Small Businesses: Does the CCPA Affect You?

The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. This law deals with the right of consumers to know or even control how their personal information is used by organizations. For businesses that collect such information from consumers, this represents new burdens.

Do I Have to Comply with CCPA?

The CCPA comes with certain thresholds that may exclude some small or medium businesses from its compliance requirements. What are these thresholds? You’re on the hook for compliance if you:

  • Are a for-profit business operating in California
  • Collect personal information from consumers
  • Exceed one or more of the following:
    • Buy, receive, sell or share the personal data of 50,000 or more devices, consumers, or households
    • Have gross annual revenues of over $25 million
    • Derive 50% or more of total annual revenue from the sale of California residents’ personal data

I Don’t Meet the Thresholds, So Why Should I Worry About CCPA?

The CCPA is the most extensive privacy law ever passed in the US. Other states are taking a page from California’s book and are considering or have already passed similar legislation. Plus, the possibility of having different standards instituted across multiple states could result in the enactment of a privacy law at the federal level. So even if the CCPA does not currently affect you, it will eventually.

Looking at the legislative climate, given the CCPA and likelihood of more laws like it coming soon, it’s clear that there is an increasing recognition of the need for businesses to handle consumer data responsibly, for consumers to have the right to determine how that data can be used, and for businesses to protect consumer data against theft or loss.

What is “Reasonable Security”?

Part of the CCPA revolves around an organization’s responsibility to protect consumer data against theft or loss, such as through a data breach. If a business fails to implement reasonable security measures and a breach results, it may be liable for penalties of $100-$750 per consumer per incident, or even higher. What would count as “reasonable security” measures? The CCPA does not specify, but some legal experts refer to the state attorney general’s words in the California 2016 Data Breach Report:

“The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

The CIS Controls comprise a set of 20 broad categories of action, each of which contains subcontrols in the form of specific tools and practices. Which subcontrols apply varies with the sensitivity of the data you’re protecting, the size of your organization, and the extent of your IT resources. Together, these controls form a defense strategy against breaches and cyberattacks.

We recommend that companies of all sizes take a look at the CIS Controls—especially if you’re at or near a threshold for CCPA compliance. At FIT Solutions, we use CIS Controls and other security frameworks, like NIST, to follow best cybersecurity practices for our clients. Contact us or call 888-339-5694 for help in strengthening your organization’s defenses.

Is Your MSP Proactive or Reactive? The Role of a Technology Business Plan

Here at FIT Solutions, we pride ourselves on the way our teams don’t just fix problems; they deliver additional business value for our clients. That means applying technology to improve operations, reduce costs, boost efficiency and productivity, and protect and enhance security. Let’s take a look at one of the primary ways we accomplish that: a regularly updated Technology Business Plan (or TBP, as we call it).

When you engage with us, we send one of our senior engineers onsite to take a holistic look at your facility and IT operations. A team of engineers assigned to you then delivers a set of recommendations. It is essentially a gap analysis between your current IT environment and prevailing best practices for an organization of your purpose, scope and size.

This is NOT a one-and-done exercise. The TBP is a living document, geared to a timeframe of up to 24 months, that is regularly updated to chart your progress. It’s a stepwise, realistic approach geared to budgetary realities and your own appetite for change and improvement. Many of the recommendations don’t cost anything.

While the recommendations are geared specifically to your organization, the TBP addresses four general areas.

Environment Enhancements

A great many IT environments have been built piecemeal over the years with a mix of workstations, Wi-Fi access points and various makes of networking hardware. We look for opportunities to consolidate and standardize, replace outdated equipment, and create common configurations that will make the entire environment easier to maintain and lower the cost of operations. We also address opportunities to cut costs and increase efficiency by switching Internet providers or swapping out telephone systems; bringing in management solutions for administering printers, computers, or mobile devices; making better use of existing software; or acquiring new solutions. Employees and staffing fall under this category as well, such as employee onboarding practices and user training.

Network Security

Many of the most valuable recommendations in this area are free, because they revolve around password-policy shortfalls such as password reuse, allowing short or weak passwords, not mandating regular changes, or instances where entire staff shares the same set of login credentials. Relatively low-cost security enhancements include cleaning out unused accounts and properly setting privileges. Additional security technologies such as multi-factor authentication, single sign-on, spam filtering and other email security measures, encryption or ransomware defense might be called for, depending on use patterns and your degree of susceptibility and exposure.

Licensing, Renewals, and Compliance

Here we address hardware and software that is reaching end-of-life or going out of warranty, calling for replacement, refresh or upgrade as your budget allows. Legal matters such as email retention policies and your posture with respect to compliance and other regulations fall under this category as well, and might include our recommendations or referrals to third-party experts we have worked with.

Disaster Recovery and Business Continuity

This includes your backup and retention procedures and policies, and ability to restore if necessary. In addition, we consider shortfalls unique to your environment, such as whether you have remote users with critical files that need to be backed up, or whether you might be better served with a solution that enforces file storage on a network repository rather than individual workstations. We also consider your ability to work through a power outage or loss of Internet connectivity, and whether you need to have contingency solutions in place.

In this time of uncertainty and business upheaval, many are seeing a stark contrast between proactive and reactive managed service partners. Clients prefer proactivity. In our experience, clients appreciate these regularly updated technology business plans, especially if their experience with a previous IT service provider was more of a reactive, break-fix service than a proactive partner. Our clients use these reports to plan ahead, budget for essential improvements, and solve problems before they happen. Does this approach to IT services appeal to you? Give us a call at 888-339-5694.

How to Quickly — and Securely — Enable Work-From-Home

In response to current events, your business may be faced with the challenge of quickly putting a work-from-home program in place for your employees. Here’s the hard part: those employees will be largely on their own, with varying degrees of technical knowledge, connecting from their own home networks and accessing corporate data and resources. You need not only to get them connected, but equip them to work productively, with ample security in place so you don’t put your organization at unnecessary risk.

Considering the Alternatives

The best-practices approach — under normal circumstances — is to distribute preconfigured corporate-owned laptops. Aside from the expense, time might be the bigger issue in our current situation as businesses everywhere are rushing to equip remote workforces. Currently, the time from order to delivery of new laptops is around 15-30 days, for some suppliers.

A tempting short-term fix is to allow employees to connect to corporate resources directly using their own personal home computers, laptops, or tablets. However, this exposes corporate assets to a wide variety of risks that are outside of your control. These risks include outdated or insufficient endpoint protection, access of confidential data by others in employee households, and rogue devices on a poorly secured home network — among other threats.

The Right Technology, Right Now: Virtual Desktop Infrastructure

Virtual Desktop Infrastructure (VDI) is a widely used remote access approach with many advantages. With VDI, employees use their personal devices to access a virtual desktop — a computer that they control remotely. They view the screen, and control it via mouse or keyboard. The approach is much less expensive than provisioning and distributing laptops, and far more secure than a direct connection. With VDI, business owners can:

  • Provision remote access for tens or hundreds of users cost-effectively with a cloud-hosted solution
  • Allow secure access by a wide range of employees’ personal devices, from home PCs to laptops and tablets to smartphones
  • Tightly control access by combining standard login credentials with multi-factor authentication (MFA) to guard against weak or compromised passwords
  • Keep corporate data off of personal or public networks — the corporate data only appears superficially onscreen, and never actually enters or is stored on the user’s personal device
  • Provide a familiar environment and business access — the virtual desktop can be configured to look and behave exactly like an office-based system, with access to all corporate applications and data stores, productivity, email and collaboration software

At FIT Solutions, we can quickly set up a VDI for your employee remote access. It is housed in our data center in a private cloud, with all essential security measures provided. We connect the virtual desktops to any applications or data you need, whether those are in another public or private cloud, or in your own data center with access protected through a secure point-to-point VPN.

Have questions? We have the answers. For more information or to get started right away, give us a call at 888-339-5694. We’re also offering a free Remote Workforce Readiness assessment, which you can find here.

Changing Your IT Services Provider: 5 Tips for a Smoother Switch

Let’s face it: You probably rely on your IT services provider a lot. And if there’s a substantial amount of knowledge locked up with your provider, it feels easier to stay the course — even if you know you’re outgrowing their ability to deliver the support and services you need.

With a little pre-planning, you can switch providers with confidence that you won’t lose access to critical systems and suffer the lack of business continuity that comes with it. There’s no reason to let fear of the unknown keep you from making a transition that you know will be better in the long run for the growth and prosperity of your business.

Why Switch?

A reluctance to make a change is understandable, but also unfortunate because there are many legitimate reasons for making a switch. You might feel that you’ve outgrown your current provider, or are frustrated because the level of responsiveness or quality of IT support isn’t what it could be. But in our experience, the #1 reason for switching IT providers is that the provider failed to provide proactive consulting and business planning. A true IT services partner shouldn’t just be content to keep your systems running—they should endeavor to use IT to grow your business, and make it more efficient and profitable.

Transition Tips

Preparing to switch IT providers involves taking a thorough inventory of your IT environment to make sure that the switch won’t leave you without access to systems that are critical for business operations. Especially if you’ve been with the current provider for a while, key pieces of information or infrastructure might be in their hands rather than yours, and that’s a problem. Here are five areas to check:

  1. Administrative control. Look at network equipment, servers, and applications — whether on-premises or in the cloud — and make sure you have the current logins and passwords. Verify you have the right credentials by logging in, and ensure that those accounts give you full administrative control.
  2. Ownership of equipment. Are your data and applications on servers that are leased or owned by the outgoing provider? Similarly, who owns the firewalls, switches and other networking equipment? If you don’t have ownership of the infrastructure and licenses, you’ll need to anticipate the costs of a buyout or transfer, or of purchasing new equipment.
  3. Internet service provider, telephony and other connectivity. Are the service contracts with you, or the outgoing IT provider? Don’t overlook the registration of your domain name and control of the DNS records.
  4. Software licenses. Who holds the software licenses for Office 365 and any line of business applications your team uses?
  5. Continuity planning. Before you pull the switch, consider plans for how you’ll keep your business running through the change. The incoming provider can help, but changing IT providers is more complex than simply turning over the keys to someone new. You’ll need a well-thought-out project plan—especially if the change involves moving to new applications or other infrastructure changes.

Avoiding Lock-In

It’s an unfortunate fact of life in our industry that service providers sometimes put themselves in a position where they own infrastructure or licenses, or keep administrative credentials to themselves. The more dependent you are on them, the easier it is for them to hold onto your business even after you’ve outgrown their service. But if you’re thinking about changing providers now, or can see a need to change at some point in the not-so-distant future, it’s time to start making sure you have the keys to your own kingdom.

At FIT Solutions, we share the administrative logins and full network documentation with our customers, using a third-party service to ensure full transparency. We also have a thorough and documented onboarding process to ensure the change goes smoothly. If you’ve outgrown your current IT provider, we’d love to start a conversation. Call us at 888-339-5694.

5 Practical Tips for Year-End IT Budgeting and Procurement

As year-end approaches, many of our customers take a critical look at their budget and budget-planning processes. That can involve 1) looking at the current year’s budget for opportunities to make potential procurements in order to get those expenses in before the year-end, as well as 2) setting the budget for the coming year.

Here are a few things to consider as you set priorities for new investments and upgrades. Don’t overlook changes that can lower your operating costs.

Items for Consideration

  1. License renewals. This is perhaps the most crucial item, since if you allow licenses to lapse, you lose the use of critical software and systems. License considerations are especially important this year, with Windows 7 end-of-life coming January 14, 2020. We covered this topic in an earlier post, especially the compliance implications. Include Windows 10 upgrades in your budgeting plans. Look at the age of your Windows 7-licensed workstations, and decide whether it makes more economic sense to replace them entirely with new Windows 10-licensed systems.
  2. Aging equipment. There’s a tendency to wait until something fails before you replace it. But if a system is near or past the end of the warranty period, it might be better to replace it proactively and avoid the costs and inconveniences of downtime while you wait for replacement of a broken machine.
  3. Network refresh. Take a closer look at your networking equipment, such as switches, routers and wireless access points. If they’re older, possible failure is a concern, but you also need to determine whether they can keep up with current network standards and expectations. Would a faster or more-capable switch improve performance or manageability? Would upgrading your older wireless access points or adding new ones improve network coverage or get rid of dead spots?
  4. Security. You can never be too secure, but there are a few additions that will improve your security posture immensely. One is free: enforcing a password policy that requires strong, regularly changed passwords. Another that is inexpensive or free is implementing multi-factor authentication (MFA) anytime a user logs on for the first time, or from a different machine or remote location. There are third-party solutions, or you can use the MFA capability built into Office 365.
  5. Service providers. Take a look at your monthly fees paid to service providers, and consider whether a different solution could give you a lower price, better performance, or new features. Feature-rich voice-over-IP systems have much to recommend them over traditional telephone services, and are generally less expensive. The same is true of replacing an older Internet connection with a vendor who delivers over fiber. If you have a large number of printers, there are printer management services that can save you money on consumables by controlling the use of color toner and ink, and curbing unnecessary printing.

Planning Proactively

At FIT Solutions, we help our clients look at the big picture of their technology, project future needs and plan proactively. One of the services we offer is the development of a Technology Business Plan that considers many of the areas above and more. It includes a Technology Infrastructure Roadmap that looks at short-, near- and long-term needs on a quarter-by-quarter basis so that you can budget effectively, accurately and proactively.

This holistic view will guide you to a more stable infrastructure, tighter security and increased performance while serving as a guideline for prioritizing and decision-making. If you’d like to get started, call us at (888) 339-5694.

Outlook Security: Why You Should Deploy MFA for Office 365

Multi-factor authentication, or MFA (sometimes known as two-factor authentication, or 2FA), is recommended whenever basic usernames and passwords aren’t enough for protecting sensitive logins.

If you’ve ever been asked to confirm your identity by entering a code sent to your phone, you’ve used MFA. The method is widely used for online banking accounts, to bolster security when employees remotely access corporate sites, and to help satisfy HIPAA requirements. More and more, though, we’re advising its use to protect all access to Office 365.

We’re making this recommendation because of the experiences of some of our newer clients. It’s a sad fact that organizations often discover they need our security services only after they’ve been victimized. Several have turned to us after making tens of thousands of dollars in payments that were never received, because the money was sent to fraudulent bank accounts. That’s when they called us in to untangle what happened.

Who’s Reading My Emails?

We’ve found a new breed of criminals who specialize in hijacking email accounts. They’re very sophisticated, expert in covering their tracks, and victims are none the wiser — until it’s too late and the money’s gone.

It all starts with compromised login credentials that criminals use to gain access to one or more individuals’ email accounts. The perpetrator either tricks the individual into giving up the credentials with a phishing email, or simply purchases lists of stolen login credentials on the dark web. Once access is obtained, the criminal lurks and learns, watches and waits. The goal is to find out who moves the money and how. Who are the approvers? Who gives the instructions? Who executes the transactions?

Or Worse, Who’s Sending My Emails?

Less sophisticated criminals would be content to send a bogus invoice. This new sort is looking for legitimate transactions conducted in the normal course of business. They intercept those transactions by issuing instructions to send the money to different accounts, masquerading as the authorized worker. They’re sending these emails from the actual mailboxes, complete with signatures, so the communications look legitimate. Of course, because these are sent using the real email accounts, the compromised users would see the bogus messages in their outbox, or the inbox would contain replies to messages they never sent. To avoid detection, the criminal sets rules in the Outlook account to immediately delete the bogus messages based on the subject line.

Here’s an example of a sophisticated criminal attack; this happened to an engineering firm with about 20 employees. The criminal had the email credentials for the employee responsible for payroll, and also knew, from reading the emails, who the firm’s third-party payroll provider was. Trying the employee’s email credentials on the payroll account revealed that the employee used the same password in both places. Now it was simple to log in to the payroll provider and re-route all the direct deposits to accounts the criminal controlled. An entire month’s payroll was lost before the theft was discovered.

Detection and Prevention

There are two approaches to dealing with these kinds of attacks. One is detection, through SOC monitoring. SOC monitoring issues alerts for suspicious email access, such as a user accessing from a different location or device, or a user simultaneously logged in from two locations or devices. Either of these is an indicator of unauthorized access of an email account.
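The two sign-in indicators named above (a user appearing from a new location or device, and a user active from two places at once) and the subject-based delete rule described in the previous section can all be checked mechanically. The script below is an added example, not FIT Solutions’ or SOCBOX’s code: it runs the three checks over a handful of constructed sign-in events and mailbox-rule records. The record shapes and field names are assumptions, loosely modelled on what an Office 365 sign-in export and an inbox-rule listing provide; a real deployment would feed it actual audit data.

```python
"""Three detection checks for compromised-mailbox indicators (added example).
All sample data below is constructed; the field layout is an assumption."""
from datetime import datetime, timedelta

# Constructed sign-in events: (user, ISO timestamp, location, device)
SIGNINS = [
    ("alice@example.com", "2020-03-02T08:01:00", "San Diego, US", "LAPTOP-01"),
    ("alice@example.com", "2020-03-02T08:20:00", "San Diego, US", "LAPTOP-01"),
    ("alice@example.com", "2020-03-02T08:35:00", "Lagos, NG", "Unknown-Browser"),
    ("bob@example.com",   "2020-03-02T09:00:00", "San Diego, US", "LAPTOP-07"),
    ("bob@example.com",   "2020-03-03T09:05:00", "San Diego, US", "LAPTOP-07"),
]

# Constructed inbox rules; keys are assumed, not an actual export format
INBOX_RULES = [
    {"user": "alice@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to": "Archive", "delete": False},
    {"user": "alice@example.com", "name": ".",
     "subject_contains": ["invoice", "wire", "payment"], "move_to": "Deleted Items", "delete": True},
]

SESSION_WINDOW = timedelta(minutes=60)   # assumed session lifetime after a sign-in
MONEY_TERMS = {"invoice", "wire", "payment", "payroll", "ach", "bank"}  # constructed watch list


def new_location_or_device(events):
    """Alert on the first sign-in from a location or device never seen for that user.
    A user's very first event only establishes the baseline and is not alerted."""
    seen, alerts = {}, []
    for user, ts, loc, dev in sorted(events, key=lambda e: e[1]):
        known = seen.setdefault(user, {"loc": set(), "dev": set()})
        if known["loc"] and loc not in known["loc"]:
            alerts.append((user, ts, f"new location {loc}"))
        if known["dev"] and dev not in known["dev"]:
            alerts.append((user, ts, f"new device {dev}"))
        known["loc"].add(loc)
        known["dev"].add(dev)
    return alerts


def concurrent_sessions(events, window=SESSION_WINDOW):
    """Alert when a sign-in lands while an earlier session from a different
    location/device is still inside the session window (one alert per event)."""
    by_user, alerts = {}, []
    for user, ts, loc, dev in sorted(events, key=lambda e: e[1]):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), loc, dev))
    for user, sess in by_user.items():
        for i, (t2, loc2, dev2) in enumerate(sess):
            overlapping = [(loc1, dev1) for t1, loc1, dev1 in sess[:i]
                           if t2 - t1 <= window and (loc1, dev1) != (loc2, dev2)]
            if overlapping:
                loc1, dev1 = overlapping[0]
                alerts.append((user, t2.isoformat(),
                               f"{loc2}/{dev2} while {loc1}/{dev1} still active"))
    return alerts


def suspicious_inbox_rules(rules):
    """Alert on rules that delete, or move to Deleted Items, messages whose
    subject matches money-movement terms: the hiding pattern described above."""
    alerts = []
    for r in rules:
        hides = r["delete"] or r["move_to"] == "Deleted Items"
        hits = {t.lower() for t in r["subject_contains"]} & MONEY_TERMS
        if hides and hits:
            alerts.append((r["user"], r["name"], sorted(hits)))
    return alerts


if __name__ == "__main__":
    for check in (new_location_or_device, concurrent_sessions):
        for alert in check(SIGNINS):
            print("SIGN-IN ALERT", alert)
    for alert in suspicious_inbox_rules(INBOX_RULES):
        print("RULE ALERT", alert)
```

On the constructed data, alice’s 08:35 sign-in trips both sign-in checks (new location and new device, and a session still active from San Diego), bob trips none, and the one-character-named rule that deletes invoice and payment mail is flagged. The session window is a tunable assumption; shorter windows reduce noise from legitimate travel but can miss slower takeovers.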

Prevention is where MFA comes in. In addition to username and password (something the user knows), MFA adds an additional factor (something the user possesses). The additional factor is the user’s smartphone. Unless the criminal also steals the employee’s phone, the compromised login credentials are useless. There are several approaches to implementing MFA:

  1. Some third-party applications that do single sign-on have MFA capabilities. Examples include Okta and Duo. Microsoft Azure also supports MFA.
  2. Office 365 has the ability to natively enable MFA through the Microsoft Authenticator application. However, some companies have issues with mandating that employees install specific applications on their personal smartphones. If the company doesn’t reimburse employees for their phone use, this becomes a concern for the HR department.
  3. Office 365 also supports native MFA by sending a one-time passcode to the employee’s phone via a text message. This gets around the reimbursement issue because it doesn’t require loading a specific application on the phone. Plus, the simplicity of the approach allows employees to self-enroll through an eight-step process that requires less than two minutes to complete. The impact on the employee is minimal, because the one-time passcode is required only when the employee is logging in from an unknown location or device.
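To show what the text-message passcode in option 3 actually adds over the password alone, here is an added example of the server-side issue-and-verify flow for a one-time passcode. It is not Office 365’s implementation and assumes a simple in-memory store: the code is short-lived, usable once, and withdrawn after a few wrong guesses, so a stolen password on its own does not get an attacker past the prompt. The user name, clock values and limits are constructed.

```python
"""Issue/verify flow for an out-of-band one-time passcode (added example,
not a vendor implementation). Limits and sample values are assumptions."""
import hmac
import secrets
from datetime import datetime, timedelta

OTP_TTL = timedelta(minutes=5)   # assumed validity window
MAX_ATTEMPTS = 3                 # assumed wrong-guess budget per code


class OtpStore:
    """Server-side store of pending codes; `now` is injectable for testing."""

    def __init__(self, now=datetime.utcnow):
        self._now = now
        self._pending = {}   # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        """Create a fresh 6-digit code for the user, replacing any pending one."""
        code = f"{secrets.randbelow(10**6):06d}"   # uniform over 000000-999999
        self._pending[user] = [code, self._now() + OTP_TTL, MAX_ATTEMPTS]
        return code   # handed to the SMS gateway, never to the web client

    def verify(self, user, submitted):
        """True only for the pending, unexpired code; each code works once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        if not hmac.compare_digest(code, submitted):   # constant-time comparison
            entry[2] -= 1
            if entry[2] <= 0:                          # budget spent: withdraw the code
                del self._pending[user]
            return False
        del self._pending[user]                        # single use
        return True


def demo_flow():
    """Walk the flow with a fixed clock; returns whether each guard held."""
    clock = [datetime(2020, 3, 2, 9, 0, 0)]        # constructed start time
    store = OtpStore(now=lambda: clock[0])
    user = "alice@example.com"                      # constructed sample user

    code = store.issue(user)
    wrong = "000000" if code != "000000" else "999999"
    wrong_rejected = not store.verify(user, wrong)
    right_accepted = store.verify(user, code)
    replay_rejected = not store.verify(user, code)  # reuse of a consumed code

    code2 = store.issue(user)
    clock[0] += OTP_TTL + timedelta(seconds=1)
    expired_rejected = not store.verify(user, code2)

    code3 = store.issue(user)
    wrong3 = "000000" if code3 != "000000" else "999999"
    for _ in range(MAX_ATTEMPTS):
        store.verify(user, wrong3)
    lockout_rejected = not store.verify(user, code3)  # correct code, budget gone

    return wrong_rejected, right_accepted, replay_rejected, expired_rejected, lockout_rejected


if __name__ == "__main__":
    print(demo_flow())
```

The constant-time comparison and the attempt budget matter together: a six-digit code has only a million possibilities, so without a guess limit an attacker holding the password could simply iterate. The same store shape works for an authenticator-app or SMS code; only the delivery channel differs.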

At FIT Solutions, our managed IT services include implementing the multiple forms of MFA. We also perform SOC monitoring through our cybersecurity offering, SOCBOX. You can learn more about FIT Solutions managed IT services, or better yet, call us at (888) 339-5694.
