Posts

IT Security for Small Businesses

Security, Privacy, & ComplianceStreamlining IT Security for SMBs

Streamlining IT security is a more balanced message about why and how to protect your business. Over the past year, we have covered the on-going, and increasing, threats to small businesses.  We often highlight the scope and severity of the risk, including how security trends will affect small business.  Hopefully this information, along with cost-effective solutions, prompts you to act. At times, we may appear to be fear-mongering.

Sound business practices, not fear, should be your motivation to protect against cyber attacks.

The market is awash with cyber security solutions. These range from single-protection products to complex advanced security monitoring and response services.  The number of options, and competing claims, is overwhelming.

Our Recommendations on IT Security for Small Businesses

Focus protections on the most common, and most damaging, types of attacks.

1. Focus on Risks

We know that:

  • More than 80% of cyber attacks start with, or involve email via phishing and other social engineering tactics
  • Ransomware is the most common type of attack
  • Business email compromise (BEC) is the most costly type of attack
  • Attacks via DNS and web content are becoming more of a risk

As such, small and midsize businesses should focus on preventing these types of attacks. Plan to limit your security approach and spending to prevention and recovery from these risks.

2. Use our CPR model as a guide

Communication and Education

Make sure your team knows how to spot an attack and what to do if they suspect an attack.  They should know the risks and steps you are taking to protect your business.

Periodically sharing articles or updates may be sufficient to strengthen your business.  Subscribing to a security awareness training service is an affordable way to provide this education. Your cyber insurance policy may require this service.

Protect and Prevent

To protect your business from the greatest risks, put the following solutions in place:

  • Multi-Factor Authentication (MFA)
  • Encrypt data at rest, including on servers, desktops, and laptops
  • Use advanced threat protection (ATP) on all email accounts for inbound messages
  • Ensure your endpoint protection (local anti-virus) is a next-gen solution
  • Use DNS/Web protection to prevent harmful downloads

Specific to business email compromise attacks and ensuring your legitimate emails are not flagged as dangerous, ensure your domain configuration include the following protocols and services:

  • An accurate and complete Sender Policy Framework (SPF) record
  • DomainKey Identified Mail (DKIM) for all sources of email (including marketing tools)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Respond and Recover

Even with protections in place, cyber attacks can be successful.  Ensure that you can return to operations quickly, even as a full recovery may take time. Your ability to recover and respond should include:

  • Backup/Recover data stored in the cloud (Microsoft 365, Google Workspace, etc.), as well as on local servers, desktops, and laptops
  • Continuity services so you can run images of key servers, desktops, and laptops if they are damaged by an attack

Note that continuity services also protects you from the impact of hardware issues, theft, and other losses.

Start with an Assessment to See Where Your Small Business Stands with IT Security

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

To learn more, please join us on May 17th at 3:00 PM ET for Streamlining Security, our May 3T@3 Webcast or schedule a no-obligation call with one of our cloud advisors.


Business Email Compromise – The Costliest Type of Cybercrime

Email, Communications, & MobilityBusiness Email Compromise

While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC“) attacks are the costliest type of cybercrime.

What is a Business Email Compromise (BEC)?

In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.

As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.

Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you.  Here is how they do it:

  • Given that you use your email address to log into many systems, a third party breach can provide attackers with your email address and enough information to calculate your password.
  • Third party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
  • Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
  • Malware, known as an Advanced Persistent Threat (APT), that makes it past your endpoint protections can gather usernames, passwords, and other information while running undetected on your computer.

How to Prevent Business Email Compromise

Protect Your Identity

To keep your email account secure, you need to protect your identity.

  • Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
  • Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms malware.  These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.

Secure Your Email Service, and All of Your Services

Even as you protect your identity, you still need to secure your email service through proper data protection and security services.

  • Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and test links and attachments in a “sandbox”, allowing safe messages to arrive in your inbox.
  • Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
  • Ensure that all of your information is encrypted at-rest and in-motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services.  Encrypt files on your local disk, on any file servers, and in the cloud.

Prevent Email and Domain Impersonation

As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.

  • Sender Policy Framework (SPF): Authenticates addresses you use to send email.
  • DomainKeys Identified Email (DKIM): Digitally signs messages to ensure emails are not altered en-route.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.

These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

 

Dark Web Security Risks and Dangers

Dark Web Risks: Threats to Be Aware of, and How to Protect Yourself and Your Business

We offer a monitoring service for dark web risks.  In August, we received alerts for more than 40% of the companies we monitor about dark web risks and danger.

Threats from information mining and third party breaches continue to pose a risk.  The level of risk varies based on the source, scope, and nature of the breach. Learn about the dark web threats to be aware of, and learn what strategies you can implement to protect yourself, as well as your business.

Direct and Indirect Security Threats from the Dark Web

Third party breaches from the dark web pose direct and indirect security threats. A direct threat, as the name implies, represented a compromised identity with direct access to your system.  Indirect threats are breaches with information that enables more advanced attacks against your systems and user identities.

Direct threats, while less common, represent a breach of usernames and passwords for your system.  The source of direct threats may not be your systems. Hackers with access to valid email addresses and similar passwords will try permutations and patterns to gain access.  While they may then use the compromised credentials themselves, they may also put them up for sale or lease on the Dark Web.

Indirect Threats take many forms, and are a big risk on the dark web.  Identities with similar passwords are sold to hackers that will use them to gain access.  Personal identifying information is valuable to hackers looking to create effective spoofing and phishing attacks.  Repetitive breaches identify targets more easily compromised and/or more likely to respond to a phishing attack with personal information.

Dark Web Dangers and Threat Sources

Sources for Dark Web security threats vary.  Most common is a third party breach, for example the LinkedIn breach in 2018.  Given that many people use their work email address as an identity for LinkedIn, along with identical or similar passwords, the breach gave hackers a means to test access to core businesses services.  Simple testing of leaked passwords, permutations, and common patterns provides access to core businesses systems, including accounts on Microsoft, Google cloud, Salesforce, and others.

Growing in frequency, hackers grab personally identifying information matched to known email addresses.  While first and last names may not appear to create much risk, cyber criminals can use PII to create sophisticated spoofing and phishing attacks.  Your zip code, home address, job title, role in your company, and who you work with and for can all be used to create more effective attacks.  When matched to data from social media accounts — where you shop, foods you like, answers to “survey” questions that mirror security prompts — criminals can refine their attacks and sell your data for more on the dark web. This is why data protection services are highly recommended in todays environment.

Protecting Yourself and Your Business from the Dark Web

More than 70% of people use the same or similar passwords across systems, which is a huge dark web danger. When employees use work email addresses for other services, the nature of their passwords creates risks when any of these third party systems experiences a breach. Compromised third-party passwords reduce the effort required for cyber criminals to compromise other accounts. LinkedIn, Egnyte, Dropbox and other reputable services have all experienced breaches over the past few years.

An additional risk from third-party systems is the risk of personally identifying information, or PII.  With a valid email address and leaked or breach PII, cyber attackers have access to information that allows them to personalize phishing emails and other attacks.

Monitoring the Dark Web for these third party breaches, and responding appropriately, helps protect your employees and your business.

 

Remote Workforce Security: Tips, Challenges & Lessons Learned

As part of its Global Year in Breach – 2021 report, security firm ID Agent found that remote workforce security is more difficult than generally thought. With many of the changes in how we work expected to continue, as business leaders we need to embrace hybrid work as the way of the future.

What Exactly is Remote Work Security?

Remote workforce security is a subset of IT cybersecurity that focuses on protecting corporate data and other assets when employees work outside of a physical office. Implementing strong security protocols and technologies for remote access, educating employees on how to identify security risks and stay safe, and strengthening your overall business data protection and security are some of the best ways to secure your remote workforce.

What to Know When Developing Security Procedures for a Remote Workforce

Pandemic Triggers Panic

2020 and the onset of the global COVID-19 pandemic presented new challenges. The biggest challenge was cybercrime. The mix of understaffed IT departments, maintenance failures, unpreparedness, record-breaking cybercrime, and employee stress taxed IT teams and services. Cybercriminals took advantage of this golden opportunity, and businesses were hit hard.

Businesses needed to rapidly shift to remote operations. For those with older technology, this shift was especially difficult. Everybody became a remote worker. IT teams needed to become instant experts in remote workforce security, including knowing the four pillars of cloud security. For too many businesses, it was a mad scramble to to get their teams remotely or face shutting down entirely. Many employees lacked training in remote work; many IT teams had never managed remote security at scale. A barrage of unintentional, insider threats assaulted IT teams daily.

Stress Creates Vulnerabilities

Why was the massive shift to Work from Home such a boon to cybercrime?

IT departments were unprepared and understaffed.  Only 39% of IT executives polled felt they have adequate IT expertise on staff to assist with remote work issues. Only 45% of organizations reported having and adequate budget to support remote work.

At the same time, employees were dealing with unexpected stress at home and more likely to make cybersecurity mistakes. Over 50% of respondents admitted they were more error-prone while stressed. 40% said they made more mistakes when tired or distracted. Altogether, 43% of workers surveyed acknowledged mistakes resulting in cybersecurity repercussions for themselves or their company while working remotely.

Cybercrime Complications

Chaos and confusion created opportunities for cybercriminals. Experts estimate that overall cybercrime was up by 80% in 2020. Much of that increase was from phishing attacks. Cybercriminals took advantage distracted, stressed workers, with limited IT support, and immense numbers of email. In 2020, phishing attacks skyrocketed by more than 650%. Attacks hit 75% of companies and accounted for almost 80% of all cybercrime.

Successful ransomware also jumped more than 145%. In 2020, 51% of all businesses and 40% of small and midsize businesses experienced a ransomware attack. 50% of attacks on SMBs used vicious double extortion ransomware. Ransomware will continue to top the list of cybercrime trends in 2021.

FAQs About Remote Workforce Security

Next Steps for How to Secure Your Remote Workforce

Stopping ransomware and decreasing your company’s risk of a successful cyberattack against remote and hybrid workers starts with stopping phishing and its destructive effects. We have tools that help your IT team support and protect your people and your business, while also protecting your budget.

To learn more about you cyber risks, and solutions to fit your needs and budget, contact us and schedule a complimentary Cloud Advisor Session.

 

Phishing Attacks Spike Amid COVID-19 Crisis

Cyber AttackIt should be no surprise to you that we are seeing a surge in phishing and other cyber attacks, as criminals look to take advantage of the COVID-19 crisis. A sample of recent news reports illustrates the scope of the problem.

  • In April, the FBI issued a warning about COVID-19 stimulus package scams (CNET).
  • In mid-April, Google reported the daily volume of malware and phishing attack emails jumped to more than 18 million per day (The Verge).
  • Last week, TechRepublic reported a surge in phishing emails trying to exploit DocuSign and COVID-19.
  • Hackers are impersonating Zoom, Microsoft Teams, and Google Meet for phishing scams (The Verge 5/12/20).

Understand the Risk

The risk to your business, employees, and customers is greater at time when your systems may be less secure.

If your employees are using home computers while following stay-at-home orders and guidance, your risk of falling victim to an attack is significantly greater.  Most home computers do not have commercial-grade, next-generation endpoint protections and many run outdated versions of the consumer-grade products installed.

CPR is Still the Best Practice

Our model remains the best, holistic method of avoiding attacks at the human and tech levels, and for responding should something slip through.

Communicate & Educate

  • Remind your employees to be on the look out for suspicious emails, phone calls, web links.
  • Encourage your team to get help and verification if a message or interaction appears or feels suspicious in any way (better safe than sorry).
  • Consider testing employees with simulated attack messages and identify those that may need additional training and guidance.

Prevent & Protect

  • Deploy multi-factor authentication (MFA) and, optionally, single sign-on (SSO) services to prevent the use of compromised accounts.
  • Install Advanced Threat Protection solutions for inbound and outbound email to catch phishing, ransomware, and other illegitimate message.
  • Deploy “next generation” endpoint protection on computers and mobile devices to detect, prevent, and undo damage from dangerous files and applications.
  • Put Web and DNS protection services in place to prevent downloading attacks from hacked websites and identity impersonation.
  • Monitor the “dark web” for direct and third party breaches that may compromise your employees’ business accounts.
  • Take advantage of data loss prevention features built into G Suite and Microsoft 365, and consider tools to identify and prevent unauthorized access, permission errors, and data loss.
  • Eliminate the use of “shadow IT” services, particularly free or consumer-grade services by providing those capabilities to employees and making sure they know how to use them.

Restore & Recover

  • Ensure that you back up and can recover your data, regardless of location.  Your data is not just on your physical or virtual servers, it resides in your Microsoft 365 or G Suite environment, in SaaS applications like Salesforce, on desktops and laptops, and on mobile devices.
  • Put business continuity systems in place with affordable services that let you spin up and run images of your servers and workstations in a cloud data center while you recover your primary systems.
  • Have a breach response plan and service in place as an increasing number of attacks are stealing information, as effective data breach response involves:
    • Forensic analysis and recovery
    • Legal compliance with reporting requirements
    • Legal strategies to minimize liability
    • Increased customer service demand
    • Communications with customers, stakeholders, and the media
    • A potential need to provide consumer protection services
    • Cyber Insurance claims management

Fortunately for most businesses, putting these protections in place is affordable and can be done with minimal impact on your employees and their productivity.  Understand your needs, assess the value proposition (include the risks and costs of doing nothing), and deploy a solution that is the best fit for your business.


Please contact us for assistance as you evaluate your risks, needs, priorities, and solutions.


 

Customer Notice Update: Email Advanced Threat Protection

Data ProtectionGiven the demand and need to improve your protection from the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks we are extending the Advanced Threat Protection Priority Opt-in discount period through March, 2020. We understand that adding a service, even a critical service, impacts your budget and costs. Our Priority Opt-In discounts, and other measures (see below), intend to minimize the impact.

Email Advanced Threat Protection (ATP) and Multi-factor authentication (MFA) are necessary, baseline services for protecting your business

Beginning April 1, 2020, we require Advanced Threat Protection for all of our customers’ email service, unless you specifically opt out. Opting out is appropriate if you already have an advanced threat protection service in place.

If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.
  • We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Customer Notice: Email Advanced Threat Protection

Data Protection

(Updated January 20, 2020)

We continue to witness the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks on our customers.  The recovery cost and frequency of attacks are increasing at alarming rates. The average cost for a small or midsize business (SMB) to fully recovery from a cyber attack has increased to between $145,000 and $180,000. This includes loss of direct business, remediation costs, damage to reputation, and employee downtime.  At the same time, the number of ransomware attacks so far in 2019 has doubled when compared with the same period in 2018.

As a managed cloud service provider, you have heard from us that you “should” have more protections in place. Our position is changing: these protections are a “must”.

Multi-factor authentication (MFA) and email Advanced Threat Protection (ATP) are necessary, baseline services for protecting your business. 

Beginning April 1, 2020, we will require and will begin adding Advanced Threat Protection to all of our customers’ email service unless you specifically opt out. If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.  We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Cyber Protection: Time for New Best Practices to Safeguard Your Business in the Digital Age

Cyber ProtectionAccording to a recent survey* of IT service providers, ransomware attack downtime costs 23 times more than requested ransom. The average ransom for small and midsize businesses (SMBs) victims jumped 37% to $5,900 from 2018 to 2019.  And lastly, the average cost of ransomware downtime jumped from $46,800 to $141,000, an increase of more than 200%. This underscored the importance of having cyber protection protocols in place in an increasingly digital age.

To add to your cyber security concerns, SMBs fall victim to cyber crime and ransomware attacks even when they have traditional antivirus, email/spam, ad/pop-up blockers, and endpoint protection in place.  67% of IT service providers report their SMB customers fall victim to phishing emails; 30% report that most customers still rely on weak passwords and access management.

The Need for a New Approach to Cyber Protection

Traditional cyber security solutions are no match for many cyber attackers. We need a new modernized approach to ransomware, with business continuity at the core.

Using business continuity as a guiding principle drives new best practices for preventing and responding to cyber security attacks. With a business continuity mindset, you focus on what is needed to keep the business running, and how quickly you can “return to operations”.  When we discuss business continuity, we understand that we need to take steps to prevent disruption, mitigate the scope of potential disruptions, respond effectively when disruptions happen, and have the systems and processes in place to recover quickly.

For over a year, we have promoted and refined our CPR model to help ensure appropriate data protection and security.

Implementing The Following CPR Model Can Help Combat Cyber Threats

Communicate and Educate: Involve everybody in the solution by educating your team on the risks, how to spot and report fraudulent content, and how their behavior can prevent or help an attack.

Protect and Prevent: Implement multi-layer, multi-vector protections that focuses on your people (identities), data, applications, and systems. Our data, our businesses, no longer sit comfortably hidden in a computer room behind a firewall.

Respond and Recover: No defense is perfect. Have services in solutions in place that let you recover and return to operations within a time frame that protects the health of your business. More than getting data and systems back on line, put in place the forensics, legal, public relations, and customer service resources you will likely need in a cyber attack emergency.

Here are 10 Actions you can initiate today to improve your cyber protection:

  1. Ensure your computing environment is protected across multiple attack vectors: Identity, Endpoints, User Data, Cloud Apps, and Infrastructure.
  2. Deploy multi-factor authentication, advanced threat protection, next-gen endpoint protection, and DNS/web protection across your ecosystem for a comprehensive baseline or protection.
  3. Encrypt your data at rest and in transit.
  4. Educate your team on the risk and how their actions can impact the business.
  5. Actively manage your cloud and “as-a-Service” subscriptions, standardize on-boarding and off-boarding of staff and contractors based on role, application needs, and appropriate access to data.
  6. Understand how your team uses your business and unauthorized (“shadow IT”) applications and services.  Reign in shadow IT by ensuring your business systems provide staff with the necessary capabilities.
  7. Test your staff’s behavior related to cyber attacks and follow up with additional coaching and guidance. Discipline and, if needed, terminate those who are unwilling or unable to adapt to the current realities of behavior and risk.
  8. Upgrade from data backup/recovery to a business continuity solution that will get you up and running in minutes or hours, instead of days, should an attack get past your defenses.
  9. Arrange in advance for the legal, forensic, PR, communications, and customer service resources you need to respond to an attack with a potential or actual data breach.  Prepaid breach response services give you nearly instant access, reducing your risks and liability while bundling in baseline cyber insurance coverage.
  10. Get cyber insurance, either a baseline policy bundled with Breach Response services and/or a fully underwritten policy from your business insurance provider.

Please contact us for more information about your cyber protection, available assessments, and solutions. We are happy to schedule a free, no obligation Cloud Advisor Session.

* Global State of the Channel Ransomware Report. Datto, Inc. Oct. 2019.


 

Manufacturers Beware: Attacks on Industrial Equipment are on the Rise

Automation Cyber SecurityWe have seen the issue ourselves: A malware attack crosses the bridge from your network PCs to the controllers in your industrial machines. Your shop floor comes to a halt until you can recover. The effort is painful as you deal with embedded and stand-aside controllers running out-dated versions of Windows, limited network options, and compatibility issues.

The risk is so great, that ZDNet is reporting that the world’s largest and most well-known hacking contest, Pwn2Own, will focus on software for industrial equipment.  Reflecting the reality of current threats, the sponsoring organizations and the “white hat” hackers themselves see an urgent need to bring the issue of protecting your industrial equipment to the forefront.

Fortunately, best practices can help protect your operations.

While it is not always possible to protect your industrial equipment with “next gen” endpoint protection, you can take steps to protect yourselves from potentially devastating attacks and accidents.

  • Segregate
    • The network on which your production systems run should be physically or logically separate from other networks — office, voice, etc. — running in your business.
  • Isolate
    • Unless the equipment needs to communicate with the manufacturer, cloud-based systems, or other locations, the production systems network should not have paths to the outside world.
    • If the equipment needs to communicate externally, setup secure VPNs for all traffic.
  • Maintain
    • Whenever possible, update and maintain your industrial systems to run current versions of the manufacturer’s software and the underlying operating system.  Too many production machines are running obsolete versions of Windows that cannot be secured from attack.
  • Scan
    • Before moving any software or programming to a system, explicitly scan the files for malware.
  • Educate
    • Communicate with your employees about the risks and steps they can take to prevent a cyber attack to your industrial equipment as well as their computers and other devices.

Please contact us for more information or to assess your risk and discuss solutions.


 

Risk and Reward – Protecting the Value of Your Business

Business ContinuitySeveral weeks ago, in a town not far from our headquarters, a massive fire destroyed a building housing six small businesses.  Our local business journal followed up a few weeks after the disaster with a poll asking business owners how prepared they are for a major disaster.

  • Fewer than 50% of responding business owners feel that they are fully insured, have an emergency plan, and could be up and running in a few days.
  • 39% feel that it could take a month or so, but they could eventually reopen
  • 17% felt they would be out of business or would required state and local aid to survive

While not a scientific sampling, the results are alarming.  Alarming for a few reasons:

  • Even with insurance, it can take days or weeks to get authorization so you can move forward with your emergency plan.  Securing a new location and replacing fixtures, inventory, etc. takes time, as does recovering computer systems and data.
  • More than 50% of businesses closed for 7 days due to a disaster fail within 6 months of reopening.  While many businesses might re-open in a month, the future will be challenging.

Your Risks are Yours

A major fire in a block of retail and service businesses creates specific challenges, as do storms and floods.  Many more businesses, however, experience disasters equal or greater in scope even if they do not have the same level of physical damage. Some examples we have seen.

  • A distributor of customized office supplies lost all electronic business records for the past three years when they where hit by ransomware. The attack corrupted their on-site backup servers as well as their main file and database servers.
  • A news publisher lost all of their physical servers, firewalls, and networking equipment when a sprinkler head failed in their small equipment room.
  • A small plastics manufacturer lost the ability to use their process control systems when embedded Windows workstations were corrupted by a malware attack.

In each of these examples, businesses with customer commitments, production schedules, and deadlines were idled for days. For some, full recovery can take months.  Beyond the hard cost of recovering systems and data, these businesses suffered from soft cost losses.  Missed customer commitments, delayed invoicing and collections, and the time employees spent on the recovery effort all have lasting impacts on your business.

Business Continuity is a not just a good idea, it is a responsibility. 

As business owners, our employees, vendors, and customers count on us.  While people can empathize with the impact of a fire, there is less understanding for businesses that fall victim to cyber crime.  Malware, phishing, ransomware and other attacks are generally preventable when your team is alert and aware of the risks and when you put reasonable identity, data, and system protections in place. And since no protection is perfect, you need to be able to recover quickly enough for your business to continue operating smoothly.

Here is some food for thought:

  • Know Your RTO:  Understand how quickly your business needs to Return to Operational.  Maybe you can work on paper for a few days. Maybe you need to be up and running in a few hours because you are at a standstill until systems are back online. Your RTO goal will guide your decisions on what protection and recovery/continuity services are the right match for your needs and budget.
  • Assess Your Risk: Understand the different disaster scenarios and how they may impact your business.  Think about physical issues, such as loss of power and catastrophic system failures, as well as other disruptions, such as cyber attacks and potential actions by a disgruntled employee.
  • Watch Your Flank: Asses how different types of threats could impact your business.  We are beyond hiding our computers behind firewalls. We still have physical threats, but we also have threats focused on networks, user identities, access control, third party services, and data sources and services. Each threat vector needs a plan for protection, response, and recovery.
  • Factor in Humanity: We used to talk about balancing security with ease of use.  Today, the humanity equation is different as most IT disasters take advantage of human factors like our fundamental desire be helpful when asked. In many ways, your team is your best defense. They need to understand the risks, the methods of manipulation, and the signs that something is not quite “right”.  Your team needs to understand the value of inconveniences like multi-factor authentication and enhanced privacy and access controls — that these protect them as well as the company.

Your next step.

Contact us.  It is time for a serious conversation about protecting the value of your business.  A basic assessment of your business continuity profile will identify risks and gaps. From there, we can discuss improvements and their business value so you can make informed decisions that balance your risks, needs, and budget.  Business Continuity solutions — from disaster prevention through recovery — do not need to bust your budget.   For most business, changes in security settings on existing systems paired with modest, incremental services provide the protection and recover-ability you need.