Why You Could be Hacked Right Now and Not Know It
80 percent of hacking related breaches leveraged either stolen passwords or weak, guessable passwords. The thing is, about 76 percent of people use the same or a similar password for most, if not all, websites. Which means if an employee has their personal life hacked, your organization could be compromised in a matter of minutes.
Because ransomware is so common, that’s what businesses expect now. Yes, ransomware is easier monetisation for the hacker. But it’s not the only risk. There are all sorts of malware strains and attack types that skim credit card details, health information, social security numbers and financial data – all that they can sell on the dark web.
We know of a company that lost R800,000 because one of their vendors got hacked and didn’t know it. The attacker watched email traffic for a couple of months, observed and copied how they requested money and changed the financial transaction information to an offshore account. This is just one example of how creative and unexpected these attacks can be.
How malware is detected
It takes an organization an average of 191 days to identify a data breach.
Malware used to be so obvious. Things would break, computers would slow down dramatically and disk drives would spin loudly, whirring into action even though you were just playing a game of Solitaire. It was clear something was running that wasn’t supposed to be. Things changed.
Hackers today realize that getting detected works against them, so they are all about stealth mode. That’s why it takes an average of months to detect anything. The symptoms we all came to expect aren’t there anymore.
It often isn’t until unauthorized transactions start taking place or someone receives notifications that their accounts are logged into that they realize something is wrong. By that point it’s too late to do damage control.
If you’ve been hit with ransomware or malware
Once you’ve been breached, it can bring any organization (corporate, small tax firms, non-profits, cities, you name it) to their knees. Extensive data breaches or ransomware almost always go public and cause exposure of intellectual property, financial records, client files and other information.
Any data exposure can be very costly. Your company can’t operate until things are remediated, and your reputation will take a hit.
If you’ve been hit successfully at any point, you stand a higher likelihood of becoming a target again. Not to mention that there could be trace malware on your systems that you have not yet detected. The safest thing to do is to wipe and restore your backup files then change all accounts and passwords. Yes, all of them.
Next, start taking immediate steps to heighten your security:
- Use complex passwords and make sure nobody is using the same passwords across multiple accounts.
- Add local disk encryption to prevent access to files.
- Use encryption in email to avoid stealth attackers and man-in-the-middle attacks.
- Enable multifactor authentication – this reduces data breaches significantly.
- Ensure regular systems patching; new vulnerabilities are discovered regularly and those patches close those holes.
- Have a user cybersecurity awareness training session. This should be done annually, but if you’ve experienced a breach, a remedial session is in order.
- Leverage solutions that monitor outbound traffic (as well as inbound) to detect unusual behaviour.
- Treat requests for money suspiciously and verify unusual requests by picking up the phone and calling a trusted phone number for the party requesting funds.
- Monitor the dark web to stay in front of information that is out on the dark web that could damage your business.
Multi IT & Telephony Solutions has helped dozens of small businesses, professional services, non-profits, healthcare organizations and manufacturing firms recover from ransomware, malware and other data breaches. If you think you’ve been breached, don’t wait – contact us online or call us in Johannesburg on 011 435 0450 or in Cape Town on 021 879 1950.
13 Cyber Security Truths To Live By
#1 It’s Not A Technology Problem. It’s A People Problem
When it comes to security, your organisation is very similar to a house. For protection, you have doors, locks, windows and fences. To detect threats, you have alarms, motion detectors, monitoring and crime watch. To respond to threats, you might have a dog, a gun, the help of local police and the option of filing an insurance claim. But intruders can still gain access. Businesses are in the same boat: in many cases they have all kinds of next-generation technology to protect against, detect and respond to threats, and sure enough, intruders still gain access. Why? 95% of breaches are related to human error. This makes it imperative to focus on early detection and response to lower liability, because there is no way to keep everyone out.
#2 Nobody’s “IT Guy” Has Everything Covered
While most organisations don’t have a solitary, in-house IT resource managing both IT applications and IT infrastructure (because it’s impossible to find the specialization and bandwidth in one person), many companies still work with a third-party “IT guy.” Even if this individual is only focused on IT infrastructure, there are still significant skill and bandwidth gaps. The operative term is “single point of failure.” This was much less of a problem 20 years ago. However, IT systems have become much more decentralized and complex and now require oversight by specialists in diverse disciplines such as public cloud, security and mobility. Do any of your vendors still work with an IT guy? Remember, you are only as safe as your weakest link. Just ask Target. Their payment systems were hacked because their HVAC vendor’s IT systems were hacked.
#3 Cybercrime Has Very Low Barriers To Entry
Cybercrime is increasingly accessible to everyone. There are online job postings, anonymous payment systems and marketplaces where personal data is bought and sold 24/7. You can even buy R400 software programs to hack into systems. Many come with ratings similar to Amazon Reviews and some allow you to choose options like gold, silver and platinum depending on the kind of support you want.
How scary is that?
#4 Cybercrime Is Deployed Via Social Engineering Tactics
Phishing is the most common form of social engineering. It often appears in emails, chat tools and web ads. It’s designed to look like it’s coming from a real company and delivers a sense of urgency or demands immediate action. A hacker could disguise themselves as a company emailing an end user an invoice. When the user clicks the attachment, it will release a virus into the system. Or you could be reading an article on the New York Times website and unwittingly click on a Bing ad that redirects you to a website equipped with an exploit kit that downloads a virus, malware or ransomware to your computer.
#5 You Do Not Have To Go At This Alone
There are several reasons your company is working with Multi IT & Telephony Solutions. Security is certainly one of them. If you get any suspicious or random emails from FedEx, AT&T, Amazon, Microsoft Office, DocuSign, DropBox and LinkedIn (just to name a few), practice the 5 second rule and take a breather before responding or clicking. I would always call the sender to confirm any digital signing requests. And please forward any questionable emails to support@multi.co.za. We’re here to help.
#6 Social Engineering Takes Many Forms
Baiting offers the reader something in exchange for private information. This could take the form of a free music download or a glimpse at once-svelte movie stars who now look like train wrecks in their bathing suits. Quizzes on Facebook may seem perfectly innocent but, in some instances, you may be submitting answers that are the same as those employed for security questions with your on-line banking and mortgage accounts.
Seen any offers for free credit reports lately? Proceed with caution. Better yet, don’t proceed at all. There are a number of scams offering free credit reports that include credit charges with account numbers you don’t recognize. Then when you call to dispute the charge, you may be lured into correcting the mistake by submitting your legitimate account number, your security code or even your social security number.
Phone numbers can be spoofed, which catches a lot of people off guard because most of us are used to trusting numbers from known entities as the gold standard of verification. Ditto on text messages. If you sign up for newsletters, gated content offers on Facebook, and participate in social media petitions, you could be agreeing to service terms that allow them to sell your number, or you may be giving your number directly to a fraudulent entity.
Social engineering is not always technology-centric. Tailgating happens when an unauthorized person follows an employee into a restricted area at their company. Fraudsters commonly ask unsuspecting employees to hold doors for them, claiming they forgot their badge, or they may intentionally have their hands full and expect human empathy to take them over the finish line.
#7 Avoid Unauthorized Software & Devices
Don’t install unauthorized programs on your work computer or plug in personal devices such as laptops, USBs, MP3 players and smartphones without permission from your manager. Even a brand-new device or USB flash drive could be infected with malware. Devices can be compromised with code waiting to launch as soon as you plug them in. It’s also a good idea to turn off/disable Bluetooth and wireless services when not in use. Don’t give hackers any windows to visit any of your networks, no matter how insignificant they may seem. If you have an unprotected home network (non-password/user ID authenticated) and you happen to have banking statements on your laptop, threat actors in your parking lot can find the information if they happen to be looking for it. People like this do the same thing in parking lots at commercial establishments with Wifi.
#8 Simplify Your Digital Life
Unsubscribe from email lists - ones that crowd your work email inbox as well as your Yahoo or Gmail account. Less clutter means fewer opportunities to step on the proverbial grenade. This also allows you to focus on what’s actionable. Get anything of value off your desktop and into a file sharing schema that is secure and backed up. Post with caution. You don’t want Facebook to serve as a geo-tracking device to notify criminals that the coast is clear every time you upload a shot of your foot and a drink from a recliner in St. Croix. You should exercise similar caution with LinkedIn. Be careful about posting financial details, gripes about company policy or detailed technical information about your computer network. Certain phone systems have user manuals online that explain how to reset passwords, which means a nefarious third party could take down your entire voice system or rack up toll charges in the thousands of dollars.
#9 Get A Password Manager
Passwords are a twentieth-century solution to a twenty-first century problem. Unfortunately, user names and passwords – the most common digital credentials used today – are all that stands between employees and vital online services including corporate networks, social media sites, e-commerce and many others. Sharing corporate email addresses and passwords with your Yahoo, LinkedIn and Facebook accounts is a bad idea. Therefore, one of the best security practices you can implement is to use a completely different password for every service you use. Sixty percent of Americans follow this practice, but an astounding 40% do not. A simple password manager can make the transition a breeze. Popular options include Blur, Sticky Password, Keeper, Password Boss, LastPass and Dashlane. You only have to remember one master password, and the password manager will store all of your sites, encrypt their passwords, allow you to activate 2-factor authentication, set reminders to create new passwords, and even help you generate new ones. It also helps you stay organized because all your most important sites are conveniently housed within the password manager portal.
#10 Consider Identity Theft Protection
It’s not a matter of if, it’s a matter of when. Pardon the cynicism, but we all have a 1 in 4 chance of getting hit. Long before the Internet took off, a lot of paper records included personal identifying information (“PII”) which is now at large. Georgia driver’s licenses used to include your Social Security number. It would be safe to assume somebody with bad intentions either has your PII or will be able to locate it, because paper records are digitized and put up for sale on the Dark Web all the time. If your identity is stolen it will take you a minimum of 80 hours to remediate with all the government agencies, credit bureaus, banks, credit card companies and other organizations you do business with. Can you imagine how disruptive that would be to your professional life? For pennies a day, a good Identity Theft Protection and Recovery company can protect you and manage the recovery process if you happen to get hit. At the very least, keep your credit frozen and only unfreeze it when necessary.
#11 Two-Factor Authentication
Two-factor authentication, also known as 2FA, is a form of multi-factor authentication that adds an extra layer of security. It requires not only a password and username but also something else that is unique to that user. Using a username and password together with a piece of information that only the user knows makes it harder for potential intruders to gain access and steal that person’s personal data or identity. 2FA can be implemented with enterprise-grade solutions such as Duo Mobile, Okta, OneLogin and SecureAuth. It can also be implemented at no cost directly with online services such as Facebook, LinkedIn, Yahoo and Wells Fargo, just to name a few. Once you log in with a user ID and password, a dialogue box prompts you to request a code, which the service sends to your smartphone as a text message. A few seconds later you can enter the 6 to 8 digit code to gain access.
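The code-by-text flow described above has a server side that the text does not show: the service has to remember which code it sent, for whom, and for how long. The following is an added example written for this page, not code from any of the products named above. It assumes the design choices a defender would want (only a salted hash of the code is stored, the code expires after a fixed window, it can be used once, and a small number of wrong guesses invalidates it); the 300-second lifetime, the 5-attempt limit and the `SecondFactor` class name are assumptions, not values from the page.

```python
"""Server-side verifier for an SMS-style one-time code (added example).

After a successful username/password login, the service calls issue() and
sends the returned code to the user's phone. When the user types it into the
dialogue box, verify() is called with what they typed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

CODE_DIGITS = 6          # the text mentions 6 to 8 digit codes; 6 assumed here
CODE_TTL_SECONDS = 300   # assumed validity window for a sent code
MAX_ATTEMPTS = 5         # assumed number of wrong guesses before the code is void


@dataclass
class PendingCode:
    code_hash: bytes      # salted hash only; the plain code is never stored
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class SecondFactor:
    """Issues and checks one-time codes; one outstanding code per user."""
    pending: Dict[str, PendingCode] = field(default_factory=dict)
    clock: Callable[[], float] = time.time   # injectable so expiry can be tested

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # Slow hash so a leaked table of pending codes is not trivially reversed.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 10_000)

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery by SMS."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[user_id] = PendingCode(
            self._hash(code, salt), salt, self.clock() + CODE_TTL_SECONDS
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True once for the right code inside its window; False otherwise."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding for this user
        if self.clock() > entry.expires_at:
            del self.pending[user_id]         # stale code: discard, never accept
            return False
        entry.attempts_left -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        ok = hmac.compare_digest(self._hash(submitted, entry.salt), entry.code_hash)
        if ok or entry.attempts_left <= 0:
            del self.pending[user_id]         # single use, or too many wrong guesses
        return ok


if __name__ == "__main__":
    sf = SecondFactor()
    sent = sf.issue("alice")                  # in practice this goes out by SMS
    print("code accepted:", sf.verify("alice", sent))
    print("replay accepted:", sf.verify("alice", sent))
```

Two details matter more than they look: the comparison is constant-time, so response timing does not reveal partial matches, and a wrong guess counts against a budget, so a code drawn from only a million possibilities cannot simply be guessed within its window.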
#12 Don’t Operate In The Shadows
Eighty percent (80%) of workers admit to using cloud applications that have not been approved by their company or IT provider. Thirty-three percent (33%) of cyber breach incidents are triggered through shadow IT. Why? IT has been heavily “consumerised,” making it easier than ever to do whatever you want on your own device. Users are constantly downloading free, unauthorized apps. They’re storing and transmitting sensitive data between personal devices, webmail and the organization’s email system. Employees are putting corporate data in personal, consumer-grade DropBox accounts. We’re all being automatically logged into free WIFI hotspots. Unregulated website browsing is out of control. And just about everyone is using corporate laptops at home for personal matters. Once a compromised machine or device is plugged into the network, your organization is exposed to a host of preventable problems.
#13 Make Sure You Are Really Unsubscribing
Clicking “Unsubscribe” in a fraudulent email does not mean your email address will be removed from the scammer’s hit list, especially if it takes you to a website that prompts you to re-enter your email address. It will, however, do one of two things: verify the address for the scammer, or lead you to a malicious website that will download malware onto your computer and/or trick you into falling for some sort of scam. Reputable marketers don’t do this. Companies like Amazon, Apple, J. Crew, Bonobos, and Brooks Brothers, et al already have your email address and respect your wishes to be removed. The best approach to the questionable spam barrage is simply to mark the suspicious or unwanted email as “SPAM” or “Junk” and then delete it. Resist the urge to open it.
To find out more about security please contact us online or call us in Johannesburg on 011 435 0450 or in Cape Town on 021 879 1950.
Why Cloud Is the Right Move for Non-profits
In the beginning, the cloud was a scary, uncharted territory. Non-profits had concerns about how safe information was in the cloud or whether cloud systems were reliable. Faced with changing their IT financial model to operational expenses instead of their typical capital outlays and their concerns about employee adoption and training, many non-profits opted to stay out of the cloud.
In recent years, IT has shifted from an on-the-ground, in-house function to a more flexible, scalable model. Cloud has become less of a buzz word and more of a standard practice, shifting software and equipment from the ground to the sky (not literally, of course). Cloud giants like Microsoft are leading the charge with stringent security measures and the kind of flexible features that today’s workforce expects, and both businesses and non-profits stand to reap the rewards.
For non-profits in particular, the cloud can provide the tools and resources they need to serve more of their constituent population, retain top talent, eliminate workforce redundancy and help an increasingly mobile staff manage more projects more effectively.
Enhanced Security and compliance
While security is often cited as a reason that non-profits avoid the cloud, we find the opposite to be true. For most of the organizations we’ve worked with, cloud solutions offer more innate security than an organization has time or resources to implement for on-site IT solutions. The same is true for compliance. Data being stored on-premise may not be compliant with government regulations that you are required to adhere to (e.g. PCI or HIPAA). Cloud environments like Microsoft SharePoint or Blackbaud have built-in compliance and security measures to help manage these requirements.
More done in less time
With more happening in the cloud, you’ll encounter fewer challenges with processing speed and storage space requirements that can weigh down computer use times. As long as you are using an up-to-date internet service and work with your IT provider to ensure that you have the right bandwidth for your specific needs, shifting to the cloud can give an overall boost to productivity and the speed at which you get stuff done.
Save space
When servers, hubs, cooling fans and other accompanying physical hardware are removed, more space becomes available. This newfound space can be reallocated to other important functions. Reducing physical infrastructure also lowers environmental impact through reduced electricity use.
Savings Advantage of Cloud
The cloud reduces the amount of capital you need for IT purchases by shifting some of the expense to operating expenses. A cloud environment can also help you reduce the amount of infrastructure needed and scale costs more effectively, so you only pay for what you use, when you use it.
Nonprofits Receive Deep Discounts on Cloud
Some of the biggest cloud solution providers offer sizeable discounts to non-profits, especially when compared to their small- and medium-sized business counterparts. Multi IT & Telephony Solutions has helped dozens of non-profits navigate all available discounts (regardless of profitability to us), to maximize the value of the technology available within your budget.
Knowing when to move to cloud
Unless your organisation can successfully provide services on an isolated island that is locked in time, consider that the world is moving to cloud. Common applications like Microsoft Office, Raiser’s Edge, Blackbaud CRM and Adobe Creative Suite moved to cloud several generations ago and are only innovating in the cloud now. Physical software packages are increasingly hard to come by and are not compatible with vendors you do business with, like direct mail agencies.
The transition to cloud is happening. The best approach is to work with a Managed IT provider like Multi IT & Telephony Solutions to make a plan that ensures an easy and cost-effective transition.
Are you ready to take the first step for cloud migration? Let Multi IT & Telephony Solutions’ expert IT team evaluate your non-profit’s network environment and provide a cloud migration timeline. Contact us by phone in Johannesburg on 011 435 0450 or Cape Town on 021 879 1950 or get in touch with us online today.
Yes, GDPR Can Affect You – Here’s What You Need to Know
The European Union’s General Data Protection Regulation, better known as GDPR, swung into full enforcement May 25, 2018. It was enacted to offer certain protections to EU citizens regarding their personal information. Though it was passed two years ago, SMBs and corporations without an international business model largely ignored it until the enforcement went into effect a month ago. You have likely noticed updated terms and conditions on many websites you visit. Understandably. It’s brought up a lot of questions for businesses and organizations everywhere.
Here’s what we want you to know:
What is GDPR?
Through GDPR, any citizen or resident of the European Union has increased control over their personal data. It does this by clarifying the rules and responsibilities for any company that collects or processes personal data of citizens or residents of the EU, regardless of where that company is located. The GDPR also empowers EU citizens with expanded rights over the collection and use of their data, with which companies are required to comply. EU residents can even object to how their information is being used and can revoke their consent for the use of their information at any time.
How does it affect your business?
As an organization in South Africa, this all may sound completely irrelevant to you at this point. However, the possibility remains that you might have web traffic coming from the EU and you may not even realize you’re collecting information on those users, via cookies and web tracking. Or, perhaps someone from the EU signs up to your email list. Remembering that the internet is a vast place and all things are possible, it’s important to ensure that your company is compliant with the GDPR. Failure to do so could result in trouble down the road, including fines.
Changing the way people do business
The European regulations are reshaping the way major companies approach user data. Global corporations are extending the new data paradigm to countries across the globe.
While GDPR has immediate implications for businesses worldwide, regulations like this tend to travel. The comprehensive law was implemented so smoothly that it is seen as the harbinger of a global shift towards increased privacy and respect for the sanctity of digital identities. Analysts anticipate similar regulations appearing in South Africa in coming years.
South Africans are expected to vote on a newly proposed data privacy law called the Protection of Personal Information Act (POPI). This new law would allow residents to request copies of data collected about them and affords them the right to know what third parties that data has been sold to and request that their information not be shared or sold. And the Supreme Court just passed a ruling requiring that police get a search warrant to review cell phone records that include data like a user's location. While this is not an imposition on businesses, it aligns with the global trend of increased privacy protections.
Even for companies that are not subject to specific regulations yet, the tide has turned, and consumer and privacy advocates are gaining traction. People want to know their information is safe; otherwise, they are going to be less willing to part with it than just a couple of years ago. And businesses who rely on any kind of personal information – whether that’s site browsing habits, names or even email addresses – will do well to address and reassure those concerns head-on. Ignoring them will be considered one of the most egregious business faux pas of our times.
What Multi IT & Telephony Solutions is doing about GDPR
GDPR is something we’re addressing with clients during their strategic quarterly business reviews in the coming months. We want to help our clients meet the existing requirements that they are subject to, but also start thinking about how they can offer more data assurance.
Our solutions partners are already compliant and offering solutions that can help ensure compliance and better protect client information. Clients are encouraged to bring up their concerns with us sooner rather than waiting, so we can help you determine if you are affected and what to do about it.
GDPR is just the tip of the iceberg, with more regulations and customer expectations expected to follow suit. The time to meet the privacy demands of our times is now. With the end of the Wild-Wild-Web comes a lot of uncertainty for businesses, even ones that operate on a local level. As the data protection revolution continues to evolve, Multi IT & Telephony Solutions is here to serve as your trusted advisor. Our team can help you identify what data you might be collecting, how it’s being stored and what solutions are essential for keeping you compliant, so you can ease your fears.
Are you a Johannesburg-area or Cape Town-area business or non-profit organization worried about the impact of GDPR? We can help. Contact us by phone in Johannesburg on 011 435 0450 or in Cape Town on 021 879 1950.
Does Your IT Provider Help You Implement Strategy?
Non-profits are vital to thriving communities. Big cities, small towns, and neighbourhoods depend upon non-profits to provide much-needed services to residents. And, like their for-profit counterparts, non-profit organizations face big challenges when it comes to how they operate and how successful they are.
The Council of Non-profits lists implementing strategy as one of the top five issues non-profits deal with today. Like all businesses, non-profits that have a well thought out strategy are more likely to accomplish their goals than organizations without a strategic plan. These strategies must consider the organization’s mission fulfilment and their ability to meet the needs of the community. It also needs to include operational steps that need to be taken to be more efficient and effective.
In a diverse city like Johannesburg with the demand for services increasing faster than can be accommodated, non-profits must rely on technology to further their missions and attain goals. Johannesburg is home to some of Africa's most talented tech companies. This gives Johannesburg-area non-profits a real advantage, if they have the right managed IT services provider (MSP) working with them.
A partner who does more than fix your computers and install new networks is someone that looks with you towards the future at how technology can help you reach your goals, expand your capacity to serve more community members or recover from funding losses.
Here are 5 questions to ask yourself to find out if your IT provider is a valuable, strategic partner that is an ally in moving your organization towards furthering your mission:
1. Do you have a technology strategy and budget that are aligned with your organizational goals? This is how you’re going to get from where you are now to meeting your objectives in the future.
2. Do you have an information life cycle policy? This policy governs how you use the data you’ve created, who has access to your data, how your data is stored, how you retrieve data and how long you retain data.
3. Do you have a technology roadmap that outlines your current and future technology needs and catalogs your digital assets?
4. If attacked by ransomware, would you have to pay? If your data is adequately backed up, regularly verified and test restored by your IT provider, the answer is no.
5. How long would it take to get up and running again if your systems and/or data were destroyed or breached? The answer should be minimal; but if you’re not with the right provider, there could be protracted downtime.
If solid technology is necessary to accomplish your mission, then your IT provider needs to be strategic, proactive and protective of your digital assets. They need to be a partner in your mission, caring for your technology so you can care for your client base.
At Multi IT & Telephony Solutions, we have vast experience working with high-growth non-profit agencies. With a heavy emphasis on developing and aligning strategy, we apply best practices from non-profit and for-profit businesses to help agencies grow and expand their ability to provide services.
Multi IT & Telephony Solutions has a 100% retention rate among non-profit clients. Organizations receive our premium, fully managed IT services at a significantly discounted rate. If your non-profit isn’t getting trusted, strategic direction from its MSP, contact Multi IT & Telephony Solutions online or call us in Johannesburg on 011 435 0450 or in Cape Town on 021 879 1950.
The Real Costs of Downtime
Imagine yourself lying on a warm beach, cool breeze coming off the ocean, refreshing drink in hand. You’re soaking up the sun to get a “healthy” tan to show off when you get back home after vacation. Skin cancer isn’t on your mind. Heck, you’re not even worried about getting a sunburn. It won’t happen to you, you say to yourself as you roll over to nap.
It’s called “Optimism Bias,” one of many subjective components of risk perception, and it causes people to assume that “it won’t happen to me” or “everything will be ok.” We all do it even when we know that if “it” does happen to us, it could mean bad news.
Many companies do the same thing when it comes to protecting their technology. Even though over 70% of companies report being compromised by a cyber-attack in the last 12 months, and even though the average cost of downtime is R100,000 per hour, some businesses remain unprotected and susceptible to downtime, whether it’s caused by cyber criminals, natural disasters, user error or plain neglect.
“It won’t happen to ME!”
But what if it does?
The direct costs of downtime will obviously include lost production, delivery disruption and wages paid to idle employees. Your bottom line is impacted immediately. But what about the intangible losses?
Companies that experience downtime lose client confidence, and their reputation suffers. Facebook, glassdoor.com and online review sites make it easy to spread the word about an unpleasant experience with a company.
Some industries are required to have business continuity plans as downtime compromises security and compliance. HIPAA, for instance, requires medical organizations to have a disaster recovery and business continuity plan in place; noncompliance can lead to substantial fines and penalties.
No matter the reason for downtime, it costs more money than it takes to prevent downtime.
Here are 3 best practices to put into place to help you prevent downtime:
Identify single points of failure
The more redundancy in your IT environment, the better. If you’re concerned about the internet going down, have two internet providers that each use a different mode: cable and fibre, for example. Also, make sure you have dual firewalls and antivirus systems.
Implement a cloud solution
To ensure that data is available at all times, use the cloud for data storage. Using a subscription-based version of your line-of-business software also ensures that employees can work from any location. If you’re already using the cloud, focus on making sure connectivity to the internet is fast and symmetrical, meaning your upload speed is as good as your download speed.
Manage equipment
It’s not enough to monitor your equipment. When an issue is discovered from monitoring, the only response is reaction. If your equipment is managed, the response is proactive. It prevents systems from going down in the first place. Eliminate threats from natural disasters and power outages by storing data at an off-site data center.
Even if your IT system boasts a high availability of four nines – 99.99% uptime – that still equates to over a full day of downtime every year. According to International Data Corporation (IDC), wasted time costs R190,975 per information worker per year, a loss of 21.3% in the organization’s total productivity.
How much lost time and productivity can you afford? Contact Multi IT & Telephony Solutions or call our Johannesburg office on 011 435 0450 or our Cape Town office on 021 879 1950 for a risk assessment.