2FA/MFA: Multi-Factor Authentication, What Is It?

Password security is one of the most fundamental steps toward an effective end-user security policy. However, over the years, advice on how to keep passwords and access to them secure has undergone several revisions and updates, which has left people and businesses confused as to best practices. We are going to look at the latest recommendations and understand a core component of the new “password paradigm,” namely Two Factor Authentication (2FA) or Multi-Factor Authentication (MFA).

Back when I was in high school, around 20 years ago, everyone in the tech industry thought a good password was complicated, contained not only letters and numbers but also symbols, and didn’t spell anything obvious. Basically, the adage was to make your password so hard not even you can remember it.

How many times did this backfire on me? How many times did I have to hit that password reset button and force myself to come up with something else? How many of you have a spreadsheet on your desktop where you’ve pasted all these passwords in an effort to keep track of them? Do you have a secure password to unlock your computer? How about to open the spreadsheet to read your passwords?

With this situation of a single password for each log-in, your passwords are only as secure as the weakest link to get to them. It doesn’t matter how varied and complex the passwords are if the list of them is easy to find, or one can access that list on your PC, or even in your home. While experts always recommended having a separate, unique password for each login you create, most people ended up using the same password for pretty much everything. As you can imagine, the problem here is if someone found out that one password, they would be able to access everything. Not good.

There has been so much fear driven into people around the concept of password security; most of us ended up just sticking our heads in the sand and hoping no one stole our passwords. That was my parents, that was my coworkers, and, yes, that was me.

That was also back in the day when we had only one internet-connected device: the computer. These days, almost everyone has at least two devices: a smartphone and another device (tablet, laptop, desktop, smart-TV, etc.). Some of these devices also have fancy biometric technology, such as face or fingerprint scanners built in.

As such, our ability to prove our identity has improved significantly, and experts have updated their password security recommendations. Authentication methods are now divided into three main categories: 1) Something you “know;” 2) something you “have;” and 3) something you “are.” Since it is highly unlikely that an attacker would have gained access to more than one of these, experts now recommend using at least two of these items to authenticate with; hence 2FA or Two Factor Authentication.

Multi-Factor Authentication (MFA) is the industry term that means just that, using more than one of these three categories to prove your identity. When you call your bank and they ask you for the last 4 of your Social Security number, they are taking what you “have,” which is the phone number you’re calling from, and testing it against what you “know” – the Social Security number you provided. If one of these two doesn’t match what they have on file, then it’s not enough for them to verify your identity (or at least it shouldn’t be).

What you “are” comes into play these days primarily with biometrics (fingerprints, face scans, etc). MFA in this instance is used mostly when setting up the biometric login function, in that you would use methods from the other two categories to prove that the face or fingerprint being presented does in fact belong to the person logging in. Once it’s set up, due to the level of uniqueness of the biometric, other factors typically are not necessary for passing authentication.

When it comes to web logins, MFA has developed into a fairly streamlined, if not obviously simple, process. You put in your password (what you “know”), then a box comes up asking for a code (what you “have”). Sometimes this code is sent to your phone in a text message or in an email; sometimes you have to download a specific app that connects with website login systems and auto-generates codes every 30 seconds or so.

Configuring these authentication apps can be somewhat confusing, but they generally break down into a few basic steps when you are logging onto a website that requires MFA: 1) Download the app onto your device, say your smartphone, and log in, if necessary; 2) Use the app to read a QR code displayed on the screen; and 3) Enter the code that appears on your phone onto the page on your computer. Once this is set up, the next time you sign into the website you just open the app on your phone and the code is there waiting for you.
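What the QR code and the 30-second codes amount to, shown as an added example that is not part of the original article: the QR code carries a shared secret in an `otpauth://` URI, and the app and the website each compute the code from that secret and the current time (TOTP, RFC 6238). The URI, account name and secret below are constructed sample values; the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI of the kind a setup QR code encodes. The secret is
# the RFC 6238 test key ("12345678901234567890" in Base32), not a real one.
SAMPLE_URI = (
    "otpauth://totp/ExampleSite:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite"
)

ALGORITHMS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_otpauth(uri):
    """Extract the TOTP parameters from an otpauth:// enrollment URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("enrollment URI carries no secret")
    b32 = params["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # authenticator secrets usually omit padding
    algorithm = params.get("algorithm", ["SHA1"])[0].lower()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": algorithm,
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """HMAC the counter, then apply RFC 4226 dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, at, digits=6, period=30, algorithm="sha1"):
    """Code shown by the app at Unix time `at`: HOTP over the 30-second step number."""
    return hotp(secret, int(at) // period, digits, algorithm)


def verify(secret, submitted, at, window=1, digits=6, period=30, algorithm="sha1"):
    """Server-side check: accept the current step and +/- `window` steps of clock drift."""
    base = int(at) // period
    ok = False
    for counter in range(max(0, base - window), base + window + 1):
        expected = hotp(secret, counter, digits, algorithm)
        # Constant-time comparison; every candidate step is always evaluated.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    enrollment = parse_otpauth(SAMPLE_URI)
    now = time.time()
    code = totp(enrollment["secret"], now, enrollment["digits"], enrollment["period"])
    print(enrollment["label"], "current code:", code)
    print("accepted by server:", verify(enrollment["secret"], code, now))
```

Nothing is sent between the phone and the website when a code is generated: anyone holding the secret can produce valid codes, and a phone that loses the secret can produce none until the account is enrolled again.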

The biggest pitfall of this authentication method is if something happens to your smartphone (i.e., it’s lost, stolen or just dies outright). If you suddenly don’t “have” the thing you had used to prove yourself, then your only option is to reach out to the support of the company that you’re trying to log into and see if they can reset your MFA settings on the back end so you can set up another device.

This happened to me earlier this year, when my phone fell and then refused to turn back on. I got a new phone quickly enough, got my phone number transferred over, restored my iCloud backup and got all my apps back. At first, all seemed good. Then I opened my authentication code app to get logged into work the next day and . . . it was empty. After a minor panic attack, I reached out to the necessary admins, and they were able to reset the system so I could create a new MFA link to my new phone. When this happens to you (and it will, especially considering how frequently people replace their phones these days), don’t panic! If you don’t know who to call, call us at Vermont Panurgy and we’ll help you get pointed in the right direction to get your new MFA setup complete.


What is an MSP?

Before Vermont Panurgy, I managed a trade school in the Pittsburgh (PA) area with three physical locations. The school offered associate degrees in four disciplines: dental assisting, medical assisting, medical coding and billing and massage therapy.

With multiple locations, over 300 students and 100 employees, the school utilized a wide variety of computers, printers and software applications for operational, student and compliance needs. Each location also had a library offering access to computers and printers for all students. It was therefore critical that all school IT systems functioned properly and with virtually no downtime.

As with many small businesses, we did not have the budget for a dedicated technology department. To get by, I did what I could and tapped the semi-technical abilities of the company’s controller. This worked well in some situations, but it also took away from the controller’s and my time and resulted in partial fixes rather than a comprehensive, proactive monitoring of our technology systems.

Therefore, I began to look for a more comprehensive solution. My objective was to find a service provider that could support the school’s computers and printers as well as several applications (like SharePoint and QuickBooks) residing on the cloud; and obviously at a reasonable cost.

I began with what many people do when they don’t really know what they want … use Google.

I began to enter key words and terms in Google such as “desktop support”; “IT”; “computer repair”; “computer services”; “IT systems”; etc. I thought I was thorough in my selections; I was not. I should also have been looking up the terms “managed services”, “managed services provider”, “fixed fee IT support” or “set fee IT support.”

For sure, the search I did conduct yielded a variety of support providers and some looked to be right in line with the school’s needs. After several follow-ups, I thought I found the ideal match. Subsequently, I arranged an in-person meeting that included several senior school managers and me.

While the meeting went well, the subsequent engagement letter from the support provider was not close to what we wanted in terms of daily support and cost. The proposed terms started with a large, up-front retainer fee with support focusing on the development of a longer-term strategy of systems upgrades and conversions. Disappointing to say the least given the discussion at the in-person meeting.

We did not move forward with that proposal. In fact, we continued to limp along with the existing patchwork of internal IT support because of that experience and not being able to find what we needed.

Here is the irony: I left that position and about a year later acquired Vermont Panurgy … exactly the type of support provider we needed at the school; albeit in a different state.

So what is the lesson here? Actually, there are two lessons and my suggestion: 1) When searching for an IT support provider, thoroughly research applicable terms and nomenclature; and 2) think about what you need and want in a provider.  I suggest you contact Vermont Panurgy!

Oh, and lastly, MSP means Managed Service Provider, which is what we are. Vermont Panurgy delivers IT services such as network updates, application and infrastructure management and security measures via regular remote support and/or active administration on our customers’ premises. Our overarching goals are to ensure that our customers’ IT systems are always operational and secure.

Don’t Lose Your Files, Save Them Properly

Remember paperback books? Remember how you’d put it down somewhere, then have the hardest time remembering where you put it? Keeping track of stuff is tricky but keeping track of documents and files you’ve saved on your computer can often feel even more confusing. Recently, with the advent of cloud synced storage, yet another layer of complexity has been added. It’s nuts! This article will discuss some of the most important aspects of file saving on your computer and strategies to make sure you can not only find your stuff, but preserve it in case of catastrophe.

File organization on your PC or Mac starts when you click the “Save” button. Two main questions occur at this phase: What are you going to call it? And where are you going to put it? A name is often pre-filled, and there is always a default save location, so raise your hand if you usually just hit “Save” and move on. But where did you save it? What was that name? If you weren’t paying attention, things can get quite confusing fast.

Quick Access in Windows 10

Luckily, Windows File Explorer has an easy shortcut to find it. If you click on “Quick access” in the sidebar of a File Explorer window, you will see a list of the 20 most recent files on your PC. It also shows you where that file is saved, so you can remind yourself.

You now know where that file is, but how accessible is it? How protected is it? Is it on a flash drive? Do you run backups? Does it sync? All these questions need to be answered if you want to be confident that your files are safe and secure.

Accessibility. It’s all well and good to save files to a flash drive, but don’t forget to eject the drive before you pull it from your PC, and don’t forget where you put it! I can’t tell you how many files I’ve lost because I couldn’t remember where I put that drive, or I forgot what was on it and reformatted it for another purpose.

Another “local” option is to save files to your business’s internal file server. Servers generally are more reliably backed up than workstations (though check with your boss on this if you’re not sure!), and you can access the file from any PC that is connected to the internal network (which includes over VPN). The main drawback to this option is that both the server and your workstation need access to the network; if either one goes down, the file is not available. Furthermore, if you are out of the office or want to access the files using a device that cannot connect to the internal VPN, you can’t access the file.

A more modern option is to use a cloud-based storage sync tool, such as OneDrive, iCloud Drive, Google Drive or Dropbox. All these programs allow you to create a folder on your PC that automatically syncs its contents up to the cloud; you can then access them from any device that has an internet connection using just your login credentials. Furthermore, you can’t lose “the cloud”, and it doesn’t burn down in a fire or other catastrophe.

Most of these options now can also sync your main user folders, such as Desktop, Documents and Pictures. With this option enabled, even if you continue saving things to Documents or Desktop, it will still be protected and accessible in the cloud, on demand. Coolest part? When you get a new computer and sign into your syncing platform, all your files from your old computer automatically appear in their correct locations on the new one!

Protection. You now have your file, you can get to it anywhere, but how protected is it? It is important to remember that in nearly every scenario, syncing files to the cloud does NOT constitute a backup. First, if you delete a file from your computer, the sync then deletes that file from the cloud as well. Second, if your account with the cloud provider is somehow disabled, expired or revoked, you could lose access to the cloud storage altogether. Finally, a loss of internet connection renders cloud syncing moot. And let’s not forget cyber-attacks. Hackers can change the password on your cloud account and lock you out, they can delete files from the cloud (thus deleting them from your synced devices), and they can hold files ransom, just to name a few. Synced files are STILL VULNERABLE!

A third-party backup solution is the best protection to ensure your files are safe. Whether that backup is a physical hard drive you connect to your computer, or a cloud-based backup solution, it is important to make sure it’s through a different provider, using a different password, than your main cloud syncing service. This way, if a hacker takes down your cloud, they can’t also take down your backup.

Make sure your files are safe and easily retrievable by paying attention to where and how they are saved. A little care now can go a long way later!

Personalized IT for Your Business: Know your Techie

The importance of a well-functioning IT infrastructure is critical to the health of any business.  These days it is impossible to imagine a successful business that does not rely on technology to keep it functioning.  Reliability is a must to keep any business efficient and competitive.

Your business has likely contracted with an IT support company or a Managed Services Provider (MSP) to manage its IT needs, keep things running smoothly and respond when support is needed.  Regular maintenance and upkeep are the foundation of IT support, but the critical part for your business comes with the quality and effectiveness of responses when unexpected support needs arise.

Ask yourself this: When you call in to get help with something from your IT support/MSP, how many people do you talk to before you get your issue resolved?  How many times do you have to explain your issue?  How many technicians have you interacted with more than once and how knowledgeable were they regarding the overall state of your business’s IT setup?

Large businesses may not have a choice but to use an IT support/MSP provider with rotating staff to efficiently respond to all their requests.  On the other hand, small- and medium-size businesses have the opportunity to have personalized IT support/MSP that fits the needs of their business.  They do not have to explain the entire setup of their business and the specific issue each time someone calls in with a problem.  They do not have added downtime or frustration as a result of dealing with someone different each time they contact their IT support/MSP.

The best IT support/MSP experience is not based on technical prowess alone, but on the ability to build and maintain relationships with the clients themselves.  If you really know your IT support/MSP, you know who you’re calling before you even dial the number.  You can trust that they know you and your business and will be able to help translate your issue into the technical jargon needed to isolate and resolve it.  You know exactly who to go to when you have a question and you can trust that their answer will take your personal needs into account.  It’s a huge difference from rolling the dice with a large or faceless IT company.

Here at Vermont Panurgy, our clients are known and dear to us.  We strive daily to fortify the trust placed in our care for each company’s IT.  In our weekly team meetings, we discuss each one of our clients in detail, where we share updates, plan preventative steps to keep each one running optimally, and overall make sure everyone on our team knows what is happening with that client, even for clients who may have had a quieter week.  When businesses have Vermont Panurgy for their IT support/MSP, they can rest assured that if they communicate something to one person, it is the same as if they had sent the message to the entire company.  We work well with each other to ensure that responses are quick, efficient, and personalized to each business.  

Are you feeling like your current IT support provider’s shoes are too big for you or not quite the fit or feel that you would like?  Do you wish you knew who was actually working on your IT system?  Give us a call today, and let’s chat about how we can work together so you know your techie!

Do You Remember the Time? Risks and Protections for Business Data Storage

Throughout history, the way we humans have stored memories has been fraught with unreliability. Before the written word, memories were passed down through stories, and each person retelling the story added their own flair, sometimes radically changing the substance of the story, until the line ran out and the stories were forgotten. Once scrolls, books and other archival documents were created, historians still had to deal with decomposing papyrus, fading ink, zealotry and the risk of disaster. Even recordings written in stone have worn down over time. Nature has this unfailing tendency to destroy everything in order to create everything anew.

When computers came along, many people believed the days of deteriorating memory storage were over. Once you write a bit of data into a hard drive, it’s there forever, right? The internet never forgets, right? Unfortunately, the same laws of entropy apply in the electronic storage of data as they did before. If I hadn’t downloaded all the code and assets from that GeoCities website I made back in high school, I would’ve lost it forever when GeoCities shut down. Most of my music library in iTunes would’ve been lost forever if I hadn’t uploaded it to Apple’s cloud before that hard drive stopped spinning. Of course, whenever I end up losing access to the Apple cloud, that’ll be the end of that, but at least I can access it for now.

The fact is, nothing material in this world is permanent. However, we still must operate under the assumption of continued business growth and perpetual operation. So how do we make sure we don’t lose all that important data, documentation, communication, history, that allows our businesses to keep flourishing and succeeding? How do we preserve the past so that we can learn from it?

By now, you’ve probably heard the word “backup” so many times it’s been driven into the ground. Whether or not you’ve heeded the warnings, whether or not you’ve experienced the calamity of data loss, the concept of backups has become a familiar one in our highly digital age. But despite its prevalence in our 21st century lexicon, a large portion of the population still doesn’t understand what it does, how it works, or why it’s important. Let’s take a look.

The Basics of Backups

At its most fundamental root, the term “backup” refers to a copy of your data saved elsewhere, so that if you lose access to the data, you can retrieve it from the other location. Backups are most commonly 1-to-1 copies of the data, preserved exactly as it was when it was copied over, making retrieval seamless and familiar. Backups are sometimes encrypted or compressed, which can alter the code, but as long as you are able to decrypt or decompress it, you shouldn’t notice any difference. This is a bigger IF though, so if you do encrypt your backups, make sure to store the decryption key somewhere safe, preferably offline, preferably in multiple locations, like on a piece of paper in your locked desk drawer, copied to another piece of paper in a safety deposit box at the bank. If your backup solution creates compressed backups or proprietary backup files, be aware that you will need that solution to retrieve content from that backup as well.
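One way to check that a backup is still the 1-to-1 copy described above, as an added example that is not part of the original article: hash every file on both sides and report what is missing, what differs, and what survives only in the backup (files deleted at the source, which a sync tool would also have deleted). The folder and file names are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_backup(source, backup):
    """Compare a source folder with its backup copy by content, not by name or date."""
    src, bak = hash_tree(source), hash_tree(backup)
    return {
        # In the source but never copied: not protected yet.
        "missing": sorted(set(src) - set(bak)),
        # Same name, different bytes: stale copy or silent corruption.
        "mismatched": sorted(n for n in src.keys() & bak.keys() if src[n] != bak[n]),
        # Gone from the source but still recoverable from the backup.
        "only_in_backup": sorted(set(bak) - set(src)),
    }


def demo():
    """Build a constructed source/backup pair in a temp folder and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "source"), Path(tmp, "backup")
        for root in (source, backup):
            (root / "clients").mkdir(parents=True)

        # Identical on both sides.
        (source / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
        (backup / "invoices.csv").write_bytes(b"id,amount\n1,100\n")
        # One character differs in the backup copy.
        (source / "clients" / "contacts.txt").write_bytes(b"alice,555-0100\n")
        (backup / "clients" / "contacts.txt").write_bytes(b"alice,555-0190\n")
        # Created after the last backup run.
        (source / "notes.txt").write_bytes(b"draft\n")
        # Deleted from the source; the backup still holds it.
        (backup / "old_report.txt").write_bytes(b"Q1 summary\n")

        return compare_backup(source, backup)


if __name__ == "__main__":
    for category, names in demo().items():
        print(category + ":", ", ".join(names) or "(none)")
```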

Depending on where your data is stored, different types of failures can affect your ability to access your data. Stored locally (i.e., on a hard drive connected to your PC, on a network-attached storage drive, on a server in your office), the integrity of your data relies mostly on physical considerations. Physical technology such as hard drives, fans, capacitors on circuit boards, cables, or connectors all wear out over time; it’s just a fact of physical reality. It is therefore important to have another, preferably newer hard drive connected onto which automatic backups of your data can be quickly copied and then retrieved in the event of a failure in your main device.

Then there’s the risk of catastrophic disaster: fires, floods, hurricanes, earthquakes, super volcanoes, continental drift…. Nature (and sometimes humanity) has a way of surprising us with all sorts of dramatic tragedy. In this event, none of your on-site hardware will likely be recoverable, so it is also important to have an offsite backup of your data. Some will elect to get a couple of identical hard drives, one to be connected to the machine for backups, one to be stored in the safety deposit box or some other secure offsite location, then regularly switching out the two devices to keep the offsite drive’s contents up to date. Others elect to use cloud-based offsite backup solutions. Either way, with a backup stored somewhere else, disaster doesn’t have to mean a loss of all your company’s important data.

Data in the Cloud

These days, more and more businesses are taking advantage of cloud-based storage, and even cloud-based servers are becoming more and more popular. The benefits of moving your company data to the cloud are many: ease of access, always-on, low-maintenance, general reliability, not to mention the ability to blame someone else if your data gets corrupted or lost. However, the risks of keeping your data in the cloud can be much greater even than keeping it in your office, depending on your setup.

Anything connected to the internet runs the risk of being compromised, as we have seen from all the news lately about systems and networks being hacked and taken down. Your internet-connected data is only as secure as the methods you use to access it. If you don’t have Multi-Factor Authentication enabled, if you don’t enforce strong password policies, if you don’t restrict access to cloud data based on the roles and responsibilities of the individuals accessing it, you are the low hanging fruit that internet saboteurs froth at the mouth over. If you are considering using cloud-based storage, the first thing you must consider is security.

The other side of cloud-based data storage integrity relates to the company hosting the service itself. Even if all your internal security measures are locked down as tight as possible, what happens if the company hosting your data gets compromised? What happens if they go out of business? What happens if they decide to cancel your subscription without notice? With all the uncertainty in the air these days, these possibilities don’t seem so far-fetched as they did even a year or two ago.

For these reasons, even if your data is in the cloud, it is of utmost importance to back it up. Local backup solutions are good, such as a drive in your office onto which the cloud-based data is regularly copied down. Cloud-to-cloud backup services from third party providers are good as well, as it is rather unlikely that both your storage provider and your backup provider will go down at the same time. Utilizing both of these solutions simultaneously gives you the best chances of preserving your company’s data in the event of nearly any potential threat.

In Conclusion

Here at Vermont Panurgy, we specialize in creating secure and reliable backup solutions for our clients. We can help you identify your storage locations, assess your risk-level, secure your network and connections, and configure your backups for optimal performance. We can even monitor those backups and catch any errors or failures before they cause the backup schedule to fall behind and put your newer data at risk. If you aren’t sure about the integrity of your company’s data, give us a call today and schedule a network assessment. We will provide you with the best recommendations to secure and preserve your systems and data, and we can help you set it all up and give you the peace of mind you need to focus on making your business the best that it can be. Call us today!

Turn to Face the Strain: The Importance of Employee Training in 2021

Coming up on our one-year pandemiversary (yes, I just made that word up), one thing that has become very clear is how different the workplace has become. No more water cooler chats or unexpected pop-ins, team meetings gone remote, difficulty measuring employee productivity or maintaining employee morale, and that’s just a few. The changes are massive and all-encompassing, and the longer this goes on, the more we realize that the “new normal” is going to look a lot different than what we remember. How do we equip our employees with the necessary tools, skills and confidence to face these daunting ch-ch-changes, as David Bowie would call them? Let’s explore.

The first thing I noticed when converting to the work-from-home environment was the sudden absence of communication. It’s so easy to just walk over to someone else’s desk and ask them a question when we’re all in the same building, but when sitting alone in my home office, the hurdle to communication has become much greater. It can feel foolish calling up a coworker for a 10 second chat to answer a question, and it can feel equally foolish sending a text to a coworker that doesn’t get responded to for hours. Confidence is the key, knowing what is effective with whom, and what works best for you. But instilling that in employees can be quite difficult, especially when you’re physically distant.

As consistent communication decreases, echo chambers increase, what I like to refer to as the disparity of experience. Sure, we’re all working from home, but as far as relating to one another goes, the shared experience ends there. All of our home situations are different, how we are responding to the continued isolation and how it is affecting us are different, even our perspectives on larger community and world events may be different. This makes the critical skill of empathy quite difficult to practice, but at the same time even more important. The only thing worse than facing extreme challenge is the feeling of facing it alone.

As the shared experience dissolves and empathy decreases, conflict lies right at the surface, a misplaced word or uninvited opinion away. Maybe you consider yourself a conflict resolution expert, maybe you have tons of experience defusing situations in the office. But how do you even detect a conflict when it’s occurring in virtual meetings you aren’t even privy to? When everyone is separate and oversight of intra-org communications is minimal, how do you see the red flags before the conflict erupts? These are difficult questions to face, even for the most experienced behaviorist.

One unique benefit to having everyone working from home comes through the transition of many training companies such as Vermont Panurgy to virtual classrooms. Working from home eliminates the distractions of a busy office, but the expectation of sitting in front of the computer for long blocks of time is still there. This brings a unique opportunity to provide truly engaging training content in a comfortable and relatable atmosphere for the student, with minimal distraction, thereby increasing their chances of retaining the knowledge gained.

Vermont Panurgy holds a vast portfolio of talent development courses covering all the above topics and more. Whether we’re discussing inter-office communication, practicing empathy, conflict resolution, leadership techniques, writing skills or stress management, we’ve got a class for that.

The best part? Our small class sizes, properly-paced content and highly-skilled instructors allow for a highly interactive virtual classroom, where students can ask questions, discuss with each other and share experiences with ease. Couple this with the quiet, familiar space of your own home, in front of your own computer, and you’re looking at a learning experience unlike any other, the possibilities greater than ever before.

Maybe you feel like your team has acclimated to the work from home environment well enough, maybe you think all these soft skills are already in the bag. Don’t let that confidence allow you to overlook the importance of training though! As with even before the pandemic, investing in professional and personal development of your employees demonstrates a caring attitude and can create a sense of purpose and security, translating into more productivity and job satisfaction. In 2021, you can also add in the opportunity to interact with others for an extended period, something most of us have longed for since last March!

Vermont Panurgy also offers technical training in common software applications such as Microsoft Office 365, QuickBooks, Adobe Creative Suite, and more. We even have higher-level technical classes for IT professionals, such as CompTIA certification boot camps, server and database administration, Exchange Server and Office 365 administration. These offerings bring even more opportunities for you to provide some valuable education to your employees and show them how valued they are. It’s a win-win!

Take a look at our full class schedule to see all of our offerings and upcoming dates. We are excited to help you and your employees take advantage of this unique opportunity for learning and growing, especially while we are all working from home. Bowie had it right, the best way to deal with change is to “turn to face the strain,” let’s turn together!

Managing Employees Remotely: The Importance of Updates

Back at the beginning of last year with the pandemic closing most in-person businesses, a wide variety of businesses started letting their employees work from home — all at the same time, with virtually no preparation or planning. Now, nearly a year later, it is clear that work-from-home is likely going to be a part of nearly all businesses’ infrastructures, whether total or in part.

This hybrid in-person/remote environment has continued to present surprises to business owners and managers even now, over 10 months in. One thing that has become an issue is running manufacturer updates on company-managed computers that are physically in the homes of employees. This article will detail the updates issue and discuss some potential solutions, particularly for the less-than-computer-literate business manager. If you have employees using your machines at home and you don’t have your own IT department managing those PCs, then this article is for you.

Typically, system and software updates continue to run automatically on the operating system of employees’ PCs. However, computer manufacturers periodically release updates to their Drivers and Firmware to keep the communication between the hardware and the software flowing smoothly. If only one side of this relationship stays current and the other side doesn’t, your employees will start experiencing problems with their PCs.

A lot of hardware manufacturers have attempted to resolve the communication issue by setting up their update software to run automatically. Two main issues cause these auto-updates to fail: first, a lot of hardware updates require the computer to reboot; second, an employee’s PC may require administrative privileges for an update to occur.

The updates won’t happen if there is trouble scheduling a reboot or running it automatically. If you have employees who never shut down or don’t routinely restart their computers, this type of issue is most likely to be the cause of whatever oddities are occurring on your employees’ PCs. Have them restart their computers so the updates can occur and, voila! That should solve the problem.

However, auto-updates can also fail when all modifications to hardware, or to the communication between hardware and software, require administrative privileges. Chances are you created an account for your employees to use on their PCs that does NOT have admin rights. This makes sense because you typically don’t want employees installing software that may compromise the security or functionality of their PCs. Unfortunately, unless you installed a remote access tool with its own admin privileges on each employee’s PC before you let employees leave with company PCs (or you let employees use their own PCs; more on the issues related to that another time!), you’re going to need to get your hands on each PC to be able to run the updates using your stored admin credentials. What a pain that would be if you need to get them all back! But that is what you’d need to do in that situation unless you have remote access software.

Remote access software is the primary tool that Remote Management and Monitoring companies such as Vermont Panurgy use to remotely support clients. Similar tools can be purchased and used by business owners, but they are generally rather complicated and expensive. Most importantly, configuring them so the connection to each employee’s remote PC and the contents of the PC itself remain secure can be quite challenging and pose security issues if not done properly.

Some remote access tools are free or cheap, but generally require someone on both ends of the PC to initiate the connection. This means taking up valuable work time from your employees while you run updates on their PC that could otherwise be done while the users are offline.

If you are looking for assistance managing your company’s workstations and the updates that they need, Vermont Panurgy has a number of flexible offerings that can help you with this. Contact us to let us know what your needs are today — don’t wait for an employee’s PC to stop working because no one is there to run its updates!

How Many IT Companies Does it Take?

You all have heard the old joke, told in numerous permutations, starting with the simple task of screwing in a lightbulb. If you’ve been following business and government news over the weekend, you probably heard about the security breach at SolarWinds, an IT company that services clients from Government Agencies to Fortune 500 companies. I want to talk today about how these two things are connected: an absurd generalization turned into a joke, and a serious security threat to the stability of our society.

Let’s first get some preliminaries and disclosure out of the way. SolarWinds is a Managed Services Provider for IT products and services. I also work for an MSP company, and have worked in the Technology sector for over a decade. That said, the connections stop there. Vermont Panurgy does not function in the same ways as SolarWinds, does not service the same types of clients, does not offer the same types of services.

That all said, with the background that I have, I am in a good position to provide a bit of perspective, so I wanted to write this article to point out a commonly misunderstood aspect of the particular product that was compromised, why it is potentially dangerous and what you, as a business owner with valuable and irreplaceable IP, can do about it.

According to news reports and filings by SolarWinds, the specific product that was compromised was something called The Orion Platform. I did some cursory research on this product and it claims to solve a lot of headaches by giving you one single point for all of a company’s IT-related needs. It bundles together several of SolarWinds’ proprietary products into a “single pane of glass,” dangling a tempting carrot of simplicity and streamlined efficiency. Hard to resist, especially for the less-than-technically-minded of us.

How many times have you had trouble with some piece of technology in your office, only to have various Help Desks pass the buck between each other, always saying it was the other company’s fault? How many times have you called one help desk only to be told that you need to call a different one? Who makes what, and how easy are they to get ahold of? What is my warranty on this product, and what does that entitle me to? The headaches of having to deal with multiple IT companies are entirely understandable, but is the right solution to just find some giant that claims to do it all and put all your eggs in their basket?

The problem with bundled, proprietary services is that if there is only one point of access for you, there need be only one point of access for a hacker to get in and crash the party. Decentralizing, especially when it comes to cloud-based and networked IT solutions, helps you be confident that if one company gets hacked, maybe one of your systems will go down but it won’t bring down the whole house. Switching from a complex VOIP phone network back to calling each other on cell phones for a few days is much less catastrophic than your phones, your financial systems, your production lines, everything going down at once.

At Vermont Panurgy, we do our due diligence in researching and carefully considering all the factors that go into making a decision on which provider to choose for a particular service. The services we recommend are all highly commended in their field, and they all come from companies that specialize in the particular area that they service. Need good network security? We’ve got recommendations. Need good Wi-Fi access points? We’ve got recommendations. Need a cloud-based backup system? We’ve got you. And no, they’re not all the same company!

If you are a business owner or manager and this recent SolarWinds hack has got you reconsidering whether or not an MSP is really a good idea, keep in mind that there are a wide variety of MSP types out there, we are not one-size-fits-all! And if you are now concerned about companies that will try and steer you to their own sub-par in-house solutions instead of making honest recommendations about what is best for your business’s success, then give us a call!

“I Didn’t Send That!” Domain Impersonation and You

How many of you were affected by the ransomware attack on the UVM Medical Center’s IT network last week? Whether it was a delayed or cancelled appointment, an issue with work orders and partnerships, or just dropped communication, this type of attack is a tragically real example of the importance of network security.

One of the biggest vulnerabilities that malicious actors tend to exploit in order to gain access to a network is email. There are numerous methods for using email as an attack vector, a big one being what is known as Domain Impersonation.

Domain Impersonation is when someone purchases a domain name very similar to the legitimate domain they are impersonating, and then sends emails from that domain with malicious links, attachments, etc., to infect unwitting recipients’ machines and networks.

Consider this example: You’ve been going back and forth with a vendor (say, sales@panurgyvt.com) in emails about purchasing a product for an upcoming project. Suddenly, you receive an email that appears to be coming from that vendor with an invoice and a request for payment through a link in the email. Whether or not you were expecting this email, take a close look at the domain (what comes after the @ symbol). If you notice the typo (maybe something like sales@panrugyvt.com), you’ll easily identify the email as suspicious and know to delete it.

But how many of us actually look at the email address that every single email is sent from? Chances are, you’re busy and overloaded, you’re distracted, or you’re just the type of person who does not handle their email inbox with suspicion. Under these circumstances, you get the email, remember you’ve been communicating with this person already, and just assume that this is related to that communication. You click the link, or open the attachment, and boom, malware has infected your PC and potentially your entire network. Bad news.

Thankfully, there are solutions out there to monitor for and protect against these threats before the email even hits your inbox. Through the use of artificial intelligence and intelligent monitoring, advanced email security systems today can keep a record of the domains of emails recently delivered to your inbox, and if an email comes in with a similar but false domain, it gets blocked even before it hits your email server.

There are also an increasing number of opportunities for end user training on how to identify suspicious emails. As nearly all email attacks rely on carelessness, ignorance or manipulation to get people to click on malicious links and attachments, the biggest vulnerability point is, in fact, the end users themselves. Implementing regular training and reminders for your workforce surrounding the importance of email security is a top priority for securing modern networks.

If your business could benefit from a more robust email security plan, contact us today! We offer flexible options tailored to your company’s needs that include both server-side monitoring as well as end user training. Reach out today to start the conversation on how Vermont Panurgy can help your business stay protected in today’s modern work environment.

The Human Element of IT Security

Firewalls. Backups. Anti-Virus. Device Management. There are many tools in the IT professional’s toolbox for protecting technology from the threats of the internet. Unfortunately, even the most protected devices are only as secure as the humans that use them. No amount of software is going to prevent a user from clicking on a link in an email, and the inherent flaws of the human condition make the easiest target for an internet attack the end user. Because humans are the leading cause of IT security incidents, it is imperative for business owners and security professionals to integrate the Human Layer into their IT Security framework.

When considering the methods for implementing a security plan for the humans working in your business, the nature of human vulnerability becomes quickly clear: humans are subjective, distracted and easily influenced. Thus, the most effective method of attack comes through what is known in the IT Security world as Social Engineering, or the use of deception to manipulate individuals into divulging confidential or personal information to be used for fraudulent purposes. Hit people where they’re psychologically weak, and they are easy targets for manipulation.

Examples of social engineering are everywhere. As one example in just the past week, a blast of emails recently made it through a client’s email security system informing several senior staff members that their Anti-Virus license had expired and required renewal. Several folks who received that email had no knowledge of the status of the Anti-Virus software on their systems, let alone its license’s expiration date. Thanks to overworked and underslept mental states, red alarms started going off, but for the wrong reasons. Emails quickly came in asking not if the email was legitimate, but why their Anti-Virus software had expired and whether their computers were at risk. Thankfully, they reached out to us before anyone clicked on the link in the email, but one errant finger could have placed the company and everyone who worked in it at serious risk.

Here’s a hypothetical example, uncovering another, even more urgent layer of the human element. In adjusting to a work-from-home workforce placed abruptly on us by the pandemic, members of your organization have migrated to relying heavily on Microsoft Teams for internal communication. Being based in the cloud, this means your server and all of your employees’ workstations are connecting to Microsoft servers regularly. Sniffers pick this scent up and suddenly you start seeing emails coming in offering all sorts of add-ons, freebies, enhancements, support, training, anything that might get you to click on the link in the email. They now know that you’re using Microsoft products for cloud communication, just from the act of you using it. They also know you’re new to it, which makes you more vulnerable. They use everything they can find out about you, in that very moment, to target you with content that strikes at your most vulnerable spots, and they are always adapting.

This shifting field of attack vectors causes us to realize that the implementation of IT security for the human layer must be an ongoing process, with regular reviews, trainings, updates and simulations. They didn’t make us do fire drills in school just to test the bells. Conditioning and repetition are vital parts of training humans in how to recognize and respond to threats.

Let’s next consider the impact of technology on how we form and maintain relationships, especially within the context of social distancing. Different types of people may have different opinions on the effectiveness and authenticity of virtual relationships, but even before government mandates brought compulsory hurdles to physical connection between people, many, especially in the younger generations, had already accepted virtual reality as their primary platform for connecting with others. Now, we’re all finding ourselves there, like it or not.

Just think of all the social engineering vulnerabilities this new paradigm poses. Thanks to the popular MTV show, the term “catfish” comes to mind: people who assume a fake identity online in order to connect with others behind a mask. The subject of the TV show, however, developing romantic relationships over the internet, is child’s play when compared to the sophistication with which similar tactics are used in spear-phishing and other social engineering attacks on businesses and their employees.

Consider the portions of your Facebook profile that are set to be visible to the public. Maybe you don’t think showing people that you live in Vermont and love cats is particularly concerning for the whole world to know. But what about that one Monday morning at work after a long weekend hiking and camping, sleep-deprived and sore, an email comes in marked important that appears to be coming from someone you work with about how they really need your help taking care of their cat? Do you stop and think if this person has ever told you they have a cat before? Do you check the email address the message is coming from, rather than just trusting the displayed name? Or do your instincts kick in and tell you “cat in trouble, must respond”?

Just like getting arrested, anything you say and do on the internet can be used against you in the court of social engineering. The simplest solution, just not doing anything on the internet, is not feasible in today’s business environment. So we are left to implement as comprehensive a strategy as we can to protect ourselves, our business, and our employees from these threats we will inevitably face.

Vermont Panurgy has been at the forefront of IT security and support for over 30 years. We would love to start a conversation with you about how we can implement a thorough, effective and ongoing strategy for your business to protect the Human Layer of IT security. Contact us today!