IT Advisory Services: Getting More Than Just Good Advice

All the buzz words are out there: virtual CIO (vCIO), IT Advisory Services, Technology Advisor, etc.  Yes, the reasons why you should engage such a service are important, but the service itself should be more than just good advice.

Let’s explain the key aspects of an IT Advisory practice, and what it can do for you.  Then we should talk about the key differentiator between “talking about IT strategy” vs. “doing IT strategy”.

Key aspects of an IT Advisory practice:

Assists in aligning IT to your business objectives

  • Participates in strategy meetings with leadership/management
  • Comprehends short-term vs. long-term initiatives

Identifies and documents your infrastructure

  • Aligns technology with your business objectives
  • Hardware and service standardization, from workstations, networks, servers, backup solutions, and cloud services

Recommends process improvements, investments and savings based on your infrastructure and business objectives

  • Assists in developing your IT budget based on useful life of your current environment
  • IT governance policy and process, along with new technology recommendations

Recognizes vulnerabilities that threaten your business objectives

  • From compliance shortfalls to security vulnerabilities
  • Starting with identifying, then communicating, and finally prioritizing solutions

“Talking about IT strategy” vs. “Doing IT strategy”:

When a managed IT service provider tells you they provide vCIO or IT Advisory services, ask them what their methodology is and whether they have a platform to orchestrate the process. As was mentioned in a previous blog, “MSP - Are You Getting More Than A HelpDesk”, also ask whether the service is delivered by a dedicated resource or by an engineer who also resolves tickets.

Too often IT providers market that they provide Virtual CIO (vCIO) services, but those services are delivered by an engineer who is also responsible for resolving tickets or installing hardware. When you ask about advisory services, ask whether the service is delivered by dedicated individuals or is simply one more responsibility of the engineering team.

Any IT provider selling IT Advisory services should have three key aspects to ensure it’s the right service for you.

  1. A dedicated team solely focused on customer success and tasked with supporting and driving positive change in your business.
  2. A methodology geared around a strategic, business driven, technology consulting process to engage with customers. A methodology that is a value-add service to assist customers through an ever-changing technology landscape, from cloud migrations, to implementing proper security protocols.
  3. A platform to orchestrate the methodology, where the customer and advisor can share, document, communicate, and track decisions and agenda items in one portal.

It’s easy for someone to talk to you about IT strategy and call it vCIO services, but you deserve more than just a conversation.  Engage with an IT provider that has a dedicated team, a proven methodology, and a transparent process for driving success with their customers.

Contact StratusPointIT and ask about our STAR methodology, and see how we are “doing IT strategy”.

Office 365 Multi-Factor Authentication

Multi-factor authentication (MFA) is used to stop an attacker from logging in even after they have obtained a user’s password: something the user knows (the password) is combined with something the user has (a phone or authenticator app). MFA improves the security of user logins.

With Office 365 MFA, after correctly entering their username and password, users must complete a second step: approve a phone call, enter a code sent by text message, or enter (or approve) a code generated by an authenticator app on their smartphone. Only after this additional factor has been verified can the user sign in.

Security Is Key

Using passwords alone is risky. If a single password is cracked, guessed, or phished, cyber criminals can log in as that user, and you would probably not be alerted to their access. With MFA enabled for an Office 365 user, a sign-in from a new device, an unusual location, or another Office client must be confirmed with the second factor before access is granted, so a stolen password alone is not enough.

Many users still choose weak or reused passwords, and it is difficult for management to enforce strong password practices. Implementing Office 365 MFA adds a layer of security that protects sensitive information even when a password is weak.

NOTE: According to studies published by Microsoft, an account with MFA enabled is more than 99.9% less likely to be compromised.

Compliance Requirements

To date, the use of MFA to protect systems is not mandatory in every industry.

However, the Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for administrative and remote access to the cardholder data environment, to protect against breaches that could compromise payment card data.

Two-factor authentication (2FA) is also needed to satisfy authentication requirements in sectors such as finance, healthcare, defense, law enforcement, and government, among others. Let’s take a few examples:

The Healthcare Industry

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires organizations to verify that a person or entity seeking access to electronic protected health information (ePHI) is who they claim to be. Two-factor authentication is an accepted way to meet this requirement, and it is considerably stronger than a password alone.

The Finance Industry

The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, includes the Safeguards Rule, a directive designed to secure customer data with specific provisions to ensure that data is not accessed under false pretenses. Risk assessment and risk mitigation are integral to compliance with the Safeguards Rule.

An identity and access management (IAM) solution can proactively address provisions in The Safeguards Rule and improve GLBA compliance through role-based management, entitlement management (limits permissions and only access what is needed), and multi-factor authentication.

The United States Government

For several years, 2FA has been required for access to many US government systems and websites. The 2016 Cybersecurity National Action Plan also directed the National Cyber Security Alliance (NCSA), a non-profit, public-private partnership, to work with leading technology companies such as Google and Microsoft to promote the use of 2FA.

These public-private partnerships, instituted by the US Government, show that MFA is widely regarded as a practical way to mitigate the risks inherent in systems that rely on a single password for authentication.

Microsoft Authenticator

Authenticator is Microsoft’s two-factor authentication app. Launched in 2016, the app simplifies the multi-factor authentication process. You log into an account and, after entering the username and password, you either approve a push notification in the app or type the code it displays.

The code is a time-based one-time password: the Authenticator generates a new six-digit code every 30 seconds from a secret shared with the service and the current time, so it works even when the phone is offline. You enter that code to finalize the login to your app or service.

It is extremely useful for quick sign-ins, it works cross-platform, and it is faster than email or SMS codes.
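The six-digit, 30-second code described above is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following Python is an added example, not Microsoft’s code or anything from the Authenticator app: it derives such a code and shows how a service verifies it, including the small clock-drift window and the constant-time comparison a verifier should use. The seed is the RFC 4226/6238 test key (ASCII "12345678901234567890"), base32-encoded as a constructed demo value, not a real account’s secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed: the RFC 4226 / RFC 6238 test key (ASCII "12345678901234567890"),
# base32-encoded the way an authenticator app receives a seed from a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")

STEP_SECONDS = 30   # Authenticator rotates the code every 30 seconds
DIGITS = 6          # six-digit display


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)       # keep leading zeros


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps so a phone
    whose clock drifts slightly still works, and compares in constant time so the check
    does not leak how many digits matched."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, step + delta), submitted)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    print("current code for the demo seed:", totp(DEMO_SECRET_B32))
```

With the RFC test key, the code for time step 1 (any time from 30 to 59 seconds after the epoch) is 287082, which matches the published RFC 6238 SHA-1 vector 94287082 truncated to six digits. Note that a code is only as secret as the seed: anyone who obtains the base32 seed can generate the same codes, which is why the seed must never be logged or stored unencrypted.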

O365 Re-Authentication

When MFA is enabled, there are certain situations when O365 users must re-authenticate:

  • In case of password change;
  • In case the user signs out of and back into Office clients;
  • In case users swap between Office 365 accounts;
  • In case administrators apply conditional policies to restrict the resource the user is trying to access.

MFA Can Combat Phishing Attacks

How? By making a stolen password useless on its own. With multi-factor authentication enabled, a phisher who captures a username and password still needs the second factor (for example, access to the victim’s phone or a freshly generated code) to complete a login. One caveat: a one-time code can itself be phished if the attacker relays it in real time through a look-alike site, and users can be worn down into approving push notifications they did not initiate, so MFA raises the bar considerably but does not eliminate phishing risk.

Finally

MFA is a needed enhancement as more people use the entire Office 365 suite and save sensitive data in OneDrive and/or SharePoint. Protecting your data is crucial, and it seems that MFA’s importance and applicability will only grow over time.

The Limitations of Private Browsing

While private and “incognito” modes can reduce your digital footprint online to an extent, there are still ways in which your activity can be tracked by malicious third-parties such as people on your network, the internet service provider, government agencies, and cyber criminals.

NOTE: Private Browsing mode is also known as Incognito Mode in Google Chrome and InPrivate Browsing in Microsoft Edge.

So, What Is Private Browsing?

Web browsers generally store data about your searches and online activity to make it easier for you to revisit websites. Browsers can store web-based content like usernames and passwords to speed up the log-in process or information about your location and preferences (favorite pages or certain features). This can be helpful in the short-term, but you likely don’t want this information shared with other users.

Private browsing first appeared in Apple’s Safari 2.0 browser back in 2005. It didn’t take long for other players like Google and Mozilla to release the feature, and it soon became a standard component of every modern web browser.

Basically, private browsing creates a separate browsing session that is isolated from the main one. Websites you visit in that window are not recorded in your device’s history, and cookies set during the session are discarded when you close the window, so a site you logged into in private mode will not recognize you next time.

Another consequence is that private browsing tabs can’t access cookies you use in the main session. For instance, if you log in to LinkedIn, and then enter incognito mode, you’ll have to re-enter your credentials. This also allows you to easily access multiple accounts at the same time and will make it more difficult for third-party sites to track your activity while in incognito mode.

Private or incognito mode also makes it easy to get past some “soft paywalls”, such as The New York Times, which grant access to a few pages before prompting you to log in or subscribe: the article counter is kept in cookies, and the private session discards them.

NOTE: When private browsing mode was first introduced, websites could get around this limitation by storing cookies through the Adobe Flash browser plug-in. Flash has honored private browsing mode since Flash Player 10.1 and will not store data while it is enabled, and Adobe has scheduled the end of Flash Player support for the end of 2020.

The Incognito Mode

Your private browsing mode only stops your own device from keeping a record of your web session. Browsers that offer private (or incognito) mode usually warn users that it is not a security or anonymity tool.

Incognito mode doesn’t stop network administrators from keeping an eye on your activity. It also doesn’t prevent a third party from spying on your browsing habits if you’re using a public hotspot in a restaurant.

So, private browsing is a matter of how browsing activity data is stored on the user’s personal device, and not about its transmission across a network.

Google and Mozilla are completely upfront about this in their browsers. “Going incognito doesn’t hide your browsing from your employer, your Internet service provider or the websites that you visit,” Chrome users are warned each time they open a new incognito window. Microsoft Edge also informs its users about “InPrivate” browsing limitations.

Furthermore, there are several ways to defeat private browsing at the local level. If your device is infected with malware that captures network traffic and DNS requests, incognito mode cannot help you. It also can’t protect the user from “fingerprinting”, in which third parties (usually advertising companies) collect distinctive characteristics of your browser and device to recognize it across sites, with or without cookies.

Unfortunately, fingerprinting attracts less attention than malware, despite its ability to identify individuals with remarkable accuracy. As you browse the internet, third-party scripts can read information about your device, your display resolution, the browser and its version, installed plugins, language, time zone, and so on. Any one of these values is shared by many people, but the combination is often unique, and that combination becomes a profile of your computer that puts you and your organization at risk.
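The following Python is an added example, not code from the original post or from any tracking company, that makes the fingerprinting point concrete: it takes a small constructed population of browser profiles (not real telemetry) and counts how many are singled out by one attribute alone versus by all attributes together, then hashes the combination into the stable identifier a tracker would store in place of a cookie. The attribute names and values are invented for illustration.

```python
import hashlib
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample profiles (not real telemetry). Each field is something a
# third-party script can read without asking permission: user agent, screen size,
# language, time zone and plugin list.
PROFILES: List[Dict[str, str]] = [
    {"ua": "Chrome/83 Windows", "screen": "1920x1080", "lang": "en-US", "tz": "America/New_York", "plugins": "pdf"},
    {"ua": "Chrome/83 Windows", "screen": "1920x1080", "lang": "en-US", "tz": "America/Los_Angeles", "plugins": "pdf"},
    {"ua": "Chrome/83 Windows", "screen": "1920x1080", "lang": "en-GB", "tz": "America/New_York", "plugins": "pdf"},
    {"ua": "Chrome/83 Windows", "screen": "1366x768", "lang": "en-US", "tz": "America/New_York", "plugins": "pdf"},
    {"ua": "Firefox/78 macOS", "screen": "1920x1080", "lang": "en-US", "tz": "America/New_York", "plugins": "pdf"},
    {"ua": "Firefox/78 macOS", "screen": "1366x768", "lang": "en-GB", "tz": "America/Los_Angeles", "plugins": "none"},
    {"ua": "Chrome/83 Windows", "screen": "1366x768", "lang": "en-US", "tz": "America/Los_Angeles", "plugins": "none"},
    {"ua": "Firefox/78 macOS", "screen": "1920x1080", "lang": "en-GB", "tz": "America/New_York", "plugins": "none"},
]
ALL_KEYS = ["ua", "screen", "lang", "tz", "plugins"]


def fingerprint(profile: Dict[str, str], keys: Iterable[str] = ALL_KEYS) -> str:
    """Stable identifier a tracker would store: a hash of the canonicalised attribute set.
    The same attributes give the same hash on every site the tracker is embedded in,
    with or without cookies, so opening a private window does not reset it."""
    subset = {k: profile[k] for k in keys}
    canonical = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def anonymity_set_sizes(profiles: List[Dict[str, str]], keys: Iterable[str]) -> List[int]:
    """For each profile, how many profiles in the population share its values for `keys`.
    A size of 1 means those attributes alone single the profile out."""
    keys = list(keys)
    counts = Counter(tuple(p[k] for k in keys) for p in profiles)
    return [counts[tuple(p[k] for k in keys)] for p in profiles]


def uniquely_identified(profiles: List[Dict[str, str]], keys: Iterable[str]) -> int:
    """Number of profiles uniquely identified by the given attributes."""
    return sum(1 for size in anonymity_set_sizes(profiles, keys) if size == 1)


if __name__ == "__main__":
    for key in ALL_KEYS:
        print(f"{key:8s} alone identifies {uniquely_identified(PROFILES, [key])} of {len(PROFILES)}")
    print(f"all five together identify {uniquely_identified(PROFILES, ALL_KEYS)} of {len(PROFILES)}")
    for p in PROFILES:
        print(fingerprint(p), p["ua"], p["screen"], p["lang"], p["tz"], p["plugins"])
```

In this constructed population no single attribute identifies anyone (each value is shared by at least three profiles), user agent plus screen size identifies one, and all five together identify every one of the eight. Real populations are far larger, but the same effect holds because real browsers expose dozens of such attributes, which is why private mode, which only discards cookies and history, does nothing against it.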

Conclusion: In 2020, anonymous browsing is still a work in progress. Even Tor Browser, which was built with the sole purpose of anonymizing traffic, is not a complete privacy and security solution on its own.