Posts

Shadow IT: What it is and how to mitigate it

Technology has advanced at an incredibly fast rate in the past few years. Innovations such as the computer that were once thought too expensive for personal use are in a vast majority of American homes, and the emergence of the smartphone has increased the internet’s reach even further.

It would seem that every day some new device or piece of software is making life easier for people, and while this may be good for the consumer, it poses a major risk for IT administrators. The in-office use of these kinds of technology is called shadow IT, and it’s causing some big problems for organizations all over the globe.

How is shadow IT formed?


The issue at hand here has to do with an employee’s personal convenience. As a rule, shadow IT very often forms when a worker decides to go outside of the company-supported suite of software and hardware in order to use something he or she is more familiar with.

A good example of this would be an employee who gets fed up with a certain file storage/exchange system. They don’t know how to work this platform, so they decide to use a free service that they’ve relied on before.

While this may solve a convenience issue, this employee is now moving company information around utilizing a platform that isn’t supported by the internal IT team. This creates a gaping security vulnerability that a hacker could work to exploit.

BYOD can help foster it

An aspect that a lot of administrators don’t consider is that shadow IT doesn’t just pertain to software or digital platforms. As TechTarget contributor Margaret Rouse points out, hardware is also part of the equation.

Your employees have all kinds of personal devices that they use at home, and they bought them for good reasons. They have experience with this tech, and this can very easily translate to an increase in productivity.

In fact, the bring-your-own-device trend hinges on this exact principle. BYOD allows organizations to sidestep paying for new equipment by simply allowing workers to bring in their own gadgets. On top of that, staff members get the unique ability to complete daily responsibilities with the tech they know and love.

When done properly, this is a perfect example of a win-win scenario. However, a BYOD deployment must be implemented properly. The IT team needs to handle this transition to ensure that the devices in question are properly secured against hackers. Without some kind of security procedure on the books, companies could be looking at a data breach.

The problem is that employees very often don’t know about the risks involved here. Again, without any sort of maliciousness, they’re simply thinking of their own convenience and choose to bring in their own gadgets without clearing it with company officials. In fact, a survey from Gartner found that more than one-third of respondents were currently completing work-related tasks on personal devices without telling anyone about it.

This is huge because the average person simply does not take the time to properly secure their gadgets on their own, especially considering the high standards of data security many industries need.

A consumer affairs survey found that only 8 percent of average smartphone owners had software that would allow them to delete the information contained on their phone should it be stolen. While most people would worry about the photos and other irreplaceable memories in the event of a theft, a stolen smartphone can easily turn into a major data breach should the wrong person get their hands on the gadget.


Companies must take action

Clearly, shadow IT is no laughing matter, and organizations must take decisive action in order to mitigate the risks of a data breach. So, what would this look like?

First and foremost, set up a meeting with employees to explain the consequences of their actions. As stated, it’s not that these workers are actively trying to sabotage the company. Rather, they simply don’t understand that using a personal device or outside software could cause serious harm. These people simply need to be educated about what can happen when they step outside the approved systems.

Second, to attack unlicensed BYOD directly, administrators must come up with a plan. This could include banning these gadgets outright, but doing so is nearly impossible to enforce, and completely misses all of the advantages BYOD has to offer when done correctly. A better option may be to simply work with a vendor that knows how to implement a secure system to regulate these devices.

Finally, it might be important to figure out why employees were using outside tech to begin with. Are current solutions not doing what they’re supposed to? Do you need to implement training sessions? Would it be best to simply move on to a different platform? Answer these questions and you can work to find the root of the problem.

Data dilemma: Where does police body camera footage go?

As recording technologies get smaller and cheaper, giving police officers cameras to wear on their bodies at all times is quickly becoming a reality. These devices have incredible implications, both for average citizens and for officers, as they allow the courts to cut through all the drama and hearsay in order to get to the truth of what exactly happened. That said, there are a few obstacles standing in the way of widespread body camera deployment.

One of the biggest issues currently facing departments wishing to bring these gadgets to the field is the storage of the video itself. Having a camera running at all times during an officer’s shift creates a lot of footage, and simply deleting this because “nothing happened” isn’t an option. After all, an officer could have recorded something of import without even noticing it. So how extensive is this storage problem, and what can police departments do to ease such a transition?

How much data can a police department generate?

Before delving into the more nuanced discussions of data storage, it’s vital to first understand exactly how much data the average police station can create. Each department will obviously have its own special needs, but a good place to start is the analysis of the Chula Vista, California, police department’s data storage given by Lieutenant Vern Sallee in Police Chief Magazine.

Sallee stated that his station had 200 sworn police officers that were using body cameras in their daily rounds. After playing around with their current setup, Sallee’s department found that a 30-minute video demands around 800 MB of storage. Accounting for all officers with cameras, Chula Vista could generate around 33 TB of data annually. To put this in perspective, Sallee stated that this is roughly the same size as 17 million photographs.

Again, it’s important to remember that this is a rough estimate for a single town. Chula Vista has just over 265,000 citizens, making it larger than the average American city. That said, such a population pales in comparison to the 8.5 million people living in New York City, and implementing a police body camera initiative in this kind of metropolis would be a whole different ball game. What’s more, these larger cities are the ones that need body cameras the most, as they generally have more violent crime requiring forceful police intervention. Clearly, simply finding a place to put all this data is going to be a challenge.


Privacy and security are huge concerns

Another major concern with these body cameras is the privacy of the people involved in the recordings. As stated, departments can’t delete a video until they are absolutely sure that nothing on it could possibly be useful in the future. This means that the actions of a lot of innocent people are going to be recorded and stored, and this has certain civil rights groups worried.

In fact, a coalition of the National Association for the Advancement of Colored People and the American Civil Liberties Union presented some guidelines to legislators in 2015 attempting to govern how these recordings are treated. The group wanted to prevent an overreaching use of facial recognition software, as well as ensure officers were only allowed to watch their videos from the day after filing a report, according to CNN.


On top of that, it’s important to remember that police officers have rights, too. These men and women will be recorded at all times during their shift, which means any private conversations they’ve had with their partners could easily be viewed by a third party. These people have the right to discuss personal matters without being listened to after the fact, and officers shouldn’t live in fear that their superiors will eavesdrop on some conversation that they don’t agree with.

Finally, and perhaps most importantly, all of this is for naught if police departments can’t keep the video files secure. A malicious individual or group could do a lot of damage with the ability to map out an officer’s day-to-day duties, and departments must therefore do everything in their power to ensure these criminals are kept at bay.

Partnering with the right company is crucial

Clearly, there are a lot of challenges to overcome when implementing a body camera initiative. That said, the pros definitely outweigh the cons if police administrators are willing to find the right partner for the job. Any officials looking for a company to assist them in their transition should definitely check out the data storage services offered by ISG Technology. We have years of experience storing information for companies from all kinds of industries, and we pride ourselves on our ability to keep our clients’ data safe. Contact us today and find out what an ISG Technology solution can do for your department.

Securing A Mobile-First Digital Workplace

With the growing millennial presence in the workforce today, it’s safe to say GenMobile has definitely arrived. GenMobile isn’t about a specific age generation; rather, a “changing-how-we-do-work” generation. Think about how we do things today versus five or even ten years ago. No longer do we need to come into a dedicated office space between specific hours of the day to get our work done. GenMobile is an always-on-the-go, yet more-connected-than-ever generation, and it’s changing the way IT responds to their business needs.

Today, mobility is everywhere – and it can benefit everyone. If you are an employee, and your child is sick at home, you can be home with them and still meet your deadline. Maybe you are more focused at ten o’clock at night, versus ten o’clock in the morning. Employers benefit from mobility for those same reasons.

Mobility affects the business-to-consumer relationship as well. As more companies develop applications that customers can interact with on their smart devices, both parties benefit. Customers benefit in a variety of ways – from product information and reviews to location-based services that lead them around the workspace. Businesses pull valuable information about their customer base through these apps – from what products are generating a lot of interest online, to where customers are spending their time, and when.

Workspaces are changing as well. IDC claims there are over 1.3B mobile workers today, or 1.3B people who aren’t tied to a specific network port. Think of that unoccupied cubicle space in your office. Can you tell me that 100% of your cubicles are in use by a specific employee – not as storage space – as an actual desk space? On average, these spaces are sitting unused at $14k per cube. If it fits the needs of the workspace, what’s holding an organization back from going wireless?

The Internet of Things couldn’t be what it is today without mobility. IoT is all about the sensors, and most of those sensors connect wirelessly. IDC claims that by 2017, 90% of datacenter and enterprise systems management will rapidly adopt new business models to manage non-traditional infrastructure and BYOD device categories. That screams IoT. The only thing more important than those sensors is securing the data that those sensors are gathering. If the integrity of the data is compromised, what’s the point of the sensor?

With all of these changes in mobility, and everything already coming from IoT, how do you respond? How do you accept these business-advancing changes while keeping your company secure? It all comes down to access – who has access to what on what device at what time. How do you enforce changes as your business changes? Let’s take a look at a few features that will help.

 

Authentication and Authorization

802.1X – It doesn’t matter if it is wired or wireless, 802.1X provides a great level of control over network access. Being able to throw a connection to a quarantine VLAN if/when needed keeps internal data and services safe.

Device Profiling – Having specific information about devices on your network can help create workflows and enforcement policies. It allows you to know what behavior you should expect from the device, and take action when that device is exhibiting unexpected behavior.

Identity-based Security – Not everything connects to the network through a wired port. The system needs a way to find out who is on the network, so that it can enforce proper permissions to its users.

 

Network Access Control Services

Device Differentiated Access – Being able to control not only who has access, but by what device, can help keep expected connections safe and unexpected connections off the network.

Managed Guest Access – Setting up an open Wi-Fi network with an Internet connection is not a guest network anymore. Bandwidth throttling, self-registration, and connection length monitoring are a few capabilities you need to have to provide a safe guest network.

Health/Posture Checks – Making sure that trusted devices are staying compliant before they reconnect to the network keeps networks safe.

 

Architecture and Coverage

Scalability – You never want to paint yourself into a corner when architecting a solution. Business growth shouldn’t mean ‘ripping and replacing’ architecture. Scalability is key.

Context Capture – Sharing information between systems can be extremely valuable. Why can’t your NAC solution benefit from information that your MDM solution has?

3rd-Party Integration – What happens when two companies merge? Oftentimes, multiple hardware platforms are a result, but multiple connection scenarios shouldn’t be. IT needs a solution that has the ability to control a wide breadth of hardware, so the users see the same connection experience, regardless of what they are connecting through.

 

Management and Visibility

Workflow Automation/Template-Based Simplicity – Workflows should be easy enough for users to follow successfully, yet structured well enough that IT gets the information they need from them. These workflows can be created from standardized templates so that all IT tiers can support them, which is a win-win for both users and IT staff.

Intelligent Reporting – This term shouldn’t seem like an oxymoron anymore. With a system that is natively aware of all of its parts, reporting should be simple yet specific. No more need for a flood of reports, just the ability to piece together what you’re looking for.

At the core of these 4 feature sets is security. The individual pieces of these feature sets are useful, but without security being at the core, they are worthless. Deploying security that works behind the scenes without interfering with a user’s productivity is what the industry is yearning for.

If we combine these 4 feature sets together and we make sure that security isn’t just a ‘bolt on the door’ but an actual part of the solution or part of the DNA, what do we get? At its most foundational level, we get IT adapting authentication to mobile requirements. To do this, we really need 3 things – policy, context, and visibility. We need policy to help us control who we have connecting to what and from what device. Context identifies users and their devices and helps keep policies and enforcement current. Visibility is what ultimately allows us to see how effective our policies are, and gives us the eyes we need for effective troubleshooting. Policy, context and visibility are their own separate powerful entities, but making them work together is far more powerful.
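How policy, context and visibility can combine into one access decision, including the quarantine VLAN mentioned under 802.1X, is sketched below. This is an added example, not code from ISG or from any NAC product; the VLAN IDs, field names, roles and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN IDs for illustration only.
VLAN_CORP, VLAN_BYOD, VLAN_GUEST, VLAN_QUARANTINE = 10, 20, 30, 999


@dataclass(frozen=True)
class Session:
    """Context collected for one connection attempt (field names are assumptions)."""
    user: Optional[str]             # identity proven by 802.1X; None if unauthenticated
    role: Optional[str]             # looked up from the identity store, e.g. "employee"
    device_type: str                # device profiling result
    managed: bool                   # company-managed asset vs. personal (BYOD) device
    posture_ok: bool                # health/posture check result
    guest_registered: bool = False  # completed guest self-registration
    matches_profile: bool = True    # traffic is consistent with the profiled device type


@dataclass(frozen=True)
class Decision:
    vlan: int
    reason: str


def decide(s: Session) -> Decision:
    """Policy: the first matching rule wins; anything unmatched fails closed."""
    # A device behaving unlike its profile loses access regardless of who is logged in.
    if not s.matches_profile:
        return Decision(VLAN_QUARANTINE, "behaviour deviates from device profile")
    if s.user is None:
        if s.guest_registered:
            return Decision(VLAN_GUEST, "registered guest, internet only")
        return Decision(VLAN_QUARANTINE, "no authenticated identity")
    if not s.posture_ok:
        return Decision(VLAN_QUARANTINE, "failed posture check")
    if s.role == "employee":
        # Device-differentiated access: same person, different network per device.
        if s.managed:
            return Decision(VLAN_CORP, "employee on managed device")
        return Decision(VLAN_BYOD, "employee on personal device")
    return Decision(VLAN_QUARANTINE, "no rule for this role")


def decision_log(sessions):
    """Visibility: one record per attempt, so the effect of the policy can be reviewed."""
    return [(s.user or "-", s.device_type, d.vlan, d.reason)
            for s in sessions for d in (decide(s),)]


# Constructed sample sessions.
SAMPLE = [
    Session("alice", "employee", "laptop", True, True),
    Session("alice", "employee", "smartphone", False, True),
    Session("bob", "employee", "laptop", True, False),
    Session(None, None, "tablet", False, True, guest_registered=True),
    Session("svc-print", "printer", "printer", True, True, matches_profile=False),
]

if __name__ == "__main__":
    for row in decision_log(SAMPLE):
        print(row)
```
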

So, IT adapting authentication to mobile requirements seems obvious enough. After all, users need what they need and IT needs what they need, but there’s no reason why both parties can’t have their cake and eat it too. Have you met my friend, Aruba ClearPass?

Aruba has put together a pretty sophisticated authentication engine to run access to your network. ClearPass can handle everything – from onboarding devices for part of your BYOD strategy to managing access to your guest network to providing enterprise AAA including RADIUS and TACACS+. ClearPass also has over 100 vendor dictionaries to make sure that regardless of your hardware platform, ClearPass will be able to not only communicate with it but also make sure that your policies are being enforced through those devices. Having all of these possibilities through one product and not bolted on or piecemealed together, helps ensure consistency throughout the entire ClearPass experience.


Lessons learned from the Bangladesh Bank hack

Years ago, bank robberies were a very physical affair. Criminals donned ski masks and shot automatic weapons in the air, shouting for tellers to step away from the silent alarm buttons. That said, it would appear thieves have decided that this is just a little too much work. Hacking banks in order to steal money allows for the same reward without having to deal with a hostage negotiator.

In fact, the most recent cyberattack levied against Bangladesh Bank shows just how lucrative these schemes can be. The hackers involved in this scenario made away with around $81 million, which is more loot than any ski-masked thug could ever carry away. However, perhaps the most interesting part of this whole debacle is that this is nowhere near what the culprits originally intended to get. Investigators have discovered that the original plan was to take close to $1 billion when all was said and done, according to Ars Technica.

Unfortunately for the individuals involved, a simple typo wrecked what could have been the biggest criminal act of all time. A transaction meant for the Shalika Foundation was spelled as “Fandation,” which tipped employees off that something was afoot. Regardless, this is still a massive undertaking that demands intense review.


How did they get in?

To understand how this whole scheme began, it’s important to comprehend how Bangladesh Bank sends and receives funds. Institutions like this rely on SWIFT software, which basically creates a private network between a large number of financial organizations. This lets them send money to each other without having to worry about hackers – or so the banks thought.

Gaining access to the transactions within this network was basically impossible, unless someone were to be able to compromise a bank’s internal IT systems. This is exactly what the criminals did.

However, Bangladesh Bank isn’t completely free of blame here. The only reason that hackers were able to gain entry was because the financial institution was relying on old second-hand switches that cost about $10 each. Considering how much was at stake, pinching pennies in such a crucial department seems incredibly irresponsible in hindsight. What’s more, the bank didn’t even have a firewall set up to keep intruders out.

Once hackers bypassed this low level of security, they were given free rein to do as they pleased. Accessing Bangladesh Bank’s network allowed them to move on to SWIFT, as the cheap switches didn’t keep these two separate. However, the really interesting part of this whole criminal act was how they took the money without anyone noticing.

Why weren’t they discovered sooner?

In order to make off with the cash, the criminals had to access a piece of software called Alliance Access. This is used to send money, which allowed the hackers to increase transactions in order to make a profit. However, Alliance Access also records transactions. This was a big problem for the thieves, as they couldn’t make money if someone knew they were stealing it.

To fix this, the hackers simply inserted malware that disrupted the software’s ability to properly regulate the money that was being moved. On top of that, this malicious code also modified confirmation messages about the transactions. This allowed the criminals to continue to operate in obscurity, racking up millions of dollars without anyone being the wiser. In fact, they would have gotten close to $1 billion if one of these altered reports hadn’t contained a spelling error.


However, understanding so much about how Bangladesh Bank’s system worked has pointed investigators to the notion that this was an inside job. In fact, The Hill reported that “people familiar with the matter” know that a major suspect is a person who works at the bank. No one has been named yet, but getting an employee in on the job certainly makes sense.

Network assessments are a must

Regardless of whether or not this turns out to be an inside job, the fact still remains that Bangladesh Bank was incredibly vulnerable to a hack like this. Relying on cheap network switches is bad enough, but not having any sort of firewall is a major hazard that modern institutions simply cannot allow.

This is why every company should consider receiving a network assessment from ISG Technology. Our skilled experts know how to spot glaring vulnerabilities such as these, and can suggest fixes to ensure the security of private data.

How ISG handles HIPAA compliance

Health care data is heavily monitored in the U.S. The Health Insurance Portability and Accountability Act has very strict regulatory standards about how this kind of information can be handled. One wrong decision could result in some hefty fines, even if the person or organization didn’t know they were making a mistake. The American Medical Association has stated that even accidentally violating HIPAA could cost a medical facility up to $50,000 per violation.

Clearly, making a mistake when handling medical records isn’t an option, which is why ISG Technology works with health care providers to ensure they don’t stumble. But what exactly can ISG do for you?


Issues with security aren’t always apparent

The main advantage of partnering with ISG is that we can help you get ready for an actual HIPAA compliance audit by zeroing in on problems you might not even notice.

One of the main issues our engineers run into when assessing a hospital’s network is the fact that security credentials often aren’t taken as seriously as they should be. Basically, employees who only need to view certain kinds of data are often able to access information they shouldn’t be able to see. In an average hospital network, only about two or three employees should be given admin privileges. However, ISG experts often come into an assessment and find that 100 workers in a 700-user system will have domain admin accounts.

This is a problem because it creates a huge number of entry points for a hacker who can socially engineer her way into accessing one of these accounts. According to past experience recounted by security firm Social-Engineer, more than two-thirds of employees will provide a stranger with their information such as their birthday, Social Security number or their personal employee ID. A hacker could easily call into this hospital and use this information to trick a staff member into giving them login credentials to an admin account, thereby allowing the criminal free rein over a network.
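The over-privilege finding described above can be measured from a group-membership export, including admin rights inherited through nested groups. The following is an added example, not ISG's assessment tooling: the group names, account names and 42-user total are constructed, and the limit of three follows the "two or three" figure given above.

```python
# Constructed export of group memberships: group name -> direct members.
# A member that is itself a key of this dict is a nested group.
GROUPS = {
    "Domain Admins": ["adm-jlee", "adm-mkhan", "Helpdesk", "Nursing-IT"],
    "Helpdesk": ["t.ortiz", "r.chen", "Desktop-Support"],
    "Desktop-Support": ["p.nguyen", "Helpdesk"],   # circular nesting
    "Nursing-IT": ["s.patel"],
    "Radiology": ["d.kim"],                        # not nested into Domain Admins
}
TOTAL_USERS = 42  # constructed size of the directory


def privileged_paths(group, groups):
    """Map every effective member of `group` to the chain of groups granting it."""
    paths = {}
    visited = set()                      # guards against circular nesting
    stack = [(group, (group,))]
    while stack:
        current, chain = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in groups.get(current, ()):
            if member in groups:         # nested group: descend into it
                stack.append((member, chain + (member,)))
            else:                        # user account: record how it got here
                paths.setdefault(member, chain)
    return paths


def audit_admins(groups, total_users, group="Domain Admins", max_admins=3):
    """Summarise who holds admin rights, how, and whether the limit is exceeded."""
    paths = privileged_paths(group, groups)
    return {
        "count": len(paths),
        "share": len(paths) / total_users,
        "over_limit": len(paths) > max_admins,
        "direct": sorted(u for u, c in paths.items() if len(c) == 1),
        # Accounts that are admins only because of group nesting, with the path
        # to break in order to remove the privilege.
        "nested": {u: " > ".join(c) for u, c in paths.items() if len(c) > 1},
    }


if __name__ == "__main__":
    result = audit_admins(GROUPS, TOTAL_USERS)
    print(f"{result['count']} effective admins ({result['share']:.0%} of users)")
    for user, path in sorted(result["nested"].items()):
        print(f"  {user}: {path}")
```
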


ISG can help you fix these problems and pass an audit

HIPAA audits are extremely comprehensive, and getting a perfect score is next to impossible. In fact, as the above example shows, health care facilities often have numerous issues that they don’t even know about, which can decrease an organization’s standing if an auditor were to discover these problems.

ISG can help these facilities decrease the number of red flags to a manageable and reasonable number, thereby increasing the chances of passing an inspection. Health care data is extremely private, and ensuring its safety should be a top priority.






White Paper: Best Practices For K-12 Tech




Done right, IT can ensure a strong return on investment and have a proven positive impact on Education Success Measures (ESM). This free report will teach you the common pitfalls to avoid, along with best practices for network implementation, including:

  • 5 benefits of converged technology
  • A sample strategic IT hierarchy for planning
  • 2 critical factors for successful Wi-Fi upgrade
  • Wi-Fi purchasing tips
  • Keys to successful video surveillance and access control systems
  • 3 security benefits of IT as a Service

White Paper: Cybersecurity Best Practices




In the ever-changing security landscape, it’s hard to fully understand security threats and even more difficult to create lasting, effective solutions. Read the ISG executive report to learn:

  • How to identify potential threats
  • Best practices to protect your business

The True Value of Cisco Communications Solutions

Industry: Healthcare

Formed in 1989, Kansas Medical Mutual Insurance Company (KaMMCO) is the state’s largest liability insurer, serving physicians, hospitals, and other health care professionals. Headquartered in Topeka, Kansas, the member-directed company has three branch offices throughout the state and approximately 80 employees.

Challenge

Formed by Kansas physicians, KaMMCO is a trusted insurance provider for approximately 3,700 health care professionals and facilities throughout Kansas and in the greater Kansas City area. However, its aging Nortel communication platform fell short of the company’s reputation, needs, and goals. Employees had to dial 800 numbers to connect with coworkers in any of the company’s four locations and they couldn’t transfer calls, which threatened to impact internal and client satisfaction.

In October 2006, as KaMMCO planned for a major addition to its headquarters, the company decided to upgrade its existing Nortel system to a more advanced Nortel VoIP solution that would allow direct interoffice calling. So when a company executive suggested to Andy Grittman, KaMMCO CIO and vice president of MIS, that he meet with Salina, Kansas-headquartered ISG Technology, Inc., to explore a Cisco solution, he was hesitant.

In December 2006, Grittman somewhat reluctantly met with the 143-employee Cisco Premier Certified Partner with eight additional locations in Kansas, Missouri, and Oklahoma. “As a happy Nortel client, I was less than thrilled with the prospect of a Cisco telephone system,” explains Grittman. “But in the course of a two-hour meeting with ISG, I opened my mind to the possibility. And over the next several weeks, ISG demonstrated that Cisco was far more than just a telephone system. It’s a foundation that KaMMCO could build on to meet future needs. We signed the contract January 31, 2007.”

Solution

ISG began the five-month implementation in March 2007, installing a robust Cisco network infrastructure including Cisco Catalyst switches and Cisco Integrated Services Routers.

ISG also installed Cisco Unified Communications, a single system that provides powerful new ways to collaborate. To that, ISG added Cisco Unified Communications Manager, an IP telephony call processing system; Cisco Unity, a voice and unified messaging platform; and Cisco Unified MeetingPlace Express, an integrated voice-, video-, and Web-conferencing solution.

To enhance internal and client communication, ISG implemented a Cisco Digital Media System. The comprehensive suite of digital signage, enterprise TV, and desktop video applications allows KaMMCO to quickly and easily connect and collaborate.

ISG secured the infrastructure with Cisco Adaptive Security Appliances (ASAs) that stop attacks before they impact business continuity.

Results


“The Cisco solution has made us a stronger organization across the board,” says Grittman. “With four-digit dialing and video conferencing, we communicate instantly and more effectively between branches, which has increased productivity by about 20 percent and cut travel by as much as 90 percent.

“We’re also now able to deliver more services to our insureds without raising premiums, which better positions us nationally and globally as a vested partner in health-services delivery versus just another insurance company.

“One of my prerequisites for a new phone system was to be heavily involved in the implementation. While other technology providers might cringe at this, ISG embraced my desire for knowledge and made me an active participant during configuration and installation.

“We now have a reliable, scalable communication foundation to which we can cost-effectively add new technologies as we grow, and we’ll continue to partner with ISG and Cisco along that road.”

Ransomware: How hackers hold data hostage

Crime has changed with the Internet age. Although physical theft is still a problem, the introduction of computer systems into the workplace has brought about a generation of criminals who use code to steal rather than a gun. Perhaps the epitome of this trend is ransomware, a specific piece of malware that encrypts a victim’s files until the user pays the hacker a ransom.

Ransomware attacks have been steadily increasing recently, with more businesses than ever being forced into a corner by cybercriminals. What does the current ransomware landscape look like, and how can companies protect themselves from this ever-growing threat?

The online underworld has taken a shine to ransomware. This popularity has a lot to do with just how simple and effective a ransomware campaign can be. All it takes is for the user to open the wrong attachment on a bogus email, and the malware takes it from there. What’s more, these kinds of attacks are extremely effective. Victims generally panic, sometimes scared by phony messages from the FBI or CIA about having to pay a fine, and will often reinforce this malicious behavior by paying the criminal.

In fact, a November 2015 McAfee Labs Threats Report found that hackers are throwing their full weight behind these campaigns. The study discovered that total ransomware more than doubled between the fourth quarter of 2014 and the third quarter of 2015, eventually resting at a whopping 5 million observations.

Forbes contributor Thomas Fox-Brewster noted the example of Locky, a specific type of ransomware that is compromising around 90,000 devices per day. It’s a strong and effective piece of malware and shows just how troublesome these kinds of attacks are.

Although a ransomware attack is pretty straightforward, hackers are constantly innovating their techniques to make a fast buck. One of the ways they’re doing this is by branching out in terms of what systems they attempt to infect. Cybercriminals are going for less of a “spray and pray” method and more of a targeted approach, going after CEOs and CFOs. The logic here is that the important people in a company have important data on their computers and as such would be more willing to fork over a ransom.


Another trend: Hackers are also beginning to target entire servers rather than specific computers. This was recently proven to be a solid tactic after cybercriminals held Hollywood Presbyterian Medical Center’s data hostage, eventually forcing the health care facility to pay $17,000 in untraceable bitcoins. Hackers using ransomware often ask for bitcoins because they’re so hard to trace.

Ransomware may be a frightening concept, but it can be beaten if a business takes the right preventive steps. These steps include three key areas of focus: technology, processes and people.

Technology is already the backbone of your organization, so it makes sense that you’d need to invest in it if you want to prevent a ransomware attack. There are a lot of tools that detect infections before they become a problem, but what you’ll really want to focus on is backup software. The practical uses of backing up your most important data are nearly endless, but it also has the added bonus of mitigating the risks of a ransomware attack. If you have your mission-critical information backed up somewhere, you can simply ignore the hackers’ demands of payment to unlock your files.

Next is processes, and this is one that the boardroom is going to need to take a specific interest in. Executives often ask questions like “Are we backing data up?” This kind of inquiry doesn’t really mean anything, as it doesn’t tell you the specifics behind your company’s contingency plan. You should be asking where the data is or how far back the records go in order to have a full understanding of where your organization is at.

Last, and most importantly, businesses need to invest in education for their workers. Despite the fact that they keep operations running, the people at your company are the weakest link in your cybersecurity chain. You need to train them to be able to spot what a fishy email looks like and how to avoid clicking on suspicious links. Your company is only as safe as you want it to be, so make sure to train your employees to recognize the dangers of cyberattacks.
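The questions recommended above (where the data is and how far back the records go) can be answered from a backup catalogue and tested against a ransomware scenario. The following is an added example, not ISG's tooling: the catalogue entries, dataset names, locations and infection time are constructed, and it assumes the time the infection began is known.

```python
from datetime import datetime

# Constructed backup catalogue: (dataset, location, completed_at).
CATALOGUE = [
    ("finance-db", "offsite-tape", datetime(2016, 2, 1, 2, 0)),
    ("finance-db", "nas01:/backups", datetime(2016, 3, 1, 2, 0)),
    ("finance-db", "nas01:/backups", datetime(2016, 3, 8, 2, 0)),
    ("patient-records", "nas01:/backups", datetime(2016, 3, 9, 2, 0)),
    ("patient-records", "nas01:/backups", datetime(2016, 3, 10, 2, 0)),
]

# Datasets the business considers mission-critical (constructed).
REQUIRED = ["finance-db", "patient-records", "hr-shares"]

# Constructed moment at which files started being encrypted.
INFECTED_AT = datetime(2016, 3, 8, 12, 0)


def recovery_plan(required, catalogue, infected_at):
    """For each required dataset, find the newest restore point that predates
    the infection, where it lives, and how much work would be lost."""
    plan = {}
    for dataset in required:
        points = sorted((done, loc) for ds, loc, done in catalogue if ds == dataset)
        # Copies taken after the infection may already contain encrypted files.
        clean = [p for p in points if p[0] < infected_at]
        if not points:
            plan[dataset] = {"status": "never backed up"}
        elif not clean:
            plan[dataset] = {
                "status": "history starts after infection",
                "oldest": points[0][0],
            }
        else:
            done, loc = clean[-1]
            plan[dataset] = {
                "status": "recoverable",
                "restore_from": done,                 # how far back we must go
                "location": loc,                      # where that copy is
                "data_loss": infected_at - done,      # work that cannot be restored
                "locations": sorted({l for _, l in points}),
            }
    return plan


if __name__ == "__main__":
    for name, entry in recovery_plan(REQUIRED, CATALOGUE, INFECTED_AT).items():
        print(name, entry)
```
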