One of the most commonly believed myths among small business owners (SBOs) is that they don’t need to worry about data security because they aren’t going to be a target. It’s easy to see why SBOs think this way. After all, going after a small business doesn’t seem like it would be nearly as profitable to hackers as going after a big company, like the Target breach from a couple of years ago.
But the unfortunate reality is, small businesses are often easy targets for hackers. The hackers in the 2013 Target attack actually got in through a small HVAC company. Hackers know that small businesses don’t have a lot of resources to dedicate to data security – certainly not as many as enterprise organizations. And they will use that to exploit you.
Don’t believe us? Take a look at these two stats from August 2015:
- 78% of spear-phishing attacks targeted businesses with < 250 employees (Spear phishing is an email that appears to be from someone you know but is actually from a hacker).
- 1 in every 162 emails sent to companies with <250 employees was malicious.
Scary stuff, right?
So what can you do about it?
Get the right systems in place and keep them up to date
At a MINIMUM, you should have a firewall, an antivirus program on all computers, passwords on all computers and programs containing company data, and a system that monitors your outbound internet connections.
But a firewall and an antivirus program installed 2 years ago that haven’t been touched since aren’t doing much to protect you from the latest threats. Hackers and threats to your data security are constantly evolving – and your data security needs to evolve with them. Your data security programs need to be regularly updated and constantly running to keep you protected.
If this sounds too expensive and too cumbersome to manage on your own, you may want to talk to your IT company about security as a service. This treats data security services as an always-on, constantly monitored service, generally paid for with a monthly fee. This means your systems should be protected against the newest threats – and a monthly fee is usually more affordable for small businesses than the large expenses that come with replacing your firewall.
Educate your employees
Ultimately the biggest threat to your company isn’t an outside attacker – it’s your employees. No, we don’t mean your employees are stealing your data to sell on the black market.
But most data breaches are caused by human error: someone opening a malicious email or clicking a bad link or losing their phone or getting a virus on their work laptop while working at home and bringing it inside your network.
It’s vital for all employees to be trained on data security policies and best practices. Employees must understand what they need to watch out for and why. All it takes is for one employee to click on a bad link for your company’s information to be compromised.
There is never a 100% guarantee when it comes to data security (any vendor who tells you differently is either lying or doesn’t know what they’re talking about) – but with up to date systems and a vigilant workforce, you can get much, much closer.
If you have any questions about data security, please contact us!
 Symantec Intelligence Report: August 2015
October is National Cyber Security Awareness Month. In recognition, we’re rounding up some of our top security blog posts and tips from the past few years. There is never a 100% guarantee when it comes to data security. But following the advice in these posts, along with implementing the right system, will certainly get you a lot closer.
This post outlines basic data security best practices. We hope you’re already following the advice covered in this post! But we get it – if you’re not thinking about it every day, like we are, it can be easy to forget about data security. Read this as a refresher post and make it a goal to follow the tips every day. Read Now
In the post, we cover common security threats you face while out in public and what you can do to keep your data safe. Read this one if you travel for work or if you ever work outside the office (or if you connect to public Wi-Fi in your private time!). We cover threats like rogue access points and safety tips like two-factor authentication (also called dual factor authentication). Read Now
Like the name suggests, this post is about staying safe on vacation – but if you travel frequently for work, this advice applies to you, too! Read Now
If you’ve created a new password anytime recently, you were probably required to use a combination of numbers, letters and special characters. But that may not necessarily mean your password is secure. Read this post to find out some tips for creating a secure password and get links to test your password strength. Read Now
This is still one of our most popular blog posts. It was originally written in 2013 when the Cryptolocker malware first started getting attention and updated recently. It tells you how to block EXE file attachments (one of those popular ways to send malware) in Office 365. Read Now
Learn about some of the built-in options for customization in Office 365 that you can use to protect your sensitive data. This post covers disclaimers, blocking domains and data loss prevention. These are especially useful for companies dealing with sensitive customer data or who regularly have to email customer information. Read Now
This post covered encrypted email: How it works and what it will look like to your recipients. It’s primarily geared towards the healthcare field but if your company deals with ANY sensitive data on a regular basis (credit cards, SSNs, legal information, etc), encrypted email is something you may want to look into. Read Now
This covers a few recent data breaches on iOS and Android platforms and covers mobile device policies. If your employees are using their phones or tablets for work (they probably are, even if you issued them a phone), this one is especially important for you. Read Now
This post covers what you need to know about staying HIPAA and HITECH compliant and storing your information in the cloud. A common misconception is that the cloud isn’t safe – but it can be! We talk about that, along with business agreements – necessary to HIPAA compliance. Read Now
If an old server doesn’t sound like a security threat to you, then you need to read this post. Storing ANY information on a server that has reached end of service is a huge risk to your business. This post explains why it is a risk and what the process is for migrating to a new system. Read Now
It’s important to remember that just following the advice in these posts isn’t enough to keep your business safe if you don’t also have the right system in place. A firewall you bought a couple of years ago and haven’t touched since isn’t doing much to keep you safe. Data security threats are constantly evolving and your data security should be evolving with it. If you have any questions about data security, or just want a check on your current data security set up, please contact us.
Microsoft released the latest version of the Office platform – Office 2016 – earlier this week. There are a few ways to purchase it and understanding the difference can be confusing.
Office 2016 can be purchased as a stand-alone software or as part of an Office 365 subscription.
Stand Alone Office 2016
There are two stand-alone versions available for businesses:
Office Home & Business 2016
Includes Word, Excel, Powerpoint, OneNote and Outlook, for $229.99 for 1 PC (or Mac – Mac users must purchase Office Home & Business 2016 for Mac)
Office Professional 2016
Includes everything in Home & Business 2016 plus Publisher and Access, for $399.99 for 1 PC (not compatible with Mac)
The stand-alone versions include the ability to save your files to the cloud, which makes collaboration easier – especially among teams not working in the same physical location.
Office 2016 as part of Office 365
If you purchase Office 2016 as part of an Office 365 plan, you have a lot more options for plans and a lot more features. ALL Office 365 plans include:
- Online versions of Office (Word, Powerpoint, Excel)
- 1 TB per user of file storage and sharing (OneDrive)
- Sway presentation creator (learn the differences between Sway and Powerpoint in this blog post)
- 99% uptime guaranteed
- World-class data security
- Active Directory integration to make user permissions
As you go up in Office 365 plans, features you can get in addition to the above include:
- Full desktop versions of Office (Word, Powerpoint, Excel plus OneNote and Publisher) on up to 5 computers per user
- Office on tablet or mobile (compatible with most tablets and phones regardless of OS)
- Outlook with 50 GB of inbox space per user
- Sharepoint (customizable intranet)
- Skype for Business instant messenger (can also be used as your phone system)
- Yammer (corporate social network)
- Compliance Protection (Encrypted Email, Data Loss Prevention, etc)
Which is right for me? Factors to consider:
There are a few things to consider when deciding which version of Office 2016 or Office 365 is right for you:
Desired programs and features
Take a good look at what programs and features are important to you. If you just need the basic Office programs like Word, Powerpoint and Excel, either a stand-alone version or a lower level Office 365 plan is probably enough for you. If you’re looking for something more robust, or with access to programs like Sharepoint, you’ll need Office 365.
- Office 2016: Stand-alone Office 365 is the same as previous versions of Office in that you won’t get access to new features until you install a new version of Office. If you
- Office 365: Since Office 365 is a subscription service, you’ll get access to new features as they become available. You’re also going to have access to a lot more features.
If you need to access your information from multiple devices, Office 365 is the way to go. While files in Office 2016 can be saved to the cloud, Office 365 gives you a lot more options for access plus the ability to install Office on multiple machines. It also gives you the ability to access online versions of Office programs from ANY device with an internet connection.
Movement between plans
Is it possible you’ll need to upgrade your plan?
- Office 2016: Since Office 2016 is a standalone software, if you need to add features or upgrade, you’ll need to purchase and install new licenses for all users.
- Office 365: Office 365 can switch between plans in the admin center at any time.
What can you afford to pay per user? Would you rather pay a large sum up front or a small monthly fee?
- Office 2016: The stand-alone version is a one-time cost per user, so it will be a large expense up front, but you won’t have to pay a monthly fee after.
- Office 365: Office 365 is a subscription plan, meaning you won’t pay anything up front, but you will pay a set monthly fee per user. If you don’t have the capital to pay a large chunk of change up front, this may be the better option, even if you don’t need all the features.
If you want to try it out before buying, you can try Office 365 free for 30 days. The trial includes 25 user licenses of the Enterprise E3 plan so you can try it as an individual or as a team – Click here to start your trial.
Windows 10 was released in late July with much fanfare and since then, Microsoft is reporting that more than 75 million users have made the jump to the new operating system.
For some users (and for some hesitant to adopt), privacy is a concern. One of the features causing this concern is Wi-Fi Sense, which automatically connects you to Wi-Fi. It will connect you to known open Wi-Fi networks or to Wi-Fi networks your contacts have shared with you.
The second option is what’s causing concern. Wi-Fi Sense gives you the ability to share Wi-Fi networks with your Outlook and Skype contacts and Facebook friends. Some people are concerned this will let strangers access their networks without their permission or that it will give away their passwords.
Here is the truth about Wi-Fi Sense: If that’s all you know, it does sound a little scary, but don’t worry – Microsoft isn’t emailing everyone your password. While Wi-Fi Sense is turned on by default in Windows 10, it doesn’t automatically share your Wi-Fi passwords with anyone’s system. Here’s how it works, from the Wi-Fi Sense FAQ:
“You control whether you want to share your password-protected network with your contacts using Wi-Fi Sense. You can share a network with just your Facebook friends, mutual Skype contacts, or mutual Outlook.com contacts, or with all three groups if you want. It’s up to you. After you share access to a network with a group of contacts, all the contacts in that group will be able to connect to the network when it’s in range. For example, if you choose to share with your Facebook friends, any of your Facebook friends who are using Wi-Fi Sense on a Windows Phone will be able to connect to the network you shared when it’s in range. You can’t pick and choose individual contacts.”
When you do share your Wi-Fi network with someone, the password is encrypted – meaning they’ll never know your password, unless you provide it to them yourself.
A great potential use for this would be sharing your office’s guest Wi-Fi with your network so they don’t have to type the password in every time they come by for a meeting.
If you’re uncomfortable using this, though, Wi-Fi Sense can be limited or turned off completely in your settings.
You can also opt your Wi-Fi network out of Wi-Fi Sense and stop sharing a network you’ve previously shared (directions can be found here). We’d recommend turning off automatically connecting to open hotspots since they aren’t secured. As always, be cautious about what you’re connecting to and what information you are sharing over an unknown network. If you’re unsure about the security of any Wi-Fi network, even one that has been shared to you by a colleague or friend, disconnect and connect to a network you trust.
Email is essential in today’s business world, but oftentimes companies overlook some of the simpler security aspects of Office 365. Not a lot of people are aware of the built-in security options for email – like disclaimers, the ability to block certain domains, and data loss prevention policies. The great thing about all of these items is that they can be applied in a matter of minutes.
Many companies, especially law firms, append disclaimers at the bottom of all of their employees’ emails (e.g. This email is intended only for the recipient…). In fact, the use of disclaimers is required for a lot of companies in industries dealing with sensitive client data.
Most companies don’t know that the use of multiple disclaimers is possible. A second disclaimer can be added to emails to highlight the company’s upcoming fundraiser or to alert people to a new address or a new procedure.
In addition, with Office 365, you can add disclaimers with certain conditions. For instance, you could add a company announcement for only internal emails or even have a special disclaimer for certain companies.
Office 365’s built-in email protection is great to start with, but you can tweak some of the settings to provide even better protection for your company. One of the simplest settings you can modify is the allow/block list.
Similar to marking an item in your Inbox as junk, you can designate an entire domain as blocked. This is extremely useful if you and your colleagues’ inboxes are continually filled with junk mail and newsletters. Adding a domain to the allow list, however, guarantees that the email will get delivered straight to your inbox.
Data Loss Prevention
Due to the ever growing need for additional security, Microsoft provides a feature called Data Loss Prevention. This is a set of policies that Office 365 provides to allow organizations to monitor email communications for sensitive material.
Once turned on, these rules scan all emails to and from an organization looking for information like credit card numbers, SSNs, Taxpayer Identification Numbers, and Passport numbers. Although Microsoft’s policies are pre-canned (they did all the hard work in setting them up for you), you still have the ability to decide what to do with a message once an email is deemed out of compliance with your Data Loss Prevention policies – like not sending the message, CC’ing the employee’s manager, or warning the employee the email may contain sensitive content, etc.
Your security options aren’t limited to just these – Office 365 also includes encrypted email (which we covered recently), rights management services and more. It’s not always necessary to use them all together, but they’re worth exploring. Thankfully, these features can all be customized to fit your particular needs.
These features come standard in the Office 365 Enterprise and Business Plan packages. If you need help setting them up, or if you need to upgrade your Office 365 plan, please contact us.
Recent data breaches for both iPhone and Android OS’s highlight the need for businesses to pay attention to mobile device data security.
Whether or not you’re giving your employees cell phones to use for work (or have a Bring Your Own Device (BYOD) policy), it’s likely that you have employees using their cell phones or tablets to access company information (like email and sensitive line-of-business applications).
And this could present a problem if not managed correctly. Phone hacking is becoming increasingly common, with two major phone data security breaches recently:
You may have heard about the recent “Stagefright” vulnerability on Google’s Android operating system. If you haven’t, here is the gist: Using a specific type of text message, hackers could send a text to your Android phone that gives them complete control over your device. They can read your email, siphon data out of your apps (like Dropbox), access your photos, and even turn on your microphone or camera without your knowledge. Since they control your phone they could even delete the text they sent to get access to your device, so you would never even know.
Google put out a patch to fix the issue quickly, but it was up to the carriers (like Verizon) to make the patch available. If you have employees with Android devices, it’s critical that their phones are updated with the patch – otherwise you may be leaving your company data open for the taking.
More than 225,000 iPhone users had their phones compromised in a recent hack. This particular hack only affected “jail broken” phones (phones that have been modified to bypass Apple security – typically to download apps outside of the App Store), so if your company distributed new iPhones (or refurbished iPhones you’re sure aren’t jailbroken) to your employees, you’re probably safe.
If you have a BYOD policy for phones, however, you may have a problem on your hands if any of your employees have a jail broken phone and access company data from their phones.
Mobile Device Security
We are absolutely not advocating taking phones away from employees or not letting employees access company data from their smart phones. Quite the opposite – we’re strong believers in the Cloud and being able to work from any place and any device. Office 365, Google Apps and other cloud based systems have made that a reality for many companies, saving them time and money and boosting productivity.
But if your company doesn’t already have a mobile device policy in place, it’s time to get one. If your company has a mobile device policy in place but doesn’t really enforce it or if your employees don’t know about it, it’s time to remedy that. Make sure your team members know what is and isn’t acceptable to do with company data. The biggest threat to your company ultimately isn’t malicious outsiders – it’s your employees.
All it takes is one employee clicking on a bad link in an email or accessing company data from a jail broken phone that’s been compromised for their device (and potentially your whole company) to be affected. If you’re in an industry dealing with sensitive client data, this can be especially devastating.
Implementing and enforcing a mobile device policy that includes data security best practices can go a long way to mitigating that. Here are a few to get you started:
- Use a passcode on your phone
- Store all passwords in an encrypted password vault (like LastPass or 1Password)
- Devices must not be “jailbroken” or modified in a way to bypass security features or gain access to information not intended for the user to access.
- Keep phone updated with latest security patches and do not connect to any computer that isn’t using updated malware detectors.
A mobile device policy isn’t necessarily going to protect you 100% of the time (unfortunately, there is no 100% guarantee when it comes to data security of any kind, mobile or otherwise). But a strong policy, tailored to your company’s needs (and actually enforced!), along with a well-educated workforce will go a long way to mitigating your risks.
“Let’s meet later this week to discuss. When are you available to discuss?”
“I can meet Thursday from 9-10 or 3-4.”
“I am busy during those times. Can you do Friday? I can meet before 11 am Friday.”
“I am out of office Friday. Let’s shoot for next week. What’s your schedule like on Monday?”
“Monday isn’t great for me…”
Sound familiar? If you’re cringing right now, you’ve probably tried to schedule a meeting with someone else outside your organization with similar results. Trying to schedule a time to meet without being able to see other people’s calendars can be a hassle.
Thankfully, if you’re using Outlook, it’s actually really easy to send someone your upcoming availability without sharing your whole calendar with them. Here’s how:
When writing your email, go to the “Insert” Tab and click “Calendar”.
You’ll get this pop up:
From this screen, you can specify how much of your calendar you want to share. You can change the date range to a specific date or date range or share the whole thing.
You can also specify how much detail your recipient can see. If you only want them to see when you’re free, you can choose “Availability only.” If you’re feeling a little more open about your schedule, you can send your calendar with meeting details.
If you control more than one calendar, you can also specify which calendar to send.
Here’s what your recipient will see (you can add a message before sending). This example is for one day, with availability only:
Sending your calendar availability will hopefully make scheduling meetings a little less of a pain. Unfortunately, we can’t help you too much with the NUMBER of meetings you have to attend.
If you’re looking at replacing your on-premises server, there are probably a lot more options available to you than there were the last time you had to do this. Replacing your server now means choosing between different options like:
- On-premises server: a server physically located at your office
- Cloud server: a server hosted by a third party like Microsoft or Rackspace with files accessed via the internet
- Hybrid Solution: uses both on-premises and cloud servers
What’s right for your business will depend primarily on your storage needs and the requirements of your business applications. Here are a few questions you need to ask before replacing your server:
1. How old is my server?
Age is usually the reason you need to replace your on-premises server. You should expect 3-5 years out of a server. Anything older than that and it’s probably no longer supported, putting your company at risk (read more about the dangers and how to migrate on this blog post).
2. Do I even need a server anymore?
Smaller offices may not need a server unless they have a specific line of business application that requires a physical server. If you don’t, moving to a cloud service may fit your needs better.
3. If I don’t need a server, could I use cloud storage service as my file server?
Programs like OneDrive, Dropbox and Google Drive all offer online storage that may be sufficient for just file storage. Something like Sharepoint may work if you need file storage with more organization and the ability to build applications. If you’re in a field that must meet regulatory requirements (like HIPAA), make sure the option you choose will keep you compliant.
4. If I do need a server, what operating system do I need?
One big reason we see customers stick with on-premises servers is because of a particular business application they’re using. Some line of business applications require a physical server and may require either a Windows or SQL server. Make sure you know if your business flow will be affected by switching server types.
5. What can I spend?
This question doesn’t just cover cost – it covers when you can spend it. On-premises servers typically mean spending a large chunk of money at once. Cloud servers are typically paid on a month-by-month basis. If all other factors are equal, your choice may just come down to what you can afford to spend and when.
As you research and decide what option will be best for you, there will be many more factors to consider – but these questions should be at the top of the list. If you are running your business on an outdated server, though, it’s vital that you move to a new server ASAP.
If you have any questions about what kind of server is right for you, please contact us.
One of the most annoying things to have to do with your data is to manually clean it up. Having to go line by line in Excel to reformat names personally makes me want to scream. Thankfully, Excel has a lot of lesser known features to take care of some of those more menial tasks – including separating names stored in one column into two separate columns.
If you have a list of people, but they are listed in the lastname, firstname format and you want to separate them into different columns, there is a built-in function in Excel 2013 called Text to Columns that makes this super easy. Here’s how to do it:
1. Highlight the cells you want to separate:
2. Click on the Data tab of the ribbon and you will see several useful tools here. We are going to be exploring Text to Columns:
3. Clicking Text to Columns will start the wizard that walks you through your options. On the first screen of the wizard, we will select “Delimited” because our data is already separated by a comma, and click next:
Next, we will check the box next to comma and click next:
We can leave the data format as General and click Finish on the last screen of the wizard:
Now the names have been separated into different columns! You can use this same Text to Column wizard to separate other types of copy into multiple columns. Just walk through the wizard the same way, but choose the options that fit your data (For example, if your names are separated by a space, like “Joe Smith”, choose “Space” instead of “Comma” on the second screen of the wizard).
Now you can separate text within cells like a pro! Want to turn your new, separated list of names into email addresses? There’s an Excel formula for that – find out how on this blog post. Happy Excelling!
For more Office tips and news or to find out when we publish new blog posts, follow us on Twitter, Facebook and LinkedIn.
In a recent survey by MedData Group, 272 respondents examined the top security concerns among healthcare professionals (hospital administrators, physicians and healthcare IT professionals). Email and messaging systems were named by respondents as the top security risk among information assets. Email and messaging systems don’t need to be a major threat, though. By following security best practices and using encrypted email, you can keep your patient information safe – and keep your organization HIPAA compliant.
The diagram on the right shows how email encryption works. In a nutshell, though, it protects your emails from being read by someone other than the intended recipient. When you’re dealing with sensitive data – like patient information – this is vital. We typically recommend Office 365 for our clients looking for email encryption. We’ve covered why in a previous blog post.
Email encryption rules can vary by organization even within Office 365. You can set up rules based on your needs. For example, we configure our clients’ email to require adding the word **Encrypt** in the subject line.
The image below shows email encryption in action. Here is what the recipient will see:
If your recipient does not have an Office 365 account or Outlook.com account, they can create a one-time passcode to retrieve the message, allowing you to send encrypted emails to individuals outside of your organization.
If you’re sending emails containing any personal information (Social Security numbers, birthdays, medical information, etc), encrypt the email. Err on the side of caution – if you’re not sure if an email should be encrypted or not, turn on encryption. It’s better to be safe than sorry when it comes to protecting sensitive information.
Email encryption is already included in several Office 365 plans or it can be added to other plans for a small monthly fee. If you have any questions about email encryption or would like to add it to your company’s plan, please contact us.