Bob Gaines, security and compliance manager of All Covered, reviews best practices for passwords in small to medium-sized businesses. Most people know passwords need to be strong and secure. Other guidelines from real-world studies: Don’t repeat passwords on a periodic basis. Every password should be unique. Keep your personal accounts separate and different from business accounts. Do not share passwords within departments or organizations because accounts are used to track who is doing what when.

Encryption is a key component of IT security for small to medium-sized businesses. Bob Gaines, security and compliance manager of All Covered, discusses what needs to be encrypted and how.

All Covered is observing a growing trend of malware attacks and hacking attempts across the small business sector. In the past many businesses could rightfully believe that they were not going to be attacked by hackers because they were either too small, or because they were “off the radar” due to their small presence in the marketplace. This has all changed in the past 18 months.

According to the FBI, more money is now made off of malware then off of illegal narcotics. This represents a significant shift in how organized crime is both operating and where they will be making their investments in the future. Experts anticipate more sophisticated attacks with malware that is both harder to detect, and harder to remove. This is driven by several trends:

1. No network is safe. In the past, attacks from the internet were directed by a person who had a specific target in mind, such as a business, and institution or a governmental agency. These days attacks are completely automated, run by sophisticated programs that scan blocks of IP addresses.
• Automated scans scan examine 1000 IP addresses in an hour looking for vulnerabilities to exploit. Most scans are running continuously for days and weeks at a time.
• When an IP address is detected with a vulnerability, the application immediately attempts to exploit it. If successful, it will alert it’s administrator so that he can examine the results and see what additional exploitation can take place.
• Most firewalls are scanned by these automated systems at least twenty times a week from different sources
2. The bad economy is good for recruiting. Computer scientists and professional programmers are being actively recruited to write malware code because it pays well and offers very little risk. This code is often sold to other hacking groups to make money using similar application distribution methods that legitimate business use.
• Virus writing kits enable people with little technical skill to create sophisticated malware applications at low cost.
• Most of these virus kits come with 24hour technical support.
• Virus kits enable rapid advancements in code exploit to be rapidly distributed, which closes the gap between a known vulnerability and a viable virus or worm that can exploit it.
• Many organized crime groups cooperate and share resources for code writing, research and development and malware distribution in order to maximize profits
• There is a for-profit malware contingency who use dedicated test labs and other professional methods to improve their chances of infecting computers that employ techniques which outpace security software maker’s capabilities
3. Malware is now designed to make profits. In the past, viruses and worms were often designed as an intellectual exercise or to make a political or social statement. Today, it’s all about the money.
• Infested machines (bots) send out 44 billion spam emails a day. With many advertising programs, advertisers are paid on a cost-per-mille (CPM) metric. This means that the vendor or merchant is charged a flat rate for every thousand people that are shown the ad. Spam alone generates billions in profits.
• In 2010 McAfee Labs identified more than 20 million new pieces of malware.
• SophosLabs received around 60,000 new malware samples every day in the first half of 2010; every 1.4 seconds of every day, a new malware sample arrives.
• Captured data has value (represented in price per number of accounts captured)

  Facebook

  • 100/$15
  • 250/$35
  • 500/$65
  • 1,000/$120

  YouTube

  • 100/$12
  • 250/$30
  • 500/$60
  • 1,000/$120

  Yahoo

  • 100/$3
  • 500/$8
  • 1,000/$15
  • 5,000/$50
  • 10,000/$100

  Facebook

  • 100/$15
  • 250/$35
  • 500/$65
  • 1,000/$120

  Gmail

  • 100/$20
  • 250/$40
  • 500/$65
  • 1,000/$120

  Hotmail

  • 500/$10
  • 1,000/$15
  • 5,000/$65
  • 10,000/$120

  Twitter/MySpace

  • 100/$15
  • 250/$35
  • 500/$65
  • 1,000/$100

  Hushmail/AOL

  • 500/$10
  • 1,000/$20
  • 5,000/$90
  • 10,000/$160
4. Blended Threats are the latest trend. These days threats are no longer from just the internet, or just from infected attachments. Often these threats come from many sources, such as infected web sites, thumb drives or through VPN connections.
• Within the top 100 results 51 percent of the daily top search terms led to malicious sites, and on average each of these poisoned-results pages contained more than five malicious links. Of those poisoned, almost 5 percent had a malicious link in the top 10 results alone.
• As the IPAD and other apple product rise in popularity, so do the number of viruses designed specifically to exploit them. Currently there are over 35 viruses written for the IPAD alone
• Over 30 percent of network infections come from either a thumbdrive or through a vpn connection from a home office
• Most viruses are network-aware, allowing them to spread rapidly across the network. In addition, most viruses are designed to “call home” to a command and control center to download more advanced malware.
5. Advanced persistent threats are on the rise. APTs are different from other attacks. They are coordinated, methodical and exceptionally hard to detect.
• APTs are not automated – these attacks are directed by individuals or teams with a high degree of skill
• APTs establish a back door so that they can return to steal more data.
• APSs use sophisticated techniques to encrypt and hide data so that it can evade detection
• The detection rate for APTs is 24%. In comparison, the detection rate for malware is above 80%

Businesses can defend against these threats in many ways, but it is important to understand that there is no singular solution to the defense against malware and attacks. Organizations need to have a layered approach to security, defending the perimeter, the servers, the workstations, the network and the data, with solutions that overlap protection at each layer. These protections need to be specific to the organization – one size does not fit all, as solutions need to not only align with the individual needs of the organization, but with the policies that are in place.

Most companies go to great lengths to ensure that appropriate security measures are applied to servers, workstations, and firewalls through applications and policies. However, businesses often neglect to consider the inherent security vulnerabilities involved with their peripheral devices such as multifunctional printers (MFPs – print, copy, fax and scan all in one system).  A 2010 feature on CBS’ 60 Minutes highlighted many of these risks including documents stored on MFP hard drives to printed information left on MFPs and never picked up.  What many customers don’t know is that some manufacturers’ MFPs come with optional security features that when enabled minimize these risks.

All Covered asked Konica Minolta (its parent company) to help shed some light on this important security topic. Here is some helpful advice on securing your MFPs.

Understanding the Problem

Businesses use secondary computing devices – MFPs – that might create critical security gaps for the following reasons:

• Unauthorized network access can be a problem with many MFPs.  Because most MFPs don’t have built-in security and are designed to integrate with your business’s mail servers to distribute faxes to users there is always a potential risk that the MFP can be used by hackers to gain access to your company’s network.
• Potential data exposure is always a risk as most MFPs store data in centrally located areas that do not require credentials for access.  All data residing on your business’s MFP is likely available to anyone that has physical access to the machine.
• Data theft can be a problem if the MFP or the hard drive within it is stolen or if the device is returned to the vendor for any reason (a lease expires).  In the event that the device or its hard drive is stolen or sent back to the vendor, all data on the hard drive is accessible to whoever is in physical control of the MFP because encryption and password protection are typically not available or enabled on MFPs.

The solution

Small businesses need to include security as part of their MFP evaluations.  If it is overlooked your valuable data could be at risk.   Security features every business should look for in MFPs include:

• Hard Drive Encryption is usually an 8 or 20-character alphanumeric key that encrypts the entire contents of the MFP drive.  Look for products that use real-time 128-bit AES encryption algorithms to provide the highest level of protection if the hard drive is removed from the device.
• Hard Drive Lock Password is an additional level of security that can be added to a hard drive by electronically locking it to the MFP via a 20-digit alphanumeric password.  The password is applied directly to the BIOS of the hard drive and prevents access to the hard disk data. This also protects the hard drive from unauthorized access if it is removed or switched to another device.
• Automatic Deletion of Temporary Image Data on a timely basis is another safeguard to data security for MFPs.  An auto deletion time can be set for data stored in the personal or public user boxes, as well as system boxes (e.g. secure print box or encrypted PDF print box). The auto deletion setting will erase the copy, print, scan or fax jobs stored in boxes, depending on the storage period and the time frame selected for deletion.
• Data Overwrite of Electronic Documents on a Timed Basis eliminates the potential of retrieving temporary data even after it’s been deleted. This feature automatically overwrites each completed job, deleting it from MFP and leaving no trace of its data anywhere in the system.  Be sure that the feature is in compliance with U.S. Department of Defense standards by using either one-time overwrite or three times overwrite.

Konica Minolta, has led the industry in providing enhanced security features for the digital era.  With our new bizhub SECURE professional service, Konica Minolta helps customers set up enhanced password protection and data security features on all its bizhub MFPs.   This ensures that any document data residing on bizhub MFP’s internal hard drive is locked down.

Learn more

Your business’s IT network needs to be secured and protected against potential data exposure especially if your business has to adhere to regulatory guidelines (such as healthcare origination). One of the easiest ways to ensure that it meets these requirements is to purchase MFPs that include the industry’s most cutting-edge security technologies – most of which come standard on Konica Minolta bizhub MFPs.  To learn more about how to secure your network including your MFPs, please contact the experts at All Covered or Konica Minolta.

Dino Pagliarello is director of product marketing at Konica Minolta Business Solutions U.S.A., Inc.

In addition to the regularly scheduled assessments and audits that your business includes as part of its security plan, there are other instances where and immediate security assessment should be performed. Security events that require an immediate assessment are events that threaten the confidentiality, integrity, and/or availability of data. All Covered has identified the following types of events that that should automatically trigger an immediate security assessment.

Verified network breach

In the event that a verified security breach has occurred and your business cannot determine if data or any part of the network was modified, your business needs to have a security assessment. Security breaches which should trigger an immediate assessment include, but are not limited to, the following:

• Actions by an unauthorized user
• Accidental actions by an authorized user
• Unlawful actions by an authorized user

Newly discovered application and hardware vulnerabilities

Vulnerabilities are always being identified and your business needs to protect itself. Because many of the newly discovered vulnerabilities don’t have fixes, secondary security measures need to be implemented. An immediate assessment will identify the specific scope of the threat to your business’ infrastructure and help identify the best secondary solution. To learn about vulnerabilities consult with the following sources:

• Vendors of hardware and software
• Trade groups
• Law enforcement

Lost or stolen computing devices and media

In the event that a laptop, smartphone, backup tape, or other media device is lost or stolen, your business should consider an immediate security assessment if any of the following data types were stored on the missing device:

• Passwords
• Network diagrams
• Firewall and router configurations
• Wireless network information

Significant modifications to the IT infrastructure

Adding, updating, or removing hardware, software, or firmware can create new security holes within your network. The following modifications should trigger an immediate security assessment:

• Operating system upgrades on servers
• New Line of business applications or upgrades
• Changes in perimeter security
• Changes in networking equipment
• Changes to or installation of remote access solutions
• Modifications to information system platforms such as virtualization, storage, high availability, and public/private clouds

Significant organizational changes

Organizational changes to your company through the departure of key personnel or modifications to risk management strategies or information security policies can affect the security of your company’s infrastructure. An immediate assessment will do the following for your business:

• Ensure that security policies are in alignment with your company’s other existing policies and strategies
• Verify access controls and permissions
• Validate security controls on information systems when the types of data being processed, stored, or transmitted by your company have changed

Learn more

In addition to the above identified threats which should trigger an immediate security assessment, depending upon the nature of your business and the types of data it handles, there may be other security events that also require immediate attention. To learn more about security events that threaten your business or to schedule a security assessment please contact All Covered.

The Situation

On a Monday morning, just back from a three day vacation, you plod into your business office, set down your steaming cup of coffee, turn on your computer, roll up your sleeves, and take a look at your email inbox. In addition to all of the expected emails that typically accumulate over three day weekend, there are numerous, automatically generated security warnings announcing that a potentially malicious threat has been identified– some sort of virus, worm, or other type of malware made it through the firewall and infected your company’s IT network and spread to one or more critical servers that contains sensitive data.

In the past, you might not have done much about the identified malware except quarantine it with your antivirus application because more often than not, a virus was nothing more than an inconvenience and the likelihood of it being a true threat was minimal. Unfortunately, cybercriminals got smart and started developing malware that multitasks. This is bad news for your business.

The Primary Risks

In the event of a successful malware attack, your company’s primary risk revolves around the proprietary data that might have been compromised. Data from your company, partners, and clients may have been exposed, but the extent of that exposure will likely be difficult to initially determine. Besides potential data exposure, even the least harmful malware can be expected to do the following:

• Penetrate your business’s information systems by seeking out all vulnerable systems on the network. Most malware is network-aware, meaning that it will prowl the network looking for systems that are unpatched and then use those systems to launch attacks on other external networks. In situations like this, not only is your company’s network compromised, it is also now being used to attack other corporations’ networks.
• Download more complex malware to your company’s network. The first wave of malware is typically simple exploits that are designed to breach the network’s security and establish permanent access to the IT environment. This first wave of malware gives hackers complete access to information systems, allowing more nefarious malware to be deployed at will.
• Communicate back to a “command and control” center. More advanced malware will report back to the hacker once the initial automated attack has been completed. These communications provide the hacker with system information that makes it easier to execute advanced threats and gain remote access to your company’s network.
• Affect services and systems such as internet, email, and server-based applications. Malware infected networks can slow down the speed and availability of services because they tax the processing power of every infected system with thousands of simultaneous communication requests.

The Secondary Risks

In addition to the primary risks that malware poses to your business’s network, malware infections can cause secondary risks such as the following:

• Shutdown by your ISP providers is not uncommon if they detect that your network has been compromised by malware with their network monitoring tools. Losing access to internet connectivity can delay the quarantine and eradication of malware on your system, especially if tools and patches need to be downloaded from the internet to clean up the infection.
• Blacklisting of your business’s IP addresses will occur if the malware hijacks your network to send out spam. This will affect your business’s ability to send and receive emails because the ISP community will block all mail flow to and from your company’s IP addresses. Getting the problem cleared up with the ISP community can take weeks.
• Reinfection of your business’s network is possible because advanced forms of malware can evade detection and continually re-launch themselves even after initial cleanup has been done.

The Reactive Solution

As soon as your business detects the presence of malware on its network, it should contact the IT security experts at All Covered. All Covered’s trained security team will triage your business’s IT environment and quickly identify what immediate steps must be taken to secure your information systems.As part of All Covered’s Incident Response Program you can expect our trained security experts to do the following for your information systems:

• Isolate- All Covered will quarantine all machines that are suspected of being infected from the network to prevent the possibility of further infection.
• Analyze- All Covered will research the nature of the malware to determine what its payload is. Due to the rapidly changing cyber threat landscape this can be a challenging, time consuming, but very important step that must be done to identify which tools must be used to completely eradicate the malware from you business’s IT environment.
• Remove- All Covered will get rid of the malware on your network. Removal is often very difficult and may require specific applications and tools such as specialized “boot disks” or vendor specific utilities which can be expensive.
• Patch- All Covered will update all operating systems and applications on all computers, servers and network devices to recommended standards. It is important that all available updates are applied immediately after the network has been cleaned up to avoid the risk of reinfection.
• Examine- All Covered will examine all servers using forensically sound procedures to determine the extent of the malware infection and identify if any sensitive data has been compromised. Depending on your business’s vertical market it may be governed by regulations, legal contracts, or association memberships that require a forensic investigation.
• Report- All Covered will provide your business a written document that identifies the nature of the including a detailed accounting of the malware type, the infected devices, and recommendations to help prevent the situation from reoccurring.

The Proactive Solution

Information Security should be considered an extension of business operations. Because your business has unique information security needs, All Covered will work with you to create a customized proactive Information Security Plan that will do the following for your organization:

• Assess- All Covered will provide your company with a comprehensive and critical examination of its information systems to identify all potential security risks. The assessment will compare your corporation’s current security environment against industry best practices. If vulnerabilities are discovered, All Covered will provide your business with solutions to help secure your network.
• Advise- All Covered will help your business navigate the complex security requirements of regulatory compliance from governing bodies such as HIPAA, SOX, and PCI.
• Monitor- All Covered offers your business remote monitoring services to track the health and condition of your information systems 24/7, responding to incidents while they happen, not after.
• Support- All Covered will keep your information systems patched and properly configured to prevent malware outbreaks that usually occur due to delinquent security updates or misconfigurations.
• Train- All Covered will provide your company with customized end-user security awareness training for all information system users.
• Test- All Covered will examine your network’s external protections to ensure that information systems are protected from internet attacks.
• Review- All Covered will work with your company to create or refine an information security policy that is in alignment with your business’s operational needs while keeping it responsive to the latest threats.

Learn More

Statistically, it is only a matter of time before your company is targeted by a malware threat. All Covered wants you to know that any malware infection poses a very real threat to your business on many different levels and encourages your company to face the threat head on by adopting proactive solutions that will help protect your company. When your business forms a partnership with All Covered it can trust that it is working IT security experts that will provide customized security solutions that will reduce the likelihood of a malware incident. In the event that your business does suffer from a malware infection, All Covered’s Incident Response team can help stop the infection, mitigate the damage, and determine the nature of data exposure.

To learn more about the proactive and reactive security solutions that All Covered can offer your organization please contact the IT services & security experts at All Covered.

Engineering and planning controls are designed to ensure that your entire business’s IT infrastructure and all the data stored on it are secure.

Top five engineering and planning controls

All Covered cyber security experts believe that this final set of controls will help ensure that your corporation’s information systems are protected.  After your business has implemented the fifteen controls that were mentioned in previous articles, its corporate information systems need to be tested.  Engineering and planning controls will assess your information systems’ security as well as how it responds to potential security incidents.

 1.    Secure network engineering

All of your company’s network services need to be configured to allow for rapid deployment of security controls.  All Covered strongly urge your company to adopt a standardized practice that allows DNS, DHCP, and other network services to quickly update all corporate information systems as needed, in addition to being configured for regularly scheduled updates.

• All Covered recommends that your business maintain detailed network diagrams and logs of all information systems.  DHCP, DNS, and other networking systems such as RADIUS need to be configured to log as much information as possible.
• Networking devices should be configured to identify all connected systems, logged on users, and potential security issues.

2.    Penetration tests and red team exercises

IT security experts recommend that your business conduct regularly scheduled penetration tests to identify vulnerabilities and attack vectors that hackers could exploit to gain unauthorized access to your information systems.

• Cyber security experts cannot overemphasize the importance of conducting internal and external vulnerability scans anytime a major network component is replaced or modified or any time application upgrades are installed.
• Your IT security team should perform periodic “red team” exercises to test your company’s ability to quickly respond to and nullify cyber threats.  Additionally, if one of your company’s “red team” attacks gets through the current security controls, take the time to refresh the security and then retest it.

3.    Incident response capability

Your business needs to develop a written incident response plan.  IT security experts recommend that the plan identifies the different types of potential cyber threats and the expected procedure for responding to each type of threat.

• Staff members that have access to your company’s information systems need training regarding how to identify the different types cyber threats as well as their specific responsibilities for reporting potential incidents to your company’s IT security staff.
• Incident response plans should be revised at regular intervals and any time that major modifications have been made to the IT infrastructure.

4.    Data recovery capability

All Covered recommend that your company create image based backups for critical systems that will allow for quick system restoration in the event of a cyber security incident.  Images should include important data, applications, and operating systems that are stored at a secure remote site.

• Backups should be made on a regular basis to ensure that the most current information set is available in the event that a system needs to be restored.
• Backups should be assessed regularly to ensure that your business is protecting all of its critical systems.

5.    Security skills assessment and appropriate training to fill gaps

All Covered recommend that your company develop security awareness training for all staff members.  Training should include specific, incident-based scenarios that require staff to react to simulated threats.

• All employees should be annually re-certified on security awareness.
• Periodic tests should be performed to ensure that users are performing their duties in alignment with company security policies.

Learn more

Engineering and planning controls are strategically focused and designed to provide overlapping coverage with the other controls mentioned in the previous articles in this series.  To learn how these five controls, coupled with the fifteen controls mentioned in previous articles, will help your business create an effective cyber defense plan, please read the final article in this series.  To learn more about creating an effective cyber defense plan for your business, please contact the IT support experts at All Covered at 866-446-1133.

Network and application controls will help your company protect its IT infrastructure from unauthorized access.  IT security experts believe that by limiting access to your corporate information systems with carefully selected controls, your business can protect itself from the potential damages that unauthorized access can cause.

 Top five network and application controls

Most cyber security experts believe that the best defenses for your corporation’s IT infrastructure should include a combination of network and application controls.  These controls, when implemented properly, will limit who can access your business’s information systems.  In order for your corporation to protect its information systems, security consultants have identified the following five network and application controls:

 1.    Boundary Defense

Multi-layered defenses need to be in place for all information systems that are accessible through the internet.  By locking down access to your company’s IT infrastructure with firewalls, proxy systems, and limited router access, your IT environment will become less vulnerable to outside cyber threats.

• Security consultants advise that your company use blacklists to block known malicious or infected IP addresses.
• IT security consultants recommend that your company install an intrusion detection system on the firewall’s DMZ port to help monitor network attacks.

2.    Wireless Device Control

Wireless access points and devices need to be secured.  Security consultants also recommend that the “auto-connect” feature on your business’s wireless devices such as smart phones, tablet pcs, and laptop computers should be disabled.

• Wireless configurations for access points should be centrally administered with configurations that allow only specifically authorized devices to connect.
• Network vulnerability scanning tools should be configured to detect all wireless access points that are connected to your corporation’s network.
• Wireless intrusion detection systems (WIDS) should be used to identify network attacks and rogue wireless devices that attempt to connect to your business’s wireless network.  IT security experts recommend that automated reports should be generated any time unauthorized access is attempted.

3.    Application Software Security

All applications that are installed on your business’s information systems need to be tested on a regularly scheduled basis.  Regardless of whether applications are created in-house or are third-party, cyber security experts recommend that any time your company decides to install a new application it do pre-deployment testing to ensure that the application does not introduce security risks to your company’s information systems.

• Web applications should be tested using Open Web Application Security Project (OWASP) methodologies prior to implementation.  Cyber security experts recommend testing your systems with these methodologies because they are created by industry experts who understand the nature of cyber threats.
• All in-house developed software should reference a whitelist of acceptable input sources and data types before allowing any data in or out of the program.

4.    Malware Defenses

In order to protect your company’s IT infrastructure, all operating systems must have updated antivirus locally installed.  IT security experts caution that a single, unpatched workstation can infect your business’s entire IT environment and potentially cause catastrophic damage.

• Cyber security experts advise that as standard practice, all antivirus solutions should be scheduled to run automatically and then report to the system administrator any time a suspicious file, program, etc. is identified.
• All laptops, workstations, and servers should be configured to automatically run an antivirus scan anytime an external device such as a USB drive is attached.  Additionally, IT security experts recommend that the “auto run” feature for all external devices is disabled.

5.    Continuous Vulnerability Assessment and Remediation

Automated vulnerability scanning tools should be used on a weekly—or more frequent basis, depending upon your business’s needs.  IT security consultants recommend that all of your business’s information systems should be scanned regularly and that any unusual reports be examined immediately.

• Automated scan results should be compared to previous scans to ensure that any detected vulnerabilities have been properly repaired.
• Detailed external and internal vulnerability assessments should be performed annually to ensure that security controls will protect your business’s information systems against the latest cyber threats.

Learn more

Network and application controls can help your business protect its information systems against many potential cyber threats.  To learn about other sets of controls that will help your company create an effective cyber defense plan, please see the upcoming articles in this series.  To learn more about how network and application controls can be customized to meet your business’s particular needs, please contact the IT services experts at All Covered at 866-446-1133.

Security is easily one of the biggest concerns of the business sector, no matter what technology they implement or platform iteration they choose to subsist on. Businesses, ranging from large-scale IT companies to small businesses, are always at risk – even if their infrastructure consists of a traditional, self-sufficient office network setup with basic direct-to-computer wired hook-ups and crude security protocols.

Threats levels increase exponentially as businesses begin building on expansions. And these days, cloud computing has become one of many industry-wide solutions companies are opting for in the name of high availability, unfettered real-time productivity, and reduced overhead costs. Along with its numerous benefits, utilizing this technology obviously raises a host of concerns related to data security.

This, of course, is unavoidable, given the fact that more end-users are granted IT support, and access within and outside customary connectivity parameters. These are two factors cybercriminals take advantage of, as proven by recent hacking and mass data exposing activities directed towards big companies by the likes of yet-to-be traced hacktivists Anonymous, LulzSec and the 4Chan community.

Amid the mission critical processes taking place, and the potentially unsecure nature of remote data access, companies should always ensure the security of their cloud environments and implementations. Here are some of the most important security considerations businesses should never overlook when dealing with cloud computing.

Operational Security for Business on the Cloud

Like most managed IT services and technology roll-outs in the workplace, businesses should always make sure that their existing IT security protocols are up-to-date and flexible enough to handle the risks involved in cloud computing. Operational security in this case becomes crucial in enabling this level of security. By doing so, companies can take the latest cloud-based solutions to the forefront, develop specific best practices to ensure regulatory compliance, updated hardware and software solutions, and proactively secure IT systems against known vulnerabilities. Moreover, workers are provided with the best training possible to comply with these security parameters.

Focus on Integrated Cloud Security

System administrators should work to device network architectures that segment the services being ported to the cloud. This should be organized based on the volume of traffic, level of security required, and the type of data running through the ports and onto the virtual drives housed within every server. With this setup in place, data traffic on these servers can be visible to the most hardware and software-based security solutions, allowing them to be filtered and enabling system administrators to determine any potential security issue before they enter the network to wreak havoc on your system.

Provide IT Support and Secure Customer Access

To provide clients with the best services, companies often provide clients access to their own data and the company’s cloud-based business resources. While this allows your customers ways to manage their information and use your products and services, it can also be a potential security gap into your organization’s cloud application — a component that can easily be used by malicious software as a gateway into your data infrastructure. In this case, the best thing you can do is isolate customer data networks from data management, and other back-end networks. You can offer IT support and use more stringent layers of security to prevent potential data breaches.

While the many large enterprises have already begun to integrate cloud computing as part of their organizations’ data infrastructure because of the great benefits the technology brings to the table, it has also raised many questions with regard to security. Learn more about cloud computing and how security can be proactively implemented for your cloud-based services by visiting AllCovered at wwww.allcovered.com or contacting our IT experts at 866-446-1133.

If your company uses information technology in any way, and if your company gives employees access to it, IT consulting companies advise that your business needs to have an acceptable usage policy (AUP) in place.

IT support companies believe that a carefully worded AUP  will provide your employees with the right levels of access and permissions needed to get their jobs done without giving them so much freedom that they accidently or purposefully compromise your business’s IT infrastructure.

What it is

An AUP is a document that should complement existing corporate HR policies.  It should outline what your company’s employees may and may not do with the elements of its IT infrastructure.  IT outsourcing companies that are experienced with AUPs recommend that even the most basic AUP should contain the following five sections:

1.    Introduction- This section is a general overview of what an AUP is and why it is typically needed.  The introduction should tie the AUP into the operational side of business.

2.    Purpose- IT companies suggest that the purpose section should expand upon the introduction to clearly state why your business needs the policy.  It should outline the overall effect that the policy will have for your company, business operations, and employees. In addition, the purpose section of the AUP should, at the least, identify the following:

• What problem will be prevented or solved with the implementation of an AUP
• Which goals will be met by implementing an AUP

3.    Scope- IT outsourcing providers suggest that your business’s AUP identify who is affected by the AUP as well as which systems are governed by it.  IT services providers also recommend that the scope should be very specific about the following:

• Who is obliged to follow the AUP
• Which applications and information systems are covered by the policy
• What personal devices may or may not be used in the corporate environment
• Where the policy is applicable, i.e.at the main business site, at home with remote access, at coffee shops with free Wi-Fi, etc.
• Exceptions should outline the specific individuals and  instances when the AUP may be disregarded

4.    Details- The section of the AUP should clearly identify what employees can and cannot do in regards to your business’s IT infrastructure.  IT support companies recommend that your business should clearly identify whether corporate assets may be accessed for personal use, and if so, when personal use may occur.  In addition,  a comprehensive AUP should identify how employees may use the following IT assets:

• Hardware
• Software
• Data

5.    Enforcement- IT consulting companies recommend that this last section of your company’s AUP should clearly state what will happen if an employee violates the policy.   Depending on the nature of your company’s vertical market, the enforcement section of the AUP may be very short or very long.  Typically, the enforcement portion of the policy will address the following:

• Monitoring methods that will be used to identify policy violations
• Disciplinary actions that will initiated at the identification of policy violation, i.e. verbal reprimand, formal letter in HR file, dismissal, etc.
• Legal action that might be pursued in the event that of an AUP violation

To learn more

IT outsourcing companies recommend that once your company has an AUP in place, that it require employees to review it on an annual or semiannual basis to protect corporate assets.  To learn more about how to create or implement an AUP that will complement your business’s existing HR policies, please contact the experts at All Covered at 866-446-1133.