According to Gartner, spending on cloud system infrastructure services is expected to grow from $44 billion in 2019 to $63 billion in 2020, reaching $81 billion by 2022.
The cloud offers a level of flexibility that companies cannot get by using in-house servers. Scaling up and down is almost always easy. Also, as we saw this year with the massive shift to working from home, if things suddenly change in the workplace, you can easily adapt by allowing people to work from wherever they need to.
Cloud computing can also be deployed faster: provisioning takes minutes instead of the long lead time you usually need to add physical servers.
Nonetheless, the biggest difference is the cost. Not having physical servers that need maintenance will allow you to save money. Also, you do not need someone on-site to manage and maintain them. With the cloud, all of that is taken care of by the service provider.
What leads to cloud overspend?
Let’s see how that happens and what you can do to prevent it.
The Multi-Cloud Approach
Mid-size companies are using an average of seven different cloud providers for the applications and services they use. The multi-cloud approach is not bad on its own, but there are associated costs that add up. Everything from security mitigation to reporting must be repeated across your various cloud providers, which is time consuming, and finding someone to manage your cloud stack generates additional costs.
Some executives, rather than waiting until their businesses need more capacity, order more than needed. This usually happens because, when you are running physical servers, adding capacity takes time. You cannot double or triple the number of servers you are working with one week and scale back the next; you must order everything a few weeks in advance. When you bring the same mindset to the cloud, you end up with lots of resources that most likely never get used but still cost you money.
The real issue is not only that you end up with resources you do not actually need, but also that you lose sight of the hidden costs associated with these services. API calls, vendor lock-in, and even premium support packages can all add to your costs if you do not pay close attention to what you buy.
Cloud’s Not Cheap
Cloud can be cheap. The problem is that it is easy to lose track of how much you are spending and where. There are many aspects that take the cloud from a reasonable expense to a considerable expense, but you can get those costs under control with the right approach.
Reducing cloud overspend is not nearly as easy as wasting the money was in the first place, so eliminating it takes significant effort.
Pay Per Use
Firstly, conduct an audit to determine your usage habits. By analyzing your usage, you will probably discover some areas where you are spending more than needed. Things to look for include whether you are using all the features in the plan you have purchased. It is one thing to have the pro-level software suite that a company offers, but if you are not actually using a large percentage of the tools it includes, you should drop down to the next level. The same goes for storage. If you have a lot of unused cloud storage space, get rid of it. If you suddenly need more, you will not be in trouble: adding cloud resources is easy.
When you are auditing your cloud usage, verify details like the software you are using, how many people are using each tool, and how many cloud resources you are consuming. This will establish whether you have unused software licenses, whether you are paying for instances that are not being used, and so on. All of these are areas where you are likely to find overspend. The golden rule here is to keep auditing to make sure you are not overspending again. You cannot just do it once and consider the problem solved. Auditing is going to save you a lot of money, especially in the long term.
Optimization will always reduce spend. A lot of what you are going to find in terms of optimization will be aspects we have already discussed in this blog, but there are other, more technical aspects you can look at to lower your cloud spending, things like: workload modeling, workload automation, and rightsizing services.
The main goal is to get the cloud working as smoothly as possible and get rid of anything that is not configured, to maximize your organization’s benefit.
Partner with Experts
Businesspeople have neither the time nor the expertise to really manage cloud spend within their organization, so partnering with a team of cloud experts can help. Not only can we provide you with a reliable team of experts to help you manage your cloud, but we can do it cost-effectively. If you are ready to reduce cloud overspend and fully optimize your business, let’s talk. We love helping our customers use the benefits of top-notch technology without breaking the bank.
The Business Email Compromise (BEC) attack is an increasingly popular type of cyberattack because the success rate is quite high. A BEC attack impersonates a familiar person, such as a business partner or an employee, tricking the victim into buying gift cards or transferring expensive items to the hackers orchestrating the attack.
Like traditional phishing campaigns, BEC attacks often take advantage of topics in the news. These days, one of the main topics is the novel coronavirus. According to Check Point researchers, whose team collects and analyzes global cyberattack data, SARS-CoV-2 related cyberattacks jumped by more than 30% in May 2020 alone, many of which involved email scams.
Several government agencies and medical facilities looking to purchase equipment unknowingly transferred money to hackers, only to discover later that the requested equipment did not exist and that their money was gone.
Also, in 2019, a group of attackers infiltrated and monitored the Office 365 accounts of three financial organizations. After creating fake domains for these firms and for their partners, accounts, and banks, the criminals diverted certain emails to these fake domains. Using this type of “man-in-the-middle” approach, the group behind the attack managed to request and receive money transfers worth more than $1.2 million.
BEC campaigns typically use three different methods for impersonating legitimate email accounts:
First, and most commonly, the attackers spoof real email addresses, which is quite easy because the SMTP protocol itself offers no reliable way to validate the sender. Hackers use either dedicated or public SMTP servers to send emails with a spoofed address.
Secondly, the attackers register and send email from a domain name similar to the one they intend to impersonate. For example, the registered domain may be example.co, in contrast to the legitimate domain name example.com.
Thirdly, the attackers use phishing techniques to gain control of the email accounts of the people they want to impersonate. They can then send emails from the actual account, which lends legitimacy and makes it easier for them to request and receive money.
Stopping BEC attacks
Firstly, train your staff regularly about modern fraud techniques like BEC. The best training is brief, frequent, and focused. Organizations need to constantly retrain and keep security awareness messages front and center through multiple channels, including newsletters, web pages, online lessons, webinars, or presentations.
Every time an irreversible action such as a money transfer is initiated, the details of the transaction must be verified through an additional channel such as a voice call; verification must never rely exclusively on email correspondence.
Review the existing protocols and separation of duties for financial operations, and add extra controls if needed. Remember that separation of duties and other protections may be compromised by insider threats, so risk reviews may need to be revisited as well.
Create new policies related to “out of band” transactions or urgent executive requests. An email from a fellow worker’s Gmail or Yahoo account should automatically raise a red flag to staff members, but they need to understand the latest techniques being deployed by hackers. You need authorized emergency procedures that are well understood by all team members.
Review and test your incident management and spam reporting systems. Also, test your staff with simulations of incident scenarios.
Protect your email traffic with a layer of advanced email security. Make sure the email security solution you use blocks sophisticated phishing attacks like BEC. Viable email protection solutions would prevent those attacks from reaching employee mailboxes.
Protect mobile and endpoint browsing with advanced cybersecurity solutions which, among other things, block access to phishing websites.
Check the full email address on any message and be alert to links that may contain misspellings of the real domain name.
Regularly monitor financial accounts for suspicious transactions.
Use two-factor authentication every time you log in to key applications.
Do not provide login credentials or personal information in response to an email.
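The three impersonation methods described earlier and the checks recommended above (look at the full sender address, watch for misspelled domains in links, treat a colleague's name on a webmail account as a red flag) can be turned into a simple inbound-mail triage. The Python below is an added example, not the article's or any vendor's code; the trusted domain, staff list and sample messages are constructed, and it assumes the mail gateway records its SPF/DKIM/DMARC verdicts in an Authentication-Results header.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Organisation data assumed for this example (constructed, not from the article).
TRUSTED_DOMAINS = {"example.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}  # normalised display name -> real address
PAYMENT_WORDS = ("wire", "transfer", "gift card", "invoice", "payment", "urgent")


def edit_distance(a, b):
    """Levenshtein distance; a small distance to a trusted domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (example.co -> example.com), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw_message):
    """Return a list of findings for one inbound message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1]
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    findings = []
    # Method 2 in the article: a registered domain that merely resembles the real one.
    target = lookalike_of(sender_domain)
    if target:
        findings.append(f"sender domain {sender_domain} imitates {target}")

    # Method 1: a spoofed real address. SMTP itself does not authenticate the sender, so use
    # the SPF/DKIM/DMARC verdicts the receiving gateway records in Authentication-Results.
    auth = msg.get("Authentication-Results", "").lower()
    failed = [f"{k}={v}" for k, v in re.findall(r"(spf|dkim|dmarc)=(\w+)", auth)
              if v in ("fail", "softfail")]
    if sender_domain in TRUSTED_DOMAINS and failed:
        findings.append("internal sender failed " + ", ".join(failed))

    # A colleague's name on an address that is not theirs (often a free webmail account).
    name = " ".join(re.sub(r"[^a-z ]", " ", display.lower()).split())
    for staff_name, real_addr in KNOWN_STAFF.items():
        if staff_name in name and addr != real_addr:
            note = " (free webmail)" if sender_domain in FREEMAIL_DOMAINS else ""
            findings.append(f"display name '{display}' belongs to {real_addr}, sent from {addr}{note}")

    # Links whose host misspells the real domain.
    for host in re.findall(r"https?://([\w.-]+)", body):
        target = lookalike_of(host.lower())
        if target:
            findings.append(f"link host {host} imitates {target}")

    # Payment or urgency language only counts once an identity finding exists.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if findings and any(word in text for word in PAYMENT_WORDS):
        findings.append("payment or urgency language present")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = """From: "Jane Doe, CFO" <jane.doe@example.co>
Subject: Urgent wire transfer

Please pay the attached invoice today: https://example.co/invoice/4471
"""
SPOOFED = """Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail
From: "Jane Doe" <jane.doe@example.com>
Subject: Payment request

Please transfer the amount discussed.
"""
```

Calling `analyse(LOOKALIKE)` returns four findings (lookalike sender domain, borrowed staff name, lookalike link host, payment language), while the same spoofed message with passing authentication results and no other anomaly returns an empty list.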
In case you or your team members have encountered any suspicious activity, please let us know here. We are ready to offer your organization the professional support that it needs.
Location flexibility is one of the benefits of telecommuting, but as remote working becomes standard practice, information security becomes more of a concern.
From employees using unsecured Wi-Fi networks to workers bringing their own unsecured devices, remote work has added new layers of security-related concern for organizations and their data, according to new data released by the independent polling company Censuswide.
Organization leaders and their employees need to accept mutual accountability in doing what they can to protect sensitive data.
To start, business leaders should allocate funds to educate employees in regard to data security and how everyone is responsible for protecting it. They also need to initiate certain practices and procedures that will strengthen data security within their organizations.
Remote workers must also prioritize data security education and best practices, then commit to those measures.
So, what can companies and their remote workers do to protect their data? Here are a few aspects to consider.
Have a BYOD Policy in place
To avoid unnecessary disputes and the costs associated with them, it is recommended to have a carefully drafted BYOD policy in place with employees. Without a structured policy, disputes may arise over which data belongs to the company and which to the employee, and intellectual property protection may be compromised.
Installing an endpoint agent capable of data and malware protection provides greater assurance that the endpoint is secured, especially if corporate data resides on the employee’s device.
Keep Passwords Strong | Use a Password Manager
Password protection is another fairly easy way to protect your organization’s data. Some people tend to underestimate the importance of passwords, reusing the same one from device to device and account to account. Educating remote workers about password protection is crucial to securing sensitive data. Start with the basics of how to keep passwords strong and why it is so important not to use the same one over and over.
Another way for organizations and employees to alleviate this risk is by using a password manager that will allow users to randomly generate passwords and store them safely. This way, employees can focus on their daily tasks without needing to remember all their passwords for different accounts. Also, data will remain secure and uncompromised.
Plan for authentication and authorization
Act as if a breach is inevitable to further improve the security of your company. Multi-factor authentication (MFA), monitoring access controls, and creating strong passwords are basic practices that every smart company should know by now.
Many organizations are moving to two-factor authentication (2FA) for their data security management. This method confirms a user’s identity by first requiring a username and password, as well as another piece of information, whether it be an answer to a “secret question” or maybe a PIN sent to the user’s cell phone.
Having the right authorization levels is crucial. Especially for remote workers, having access only to the necessary applications and features is the best way to go. Companies must develop the habit of granting ‘least privilege’ access rights. This means giving only the minimum permissions required by an end user.
Watch out for phishing threats
Phishing threats that target remote workers are on the rise. Usual phishing strategies include getting employees to engage with suspicious content through what seems to be essential notifications. Phishing threats often include obvious errors such as bad grammar and spelling. Well-trained and aware remote workers will be able to spot these signals.
Consider running simulated phishing campaigns to test your employees’ awareness of potentially harmful emails, from who opened or clicked shady links to who entered credentials or submitted suspicious forms.
Therefore, it is important to develop a remote working culture that takes IT security best practices as a top priority. When it comes to cyber security, organizations should plan for every possibility and leave nothing to chance. Remote workers must be trained to avoid and report any suspicious activity.
Last month, Google announced Workspace, the brand-new name for all its productivity apps such as Gmail, Drive, Docs, Keep, Sheets, Calendar, Slides, Meet, etc.
According to the company, Workspace isn’t just a new brand (a replacement for GSuite), it also offers a deeper integration between apps, helping users collaborate more efficiently, improving their experience while aligning their products to today’s business necessities.
Improved User Experience
One of Google’s strengths has always been smart integration between its various products and services, but now the organization is taking dozens of little steps towards making these integrations deeper, simpler, and making the collaboration process more natural, especially when working in teams from remote locations.
You can now preview a linked file without having to open a new tab, which means less time spent switching between apps and more time getting the work done.
Also, when you mention someone (by using @ in your document), a smart chip will show the person’s contact details, including for those outside your organization, providing context and even suggesting actions like adding that person to Contacts or reaching out via email, chat or video.
In the coming weeks, Google promises that users will be able to create and collaborate in a more dynamic way on a document with guests in a Chat room. This will make content sharing easier and will allow users to directly work together with those outside their organization.
Google prepares even more ambitious features, such as creating a document directly from Chat or starting a video call from within a presentation. Those features are expected to be launched in the coming months.
There are some changes to the pricing, too. Starting this month, the cheapest plan named Business Starter costs $6 per month/per user and it allows users to create business emails using their organization’s domain name, video meetings for 100 participants, and 30 GB of cloud storage per user.
The next pricing plan is Business Standard, which costs $12 per month/per user, and you will get video meetings for 150 participants plus recording capabilities, as well as 2 TB of cloud storage/user.
Business Plus will cost $18 per month/per user and you will get video meetings for 250 participants plus recording and attendance tracking, 5 TB of cloud storage/user, and enhanced security and management controls, including Vault and advanced endpoint management.
Eventually, if your organization needs more resources, you may contact Google for a customized Enterprise plan.
Google has made obvious improvements in user experience, app integration, product flexibility within the last ten years and promises to continue this process. It has also launched, rebranded, and merged so many products over the past couple of years it’s hard to keep track, so most likely, in the following years, we will see a stronger Google Workspace, a tougher competitor to Office/Microsoft 365.
All the buzzwords are out there: virtual CIO (vCIO), IT Advisory Services, Technology Advisor, etc. Yes, all the reasons why you should engage such a service are important, but it should be more than just good advice.
Let’s explain the key aspects of an IT Advisory practice, and what it can do for you. Then we should talk about the key differentiator between “talking about IT strategy” vs. “doing IT strategy”.
Key aspects of an IT Advisory practice:
Assists in aligning IT to your business objectives
- Participates in strategy meetings with leadership/management
- Comprehends short-term vs. long-term initiatives
Identifies and documents your infrastructure
- Aligns technology with your business objectives
- Hardware and service standardization across workstations, networks, servers, backup solutions, and cloud services
Recommends process improvements, investments and savings based on your infrastructure and business objectives
- Assists in developing your IT budget based on useful life of your current environment
- IT governance policy and process, along with new technology recommendations
Recognizes vulnerabilities that stand in the way of your business objectives
- From compliance shortfalls to security vulnerabilities
- Starting with identifying, then communicating, and finally prioritizing solutions
“Talking about IT strategy” vs. “Doing IT strategy”:
When a managed IT service provider tells you they provide vCIO or IT Advisory services, ask them what their methodology is and whether they have a platform to orchestrate the process. As mentioned in a previous blog, “MSP-Are You Getting More Than A HelpDesk”, also ask whether the service is delivered by a dedicated resource or by an engineer who also resolves tickets.
Any IT provider selling IT Advisory services should have three key aspects to ensure it’s the right service for you.
- A dedicated team solely focused on the customer success and tasked with supporting and driving positive change in your business.
- A methodology geared around a strategic, business driven, technology consulting process to engage with customers. A methodology that is a value-add service to assist customers through an ever-changing technology landscape, from cloud migrations, to implementing proper security protocols.
- A platform to orchestrate the methodology, where the customer and advisor can share, document, communicate, and track decisions and agenda items in one portal.
It’s easy for someone to talk to you about IT strategy, and they will call it vCIO services, but you deserve more than just a conversation. Engage with an IT provider that has a dedicated team that provides a proven methodology through a transparent process on driving success with their customers.
Contact StratusPointIT and ask about our STAR methodology, and see how we are “doing IT strategy”.
Multi-factor authentication (MFA) is commonly used to prevent a stranger from logging in, with or without a password. MFA improves the security of user logins.
With Office 365 MFA, users are required to approve a phone call, respond to a text message, or enter an app-generated number from their smartphone after correctly entering their username and password. Only after this additional authentication factor has been verified can the user sign in.
Security Is Key
Using passwords alone is risky. If a single password is cracked, cyber criminals could gain access to your system, and you would probably not be alerted to their presence. Enabling MFA for an Office 365 user ensures that if access is attempted from an unusual location, from another device, or from another Office client, the user will be blocked until he/she provides additional verification.
Many users still have weak passwords, and it is difficult for management to mandate strong password management. Implementing Office 365 MFA adds a layer of security to protect sensitive information.
To date, the use of MFA to protect systems is not mandatory for every industry.
However, the Payment Card Industry Data Security Standard (PCI DSS) requires companies to use multi-factor authentication (MFA) to protect against breaches that could compromise payment card data.
Two-Factor Authentication (2FA) is a needed measure to comply with password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others. Let’s take a few examples:
The Healthcare Industry
The Health Insurance Portability and Accountability Act (HIPAA) does require organizations to confirm that users looking for access to electronic protected health information (ePHI) have the necessary authorization. Two-factor authentication addresses this HIPAA requirement, and multi-factor authentication takes it to the next level.
The Finance Industry
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act includes The Safeguards Rule which is a directive designed to secure customer data with specific provisions to ensure that data is not accessed under false claims. Risk assessment and risk mitigation are integral to compliance with the Safeguards Rule.
An identity and access management (IAM) solution can proactively address provisions in the Safeguards Rule and improve GLBA compliance through role-based management, entitlement management (limiting permissions to the access that is actually needed), and multi-factor authentication.
The United States Government
For several years, 2FA has been a requirement for accessing government websites. This action plan has also instructed the National Cyber Security Alliance (NCSA), a non-profit, public-private partnership, to partner with leading technology companies such as Google and Microsoft to promote the use of 2FA.
These public-private partnerships instituted by the US Government prove that MFA is a handy solution for mitigating security risks inherent to systems that use single password authentication protocols.
Authenticator is Microsoft’s two-factor authentication app. Launched around four years ago, the app simplifies the multi-factor authentication process. Basically, you log into an account and, after entering the username and password, you are asked to provide a code as the additional factor.
The Authenticator generates a six-digit code every 30 seconds that you must enter to finalize the login process into your app or service.
It is extremely useful for quick sign-ins, it works cross-platform, and it is faster than email or SMS codes.
When MFA is enabled, there are certain situations when O365 users must re-authenticate:
- In case of password change;
- In case the user signs in and out in Office clients;
- In case users swap between Office 365 accounts;
- In case administrators apply conditional policies to restrict the resource the user is trying to access.
MFA Can Combat Phishing Attacks
How? Basically, by making it harder for hackers to get into your system. With multi-factor authentication enabled, cyber criminals need to have initial access to even more information in order to perform a successful login (sometimes access to the victim’s phone, so not just the username and password).
MFA is a needed enhancement as more people use the entire Office 365 suite and save sensitive data in OneDrive and/or SharePoint. Protecting your data is crucial, and it seems that MFA’s importance and applicability will only grow over time.
While private and “incognito” modes can reduce your digital footprint online to an extent, there are still ways in which your activity can be tracked by malicious third-parties such as people on your network, the internet service provider, government agencies, and cyber criminals.
So, What Is Private Browsing?
Web browsers generally store data about your searches and online activity to make it easier for you to revisit websites. Browsers can store web-based content like usernames and passwords to speed up the log-in process or information about your location and preferences (favorite pages or certain features). This can be helpful in the short-term, but you likely don’t want this information shared with other users.
Private browsing first appeared in Apple’s Safari 4.4 browser back in 2005. It didn’t take long for other players like Google and Mozilla to release the feature. Soon, it became a standard component for any modern web browser.
Basically, private browsing creates a separate browsing session that’s isolated from the main one. Any websites you visit within that tab aren’t recorded in your device’s history. So, if you log in to a website in private mode, the cookies aren’t saved when you close the window.
Another consequence is that private browsing tabs can’t access cookies you use in the main session. For instance, if you log in to LinkedIn, and then enter incognito mode, you’ll have to re-enter your credentials. This also allows you to easily access multiple accounts at the same time and will make it more difficult for third-party sites to track your activity while in incognito mode.
Also, using private or incognito mode makes it easier to keep reading on websites with “soft paywalls”, such as The New York Times, where you’re granted access to a few pages before being prompted to either log in or subscribe.
The Incognito Mode
Private browsing mode only stops your own device from keeping information about your web session. Browsers that offer private (or incognito) mode usually warn users that it is not a security measure.
Incognito mode doesn’t stop network administrators from keeping an eye on your activity. It also doesn’t prevent a third party from spying on your browsing habits if you’re using a public hotspot in a restaurant.
So, private browsing is a matter of how browsing activity data is stored on the user’s personal device, and not about its transmission across a network.
Google and Mozilla are completely upfront about this in their browsers. “Going incognito doesn’t hide your browsing from your employer, your Internet service provider or the websites that you visit,” Chrome users are warned each time they open a new incognito window. Microsoft Edge also informs its users about “InPrivate” browsing limitations.
Furthermore, there are several ways to defeat private browsing at the local level. If your device is infected with malware that tracks network traffic and DNS requests, incognito mode cannot help you. It also can’t protect the user from “fingerprinting”, in which third parties (usually advertising companies) try to determine unique features of your computer to track its activity across the network.
Unfortunately, fingerprinting attracts less attention than malware, despite its ability to identify individuals with remarkable accuracy. As you browse the internet, third-party sites can collect information about your device: display resolution, browser, plugins, language, time zone, and so on. Any single piece of information may be insignificant by itself, but together they can be used to build a profile of your computer, putting you and your organization at risk.