Disaster Recovery

5 Data Security Tips for Accounting Firms

From working hand-in-hand with our CPA firm, Accounting services, and Bookkeeping clients over the years, we know a thing or two about data security and how best to protect your firm from data losses or data breaches.  In today’s world, accounting firms must do everything they can to protect their clients’ sensitive financial information.  We’ve pulled together a few best practices for you to keep in mind.

1) Assess your current data protection and security levels

If you never measure your security performance, you never know if your network and data are secure or not.  That is, until you learn from a breach or malicious virus that you had poor security after all.  We recommend an outside firm provide an annual security assessment and review.  You may not have the time or budget to implement all suggestions, but at least you will know your weaknesses and you can develop a plan to improve over time.

 

2) Physical security, Information Systems Policies

Your network can be bullet proof to hackers and your data encrypted, but if your team isn’t trained or your office isn’t physically secure, your data is still at risk.

  • Ensure the physical security of your office with card keys, visitor logs and badges, and proper locks on doors leading to all critical infrastructure.
  • Use cable locks to ensure laptops, desktops, tablets, and any other critical devices are locked to desks.
  • Policies for each employee
    • Clean desk (no sensitive information left on desks, whiteboards or print stations)
    • Password policies that define the proper construction and maintenance of passwords
    • Acceptable use for utilizing company data and technical assets
    • Mobile device policies to help employees understand the risks associated with mobile devices
  • Keep users informed and accountable
    • Training classes are a great vehicle for delivering written policies and procedures
    • Weekly (or even monthly) information security newsletters can help remind users of the importance of information security, as well as provide updates on the latest trends and threats.

 

3) Secure technology solutions

This is the sweet spot.  We feel you need to start from the outside and work toward each user device to implement proper security.

  • Are your cloud vendors PCI compliant? It’s a great standard that can generally be trusted.
  • Follow best practices when setting up office infrastructure
    • Place a business grade firewall at the front of the network that is supported and continually updated
    • Ensure WiFi networks use strong passwords and encryption protocols. Keep guest networks separate from internal networks.
    • A business-grade Anti-virus solution for all PCs
    • Standard email defense software
  • Do you know what compliance regulations your business or your customer’s business requires you to have?

 

4) Automated backup and disaster recovery

What if you are hacked or a malicious virus infects your system?  If major financial institutions or Fortune 500 companies have some vulnerability, you probably will too (even if you follow some of these tips).

Can you recreate lost data or data held hostage by a malicious virus?  Do you conduct a periodic test of your data backups to confirm their validity?  Do you have multiple layers of backup – local, onsite, offsite?

A good, up-to-date backup or disaster recovery solution can be your “get out of jail (almost) free” card if you run into a problem.

 

5) Address your BYOD policy and its security implications

The use of personal devices on a company network to handle client data is always one of your largest security concerns.  If you allow company data on personal devices, there are some steps you can take to limit the security vulnerabilities this may cause.  Here are a couple of ideas:

  • Have a policy in place that states when it is acceptable to use personal devices for work purposes. If it is acceptable, provide guidelines to help employees understand the risks of using personal devices for business purposes.
  • Have a mobile device management (MDM) solution deployed to help manage all company data on personal devices.

 

The cost of proper security, if done proactively, will generally be much cheaper than the cost of a data breach or work stoppage from an IT problem.  Your firm can work on some of the solutions on your own.  A proactive IT partner like Fluid IT Services can help you with the rest.  Give us a call and we’ll help you out!

What in the World… Series Went Wrong?

 

Anyone in the United States, or much of the world for that matter, is very aware of that giant of sporting spectaculars, the fall classic known as the World Series.  The first game was an absolute thriller, starting off with a leadoff first pitch inside-the-park homerun (last accomplished in a World Series in 1929 and first leadoff since 1903), continuing for 14 innings over 5 hours and 9 minutes, tying the record for the most innings in World Series history.  Pretty heady stuff, but that wasn’t even the big story.

“We are experiencing technical difficulties”

What stole the show was the inexplicable 4 to 5 minute blackout that literally shut down the game and made millions of viewers blast four letter tirades at their televisions.  The problem - the Fox broadcast lost power, which would never have been noticed had the first generator not failed, but the backup generator also failed.  What are the chances of that?!  Both backup generators ‘failed’.  I’m sure someone at Fox will become the ceremonial fall guy for that one.

With Fox paying around $500 million for the broadcast rights to the World Series, this is no laughing matter and a very expensive “technical glitch”.  It is very obvious what the immediate impact is in a situation like this – millions of pissed off viewers, panic stricken Fox technicians, irked broadcasters (Joe Buck was NOT happy) and mortified Fox executives.  But what about the aftermath?  Is there any lingering negative effect on the Fox brand, trust, and goodwill?  Only time will tell.  The point is, it was the worst possible thing that could happen at the worst possible time on the world’s largest stage.

But they did everything right, didn’t they?

Technically speaking, Fox, if they did as they say, had the right setup – a backup generator with a second backup generator in the event of a power failure and unlikely failure of the first generator.  This is what we call N+1 in technology speak.  It means for critical systems, always have one more than you need to fail over to if there is an issue.  This certainly met the criteria for a ‘critical system’ and they had N+1, but it still wasn’t enough.  You can bet Fox is opening their wallet today to spend whatever it takes to avoid this issue again, even if it means having four generators on standby with a person physically watching each one throughout the broadcast.  By the way, having more redundancy than just one more backup than you need is typically called 2N+1, where you have twice the redundancy, or in this case 3-4 generators.  We may see just that outside the stadium on Wednesday night.

It’s not if it happens, but when

The situation was bad enough, but had it happened during one of the 162 regular season games back in April it would have registered as a blip on the radar.  Happening during the first game of the World Series blew up the radar and made every front page – it became the story.  If you are a business owner or operator, you should take notice.  I’m sure Fox thought this could ‘never happen’ but now we know otherwise.  What if this happened to your business at the absolute most critical time?  What would it cost you?  What would you be willing to spend to prevent it from happening again?

Sadly, most small to mid-sized companies do not have redundant systems simply due to the cost and the minimal risk of a critical failure actually happening.  The cost vs. risk just won’t justify it… unless it happens to you.  However, this very public SNAFU happening in the most unlikely of situations to one of the world’s largest companies (number 97 on the Fortune 500) shows it can happen to anyone at any time.

Is your business aware of the risks?

Forget about backup generators. Do you even know where the weak points are in your business?  Do you know every single-point-of-failure that could bring your company down?  If you don’t, you should get busy and find out. Not sure where to begin? Contact us and we can help you start the process.  After all, being in the dark is the worst place to be, especially when watching the World Series.

 

Need more information? Check out our Valued Added Solutions and why Fluid can help.

How to Build Your IT Structure from the Foundation Up

My father ran a fence and ranch supply business for 30 years without having any technology. He was quite proud of this. All receipts were handwritten and he did not take credit cards. But the simple truth is his business couldn’t exist that way today. You can’t run a business without technology anymore. Not just because it’s inefficient, but also because technology is now critical to providing customers with the best service and experience.

What are the baseline IT needs for my company?

Every company has baseline, foundational IT needs upon which business-specific technology is built. The great news is that baseline technology is similar for almost every company in every industry – so establishing your technology foundation should be pretty straightforward.

The Foundational Layer

In every company there will be layers of technical solutions, which are stacked to meet business needs. Business-specific technology is built on top of baseline technology, and users (employees, customers, vendors, etc.) are set up on top of it all.

Think about your baseline technology as the plumbing for your house. Plumbing is done first, unseen, and is critical to supporting the daily needs of the household. You build the house over and around the plumbing – and you build your business-specific technology over and around your baseline technology.

So what, specifically, is your baseline technology? It’s the core technology for communication and collaboration. They don’t call a technology network a “network” for nothing – your network connects all the pieces together so you can communicate.

Baseline technology typically includes:

  1. Security
    • Examples: firewall, anti-virus software
  2. Networking
    • Examples: network switches, routers, wireless access points
  3. Cabling
    • Examples: network cabling for computers, phones, video, etc.
  4. Servers
    • Examples: physical or cloud-based servers to host business software
  5. End-user devices
    • Examples: laptops, desktops, tablets
  6. Printing and imaging
    • Examples: Local or remote printers
  7. Core baseline software
    • Examples: Windows Server, remote access, email, data backup, accounting

Keep in mind that even baseline technology is not a “one and done” solution. All technology has a useful life — typically in the 3-5 year range — and must be replaced at the end of its lifespan. Plans and budgets should be developed to replace each accordingly.

The “House” Layer

Baseline technology – or your technology foundation – is very standardized and repeatable. It’s like toilet paper – everyone needs it and it must be continually replenished.

The next layer of technology, built on top of your baseline layer, is your business-specific technology. Think of this as the “house” that’s built over the foundation of the baseline layer. Most business verticals have a range of hardware and software solutions specific to the particular business – so this is where things get narrower in scope.

For example, someone in the oil and gas industry may use Well Pro 101 for their wells and OGSYS for geology data. A home builder may use BuildLinks software for construction management. These are solutions built on top of the baseline technology.

What Kind of Structure Do You Need?

When the time comes to determine your baseline and business-specific technology needs, at least two people need to be in the room:

1)    A skilled technical resource to define solutions to meet all your baseline needs

2)    A business person that can define the business requirements for the right business solutions

This is where the real value is – aligning the technology to the business!

Once you confirm your baseline technology needs and your business-specific technology needs, you will then need someone to support it all. Typically, IT support services are also broken down into baseline and business-specific.

Business-specific technologies are more commonly supported by the vendor that provides the solution. For example, BuildLinks, Inc. will support your BuildLinks software, and Programs 101 will support your Well Pro 101 software.

For your baseline technology support, however, there are thousands of IT service firms to choose from, because the technology is basically the same for any company in any industry. Choose someone who understands how all of the technology works together with your specific business needs and requirements.

Not to toot our own horn, but assessing your business requirements is where Fluid always begins every new client relationship – no matter how small or how large your company. We develop an IT roadmap for you and continually update it over time to ensure continual alignment between IT and business. Whoever you choose to work with, make sure they understand your business.

News Flash!!! Data Backup is NOT Disaster Recovery… you should have both!

Data Recovery Showdown: Backup vs. Disaster Recovery

As the founder and CEO of Fluid IT Services, I cannot count the number of times I have had the following conversation.

Me: Do you have data backups of your critical data?

Client: Yes, we backup every day.

Me: Do you have a disaster recovery plan?

Client: Yes, as I mentioned, we backup every day.

This makes me cringe because it immediately tells me the client’s business is at significant risk — and they don’t even realize they are susceptible.  It’s time for a little education on backups versus disaster recovery.

Data backups are just that — a backup of your data stored somewhere.  The ideal situation for data backup is as follows:

  1. All data is backed up on a daily basis to an external source (like an external hard drive) in your office
  2. Mission-critical data is backed up offsite using the internet to a third-party location
  3. Periodic validation of the backup data (typically monthly or quarterly)

We often find that companies do numbers 1 and 2, but almost none do the most critical step 3 — validation.  Data backup software can run “successfully” and look good, but that does not mean the underlying data itself is good.  If data is corrupt, backup software will not know this, and it will back up the “bad” data successfully.  The only way to know if the backup data is good is to actually look at it periodically to confirm it is accurate.

We recommend clients restore select files from their backups on a regular basis and examine them for accuracy.  The best method is to execute a full system restore once a year to ensure all files are valid.  However, many companies cannot afford the downtime nor have the expertise to do such a drill.  A partial file restore is better than none at all.
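
One way to automate the partial-restore check described above, shown as an added example (not Fluid's tooling): record a SHA-256 manifest of the live data while it is known good, then compare a test restore against it. It assumes the restore tool preserves file modification times; the function names and sample files are hypothetical.

```python
import hashlib, os, random, shutil, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Run against live data while it is known good; store the result off the backup media."""
    manifest = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p), "mtime": int(p.stat().st_mtime)}
    return manifest

def verify_restore(manifest, restore_root, sample_size=None, seed=None):
    """Check a test restore (all files, or a random sample) against the manifest."""
    names = sorted(manifest)
    if sample_size is not None and sample_size < len(names):
        names = sorted(random.Random(seed).sample(names, sample_size))
    report = {"ok": [], "missing": [], "changed": [], "corrupt": []}
    for name in names:
        p, want = Path(restore_root) / name, manifest[name]
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_file(p) == want["sha256"]:
            report["ok"].append(name)
        elif int(p.stat().st_mtime) == want["mtime"]:
            # Different bytes, same timestamp: a "successful" backup of damaged data.
            report["corrupt"].append(name)
        else:
            report["changed"].append(name)  # edited after the manifest; review by hand
    return report

def demo():
    """Constructed sample files plus a test restore with three injected faults."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restore")
        src.mkdir()
        for name in ("ledger.csv", "payroll.csv", "clients.csv", "notes.txt"):
            (src / name).write_text(f"constructed sample data for {name}\n")
        manifest = build_manifest(src)
        shutil.copytree(src, dst)  # copy2 keeps mtimes, like a faithful restore
        st = (dst / "ledger.csv").stat()
        (dst / "ledger.csv").write_text("garbled\n")  # corruption, timestamp kept
        os.utime(dst / "ledger.csv", ns=(st.st_atime_ns, st.st_mtime_ns))
        (dst / "notes.txt").write_text("edited later\n")  # legitimate edit
        os.utime(dst / "notes.txt", (st.st_atime, st.st_mtime + 60))
        (dst / "payroll.csv").unlink()  # file the backup never captured
        return verify_restore(manifest, dst)
```

Anything reported as `missing` or `corrupt` means the backup job's "success" status cannot be trusted for that file; `changed` entries are files edited since the manifest was taken and need a manual look.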

However, data backups do NOT provide the ability for a company to recover quickly in the event of a disaster that compromises their core data.  A disaster could be as dramatic as a tornado taking your building out, or something as simple as flooding, theft or a prolonged power outage.  In any of these scenarios, you may have your data backed up, but you have no place to put that data to get your systems up and running.  Consequently, recovery time can often take weeks.

Disaster recovery, on the other hand, means having not only your data in an offsite location, but the additional hardware required to bring all your systems online quickly — in hours, not days or weeks.

A disaster recovery solution includes the following:

  • Data backed up on a regular basis to an offsite data center
  • Hardware in place to bring all systems online when a disaster is declared
  • Technical resources available to bring the systems online and redirect users to the offsite location

Most small- to mid-sized organizations have disaster recovery as a “to do” item on their list. But due to the high cost of building and maintaining a second location, they are unable to ever cross it off of that list.

The good news is today there are many options for checking disaster recovery off of your to-do list by using third-party solutions, such as Fluid IT Services.

With Fluid Disaster Recovery as your service solution, we can back up your data to an offsite location on a recurring basis and be ready to bring those systems online in multiple ways:

  • Warm Recovery – Data is in the offsite data center, but the actual systems are not made active until the customer declares a disaster and requests specified systems be brought online.
  • Hot Recovery – Data is in the offsite data center and the systems are live and running at all times for an immediate cutover to the disaster recovery site in the event a disaster is declared.
  • We can also do a combination of the two, based on the criticality of your systems.  For example, file sharing can be on a warm recovery while accounting  systems are on a hot recovery plan.

Do not let the fear of high costs deter you from having a disaster recovery plan and solution.  The fact is your business cannot survive without one.

Car Spa Focuses on its Core Business by Moving Data Management to the Fluid Cloud

After a winter storm with power outages revealed limitations and inadequacies of Car Spa's in-house IT systems, Car Spa engaged Fluid. The results for Car Spa were greater IT efficiency, availability, and security detailed in this case study.