Business of IT

Destination Unknown – Cybersecurity without a defined objective is a path to disaster

Vacation time!

Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.

Scenario 1: Planning for a vacation.

When planning a vacation, most people take the following steps:

  1. Determine the budget.

  2. Choose the destination.

  3. Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).

  4. Decide where to stay (choose hotel, condo, Airbnb, etc.).

  5. Choose mode of transportation (plane, car, boat, etc.).

  6. Book flights, rent car, plan your driving route, etc. 

  7. Book babysitter, dog sitter, house sitter, etc.

  8. Plan activities while on vacation.

  9. Begin the journey to the destination.

  10. Arrive at the destination.

  11. Have fun!

All the above has a cost element to be considered, which can cause the vacation plans to change. Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although a budget should be the first step in the planning process, people oftentimes choose a desired destination and then adjust the budget accordingly.

Another important step when planning a vacation is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination?

Therefore, it’s also important to utilize outside resources for information and contact experts who are able to provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.

Cybersecurity Time!

If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency. 

Scenario 2: Choosing and implementing the best solution and level of cybersecurity

When planning for cybersecurity implementation, business leaders should take several steps:

  1. Determine the budget.

  2. Choose the level of security needed for the business.

  3. Analyze each security element to understand what it does and doesn’t do.

  4. Based on the analysis, determine the priority and order for implementing each element.

  5. Determine who will be responsible for assessing the solution options.

  6. Decide when to begin implementing the security solutions.

  7. Decide who will be involved in the implementation process.

  8. Plan the implementation process and any impact to the business (downtime, users, etc.).

  9. Ensure all relevant parties have been informed, then begin implementation.

  10. Implement the solution and test (sometimes in phases or using pilot groups).

  11. Complete implementation and make the necessary adjustments.

  12. Conduct a post-review of the project to determine areas for future improvement.

Planning a Vacation vs. Planning Cybersecurity Implementation

While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity. 

When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend.  Most businesses don’t even have a budget for cybersecurity, so there’s no starting point.  In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.

While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEOs (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.

Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.

Start with Communication

CEOs and C-level executives:

  • Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.

  • When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.

  • Stay as involved as you possibly can before, during and after the implementation process.  

If you are an IT professional:

  • Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.

  • Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.

Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks. 

The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:

Define, Determine and Decide

As the diagram below illustrates, there are various levels of cybersecurity.

Step 1. Define and understand each level.

  • Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.

Step 2. Determine what level of security the company currently has.

  • None, Basic, Advanced or Comprehensive

Step 3. Decide on which security level to target during implementation.

  • Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”. So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee-driven risks for prevention – AV, training, email ATP.

[Diagram: SecurityLevels.png]

Step 4. Implement, monitor and communicate

  • Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.

  • A simple diagram, like the one below, is a helpful tool when explaining the progress of implementation to management.

This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.

[Diagram: SecurityStatus.png]

Step 5. Update management on an ongoing basis

  • Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. 

The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.

[Diagram: SecurityCommunication.png]

Embrace the journey!

Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red.  Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.

Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business.  But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. 

It’s important to take a step back to understand the ‘why’, then work on the ‘what’. Create a communication method that works for the business, then begin to focus on the ‘how’ and ‘when’ to take the appropriate action.

 

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

Despite all the statistics that point to the fact that businesses, without the proper security measures, will likely suffer from a cyberattack, cyber threats are still being viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from being able to even enter the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer. While some of the topics are technical in nature, the questions are driven from a focus on the business itself.

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget that is reviewed annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can your employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10 Moderate Risk: 15-25 High Risk: 30-50 Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!

If you didn’t score a 10 or below, then getting to the green (low-risk range) won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

Recession Obsession

If you’ve been alive 10 years, you’ve been through a recession – the Great Recession actually.  If you’ve been alive 20 years, you’ve been through two recessions.  30 years on the planet will give you…you guessed it, three recessions.  Although recessions do seem to be cyclical, they don’t always happen every 10 years. Over the last 50 years, there have been 7 recessions.

Gas Lines and Baby Food Jars

The ramifications of a recession also change over time. Being 53 years old, I recall my grandparents saving every coffee can, baby food jar, and plastic container to repurpose and use for storing things throughout the house. As products of the Great Depression, they were raised to literally save everything. I can also distinctly recall having to wait in long lines for gas during the recession in the 1970s. My father and I would park the car in line at the gas station and go to the nearby strip mall to kill time for two hours while we waited for the line to move.

Although not a recession, I recall Black Monday in 1987 when the stock market dropped over 22%.  I was working at a financial planning firm at the time and that was not a good day, and not just because it was Monday.

Dot Bomb Bubble Burst

In the early 2000s, the dot com bubble burst, and turned into the dot “bomb”. It seemed like anyone with a web-based idea was given millions of dollars in funding without having to show any profits (a scenario which still occurs today). eToys.com, Webvan.com, Pets.com, and many more were all wiped out almost overnight.

Most recently, we can all recall, if not relate, to the Great Recession that occurred in 2007-2009 when the housing bubble burst due to the subprime mortgage crisis.  The term “government bailout” became a major thorn, and the nemesis for many household brands.  Many are still recovering from this economic meltdown. However, the prosperity over the past 10 years has dulled some of the sting.

But, some are now warning us that the great run we have enjoyed may be slowing down, and we’re potentially headed for a recession.  Search Google for “Recession 2019” and you’ll find blue-chip names discussing the very likely possibility that a recession is looming.

Before it's too late!

I have owned a technology company, Fluid IT Services, for the past 17 years, and we felt the impact of the 2007 recession – but in an interesting way. We provide IT solutions and support for small to mid-sized businesses, and the cost of our services is typically less than the cost of one full-time employee. Although we lost the clients who unfortunately went out of business, we gained new clients who needed to cut costs and couldn’t afford full-time IT staff.

We certainly had to cut costs ourselves and manage everything more tightly, but we were okay because our risks were spread sufficiently, and we provide a service that is “recession friendly”.  We continued to grow as the economy improved, but always with a keen eye on our market segment and the economy as a whole.

As the economic signs, signals, metrics, statistics, etc. started showing a downturn, we’ve used it as an opportunity to get our business in order.  It’s much easier to evaluate all your people, processes and technology-related costs, and make sure that your business is operating as efficiently as possible, before things go south.

Every company has and uses technology (IT) constantly. Most companies today wouldn’t be able to function without IT.  But, when times are good, costs related to IT (and other business functions) may not be closely monitored because sales and revenue can cure many ills.  However, it’s best to ensure your IT house is in order before the times get tough and budgets get tight.

Start by asking questions

An analysis of your current IT spend at a detailed level may be as exciting as watching paint dry, but it’s crucial when dollars tighten. IT cost analysis can also be difficult. Even knowing which items to include when analyzing your IT spend can be confusing. I’ve found that it’s easiest to start by asking questions…

  1. What are my costs for internet, phones, software subscriptions, IT support, computers, etc.?
  2. What hardware needs to be replaced soon? How much will it cost to replace?
  3. What costs can be reduced or eliminated?
  4. What costs are a bare minimum to keep the lights on?
  5. When was the last time I evaluated all my contracts related to technology and what are the terms? Being locked into an expensive 5-year contract at the beginning of a downturn is no fun.

Good news...

We can help! At Fluid, we help companies analyze their IT costs almost daily. So, we already know where most of the IT costs are found, where the skeletons are buried, what is reasonable, and what is outrageous.  As a provider of outsourced IT services for small to medium businesses, we have to know these costs because we’re responsible for managing them in order to be a good steward with our clients’ hard-earned money spent on IT.

We also take it one step further by using a more proactive and strategic approach to IT. We will hope for the best, but also help you plan for the worst by discussing current and future business needs, goals and “what if” scenarios. Once we have this information, we can provide guidance on ways to cut IT costs and suggest solutions that will generate revenue and specifically align with each client’s business plan.

Don’t be afraid to say you don’t know and bring in experts to help you understand your costs.  It will reap rewards now and help you sleep better when economic conditions do change.  Feel free to call Fluid IT, we love this stuff!  Our main objective is to help people with their businesses and see IT in action!

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line! It’s time to punch it across the goal line!”

Colleague: “Got it! You can count on me!”

A week later…

Me: “So that project was completed, right?”

Colleague: “No, I’m still working on it. I need to add some more detail.”

Me: “What! I thought I told you and we agreed this needed to be done asap!? Like yesterday.”

Colleague: “Oh, I’m sorry. You didn’t tell me it was urgent.”

Me: “I did tell you it was urgent. Remember ‘the one-yard line’, ‘the goal line’?”

Colleague: “Yeah I kind of recall something like that.”

Me: “Then why didn’t you get it done??”

Colleague: “Why are you yelling at me? I have no idea what you meant.”

Me: “Why didn’t you ask?”

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show that many business owners rely on their insurance policy to save them instead of protecting their assets proactively. I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

There is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant. I can keep showing business owners all the statistics. But, most of them still don’t properly plan for or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach. But what is ransomware? What is a breach? What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

When Is The Right Time To Hire A CIO Who Can Take Your Small To Mid-Sized Business To The Next Level?

A CIO (Chief Information Officer) can provide a great deal of value to any business — large or small. They not only help set technology standards, but they help the company keep an eye on the future. Smaller businesses often struggle to support this position, however, because they often operate on tighter budgets. The role is frequently divided up among many members of the executive team.

Before you lump CIO responsibilities onto other members of your team, consider outsourcing the role.

What Is A CIO, and Do I Need One?

CIOs are generally found in large or enterprise companies, specifically those with over 250 employees. This executive level role helps ensure that any selected technology is able to move the company forward. The CIO is also forward looking, keeping an eye on which new technologies might benefit the company.

A CIO is:

  • Dedicated to extracting maximum value from implemented technologies
  • Strategically focused rather than tactical
  • Constantly learning about the latest technologies that can provide value

Small to mid-size companies usually do not have a CIO position. When a CIO is not present, responsibilities are usually piled onto an IT Manager, Director or even shared across several managers. But for more complex use of technology or when technology implementation becomes large or far-reaching, these quasi-roles can break down.

IT managers are usually tactically focused. They may have some focus on strategy but day-to-day tasks can distract from having a purely strategic focus. A CIO will not have such distractions.

In businesses that have distributed software via cloud services or SaaS, knowing where everything is located and which data is coming to and from the company is important for the integrity of security and privacy. Especially for any company that must be HIPAA compliant (to name only one type of compliance), ensuring compliance of complex systems is critical. This is where a CIO can play an important role.

"In addition to handling issues as they've come up, Fluid has done a great job of getting out in front of things and consulting with us. They let us know when we need to start thinking about upgrades or capacity increases -- letting us know what's on the horizon for the technology of our company. When we've had issues, they've been very good about thinking out of the box and really being an outsourced CIO."

The CIO's Role in Driving Business Growth

To drive business growth, the CIO’s role shouldn’t be isolated to IT. Instead, the CIO should be integrated into overall business strategy discussions. Even better if the CIO steps up and becomes actively involved in helping shape the overall business strategy. Having the CIO report directly and regularly to the CEO rather than IT support groups can build trust with other C-level members. The result is a more cohesive business strategy and greater potential for the business.

What many businesses don’t realize, however, is that the CIO doesn’t have to be in-house in order to drive the business forward. Partnering with an IT provider who puts business first can be a way to get the benefit of having a CIO without adding to company headcount.

Looking To Bridge the Gap?

Your company may not yet require (or be able to afford) a CIO on-staff. And many IT providers have limitations when it comes to overall business strategy. Finding the right provider who has both IT expertise and business focus can solve a lot of problems for small to mid-sized businesses or larger companies that can’t yet budget for a CIO position. If you’re ready to work with a team that can move your IT from break/fix support to business driver, don’t hesitate to contact us here at Fluid IT Services.

What Should You Do When Your Data Is Held for Ransom?

You come into work on a typical Monday morning… and find something devastating. One of your machines was infected with the Crypto virus, which then spread to your main servers.

All of your files are locked.

But it gets worse.

The virus owner is demanding you pay a ransom – or lose your files forever.

Does that sound like the plot of a modern action movie? Well, sadly, it’s not. It happens to businesses every day. In fact, it happened to some of our IT support clients.

Lessons From a Near Death Experience

“It was a near death experience for us. One more day being down and we would literally have been out of business.”

This statement may seem dramatic, but it is actually a quote from one of our long-time IT support clients. And it was all too true. Due to several missteps by their cloud provider, the Crypto virus caused 7 days of downtime.

This was no mom-and-pop shop, either. This was a 50+ employee company with multiple locations brought to a standstill due to this horrible virus.

No business wants to be in this situation. Most businesses couldn’t survive a full week of being completely down. So you might be asking, What can I do to avoid getting a virus?

First, let’s set the record straight. It is a myth that you can secure your business so tightly that you never get a computer virus. Even with the best firewalls, anti-virus software, intrusion protection, Internet filtering and policies in place, your system may still get infected at some point. Why? Because…

  1. Virus protection is a cat-and-mouse game. New viruses are created and released every minute, and antivirus software must be updated to contend with each one.
  2. People are only human. Human error is the number one reason companies get infected. Well-meaning employees click on the wrong thing while surfing the web or reading emails, or they open infected attachments.
  3. Many hackers are diabolically smart. Many viruses are cleverly disguised to look safe and legitimate. That infected email might have a very real-looking logo from a major company. That attachment might look like a resume PDF – one you’ve actually been expecting – only to reveal itself as a virus once you open it.

So what’s a business to do? Beyond the IT team doing all they can to protect the business against viruses, the most important deterrent is user education.

Do all of your users really know what not to click on and what not to open? Do they know what telltale virus clues to look for? Hackers are getting more clever and sophisticated, so this education has to become even more of a priority today. Many users are so busy that they quickly open and click just to move on with their day. But taking those extra few seconds to assess before they click might mean the difference between life and death for your business.

Your Business EMTs: The Response Team

Once a virus is found, the company must move quickly into an organized response process. This should include a designated and well-trained response team that can jump right into action. Whether that team is made up of internal IT people or a third-party IT support vendor, identifying this team before a virus hits is critical.

In the past week alone, we have seen 5 clients’ systems become infected with dangerous viruses. Most of them were infected with some form of Crypto virus, which locks you out of your files (encrypts them) and tells you to pay a ransom to regain access. If you don’t pay the ransom within the “kidnapper’s” timeframe, your files will remain locked forever.

So if you are hit with a Crypto virus, what steps should you take?

  1. Inform your IT staff so they can begin the response process and investigate the severity of the infection.
  2. Every virus comes with a “payload.” This is what really does the damage to your systems. If the payload has not been activated, your IT team may be able to remove the virus without any damage.
  3. If the payload has been activated with a Crypto virus, this means you will be unable to access your files – and you must choose one of these two options:
    a. Determine when the payload was activated and restore clean files from a backup prior to that date and time.
    b. Pay the ransom and hope the hacker will unlock your files.

Choosing 3a or 3b is a business decision – not a technical one. Because of the financial implication (in money and downtime) in paying a ransom for data, only the business leadership can make this call. To make that call wisely, though, they need the best information their IT team can provide.

To Pay or Not to Pay

Just this week alone we have seen both cases: paying ransom and restoring from a backup. In all cases the clients were able to get their data back and get back to business, but only after several days of costly downtime.

But let me be very clear: paying the ransom is no guarantee. In that case, you are trusting the hacker (the person who infected your system in the first place!) to keep up their end of the bargain.

Because no one can guarantee paying the ransom will work – or work long-term — many companies choose to restore their data from backups. This can be a relatively easy endeavor, or one that is very painful. Success depends on knowing these key pieces of information before restoring from a backup:

  1. Do you know the last date/time your data was clean, and do you have backups from that date and prior?
  2. Is the good data backup prior to the virus still viable? For example, if the last known good backup was 30 days ago, that data may be so old that restoring it would be useless.
  3. Are the backups complete server container backups or only file backups? This is VERY important. Server container backups may be restored with the underlying server software, software application and data all at one time, which only takes hours. File-level backups require manually rebuilding the servers, configuring them, loading the software, configuring it and finally loading the files — which can take days.
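
The three questions above, and option 3a in the response steps, all hinge on estimating when the payload activated. As an added example (not code from the original article), this Python code estimates that time from a burst of file modifications and then picks the newest backup that predates it; the backup catalog fields, thresholds, safety margin and sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta

def estimate_onset(mtimes, window=timedelta(minutes=10), threshold=50):
    """Start of the first window with >= threshold file modifications, or None.
    Mass encryption rewrites many files at once; both defaults are assumptions."""
    times = sorted(mtimes)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return times[left]
    return None

def pick_restore_point(backups, onset, max_age=timedelta(days=7),
                       margin=timedelta(hours=1)):
    """Newest backup finished before the onset (less a safety margin), with
    the answers to the other two questions: still usable? full server image?"""
    clean = [b for b in backups if b["finished"] <= onset - margin]
    if not clean:
        return None  # every backup may already contain encrypted files
    best = max(clean, key=lambda b: b["finished"])
    lost = onset - best["finished"]
    return {"backup": best["id"], "data_loss": lost,
            "viable": lost <= max_age, "full_image": best["kind"] == "image"}

# Constructed sample data (not from the article).
BASE = datetime(2024, 3, 1, 9, 0)
NORMAL = [BASE + timedelta(minutes=37 * i) for i in range(60)]    # routine edits
BURST_START = datetime(2024, 3, 2, 23, 40)
BURST = [BURST_START + timedelta(seconds=2 * i) for i in range(300)]  # encryption run
BACKUPS = [
    {"id": "img-0201", "kind": "image", "finished": datetime(2024, 2, 1, 2, 0)},
    {"id": "file-0302", "kind": "file", "finished": datetime(2024, 3, 2, 1, 0)},
    {"id": "file-0303", "kind": "file", "finished": datetime(2024, 3, 3, 1, 0)},
]

if __name__ == "__main__":
    onset = estimate_onset(NORMAL + BURST)
    plan = pick_restore_point(BACKUPS, onset)
    print("estimated payload activation:", onset)
    print("restore from:", plan)
```

In practice the modification times would come from walking the affected file shares. With this sample data the newest clean backup is file-level only, which is the slow rebuild path the article describes.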

In the nightmare case of the business that was down for over seven days, critical events happened that worsened the situation. First, the Crypto virus response timeframe had lapsed, so paying the ransom was no longer an option. But second — and worst of all — the backups the cloud provider had were not server container backups (which the vendor had promised they would be), but file-level backups only.

This last problem forced us to work with the cloud provider to restore the file backups. To do this, we had to figure out the last day the data was clean. Only then could we figure out where to start. However, before actually restoring the files, we also had to do the following.

  • Rebuild the virtual servers
  • Load and configure Windows Server
  • Load and configure the software applications (e.g. QuickBooks)
  • Restore files to each server
  • Reset the printer settings, file sharing settings, and user settings

If the cloud provider had done their part right, this would have taken 2 days. But unfortunately they made mistakes at almost every step, creating a lot of rework for everyone. The end result was that it took over 7 full days and over 130 hours from our team to help them get it right.

Do the math. That’s 7 days x 24 hours = 168 hours of downtime. That shows you just how intense (and expensive) getting a virus can be.

What You Should Do Right Now to Protect Your Business

In the Fluid cloud, our proprietary cloud solution, our backups have multiple layers and always include server container backups. In this same situation we would have had them back online in less than 24 hours.

No one wants a computer virus, and certainly no business wants to be down a day — much less a week. Here are some steps you can take with your business to be more proactive, so you can better avoid viruses and be more prepared to respond if you do get hit:

  1. Educate your management and users on the importance of information security. Provide them with simple tip-sheets of dos and don’ts, and follow it up with face-to-face training.
  2. Ensure your IT department or provider has the right type of data backups — and that those backups are current.
  3. Define and confirm who is on your response team and what their process is. This way they are ready to respond in a calm and methodical fashion if and when a virus infects your systems.
  4. Most importantly, be prepared. Regardless of all the precautions and preparations, you still may get infected at some point.

If you have not done ALL of the above, you are at serious risk of getting a computer virus, and of business downtime. Contact us at Fluid IT Services and we will be glad to help fill the gaps!

Reinventing Law Practice with the Cloud

When Len Musgrove started his own law practice, IT was just another frustration and expense. He was all-ears when Wade Yeaman said, “The cloud would be an easier, more cost-effective solution.”