New Feature Announcements Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Archive for the ‘New Feature Announcements’ Category

Remote Work & Its Cybersecurity Implications

Tuesday, June 4th, 2019

Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.

Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.

It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.


What Kind of Data Does the Employee Need to Access?

Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.

Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.

Low-risk Employees

If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).

For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.

The only policy that you would need in place is to ensure that the rest of your employees keep their communications with remote employees on a strict need-to-know basis. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets. It’s also important to keep their computers segregated from those of employees who handle sensitive data if and when they happen to be in the same location, so that malware on a low-risk machine cannot spread to a sensitive one.

If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. It could prevent such rare slip ups at a low cost, since the infrastructure is already available.

Employees that Access Company Resources, Sensitive Data or ePHI

If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.

Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.

This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.

Access Control

Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.

Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.

Secure Employee Devices

Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.

VPN Access

VPNs offer one of the best ways to safely allow remote access to company resources. They encrypt the traffic between an employee’s device and the company’s VPN gateway, so that nobody on the path in between (a coffee-shop Wi-Fi, a hotel network, an ISP) can read or tamper with it. Keep in mind that a VPN protects data in transit only: it does nothing for a laptop that is already compromised, and anyone who obtains the employee’s VPN credentials gets the same access the employee has. Combine it with the device controls above, require two-factor authentication on the VPN login itself, and only expose through the VPN the systems the employee actually needs.

Monitor Your Remote Workers

As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.

Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.
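As an added example (not part of the original post, and not LuxSci’s code), here is the kind of check a monitoring pipeline can run over remote-access authentication logs. The log format, the two user accounts, their usual source addresses and the thresholds are all constructed for the demonstration; real VPN or SSH logs need their own parser. It flags a successful login that follows a burst of failures from the same source, and the first login from an address a user has never used before, and it keeps the per-user access trail that an incident responder needs to work out who accessed what.

```python
"""Flag suspicious remote logins in VPN/SSH authentication logs.

Added example, not LuxSci's code. The log format is constructed for the
demo: "<ISO timestamp> <service> user=<name> src=<ip> result=<ok|fail>".
The per-user baseline of known source addresses is also an assumption;
in practice it would come from a device inventory or prior history.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the addresses each user normally connects from.
KNOWN_SOURCES = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
}

# Constructed log: alice works normally; bob's account is brute-forced from
# a new address late at night and the attacker eventually gets in.
SAMPLE_LOG = """\
2019-06-04T08:01:12 vpn user=alice src=203.0.113.10 result=ok
2019-06-04T08:03:40 ssh user=bob src=198.51.100.7 result=ok
2019-06-04T23:10:01 vpn user=bob src=192.0.2.44 result=fail
2019-06-04T23:10:05 vpn user=bob src=192.0.2.44 result=fail
2019-06-04T23:10:09 vpn user=bob src=192.0.2.44 result=fail
2019-06-04T23:10:13 vpn user=bob src=192.0.2.44 result=fail
2019-06-04T23:10:18 vpn user=bob src=192.0.2.44 result=fail
2019-06-04T23:10:22 vpn user=bob src=192.0.2.44 result=ok
2019-06-04T09:15:30 vpn user=alice src=203.0.113.10 result=ok
"""

FAIL_THRESHOLD = 5              # failures within WINDOW before a success
WINDOW = timedelta(minutes=5)


def parse_line(line):
    ts, service, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": datetime.fromisoformat(ts), "service": service,
            "user": fields["user"], "src": fields["src"],
            "ok": fields["result"] == "ok"}


def analyze(log_text, known_sources):
    """Return (alerts, trail).

    alerts: (kind, user, src, timestamp) tuples, in time order.
    trail:  successful logins per user, the record you need when working
            out who accessed what after a breach.
    """
    known = {user: set(srcs) for user, srcs in known_sources.items()}
    events = sorted((parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    alerts, trail = [], defaultdict(list)
    fails = defaultdict(list)       # (user, src) -> timestamps of failures

    for ev in events:
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            fails[key].append(ev["ts"])
            continue

        trail[ev["user"]].append((ev["ts"], ev["service"], ev["src"]))

        # A success right after a burst of failures from the same source
        # is the signature of a password-guessing attack that worked.
        recent = [t for t in fails[key] if ev["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_success", ev["user"], ev["src"], ev["ts"]))
        fails[key].clear()

        # First login from an address this user has never used before.
        if ev["src"] not in known.setdefault(ev["user"], set()):
            alerts.append(("new_source", ev["user"], ev["src"], ev["ts"]))
            known[ev["user"]].add(ev["src"])     # report each new source once

    return alerts, dict(trail)


if __name__ == "__main__":
    alerts, trail = analyze(SAMPLE_LOG, KNOWN_SOURCES)
    for kind, user, src, ts in alerts:
        print(f"{ts.isoformat()} ALERT {kind} user={user} src={src}")
    for user, logins in trail.items():
        print(user, "logged in from", sorted({src for _, _, src in logins}))
```

Run as-is, it raises two alerts for bob’s 23:10:22 login (brute force that succeeded, and a source address never seen for that account) and nothing for alice. The thresholds are deliberately simple; in production the “known source” baseline would be learned from history and the failure window tuned to your VPN’s lockout policy, but the two questions the rules ask are the ones that matter whether the employee sits in the office or on the other side of the world.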

Encrypt Everything

Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.

Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.

Updated Service Level Agreement

Friday, May 31st, 2019

LuxSci has updated its Service Level Agreement (SLA) for all shared and dedicated customers. This change supersedes the previous SLA for all existing LuxSci customers that do not have a custom SLA agreement with LuxSci.

Download the Complete SLA Document

The new SLA is an improvement over the old SLA in many ways. Some of these include:

  • A new explicit guarantee on the Availability of Services running on dedicated servers
  • The addition of explicit SLAs for services provided by LuxSci’s vendors (such as Proofpoint).
  • An explicit description of how LuxSci performs regular and emergency maintenance on servers and services.
  • A new paid SLA Track called Premium SLA that changes how maintenance is performed with respect to Premium SLA Customer’s dedicated servers.

The Premium SLA Track provides:

  1. Higher degree of insulation from the potential impacts of software updates and changes.
  2. Preferred scheduled maintenance window selection.
  3. Higher-touch notices and coordination of updates.
  4. Longer notice for emergency maintenance.

Premium SLA Tracks are generally only available to Customers with an Enterprise Custom plan. If that is you and you are interested in adding Premium SLA to your LuxSci account, please contact sales.

WebAides Passwords: Your Password Management Solution

Tuesday, May 28th, 2019

By now, you probably have more online accounts than friends. As this number grows, it gets more difficult to manage each set of credentials. We tend to see two main approaches to this problem, each with their own downsides.

Using the Same or Similar Passwords for All of Your Accounts

The easiest approach is to use the same password for every account, or similar passwords with only slight variations (like adding a number at the end). This makes it easy to remember how to access all of your accounts, but it’s also incredibly dangerous.

If you have the same credentials for all of your accounts, all an attacker has to do is find out the password for one of them, and then they have access to everything. Such an attack could turn your life upside down – draining your bank accounts, ruining your credit, hijacking your social media and more.

It’s even less secure if you never change your single password. Have you noticed all of the major data breaches that keep popping up in the news? Unless you have lottery-winner luck, you’ve probably been a victim in at least a few of them.

This means that the passwords involved in these breaches are out there floating around in the depths of the internet. If you use the same old password for every account, a savvy attacker can seek out your password from a previous breach and use it to infiltrate all of your accounts.

If you only change your passwords slightly, it doesn’t make things much better. An attacker can take the related password that they found online and use it as a base. This gives them a huge advantage and makes it much quicker to find your password variations.

With this information and modern cracking tools, it doesn’t take long until they have access to your banking, email, social media accounts and more.
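To see how little a “slight variation” buys you, the following is an added example (constructed for this post, not a tool from the original) that applies a handful of mangling rules, of the kind that cracking tools such as hashcat apply, to a password supposedly recovered from an old breach, and checks the candidates against the hash of the user’s current password. The leaked base password, the target and the rule set are assumptions made for the demonstration.

```python
"""How quickly a 'slightly varied' password falls once a base is known.

Added example, not from the original post. The leaked base password, the
target password and the mangling rules are constructed for the demo; the
rules mirror what cracking tools apply (strip or replace a trailing year
or number, change case, add a symbol, swap letters for look-alike digits).
"""
import hashlib
import itertools

SUFFIX_SYMBOLS = ["", "!", "!!", "?", "#", "$", "."]
NUMBERS = [""] + [str(y) for y in range(2010, 2021)] + [str(n) for n in range(100)]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def sha256_hex(password):
    # Stands in for whatever hash the breached site used; the point of the
    # demo is the number of guesses needed, not the speed of the hash.
    return hashlib.sha256(password.encode()).hexdigest()


def variants(base):
    """Yield candidates derived from a known base, cheapest tweaks first."""
    stem = base.rstrip("0123456789")
    cores = list(dict.fromkeys([            # dedup while keeping order
        base, stem, base.capitalize(), stem.capitalize(),
        base.upper(), stem.upper(),
        stem.translate(LEET), stem.capitalize().translate(LEET),
    ]))
    seen = set()
    for core in cores:
        for num, sym in itertools.product(NUMBERS, SUFFIX_SYMBOLS):
            for cand in (core + num + sym, core + sym + num):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def crack(target_hash, base, limit=200_000):
    """Return (password, guesses) on a hit, or (None, guesses) if no variant matched."""
    guesses = 0
    for cand in variants(base):
        if guesses >= limit:
            break
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    leaked_base = "summer2018"                  # constructed: from an old breach dump
    current = sha256_hex("Summer2019!")         # constructed: the user's 'new' password
    print(crack(current, leaked_base))
    # A password with no relation to the base is out of reach of this attack.
    print(crack(sha256_hex("xK9#vQ2pL!mZ"), leaked_base))
```

With the base “summer2018” in hand, “Summer2019!” falls in a few thousand guesses, which is a fraction of a second even against a slow password hash; the unrelated random password is never found because there is no base to mangle. That is the whole argument for a password manager: it removes the base.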

Using Different Passwords for Each of Your Accounts

The best approach for securing your online life is to have different passwords for each of your accounts. If an attacker gets ahold of one, they will only be able to access that account, and everything else will generally be safe. This method helps to limit any damage that may occur if you are hacked.

The problem is that it’s basically impossible to remember dozens of passwords. Unless you’re Rain Man, you’re going to forget and get locked out of your accounts on a regular basis, creating a huge amount of inconvenience.

The only way that most people can remember a bunch of passwords is if they use simple ones. This approach also creates issues, because weak passwords are easy to break with cracking tools. As you can see, none of these techniques provide a secure, convenient and usable option.

The Solution? WebAides™ Passwords

As part of LuxSci’s WebAides™ application package, we offer a password management tool. WebAides™ Passwords allows LuxSci users to create and securely store lists of passwords. It makes it easy to keep separate passwords for each of your accounts, bolstering your security.

With just a single master password, you can have separate complex passwords for everything, giving you both security and convenience. WebAides™ Passwords uses PGP encryption to safely store passwords for either single users or groups. This setup means that LuxSci cannot access the password data.

The tool is flexible, allowing you to easily control access to group passwords. It’s simple to add or remove users from groups. This automatically changes the individual’s access, without forcing you to re-encrypt individual passwords. Group passwords can also be changed easily whenever needed.

We’ve also added a new admin export feature for business continuity and disaster recovery. It allows admins to interactively decrypt and export the entire password archive for backup or offline storage. Each export is recorded in an audit trail, so that you can keep track of how the passwords are being managed.

This new feature makes it easy to check one more box on your business continuity and disaster recovery plan. It’s an easy solution for ensuring that all of your passwords are saved offline, just in case.

Our WebAides™ Passwords tool isn’t the only option for password management. There are other choices like LastPass, which can be useful for tasks like in-browser completion.

LuxSci’s offering has its own advantages as a versatile tool for back-end corporate password archival, sharing and storage. The best part? It’s included in our HIPAA-compliant email.

Telehealth & BYOD: Is It a Bad Idea?

Tuesday, May 21st, 2019

Telehealth leverages telecommunication technology to provide healthcare and related services. It can include treatment, education, prevention, reminders, communication and other measures that rely on devices and technology.

Over the past few years, it has become more common for companies to allow their employees to bring their smartphones into the workplace. This practice, known as bring your own device (BYOD), has been embraced by many businesses because it can help to reduce costs, boost productivity, and increase employee satisfaction.

Despite these benefits, BYOD policies come with a number of security complications. Since healthcare organizations deal with vast quantities of highly regulated and sensitive information, the security and privacy of data is even more critical than in other sectors.

Given the risks of breaching electronic protected health information (ePHI), or going through a costly and disruptive HIPAA violation, are BYOD policies appropriate for telehealth practices?


Devices in Healthcare

Devices such as smartphones and tablets are now seen as an essential part of the medical world. They can help to improve communication and give patients new options for treatment. They are also a core aspect of telehealth practices.

Given the necessity of these devices in the healthcare industry, organizations have two ways that they can facilitate their use. They can either provide devices for their employees, which allows employers to maintain strict controls over how they are used, or they can let their employees bring their own devices and use them as part of their work processes.

Employer Provided Devices

Providing devices for employees is the ideal option from a security perspective, particularly in a health scenario where there is so much sensitive data at stake. Since employers own the devices, they can regulate where and how they are used without too many major issues.

The most important aspect is to make sure that the rules are enforced to minimize any breach-related risks.

A related challenge is keeping employees’ personal devices out of the workplace. Since smartphones have become a mainstay of modern life, it can be difficult to prevent employees from bringing them in to work and using them. It requires strongly enforced policy and a high level of employee awareness to manage this risk.

BYOD Devices

If personal devices are going to be allowed in the workplace or as part of a healthcare worker’s job, a strict BYOD policy needs to be in place. The threat of exposing ePHI is simply too great for healthcare organizations to neglect having one.

These policies should define when, where, how and through which applications employees may use their devices, as well as what is strictly prohibited.

If employees are allowed to use personal devices in the course of their jobs, then the BYOD policy needs to be even more stringent. Businesses have two major ways that they can do this and still safeguard ePHI to a reasonable degree.

The first is to only allow access to ePHI through VPNs or web portals, never storing any sensitive patient data on the personal devices of employees. This can secure data without being too intrusive.

Alternatively, employers can require their workers to add security software and make sure that devices are configured properly to safeguard any ePHI. This includes things like encrypted folders and remote wipe capabilities.

Since this option involves mandating how employees use their own devices and can even affect their personal files, it’s not ideal. It can lead to privacy concerns and cause employee dissatisfaction.

Should Your Organization Allow BYOD?

Ideally, healthcare organizations should keep personal devices out of the workplace to minimize the risks of leaking ePHI and facing HIPAA violations. This may not be practical for all businesses, so those that choose to allow personal devices need to be aware of the risks and adopt a strict policy that minimizes them.

AI: Rise of the Machines

Tuesday, May 14th, 2019

In the last few years, artificial intelligence has become a much more common part of our daily lives. Whether it’s Facebook’s News Feed or Waze’s routing algorithm, most of us probably use AI every day.

What you may not know is that AI is being applied in the cybersecurity world as well, both for good and bad. At its essence, AI can be used for automation and to make decisions based on what it has learned over time.

These properties can be used in a number of different ways to help defend against attacks, but they can also be used to mount new ones or increase the efficiency of hacker staples. Because of this, AI isn’t really seen as a boon for either side of the cybersecurity divide.

Instead, it’s simply a new technological development, and much like those that came before it, it will just mean a shift in the way that both white hat and black hat hackers operate.

The Cybersecurity Benefits of AI

One of the main benefits of AI is that it opens up a new way to detect and stop threats. Traditional antivirus programs find malware by searching for file signatures, while network abnormalities are found through rule-based systems.

For either of these tactics to work, the threat generally needs to have been seen before. Once a new malware attack is discovered, antivirus providers log its signature and then send it to the antivirus software of users, so that they can detect it in future.

The big issue with this approach is that it isn’t useful against attacks that have never been seen before. When adversaries come up with innovative attacks, they can use them to slip straight into systems. These initial attacks can cause significant damage, all before antivirus software is aware of the threat.

The difference with an AI approach is that it isn’t so reactive. Instead of waiting until after attacks have infiltrated systems to develop defenses, AI can look for patterns, learn and adapt, which can help it to stop many attacks that slip straight past other cybersecurity mechanisms.

As an example of how AI can work, let’s look at ransomware. Once it executes, it scans through a victim’s files, encrypts the ones it thinks are important (typically writing an encrypted copy and then deleting the original), and makes sure that only the attacker holds the key needed to decrypt them.

These aren’t steps that you ever really see in legitimate software, so whenever security AI notices a pattern like this taking place, it could put a stop to the attack before it causes any damage. In contrast, if a user’s antivirus didn’t already have the ransomware’s signature, it could get through undetected and the user’s files would be locked.

Normal antivirus software can only look for signatures for what it knows is malware. AI has the potential to notice patterns that look like malware and put a stop to it.
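An added example (not from the original post, with a fixed heuristic standing in for a learned model) contrasting the two approaches on a constructed event stream: a signature check that hashes a binary and looks it up in a list of known samples, and a behavior check that watches for the pattern just described, many files rewritten with high-entropy output and the originals deleted. The binaries, the signature list, the file events and the thresholds are all constructed for the demonstration.

```python
"""Signature lookup versus behavior-based detection of ransomware-like activity.

Added example, not from the original post. The binaries, the signature
list, the file-event stream and the thresholds are constructed for the
demo, and the behavioral rule is a fixed heuristic standing in for a
learned model. It still makes the point in the text: it needs no prior
knowledge of the sample, only of what 'encrypt and delete' looks like.
"""
import hashlib
import math
import os
from collections import defaultdict

# Constructed signature database: SHA-256 of samples seen before.
KNOWN_BAD_HASHES = {hashlib.sha256(b"old-ransomware-v1").hexdigest()}


def signature_check(binary):
    """Classic AV step: does this file's hash match a known sample?"""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_HASHES


def shannon_entropy(data):
    """Bits per byte; ciphertext and random data sit close to 8, text around 4-5."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# File events are (pid, action, path, payload) tuples; constructed below.
def ransomware_like_events(pid, n_files):
    events = []
    for i in range(n_files):
        src = f"/home/u/doc{i}.docx"
        events.append((pid, "read", src, None))
        events.append((pid, "write", src + ".locked", os.urandom(2048)))  # 'ciphertext'
        events.append((pid, "delete", src, None))
    return events


def editor_events(pid):
    text = b"Quarterly report draft, version 3. " * 60
    return [(pid, "read", "/home/u/report.docx", None),
            (pid, "write", "/home/u/report.docx", text)]


def behavior_check(events, min_files=20, entropy_threshold=7.0):
    """Flag pids that rewrite many files with high-entropy data and delete the originals."""
    state = defaultdict(lambda: {"read": set(), "hi_entropy_writes": 0, "deleted_originals": 0})
    for pid, action, path, payload in events:
        st = state[pid]
        if action == "read":
            st["read"].add(path)
        elif action == "write" and payload is not None:
            if shannon_entropy(payload) >= entropy_threshold:
                st["hi_entropy_writes"] += 1
        elif action == "delete" and path in st["read"]:
            st["deleted_originals"] += 1
    return {pid for pid, st in state.items()
            if st["hi_entropy_writes"] >= min_files and st["deleted_originals"] >= min_files}


def demo():
    new_sample = b"new-ransomware-v2"          # constructed: never seen by the AV vendor
    events = editor_events(7) + ransomware_like_events(4242, 30)
    return {"signature_hit": signature_check(new_sample),
            "behavior_hits": behavior_check(events)}


if __name__ == "__main__":
    print(demo())   # the signature check misses the new sample; behavior flags pid 4242 only
```

The signature lookup returns nothing for the never-before-seen sample, while the behavioral rule flags the process that rewrote thirty documents with random-looking data and deleted the originals, and leaves the editor that rewrote one text file alone. A learned model replaces the hand-picked thresholds with ones fitted to real activity, and a real attacker will try to stay under them (encrypting slowly, or in place), which is why behavioral detection complements signatures rather than replacing them.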

The Dark Side of AI in Cybersecurity

While AI will make many traditional attacks more difficult for hackers, it also opens up a number of new doors for them. Since AI has the ability to learn and recognize patterns, it follows that it can begin to understand the defenses that are in place and come up with ways to get around them.

On top of this, AI has the potential to automate many of the attacks we already see, making them much more efficient and cheaper for criminals to execute. AI can help take the labor out of spearphishing, allowing scammers to automate their attacks, and target many more people.

It can also be used to replicate someone’s voice, all from just 10 minutes of speech. This could have tremendous impacts – imagine getting a panicked phone call from your partner. You probably wouldn’t be thinking, and would comply with whatever they asked for to help them. Much later, you would find out that it wasn’t your partner after all, but a hacker who has now stolen your identity.

These aren’t the only applications. AI also has the potential to help hackers sniff packets and scan for vulnerable ports, as well as accomplish a range of other malicious tasks at scale.

AI: A New Era

At the end of the day, AI in cybersecurity is neither good nor bad. It just represents a new era. It will open up the doors for innovative attacks, but we will also gain new security techniques and abilities. The important thing is for the industry to be aware of the changes and to be as prepared as possible for this new generation of information security.