Making your company more cyber aware

The biggest problem companies face when it comes to cybersecurity is often not the technology; it’s the people.  And hackers know this. That’s why it takes more than strong IT to keep your company safe.

Beyond technology, the best way to protect your business from cybercriminals is with a trained and educated cyber aware company culture. It may seem like a large and daunting company initiative, but it isn’t. It rests on a few cornerstones that you keep building on, along with continuing education and strong corporate communication.

Let them know cybersecurity is everyone’s job

Leadership is always where a company culture starts. Employees and contractors, from entry-level to senior management, need to feel that cybersecurity is important to the company. If the executive leadership team values cyber safety, it will trickle its way down to all corners of the workplace.

Cybersecurity should be more than just the responsibility of the Information Technology department. Leadership must state clearly that it is up to everyone, beyond IT, to keep cyber criminals out of the company’s network.

Management shouldn’t be the exception to the rule. Managers most often hold the most highly privileged accounts. Allowing management to bypass those safeguards not only puts the organization at risk but also sets a bad tone from the top.

Train and test your staff

Posters, employee newsletters, training sessions and regular meetings are avenues to communicate across the organization about how everyone can be more cyber aware. Regardless of what methods you choose, you should train staff on a regular basis. Monthly training is highly suggested. It can be via email or face-to-face. Or both.

Beyond training, it is good to confirm that employees understand and retain the cybersecurity information. While you can trust that the staff is paying attention, it is recommended to test your staff as well.

Send a mock phishing email a little while after a training session or communication. It would be interesting to see who, if anyone, falls prey to the false hack. This shouldn’t be a gotcha for those employees but a chance for the organization to focus on more advanced training.

Teach your team that the inbox is the hacker’s favorite target

Based on current trends, cyber attackers are finding email to be the best route for penetrating a company’s security defenses. Trends Labs reports that 91% of targeted cyber-attacks use email as their way to breach networks. Likewise, Ponemon reports that 78% of targeted email cyber-attacks use malware embedded in an attachment.

Addressing targeted email attacks from leadership and your technology department is an essential piece of the puzzle when creating a cyber safe culture. This should certainly be a topic addressed in employee training and even onboarding.

Have a password update plan

According to Verizon’s 2017 Data Breach Investigations Report, as many as 81% of hacking-related breaches were caused by leveraging stolen or weak passwords.

Often, employees are not aware of the risks. That is why password education is a great topic to include in cybersecurity training. Require complex password structures and explain the reasoning behind them. Do not allow people to use the default password for more than the first login.

Have a formal cybersecurity plan

Your technology team should contribute significantly to a cyber aware culture and to cybersecurity training. Have the IT folks develop formal cybersecurity training with a documented plan to accompany it. The plan should be reviewed and updated often. Too many companies create cybersecurity plans and teams only to find that the plan becomes dusty and the teams include staff who are no longer at the company.

Ask for a cyber security advocate from each of your departments like HR, Finance, Sales & Marketing, etc. since this casts a wider net to learn about targeted phishing and helps show that cyber security isn’t just for IT anymore.

No matter how great your CIO or CTO might be, one person alone cannot fight cybercriminals. Create a cyber aware culture and get everyone at your organization involved.


Disaster Recovery Plan

Some stats on disaster recovery

If you’ve ever known disaster, whether it be natural or cyber, you know just how serious it can be. Obvious causes include storms that inflict on-site damage or malicious attacks, but even user error can trigger disaster at a moment’s notice. Regardless of how your business conceives of these threats, the cruel fact remains: 93% of companies without a data recovery plan face closure within a year of a major disaster.

According to phoenixNAP, over the past five years, half of all businesses have weathered a downtime event longer than a full working day. The most common causes are:

  • 45% - hardware failure
  • 35% - loss of power
  • 34% - software failure
  • 23% - external security breaches
  • 20% - accidental user error

According to DataCore, for the businesses that experienced a downtime event, only half were confident they could restore 100% of their data. Smaller and medium sized businesses face greater fallout from these disasters, often because they have fewer IT staff, and a smaller portion of funding allocated towards technology resources.

Reports have also found that 75% of small businesses do not have a disaster recovery plan in place, creating a huge liability for an already overtaxed budget. Given the tremendous cost associated with data recovery, roughly $100,000 per incident, small businesses face a more arduous recovery process.

Keep in mind that 1 in 3 businesses reported a virus or malware attack in the last five years. Also, 58% of business breaches in the last 12 months have been due to viruses and malware, and only 2% of businesses were able to recover from their latest security event within an hour.

Fortunately, the majority of these problems are avoidable through strategic planning. 96% of companies with thorough disaster recovery and data backup plans were able to avoid the fallout from ransomware attacks. By leveraging a resource such as TimbukTech, your company will have the benefit of:

  • Disaster recovery
  • Retention and reporting
  • Data backup and restoration
  • High availability and shared storage
  • Infrastructure design and architecture

If you're looking to outfit your business with affordable, enterprise protection, contact a TimbukTech expert today.


Managed IT Service

What to look for in Managed IT Services in central Illinois

Outsourcing your company’s IT can be complex. There are many factors to consider and many IT solutions out there. Before you start looking for managed IT services, you need to know what you’re looking for.

Not all IT solutions in central Illinois are created equal. A managed IT service may offer very minimal services or very extensive services, and it’s up to you to determine what level of service you need.

On-premise or off-premise IT administration services.

A Managed Service Provider, or MSP, may provide services either on-site or remotely. If services are provided on-site, an MSP may complete hardware upgrades and troubleshoot hardware problems, while working directly with employees to resolve issues. If services are provided remotely, an MSP may operate primarily server-side and through screen sharing. Either way, IT administrative services will bridge any gaps a company currently has with its internal IT department.

Managed cloud services.

Many companies are moving towards cloud-based solutions. MSPs that specialize in cloud services will secure, protect, monitor, and maintain the company's cloud solutions, providing an as-a-Service infrastructure for the company. Companies that want to outsource their software solutions may want to establish a relationship with a cloud-based MSP, as they will be able to deploy the needed cloud-based solutions.

Help desk solutions.

Companies that don't have an internal IT department (or who want to refocus their IT department to higher priority tasks) can use the services of a help desk solution. A help desk solution will respond to trouble tickets from within the company, addressing internal issues and putting out fires. This frees up the company's own IT staff for more important tasks.

Data backup and protection.

Data is central to the operations of the modern business. MSPs may provide advanced data backup and protection suites, which will protect the company's data from malicious attacks or negligence. Frequently, cloud-based backup solutions are used to redundantly sync and protect data.

Security solutions.

Security-as-a-Service is becoming a more popular way to protect a company's infrastructure and its data. Advanced security solutions are able to monitor a network environment and identify potentially malicious behavior. An MSP will be alerted to security issues and can work to mitigate them quickly.

TimbukTech offers all of these services, so it’s time to assess your current IT infrastructure and pain points to determine the services that you need. We can walk you through the assessment in a short meeting to begin to develop a plan for your business going forward.

The needs of a company can vary depending on its industry. TimbukTech specializes in quite a few industries including financial, healthcare, local government, manufacturing, retail, and small business. Our experience in these industries makes us very knowledgeable and ready to take on industries beyond these as well!

A managed IT service provider is going to work with you as a partner. Once you find the right fit, you’re sure to improve upon and optimize your company’s entire IT infrastructure. Give TimbukTech a call at 309-444-7263 to begin exploring your options close to home!


Protect your information

Scams have been around for ages, and as long as people continue to fall for them, criminals will continue to set them in motion. New scams, and new mediums for running them, are emerging constantly. The new thing? Computers and interactive scams. As long as people use computers, criminals will continue to use them in their scamming efforts.

Some examples of common scams include:

  • The Nigerian Prince check scam
  • Winning a fake lottery or prize
  • Travel scams
  • Disaster relief scams
  • Phishing

We know people are falling for these because studies show a good percentage of people are willing to give out personal information voluntarily to people they may or may not know. This can be interpreted to mean that a majority of the population is not careful enough with their information. It’s scary to find the numbers are sometimes in favor of the criminals.

Avoid being the victim of a scam

Education is key when it comes to scams. You should stay on top of current techniques scammers are using so you know what to look for in a scam.

How do you know if it’s legit or fraudulent?

To protect yourself, your company, and your customers from these cyber attacks you need to be up to date with current scamming trends and also know some best practices to follow in case you are suspicious of something.

Here is a list of cyber safety tips and best practices to follow to help minimize your chances of falling victim to a scam:

  1. Pop-ups
  • Make sure your browser has a pop-up blocker turned on.
  • Be suspicious of any pop-ups.
  2. Spelling errors
  • Example: JohnD@marrillych.com (Notice "Merrill Lynch" is spelled incorrectly?)
  3. Email
  • Be cautious of all links and attachments.
  • If you are not expecting an email or are not familiar with the email address, be cautious.
  • Be cautious if the email body is vague.
  • If you are possibly familiar with the sender but were not expecting the email, reach out to the person to see if they did in fact try to email you.
  4. Familiarize yourself with popular scams or social engineering tactics
  • There are many great news websites with articles on current scams.
  5. If something says “time sensitive” and you’re not familiar with the contents, do not feel pressured to rush.
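
The misspelled sender domain in the tips above can also be caught automatically at the mail gateway or in a reporting tool. The following Python sketch is an added example, not TimbukTech's code: it flags sender domains that are a few typos away from a domain you trust. The allow-list, the sample headers and the one-typo-per-five-characters threshold are all assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the company really deals with.
# "merrilllynch.com" is derived from the brand named above (an assumption).
TRUSTED_DOMAINS = ["merrilllynch.com", "example.com"]


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain) for one From: header value."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in trusted:
        # Allow roughly one typo per five characters of the real domain.
        if edit_distance(domain, good) <= max(1, len(good) // 5):
            return ("lookalike", good)
    return ("unknown", None)


# Constructed sample headers, including the address from the tip above.
SAMPLE_HEADERS = [
    "John D <JohnD@marrillych.com>",
    "Jane <jane@merrilllynch.com>",
    "News <digest@unrelated-newsletter.org>",
]


def triage(headers=SAMPLE_HEADERS):
    """Classify every header; returns (header, verdict, matched_domain) tuples."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in triage():
        print(f"{verdict:10} {header}  (closest trusted: {match})")
```

A "lookalike" verdict is a reason to quarantine or tag the message for review; an "unknown" verdict only means the domain is not on the allow-list.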

It’s not a bad thing to be suspicious! If something seems suspicious, consult us here at TimbukTech or do some further research to determine what the best course of action should be. Remember that like a fence or a firewall, you are the first line of defense for your money and information.

What is the best way to defend yourself against cybercrimes?

The best advice for defending against these scams is to be aware. Be aware that people are trying to scam you and be aware that the resources exist to help you spot these scams. If you follow these cyber safety tips, stay vigilant, and stay updated, you should feel more confident that you’re protecting your money and your information.


Your IT guy won’t beat an MSP

Does your company work with a Managed Services Provider (MSP) like TimbukTech or are you relying on a “tech guy” in-house? We’re willing to bet that you’re relying heavily on a “tech guy” and hoping you don’t run into any difficulties. There are some drawbacks to that logic. Let’s take a look.

IT is the secondary role of your employee

Often, we find that your employee was not hired to be the IT guy, but in fact he’s the receptionist first and IT guy second. His core duties are scheduling, taking and making phone calls, routing email, directing visitors around, and much more. On top of these primary duties, your whole company is calling on this employee to fix their tech issues. At this point, he’s doing two jobs. It’s highly likely that this employee is not doing either job to his fullest ability as he can’t focus on one at a time.

Employee burnout

When one person is handling two jobs at the same time, the effort can really bog them down. He was asked to be a tech person because he knows a few things about computers and now that everyone’s aware of that, they’ll be calling upon him frequently. Anyone who has taken on extra duties beyond their core role knows that it is easy to get burnt out fairly quickly.

So now we ask, what if that employee quits? What happens when things turn ugly late at night? Is it up to this overworked employee to get up and come in to handle the situation? If he can’t come in until the next day, what does this mean for the company? Downtime can be costly.

Employee limitations

“The tech guy” can come with many limitations. Out of 40 hours in the workweek, how many are to be spent on their primary occupation and how many are to be spent on tech?

Another limitation might be training. It’s likely that this person has never read a page of a Network+ book, taken the MCSE test, or had any other IT training. Yet your company has him poking around in the network. What happens when he makes a mistake that brings the network down? Now you’re hiring a 3rd party anyway to come in and fix what’s broken. That can be expensive … often over $120 an hour, plus loss of business!

MSPs can help

When we come across a client that uses a “tech guy” in-house, we ask the following questions to assess lost revenue.

  • When was the last time your server was down?
  • How long did it take to bring it back up?
  • Were you able to conduct business without the server?
  • Did your tech person know how to fix the IT issue?
  • Did you need to call in a 3rd party to fix the IT issue?
  • How many times has the server or network gone down? Is this a fairly common occurrence?

The underlying cost of downtime could equate to a lot more than a monthly agreement with TimbukTech as your MSP. We’re here to help you understand the implications of not having a solid IT solution. Let’s explore your business’ options. Give us a call at 309-444-7263 and we’ll go through your specific needs and weigh your options.


They’re fired, but what about their passwords?

It can be difficult to fire or part ways with an employee. You’re losing a valuable asset if they’re leaving voluntarily, but someone being fired can leave you in the lurch. You have the task of launching a disciplinary process and then holding a meeting at the time of termination. But there are other things to think about, primarily security and the ex-employee’s access to company data.

It’s important to have a process in place so that whenever a termination or parting of ways occurs, nothing slips through the cracks regarding your business’ security. Here are some considerations regarding passwords and voluntary termination or involuntary termination.

When an employee is let go, immediately change all the passwords for anything the employee had access to. You should have a few days to make a plan and define the process for cancelling access. Don’t make the changes in security before your final meeting and dismissal. Instead, plan ahead and assign someone to disable their passwords during the time you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.

If your company has, let’s say, a Twitter account, you don’t want the ex-employee tweeting through it, so be prepared to change all social media passwords. We mention this because companies and organizations often either forget about these kinds of access or hesitate to change passwords because of the hassle of getting everyone access again. Trust us. The effort is worth it!

The possibility of having to lock out an employee may make you consider measures you have avoided so far. Consider a shared wifi password. Do you really want to change it for everyone or is it time to use a managed router and individual authentication?

If someone voluntarily leaves your employment, you hopefully have 2 weeks or so to implement a plan similar to the one above. Use your best judgement as to whether the soon-to-be ex-employee will be up to no good during their final days. That is something you can only judge on an individual basis.

Make sure you have a solid data backup and continuity strategy in place. You may need to compare data after the employee is gone to see if any sensitive data was moved or deleted.

We always recommend that you force a password change for immediately surrounding co-workers and consider a company-wide reset. You may be unaware of shared passwords. Even though employees are not supposed to use each other’s passwords, it may be going on anyway.

Lastly, you should consider pushing a remote wipe to the terminated employee’s BYOD devices from your Exchange server. This should remove only company data and reboot the phone to prevent access. Be aware that you might end up wiping all data from the phone, so you might openly ask them to delete company data on the device while they’re with you in the office. It will make it easier on them in the long run.

If you have questions on how to deal with departing employees, give us a call at 309-444-7263. TimbukTech can help you develop an employee termination procedure.


Let’s talk password basics

Worry about your security all you want and keep locks on your data center and have the recommended level of network security available, but it will all mean nothing if your employees are sloppy with their passwords!

Based on data from real-world investigations and compliance management vendor Trustwave’s 2012 Global Security Report, the most common password used by global businesses is “Password1”! This is an unbelievable statistic, and it shows that many administrators don’t understand how to make password-based access policies more robust.

Here are some basic practices that you should require your employees to follow. System administrators should implement other policies, such as forbidding the reuse of previous passwords and locking accounts after a few failed login attempts. But let’s take it a step further with these tips.

  • We recommend that companies change out all passwords every 30 to 90 days.
  • Each password should include a mix of upper and lowercase letters, a number, and a symbol.
  • Teach employees NOT to use standard dictionary words (in any language).
  • Don’t use personal data that can be known, or could be stolen: addresses, telephone numbers, SSN, etc.
  • A longer password is a more robust one.
  • Emphasize that employees should not access anything using another employee’s login.
  • Employees shouldn’t use variations of the same password, such as changing only the number or special character. Hackers know this is a common practice and use this knowledge to guess passwords more easily.
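
Several of these rules can be enforced at password-change time instead of being left to memory. The following Python sketch is an added example, not TimbukTech's code: it checks a proposed password against the tips above, including the "variation of the same password" case. The word list, the 12-character minimum and the sample values are assumptions; the old password is available for comparison because the user types it during the change.

```python
import re

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty"}
# Common character swaps: 0->o 1->l 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oleastas")


def core(password):
    """Reduce a password to its letter skeleton so trivial edits collapse."""
    text = password.lower()
    text = re.sub(r"^[^a-z]+|[^a-z]+$", "", text)  # drop leading/trailing digits, symbols
    text = text.translate(LEET)                     # undo common substitutions
    return re.sub(r"[^a-z]", "", text)              # keep letters only


def check_new_password(new, old, personal=(), min_length=12):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(new) < min_length:  # min_length is an assumed policy value
        problems.append("too short")
    classes = (any(c.islower() for c in new), any(c.isupper() for c in new),
               any(c.isdigit() for c in new), any(not c.isalnum() for c in new))
    if not all(classes):
        problems.append("needs upper, lower, number and symbol")
    skeleton = core(new)
    if any(word in skeleton for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(item and item.lower() in new.lower() for item in personal):
        problems.append("contains personal data")
    if skeleton and skeleton == core(old):
        problems.append("variation of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    for new, old in [("Password1", "Autumn-Leaves-42x"),
                     ("Gr4nite&Falc0n8!", "Gr4nite&Falc0n7"),
                     ("vK7#qLm2!xRt9zPw", "Gr4nite&Falc0n7")]:
        print(new, "->", check_new_password(new, old) or "ok")
```

In production, replace the five-word set with a full dictionary or breached-password list and pass the employee's known personal details (phone number, street, birth year) as `personal`.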

These are just a few basic password tips, but they can make a big difference in keeping your business’s sensitive data safe.