Category: Cyber Security

5 Ways to Think Like a Hacker to Protect Your Business
As you’re going about your day-to-day activities online, thinking of how a hacker might take advantage of even mundane aspects of your routine probably doesn’t enter into the equation.

We all sign on to work for the day, check our emails, maybe post an update on social media and chat with our colleagues before getting into the grind of our daily activities. Already when you first log in, you’re potentially being exposed to potential threat activity.

Here are five ways you can “think like a hacker” and protect your business and yourself from falling victim to scams, malware attempts and more:
1. As we mentioned, the first thing almost everyone does is check their emails but how closely are you scrutinizing the items in your inbox? Phishing is still the number one-way attackers gain access to personally identifying information and systems in your business. Here’s some advice on spotting phishing emails and how to avoid falling for them.
2. Sharing on social media? You’re volunteering personal information that anyone can read and take advantage of. It might be nice to post that lunch selfie you took with your colleagues but maybe wait until you’re back at your desk, especially if you’re a business owner as you’re more likely to be targeted by something called spear fishing. By posting that selfie during lunch you’re letting anyone who may be watching know your office computer is unattended.
3. In the same vein, the more details you post online the more information can be gleaned to target you. If you post that your Aunt Kathy Isn’t feeling well Aunt Kathy’s “friend” may send you a message offering sympathy and describing their own woes and tribulations while perhaps trying to gain your trust. However, when you go to confirm with Aunt Kathy later on you find out she’s never heard of this so called “friend”. Social engineering is a large part of long-term scams, always confirm with your friends and relatives directly before giving credence to any messages you receive online.
4. Sending something important? Always encrypt! You cannot account for the security awareness of others; by encrypting important files being sent via email you’re at least protecting your side of equation.
5. Speaking of security awareness, being up to date on the latest threats is exactly what a hacker would do. With security awareness training, you can “think like a hacker” and avoid many of the traps they try and set up to gain access to your business.
Security awareness training is just one of the features we include with all of our service plans. On top of that you will also gain access to:
1. 24/7 Endpoint Detection and Threat Monitoring
2. Automatic Daily Backups
3. Disaster Recovery Planning
4. Consistent Patching & Updates
5. Ticket Response Times in Under 15 Minutes
With a Valley Techlogic plan you don’t need to think like a hacker to protect your business, learn more today with a free consultation.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.
October 25, 2024
How easy is it to hack your car? For one brand it can take just a few minutes
We are all aware of the devices in our home that are vulnerable to attacks, from the usual suspects like our PCs, laptops and phones to the less obvious like our internet capable smart home devices, but now we even have to worry about hackers when it comes to our cars?

In the past, hacking a car required a great deal of skill and time. One recent variation was hackers taking advantage of RFID powered key fobs by intercepting their signal from outside your home. This attack still required the attacker to be quite close to your vehicle and security cameras (or even tinfoil wrapped around the keyfob) would be a deterrent, it also required knowledge in how the signals being broadcasted work and special equipment to intercept those signals.

For Kia car owners, hackers have discovered a vulnerability in Kia’s own web portal that allows them to assume control of the internet connected features on the car, including swapping out the owner’s smart phone for the hackers own on the vehicle.

This vulnerability wasn’t limited to a certain type of Kia but could be applied to any Kia with internet connected features, which in total is millions of cars. While the vulnerability Isn’t allowing the attacker to steal the car (yet) it can give the attacker control of the customers Bluetooth, vehicle cameras, door locks (allowing for theft of items in the car) and more.

For researchers who discovered the vulnerability they also realized it led to a rabbit hole of similar vulnerabilities found on a variety of car maker websites, including Honda, Toyota, Hyundai, Infiniti and more. In a nutshell, the cyber protection available for cars leaves a lot to be desired.

For more information on how these vulnerabilities are being exploited and exactly which car manufacturers are affected, you can read the comprehensive study put out by Sam Curry, an ethical hacker that works towards bringing critical vulnerabilities to light so they can be solved.

So where do we go from here? In general, the more internet features devices like cars or home products have the more vulnerable they are to attacks, and the same protections we apply to our computers, servers and phones need to apply to Internet of Things (IoT) devices as well. Below are three ways you can secure your IoT devices:

While we can’t help you with securing your car, we can help you with securing your business’s technology. At Valley Techlogic, cyber security protections are an included offering in every service plan we provide – including 24/7 monitoring, advanced threat detection, threat remediation and more. Learn more today with a consultation.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.
September 27, 2024
Ransomware attack brings down auto dealers across the country, bringing car sales to a halt
Software creator CDK Global experienced a ransomware attack last week that left auto dealerships that use the software they distribute (Dealer Management System or DMS) unable to process car sales as they normally do.

The DMS software is used by over 15,000 dealerships nationwide and not only helps car dealerships quickly process applications but also provides dealers with the ability to manage customer relationships and service solutions such as maintenance contracts, car rebates and even tracks dealer inventory.

Many dealerships have begun to process car sales manually, but the software also managed appointment requests, for both buying and car maintenance grinding those services to a halt as well. The service has been down since last Wednesday and CDK Global doesn’t expect the service will be back up until June 30^th although they say some services are starting to be brought back online as of writing.

Summer time is typically a popular car buying season especially with Fourth of July sales being a staple of the industry, it’s unknown what effect this attack will have on overall sales for this quarter.

The group behind the outage, BlackSuit, is part of a growing trend of hacks specifically targeting software suppliers and demanding lucrative ransoms to get systems back online. CDK hasn’t thus far paid the ransom and we have no confirmation of what that figure is.

Blacksuit is known for both stealing sensitive data and locking up systems, then demanding a ransom to restore both. They also provider information to smaller hacking groups so they can carry out their own attacks including resources to intimidate victims into paying. It’s estimated they’ve carried out successful attacks on 95 organizations globally although this figure only includes companies who reported the attack. The figure is likely much higher.

In one post on Reddit a user describes a client who was hacked by an affiliate of the group and paid $4000 to recover their data, the reach of not only Blacksuit themselves but by bad actors who utilize their services to conduct their own attacks would be impossible to determine but should make even small business owners wary as we continue to see hackers organize and expand their reach as a group rather than as individuals.

CDK meanwhile has continually moved the goal post on when a resolution will occur, automotive dealerships were originally told systems would be up by June 21^st and now June 30^th but they’ve already stated even by that date systems may not be back up for everyone affected.

“We are still doing the workarounds, using a paper processing system. The problem is we can’t load this data back into the system,” Geoffrey Pohanka, chairman of Pohanka Automotive Group located in Maryland told CBS. “We can account for the work we did in our general ledger from a financial statement standpoint, but it’s very hard to pop all this data back into the system so you can have access to it later.”

Attackers continue to grow more savvy and the effects of an attack like this won’t only incur damages such as downtime or a loss of data or even the financial burden of paying a ransom, they can affect customer perception of your business and cause customers to lose faith in your ability to service them.

At Valley Techlogic, cybersecurity is a keystone offering of our technology support plan. We follow cybersecurity frameworks such as NIST, CIS, HIPAA and CMMC to ensure we’re following nationally recognized standards for cybersecurity protections. If you would like to ensure an attack like this will never happen to your business, or if you’ve already experienced a hack and are looking towards the path to recovery, Valley Techlogic can support your business today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.
June 28, 2024
Six Ways Continuous Monitoring Keeps You a Step Ahead in Your Cyber Security Efforts
In today’s digital age, businesses face an ever-increasing number of cyber threats. As cybercriminals become more sophisticated, the need for robust and proactive security measures has never been greater. One of the most effective strategies for safeguarding business assets and sensitive information is continuous monitoring. Here are six ways continuous monitoring benefits businesses when seeking comprehensive cyber security solutions.
1. Real-Time Threat Detection
Continuous monitoring provides businesses with real-time visibility into their network activities. Traditional security measures, which often rely on periodic scans and updates, can leave gaps in protection. Continuous monitoring, on the other hand, ensures that potential threats are identified and addressed as they occur. This real-time threat detection is crucial in minimizing the window of opportunity for cybercriminals, significantly reducing the risk of data breaches and other security incidents.
1. Proactive Risk Management
By constantly monitoring systems and networks, businesses can proactively manage risks. Continuous monitoring tools can identify vulnerabilities and weaknesses before they are exploited by attackers. This proactive approach allows businesses to implement timely patches, updates, and security measures to fortify their defenses. Instead of reacting to incidents after they happen, businesses can stay ahead of potential threats, creating a more secure and resilient environment.
1. Enhanced Compliance
Regulatory compliance is a critical concern for many industries. Continuous monitoring helps businesses maintain compliance with various standards and regulations, such as GDPR, HIPAA, and PCI DSS. These regulations often require ongoing monitoring and reporting of security measures. By integrating continuous monitoring into their security strategy, businesses can ensure they meet compliance requirements, avoid hefty fines, and protect their reputation.
1. Improved Incident Response
When a security incident occurs, the speed and effectiveness of the response are crucial in mitigating damage. Continuous monitoring equips businesses with the necessary tools and information to respond swiftly to incidents. Detailed logs and real-time alerts provide valuable insights into the nature and scope of the threat, enabling security teams to isolate affected systems, contain the breach, and implement remediation measures. This rapid response capability minimizes downtime, reduces financial losses, and preserves customer trust.
1. Cost Efficiency
While investing in continuous monitoring may seem like a significant expense, it can actually lead to substantial cost savings in the long run. By preventing data breaches and minimizing the impact of security incidents, businesses can avoid the financial consequences of lost data, legal liabilities, and reputational damage. Additionally, continuous monitoring can streamline security operations, reducing the need for manual interventions and allowing IT teams to focus on strategic initiatives rather than constant firefighting.
1. Increased Business Agility
In today’s fast-paced business environment, agility is a key competitive advantage. Continuous monitoring provides businesses with the flexibility to adapt to evolving threats and changing security landscapes. With real-time insights and up-to-date threat intelligence, businesses can make informed decisions and adjust their security strategies as needed. This agility ensures that businesses remain resilient in the face of emerging threats and can quickly pivot to address new challenges.

Continuous monitoring is a vital component of a robust cyber security strategy. By providing real-time threat detection, proactive risk management, enhanced compliance, improved incident response, cost efficiency, and increased business agility, continuous monitoring empowers businesses to safeguard their digital assets and maintain a strong security posture. As cyber threats continue to evolve, businesses that invest in continuous monitoring will be better equipped to protect their operations, data, and reputation.

Embrace continuous monitoring today and take a proactive stance in securing your business against the ever-present cyber threats of tomorrow by partnering with Valley Techlogic. Our plans include cyber security protections like continuous monitoring, advanced threat detection and end point security by default. Learn more today by scheduling a consultation with us today.

This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.
June 6, 2024
Have you heard of zero trust security? Why it should be the standard for small businesses and 3 ways to implement it
Explaining cyber security in 2024 means navigating all sorts of buzz words – cybersecurity awareness, data breach, ransomware and malware, endpoint security, threat detection, two-factor and multi-factor authentication, and yes zero trust just to name a very small portion of them.

We know users feel burnt out on the number of phrases that do represent actual security threats that are thrown at them day to day, as an IT service provider it can be difficult to translate this phrasing into a tangible concern for our clients.

For example, whose data hasn’t been leaked in a data breach in 2024? Our personal data has become a commodity that most of us have accepted may end up on the internet in ways we can’t anticipate or prevent.

But that’s not exactly true, with a zero trust environment you can make your business much more resilient to threats and data breaches and it’s not as difficult as you may think.

What is Zero Trust? Zero Trust abandons the idea that everything connected to your work network is safe and instead treats everything as a potential threat, you might be thinking now, why would I want that? It is a more rigorous approach but extremely beneficial, if every device must be individually verified then none of them can act as a trojan horse to your business.

The key pillars of Zero Trust are:
- Least Privilege: Users get enough access to do their job, no more no less. We can’t tell you how many situations we’ve encountered where everyone’s computer has admin level privileges, and in a data breach situation that would make any one of those devices an extreme threat to your business.
- Continuous Verification: It might be kind of irritating at first to check your two-factor application or your phone for a texted code – but the benefits will come in spades should any of your passwords be leaked (only around 50% of users are aware of good password hygiene).
- Network Segmentation: This one is not too difficult to implement, and your users won’t even notice it, this is just segmenting your network so that say your work computers and other devices are on one network and outside devices (like a visitor’s cellphone) are on something like a guest network. This zero cost fix will mean you have greatly reduced exposure to threats from outside devices.
Within the pillars it’s easy to see the three steps we would recommend someone start with when setting up a zero trust environment, that is reducing users to having only the level of access tey need, enforcing two factor or multi-factor authentication, and setting up at the very least a guest network.

When it comes to implementing cyber security standards, the sky is the limit. All of the settings we recommend above really only cost time, but they will benefit your business greatly in the event any kind of breach occurs.

Limiting the damage that can be done is always the goal when it comes to cyber security, hackers will constantly push at boundaries and find ways to access your systems (yes even if you’re a small business) and with minor improvements you can protect yourself from most major threats.

Cyber security protection is a cornerstone of our service plans, and whether you’re interested in evolving your cyber security standards to include zero trust strategies or in receiving the benefits of a comprehensive cyber security stack without having to assemble it yourself, Valley Techlogic has you covered. Book a meeting with us today to learn more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.
May 17, 2024
Frontier Communications suffered a cyber security breach last week that shut down their systems
Frontier, a leading internet provider that’s coverage area includes millions of customers across the United States, suffered a cyber security breach last week that forced them to shut down some systems to prevent further damage.

“On April 14, 2024, Frontier Communications Parent, Inc. [..] detected that a third party had gained unauthorized access to portions of its information technology environment,” the company revealed in a filing with the U.S. Securities and Exchange Commission on Thursday.

They also stated based on their findings that a third party entity from a cybercrime group was likely responsible for the event and may have gained access to some PII (Personal Identifying Information). They have not yet stated whether the PII data likely belonged to customers, employees or both.

As of writing Frontier has stated that systems are back online, but from the responses to their company Twitter page that doesn’t appear to be the case across the board.

Customers are also stating that when calling for support they’re being directed to an automatic message and cannot reach a live person at this time. In general, Frontier appears to be doing damage control as they struggle to regain control of the systems that were impacted by the cyber attack.

Internet provides are a popular target for cyber crime group, as a disruption that makes national news is highly profitable when it comes to bargaining with the affected entities. To add insult to injury the data they’re able to collect during a successful attack is also often profitable on the dark web after the fact.

Even if your business is not a nationwide internet provider, that doesn’t mean you are safe from attacks such as these. Data leaks following these attacks can occur from successful attacks, including credentials or payment information for business accounts.

Attackers also cast a wide net when conducting attackers such as these, your business may be inadvertently included on an attack intended for another business. You may even be the primary target if they’re looking for businesses of a specific niche or location. It’s foolhardy to ignore the warning signs attacks like this pose. If multi-billion dollar companies are struggling to prevent attacks such as these, what hope does your business have in preventing them?

That’s where Valley Techlogic comes in, we offer cyber security coverage for the following elements all under one monthly plan:

In addition to these cyber security preventions, we also offer ongoing backups, help desk services, preventative maintenance, project management and support and more. Reach out today to learn more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
April 26, 2024
Received a weird text from your boss? You’re not alone, text scams are rising in popularity
You’re sitting at your desk when you receive a text on your phone, it’s allegedly from the CEO of your company. He may say this is his new number (or his personal number) and he’s reaching out to you by name, adding to the legitimacy of the text. If you respond, he’ll say he’s in an important meeting and he needs you to use your company card to buy gift cards as a gift for the attendants of the meeting.

If you do so, and he’ll be keeping in constant communication with you in spite of being in an “Important meeting”, he’ll say he doesn’t need the physical cards just the codes which you can find if you scratch off the back. He may thank you for being a team playing after providing the codes or stop responding altogether because unbeknownst to you, the scam has been successfully completed.

Why gift cards? Gift cards are untraceable and usually not refundable when purchased. The scammer will quickly move the funds off the gift card leaving you with the empty plastic remnants and no recourse. Other variations on this scam may request Cryptocurrency instead (such as a message sent pretending to be one of your friends or a family member) but scammers know this would throw up too many red flags in a workplace setting.

The request even that unusual, if you’re an executive assistant for instance you probably regularly make purchases at the request of your employer. Scammers may target the whole company if they’re unsure who the influencers to the decision maker are or they may target specific individuals.

How are they getting the information to make their requests see more legitimate? They find it in the following ways.
1. Your Company Website: Often times your website will have information about your key players on it, including contact information. While we don’t recommend excluding this information to prevent being a target (as it’s valuable to those you want to legitimately do business with) it’s a good idea to remember that it’s out there when you’re getting strange communications via text or email that may call you out by name.
2. Social Media: This may be your company social media pages or even your personal accounts. We recommend making your personal accounts private and not oversharing on social media in general.
3. Search Engines: Nothing beats a good old fashioned Google search, and the information that’s available about you online may shock you. Phone numbers, relatives names, addresses etc. can all be found online. While there’s no real way to prevent this, you can somewhat keep track of what’s been made available by creating Google Alerts for your name, email address, etc.
While text scams may never rise to the prevalence of BEC (Business Email Compromise) attacks – which are being sent out at the rate of 10 per 1000 inboxes per day – it still showcases the way scammers will strategically target you and your business.

If you are looking to beef up your cyber security protocols in 2024, including providing your employees training to prevent attacks like this one, Valley Techlogic can help.

Security training is included as part of your monthly plan with us, as well as 24/7 monitoring, data recovery and remediation, backup solutions and more. Get started with us today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
March 15, 2024
China sponsored hacking data dump highlights the importance of seeing the bigger picture when it comes to your cyber security protections
It’s not a new concept to many Americans that cyber warfare crosses all borders and boundaries and affects many areas of our day to day, from the increase in attacks at the start of Russia’s war with Ukraine, to concerns related to our voting systems and democracy, to even leaving US citizens nationwide transfixed over the implications of an errant balloon. Overseas sponsored cyber-attacks tend to strike a different chord with us than attacks that originate stateside.

Many of us have heard of applications on our phones being rife with spyware connected to China, conversations about apps such as Temu or TikTok and how to safeguard our information from not only being sold and used in overseas ventures but even whether these apps are a potential threat vector have lead to talks about whether they should be banned outright. Again, the fear surrounding the unknown nature of the threat these apps may or may not pose is often palpable.

Awareness is only one part of the equation when it comes to overseas invasions of a digital nature, agreeing on what to do about it, how to prevent it or whether it can even be prevented in our interconnected world is no small matter and something that is constantly debated at a government level.

We don’t often have the proof needed to back up the claims that are made, however, that these cyber-attacks are occurring. As you would expect the threat actors behind attacks on other countries are experts in their field and covering their tracks can often be a matter of life and death for them.

That’s why the leak that occurred this week of a 600-page document detailing a complex network of for hire hackers used to spy on Chinese citizens and conduct global cyber attacks is so shocking. The document which was posted to GitHub is being analyzed and experts are weighing in on what is nearly a first of its kind look at the inner operations behind global cyber warfare conspiracies that have proliferated news cycles for decades.

This leak occurs during heightening tensions with the US and China and is being dubbed “the tip of the iceberg” by FBI Director Chris Wray who reported in October that Chinese cyber operations are the “biggest hacking program in the world by far, bigger than ever other major nation combined” in an interview with CBS News.

You may be reading this now wondering, what does this have to do with me? Well besides the implications when it comes to our global security, cyber attacks don’t occur in a vacuum.

Hackers are constantly looking for new ways to infiltrate systems and the aftermath is new threats are being released for public consumption. Not every hacker is an expert, and many attacks don’t have financial motivation and are simply orchestrated to disrupt.

We need to come together as a community and make sure we’re doing everything possible to prevent our systems from being infiltrated and our devices from being used in potential attacks.

Even if your business is unlikely to be targeted by an overseas orchestrated attack, that doesn’t mean it cannot be used to assist a specific hacker’s operations and the more ways we shut down cyber attacks as a profitable enterprise the better off we all will be.

If you want to know how you can help or where to start, here are 10 items you can implement in 2024 that will be up your cyber security protections 10-fold.

If you need help with the implementation of cyber security measures in your business, Valley Techlogic is the resource you’ve been looking for. We are experts in the field of cyber security and for helping businesses improve their cyber security protections and comply with government regulations and frameworks. Reach out to us today to learn more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
February 23, 2024
Toothbrush or threat vector? Turns out it was both for 3 million smart toothbrushes utilized in a recent DDoS attack
When it comes to cyber attacks it seems like anything can be utilized (see Amazon Fire Stick on the recent attack on Rockstar Games) but even our toothbrushes?

It’s true, while details are still coming out it’s been reported that 3 million malware infected toothbrushes were used to bring down a Swiss company’s website at the cost of millions of Euros.

No details have emerged yet on either the brand of toothbrush or the specific company that was targeted but we know the toothbrushes were running on Java which is a popular operating system for IoTs (Internet of Things) devices.

It highlights the point that any device connected to the internet can be used for malicious intent. We’ve all probably heard about threat actors utilizing home security cameras or baby monitors to gain unwanted access to our homes or to just be creeps. Or how about the study on smart fridges that found out they were collecting a lot of your data unknowingly.

With so many of us having smart devices scattered throughout our homes it’s long overdue that we think about what security needs to be in place to prevent these devices from being a danger to us or others. That includes both the obvious devices like our computers and the less obvious devices like our internet connected home gadgets.

In a recent study by the SANS Internet Storm Center they tested how long it would take for an unprotected, unpatched PC to become infected with malware when exposed to the internet. Their calculations came back that it would only take 20 minutes on average for that PC to be infected, this is down from 40 minutes back in 2003.

Even if you consider yourself tech savvy and “careful”, attackers are relentless when it comes to looking for the latest exploits and staying ahead of the curve. It’s the unfortunate truth that they can put more time into their nefarious activities than you as a business owner can dedicate to outsmarting them.

For them it’s a numbers game and the more nets they cast and the more avenues they look for to gain access the more likely they are to be successful, and even items such as a toothbrush are not safe.

That is, unless you follow these steps when securing your network and IoT devices.

On top of these simple steps to secure your network and maintain your devices, you can also work with a provider like Valley Techlogic.

We utilize best in class tools that prevent cyber attacks from occurring in the first place. Our partners have the resources to stay on top of and mitigate threats (even zero-day attacks) and with ongoing maintenance included in our service plans we can prevent your devices from becoming a threat vector to you or to another business.

Schedule a meeting with us today to learn more.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
February 9, 2024
CMMC Changes for 2024 Summarized
On December 26^th 2023 the DoD (Department of Defense) dropped a slightly belated Christmas gift on defense contractors and vendors in the form of big changes to the CMMC (Cybersecurity Maturity Model Certification) program.

Whether the timing of the info dump was intentional or not remains a matter of debate but what’s not up for debate is that these changes are now the law of the land when it comes to reaching your CMMC goals (at least until they’re possibly challenged in court but we wouldn’t hold our breath on that). If you have not started working on them yet this is your sign to get started ASAP.

The 234-page document covered a variety of updates to the program, including splitting up tier 2 into self-attestation OR requiring contractors and vendors to obtain a third-party audit, but for those actively working on it we’re happy to say the controls themselves remain unchanged.

The vast majority of contractors (63% as estimated by the DoD) will still fall under CMMC Level 1 but a new change will not allow these contractors to submit a POA&M (Plan of Action and Milestones) to comply with unmet milestones going forward.

For contractors falling under Level 2 and 3 they can still submit a POA&M but while it previously allowed contractors to set their own timing for completing the actions required the new rules state all POA&M must have a plan for completion within 180 days of the initial assessment.

This is a huge change and will make it very difficult for contractors who are trying to rush to get their accreditation to comply with existing contracts. There are also new limitations on POA&Ms and some controls don’t allow them to be completed under a POA&M at all.

DoD contractors and vendors will have to rethink their entire plan for coming into compliance with CMMC this year.

The good news is that if you do meet all of the new hurdles and pass your assessment you will be in the clear for 3 years.

For those in the CMMC level 2 category (an estimated 37% of those affected) whether or not you can still self-attest in SPURs (Supplier Performance Risk System) or will need a third-party assessment is dependent entirely on whether the CUI (Controlled Unclassified Information) found in your contract warrants one or the other as determined by the DoD.

As these rules are still rolling out Level 2 contracts will most likely be required to self-attest to start until the program gains its footing when we’ll start to see more required to take on a third-party assessment. Contractors should be prepared either way as they perform the actions needed to qualify for certification.

There’s good news for Level 3 contractors in that not much has changed for them, and the program overall is still based on guidance from NIST SP 800-172. New language was added that CMMC Level 3 contractors must maintain a perfect Level 2 score in addition to achieving 20 out of 24 points to meet the qualifications for Level 3. Only a small minority of contractors will need to worry about achieving Level 3 and we have no doubt those that qualify know who they are and were already well prepared for this news.

The proposed roll out of these changes and CMMC as a whole is under a phased implementation window that will expand across a three-year period. Beginning with the DoD looking at those soliciting new DoD contracts to have a Level 1 or Level 2 self-attested score all the way up to the inclusion of CMMC in all new and existing contracts by year three.

It should also be noted that those who misrepresent their level of readiness under the CMMC program can face some pretty sharp penalties for doing so.

To add salt to the wounds the DoD have given themselves a grace period up to 2027 to begin rolling out these changes within their own organization – rules for thee but not for me? Perhaps a little bit.

These weren’t the only changes to be announced in December, if you would like to see and read the full 234-page document yourself you can find it here.

Either way the time to get your ducks in a row was several years ago (CMMC 2.0 was released in 2021) but short of inventing a time machine to do so the second best time to start is now.

Valley Techlogic has worked with clients on readiness for a variety of cybersecurity compliance frameworks including but not limited to CMMC, HIPAA, NIST, CIS and more. If you would like to learn more about how we can help you meet your CMMC goals, reach out today.

Looking for more to read? We suggest these other articles from our site.
This article was powered by Valley Techlogic, an IT service provider in Atwater, CA. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on Twitter at https://x.com/valleytechlogic.
February 2, 2024