We have received numerous inquiries from potential customers regarding our pricing structure. Specifically, they want to know if we offer monthly contracts or if we charge an hourly rate. The answer is Yes.
Hourly Rate
For customers who require a one-time fix or need a project completed, we offer a service based on an hourly rate. Our rate for remote or on-site work that is not covered under a contract is $150 per hour. We bill in 15-minute increments and take pride in our efficiency. For clients with more than 2 service requests per month, we highly recommend signing up for a contract to save money and benefit from our expert oversight.
Monthly Contracts
There are three types of monthly contracts:
Remote Maintenance Contract
This is the package that most of our clients choose. It includes automated maintenance, cyber security protections, and unlimited remote support. Since most problems and questions can be handled remotely, this package offers real value.
Full Service Maintenance Contract
This package is for clients who want complete peace of mind. It includes all services, whether remote or at their offices. Additionally, it provides some additional benefits, such as top priority in our support queue.
Co-Managed IT Contract
This special package is designed for companies that already have a full-time IT employee or IT service companies in need of extra help. It provides them with the necessary automations and tools to make their jobs easier, allowing them to focus on what matters. This package also includes a discount on our remote and on-site services.
All contracts are based on a per-device model, taking into account the number of workstations, printers, servers, switches, etc. on the client’s network. We use this model because the other popular model, per user, is too vague and can easily hide excessive profit margins. Contracts can be month-to-month or a yearly commitment. The difference is that with a yearly commitment, you are protected from price increases for the entire year. We also offer many optional add-ons for our clients, such as Office 365, Employee Security Training, Penetration/Vulnerability Scanning, Mobile Device Management, Compliance, Secure Remote Access, and Security Operations Center.
Are you looking for reliable IT support that suits your business’s unique requirements? Look no further! Our flexible pricing options cater to businesses of all sizes. Whether you require one-time assistance or ongoing support, we have the right plan for you. Ready to take your business IT support to the next level? Contact us today to discuss your needs and find the perfect plan for your business.
Compliance is and always has been a complicated matter. Here are the quotes from the three types of compliance – CMMC, HIPAA, and PCI:
“CMMC – Risk AssessmentL2-3.11.2 – VULNERABILITY SCAN: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.”
“HIPAA – § 164.308 Administrative safeguards. (a)(1)(ii)(A) –Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
“PCI – 11.3: External and internal vulnerabilities are regularly identified, prioritized, and addressed”
To summarize what this all mean – compliance requires penetration testing and vulnerability scanning. Networks have to be tested regularly to make sure that there has been nothing missed which would allow a hacker to breach the network and steal the treasure of information. Our recommendation is to scan at least quarterly, if not monthly, to find these vulnerabilities and address them before the hackers find them.
If your company has compliance requirements that you need consulting for, then contact us for assistance.
Today we tell the story of a medical office’s journey to the cloud. This particular client was facing their server operating system reaching end of support (a HIPAA violation) in the near future. They had begun by looking at their electronic medical records software company’s online offering, which didn’t have all the functionality of their on-premises software and was very expensive (this is typical).
They next decided to look into moving their current on-premises software into the cloud and we were asked to help with the testing. We determined that it would be best to move the file portion of the server to SharePoint / OneDrive to increase their mobility and flexibility. We also determined that it would be best to move them away from on premises Active Directory into Azure Active Directory / Intune to allow authentication and security policies. Finally we began testing the on-premises software hosted on a server in Azure with a VPN connection to their office.
The SharePoint / OneDrive and Azure Active Directory portions went through with little issues. The server, however, was not as we had hoped. The Azure VPN connection was expensive due to it always being on and no way of turning it off outside of business hours. The performance of the SQL database that the on-premises software used was basically unusable. The other option would be to create virtual desktops on Azure for this purpose but the cost and functionality was not what the customer was hoping for.
This has lead them back to searching for an online EMR software that will meet all their requirements. This will be tough because most companies are good at some things, but not all things and compromises usually have to be made. Our hope is that this story is a lesson to other companies. The cloud may sound like the newest and best way to work, but the costs and functionality are often worse than expected.
If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.
This is the tenth and finale in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on Cyber Security Audit.
Cyber Security Audit
Cyber Security Audit is a process where both internal and external systems are tested for their ability and susceptibility to being successfully attacked by hackers. This usually involves an inventory of current systems, research into known vulnerabilities, and testing of those found to see what information can be accessed. Once this process is complete a report is generated to detail both what is found and how those vulnerabilities can be addressed to protect the business’ most valuable commodity – information (intellectual property and client data). Here are some questions to ask:
Do you have an inventory of all assets in your organization? Is it up to date?
Have you tested your internal network for vulnerabilities?
Have you had a penetration test performed on your external network?
Do you know what compliance standards apply?
How do you document policies and procedures? Who oversees that?
If your company is wanting to have a free cyber security audit, then contact us for assistance.
This is the seventh in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on software patching.
Software Patching
Software patching is a neccesity because no person who writes code is perfect and hackers are actively looking for these mistakes. The hackers find the mistakes and then develop ways of using these to exploit the software, computer, or whatever else they can gain access to. The only way to combat both the mistakes and the exploits is to discover them before the hackers do and patch the hole in the software. This patch can however lead to unforseen consequences to the software, so a plan for testing and deployment of patches is needed to avoid unexpected downtime to businesses.Here are some questions to ask:
Do you know all of the hardware and software on your network?
Do you check for hardware, operating system, and other software regularly?
How do you check for updates, patches, or upgrades to software?
How do you install these patches? Is it automated?
Are these patches tested before installation?
What happens if a patch causes problems?
Do you have a log of all installed updates?
Are any systems or software on your network no longer supported for updates?
If your company is going to use full disk encryption or has compliance requirements that you need consulting for, then contact us for assistance.
There has been a recent trend for companies to “negotiate” with the criminal terrorists behind wave of ransomware attacks across the world by paying the ransom. In a recent study some alarming statistics have been released:
Current Ransomware Stats
If Ransom is Paid: The global findings also show that only 8% of organizations manage to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.
Cost of Ransom: The average ransom paid was $170,404. While $3.2 million was the highest payment out of those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.
Who is Paying the Ransom: The number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021.
The Brighter Side: While the number of organizations that experienced a ransomware attack fell from 51% of respondents surveyed in 2020 to 37% in 2021, and fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020).
What is Being Done
There are now organizations trying to create a common framework to address this threat. The Institute for Security and Technology has created a Ransomware Task Force. This task force has been working to develop this framework and has published some guidance. Even though this is just the foundation work, it is good to see that efforts are being made.
If your company is worried about the threat of ransomware, then contact us for assistance setting up a multiple layer approach to security.
On January 5, 2021, President Trump signed into law legislation approved by the House Energy and Commerce Committee known as HR 7898. HR 7898, now law, requires the Department of Health and Human Services (HHS) to “incentivize” a covered entity’s or business associate’s cybersecurity best practices.
How We Get Chewed
Now when a business is under a HIPAA audit the HSS will be looking at whether the company has been following cybersecurity best practices for not less than the past 12 months. Here are what HR7899 classifies as best practices:
Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).
Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA.
If these measures were in place, HHS can lower the amount of a fine and decrease the length and extent of an audit – aka if you are not doing these things your fine will be larger and your audit will be more intense for longer period of time.
If you do not already have a designated HIPAA compliance officer and ALL the proper documentation in place, then contact us for assistance.
This blog post is more about the use of retail routers at the office than at home, just to make that clear from the beginning. We would also recommend non-retail routers at home, but that is not feasible for everyone.
What is a retail router?
This is a phrase I am coining to describe any router that is generally available from your local retailers like Staples, Walmart, etc or delivered as part of the internet service from your local provider. They include brand names like ASUS, D-Link, Linksys, and Netgear. They range in price from $30 for the extreme low end to $450 for a gaming router. These routers are built for home and small office networks that have very few users or devices connected at any given time. They may include some features that sound “business-like” such as Virtual Private Network (VPN), Stateful Packet Inspection (SPI), VLAN, and Quality of Service (QoS) – remember though that these are also only able to support a minimum number of users and devices connected at any given time. If you try to use a retail router to run your business network then you will find that performance will be severely degraded and these features will not work as advertised.
There is also the issue of security. These routers are rarely if ever updated even when new vulnerabilities are found. This makes them ineligible for PCI or HIPAA compliance situations.
Is there a non-retail router?
So what to do about this situation? Time to call your trusted IT services provider who will be able to get you a non-retail router, but that begs the question – what is a non-retail router?
These routers are built by network professionals who design the hardware to perform under the pressures of the office environment and to handle the work from home remote workload. These routers include brands like Cisco, Juniper, Ubiquiti, and Araknis. They range in price from $150 for an office of up to 5 people to $10,000 for a high traffic company with hundreds of users. These routers handle VPN, SPI, VLAN, QoS, and many other services all at once with ease. Security is baked into these routers with the best ones having the ability to be managed from the cloud. They provide consistent access to all connected users and devices at all times. Your trusted IT services provider will work with you to “right size” the router to your business needs.
If your company is going to have full time work from home employees and is concerned about their ability to perform, then contact us for assistance.
On June 1st, the Department of Justice (DoJ) release further guidance about compliance programs which could effect the way PCI and HIPAA compliance breaches are handled in court.
They state that compliance programs aren’t merely one-and-done snapshots in time, but are instead dynamic programs that get updated regularly to fit changing circumstances.
An article about it states, “the latest guidance issued by DOJ is premised almost entirely on the adequacy of the organization’s risk assessment efforts, an approach well-known and particularly applicable to cybersecurity professionals. Prosecutors are urged to evaluate the quality and effectiveness of an organization’s risk assessment program by examining:
The risk management process, particularly the methodology used to identify, analyze and address the risks an organization faces
Risk-tailored resource allocation, namely whether the organization devotes enough resources to managing risks
Updates and revisions, specifically whether the risk assessment is subject to periodic dynamic reviews
Lessons learned, determining whether the company has a process for tracking and coordinating changes in its risk management program based on its experience
The DOJ also stressed the importance of risk-based training and communications about misconduct as essential parts of how it determines whether the organization’s compliance programs are up to snuff. Finally, the guidance highlights the importance of management support of the organization’s compliance initiatives and the value of extending compliance due diligence to third-party providers.”
If your company is unsure about their compliance program or risk assessment process, then contact us for assistance.
Many industries we serve are under some sort of compliance requirements – HIPAA, PCI, GDPR, etc. and several of these require some sort of vulnerability scans or penetration testing:
HIPAA Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
PCI DSS Requirement 11.3:
The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire CDE perimeter and any critical systems that may impact the security of the CDE as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).
GDPR Article 32 states:
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Farmhouse Networking has begun offering both internal and external network vulnerability scans and penetration testing for clients who fall under compliance requirements. We also provide remediation planning and implementation for any issues found during the scans.
If your company is has compliance requirements for internal or external vulnerability scans or penetration testing, then contact us for assistance.
And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.OkNoPrivacy policy