Bellcurve Technology


Phishing attacks are one of the single greatest threats to ANY network today. Symantec estimates in the “2014 Internet Security Threat Report” that 91% of data breaches came from targeted attacks against individuals. This is an increase of 500% from 2012 and is apparently here to stay. The overwhelming majority of these attacks involved ransomware being sent as an attachment and being installed on the victim’s computer. The user has to pay $100-$300 to get the encryption keys to decrypt their files, and in most cases doesn’t get the correct keys and just gets taken by the bad guys anyway. In some cases the victims were sent to a web site that appeared reputable but held malicious content that was able to infect their computers just from visiting it. All of these attacks have one thing in common: they were sent to the victim from what was deemed a reputable source. Think about that for a second. All of the victims were sent an email with a link or an attachment from someone they thought they could trust.

So how are we supposed to do business, communicate with our loved ones and use what has arguably become one of the most useful aspects of the Internet with a relative degree of safety ever again? We can fix this with just one word. And you can even pick the word! Let me explain with a little history lesson… In the olden days (think Middle Ages, not the 1950’s) when one approached a walled city you had to have a word to pass through the gates that showed that you were trusted, hence the term “password”. So if we want to send an email with an attachment or a link to a colleague at work, we just need to agree that if the email does indeed originate from a colleague, a word somewhere in that email will validate that it came from that person. No encryption needed. No hardware needed. Just a little behavioral change and voila! You have just stopped phishing attacks in their tracks! So as a company, agree on your code word and make sure you use it when emailing each other. Make it something innocuous like “local” if it is an email within your domain and “global” if it is going to someone outside the domain. Put it in the subject line. Put it at the end of the email. Put it wherever you deem necessary, just make sure you use it. Do the same thing with family and friends and watch how fast the viruses disappear in your family and friend network.

And all without spending a dime…

There are two mistakes that are common to almost every account we take over from another IT company. The first mistake is customers getting the support/warranty for the devices they purchase in the name of the previous IT company, or worse, the name of an ex-employee. It is a common mistake with a common root cause: time. Companies don’t call for technical support when things are going well; they call when things are pretty much on the verge of being critical. In the flurry of activity to get an Internet connection back up or replace a firewall so the company can get back to work, the pervasive feeling is “just get it done” and people don’t pay attention to the details, just the results. If you have to purchase equipment for your company, ALWAYS make sure you have the following:

  • The product is registered in your company’s name with multiple email contacts.
  • The support contract or warranty is in your company’s name with multiple email contacts.
  • You have the original box and all documentation for the equipment.

As a bonus you may want to make sure the support company is not a reseller of the product they are suggesting. More often than not we go into a customer site and see a firewall, server or other hardware that is massive overkill for what the customer needed. Doing a little homework may save you thousands of dollars in the long run.

The second mistake we see is customers thinking they have the usernames and passwords to all of their network assets, only to find out that they don’t. A good IT company will not only give the customer the passwords for everything on the network, they will also provide diagrams, network maps and a full inventory (which is required by HIPAA and HITECH). Just getting the passwords is not good enough. You need to go in and TEST the passwords. You need to go on your server and make sure you have administrative privileges. The same goes for the firewall, wireless access point and the multi-function printer you have behind the front desk.

If your IT company is not providing you with these services you may want to contact Bellcurve Technology!

This year saw a sort of milestone for the engineers at Bellcurve Technology, and it wasn't a good one. This was the year we have represented customers in one capacity or another for 16 years, and we saw our 40th data breach. Out of those 40 breaches 10 have been significant, and two were rated as "the biggest medical data breach of 2011" and another client claimed the same title in 2012. Just to be clear, they were NOT our customers when the breach happened (NO customer of Bellcurve Technology has EVER had a data breach or faced ANY kind of fine from local, state or federal regulators), but they became our customers shortly after. In all of the breaches we have seen there are three common threads. In an effort to shed some light on the factors that may lead to a data breach, we are presenting them in this forum. They are as follows:

1) ALL of the customers that had a data breach had an IT department or a contract with a company to provide IT services.

2) ALL of the data breaches had a human element, i.e. either through intent or through accident a human caused the breach.

3) NONE of the customers who had a data breach had been through an audit in the prior 12 months.

Number one is really not that much of a surprise if you think about it. Most companies have a contract for services with a company, or have their own internal department if the company is big enough. The problem is that an IT department has to do everything in the workplace: printers, laptops, servers, applications, phones, and they have to support them. And patch them. And build them for the departments that need them YESTERDAY (hint: developers aren't very patient). In short, they have little time to devote to the function of security and security alone. They don't have the time to troll the dark web, read 20-30 articles a day and practice with the latest tools to stay on top of the latest trends. Their primary function, as it should be, is keeping your company operating so you can make money.

Number two is also not a surprise if you think it through. Out of the top ten biggest data breaches we have seen, ONE was intentional (and the person will be in prison until 2022) while the other 9 were a direct result of a machine, application, server or firewall being incorrectly configured. Since then our customers have learned that before they put a new service on the Internet they allow us to scan it and make suggestions about ways to secure it. This is a classic case of an ounce of prevention being worth a boat-load of headaches from OCR after you have to declare a HIPAA breach!

Number three is the one that just kills us. An average doctor's office takes about 20 hours to audit and secure (we don't just hand over a list of what is wrong, we secure it as we go). So for the lack of a $2,500 security audit the companies faced fines up to $1 million, loss of reputation, loss of business and in some cases criminal charges. This is an entirely preventable set of circumstances. HIPAA and HITECH both require annual audits, and not having a solid track record of having those audits performed makes you a target for OCR. Gone are the days of warnings and token fines. One only needs to look at the "wall of shame" OCR hosts at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf to see that no one is safe from the long arm of the law.