Cybersanitize before reopening

13 May 2020 · Business & Strategy

Business Sanitization

For health sanitization and employee protection, please see alberta.ca/bizconnect. However, it’s important to remember that cyber threats also threaten your company’s productivity and reliability.

Update and Detect

Many computers were off for a few months. As a result, most are missing patches and have outdated antivirus. If you don’t already have a comprehensive patching system in place (one that patches everything, not just Microsoft), now’s a great opportunity to get one! At the least, turn on and restart your computers before re-opening to install patches. In addition to speeding up computers, this will also help you avoid having to wait for an install on opening day!

Most ransomware today includes a time delay to wipe out old-fashioned backups on tapes or rotated external hard drives. Starting up computers will likely trigger some dormant attacks. If you don’t already have it, consider subscribing to a breach detection service to detect unusual programs that are waiting to run when computers restart or people log in.

Know the Risks

Every business is different. For this reason, we recommend customized annual vulnerability assessments to understand the business risks associated with the technical vulnerabilities that your organization faces.

Many IT providers offer free or low-cost “Network Assessments” or “Security Assessments” as a sales tool. However, these are typically automated and don’t reflect the true risks and vulnerabilities that your business faces.

Ensure that the assessment team includes experienced Certified Information Systems Auditors (CISA) and Certified Information Systems Security Professionals (CISSP). If you accept credit cards, a certified Payment Card Industry Professional (PCI-P) or Qualified PCI Security Assessor (QSA) should also be part of the team.

Your assessment should go beyond checking for breaches that your antivirus missed and vulnerabilities that could let ransomware in. A comprehensive review will also look at policies, procedures, and business continuity concerns that could threaten your business as much as — if not more than — sick staff.

Training

While employees are preparing to return to work, now’s an excellent time to provide them with security and safety training. In addition to COVID-19 sanitization procedures and mandatory Payment Card Industry (PCI) credit card security training, consider phishing and cybersecurity awareness training.

91% of successful cyber attacks on small to medium-sized businesses involve phishing, and we’ve seen phishing increase by 667% over the pandemic.

We’re including Coronavirus training as part of all of our security awareness training packages. You can request more information at threeshield.ca/training.

Credit Card Machines

Alberta’s re-opening requirements require disinfecting practices that include a log of daily cleaning. It also requires regularly cleaning and disinfecting any surfaces and equipment touched by workers and patrons.

If you already have credit card machine inspection procedures, add PIN pad sanitization to your credit card machine inspection procedures. If you’re using Lavawall procedures, you’ll receive updated procedures that include this step.

As business owners review their insurance and bank merchant agreements as part of pandemic cost-cutting, many have discovered that they haven’t covered their Payment Card Industry (PCI) obligations. In particular, many are missing PCI policies, procedures, training, and network security requirements.

Fortunately, the Lavawall service provides an easy way to cover off all of these requirements. We’re hand-delivering Lavawalls throughout Alberta and shipping elsewhere as businesses prepare to reopen. You can also request the Lavawall service at lavawall.com, which includes everything you need to meet credit card compliance requirements, including:

  • Training
  • Vulnerability and compliance scanning
  • Policies
  • Procedures
  • Network security
  • Network segmentation to reduce your requirements
  • Updates
  • Alerts
  • Monitoring

Mask and vandal-resistant cameras

Employees are going to be distracted while we re-open, and customer patterns are changing. Now’s a great time to consider your camera surveillance systems. When offices and stores were closing for the pandemic, we saw an increase in demand for AI-enabled vandal-resistant cameras that don’t require extra networking, VPNs, or recording systems. They record up to a year’s worth of footage right on the device and back it up to the cloud. These cameras reach 98% accuracy in recognizing faces of past trouble-makers and can even do things like recognize license plate numbers and types of cars. Since the computer vision AI keeps adapting and updating, we’re seeing surprisingly high success in matching people wearing masks as well!

Best of all, our clients have reported that this increased reliability, 4K resolution, and features end up saving them money compared to their previous options. Please contact us for more information.

Made in Canada

Some industries, such as healthcare, need to keep their data in Canada. The pandemic has heightened awareness for other industries to do the same. If you’re using Microsoft or Amazon cloud services, you can require your data to be stored in Canada. You can also consider hosts and other providers that are based and hosted in Canada. Some of the top systems to consider migrating include phone, camera, and firewall providers.

Working from Home

The province’s guidance encourages employees to continue to work from home when possible. One of the riskiest ways to do this is with Remote Desktop. However, as of 11 May 2020, over 66,611 computers in Canada have exposed this vulnerable protocol to the Internet – including at least 1,192 in Calgary and 864 in Edmonton!

We encourage businesses to use secure firewalls that tie into workstation antivirus. This approach can prevent computers that are infected with ransomware, aren’t properly patched, or don’t belong to the company from accessing internal resources.

Passwords & Documentation

You’ll be hiring new staff, and existing staff might forget some of your procedures. Now’s a great time to document your policies and procedures to make onboarding easier and to ensure consistent processes. If you accept credit cards, the Payment Card Industry (PCI) requires that your staff read some of your policies and procedures. These are included in Lavawall packages if you don’t have them already.

You might be tempted to put passwords in your documentation. A much safer option is to use a password manager like LastPass.

In addition to remembering passwords, a good password manager will:

  • tell you if your account was part of a breach (like those that exposed passwords of LinkedIn users, for example),
  • allow you to automatically change passwords if needed,
  • provide an easy way to generate passwords, and
  • let you know if you’ve reused the same password.

The easiest way to break into a company’s computer systems is to try reused passwords from 3rd-party breaches. A password manager makes life easier for employees and prevents passwords from being reused.

LastPass has some neat business features that let employees keep their personal passwords in a free personal account, which can be linked to the business account. This way, the company doesn’t have any access to anything personal, can share and revoke business passwords easily, and allows employees to retain their personal stuff if they leave.

Business Continuity

Ten years ago, we talked about backups. Those old-fashioned external hard drives, tapes, DVD writers, and file share copies were great when we were protecting against a hard drive crash. However, with time-delayed ransomeware, we often see whole sets of rotated external hard drives infected. Inexpensive on-site copies and backups through systems like Veeam or Windows backup also tend to get encrypted along with the ransomware. Our businesses can no longer tolerate day- or week-long outages while people scramble to replace and restore servers.

The modern approach to business calls for business continuity. This is all the more important at a time when employees are distracted and likely to accidentally click on a phishing email or forget to restart their computer to apply a critical security patch. We recommend using devices that duplicate servers — and even critical workstations — every hour then copy the backups to redundant data centres in Calgary and Toronto. This way, your backups are protected if everything gets compromised or a flood fries your systems.

The other benefit is that the device in your office or the remote copies can spin up and instantly replace a damaged or inaccessible computer. Outages go from days to seconds!

When’s the last time you tested your backups? This is a key security practice that many businesses neglect. A backup that doesn’t work is useless! We recommend spinning up those backups every hour and testing to make sure that everything works. This technique has caught problems before they affect the real server. For example, Sage50 updates in 2020 prevented some servers from booting. We found this problem before scheduled reboots and kept businesses running. Our real-time tests also detect data changes so if ransomware manages to sneak past your advanced antivirus and breach detection (which we haven’t experienced yet with our current tools, but always want to be prepared), then we can catch the ransomware, remove it, and restore a couple compromised files instead of waiting for the whole company to get infected. Testing and monitoring are the most critical parts of business continuity.

Securing Cloud Applications

If you migrated your email to Office365 (now Microsoft 365) or G Suite, congratulations! Properly configured cloud applications tend to be more secure than systems that small to medium-sized businesses try to maintain themselves. However, if you haven’t set up multi-factor authentication (something more than a password to log in) and the other requirements, your account might be compromised already. Make multi-factor authentication a priority. Here are links to set up the most popular services: