
TAP 6 | Data Security

 

Almost everything these days is done digitally, which means speed and convenience for everyone. But along with its many benefits comes a heightened need for awareness when it comes to data security. With scammers, phishers, and cyber attackers lurking out there, just one wrong click and your business could be gone. Jen Coleman and Paul Villanueva talk with Michael Garofalo about their Pleasant-Valley-based business, Intelligent IT Designs. They discuss the benefits of using UPS technology and undergoing security awareness training. Paul also explains the future of passwords and some important tips for choosing a good hard drive.



 

Intelligent IT Talks Cybersecurity, Phishing And Defending Your Business In The Digital World

We are here with Jen Coleman and Paul Villanueva from Intelligent IT out of Pleasant Valley. How are you guys?

We are great. Thank you.

Jen and I have a good relationship because both of our companies are involved in the Chamber of Commerce. We are involved as an ambassador and body. We meet each other, learning what the Chamber is about, what it can offer our businesses, and trying to connect businesses to one another, who you never know when they are going to need each other's services. How has your experience been so far, not just in the Dutchess Chamber but other networking-related events? How has everything been going here in the Hudson Valley for you?

There is a lot of value in the Chambers and making sure that we are keeping our community safe. I have had good results with most of the Chambers. Paul and Intelligent IT Designs have been part of the Dutchess Chamber for quite some time. I’m new to the company, so coming in can be a little daunting, and for the fact that they gave me you, which was wonderful, we have a lot of good things we can do. My experience has been great, and everybody should look into their local chambers.

It is always a passive generation. Meeting as many people as you can, shaking hands, introducing people, and you never know. It might even be several years down the line when someone says, “I need that service.” I have that relationship already built. He did not know that several years apart. Paul, you have got an interesting history from down in the Bronx, where you initially started your career. Can you give a quick 101 history on your background?

We have been in business for several years. The serving businesses started in New York City. I grew up in Westchester, and now for the past several years in Dutchess County. We’ve got a pretty wide stretch. I have been in IT for many years. I was the IT Director for a consumer lending company and an Assistant IT Manager for a bank. I go back to the days of DOS, and when Windows 3.1 came out, I was like, “Who needs a mouse? I could do everything faster from the keyboard.” It is a long history of supporting small and larger organizations.

With all the changes that accelerated during COVID, geographical locations are a lot less important than they were even several years ago.

We serve clients not only in New York but in other states as well, and we serve them well. It is the advancements in technology. I have made it easier to provide the tools. The COVID has made it a requirement to do that.

Everyone has room to learn and be better. You just need to be open-minded that you don't know everything.

IT is a broad field. Can you maybe narrow down for the readers where your specializations are and where you feel your company’s strengths now?

Our strengths are understanding what the business owner needs as far as their infrastructure, support, applications, network management, and security. That is a big one.

One thing I wanted to hit on real quick before we dive in is the newsletter you have out there. I know it is a good way to connect with business owners in the community and make an introduction. You have a cool one out about UPS, Unlimited Power Supply technology, and how it could potentially save a business from a real disaster. One cool thing about your newsletters is that you try to stay on a single topic. It is like, “If you want that topic, click it and read it. If it is not for you, move on and keep going.” What is UPS technology? Have you seen scenarios where it has been a big lifesaver for companies?

It is important to have a good battery backup. Having that type of solution in place, should there be a power failure, whether it is to the building or to that electrical outlet? If you lose power and the computer drops suddenly, any unsaved data could be lost, and that could be hours of work. It could also have corruption. If you are running QuickBooks or some other database, the data could be damaged. You have to go to a backup and restore it.

If the entire office goes offline, it creates additional problems. If your clients are trying to call and reach you, and they are, “You fall off the map,” that is dangerous. What the UPS does is it gives you time, depending on how much runtime and power you have available to you. Sometimes it could be minutes and, depending on your investment, it could be hours. It gives you time to properly save data, properly shut down, and probably notify other people of what is going on so that it is not as abrupt.

It is only intended to be a temporary fix. You want to save all your data. It is not going to keep you online and keep you there long enough, so you don’t lose too much.

Some of it depends on your investment in battery power. That can become expensive. I have seen people be able to run a small office for a few hours but that can get expensive. At that point, if you are looking for a longer run time, use a gas generator because that can keep you running for days.


Data Security: People are using personal devices when accessing data from the office or the cloud. As a result, there’s potential for data being leaked or lost.

 

The UPS, I assume, is a lithium-ion battery or similar.

It is a 12-volt DC battery. I’m not sure if it is lithium-ion but it resembles small car batteries.

That is a potential problem that business owners could face. Could you talk about three of the top challenges that you are seeing now that are the most common or threatening for businesses and potential solutions for this?

One of the big problems that have become a bigger problem is as more people are working from home, everyone has figured out how to work from home but I do not think everyone has figured out how to work from home securely. What happened is people are using maybe personal devices, business provided devices, they are accessing data from the office or cloud. There is the potential for data being leaked or lost. When employees are leaving the company that they are taking data with them, that is a big problem.

The work from home and the sprawl have accelerated. It made that problem bigger. There are some solutions like Microsoft 365 Azure. Those kinds of things have mobile device management where you can enroll the devices. Even if it is an employee-owned device, you can still enroll. It does not install software on their machines because sometimes they do not like that. As far it is part of Windows.

What that lets you do is, when an employee leaves, you can revoke access to data and make data expire. That reduces the potential for data leakage and data loss, and increases security. Another big problem that has become even more important with all of the things happening that we see in the news with regards to security, cybersecurity, and things like that is a lack of security awareness on behalf of business owners and their employees.

A lot of employees or workers are well-intentioned. They want to do a good job but they do not know how to navigate some of the threats they encounter on a day-to-day basis. One solution we have is security awareness training, where we enroll our clients into a platform that allows them to receive regular technology newsletters in addition to the ones that we have that are public-facing. We have a whole other more in-depth sets. It educates and stays top of mind.

If you protect the organization and your entire staff, it also protects the clients. It's an unselfish act that everyone is on the same page.

We take these staff members and make security top of mind for them. We give them regular newsletters. We enroll them in a platform where they have access to training. They take quizzes, get little certificates, get graded, and get a little comparison chart among their peers to see who is doing better and who needs to invest more time. It keeps security top of mind and educates them.

The other thing we do is phishing simulations on a regular basis because everyone says, “I know how to detect phishing attempts. That is easy.” They are getting good. Our staff members mean well. They say, “We’ve got it. We know how to detect it, and we won’t make those mistakes.” When you test them and send them the fake emails yourself, you get to see who is clicking and not clicking. You can go to them, have a conversation and say, “That is reinforced. What do you need to do to make sure we are not clicking on these links because they could be dangerous?”

What is a good way to do that? It is true. It is widespread, and some of them are obvious. You can look at those emails, and you know that is spam. You are going to delete a phishing email. You are going to remove that. Some of them are getting good, and they can mimic an email address that looks like a valid one from your company. There is a good reason to be afraid of it.

You also want to look at and say, “I do not want to insinuate to my employees that I suspect them of not being up to the challenge of detecting things. I do not want to imply that I’m distrusting you.” What is a good way to toe that line and provide the software but let them know, “We are all being tested. It is not personal”?

The actual test provides concrete information that confirms whether they are up to the task or not. We all have room to learn and be better. The discussion is, “Let’s be open-minded. I know a lot of things but I do not know everything. There is always room for me to learn and do better.” If the employee shares that open mind, it is not that much of a problem.

It is like all your coworkers in the office are also seeing or feeling like.

We are not singling anyone out and saying, “You are potentially a problem. We are going to single you out and run tests against you.” It is an organization-wide thing because it protects the organization. If you protect the organization and the entire staff, it protects clients. It is an act of love. An unselfish act that we all have to be on the same page because we want to be safe. We want the organization and team members to be safe. We want our client’s data that we possess or are stewards of to be safe. We have to be willing to be tested.


Data Security: Business owners and employees just want to do a good job, but they don’t know how to navigate some of the threats they encounter on a day-to-day basis.

 

If you might have had a third bullet point for businesses, I do not want to step on your toes until you could get that one out there, and we will move on to the next topic.

A lot of times, when I meet with business owners, who already have an IT person, they will tell me, “We have a guy. It is a family member. It is someone who has a day job and comes by at night. Sometimes we can’t reach him.” That is a recipe for disaster. That was okay years ago because setting up technology was pretty relatively straightforward. You do not have to be an expert in everything or some things.

My team and I spend a lot of time studying, learning about new tools, and working with our vendors. We are always sharpening our toolsets, collaborating with vendors, and as a team, teaching each other things and doing labs. We invest a lot of time into this stuff. It is still difficult to keep up with the constantly changing landscape.

I say to myself, “If that is a challenge for us, that is a challenge for other people as well. If it is a challenge for other people, how is that single guy keeping up with all that stuff?” As business owners, we are stewards of our clients’ data and the people that work for us. I’m responsible for my team, and to some degree, for their livelihoods and my clients. If I’m using this guy and he is creating some vulnerabilities in my environment because he is not up to speed, things have changed.

There is an opportunity to do better. I’m trying to educate business owners, inform them and say, “These are the hurdles that we are facing, trying to keep up and trying to protect our clients. How is that one guy doing it as well as we are?” I do not see it as possible. Many businesses that have that guy or gal scenario are highly vulnerable and can one day be in big trouble. That is something we are trying to sound the alarm on.

Jen, are you seeing the same thing that Paul described in terms of those vulnerabilities?

I had a call with somebody and asked them about their network. The response was, “I do not even know what that is.” I was like, “You need us.”

As a business owner, you are the steward of your client's data and the people who work for you.

There is specialization in about everything to speak from this side of the table. We think we are good with beer distributors and manufacturers but we know there are some industries where we can probably do that tax return but we are not the specialized firm for that. We know a firm. They call themselves Aviation CPA.

They know everything about aircraft and its specific niche. We are comfortable saying, “If you have a specific need for that, that is the right firm for you.” That is fine. I imagine for the person you spoke about too they probably have an area of expertise where they know a lot about it but it is not IT or network. There is no shame in that they probably need a little help.

People are open to having help when they hear the stories we have to tell them and when they hear what we do. As Paul said earlier, we have a team that has expertise in all different areas. We’ve got somebody for any of your needs. That is how we look at it.

Can we pivot a little bit and talk to our readers about tax, accounting, and some key topics in this particular area? One is, can we talk about the client’s responsibility in terms of the best practice for a client holding a file? We do our best to send everything with end-to-end encryption. We have two choices for that. We even have some non-digital clients that want a paper copy in a different category.

What are some tips for clients who have received an encrypted file? They have that now through the portal or however they would like to receive it, but now, they would like to save that locally. It is a PDF file, and they want to hold onto that for several years until they know they do not need that tax return anymore. What is the best practice for keeping that file as securely as they can?

There are a few different things that should happen. Starting out is the hard drives, and whatever computer that they are storing it on should be encrypted. This way, if the devices are ever lost or stolen, whoever has that drive can read it. That would restrict access. The other thing is, while it is living on the file system, you can also encrypt the files. If someone does have access to the computer, they still cannot access the files unless they have been granted permission to them.

You do not even have to have it live on the computer. You can store it on a flash drive but the data should exist in multiple locations. If it is one flash drive, maybe 2 or 3, store it in a small safe, a metal box or two different locations. The other thing is you’ve got to have a backup. Not only for the financial data but other files that you have on your computer.


Data Security: The IRS won’t send you an email asking you for financial or personal information. If you’re getting that kind of email, that’s definitely a scam.

 

People have years of their kids’ pictures on their computers. Sometimes they have no extra copy or backup. A drive on a computer will fail. It could be today, tomorrow or ten years from now but it is guaranteed to one day fail. At that point, it could be too late. Years of critical data and memories could be lost. There is no replacement for a good backup.

A good quality drive will last a long time but not indefinitely. What should you do at a certain point? Should you transfer those files somewhere else? What is a good practice on that? How many years down the road should you be considering a change?

It depends on how many years down the road you should consider changing the device. Some in part depend on the quality of the device. Look at the traditional magnetic drive. Companies like Western Digital and Seagate have different levels of quality in their drives. They have green drives, blue drives, black drives, red drives, and gold drives. The gold and the black tend to have a five-year warranty, whereas the green, which is supposed to be environmentally friendlier and has lower power consumption. They are also much slower and have poor performance. They have a one-year type of thing. I have seen them fail at that year or less than a year.

The blacks and golds, I have seen them fail 3 to 7 years later. I have seen them last longer, too. I would invest in a high-quality drive, and now that would be a solid-state drive. Crucial makes a good product. I have seen those run for five years without issues, sometimes longer, but we also see a few fail at around three. I would say that somewhere between 3 to 5 years, we are upgrading our storage, but nothing replaces a good backup.

When you look at it, and if it is not fire damage, water damage, and had been sitting in my closet, you think that is probably pretty secure and static but over time, slowly, it is degrading a little bit.

Some other things that can affect if you are storing a device are the amount of humidity and moisture in the air in the room. I had the electronic devices stored for a long time, that is not the problem but you can have that thing. If you are not using the storage, the potential for failure is much lower.

A flash drive sitting in a box somewhere is probably pretty good for a number of years.

Nothing replaces a good backup.

You should have more than one, and you should vary the manufacturer. If we have 2, 1 should be a Kingston, and the other one should be Crucial because sometimes, if there is defective hardware, that would be across the batch. If you have 2 from the same batch and 1 has a failure, that other one may have the same failure soon after. Different manufacturers are a good way to increase your protection.

Can we talk about one more tax topic? We have seen in the news phishing and phony IRS scams. Some of them are easy to catch with someone requesting that you pay tax with an iTunes gift card. That is going to raise a red flag for the vast majority of people. They are going to know that is not a legitimate claim. What have you seen in terms of these phishing schemes? That is how someone feels that is the best way to use their time. If they are happening at this scale, there is a large enough percentage of people, even if it is very small, that are falling for it and are making this a profitable thing for people.

These guys are casting a wide net, and someone is going to fall for it. If you cast that wide net to millions of people and you get a few that fall for it, it is a “win for them.” You had mentioned, I wonder if it was here now or when we spoke before, with the IRS. My understanding is the IRS won’t send you an email asking you for financial or personal information. If you are getting that email, that is a scam. Those folks have an email that you can report stuff to. It is called Phishing@IRS.gov. It is where you could forward those emails, too.

As far as phishing, in general, it has become a lot better and more sophisticated. Sometimes, if they can get access through poor password policies within an organization, the account gets compromised. The malicious persons can get access to someone’s mailbox, read the conversations, and study. From that, if I can see your inbox, I could start to figure out, “Who is the owner? How does he conduct himself? How does he speak to people? Who is he asking? Who cuts the checks, and who has certain roles at the organization?” I can start creating conversations with other staff members.

I can send you or the bookkeeper an email and pretend I’m your boss. I will speak like him and mimic him as I read the other emails and say, “I need you to cut a check or buy some gift cards and do not call me because I’m in a meeting but please send me the codes on the back of the gift cards. It is an urgent matter.” I have seen people fall for that.

You described a broad net before, and now that is the opposite. There is a narrow, targeted approach, which is, in a lot of ways, even scarier.

A lot of times, that starts with a compromised password. That means that organization is probably not using multi-factor authentication. One big thing you can do to greatly increase your security at your organization is to use two-factor authentication. When you enter your username and your password, you will get a code on your cell phone that you would enter to gain access. Even if your password is compromised, they do not have access to the code on your cell phone to get in.


Data Security: Biometrics is here to stay. In 2018, around 64% of enterprises had already deployed some form of biometric authentication.

 

I’m glad you brought up passwords, Paul, because that is the last thing I wanted to talk about. The book, Scam Me if You Can that’s by Frank Abagnale. A lot of people know him from the movie, Catch Me if You Can. It is a little bit of a spoiler alert but you could summarize it as a fraudster who turned to the good side. He used his knowledge of fraud to try to help the US and to investigate these problems and stop them before they occur. In his book, he suggested that passwords are likely to change in the near future and with respect to how we create and use passwords. Can you touch on that?

The password is going to be here still for a long time. There are a lot of software systems and applications that we use where you use a username, password, and secondary authentication. It is going to be quite a long time before that gets replaced, but what we are talking about, the biometric stuff, is here to stay. The Department of Defense, DLD, DOJ, and DHS are all using it. For some of their stuff, IRS had made it required. I was reading something that they had backed off on that. It is no longer a mandatory thing.

In 2018, 64% of enterprises had already deployed some form of biometric authentication, and two years after that, the expectation moved to 22%. It is all over the place. It is on our cell phones and the images. It is on laptops and time clocks. It is not going away. There are some things that get in the way of it moving forward faster. It may not be as fast as some of us think it is. There are privacy concerns and regulations. Some people have proposed legislation because of privacy, legalities, and things like that.

There are other concerns that we have to worry about with biometrics. For instance, if you have retina data or my vein data, which I thought was an interesting one. They pick up the pattern of the veins in your hand and know if it is you or not. It is pretty amazing. When it is a password, and the password is compromised, you can change the password, but now, if your biometric data is compromised, how do you change that?

That is what Abagnale was saying in his book. It does seem more secure because it is so individual to you but if, at the end of the day, a computer recognizes that as a set of 1s and 0s, ultimately, it is copyable and a bit vulnerable. There is no perfect now.

In the absence of perfect, a slower and more guarded approach is ideal.

I appreciate both of you coming out. Do you have any final words for the readers?

I want to thank you for doing this and highlighting the businesses in the area and for both of you for working with the Chamber. I’m especially thankful for the Chamber. The Chamber has been instrumental in helping us get the word out about security, getting to know businesses, and being willing to make introductions and connections. I would encourage all business owners, especially if you had a slow down over the past few years, to get involved with the Chamber and use the resources that they have made available to you to help move your business forward.

One of those resources is your ambassador, which is you as my ambassador, and it is wonderful because you can talk to a specified person and say, “This is what I’m looking to do. This is what I need to do.” They are very helpful. I truly believe in the Chambers supporting the local businesses. I’m happy that you had us here.

You never know when a good connection is going to happen. I appreciate you both being on.

Thank you very much.

 


 

About Jennifer Coleman

Accomplished and proven professional with dynamic experience in establishing business focused strategies to optimize corporate events, communication, graphic design, and digital marketing. Demonstrated excellence in conducting data-driven marketing research on new and emerging trends, and deploy the industrial best practices to achieve bottom-line results. Radical success in pipeline growth, project requirements, budgeting and forecasting, demand generation, and supply chain operations. Seasoned and methodical in building credibility with executive management, key clients, and employees by leveraging excellent communication and interpersonal skills.

 

About Paul Villanueva

Senior IT Consultant and President of Intelligent IT Designs, an Information Technology Services Provider serving and supporting customers and their businesses. I have 20 years of technology experience in IT. Over the years, I have done many things with technology and have had a great deal of exposure. This allows me to bring tremendous value to any business needing IT services.

My business primarily provides IT support to businesses in New York but we also have clients from all over.

Our approach is to align ourselves with our clients strategically with their long and short term goals. We treat the businesses of our clients as if that business belongs to us. We do whatever we can to ensure their success.

We do not advocate for any specific vendor or solution and are always unbiased. Our goal is always the customer. First we develop an understanding of challenges and opportunities, then we design, test, implement and refine to deliver a perfect solution.