5 security tips that every MSP should share with clients
There are many risk factors in owning a business, and one of the least prioritized is cybersecurity. Small businesses are a prime target for hackers because they have the fewest resources and the least awareness of the need for security. About 50% of all cyber-attacks target small businesses specifically because they are deemed “soft” targets. Whether you land a new client or not, it is important for us as managed service providers to stress the importance of security by sharing tips on how to protect a business – no matter the industry.
Get protection (Security)
Many small businesses don’t have a dedicated IT person or department to handle the technology side of the business. The best advice is to find an affordable cyber security service that provides protection against threats such as phishing emails, viruses, and malware. An enterprise-grade security suite combats identity theft by blocking phishing and spoofing, by adding authenticity to your mail messages, and by eliminating worthless traffic from your inbox. Good email protection should be compatible with all major email service providers – including Office 365, on-premise Exchange, and G-Suite for Business. A managed service provider can deliver a multi-layer approach that gives your business the strongest defense.
Think before you click (phishing)
In 2020, the FBI named phishing the most common type of cybercrime affecting businesses, doubling from the years before. It is not that your employees are haphazardly clicking things in their email (although this happens occasionally too!). They are being duped by cleverly crafted emails that appear to be sent by reputable companies we normally trust. What is important to note here is the trust factor – users fall victim to phishing scams through emails that appear to come from Amazon, Google Pay, and even Microsoft.
To combat phishing, you’ll want phishing protection – it is normally included in any enterprise-grade email security suite, like ExchangeDefender PRO.
Change your passwords (frequently)
You have heard this a million times, we know – but it is extremely important. We tend to reuse the same 4 or 5 passwords over and over for our login credentials. These weak passwords can have serious consequences for a small business and are normally a precursor to a data breach.
The solution is simple: a password manager. A password manager is a secure, encrypted app that keeps track of your passwords for different websites so that you don’t have to remember them on the spot. A password management solution lets you create very strong passwords that are longer than eight characters, making them harder to guess and even harder to crack.
Get encryption (keep your data secure)
As a corporate encryption provider, we fully understand that businesses have a hard time grasping the dire importance of securing their data. The way we pitch it is: would you still have a business if all of your company’s and clients’ information were exposed to the public? We’re talking financial information, health information, business strategies. In most cases, our clients say ‘absolutely not!’. The main reason businesses don’t use encryption is that they think it would be too hard to use and to implement. The good news is that this is simply not true! Protect your organization, and protect your customers: get encryption today.
Backup your data (emails, files, documents etc.)
Recent surveys revealed that 51% of businesses questioned had no disaster recovery plan whatsoever to cope with the coronavirus. Do you have a backup plan? It is crucial that you save and store your data somewhere safe. Most companies without a business continuity plan that suffer a major data disaster go out of business within twelve months. All of your communications, including your company emails, should be kept in long-term, tamper-proof storage for compliance and backup reasons. Company files and Word documents should be stored in the cloud, with unlimited storage and 24/7 secure access. You’ll want to sign up for business file sharing software that is affordable and easy to use – we recommend Web File Server.
5 things every MSP website needs in 2021
In 2021, every business should have an online presence via a company website. We all use the internet as the first step in searching for the products and services we are interested in purchasing. What do you call an MSP business without a website? A technical disaster. Today, we have 5 major pro-tips that all MSPs should take into account when building their website. These casual tips will offer major benefits to you and your prospective customers. Remember, keep it simple.
1 – Keep a secure website, and keep it updated.
We highly encourage every MSP to have their own website that showcases their business and the services they offer. Be sure that the website is clean in design and straight to the point. Take note of whether your site is showing as ‘secure’. Keep in mind that user experience is key in landing a new client. It’s great to have your own website, but please ensure that the information is current. There is nothing worse than an interested client who contacts you with outdated material in hand.
2 – Market everything you offer on your home page.
Normally, the homepage of your website is the most visited page. It is the first place the client lands on, and it also determines whether they visit the other pages you have to offer. Focus on showcasing all the major services you offer on your homepage. Keep it clean and straight to the point to encourage them to explore further, or to give you a call for more information. Your future client should be able to look at your homepage and know: who you are, what services you offer, and how to contact you.
3 – Display your contact information on everything!
We mean it: place your contact details on every webpage. When a client is exploring your website and navigates to a secondary page, you want them to see that an option to contact you is readily available. What type of contact information should be displayed? Your business name, phone number, and office hours. You can also add your office address if you take clients for appointments. Adding an email address is always great, and a live chat option is even better!
4 – Add affiliate logos to your website
Hear us out on this one: the more credibility you can show your prospective clients, the better! For instance, adding an ExchangeDefender Partner Logo to your homepage shows that you are a certified vendor of our services. It also shows that you are an expert in your field, that your business is in good standing, and that it is respected by other businesses. If you have other vendors you are in partnership with, we suggest adding their logos as well. A visual display of trustworthiness will certainly help convince future clients to work with your business.
5 – Add pricing, or at least offer a price range.
We know it may be difficult to display pricing for clients, especially because a range of factors are in play. The reality, though, is that a client is more likely to pursue the MSP who clearly shows their pricing, or at least provides a general estimate. Why? We naturally think something is more expensive when the price is not displayed. It’s hard to change that consumer mentality; however, you can definitely improve your odds by showcasing actual numbers that the customer can relate to.
How does one accomplish this? Well, you can show your services in packages or a-la-carte, and simply put: starting at (enter $ amount) per user, per month. This quick tactic is a game-changer, because it tells the client whether they can afford your services or not, before actually making contact.
COVID-19: Cybersecurity Challenges Facing Small Business
Employees are suddenly finding themselves working remotely due to the current health crisis of the Coronavirus that is sweeping nations across the globe.
As we protect thousands of businesses from the drastic uptick of phishing emails and ransomware attacks claiming to be from verified sources, we have noticed new tactics that hackers are using to defraud employees working from home.
Here are our top 3 cybersecurity implications of working from home:
- The lack of authentication and authorization
There is an increased need for two-factor authentication, monitoring access controls and creating strong passwords. Managed Service Providers should encourage their clients and end users to add additional security safeguards.
We recommend changing your password every 90 days and enabling OTP/2FA to improve your account security. To manage this for ExchangeDefender, view the user guide.
- Increased risk of cyber attacks
There’s an increased risk of attacks like phishing and malware, especially since employees will now likely receive an unprecedented number of emails and online requests.
ExchangeDefender Phishing Firewall (EPF) automatically secures inbound mail by rewriting HTML links so they are forced through our firewall when you click on them in Outlook, Gmail, or any web-enabled email application.
To add a new web site to the Whitelist or Blacklist, click on the + Add New button in your ExchangeDefender Admin portal. To learn how to manage this setting, click here!
- Unsecured BYOD (Bring your own device)
Remote working can widen an organization’s attack surface, mainly because employees who use their own devices for work introduce new platforms and operating systems that require their own dedicated support and security. With so many devices in use, it’s likely that at least some will fall through the security cracks.
ExchangeDefender Pro offers users a VPN server to connect to securely no matter where they go. Public Wi-Fi hotspots tend to have questionable security at best and can be used to compromise a device that connects blindly across the Internet. Connecting your phone automatically to a VPN helps ensure that email access (and all the confidential data in the email) cannot be snooped on.
Webinar Announcement: ExchangeDefender solutions will soon be available “a la carte” to clients. Attend our webinar on Tuesday, March 31st at 12:00 PM EST. Register Now!
ExchangeDefender PTR & RBL Whitelisting
ExchangeDefender is opening a wider beta test of our whitelisting functionality, which allows IT Solution Providers to whitelist sender mail servers that have broken DNS (missing PTR, mismatched A/PTR records) and poor sender reputation (hosts listed on multiple RBL blacklists).
If you have a sender you would like to whitelist against these essential network tests, please open a ticket at support.ownwebnow.com with the subject “Whitelist PTR/RBL: IP Address” and provide as much information in the ticket as possible so we can accommodate this specific request. The only hard, non-negotiable rejections will be for unknown address space and dialup/consumer cable IP addresses (because, due to their nature, those are typically dynamically assigned address spaces that shouldn’t be relaying mail at all; they should be using the smarthost provided by their ISP’s mail server).
Requests will be reviewed and either approved (and enrolled) or rejected within 24 hours by our CSO.
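The network tests described above (PTR presence, A/PTR agreement, multiple RBL listings, and a whitelist that can never cover dynamic/consumer address space), as an added illustrative example that is not ExchangeDefender code. The DNS answers, RBL zone names, dynamic range and the "two or more listings" threshold are constructed assumptions so the example runs offline.

```python
"""Sender-IP network tests of the kind described above: PTR presence,
forward-confirmed reverse DNS (A/PTR agreement) and DNSBL listings, plus a
per-IP whitelist that cannot override dynamic/consumer address space.
Added example, not ExchangeDefender code. DNS answers, RBL zone names and
the dynamic range below are constructed so the example runs offline."""
import ipaddress
from dataclasses import dataclass, field

# Constructed DNS answers keyed by (query name, record type).
FAKE_DNS = {
    # 203.0.113.10: healthy sender, PTR and A agree, not listed anywhere
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["203.0.113.10"],
    # 198.51.100.20: PTR exists but the name points elsewhere (A/PTR mismatch)
    ("20.100.51.198.in-addr.arpa", "PTR"): ["smtp.example.org"],
    ("smtp.example.org", "A"): ["198.51.100.99"],
    # 192.0.2.30: no PTR at all and listed on two DNSBL zones
    ("30.2.0.192.bl-one.example", "A"): ["127.0.0.2"],
    ("30.2.0.192.bl-two.example", "A"): ["127.0.0.2"],
}
RBL_ZONES = ["bl-one.example", "bl-two.example"]               # constructed zones
DYNAMIC_RANGES = [ipaddress.ip_network("198.51.100.128/25")]  # constructed dialup/cable range
MIN_RBL_HITS = 2   # assumption for "multiple RBL blacklists": a single listing is not decisive


def lookup(name: str, rtype: str) -> list[str]:
    """Stand-in resolver; a real deployment would query DNS here."""
    return FAKE_DNS.get((name, rtype), [])


def ptr_name(ip: str) -> str:
    """Reverse-DNS query name, e.g. 203.0.113.10 -> 10.113.0.203.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def dnsbl_name(ip: str, zone: str) -> str:
    """DNSBL query name: reversed octets under the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def rbl_listings(ip: str, resolve=lookup) -> list[str]:
    """Zones on which the address is listed (any A answer means listed)."""
    return [zone for zone in RBL_ZONES if resolve(dnsbl_name(ip, zone), "A")]


def fcrdns_ok(ip: str, ptr_names: list[str], resolve=lookup) -> bool:
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip."""
    return any(ip in resolve(name, "A") for name in ptr_names)


@dataclass
class Verdict:
    accept: bool
    reason: str
    problems: list[str] = field(default_factory=list)


def evaluate(ip: str, whitelist: frozenset[str] = frozenset(), resolve=lookup) -> Verdict:
    """Decide whether to accept mail from ip, honouring the whitelist except
    for address space that is never whitelistable."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in DYNAMIC_RANGES):
        return Verdict(False, "dynamic/consumer address space (not whitelistable)")
    problems = []
    ptrs = resolve(ptr_name(ip), "PTR")
    if not ptrs:
        problems.append("missing PTR")
    elif not fcrdns_ok(ip, ptrs, resolve):
        problems.append("A/PTR mismatch")
    hits = rbl_listings(ip, resolve)
    if len(hits) >= MIN_RBL_HITS:
        problems.append(f"listed on {len(hits)} RBLs")
    if not problems:
        return Verdict(True, "passed PTR/RBL tests")
    if ip in whitelist:
        return Verdict(True, "whitelisted despite: " + "; ".join(problems), problems)
    return Verdict(False, "rejected: " + "; ".join(problems), problems)


if __name__ == "__main__":
    for sender in ["203.0.113.10", "198.51.100.20", "192.0.2.30", "198.51.100.200"]:
        print(sender, evaluate(sender, whitelist=frozenset({"192.0.2.30"})))
```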
Background: The inability to previously whitelist broken DNS and dynamic IP address space is rooted in our mission statement. We are here, beyond everything else, to help secure the email. We know our partners, IT Solution Providers, VARs, MSPs, etc. do not have the skill set, the time to properly research underlying issues, enough data and statistical models to evaluate sender IP reputation, or even the incentive to discern how big of a security threat and compromise a specific IP address with broken DNS or poor reputation may pose to your client.
In fact, you pay us to worry about those things and keep your clients secure. But sometimes clients like to think they know better than their technology experts, generally accepted security standards on the Internet, and ExchangeDefender. And the client is always right. But when they get infected attachments, broadcast storms, password dumps, or other security compromises because they insisted on lowering their security – then ExchangeDefender is on the hook for securing them. And we don’t get to say “told you so”, nor do we have any rapid means to fix the issue.
Since my retirement, all of those hard-line policies designed to keep clients safe beyond whatever “specific business case requirement” they may have are slowly going away. Good news for the client, good news for the partners. Good news for us, because going forward we will start providing Email Security Engineering services – so when you get a security compromise or an unusual issue and you’ve asked us to compromise your security, we will be able to address the issue on your behalf.
I choose to look at this as a positive – we will help our clients meet their business needs and get the mail they desperately need – and if something breaks we will be there to help with the cleanup (for a fee, of course). This, among many other service-related things, is just part of ExchangeDefender being more responsive and service oriented when it comes to our clients’ demands as opposed to our expert opinion as a security policy.
ExchangeDefender’s AnythingDown.com – See How It Works!
As promised in the last webinar, we’re moving as aggressively as possible to make sure our partners have as flexible of a tool as we can imagine to communicate with clients in the event of an IT catastrophe. Or, in our case, to further increase transparency and collaboration with all our ExchangeDefender service providers so you can get better insight into our network and when we’re dealing with a lot. That said, I believe that the product/service is now production ready and we’ve already tied it up in our ExchangeDefender Enterprise product so you’ll know as we know. 🙂
Remember, ExchangeDefender’s AnythingDown.com, or https://yourserviceproviderid.xdnoc.com, is your own brandable, real-time alert system that covers ExchangeDefender managed resources as well as your own custom defined events.
Let’s go on a little tour, shall we?
First, here is the nearly-final look of the site. It will of course feature your logo, your contact information, and your own services but you can see that there is now a sign in section as well as nested posts – so when something is updated it’s done so in-line and can be read normally (as opposed to just seeing the latest update and not knowing what it’s about at all).
The sign-in screen is for you: just provide your service provider ID and password and you’re in your own portal.
As for your users who want real-time updates via email or RSS/blog, we have a signup page (I know, I know, it’s idiotic, but GDPR and the EU have put this obstacle in place where we need contracts and disclosures about signing up for an email list).
Once you’ve signed in as the service provider, you will have access to manage and create new service advisories. Just click on the Add New button in the upper right corner. If you’re managing a larger NOC and have a ton of fires going on (you’re among friends, #respect) you can also search current open advisories and make sure you update the correct one.
New advisory posting is pretty flexible and gives you quite a bit of power to include images, links, and other multimedia. As network geeks we’re used to plain text, ASCII, 80 columns across, black on white kind of alerts, but in the 21st century with lots of things going on, sometimes you can throw out a quick alert with a screenshot of what’s going on rather than trying to document every single detail (for example, a cloud of daily network/ISP outages as an explanation why things are moving slow or getting delayed or buffered).
And of course, you can update every service advisory.
As mentioned last month, the ExchangeDefender XDNOC service is all about helping us work better with the people that pay us to help protect their networks and users. I have some rather personal thoughts on that subject, which will be a matter of another post. However, when you design software and when you serve as the gatekeeper, your primary responsibility to the people you’re protecting and waking up to keep safe every day is not just to keep things going but also to keep everyone aware of what is going on to improve things – because hackers don’t take days off.
Anything down? We’re improving our NOC and communications!
When things malfunction at other companies, they blame vendors and equipment. When things malfunction at ExchangeDefender, we build products and services so we never have to deal with the problem in the first place. As a result of a DDoS attack last month, I am happy to introduce you to our new service that will improve one area in which we undoubtedly suck the most: communication.
Say hello to AnythingDown.com:
It’s an offsite NOC alert site that’s branded for you.
At ExchangeDefender we do a pretty amazing job communicating and working with our partners; it’s actually our #1 selling point that you can come to our offices and data centers, work with our team and get things done. But when something breaks, that same business friendliness and accessibility is an Achilles heel – clients swamp the phones demanding to be briefed on every detail, “Friends of Vlad” call every staff cell phone they can find, and the staff that is there to help/coordinate/assist in technical work cannot efficiently correspond with and inform every user, particularly when things go down and everything isn’t working as it should.
This is where ExchangeDefender XDNOC (aka “AnythingDown.com”) helps.
It’s off site. It doesn’t rely on our networks at all.
It’s on its own namespace. Not dependent on our DNS/registrars.
It’s branded. Your name, your image, your message.
That last bit is pretty important – we realize that our larger clients have many employees that have never heard of ExchangeDefender, ditto for our partners that don’t want to reveal ExchangeDefender is behind their branded email offering.
Not to worry, your site is already branded and you have your own Service Provider XDNOC: https://<yourExchangeDefenderSPId>.xdnoc.com
It’s yours, it’s yours for free, and we’re just getting started. For the next week or two, the site will host ExchangeDefender content only as we add in the mechanism for RSS subscriptions, linking, SMS/txt alerts, and email notifications.
But this is just the beginning. As an ExchangeDefender subscriber you will have access to this site to tweak it as necessary and to add your own NOC alerts. That’s right, we’re not just building this for ourselves, we see it as a role of central accountability for everyone that relies on our services and all the services you use to deliver a solution. We all want to keep the client happy and informed and this will help out a lot towards that goal.
Our expectation is also to have our proprietary monitoring and alert feeds published on AnythingDown.com going forward so you can see or anticipate the issues that our infrastructure is seeing even before there are tickets or human confirmation of the problems. For many that will be way, way, way too much data but we feel it’s better to present it and get more eyes on it than hide it and hope it’s handled through automation or our staff activity.
In closing, I hope this helps. I know outages and service interruptions or performance issues or networking issues all suck, nobody wants them. They come with the territory and everyone knows it – so it’s not about technology malfunctions, it’s about your communication about the IT work that is done to make it as flawless as possible. We thank you for your business and for your continued support of ExchangeDefender that makes stuff like this possible.
Better Password Policies
ExchangeDefender has been SMB friendly – to a fault, but the era of terrible passwords and plain text passwords is finally over. Not a single piece of ExchangeDefender stores (or offers) user credentials in plain text anymore. We’ve made the transition exceptionally smooth as well, requiring no changes or IT intervention at all.
But we cannot encourage it enough. And over the next year you will see us introduce several features meant to help you lock down ExchangeDefender and use it to lock down your overall IT security strategy. We’re happy to introduce password age configuration that allows you to force users to reset their passwords automatically.
This setting can be accessed from the Domain Administrator > Policies > Features section of admin.exchangedefender.com.
When the password is older than your preset number of days (by default, 90) the user will see an ugly red notice telling them to update their password.
If you set the password expiration to 0 days you will turn this feature off entirely, but we cannot discourage that enough. The feature is there to help your users avoid having their accounts compromised.
If you implement some of these stronger security features we’ve also got you when it comes to minimizing account management – users can reset their password at any time if they have their PIN on them. So even if their mail server is down, having their PIN handy will let them reset the password without additional authentication. Forgot your pin? No problem, we can email you a reset link to a known email address.
As you can tell, ExchangeDefender will go the extra step of helping your users configure a strong password. It will also keep memory of recent passwords so that they can’t just rotate it back and forth between the same two passwords they use elsewhere.
As you’ve seen with mass password resets, access to advanced access logging, known trusted devices and IP restrictions, we are adding more and more of our enterprise features to the ExchangeDefender Pro product.
To hear about all these new security features in more detail please check out the webinar that covers our current security portfolio and how these features make sense.
ExchangeDefender Support: Enhanced Security and Password Management
Password Policies
You’ve seen us blog endlessly about improved security that is being rolled out with all the brand new features across our entire product and service portfolio. Trust us, this is not a simple process of just changing the password complexity requirements, people hate password changes and for the most part have become predictable in what their current and next password will be. Add to it the fact that almost everyone uses the exact same password all over the web and not a single day passes by without at least one major provider having a data breach. Sometimes it becomes comical – even LifeLock had a security issue today where they exposed a bunch of data and had to take their site offline!
So passwords suck and, short of using our One Time Password / Two Factor Authentication service, it’s going to remain that way. The cool thing about ExchangeDefender, and all of our services, is that we’re going to help you better manage security and password expiration so that your users and services can remain protected and still user friendly.
The new password policy at ExchangeDefender, for all of our services going forward, requires a mixture of upper case, lower case, numbers and special characters with a minimum length of 9 characters.
That is just the beginning. Some services will require a transparent OTP/2FA using your email address or cell phone as an additional real-time identity verification process. If you are about to make a large-scale change, we want to make sure it’s you and not just someone that got your password. Calling in will now require PIN or txt verification as will any service request changes – the cool thing is, if you can provide us with that information we can do just about everything you want or need through phone and chat.
The reality of security on the web is that it’s as weak as the laziest user – and it only takes one careless one to mess up the entire organization. We are on your side, we are on your team – that’s why you hire ExchangeDefender – so we’re stepping things up in terms of support and management functionality to help identify, train, and assist users when they run into an issue. Passwords and password changes may continue to suck until the end of time – but we are currently making huge changes in the way we handle support in order to help our partners and CIOs become more productive by letting us both better secure and support users.
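The policy described in this post and in “Better Password Policies” above (at least 9 characters drawn from all four character classes, expiry after a configurable number of days with 0 disabling it, no reuse of recent passwords, and no plain-text credential storage), as an added example that is not ExchangeDefender’s code. The five-entry history depth and the PBKDF2-SHA256 storage scheme are assumptions; the posts do not specify either.

```python
"""Password policy enforcement of the kind described in the posts above:
complexity check, age-based expiry (0 disables), recent-password history,
and salted-hash storage so no plain-text password is ever kept.
Added example, not ExchangeDefender code. History depth and the PBKDF2
parameters are assumptions."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 9               # from the stated policy
DEFAULT_MAX_AGE_DAYS = 90    # default expiry from the stated policy; 0 turns expiry off
HISTORY_DEPTH = 5            # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000      # assumption: any modern slow hash would do


def complexity_failures(password: str) -> list[str]:
    """Return the policy rules the candidate breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; this is all the server ever stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    """Server-side record: current salt/digest, when it was set, and recent digests."""
    salt: bytes
    digest: bytes
    set_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_digest(password, self.salt), self.digest)


def create_credential(password: str, now: datetime) -> Credential:
    failures = complexity_failures(password)
    if failures:
        raise ValueError("; ".join(failures))
    salt = os.urandom(16)
    return Credential(salt, _digest(password, salt), now)


def password_expired(cred: Credential, now: datetime,
                     max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> bool:
    """True when the password is older than the configured age; 0 disables expiry."""
    if max_age_days == 0:
        return False
    return now - cred.set_at > timedelta(days=max_age_days)


def reuses_recent(cred: Credential, candidate: str) -> bool:
    """Compare the candidate against the current and remembered digests (each has its own salt)."""
    for salt, digest in [(cred.salt, cred.digest), *cred.history]:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            return True
    return False


def change_password(cred: Credential, candidate: str, now: datetime) -> list[str]:
    """Apply the policy; on success rotate the record in place and return [],
    otherwise return the reasons the change was refused."""
    reasons = complexity_failures(candidate)
    if not reasons and reuses_recent(cred, candidate):
        reasons.append("matches one of the recent passwords")
    if reasons:
        return reasons
    cred.history.insert(0, (cred.salt, cred.digest))
    del cred.history[HISTORY_DEPTH:]          # forget anything beyond the history depth
    cred.salt = os.urandom(16)
    cred.digest = _digest(candidate, cred.salt)
    cred.set_at = now
    return []
```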
Three Simple Ways To Begin Regulatory Compliance Archiving
Have you been putting off offering or relying on Compliance Archiving to meet regulatory compliance requirements? If so, you’re among friends as most businesses tend to view it as a form of a backup until they receive a letter from a law firm. Recently we published a quick and informal techie-free post about business continuity and we wanted to do the same for archiving because the #1 thing that will keep you out of trouble is making sure your entire organization is on the same page.
With that in mind, here are three steps that your organization needs to follow to get started with Compliance Archiving:
Step 1: Understand how your organization communicates
If you only knew what everyone did and what they had access to, things like security and compliance would be a non-issue. In the real world, organizations have a revolving door of staff, vendors, clients, laws, and projects that is constantly spinning. The notion that you can get something to manage it all, held together by IT staff and automation, is nothing short of a fantasy. Or rather, a nightmare, because you’ll get in trouble over the one thing that was missed and went wrong, not the million things that went right.
Our Compliance Archiving touches every message in your organization: doesn’t matter if it’s a message you sent to a client, a message you received from a vendor, or an interoffice email you sent to a coworker – we get them all. The important thing in step one is identifying the people and making sure that the way you communicate is set in stone: “We communicate with everyone through @ownwebnow.com email addresses, every ticket, every update, every inquiry, every quote, every bill pay – everything either comes from or is cc’d to an @ownwebnow.com address.”
Step 2: Get a grip on your devices, apps, and processes
Convenience is the enemy of order. And if you’re going to run a business, you cannot have everyone do exactly what they want to do. Yes, Subway will make your sandwich any way you want them to, but if you walk in and order a key lime cheesecake you’re going to be hungry. Same method applies to all the devices, apps, processes, etc. The simplest, most common sense, most effortless thing to do is to just give everyone that works on your behalf an email address on your infrastructure and have them use that email for all company communications.
If they use something else, and for some reason you wish to permit that rule change in your business, request that everything is cc’d to a local shared mailbox where you can keep ownership of it. Don’t make a big deal out of it – we get our office beer and red solo cups from Costco – and believe me we don’t have a massive asset inventory tracking system around it with people signing off on stuff left and right. We just take a picture of the receipt/order form and email to a receipts@ address – done.
Step 3: Get a regulatory compliance plan
The worst thing you can possibly do is start thinking about a plan when you’ve received a request for information or a legal hold. The good news is, step #3 is the simplest one because it’s just a matter of calling us at 877-546-0316 and talking to someone about implementing the Compliance Archiving solution. The complexity isn’t in the technology, it’s with the people and the constant sprawl of apps and devices that hold vital corporate information.
The great news about what we offer with our partners is that anything going in and out of your company can be screened, monitored, reported, and produced on demand or automatically for just a few bucks a month. The biggest challenge is knowing what to do – and you have to actually get started.
We look forward to serving you and making regulatory Compliance Archiving a breeze.
Top 5 Mistakes Companies Make With Compliance
ExchangeDefender Compliance Archive was designed as a blend of services and products to help organizations achieve regulatory compliance. This complex process is always evolving with new regulatory requirements, changes in organization structure, and unique reporting requirements.
At ExchangeDefender we specialize in helping organizations with their eDiscovery needs. Here are the biggest fallacies we hear all the time:
“We have a backup”
Email backups are not sufficient for nearly any modern regulatory compliance requirements for email retention. Not only can the messages be deleted before backups run, but running reports across the entire organization is next to impossible, not to mention excessively expensive. We recently assisted a partner managing a small 15 employee office in their backup and restore process to locate a message from 5 years ago, costing the organization over $18,000 in IT labor alone.
“We have a product/compliance service”
Having a product or a service subscription is different from being in compliance with regulatory requirements. The difference between having a product and being in compliance is similar to “We have a CPA” and “We have filed our tax returns on time” – mistaking the two can be costly and dangerous.
“We are never going to need that”
Most organizations downplay the importance of long term email archiving and eDiscovery. An overwhelming majority of subscribers to our eDiscovery service don’t have a specific regulatory requirement at all, they do it to effectively defend themselves from legal threats that are all too common these days. With email being the gateway for all corporate communication, it is the first place record retentions, legal holds, and subpoenas are issued for electronic records and there needs to be a system in place to effectively deliver that information.
“What we have is enough”
Regulatory compliance goes far beyond poorly interpreted recommendations and laws. It is a process of producing reports, identifying problems, and assuring that corporate communications policies are being followed, or at least addressed, in case there is an issue. If the organization does not have people in charge of managing the compliance on a monthly basis or there are no current reports searching for dangerous or sensitive content or there is no ongoing maintenance or an established incident record – the organization is likely out of compliance even if they purchased the right software or signed up for the right service at one point.
“We have someone managing that”
Someone is not a good person to rely on when you get a subpoena and they are even more difficult to get into a courtroom. Plus, how much would you trust them to demonstrate expertise and defend the implementation of the compliance archiving and eDiscovery solution? Many organizations make a mistake of thinking that just signing up for a service or purchasing a product is sufficient for compliance but it’s really just a starting point. You need the personnel, product, service, and reporting to fully achieve regulatory compliance.
ExchangeDefender Compliance Archiving and eDiscovery are a part of a professional service that helps get your organization and its means of communication on path to achieving regulatory compliance. Whenever someone is fully confident that they have their compliance in order we simply ask them to “show me your last Compliance Officer Report” and almost everyone struggles to produce the report or even name the Compliance Officer, the processes being used for archiving, the type of data protection, or the way in which the entire process is tested and audited. With ExchangeDefender Compliance Archiving, you not only get a service, you get a partner that will work with you every step of the way in achieving your regulatory and organizational needs for proper record keeping.