Coleman Technologies Blog

We can give your organization comprehensive IT services and 24/7/365 live support for a predictable monthly fee. Stop stressing about technology, and start focusing on growing your business.

Won’t More IT Security Just Slow Me Down?

When I was a kid, there was a Tex Avery cartoon where Droopy Dog was chasing down a crook who had escaped from jail. In one scene, the crook (I think it was a wolf in a black-and-white striped jumpsuit) takes a bus, a plane, a ship, and a taxi to a secluded cabin, then closes a series of increasingly complex doors with a large number of locks to hide from the pursuing cartoon basset hound.

Of course, when he turns around, exhausted by all the effort he has put in, he realizes that Droopy is standing right behind him, greeting him with a monotone “hello.”

I haven’t seen this cartoon since I was 7 years old, but I almost always think about it when I am using multi-factor authentication. 

Does Cybersecurity Feel Like It’s a Lot of Effort?

Strong, complex passwords, multi-factor authentication, complex policies and rules, and not always having full access to everything you need at any given moment can certainly feel like hurdles to getting things done.

Believe me, I get it. As a tech head, I love how secure my information can get, but as a business owner, as a person who just needs to get things done, it really can be just frustrating enough to make it feel like it isn’t worth it.

I’ll never stop advocating it though.

Sometimes, in my head, I might grumble and think to myself—this is stupid, I’m just trying to get into my Facebook account. But then I think, through my Facebook account, I have all of my contacts, many of which are people I do business with. I also own my business page, and a couple of groups that I rely on for networking, and my ads account, which has my business credit card…

You get the idea. It’s just Facebook, but it’s so wrapped around my life that if someone else were to get in there, it could get really messy and complicated.

The same goes for email accounts, bank accounts, and software that stores sensitive information for myself and my business. Basically, anything that you can lock down with multi-factor authentication, you really should, and your employees should all be doing the same.

The Password Just Isn’t as Secure as It Used to Be

Somewhere early on, when the world was figuring out what to do with computers and the Internet, a bunch of folks got together and decided that the password would be the ultimate authentication tool. You just type in your magic words, “open sesame!” and yep, that’s definitely you and can’t possibly be anyone else!

It wasn’t a bad idea back before we were doing banking and storing medical records and other sensitive information online, and before we were using online tools and databases to store tons and tons of client information about people besides just ourselves.

But the password just isn’t that secure. Passwords are easy to crack, and it’s so easy to be lazy about them that they end up offering no protection at all. A 12-character password can be cracked with password-cracking software on an average laptop in less than 14 hours, and that time could be much shorter if your password isn’t all that complex.

Plus, everyone has a tendency to reuse passwords or fall into a predictable pattern when making them… it’s a mess. A password alone is not something to rely on for security.

That’s why we have things like multi-factor authentication. Yes, it adds an extra step and can be a little annoying, but it can be streamlined. Here are some tips.

How to Optimize Your Multi-Factor Authentication

  • Try to stick to just one single authentication app, preferably one that can be backed up and synced between devices. Give us a call at (604) 513-9428 to help you pick one that works for you.
  • Label your accounts in the app clearly, and try to organize them if you can.
  • In your password manager, note how each account’s multi-factor authentication works. If the code has to come through SMS or email, noting that for yourself means you are prepared for it as you log in, which feels a little more efficient.
  • Go into current accounts and check to see what your security settings allow you to do. When possible, use the authentication app so you aren’t relying on authentication information coming in from all different directions.

Cybersecurity is complicated, and it can feel like an overwhelming hurdle, but we can help you and your business use it effectively. It is important, and it is something that we should all be using as often as possible.

To get help, give us a call at (604) 513-9428.

What You Need to Look for in a Cyber Insurance Policy

Perhaps predictably, the word “insure” has roots that tie it closely to “ensure,” as it is meant to ensure a level of security after some form of loss. Nowadays, that loss often pertains to data, making cyber insurance an extremely valuable investment for the modern business to make.

However, in order to obtain this kind of insurance, businesses commonly need to meet some basic requirements. Let’s go over some of these requirements now.

What Are Insurance Providers Looking for to Approve Cyber Insurance?

It’s important that your business is not only meeting the requirements that an insurance provider expects from you, but that you also have it fully documented. This helps make it easier for everyone to stay on the same page, as well as to evaluate how prepared the business is to protect its data. What follows are some of the preparations that many insurance providers expect to see from businesses seeking coverage.

Multi-Factor Authentication Protecting Email (at a Minimum)

It should come as no surprise that email is a major target for cybercriminal activity. It’s popular, it’s convenient, and—as countless attacks have proven—it works. If a cybercriminal manages to gain access to a target’s email account, they effectively have the keys to the castle, as any accounts tied to that email can then be altered and adjusted.

This is why, if you protect anything with multi-factor authentication, your email is the first candidate… although we recommend implementing it wherever it is available. Multi-factor authentication reinforces your security by adding requirements to the login process before access is granted: beyond the password, the user must also confirm their identity, often with a secondary key, a generated code, or biometric proof.

The long and the short of it is that MFA is a very effective means of eliminating unauthorized access, which is something that insurance providers want to see before they offer coverage.

Testing and Training for Cybersecurity Awareness

On a related note, insurance providers want to see staff engagement where a business’ cybersecurity is involved. After all, all the protection in the world won’t matter if one of your team members leaves the door open or allows an attacker in. This makes it critical that your team knows about the threats they face and—crucially—how to appropriately identify and react to these threats as they encounter them.

Due to the evolving nature of cybercrime, this needs to be an ongoing process. You should be regularly evaluating your employees with and without warning, providing immediate education to anyone who misses one of your simulated threats. Your potential insurance provider will likely want to see documented proof that these steps exist and are enforced as they consider your application.

Incident Response, Backup and Disaster Recovery, and Similar Defenses

In order for these policies to stay profitable, insurance companies will want to see that every precaution has been put in place. After all, the less likely a policyholder is to suffer the damages that their policy covers, the less likely it is that the insurer will have to issue a reimbursement payment. As a result, insurance providers like to see that businesses are as prepared as possible, so they don’t just want to see preventative measures, but mitigations as well.

Therefore, your insurance provider is going to want to see everything you have in place as a part of your incident response plan. They’ll want to see that your backups are situated and updated appropriately, they’ll want to see established processes and systems, and they’ll want to see that you have different people assigned to carry these processes and systems out.

Applicable Compliance Gap Assessments

Chances are pretty good that you process credit card information as part of your business operations in some shape or form. This means that you presumably need to align to the Payment Card Industry Data Security Standard (PCI DSS), which dictates what businesses need to do to protect the information of their cardholding customers. A gap assessment is a process that helps you identify anywhere that you fall short of true compliance, allowing you to more effectively resolve these issues to reach the standards expected. Because of this, insurance providers will want to see the results of your gap assessments and documentation of any steps that you’ve taken to fix the issues present regarding any applicable compliance requirements.

We can help you maintain the standards that an insurance company will be looking for to approve your business for cyber insurance coverage. Learn more about our managed IT services by giving us a call at (604) 513-9428.

The Dark Side of AI

Artificial intelligence, or AI, has upended the way we discuss technology in business, society, and everyday life. While we mostly focus on the benefits of the technology, there are many downsides to consider as well. That’s what we’d like to discuss today: how AI has a dark side that may require regulation.

Understanding AI

AI is, in short, a system of complex algorithms, data, and computers that can mimic human intelligence.

Through math and logic, AI can simulate human intelligence, and for the most part, it can do so quite effectively. However, there are problems with this technology that must be considered—and it’s not all strictly cybersecurity-related, either.

In short, there will always be those who want to use technology for evil rather than good.

Hackers can use AI to automate their threats. Companies can use AI to eliminate costs and lay off employees. Individuals or government agencies can use AI to misrepresent the ideas of others to manipulate the masses into believing their wacky ideas.

Indeed, if something technology-related is good, you can count on someone bad ruining it for everyone else.

Part of the problem is the “AI black box,” the fact that people simply don’t know how AI does what it does. The old adage from math class, “Show your work,” applies here, and there’s a serious lack of transparency around how AI arrives at the responses it gives. Since AI is often trusted with serious tasks, it would be foolish to hand total control to something you don’t understand, yet some do it anyway.

This brings us to our final point: AI is not some omnipotent force, some all-knowing system that can fabricate content from nothing.

AI runs on data, and as such, you get out what you put in. The more data it’s supplied with, the more reliably and quickly it can produce an acceptable response. The kicker is that if the data is biased, AI’s response will be biased, too.

So, if the data and the AI are biased, the product will be biased, which will make the end result dangerous and counterproductive.

The Question of Regulation

While regulation could make AI much more fair and safe to use, the answer is not as simple as you might think.

If you don’t put rules in place, AI could make unfair and biased decisions—decisions that invade people’s privacy and have a negative impact on society. A lot of it also boils down to purpose. For those who want to use AI to breach the privacy and security of others, regulations can go a long way toward making that goal harder.

However, some believe such rules will only slow down the growth of AI and the technology that powers it.

Thus, the challenge becomes how to strike a balance between safety and allowing this technology to grow. If the rules are too rigid, small companies will find it harder to compete and survive in an increasingly competitive business environment. Those who believe mandates are too strict still believe guidelines would be helpful to keep AI creators responsible and accountable, but how effective this practice would be is a bit nebulous at present.

All in all, the primary goal of those arguing for the regulation of AI is for the protection and safety of others and their ideas, which can never be considered an inherently bad thing.

We’re sure you have plenty of questions about AI and how you can use it for your business. To learn more, call Coleman Technologies at (604) 513-9428.

Alert: Update Windows Netlogon Remote Protocol Now, says Homeland Security


What’s the Exploit and Who Does It Affect?

The vulnerability named in CISA’s emergency directive affects all supported Windows Server operating systems. It’s been named Zerologon, and if left unpatched, it could allow an unauthenticated threat actor to gain access to a domain controller and completely compromise your network’s Active Directory services. The vulnerability gets its name because all the attacker has to do is send a series of Netlogon messages with the input fields filled with zeroes to gain access.

Once in, this gives the attacker a great deal of control over your network, and since Microsoft has released a patch for it, the exploit is now publicly available, which means cybercriminals will be taking advantage of it. The attacker doesn’t need any user credentials to use this exploit.

If your business network is running Windows Server, you need to have updates applied to your servers to ensure that this vulnerability is patched. If you aren’t actively keeping all the devices on your network maintained with the latest updates and security patches, you are essentially leaving the front door wide open.

The Department of Homeland Security (the parent department of CISA) has issued a directive giving all government agencies in the United States until today (September 21st) to apply the patch, to prevent hackers from gaining control over federal networks. This means all state and local government agencies are required to apply it today and report back to CISA. Not having this patch installed will also affect other compliance standards across other industries and, of course, leave your business and your data at high risk of a breach. We can’t stress this enough: apply this patch today, regardless of the industry you are in, as soon as humanly possible.
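Added example, not code from the original alert, for checking whether a domain controller that has received the patch is still seeing the insecure connections this vulnerability abuses. It assumes the Netlogon event IDs that Microsoft's August 2020 update writes to the System log under source NETLOGON (5827 and 5828 for denied vulnerable connections, 5829 for vulnerable connections still allowed during the deployment phase, 5830 and 5831 for connections allowed only by a group-policy exception); the records it runs over are constructed for the example, and `SystemEvent`, `triage`, `has_patch_evidence` and `action_items` are names chosen for it.

```python
"""Triage Netlogon secure-channel events on a patched domain controller.

Added example, not code from the original alert. Assumption: after the August
2020 Netlogon update, a domain controller logs NETLOGON events in the System
log: 5827/5828 = vulnerable connection denied (machine / trust account),
5829 = vulnerable connection still allowed (deployment phase), 5830/5831 =
allowed only because a group-policy exception lists the account. The sample
records below are constructed, not real log data.
"""
from collections import Counter
from dataclasses import dataclass

DENIED = {5827, 5828}
ALLOWED_VULNERABLE = {5829}
ALLOWED_BY_POLICY = {5830, 5831}
NETLOGON_IDS = DENIED | ALLOWED_VULNERABLE | ALLOWED_BY_POLICY


@dataclass(frozen=True)
class SystemEvent:
    event_id: int
    provider: str
    account: str    # machine or trust account named in the event, "" if none
    client_ip: str  # address the connection came from, "" if none


# Constructed sample records standing in for exported System-log entries.
SAMPLE_EVENTS = [
    SystemEvent(5829, "NETLOGON", "PRINTSRV01$", "10.0.5.17"),
    SystemEvent(5829, "NETLOGON", "PRINTSRV01$", "10.0.5.17"),
    SystemEvent(5827, "NETLOGON", "OLDNAS$", "10.0.9.3"),
    SystemEvent(5830, "NETLOGON", "LEGACYAPP$", "10.0.7.44"),
    SystemEvent(7036, "Service Control Manager", "", ""),
]


def triage(events):
    """Group Netlogon secure-channel events by what they mean for the admin.

    Returns a dict with keys 'allowed_vulnerable', 'denied' and
    'policy_exception'; each value is a sorted list of (account, client_ip,
    count). Events from other providers or with other IDs are ignored."""
    buckets = {"allowed_vulnerable": Counter(), "denied": Counter(), "policy_exception": Counter()}
    for ev in events:
        if ev.provider != "NETLOGON" or ev.event_id not in NETLOGON_IDS:
            continue
        key = (ev.account, ev.client_ip)
        if ev.event_id in ALLOWED_VULNERABLE:
            buckets["allowed_vulnerable"][key] += 1
        elif ev.event_id in DENIED:
            buckets["denied"][key] += 1
        else:
            buckets["policy_exception"][key] += 1
    return {name: sorted((acct, ip, n) for (acct, ip), n in c.items())
            for name, c in buckets.items()}


def has_patch_evidence(events):
    """True if any of the new event IDs appear: only an updated DC emits them.
    The converse does not hold; silence may just mean no vulnerable clients."""
    return any(ev.provider == "NETLOGON" and ev.event_id in NETLOGON_IDS for ev in events)


def action_items(events):
    """Follow-ups for the admin: accounts still using the insecure channel must
    be updated or replaced before enforcement denies them outright, and each
    policy exception should be reviewed rather than left in place."""
    report = triage(events)
    lines = [f"update or retire {a} ({ip}): {n} vulnerable connection(s) still allowed"
             for a, ip, n in report["allowed_vulnerable"]]
    lines += [f"review group-policy exception for {a} ({ip})"
              for a, ip, n in report["policy_exception"]]
    return lines


if __name__ == "__main__":
    print("updated DC evidence:", has_patch_evidence(SAMPLE_EVENTS))
    for line in action_items(SAMPLE_EVENTS):
        print(line)
```

The point of the three buckets is that the patch alone is not the end of the job: every account that keeps showing up under 5829 is a device that would be cut off once vulnerable connections are refused outright, so those are the ones to update or replace first.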

The Good News

If you have an active managed IT services agreement with Coleman Technologies that covers the maintenance of your Windows Servers, you have likely already received the patch, or will be having it installed today. The patch was released by Microsoft as part of their August 2020 Patch Tuesday Update.

If you don’t have an agreement with us, or you aren’t sure if your agreement covers fixing the Zerologon vulnerability, we urge you to reach out to us by calling (604) 513-9428. This is definitely not something you want to risk.

The Department of Homeland Security and the US Cybersecurity and Infrastructure Security Agency don’t issue emergency directives casually. This needs to be taken seriously for all businesses and organizations.

If you need help, or you are unsure about how to protect your organization from the Zerologon vulnerability, don’t hesitate to reach out to Coleman Technologies at (604) 513-9428.

The Starter Guide for Business Compliance

A business’ compliance with the regulations it operates under is a huge issue, one that many people inside your organization won’t understand but that has to get some attention. Let’s look at some of the variables that go into compliance to outline just how important it is.

Regulatory Requirements

Governments and regulatory bodies create various laws and regulations to ensure the security, privacy, and ethical use of technology. Compliance with these regulations is absolutely mandatory, and failure to meet them can result in significant fines, legal penalties, and reputational damage.

Data Security and Privacy

As businesses collect and store sensitive data, ensuring the security and privacy of this information has to be a priority. Compliance frameworks, such as GDPR, HIPAA, and CCPA, set standards for protecting personal data and require organizations to implement robust security measures.

Risk Management

The process that goes into successful technology compliance helps organizations manage risks associated with cybersecurity threats. Building strategies that adhere to compliance standards can minimize the risk of incidents that could disrupt operations or harm customers.

Trust and Reputation

Doing everything you can to stay compliant demonstrates a commitment to ethical practices and protecting customer data, which builds trust with customers, partners, and stakeholders. Non-compliance, on the other hand, can lead to a loss of confidence and damage to the organization's reputation.

Operational Efficiency

Compliance frameworks often include best practices and guidelines that can improve the efficiency and effectiveness of technology operations. By following these standards, organizations can enhance their overall performance and reduce the likelihood of error.

To follow technology rules, you need to know the laws, use strong security, be proactive in managing risks, and follow ethical guidelines. For help with this, contact the IT experts at Coleman Technologies today at (604) 513-9428.

Zero-Trust Needs to Be the Goal for Every Business’ Security

Would you feel safe staying at a hotel where, instead of unique locks, every door used the same key? Probably not—because if someone got in, they could take whatever they wanted. That’s similar to how old-school cybersecurity worked. Once someone got into a company’s network, they could access almost everything, making it easy for hackers to steal information. Today, many businesses use a better security framework called zero-trust security. In this blog, we discuss what zero-trust security is and why it’s safer.

What Is Zero-Trust Security?

Zero-trust security is all about being extra careful. It means that nothing and no one inside a company’s network is trusted automatically. Instead, everything has to prove it has permission to be there, even if it’s already inside the network.

Returning to our hotel example, imagine that the hotel used a unique lock on each room's door instead of using a marginally better version of the honor system. Even if someone managed to find your floor, they still can’t get in the room unless they have your room’s access code. Zero-trust security works the same way by adding multiple layers of security to keep data safe.

How Does Zero-Trust Security Work?

For zero-trust security to work, companies need to focus on these seven things:

  • Users - The company needs to know who is trying to get into its network and make sure each person only sees what they need for their job. For instance, people in sales wouldn’t have access to financial records, and engineers wouldn’t be able to see private HR documents.
  • Devices - Every computer, tablet, and phone connecting to the network needs to be safe. Companies make sure devices have the latest updates and security settings, and they check to see if each device is allowed to connect.
  • Networks - Different parts of the network are locked down, so only people who need to use them can access them. Firewalls and other tools help block out anyone who shouldn’t be there.
  • Applications - Companies keep all the software they use up-to-date and secure. This ensures no one uses unsafe programs that could let hackers in.
  • Data - Data is super valuable, so companies protect it with encryption (which turns data into code) and other strong security tools to keep it safe from people who shouldn’t see it.
  • Automation - Computers can help by watching the network for unusual behavior, like a hacker trying to get in. This helps companies stop threats faster than if a person had to notice on their own.
  • Analytics - By tracking everything happening on the network, companies can spot warning signs early and stop problems before they become big issues.
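Added example (not code from the original post) of the seven pillars above turned into an access decision: a toy policy engine that evaluates every request against the user, the device, the network and the resource, denies anything not explicitly allowed, and feeds the decisions to a small analytics check. The users, devices, resources and the `POLICY` table are constructed for illustration, as are the `evaluate` and `repeated_denials` names.

```python
"""Default-deny access decisions across the zero-trust pillars.

Added example, not code from the original post. Every request must pass the
user check (role and multi-factor authentication), the device check (managed
and patched), the network check and the resource rule; one failure denies.
All actors and the policy table are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str
    mfa_verified: bool


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool     # enrolled in company device management
    patched: bool     # on the latest approved update level


@dataclass(frozen=True)
class Request:
    user: User
    device: Device
    resource: str
    network: str      # "corp", "vpn" or "internet"


# Constructed policy: who may reach each resource, from which device posture and network.
POLICY = {
    "finance-ledger": {"roles": {"finance"}, "managed_device": True, "networks": {"corp", "vpn"}},
    "hr-records": {"roles": {"hr"}, "managed_device": True, "networks": {"corp"}},
    "sales-crm": {"roles": {"sales", "finance"}, "managed_device": False,
                  "networks": {"corp", "vpn", "internet"}},
}


def evaluate(req: Request):
    """Return (allowed, reasons). Every pillar is checked and every failure is
    recorded, so the analytics side can see why requests are being denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource: default deny"]
    reasons = []
    if req.user.role not in rule["roles"]:
        reasons.append(f"role {req.user.role!r} not permitted for {req.resource}")
    if not req.user.mfa_verified:
        reasons.append("user has not completed multi-factor authentication")
    if rule["managed_device"] and not req.device.managed:
        reasons.append("resource requires a company-managed device")
    if not req.device.patched:
        reasons.append("device is missing required updates")
    if req.network not in rule["networks"]:
        reasons.append(f"network {req.network!r} not permitted for {req.resource}")
    return (not reasons), reasons


def repeated_denials(decisions, threshold=3):
    """Analytics pillar: users denied at least `threshold` times in this batch.
    `decisions` is an iterable of (Request, allowed) pairs."""
    denied = Counter(req.user.name for req, allowed in decisions if not allowed)
    return sorted(name for name, n in denied.items() if n >= threshold)


# Constructed sample actors.
ALICE = User("alice", "finance", mfa_verified=True)
BOB = User("bob", "sales", mfa_verified=True)
LAPTOP = Device("LT-0042", managed=True, patched=True)
PHONE = Device("BYOD-PHONE", managed=False, patched=True)

if __name__ == "__main__":
    for req in [Request(ALICE, LAPTOP, "finance-ledger", "vpn"),
                Request(BOB, LAPTOP, "finance-ledger", "corp"),
                Request(ALICE, PHONE, "finance-ledger", "internet")]:
        ok, why = evaluate(req)
        print(req.user.name, req.resource, "ALLOW" if ok else "DENY", why)
```

Note that being "inside" (on the corp network, on a managed laptop) never short-circuits the other checks: Bob on the corporate network from a managed device is still denied the finance ledger because his role does not permit it, which is the whole difference from the shared-key hotel.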

Why Zero-Trust Security Matters

Zero-trust security is all about being cautious and making sure every user and device proves it’s allowed to be on the network. By checking everything—even what’s already inside—companies can ensure their information stays safe.

Want to know more about keeping your business secure? Give the IT professionals at Coleman Technologies a call today at (604) 513-9428 to learn more.

That False Sense of Security is Going to Bite You

Cybersecurity is important. Scroll through a few pages of our blog and you’ll see article after article talking about threats and ways to make yourself and your business less vulnerable to cyberthreats. As an IT professional, however, I’d be so much happier if the state of the world didn’t require such a massive effort just to protect oneself and we could just talk about cool stuff you can do with modern technology all the time!

But alas, strong cybersecurity is crucial to virtually any organization, and it’s becoming even more important by the month.

You Can’t Flub Your Cybersecurity Awareness

Cybersecurity is something that you can’t just ignore. It’s not going to ignore you—cybercriminals target the people who think they aren’t a target in the first place.

Most businesses these days have at least some level of cybersecurity-based compliance regulations to meet and follow. Some can come from the state, some can come from the industry you are in, some apply based on the type of information you work with, and some can come directly from your business insurance provider. 

One of the biggest mistakes I see business owners and C-levels make is that they have overconfidence in their own cybersecurity. Most business owners are the least secure people I know (and I don’t mean that in an insulting way; CEOs and entrepreneurs, in general, are just wired to be efficient, and cybersecurity practices can feel like a big roadblock to efficiency.)

Heck, I lose sleep at night when I suspect that the owner of a company we work with refuses to use multi-factor authentication, but I catch myself longing to turn that feature off because of the extra couple of seconds it adds to getting into an account every day. 

The point is, even as a leader, you can’t skimp on security. In fact, you should be the shining example of it in your organization.

You Have to Know If You Are Compliant or Not

Depending on the regulations your organization needs to meet, you likely have a laundry list of tasks to check off quarterly or yearly. For many organizations, a part of that might include a regular penetration test.

A penetration test is a very specific set of tasks in which an ethical hacker attempts to break into your business network using a variety of methods.

There are multiple phases, including reconnaissance; scanning for vulnerabilities and other weaknesses; getting in and attempting to steal, change, or delete data; staying within the network undetected for a period of time; and looking for non-technical ways to exploit your organization, such as social engineering.

It’s no small feat, and it’s far from the typical quick network audit, port scan, or similar checks a technician might run to solve a problem or investigate an issue.

Don’t confuse the small stuff with a penetration test. I’ve talked to business owners in the past who were convinced their network was secure because a third party ran some network audit tools, found devices that were out of date, and fixed them. While that’s important to do, and something we do regularly and maintain for our clients, it’s a long way from an actual penetration test.

Let’s Make Sense of Your Cybersecurity, Together

Protecting your business from modern-day threats and meeting regulatory requirements is a challenge if you try to do it by yourself. Let Coleman Technologies be your trusted IT partner and keep your business operating smoothly. Get started today by calling (604) 513-9428.

PCI Compliance 101


Introducing PCI DSS

With so many people using credit, debit, and prepaid gift cards to pay for goods and services, the economic ramifications of digital payment fraud, data loss, and other side effects of continued reliance on these payment methods led the companies that issue these cards to band together to create what is now known as the PCI Security Standards Council. Since its inception in 2006, the PCI Security Standards Council has overseen the establishment and coordination of the PCI DSS, or Payment Card Industry Data Security Standard. Let’s take a look at how PCI compliance works.

Taking a Look at PCI 

PCI DSS was established in 2006 by credit card companies as a way to regulate business use of personal payment card information. That means all businesses. If your business processes or stores payment card information as a means of accepting digital payment, you need to maintain your PCI compliance. PCI DSS demands that businesses satisfactorily take the following steps:

  1. Change passwords from system defaults
  2. Install sufficient network security tools (antivirus, firewalls, etc.) to protect card data
  3. Encrypt transmission of card data across public networks
  4. Restrict the transmission of card and cardholder data to a “need to know” basis
  5. Assign a user ID to every user with server or database access
  6. Make efforts to protect physical and digital access to card and cardholder data
  7. Monitor and maintain system security
  8. Test system security regularly
  9. Create written policies and procedures that address the importance of securing cardholder data
  10. Train your staff on best practices for accepting payment cards

While many businesses already do these things in the normal course of doing business, if you currently don’t and you still allow for the use of payment cards, your business could have a problem on its hands. 
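Added example (not code from the original post) of a gap assessment, the process the cyber insurance post above describes, run against the PCI DSS steps just listed: the checks that can be made mechanically (steps 1, 2, 3, 5, 7 and 8) are applied to a constructed inventory of in-scope systems and every shortfall is reported by step number. The field names, the set of generic account names treated as shared, and the 90-day testing threshold are assumptions for the example, not PCI DSS text.

```python
"""Gap assessment against the PCI DSS steps listed above.

Added example, not code from the original post. Each check answers one of
the numbered steps for one in-scope system and returns a gap description or
None. The inventory fields, the generic account names and the 90-day testing
threshold are assumptions made for this example.
"""
from dataclasses import dataclass

# Assumed list of generic account names that indicate shared, non-individual access.
GENERIC_ACCOUNTS = {"admin", "root", "shared", "pos"}


@dataclass
class InScopeSystem:
    name: str
    default_credentials_changed: bool
    antivirus: bool
    firewall: bool
    transmits_over_public_network: bool
    public_transmission_encrypted: bool
    accounts: list            # account names with server or database access
    logging_enabled: bool
    days_since_last_test: int


def check_defaults(s):
    """Step 1: vendor default passwords must be gone."""
    return None if s.default_credentials_changed else "1: system default passwords still in use"


def check_tools(s):
    """Step 2: protective tooling present."""
    missing = [t for t, present in (("antivirus", s.antivirus), ("firewall", s.firewall)) if not present]
    return f"2: missing {', '.join(missing)}" if missing else None


def check_encryption(s):
    """Step 3: card data crossing a public network must be encrypted."""
    if s.transmits_over_public_network and not s.public_transmission_encrypted:
        return "3: card data sent over a public network without encryption"
    return None


def check_user_ids(s):
    """Step 5: every person with access has their own ID, not a shared login."""
    shared = [a for a in s.accounts if a.lower() in GENERIC_ACCOUNTS]
    return f"5: shared/generic accounts with access: {', '.join(shared)}" if shared else None


def check_monitoring(s):
    """Step 7: security must be monitored, which needs logging on."""
    return None if s.logging_enabled else "7: security logging/monitoring disabled"


def check_testing(s, max_days=90):
    """Step 8: regular testing; 'regular' is assumed here to mean within 90 days."""
    if s.days_since_last_test > max_days:
        return f"8: last security test {s.days_since_last_test} days ago (limit {max_days})"
    return None


CHECKS = [check_defaults, check_tools, check_encryption, check_user_ids, check_monitoring, check_testing]


def assess(systems):
    """Map each system name to its list of gaps; an empty list means none found."""
    return {s.name: [g for g in (check(s) for check in CHECKS) if g] for s in systems}


def summary(systems):
    """(systems with no gaps, total gaps) for a one-line view of how far off the standard you are."""
    report = assess(systems)
    return sum(1 for gaps in report.values() if not gaps), sum(len(g) for g in report.values())


# Constructed inventory of systems that touch cardholder data.
INVENTORY = [
    InScopeSystem("pos-terminal-1", False, True, True, True, True, ["pos"], True, 30),
    InScopeSystem("payments-db", True, True, True, False, False, ["dba_anna", "dba_raj"], False, 120),
    InScopeSystem("web-checkout", True, True, True, True, True, ["deploy_kim"], True, 45),
]

if __name__ == "__main__":
    for name, gaps in assess(INVENTORY).items():
        print(name, "OK" if not gaps else "\n  - " + "\n  - ".join(gaps))
    print("systems clean / total gaps:", summary(INVENTORY))
```

The output is the artifact an insurer or assessor actually asks for: a per-system list of which numbered requirement is not met, which is also the to-do list for closing the gaps. Steps 4, 6, 9 and 10 (need-to-know restriction, physical access, written policy, staff training) are deliberately not modelled because they are checked by review, not by an automated test.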

Business Size and Compliance 

Once you understand what you need to do to be PCI compliant, you then need to comply with the standards of your business’ merchant status. They are defined as follows:

  • Merchant Level #1 - A business that processes over six million payment card transactions per year.
  • Merchant Level #2 - A business that processes between one million and six million payment card transactions per year.
  • Merchant Level #3 - A business that processes between 20,000 and one million e-commerce payment card transactions per year.
  • Merchant Level #4 - A business that processes fewer than 20,000 e-commerce payment card transactions, and fewer than one million payment card transactions overall, per year.

Since a business with more transactions has more opportunity to mishandle payment card data, it is required to do more to prove compliance than smaller businesses are. Here are the expectations for businesses in each merchant level:

Merchant Level #1

Doing massive business online and otherwise brings with it more responsibility. To maintain PCI compliance, Level 1 merchants need to:

  • Perform a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Allow an Approved Scanning Vendor (ASV) to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #2

As transaction volume decreases, the standards become less stringent. Level 2 merchants need to:

  • Perform a yearly Self-Assessment Questionnaire (SAQ)
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #3

Many medium-sized businesses will fall under this level and need to:

  • Perform an SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #4

The majority of small businesses fall into level #4 status and, like levels two and three, need to:

  • Perform an SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Businesses that are non-compliant will face fines, extra scrutiny, or risk having the privilege of accepting payment cards officially revoked. If you have questions about the particulars of PCI DSS compliance, call the knowledgeable professionals at Coleman Technologies today at (604) 513-9428.

3 Types of Regulations Your Business Should Be Aware Of

Your business is likely subject to certain compliance laws and regulations depending on the type of data you collect from your clients or customers. Today, we want to emphasize the importance of your business considering regulation and compliance when managing its data and IT resources, as without doing so, you run considerable risk.

Consumer Personal Data

You probably collect certain information from your clients and customers, such as their names, emails, phone numbers, and so on. You might use this to provide better service to them, but collecting and holding on to this information means that you are subject to the General Data Protection Regulation (GDPR)—particularly if you collect personally identifiable information or sensitive information like Social Security numbers.

Financial Records and Transactions

You’re in business to make money, and to make money, you have to receive payments somehow, so financial records and transaction ledgers are unavoidable. These might include tax documents, payment card information, bank account details, and so on, and they all require adherence to regulatory requirements. One you’re likely to encounter is the Payment Card Industry Data Security Standard, or PCI DSS, which requires you to protect data from card payments in various ways. This might involve securing your payment portal, protecting and auditing the system, and ensuring that it complies with other laws.

Health and Medical Records

Healthcare and other health-related records are extremely private by nature, so they must be protected per the Health Insurance Portability and Accountability Act, or HIPAA. If you store information on patient demographics, medical history, treatment records, and insurance information, you need to protect it, period. To ensure data is transmitted and stored securely, you can use encryption, access control, multi-factor authentication, and other powerful security measures.

Take Responsibility for Your Data Security

Hackers will always take advantage of businesses that don’t take the time to consider cybersecurity, and when compliance fines and penalties are involved, you cannot afford to slip up. You have to accept the fact that your business is a target, and ready or not, the hackers will launch attacks at you until they get their way.

Coleman Technologies can help your business master cybersecurity and regulatory compliance. Call us today at (604) 513-9428 to learn more.

What Does Compliance Look Like? (It’s Not Easy)

For businesses, one of the scariest threats out there is that of compliance fines for not holding up your end of the bargain with your customers’ data. But what goes into compliance, and what does it look like? We won’t be digging into the nitty-gritty of what these specific regulations require; rather, we’re performing a broad analysis of what businesses should be doing to ensure compliance, regardless of the protocol or the industry.

Some Common Core Principles

Even though there are plenty of industry-specific standards and regulations you need to comply with, these regulations usually have several core principles in common:

  • Transparency - Your customers have a right to know what data you collect, how you use it, and who you share it with.
  • Consent - Never collect data from customers (or worse, sell it) without their consent. This is especially the case with personal data or sensitive information.
  • Data minimization - While having a lot of data on your customers can be useful for sales, marketing, and so on, only collect and retain data that you need, and only for as long as you have a specific, legitimate purpose for holding on to it.
  • Data security - This is honestly a no-brainer; if people are going to trust your business with their data, it’s your obligation to protect it to the best of your ability. This means protecting data from unauthorized access, whether that is an outside attacker or an insider with no business need to see it.
  • Individual rights - Remember, you’re collecting the data of customers, people who have trusted your business, so the least you can do is respect their rights to access, correct, and delete their personal data and to restrict what you do with it.

Again, the requirements vary by industry, but most businesses (if not all) should anticipate adhering to regulations that require the above, at a bare minimum.

What You Can Do to Ensure Compliance

While the above might paint a broad picture of compliance, we assure you it’s much better to be safe than sorry.

We recommend that you take inventory of all the data your business collects, as well as what it’s used for, where it’s stored, and who can reach it. Once you’ve done that, implement any security measures you’re lacking, whether that means strong passwords, encryption, unified threat management, or endpoint protection. All employees should also be well-versed in your business’ data privacy policies and security expectations, so implement a training schedule that’s reinforced with regular reviews.
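The inventory step above is harder than it sounds, because regulated data rarely stays in the system it was collected in: card numbers end up in support tickets, e-mail addresses in spreadsheets. The script below is an added example, not tooling from this article or from Coleman Technologies, of the kind of discovery check that supports both the data inventory described here and the PCI DSS obligation discussed earlier to know where cardholder data lives. It finds candidate card numbers and e-mail addresses in text, uses the Luhn checksum to discard invoice numbers and other digit runs that merely look like cards, and records only a masked form of each card number so the inventory itself does not become another copy of cardholder data. The sample text and the e-mail address in it are constructed; the two card numbers are the publicly known Visa and American Express test numbers.

```python
"""Data-inventory helper: locate likely payment card numbers (PANs) and
e-mail addresses in text so you know where regulated data actually lives.
Added example for this article, not Coleman Technologies' own tooling."""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (dates and phone numbers are shorter).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class Finding:
    kind: str    # "pan" or "email"
    line: int    # 1-based line number in the scanned text
    value: str   # masked PAN, or the e-mail address


def luhn_ok(digits: str) -> bool:
    """Luhn checksum that every payment card number satisfies.
    Filters out most invoice numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, which PCI DSS permits to be
    displayed; everything in between is replaced so the report is safe."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every Luhn-valid card number (masked) and e-mail address
    found in `text`, with the line it appeared on."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding("pan", line_no, mask_pan(digits)))
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", line_no, m.group()))
    return findings


# Constructed sample, not real customer data. The two card numbers are the
# publicly known Visa and American Express test numbers; the 16-digit
# invoice number and the mistyped card both fail the Luhn check.
SAMPLE = """Invoice 1234567890123456 paid by card 4111 1111 1111 1111 on 2024-01-15.
Contact: jane.doe@example.com, phone (604) 555-0100.
Order ref 4111-1111-1111-1112 (mistyped card, fails the checksum).
Shipping note: 378282246310005 on file."""


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.value}")
```

Run against the sample it reports the Visa number on line 1, the e-mail address on line 2, and the American Express number on line 4, and nothing else. In practice you would feed it exported mailboxes, shared-drive files, and database dumps, and treat every hit outside your payment system as data to delete or move, not just to note.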

Taking data privacy seriously isn’t easy, but we have a solution that makes it a lot easier.

We Can Help You Protect Your Data

IT plays a significant role in compliance, specifically when it comes to data security.

All businesses collect personal information in some regard, whether it’s the personal information of their employees, the payment credentials of their customers, or the health insurance documentation employees need to receive care. You need to keep this data safe. Thankfully, you can do it with ease thanks to our security solutions.

To get started taking compliance seriously (and you should), give Coleman Technologies a call at (604) 513-9428 today.

Your Business Can’t Afford to Forego Security Auditing

While the word “audit” can easily be a scary thought for businesses, there are certain cases where an audit serves an organization’s direct benefit. Take, for instance, the ones that occur internally to identify and correct security issues and vulnerabilities. These audits are not only a positive endeavor for businesses; they’re extremely important to carry out.

Let’s talk about why this is and review a few standard practices you should prioritize as you go about this process.

First, What is a Security Audit, and Why Is It So Important?

As you would expect, a security audit reviews and analyzes a business’ protections against modern threats. It is meant to identify existing vulnerabilities and indicate where a business needs to improve its protections.

Hopefully, the reason it is so important is already clear, but just in case:

A security audit enables a business to understand its real-life risks better and improve its protections more effectively.

More specifically:

  • An audit helps you find and resolve digital vulnerabilities in your infrastructure
  • You also get insights into your business’ security and ways to improve it overall
  • Auditing your security preparedness also helps you keep pace with evolving threats
  • Taking the initiative to identify and improve these vulnerabilities helps you inspire trust in your clients/customers
  • Many compliance standards that businesses are beholden to are more easily followed with the help of an audit
  • The information gleaned during an audit can help you develop more effective security policies moving forward
  • Cyberattack preparedness and response can also be informed by data collected in an audit

What Kinds of Security Audits Are There?

First, audits can be separated by who is conducting them. Internal audits are conducted by members of the business being audited, and external audits involve a third party evaluating the business’ security preparations. Each has its own benefits and drawbacks, so undergoing both to the best of your ability will probably be ideal.

Whomever it is that is carrying out the audit, there are five security umbrellas that it should cover:

  1. Data - How protected is your data and access to it, whether at rest in a technology infrastructure or in transit?
  2. Operational - When examining your data loss prevention strategies, does every policy and procedure meet applicable best practices?
  3. Network - Are your network-wide security controls actually effective, including your antivirus and monitoring strategies? 
  4. System - What processes and procedures are in place regarding account privileges and their management, patching, or role-based access controls?
  5. Physical - How are your premises and hardware protected, and when your team uses their devices, what requirements (access controls, authentication measures, and on-device data protections) must they meet to access your network securely?

How to Optimize Your Security Audits

There are a few things that all of your audits should involve to help ensure you get as much value as you can from each of them. For instance:

Set Goals

While a security audit can and should cover various aspects of your business security, you should go into it with specific objectives in mind. How well does your network security operate? What vulnerabilities do you need to resolve? Having a goal in mind for your audit can help you better understand and approach different shortcomings as they are identified.

Communicate With Your Auditor

Whether an internal resource or an external provider like Coleman Technologies is conducting your evaluation, you must reiterate the goals we just discussed as well as some of your business’ more specific needs… particularly concerning your compliance. While your auditor should already know what to look for, communicating with them can only be helpful.

Act on the Information

Evaluating your existing security measures and not making any changes based on the results would be a waste of time and money. Make sure you consider your audit's outcome completely, lean on an IT professional for assistance, and make the adjustments they recommend.

We Can Be Here for You

If you worked with us, you’d have access to a team of technology experts committed to helping your business’ IT—and, by extension, your business—thrive, focusing on both productivity and security. To learn more about what we can offer, call us at (604) 513-9428.

The Truth About Compliance and Cybersecurity

IT Security

Let’s start with IT security, because it’s undeniably important if you want to maintain not just regulatory compliance but control of your business on your own terms. IT security, like the act of complying with regulations, is an exercise in risk mitigation. In the case of IT security, the risks are many and complex: operational risk such as downtime; the risk of system compromise by hackers and other outside entities trying to break in and gain access to your assets; and internal risk to physical systems, central computing infrastructure, and every endpoint on the network.

In IT security, the amount of risk dictates what action is necessary, because waiting to react to problems after they occur isn’t a viable option. When protecting your network from threats, you will therefore have to be far more thorough in your attention to detail than even the strictest compliance standard would require.

IT Compliance

Compliance is also about minimizing risk, but staying compliant is more about following set-in-stone rules than about keeping systems secure. Most regulations handed down by a government entity, a third-party security framework, or a customer contract have very specific requirements. This gives network administrators a punch list of tasks that must be completed to keep the organization’s IT compliant with its various mandates.

Where compliance does address digital asset security, many regulations are written to keep risky behavior from being introduced, while others are very specific about which data and which systems need protection. Some regulations barely touch the IT infrastructure at all, dictating only that the business purchase compliant hardware.

Where Your Company Stands

Compliance standards typically depend on which vertical market your business operates in, or more precisely on how it uses sensitive information in the course of doing business. That says nothing about your organization’s complete IT security strategy. Keeping all of your digital (and physical) assets secure requires a dedicated plan, especially since today the user is the most common breach point.

Given that, a business operating under the watchful eyes of a regulatory body needs to understand that it can be fully compliant and still be at risk. Beyond meeting the compliance standards your industry’s regulatory mandates set forth, you need a cybersecurity strategy that prioritizes the ongoing training of your endpoint operators.

At Coleman Technologies, our technicians are experts in modern compliance standards and cybersecurity. Our team can work to simultaneously build an IT infrastructure, the policies to govern that infrastructure, and the endpoint monitoring and protection solution that will keep your business secure from threats, while also being compliant to any mandated regulations your business is under. Call us today at (604) 513-9428 to learn more.

About Coleman Technologies

Coleman Technologies has been serving the British Columbia area since 1999, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.

Contact Us

20178 96 Ave C400
Langley, British Columbia V1M 0B2

Mon to Fri 7:00am–5:00pm

[email protected]

(604) 513-9428
