5 Tips on Protecting Your Business from a DDoS Attack

ddos-attack1

An escalating number of businesses are falling victim to distributed denial of service, or DDoS, attacks. Compared to this period last year, there has been an 47% increase in the total number of DDoS strikes. The companies that take advantage of their attack experience by learning from it and educating their employees on cyber security go a long way. Getting hit by a DDoS attack can help uncover some vulnerabilities or mistakes that your IT department may not have previously been aware of. Combining your experiences with these 5 tips on protecting your business from a DDoS attack is the best way to help prevent future incidents.

  1. Conduct an Assessment: Review your company’s current state of network security – whether you’ve experienced problems in the past or not. This will give you a sense of where your weak points are and allow you to reinforce them.
  2. Know your Network: Reducing the cost and impact of an attack starts with early detection. The better you know your network, the easier it is for you to identify a problem. Having an understanding of the strengths and weaknesses of each network component will also give you a better understanding of what kind of assaults you can protect yourself from (such as a small attack originating from a single IP address) and if you need to outsource to help fill any security holes.
  3. Implement General Rules to Help Mitigate Attacks: Some general rules to help defend against a DDoS attack include turning down all unnecessary ports and protocols, implement an IP blacklist, block invalid and malformed packets, and configure and harden network equipment.
  4. Communicate with your ISP: In some instances, an attack can be so big that it completely saturates your bandwidth, making any other preventative tactics ineffective. Be sure to learn the procedures for getting your ISP to intervene if necessary. Work with your ISP to plan and practice for any possible large-scale attacks, and be sure to examine your Service Level Agreement (SLA) to learn your ISP’s options for defending against DDoS assaults.
  5. Create an Action Plan: In the unfortunate even that your company suffers an attack, having an action plan in place can help you stay in control – because once an attack is occurring, it’s too late to decide what action to take and how to respond. Be sure to structure your plan by severity level, since your responder actions will vary depending on the impact of the attack.

DDoS attacks can happen to any business at any moment. It’s naive to think that your website is too small to attract the attention of hackers, especially since DDoS is a relatively easy attack to perform. Reducing the cost of an attack starts with preparation and early detection.

Click here to learn more about how to protect your company from cyber attacks.

Blog Author: Vanessa Hartung

Infographic: Cyber Crime 2013 – The Year of the Mega Breach

The year 2013 yielded record breaking data breaches and cyber crime numbers in the business community. Upon reviewing multiple reports generated by industry heavy hitters, like IBM and Symantec, we’ve created an infographic of some of their key findings.

Cyber Crime 2013

 

Business will need to take an active role in securing their company and customer data in 2014. Poor protective measures are putting an increasing number of companies at risk and the potential implications of losing data is huge. Educating staff, improving malware solutions, and routinely backing up your data are some of the steps your company can take towards increasing security and preventing loss.

Blog/Infographic Author: Vanessa Hartung

 

Five of the Worst Cyber Attacks: Learning from Past Mistakes

As computer and Internet technologies continue to improve and evolve, so do the tactics and infiltration methods of cyber criminals. It’s critical for businesses of all shapes and sizes to ensure their network is always protected. Network security measures need to be updated and tested frequently in order to prevent the loss of any important company or customer data. If you’re business isn’t adequately protected from hackers, you could end up like one of the companies included in our list of some of the worst cyber-attacks.

  1. Mafia Boy Attack on Commercial Websites: In 2000, a 15-year old Quebec boy hacked into multiple commercial websites and shut down their systems for hours. Some of the impacted sites included CNN, Dell, Amazon, Yahoo, and E-Bay. The only reason this “professional hacker” was caught is because he bragged about his achievements in an online chat room. It’s estimated that the juvenile hacker cost $1.2 billion in damages, proving to businesses everywhere that all it takes is one hacker to cripple their productivity and cut revenue.Screen Shot 2014-04-24 at 9.53.19 AM
  2. Target Loses Credit Card Data: During the holiday season in 2013, Target Corp. was hit by cyber thieves who used a RAM scraper to grab encrypted data by capturing it as it travels though the live memory of a computer, or – in this case – a checkout point-of-sale system. An investigation of the attack revealed that the cyber criminals stole the personal information of approximately 70 million customers. It wasn’t until Internet security blogger, Brian Krebs, wrote about the incident on his website that Target publicly admitted to the data breach. This resulted in a double hit for Target customers – not only was their information compromised, but they weren’t aware of it until long after the incident had occurred, which resulted in some very disgruntled customers.
  3. Epsilon Emails Hacked: The massive Marketing firm, best known for its big name clients – Best Buy and Chase, is estimated to have a potential loss of up to $4 billion after cyber criminals hacked into their database. The names and emails of millions of customers was stolen in March 2011, which could then be used to create more personalized and targeted phishing attacks. However, the biggest hit was felt by Epsilon – who had a client list of more than 2,200 global brands and handled more than 40 billion emails annually – as they struggled to keep the trust and business of their well-known clients.Epsilon_Logo_PMS
  4. Grocery Retailer Suffers 4 Month Long Breach: That’s right, for 4 months the upscale North American grocery chain experienced a security breach that resulted in the loss of approximately 4.2 million customers’ credit card details. Not only was the incident a black mark on the company’s public image, but it was a huge financial burden for the corporation. Cyber criminals gained access to the sensitive information by installing malware on the store servers, collecting the data from the winter of 2007 until the spring of 2008. It’s estimated that the costs incurred by the attack totaled $252 million.
  5. PlayStation Network Loses Millions: In 2011, over 100 million customer accounts containing credit and debit card information were stolen by a group of hackers. The breach lasted 24 days, and the hackers were even able to log on while the company was trying to fix the problem – even though dedicated gamers weren’t able to log on. Experts are speculating that this may be the costliest cyber-attack ever, totaling an estimated $2 billion in damages. To make matters ever worse, British regulators fined Sony 250,000 pounds (approximately $396,000) for failing to prevent the attacks by not implementing adequate security. Britain’s Information Commissioner’s Office stated that the security measures in place at the time were “simply not good enough” and that there’s “no disguising that this is a business that should have known better”. So if you’re company isn’t making the time and effort to protect customer data – they’re sure to find out if your system is attacked. Good luck regaining your customer’s trust – and business – after a reveal like that.

Still haven’t convinced you that implementing a variety of security measures to protect your company and customer data is one of the highest priorities? Check out this quick video BuzzFeed created highlighting some more major cyber-attacks.

Screen Shot 2014-04-24 at 9.52.47 AM

Not sure where to get started? Here an article on how to train your employees on cyber security – click here.

Blog Author: Vanessa Hartung

The Impact of the Heartbleed Bug on Business

The Heartbleed bug has swept across the nation, impacting a countless number of businesses and consumers. The bug is a vulnerability in OpenSSL, which is the name of a 1998 project that was started to encrypt websites and user information across the web. What started as a project committed to data encryption is now standard on 2/3 of all websites on the Internet. Without OpenSSL, our personal information submitted across every website we visit could land in the hands of cyber criminals. Ironically, the OpenSSL software that was designed to protect users contained a flaw that made it possible for hackers to trick a server into spewing out the data that was held in its memory.

14b6heartbleed-affected-sites-660x369-400x223

When news of the Heartbleed struck, business scrambled to find out how many of their systems were using the vulnerable version of OpenSSL. While the big web companies, such as Google and Yahoo, were able to move fast to fix the problem – smaller e-commerce sites are struggling to “patch” the software quickly. As the larger sites close the door on the Heartbleed bug, hackers are turning their attention to any small and medium businesses that may not have the knowledge or manpower to update and protect their e-commerce sites accordingly.

However, regardless of the size of the business, if customers learn that a company’s system has been hacked and their personal information was compromised, legal issues could arise. Angered customers – and their lawyers – will look to hold businesses accountable for any personal data that lands in the hands of hackers. Businesses need to communicate with their customers to inform them what steps have – and will be – taken to fix the problem. That way, customers can update their passwords accordingly once a business has confirmed that their site is clean.

Many of the impacted sites are not just popular for personal usage, but are used every day by businesses of all sizes. Companies will need to follow the same steps as their customers and wait to receive confirmation from any frequently used websites that the issue has been resolved before changing their passwords. It’s also important to realize that other devices, such as Android smart phones and tablets, are vulnerable to the bug as well.

The Heartbleed bug ordeal is just another reminder of the security challenges companies are facing as more and more economic activity move online. According to eMarketer, an independent research organization, worldwide business-to-consumer e-commerce sales are likely to increase to $1.5 trillion this year. With money like that on the line, you can bet cyber criminals will be vigorously targeting businesses to try and get a piece of the pie. Companies need to take all necessary precautions to protect themselves and their customers.

To learn more about protecting your business, click here.

Blog Author: Vanessa Hartung

Are You Too Worried About Cloud Security?

Should you wait, or push forward? Is it better to embrace the new technology, or to wait for it to be improved and refined? These are questions that come up again and again in virtually every part of the business world, but they seem particularly apt when it comes to the phenomenon that is cloud computing – the hottest IT trend in the world and a way for businesses of all sizes to gain huge performance advantages on smaller budgets.

cloud secrure

On the surface, there isn’t much not to love about cloud computing. By moving your hardware and software to a remote location and accessing it via the web, you gain the ability to access real-time information from any web-enabled device… and all while taking advantage of those cost savings we already mentioned. A relatively sizable minority of small businesses is holding off on making the transition just yet, however, because they have concerns about cloud security.

Should you wait right alongside them? Or, is worrying too much about cloud security holding you back from making a decision that can help your company? As always, there isn’t a cut-and-dried answer to that question. While security breaches have been relatively rare, there have been some valid concerns when it comes to cloud security at some facilities, and with some vendors. However, those concerns shouldn’t be pressing enough to stop most organizations from making the switch.

To understand why, consider the basic model that most reputable cloud computing package providers employ to keep data safe. Generally speaking they do deter, prevent, correct, and detect – or do everything they can to scare thieves away, stop them from accessing data, limit the damage they can do, and then fix any known security issues quickly. To get a sense of how that actually works in the real world, consider some of the major safeguards that cloud computing providers using Canadian data centres put into place to protect the flow and integrity of client data:

Maximum strength encryption: In the best Canadian colocation data centres, high-level encryption is used for the transmission of files to and from client workstations. Although maximum strength encryption can theoretically be broken, cyber criminals almost always look for smaller and easier targets that are more vulnerable.

Comprehensive antivirus scanning: It isn’t unusual for a single virus, introduced by the wrong download or email attachment, to infect multiple computers within the same small business network quickly. At a state-of-the-art cloud computing facility, however, continuous antivirus scans mean that bits of problematic code are identified and quarantined very quickly.

On-site protection: In a lot of small businesses, servers, backup hard drives, and other pieces of hardware containing sensitive data are often left completely unguarded and out in the open. At a cloud facility, trained security personnel are on the premises around the clock – as are engineers and systems experts to monitor the hardware and flow of information.

Redundancy systems: When you lose an important piece of hardware in your office or facility, it’s likely that the important files you need have disappeared forever. Because files stored in the cloud are continuously backed up, however, even a natural disaster won’t cause you to lose information like client records that you desperately need to keep your company going.

Environmental controls. You can’t find a better environment for cloud computing than the ones you’ll find in our Canadian data centres, where continuous power backups, strict climate control, and a lack of natural disasters all work in our favor. Plus, we have a very stable government with strict privacy laws, so you don’t have to worry that any organization is going to have an unauthorized look through your company’s records.

When it comes down to it, we can’t guarantee beyond every doubt that a security breach will never take place at our cloud facility, or at any of the others across the country. What we can promise you, however, is that the steps we take to safeguard important information are much, much stronger than the ones you would find in most corporate offices… and certainly at a higher level than the ones most small businesses use.

The issue, then, isn’t whether cloud security should be a concern, but whether you can really believe that you’re safer without cloud computing in a Canadian data centre.

To learn more about cloud computing, check out our white paper Cutting IT Costs with Cloud Computing.

The Great NSA Debate has Companies Moving to Canada

tdwfb

This week, privacy advocates around the world staged a protest online in an attempt to protect their data and company information from the world’s government intelligence agencies. Over 6,000 websites took part in the protest, which was branded as “The Day We Fight Back” campaign, by displaying banners at the bottom of their web pages to encourage individuals and companies to participate. Heavy hitters like Google, Twitter, and Mozilla took part in the protest.

Even though the protest itself was more of a whimper than a roar, the controversy over government surveillance still had a significant impact on the businesses economy south of the Canadian border. A recent estimate completed by the Information Technology & Innovation Foundation stated that the American economy could stand to lost up to $35 billion in lost revenues as a result. Because of our proximity to the U.S., skilled workforce, cold climate, and affordable energy sources, Canada is a very ideal location for businesses who no longer want to house their data in the States. Several businesses have already made the move to a Canadian-based data centre, including European banking and insurance firms with operations in the States as well as American retail outlets and oil and gas companies.

SouvenirofCanada_026

Telus and Rogers are expecting data storage sales in Canada to increase by 20% this year, not including the number of businesses seeking refuge from the ever-watching eye of the NSA. Though it would be naive to assume to any data stored in Canada is fully exempt from government surveillance, there are stricter rules on what government agencies can access. The Canadian Privacy Act, established in 1983, limits the amount of personal information the government can collect, use, and disclose.

So what does this mean for Canadian businesses? With more businesses looking for storage in data centre colocation facilities, there will be increased competition for space. Data centres are a finite resource. Once the space is gone – it’s gone, putting pressure on Canadian companies to get their foot in the door before the data centre is full. Many companies will also be looking to utilize cloud computing services, further driving the demand.

There will also be an increased need for bandwidth as businesses transfer data to their colocation facility or cloud, so obtaining a reliable and secure high speed connection is critical. In order to obtain the full benefits of cloud computing, users will require a symmetrical connection so they can upload and download data at an efficient rate.

To learn more about Canadian data centres, click here.

Blog Author: Vanessa Hartung

Top IT Predictions for 2014

It’s that time of year again – businesses around the globe are busy preparing for 2014. After reviewing multiple research documents released by industry leading companies, such as Gartner, IDC, CA Technologies, and CompTIA, we’ve compiled a list of the top I.T. predictions for 2014.

  1. Security: In a survey conducted by CompTIA, it was revealed that businesses are funnelling resources into better security, and that 56% of CIOs have indicated that IT security is their top priority. As the number of devices used by employees increases (driven by BYOD – bring your own device) it is getting increasingly difficult to protect company data. Factor in the technical advances made by cyber criminals, who are finding more and more ways to get around security barriers, and you’ve got a real problem on your hands. There is a delicate balance between enabling and protecting the business, and IT members will need to find the happy medium.
  2. Outsourcing IT: Several companies are either planning or rolling out programs and technology trends such as cloud computing, mobility, and big data. This combination of multiple technology trends, in addition to the increased adoption rate of these technologies by enterprises, will contribute to a IT skills shortage. For many companies, change is occurring fast, and they don’t have the in-house resources or expertise needed to implement their plans. In order for businesses to obtain the full benefits of these technologies, they will need to employ outsourced resources.
  3. Data Centre Utilization: Businesses of all sizes are quickly filling up data centres across the country. Best advice – get in while you can. Data centres are comparable to a finite resource – once they’re full, that’s it. And as the demand for data centre services increases, so can the price. Several smaller businesses perceive data centres an inaccessible – believing that the costs will be too high – but that’s not the case. There is a variety of data centres across the country, ranging in price, size, and security level. Still don’t think your company needs data centre services? Check out our post on the Top 5 Benefits of Using a Data Centre for Business.
  4. The Internet of Things: We’re on the brink of the Internet of Things (IoT). Currently, many companies are aware of IoT, but haven’t yet explored the possibilities of an expanded Internet. As a result, several businesses are not operationally or organizationally ready to employ IoT. However, Gartner predicts that companies will be using 2014 to prepare for IoT by utilizing data centre resources, adopting a variety of data management software, and ensuring the right employee resources are in place. IoT is not restricted to any particular industry, and with the advent of massively connected devices, businesses now have access to more information than they actually act on. Gartner’s prediction focuses on the “opportunity to build applications and services that can use that information to create new engagement models for customers, employees and partners”. This means that IoT is set to become more user friendly and accessible – so you had better start preparing for it.
  5. Software Defined Anything: Gartner predicts that software spending will increase by 25% in 2014. Software-defined anything (SDx) is a collective term used to define the growing market momentum for software systems that are controlling different types of hardware. More specifically, it’s making software more “in command” of multi-piece hardware systems and allowing for software control of a greater range of devices.

Reviewing the five top IT predictions listed above, there appears to be three things in common; businesses will need to manage a vast amount of data, businesses will need a reliable Internet connection, and businesses will need to act fast. So if you haven’t solidified your 2014 IT plans, or if you have – and it doesn’t include at least one of the items listed above, then it’s time to hustle.

Blog Author: Vanessa Hartung

How to Train Employees on Company Cyber Security

Guest Author: This week’s blog was provided to us by Theo Schmidt, an independent blogger. Schmidt has an interest in computer science and engineering, which he uses to fuel his blogging. You can learn more about him on Google+.

No matter your line of work, company cyber security is something that should weigh heavily on your mind. Whether it be phishing scams or malware attacks, it is important to ensure that employees know what they are expected to do to prevent and avoid security breaches.

Suspicious Links

It is important that employees realize that the sites they visit can negatively affect the entire company. Typically these sites are not sought after but are brought on via email or links from other sites.

A company can help to prevent visitation to harmful websites by installing a powerful firewall protection. However, employees are at the front lines of defense. They must be trained and reminded that bad links can be just as dangerous as anything else on the web.

Unknown Emails

Scammers and phishers know what they’re doing when they try to trick people into giving up information. Sometimes an email is an obvious scam—a prince in Nairobi is asking for monetary donations or something equally ridiculous. Other emails can be a bit trickier though.

Email scammers are getting smarter and better at making the email address look legitimate. Often they will attach a file that they want downloaded disguised as a form or important information. However, once the file is downloaded the company’s security, data, contacts, and even financial information can be at risk.

Employees should exercise extreme caution when downloading any file, whether they think they recognize it or not. In general, it is smarter to keep computers as clean as possible and storing only work-related materials.

Logging In

When employees are asked to log in to sites they are not familiar with using their company login information, plenty of information is automatically given up to the intruding site. From there it is possible that they will be asked to download files, give up more information, or the site will simply have the password and username on hand for whatever they wish to do.

Logging in to an untrustworthy site is an easy albeit foolish mistake to make. It is important to make employees aware of the risks at hand. Companies can still protect themselves with encryption software and training to help employees spot these scamming sites.

Sharing Information

Additionally, it is key that employees recognize the importance of keeping the company’s data safe and secure. This means that not only should they do what they can to keep it safe inside, they won’t let it be leaked outside as well.

Information can be leaked via blogs, emails, or anything else. Employees should keep passwords secret and frequently change them. Passwords should never be repeated on multiple sites.

Enforce Change

Keeping employees up on security procedures is a process. Employees won’t change their behavior overnight nor will they decide to care about the company’s security on a whim. It must be made a part of their everyday job expectations to work against cyber threats. Just like any other positive behavior in employees, it should be recognized and reinforced.

In the war against scammers, human error is the bigger problem. According to Comptia, 55% of breaches are due to mistakes made by employees. It can be difficult to spot potential problems because so often fake websites, emails, and links look real. However, the flaws are in the details.

Companies that store important data like electronic medical records, financial records, and other personal information are at a high risk of intrusion. Employees must be trained to diligently watch for signs of a breach in cyber security. So long as they know what to be aware of and what threat they themselves could pose, they can help the company by becoming part of the defense and less of a liability.

For more information on data protection, check out the Practice Studio website.

To learn about storing company information in a secure location, click here.

Yet Another Security Breach – When Will Businesses Learn?

Another week, another data breach. More and more businesses seem to be falling victim to cyber crime, and the rate of attacks doesn’t seem to be slowing down any time soon. This week alone, I’ve read about companies like Microsoft, SAP, and Adobe experiencing issues with with preventing attacks or securing their data. However, it would be very naive  to think that only big name companies are being targeted by cyber criminals.

security-features-to-protect-customer-data-and-your-brand

Every business, big or small, must increase their security measures in order to alleviate any outside threats. Just like locking your doors when you leave your home — it doesn’t matter that your house is smaller or larger than your neighbour’s, the threat of someone breaking in still exists. Many small business owners carry the mentality that “it won’t happen to me” – but that’s a very ignorant way of approaching the issue. Not every attack is as sophisticated as some may imagine.

With continuous network and technology upgrades happening almost daily, ensuring that your security system is also up to date can be time consuming. In many cases, IT resources are stretch so thin that they just don’t have the time to go through every single item to ensure the company data is protected. Increasing network security must be a company-wide exercise, it can’t rest solely on the shoulders of IT. That being said, can IT rely on company employees to reinforce network security?

As discussed in our previous blog, which detailed a number of security breaches experienced by the Federal Government, human error is one of the primary contributing factors to a loss in data. This includes the theft of company devices, such as laptops, USBs, or cell phones, as well as the use of weak passwords, downloading corrupted content, or general negligence. However, by making employees responsible for protecting their own devices, IT members can focus on protecting the company network as a whole instead of working to secure every single device.

I’ve said it before, and I’ll say it again – companies of any size must do everything in their power to protect their data. In our increasingly virtual world, data can be easily compared to currency. Having thousands of customer records stolen is just as bad as having thousands of dollars stolen. Companies that lose control of their data also lost the trust of any existing or potential customers. Rebuilding your business after a data breach can be a very difficult exercise, resulting in the permanent closure of some companies who aren’t able to recoup their losses.

Read our blog “Small and Medium Businesses are being Targeted by Hackers” to learn some tips for securing your company’s network.

Blog Author: Vanessa Hartung

 

 

Having Trouble Securing Your Data? So is the Federal Government

Security breaches seem to be occurring on a regular basis lately, as more and more reports of lost data and hackers flood news headlines. Many businesses store their information in a virtual environment, but do little to protect it once it gets there. Complacency and a lack of understanding is  contributing the the number of attacks – and businesses aren’t the only ones being targeted by hackers.

IMG_0008

In an annual report to Parliament on Tuesday, commissioner Jennifer Stoddart reported that the number of data breaches reported by federal institutions between April 2012 and March 2013 rose from 80 to 109 during the same period the year before  (click here for report). Hackers are breaking into federal networks in record numbers, yet it seems as though this issue isn’t being taken seriously. Several of the reported incidents could have been prevented if the proper security measures were in place. Treating cyber crime as random and unpredictable is counter productive for government and business.

Employee negligence, or “human error”, was responsible for a majority of the federal government’s stolen data, with hacking and malware encompass the rest. Some of the stolen data included:

  • Human Resources Development Canada (now called Employment and Social Development Canada) reported that a staff member lost a portable hard drive that contained 585,000 personal records
  • A Justice Department employee lost a USB key that contained sensitive information on 5,000 people
  • A USB key, papers, and a laptop that contained information used by the Financial Transaction and Reports Analysis Centre (FINTRAC) was stolen in Calgary
  • A Security Intelligence Officer working for Corrections Canada had dropped a USB key containing personal information about 152 prisoners was lost while the Officer was dropping off a child at school
  • The personal tax information of 46 people was stolen along with an employee’s laptop

And the list goes on. It’s frightening to think that federal employees are so complacent with the personal information of others, but it happens every day. No one believes that it will happen to them, until it does. However, ignorance is not bliss, nor is it an effective method of data protection.

canada-facebook_

Employees need to be responsible for the protection of portable devices, especially the devices containing private information. Many business and government establishes take the time to install the best security measures, but the moment an employee transports data – the risk of a data breach increases drastically. This is becoming increasingly difficult to control as virtual environments continue to increase in use. Although it may be convenient, companies need to be aware of the risks associated with virtually accessible and transported data.

Some of the ways that companies can help decrease the amount of data lost to “human error” is through education, awareness, and guidelines. By educating and alerting your employees about the methods used by cyber criminals to gain access to private data, they’ll have a better understanding of how to keep the data secure. Additionally, creating awareness will show your employees that cyber crime is a reality that can happen to anyone, anytime. It’s not just something you hear about on the news, it’s something that hundreds of companies have experienced across North America.

Establishing some rules and guidelines around transporting sensitive data, either in a USB key, laptop, or external hard drive, can also help keep data safe. By attaching consequences to an employees actions, such as losing a USB key, it’s likely that they’ll remain vigilant. The other option would be to restrict the transportation of data all together by utilizing cloud technology. By moving all your data to a online environment, your employees can access the information from anywhere, anytime.

To learn more about storing your data in a safe location, click here.

Blog author: Vanessa Hartung

%d bloggers like this: