In today's business environment, a whole host of incidents can interrupt a company's daily operations. However, with constantly rising client demands, businesses cannot afford any stumbles, even for a moment. This is where business continuity and disaster recovery (BCDR) plans come in, and they are becoming increasingly critical to implement before a disaster strikes.

Why is BCDR planning so important?
So many different kinds of events can have a negative impact on an organization's ability to function, and not all of them occur in the digital sphere. Inclement weather, a fire or a break-in could make the company's office uninhabitable for an extended period of time. In this type of event, it is key that the business has a plan for how to remain up and running.

"Since all of the risk cannot be eliminated, companies are implementing disaster recovery and business continuity plans to prepare for potentially disruptive events," noted Ideal Integrations. "In the event of a disaster, the continued operations of your company depend on the ability to replicate your IT systems and data."

A BCDR plan includes all relevant aspects of an organization's technology infrastructure, and will also outline what preparations employees should make ahead of time, how the group will respond to the event at hand, and what steps will be taken to restore business processes.

While BCDR planning is key for any size enterprise, Clare Computer Solutions contributor Bruce Campbell pointed out that it is especially important for small to mid-size companies. Statistics from the Insurance Information Institute show that 40 percent of all SMBs close their doors for good after suffering a disaster. Additionally, Symantec research found that many organizations don't currently have a BCDR plan in place, leaving them unprepared to deal with any kind of damaging event.

"Financial ruin can be avoided by spending time creating a plan that is well thought out and regularly updated," Campbell wrote.

What to include in BCDR plans
Overall, Campbell advised that any policies or arrangements connected with BCDR be centered around keeping employees productive through the availability of phone lines, Internet, company information and applications. In this regard, connectivity is key: the organization must be able to reach the technology-based resources that are critical to its function in today's business environment.

Campbell recommended including five important elements in BCDR plans:

  1. Data backups and remote information storage access
  2. Replacement communication avenues - phone, email and Internet
  3. Designated key employees that will help implement and foster the plans
  4. A predetermined offsite location for physical hardware elements
  5. A list outlining the specific jobs workers will be responsible for

As it is nearly impossible to perform regular tasks without the proper technology in place, one of the most vital parts of BCDR plans is a partnership with a hosting provider that can ensure the availability of mission-critical systems from any location. With Hostway BCDR solutions in place, company leaders need not worry about accessing important content from outside the office, allowing them to instead focus on keeping operations humming along in the face of a disaster.

With the help of Hostway, ConvergeDirect was able to establish a second home in Tampa, Florida just for disaster recovery.

In today's corporate environment, disaster recovery is a must. With so much riding on the availability of online resources, like business applications and other mission-critical platforms, companies cannot afford to have these components go down. When items like this become inaccessible due to a natural disaster, utility outage or other event, business processes stall, causing considerable losses in productivity and potential revenue.

For this reason, the majority of enterprises now have continuity and disaster recovery plans in place to ensure that – no matter what happens – critical business resources will remain available to staff members. In fact, a Regus study found that more than half of all small businesses and nearly three quarters of large organizations have business continuity plans in place to guarantee the return of services within 24 hours.

ConvergeDirect adds second location in Florida
Among the firms with plans in place for disaster recovery is ConvergeDirect, a marketing firm offering an array of advertising services. The company looked to bolster its DR approach with the addition of a new site in Tampa, Florida, which would be dedicated to business continuity.

However, during the establishment of this second home, the company ran into a number of challenges. Thankfully, Hostway – which also handled ConvergeDirect's database, web and hit-tracking servers – was standing by with a solution. Hostway's expert engineers recommended the most optimal disaster recovery arrangement that would strike the balance ConvergeDirect was looking for – being adequately prepared while still keeping within the budget.

"Hostway was able to figure out what we would need to keep running in case of a disaster... until our regular production service was up and running," noted Jason Schalz, ConvergeDirect's system architect and technical team leader.

Best of all, the disaster recovery configuration Hostway provided allowed ConvergeDirect to spend much less than they anticipated for establishing a secondary site especially for business continuity purposes.

To find out more about the Hostway DR system ConvergeDirect leverages, and all the benefits it provided the company, take a look at our case study.

Safe banking

Any e-commerce site needs to be able to demonstrate PCI DSS compliance. Validating your company's compliance requires testing your security policies, network configurations and internal procedures. This can involve verifying the capabilities of business facilities, system components and third-party service providers.

Hostway's allies at SilverSky provided these five tips for businesses considering beginning a PCI assessment:

Engage a QSA: Engaging a Qualified Security Assessor (QSA) early in the process can save you time, money and effort, especially if it is your initial foray into PCI compliance. A QSA can eliminate the guesswork by helping you understand the requirements as they relate to your business, the intent behind specific controls, and whether a compensating control could suffice. They can review the practices you already have in place to help you determine the key areas on which you must focus to bridge the gap to compliance. Another useful tool if you are just getting started is the PCI Prioritized Approach, which can be found on the PCI Council's website.

Limit the Scope: Minimizing the scope of your PCI environment is one of the most advantageous moves towards simplifying audits and ongoing PCI compliance management. While network segmentation technically isn’t a requirement, it permits you to consolidate and isolate the portions of your network that are necessary for transaction processing from the rest of your environment. This practice also reduces risk by making the target smaller and access easier to manage, track and control; this in turn limits exposure. Start with the cardholder data. Do you need it? If you don’t, then don’t store it. If you do, consolidate and isolate it.

It’s Not Just an IT Thing: The cardholder data environment is comprised of people, processes and technologies that store, process or transmit cardholder data. All too often, we get hung up on the technology alone as the solution to all our problems. To implement a strong and continuous compliance and security program, you must have executive business and IT sponsorship. The daily tasks that must be performed should be embedded in the overall security program and business practices. With the right executive sponsorship, security and compliance can become a streamlined process instead of a burden – and it’s also the responsible thing to do for your company and your customers.

Validate Your Service Providers and Vendors: You can't outsource accountability. Ultimately, your organization is responsible for your PCI compliance. Good partnerships can certainly help you get there. However, it is your responsibility to validate your service providers and vendors. Depending on the services provided, their ability to demonstrate compliance will be critical for you to pass an audit. A good partner should be able to clearly delineate the lines of responsibility and make the due diligence process easy for their customers. Beyond compliance, many notable security breaches have occurred because a third-party vendor was compromised and its access used as a path into the real target.

Continuous Monitoring and Reporting: An audit is a point-in-time activity; securing your environment is a 24/7/365 endeavor. Active security event monitoring, reviewing logs and real-time reporting are crucial in identifying security incidents and minimizing the impact. You can’t control what you can’t measure. While reports are crucial during an audit, they are also very important to continuously gauge the effectiveness of your program. Reports are the yardstick that lets you measure how you’re stacking up. In addition to making your auditor happy, strong reports help maintain executive sponsorship by demonstrating the results of their investment in the program to secure the network and exceed compliance.

With these concepts adopted, you're well on your way to PCI compliance.

Another healthcare provider has been given a costly reminder of the value of data security.

Publicly traded hospital operator Community Health Systems admitted in a Securities and Exchange Commission filing that names, Social Security numbers and addresses for 4.5 million patients were compromised by cyberattackers from April to June of this year.

According to the breach statistics maintained by the U.S. Department of Health and Human Services Office for Civil Rights, this ranks as the second largest theft of patient data reported to date.

The Health Insurance Portability and Accountability Act (HIPAA) governs protection of such personal data. Civil penalties run up to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision; because a single breach can implicate several provisions across several years, there is no overall maximum.

This incident can serve as a reminder to all healthcare entities that data security cannot be overlooked. HIPAA compliance is a crucial issue for the entire industry. Liability for compliance extends beyond healthcare companies to all “business associates” of these entities who handle protected health information.

To view a list of CHS hospitals and clinics, visit this link.

If HIPAA compliance is among your company's concerns, discuss with our consultants how to protect yourself and your data.

Hurricane season is upon us, but do you know what your business continuity plan entails? Larger catastrophes like Hurricane Sandy prove that a single natural disaster can yield up to $25 billion in lost business activity. More recently, the 2014 ice storm that crippled Atlanta and the late-April severe flooding in Pensacola, Florida (the state's heaviest rains in 130 years) similarly struck business owners where it hurts most: their wallets.

In today’s “Internet-always” economy, where even social media is being harnessed for crisis management efforts, you have to have precautions in place. If you rely primarily on web-based applications to run your business, you need to guarantee your Internet is always up and running. In such a case, the cloud would be a great place to start your business continuity plan.

Research shows that your competitors are likely taking this step, too.  The adoption of cloud for disaster recovery and business continuity grew from 17.9 percent to almost 30 percent from mid to late 2013 – and that number is only growing.

Your first step should be choosing a trusted cloud hosting provider to help you in the process. Between integration and interoperability issues, you need a quality partner that will help you every step of the way. Knowing your needs will play a critical role in determining what works best for you. Here’s what you should generally look for in a cloud hosting provider:

Downtime in any form can cause serious, often irreversible damage, but there's no need to worry when you have a trusted hosting provider backing you up, literally.

The HTTPS lock icon we're all used to trusting in our browsers hasn't been as trustworthy as we'd like to believe.

Since Codenomicon and Google publicized the OpenSSL implementation bug known colloquially as Heartbleed, two questions have come to the forefront for every Internet user: which sites have been compromised, and what do I need to do about it?

OpenSSL, an open-source cryptographic library whose development began in 1998, has carried the bug since the heartbeat code was committed on December 31, 2011. The flaw shipped in OpenSSL 1.0.1 (March 2012) and remained through 1.0.1f, which means that a large share of production servers running the most widely used TLS library are vulnerable. Version 1.0.1g fixes it.

Apache Tomcat users running the APR/native connector are also exposed, because the Tomcat Native library is built on OpenSSL. Apache today released information on mitigating the Heartbleed vulnerability.

In total, it is believed that 17 percent of all SSL web servers can currently leak purportedly secured information: each malicious heartbeat request can return up to 64 KB of the server's memory, which may contain session cookies, passwords and even the server's private key. These affected sites reportedly include Twitter, Yahoo, Tumblr, Steam, Dropbox and many more of the most popular URLs on the Internet. Among those, Tumblr has already reacted by advising all users to change their passwords.
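The mechanics behind the "leak up to 64 KB" figure are simple enough to model in a few lines. The following is an added example written for this page, a Python simulation rather than OpenSSL's own C code: the TLS heartbeat layout (one type byte, a two-byte payload length, the payload, then 16 bytes of padding) is real, but the "process memory" and the secret placed next to the received record are constructed for the demonstration. The vulnerable responder trusts the length field inside the message; the patched one applies the bounds check that OpenSSL 1.0.1g added.

```python
"""Model of the Heartbleed (CVE-2014-0160) bounds-check failure.
Added example: a Python simulation, not OpenSSL's own code. The heartbeat
layout is real; the memory buffer and SECRET are constructed."""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16


def build_heartbeat(payload, claimed_len=None):
    """Encode a heartbeat request. claimed_len lets a malicious client state a
    payload length larger than the number of bytes it actually sends."""
    if claimed_len is None:
        claimed_len = len(payload)
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + b"\x00" * PADDING)


def vulnerable_respond(memory, rec_off, rec_len):
    """Pre-1.0.1g behaviour: trusts the length field inside the message and
    copies that many bytes from the payload pointer, reading past the record."""
    if memory[rec_off] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack(">H", memory[rec_off + 1:rec_off + 3])[0]
    pl = rec_off + 3
    copied = bytes(memory[pl:pl + payload_len])  # the unchecked memcpy
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len)
            + copied + b"\x00" * PADDING)


def patched_respond(memory, rec_off, rec_len):
    """1.0.1g behaviour: silently discard the message unless the claimed
    payload, plus header and padding, fits inside the record actually received."""
    if 1 + 2 + PADDING > rec_len:
        return None
    if memory[rec_off] != HEARTBEAT_REQUEST:
        return None
    payload_len = struct.unpack(">H", memory[rec_off + 1:rec_off + 3])[0]
    if 1 + 2 + payload_len + PADDING > rec_len:
        return None
    pl = rec_off + 3
    copied = bytes(memory[pl:pl + payload_len])
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len)
            + copied + b"\x00" * PADDING)


# Constructed "heap": the received record followed by leftovers of an earlier
# request that happened to sit next to it in memory.
SECRET = b"Cookie: session=9f3a...; Authorization: Basic YWRtaW46aHVudGVyMg=="


def make_memory(record):
    return bytearray(record + SECRET + b"\x00" * 512)


def demo():
    """Return (vulnerable_leaks_secret, patched_rejects, honest_request_ok)."""
    malicious = build_heartbeat(b"hi", claimed_len=300)   # says 300, sends 2
    mem = make_memory(malicious)
    leaked = vulnerable_respond(mem, 0, len(malicious))
    rejected = patched_respond(mem, 0, len(malicious))
    honest = build_heartbeat(b"hi")
    ok = patched_respond(make_memory(honest), 0, len(honest))
    return (SECRET in leaked, rejected is None,
            ok is not None and ok[3:5] == b"hi")


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The important detail is that the vulnerable path is not a write overflow: nothing crashes and nothing is logged, the server simply echoes back whatever happened to follow the request in memory, which is why the advice below stresses that you cannot tell after the fact whether a given server was exploited.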

On the website-operator end, Hostway has determined that 4 percent of Hostway’s total server count may have been affected by this OpenSSL issue, and has contacted each customer regarding steps to become more secure.

While affected sites are busy reissuing their security certificates to rectify the situation, Internet users are left wondering what they should or can do about the issue. Here are three tips on staying safe:

Firstly you can use this site to determine if a site is vulnerable. But it may be best to proceed as though all your accounts have been compromised. Here's a handy list of major sites, if they were vulnerable, if they've acted, and if you should do anything yet.

Secondly, it's important to note that changing your password before a site corrects the issue does not address the problem: the new password can be leaked just as the old one was. Major websites subject to the vulnerability will likely publicize their response; once they confirm that they have patched OpenSSL and reissued their certificates, change your password there. OpenSSL has already fixed the bug in version 1.0.1g.

Finally, a successful Heartbleed read leaves nothing in the server's logs, so it will be impossible to determine whether attackers intercepted user passwords in the interim unless a problem surfaces later. So until you get the all-clear, don't log in to affected sites at all. With the vulnerability as high-profile as it is, attackers are certainly aware of the opportunity to exploit it.

So while you’re waiting to browse the web and figuring out how to generate new passwords, check out xkcd’s advice on the subject.

Importance of HIPAA

Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996, businesses that handle medical data and records have been placed under increased scrutiny, which was only enhanced by the addition of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009. The cost of non-compliance is high. Businesses found in violation of HIPAA could be forced to pay fines ranging from $100 to $50,000 per violation, with an annual maximum of $1.5 million.

With those figures in mind, forward-thinking businesses must act to ensure HIPAA compliance. But even with stringent regulations in place, many do not. While it takes dedicated effort and a financial investment to ensure HIPAA compliance, the investment is truly worthwhile.

Recently, AHMC Healthcare, a six-hospital organization based in California, reported a HIPAA breach that affected 729,000 patients. An unencrypted laptop containing sensitive patient information was stolen from a facility, the company reported, and the thieves made off with patient names, Medicare data, medical diagnoses, and insurance and payment information. It’s safe to say those patients are not too happy with their healthcare provider or its security measures, and it underscores the need for a better solution.

AHMC Healthcare is not a unique case; healthcare providers around the country have experienced similar situations, through theft, hacking or employee error (for example, erroneously sending patient information via email). While it takes dedicated effort, and a financial investment, to make sure your company is HIPAA-compliant, the cost of non-compliance can be a lot higher.

Why is HIPAA Compliance Important?

HIPAA was enacted to prevent healthcare fraud and to ensure that Protected Health Information (PHI) is accessible only to authorized individuals and is shared securely between authorized professionals only.

With the use of electronic medical records (EMR) on the rise, healthcare companies need to protect their networks with security safeguards to prevent breaches that release sensitive information. Unfortunately, many companies lack the technological expertise or experience needed to address HIPAA mandates and avoid hefty fines, because doing so typically requires a skilled internal team to manage compliance, plus external IT resources and auditing staff. Providers that lack the funding and resources to put compliance controls in place are exposed twice over: they face financial penalties if protected data is breached, and fines if their compliance program does not pass an audit.

Why is HIPAA Important to Healthcare Organizations and Patients?

No healthcare organization wants their sensitive data to get into the wrong hands. But without HIPAA, patients and the public would have no recourse if healthcare facilities and organizations weren’t properly securing their sensitive data.

HIPAA requires healthcare organizations to manage who has access to patient health data, restricting who can view it and who it can be shared with. This helps to give more order to how data is managed in the healthcare system, and gives individual patients, and the public, more protection and more control over healthcare records and data.

Is Your Business HIPAA Compliant?

HIPAA does not provide an easy checklist of requirements that healthcare providers must meet in order to ensure HIPAA compliance. Rather, the act's vague terminology leaves many confused about whether or not they are compliant. This is where managed security providers come in, assuming control of network security and ensuring compliance with all aspects of the law. This allows healthcare companies to focus on their bread and butter while a team of experts keeps their networks—and the data that runs across it—safe.

Hostway HIPAA Essential meets all specifications of the law, as well as those relating to the HITECH Act. By implementing Hostway HIPAA Essential, business owners can rest assured that patients’ sensitive information is protected, avoiding costly fines and the ire of patients.

SOURCES
http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
http://www.healthcareitnews.com/news/HIPAA-breach-brings-bad-news-for-729,000

It's no surprise that American public schools are facing tightened budgets; every community is currently crunching its numbers, trying to squeeze as much as it can into a shrinking budget. So cloud computing, with its plethora of learning and administrative applications and cost-effective nature, is a perfect fit for schools, which spend an estimated $7.9 billion on educational software, according to the Software & Information Industry Association.

A new study from the Center on Law and Information Policy at Fordham University Law School indicates that 95 percent of school districts rely on cloud services for a diverse range of functions, including data mining related to student performance, support for classroom activities, student guidance, data hosting, and special services like cafeteria payment plans and transportation scheduling.

But are schools educated enough about the cloud to ensure the privacy of students? According to the Fordham study, many school districts might not fully grasp the implications of outsourcing data handling, or they don't have enough negotiating power to insist on contracts that restrict the use of their information. Much of the issue lies not with technology and IT, but rather with contracts; while technology is growing by leaps and bounds, contract language doesn't adequately reflect these rapid changes.  Consider these statistics from the Fordham study:

So what can school districts do to better protect the privacy of their students and achieve compliance with child-protection mandates like COPPA (Children's Online Privacy Protection Act), while still being able to take advantage of flexible, cost-effective cloud-based technologies? Working with a trusted managed hosting provider, schools can make great strides by following these three recommendations when approaching the privacy of their students:

The cloud is a cost-effective and efficient way for schools to utilize the latest technologies and applications. With clear privacy policies in place, districts can also guard the privacy of their students and truly have the best of both worlds.

For many of us, it's automatic to keep our doors and windows locked while running an errand or at work in order to prevent burglars from gaining easy access to our homes. These locks serve as safeguards that protect our assets.

When it comes to your network, it’s important to use similar care to keep unauthorized people from accessing your critical business information. Just like a door has its locks, a network can be protected by firewalls and intrusion detection and prevention systems (IDPS).

Typically, networks have hardware- or software-based firewalls that serve as gatekeepers for traffic. This technology examines each connection to determine whether it is allowed to enter or exit a secure network. A network lacking a firewall could easily become infected with malware, viruses or other damaging programs that steal information and slow down networks, compromising their integrity.

Firewalls, however, are not the be-all and end-all of network security. A traditional packet-filtering firewall admits or rejects traffic on a few basic attributes: port, protocol and IP address. That eliminates much of the 'noise' of the Internet, but it offers little protection against attacks carried inside traffic it has already allowed, because it does not inspect the content of that traffic; an exploit aimed at a web application arrives on port 80 or 443 and looks like any other request to a port-based rule. This is why it is important to take your security a step further and integrate an IDPS into your network. Such systems act as a further layer of prevention against unwarranted access and attacks. With a capable IDPS engine, monitored 24/7/365 by trained security engineers, you gain visibility into the traffic your firewall lets in.

A network is only as secure as its most vulnerable point. With that in mind, a strong IDPS detects threats and characterizes them, and that analysis is used to strengthen the network and prevent similar subsequent attacks. Generally, an IDPS detects attacks, records them and reviews them over time to identify persistent offenders. Deployed inline as an intrusion prevention system, it can also block an attack before it reaches the target host rather than merely alerting after the fact. One caveat: signature-based inspection only catches what it has a signature for, and it cannot see inside encrypted traffic unless TLS is terminated in front of it, so the rule set needs tuning and the alerts need reviewing or the system becomes noise of its own.
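To make the division of labour concrete, here is an added example (written for this page, not code from any firewall or IDPS product) that models both layers in Python: a port/protocol/address filter in front, then signature-based payload inspection on whatever the filter admitted. The addresses, the "packets" and the three detection signatures are constructed for the demonstration; the point it shows is that a SQL injection or Shellshock probe on port 80 passes the firewall untouched and is only caught by the inspection step.

```python
"""Two-layer model: a stateless packet filter followed by signature inspection.
Added example with constructed traffic; not a real firewall or IDPS rule set."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str        # source IP address
    dst_port: int   # destination TCP/UDP port
    proto: str      # "tcp" or "udp"
    payload: bytes  # application data


# Layer 1: what a port-based firewall can decide on.
FIREWALL_ALLOW = {("tcp", 80), ("tcp", 443)}
FIREWALL_DENY_SRC = {"203.0.113.9"}   # constructed address from TEST-NET-3


def firewall_allows(pkt):
    """Admit only allow-listed protocol/port pairs from non-blocked sources.
    The payload is never looked at here."""
    if pkt.src in FIREWALL_DENY_SRC:
        return False
    return (pkt.proto, pkt.dst_port) in FIREWALL_ALLOW


# Layer 2: what an IDPS looks for inside the traffic the firewall admitted.
# Deliberately small signatures; a real engine has thousands and decodes
# protocols rather than regex-matching raw bytes.
IDPS_SIGNATURES = {
    "sql-injection": re.compile(rb"(?i)('|%27)\s*(or|union)\s"),
    "path-traversal": re.compile(rb"\.\./\.\./"),
    "shellshock": re.compile(rb"\(\)\s*\{\s*:;\s*\};"),
}


def idps_inspect(pkt):
    """Return the names of every signature that matches the payload."""
    return [name for name, sig in IDPS_SIGNATURES.items() if sig.search(pkt.payload)]


def process(packets):
    """Run each packet through both layers and return a verdict per packet:
    'dropped-by-firewall', 'blocked-by-idps:<signatures>' or 'allowed'."""
    verdicts = []
    for pkt in packets:
        if not firewall_allows(pkt):
            verdicts.append("dropped-by-firewall")
            continue
        hits = idps_inspect(pkt)
        verdicts.append("blocked-by-idps:" + ",".join(hits) if hits else "allowed")
    return verdicts


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    Packet("198.51.100.7", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    Packet("198.51.100.7", 22, "tcp", b"SSH-2.0-OpenSSH_6.6"),                 # wrong port
    Packet("203.0.113.9", 80, "tcp", b"GET / HTTP/1.1\r\n\r\n"),                 # blocked source
    Packet("198.51.100.8", 80, "tcp", b"GET /item?id=1' OR 1=1-- HTTP/1.1\r\n\r\n"),
    Packet("198.51.100.8", 80, "tcp",
           b"GET /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /bin/ls\r\n\r\n"),
    Packet("198.51.100.9", 443, "tcp", b"GET /../../etc/passwd HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, process(SAMPLE)):
        print(f"{pkt.src}:{pkt.dst_port} -> {verdict}")
```

Note that the last packet is on port 443: in a real deployment it would be TLS, and the inspection step would see only ciphertext unless decryption happens in front of the sensor, which is the caveat raised above.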

In today’s fast-paced business world, you simply cannot afford to have your data compromised. With so much on your plate, you don’t have the time to worry about intruders in your network and the damage that can be done to your business information and your company’s reputation. Arm yourself with an IDPS behind a strong firewall – give your network the weapons it needs to fight off attacks and function as intended.

Source
http://www.linuxforu.com/2011/01/importance-of-intrusion-prevention-systems/

The PCI Security Standards Council released a new set of requirements, PCI DSS 3.0, in November 2013. According to the Council, the changes were designed to "help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility." We at Hostway and SilverSky thought it would be helpful to deep-dive into specifics of the new requirements and discuss what they mean to our customers in the retail industry. Here are the new PCI 3.0 requirements, along with guidance about what each requirement means to you:

New PCI Requirement
5.1.2 – Evaluate evolving malware threats for any systems not considered to be commonly affected

SilverSky Guidance
Certain systems (mainframes, mid-range computers, etc.) were not traditionally affected by malware. However, these systems could potentially be at risk due to evolving malware threats, and you need to perform periodic evaluations in case these systems require protection in the future.

This is unlikely to apply to the average small to mid-size retailer. However, when discussing PCI solutions with Hostway and SilverSky, our experts can help you determine if you have any systems that may be at risk and provide guidance on how to address these risks.

New PCI Requirement
8.2.3 – Combined minimum password complexity and strength requirements into one, and increased flexibility for alternatives

SilverSky Guidance
For this requirement, the customer bears the responsibility for setting and enforcing sufficient password policies for their employees. Make sure to require a minimum length of seven characters and include both numeric and alphabetic characters in order to meet minimum requirements.

SilverSky’s E-Security Training course helps promote employee security awareness, including the importance of sufficient passwords. Our web-based course can help you reduce security risk and meet compliance requirements at a much lower price than alternative options.
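Requirement 8.2.3 states the rule in two parts: a literal minimum (at least seven characters, containing both letters and digits) and an alternative clause allowing passwords or passphrases of at least equivalent complexity and strength. The following added example, written for this page and not SilverSky's training material, enforces the literal rule and then estimates whether a non-conforming password still meets the equivalent-strength bar. The equivalence test is this example's reading of the clause (the keyspace of the weakest shape the literal rule accepts, seven alphanumerics, as the baseline); whether that reading satisfies your assessor is a question for your QSA.

```python
"""Password policy check for PCI DSS 3.0 requirement 8.2.3.
Added example. The literal rule is from the requirement; the keyspace-based
"equivalent strength" alternative is this example's interpretation."""
import math
import string

MIN_LEN = 7
ALNUM = string.ascii_letters + string.digits
# Weakest shape the literal rule accepts: 7 characters from 62 symbols (~41.7 bits).
BASELINE_BITS = MIN_LEN * math.log2(len(ALNUM))


def meets_literal_rule(pw):
    """At least seven characters, with at least one letter and one digit."""
    return (len(pw) >= MIN_LEN
            and any(c in string.ascii_letters for c in pw)
            and any(c in string.digits for c in pw))


def estimated_bits(pw):
    """Upper-bound strength estimate: length times log2 of the pool implied by
    the character classes present. Dictionary words score far better than they
    deserve, so in production pair this with a breached-password list check."""
    pool = 0
    if any(c in string.ascii_lowercase for c in pw):
        pool += 26
    if any(c in string.ascii_uppercase for c in pw):
        pool += 26
    if any(c in string.digits for c in pw):
        pool += 10
    if any(c not in ALNUM for c in pw):
        pool += 33   # printable punctuation plus space
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw):
    """Return (accepted, reason). Accept on the literal rule first, then on
    the equivalent-strength alternative."""
    if meets_literal_rule(pw):
        return True, "meets 8.2.3 literal rule"
    bits = estimated_bits(pw)
    if bits >= BASELINE_BITS:
        return True, "equivalent strength (%.1f bits >= %.1f)" % (bits, BASELINE_BITS)
    return False, "too weak (%.1f bits < %.1f)" % (bits, BASELINE_BITS)


if __name__ == "__main__":
    for candidate in ("abc1234", "abcdefg", "1234567", "correcthorsebatterystaple"):
        print(repr(candidate), check_password(candidate))
```

With this policy a seven-letter, no-digit password is rejected (about 33 bits), while a long all-lowercase passphrase is accepted under the alternative clause. Length is doing the work in the second case, which is the point of the added flexibility.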

New PCI Requirement
8.5.1 – For service providers with remote access to customer premises, use unique authentication credentials for each customer

SilverSky Guidance
This requirement was added to the PCI code in response to a data breach incident in which a vendor used one password for all customers. With just this one password, a hacker was able to compromise multiple accounts.

This requirement applies to any service provider with remote access to your on-premises systems (for example, POS companies that have access for support purposes). These third-party service providers are responsible for meeting this requirement, but you should make sure that they are complying with the rule; after all, it's still your data and reputation at risk.

New PCI Requirement
8.6 – Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), these must be linked to an individual account and ensure only the intended user can gain access

SilverSky Guidance
Linking authentication mechanisms to individual accounts prevents them from being used by multiple people. This reduces the risk that an unauthorized individual can gain access to critical data via the authentication mechanisms.

Hostway’s partner, SilverSky, provides authentication mechanisms to our PCI Complete customers via Managed VPN and multi-factor authentication. However, it is up to you to ensure that these are assigned to one person only and not shared.

New PCI Requirement
9.3 – Control physical access to sensitive areas for onsite personnel, including a process to authorize access, and revoke access immediately upon termination

SilverSky Guidance
Restrictions on physical access to data are required to limit the chances of unauthorized personnel obtaining sensitive data. This includes monitoring the access levels of authorized personnel as well.

All Hostway’s data centers have physical security safeguards, including controls on facility entry, login access restrictions, CCTV monitoring capabilities, and limits on who can access internal systems and administrative functions.

New PCI Requirement
9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution

SilverSky Guidance
Criminals often attempt to steal cardholder data by stealing or manipulating card-reading devices and terminals (aka “skimming”). Because these are physical devices on customer premises, it is the customer’s responsibility to secure them. In order to prevent skimming and ensure compliance, customers should consult this document on skimming prevention provided by the PCI Council.

New PCI Requirement
11.3 and 11.3.4 – Implement a methodology for penetration testing; if segmentation is used to isolate the cardholder data environment from other networks, perform penetration tests to verify that the segmentation methods are operational and effective

SilverSky Guidance
According to the PCI Council, these rules were implemented in response to “requests for more details for penetration tests, and for more stringent scoping verification.”

SilverSky provides internal and external vulnerability scans and file integrity monitoring as part of our PCI Complete solution; note that scanning satisfies the quarterly scan requirement (11.2), not the penetration-testing requirement. To cover 11.3, and to verify under 11.3.4 that your segmentation methods are operational and effective, we can provide penetration testing through our Professional Services team.

New PCI Requirement
11.5.1 – Implement a process to respond to any alerts generated by the change-detection mechanism

SilverSky Guidance
Our File Integrity Monitoring (FIM) solution (included with PCI Complete) detects unauthorized changes to your critical resources and immediately notifies you of suspicious activity. You are responsible for implementing a process to respond to our alerts, but we will provide guidance on how to remedy any security issues that we detect.
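What a change-detection mechanism actually produces, and therefore what the 11.5.1 response process has to handle, is easiest to see with a small baseline-and-compare implementation. The following is an added example written for this page, not SilverSky's FIM product: it hashes a directory tree into a baseline, compares a later snapshot against it, and classifies the differences so the responder can triage a modified config file differently from a rotated log. The sample files, paths and ignore patterns are constructed for the demonstration.

```python
"""File-integrity baseline and change detection.
Added example, not a product's code. Sample tree is constructed in a tempdir."""
import fnmatch
import hashlib
import os
import shutil
import tempfile

# Assumed policy: paths that change legitimately all the time (logs, temp
# files) are excluded, otherwise the alert stream trains people to ignore it.
IGNORE_GLOBS = ("logs/*", "*.tmp")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each monitored file (POSIX-style relative path) to (sha256, mode bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, g) for g in IGNORE_GLOBS):
                continue
            mode = os.stat(full).st_mode & 0o777
            baseline[rel] = (sha256_file(full), mode)
    return baseline


def compare(old, new):
    """Classify differences between two baselines for triage."""
    both = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in both if old[p][0] != new[p][0]),
        "perm_changed": sorted(p for p in both
                               if old[p][0] == new[p][0] and old[p][1] != new[p][1]),
    }


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed tree, baseline it, simulate tampering, return the diff."""
    root = tempfile.mkdtemp()
    try:
        _write(root, "etc/app.conf", b"db_host=10.0.0.5\n")
        _write(root, "etc/hosts.allow", b"sshd: 10.0.0.0/8\n")
        _write(root, "bin/checkout", b"#!/bin/sh\necho ok\n")
        _write(root, "logs/access.log", b"GET / 200\n")
        os.chmod(os.path.join(root, "bin/checkout"), 0o755)
        baseline = take_baseline(root)

        _write(root, "etc/app.conf", b"db_host=203.0.113.9\n")      # config pointed elsewhere
        _write(root, "bin/.hidden", b"#!/bin/sh\n")                  # dropped file
        os.remove(os.path.join(root, "etc/hosts.allow"))             # control removed
        os.chmod(os.path.join(root, "bin/checkout"), 0o777)          # made world-writable
        _write(root, "logs/access.log", b"GET / 200\nGET /x 404\n")  # ignored by policy
        return compare(baseline, take_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline itself is a target: store it (or at least its hash) somewhere the monitored host cannot write, or an attacker who can change the files can also re-baseline them.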

New PCI Requirement
12.8.5 – Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity

SilverSky Guidance
To meet this requirement, you will need to create documentation to show which PCI requirements are covered by your company, which are covered by SilverSky, and which are covered by other service providers. SilverSky provides you with documentation detailing which PCI requirements we cover to make this process easier.

New PCI Requirement
12.9 – Service providers that store, process, or transmit sensitive data on behalf of the customer must acknowledge their accountability for securing the data in writing to the customer

SilverSky Guidance
SilverSky provides written acknowledgment of our responsibilities to all of our customers. Customers will also need to make sure that they receive similar written acknowledgement from all service providers that handle sensitive data on their behalf.

Did you know:

To learn more about how Hostway and SilverSky can help your organization improve IT security, reduce costs and complexity, and meet PCI compliance, please visit https://www.hostway.com/managed-security/compliance/pci-dss-compliance.html.

© Copyright 2024 Hostway. All rights reserved.