
Within reason, you can never be too secure – it really is as bad as you read in the headlines. Between Internet break-ins and social engineering scams, the world IS out to get you … and your data. (At our offices, just from Asia we can log over a thousand break-in attempts in a single day.)

That said, there’s no need to panic. While most business networks we encounter are relatively easy to penetrate, it doesn’t take a huge investment to secure your business and your data.

We use a multi-tiered security approach, with a realistic analysis of your needs and a cost-benefit-based solution. We always protect each level of your infrastructure, from workstations through servers, tablets, and cellphones, and, most important, your firewall and Internet access.

We use a combination of hardware, software, and best practices, including teaching your employees why they shouldn’t, for example, insert an unknown thumb drive into any computer on your network.

Typically, on each device we install monitoring software that reports continually to our operations center. When something suspicious occurs, the software immediately takes action, such as blocking a specific attack or disabling malicious software. Next, we are notified. Often, we can resolve things remotely, without ever interrupting you.

We send you regular reports and bring patterns to your attention so that you can identify threats, modify user behavior, or take other reasonable action.

TYPICAL DEPLOYMENT OF SECURITY SOFTWARE

[Chart: for each device class (Phone, Tablet, Workstation, Servers, Firewall) the grid marks whether a component is deployed as Yes, No, or Partial. Rows: Anti-virus; Anti-malware (1); Intrusion detection; Anti-spam (2); Access control; Data encryption. The individual cell values were part of the graphic.]

1 Email & file server
2 Email server


GENERAL THOUGHTS ON SECURITY SOLUTIONS

We have installed many different security products across thousands of workstations and servers. It’s always a balancing act between:
• Performance – some security solutions really slow down a system.
• Specific Combinations – multiple security products can interact badly, so it is crucial to test and choose specific combinations.
• Usability – security cannot be so onerous that it interferes with daily business.

We typically install a few separate products, each of which specializes in a specific type of threat. These ‘best of breed’ components are modified to independently communicate with our operations center to ‘keep us in the loop.’ And they have been tested extensively in combination to ensure they work well together.

Finally, every computer connected to the Internet in a business setting should be protected by a firewall. Firewalls can be very complex to program in a way that protects you, but also makes it easy to do your work. We are expert in this area.

REMOTE ACCESS

Remote access is a keystone of modern network design. It allows managers and employees to securely work from home, handle emergencies quickly without running into the office, and travel on business without losing touch – via a desktop, laptop, tablet, or cell phone.

Designing and deploying remote access requires a strong emphasis on security and the selection of the appropriate technology.

Salesman on the Road – we employ secure, encrypted remote access to the work desktop along with collaborative tools. We use a secure encrypted connection that does NOT use a device-based VPN. (Device-based VPNs are difficult for a user to use and maintain – they frequently drop and require resetting.)

Work from Home – working from home requires a fast and secure connection. If the worker has a desktop in the office, we would probably install remote access software so they can work as if they were in their office chair. For a remote worker without an office desktop, we would create a network-based VPN using a very reasonably priced hardware solution (e.g., Sophos RED).

VOIP (Voice Over IP) – If you have a VOIP-based phone system, workers can use their computers, a VOIP phone, or their cellphone (using a ‘follow-me’ feature) to call out as if they were in the office.

PCI DSS – FOR RETAILERS & THOSE ACCEPTING CREDIT CARDS

The PCI DSS standard (Payment Card Industry Data Security Standard) is a private initiative enforced by Visa, Mastercard, American Express, and Discover.

PCI requires stringent security on all networks and connected devices that handle, store, or transmit electronic payment information. Penalties are typically governed by credit card agreements – and they can be exceedingly harsh.

In February 2015, the US Congressional Research Service published a thoughtful and comprehensive paper on the subject, which is available at:
https://www.fas.org/sgp/crs/misc/R43496.pdf.
This paper includes a discussion of the Target and JP Morgan breaches, among others.

A slightly different perspective is contained in this paper: http://www.darkreading.com/risk/compliance/target-pci-auditor-trustwave-sued-by-banks/d/d-id/1127936f.

Like HIPAA in the medical field, PCI is really a collection of best practices, but 90% of PCI compliance relates to maintaining a fully secure network environment.

We can secure your network and help train your people to greatly reduce or eliminate your PCI exposure.

LEGAL & ACCOUNTING OFFICES

Law and accounting offices have their own set of needs related to the client data they store and transmit. While there are no HIPAA or PCI requirements for these professionals, exposure is significant, because most offices store unencrypted data on their servers and provide remote access that permits employees to perform work from home.

We provide complete end-to-end protection, along with access tracking control, and we can securely encrypt all stored and transmitted files.

HIPAA – FOR MEDICAL AND DENTAL OFFICES

Medical offices have significant exposure to HIPAA regulations. We know HIPAA intimately and we are very familiar with not only the requirements, but how to meet them.

Basically, HIPAA (the Health Insurance Portability and Accountability Act of 1996) places tight requirements on how patient information is shared, stored, delivered, and protected. Physicians are held liable for violations, including system break-ins that result from inadequate safeguards or network security.

In reality, HIPAA compliance is achieved through a blend of:
• well-written software
• proper network engineering
• best practices in day-to-day operations.

We are expert in secure network engineering and we are seasoned in deploying, configuring, protecting, and supporting medical software packages. We also help train employees in best practices to avoid HIPAA exposure.