Author: Derek Wiedenhoeft

DIY Security: Why It’s Usually a Bad Idea for Most Businesses

Do-it-yourself is a popular mantra among many people building websites, doing home renovations, or marketing artistic and cultural products.  Unfortunately, it is not an appropriate approach for some things, like network security.  Just like a home renovation DIY project gone horribly wrong, organizations taking on cybersecurity roles outside of their core competency could cause themselves ruinous, avoidable expense.

Some companies make the decision to be wholly responsible for their network security intentionally, perhaps due to cost considerations, or a lack of understanding about the frequency and harm of security incidents.  For some companies, it was simply neglected, or a tiny startup in stealth mode grew too quickly for management to keep up with all demands.

According to Gartner research, the cost of network downtime for enterprises is $5,600 per minute, on average, which is close to $300,000 per hour.  Worse, Ponemon research found that the average total cost of a data breach in 2016 was $4 million.  Protecting against that kind of risk is a job for professionals.  Keeping a network secure can be easy.  You just have to have the right help.

The True Cost of DIY

A business that has succeeded so far at maintaining security and operational performance may have saved thousands of dollars, yet, based on Gartner’s findings, could lose those entire savings within a minute or two of a critical network failure.  For companies that suffer prolonged downtime, the cost of mitigation, recovery, and reputation management could mean a lost quarter, or worse, considering that for many, a dropped deal or missed opportunity could easily drive the cost of a lost eight-hour workday into the millions of dollars.

Companies that consider themselves unlikely targets for hackers should consider the proliferation of ransomware attacks, as well as the many reasons that hackers attack corporate networks, such as testing or demonstrating attack methods.  According to Kaspersky Lab, one in five businesses suffered a security event as a result of a ransomware attack in 2016.  The average ransom demanded is $300, but it can be much higher.  Further, until the ransom is paid, or the data is otherwise decrypted, the victim accumulates costs from downtime, and 20 percent of ransomware victims who pay do not have their systems restored in return.

Given the low bar for ransomware demands, any company can be targeted.  As your company and its profits grow, it becomes a more enticing target for hackers.  Because of this, professional network security has become in essence a form of insurance.  Considered this way, effective protection is easily applied and inexpensive.  Achieving small monthly savings with DIY security is not worth the risk.  It amounts to a bet made against changing odds, and the stakes could be as high as the continued success of your company.

Additionally, time spent learning and applying skills outside of the business’s focus is taken away from that crucial role.  Let your IT team serve its primary purpose of supporting core business operations; leave securing your servers to a dedicated provider like Atlantic.net.

The Better Option

Specializing in your business is part of what makes your IT team valuable, and likewise, premium security is part of the value delivered by network service providers.  A survey by Intel Security (PDF) found that the cybersecurity skills shortage, reported by 82 percent of companies, has already driven 60 percent to outsource at least part of their organization’s IT security.

Maintaining uptime and keeping company data secure can be challenging for many organizations, but meeting complex regulatory requirements represents another level of responsibility and difficulty.  While outside the expertise of even the most skilled IT professionals, HIPAA-compliant environments and PCI-compliant servers are among Atlantic.net’s specialties.  That level of security expertise gives companies that need assurance against costly incidents, but do not want to shoulder the compliance burden themselves, full confidence that their IT systems are protected.

Managed services offered by Atlantic.net, from Dedicated Private Cloud to HIPAA and PCI-compliant plans, come with a fully managed firewall and an intrusion detection system, as well as a 100 percent uptime guarantee.  Trend Micro’s industry-leading Deep Security Suite, including anti-malware network security, and integrity monitoring, provides additional protection.

Private Cloud plans give customers dedicated infrastructure and uplinks, while Atlantic.net manages the provisioning of virtual machines.  Security analysis, load balancing, and daily backups are also available to further ensure continuous system performance.

Compliance hosting plans provide further protection, like automatic encryption of data at rest, managed backup, and log inspection to meet the most stringent security standards. All solutions are hosted in Atlantic.net’s fully audited, SOC 2 certified data centers.

Upgrade Easily

Fortunately for organizations upgrading to professional IT security services to meet the new threat challenge, help is available not just to provide the service, but to help you choose and implement the right solution for your business.  Atlantic.net provides a wide range of options, as well as custom packages, backed by a team of dedicated veterans for whom keeping businesses’ IT environments working and secure is a core focus and a point of professional pride.

Between the costs of security incidents, the advantages of an IT team focused on core competencies, and the availability of strong security, organizations stand to benefit the most by shifting from DIY security to a more modern approach sooner rather than later.  Some companies experience a small security incident and have a chance to adjust.  Some companies are less fortunate, and businesses and lives can be dramatically affected by avoidable situations.  Cautionary tales abound in the media about companies with almost-good-enough security.  Do not be the next cautionary tale.


Your security-focused hosting partner

At Atlantic.Net, we offer enterprise-grade solutions through our fully managed Atlantic.Net Firewall and Intrusion Detection systems and Trend Micro Deep Security. With features like anti-malware with web reputation, intrusion prevention, integrity monitoring, and log inspection, Trend Micro Deep Security is a full-featured and cost-effective option for any hosting environment. Contact our Sales team today for pricing and availability of our Managed Security solutions! [email protected] or 888-618-DATA (3282)



Two-factor authentication – Is it necessary? How do I get my employees to use it?

Contributing writer: Ahmed Muztaba

Why two-factor?

Today, nothing is more valuable than information. Because the majority of online content is behind the lock and key of the so-called “deep web,” it’s no wonder that hackers are more interested than ever in ferreting out secure information. Today’s great heist doesn’t require a cat burglar. A mouse is easier to maneuver.

Two-factor authentication (or 2FA) arose as a bulwark against the hijinks of Internet pirates whose Trojan horses and phishing scams were netting easy prey. The premise is simple: by requiring a second layer of verification, it makes your data twice as hard to access illegally. You can see this everywhere, from chip-and-PIN credit card requirements to the “secret questions” that some websites require their users to answer.

By reducing the points of vulnerability in your company, both company and employee sensitive data become far less likely to be breached. Requiring strong passwords used to be enough, but with the increase in computing power and the prevalence of botnets, a person or organization with malicious intent can harness an immense amount of resources. This means that once-tough-to-crack passwords are now much easier to crack. Requiring a second layer of authentication, with a code that must be entered within a given amount of time before it expires, can greatly limit widespread damage.



I Need PCI Compliance for My Small Web Store

Derek Wiedenhoeft, April 28, 2017, under Compliance

PCI Compliance – Critical for small businesses

PCI compliance is critical for small businesses. It is important for two reasons: it gets the company in line with the standards set up by the major credit and debit card brands, and it legitimately checks the security of the business’s systems. In other words, PCI compliance isn’t just about following rules but about protection – especially important since three in five small businesses that get hacked are bankrupt within six months.



The Beginner’s Guide to PCI Compliance

Introduction

If your business accepts credit cards and other types of payments cards, you may have heard about something called PCI compliance. Payment card industry compliance (PCI compliance) is the meeting of guidelines developed by the PCI Security Standards Council, an open worldwide body formed to focus on payment card data protection during and following transactions. This article will explain the basics of getting started with becoming PCI compliant.



I need HIPAA-compliant hosting. How do I get started?

Derek Wiedenhoeft, March 10, 2017, under Healthcare IT

So you need HIPAA-compliant hosting, and you want to know what the basics to get started are. Before we delve into the details, it helps to know the different types of companies that are concerned with HIPAA, in order to understand your relationship with the hosting provider.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines two different types of organizations that must meet its parameters: covered entities and business associates. However, there is now a third type of organization that falls under HIPAA rules. Here is basic descriptive information for these categories from the National Institutes of Health (NIH)[i]:



What is HIPAA Hosting and why do I need it?

Economy-class hosting vs. first-class HIPAA hosting

A hard fact of the Internet is that you need machines to be part of it – either on your own or as a service. If you are in the healthcare field and don’t want to set up servers for your website or other services in your own datacenter, you need HIPAA hosting.

All hosting is not created equal. Because there is a disparity of security and other checks and balances from one system to another, standards were created to guide oversight of infrastructure and maintain proper protection of patient data. Those standards were developed by the US Health and Human Services Department (HHS), as directed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Hence, beyond simple web hosting, anyone who is aiming to secure healthcare records needs HIPAA compliant hosting, sometimes called simply HIPAA hosting.

“HIPAA recognizes all health care providers and their business associates as covered entities (CEs) and makes them responsible to safeguard the privacy and security of identifying information.” “Some CEs, particularly smaller sized CEs, don’t have the resources necessary to implement a system to handle and safeguard health data on their own, so they rely upon the services of HIPAA hosting.”

Jacco Blankenspoor of HIPAA HQ[i]

Any hosting provider can offer a service that is HIPAA compliant as determined by its own understanding of the healthcare law; in other words, there is no official federal certification process for these business associates. The vetting of the quality of HIPAA infrastructure that backs any hosted services must be determined by the healthcare covered entities that use their services.

The government also doesn’t recognize any third-party certification bodies. That allows free competition in developing credibility and proving it through legitimate independent parties. However, it also means it’s your responsibility to know the quality of the certification body and what exactly is included in their auditing process.

HIPAA final rule reshuffles the deck

Given those challenges, there is a positive for covered entities: business associates (BAs) are now responsible for data in the same manner as covered entities (healthcare providers, plans, and data clearinghouses) are, following implementation of the Omnibus HIPAA Final Rule (often called just the Final Rule or Omnibus Rule; effective March 26, 2013).

Following passage of the rule, business associates “are liable for PHI uses and disclosures and HIPAA Security Rule compliance.” “Additionally, BAs with their subcontractors, while BAs – not covered entities – are also now responsible for responding to any noncompliant subcontractors.”

Elizabeth Snell of HealthIT Security[ii]

Health and Human Services additionally created a process through which randomly chosen covered entities would be audited for adherence to the all-important Security, Privacy, and Breach Notification Rules.

HIPAA & HITECH

HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009) was an effort to keep the transition to digital health data as safe as possible. While HITECH describes how electronic health records can be shared, HIPAA assigns responsibility for data security to any organization or individual that accesses and uses electronic protected health information (ePHI).

Specific security methods are at your discretion, though, to an extent. “[T]he HHS allows entities to implement their own chosen methods,” said Blankenspoor. “However, there are best practices used in the industry that the HHS would expect entities to make use of, or show that they are able to implement a comparable or better system.”

What are examples of covered entities & business associates?

The term covered entity specifically includes all healthcare providers, plans, and data clearinghouses operating in the United States. Like their business associates – contracted through a business associate agreement, per HIPAA – covered entities have to independently meet all compliance rules.

Essentially, the covered entities are healthcare companies and agencies that are more directly healthcare-related. What are business associates? HIPAA hosting providers are one example. Others include medical billing services and shredding companies.

Jail possible for HIPAA violations

Like anything in business, a company might look at HIPAA and decide they are not going to invest in meeting its guidelines. Within the law, that refusal to comply is called willful neglect. Fines for this violation are $10,000-$50,000. The total a single company can be fined per year is $1.5 million. It’s also possible to be sentenced to jail time for willful neglect of HIPAA that results in sensitive data being exposed.

Top 10 HIPAA Fines by Settlement


Neglect isn’t always considered willful. It is sometimes categorized as reasonable cause. In these situations, 500 or more individual pieces of medical data have become exposed – resulting in $100-$50,000 fines for each violation. Note that these types of violations are never accompanied by jail time.

The HHS audit program

The random audits began with a pilot program that included 113 companies and other organizations. This pilot process allowed Health and Human Services to better understand best practices both for compliance and for non-compliance (i.e. how they should respond to violations).

“[Atlantic.Net’s] financial strength and proven track record are something we view with great confidence.”

Joseph Nompleggi, Vice President, Complete Healthcare Solutions

What is the HIPAA Security Rule?

In a nutshell, the Privacy Rule safeguards electronic health records. The Security Rule, however, is the especially pertinent one to HIPAA hosting because it sets more specific expectations for health data storage and transmission – i.e., the realm of ePHI (electronic Protected Health Information).

The HIPAA Security Rule is sectioned into Administrative Safeguards, Physical Safeguards, and Technological Safeguards. It has gradually become more prominent because of adaptations in the digital world and expansion of different, newer technological methods.

“The same standards for the privacy and confidentiality of healthcare data apply to PHI and ePHI,” advised Blankenspoor, “but the processes used to keep data private are much more complex and technical for electronic data files and ePHI than they are for paper files.”

Your Free & Easy HIPAA Hosting Checklist

When you look at hosting providers, you want to know how audit-ready the host is. The first step is reviewing components of compliance with this handy 15-piece HIPAA Hosting Checklist (which covers the basics but is obviously not substantive enough for a comprehensive evaluation):

Full data security, management, and training strategies, on file
“A system of developing unique user IDs and passwords and procedures for login, logout, decryption and emergencies” (Blankenspoor)
Policies developed to control access to physical buildings and electronic systems containing PHI (protected health information)
Guidelines for how data is stored, transferred, trashed, and reimplemented
Audits and logs of system use
Rules for data transmission in all possible scenarios (email, cloud, etc.)
Quality control for all data (destroyed, changed, backed-up, etc.)
Dynamic data availability
Distinction between web, database, and production servers
Antivirus
Management of OS (operating system) patching
Private IP (internet protocol) addresses
SSL certificate encryption of all PHI
Disaster recovery and backup plans
VPNs and private firewalls


[i] https://www.hipaahq.com/hipaa-compliant-hosting-explained/

[ii] http://healthitsecurity.com/news/breaking-down-hipaa-rules-and-regulations-the-omnibus-rule



Atlantic.Net Cloud Hosting: FreeBSD 11 Now Available!

Atlantic.Net is always working to provide our customers with the latest and greatest! We are happy to announce that FreeBSD 11 is now available to provision in our Cloud Hosting Portal.

If you have not already signed up, please sign up for a Cloud Hosting account here, and spin up a server in less than 30 seconds.

To see what’s new in FreeBSD 11, click here.



The Beginner’s Guide to HIPAA Compliance

Compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is important to the covered entities and business associates that are expected by the federal government to follow the law. However, the requirements of HIPAA and its regulatory agency, the US Department of Health and Human Services (HHS), are not as rigid as they first may seem.

Why HIPAA?

The healthcare privacy and security law was written to encompass the broad array of organizations for which it was intended. For that reason, the HHS website notes that “there is no single standardized program that could appropriately train employees of all entities.”[i]

Nonetheless, training is a requirement of HIPAA, so it’s necessary to find a strong beginner’s guide that can be used to train your employees on the essentials of compliance. Most of what is available online through the federal government is either aggregations of disparate pieces of information or sizable PDFs, such as the Guide to Privacy and Security of Electronic Health Information[ii] – created by the Office of the National Coordinator for Health Information Technology (ONC). The former is a bit disorganized. While the latter can be great as course material, its 60+ pages are overkill for the purpose of an initial overview.



Fault Tolerance with Linux High Availability


IT downtime is expensive for any business.  Gartner[I] estimates that each minute of downtime costs $5,600 on average, with true costs depending on the vertical, the size of the company, and other factors.  The cost can be largely avoided, however, with systems designed for high availability and fault tolerance.

Definition: High Availability
Oracle[II] defines high availability as “computing environments configured to provide nearly full-time availability.”  A commonly held standard for high availability is “five nines,” or 99.999 percent uptime.

Not all service providers are able to meet this robust standard, which permits just over 5 minutes of downtime per year.

For organizations that would approach the average downtime cost, achieving even higher availability than “five nines” is important to profitability, and even survival. Atlantic.net offers an industry-leading 100 percent network uptime guarantee, in part by leveraging Linux High Availability (Linux-HA).


