Six Things to Look for in Modern Remote Management and Monitoring Tools

If you are a managed IT services provider or a company that gets services from one, you are likely very familiar with remote management and monitoring software. RMM has been a mainstay application used by managed IT services providers for years. It provides several important functions that enable the cost-effective and secure delivery of the end-device services by IT service providers. 

The past two years have rapidly changed the breadth and frequency of remote work. Whether this is a permanent change in work habits or not, the remote worker needs to be supported as a standard part of IT service delivery, not as an exception – what people call hybrid work now. 

For modern RMM software to keep up with the changing nature of work and the applications and systems being used, the following items need to be addressed: 

1. Remote Updating Needs Rock Solid Reliability 

All RMM clients have supported remote patching and other software updates for years. Not all of them have supported remote updates effectively. The challenge in this new hybrid work model is that a remote user whose device gets bricked by a poorly executed update is especially adversely affected. The RMM client also needs to not only give users the option when to update, but also needs to warn them if they should be doing an update because maybe they are not plugged in, are in a public hotspot, or are on an unreliable internet connection. This approach will help minimize the times a user goes down and IT needs to scramble to get them running (typically at a high cost!) 

2. Top Rate Remote Policy Enforcement 

Policy enforcement needs to be included in any modern RMM. This is needed for a variety of reasons including 1) compliance to frameworks like HIPAA or NIST CSF; 2) security from a user making poor decisions like plugging in an unknown USB drive, and 3) intellectual property loss from users copying files or deleting files. The policy management importantly needs to be integrated with a centralized policy management system, so the policies that are enforced by the RMM are always in lockstep with the latest corporate policies. 

3. Remote Revocation of Rights is Critical 

Since employees can be anywhere when they leave the company, the traditional process of “hand me your computer” doesn’t work. Typically, laptops are mailed back after an empty box is shipped to the employee, or the system is just kept by the exiting employee. In either case, the user’s rights to access data on the device need to be removed remotely and preferably the data wiped. Not all RMM software does this well or in coordination with other HR and IT offboarding processes. 

4. Remote Control Is No Longer Optional 

To solve some issues remotely, it is often easier for the support engineer to take over control of the user’s system. This has been an optional feature in a lot of RMMs, but modern RMMs need to support this feature and support it well. It needs to work through consumer-grade firewalls and in typical co-working spaces, airports, and coffee shops. 

5. Need to support Macs and PCs 

Mac devices have continued to make inroads in the corporate environment. The new M1 processor Macs have provided a new price-performance benefit that is noticeable to every user/ Additionally, with more employees working from home, there are more employees that are doing work on their personal Mac. To properly support these users, RMM software needs to either support Mac and Windows equally well or managed IT service providers need to use two RMMs – one for Mac and one for Windows.  

6. Location Information Needs to Be Accessible 

Location information is available on most modern laptops. It can be GPS-based or WiFi-based, but it should be made available to the RMM. This is a necessary feature in a hybrid working world for many reasons. Employers need to know where employees are in emergencies, info-security needs to know where the device is for login and data usage rights, and it is helpful when a device has been lost or stolen. Modern RMMs need to tap into that information so that managed IT service providers can use it to track assets, data, and people. 

Montra successfully manages thousands of remote devices across all the hybrid workplaces of our customers. If you would like to learn more about how we can keep your workforce productive and secure, please email us at sales@montra.io. 

12 Cyber Readiness Strategies #1 and #2

Is your business ready to handle a targeted cyber-attack? Maybe you have been attacked and don’t even know it. According to the the 2020 Thales Data Threat Report, 49% of US companies have already experienced a data breach. To help you become more proactive and effective at defending against cyber threats, we are discussing 12 Cyber Readiness Strategies over the next few blogs.

1. Have a Cyber Readiness Plan

It may seem obvious, but to properly address all of the cyber-security threats to your organization, you first need to have a plan – specifically a Cyber Readiness Plan. Your ability to quickly and cost-effectively overcome security threats or breaches determines your business’s success and survival. How you handle and protect your data is central to your business’s security and customers, employees, and partners’ privacy expectations. You need a cyber readiness plan that includes prevention, continuity, and recovery strategies. The Federal Communications Commission provides an excellent planning guide that identifies six critical areas of cybersecurity for companies to address:

1. Privacy and Data Security

2. Scams and Fraud

3. Network Security

4. Email

5. Website Security

6. Mobile Devices

Download the associated cheat sheet as an easy outline to understand each of these areas to help you quickly navigate these best practices and assess your readiness.

2. Establish Strict Policies and Procedures

Cybersecurity policies and procedures help guide secure business operations and are essential for defining the standards of business conduct, system controls, employee awareness, and workplace definitions and expectations. While establishing strict, security-focused protocols is crucial, a system of validation and enforcement is equally important. In fact, all major cybersecurity and privacy frameworks, such as NIST CSF, ISO 27001, HIPAA, and PCI DSS, all require periodic auditing or continuous monitoring to make certain that policies are properly put into operation.

To help you start building your cybersecurity policy and procedure library, we have provided a few policy templates to start. Click to download 12 IT policy templates that are critical to any IT operation.

Cloud Compliance in 2022

This is the second in our series of 2022 trends. Last week we covered employee information management trends for 2022. This week we look at the trends for cloud compliance in 2022. 

Compliance – which in our context is specifically cybersecurity compliance – continues to be the way in which cybersecurity is managed and measured in modern IT. This is especially true is cloud services, where compliance standards have been an enabler to cloud growth. Cyber compliance standards like HIPAA, PCI DSS, NIST, and ISO 27001, help set the standards that businesses can use when evaluating how secure the cloud services are that they are evaluating and purchasing. 

As the nature of cybersecurity attacks change, so too do the standards for cybersecurity compliance. This leads to our big trends in cloud compliance for 2022. 

1. Companies Will More Broadly Apply CMMC to Their Non-Federal Clouds 

We discussed Cybersecurity Maturity Model Certification (CMMC) in a post a couple of weeks ago. This measurement standard from the Federal government will continue to expand into and provide influence over cybersecurity in the private sector. 

CMMC incorporates NIST SP 800-171 standards and provides a convenient five-level maturity measure. This type of measure has been used in IT in the past with the Capability Maturity Model (CMM) which was used by many CIOs in the early 2000s to measure their path toward better IT process and service orientation. 

With the recent announcement of CMMC 2.0, and with the prevalent knowledge of consultants that can lead IT organizations down the path of better cybersecurity, 2022 looks to be the year that CMMC measurement and reporting of the cloud becomes commonplace. 

2. Private-Public Hybrid Cloud Models Will Add Compliance Nuance 

In 2022, more companies will generate more of their data in the public cloud. Many of those companies will have policies to move portions of that data to their private cloud within defined periods of time. Which data is moved and when and where will continue to be a compliance challenge both for security as well as privacy. As compliance rules shift – like frequency of vulnerability scanning – companies that maintain hybrid clouds will need to update their procedures in both private and public contexts as well as the reporting for audits. Enforcement of data-related policies such as right to erase personal data will increase  

 3. Multi-cloud Application Compliance Will Become More Complex to Track  

When companies implement applications in a cloud today, they mostly isolate each application in one cloud – typically called hybrid cloud. Multi-cloud applications span more than one cloud and are increasing in popularity as different cloud vendors develop specialized and unique services. In 2022, more companies than ever will be using multiple clouds for a single application. 

For instance, maybe you develop a customer relationship management application for your sales team. You might store customer phone numbers in one cloud because their database service has privacy protections built-in, but you use a slick emailing app from another cloud that is easy to implement and extend. When emails and first names are temporarily stored in the second cloud, there becomes a second location for personally identifiable information (PII) to reside. Privacy policy understanding and enforcement is needed in both clouds, but without a rather technical review of each component of the application, this can be missed. 

Compliance audits and policy enforcement will need to get increasingly into the “weeds” on each application to understand where the cyber-risks are and how cyber-compliance policies apply. 

4. Compliance Ownership When Using Cloud-native Services Will Shift 

All the major clouds – AWSAzureGCPIBM – have co-management models for cloud compliance, but the policies are mostly utilized for first-gen cloud technologies like virtual machines. The differences in co-management of cloud compliance with cloud-native services have been treated as a special case by cloud providers. In 2022, the prevalent usage of cloud-native services will make it necessary for cloud providers to address the ambiguities of cloud compliance responsibilities that these services create. 

For example, with virtual machine implementations, responsibility for user credentials is clearly on the side of the customer. With cloud-native services, though, user credentials are exposed as they are used to access various services and/or are passed between services. How the user credentials are being handled by the cloud provider becomes important for compliance and security purposes for the cloud customer. 

What do you think about cloud compliance in 2022? What are your big concerns for the upcoming year? Let us know what you think at info@montra.io.

Phishing in the Workplace: 3 Attacks and 3 Ways to Protect Yourself

About the time most people learn how to spell phishing, they realize that it is an email-based social engineering tactic to get access to a user’s account or financial information. It probably won’t come as a surprise that phishing is now fairly common on LinkedIn and Text. 

No matter whether it is email, LinkedIn, or text, the tactics the scammers use are consistent. Here are three of the most common tactics being used by scammers today: 

1. Fake Messages from the “Boss” 

This is a particularly insidious and effective tactic. A message is sent via email/text/LinkedIn to the user with an urgent request to contact them from the CEO, CFO, or other high-ranking employees at the company. The scammer typically uses more targeted language in the messages that applies to the business to make the attack more effective. This is typically called a spear-phishing attack because of its more targeted nature.

2. Fake Tech Support Messages  

Some phishers try to mimic the IT support staff rather than an executive to get people to engage. The focus of this type of attack is to get the target to give up their credentials to important company accounts. The attacks usually start with something like “Important Alert: Your Account Has Been Hacked”. The user will then be instructed to click on a link to reset their password and/or give up other important information. The links will always go to fake sites that will not match the company name or name of the software that has been supposed hacked. 

3. Fake Contact Requests 

This is used most often on social platforms like LinkedIn, but it is seen on email and text also. When a fake LinkedIn request comes via email, the link embedded in the email will go to a nefarious site that can load malware or ask for login information. We are often excited to receive a request that might lead to new business, so these attacks are particularly effective on sales and finance staff. 

These are just a few examples, and it is important to know that the types of phishing attacks and the format by which employees are targeted in the workplace continue to expand. Regardless, there are some basic tactics that apply across email, text or LinkedIn. Here are three ways to keep yourself from getting “social engineered” by one of these attacks:

1. Look at the Sender Information 

Whether in email, text, or LinkedIn, the sender’s information will look wrong. Most sending info will have the right name with the incorrect email like: 

Boss Lady <badactor234@gmail.com> 

In the case of LinkedIn, you need to look at their profile picture, name, and work history. The picture will typically be pulled from publicly available photos and the work history will be very limited. 

2. Look for Poor Grammar and Terminology 

While the sophistication of attacks continues to improve, it is difficult to completely mimic a message from a boss, customer, or colleague. If the fake sender is using the term “customer” when you know the real sender always says “client”, you should be concerned. 

“Hey, send me your phone number. I have some important work for you” 

Also, if they send an email to ask for your phone number, you need to think whether that fits with how they would really interact with you. Once they ask for your phone number, and they text you rather than call you then it is 100% a scam. 

 3. Reach out Separately or Just Don’t Respond 

In most workplace phishing attacks, you have alternate ways to communicate with the supposed sender. If you are concerned, reach out to them by a different method – phone call or Slack – and see if that is really them. If you do not have another way to verify the information, and you are not certain if it is legitimate then ‘do nothing’ is not a bad option.

“John, I just received a strange email message that is supposedly from you. Did you just send me something?” 

If the scammer is trying to create a false sense of urgency for the boss or a customer, this is difficult to do. Just remember, though, if it is really an emergency – even in today’s world – they will call you. If it is a social network connection request, just login to the service separately and view the request there rather than clicking the email link. 

There is a lot more your company can do to help including using email filters and text blockers on company accounts and providing cybersecurity training on an annual basis. In fact, for many companies, these actions are required for them to follow industry cybersecurity regulations. If you aren’t certain what tools are available to you, reach out to your company’s IT staff or service provider. They will be happy to help you stay safe!  

CMMC and Cloud Compliance for Mid-Market Companies

The Cybersecurity Maturity Model Certification (CMMC) is a new and still developing standard for measuring a company’s cybersecurity effectiveness. It has been developed by the Department of Defense to measure and rate the cybersecurity practices of the Defense Industrial Base (DIB) who are supplying services to the DoD. 

While the CMMC only applies to DoD contractors, it is based on NIST CSF and NIST SP 800-171. These NIST frameworks are used across all industries to help companies gauge their cybersecurity effectiveness. CMMC combines NIST and other standards into a unified standard for cybersecurity, which can be applied to any company that wants to method for achieving higher levels of cybersecurity over time. 

CMMC is simply divided into five levels to allow organizations to put measures in place to reach the minimum cybersecurity necessary to protect customer data. The addition of a third-party audit organization (3PAO) certification provides proof that any organization working to achieve a certain CMMC level has the proper security measures in place.  

The five maturity levels range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Each maturity level includes progressively more demanding process and practice requirements to achieve the certification level. 

Click To Download

Most mid-market and SMB companies will never need to go beyond Level 3 in the CMMC model unless they are doing work for the Federal government or another customer that maintains highly sensitive data and processes.  

In addition to the level, there are 171 practices and 5 processes across the five levels of CMMC maturity. These practices and processes are organized into 17 capability domains to make them more manageable. 

Looking at the number of practices and the capability domains can seem daunting. Since the CMMC and NIST are highly related, you can organize the CMMC Capability into the NIST Core Functions and then think about how you manage your cloud compliance to the CMMC levels by the functions. 

CMMC and the Cloud 

Since most mid-market companies are moving or have moved all their IT operations to the cloud, it is helpful to think of the CMMC in that context. If you move all your IT operations to the cloud, do you even need to worry about cybersecurity maturity? The answer is “yes”, but the good news is that the cloud and SaaS providers with whom you work will take on much of the cybersecurity burden and make achieving higher levels of CMMC easier. 

Looking at the following table, you can see that moving to the cloud allows a company to “outsource” much of its burden of CMMC requirements to the cloud provider. It is important as you look at a cloud or SaaS provider to know whether they are CMMC compliant themselves. You can use this as a framework to analyze whether they are following the necessary steps to be a partner in your CMMC success. 

CMMC compliance of cloud operations is very achievable for mid-market companies. The key to success is breaking the compliance process into smaller pieces and setting goals for achieving each level. Working with a company that can help you manage the project and work through implementing the needed security standards can make the process much easier and the likelihood of the success of the program much higher.