Author Archives: Thrive

Understand the Risk of Unpatched Equipment

If you have read Thrive’s blog or other security blogs, you probably have come across patching. Everyone preaches patching. You should know where all your machines are, and you should patch these machines often. Also don’t forget routers, switches, firewalls and other appliances in your network.

I absolutely believe you need to patch all this equipment, and you should have a process and schedule for doing it. While it might look daunting, having a plan does make it a little easier, but not everything can be patched. Yes, I said that. While you should patch everything, for business reasons not everything can be patched. It might be that your mission-critical application is running on outdated software or equipment, or patching causes something else to break. Whatever the reason, I’m sure there is some equipment somewhere that you can’t patch. That is where understanding the risk that unpatched equipment poses to your organization is critical.

If you have a public website running on a Windows server that can no longer be patched and it is the repository of your client data, that data is at an extremely high risk, meaning you need to be prepared to have that client data stolen. Not only should management understand that there is a high risk of this happening, they should be working on a solution. If you have an old internal webserver that is only accessible to the marketing department, your risk is considerably lower; but if that marketing server also contains PII (Personally Identifiable Information), then your risk increases.

Understanding the risk your company faces is critical to keeping your business safe and out of the news.

If you want to learn more or need help securing your systems, please contact Thrive.

Thrive Recognized on CRN’s 2020 MSP500 List


FOXBOROUGH, MA, March 3, 2020 – Thrive, a premier provider of NextGen Managed Services, proudly announced today that CRN, a brand of The Channel Company, has named Thrive to its 2020 Managed Service Provider (MSP) 500 list in the Security 100 category. This marks the fourth consecutive year that Thrive has been named to the MSP 500.

This popular list identifies North American solution providers that deliver operational efficiencies, IT system improvements, and a higher rate of return on investments for their customers. These accomplished MSPs work tirelessly to guide their customers and create solutions for complex IT issues. This annual list is divided into three categories: the MSP Pioneer 250 who are focused primarily on the SMB market; the MSP Elite 150, large data center-focused on- and off-premises, and the Managed Security 100 made up of off-premises-focused, cloud-based IT security services.

Thrive made strides in the MSP space in 2019, most significantly marked by the expansion of our offices and data centers from the Northeast into the Mid-Atlantic. The consultative approach that Thrive takes with each client means delivering unique and comprehensive NextGen solutions that keep businesses operating at peak efficiency while remaining secure.

“MSPs are the critical bridge for customers looking to assess, implement and migrate their IT and cloud solutions to drive efficiencies, lower costs and secure your environment,” said Bob Skelley, CEO of the Channel Company. “On behalf of our team at The Channel Company, I want to congratulate the accomplished companies on CRN’s 2020 MSP 500 list and thank them for their commitment to finding innovative solutions that move the IT channel forward.”

“We’re proud that CRN continues to recognize our services. The demand for NextGen Cloud and security continues to grow rapidly and we’re well equipped with the highest levels of security, technical expertise and industry leading customer service for our clients,” stated Rob Stephenson, Thrive CEO.

The MSP500 list is featured in the February 2020 issue of CRN and online at www.crn.com/msp500.

About Thrive

Thrive is a leading provider of NextGen managed services designed to drive business outcomes through application enablement and optimization. The company’s Thrive5 Methodology utilizes a unique combination of its Application Performance Platform and strategic services to ensure each business application takes advantage of technology that enables peak performance, scale, and the highest level of security. For more information, visit thrivenextgen.com


MEDIA CONTACT:

Stephanie Farrell – Director of Corporate Marketing

774.276.1521 | sfarrell@thrivenextgen.com

Channel Partner Program and Approach

John Holland, Chief Revenue Officer, and Erik Young, Vice President of Channel Sales, sit down to recap Thrive’s Channel performance in 2019 and introduce strategies for working in the Channel in 2020. Thrive’s key mission when working in the Channel is to enable our partners to become the trusted technology advisor their clients are looking for.

To learn more about our Channel Partner Program, email channelteam@thrivenextgen.com.

Disaster Recovery and Business Continuity: Defined

At some point in time, everything will fail. Simply acknowledging the possibility of a failure is never going to be enough. The real winners are the ones that have not only acknowledged the most remote possibility of a failure, but have set up a plan to address such a failure. This is the plan that eventually will help run businesses when everything else has failed. In the world of Information Technology, a failure of systems that incapacitates a business or leads to massive financial loss, because those systems can no longer perform revenue-generating or revenue-affecting functions, is termed a Disaster. The plan to address these scenarios is called the Disaster Recovery and Business Continuity Plan.

Every IT organization’s goal is ultimately to design an architecture that “never fails” or can gracefully respond to any failure. Many organizations often confuse or misuse three core IT Disaster Recovery concepts:

  1. HA = High Availability
  2. FT = Fault Tolerant
  3. DR = Disaster Recovery

The concept of HA means that you have more than one system available for a business-critical application, either in an active-active configuration, where both systems are utilized during normal business operations, or in an active-passive configuration, where only one of the two systems is available for use during normal business operations. In both configurations the key is to design each system such that it can function by itself, even if the other system or its “mirror” is not available. With such an architecture you would think that you have planned for a disaster, yes? No… you have planned for an outage that is not expected to last an extended period. Disasters are typically defined as instances in time when systems are not expected to be available for an extended period. This is when you plan to run your business-critical applications from a pre-built and sometimes highly available “stand-by” platform that offers the same level of service and enables business continuity.

FT systems are usually classified as a component of HA designs, meaning that you have a separate system that is fully configured and available to be used in the event that the primary system goes down for any reason whatsoever. It is key to remember that your architecture for HA, FT and DR needs to be indifferent to the reason for the failure.

DR strategies are agnostic to the actual reason for the failure; they are designed to take over service. The reason they are being used cannot be a factor in a decision to activate the DR service components.

DR is a component of IT, but BCP (Business Continuity Planning) is the umbrella over the three pillars of governing a business through disruptive events: people, processes and technology. You may have the greatest IT plans to activate in a disaster situation, but the plan is useless if you have not planned for how people and processes will be governed to continue running the business in the event of disasters. In the simplest sense, you can think about how your staff will connect to these systems if they are not able to come to their actual work location and need to work from home or operate remotely. If organizations don’t plan their people and processes around DR, they should expect a bit of chaos from their users and, as a result, lost productivity. Declaring a disaster is stressful enough; make sure your DR plan is complete and thorough.

Protect your business from possible failure. Thrive has a team of Subject Matter Experts with expertise in the areas of Disaster Recovery as a Service (DRaaS), Cloud (Public/Private), Cyber Security, and Compliance.

To solidify your Disaster Recovery and Business Continuity Planning, CONTACT US today!

Embracing the Public Cloud: If Not Now, When?

As we start the new decade it may seem surprising that some business leaders are still reluctant to embrace the public Cloud. For years they’ve been hearing about public Cloud data breaches and compliance nightmares. Others feel trapped by legacy systems or a corporate culture fearful of new technology. These are all valid concerns that warrant careful consideration and discussion among key decision makers. However, since Salesforce launched the modern Cloud era in 1999, Cloud technology has evolved to solve those concerns.

First and most importantly, Cloud data security has far surpassed the capabilities of legacy on-premise systems. Still, many organizations believe a “security by obscurity” philosophy outweighs the security benefits inherent in the public Cloud. In a fully connected world where data is its most valuable commodity, simply reducing the number of pathways to the data is no longer a sound security posture. Your data will be attacked by cybercriminals no matter where it is stored. However, public Cloud providers have the capability and resources to use AI to learn from and adapt to each attack. Furthermore, once data is in the Cloud, metadata categorization can be used for additional security and DLP (data loss prevention) measures.

Nonetheless, securing your data whether it be on-premise or in the Cloud is ultimately your responsibility. The same is true of any compliance or regulatory requirements. If you think of the public Cloud as an apartment building, the Cloud provider’s job is to secure the main entrances, and they do that very well. However, if a tenant leaves their apartment door wide open, is it the fault of the building owner that something was stolen? This is why it’s so important to use a trusted and experienced partner like Thrive to make a move to the public Cloud both successful and secure.

If you are still reluctant to embrace the public Cloud, consider these points:

Still have doubts? Speak with one of Thrive’s Cloud experts to take the first step towards public Cloud migration today.

5 Unique Cybersecurity Challenges Hedge Funds and Private Equity Firms Will Face in 2020

Firms in the alternative investment space have long confronted distinctive security challenges. After all, if you’ve successfully earned the trust of high-net-worth individuals and institutional investors, someone who breaches your IT environment will gain access to treasure troves of sensitive data and information about significant pools of capital—exactly what it takes to attract the eye of criminals seeking the quickest path to financial gain.

It’s no surprise that, according to Boston Consulting Group, financial services firms are 300 times more likely to be targeted in cyberattacks than companies in other industries, and those attacks are more costly to their victims than attacks in any other sector.

As we embark upon a new year and the start of a new decade, wealth managers face a critical imperative: they must adopt a strategic, risk management-based approach to the cybersecurity threats they now face. As attackers continue to grow more resourceful and sophisticated, this is the only way to protect a firm’s investors—and with them, its reputation.

Here are five key cybersecurity trends we’re seeing in the financial services sector today, and what they mean for the year to come:

#1: Phishing attempts are better targeted, succeed more often, and are more lucrative when they do.

Phishing attacks, which played a role in nearly a third of the data breaches that occurred last year, continue to generate increasing amounts of revenue for criminals. Global exposed losses due to this type of activity increased by 136% between December 2016 and May 2019 according to FBI reports.

Email impersonation attempts are more convincing and better targeted, and they remain difficult for today’s email security gateways to detect. Some criminals take over legitimate email accounts to exploit friends and business associates of their victims, while others send individual messages that are so carefully crafted that it’s near-impossible to distinguish them from legitimate communications.

#2: Criminals are getting up close and personal with their targets

As criminal organizations increasingly turn to automated tools to scan social media platforms and the wider Internet for personal information about potential victims, they’re getting better and better at socially engineering attacks. If, for instance, the son of one of your firm’s leading employees posts a series of family vacation photos on Instagram, criminals can now readily deduce that your employee is away from the office—and use that information to guide the timing of a spear phishing attempt.

Not only should financial services firms be mindful of the information about the company that their employees are making publicly available on social media, but they should exercise care in revealing information about their personal lives that could be exploited in a cyberattack. An executive or well-reputed employee known to be in the hedge fund or private equity sector makes an exceptionally attractive target.

#3: Nation-state level attacks are increasing in prevalence.

Not only have state-sponsored cyberattacks become more sophisticated, but they’re now targeting an increasing number of verticals. No longer motivated solely by the aim of gaining military or competitive intelligence, nation-state level attackers are now also seeking to disrupt business operations by targeting critical infrastructures, essential technologies, and the financial sector.

Because they’re well-resourced and highly professional, these attackers will easily be able to evade the majority of security controls in your environment. And because they operate at all times of day and night—or whenever their research shows they’re most likely to be successful—24/7 monitoring is now a must-have. Building a round-the-clock security operations center (SOC)—or engaging with a managed service provider with SOC capabilities—so that you can develop rapid incident response capabilities is essential for reducing your risks in this threat landscape.

#4: Attackers are sharing and selling information more regularly.

Because the Dark Web isn’t indexed by standard search engines, and because its content is encrypted, it’s challenging to determine the exact volume of activity, whether legal or illicit, that takes place there. Nonetheless, marketplaces for stolen personal and financial data have proliferated since cryptocurrencies such as Bitcoin have come into more widespread use in the past few years. It’s easier, too, for would-be cybercriminals to purchase exploit kits so that they can launch ransomware attacks even if they don’t have enough technical know-how to develop their own malicious software.

As cybercriminals have become more willing and able to exchange information about potential victims and systems’ vulnerabilities, it is incumbent upon all of us to take a more collaborative approach to building our defenses. This includes sharing threat intelligence. It’s particularly valuable for smaller hedge funds and private equity firms to keep track of the types of attacks that major banks and larger firms are seeing, since similar tactics may be used against them in the near future.

#5: Regulatory bodies are driving stricter controls, while investors demand more transparency.

The global regulatory landscape is growing in complexity, and firms are expected to deploy more sophisticated security controls, to better document procedures, and provide more detailed and granular reporting. For hedge funds and private equity firms, this means that what was once the sole responsibility of the IT department has become a priority for legal and financial decision-makers as well. Accordingly, cybersecurity concerns are being given more attention and better funding.

Investors are increasingly likely to scrutinize funds’ security practices closely when making final decisions about where to invest. Not only can a breach result in immediate losses, but it can damage a firm’s reputation to the extent that its portfolio value will be diminished.

Want to learn more about how to develop cyber resilience and a solid risk management strategy for your hedge fund or private equity firm? Contact us for more details about our cybersecurity solutions and services.

Is Old Man Winter Part of Your Disaster Recovery Plan?

So far in 2020:

In Canada, Newfoundland was hit with a huge blizzard that produced 75 centimeters of snow in a single day with wind gusts of up to 150 kilometers an hour, knocking out power, unleashing an avalanche, and burying the Avalon and Bonavista peninsulas in deep snow. The storm caused a state of emergency and even the military has been called in to help dig residents out.

Meanwhile, the northeast US was hit with a huge storm including snow, rain, and then more snow, and left cities like Boston slick with ice.

Across the globe we’ve seen powerful winter snow, rain and windstorms in Spain, causing civilian evacuations to escape heavy flooding of the coastal towns. Unfortunately, there’s no such escape possible for brick and mortar businesses. Crippling bushfires, ash rain, and flash floods have devastated huge swaths of land in Australia, destroying wilderness and towns alike. As if that wasn’t bad enough, the Australian winds produced dust storms and thunderstorms across central New South Wales, producing conditions and lightning that sparked even more bush fires in a self-perpetuating firestorm catastrophe.

It’s probably no surprise that these extreme and increasingly common weather conditions can make equipment maintenance more difficult, and power outages even more likely. The latest storms are winter’s friendly reminder, whether your region is facing record snowfall, or just one bad storm, that your organization’s disaster recovery plan needs to be ready.

Preparing for Winter Disaster Recovery

As natural disasters continue to grow in scale, longevity, and geographic footprint, companies of all sizes and all locations need to prepare for the chance of a weather-related natural disaster by turning to cloud for disaster recovery. Cloud disaster recovery provides geographical diversity along with quick recovery times to keep your company running reliably. If a winter disaster like a blizzard or flood strikes your main data center, your cloud resources will escape its effects.

Disaster Recovery as a Service (DRaaS) enables your company to replicate data and deploy a backup environment without needing to construct a second physical data center. Continuous data protection ensures that your production site and DR site are in sync, allowing you to meet Recovery Point Objectives (RPO). DRaaS also allows for full recovery in the cloud in just minutes, giving your organization the Recovery Time Objective (RTO) that you need for true business continuity.

Your Winter Disaster Recovery Plan should include:

  • Identifying mission-critical business applications and data. These are services at the top of your recovery priority list when something goes wrong. Identifying the key services and applications you must get back online, the order of their recovery, and the process of recovery helps to ensure that your business can continue doing business with minimum downtime.
  • Testing processes and equipment, even if you’ve never had downtime. This includes testing communications processes in a DR scenario and the ability to access sites and systems through remote access. It also means including equipment testing as a part of your regular maintenance checks, which should cover physical on-site equipment such as generators. Work with your service providers to make sure that they’re doing the same.
  • Being transparent with staff, even if they aren’t critical to your winter disaster recovery plan and protocol. When employees across all departments know exactly what to do when systems go down, you’ll be able to get back up and running as quickly – and efficiently – as possible.

Need more help with preparing your winter disaster recovery plan? Read our Backup and Recovery Plan blog article!

Winter-proof Your Business – Thrive Can Help!

After a natural disaster, you can feel confident that you are making decisions based on accurate, complete, and current data with Thrive’s services. Before Old Man Winter starts knocking the power out with blizzards, floods, ice storms, hurricanes, and other nasty winter hijinks, be sure to bring your disaster recovery plan up to date with the help of your Thrive experts. Contact us to learn more about the Old Man Winter Disaster Recovery Plan.

There is a wide range of options available to IT teams in choosing a backup strategy and system for their organization. At Thrive, we work to keep your environment protected and accessible. Our goal is to keep your organization open for business despite whatever adverse events come your way.

Thrive’s solutions and responsive support enable your in-house IT team to minimize disruptions and ensure smooth operations and business continuity, even in the face of Old Man Winter.

We make sure that your data and IT systems are available and ready to resume operations so that you can continue to provide uninterrupted service to your customers no matter what the weather brings. Contact us to learn more.

Overlooked End-User Security Training

Chip Gibbons, cybersecurity expert, details elements he finds that organizations overlook in their security platform.

FDIC & OCC issue Cyber Threat Warning to Financial Institutions

FDIC & OCC cite their top six controls for risk management. Does your firm have these in place?

The Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) issued an interagency cyber threat warning, citing a “heightened risk” to financial institutions amid increased geopolitical tension. Financial firms should re-evaluate the adequacy of safeguards to protect against a cyber security risk and focus on risk management principles that can reduce the chance of a cyber-attack as well as minimize business disruptions.

No matter how sophisticated the security solution, it is unreasonable to expect it to reduce the risk of a cyber threat to zero. However, security solutions combined with proper cyber hygiene can greatly limit exposure. Additionally, firms must also focus on risk management controls including detection and response. It is not enough to just have an incident response plan; firms should perform full incident response simulation training and crisis management. This immersive simulation training will identify cracks in your cyber preparedness.

The FDIC & OCC joint statement stressed the importance of the following key controls for Risk Management.

  1. Response, resilience and recovery capabilities by (i) maintaining comprehensive resilience plans in order to respond and recover successfully from destructive cyber-attacks and (ii) establishing comprehensive system and data backup strategies;
  2. Identity and access management to prevent phishing attacks that could compromise login credentials;
  3. Network configuration and system hardening that (i) only provides access to approved ports, protocols and other services and (ii) is continually monitored;
  4. Employee training on recognizing cyber threats, phishing and suspicious links, in addition to measuring the success of the training programs;
  5. Security tools and monitoring procedures, such as (i) hiring qualified cyber security staff, (ii) reviewing system and network audit logs and (iii) implementing sufficient internal and external testing programs to assess the firm’s ability to detect cyber threats; and
  6. Data protection systems to implement (i) a data classification program and (ii) encryption and tokenization of confidential data.

Thrive has the resources to ensure that your firm adheres to the FDIC & OCC guidelines. Secure your sensitive data by contacting Thrive’s expert team of cyber security engineers today.