Posts

Security Best Practices to Protect Your Admin Accounts

In any client environment, it is critical for you to protect your admin account with current security best practices. Most cloud services have multiple levels of admin accounts, including a super admin with the ability to access, manage, and change every configuration and security setting. In many cloud services, “super admin” accounts also have blanket access to your data. In effect, your super admin and admin accounts hold the keys to your kingdom.

Protecting and managing admin accounts is critical for keeping your data and your business secure.

Here are four security best practices for managing and protecting admin accounts.

1. Multi-Factor Authentication

While we recommend multi-factor authentication (“MFA”, also known as Two Factor Authentication or Two-Step Verification) for all user accounts, the added protection of MFA is critical for super admin and admin accounts. MFA helps to protect your admin account by preventing somebody from using stolen or compromised credentials to access your cloud services, your data, and your business.

For Super Admin accounts, consider a FIDO-compliant security key.  These keys, or fobs, are physical devices that provide a timed access code required to log in. Keys provide the most secure method for multi-factor authentication, and are our number one recommendation when it comes to security best practices for administrator accounts.

2. Secondary Super Admin Access

Even a super admin account can be lost or compromised.  Should this happen, you need a way to perform critical admin tasks while you recover the super admin account.  You have a few options, as follows.

  • Create a second, dedicated, super admin account.  While this comes with a licensing cost, you are not giving additional privileges to other admins or users.
  • Assign super admin rights to an existing admin or user. You avoid any increased fees, but grant privileges which can be accidentally or intentionally misused. These privileges can include access to sensitive data, archives, and the ability to alter security settings.
  • Engage your cloud partner/reseller. If your cloud partner/reseller has the ability to recover super admin accounts and/or reset super admin passwords, make sure you have a service or support agreement in place that covers admin account password reset and account recovery.

3. Force Logout Super Admins

Day-to-day admin services can and should be performed by Admin accounts with permissions to perform specific sets of tasks. Use your Super Admin account for specific administrative and security tasks not permissioned to other Admin accounts.

As a Super Admin: Log in. Perform the specific task. Log out.

If possible, set your system to automatically log out Super Admin accounts if idle for a short period of time.

4. Privileged Access Management

Our final best practice to protect your admin account is Privileged Access Management, or PAM, which limits access to critical security and administrative functions. Permission is granted to specific functions, upon request by another Admin or the system, for a limited amount of time. Using PAM provides additional tracking of who/when/why for critical settings and tasks.

Call To Action

Take a look at your cyber security. Complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Contact us or schedule time with one of our Cloud Advisors to discuss your cyber security protections and/or your broader security needs, priorities, and solutions.

About the Author

Christopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

The State and Future of Remote Work

As noted in a recent article published by American City Business Journals, the state and future of remote work are still up for debate.  Remote work and hybrid work arrangements continue to face resistance. Our reduced need for office space still impacts city centers and commercial real estate markets.  And yet, employees still want remote and hybrid work arrangements. The desire to have work-from-home options is strong enough that many employees will take pay cuts in exchange for the flexibility.

Some of the Data

Work from Home Research noted that paid full days worked out of office was about 27%, year to date, in 2023.  This represents a very slight decrease from recent months.

In February 2023:

  • 60% of employees worked full-time in the office
  • 28% of employees worked in a hybrid arrangement
  • 12% of employees worked remotely full time

40% of employees continue to work some or all of their time outside the office.

A recent study by Robert Half found:

  • 28% of job postings were advertised as remote
  • 32% of employees who work in the office at least one (1) day per week would take an average 18%  pay cut to work remotely full time

Data from the Federal Reserve indicates that:

  • From 2020 to 2021, during the surge in remote work, productivity jumped from 108.57 per hour to 115.3 per hour
  • In 2022, productivity dropped slightly as more employees returned to the office

Using the Data

Remote and hybrid work arrangements will likely continue as companies and employees work to find the right balance for the company and employees.  As small business leaders, we understand that remote work is an attractive feature of job postings, and 1/3 of employees would take a pay cut or change jobs to work remotely.

We need to manage our remote and hybrid work arrangements in ways that employees see as flexible and accommodating. 

In-person interactions with colleagues can improve morale and enhance company culture. It makes sense that we want most employees in the office, interacting face-to-face, at least some of the time.

Employees see most hybrid work arrangements as designed to meet the needs of the company, not employees.  Employees see incentives, such as free meals and other “perks”, as gimmicks to attract employees to the office without addressing employees’ needs.  We need to present hybrid work arrangements honestly in terms of company needs and priorities and those of the employees. If we provide a real balance of needs and priorities, employees will feel respected and heard. They will be more accepting of change.

The Role of Technology

We have no doubts about the power of technology to empower your employees to do their best work — in office or remotely.  Many small businesses scrambled to support remote work at the onset of the pandemic.  These solutions were often rushed and, as such, less efficient or effective than needed.  Too many of us, however, have not stepped back to assess, revise, and improve our IT support for remote and hybrid work.

We need support and technologies in place to ensure the long-term viability of remote and hybrid work.

Employees, when working remotely, want and need the same resources and abilities as when they are working in the office.  They want the same user experience regardless of where or how they work.  At the same time, we need to ensure our systems and data remain secure and protected.

When assessing your IT services, make sure you have the SPARC you need:

  • Security
  • Performance
  • Availability
  • Reliability
  • Cost

Leveraging cloud services, you can provide secure access to your systems and data, with a consistent user experience, at a reasonable cost.

Calls To Action

1. Read our recent eBook, Cloud Strategies for Small and Midsize Businesses. In this eBook, we: Set the stage by looking at how small and midsize businesses acquire and use technology and IT services; Explore the challenges we face moving into the cloud; and Map out four strategies for enhancing your use and expansion of cloud services.

2. Schedule time with one of our Cloud Advisors or contact us to discuss how best you can support your remote and hybrid workers. The conversation is free, without obligation, and at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Effective Cloud Strategies for Small Businesses

As small and midsize businesses (SMBs), most of us have cloud strategies centered around productivity suites for email, calendars, chat, and file services. Beyond Microsoft 365 and Google Workspace, we need cloud strategies for small businesses that differ from those used by larger organizations.  Although our goals and objectives may be similar, we differ in the scope of our IT services, how we acquire and use IT services, and our budgets.

Understanding these differences, we need appropriate strategies to guide our plans and decisions. We need to focus on getting the most value from our current systems and new, managed cloud services.

What is a Cloud Strategy?

Cloud strategy refers to a comprehensive plan and approach that an organization adopts to leverage cloud computing technology effectively. It involves determining how to utilize cloud services, platforms, and infrastructure to achieve specific business objectives, optimize operations, enhance agility, and drive innovation.

A typical cloud strategy includes several key components:

  1. Cloud Adoption
  2. Cloud Service Models
  3. Cloud Provider Selection
  4. Data Management and Security
  5. Cost Optimization
  6. Integration and Interoperability
  7. Governance and Compliance
  8. Training and Skills Development
  9. Performance Monitoring and Optimization

Evolving Business Strategy into the Cloud

Historically, we ran our applications and databases on local workstations, servers, and networks. Evolving markets, business models, and hybrid work patterns drive change. The on-premise architecture no longer meets our needs. Remote access to on-premise systems is cumbersome, more difficult to secure, and likely to be slower. 

From a cost perspective, most of us have outgrown the on-premise model as well. Servers, storage, and related infrastructure represent significant capital expenditures and fixed configurations. Infrastructure and services add hardware, software, and service costs. If you have a managed service provider, or MSP, you pay monthly per-server monitoring and management fees.

Our Big Cloud Challenge

Most cloud services are designed for larger entities that will rebuild systems, applications, and databases to use specific cloud services. As small businesses, we use the cloud differently. We rely on software packages rather than custom-built applications or highly customized systems.

Moving our applications and systems into the cloud is challenging for a few key reasons:

  • Our software vendor may not offer a SaaS version
  • The SaaS version of our software may be missing key features we need, or does not support our customizations
  • Integrations may not be available for the applications and systems we use and need.

Cloud Strategies

If we want to take advantage of the benefits of the cloud, we need better strategic services for the cloud.

Selective Cloud Services

We define selective cloud services as point solutions for a specific need, often in support of other cloud or on-premise services. You can leverage cloud solutions to meet specific business and IT service needs.

Server to Service

Simply stated, the Server to Service strategy replaces your servers – on-premise or hosted – with managed cloud services.  Replacing your file servers with managed cloud file services is the best example of the Server to Service strategy. File servers come with the added burdens of backup/restore services, hardware maintenance and upgrades, and with most managed service contracts, per-device fees for monitoring and management.

Lift and Shift

As noted above, many small business software packages lack a cloud version comparable with the traditional version. In these situations, you can still move into the cloud using the “Lift and Shift” strategy. With “Lift and Shift”, you move your applications and systems from their existing on-premise servers (physical or virtual), to cloud-based servers. You access the applications over a secure VPN or using remote desktop services.

Remote Desktop / VDI

As the name ‘remote desktop’ implies, your actual desktop is running remotely in a cloud environment. You access your desktop via a thin client application running locally on your PC, Laptop, or mobile device, or through a web browser. Using Remote Desktop / Virtual Desktop Infrastructure (VDI) services gives you a complete, secure environment in which you have your private network, servers, and clients. Using Remote Desktop / VDI enhances Lift and Shift solutions.

Final Thoughts on Cloud Strategy for a Small Business

These cloud strategies are NOT mutually exclusive.  With proper analysis and planning, you can match the services to your business and technology needs. More information is available in our eBook, Cloud Strategies for Small and Midsize Businesses.

Call To Action

Contact us or schedule time with one of our Cloud Advisors to discuss if, when, and how expanding your cloud services will help your business thrive and grow.

About the Author

Christopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

Cloud Computing Trends, Challenges & Provider Insights in 2023

Cloud Computing Trends

Earlier this month, CRN published a story covering Flexera’s 2023 State of the Cloud Report.  Flexera provides software and systems to manage enterprise private and public clouds.  The report on cloud computing trends originates with an annual survey of 750 technology leaders across sectors, geographies, and size of the business.  While the report classifies small and midsize businesses as those with under 1,000 employees, we still find the results interesting and relevant.

As small businesses, our concerns are spending, security, compliance, and managing cloud services. The cloud model hits our income statements and balance sheets differently than historical IT services. The need to protect our businesses, and our customers, has never been greater. And, we find it difficult to understand if we are spending efficiently and effectively.

We take a look at the top 3 cloud challenges, discuss managing clouds, and explore cloud waste. Understanding these issues, you will better understand how to create better cloud solutions. You will also be better able to set expectations for those providing cloud solutions and related services.

Top 3 Cloud Computing Challenges

For 2023, SMB respondents identify the top three cloud computing challenges as:

  • Managing Cloud Spend (80%),
  • Security (73%), and
  • Compliance (71%).

These concerns make sense. The spending model for managed cloud services, based on subscriptions or usage, is an operating expense.  Most smaller companies are used to making capital expenditures and paying for service contracts and managed services.  Additionally, many of the IT firms working with small businesses will replicate on-premise networks and servers in a public cloud service. They may lack the expertise and tools to actively manage costs.

Concerns about security and compliance reflect the increasing need and demands of protecting sensitive business and personal information. We face the same increased regulations and expanding industry standards as larger enterprises. But we do not have the in-house resources or the same access to experts. We place our trust in local or regional IT service firms.

Latest Trends and Developments in Cloud Computing

Undefined Cloud Management

Following closely behind the top 3 cloud challenges, governance (67%) and subscription management (61%) indicate that small businesses are not sure how to best manage their cloud services. As cloud infrastructure matures, the number of options expands. To make simple decisions, such as whether to subscribe monthly or make an annual commitment at a lower per unit price, we need to understand the operating cost models. We need standard operating procedures, such as on/off-boarding and access controls, in place.

Cloud is still new. We need our IT service firms and managed service providers to guide, if not lead, our cloud management efforts. Co-management is a viable strategy, provided it includes policies and procedures as well as products and services.

Cloud Waste

On average, the survey results show that businesses spent 18% more than budgeted on public cloud services last year.  The greatest contributor to the overspend appears to be Cloud Waste.

Cloud waste is spending on cloud services that go unutilized or are under-utilized.  Reducing cloud waste can be as simple as

  • Shutting down unused resources after hours
  • Selecting lower cost regions / data centers
  • Periodically right-sizing systems and resources

Policies that scale resources in real-time based on usage will increase efficiency, but require expertise and planning during the solution design process, monitoring, and refinement over time.

How to Pick a Cloud Computing Provider

Traditional managed service providers, or MSPs, are experts in buying, monitoring, and managing things. They focus on network components, servers, systems software, and end user devices.  To get the most value from our cloud services, we need partners that understand service and cost management.

Managed cloud service providers, or MCSPs, understand how the “as-a-Service” model is different. Security, compliance, and cost management only work when they are built into the requirements, design, and management of your cloud services.

Before picking your cloud provider, ask about their management and co-management models. Understand if they actively work to monitor and manage security, compliance, and costs. Ask them to explain how.

Call To Action

Get a copy of our recent eBook, Cloud Strategies for Small and Midsize Businesses. In this eBook, we: set the stage by looking at how small and midsize businesses acquire and use technology and IT services; explore the challenges we face moving into the cloud; and map out four strategies for enhancing your use and expansion of cloud services.

To discuss how your business can better utilize a broader range of cloud services, please contact us or schedule time with one of our Cloud Advisors at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

A Notable Shift in Cyber Attacks

As we proceed into 2023, we begin receiving reports and analysis of 2022, the year that was.  Now is a time when we gather data and perspectives on the past year. This new information helps guide us to better decisions in the year ahead. With respect to Cyber Attacks, the information is definitely both positive and negative in nature.

Mixed News

As reported recently in CRN, SonicWall reports in their 2023 annual Cyber Threat Report that ransomware attack volume dropped by 21% worldwide last year. In the US, the volume dropped by 48%.  While this is good news, we see some serious caveats in the data.

  • 2021 was the worst year on record for ransomware attacks, with more than 600 million worldwide.
  • Even with the 21% drop, 2022 still had the second largest number of ransomware attacks in history.
  • Ransomware attack volume in 2022 was 50% more than in 2020, and more than 2019 and 2022 combined.
  • SonicWall also reports that the last quarter of 2022 had a spike of attacks with an increase over Q4 in 2021.

What does this mean? Ransomware attack volumes have dropped, but they are still at historical highs. It is too soon for us to predict a change that would alter how we protect against and respond to these attacks.

Shifting Landscape

Related data suggest the cyber attack landscape is shifting. This information suggests that cyber criminals are focusing on other types of attacks. In 2022,

  • Cryptojacking attacks jumped by 43%
  • IoT malware attacks increased by 87%

Similarly, CRN reported that security vendor CrowdStrike noted a 20% increase in data theft and data extortion attacks that did NOT deploy encryption. More attackers are avoiding the protections against ransomware and simply threatening to expose or release sensitive data.

What does this mean? Businesses with solid cyber security and business recovery solutions in place can avoid paying ransoms. Collecting ransoms to decrypt files has become less attractive. By quietly identifying and collecting sensitive information, cyber attackers regain the upper hand. They can release portions of the data if the victim hesitates to pay.

The Impact on Your Business

While we may see some encouraging signs, your business remains at risk. Our Security CPR model guides decisions on cyber security solutions. The model offers a holistic approach that begins with communication and education, ensures protection and prevention, and includes your ability to restore and recover.

To ensure your business has the resiliency it needs, focus on threats most likely to impact your business and those that will be the most damaging if successful. We have a number of blog posts, webcasts, and whitepapers in our Resource Center.

Call To Action

For a look at your cyber security, complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Contact us or schedule time with one of our Cloud Advisors to discuss your cyber security protections and/or your broader security needs, priorities, and solutions.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

The Cloud, Shared Responsibility, and You

The vast majority of small and midsize businesses (SMBs) understand — or have learned the hard way — that the ability to recover lost or damaged data is critical to your IT services and business resiliency.  You need to be able to recover and restore files, databases, servers, and workstations from loss due to disasters, hardware failures, software errors, or human action. In the cloud, it is your shared responsibility to protect your data.

The Cloud

As we move data, services, and servers, we rely on infrastructure and security built into the services.  Google and Microsoft operate industry-leading, sophisticated services designed for security as well as performance, features, and functions.  The capabilities do three things:

  1. Continuity: Ensure the clouds run with little or no disruption
  2. Recovery: Enable the restoration of services without loss or failure due to hardware, network, or other issues
  3. Capability: Provide us with the ability to secure and protect our data based on our usage

Microsoft, Google, and other cloud services do not, however, protect us from how we use their services.

You

Microsoft and Google do not control how we use Microsoft 365 or Google Workspace services.  We, as subscribers, control how we manage and protect our data, including:

  • Who can access the services
  • Which applications can connect and integrate
  • Which other applications and services will share user identities
  • Which users can manage, edit, suggest, or view files and folders
  • Which users can access various services within each of the productivity suites

With these controls comes great responsibility.  You are responsible for how your data is stored and used.  You are responsible if that use causes data loss or damage.

Shared Responsibility

Microsoft and Google  both use a “Shared Responsibility” model for security and data protection. The model defines which aspects of the cloud service security and data protection are your responsibility and which are the responsibility of the service provider.

Microsoft

Microsoft discusses Shared Responsibility as a component of its terms of service.  A recent Microsoft Learning article notes the following:

“In an on-premises datacenter, you own the whole stack. As you move to the cloud some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.”

For Microsoft 365, a “Software as a Service” (SaaS) offering, Microsoft expects you to take responsibility for the protection and recovery of your information and data; devices; accounts and identities; and portions of your identity and directory infrastructure. Microsoft has a detailed white paper covering shared responsibility for Azure services.

Google

The Google Workspace Data Protection Guide includes a section dedicated to the Shared Responsibility model. Google states:

“Data protection is not only the responsibility of the business using Google Workspace services; nor is it only that of Google in providing those services. Data protection on the cloud is instead a shared responsibility; a collaboration between the customer and the Cloud service provider (CSP).”

“As a Google Workspace customer, you are responsible for the security of components that you provide or control, such as the content you put in Google Workspace services, and establishing access control for your users.”

As a SaaS offering, Google warns that you are responsible for the access control, security, and protection of any and all content you place in the Google Workspace service. The Google Cloud Platform: Shared Responsibility Matrix provides a detailed overview of shared responsibility for Google Cloud Platform.

Back to You

Understanding your shared responsibility, you can meet your data security and protection obligations.

First and foremost, configure and use the security and data protection features included within your Microsoft 365 or Google Workspace subscription. These services range from multi-factor authentication to secure user identities and access to advanced data loss prevention services in enterprise level subscriptions.

Your next step is to add additional services to cover aspects of data protection not provided with your Microsoft 365 or Google Workspace subscriptions.  These services may include:

  • Advanced threat protection for inbound email
  • Backup/recovery of all user content in Google Workspace (including shared drives) and Microsoft 365 (including Teams)
  • Archive/eDiscovery services to meet internal data policy, industry guidelines, or regulatory requirements
  • Backup/recovery for data located on end user devices and on-premise or hosted servers
  • Continuity services for mission-critical servers and end user devices
  • Message-level and file-level encryption for compliance with industry or regulatory requirements

Your business may or may not need all of the services listed.  Which services you deploy should be part of a larger assessment of your cyber security and data protection needs.

Call To Action

Contact us or schedule time with one of our Cloud Advisors to discuss how you are meeting your shared responsibility and/or your broader security needs, priorities, and solutions.

For a broader look at your cyber security, complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

About the Author

Christopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

Understanding a Third Party Data Breach & How to Prevent One

What is a Third Party Data Breach?

A third party data breach occurs when an individual’s login identity and/or personally identifiable information (PII) has been disclosed by a third party system or service. A third party system or service is one that is unrelated to your business.

Third party data breaches are a security risk to your business and your employees. To understand this risk, we look at human behavior and the nature of modern cyber attacks. Knowing the risks, we look at ways to identify and respond. We discuss methods to ensure you are properly protecting your employees and your business.

The Risks of Third Party Data Breaches

The Risk of Human Nature

Multiple studies show that between 65% and 70% of humans will use identical or similar passwords across systems. The practices of “patterning” and “mimicking” passwords are more common across accounts using the email address or username as the account identity, whether or not the login is for a business system or some other system or service.

Think about employees using their work email for business-related services, such as video conferencing services, LinkedIn, or file sharing services. Some employees may have accounts to online stores for purchasing materials or supplies.  A breach in any of these systems, which are out of your control, poses a risk to your business.

A second aspect of human nature that works against us: humans are social creatures.  People, at different levels, want and need to interact with others.  In general, humans are trusting and we want to be helpful.  We will share information if and when it fits within typical interactions and when we think we are helping ourselves or others.

The Risk of Cyber Attack Methods

Currently, sophisticated criminal organizations (sometimes backed by hostile nation-states or terrorist groups) execute the vast majority of cyber attacks. They often sell and trade methods, malware, and data on the dark web, as different organizations build specialized expertise. Modern cyber attacks reflect the sophistication and expertise of the cyber criminals. Most cyber attacks involve indirect and direct methods.

Indirect Attacks

We define indirect attacks as those intending to gather information. Cyber criminals collect useful information in order to conduct direct attacks and to sell to other criminals. Phishing, social media “clickbait”, and third party data breaches are three common examples of indirect attacks that provide personal information for further attacks.

Direct Attacks

We define direct attacks as those intending to gain access to your systems and information. These include compromised user identities or credentials, ransomware, activity/keystroke monitoring, business email compromise attacks, and other attacks where your data is exposed or altered.

Direct attacks are more successful if they use data gathered from previous, indirect attacks. And while cyber attackers may manage the complete attack, it is more common for those interested in direct attacks to buy data from those that specialize in conducting indirect attacks. Your answers to quizzes and games on Facebook are being sold to cyber criminals that will use that information against you in a future attack. Indirect attacks also gather information that allows the attackers to impersonate you, organizations, or those around you.

Maybe the information lets them craft a surprisingly real-looking email asking you to log into a fake website, or to transfer money to a vendor using incorrect banking information.  Or, you are asked to share the MFA code you received by text. And with enough information, the attackers pretend to be you and ask your customers to make a payment by wire or ACH transfer using their banking information, not yours.

Tracking Third Party Data Breaches

The best method of tracking third party data breaches is subscribing to a monitoring and alert service.  Use the service to scan and monitor the dark web for data breaches related to any email address from your business domain(s).  The service should send you alerts that include:

  • Email address of the breached account
  • Origin of the breach, if known and disclosed
  • Source of the breached data (where the data was posted or visible)
  • The type of the compromise
  • When the data was found
  • If a password was compromised, and if the password is visible or encrypted
  • Any PII disclosed in the breach

Using this information, you can assess the risk and take appropriate actions in response.

At Cumulus Global, we partner with DarkWeb ID for third party data breach monitoring and alerts.  Our eBook, Understanding Third Party Breach Alerts, covers how to analyze alerts, assess risks, and respond accordingly.

Protecting Your Business From a Third Party Data Breach

To fully protect your business from a third party data breach, your security strategy needs to ensure you have three things in place:

  1. You and your team should understand your security risks and how your behaviors can help or prevent an attack.
  2. Have procedures and technologies in place to protect you from successful attacks.
  3. Have security services in place to prevent the disclosure or loss of data and/or system access.
  4. Capabilities and services in place to respond should an attack be successful, and to help your business recover.

We developed our Security CPR Model specifically to help small and midsize businesses create, deploy, and manage an appropriate security strategy. If you follow this model in addition to other cyber security best practices, you’ll be well positioned to prevent a third party data breach.

Communicate & Educate

  • Communicate with your team that cyber security is a priority and educate them on cyber security risks, the need for everybody to be vigilant, and the behaviors/actions they can use to help prevent successful attacks.
  • Develop policies and procedures to establish clear expectations for how your organization will maintain cyber security and how your team will use security technologies and services.

Protect & Prevent

  • Select, deploy, and maintain security technologies and services that match and support your cyber protection needs and priorities.
  • You can simplify your security services by focusing on the most likely threats and those that would have the greatest impact if successful (see: How Can SMBs Streamline IT Security?).

Respond & Recover

  • Put systems in place to recover lost or damaged data and systems; consider business continuity solutions that enable you to continue operating your business while restoring your primary systems.
  • Pre-arrange resources to help you respond to the technical, regulatory, legal, reputation, and customer service impacts of a successful cyber attack.

You can learn cyber security tips and key information about third party data breach prevention by viewing Security CPR, our 3T@3 Webcast from January 2023.

Call To Action

Complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Or, contact us or schedule time with one of our Cloud Advisors to discuss your security needs, priorities, and solutions.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

 

 

How Can SMBs Streamline IT Security?


Cumulus Global CEO, Allen Falcon, answers this question in Inc. Magazine.

Small businesses face new demands to improve and maintain their IT security. Customers, vendors, regulators, and insurance carriers are defining criteria and pushing SMBs to implement procedures and technologies. If not managed well, SMBs end up with duplicate services and increased operating costs. How can SMBs streamline their IT security to manage costs without losing capabilities?


Need guidance? Schedule a call with one of our Cloud Advisors.

2022 SMB IT Security Needs Study Highlights & Contradictions

Security firm Action1 recently published the results of its 2022 SMB IT Security study after surveying 750 small and midsize businesses.

Key Findings and Contradictions of the Action1 SMB Report

It is no secret that perceptions about our security risks differ from reality.  Not surprisingly, some of the 2022 SMB IT security needs survey results contradict one another.

52% vs 65% vs 37%

52% of respondents acknowledge that they lack sufficient skills and technology to effectively protect against cyber attacks. But 65% believe the cost of protection is too high and 37% complain that security controls hurt productivity. Businesses clearly struggle to balance the security they need with the cost and the user experience. Often SMBs are presented with security solutions designed – and priced – for larger organizations. As employees use added security steps for everyday transactions (online banking, etc.), the overhead of security protocols is less intrusive.

63% vs 81% vs 40%

While 63% believe that their SMB faces a lower cyber risk compared to larger companies, 81% of respondents had at least one security incident within the past 12 months. 40% of SMBs had 2 or more incidents. Too many SMBs continue to have a false sense of security. Cyber criminals understand that it is easier to hack 10, or even 100, small businesses than it is to successfully attack 1 large enterprise. And with current tools, cyber attacks are inexpensive to launch and manage.

Where the Security Risks Exist

40% vs 39% vs 34%

The most common forms of successful cyber attacks are password attacks (40%), ransomware or other malware (39%), and phishing (34%). Note that these forms of attack are not mutually exclusive.  One form of attack, malware for example, can be used to gather the information needed for a successful password breach.

63% vs 43%

Looking at root causes, 63% of SMB IT Security study respondents noted that attacks began with phishing.  Unpatched systems were the starting point for 43% of attacks. These numbers make sense as these attack vectors provide access to information that supports further attacks.

Who is Helping

96% vs 23%

The vast majority of SMBs rely on outside experts for help with their security needs.  93% of respondents use an IT firm for at least some of their IT security needs.  That said, 23% of small businesses are looking to replace their IT service providers in the coming year. While security is not the only trigger for changing providers, it is one consideration.

48% vs 33% vs 29%

SMBs responded that poor system performance (48%), system outages (33%), and long problem resolution times (29%) are the three primary reasons for switching service providers. Each of these issues relates to business interruptions.

2022 SMB Security Study Conclusions

Examining the SMB IT Security Needs Study results, we see three clear conclusions.

  1. Failing to recognize the risks leads business owners to undervalue security technology and services. The cost to respond to and recover from a single incident dwarfs the cost of reasonable protections. For SMBs, the average successful cyber attack can disrupt business operations for 18 to 21 days at a total cost to recover exceeding $200,000.
  2. With 50% of employees working remotely, at least part time, individuals and systems are more exposed to attack. Physical security is no longer sufficient. SMBs need security services designed to protect against the most common and the most costly types of cyber attacks.
  3. As an IT service provider, we must ensure that our services, first and foremost, do no harm.  While security protocols can introduce some inconveniences, our services cannot interfere with performance, availability, or reliability.

Next Steps to Improve Your IT Security

Step back and take a look at your security services and footprint.  Our Rapid Security Assessment is a quick and simple starting point to identify security gaps. You can also schedule a call with one of our Cloud Advisors to review your security and IT services.

 

Security Trends Will Impact Small Businesses

Speaking at a recent CRN-hosted security summit for midsize enterprises, Paul Furtado, Gartner’s Vice President of Midsize Enterprise Security, stated, “The only thing harder than defending yourself against a cyberattack is telling your executives and your partners why you didn’t do enough to protect yourself.” His comments reflect the current security trend away from our historic “Trust but Verify” security model toward one that is “Never Trust; Always Verify”, also known as Zero Trust.

Expectations are changing and our tolerance for breaches is dropping.  More than 56% of successful attacks exploit known vulnerabilities with patches available for more than 90 days.  Frankly, many of us are failing at the fundamentals of IT security and this needs to change.

While smaller in size, SMBs remain prime targets of cyber attacks.  With “Ransomware as a Service” readily available, finding and attacking vulnerable small businesses is inexpensive and effective.  SMBs are more likely to have fewer security protections; SMBs are less likely to be able to recover from an attack and more likely to pay ransoms.

Here are 7 security trends that warrant our attention and action:

1 Zero Day Exploits

As the name implies, Zero-Day  Exploits take advantage of newly discovered security holes before our tools and systems can be updated to prevent an attack.

Next Gen solutions are needed to protect from attacks on devices, in the flow of email, and in web traffic.

2 Insider Threats

Insider risk refers to every account that has access into an organization’s environment such as service accounts, custom integrations, and API accounts. Insider threats, meanwhile, are the small percentage of insiders actually doing something that will cause a security incident, intentionally or not.  For example, the increased use of QR codes allows attackers to create malicious QR codes that install keyloggers and screen grabbers to steal identities and multi-factor authentication tokens.

We need Security Awareness Training to help individuals understand the risks and build safe habits.

3 Regulatory Changes

As noted, security expectations are changing.  State and federal laws are changing. Passed by the Senate this year, the Strengthening American Cybersecurity Act will require businesses to report significant cyber events within 72 hours and ransomware payments within 24 hours. These requirements lay on top of other federal regulations, multiple states’ privacy laws (CCPA, MA PII, etc.), and industry regulations (PCI-DSS, etc.).

With cyber insurance and cyber response services in place, small businesses are more likely to avoid fines, losses, and legal actions.

4 IoT

Internet of Things devices and similar automation technologies are popular, and they often lack basic security features.

As IoT-based solutions move into smaller businesses, we need to secure and monitor devices and the networks on which they run.

5 Supply Chain

Bad actors know that attacks on supply chains can be more effective than attacking an intended target.

If your smaller business is in the supply chain of a larger company, expect security to become an issue. They are likely to request, or demand, additional security measures as a condition of your business relationship. And be ready to demonstrate (prove) that you actually do what you claim on the security checklist.

6 Data Mining

Data mining enables attackers to not only go after your business, but your vendors and customers as well.  Imagine attackers telling your customers their private data will be released if you do not pay the ransom.  Even more common, imagine your customers receiving emails “from” (impersonating) you instructing them to send money.

We need to start protecting unregulated data in the same ways we protect regulated data.  Encryption, for example, does not prevent a breach but ensures the data cannot be used.

7 Ransomware

It would be nice to think we are past the ransomware pandemic, but we are not.  Over 80% of ransomware attacks are on small and mid-size businesses. Because attacks have moved beyond encryption to data exfiltration, attackers are likely to understand your business and set ransoms that are steep, but payable (often 1% to 1.5% of annual revenue).  Businesses hit by ransomware average more than 20 days of significant business disruption. On average, they permanently lose more than 35% of their data.

A response and recovery plan that includes business continuity ensures that you can keep your business running while you recover from and respond to an attack.

Your Next Step

Please contact us to evaluate your security footprint and needs, and discuss possible next steps, or schedule a no-obligation introductory call with one of our Cloud Advisors.

Library

Protect Your Business – Top 3 Security Threats

eBook | Source: Microsoft —
This eBook explores how you can safeguard your business against the top three security threats, plus the one threat your business is probably overlooking.

Crash Course in Office 365

eBook | Source: Microsoft —
You already know the productivity power of Office applications like Word, PowerPoint, and Excel. Full adoption empowers you to access your …

Global Year in Breach – 2021

eBook | Source: ID Agent —
2020 saw a cybercrime boom that included record-breaking phishing and ransomware threats. This report provides insights into the rapidly changing cybersecurity landscape; forecasts cybersecurity trends for 2021; and provides helpful advice about smart risk mitigations that fit every business and every budget.

Google Workspace Security

eBook | Source: Google —
Google started in the cloud and runs on the cloud, so it’s no surprise that we fully understand the security implications of powering your business in the cloud.

Make it Work: The Future of Collaboration and Productivity

eBook | Source: Google —
The future of work is here – it’s just not evenly distributed. This report identifies three changes businesses  can make to work in the future

Unblocking Workplace Collaboration

eBook | Source: Microsoft —
Poor workplace collaboration is 1 of 5 top reasons people quit their jobs. Break down collaboration blockers so that teams …

Google Workspace Migration Guide

eBook | Source: Google — What are your goals, and what makes one technology solution the best fit? Here are some insights that can help facilitate a smooth transition to new workplace productivity tools at all stages — with specifics on Google Workspace — from decision to preparation to deployment to upkeep.

Six Types of Remote Workers and How to Support Them

eBook | Source: Microsoft —
Great teams build great companies. Understand the six types of remote workers who impact your team, evaluate their technical needs, assess their …

The Ultimate Meeting Guide

eBook | Source: Microsoft —
Many businesses experience a sizable gap between the increasing number of meetings and the value derived from the time spent in these meetings. What can you do? The simple answer for better meetings is to …

Securing Your Digital Transformation

eBook | Source: Cumulus Global

Webcasts

Cloud Cover – Manage IT All

(9/20/2022) – The right IT management and services add value and save money. Learn IT management strategies for small and midsize businesses that can better match current and evolving business needs and priorities.

Cloud Cover – Hybrid Work

(8/16/2022) – Successful businesses will adapt to changing expectations. You can, affordably, adapt your IT to hybrid work while improving security and resilience. This webcast covers the IT strategies and solutions to help you adjust your IT services to better support hybrid work.

Streamlining Security

(5/17/2022) – While small businesses are more vulnerable and more frequent targets of cyber attacks, constant fear-mongering and hype does not help. Sound business practices, not fear, should be your motivation to protect against cyber attacks.

Spring Cleaning Your Files

(4/19/2022) – With an understanding of personal file services – OneDrive and My Drive – and domain file services – Shared Drives and Sharepoint, businesses can build a file service that organizes and protects files in ways that make them easier to find, share, and use.

Beyond Backup

(3/15/2022) – Map out how restore, recovery, and continuity solutions offer different value propositions for you and your business. Assess total cost and impact when selecting your solution.

Peak Productivity

(2/22/2022) – We all have our jobs to do. We want to do well. We want to succeed. We want and need peak productivity.  While “hacks” are trendy, productivity is boosted when we understand how to best use the tools we have.

Keep IT Simple

(1/25/2022) – Solid IT services are critical to your success, but they consume your time and budget. Using managed services ensures you have effective and affordable services and frees up time and money to focus on your core business activities.

2022 is Here; What’s Next?

(12/14/2021) – COVID-19 triggered fundamental changes in the economy, markets, and society that alter the way we need to operate our businesses and work as individuals. Explore ways small and midsize businesses can better leverage technologies and resources to respond to these challenges.

Four Cornerstones for Cloud Security

(11/16/2021) – Four security cornerstones create a solid foundation for your cloud security. Assess your security footprint; Identify security gaps; Prioritize changes and security services.

Cloud File Services

(10/19/2021) – Moving to a managed cloud file service can improve access, productivity, and resilience without sacrificing security and budget.