
Posts Categorized Under "FILE SECURITY"

USPS Eliminates FTP, Requires Secure File Transfers via SFTP, AS2 or PDX

Early this year, the United States Postal Service (USPS) announced the elimination of FTP (File Transfer Protocol) from their business practices and policies—a change that strengthens the security of their data transmissions and addresses recent audit findings.

What does this mean for you? The change is still in transition, but after August 31, 2017, mailers and shippers will need to send data to the USPS using one of the following secure communication methods: PDX (Parcel Data Exchange), SFTP (SSH File Transfer Protocol), or AS2 (Applicability Statement 2). This applies to SSF, EMM, BPOD, DEXTRO, and ERR files.

Any of these approved methods will work. The USPS lists PDX as preferred, and business customers and third-party vendors can use it through the USPS web application. For those who can’t or don’t want to switch to PDX, SFTP and AS2 are just as secure, cost-friendly, and straightforward to implement. Both protect the file in transit, but only if the other side is authenticated: verify the USPS SFTP host key out of band before the first connection, and for AS2 exchange and pin the partner’s signing and encryption certificates rather than accepting whatever the remote end presents.

Are you in the market for a solution that supports SFTP and AS2 protocols? GoAnywhere MFT offers both of these in a managed file transfer solution that’s affordable and intuitive. Connect to Secure FTP servers (including SFTP, FTPS, and SCP) for protected communication, or send AS2 messages with multiple file attachments. However you want to do it, we’ve got you covered.

To see how GoAnywhere MFT can meet these new USPS policies and save your organization money in the process, request a demo.

 


7 Steps to Protect Yourself Against Corporate Spear Phishing

Anyone with an email account is used to spam. It happens one day: you get that first unsolicited email, and then a flood of ads, flash sale offers, and foreign bank transaction requests rushes into your inbox. In that moment, the battle for your virtual sanity begins.

But while spam emails are mostly harmless—you tend to see them from a mile away and respond accordingly—spear phishing emails are dangerous, and they’re harder to detect.

What is Spear Phishing?

In general, phishing is the practice of sending fraudulent emails that appear to come from a sender you trust: a colleague, a family member, your bank, or a business you use regularly (eBay and PayPal are two common examples). Phishing and spear phishing both work this way; the difference lies in how targeted the attempt is.

Regular phishing attacks trawl the waters with a wide net, hoping to catch whoever falls for the scam. Spear phishing emails, on the other hand, target users who have specific access to the information the attackers want. These users could be accounting employees, executives, or IT professionals.

Spear phishing emails are tailored to look, sound, and feel legitimate. The messages they contain generally include a grab for confidential information, like a link you can follow to change your password, a downloadable attachment, or a request for sensitive employee data. Whatever form it takes, following the email’s instructions can hand the attacker your credentials or a foothold on your computer, and from there on your organization’s network.

Spear Phishing Affects Everyone

The number of spear phishing attacks on organizations climbs every year. Security spending has grown in step with these concerns, but following best practices does not make a company immune. Employees can fall victim to these scams without ever realizing something is amiss, and the repercussions of a single successful intrusion can be crippling.

Spear phishing attacks affect a multitude of industries. According to InfoSec Institute, top industries targeted by these attacks in 2014 and 2015 include logistics, retail, public administration, finance, and services. What’s worse, a successful attack can cost a company, on average, $1.6 million. This is no small amount of damage.

Are you confident your business is secure enough to shut down potential phishing attacks? Think again.

In 2014, the Carbanak campaign impacted over 100 financial institutions and cost them around $1 billion. According to Kaspersky Lab, who investigated the breach, “The attackers used spear phishing emails [to infiltrate the bank’s intranet], luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.”

Seagate Technology was hit in a similar way in 2016. An email that looked like a request from the CEO persuaded an employee to send out the W-2 forms of current and former employees, exposing names, Social Security numbers, and salary data in a single reply. A few extra precautions could have avoided the whole episode.

How to Protect Yourself against Spear Phishing

If you’re concerned about the danger of spear phishing attacks or looking for ways to make your environment more secure, we suggest you implement these seven steps in your company. They may help stop a potential attack before it can begin.

1. Keep your systems up-to-date with the latest security patches

Check your operating system frequently for the latest security patch releases. If you’re running Windows, Microsoft publishes security updates on a regular cadence and out of band when a serious flaw is being actively exploited. It has occasionally done so even for unsupported versions such as Windows XP when the risk was severe enough, but don’t rely on that: unsupported systems should be upgraded or isolated.

Apple, Linux, AIX, and VIOS have their own security patches as well. Patches close the vulnerabilities that a phishing attachment or link relies on to run code on the victim’s machine, so keep all your systems (customer-facing and internal) current and install security patches as soon as you can test them, to avoid gaps in protection.

2. Encrypt any sensitive company information you have

File encryption is a good way to protect sensitive company data from prying eyes. With the right tool or solution, the files you send to your systems, cloud environments, trading partners, and remote locations will be secure, making it difficult for outside parties to decrypt your data even if they get their hands on it.

What should you encrypt? Here are just a few examples that limit the amount of damage a spear phishing attack could do to your organization:

  • Hard drives
  • Cloud storage
  • Credential stores (passwords should be stored as salted hashes, not reversibly encrypted, and answers to security questions deserve the same treatment)
  • Network traffic (TLS for web and mail, and a VPN on untrusted networks)
  • External storage (USB drives, external hard drives)
  • Files (business contracts, audit reports, tax documents)

A managed file transfer solution can encrypt your files at rest and in transit using modern, secure encryption methods. Good MFT software helps you stay current as encryption standards change over time, while making your data transfers simple to manage and audit.

3. Use DMARC technology

You’d think, in this day and age, that an email from an address you know would be trustworthy. After all, you get email from AwesomeCoworker@company.com all the time, so even the odd-looking ones must be safe to answer, right? Wrong. SMTP does nothing to verify the From: header, so an attacker can put a real address such as JoeSmithCEO@company.com in it and send that message to company employees.

DMARC (Domain-based Message Authentication, Reporting & Conformance) exists to stop exactly this kind of spoofing. The domain owner publishes a policy in DNS (a TXT record at _dmarc.company.com) that tells receiving mail servers what to do with mail claiming to come from that domain. The receiver checks Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and requires that at least one of them passes for a domain that aligns with the visible From: address. If neither does, the receiver applies the published policy (none, quarantine, or reject) and sends aggregate reports to the address the domain owner listed in the record, so your security admin can see who is sending mail in your name.

Patrick Peterson is a visionary leader at Agari, a company that prevents cyber attacks and secures email for Fortune 1000 companies. He addressed the growing need for DMARC in a recent data security panel: “A very important aspect in email security is making sure your email provider uses technology like DMARC. It's the only email authentication protocol that ensures spoofed emails do not reach consumers and helps maintain company reputation. Top tier providers like Google, Yahoo, Microsoft and AOL all use it to stop phishing.”

Despite the obvious benefits of email authentication, DMARC and similar protocols are not foolproof. In May 2017 a phishing wave sent Gmail users a fraudulent “Google Docs” sharing invitation; clicking it granted a malicious OAuth application access to the victim’s account and contacts, which it then used to send the same lure onward. No sender domain was spoofed, so DMARC had nothing to reject. Google reportedly stopped the attack within an hour, but it estimated that fewer than 0.1 percent of Gmail users, still roughly a million accounts, were affected.

While we still recommend implementing DMARC into your email, consider it but one of many tools you should use to secure your data, users, and company. It’s just safer that way.
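Here is what that check looks like on the receiving side, as an added example written for this page rather than code from the original post. It takes the policy record a domain owner publishes, the From: domain of a message, and the SPF and DKIM results the receiving server has already computed, and returns the DMARC result together with the disposition the policy calls for. The domain company.com, the record contents, and the authentication results are constructed for illustration; a real receiver would also consult the Public Suffix List when computing organizational domains and would honor the pct= and sp= tags, both omitted here.

```python
"""DMARC evaluation for one inbound message (added example, not the post's own code).
The record text, domains and authentication results used here are constructed."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse the TXT record published at _dmarc.<domain> into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: relaxed unless adkim=s
    tags.setdefault("aspf", "r")   # SPF alignment mode: relaxed unless aspf=s
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified: the last two labels. Real receivers use the Public Suffix List
    so that names such as example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts a subdomain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    spf_result: str    # "pass" / "fail" / "none", as computed by the receiving MTA
    spf_domain: str    # SMTP MAIL FROM domain that SPF was checked against
    dkim_result: str
    dkim_domain: str   # d= tag of the DKIM signature, "" if unsigned


def evaluate_dmarc(record_txt: str, from_domain: str, auth: AuthResults):
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passes
    AND that identifier aligns with the RFC5322.From domain; otherwise the
    domain owner's p= policy applies (none / quarantine / reject)."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, rec["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", rec["p"]   # pct= sampling and sp= subdomain policy omitted


# Constructed policy for the post's hypothetical company.com domain.
COMPANY_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@company.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Spoofed From: JoeSmithCEO@company.com sent from the attacker's own server:
    # SPF passes for the attacker's MAIL FROM domain, but that domain does not align.
    spoof = AuthResults("pass", "attacker.example", "none", "")
    print(evaluate_dmarc(COMPANY_RECORD, "company.com", spoof))   # ('fail', 'reject')
    # Legitimate mail relayed through mail.company.com (relaxed SPF alignment).
    legit = AuthResults("pass", "mail.company.com", "pass", "company.com")
    print(evaluate_dmarc(COMPANY_RECORD, "company.com", legit))   # ('pass', 'none')
```

The spoofed case fails because the attacker’s server can pass SPF for its own domain but not for one aligned with company.com. Note the limit this implies: DMARC only protects domains you control. Mail from a lookalike domain the attacker registered, or with a forged display name over an unrelated address, passes DMARC because it is not a spoof of your domain, so those cases have to be caught by training and other controls.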

4. Implement multi-factor authentication wherever possible

Many businesses have made multi-factor authentication (MFA) part of their security routine. Some, like Google, let customers turn it on as a precaution. Others ask clients for a sequence of personal details before granting access, but that is still “something you know” and, since such details are often public or easily researched, adds little; a real second factor is something you have or something you are.

So why not use MFA to protect your data?

Multi-factor authentication is a simple way to ensure anyone who accesses your private data is who they claim to be. It requires at least two independent pieces of evidence, such as a password plus a one-time code from a token or authenticator app, which makes it much harder for attackers to compromise your systems even if they already have half of what they need, for example a password harvested by a phishing page.

If we lived in a perfect world, user passwords and security questions would always be secure. But in reality, employees recycle passwords across multiple websites and overshare personal data on social media, compromising the integrity of their logins and security questions.

So really, implement MFA wherever you can, at work and in your personal life. At the very least, it gives you an extra layer of protection against spear phishing and other potential data breaches.

5. Make cybersecurity a company focus

Is cybersecurity a focus in your organization? It should be. When security is forefront in your mind and the minds of your employees, better decisions are made and more precautions are taken, enabling you to prevent spear phishing attacks before they become a concern.

Here are a few ideas to get you started:

  • Document and send internal security procedures to your employees.
  • Create a cybersecurity policy and data breach response plan for your organization.
  • Schedule quarterly meetings with key players to review the latest spear phishing attacks in the industry.
  • Identify potential spear-phishing targets, and brief them on the actions they should take if they receive a questionable email.
  • Review employee roles and access regularly, including third-party vendors, partners, and those in remote offices, and adjust as necessary.

6. Educate your employees and regularly test their knowledge

Industry surveys routinely attribute over 90% of successful cyber attacks to employee error. And the most common way in? You guessed it, spear phishing.

Spear phishing emails are rarely transparent. One believable email from a spoofed address is all it takes to capture employee credentials and, from there, sensitive company information. The good news is that human error can be reduced considerably with training and education.

Talk to your employees about the reality of phishing attacks. Set aside 15 minutes at your next company meeting to educate them on what spear phishing attacks look like, what they do, and any steps they should take if they encounter one. Document a quick guide to internet security and make it available on your network. Even quarterly quizzes with a fun prize for winners can be the motivation needed to build security knowledge.

The more opportunities your employees have to learn about spear phishing and other scams, the better prepared they’ll be if they encounter something suspicious.

7. Confirm suspicious email activity before interacting with it

If you receive a suspicious email from someone you trust but you’re not sure it truly came from them, stop by their office, pick up the phone, or send them a separate email. Use contact details you already have, never the phone number or reply address given in the suspicious message itself, since an attacker controls those.

The two minutes it takes to establish validity is absolutely worth it, no matter the outcome. Best case scenario? The email is legitimate, and you have peace of mind. Worst case scenario? It’s a spear phishing email, but you still have peace of mind, and the person you spoke to can now warn others in the organization of a potential phishing attack.

Spear phishing attacks happen every day. But though they’re a security concern, they don’t have to be a problem if you plan ahead, prepare your organization for attacks, educate your employees, and encrypt your data.

 

Looking for more tips to help you combat cyber threats? Watch our on-demand webinar, where top cybersecurity experts discuss how you can protect your company from data breaches and avoid security risks.

 


Preview of Gartner Security & Risk Management Summit 2017

Four days of security discussions, over seventy-five speakers, and six program tracks: these are the numbers exciting cybersecurity professionals around the nation as they prepare to attend this year’s Gartner Security & Risk Management Summit. Taking place June 12-15 in National Harbor, Maryland, this summit is one of the biggest and most important of the year.

Linoma Software, a HelpSystems company, will be attending this premier gathering of security, risk management, and business continuity management leaders, in order to take in this all too valuable informational experience.

Here are some must-see sessions that we’re looking forward to:

What Can We Expect from the EU’s General Data Protection Regulation?

June 12, 2017 | 10:00 AM – 11:00 AM | Carsten Casper

Are you ready for GDPR compliance? Do you have a timeline in place to implement the required controls? The latest data protection regulation out of Europe has companies around the world wondering: does this apply to us? This session will go into full detail about the regulation, as well as what actions IT departments in non-European countries must take to meet its requirements.

Forcepoint: Insider Threats: Understanding Intent and Creating Actionable Programs

June 12, 2017 | 11:30 AM – 12:15 PM | Dr. Richard Ford, Meerah Rajavel

In a time when large and harmful security breaches seem to occur as often as the sun rises and sets, companies often struggle to pinpoint where these breaches are coming from and why. A recent study from Crowd Research Partners showed that cybersecurity professionals consider “internal threats” the biggest threat to IT security. This session, presented by Forcepoint Chief Scientist Dr. Richard Ford and CIO Meerah Rajavel, will examine strategies for implementing people-centric protection programs that discourage bad cyber practices and enable good behaviors, to help stop breaches caused by internal threats.

Roundtable: Managing Cloud Service Provider Security

June 12, 2017 | 2:00 PM – 3:00 PM | Jay Heiser

When it comes to the many cloud services that enterprises are confronted with, well, the sky’s the limit (pun intended). The cloud and its many benefits are more relevant than ever, and in this session, speaker Jay Heiser poses the question: who is accountable for managing this risk and ensuring that these cloud providers can be trusted? With such promising discussion, we strongly urge you not to miss this one.

To the Point: How to Respond to PCI DSS v.3.2

June 15, 2017 | 12:00 PM – 12:30 PM | Rajpreet Kaur

The 2018 deadline for compliance with PCI DSS v.3.2 is rapidly approaching. This session will cover the various enhancements in the latest PCI DSS version and how to deal with them. Our recent whitepaper breaks down everything new about v.3.2, but we’re certainly interested in hearing what additional details and considerations Rajpreet discusses in this session.

 

We can’t wait to see you at the Gartner Security & Risk Management Summit of 2017! Make sure to come find us in booth 100 or reserve time at the event to chat.


8 Ways to Protect Your Healthcare Organization from a Data Breach

Last year there were 328 data breaches of healthcare organizations. That’s a new record, up from 268 the previous year. In these breaches, the records of approximately 16.6 million Americans were exposed. These incidents occurred at all types of organizations in the industry, including clinics, insurance providers, and their health system business associates.

If you’re in the healthcare industry, here are eight steps you can take to ensure that your organization isn’t the next one in the news.

#1. Continually Evaluate HIPAA Compliance

You’re in healthcare, so you already know about HIPAA, the Health Insurance Portability and Accountability Act that safeguards Protected Health Information (PHI). Fines for non-compliance can reach millions of dollars and even include jail time, which should be enough to ensure that you take HIPAA seriously. But you should also think of HIPAA as a solid starting point for avoiding major cybersecurity threats.

HIPAA requires annual risk assessments, and it’s not a bad idea to assess your security and compliance even more frequently. In a typical organization a lot of changes are made in a year, including new software implementations and upgrades, employee turnover and role changes, or mergers and acquisitions—all of which can create vulnerabilities. These assessments are also a great chance to evaluate your internal security policy and incident response plan.

#2. Educate Your Employees

We all worry about the nefarious hacker, lurking in a dark room and furiously typing code to steal your organization’s records. The truth is that one of the leading causes of healthcare data breaches in 2016 was employee error.

Make sure that all employees in your organization know what personal information can be shared with patients, caregivers, and others according to HIPAA and any state regulations you need to follow. Give your employees a test of their security knowledge or run simulations through phone calls and emails, and reward the employees who respond correctly.

#3. Manage Roles and Access

Keeping medical records secure can be a challenge because they pass through so many hands, but the access that a doctor needs is different than that of a member of the finance or IT staff. It’s essential that every user has an individual account with role-based access appropriate for their position. The IT administrator should also have full visibility into who accesses or manipulates what data and when, so they can identify suspicious activity such as downloading large volumes of data to an unknown IP address.

#4. Subnet Your Network

It may seem like a basic mistake to an IT or security professional, but you might be surprised how many healthcare providers leave systems holding patient records reachable from the public internet. Segmenting the network, with separate subnets and firewall rules between them, lets you keep a public-facing segment apart from more tightly controlled segments for applications that touch medical records or card data. Subnetting alone only divides the address space; the protection comes from the filtering enforced between segments, so each segment should admit only the traffic it actually needs.

#5. Use Multi-Factor Authentication

The standard username and password isn’t secure enough for users who need to access private patient information. Multi-factor authentication typically requires at least two of the following: something you know (like your password), something you have (like a token), or something you are (like a fingerprint). A 2015 report by the Office of the National Coordinator for Health IT found that, while hospital support for multi-factor authentication had risen by 53 percent since 2010, only half of small urban hospitals were capable of it. Fifty-nine percent of medium and 63 percent of large institutions had the capability.

If you are a healthcare organization that still doesn’t support multi-factor authentication, it’s a key step to take toward securing your data.

#6. Protect Devices and Be Cautious with BYOD

The majority of healthcare data breaches occur not because of hackers, but because of stolen or lost devices. For devices owned by your organization, make sure they are encrypted and that you have the ability to wipe them remotely.

You should also adopt strong security measures in your BYOD policy. Employees will want to have the convenience of easily accessing PHI from their tablets, laptops, or mobile phones, but if one of these devices falls into the wrong hands, the result could be devastating to your company. Here are some steps you should take in your BYOD policy:

  • Require strong authentication methods
  • Don’t allow medical records to be stored on employee devices
  • Prevent devices from connecting to healthcare applications beyond a certain distance from your facility

#7. Ensure Business Associates are Protecting PHI

Healthcare providers rely on a wide network of associated companies and services. Business associates of organizations that must comply with HIPAA are also held to HIPAA standards for protecting patient data and will be fined if they fail to do so. Your business associate agreements with these organizations should be tailored to both HIPAA and any state regulations that apply to your organization. The associates should be required to develop internal processes to assess security, and discover and report data breaches. Choose business partners that are agreeable to complying with security best practices or they will be a liability.

#8. Encrypt Data at Rest and in Transit

HIPAA’s Security Rule says that covered entities should “implement a mechanism to encrypt PHI whenever deemed appropriate.” This is an “addressable” specification, meaning you must either implement it or document why an equivalent alternative is reasonable, which leaves room for interpretation. But regardless of HIPAA or other regulations, strong encryption is the best way to protect your data.

HIPAA’s Breach Notification Rule also treats PHI that has been encrypted according to HHS guidance as “secured”: if such data is lost or stolen and the decryption key was not compromised along with it, the incident is not a reportable breach. In other words, encryption can spare you from having to notify your patients, the media, and the government, and from the reputational damage that goes with it, provided the keys are managed separately from the data.

A managed file transfer solution can encrypt your files both at rest and in transit using modern, secure encryption methods. Good MFT software will help you stay current as encryption standards change over time, while also making your data transfers simple to manage and audit.

To find out how GoAnywhere MFT can help you stay HIPAA compliant, download the guide.

 


Top Takeaways from the 2017 Cybersecurity Trends Report


Do you ever wish you knew how other businesses are dealing with today’s security threats? The 2017 Cybersecurity Trends Report, recently released by Crowd Research Partners, provides insight into the cybersecurity concerns and priorities of organizations across a wide range of industries.

The report is a comprehensive study revealing current cybersecurity trends in threat management, data protection, cloud security, application security, mobile security, security training and certification, managed security, and more. The 2017 report is based on a survey of more than 1,900 cybersecurity professionals across businesses of all sizes, from those with fewer than 10 employees (7 percent of respondents) to those with over 10,000 (26 percent of respondents). Download the full report here or read on for a few top takeaways.

#1 - Everyone is Worried about Cybersecurity

Security threats are a very real and urgent concern for most companies. Over half (54 percent) of cybersecurity professionals anticipate successful cyberattacks on their organization in the next 12 months. And they aren’t taking that threat lightly. 52 percent are boosting their security budget by an average of 21 percent.

Most professionals are not convinced that they are ready for an attack. 62 percent of respondents were moderately confident to not at all confident in their organization’s overall security posture.

#2 - Lack of Budget is Greatest Barrier to Security

While the majority of organizations are increasing their security budget, finances remain one of the top obstacles to stronger security, with 45 percent of respondents citing lack of budget as a barrier that inhibits the organization from defending against cyber threats.

For this reason, it’s essential that companies spend their money on solutions that give them a solid return on investment. Using free tools and apps where an enterprise-class product is needed can cause a company to fall victim to a cyberattack, while purchasing the most expensive tools on the market can leave you with empty pockets and a long list of features you don’t need.

Need to secure and streamline your file transfers? Maximize your investment with the MFT ROI Calculator.

 

#3 - Internal Threats & Untrained Employees are Biggest Threats

33 percent of cybersecurity professionals are worried about threats coming from within the company. While a malicious employee may hack into sensitive data intentionally, in most cases the more pressing concern is careless or uninformed staff members. A lack of skilled employees tops the list of barriers to both stronger security (45 percent) and to threat management (33 percent).

Whether your insider threats are malicious or careless, solutions with role-based security and auditing are recommended to help mitigate risk of a breach. Role-based security enables organizations to restrict permissions of individual users to only the information and functionality required to do their job, while auditing capabilities provide detailed audit logs of actions taken by each user.
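As an added example covering both the “Manage Roles and Access” step in the healthcare post above and the role-based security and auditing described here (it is not code from the original posts), the following shows an authorization check that grants only what a role includes, records every decision in an audit trail, and then sweeps that trail for the two patterns the posts describe: large exports to an address outside the organization, and an account repeatedly being denied access it does not have. Roles, permissions, address ranges, and log entries are all constructed.

```python
"""Role-based authorization with an audit trail, plus a sweep of that trail for
suspicious activity: added example, not code from the original posts.
Roles, permissions, addresses and log entries below are constructed."""
import ipaddress
from collections import defaultdict

# Hypothetical role model: a role grants exactly the actions listed, nothing else.
ROLE_PERMISSIONS = {
    "physician": {"view_record", "update_record", "export_records"},
    "billing":   {"view_billing", "export_billing"},
    "it_admin":  {"view_audit_log", "manage_users"},
}

# Address ranges treated as inside the organization (assumed values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.10.0/24")]


def authorize(audit, user, roles, action, src_ip, record_count=0):
    """Allow the action only if one of the user's roles grants it.
    Every decision, allowed or denied, is appended to `audit`."""
    allowed = any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)
    audit.append({"user": user, "action": action, "src_ip": src_ip,
                  "records": record_count if allowed else 0,
                  "result": "ALLOW" if allowed else "DENY"})
    return allowed


def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def flag_bulk_exports(audit, threshold=200):
    """Users whose allowed export_* actions sent more than `threshold` records
    in total to addresses outside TRUSTED_NETWORKS -> {user: records}."""
    totals = defaultdict(int)
    for e in audit:
        if (e["result"] == "ALLOW" and e["action"].startswith("export_")
                and not is_trusted(e["src_ip"])):
            totals[e["user"]] += e["records"]
    return {u: n for u, n in totals.items() if n > threshold}


def flag_repeated_denials(audit, threshold=3):
    """Users with more than `threshold` denied actions: a compromised or
    over-curious account probing for data its role does not cover -> {user: denials}."""
    denials = defaultdict(int)
    for e in audit:
        if e["result"] == "DENY":
            denials[e["user"]] += 1
    return {u: n for u, n in denials.items() if n > threshold}


def run_demo():
    """Replay a constructed day of activity and return both findings."""
    audit = []
    authorize(audit, "dr.lee", ["physician"], "view_record", "10.4.2.17", 1)
    authorize(audit, "dr.lee", ["physician"], "export_records", "10.4.2.17", 400)  # bulk, but on-site
    authorize(audit, "j.smith", ["billing"], "update_record", "10.4.2.30")          # denied
    authorize(audit, "j.smith", ["billing"], "export_billing", "203.0.113.9", 150)
    authorize(audit, "j.smith", ["billing"], "export_billing", "203.0.113.9", 180)
    for action in ("view_record", "manage_users", "view_audit_log", "update_record"):
        authorize(audit, "contractor1", ["billing"], action, "203.0.113.50")         # 4 denials
    return flag_bulk_exports(audit), flag_repeated_denials(audit)


if __name__ == "__main__":
    exports, denials = run_demo()
    print("bulk export to untrusted address:", exports)   # {'j.smith': 330}
    print("repeated denials:", denials)                    # {'contractor1': 4}
```

Two design points worth copying into a real system: denials are logged with the same detail as grants, because a stolen account shows up first as a string of “DENY” entries, and the bulk-export rule keys on the destination address as well as the volume, so a clinician pulling a large chart set from a ward workstation is not treated like the same volume leaving for an unknown address.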

Another top concern is the security of cloud applications, services, and infrastructure. Respondents cited fears including the need to protect against data loss, threats to data privacy, and breaches of confidentiality. To protect sensitive data transferred using a cloud-based solution, experts recommend  verifying that the solution provides end-to-end encryption for protecting files at rest and in transit.

#4 - Encryption is Greatest File Transfer Challenge

The number one concern when it comes to transferring files is security, with 59 percent of survey respondents citing encryption of files as a challenge they face. This is a serious shortcoming given that 67 percent of respondents ranked data encryption as the most effective means of protecting against cyberattacks. Any organization transferring files should use a secure managed file transfer solution that handles both transport protection (TLS for FTPS and HTTPS, SSH for SFTP) and file-level encryption (AES, OpenPGP), so that data is protected in transit and at rest.

Unfortunately, the majority of organizations surveyed are still using inadequate solutions. For example, email is still the most common file transfer method for smaller files, even though unsecured email is both vulnerable to cyberattack and difficult to track for auditing.

Over half of professionals surveyed said that they lack the tools to prove compliance related to transfer of sensitive files. The right enterprise file transfer software simplifies compliance by providing the security features required by major industry regulations, the reports an auditor needs to see, and even tools to help you check if your data transfers are meeting standards.

Learn more about what the 2017 Cybersecurity Trends Report means for your file transfers, or read the full report now.

Download the Cybersecurity Trends Report



The State of File Transfer Security

The 2017 Cybersecurity Trends Report was recently released by Crowd Research Partners. The report covers many aspects of cybersecurity, such as general security trends, cloud and mobile security, and managed security services. It also looks at how organizations are securing their file transfers, including some common file security pitfalls.

Here’s what the Cybersecurity Trends Report has to say about file transfers.

Security is the Top File Transfer Concern

When it comes to the challenges businesses face when transferring files, security is at the top of the list, with 59 percent of respondents citing it as a concern. Furthermore, over half of the IT security professionals surveyed said that if their file sharing practices were audited for regulatory compliance, they do not have the tools they need to streamline the process.

Managed file transfer (MFT) is the clear answer for both security and compliance challenges. A good MFT solution will provide a variety of encryption methods and secure protocols to combat modern data security threats. MFT software also includes detailed audit logging capabilities to ensure you can prove your file transfers are compliant in case of an audit.

Securing Customer Data is Critical

Protecting sensitive data is a significant concern for most organizations. Above all, companies are worried about the security of customer data—72 percent of survey respondents cited it as a type of sensitive data they are most concerned about protecting.


There’s good reason to be careful about customer data. According to Verizon’s latest PCI DSS Compliance Report, 69 percent of consumers would be less inclined to do business with an organization that had suffered a data breach. Customer data security is also essential for maintaining compliance with PCI DSS and other industry standards.

Other types of data that respondents are concerned about protecting include employee data (66 percent), email (54 percent), corporate financial data (46 percent), and health information (33 percent)—important if you need to comply with HIPAA.

A managed file transfer solution can provide end-to-end encryption to protect files at rest and in transit. 67 percent of survey respondents ranked encryption as the most effective means for protecting data.

Too Many Organizations are Using Inadequate File Transfer Methods

Email is still the most common file transfer method for smaller files, used by 63 percent of respondents. This is a serious risk as unsecured email is both vulnerable to cyberattack and difficult to track for auditing purposes. Another 18 percent rely on writing custom scripts, a method that is both time-consuming and prone to error.

Fortunately, 49 percent of respondents have implemented managed file transfer software. Managed file transfer streamlines the secure exchange of data and provides organizations with a single point of control for all file transfers. Implementing an MFT solution that provides enterprise-level security features, role-based security, and full audit trails is the best way to make sure your data transfers stay ahead of constantly evolving security threats.

To learn more, download the full Cybersecurity Trends Report.


 


Linoma Software Earns a Spot on the Cybersecurity 500


We are proud to announce that Linoma Software, a HelpSystems company, has been named to the Cybersecurity 500, a global list from Cybersecurity Ventures of the hottest and most innovative companies in the cybersecurity industry.

Cybersecurity Ventures chooses the Cybersecurity 500 by soliciting feedback from CISOs, IT security practitioners, and service providers, and researching hundreds of cybersecurity events and news sources. Joseph Steinberg, a cybersecurity expert and Inc. columnist, says that for years “business publications have shared lists of companies of which they recommend readers take note. The Cybersecurity 500 gives the same convenience and wisdom to people interested in the cybersecurity industry.”

Linoma made the list in the category of file security and data encryption. Linoma’s GoAnywhere Managed File Transfer software is an enterprise-level solution for automating and securing file transfers through a single interface. With extensive security controls and detailed audit trails, GoAnywhere MFT helps businesses achieve regulatory compliance, increase security, and streamline processes.


How to Create a Cybersecurity Policy for Your Organization

The cyberattacks and data breaches that make the news are usually the ones that happen at big corporations like TJX or Home Depot. But every organization, large or small, needs to be concerned about cybersecurity.

According to Symantec’s 2016 Internet Security Threat Report, 43 percent of cyberattacks in 2015 targeted small businesses—up from just 18 percent in 2011. Hackers might be starting to understand that even though small and mid-sized businesses may not have as much valuable information available to steal, they are also less likely than their large counterparts to have strong security measures in place.

An attack is usually devastating to a small company. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyberattack. If you don’t want your organization to be put out of business by a hacker, it’s time to improve your security posture. The first thing to do is develop something that most of the big companies already have: a cybersecurity policy. Here’s how:

Step One: Secure Senior Management Buy-in

If you’re in IT, you could probably tell most of your fellow employees a thing or two about security best practices. But in order to have the resources to design the policy and the authority to enforce it, you need management on your side.

It may help to point out that if you don’t have a cybersecurity policy, it could open you up to legal liability. For example, if you don’t want your employees connecting to your network with their own devices but you haven’t told them not to, what happens when an employee’s device with corporate data stored on it is lost? Your first reaction may be to remotely wipe the device—but can you legally do that without a written and user-acknowledged policy?

Step Two: Determine Your Security Guidelines

A key reason you need a policy in the first place is that modern cybersecurity has gotten very complex. There are a lot of details to keep track of, even for a small organization, and the landscape is constantly changing as both cybersecurity technology and cyber criminals become more advanced. Only you know your organization’s unique needs, but some things you might want to keep in mind include:

  • Which industry regulations do you need to comply with?
  • What data do you need to protect and how should it be stored and transferred?
  • What business software needs to be maintained and updated to stay secure?
  • What do you expect of all employees in terms of choosing passwords, appropriate internet use, remote network access, email guidelines, etc.?
  • Who will manage and maintain the cybersecurity policy?
  • How will you enforce the guidelines (what is the penalty for willful non-compliance)?

Once you have these questions answered, you should be able to draft your company’s policy. Depending on your current situation, understanding your security needs could be easy or could require extensive auditing of your current assets and tools.

We’ve compiled a few resources that provide templates and examples of cybersecurity policies below.

Step Three: Educate Your Employees

Did you know that internal actors are responsible for 43 percent of data loss? Half of this is intentional—disgruntled or opportunistic employees, contractors, or suppliers performing deliberate acts of data theft. But half of it is simply negligence. Employees don’t want to change their password every month if they can stick with “password123” forever. Some of them probably don’t see the problem downloading the attachment from that suspicious “urgent” email.

Communicate your new cybersecurity policy to employees, and make sure they understand the relevant details: what they are expected to do, how to do it, and what could happen if they don’t. Remember that things that seem obvious to you—like how to change that password—might not be known to everyone in the company.

Some organizations regularly test their employees on their cybersecurity knowledge. Make it fun and rewarding—there should be some kind of incentive for mastering security best practices.

Step Four: Monitor and Update Your Policy

Now your cybersecurity policy is up and running! But that doesn’t mean the work is over. A cybersecurity policy is a living document that needs to be updated regularly to include changes in your business, in technology, and in compliance regulations. Set a timeline for when you will re-evaluate the policy.

You’ll also need to determine how you will self-audit along the way. How will you know if the latest updates to your security software have been installed or that no one changed the server settings a month ago? Ideally, maintaining compliance with your policy will not be a fully manual process.
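One way to take the "did anyone change the server settings" question out of the manual-checking loop is a baseline comparison: hash the configuration files you care about, store the hashes, and have a scheduled job report any file that was added, removed, or modified since the baseline was taken. The script below is an added illustration and is not code from the original post or from any product named on this page; the file names, directory layout, and settings it creates are constructed placeholders for the demo.

```python
"""Config-drift self-audit: hash a set of configuration files, store the
hashes as a baseline, and later report anything that changed.

Added example for the policy self-audit step; not from the original post.
The paths and settings below are constructed placeholders."""

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, patterns=("*.conf", "*.cfg", "*.ini")) -> dict:
    """Return {relative_path: sha256} for every matching file under root."""
    result = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline against a fresh snapshot.
    Returns sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            k for k in base_keys & cur_keys if baseline[k] != current[k]
        ),
    }


def save_baseline(path: Path, snap: dict) -> None:
    """Persist the baseline as JSON; keep this file where admins cannot edit it casually."""
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Build a constructed config tree, record a baseline, then simulate
    an unrecorded change and return what the audit reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd.conf").write_text("PermitRootLogin no\n")
        (root / "etc" / "app.ini").write_text("[auth]\nmax_age_days = 90\n")
        baseline_file = root / "baseline.json"  # not matched by the patterns
        save_baseline(baseline_file, snapshot(root))

        # Simulated drift: a setting weakened, a file dropped in, a file removed.
        (root / "etc" / "sshd.conf").write_text("PermitRootLogin yes\n")
        (root / "etc" / "debug.cfg").write_text("verbose = true\n")
        (root / "etc" / "app.ini").unlink()

        return diff_baseline(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, the output of `diff_baseline` is the evidence your policy asks for: an empty report means the settings match the last approved state, and anything listed under `modified` is a change someone has to account for. Re-run `save_baseline` only after an approved change, so the baseline itself follows the policy's change process.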

Bonus Step: Choose Solutions that Complement Your Cybersecurity Policy

Maintaining security and compliance across your entire business and all your employees can be daunting. Fortunately, dealing with all those moving parts doesn’t have to be so complicated. Implementing the right software solutions can mean that your security policy practically enforces itself.

For example, you may be checking systems manually that could be monitored automatically. And if you expect employees to update their passwords regularly, what’s easier—checking if they have done it on their own or using software that requires it? Software with role-based security and audit logging will ensure that you always know who accessed or changed what, and when they did it.

Ideally, any solution you choose to implement should come from a vendor that you trust to keep the software updated to match current security threats. Needing to replace your security tools or update custom scripts makes it much more difficult to keep compliant with your own policy.

Sometimes despite your best efforts, your data is breached. Check out these resources to help you create a data breach response plan.


Exclusive Sneak Peek of COMMON 2017 Sessions

In just a few days, Power Systems professionals from around the world will gather for expert discussions on IBM i, open source and cybersecurity topics at the COMMON 2017 Annual Conference. Known as the largest Power Systems event of its kind, the conference offers over 300 sessions presented by more than 100 experts in the field.

As the event quickly approaches, we sat down with some of this year’s speakers to uncover their passions, advice to attendees and exclusive peeks into next week’s presentations. Read on to see what each shared.

 

Greg Cannella

Director of MIS at Magid Glove & Safety Mfg

Greg will be presenting at two sessions titled Creating SQL Functions and How to Use the SQL Descriptor. You may view Greg’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?
“I am most passionate about Creating SQL Functions.  This topic has very broad applications and is most likely to appeal to the widest audience.  Once people learn how easy it is to create a function and how much they can do for you, the adoption rate should be very high.  My goal is to provide everything someone needs so they can go back to the office the next day and create a function.”

What are you most looking forward to at COMMON?

“Since I am a first time speaker at Common, I am definitely looking forward to those sessions.  I am also looking forward to meeting up with all of the other people that I have worked with in the industry.”

 

Raymond Johnson

Consultant / Owner at iSolutions Consulting, Inc

Ray will be presenting at three sessions titled No More Excuses, Save the Entire System Using the IBM i Default Job Scheduler, Are You Secure? Are You Monitoring the IBM i Audit Journal? and IBM ACS Overview. You may view Ray’s biography and session schedule here.

What’s one topic you’re hoping to learn about at this year’s conference?

“I plan to learn more about VIOS since I now have two VIOS partitions to manage and the AIX environment is NOT like the IBM i (it is not integrated). Everything has its own version and the PTF and upgrade processes are nowhere near as easy (or maybe familiar??) as the IBM i processes.”

What do you predict will be the hottest topic of discussion at this year’s conference?

“I predict system and network security will be a hot topic of discussion.”

 

Carol Woodbury

VP Global Security Services at HelpSystems

Carol will be presenting three sessions, with titles including IBM i Security from the Ground Up and Best Practices for the IBM i Security Administrator.  You may view Carol’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?
I’m probably most passionate about the Best Practices for the IBM i Administrator.  Attendees sit through a lot of sessions about new and advanced technology, but sometimes, it’s not obvious how to apply it. In this session I provide actionable tasks that administrators can take back to their workplace and start making their systems more secure.  In other words, it’s full of practical advice that’s easily applied in their work environment.

What is one piece of advice you’d offer to first-time attendees?
Don’t be afraid to ask questions. You’re there to learn! If something’s not clear… ask!

 

Liam Allan

Product Developer at Profound Logic

Liam will be presenting at three sessions titled Git Fun and Games, Open-Source ILE Concepts and Web Requests in Embedded SQL. You may view Liam’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“I am actually most excited for the workshop I am giving with Alan Seiden and Steph Rabbani. I am not only excited to talk about something I am passionate about, but having the opportunity to do it with two amazing people makes it even more exciting for me.”

What are you most looking forward to at COMMON?

“I am most looking forward to hanging out with people that I have worked with in the last year. My favourite part about COMMON is the social element to it.”

 

Bob Luebbe

Chief Architect at Linoma Software

Bob will be presenting at two sessions titled Simplify Encryption with DB2 Field Procedures and Securing Your File Transfers from the IBM i. You may view Bob’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“I am most excited to talk about encryption using DB2 field procedures since a lot of organizations are looking at how to encrypt data at rest.  With field procedures, encryption has greatly been simplified.  Oftentimes, companies do not have to make any changes to their applications to implement encryption.  So it is much easier to do encryption at the field level now.”

What do you predict will be the hottest topic of discussion at this year’s conference?

“I think security is going to be a hot topic since so many organizations are facing strict regulations regarding sensitive data.”

 

Randall Munson

President of Creatively Speaking

Randall will be presenting at three sessions titled WRITE RIGHT! Business Writing for Geeks, Magic of SELLING Technology! and Riding the Rapids of CHANGE! You may view Randall’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

"The presentation I am most passionate about is, 'Magic of SELLING Technology!'. Since working in the IBM development lab in Rochester as the interface between the lab and IBM sales and marketing more than 20 years ago, I have been focused on how to sell IBM i technology around the world. I've helped companies make millions of dollars in increased sales. I enjoy sharing with others what I have learned so that they can improve their marketing and sales. But this presentation isn't just for people in sales and marketing roles. It is also valuable for showing technical people how to sell their own company's decision makers on products and services that would be valuable to them."

What do you enjoy most about speaking at COMMON?

"I love teaching valuable information in a way that is fun and memorable. I'm deeply gratified when people tell me things like, 'I've been working on this for 6 years and now I finally understand it!' or, 'Ten years ago I saw you present and I'll never forget what you said!' or 'You've changed my life.' Most people don't have a chance to experience that but speaking at COMMON for 30 years has given me that opportunity and I am grateful."

 

Tom Huntington

EVP of Technical Solutions at HelpSystems

Tom will be presenting a session titled High Availability Options for SMB IBM i Users on Tuesday, May 9th at 2:00pm. You may view Tom’s biography and session details here.

What is the largest takeaway that you’re hoping to leave the audience with?
“High availability can be hosted in the cloud and it can be affordable.”

What are you most looking forward to at COMMON?
“It’s great to unite with our customers and friends in the industry; I always learn so much from them. There’s a unique energy behind COMMON because it’s run by experts from all different industries using IBM Power Systems running IBM i.”


Vern Hamberg

Senior IT Developer at Ecolab, Pest Elimination

Vern will be presenting at nine sessions, with titles including Query Management: What is it? Why Should I Care?, Fast Modern Excel Workbook Creation Using RPG and Extend Your Reach to Remote Data with Open Access: RPG Edition. You may view Vern’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?
“Although I feel strongly about them all, probably I’m most passionate about the 2 on ‘Fast Modern Excel (XLSX) Workbook Creation Using RPG’. I hope they convey the idea that we should find ways to say ‘Yes!’ to almost any ‘Can you do this…?’ request. And to accomplish this goal in effective and interesting and well-pleasing ways.”

What’s one topic you’re hoping to learn about at this year’s conference?
“I want to learn more about the open source possibilities on our favorite system.”

 

Rich Diedrich

IBM i Wizard at Rich Diedrich Consulting, LLC

Rich will be presenting at three sessions titled Accessing Java from RPG IV, The RPG Programs Used by Madoff and Encryption on IBMi. You may view Rich’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“The RPG Programs Used by Madoff (33CN) is the most fun because it is very different from my other more technical presentations. I get to talk about the experience of being an expert witness in a federal trial, how I did the analysis of the programs, and show the actual code used. I particularly appreciate talking through the code with an audience that understands the code and some of the more humorous aspects of how it was done.”

What do you predict will be the hottest IBM i topic of the conference this year?

“I am not sure what it will be, but based on the presentations and presenters available, this conference will be an excellent opportunity for attendees to think and learn about how their IBM i data needs to be made available in current application environments and the serious security considerations that need to accompany that availability.”

 

Dawn May

Senior Technical Staff Member at IBM

Dawn will be presenting at ten sessions, with titles including Predictive Performance Management, Introduction to the IBM i Performance Data Investigator and Hidden Gems of IBM i. You may view Dawn’s biography and session schedule here.

Which of your sessions are you most looking forward to presenting, and why?

“One of my favorite presentations to give is ‘Introduction to the IBM i Performance Data Investigator’. I find there are a lot of people that have never used this function even though it is included with the operating system and everyone has it. I've really enjoyed it when someone tells me they logged onto their own system to try it out during the presentation.

I also look forward to presenting the ‘Manage Work Better with Better Work Management’ session. IBM i work management is a significant differentiator for IBM i and IBM has delivered some important enhancements that make it even better.”

As a seasoned COMMON veteran, what do you enjoy most about the conference?

“Of course it's the people in the IBM i community! Over the years, I've met a lot of people while at COMMON and there are a set of folks that I only see when at the conference. Each year, I meet a few more people and my professional network gets a little bit bigger. The best part is that the people in the IBM i community are the friendliest!”

 

Conrad Feldt

Owner / IT Consultant at Itasca Computer Resources

Conrad will be presenting two sessions titled Windows 7 & 10 Tips, Tricks & Techniques and Improving Your Memory. You may view Conrad’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“My session Tuesday afternoon, Improving Your Memory. It is a non-technical session and it gives a break from the other sessions. We all know that we do not remember as well as we would like to. This is an interactive session and has proven to be a lot of fun. Come to relax and at the same time come away with some useful tips on Improving Your Memory.”

What are you most looking forward to at COMMON?

“I enjoy meeting up with past acquaintances from 18 years ago to last year, and meeting new people, sharing ideas, thoughts, and knowledge. Simply put, the networking.”

 

Robin Tatam

Director of Security Technologies at HelpSystems

Robin will be presenting five sessions, with titles including IBM i Security: The Good, the Bad and the Downright Ugly, Data Breaches: Is IBM i Really at Risk? and IBM i Security for Programmers. You may view Robin’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“The session I am most passionate about is definitely the enthusiastic discussion surrounding our annual "State of IBM i Security" study.  This is an award-winning session for a reason. Each year, we pour a wealth of resources into compiling what is the only study of its kind, and it always amazes me the provocative things we uncover.  It's a good education for the uninitiated as well as those that mistakenly think that security on a Power Server is correctly and fully preconfigured at the factory.”

As a seasoned COMMON veteran, what do you enjoy most about the conference?

“I thoroughly enjoy COMMON's encouragement of knowledge expansion. While we all gravitate towards sessions that are 100% pertinent to our daily grind, I also encourage attendees to sign up for one session whose abstract is completely outside of the box; just to get some exposure to something new. It's also an unparalleled opportunity for our team to share what we work on behind the scenes and the expansive suite of business solutions (software and services) we bring to the corporate table. From the human side, let's not forget meeting up with old friends as well as introductions to numerous new ones via a networking opportunity like no other!”

 

Gordon Leary

IT Manager at AMPORTS, Inc.

Gordon will be presenting at two sessions, the Reception for First-time Attendees and the First Timers Social. You may view Gordon’s biography and session schedule here.

You’ve been attending COMMON conferences for quite some time. What keeps you coming back?

“I have been attending COMMON conferences since 1987 for several reasons. The first is education. The IT business is in a constant state of change, and COMMON has always kept me up to date on this change. Every time I come to a conference, I learn something that I can take back to my organization to use. It may be a new skill, a new relationship, or a new application that can be used to save my corporation time and resources. I can also use this information to take advantage of the year-round learning that COMMON offers.

The second reason I keep coming to a COMMON conference is relationships. The COMMON community is a helpful group of IT professionals. I do not know how many times I did not know how to pursue a problem, but I knew someone else that I met at the annual conference that does know the answer. A short email or phone call always brings help! The COMMON community wants to help and see every member grow in their profession.”

What is one piece of advice you’d offer to first-time attendees?

“Don’t be shy! The speakers are there to help you become a better IT professional. Ask questions, participate in sessions, talk to people outside of sessions. Talk to the vendors in the Expo. You may not have a need for their product now, but things change. I keep a drawer full of vendor products. It is great to be able to pull out the answer for that new challenging project. If someone gives out an email, it is because they truly want you to ask questions at any time. This is a great community, and COMMON is here to help grow that community.”

 

Steven Wolk

CTO at PC Richard & Son

Steven will be presenting at six sessions, with titles including Let’s Learn Linux, Words to Live By: A Blueprint for Success and Command Jeopardy. You may view Steven’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“Of the six sessions I’m presenting at this year’s Annual Meeting, I’d have to say I’m most passionate about ‘Words to Live By: A Blueprint for Success’. While I enjoy speaking about a variety of technical topics that are near and dear to my heart, my true passion in teaching is helping people succeed. Personal success is a topic I’ve studied for many years, and I’ve identified what I believe are 12 key principles we can all follow that will lead to greater success in our own lives. We’ll discuss these principles through the context of meaningful motivational quotes, combined with some very personal stories demonstrating how these lessons can be applied. Many of the stories are funny, while others are poignant, but it’s my hope that they will be remembered – and help attendees be more successful - long after the conference has ended.”

What do you predict will be the hottest topic of discussion at this year’s conference?

“I think open source will be the hottest topic of discussion at this year’s Annual Meeting. While the IBM i has always been a very open operating system, the interest I’m seeing in running open source software on the i seems to just be exploding. That’s why I decided to present a brand new session at this year’s conference, ‘Let's Learn Linux’. It’s a great way for attendees to get their feet wet with open source software, without assuming any previous knowledge. And the skills learned will be applicable across a wide variety of platforms, ranging from Linux servers, to desktops, to our favorite server, the IBM i!”


Debbie Saugen

Director of Business Continuity Services at HelpSystems

Debbie will be presenting four sessions, with titles including Essentials of Backup Recovery for Disaster Recovery on IBM i and Getting the Most Out of BRMS Recoveries. You may view Debbie’s biography and session schedule here.

Which one of your sessions are you most passionate about, and why?

“Everyone who knows me understands the passion I have about IBM i disaster recovery. My session on Essentials of Backup/Recovery for Disaster Recovery on IBM i will help you prepare for being recovery ready should a system failure or disaster occur. During this session, I will share true stories from my decades of experience helping companies recover their systems after a disaster.”

What are you most looking forward to at COMMON?
“I’m looking forward to seeing all my friends, making new friends and sharing my knowledge about the latest for IBM i Backup/Recovery and Disaster Recovery. Not only do I get to share my knowledge and experiences, but I will also be learning from others!”

 

Ron Byrd

Director of Professional Services at Linoma Software

Ron will be presenting alongside Bob Luebbe of Linoma Software at two sessions titled Simplify Encryption with DB2 Field Procedures and Securing Your File Transfers from the IBM i. You may view Ron’s biography and session schedule here.

What are you most looking forward to at COMMON?

“I am looking forward to seeing all our customers that go to COMMON to learn more about the IBM i.”

What is one piece of advice you’d offer to first-time attendees?

"COMMON can be overwhelming for a first-time attendee. Spend time before you arrive to check out online the classes you want to attend. Learning can also happen in the Exposition. There are a lot of talented people working in the Exposition. Stop by and ask the vendors questions that you have about different processes and products. You will find that the vendors are always willing to help people learn."


From the teams at Linoma Software and HelpSystems, we wish this year’s COMMON speakers the best of luck!

Linoma Software, together with HelpSystems, will be participating in the Expo at booths 413 and 417. Be sure to stop by! For more information on the COMMON 2017 Annual Meeting and Exposition, visit www.common.org/events/annual-meeting/.