Can You Save Money by Spending on Security?

Published: May 23rd, 2017

When everything is running smoothly, cyber security can go unnoticed by executives. It’s only when things go wrong that it tends to enter their peripherals. This often leads to inadequate budgeting or heavy cutbacks. Unfortunately, restricting security funds can result in incidents that cost companies many times more than what they would have spent on security measures.

Because of this, security can be seen as an investment that often has a high ROI, as long as it is applied strategically and intelligently. Although no amount of money and infrastructure can make your systems 100% secure, the right measures can still help to boost a company’s bottom line.

A well thought-out security plan is a balancing act between the costs of implementation and the potential damage of a breach. Sure, your company could invest in complex security measures, but is it justified by the risks you face?

In some situations, such as healthcare, highly advanced security is a necessity. Other businesses may be able to justify a lower level of security, particularly if they operate at a smaller scale and don’t handle sensitive data. Security needs will vary depending on the industry and the individual business model, according to both the relevant regulations and the risk profile.

Read the rest of this post »

The Wanacrypt0r 2.0 Ransomware May Have Stopped Spreading, But Are You Protected Against Future Attacks?

Published: May 14th, 2017

by Josh Lake

The vicious ransomware, Wanacrypt0r 2.0, may have been halted by the quick actions of a security researcher, but it won’t be long before a similar beast comes back with a vengeance. On Friday, the virus tore across the world, affecting more than 75,000 machines in over 74 countries.

It affected a range of businesses and organizations, including Fedex, Vodafone Espana, Santander, Portugal Telecom, Telefonica, and the UK’s healthcare system, the NHS. Once Wanacrypt0r 2.0 penetrated a system, it locked down files and demanded a ransom payment to have them decrypted.

The massive attack has seriously affected operations at a range of companies and has also forced some UK hospitals to divert emergency patients to locations that were unaffected. Although the spread of the attack has been stopped, it does not alleviate the problems for organizations that have already been infected.

Microsoft had already released patches for supported versions of their software that closed up the vulnerabilities. Despite this, the scale of the attack shows that many organizations either had not run the patch, or were using unsupported versions of Windows.

Due to the immense scale of the attack, Microsoft made the rare move to release patches that address the vulnerability in unsupported versions such as Windows XP, Windows 8 and Windows Server 2003. Organizations need to run these patches if they want to be protected from future forms of the virus, which could turn out to be even more damaging.

Read the rest of this post »

Self-Addressed Spoofed Email: How to Shut Down Spam

Published: May 11th, 2017

Spam messages coming from… your own email? This may sound like a cheesy movie plot, but this form of spam, known as “spoofing,” can have horrifying consequences if it results in compromised security, stolen data, or malware on your company’s machines. Read on to find out how to snuff out spoofing and help everyone avoid these attacks in the future.

Read the rest of this post »

Plenty of Phish in the C-Suite: Protecting Your Executives

Published: May 9th, 2017

Phishing attacks have grown more complex as hackers learn how to defeat security measures and countermeasures, and their targets have become more lucrative in scope and scale: the CEOs, CFOs, CMOs, and other executives collectively making up your company’s C-suite. Personalized hacks that target top executives, known as “spear phishing” or “whaling,” can be incredibly detrimental. Training and awareness are your top tools for strengthening your C-suite’s ability to recognize and defend itself against malicious cyber threats.

Read the rest of this post »

Kick Your Privacy Up a Notch with Tor

Published: May 8th, 2017

Online privacy is becoming more important as our lives increasingly migrate to the internet. With government surveillance intensifying, you may have come across the term Tor as a way to protect yourself. So what exactly is it?

The Onion Router (Tor) is an open source project that aims to provide anonymous communication for its users. The underlying technology was initially developed by the United States Naval Research Laboratory in the nineties as a way to protect communications within the intelligence community. Tor has since moved over to the open source community, supported by a range of volunteers, privacy advocacy groups, various US government departments and others.

Tor allows web browsing, messaging and chat, as well as access to .onion websites, which are a secretive side of the internet. Unfortunately, Tor cannot give a user complete anonymity, particularly from government level surveillance. This is because these entities have the capability to correlate the traffic that goes into Tor with the traffic that exits. Despite this, it is still a useful tool that can help to enhance privacy in a range of use cases.

Read the rest of this post »

How do I send HIPAA-compliant lab results via email?

Published: May 5th, 2017

A question about HIPAA-compliant transactional email from Ask Erik:

As a non-technical member of the founding team of a Health Care Startup I have a question about HIPAA-compliant email as we begin to send out lab test results to individuals and the health care providers we partner with:

“Does one dedicated email address for results distribution that is HIPAA-compliant and secure make us in compliance?”

We have team members who communicate with our DDS clinics but they don’t distribute test results. Only I will do that through a dedicated email address. What do we have to do to be compliant from day one of distributing test results as part of our service to our customers (primarily dentists and oral surgeons)?

I was told by the service provider of our website and email hosting services that if we made the one email address a Business Premium account using the Microsoft Secure Server, that all the other regular email addresses would be covered as well. Is this true?

Thank you for the forum to ask real life scenario questions.

Hello,

There are many aspects to your question. Let’s address each one in turn:

Read the rest of this post »

HIPAA-compliant Save and Resume for your Web forms

Published: May 3rd, 2017

If you have a long or complex web form, users may wish to fill out only part of it and then save their work so that they can come back later and finish the form. This is “Save and Resume” functionality. While some form systems support Save and Resume, few provide HIPAA-compliant Save and Resume.

What does HIPAA-compliant Save and Resume require?

For HIPAA-compliant Save and Resume, at a high level you need:

  1. The form data to be saved must be securely transmitted from the user’s browser to a server
  2. That data should be encrypted while stored
  3. That data must be securely transmitted back from the server when the user wants to resume editing the form
  4. Usually, the end user gets a link that can be used to resume editing the form where s/he left off. This link needs to be password protected or otherwise include authentication so that access to the sensitive form data is restricted. HIPAA requires access control.
  5. Audit trail logs of saving and resuming form data should be kept.
  6. You need a HIPAA Business Associate Agreement with the service provider hosting the database where the form data is being saved.

The majority of Save and Resume functions provided by form service providers either (a) do not encrypt the data, (b) do not provide authentication for resuming the form, (c) do not keep any kind of logs, or (d) do not provide a HIPAA Business Associate Agreement for the data hosting servers.

Read the rest of this post »

Generation Z are Hitting the Workforce: is Your Business Ready to Keep them Secure?

Published: May 1st, 2017

Generation Z are already beginning to embark on their careers. While the divide between each era is certainly blurry, those born after the mid-90s tend to have different attitudes to life and the workplace compared to those who came before them.

Understanding Generation Z, their habits and their values is crucial for any business that wants to fully embrace the next wave of talent. It’s important to remember that their different views and practices will also have a range of security ramifications. From their desire to constantly stay connected down to their privacy attitudes, the way that the new generation functions means that companies need to adapt in order to stay secure.

Read the rest of this post »

Interview with Jim Simpson, Director of Product Management at Duo

Published: April 26th, 2017

Back in 2011, LuxSci integrated Duo.com’s advanced two-factor authentication into our WebMail service. Any LuxSci customer can use Duo.com to protect their WebMail, as well as their admin access to LuxSci. This all comes at no extra cost.

We even use Duo’s authentication ourselves. It’s great for administrative actions both at the server command line and through the web interface. An advanced two-factor authentication system such as Duo.com is excellent for enhancing a system’s security. It is a requirement for PCI compliance and can be helpful for HIPAA compliance as well.

The new Duo Access service is an innovative way to enforce corporate security policies, helping businesses to drastically cut their risks. Duo’s Jim Simpson has taken some time out of his schedule to answer some questions for us and discuss the details of their service.

Read the rest of this post »

Tighten Up Your Security with a VPN: LuxSci’s Guide to Choosing One that Works for You

Published: April 24th, 2017

As online crime figures continue to grow and government spying moves forward unabated, many people are becoming worried about their privacy and security. With the US Government striking down a set of privacy laws that were set to boost individual rights on the internet, things are getting pretty grim.

In recent years, VPNs have become more popular for personal use as individuals attempt to reclaim some sense of anonymity online. Given how many entities could be looking at your activity – governments, advertisers, your ISP and criminals – a VPN is one of many tools you can use to help protect yourself. VPNs can also be useful for circumventing censorship or accessing geo-restricted content.

A VPN can be excellent for helping you stay safe online, but you also need to be aware of its limitations. Unfortunately, VPNs aren’t some magic technology that immediately makes you impenetrable – they are merely one tool that enhances your security.

You also need to be aware that not all VPNs are created equal. In fact, the VPN industry is incredibly messy and the dodgy operators far outnumber the good. There is a huge disparity in the services and protection level that are on offer. This ranges from the free VPNs, which are poorly regarded, to the scammy companies that are just in it to make a buck, to the more trusted options that generally have good reputations. Finding a reliable VPN isn’t the end of the battle. You also have to set it up and use it properly.

Read the rest of this post »