Destination Unknown – Cybersecurity without a defined objective is a path to disaster

TechMgmt.jpg

Destination Unknown – Cybersecurity without a defined objective is a path to disaster

Vacation time!

Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.

Scenario 1: Planning for a vacation.

When planning a vacation, most people take the following steps:

  1. Determine the budget.

  2. Choose the destination.

  3. Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).

  4. Decide where to stay (choose hotel, condo, Airbnb, etc.).

  5. Choose mode of transportation (plane, car, boat, etc.).

  6. Book flights, rent car, plan your driving route, etc. 

  7. Book babysitter, dog sitter, house sitter, etc.

  8. Plan activities while on vacation.

  9. Begin the journey to the destination.

  10. Arrive at the destination.

  11. Have fun!

All the above has a cost element to be considered, which can cause the vacation plans to change.  Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although, a budget should be the first step in the planning process, people oftentimes choose a desired destination, and then adjust the budget accordingly.

Another important step when planning a vacation, is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination? 

Therefore, it’s also important to utilize outside resources for information and contact experts who are able provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.

Cybersecurity Time!

If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency. 

Scenario 2: Choosing and implementing the best solution and level of cybersecurity

When planning for cybersecurity implementation, business leaders should take several steps:

  1. Determine the budget.

  2. Choose the level of security needed for the business.

  3. Analyze each security element to understand what it does and doesn’t do.

  4. Based on the analysis, determine the priority and order for implementing each element.

  5. Determine who will be responsible for assessing the solution options.

  6. Decide when to begin implementing the security solutions.

  7. Decide who will be involved in the implementation process.

  8. Plan the implementation process and any impact to the business (downtime, users, etc.).

  9. Ensure all relevant parties have been informed, then begin implementation.

  10. Implement the solution and test (sometime in phases or using pilot groups).

  11. Complete implementation and make the necessary adjustments.

  12. Conduct a post-review of the project to determine areas for future improvement.

Planning a Vacation vs. Planning Cybersecurity Implementation

While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity. 

When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend.  Most businesses don’t even have a budget for cybersecurity, so there’s no starting point.  In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.

While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEO’s (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.

Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.

Start with Communication

CEO’s and C-level executives:

  • Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.

  • When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.

  • Stay as involved as you possibly can before, during and after the implementation process.  

If you are an IT professional:

  • Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.

  • Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.

Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks. 

The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:

Define, Determine and Decide

As the diagram below illustrates, there are various levels of cybersecurity.

Step 1. Define and understand each level.

  • Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.

Step 2. Determine what level of security the company currently has.

  • None, Basic, Advance or Comprehensive

Step 3. Decide on which security level to target during implementation.

  • Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”.  So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee driven risks for prevention – AV, training, email ATP. 

SecurityLevels.png

Step 4. Implement, monitor and communicate

·         Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.

·         Using a simple diagram, like the one below, is a helpful tool to use when explaining the progress of implementation to management. 

This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.

SecurityStatus.png

Step 5. Update management on an ongoing basis

  • Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. 

The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.

SecurityCommunication.png

Embrace the journey!

Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red.  Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.

Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business.  But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. 

It’s important to take a step back to understand the ‘why’ then work on the ‘what’.  Create a communication method that works for the business, then begin focus on the ‘how’ and ‘when’ to take the appropriate action.

 

Engage Workspace

Very exiting times for one of my colleagues, Chelsea Green. Chelsea, CEO of Engage, recently announced the formal launch of Engage Workspace, a new shared office center focused solely on attorneys.

There are many ‘shared workspace’ companies – some, like IWG plc (formerly Regus), have been around since the ‘80s. But, the “shared” office model has been rapidly increasing in popularity over the last decade. According to Forbes.com, shared workspaces will host more than 3.8 million people by 2020. WeWork now has 502 locations since opening their first shared office space in 2010.

But, what makes Engage so unique is that it is designed specifically to cater to the requirements of independent attorneys and small law firms.

From the Dallas Morning News article:

https://www.dallasnews.com/business/real-estate/2019/01/29/coworking-center-targets-legal-eagles-new-north-dallas-shared-office-location

“The new Engage Workspace in North Dallas is targeting attorneys with its co-working facility in the landmark Campbell Centre complex on North Central Expressway.

The just-opened workspace is designed to accommodate more than 60 attorneys with workstations, offices, meeting space, office equipment and other amenities.

So far, the co-working operation takes up a full floor in the building, but Engage says it hopes to expand to additional floors of the iconic gold Campbell Centre II tower.

"Independent attorneys and small law firms represent nearly half the legal industry," Engage CEO Chelsea Green said. "With continuing market changes and technology advances, that looks to accelerate over the next several years.

"With Engage, we have created an office environment that has the familiarity of a traditional law office but with the greater independence, flexibility and efficiency of an executive suite or co-working space."

Green and partners Jim Chester and Darin Klemchuk opened the co-working center Jan. 1. Chester and Klemchuk are both partners in the Dallas law firm Klemchuk LLP.

The owners are planning to upgrade this spring with a new coffee bar and more collaborative space.

"Attorneys are a perfect fit for the Engage office space model," said Chester. "Law practice is collaborative by nature, and attorneys benefit from networking with other lawyers to share referrals and resources."

Stephen Holley of Holley + Co. Real Estate negotiated the office lease for the co-working center with Barbara Houlihan of Peloton Commercial Real Estate.

Shared office providers now occupy more than 1.5 million square feet of building space in North Texas. Co-working firms are one of the fastest-growing sectors in the office industry.”

What is not mentioned in the article is that the Engage Workspace will also provide the level of technology, IT support and cybersecurity necessary for attorneys.  All companies require technology and cybersecurity, but attorneys have the additional challenge of needing to collaborate and exchange information externally while also keeping their practice and data isolated and secure. Engage understands this, often overlooked, requirement and will include it as a part of their service.

At Engage, attorneys will be able to be as productive and efficient as possible, while knowing their data is secure. Each tenant will also be provided with ongoing IT support from a team of technology experts.  The blend of amenities, technology support and cybersecurity, creates compelling value that independent attorneys and small practices typically would not be able to take advantage of.

For more information, visit www.engagelawspace.com.

 

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

CyberMonsterDespite all the statistics that point to the fact that businesses, without the proper security measures, will likely suffer from a cyberattack, cyber threats are still being viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from being able to even enter the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer.  While some of the topics are technical in nature, the questions are driven from a focus on the business itself.Questionnaire

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget review annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can you employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10 Moderate Risk: 15-25 High Risk: 30-50 Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!Headinsand

If you didn’t score a 10 or below, then getting to the green, (low risk range), won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

Happy #$%@ New Year’s!! My Money is Gone!

HoodedHackerThis scam is downright scary!

Time is of the essence on this blog, so I tried to find a title that will grab your attention. I hope it did. I don’t get overly dramatic in my blogs, but this one is warranted for how bad it is. I also try to use graphics to break things up a bit, but I didn’t want to spend more time trying to make things “artsy”.

If you’re going to read anything, please read this. It might just save you thousands of dollars.

A small business owner and close friend of mine, we’ll refer to as “Joe”, texted me on December 22nd, (yes, right before Christmas), livid he had been conned out of thousands of dollars by a very elaborate and well executed scam. Now Joe is no dummy and pulling one over on him is no small task, but the detail these scammers deployed was no match for even an astute businessman.

So what happened?

The target, Joe, uses Chase Bank for his business and personal finances, which becomes important later.  All the money in both his personal and business accounts was stolen within minutes! How?... Joe gave the hackers the information they needed to steal it.

The chain of events.

Joe received a call from Chase Bank’s “Fraud Department” stating there was suspicious activity on his account, and transactions were made in a foreign country. Joe then explained that had recently been to Mexico on vacation – a common destination when you live in Texas.

Being a diligent and rightfully cautious person, Joe checked the number calling him and it matched the phone number on the back of his Chase credit card. The hook was set!!

The “Chase representative” stated because there were fraudulent attempts on his account, he needed to close both accounts, personal and business, and transfer the money to new, “safe” accounts. Then, the representative said he would text Joe a code for him to read back, which once again came from a legitimate number.  A two-factor authentication, using texted codes, to a mobile number is common practice, and no cause for alarm.  The representative then used this code to access both accounts and change the real password, one the hacker could then use.

In real time, the hacker used the common online payment app, Zelle, to clean out both personal and business accounts. It should also be noted that the scammer on the phone spoke excellent English and sounded legitimate, which is another well thought out tactic and different from the obvious “rich uncle” accents from Eastern Europe or other countries.

Worst nightmare!

Now being suspicious, Joe went into a Chase branch location and they verified that it was, in fact, NOT Chase. The real Chase representative mentioned this was the second time in a few days they have dealt with this same scam.  Panic now set in!

Pain and no gain.

While in the branch location, Joe had to immediately close all his accounts, open new accounts, while simultaneously working with the bank’s fraud department to try and reverse the transfers to get his money back.

When the Chase fraud department did their initial forensics, they discovered the transfer was made using a relative’s name.  This means the hackers gained full access to the account information, including the list of approved people and accounts to transfer money to and from.  Because the hackers chose a relative as the person receiving the funds, Chase would not escalate until Joe could confirm and ‘prove’ funds were not transferred to the family member as a legitimate transfer. The hackers purposely chose a family member knowing it wouldn’t get escalated.

It’s important to note that the phone number showing on Joe's caller ID matched the number on his Chase credit card.  At one point, Joe hit ‘call back’ feature on his phone to automatically dial the Chase number, which was directed back to the fraudsters (a tactic called number spoofing). The Chase fraud department advised Joe to always manually dial the number and not use the automatic call back feature on your mobile phone to ensure that you’re calling the correct number. In addition to closing his accounts and opening new accounts, Joe also has to identify and contact the numerous legitimate personal and business vendors and payers he works with to update their new account information.  More pain.

At the time of this blog, the success of reversing the scam is unknown. The bank stated it would take up to 30 days to determine if Joe would get the money back. To add insult to injury, Joe is also now locked out of online banking for 60 days.

This is one of the most elaborate and well thought out cons I’ve ever seen, requiring multiple people who know exactly how people use banking, and more importantly, people who know exactly how banks and their fraud departments work.  They were always one step ahead of the victim and I’m certain there are more to come!  So be diligent, be doubtful, beware.

Recession Obsession

If you’ve been alive 10 years, you’ve been through a recession – the Great Recession actually.  If you’ve been alive 20 years, you’ve been through two recessions.  30 years on the planet will give you…you guessed it, three recessions.  Although recessions do seem to be cyclical, they don’t always happen every 10 years. Over the last 50 years, there have been 7 recessions.

Gas Lines and Baby Food Jars

RecessionThe ramifications of a recession also change over time. Being 53 years old, I recall my grandparents saving every coffee can, baby food jar, and plastic container to repurpose and use for storing things throughout the house.  As products of the Great Depression, they were raised to literally save everything.  I can also distinctly recall having to wait in long lines for gas during the recession in the 1970’s.  My father and I would park the car in line at the gas station and go to the nearby strip mall to kill time for two hours while we waited for the line to move.

Although not a recession, I recall Black Monday in 1987 when the stock market dropped over 22%.  I was working at a financial planning firm at the time and that was not a good day, and not just because it was Monday.

Dot Bomb Bubble Burst

In the early 2000’s, the dot com bubble burst, and turned into the dot “bomb”.  It seemed like anyone with a web-based idea was given millions of dollars in funding without having to show any DownGraphprofits (a scenario which still occurs today).  eToys.com, Webvan.com, Pets.com, and many more all wiped out almost overnight.

Most recently, we can all recall, if not relate, to the Great Recession that occurred in 2007-2009 when the housing bubble burst due to the subprime mortgage crisis.  The term “government bailout” became a major thorn, and the nemesis for many household brands.  Many are still recovering from this economic meltdown. However, the prosperity over the past 10 years has dulled some of the sting.

But, some are now warning us that the great run we have enjoyed may be slowing down, and we’re potentially headed for a recession.  Search Google for “Recession 2019” and you’ll find blue-chip names discussing the very likely possibility that a recession is looming.

Before it's too late!

CrisisI have owned a technology company, Fluid IT Services, for the past 17 years, and we felt the impact of the 2007 recession – but in an interesting way.  We provide IT solutions and support for small to mid-sized businesses, and the cost of our services is typically less than the cost of one full-time employee. Although we lost the clients who unfortunately went out of business, we gained new clients who needed to cut costs and couldn’t afford full-time IT staff.

We certainly had to cut costs ourselves and manage everything more tightly, but we were okay because our risks were spread sufficiently, and we provide a service that is “recession friendly”.  We continued to grow as the economy improved, but always with a keen eye on our market segment and the economy as a whole.

As the economic signs, signals, metrics, statistics, etc. started showing a downturn, we’ve used it as an opportunity to get our business in order.  It’s much easier to evaluate all your people, processes and technology-related costs, and make sure that your business is operating as efficiently as possible, before things go south.

Every company has and uses technology (IT) constantly. Most companies today wouldn’t be able to function without IT.  But, when times are good, costs related to IT (and other business functions) may not be closely monitored because sales and revenue can cure many ills.  However, it’s best to ensure your IT house is in order before the times get tough and budgets get tight.

Start by asking questions

An analysis of your current IT spend at a detailed level, may be as exciting as watching paint dry, but it’s crucial when dollars tighten. IT cost analysis can also be difficult. Even knowing which items to include when analyzing your IT spend can be confusing. I’ve found that it’s easiest to start by asking questions…

  1. What are my costs for internet, phones, software subscriptions, IT support, computers, etc.?
  2. What hardware needs to be replaced soon? How much will it cost to replace?
  3. What costs can be reduced or eliminated?
  4. What costs are a bare minimum to keep the lights on?
  5. When was the last time I evaluated all my contracts related to technology and what are the terms? Being locked into an expensive 5-year contract at the beginning of a downturn is no fun.

Good news...

We can help! At Fluid, we help companies analyze their IT costs almost daily. So, we already know where most of the IT costs are found, where the skeletons are buried, what is reasonable, and what is outrageous.  As a provider of outsourced IT services for small to medium businesses, we have to know these costs because we’re responsible for managing them in order to be a good steward with our clients’ hard-earned money spent on IT.

We also take it one step further by using a more proactive and strategic approach to IT. We will hope for the best, but also help you plan for the worst by discussing current and future business needs, goals and “what if” scenarios. Once we have this information, we can provide guidance on ways to cut IT costs and suggest solutions that will generate revenue, and specifically align with each clients’ business plan.

Don’t be afraid to say you don’t know and bring in experts to help you understand your costs.  It will reap rewards now and help you sleep better when economic conditions do change.  Feel free to call Fluid IT, we love this stuff!  Our main objective is to help people with their businesses and see IT in action!

Ho, Ho, Ho No! I've been hacked!!

With the holidays upon us, it's not only the kids getting excited.  Hackers also love the holidays and the gift of giving takes on a whole new meaning.  Increasing malicious activity during the holiday spending spree is no coincidence.  Don't be a victim!  Take some tips from this blog by IBM SecurityIntelligence to be more diligent.  Hacky Holidays?

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

ManYelling

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line!  It’s time to punch it across the goal line!” Colleague: “Got it!  You can count on me!”

A week later…

Me: “So that project was completed, right?” Colleague: “No, I’m still working on it.  I need to add some more detail." Me: “What!  I thought I told you and we agreed this needed to be done asap!? Like yesterday.” Colleague: “Oh, I’m sorry.  You didn’t tell me it was urgent.” Me: “I did tell you it was urgent.  Remember ‘the one-yard line’, ‘the goal line’?” Colleague: “Yeah I kind of recall something like that.” Me: “Then why didn’t you get it done??” Colleague: “Why are you yelling at me?  I have no idea what you meant.” Me: “Why didn’t you ask?

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity SecurityGuard

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show, many business owners rely on their insurance policy to save them instead of protecting their assets proactively.  I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

MiscommunicationThere is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

ArguingDigital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

LostTranslation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant.  I can keep showing business owners all statistics. But, most of them still don’t properly plan for or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach.  But what is ransomware?  What is a breach?  What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

We've moved everything to the cloud, we don't need IT staff or support.

It’s Fall, the weather is cooler, football is in full swing and we finally moved all our systems to the cloud.  No more worrying about having the deal with all that techie stuff.  Life is good! vectorstock_3501851

 

“We’re in the cloud, we’re all good.”  We hear this all the time from business owners. The number of companies using cloud services for all their business software is increasing. With no servers and software in the office, many people have the misconception that any hardware still onsite, requires no attention.

So, when asking owners and CEO’s about their IT needs we get the quick “We’re all good, everything we have is in the cloud.”

This misconception is not only inaccurate, it is extremely risky.

While it is true that cloud solutions can mean computers in the office, laptops and desktops may not need to be as beefy because all the work is ‘in the cloud’, the fact remains there are still devices, and more importantly, users that will require the same level of IT support and responsiveness from their IT staff/provider.

Security is a primary concern when in the cloud.

In the “old days”, users would login to software and systems running on servers in the closet.  When there were issues, the IT guy would come to the rescue, and they would take systems down to do maintenance, upgrades, etc.  Having your software in the cloud can be very easy to use, convenient and appear to not need the same ongoing care and feeding, which can be mostly true and a great advantage of the cloud.  But that one first step – logging in, is still a critical component to ensure proper security is in place for accessing systems now in the cloud.

Managing security is still a core requirement for every business and with the “sprawl” of cloud solutions, many companies use multiple cloud applications requiring multiple logins and passwords.  On the other end of that cloud application is a user that still requires support when things go wrong, or when they want to add something new.

Users still exist and need to be supported

Seemingly simple cloud applications like DropBox still require security settings, user settings and support in a business environment.  You probably don’t want all employees to have access to sensitive HR data.  Users still must be added and managed, printers still stop working (the bane of my existence), and laptops and desktops still fail.  Assuming there is no need for IT support, puts the company back into reactive mode, only addressing needs after something happens.

Reverting to reactive support is a step backwards in user productivity

Most of what IT does is under the water line.  Like the propeller and rudder on a boat, you can’t see them, but they are required if you want to move forward in a precise direction.  Technology is only visible when the business and users are accessing it.  Much of the cloud is below the water line and appears to work on its own, but it still requires the skilled engineers and technicians to ensure everything is working to meet the business goals.

When you add the ongoing and more visible needs of the end-users, having good, proactive managed IT support and security is a MUST! Therefore, even when everything is in the cloud, having the right IT support can make the difference between success and failure.

What you don't know CAN hurt you!

BlindMan Cybersecurity continues to be a real problem for small to mid-sized (SMB) companies because they honestly believe it will not happen to them.  To make matters worse, in a recent article by Dark Reading, 51% of SMB leaders are convinced their companies are not a target for cybercrime.  You can read the article here.  With the large number of security incidents we respond to within the SMB community, it is very surprising and discouraging businesses continue to ignore cyber threats.

Small to Mid-Sized Companies Do Not Act Until AFTER They Have Incurred Multiple Cyber Incidents

Unfortunately, what we find is that companies take preventative action only after they have been hit multiple times.  You read that last line correctly.  We see companies have an incident, incur very large unplanned expenses to deal with it, and continue to 'do nothing' until they are hit again and again.  I have to believe this is primarily due to the lack of understanding of the real risk of cyber threats at a business level, coupled with it being a blind spot in business management - I don't know what I don't know.

The Security Industry is Partly to Blame

The cybersecurity industry is partly to blame for the lack of understanding and visibility in the business community because, as an industry, cybersecurity continues to communicate in very technical jargon and terms business owners and management simply cannot understand and do not have time to try and figure out.  This creates a disconnect between the business and the very solutions available to proactively address mitigating the risk related to cyber attacks.

If business owners were armed with information showing what is actually occurring within their business on a regular basis, communicated in terms they can understand, not only would they enable the experts to help remediate issues proactively, they would have detailed information on employee behavior and actual traffic moving in and out of the business.  Security reports provide extremely valuable and powerful information which can be used not only to thwart cyber threats, but also create and enforce general company policies on how business assets are being used.

You can see sample report showing one month of actual data obtained from proactively deploying and monitoring security here Security Report

I believe if business owners could SEE what is actually happening, they would be much more likely to address the very real cyber threat risk.  At a minimum, they would have to decide to do nothing knowing bad things really are happening.

 

Your Cyber Security is Failing!

managed-security-services  

When you take a course in school or work and you get 100% on the test, it’s a great feeling.  Perfection!  How smart are you!  When you get 100% on every test, every time, you have truly mastered the subject and are clearly an expert.  It’s something you might even want to boast about to your friends; what an accomplishment!

But what if the scenario was turned 180 degrees and you received a 0% on every test.  Your feelings are completely opposite.  You are discouraged, frustrated, even embarrassed.  Your confidence is shot and you certainly don’t want to be bragging about it to your friends.

This is the scenario we see in cyber security.  When we deploy our cyber security solution for a new client, we have a very methodical process for the implementation and configuration of the solution based on the clients’ needs.  Part of the process includes continually capturing real-time data and then reporting those findings on a monthly basis.  We review these security reports with our clients so they can see and understand what is actually happening in their company.

Every company fails security 100% of the time!

What we have found interesting is that we find an issue or issues that need immediate remediation 100% of the time.  Think about that for a minute.  Every single time for every single client they fail.  This is not something the company wants to deal with, it is very frightening to them, and they certainly do not want to boast about it to others.

Often times we have already remediated issues in real-time as we are monitoring their security, but many times it takes working with the company management to determine what they want to do.  As an example, if we find a company computer suddenly is trying to broadcast malicious content out through the company’s internet connection, we will be immediately notified, shut-down and ‘clean’ the identified computer.  We certainly do not want to wait until the end of the month to address the issue.

Other issues are more dependent on what the company management team wants to do.  During our initial monthly review of the report, there are often issues related to how employees are using company systems.  For example, employees are accessing inappropriate websites, usage of social media sites such as YouTube, Facebook and Pandora are excessive and saturating internet bandwidth.  We also see attempts to access the company network from other countries, such as China, Romania, North Korea, etc.  In these cases, the company management almost always is shocked and says “We don’t do business with those countries!  Why are they trying to access our information!?”.

This is an example where we need to have a discussion with management to confirm what is legitimate and what is not.  Using our service, we can block websites and countries permanently and selectively, or the company may want to write and issue an Information Security Policy that states what the company policies are for appropriate use.  In the latter case, the issue is handled through policy and not technology.

You can’t address what you can’t see

In all these cases, the primary issue is that companies without proper security in place are in a state of being blissfully ignorant.  They do not see anything going on so they assume everything is good.  Once we shine a light on security, their eyes are wide open because they can now see what is actually happening.  Having the information allows us, working with the company, to address and remediate issues.

The larger implication is companies without proper security are playing with fire.  While some issues are not extremely damaging, it is only a matter of time when a malicious event becomes a major security incident the company must respond to.  Imagine you are a health provider, law firm or any company (since every company has sensitive and private information) and find you have a breach and private information has been leaking out of the company.  The status just went from green to red, requiring significant and immediate effort from many different people – the incident response plan.

The point is, in today’s world, it is better to know and have a planned response than to continue to be in the dark.  We know 100% of companies we work with will have issues to address, we also know most companies continue to operate in the dark believing it won’t happen to them.  As scary and uncomfortable as it may be, I would certainly rather operate from a position of knowing rather than taking the chance and hoping nothing will happen.  After all, we know from actual data, ‘nothing will happen’ actually never happens.

Security Delivered in a Box

With news of breaches occurring daily, cyber security has been forced to the forefront of every business.  The challenge is cyber security is a very complex subject to address with many layers using names confusing even to technical people.  Trying to decipher and understand all the layers and what is appropriate for your business is nearly impossible without a team of experts to guide you along the way.  Often the result is having multiple vendors provide different layers of security that do not work well together, are difficult to manage, and ultimately more expensive. For this reason, Fluid spent a year researching to find a better way.  What we found was very interesting.  There were many security companies offering specific pieces of an overall solution – one vendor offering a firewall, another offering anti-virus, and another offering cloud based security, and so on.  This was the very overly complex scenario we were trying to avoid.

Using this knowledge, Fluid developed a set of solutions to address each layer of security in a unified way that can be centrally managed, while in turn reducing the number of vendors involved and related cost.  The result is security in a box, a menu of security solutions to address each layer of security with options for increasing security levels to meet the specific needs of a business.

You are covered from the end user to the cloud!

SecurityInABox

The primary aspects in a consolidated solution had to include the following –

  1. Centralized management of all security devices and software
  2. Consistent ongoing management and monitoring of security events for remediation
  3. Proactive notification of threats
  4. Detailed monthly reports showing actual data related to the specific client environment and usage
  5. Inclusion all necessary hardware, software, and support renewals (firewalls, network switches, wireless access points, cloud based firewalls, etc.)

Whether it’s 3 devices or 3,000, Fluid can procure, configure, implement, and manage security using a single standardized process.

The results for our clients have been fantastic!

After implementation of the service, we review the initial monthly security report with our clients and without exception, the report shows activities they had no idea were occurring.  Not only do they have visibility to what is actually happening in their business, they now can do something about it.  Whether it is through creating a company policy or having Fluid systematically block certain traffic, the business is now in control.

In addition, because the service is all-inclusive and standardized, it can very easily scale as the company grows.  We have many clients that open new branch offices around the country and we can very quickly deploy the solution to those locations and add them to the overall solution.  In addition, each location receives its own monthly security report, so analysis and action items can be done at the location level.

The reports are an extremely valuable tool for ongoing cyber security monitoring and remediation.

SecRpt1

Visibility to outside attempts to infiltrate company systems allows specific geographic based controls.

SecRpt2

A primary role of any cyber security is to block malicious attacks and intrusions.  Monthly reports show details on specific attacks.

SecRpt3

If a deeper inspection is needed, we can even go to the user level to analyze what is occurring.  This has been especially helpful for situations where there may be one or two rogue users that need to be addressed.

SecRpt4

Unfortunately, employees are the number one source for security incidents.  Knowing what they are doing is necessary to continue to improve security training and make adjustments to security policies.

SecRpt5

Fluid’s Security-as-a-Service includes everything you need, out of the box, to secure your business!  Contact us now to learn how 214-245-4118 or wade.yeaman@fluiditservices.com.

Does you technology department know your business? They should.

vectorstock_1260341-FluidLogo-01 I have been in the technology business providing technology services to small and mid-sized businesses for over 20 years and surprisingly through all the change, there is a serious gap I continue to observe…

The technology department does not know the business

Whether using in-house technology staff or an outside technology provider, I find the technology group may know what business they are in, but they no little else.  The obvious question is – how can a business get the most out of technology when they do not fully understand the business?

Signs your technology department is not involved enough in the business

  1. A representative from technology is not included in business strategy sessions
  2. The business does not have a technology steering committee or similar group
  3. The technology staff do not know all the software the business is using and more importantly why
  4. Business management makes technology decisions without proactively including the technology department

If you have any of these occurring in your business, you are not getting the most out of your technology function.  As a result, technology may be adequately supporting the business, but they are not provide the real value – enabling the business.  This creates a very real gap between the business and IT that is overlooked and unattended.  In fact, in most cases it is a case of “I don’t know what I don’t know”.

Most small to mid-sized organizations do not have a Chief Information Officer (CIO) or access to one

Any large organization has a dedicated CIO with dedicated staff with the primary objective to be an integral part of the business strategy process to ensure technology continues to align to the business and provide tangible value on an ongoing basis.  Small to mid-sized organizations have the same need and can obtain the same value, they just do not know to include it or assume it may be too expensive.

While true that a full-time CIO often is cost prohibitive for small to mid-sized organizations, there is little reason why this valuable service cannot be obtained on a fractional ‘as needed’ basis.

Business Strategy Model

Although admittedly simplistic, the graphic below shows how business strategy works from the top down, from development to execution.

vectorstock_15134295-FluidBlue-ClearBackgroundIn real terms, the same model is used for technology (place “technology” in front of each level and you have it).

Most technology departments and providers deliver the bottom half of the pyramid and do so really well.  However, this is just the basics any technology department should be expected to deliver.  What is missing is a defined approach to address the top half of the pyramid.

As shown in the following graphic, the top portion of the model is often overlooked or missing in technology delivery.

vectorstock_15134295-FluidBlueGray-ClearBackground

Technology departments and providers lack a refined method to deliver strategic services

The reality is most technology departments and providers do not possess the experience or skillset to deliver the high-level strategic services.  Complicating matters, it is not a skill that can be simply ‘turned on’.  It takes years of hands-on experience working with business senior leadership along with various strategy methodologies to provide these services.

A defined repeatable methodology and process is required for IT strategy delivery

At Fluid, we have a proven methodology for addressing the strategy gap to work with our business partners to deliver technology at a strategic level.  In almost every case, our clients have never experienced this level of strategic service.  In fact, most require training to take full advantage of the benefits.  Once we engage with the business, the senior management not only welcomes the service, they devour it at an increasing level.  What we call virtual CIO services becomes an addiction for the business.  The results are tangible and IT value increases from a necessary business function to a strategic business enabler.

The Power of Data

At Fluid, we specialize in managing our client's data.  Our clients trust us to help them create, utilize, and protect their data in all facets of their business.  Through this role, we have a front row seat to see the power of data and analytics in high-performance businesses.   When we work together with our clients to integrate data and analytics into their business processes, IT transforms from a cost center to a business enabler.  That's the most rewarding work we can do with our clients. Given that focus, we found this article to be really powerful with some great, actionable suggestions for your business.

 

Wanna Cry?

As you may know, on May 12, hackers launched a global ransomware campaign against tens of thousands of corporate and governmental targets. The ransomware encrypts files on an infected computer and asks the computer's administrator to pay a ransom in order to regain access.  

The ransomware attack is apparently spreading through a Microsoft Windows exploit called “EternalBlue,” for which Microsoft released a patch in March. That month Fortinet released an initial IPS signature to detect vulnerabilities against MS17-10. This signature specifically looks for SMB type vulnerabilities. Earlier this week, Fortinet updated their IPS signature to further enhance detection. It appears this update detects the ransomware. Today, they released an AV signature that detects and stops this attack. (Third-party testing has confirmed that Fortinet Anti-Virus and FortiSandbox are blocking the attacks.)

 

We strongly advise customers to take all of the following steps:

  • Apply the patch published by Microsoft on all nodes of the network.
  • Ensure that the Fortinet AV inspections as well as web filtering engines are turned on to prevent the malware being downloaded and to ensure that our web filtering is blocking communications back to the command and control servers.
  • Disable via GPO the execution of files with extension WNCRY.
  • Isolate communication to ports 137 / 138 UDP and ports 139 / 445 TCP in the networks of the organizations.

 

If you would like more information on how to protect your network, use the link below to register for the Fluid IT Services/Fortinet Security event on June 6, 2017 @12pm:

 

Register Now

 

Please feel free to read the latest posts on this subject, published by the FortiGuard Labs team:

https://blog.fortinet.com/2017/05/12/protecting-your-organization-from-the-wcry-ransomware

http://blog.fortinet.com/2017/05/15/wannacry-ransomware

 

 

Are You Prepared for a Cyberwar?

We make it our business to protect yours. Former white hat hacker Joshua Petty will be presenting the unexpected sources of security threats and how to defend yourself. In light of the recent global ransomware attacks, this information could prove invaluable. We think you should be there.

Fortinet is the largest security appliance vendor, and when partnered with Fluid IT Services you know that your information is protected. The topics over lunch will cover simple ways to harden your infrastructure, how to manage your security with minimal effort, and arming your staff to become more security conscious.

Space is limited, so register today to secure your place at the table. We look forward to your participation.

Tuesday, June 6, 2017 @12pm

Maggiano's Little Italy 6001 West Park Blvd.

What you can expect:
  • Security insights from the experts
  • Fine Italian dining
  • GOPRO giveaway with all the accessories to get you started

Register Now

How 20 Minutes Can Save Your Business: 4 of 4

In my previous post, I promised 4 topics that if considered may make you re-think outsourcing IT.  We started with the specialized knowledge required to keep IT running smoothly for a business today.  No one (or two) person will have it all.  If you missed it, check it out here.  Next we covered the strategic role IT should play in your organization.  Here's #2.  In my third post, I covered reducing risk.  Sometimes we don't consider how much key-person risk we have in our businesses.  This post will help you consider that. Today, I'm going to focus on cost.

Reason #4 - Cost is King: Why Managed Services are MORE Affordable

For small businesses, costs are a critical measurement. The cost to maintain an internal employee’s technical acumen can be monumental. Salary, workers compensation, benefits, and payroll taxes are not cheap. Small companies do not have access to healthcare discounts that large enterprises can harness. Adding regular and expensive training for an IT staffer is a significant increase to those costs. Every course sponsored by your company makes an employee more valuable on the open market. Every course neglected creates risk for your business.

If you are making investments in hardware to maintain an on-premise environment, what happens in the event of an economic downturn? There is no better example than that of the ever-changing Oil and Gas industry. I have seen large infrastructure investments made during a growth period, followed immediately by a downturn. Many found themselves paying for hardware they can no longer utilize effectively.

All things considered, outsourcing IT is less expensive than the cost to maintain a full-time employee. If your industry is facing a downturn, a managed services agreement allows you to scale down. When you experience growth you can easily scale up. You gain access to a team of experts instead of relying on the expertise of one person or a small team. A recent Gartner study cited that 80% of small business would “realize significant savings from outsourcing e-mail management alone.” Imagine the savings in outsourcing other technology components.

Bottom line: If you own or operate a small business you should be evaluating IT outsourcing. A 20 minute conversation might just change your life.

 

How 20 Minutes Can Save Your Business: 3 of 4

In my previous post, I promised 4 topics that if considered may make you re-think outsourcing IT.  We started with the specialized knowledge required to keep IT running smoothly for a business today.  No one (or two) person will have it all.  If you missed it, check it out here.  Next we covered the strategic role IT should play in your organization.  Here's #2. Today, I'm going to focus on reducing risk.

Reason #3 - Taking the Stress out of Taking Vacation (Reducing risk)

What would happen if the only employee familiar with your IT environment resigns? Or just goes on vacation? What is the procedure when a server goes down in the middle of the night? Would anyone notice before business was disrupted the next day?

When a small company chooses to use a managed service provider, these questions are no longer relevant. You are not impacted by the loss of an employee or having to scramble when they go on vacation. If a business-critical system goes down, you will be notified and it will be handled quickly. If the power goes down on site your systems are not impacted (depending on your level/type of service). If your company is subject to compliance requirements, you don’t have to worry if you are meeting them. For many businesses, managed services provide peace of mind and value that more than compensate for the cost.

Have you taken a hard look at the cost of a full-time IT employee? Read the last of this series, Cost.

 

How 20 Minutes Can Save Your Business: 2 of 4

In my previous post, I promised 4 topics that if considered may make you re-think outsourcing IT.  We started with the specialized knowledge required to keep IT running smoothly for a business today.  No one (or two) person will have it all.  If you missed it, check it out here. Today, I'm going to focus on the strategic support you get from the right IT partner.  IT should be a business enabler, not a cost center.  The right partner will provide that support.

Reason #2 - From Password Resets to Profit (Setting an IT Strategy)

If you currently have a full-time IT employee or team, how often do they approach executives to get input on how to better support the business using technology? Based upon experience, my guess would be not very often. Smaller IT shops typically do not have the time to keep all of their systems up to date (not to mention password resets, break/fix, email issues), much less consider how to make the technology profitable. The most valuable function an IT organization can provide is not just keeping the lights on, it is enabling the business to grow.

Outsourcing your IT to a managed service provider gives you access to consultants that will work to align technology with your business strategy. Some even provide virtual CIO services, such as planning a technology roadmap, developing an IT budget, and analyzing and reworking business processes.

How are you mitigating the risks associated with maintaining an IT environment? See our next installment on Reducing Risk.

 

How 20 Minutes Can Save Your Business (And Your Sanity)

You are busy, I get it. There is not enough time in the day for you to finish the tasks on your plate, much less extra time to evaluate new technology options. Whether you are part of a small internal IT team or your company has added IT maintenance to your ever-growing list of responsibilities, Fluid has you covered.  There are 4 key reasons to consider outsourcing IT that you may not have thought of in the past.  I'll cover these reasons in a 4-part series.  So if you have 20 minutes, read on and we might be able to change your IT life!

Reason #1 - Specialized Knowledge

I recently participated in a meeting with a potential managed services client whose IT staff consisted of two full time IT employees who both left the company unexpectedly. The reasons they exited are common in small business, though are not often considered in decisions regarding outsourcing. For one employee, the responsibilities were just too overwhelming and they could not handle the workload; the other believed that they did not have a vertical career path. Unfortunately, most small companies cannot afford IT employees with the depth and breadth of knowledge required to adequately run an entire IT environment. Many of the good ones don’t stick around because they are offered more money for their skills by larger companies. The damages left in the wake of their departure were systems and hardware that had not been updated in years, creating significant risk for this business and few options to resolve the issues quickly.

With the decision to outsource, you leverage the collective knowledge of a much larger IT organization. You receive the benefit of much broader coverage, access to expertise and skills you would not have otherwise, and reassurance knowing that critical systems will be maintained consistently.

Are you getting the strategic guidance that you need to grow your business? Check out the next installment on General Business Consulting.

 

Security Breaches: The Kiss of Death for Small Business

For romantics, a kiss signifies love, affection, or respect. Unless you receive the kiss of death, which signifies that your days are numbered. For small business, a cyber-security breach is the dreaded kiss of death. security metrics 2.0Here are some stats that’ll start your heart from recent studies from Property Casualty 360 and Small Business Trends:

- 62% of cyber-attacks are focused on small to medium businesses - Only 14% of these businesses rating their ability to mitigate an attack as highly effective - Average cost of a breach for a small business, including damage or theft of assets and disruption of normal operations is slightly over $1.8M - 60% of small companies will go out of business within six months after an attack

While it may be surprising that 60% of SMBs attacked will be out of business, once you understand the typical cost of a successful attack, it’s far less surprising.

So do small business owners just give up in the face of these threats? Nah, that’s not the way entrepreneurs roll. Most small businesses can outsource the mitigation of this risk for less than $1K per month, offloading both the risk and the time that it takes to manage a security solution. For a small business, this can be the difference between life or death, much like an insurance policy.

In the world today, it’s no longer a matter of IF your company will be hit by a cyber-attack, it is a matter of WHEN. The question that you should ask yourself is, “Do I have almost 2 million dollars to handle it retroactively, or does it make more sense to spend $1,000 per month to proactively protect my livelihood and my customers?”

For a frank discussion on cyber-security and ways to mitigate these risk, reach out to Fluid. We can help.

[gravityform id="1" title="true" description="true"]