February 26, 2015
Making The Most Out Of Cloud File-Sharing
A business’s ability to access, protect and share its data amongst its employees can be seriously limited if it tries to do everything in-house with only minimal on-site technology resources. This is where cloud storage comes in.
Moving data to the cloud can improve an SME’s productivity, security and data accessibility no end. Of course, it does come with its own concerns, but, due to the cost savings and the overall efficiency and convenience benefits of cloud storage, more and more businesses of all sizes are deciding to utilize cloud services in one form or another.
Choosing the right cloud storage service for your business can indeed be a bit of a tricky task, however, as there are nearly as many of them as there are clouds in the sky – and so the purpose of this blog is to help you become familiar with the different features of cloud storage that you will find available to you when you start shopping, in order that you may be better informed when it comes to making a decision.
File-Sharing In The Cloud
Firstly, going for cloud storage will allow your company to work without a virtual private network (VPN) or file server(s). When cloud storage first emerged, companies were mainly using it to enable remote accessibility to important files for employees who were doing a lot of work from their smartphones or tablets. However, as things have progressed, many businesses have found that by utilizing many of the available online services – such as Dropbox, SugarSync or Egnyte – they can actually replace the file servers that they had previously hosted in-house. Without the need for a VPN, a huge cost saving is made right at the outset.
It’s fair to say that Dropbox can be thought of as the pioneer for simplicity and ease of use when it comes to file-sharing. Now there are literally dozens of well-known vendors offering similar services.
There is great appeal for many SMEs, as Vladis Filks, the research director at Gartner, explains:
Enterprise employees use Dropbox and Google [Drive] because they are consumer products that are simple to use, can be purchased without officially requesting new infrastructure or budget expenditure, and can be installed quickly on your own device without the involvement of IT.
Be this as it may, IT departments around the globe have become increasingly concerned about the security of sensitive corporate data being stored off-premises, especially due to the fact that data laws require knowledge of and control over data location. What is more, a lot of the consumer-grade services, such as those most commonly provided by the likes of Dropbox et al, don’t necessarily provide the kinds of features that are required by businesses.
However, there are plenty of options to go for, and so below we have compiled a short list of 5 of the very best cloud storage services for businesses and have outlined their key features.
5 Cloud Storage Services For SMEs
Dropbox For Business
Dropbox for Business is becoming as popular for enterprises as Dropbox has proved to be for non-commercial use. Providing businesses with 1 TB of storage and supporting multiple users with centralized activity monitoring, this is one of the very best cloud services that you can go for.
Google Drive
Google Drive is another very popular service that pairs with an SaaS (software as a service) suite (Google Docs) which allows you to create and edit documents via a browser. What’s so appealing about Google Drive is its ability to let you view files even if you don’t have the program they were created on installed onto your computer (so, if you don’t have the Adobe suite, then no worries, you can still view files that were created in Photoshop or Illustrator etc.).
SkyDrive
SkyDrive is great for free storage and of course integrates well with Windows operating systems – for example it will sync Windows Phone with Windows 8+ so that all settings, apps, files and folders are seamlessly integrated. SkyDrive is not limited to Windows, however – it’s available on iOS and Android too.
Box
The central idea behind Box, unlike that of the others, is not primarily to keep online files synced and stored so that various copies can be accessed on various devices (though it does of course still have this capability), but rather to serve as a means to centralize business data for easier collaboration in the cloud. Box also lets you share screencasts and screenshots from your desktop.
SugarSync For Business
SugarSync For Business lets you sync files and folders across any Mac, PC, Android, Blackberry or iOS device. It also includes an Outlook plugin that lets you embed links in your emails to large files rather than attaching the actual files themselves.
Cloud storage and file-sharing are something that you will require as your business grows. They are a fully scalable solution for many businesses’ storage needs, and V&C Solutions are the team that can help you find the right service for you. Get in touch to find out more.
February 19, 2015
Spam-proofing Your Website Forms
Preventing spam on your website, email or blog can at times feel like a full-time job in itself. Bots are relentless, diminutive little beings, and the same goes for spammers in general.
What Is Spam?
Spam is the internet’s equivalent of junk mail – it’s junk email (and messages and comments and tweets and posts) if you will. Normally, when we talk about spam, we are specifically talking about a flooding of the internet with lots and lots of copies of the exact same message, which is generally used to try and force this message onto people who would not otherwise choose to receive it. However, some people define spam even more broadly as any unsolicited message, email, comment etc.
In most instances, spam is used for commercial advertising, though usually these will be for questionable products, get rich quick schemes, or sometimes quasi-legal services.
As black-hat tricks go, it is a little, well, old (black) hat in this day and age. Indeed, we’ve all had to put up with spam attacks for years, and, frankly, they’re simply just more of a nuisance than any real threat. But, a nuisance they are – especially if it is your machine that becomes compromised and is set up as the unwitting launch pad for a spam attack.
The Honeypot Technique
One form of spam prevention is known as the Honeypot Technique. This is considered to be one of the fastest, easiest and most effective methods of preventing spam.
One of the best things about the technique is that it does not interfere with the user experience – something that some prevention techniques unfortunately do (see below). The Honeypot Technique requires no additional input from the user, and in fact they won’t even realise that you’re using it.
If you’ve got a form on your website that you want as many genuine leads to fill out as possible, then the last thing you want is for a load of spam bots filling them out and skewing your metrics with junk data.
To implement the Honeypot Technique you will need to get a little technical. What you will need to do is to add a hidden form field to the form in question. When a spam bot encounters a form, it will fill in every field it comes across – and so, the trick is to make one of those fields invisible. When a real user fills out the form, they won’t be able to see the invisible field, and will therefore leave it blank. However, the spam bot will be able to see it, and will therefore fill it out, thus alerting you and your system that the submission can be treated as spam.
Here’s an example of the CSS rule of the type that you will need to use when coding your form:
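A honeypot field and the matching server-side check, as an added example that is not the original post's code; the field name website_url, the hp-field class and the /contact action are hypothetical, and the sample request bodies are constructed.

```javascript
// Added example: honeypot form field plus the server-side check.
// HONEYPOT_FIELD, the "hp-field" class and "/contact" are hypothetical names.
const HONEYPOT_FIELD = 'website_url';

// Markup and CSS rule for the page. The wrapper is moved off-screen so that
// sighted users never see it; aria-hidden, tabindex="-1" and autocomplete="off"
// keep screen readers, keyboard navigation and browser autofill away from it.
const FORM_HTML = `
<style>
  .hp-field {
    position: absolute;
    left: -9999px;
    width: 1px;
    height: 1px;
    overflow: hidden;
  }
</style>
<form method="post" action="/contact">
  <label>Email <input type="email" name="email" required></label>
  <label>Message <textarea name="message" required></textarea></label>
  <div class="hp-field" aria-hidden="true">
    <label>Leave this field empty
      <input type="text" name="${HONEYPOT_FIELD}" tabindex="-1" autocomplete="off">
    </label>
  </div>
  <button type="submit">Send</button>
</form>`;

// Classify a raw application/x-www-form-urlencoded request body.
//   ok      - honeypot present and empty (what a browser sends for a real user)
//   spam    - honeypot contains any text (a bot filled every field)
//   suspect - honeypot absent (the request did not come from the rendered form)
function classifySubmission(body) {
  const params = new URLSearchParams(body);

  if (!params.has(HONEYPOT_FIELD)) {
    return { verdict: 'suspect', reason: 'honeypot field missing' };
  }

  // getAll() covers a body that repeats the field; any non-empty copy counts.
  const filled = params.getAll(HONEYPOT_FIELD).some((value) => value.length > 0);
  if (filled) {
    return { verdict: 'spam', reason: 'honeypot field filled' };
  }

  return { verdict: 'ok', reason: 'honeypot field empty' };
}

// Constructed sample request bodies (not captured traffic).
const SAMPLES = {
  human: 'email=ann%40example.com&message=Please+call+me&website_url=',
  bot: 'email=x%40example.net&message=Buy+now&website_url=http%3A%2F%2Fexample.org',
  directPost: 'email=y%40example.net&message=hello',
};

for (const [name, body] of Object.entries(SAMPLES)) {
  const result = classifySubmission(body);
  console.log(`${name}: ${result.verdict} (${result.reason})`);
}
```

The check has to run on the server: the CSS only hides the field, and a filled or missing honeypot is visible only in the submitted request.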
Spam Prevention Options To Avoid
As mentioned above, what is so great about the Honeypot Technique is that it does not interfere with nor at all degrade the user experience. It is completely hidden from the form and the site. It is an unseen sniper that picks off spam attacks in broad daylight without the general public having to know anything about it.
There are other options that you can use, of course. Some are equally effective in terms of detecting and deflecting spam, however they are not quite so good when it comes to user experience.
A captcha (completely automated public Turing test to tell computers and humans apart) is an image that displays text in a manner that is not easy to read. Another name for this is challenge text. We’ve all come across them, and when we do we are asked to type into the appropriate field the text that we can decipher with our human eyes that a spam bot cannot with its spammy ones. The challenge, as it were, is set – if we can complete it, then we verify to some extent that we indeed have a higher level of intelligence than a spam bot, and so must of course be human.
Spam bots have trouble reading this type of text firstly because it usually appears in an image rather than in HTML markup, and secondly because they are normally unaware that the form field in question is looking for a specific entry (i.e. what’s written in the image) and just fill it in with their usual junk.
Although a captcha is an effective way of shielding your site from spam, it nonetheless degrades the user experience. These types of forms are a nuisance to fill in, and indeed account for a number of bounces and page abandonments.
A second captcha-style option is to implement a question and an answer field. So, for example – your sign up form may include the question: What colour is the blue sky? A human should be able to answer that question very easily, whereas a spam bot won’t, and, again, will just fill the field with junk, and thusly be denied access to your site.
Spam, unfortunately, is not going anywhere anytime soon. However, there are a few techniques that you can use to prevent the attacks on your website, and by far the best one is the Honeypot method, which does not interfere with the user experience of your site at all. It is the least invasive method, and, since you always want to keep your users in mind, then that’s the one to go for.
Are you encountering trouble with Spam? Get in touch with us here at V&C Solutions to find out how we can assist you.
February 13, 2015
Why Your Company Will Benefit From A VPN
From a security standpoint, VPNs (Virtual Private Networks) are a no-brainer. The whole world is connected these days, we are reliant on the internet for practically every part of our lives – but so much of it is still a digital jungle, where hackers can very easily sneak into vulnerable networks from anywhere and wreak as much havoc and steal as much sensitive data as they like.
The solution? Well, instead of floundering around helplessly in full sight of potential adversaries in public networks, why not switch to a private network instead?
Look at it this way. Public networks are literally a cesspool of spoofing, spam, Honeypot and Firesheep attacks. If your business requires employees to sometimes work remotely (and, let’s face it, nearly every business these days is not entirely centralised – even if you’re the boss, you will still no doubt want access to some pretty important stuff while you’re at home), they will sometimes need to access sensitive data that is stored on your organization’s private servers. But, doing so on a public network – such as a café’s Wi-Fi hotspot, for instance – puts that data, and therefore your business and your job at risk.
The beauty of implementing a VPN is that this risk can be significantly diminished. VPNs allow users to access a private network securely and then share data through public networks. They work in a similar way to a firewall on your computer – firewalls protect your data on your computer, and VPNs protect your data online.
Why VPNs Are So Great
There are many reasons, but here are the best ones:
- Secure connection to a remote network via the internet: Companies mainly implement a VPN so that their employees can always have remote access to any files, printers, applications, etc. on the office network, without ever having to compromise on security.
- Connecting Multiple Networks: VPNs can also ensure the secure connection of multiple networks. Larger companies especially enjoy this service, though SMEs also benefit as well. VPNs are relied upon to share servers and other resources among multiple stores or offices around the world if necessary. Even if a company doesn’t have multiple offices, the same ‘trick’ can be utilised to connect multiple home networks if, as is becoming the increasing trend, you have employees who work from home or what have you.
- Privacy: Connecting to an encrypted VPN whilst you’re on an untrusted public network – a hotel Wi-Fi hotspot, for instance – is a very smart practice in security. The VPN will encrypt all of your internet traffic, and therefore help to stave off anyone who might be attempting to spy on what you’re doing via the Wi-Fi and possibly steal your passwords.
VPNs are very popular in business for their security capabilities. Since VPNs use a brilliant combination of encryption protocols and dedicated connections, even if a hacker did actually manage to sneak in and siphon off some data, they still wouldn’t be able to gain access to it because of the encryption.
Choosing The Best VPN
There are many types of VPN, but the very best are the ones that offer the most favourable balance of server location, features, connectivity protocols, and of course price. Here’s a list of what you should look out for when choosing a VPN:
- Protocol: Each protocol comes with its own advantages and drawbacks. Most private users don’t really need to be too concerned, as nearly all will provide a secure connection. However, SMEs and corporations should really be using IPSec or SSL clients.
- Logging: Every time you connect with your VPN, you are trusting the VPN service provider with your sensitive data. While it’s true that all of your communications will be secured from any eavesdroppers, other systems on the same VPN can actually log any of your data if they so choose – especially the operator. This may very well be an issue for you, and so, before signing up to a service, you need to be absolutely 100% crystal clear about your provider’s logging policies. There are many VPN companies who do not log your activities when you’re connected, and, frankly, there are just as many that do. Take a look at this article from TorrentFreak for a full list.
- Anti-Malware and Spyware Features: Just because you’re on a VPN doesn’t mean that you’re invulnerable to attack. Therefore you must make sure that whatever provider you go for offers anti-malware and spyware protection while you’re connected.
- Price: Some VPN providers are free to use. However, these ones are far more likely to log your activities and may well even bombard you with adverts while you’re connected – not to mention some rather shoddy commitments to your privacy. Really, then, you’re much better off parting with some cash and paying for a decent service. Some will still log your data, so you will have to do your research before committing. However, you will be able to take advantage of a free trial in most cases, so you’ll have a chance to test the waters and find the best one for you.
Are you considering a VPN solution? Get in touch with us here at V&C Solutions to find out how we can help you do just that.
February 6, 2015
BYOD and MDM: What Does It Mean For Your Business?
Smartphones are now the mobile device of choice for millions of consumers around the globe. It began back in 2007 when iPhones first came to market, and thusly changed the way that people think about phones forever. They transformed the way people communicate, access the internet, shop and work. Now, smartphones have long ushered in what has become known as a consumerization of IT, meaning that the once corporate issued devices have largely been shoved aside for work purposes, and instead have been replaced by those that employees prefer using, are more familiar with, and in a lot of cases actually own themselves.
This has resulted in many BYOD (bring your own device) policies in workforces around the globe. Your company may already have one in place, or you may be thinking that it might be more cost efficient if your employees all provided their own smart devices rather than having to fork out for them yourself. In either case, you will need stringent BYOD and MDM (mobile device management) policies in order to fully protect yourself and your customers when it comes to the sharing and security of sensitive data.
What Does BYOD Mean For Your Business?
iPhones, Android phones and Windows Phones – whatever the preferred smart device of your employees, they have proven to be a highly disruptive force for the enterprise. Firstly, smartphones are no longer simply voice communication devices. They are data devices. And, as data devices, they are much more valuable to a company than what it says on their price tags.
So let’s start there.
BYOD Saves Money
Introducing BYOD policies was indeed an inevitable response by a lot of companies to rapidly changing mobile technology. Put simply, it saved a lot of organizations a lot of money. Since employees are buying smartphones anyway, allowing those workers to use these devices for business purposes negates any need for the company to provide them.
However, when you suddenly have a lot of employees bringing their own devices into work, it can very quickly begin to create quite a significant headache for IT managers.
The problem of course comes from the fact that these devices aren’t necessarily secured adequately. If the user is perhaps a little careless with their smartphone, then any amount of malware could potentially find its way in, and then the device itself in turn could be used as the jumping point for the whole network to become infected. And what if a worker’s device becomes lost or stolen? Any sensitive data that is stored on there immediately becomes compromised. And what happens when an employee leaves the company? How can you be sure that he or she leaves all important information behind?
BYOD Means Strict Policies
This is where there need to be some strict policies in place to mitigate these risks. One approach is to manage clients with a central policy engine. For example, Windows Intune can provide insights into configuration updates, can make sure that all devices are up to date and secure, and can provide malware protection statuses for users, as well as alerts and security policies.
What some companies like to do is integrate these functionalities all within a complete configuration management console, so that they can centrally provision all end-user systems on mobile devices so that they can be kept current with all the latest platform updates.
The consumerization of IT has meant that the desktop-dependent lifestyles of employees around the globe have been traded in for the convenience of smartphones and tablets. The slew of security concerns, as outlined above, has given way for an influx of mobile device management (MDM) solutions to offer some sort of relief for companies. Indeed, the need for such solutions has become so great, in fact, that the MDM market is now worth nearly $6.6 billion according to Forrester.
A lot of these solutions work by creating a “secure container” on an employee’s device that hosts and encrypts corporate data independently from personal data. IT administrators can then use the MDM platform that has been put in place to deploy corporate emails or apps to employees’ personal devices and establish specific user access policies for each.
The idea is that, should an employee’s device become lost or stolen, the company can rest assured that all corporate data resides in its own secured space. And, what is more, employees can actually enjoy the benefit of essentially having two devices in one.
A BYOD policy can save your company a lot of money, and indeed it is what a lot of employees simply expect in this day and age. However, such strategies do of course come with a large amount of risk, and so they should only be considered if you are capable of putting strict policies in place, and have the capacity to also implement some kind of MDM solution to protect yourself.
Contact us at V&C Solutions to find out how we can help you with your BYOD policies and MDM solutions.
February 4, 2015
Protecting Your Business from Increasingly Sophisticated Malware
Published by Igor Varnava, February 3, 2015
According to TrendLabs 2Q 2014 Security Roundup, events such as the data breaches that we saw in the first half of last year “strongly indicate that organizations need to start adopting a more strategic approach to protect digital information” this year. This includes protecting sensitive data such as intellectual property, but is also important for protecting customer data. An Identity Theft Resource Center study carried out last year found that more than 10bn personal records had been exposed in the first half of 2014 and “the majority of the breaches occurred in the business sector.”
This is not by any means a new problem. A study carried out in November 2013 by Osterman Research states that “security is no longer a ‘nice to have’, but a must-have”. This is especially true for a few reasons: the need to protect both customer and organizational data, the increasingly sophisticated nature of malware and the growing popularity of technologies such as the Internet of Things. The latter, Trend points out, makes the threat landscape into a “moving target” as it presents new targets for cybercriminals to attack.
Attacks Become More High Profile
While high-profile attacks are now commonly reported on, it seems that organizations are still not doing enough to protect business systems. This is due to “a failure to adequately address employee and insider vulnerabilities” as well as a lack of a strategic approach to cybersecurity. Protecting systems must take a strategic approach and align with business goals. It’s no use simply allocating a budget, effectively throwing money at the problem and hoping it will go away; security must be addressed in such a way that it’s not just the responsibility of the IT department, but also gains attention at board level.
So what can a business do to ensure that it is protected? To some extent, it’s impossible to protect against every single threat, as many now don’t damage systems but do all that they can to remain hidden. Add to this the growing power of DDoS attacks, where one attacker with as little as 1MB of bandwidth can carry out a 20GBPS attack thanks to botnet amplification, and it’s clear that businesses need to take steps to protect themselves in a variety of ways and put layered protection in place.
With that in mind, let’s have a look at what every business should be doing to ensure that data and customers are as protected as they can be in the current threat landscape.
Education and Training
Any security professional will tell you that the end user is often the weakest link when it comes to network security. Spear phishing techniques are now sophisticated enough that even the most tech savvy employee can get caught out. Despite this, many companies don’t adequately train staff on the dangers of phishing and social engineering techniques rife on social media.
Education on security issues is globally inadequate. It could be said that given the threat to business and consumers alike, not to mention national infrastructures, governments should be doing more to ensure that citizens are aware of the common types of threats that are out there. However, this isn’t the case, so it’s up to the organization to ensure that proper training is put in place for staff.
Staff training should include:
- Guidance on phishing mails – examples, understanding how information is gathered by cybercriminals on social media, dangers of opening attachments and clicking on links.
- Understanding vulnerabilities – while it’s the responsibility of the IT department or IT support company to patch systems, the employee who is aware that it needs to be done is one that is more vigilant.
- Disaster recovery/incident response plans – staff should be aware of processes that need to be carried out in the event of a breach or other security incident, such as the best person to contact, how to respond, etc.
- Use strong passwords – it’s astonishing but true that in 2014 the most commonly used ‘bad’ passwords were 12345 and ‘password’. Teach employees how important strong passwords are and ensure that they’re used on the network. Ideally, employees should use a password manager to generate and store complex passwords.
Employees need to understand that the way that they approach network security can make a difference to the business. It’s thought that 60% of companies fail in the six months following a data breach so to the employee, the bottom line is that they could lose their job.
AV and Vulnerability Scanning
Research carried out last year by NTT Group found that 45% of all network attacks were due to malware, but many of these could be prevented if businesses had basic protection in place and “effective vulnerability lifecycle management.” It was found that many companies didn’t employ even the most basic protection such as AV software and in some cases, patches hadn’t been applied to software for more than 2 years.
Further to this, the report found that 77% of all participating businesses did not have a disaster recovery plan in place.
The research collated and studied data from around 3 billion attacks that took place in 2013 and focused on the losses suffered by businesses that had already suffered an attack. By putting in place more robust security and prioritizing controls, one firm reported a saving of almost $100,000. The report recommended that businesses work with trusted security professionals to mitigate risk, with vulnerability scanning being a priority alongside pulling together an effective incident response plan.
It was also recommended that company networks should have the ability to analyze and collect logs which could then be stored for use in investigative reports.
The use of AV software, or lack of it as highlighted in the report is surprising. However, the industry has been in decline for some time now as more layered approaches to security have become more popular. Despite this, it remains a vital part of a company’s approach to security and shouldn’t be dismissed.
Business Grade Security
Even if your business does use an AV solution, it’s important to understand that this alone is not enough to protect systems. Modern AV software is relatively powerful, but it doesn’t pick up each and every threat that comes along and it can’t protect against incidences such as a DDoS attack or even a good hacker.
The modern network requires that businesses take a layered approach, as mentioned earlier. So, if one layer is bypassed by an attack, then another should stand in the way of the attacker gaining access to the network. The most common approach to this is in the use of firewalls and intrusion detection systems. A firewall is installed between the internal network and the rest of the network (such as the internet) and restricts traffic depending on how it’s been configured.
A good firewall can:
- Detect unusual activity on the network
- Block email services to prevent spam
- Restrict access to certain services on the network
- Verify incoming and outgoing traffic
- Log all network traffic
However, a firewall cannot:
- Prevent an employee revealing sensitive information through social media
- Protect against flaws and vulnerability at application level
- Prevent tunneling attempts
Additionally, a firewall is only ever as good as the rules that are configured to govern it, so it’s essential that it’s set up correctly in the first instance.
Types of Firewall
Firewalls and the level of protection that they afford an organization vary depending on the type chosen. For a business, it’s unlikely, for example, that a free, consumer-grade software firewall will ever be enough to offer a decent level of protection.
The main types of firewall available are:
- Hardware – for networks a hardware firewall provides an additional physical layer of security.
- Software – protects at the application level.
- Packet-Filter – filters at network or transport level based on information carried in the TCP/IP header of each packet.
- Application gateway – analyzes information at application level to decide whether or not a packet should be transmitted.
- Stateful Packet Inspection (SPI) – similar to a packet filter, this also makes decisions as to whether to allow a packet based on IP and data contained in the TCP header and can dynamically open and close ports.
More recently, we’re seeing technologies such as Unified Threat Management (UTM) solutions come to the fore, which provide the following protection:
- Content and email filtering
- Intrusion prevention
- Application control
Depending on the level of configuration needed, UTM solutions are simple to deploy and offer wide range network protection from internal and external threats. They are cost effective and can be fully managed from a single console. The market shows a robust level of growth and is becoming increasingly competitive; in 2014, the market was estimated by MarketsandMarkets to be worth $2584.6 million and that was expected to grow to $4445.7 million by 2019.
Lost or stolen data can be fatal to an organization and yet many still fail not only to adequately protect the network, but also to put in place a plan with regard to how to respond to an attack or IT disaster. A sound disaster/incident recovery plan can help to bring a network online again quickly, lessening the cost of downtime and reducing the cost of disaster to the organization.
It should set out who to contact in the event of an IT failure or outside attack and what to do in order to prevent further damage. Without it, an organization’s staff must respond in a disorganized manner and this leads to mistakes being made.
The mainstream use of the cloud also means that there’s no real reason for an organization’s data not to be fully backed up and easily restorable. Organizations which don’t feel safe with their data being offsite can choose to implement a hybrid solution in which data is backed up both onsite and to the cloud.
Whilst there’s little that can be done to prevent a huge DDoS attack, to some extent the risk can be mitigated by early detection and the use of a service which helps to distribute the attack. Monitoring at file and server level can also be put in place to help pick up attacks before they can do too much damage.
DDoS attacks have become much more common in recent years and vary in the approach that they take. Some use botnets whilst others, more commonly used by hacktivists, use bandwidth attacks only. It’s simple for attackers to find and rent tools that cost very little but can have a devastating effect on a business. The best protection against attacks such as this begins with understanding the risk and why it should be mitigated. Cybercriminals who come up against a well-protected network will simply move on to the next if they find too much resistance.
Cybercrime and its effect on business continue to present a problem for many businesses of all sizes. Whilst many believe that it’s more common for large organizations to come under attack this isn’t the case. Smaller businesses present a far easier target for the majority of attacks and so as the weakest link, these are attacked more often.
It’s important for CEOs to understand the risks if they are going to have a hope of mitigating the considerable risks and to put strong protection in place. Education of staff is key too as they represent an area in which further targeting by cybercriminals is implemented.
The threat landscape is a complex and ever-evolving one and in order to ensure that a business is safe from as many threats as possible, businesses must learn to understand the risk and what should be done in order to eliminate it. For many years IT departments have bemoaned the lack of attention to security at board level but this is changing now as CEOs have come to understand that risk must be mitigated if the business is to survive. Whilst little can be done to stop attacks on the scale seen recently by Sony as these are thought to be state sponsored, there’s plenty that can be done to halt cyberattacks that are based in criminal activity.