Don't let bureaucracy slow down your cyber security program

Businesses don’t have the time, budget or skills to adequately cover and mitigate all the very real security risks that could take them out of business at any time. Nor do companies want to hire full time staff just to manage security. In a new global report from the Center for Strategic and International Studies along with Intel Security, the importance of senior leadership supporting cyber security implementation is made crystal clear. Here's a great summary of the report from Help Net Security: Attackers thrive in a fluid market, while bureaucracy constrains defenders.

Fluid handles this by providing a comprehensive layered approach to security for the entire organization, creating a security fabric to cover it all – Security-as-a-Service.

It’s not a matter of if but when you will have a security incident.  Be prepared.  Be proactive. Be responsive.  Be responsible.  If you would like to learn more about Fluid’s Security-as-a-Service offering, please contact us.

 

Understanding Office 365

I recently asked a very savvy business colleague the question “What is Office 365 to you?” Their response was “Outlook”. This is very surprising and telling because it comes from someone who has been using Office 365 for over a year! Ever since Microsoft launched Office 365 on June 28, 2011 (yes, it is already 5 years old!), there has been tremendous confusion in the marketplace about what Office 365 really is. Five years later and there is even more confusion and misunderstanding. Whether you are a single consumer or a 500-employee company, I find a tremendous gap in what people think Office 365 is versus what it really is and can do.

There are over 85 Office 365 product SKUs!

Although the person I questioned may be using Office 365 for just email and Outlook, it is something far greater: basically an entire ecosystem of solutions that can be tailored to your specific needs. Further complicating the matter, the Office 365 ecosystem continues to grow, with new offerings added all the time. For example, Dynamics 365 was released just this fall.

Office 365 has different product licensing and pricing for consumer, corporate, government and academic user types. Certain Office 365 products are available if you have 300 employees or fewer, but are not available once you cross that threshold.

The core basic concept and offering of Office 365 is the bundling of mainstream Microsoft products with the bundles defined to meet specific user and/or company needs.

You can buy pre-bundled packages

For a small company, you can buy packages based on your specific needs.  For example –

  • Office 365 Business Essentials – for companies that need email and file sharing, but don’t need Microsoft Office, this package includes only Exchange Outlook email, OneDrive Business, Skype for Business, and Team Sites (SharePoint)
  • Office 365 Business – for companies that need the MS Office suite, but don’t need email, this package includes Outlook (no email), OneNote, Word, Excel, PowerPoint, Publisher and OneDrive
  • Office 365 Business Premium – for companies that need both email and the MS Office suite, this package includes Exchange Outlook email, OneNote, Word, Excel, PowerPoint, Publisher, Skype for Business, Team Sites (SharePoint), and OneDrive

However, these packages are only available to companies with fewer than 300 employees. If there are 300+ employees you must use the ProPlus or Enterprise editions, which also have multiple bundled package offerings.

The Enterprise level also provides additional software solutions, such as –

  • Microsoft Access
  • Skype for Business voice capability
  • Power BI business analytics

 

You can add-on numerous individual products incrementally

Additional Microsoft solutions and products may be added incrementally to an Office 365 account based on specific business needs.  These may include services such as –

  • In-Place Hold to preserve deleted and edited emails for legal requirements
  • Hosted Voicemail
  • Data Loss Prevention to help identify, monitor and protect sensitive data, such as PII and PCI
  • Offsite backup of laptops/desktops using OneDrive
  • Microsoft Project Pro for Office 365
  • Microsoft Visio Pro for Office 365
  • Azure cloud services
  • Intune mobile device management
  • Sway (how many of you have even heard of this product?!)

Had enough yet?!

Did you know OneDrive is now robust enough that it could replace other mainstream solutions such as Box.com and Dropbox at a fraction of the cost?  Or that you can backup server data offsite using Azure with your Office 365 subscription?

This short article should make it clear that Office 365 is a very robust set of solutions, but equally complicated to understand. It’s no wonder that, when asked, many think of Office 365 as a black hole with no hope of understanding it all. The good news is you don’t have to, but you do need to know to ask for help. It’s amazing how many people and companies do not know where to go for help, or know but don’t ask.

Fluid is one of a few Microsoft Cloud Solution Provider (CSP) Partners, which means we not only have expertise in Office 365, we provide end-user support directly.  We can also help educate you on the best fit for your needs, as well as provide end-user training on the Office 365 products you already have to ensure you are maximizing the value of the solutions.

If you need help with Office 365, call Fluid today!

IT Security Framework for Accounting Firms

The AICPA released two sets of criteria for public comment this week (Sept 2016) regarding cyber security. Both focus on different elements, but the common theme is the AICPA trying to develop a common framework for audit firms to evaluate the cyber security of their clients (risks and compliance). While this will prove to be very helpful, it got us thinking at Fluid: Do CPA firms themselves have a framework for their own security? Are CPA firms adequately protected from data breaches of their clients’ financial information? Are accounting firms prepared to react to and recover from a malicious threat that may cause data loss or temporarily impact the productivity of the team?

Data security is a pressing issue for CPA firms given the rising level of attacks and the sensitive financial data accountants work with. A few data points –

  • Over ½ a billion personal records were stolen in 2015
  • Phishing campaigns targeting employees rose 55% in 2015
  • Ransomware increased by 35% in 2015 (362K reported cases)
  • 1 in 220 emails sent contain malware (431M new malware variants found)

While developing your own cyber security framework may seem daunting given the rapidly shifting threats, the task at hand can be greatly simplified if you break it down into its component parts (and work with professionals). At Fluid, we support our clients in 4 primary areas that each firm must address to have a comprehensive security plan.

1) Compliance Management:

Does your firm understand all levels of compliance required given the data your firm interacts with? This can range from data retention compliance standards to data-center configuration standards. Often great compliance management starts with proper documentation, but relies on staff training and monthly monitoring to ensure/validate compliance.

2) Perimeter Management:

Think of your IT perimeter like the physical perimeter of a secure building. Are all entries and exits secured and guarded? Firewalls, cloud services, and email are major vulnerability points that should be managed and monitored for security purposes. BYOD and the proliferation of mobile devices have extended this perimeter, but these additional problems have solutions if they are approached systematically.

3) Vulnerability Monitoring and Threat Response:

You may know your weaknesses today, but that will change tomorrow; you need to monitor for attacks and have an active response if any attacks are detected. Much of this can be automated, but some expert oversight can make sure you don’t have any unintended gaps.

4) Cloud Backup and Disaster Recovery:

Even the best-run IT Departments may run into an occasional problem, ranging from accidental data loss to a malicious breach. We’ve found from our experience with clients that having a robust, offsite backup in a secure cloud environment can minimize the impact of most problems and greatly improve recovery times.

 

Whether you know it or not, your firm has ongoing IT activities in each of these 4 areas, which require ongoing focus and continual improvement – security is never ‘one and done’.

If you want to review your security practices, give us a call. We can help.

DNC That Coming! Email Security for Your Business

I was sitting down to write a blog on security, focused on some of the latest data published regarding how IT security impacts small to medium businesses and before I could begin I was lobbed a softball by the Democratic National Convention – a leak (breach) of Democratic Party emails last weekend allegedly conducted, or at least backed, by Russia.

So what happened?

“On Sunday, Hillary Clinton’s campaign manager, Robby Mook, accused Russia of working through hackers to access 19,000 emails at the Democratic National Committee that were dumped into the public domain last Friday by WikiLeaks. The emails showed DNC staffers working to help Clinton’s campaign during her primary fight against Bernie Sanders, despite the DNC’s publicly neutral stance,”*

Why is it important?

We’re an IT Services and IT Security Company, so we’ll try to leave politics aside for this blog. In that spirit, what can we learn from an IT perspective from the leak?

 

Email isn’t just communication, it’s valuable personal and corporate data

Sometimes we separate email from other corporate data, but that’s a mistake. In a typical company email system, hackers could potentially find information on corporate strategy, personally identifying information, financial information, IT system passwords, and other information that could help in further attacks through phishing, etc. Our email isn’t just communication, it’s data that needs to be protected.

While these hackers weren’t looking for credit card numbers in the DNC email, they did learn (and expose) a lot of information about strategy, tactics, and plans that were certainly not intended for the public. In the 19,000 emails, how much personally identifiable information (PII, in security speak) was present? Within the thousands of emails there could be a need for risk mitigation and damage control, not to mention the potential for lawsuits and fines.

 

Not all email is secure, use encrypted email for sensitive information

Many people still “trust” email as a secure communication method and willingly share private information such as credit card numbers, social security numbers, and healthcare information, to name a few. In the hands of the wrong people that can be very dangerous and costly to many people. Email is not secure by default and must be encrypted prior to sending to have proper security for sharing any private information. If you’ve ever received an email from your doctor or financial institution that sends you to a website to log in to read your email, that is a secure, encrypted email.

 

Security experts are giving you plenty of warning. The time to listen is now.

Security experts have been beating the drum for a while now – cyber attacks are growing at an alarming rate and frequently the target is shifting to small businesses. Another troubling aspect of this breach is that “Federal investigators tried to warn the Democratic National Committee about a potential intrusion in their computer network months before the party moved to try to fix the problem, U.S. officials briefed on the probe tell CNN.” If true, and the FBI warned the DNC and they did not act, it creates a massive problem for the DNC leadership and their credibility. Action in fact was swift as the DNC Chairwoman, Debbie Wasserman Schultz, announced her resignation on Sunday. Further evidence showed “The DNC brought in consultants from the private security firm CrowdStrike in April. And by the time suspected Russian hackers were kicked out of the DNC network in June, the hackers had been inside for about a year.”**

A year! That is a long time to be gathering data and suggests more is likely to be leaked. In fact, WikiLeaks founder Julian Assange has virtually already stated as much. All those emails, all that data is still out in the public domain where anyone with access to the internet can see them.

Federal investigators may not be calling you with warnings about your small business, but security experts have been beating the drum for a while now – cyber attacks are growing at an alarming rate and frequently the target is shifting to small businesses. It’s time to listen to the experts and take basic steps to protect your company.

 

Borders don’t protect your company in cyber attacks

It’s being reported that these attacks came from Russia. Borders can’t protect us from the rest of the world when it comes to cyber attacks. Prosecution and restitution for damages caused by an attack is not going to happen. As an example, once funds are extorted into a foreign country through ransomware, consider it gone with no recourse.

For your business, the foreign nature of attacks is alarming due to the lack of accountability and prosecution; for the DNC breach, the motivation and ability to influence our country’s political process is very alarming.

It’s been stated that the intent was to expose DNC members that used email to sway people to one candidate over the other, something that is fundamentally against the DNC charter. Was this done to just embarrass the DNC or was it a wider sweeping intent to impact our actual Presidential election process in November? If it was in fact Russia, did they do this to make the DNC look unscrupulous in hopes to sway voters to the other Party? The repercussions are HUGE – potentially impacting the outcome of who will be our next President!

Protect yourself!

Some simple steps could have avoided this disaster or at least mitigated it. Just a few things to consider as you run your business –

  1. Robust IT security monitoring and management to proactively detect malicious attacks
  2. Defined governance process and procedures to define what is and is not acceptable
  3. Employee training programs on what to look for, what to NOT put in email
  4. A defined Security Response Procedure to act quickly and decidedly if attacked
  5. Take any warnings seriously and address them now

If you can’t check each one of these off your list, call us and we’ll make sure you can. And don’t be surprised when a new wave of hacked emails is made public.

 

*https://www.yahoo.com/news/chris-van-hollen-russian-dnc-000000889.html

**http://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

5 Data Security Tips for Accounting Firms

From working hand-in-hand with our CPA firm, accounting services, and bookkeeping clients over the years, we know a thing or two about data security and how best to protect your firm from data losses or data breaches. In today’s world, accounting firms must do everything they can to protect their clients’ sensitive financial information. We’ve pulled together a few best practices for you to keep in mind.

1) Assess your current data protection and security levels

If you never measure your security performance, you never know if your network and data are secure or not.  That is, until you learn from a breach or malicious virus that you had poor security after all.  We recommend an outside firm provide an annual security assessment and review.  You may not have the time or budget to implement all suggestions, but at least you will know your weaknesses and you can develop a plan to improve over time.

 

2) Physical security, Information Systems Policies

Your network can be bullet proof to hackers and your data encrypted, but if your team isn’t trained or your office isn’t physically secure, your data is still at risk.

  • Ensure the physical security of your office with card keys, visitor logs and badges, and proper locks on doors leading to all critical infrastructure.
  • Use cable locks to ensure laptops, desktops, tablets, and any other critical devices are locked to desks.
  • Policies for each employee
    • Clean desk (no sensitive information left on desks, whiteboards or print stations)
    • Password policies that define the proper construction and maintenance of passwords
    • Acceptable use for utilizing company data and technical assets
    • Mobile device policies to help employees understand the risks associated with mobile devices
  • Keep users informed and accountable
    • Training classes are a great vehicle for delivering written policies and procedures
    • Weekly (or even monthly) information security newsletters can help remind users of the importance of information security, as well as provide updates on the latest trends and threats.

 

3) Secure technology solutions

This is the sweet spot.  We feel you need to start from the outside and work toward each user device to implement proper security.

  • Are your cloud vendors PCI compliant? It’s a great standard that can generally be trusted.
  • Follow best practices when setting up office infrastructure
    • Place a business grade firewall at the front of the network that is supported and continually updated
    • Ensure WiFi networks use strong passwords and encryption protocols. Keep guest networks separate from internal networks.
    • A business-grade Anti-virus solution for all PCs
    • Standard email defense software
  • Do you know what compliance regulations your business or your customer’s business requires you to have?

 

4) Automated backup and disaster recovery

What if you are hacked or a malicious virus infects your system? If major financial institutions or Fortune 500 companies have some vulnerability, you probably will too (even if you follow some of these tips).

Can you recreate lost data or data held hostage by a malicious virus?  Do you conduct a periodic test of your data backups to confirm their validity?  Do you have multiple layers of backup – local, onsite, offsite?

A good, up-to-date backup or disaster recovery solution can be your “get out of jail (almost) free” card if you run into a problem.

 

5) Address your BYOD policy and its security implications

The use of personal devices on a company network to handle client data is always one of your largest security concerns.  If you allow company data on personal devices, there are some steps you can take to limit the security vulnerabilities this may cause.  Here are a couple of ideas:

  • Have a policy in place that states when it is acceptable to use personal devices for work purposes. If it is acceptable, provide guidelines to help employees understand the risks of using personal devices for business purposes.
  • Have a mobile device management (MDM) solution deployed to help manage all company data on personal devices.

 

The cost of proper security, if done proactively, will generally be much cheaper than the cost of a data breach or work stoppage from an IT problem.  Your firm can work on some of the solutions on your own.  A proactive IT partner like Fluid IT Services can help you with the rest.  Give us a call and we’ll help you out!

Billions Lost to CEO Email Scams

I am emailed hundreds of articles and blogs every day, and although 80% may not be of particular interest, there is always a nugget or two worth reading. Today was no exception, and I received one that particularly caught my eye. Posted this morning, April 16, 2016, and written by Brian Krebs from www.KrebsonSecurity.com, it had the very eye-catching title –

"FBI: $2.3 Billion Lost to CEO Email Scams."

As a CEO and one that receives at least two to three scam emails that make it past our email defense, this one really hit home. As I read the article, it became eerily apparent that our company had been hit by this scam many times over the past four months. It made me think if our little company has been hit that many times, how many of my other CEO friends have been or may be hit shortly? This is my small attempt to spread the word and hopefully help someone avoid a costly and embarrassing disaster.

Here's how it basically works –

  1. Staff in your financial department, typically the CFO, controller, etc. receive an email directly from the CEO’s legitimate email account asking to authorize a wire transfer of funds.
  2. The CEO being very busy and authorizing many transfers to run a business quickly sees the email and answers ‘yes’ assuming it must be legitimate since it came from your inside CFO.
  3. The CFO then provides the wiring instructions, and the amount is transferred to the bad guys.

In the blink of an eye, your company is out thousands if not millions of dollars. Although you might think a request like this would raise red flags, it is very brief and includes names that are all legitimate within the company. Furthermore, it is very common for CEOs to authorize wires through the course of normal business. I authorize a minimum of two to three a month.

Taking an excerpt from Krebs’s excellent article –

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

A typical CEO fraud attack. Image: Phishme

The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars.

Last month, the Associated Press wrote that toy maker Mattel lost $3 million in 2015 thanks to a CEO fraud phishing scam. In 2015, tech firm Ubiquiti disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a CEO fraud scam. In February 2015, email con artists made off with $17.2 million from The Scoular Co., an employee-owned commodities trader. More recently, I wrote about a slightly more complex CEO fraud scheme that incorporated a phony phone call from a phisher posing as an accountant at KPMG.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

As you can see in the email image above, it looks very innocuous and legitimate. My accounting team has received this very email from me at least 4 times in the past few months. Thankfully, they know better and we have two-factor authentication, as suggested in the article. Once we request a transfer, there is a second step required that only I can do with information only I would have.

In talking to our in-house security expert, I learned this type of scam is actually not called phishing but whaling, because it targets a much smaller number of high-profile individuals with access to larger sums of money.

I encourage you to share this information with your accounting team as well as your clients where appropriate. It is deceptively simple to fall for, and I know at least two of my CEO friends that were literally one button click away from transferring over $60,000 before they did the last second double-check and avoided the disaster.

You can read the full article here –

http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/

 

 

Why Is My Office WiFi So Slow?

Most offices use WiFi today to provide alternative Internet access for staff and visitors. It can be very frustrating when WiFi performance becomes a problem – especially when WiFi speeds are no longer fast enough to meet business needs. Read on to diagnose your slow WiFi, and learn exactly how to speed it up.

How WiFi Works

To figure out why your WiFi may be slow, it helps to have a basic understanding of how WiFi works.

WiFi speeds are directly related to the underlying Internet service speeds provided by your Internet service provider (ISP). If your Internet service has a maximum speed of 5 Mbps, then your maximum WiFi speeds can only be 5 Mbps – and realistically, WiFi speeds will typically be slower.

WiFi is always less reliable than wired Internet access because of the inherent limitations related to wireless technology.

As the density (number of devices accessing WiFi) of a wireless network increases – not only in your office space but also in the surrounding spaces – the quality of your WiFi connection can decrease. Here is a normal scenario that plays out in offices all the time:

You start an office with five employees, who bring smartphones, laptops, and tablets that connect to your WiFi. There are no other tenants in the office spaces around your suite.

Over the next 12 months, you increase to 15 employees who connect to WiFi. Now all the surrounding office suites are also occupied, and each of those offices have 5-10 people accessing WiFi.

You decide to allow your guests to access WiFi, and you provide them with a guest password.

At this point, the WiFi density has increased dramatically and everyone is vying for the same wireless frequencies. Even though the other office suites are on different ISPs, the Internet is being broadcast over the same frequencies and everyone is sharing those frequencies.

It’s hard to catch this gradual increase in usage in your own office – but it’s even harder to notice it in the offices that surround yours. But this overall increase in WiFi usage is going to deteriorate your WiFi performance – and the technical setup that used to work for your business may now need some upgrades.

The Limitations of WiFi

Businesses and WiFi users often expect WiFi to do more than it can do, too.

You may want to use tablets throughout your building, or wirelessly access software in the cloud while also doing VOIP (voice over the Internet) calls. While these things are technically possible, the WiFi performance will likely be poor. As you move around, you may enter dead zones (areas where the WiFi signal is poor). Also, the basic technical limitations of VOIP solutions ensure that wireless Internet calls are not going to deliver the same consistent quality that you’ll experience from a wired Internet connection or a landline phone (though this technology is improving quickly!).

More companies are also wanting to provide better WiFi access for their guests, who are often important customers. This is a great idea – but it does put additional pressure on the WiFi service. The more guests you have using your WiFi service, the less WiFi service is available for your internal staff.

How to Speed Up Your WiFi

So what’s a modern business to do?

Here are five tips:

  1. Have your IT service provider perform a detailed wireless assessment of your office space. Doing so will tell you
    1. The density of usage in your office and surrounding spaces
    2. What areas in the office have poor coverage
    3. What frequencies are used and how much
  2. Based on the wireless assessment, have your IT team make improvements by adding or moving wireless access points (WAPs) to cover dead zones. They can also fine-tune WAPs to use the frequencies with the best coverage.
  3. Cap your guest WiFi. First, make sure your guest WiFi network is secured by its own password. Then, segment it from the company WiFi with a “cap” configured to keep guest users from hogging all the WiFi bandwidth. For example, if you have 5 Mbps total bandwidth available, cap the guest WiFi to use no more than 1 Mbps to ensure employees always have the bandwidth they need to do their jobs.
  4. Evaluate how your office is using WiFi to confirm your current setup can actually meet expectations. If you are asking it to do too much, you should lower your expectations accordingly.
  5. If you have done all of the above and still want/need better service, go to your ISP and ask them to provide options and pricing for an increase in service. Going from 5 Mbps to 10 Mbps doubles the available bandwidth for everyone to use – and that includes WiFi.

In most cases, the best approach to increasing your WiFi speed is to educate yourself. Find out how your office is using WiFi and confirm what is actually possible with your current setup.

The smartest way to do this is to get a wireless assessment. We perform this assessment using very specific hardware and software tools. Once you’re armed with this information, you can figure out exactly what to do to improve your WiFi performance.

Does Overseas IT Support Really Work?

As an IT services company, this is a question we get all the time: Will offshore or overseas support work for our business?

It’s a legitimate question, and one that deserves a thorough answer because overseas IT support can be a very effective cost-saving measure.

The Growth of the Overseas Outsourcing Trend

Many years ago, large enterprises started outsourcing their IT services and support overseas to save money. Pretty soon, this practice spread into small and medium businesses and throughout every business segment. Initially, this outsourcing did exactly what it was supposed to do: it provided necessary IT support while saving the company money.

The problem that businesses began to face, however, was a dramatic decline in the quality of service and support. Sure, companies were saving money, but they were driving customers away because those customers would not tolerate the drop in quality of service.

Overseas support also caused the practical issue of language barriers. Strong accents made even simple communication very frustrating. This is a touchy issue that many people don’t want to discuss, but it’s a very real business problem. This is not an indictment of the overseas support people’s skills or abilities at all – it’s just a reality when two very different languages and business cultures are trying to communicate.

More than likely, you have experienced this yourself when you call for support for one of the products you own. I sure have. Every time I call AT&T for support with my home telecommunications services, it is a frustrating experience. Because the AT&T support representative on the other end of the line has a thick accent, the call takes two or three times as long as it should. We spend so much time trying to understand each other – and often I don’t get the resolution I need.

It’s no wonder many business owners and managers hesitate when it comes to outsourcing their support needs to overseas teams.

But. But! There are cases where overseas IT support can work.

When Outsourcing IT Support Overseas May Be the Right Move

When the support role requires limited interaction with staff and end-users, it can work well for businesses. This is especially true when the role is very technical.

Software development is a perfect example. This can easily be done by someone overseas at a fraction of the cost of local U.S. support, as long as the software support process is clearly defined and the technical requirements and specifications are detailed.

When outsourcing to overseas support is successful, these support resources end up costing the business less money, of course. But there’s a second benefit many companies don’t consider: the time zone difference.

Time zone differences are often an issue in real-time business operations. But with non-urgent technical support, it can be a good thing. If your support team is 8-12 hours different from your local time, and you log a support request during your workday, the support team will be working on that request while you sleep. So when you come into the office the next day, you should have an answer waiting.

When Offshore IT Support Fails

The more a support person has to interact with your staff or end customers, the more challenging it becomes – and the more the quality of service declines.

We have tried using overseas IT support for our clients, so we know this from experience. We had to pull the plug a few months in because the support didn’t meet our quality-of-service expectations.

However, we do still use overseas support for some internal tasks that do not require direct interaction with customers and do not require extensive interaction with our internal team.

The Answer Is: It Depends

In my experience, the likelihood that offshore IT support services will work for your business is directly related to the amount of interaction required.

The higher the interaction level, the lower the success rate.

Conversely, tasks that can be done with little or no interaction are very good candidates for overseas support.

A great example of tasks that would match well with offshore support would be routine research and list-building tasks.

If you need to have a support person contact or communicate with customers or staff – overseas support may not be a good move for you.

In summary, the potential for success or failure is dependent on the tasks you need IT support personnel to perform.

Avoid Getting Hit By An IT Tornado

Knowing what not to do when starting a new endeavor in your small or medium-sized business can save you lots of time and money.

Starting up an internal IT department or assigning that responsibility to a single individual is no different.

In this article, I’ll show you four IT-related areas that you’ll want to cover to keep ahead of the game.

1. Identify an Internal Point Person for IT

Most SMBs don’t have the budget to hire an IT person. By default, there is either no one given operational responsibility for IT or it is informally tossed around to various people like a hot potato.

It's not surprising that non-IT people don't want this responsibility. But leaving it unaddressed, ignored and informal makes matters worse because it forces everyone to be involved to some degree.

Every company -- no matter the size -- should have IT as a fundamental operational area and discipline within their business. This means they should have a person responsible for it. When it comes to importance, IT is not much different than accounting. But you never find a company, no matter how small, that doesn’t have someone responsible for accounting.

The person responsible for IT does not have to be technical or know how to “do” IT. But they do need to manage IT operations.

Many times, this falls to the financial controller or CFO due to the costs related to IT. The most important thing is that the person knows what the role entails and what areas of responsibility they have.

Fundamentally, the IT “manager” should have operational responsibility for business critical elements such as:

  1. Development of a basic IT strategy that is mapped to overall business goals
  2. Development of an annual budget for IT based on a strategy
  3. Managing third-party technology vendors
  4. Assuming the role or designating a single “gatekeeper” for managing all requests for IT services and support
  5. Conducting annual or semi-annual reviews with business leadership and key IT vendors to ensure an IT strategy is being followed and modified as necessary
  6. Ensuring the company follows a standardized approach to IT (e.g. standard desktops), project management, and gathering requirements (for new software, etc.).

2. Involve IT Early

One theme we continually run into is companies not involving IT soon enough -- or at all -- in business decisions. Many areas of IT have lead times that cannot be shortened regardless of how loud you might yell. The result is key business goals that are missed, which has a direct negative impact on the business.

Some examples we commonly see are:

  1. It’s Friday afternoon and the office manager casually mentions the new employee starting on Monday that will need to be “set up.” Adding a new employee (user) requires planning and lead time for any equipment that must be ordered, additional software licenses, email and other systems setup, etc. The lead time to order a new workstation alone is often 2-4 weeks. Giving IT at least 30 days’ notice ensures the new employee will have a machine to work on.
  2. It’s Monday, February 8th, and the owner says the company is opening a new branch on March 1. The space is already leased. The furniture, painting, and prep have been scheduled. Ten new employees will be starting on March 1 in the new space and will need access to systems. We already know the problem we may be facing with getting all the machines in on time from #1 above. But the bigger problem is Internet service in the new office. Not only do you have to find out what Internet service options are available at the new address, but once a business-class Internet solution has been decided upon, it typically takes 30-45 days to get the service in place after documents have been With only three weeks’ notice in this example, the company may have a new office with no Internet for 1-2 weeks. Being productive with no Internet service is difficult.
  3. The marketing department hired a new vendor to provide a customer relationship management (CRM) solution. The vendor will also be developing custom capabilities for the department. If IT is not involved in this decision, the company may discover some unfortunate surprises: the vendor’s new solution does not work with existing software, they have horrible support, their software is using outdated technology, the CRM doesn’t meet compliance requirements, etc. No one wants to be in the position to say “I wish I had known about this six months ago.”

Moral of the story -- always involve IT as soon as possible and let them opt out if they aren’t needed.

3. Avoid Consumer-Grade Anything

In the IT world, there is a big difference between business-grade solutions and consumer grade. Many companies avoid business-grade solutions due to the higher cost. What they aren’t factoring in is the costs related to downtime due to failed equipment, higher support costs to maintain and manage the equipment, and overall lack of features, functionality, and business security requirements.

When added up, these costs are always higher than the cost difference between business-grade and consumer-grade solutions.

A common example we see includes running to Best Buy to purchase critical equipment, which might include:

  1. A Linksys network switch
  2. A laptop for a new employee
  3. A Cisco router
  4. A Netgear wireless device

All of these items are critical infrastructure components for the company, yet they are purposely not built with all the robust capabilities a business requires. They are built with homeowners in mind, for whom these extra capabilities are unnecessary.

IT should be involved up-front in the decision-making process. They can make recommendations based on specifications that meet business needs while also meeting the quality requirements of IT for features, security, and support.

4. Keep Support Agreements up to Date

Many companies take a “buy it and forget it” approach to their critical equipment.

Virtually every piece of technology a company purchases should come with a warranty and support agreement from the manufacturer.

These support agreements are typically 1, 2 or 3 years in length. If the support agreement is allowed to lapse, IT staff will not be able to get the support they need in the event of an issue, which is not an “if” but a “when” proposition.

A great example would be the company firewall support contract. The renewal notice is sent to the office manager and after a year or two of use, they have no recollection of the device and ignore the email. Consequently, the firewall support contract lapses. Then, when the firewall goes down, IT is brought in to fix the issue. They call the manufacturer to get help and are told they cannot provide assistance because there is no support for the unit. What should have been a 1- or 2-hour outage now becomes a week while everyone scrambles to get the support renewed. This is a significant negative impact on the business.

Keeping an inventory of all IT assets, along with their support renewal dates, is tedious but not difficult, and it will pay dividends in avoiding painful, unnecessary outages.

IT is Critical for Businesses of All Sizes Today

Having someone in charge of IT operations that can provide oversight in all these areas, even if delegating it to their IT vendor, will avoid a business tornado. If you don’t have anyone in charge of your IT, don’t hesitate to contact us here at Fluid IT Services. We’d love to talk to you about what would work for your specific business.

5 Tech Trends Your Business Must Know

Technology moves at a fast pace, and trying to keep up with everything can be overwhelming. But there are some trends you must understand and plan for your business to survive. These five IT trends are impacting businesses in a big way. Here’s what you need to know -- and how you need to plan for them.

Security Blanket

Security is top of mind for every company. With the constant media attention on security breaches, hacks and deficiencies, it’s been pounded into our brains.

Being aware is one thing.

Being protected and prepared is altogether different.

Providing comprehensive security, both physical and logical, for a company is challenging today. It used devices. There were also fewer software vendors, many of which had their applications running on company-owned infrastructure or collocated infrastructure in a single datacenter.

In hindsight, we had it easy.

Today, companies are using numerous software

  • Box or Dropbox for file sharing
  • Office 365 for email
  • SalesForce or Sugar for customer relationship management (CRM)
  • QuickBooks for accounting
  • Another for practice management or manufacturing
  • Another for document management
  • Another for voice over IP (VOIP)

You get the idea. It is not uncommon for even the smallest of companies to have six or more different vendors providing a line of business applications. As you might imagine, securing all these solutions in a consistent way that meets a business's requirements is a nightmare.

Aside from the normal security functions of data security, secure authentication, encryption, and ensuring all vendors stay current with their security practices, you have the added layer of business-specific compliance.

If you must be compliant with HIPAA, SEC, PCI, etc., then all vendors must meet those specific security requirements and prove it on a regular basis.

You need to have a blanket of security covering the entire business spectrum, including all vendors.

This is a new reality. Dealing with it proactively can save you a great deal of time, unnecessary risk and of course, money.

Vendor Sprawl

With the evolution of the cloud, companies are now using more third-party vendors than ever to deliver services, solutions and software. It’s not uncommon for a company to have six or more different cloud software vendors providing solutions for specific line-of-business needs.

It’s na

Companies don’t want to waste time and money entering data into systems two or three times. They want software vendors to integrate their solutions with each other and pass that data along, so there is a unified, authoritative source.

While many of the mainstream cloud SaaS (software as a service) providers have built-in integration with other applications, it only takes one or two to break the chain.

Once this happens, businesses have a critical decision on their hands:

  1. Go with a different solution that can integrate but lacks all the functionality they need.
  2. Pay the software vendor to build integration to their other solutions.
  3. Do neither and settle for duplicate entry because they can’t lose the functionality or can’t afford the cost.

Compounding this issue is the exponential speed at which new software solutions are being produced and the extraordinary number of vendor transitions occurring through mergers and acquisitions. A great product with excellent customer support is now a part of 800-lb Gorilla Inc.

All of a sudden you’ve become a number with no support.

  1. Do you switch and go through the integration issues all over again?
  2. Is the new solution vendor stable?
  3. Will they be around 2-5 years from now, or will they be made obsolete by the latest innovation?

Another major challenge and headache is vendor management. How does a company manage all these vendors at the same time?

Many times companies are forced to use non-technical personnel for these tasks. Being non-technical, it’s all but impossible for them to know when a vendor is truthful and transparent regarding a legitimate technical limitation versus something that can be done, but they just don’t want to do it.

It’s more important than ever to have , even if they are also a third party.

Companies should have someone on their side, on their team (virtually or actually), providing advisory and vendor-management services to maximize the value of all vendors.

This also helps eliminate any finger-pointing that invariably happens when something goes wrong, and there are multiple parties involved.

Vendor sprawl is real, and it’s a challenge that should be dealt with strategically -- not as an afterthought.

User Behavioral Impact

If you have kids under the age of 25, you know -- they have literally grown up with technology in their hands.

It is typical for your teenager to know vastly more than you do about today’s technologies. My daughter is constantly telling me, “Arghh! Just give it to me dad and I’ll handle it.” And I’m the one in IT!

As our youth grows up in a world of multiple devices and countless apps (I think my daughter must have 10,000), the technology world is moving past us at blazing speeds. Through smartphones, tablets, iPads and wearables, the next generation of users is engulfed in technology from the time they wake until the time they put their heads down at night.

Immediate access to the new universe of technology has changed the way users behave and will continue to impact behavior in the future.

Can you imagine a millennial sitting at their cube waiting five minutes for a web page to load using a 1200 baud modem? No way!

As technologies have become more reliable, faster and ubiquitous, available anywhere at any time for any device, the demand on the IT infrastructure has increased.

Expectations for immediate technical support are no longer a luxury, but a requirement.

Users no longer want to hear about legitimate technical limitations. They want solutions, and they want them now.

User behavior will not only become more demanding, it will also become more complex because users will insist on access to all of their applications with a single ID and password (single sign-on).

Devices will work together, passing information seamlessly along with 99.999% uptime.

For older generations in the workforce, this will become increasingly frustrating -- and it will be career-limiting because it leads to a “keep up or get out” work environment.

The Advisory Gap

For IT to be of maximum value to any business, it needs to align with the business it’s supporting.

Knowing the top 3-5 business objectives for the next 12-36 months is critical. Without that knowledge, the IT staff will be in constant reactive mode, putting out fires.

Ensuring technology enables and drives the business will help create measurable value, rather than an IT helpdesk.

Having excellent IT support processes and t

All companies, regardless of size, should eliminate this blind spot by recognizing the value of IT strategy and planning. Adding it as a recurring element in their business will create value. Ultimately, IT should have a seat at the business strategy table.

It’s amazing to me that when I ask company business leaders what their top 3-5 business objectives are for the next 12-36 months, I get blank stares, regardless of the size of the business.

After more prompting and pointed questions, I finally get some answers. They know the main objectives in their heads, they just haven’t articulated them.

Here’s the rub. If the company leadership can’t easily articulate their strategic business objectives, how can you expect the staff, who are running all the operations, to know them as well?

The truth is, they don’t.

To address this problem and bridge the gap, companies need to recognize the value and need for an IT advisory-level service -- call it a virtual CIO -- and find a trusted, experienced resource that can provide it.

Without it, it’s akin to flying a plane with no flight plan. I’m not sure I’d want to be a passenger on that plane!

CIO-level advisory services should be a regular and recurring part of any business. Of course, a small five-employee company may only need a CIO-type review once a year. A larger company may need such services once a month to ensure IT stays ahead and aligned to the business. But without it, you're flying blind.

Beyond the Smoke and Mirrors

Like many industries, IT is very good at making colossal promises in its marketing material, on its websites and through its sales teams.

This is worse than ever before given the cut-throat competitive nature within IT today.

Every IT vendor out there is promising the world in order to keep that highly coveted dollar -- especially if it is recurring revenue.

Take Office 365 as an example. Microsoft is notorious for releasing products early and letting the public do its testing. Office 365, with the behemoth marketing engine behind it, makes a lot of promises, and it is a good product. But that doesn’t mean it will actually do all it says, do it well enough, or provide the performance and support a business requires. Setting up one new user in Office 365 is one thing. Migrating 100 user accounts from one email platform to Office 365 is an entirely different animal and not an overnight project.

With the explosion of web-based cloud software solutions comes an equal amount of promises. Have you ever heard this one: "Absolutely, our software will integrate with their software, no problem." Only later do you find it doesn't work as advertised.

The obvious problem is the business has planned their operational efficiencies and productivity (aka $$$) around that promise. When things don't go as smoothly as promised, it's the company business that suffers, often with painful consequences – lost revenue, lost customers, inability to add new customers … the list goes on.

For a non-IT-savvy person, seeing through the smoke and mirrors can be difficult, if not impossible.

Making matters worse is the nature of cloud software solution contract terms – “sign up for a 12-month subscription with a nasty termination clause.”

Once you find out all the warts, it’s too late. Not only from a monetary standpoint, but also in the chaos created in your business by making a change.

Having a senior IT person represent the company and thoroughly vet all the options (there are always more than one) can go a long way to avoiding this terrible scenario.

Are You Already Covering These 5 IT Must Haves?

The first thing you need to do to make sure your business is prepared for these five trends is to get your managers and IT team together for a frank discussion. Figure out which areas you might not be covering, then create a strategic plan to address them before they hurt your bottom line.

If you have any concerns or run into something you’re not sure about, don’t hesitate to contact us here at Fluid IT Services.

 

The Fluid View of a Great Team

How do you attract and retain the best people? How do you build a team of talent?

These are questions and challenges every company faces.

We’re no exception. Like most other companies out there, our people are our number one asset.

Our people are so critical to our success, and to the success of the businesses we serve, we have put a lot of focus on defining, creating and nurturing the Fluid culture.

We’ve found that the best people don’t just have superior technical and engineering skills – they are also passionate about customer service and exude our cultural values.

Like three legs of a stool, skills, customer service and culture keep our company – and our clients’ companies – upright.

So what’s our secret to a stellar team and a thriving company culture?

The 8 Power Words

The foundation of the Fluid culture is our 8 Power Words.

  1. Fun
  2. Dedication
  3. High Performance
  4. Devotion
  5. Accountability
  6. Family
  7. Strength
  8. Compassion

These eight words keep us aligned with our company values, give us a target to work toward, and provide a framework that ensures we’re actually living our values and not just giving them lip service.

Each word has a specific meaning, and no word is more important than another. These 8 Power Words are the cornerstone of who we are and a part of everything we do.

Our employee-of-the-month and employee-of-the-year awards are directly tied to measurable and demonstrated achievements aligned with each word. Yes – we even measure commitment to family.

Why do we do this? Because we have discovered that an environment that consistently challenges and stretches our capabilities — while maintaining a sense of fun and keeping family first — enables us to achieve greatness.

That fun starts with a sense of humor in the office – raucous laughter down the hall is a familiar and welcome sound – but it also extends to our passion for technology. We get to work with the latest tech, explore cool gadgets and play in the technology sandbox on a daily basis. This drives excitement and innovation in every corner of our company, which leads directly to better service for our clients.

A Great Team Keeps Growing

As a growing company, nothing is more exciting than finding that next technology expert just waiting for an opportunity to bloom with a great team. We are constantly on the hunt for these exceptional individuals.

To attract those talented employees and keep them happy and engaged, we offer flexible work schedules, new-hire welcome events, regular happy hours, company events – and maybe most importantly – we reward innovation.

When I hear, “I never had this at any other job,” or “This is the best job I’ve ever had!” or “This has been amazing. You really do care about us,” that’s the most amazing feeling.

We are always on the lookout for the best and the brightest. Are you the next reason for us to have a new-hire celebration?

The 2015 Fluid Employee of the Year Is...

Choosing the Fluid Employee of the Year is no cake walk. Not because we lack good candidates – but because we have so many great candidates! We take the selection process very seriously. We tie it directly to our cultural values and our 8 core values (a.k.a. our Power Words) of Family, Strength, Dedication, Accountability, High Performance, Fun, Compassion and Devotion.

There are no favorites here at Fluid – no politics – just a very real dialogue about what our employees have accomplished each month. Sometimes the process of selecting Employee of the Year is simply gut-wrenching because there are so many people who are passionate about what they do, work hard every day, and genuinely care about our clients and one another.

THIS is what makes Fluid so special.

And THIS is why we are so pleased to announce our 2015 Employee of the Year: A man who has earned this title over and over again, standing out even within this team of superstars.

Congratulations, Devin Kindred!

Devin’s role morphed and expanded in 2015. He started out as a senior engineer, then took on the role of Director of Client Services. If that wasn’t enough of a monumental increase in responsibility, he also took on the management of the Help Desk team and Service Ops.

Devin handled these changes with grace, dedication and a great attitude.

He treats clients with respect, works hard for them and is focused on enabling their businesses to grow.

Devin is always willing to help his colleagues with projects and tasks. He has a sixth sense about when a teammate might need a pick-me-up -- and even with everything on his plate, he finds the time to mentor new team members.

Here are just a few things Devin’s teammates had to say about him…

“I’m amazed at how quickly and efficiently he seems to deal with everything on his plate, and he always seems so non-stressed and unruffled. I have a feeling he’s like a duck – calm on the surface but paddling like crazy below the water.”

“If I had a dollar for every client who had positive feedback, pure respect and complete trust in Devin, I would be one wealthy lady. He helps our clients grow and succeed with so much care and pride in what they do and with what we do.”

“He is steady, reliable, and one of the hardest workers I have ever worked with. His positivity and charismatic attitude help lift everyone up around him.”

Thank you, Devin, for everything you do for our team and for our clients. We are lucky to have you!

100 Companies Relied on Backups: Why Only 32 Survived

You’re probably running regular data backups and have a sense of security that your business critical data is safe from failure. There’s an old saying, “Your data is only as good as your last backup.” But that’s only half of the story. The other half is: “Your backups are only as good as your last restore.” You’re already on top of the game by backing up your data, but you need to do more. You need to test your backups.

If you aren’t testing your backups, you’re not alone. According to an article in CIO Magazine, a survey reported that 59% of SMBs were backing up their data, but only 32% were testing their restore processes at least once a month.

The ultimate test for any backup is to restore it. Only then will you know whether your backup system is performing properly and that user errors haven’t been introduced that might skip important data.

Benefits of Testing the Plan

In this article, we discussed the importance of having a checklist in place for restoring your backups. Here are two ways to test your backups:

  • Go through your checklist periodically confirming steps are still valid, noticing any areas that can be improved
  • Perform a full restore simulation

 

A full restore simulation will stress your backup plan. It will also let you know who is needed, how long you can expect a restore to take, which systems are affected and if all data is accessible and on hand.

Why do backups fail?

Even if you have a great restore process in place, sometimes things can still go wrong. Knowing what they are can help you head off additional problems. Here are a few reasons why backups fail:

  • The full backup is corrupt because something in the system corrupted it.
  • Backups create a chain, and when something in that chain is corrupted, a restore cannot continue past that point in the chain.
  • The backups worked, but the data contained corruption before it was backed up.

 

Validating backups on a set schedule can minimize unexpected disasters.
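The three failure reasons listed above, shown as a small restore test. This is an added example, not code from the original article or from any backup product; the archive format, the file names and the helper names (build_chain, damage, restore_test) are assumptions made for illustration, and the data is constructed.

```python
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_chain(deltas):
    """Create a full backup plus incrementals from a list of {path: text} deltas.

    Returns (manifest, store). The manifest keeps the hash recorded when each
    archive was written; the store holds the archive bytes as they are today.
    """
    manifest, store = [], {}
    for i, files in enumerate(deltas):
        name = "full" if i == 0 else f"incr{i}"
        blob = json.dumps(files, sort_keys=True).encode()
        store[name] = blob
        manifest.append({"name": name, "sha256": sha256(blob)})
    return manifest, store


def damage(store, name):
    """Return a copy of the store with one archive altered (simulated bit rot)."""
    copy = dict(store)
    copy[name] = copy[name][:-1] + b"X"
    return copy


def restore(manifest, store):
    """Replay the chain in order and stop at the first archive that is
    missing or no longer matches its recorded hash."""
    restored, last_good, broken_at = {}, None, None
    for entry in manifest:
        blob = store.get(entry["name"])
        if blob is None or sha256(blob) != entry["sha256"]:
            broken_at = entry["name"]
            break  # later incrementals depend on this one, so they are unusable
        restored.update(json.loads(blob))
        last_good = entry["name"]
    return restored, last_good, broken_at


def validate_content(restored):
    """Application-level check: every restored file must still parse.
    Archive hashes cannot catch data that was already bad when backed up."""
    unreadable = []
    for path, text in sorted(restored.items()):
        try:
            json.loads(text)
        except ValueError:
            unreadable.append(path)
    return unreadable


def restore_test(manifest, store):
    restored, last_good, broken_at = restore(manifest, store)
    return {
        "last_good": last_good,
        "broken_at": broken_at,
        "files": sorted(restored),
        "unreadable_files": validate_content(restored),
    }


def demo():
    # Constructed sample data: one full backup followed by two incrementals.
    good = [
        {"customers.json": '{"count": 120}', "invoices.json": '{"open": 7}'},
        {"invoices.json": '{"open": 9}'},
        {"customers.json": '{"count": 125}'},
    ]
    manifest, store = build_chain(good)
    # Same chain, but the source file was already truncated when incr1 ran.
    bad_source = [good[0], {"invoices.json": '{"open": 9'}, good[2]]
    bad_manifest, bad_store = build_chain(bad_source)
    return {
        "healthy": restore_test(manifest, store),
        "broken_link": restore_test(manifest, damage(store, "incr1")),
        "bad_full": restore_test(manifest, damage(store, "full")),
        "bad_source": restore_test(bad_manifest, bad_store),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

In the bad_source case every archive hash matches and the chain restores to the end, yet one file is unusable, which is why the restore has to be followed by a check of the restored data itself.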

We know that there’s always an excuse not to perform restores to validate your backups: limited time, no formalized process for it, not enough disk space, etc. But making sure your backup is good to go in case of emergency can mean life or death for your business. We can’t stress its importance enough.

Are you ready to integrate backup testing into your process?

Testing your backups can be the difference between going down and coming back up or simply going down for the count. Don’t go into this process blindly.

Having an experienced IT team on your side to help you through the backup restore process on a regular basis greatly increases your chances of minimal downtime with a successful outcome. Don’t hesitate to contact us here at Fluid IT Services – we can help you create a backup testing process that works for your business.

When Is The Right Time To Hire A CIO Who Can Take Your Small To Mid-Sized Business To The Next Level?

A CIO (Chief Information Officer) can provide a great deal of value to any business — large or small. They not only help set technology standards, but they help the company keep an eye on the future. Smaller businesses often struggle to support this position, however, because they often operate on tighter budgets. The role is frequently divided up among many members of the executive team.

Before you lump CIO responsibilities onto other members of your team, consider outsourcing the role.

What Is A CIO, and Do I Need One?

CIOs are generally found in large or enterprise companies, specifically those with over 250 employees. This executive level role helps ensure that any selected technology is able to move the company forward. The CIO is also forward looking, keeping an eye on which new technologies might benefit the company.

A CIO is:

  • Dedicated to extracting maximum value from implemented technologies
  • Strategically focused rather than tactical
  • Constantly learning about the latest technologies that can provide value

Small to mid-size companies usually do not have a CIO position. When a CIO is not present, responsibilities are usually piled onto an IT Manager, Director or even shared across several managers. But for more complex use of technology or when technology implementation becomes large or far-reaching, these quasi-roles can break down.

IT managers are usually tactically focused. They may have some focus on strategy but day-to-day tasks can distract from having a purely strategic focus. A CIO will not have such distractions.

In businesses that have distributed software via cloud services or SaaS, knowing where everything is located and which data is coming to and from the company is important for the integrity of security and privacy. Especially for any company that must be HIPAA compliant (to name only one type of compliance), ensuring compliance of complex systems is critical. This is where a CIO can play an important role.

"In addition to handling issues as they've come up, Fluid has done a great job of getting out in front of things and consulting with us. They let us know when we need to start thinking about upgrades or capacity increases -- letting us know what's on the horizon for the technology of our company. When we've had issues, they've been very good about thinking out of the box and really being an outsourced CIO."

The CIO's Role in Driving Business Growth

To drive business growth, the CIO’s role shouldn’t be isolated to IT. Instead, the CIO should be integrated into overall business strategy discussions. Even better if the CIO steps up and becomes actively involved in helping shape the overall business strategy. Having the CIO report directly and regularly to the CEO rather than IT support groups can build trust with other C-level members. The result is a more cohesive business strategy and greater potential for the business.

What many businesses don’t realize, however, is that the CIO doesn’t have to be in-house in order to drive the business forward. Partnering with an IT provider who puts business first can be a way to get the benefit of having a CIO without adding to company headcount.

Looking To Bridge the Gap?

Your company may not yet require (or be able to afford) a CIO on-staff. And many IT providers have limitations when it comes to overall business strategy. Finding the right provider who has both IT expertise and business focus can solve a lot of problems for small to mid-sized businesses or larger companies that can’t yet budget for a CIO position. If you’re ready to work with a team that can move your IT from break/fix support to business driver, don’t hesitate to contact us here at Fluid IT Services.

Are Cloud Services Lulling You Into A Security Breach Nightmare?

More companies are turning to cloud services to host their servers and software. In fact, Cisco is predicting that by 2018, 28% of the total cloud workloads will be Infrastructure-as-a-Service (IaaS). IaaS allows companies to move the burden of server and software management out of their offices and into the cloud. Such a move lets businesses focus more time and effort on their core business strategies.

However, cloud services don’t lessen the need for tightly integrated and coordinated security plans. Knowing who to call at any given time and which teams will be involved, should any type of data breach occur, now has elevated importance.

As one of our clients discovered not too long ago, a data breach can be a “near death experience” for any business. Here’s how to prepare your business to handle a data security breach quickly and less painfully.

The Key Players

When server and software management are done in-house, there is a convenience of knowing everyone needed is on location when security issues arise. Speed of putting teams together usually isn’t an issue given the proximity of team members.

Once server and software management become more distributed (e.g. cloud services) and more teams become involved, though, resolving problems can become more complex and time consuming without proper coordination.

It’s important to know who the key players are. Some might include the following:

  • Server hosting company
  • Backup service company
  • Software service company
  • Security management/analysis company

 

The number of players will depend on how distributed your systems are.

Once any type of security problem arises, having one or two people available to coordinate multiple distributed teams will become critical. An overall team leader can mean the difference between a few hours of work to resolve data breach issues, or a few days.

Backup Validation - One of the Most Critical Tests You Can Perform

Consistently running backups is a great practice. But without periodic validation, they’re just a black box. When you need them most, you might reach for your backups only to find they don’t restore or that you haven’t been creating the right backups (full vs. incremental, file vs. OS, etc.).

Just as consistent backing up is good practice, consistent backup validation should be part of that practice.

Backup validation does require more work. Backups are automatic and require little human interaction. On the other hand, backup validation is a manual, labor-intensive process. But the time invested can far outweigh the surprise of incorrect or non-functional backups.
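Part of this check can be scripted. The sketch below is an added example, not a Fluid tool: it restores a tar archive into a scratch directory and compares file hashes against the live data, reporting a backup that will not restore or that is missing files. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def validate_backup(source_dir, archive_path):
    """Restore the archive into a scratch directory and compare it with the live data."""
    report = {"restorable": False, "missing": [], "changed": [], "extra": []}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path) as tar:
                # Use the "data" extraction filter where this Python provides it;
                # it rejects members that would land outside the scratch directory.
                if hasattr(tarfile, "data_filter"):
                    tar.extractall(scratch, filter="data")
                else:
                    tar.extractall(scratch)
        except (tarfile.TarError, OSError, EOFError):
            return report  # the backup does not restore at all
        live, restored = manifest(source_dir), manifest(scratch)
    report["restorable"] = True
    # In the live data but not in the backup: the job is not backing up the right things.
    report["missing"] = sorted(set(live) - set(restored))
    # Present in both but different: edited since the backup ran, or damaged in the archive.
    report["changed"] = sorted(k for k in live if k in restored and live[k] != restored[k])
    # In the backup but no longer live: deleted since the backup ran.
    report["extra"] = sorted(set(restored) - set(live))
    return report


def demo():
    """Constructed sample: one backup that skips a directory, one that is unreadable."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "live"
        (src / "db").mkdir(parents=True)
        (src / "docs").mkdir()
        (src / "db" / "customers.sql").write_text("-- constructed sample data\n")
        (src / "docs" / "policy.txt").write_text("v1\n")

        partial = work / "partial.tar.gz"
        with tarfile.open(partial, "w:gz") as tar:
            tar.add(src / "docs", arcname="docs")  # the job never included db/
        (src / "docs" / "policy.txt").write_text("v2\n")  # edited after the backup

        broken = work / "broken.tar.gz"
        broken.write_bytes(b"not an archive")
        return validate_backup(src, partial), validate_backup(src, broken)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A "changed" entry still needs a person to decide whether the file was legitimately edited after the backup ran.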

Your Response Plan

We’ve seen that several teams might need to be involved in the case of any cloud-based data breach. To create a robust response plan, having a coordinator who can quickly route information between teams and contact people as needed is critical. Additionally, periodic validation of backups to determine what exactly is being backed up fills another potential hole in any response plan.

Creating a checklist ahead of time will help with workflow as you progress through any security issue. Certain teams can have their own checklist for their specific tasks. A coordinator checklist will help in orchestrating overall progress of teams.

To summarize, your plan should look similar to the following:

  1. Decide on an overall multi-team coordinator
  2. Conduct a periodic validation of backups
  3. Create checklists for each team
  4. Create a checklist for the coordinator to help orchestrate all teams

 

If you’d like to read more about data protection, 5 Simple Yet Powerful Ways to Protect Your Data is well worth the read.

A response plan for a data breach scenario involves constantly looking for any point of potential breakdown and providing suggestions for possible solutions. While a data breach can be a time-consuming endeavor to resolve, being prepared lessens the chance of data or revenue loss.

Is Your Company Prepared?

Your managers and your IT team need to work together to make sure your whole company is as secure as possible. If you have any concerns at all about your data security, don’t hesitate to contact us here at Fluid IT Services.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 3

What would your managers do if hackers attacked your business? What would they do if your system got a virus? Or an employee’s computer caught some nasty malware? An incident response plan is critical for your business’s information security. And your management team has a great responsibility in creating and triggering that plan.

Your Incident Response Plan

A clear-cut, well-rehearsed incident response plan can be the difference between hours of downtime and days of downtime.

When everyone knows their role and the actions required of them during an incident, your team can work together to get the company back on track.

Step 1: Identify the team

Who is responsible for responding to information security incidents? “Your IT team” is not an acceptable answer.

Gather individual IT staff names and contact information, and detail each person’s responsibilities. Also note contact information for service providers and appropriate law enforcement.

Many incident response decisions are business-driven and not technical, so also include the names, contact info and responsibilities of the appropriate business-management personnel. If, for example, the business experiences a Crypto virus attack, the business leaders (guided by the IT team) will ultimately decide if they will pay the ransom or restore the data from backups. Know who your decision-makers are and include them in your incident response plan.

Step 2: Create your documentation

Create three levels of documentation.

  1. A high-level document that outlines the policies
  2. A detailed document that covers the implementation of the incident response plan
  3. A technical document that the IT team can use as a guideline. This includes quick-response guides for common scenarios.

All three of these sets of documents should include the team contact information from Step 1.

Step 3: Define the triggers

When will the incident response plan be triggered?

  • When a network intrusion is detected?
  • When a system is acting strangely?
  • When an employee suspects their computer might have malware?

Define potential risks, threats and points of failure here. Then ensure your managers share this information with every employee!

Stress Testing

Once your backup solution is in place, ensure it is tested regularly. Backups are useless if they are not usable.

Run simulations to develop and maintain “muscle memory.” This will also help keep data security at the top of everyone’s mind.

Is Your Company Prepared?

Your managers and your IT team need to work together to make sure your whole company is as secure as possible. If you have any concerns at all about your data security, don’t hesitate to contact us here at Fluid IT Services.

What in the World… Series Went Wrong?

 

Anyone in the United States or much of the world for that matter, is very aware of that giant of sporting spectaculars, the fall classic known as the World Series.  The first game was an absolute thriller, starting off with a leadoff first pitch inside-the-park homerun (last accomplished in a World Series in 1929 and first leadoff since 1903), continuing for 14 innings over 5 hours and 9 minutes, tying the record for the most innings in World Series history.  Pretty heady stuff, but that wasn’t even the big story.

“We are experiencing technical difficulties”

What stole the show was the inexplicable 4 to 5 minute blackout that literally shut down the game and made millions of viewers blast four-letter tirades at their televisions.  The problem: the Fox broadcast lost power, which would never have been noticed had the first generator not failed, but the backup generator also failed.  What are the chances of that?!  Both backup generators ‘failed’.  I’m sure someone at Fox will become the ceremonial fall guy for that one.

With Fox paying around $500 million for the broadcast rights to the World Series, this is no laughing matter and a very expensive “technical glitch”.  It is very obvious what the immediate impact is in a situation like this – millions of pissed off viewers, panic stricken Fox technicians, irked broadcasters (Joe Buck was NOT happy) and mortified Fox executives.  But what about the aftermath?  Is there any lingering negative effect on the Fox brand, trust, and goodwill?  Only time will tell.  The point is, it was the worst possible thing that could happen at the worst possible time on the world’s largest stage.

But they did everything right, didn’t they?

Technically speaking, Fox, if they did as they say, had the right setup – a backup generator with a second backup generator in the event of a power failure and unlikely failure of the first generator.  This is what we call N+1 in technology speak.  It means for critical systems, always have one more than you need to failover to if there is an issue.  This certainly met the criteria for a ‘critical system’ and they had N+1, but it still wasn’t enough.  You can bet Fox is opening their wallet today to spend whatever it takes to avoid this issue again, even if it means having four generators on standby with a person physically watching each one throughout the broadcast.  By the way, having more redundancy than one more backup than you need is typically called 2N+1, where you have twice the redundancy, or in this case 3-4 generators.  We may see just that outside the stadium on Wednesday night.

It’s not if it happens, but when

The situation was bad enough, but had it happened during one of the 162 regular season games back in April it would have registered as a blip on the radar.  Happening during the first game of the World Series blew up the radar and made every front page – it became the story.  If you are a business owner or operator, you should take notice.  I’m sure Fox thought this could ‘never happen’ but now we know otherwise.  What if this happened to your business at the absolute most critical time?  What would it cost you?  What would you be willing to spend to prevent it from happening again?

Sadly, most small to mid-sized companies do not have redundant systems simply due to the cost and the minimal risk of a critical failure actually happening.  The cost vs. risk just won’t justify it… unless it happens to you.  However, this very public SNAFU happening in the most unlikely of situations to one of the world’s largest companies (number 97 on the Fortune 500) shows it can happen to anyone at any time.

Is your business aware of the risks?

Forget about backup generators. Do you even know where the weak points are in your business?  Do you know every single-point-of-failure that could bring your company down?  If you don’t, you should get busy and find out. Not sure where to begin? Contact us and we can help you start the process.  After all, being in the dark is the worst place to be, especially when watching the World Series.

 

Need more information? Check out our Valued Added Solutions and why Fluid can help.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 2

In part 1 of this series, I talked about how managers should work with the IT team to set up strong anti-virus solutions for your offices. And in my recent post about hacker-proofing your businesses, I outlined how employees play critical roles in information security.

But here’s an important point, and something that – once again – managers must be responsible for:

Employees must be taught how to defend the business against hackers.

Cultivating a Security-Minded Culture

Information security starts at the top. For any security solution to succeed, it needs to have the support of those in leadership positions.

First, gather your management team and your IT staff and create an information security governance plan. Write detailed policies and procedures that not only keep the environment clean and operational, but also serve as a point of reference should employees have questions. This will also help hold staff accountable.

Second, empower your management team to create training programs for employees. An organization that teaches its staff what they can do to prevent a compromise will be less susceptible to hackers and loss of data.

Information Security Training Basics

Your IT team should not be the only people focused on protecting your company’s data. Managers should learn and then teach the following basic protocols:

  • Do not access personal email within a production environment
  • Do not open email attachments from unknown or untrusted senders
  • Avoid installing unauthorized software in the production environment. If in doubt, talk to management and/or IT personnel
  • Be suspicious of others asking for sensitive information

For more detailed information on these topics, read our Hacker-Proofing series: Dangerous Applications and Content, and Social Engineering.

Open Up the Lines of Communication

Make sure your managers have open lines of communication with IT and with employees.

According to a Verizon study of data breaches, more than 80% of breaches happened because Wi-Fi systems were not protected with passwords. This may seem like the most basic thing your IT team can do to protect your network – and your management team probably feels the same. Encourage your managers to question things when it comes to your information security! It’s better safe than sorry.

Other things managers may want to get a handle on:

  • Data encryption. Is sensitive employee and client data — such as social security numbers and credit card accounts — encrypted?
  • Physical security. Are the offices protected by security alarms or motion detectors? Is hardware locked down?
  • Data storage. How much customer data is your business actually storing? How often is it purged?

What to Do When You’ve Been Hacked

If you think your company data has been compromised, or your system has a virus or malware, contact your IT team immediately.

Part 3 of this series will go into detail about an incident response plan.

Why the Management Team Is Your First Line of Defense Against Data Security Threats – Part 1

Computer viruses and malware can be devastating for businesses. Recent Crypto virus attacks left businesses down for days, and cost them in both downtime and ransom money.

And we’ve all seen the news reports about businesses that lost confidential customer data to hackers.

Keeping your company’s data out of the hands of hackers is a cat-and-mouse game. New viruses and malware are created continuously.

Your management team is the first line of defense.

Define Your Defense

Though the IT department and each employee have responsibilities when it comes to defending your business against hackers, a defense solution is still necessary.

Empower your managers to work with your IT staff to create a definitive solution to viruses and malware.

This solution should include a service that can monitor for threats in real time. This will enable you to catch malicious data before it enters your production environment.

Remember, though, that just because you have an anti-virus program installed doesn’t mean that you’re protected against other forms of malware. Some programs only scan for viruses, and malware can sneak through. Have your IT team review your anti-virus system thoroughly and determine if you need a more robust program to protect your business.

Keep your anti-virus/anti-malware programs up to date. These programs are only as good as their current definitions. Communicate to your managers that they must drive this point home with employees. Delaying updates can be as easy as clicking a button on the screen – so assert the importance of updates and make sure management cascades the information.

Beyond Anti-Virus Software

It’s not enough to just cover the obvious entry points of your business’s network. There are multiple points of entry for malicious agents — so ensure your organization is protected node to node.

This includes a good firewall that receives regular updates. This will scan traffic for viruses before it enters your office environment.

A good firewall will help keep hackers from getting access to your system in the first place. It will monitor your network traffic and prevent hackers from compromising business systems.

Once again, this is a place where managers and IT staff should work together to determine exactly what firewalls are needed for the office. Managers will have a much better idea of overall day-to-day business operations – and thus possible vulnerabilities – than either the IT department or individual employees.

Managers: Defenders of Data

Your management team is your first line of defense when it comes to protecting your business’s data. Ensure they have an open dialogue with your IT team so your information security remains tight.

Don’t have an IT team that really knows your business and is comfortable working with your management team? Let’s talk!

Hacker-Proof Your Business: Social Engineering

Never heard of social engineering? Well, the hacker trying to get at your business’s data sure has. TechTarget defines social engineering as:

A non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.

As I pointed out in part 1 of our Hacker-Proof series, hackers are actually pretty smart. They not only know how to code, but they know how to trick users into falling for scams.

But hackers don’t always use technology to break into your system. Sometimes they simply use conversation.

Hazards in Your Inbox

Be wary of emails from unknown senders — especially those that ask probing questions about your organization or someone’s role within the company.

Some scammers will attempt to appear as a vendor trying to glean information. The particular information they are gathering compromises your system and gives them what they need to break in. These people are usually very good at what they do. Their conversation will be polite and seemingly legitimate.

Your personal email isn’t off-limits to this type of behavior, either. Recruiters are notorious for blowing up our inboxes these days, and social engineers know this! It doesn’t take a genius to impersonate a recruiter – and remember, hackers are smart.

Though this is more of a phishing scam than a social engineering attack, it’s worth noting here because too many people still fall for it: the fake “your password needs to be reset” email. Beware of these emails from scam artists!

I got this email the other day that looks VERY official, and if I wasn’t paying attention I might even click on it.

[Image: card security procedures]

But there were a few things that tipped me off right away.

  1. There is an attachment. Always a red flag!
  2. It asks me to download and save the attachment. Major red flag!
  3. It tells me to open the attachment. Obviously, this is how the virus is activated.

I hovered over the “from” address and it showed the sender as Americanexpress@aecom.com. I knew “aecom” was probably not an AmEx address – and a Yahoo search confirmed it.

[Image: yahoo confirms it]
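The same tip-offs can be checked automatically at the mail gateway or in a reporting tool. The following is an added example, not part of the original post: it parses a message and flags an attachment, body text urging the reader to download, save or open it, and a sender whose name claims a brand but whose domain is not one you have verified. The brand list, display name and message body are constructed assumptions; only the sender address comes from the post.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains your organization has verified for each brand it deals with.
KNOWN_BRANDS = {"americanexpress": {"americanexpress.com"}}
URGING = re.compile(r"\b(download|save|open)\b[^.]{0,60}\battach", re.I)


def red_flags(raw_bytes):
    """Return a list of human-readable warnings for one raw email message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    flags = []

    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if attachments:
        flags.append("attachment present: " + ", ".join(attachments))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if URGING.search(text):
        flags.append("body urges reader to download, save or open an attachment")

    display, addr = parseaddr(str(msg.get("From", "")))
    local, _, domain = addr.lower().rpartition("@")
    claimed = re.sub(r"[^a-z]", "", (display + local).lower())
    for brand, domains in KNOWN_BRANDS.items():
        trusted = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in claimed and not trusted:
            flags.append(f"sender claims '{brand}' but mail comes from '{domain}'")
    return flags


def constructed_sample():
    """Constructed message modelled on the email described in the post."""
    m = EmailMessage()
    m["From"] = "American Express <Americanexpress@aecom.com>"
    m["To"] = "user@example.com"
    m["Subject"] = "Card security procedures"
    m.set_content("Please download and save the attached form, then open it.\n")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="form.html")
    return m.as_bytes()


if __name__ == "__main__":
    for flag in red_flags(constructed_sample()):
        print("RED FLAG:", flag)
```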

Dangers Lurk Outside Your Inbox, Too

Social engineering isn’t limited to emails. Hackers also use social media, phone calls and even in-person visits to your company site. They will use whichever channel pulls you into a conversation most easily.

Some examples we’ve seen are false on-site technicians, fake LinkedIn and Facebook groups, and phone calls from bogus financial institutions.

How to Protect Yourself

The first thing you can do to protect yourself from a social engineering hack is to be skeptical. Never give out confidential information – or even seemingly non-confidential company information – without verifying the identity of the requestor first.

The second thing you can do is to be aware of common tricks. For example, no legitimate financial institution will ask for your social security number or system password over the phone. If someone you don’t know asks you for that information, it’s a red flag.

I am going to assume that you’re using strong passwords on all your systems, and you’re updating them frequently. (Ahem.) If you feel like you might have been the victim of a social engineering hack, change your passwords. Then let your IT staff know about the situation immediately so they can minimize the damage.

Don’t have an IT team that can come to the rescue in the case of an information security threat? Let’s talk!