcement:

Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.

In the article, the FBI mentions cryptocurrency first started to be identified with BEC schemes in 2018 – this involvement continued to rise through 2019, eventually reaching record highs for reported numbers in 2020.

At the end of the public service announcement, there are multiple suggestions for protecting against these business email compromise scams, all of which are applicable to just about any type of financially motivated cybersecurity scam.

Below are some key takeaways from that list.

 

Business Email Compromise (BEC): 5 ways to protect yourself against this menace

1. Check that URL

If there’s a link in a questionable email, make sure the URL is genuine and associated with the business. Sometimes it’s easy to tell if the email or URL are fake – it may contain unrelated words or even gobbledygook. If the URL seems genuine but you’re not sure, don’t click on the link and try to go to the site directly. You can also consult with your IT department or Managed Service Provider before taking further action.

2. Avoid providing sensitive information via email

Emails that request login information are typically fraudulent – even if they look like legitimate communication. Remember, social engineering can mask fraud attempts, making them appear to be something from your line of business or directly from your co-worker, industry partner, vendor, or boss. Email spoofing can certainly make it difficult to discern what is legitimate, as an email can very well appear to be really coming from your partner or co-worker.

3. Take advantage of two-factor authentication

Utilize two-factor or multi-factor authentication as an additional verification method for account changes. These measures are certainly becoming more prevalent as an extra layer of cybersecurity to combat increasing fraud. Remember, although there’s no single piece of hardware or software that can defend against all threats, using multiple layers of security can help thwart even the most focused cyberattacks.

4. Regularly review your financial accounts

Not monitoring your accounts? It’s a good idea to do so. Check for anomalies – like missing deposits – to ensure nothing fraudulent is going on. As soon as you see something odd, follow up with it immediately. Don’t put off something like this.

5. Be aware!

Awareness of potential attacks like business email compromise – and other tactics and threats, like ransomware, phishing, malware, email spoofing, and more – can go a long way toward protecting your business from fraud. Ensure you and your staff stay up to date on the latest types of attacks. And always think before clicking.

 


 

Read the FBI public service announcement to learn more about business email compromise schemes, the involvement of cryptocurrency with BEC, additional tips for protecting yourself against scams like this, and some suggestions if you fall victim to a scam.

Warning: Airline Booking Scams

With summer approaching and with more and more people getting vaccinated, it’s inevitable that the travel industry will get a jump-start.

But beware of airline booking and travel scams.

Cybercriminals are opportunists, and they will jump on any trend, whether it be a specific holiday or the emergence of a new season.

One of our team members recently got an email confirmation for tickets he booked at a major airline… Sounds exciting, right?

Only thing is, he didn’t book the tickets.

4 things to look for when examining potential airline booking scams

While the fact he didn’t book them is reason enough not to click on any links or otherwise interact with this piece of communication, there are other signs the email is fraudulent.

  1. URL
    The URL is a convoluted version of the actual airline’s web address. This is a huge red flag. If you’re unsure if the URL is correct, don’t click within the email. Open your browser and search for the specific airline’s website.
  2. Nonsense
    When unsure about an email, look for any nonsensical things. The email is pretty clean, with no misspelled words or blatant grammatical errors. However, the disclaimer at the bottom doesn’t make any sense. It states the email is a “customer opinion survey” designed to help the company better serve its customer. This is not something that would be seen on an airline booking confirmation email.
  3. Attachment
    When you get an email with an attachment – especially when the email is unsolicited – be extremely cautious. This particular email had a Word document attached, so that is a huge red flag. Official receipts are typically not sent in a Word document file. In fact, Word documents and other Microsoft Office files are a popular vehicle for macro malware.
  4. Branding
    Yes, the fraudsters have done a good job of mimicking the branding. Graphics and logo look genuine. But a quick trip to the company’s website (typed directly in a browser, of course, and not via any clicking with the email!) and you’ll see the website has a new branding style. The one in the email looks like it’s a generation or two behind. Not exactly an easy thing to notice, but an astute eye can assist in this discovery.
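
The URL check described above (and in "Check that URL" in the business email compromise article) can be automated for a mail gateway or a reported-phish mailbox. The sketch below is an added example, not part of the original article: it pulls every link out of an HTML email body, compares the host the link really points to against a list of domains you trust, and flags links whose visible text names a trusted site while the target is somewhere else. The domain `airline.example` and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains your organisation really deals with (constructed here).
TRUSTED_DOMAINS = ("airline.example",)


def host_of(url):
    """Hostname a browser would connect to (lower-cased), or "" if unparsable."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""


def on_trusted_domain(host, trusted=TRUSTED_DOMAINS):
    """True only for a trusted domain itself or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(href, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' (brand name on a foreign host) or 'unknown'."""
    href = href.strip()
    host = host_of(href)
    if not host or not href.lower().startswith(("http://", "https://")):
        return "unknown"
    if on_trusted_domain(host, trusted):
        return "trusted"
    # The brand appears in the host, but the host is not on the real domain.
    brands = {d.split(".")[0] for d in trusted}
    return "lookalike" if any(b in host for b in brands) else "unknown"


def text_claims_trusted(text, trusted=TRUSTED_DOMAINS):
    """True if the visible link text is itself a URL on a trusted domain."""
    if not text or " " in text or "." not in text:
        return False
    url = text if "://" in text else "https://" + text
    return on_trusted_domain(host_of(url), trusted)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append((self._open[0], self._open[1].strip()))
            self._open = None


def review_email_links(html_body, trusted=TRUSTED_DOMAINS):
    """Classify every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html_body)
    collector.close()
    report = []
    for href, text in collector.links:
        verdict = classify_link(href, trusted)
        report.append({
            "href": href,
            "text": text,
            "verdict": verdict,
            # Text shows the real site, but the click goes elsewhere.
            "text_mismatch": verdict != "trusted" and text_claims_trusted(text, trusted),
        })
    return report


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Your booking is confirmed.</p>
<a href="https://www.airline.example/manage">Manage booking</a>
<a href="https://airline.example.ticket-confirm.test/view">www.airline.example/view</a>
<a href="https://airline-receipts.test/r/1">View receipt</a>
<a href="https://unrelated.test/survey">Customer survey</a>
"""

if __name__ == "__main__":
    for row in review_email_links(SAMPLE_EMAIL):
        print(row["verdict"], row["text_mismatch"], row["href"])
```

A "lookalike" or "text_mismatch" result is a reason to quarantine the message or route it to IT for review; an "unknown" result only means the host is not on your list.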

 

What Data Availability Means and How Your Business Can Achieve It

Maintaining data availability is essential for most modern organizations today. Luckily, by following data availability best practices, your modern business can take advantage of all the benefits sufficient data availability delivers. Learn more here about what data availability is, why it’s important, and how modern businesses can achieve it to align with consumer demands and stay secure.

What is Data Availability?

Data availability is the process of ensuring that data is available to end-users and applications, when and where they need it. Availability has to do with the accessibility and continuity of information, thus accessibility is a key component. It defines the degree or extent to which data is readily usable along with the necessary IT and management procedures, tools, and technologies required to enable, manage and continue to make data available.

Why is Data Availability Important?

Data availability is critical to your business and its reputation with customers. If consumers can’t access your online presence due to a deficit of data availability, they’ll likely go to a competitor’s site.

Ensuring sufficient data availability is also a smart financial move. Every moment that you’re down, not only do you incur the obvious costs to your business (customer loss, reputation damage, etc.), but it also costs your employees time since they can’t get their work done. In fact, studies point to the cost of data center outages being as much as almost $8,000 per minute!

Data Availability in Cloud Computing

It might seem odd to think critically about availability in a cloud scenario as we might presume the cloud has endless capacity. After all, isn’t cloud computing a solution to availability problems?

Yes and no. Virtually all cloud providers use effective data backup and restore solutions, but backing up and restoring data is only part of what you really need. Availability is a different area of focus, as this is needed before storage can happen.

When you’re selecting a cloud provider and service package, you must first define the value of service availability to your business. Here are some questions to consider:

  • Is it better to lose the data permanently or have it fall into the wrong hands? This is a balance between availability and confidentiality.
  • Is keeping the data tamper-free more important than unplanned data loss? The answer helps you decide whether to focus on integrity or availability, or to balance between them.
  • Are all of these decisions unacceptable, and I need absolute confidentiality, integrity, and availability? If so, plan on spending time and money to make that happen. Such comprehensive no-compromise solutions are rarely cost-effective, even in a cloud scenario.
  • How long can my company operate without access to cloud data and services? This question gets right to the point. If the cloud is down, does that result in a minor inconvenience or a profit-shaking catastrophe? Would you gladly risk your data going public in order to get access restored?

Top Tips for Achieving Data Availability in Your Business

To help achieve sufficient data availability in your business, follow these best practices below:

Have a Plan

Maintaining data availability should be a central element in your company’s disaster recovery and business continuity plan. This should include RPO (recovery point objective) and RTO (recovery time objective) targets that define, respectively, exactly which data must be restored, and when it must be accessible, for operations to resume after a disruption.

Utilize Redundancy

Having backup copies of your data ensures that the failure of a storage component, or the deterioration of stored data over time, won’t result in permanent loss of the information.

Eliminate Single Points of Failure

You should not only have multiple copies of your data, but also multiple access routes to it so that the failure of any one network component, storage device, or even server won’t make the data wholly inaccessible.

Institute Automatic Failover

When an operational disruption occurs, automatic failover can ensure continuous data availability by instantly swapping in a backup to replace the affected component.

Take Advantage of Virtualization

Since storage system functionality is accessed through software and is independent of the underlying hardware, you are less vulnerable to component failures or operational disruptions in a local facility.

Use the Right Tools

Rather than attempting to increase data availability in your IT infrastructure through home-grown initiatives, employ tools specifically designed for that purpose.

Data Availability Metrics You Should Be Monitoring

There are a few essential metrics to monitor when evaluating the data availability of your operations:

1. Security Alerts

Availability isn’t just about application monitoring and recovery – it’s also about ensuring your information is protected. If you aren’t monitoring security alerts and warnings, your applications may be running perfectly while your intellectual property is being stolen.

2. Idle Connections

Idle connections suck up resources and threaten to fill database pools, congest networks, and stymie performance. Furthermore, idle connections can indicate a problem in the application layer or database configuration.

3. Long-running Queries, Commands, or Jobs

This applies not just to database queries or jobs, but also to commands and backups. These types of digital actions can be an indicator of poor system health, slow disk speeds, CPU or other resource contention, or even deeper systematic problems.

4. Disk Input/Output

Disk I/O typically refers to the input/output operations of the system related to disk activity. Tracking disk I/O can help identify bottlenecks, poor hardware configurations, improperly sized disks, or poorly tuned disk layouts for a given workload.

5. Memory

Memory monitoring goes beyond measuring and looking at space that’s either free or used. Monitoring memory helps you look into traffic jams or leaks, identify improperly sized systems, and understand loads and spikes. In addition, knowing about memory-intensive patterns can help you anticipate availability demands.

6. Disk Space

Disk space monitoring is available in many forms, and utilizing it as a metric can prevent unnecessary problems and costly last-minute scrambles to add more space.

7. Errors and Alerts

Errors, alerts, and recovery messages in the logs are another good metric to consider. Adding log monitoring for FATAL, PANIC, and key ERROR messages can help you identify issues that your availability solution is frequently recovering from, such as database crashes, application panics or core dumps, or fatal errors requiring a cold restart.

8. Recovery Numbers

Similar to monitoring errors and alerts, the recovery numbers can tell you a lot about the quality and status of your system’s availability. If you are averaging more than one application recovery per week, you’re likely experiencing something more than your normal availability protection.  And while the recovery was successful in restarting your application or system, too many of these false or even real recoveries aren’t normal and should be investigated.
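
Metrics 7 and 8 can be pulled from the same log stream. The sketch below is an added example, not part of the original article: it counts FATAL, PANIC, and key ERROR messages and flags any system with more than one recovery in a calendar week (a weekly count standing in for the average mentioned above). The log format, the "recovery complete" marker, the list of key error phrases, and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed line format: "<ISO timestamp> <LEVEL> <system> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(\w+)\s+(\S+)\s+(.*)$")

ALWAYS_COUNT = {"FATAL", "PANIC"}
# Assumption: which ERROR messages count as "key" for this environment.
KEY_ERROR_PHRASES = ("disk full", "corrupt", "connection refused")
# Assumption: text the availability tooling writes after a successful recovery.
RECOVERY_MARKER = "recovery complete"
MAX_RECOVERIES_PER_WEEK = 1  # threshold taken from the article


def parse(lines):
    """Yield (timestamp, level, system, message) for well-formed lines only."""
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines instead of failing
        ts, level, system, message = match.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), level.upper(), system, message


def summarize(lines):
    """Count watched severities and recoveries per (ISO year, ISO week, system)."""
    severity = Counter()
    recoveries = Counter()
    for when, level, system, message in parse(lines):
        text = message.lower()
        if level in ALWAYS_COUNT:
            severity[level] += 1
        elif level == "ERROR" and any(p in text for p in KEY_ERROR_PHRASES):
            severity[level] += 1
        if RECOVERY_MARKER in text:
            iso = when.isocalendar()
            recoveries[(iso[0], iso[1], system)] += 1
    investigate = sorted(k for k, n in recoveries.items() if n > MAX_RECOVERIES_PER_WEEK)
    return {
        "severity": dict(severity),
        "recoveries": dict(recoveries),
        "investigate": investigate,
    }


# Constructed sample log (not real output from any product).
SAMPLE_LOG = """
2024-03-04T02:14:09 FATAL db01 database crashed: out of memory
2024-03-04T02:14:41 INFO db01 recovery complete: database restarted
2024-03-06T11:02:10 PANIC db01 application panic, core dumped
2024-03-06T11:02:55 INFO db01 recovery complete: database restarted
2024-03-07T09:30:00 ERROR app01 request timed out
2024-03-08T16:45:12 ERROR db01 disk full on /var/lib/data
2024-03-12T03:00:01 INFO app01 recovery complete: service restarted
garbage line
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    print("Severity counts:", result["severity"])
    for year, week, system in result["investigate"]:
        print(f"Investigate {system}: repeated recoveries in {year}-W{week:02d}")
```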

Ensure Data Availability With Help From Thrive!

Ample data availability can have a direct impact on your business’s bottom line. To ensure your data is consistently available at the required level of performance, during the typical business day or a disaster, you need a cloud solution that’s a perfect fit for your unique organization.

For all your data availability needs, turn to the experts at Thrive! Whether you need a safe and affordable journey to the cloud, or are looking to migrate your data to a CJIS-compliant data center, look no further than Thrive. Contact us today!

Data Backups: 4 Reasons Why They Are Essential for Your Business

Data backups are important these days.

But before we talk about data backups, let’s answer this question: what is data? It can be your customer and patient information, QuickBooks numbers, sales analyses, product photos, videos – all the various files and bits and pieces that essentially comprise the lifeblood of your business.

Losing it can be detrimental in a number of ways, from relatively minor annoyances (accidentally deleting important work and having to backtrack) to potentially business-ending catastrophes (data breaches and theft of customer data and information).

And then there’s Mother Nature and the mortality of hardware. An unexpected flooding, natural disaster, or even sprinklers ruining your equipment could be back-breaking without any backups to restore.

Read on to see why data backups are so important in this digital age.

1. Cybersecurity risks

You hear about it in the news all the time: cyber attacks causing havoc on businesses of all sizes the world over.

Whether it’s through social engineering, phishing emails, business email compromise, ransomware, brute force attempts, or any number of attacks, hackers are after your data, plain and simple.

Cleanup after a successful attack can certainly be costly. But there are other costs, both monetary and otherwise, that business owners may not be thinking about. These include compliance violations, losses due to downtime, and a hit to one’s reputation.

The sheer number of ways your network can be attacked makes it difficult to anticipate what can come. But awareness of the threats and trends, good digital hygiene, and layered cybersecurity can all help minimize the risks.

And having good backups can be one of the best ways to deal with cybersecurity threats. After a successful attack, you will have the option to essentially go back in time and restore a stable version of your data – and get back to business!

2. Natural disaster

Human adversaries may pale in comparison to the sheer destructive capabilities of Mother Nature.

A tornado, earthquake, or other calamities may befall your facilities, and your computers may be completely destroyed. This possibility underscores the need to have not just backups, but also off-site replication. If your backups are in the same location as your data, that data can be destroyed at the same time.

In the unfortunate event of total disaster, if you have backups off-site, you’ll be able to restore your data and systems to new hardware.

3. Hardware failure

Don’t overestimate your computers and hard drives.

They aren’t invincible.

Business-critical functions, customer data, and your staff’s work can be lost if a key piece of hardware decides to finally fail.

Having your data backed up can be the perfect “insurance policy” for your computers and hardware.

4. Human error

We’ve all done it.

Accidentally deleted files. Botched an update (or neglected to do one). Caused irreparable damage to an actual piece of hardware.

Humans aren’t perfect. Backing up your important data can be the perfect failsafe for potential blunders. And blunders will happen.


 

Ready to get on the path to good data backups?

With so many ways for data to get damaged, deleted, or outright destroyed, it’s important for businesses of all sizes to consider data backups.

Getting on the path of data backups is just the first step. You’ll also need to ensure you use the correct type of backups.

As mentioned above, off-site replication is critical to ensuring your data doesn’t get wiped out in one fell swoop. And backup verification is crucial. You must be sure all that data you’re backing up is error-free and ready to go should you need it.

You’ll want to develop an action plan for data recovery for your business, outlining a list of possible threats, your IT assets, policies, contingency plans – basically, what you need to take care of when disaster strikes.

Because there are numerous variables to contend with and options to consider – and careful, comprehensive planning to make – many business owners are choosing managed data backups from a good managed service provider.

Get help from the data backup experts at Thrive

Thrive is an experienced MSP. We’re nationally recognized and have many years of focusing on data backups for small and medium businesses. By honing our skills in SMB and within select industries such as healthcare, manufacturing, legal, and finance, we know the ins and outs of not just data backups, but also compliance and other related, significant matters.

Ready to learn more about managed data backups? We’d love to help! Contact us today for a free backup consultation.

How Government Agencies Can Benefit from DPaaS

With growing concerns regarding data loss, an increase in the need for data backups, and complex compliance requirements for government agencies, the global data protection as a service (DPaaS) market is expanding.

While the popularity of DPaaS continues to grow among managed service providers, government agencies are also realizing that DPaaS offers numerous advantages when providing secure IT services for internal organizations. To fully take advantage of this service, continue reading below to learn more about what exactly DPaaS is, why the market is rapidly expanding, and how government organizations can harness its value for the best results.

Why is Data Protection Essential for Government Agencies?

The current IT landscape is constantly evolving, with malicious attackers continually devising new ways to attack. Data protection safeguards data from compromise, loss, or corruption, which could include virus and malware attacks, identity theft, scams, and more. Since government organizations may contain sensitive information that is not intended for the public, a security breach could put the privacy of officials, clients, and sensitive data at risk.

With ever-expanding advancements in data protection technology, malicious attackers are also developing new ways to compromise information. In the first six months of 2019 alone, data breaches exposed 4.1 billion records. Since then, the need for data protection has only grown more apparent. With the COVID-19 pandemic further accelerating cyberattacks and data breaches, government organizations need the best protection to prevent a potentially devastating attack. A recent survey found that almost half (46%) of global businesses have experienced at least one cybersecurity incident since moving to a remote workforce due to COVID-19 lockdowns, while the FBI has reported that the number of attack complaints in their Cyber Division has reached as many as 4,000 a day – a 400% increase from pre-COVID-19 months. With malicious software continuing to grow as a threat, government agencies need continuously comprehensive data protection to prevent the risk of data being compromised.

What is DPaaS?

Data protection as a service (DPaaS) is what it sounds like, a cloud-based service for protecting organizational data. With DPaaS, organizations can secure archival data for long-term retention requirements and enable quick data recovery in the event of a disruption to avoid business interruption. The service also provides enhanced security and stability for when your data is most vulnerable.

When compared to buying storage hardware and paying to keep it operational, DPaaS is an affordable option. Organizations pay a monthly subscription for the peace of mind that they have everything they need to recover their data.

How Does DPaaS Work?

DPaaS can secure sensitive information by creating copies of the data and storing it in a separate location. This can include online in the cloud, or through an external device. Providers offering DPaaS may also include additional options to enhance data protection, including VPNs, firewalls, system health monitoring, incident response, and audits.

DPaaS is ideal for organizations facing the following challenges:

  • Backups often fail
  • Backup windows often run into the next day
  • Multiple backup solutions need to be managed
  • Backup space constantly needs to be freed up

The umbrella of data-related as-a-service offerings includes disaster recovery as a service (DRaaS), backup as a service (BaaS), and storage as a service (STaaS). These services offer government organizations the protection they need in an increasingly unpredictable world.

Top Drivers Growing the DPaaS Market

The DPaaS market is predicted to have accelerated growth as more organizations accept the cloud and services-based storage options, as well as the continued operational challenges due to malicious attackers. The service is predicted to reach nearly $29 million by 2022, with a CAGR of 31.5% from 2016 to 2022. Several drivers of the growing global data protection services market include growing concerns of data loss, the increasing need for data backups, and the integration of recovery and backup services.

Data loss due to disruption can be devastating for government organizations in terms of costs, and the consequences from lost sensitive data. DPaaS offers tools that can prevent loss and mitigate disruptions if they indeed occur and makes retrieving earlier versions of files much more efficient when compared to traditional backup methods.

These advantages have led to the increasingly rapid adoption of cloud computing and the soaring of the DPaaS market to be a $46 billion industry by 2024. As more organizations desire management and high scalability for their services, the DPaaS market will only grow.

DPaaS Benefits for Government Agencies

Government agencies, in particular, have much to take advantage of from DPaaS services. Here are some of the benefits of choosing DPaaS for government solutions. By encompassing backup and disaster recovery, data protection, and storage, DPaaS allows for a resilient data protection approach that can be scaled as your demands evolve.

Faster Backup & Recovery Process

Whether it’s due to a natural disaster, or a malicious human actor, disruptions are inevitable. When they do happen, government agencies need to be back up and running in no time! One of the most valuable benefits DPaaS delivers is a quick and resilient backup and recovery process to avoid extended downtime. Hosted cloud backups run continuously, enabling an accurate and quick backup when needed.

Reduced Overall Costs

When budgets are tight and you need to optimize what funds you have available for IT, you want to prioritize the areas that need it most. Choosing DPaaS as a cloud-based solution from a trusted advisor is an efficient and budget-friendly option. Instead of having to allocate large portions of funds to keep off-site facilities operational, DPaaS only requires a monthly service fee charged by a provider who manages the operation – freeing up your own internal team.

Enhanced Data Protection

Choosing DPaaS services from a trusted provider allows your government organization to take advantage of resilient and agile data protection. In today’s IT climate, managing data protection is essential, but many internal teams can be overwhelmed when balancing data protection and the organization’s own strategic initiatives. Being overworked or understaffed in IT makes your entire agency vulnerable.

Depending on what your unique needs are, your DPaaS strategy can include everything from:

  • Both local and remote storage hardware
  • IT support
  • Licensing
  • Regularly scheduled test restores
  • System health monitoring
  • Incident response (failed jobs)
  • Request response (restores)
  • Software and hardware upgrades
  • Co-management
  • Immutable copies to prevent data loss
  • Reporting
  • Audits to ensure all data is protected

Additionally, choosing a DPaaS provider not only allows your government organization to enjoy secure data protection, but also receive the expertise and vigilance of IT professionals who can help with compliance concerns and expert advice regarding your data.

Leverage DPaaS Powered by Thrive in Your Government Agency!

Thrive has been supporting government agency IT needs for years. Thrive’s Data Protection as a Service offering provides backup and restore capabilities of your data that are integral to your organization, including physical, virtual, NAS, Office 365, etc. Wherever you store your data – on-site, off-site, in the private or public cloud, or even in hybrid environments – Thrive can deliver the protection you need. For systems of all sizes, Thrive ensures ready, reliable access to your sensitive information.

For more information on how Thrive can provide your government organization with the data protection you need for today’s ever-evolving IT environment, contact our team of experts today.

5 Key Priorities for Technology in Social Housing

Transforming The Role of IT

There is definitely a need for both the perception and the role of IT to change in organisations with a greater focus on the ‘digital’ agenda rather than a traditional IT management ‘cost centre.’ It is believed that IT needs a mantra of ‘digital first.’ They have to work closely with the business to identify disjointed processes and develop ways where a digital thread can connect teams and information together to drive far more efficient ways of working.

The IT teams need to be focused on creating a foundation infrastructure that is agile and fit for purpose and that will enable their organisation to change at pace in adopting new technology that can have a transformational impact.

Accelerate Cloud & SaaS Adoption

Whereas many social housing organisations have already adopted a ‘cloud first’ approach, the migration to cloud needs to accelerate. There is a need for a clear plan for cloud that breaks the perpetual cycle of ‘capital purchase’ and moves organisations forward to a scalable and flexible utility model where they purchase IT infrastructure on a consumption model.

This plan is likely to embrace a hybrid cloud model where some legacy systems are migrated to private cloud environments while the public cloud is utilised for new applications and to provide additional capacity and capabilities.

Core Infrastructure & Security

The move to cloud, combined with the fact that post-pandemic we will have a more virtualised workforce, is driving the need to address core network infrastructure to ensure that digital services can be delivered where they are needed.

Social Housing organisations will need to embrace the new software-defined world where services are more agile and can adapt faster to required change. SD-WAN will play a key role in linking decentralised functions, and cloud-managed wireless networks will enable estates to be connected to drive digital inclusion and support field-based workers.

Embracing Strategic Partnerships

There was recognition from all those spoken to that it is not possible to drive the rapid change needed alone. Forging strategic partnerships with managed service providers is key in order to inject specific expertise when required and to augment often small internal teams with the skills and capacity to execute change programmes.

Having the right partners in place is key and these partners need to have invested the time to truly understand the business and bring with them the important experience of working in the Social Housing sector.

Placing ‘Agility’ First

We have learned a significant lesson in 2020 and that is the need to be agile. What has been proven over a roller-coaster of a year is that rapid change can happen, processes that were believed to be ingrained in the organisation can be adapted at pace and new more efficient ways of working can be adopted.

The level of agility that has been shown in 2020 should not be lost when our world re-emerges from the pandemic. We should continue to have the same level of ambition and match this with an appetite to change and maximise technology to enable us to be agile.

What Factors Are Hampering Digital Transformation In Social Housing?

When creating our recent report on ‘The Future of Technology within Social Housing’, the people within the sector we spoke to all had an appetite for change and clear views on the critical role that technology will play in digitally transforming the sector.

Some of their thoughts and collective vision were outlined in our previous blog ‘5 Predictions for the Digital Future of Social Housing’ which definitely sets out a path of exciting times for the sector. However, there are a number of factors that we identified in our research that are hampering progress and slowing the pace at which digital transformation can be achieved.

The consensus of those we spoke to is that the sector is not moving fast enough to embrace digitalisation and maximise the full potential impact of the technology available. Many factors are hampering progress, starting with the executive vision and cascading all the way through to the legacy infrastructure currently in place.

Executive Vision & Direction

Change is not something that just happens; it must be driven by clear vision, it needs ‘buy-in’ from all involved and people need to be missioned and resourced to effect change. Traditionally, IT has been seen as a cost centre across the Social Housing Sector and has not had a ‘strategic’ seat on the top table. As a result, IT spend is determined by the savings it can make within its function rather than being viewed in terms of the positive impact it can have on the wider organisation and service delivery.

Aversion to Risk

A common theme running through our consultations was that the Social Housing sector is inherently risk averse. While some of this stems from the origins of the sector and the need to carefully manage costs and deliver immediate value for money, a string of failed technology projects across the public sector has also led to a more cautious approach. Although the sector does not need to be at the bleeding edge of technology innovation, it does need to be bolder in making technology decisions. A more balanced evaluation of risk is required that considers level of investment, potential risk but, more importantly, what the investment will enable you to achieve.

Legacy Infrastructure

It is felt that legacy infrastructure in place within the social housing sector is now fundamentally holding back the digitalisation of the sector. A consultant operating in the sector speaks of 9 out of 10 issues they come across pointing back to failings in legacy infrastructure that is neither agile, nor capable of coping with the demands being placed on it. New applications are being loaded onto servers that simply do not have the power to support these and legacy networks do not have the capacity to flow the amount of data required around the organisation. Creating the scalability and agility in the underlying infrastructure is critical to enable digitalisation.

Lack of Application & Data Integration

It is often said that organisations are data rich but information poor, and this is a sentiment we found within social housing. Many organisations are utilising a diverse range of applications that operate in non-integrated silos. This means that data is fragmented and cannot flow seamlessly across the organisation, which is critical to digitalising tenant engagement and automating processes. There is a very real need to focus on data, creating digital threads across the organisation and turning data into insights that can effect change.

IT Mission, Mindset & Capability

Probably the most fundamental area holding back the digital journey in social housing that came out of our study relates to IT mission, mindset and capability. One of the participants spoke of the sector having more ambition (to improve services and systems) than it has the capacity and capability. There is a view that IT needs a new ‘mantra’: a mission and mindset that moves from just ‘keeping the lights on’ to one that is focused on digital innovation.

The Social Housing sector is at a critical crossroads that it cannot ignore. To move the sector forward and achieve their aim of meeting the demand for decent homes, they need to embrace digitalisation but in order to do this, they must first address those factors that are currently holding them back.

FBI Releases Annual Internet Crime Report, Outlines Record-Breaking Year of Cybercrime Complaints and Losses Amid Pandemic

The 2020 Internet Crime Report was recently released by the FBI’s Internet Crime Complaint Center.

The Internet Crime Complaint Center, or IC3, provides a way for the public to report Internet-enabled crime to the Federal Bureau of Investigation, and to also provide awareness to both the public and law enforcement.

This latest annual crime report unsurprisingly delves into the effects the global pandemic had on worldwide cybercrime activity. From the report’s introduction:

“In 2020, while the American public was focused on protecting our families from a global pandemic and helping others in need, cyber criminals took advantage of an opportunity to profit from our dependence on technology to go on an Internet crime spree. These criminals used phishing, spoofing, extortion, and various types of Internet-enabled fraud to target the most vulnerable in our society – medical workers searching for personal protective equipment, families looking for information about stimulus checks to help pay bills, and many others.”

With many people working remotely from home or otherwise more dependent on the Internet for both business and personal needs, cyber criminals certainly took advantage of this increased Internet usage.

The IC3 received the highest number of complaints in a year, with 791,790 reported criminal acts in 2020 – with losses over $4.1 billion!

Some of the prominent attacks of 2020 were:

  • Business Email Compromise (BEC) attacks represent the most costly. 19,369 BEC attacks were reported via the Internet Crime Complaint Center, with a whopping total loss of approximately $1.8 billion. Learn more about Business Email Compromise attacks.
  • Phishing attacks are some of the most prevalent, with 241,342 complaints entered in the IC3. The losses from these phishing attacks totaled over $54 million. Learn more about phishing.
  • Ransomware continues to be a menace; there were 2,474 complaints filed through the IC3, with losses totaling over $29.1 million. Learn more about ransomware attacks.
  • Elder Fraud is still plaguing seniors; victims over 60 have encountered numerous scams because criminals believe they have more financial resources. Some of the schemes targeting seniors include tech support scams, computer or home repair scams, sweepstakes and lottery scams, romance scams, and more. Complaints from seniors on the IC3 website numbered 105,301, with total losses of over $966 million.
  • No cybersecurity discussion centered around 2020 would be complete without mention of COVID-related scams. The IC3 website received 28,500 complaints surrounding these. Internet fraudsters capitalized on people and businesses trying to get coronavirus aid and economic relief. There was also plenty of opportunity for criminals to phish for personally identifiable information (PII).

“As criminals continue to evolve their game, increasing the sophistication of their social engineering and cyber scams, the harder it can become to withstand these attacks,” said Brian Walker. “Awareness of these tactics is key to defending your home and business, especially when we’re dealing with other important matters like COVID-19.”

“Keep your staff informed of the various threats,” stressed Aaron Allen. “Cybercriminals are aware that people can be the weakest link in your network security. Don’t make it easy for them!”

“And when it comes to your actual network security and cybersecurity, layers are of utmost importance,” explained Walker. “There is no single piece of hardware or software that can block every possible threat. But layering your defenses can certainly make it harder for criminals to get in.”

Read the 2020 Internet Crime Report directly on the FBI’s Internet Crime Complaint Center.

The CJIS Security Policy Areas You Need to Be Aware Of

Knowing what your organization needs in order to maintain compliance with CJIS security standards is difficult enough, but actually putting the necessary procedures into practice is an altogether different feat.

Since it’s critical to maintain the CJIS security policy protocols and requirements to access sensitive information, understanding what exactly the Criminal Justice Information Services is and what its thirteen security policies mean for your business is essential! Let’s dive in.

What is CJIS?

Known as CJIS, the Criminal Justice Information Services division of the FBI is a high-tech intelligence hub established in 1992. Linking nearly 18,000 law enforcement agencies across the country to a massive database of crime reports, fingerprints, and other agency data, the CJIS allows law enforcement, national security, and intelligence community partners to access the information they need to protect the United States, while preserving civil liberties.

As the largest division of the FBI, the CJIS comprises several departments such as the National Crime Information Center (NCIC), Integrated Automated Fingerprint Identification System (IAFIS), and the National Instant Criminal Background Check System (NICS). Due to the ever-changing rate and sophistication of cybersecurity threats, CJIS has developed security standards for organizations to follow for utmost protection.

Which Industries Must Maintain CJIS Compliance?

Essentially, Criminal Justice Management and Law Enforcement Agencies. But others that maintain similar types of data as those agencies, and the IT providers that serve them, must adhere to CJIS compliance standards as well to make sure best security practices are being upheld for data encryption, multiple-step authentication, remote access, and wireless networks.

If your agency must ensure CJIS compliance, then it’s imperative you understand the thirteen CJIS security policy areas. Meeting these key requirements is necessary to satisfy CJIS compliance needs.

Understanding the 13 CJIS Security Policy Areas

There are thirteen policy areas which CJIS compliant organizations must be aware of and uphold. These include:

1. Information Exchange Agreements

Organizations sharing criminal justice information (CJI) with another such organization or agency must establish a formal agreement with each other to ensure that they are complying with CJIS security standards. These written agreements should document what compliance safeguards should be in place to ensure safety.

2. Security Awareness Training

All employees who have access to CJI will be required to have basic security awareness training within six months of initial assignment. Training should be conducted annually for all personnel with access to CJI information.

3. Incident Response

Organizations must have an Incident Response Plan (IRP) in place in the event of a malicious attack. This includes capabilities in order to identify, contain, analyze, and recover from a data breach or attack in a timely manner. Any incidents must be tracked and documented to be reported to the Justice Department.

4. Auditing and Accountability

Organizations must be capable of generating audit records of all systems for defined events. This includes monitoring all access to CJI, such as who is accessing it, when they are accessing it, and why the user is accessing that data. Access to files, folders, privileged mailbox accounts, login attempts, permission changes, password modifications, and similar should be monitored by administrators.

5. Access Control

Access Control is the practice of securing and managing certain users’ access to information and systems within the network. For organizations, this will look like implementing Role-Based Access Control (RBAC) and enacting other controls for Wi-Fi and Bluetooth, for example.

6. Identification and Authentication

Users must comply with CJIS authentication standards to access sensitive data. This includes using multi-factor authentication (MFA), which uses two or more factors to authenticate users. According to CJIS requirements, a maximum of five unsuccessful login attempts are allowed per user, after which their credentials will need to be reset. Passwords should be reset periodically using best security practices.

7. Configuration Management

Only authorized users are allowed to make configuration changes to systems with sensitive CJI data. This includes configuring changes to software updates, and adding or removing hardware. During any changes to configurations, all procedures must be documented and protected from unauthorized access.

8. Media Protection

Organizations with CJIS must ensure the protection and safe disposal of CJI when they are no longer in use.

9. Physical Protection

All physical locations of CJIS must have physical and personnel security controls to protect the CJI data. This may look like server rooms secured with cameras, locks, and alarms.

10. Systems and Communications Protection and Information Integrity

This policy area refers to an organization’s overall network security and related components. Pervasive perimeter security solutions must be implemented by organizations handling CJIS, such as firewalls, anti-virus software, encryption, and Intrusion Prevention Systems (IPS). All CJI must be encrypted at certain standards. For instance, organizations must use a minimum of 128-bit encryption with decryption keys that are at least 10 characters long with a combination of upper and lowercase letters, numbers, and special characters.

11. Formal Audits

All CJIS compliant organizations will be subjected to formal security audits once every three years to ensure all CJIS security measures are being followed. These audits will either be enacted by the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA).

12. Personnel Security

Organizations must provide security screenings for all employees, contractors and vendors that will have access to CJI. This includes state of residence and national fingerprint-based record checks with the Integrated Automated Fingerprint Identification System (IAFIS).

13. Mobile Devices

All mobile devices, including smartphones, laptops, or tablets with access to CJI, must adhere to an “acceptable use policy” and may be subject to additional security policies, including the pre-existing security measures for on-premise devices. For instance, this may mean there are certain restrictions regarding applications that employees can install or websites they can access with mobile devices. Or, this may look like requiring employees to use a Virtual Private Network (VPN) to ensure that all data transmissions are encrypted.

How a CJIS Data Center Can Simplify Maintaining Compliance

While ensuring CJIS compliance may seem like a difficult feat, many of these necessary policy areas can be simplified with the right tools and solutions. One of the most effective ways to ensure your organization is upholding CJIS security standards is by working with a CJIS compliant data center.

Data centers that maintain CJIS compliance are experts who understand the ins and outs of compliance policy areas. This ensures that your organization maintains the right protocols, while allowing your internal team to focus on more pressing tasks at hand instead of devoting time to compliance.

Failing to be CJIS compliant can be a critical blow to your organization or agency – as well as jeopardize sensitive information. Finding a data center you can trust can be an effective long-term solution for organizations looking to streamline their CJIS security compliance efforts without devoting the time and money to the necessary infrastructure and energy needed to follow all necessary requirements.

Turn to Thrive CJIS-Compliant Data Centers!

If you’re considering migrating your data to a CJIS-compliant data center, look no further than Thrive. Thrive is the only private disaster recovery data center contracted by the State of Florida, so you can experience peace of mind in our CJIS security solutions! We ensure strict security protocols, 99.99%+ uptime, and meet compliance requirements for CJIS, HIPAA, PCI, SOC, and more.

Learn more about the Thrive cloud difference here, or contact one of our IT experts today for a free consultation.