How to Protect your Company from Cyberattacks

Let me begin with a hard truth: Your company is at risk from cyberattack.

It’s true; every firm is at risk, and most will be attacked in some form, at some point in time. It’s nearly inevitable.  However, there are things you can do to protect your firm from a cyberattack, and ways you can mitigate the damage if you are attacked.

What kind of company data needs to be protected from a cyberattack?

There are three categories of company data you need to protect. They are the company’s intellectual property, employee information, and client data.

Company Intellectual Property

The company’s intellectual property includes processes and procedures, firm standards, templates, and forms.  It also includes firm documentation and how-to information, like patents, formulas, recipes or other proprietary information.  It includes marketing information, client names and client information, the types of projects you are pursuing, and other competitive information.

Client Data and Information

The next thing that must be protected is client data.  Client data includes work product – such as project drawings, designs, and schedules.  It also includes information about move dates and expansion plans.  In addition to protecting client project information, you need to protect client intellectual property.  This includes clients’ employee names, information about projects you’re working on for them, client growth patterns, and departmental or organizational structures.

Employee Information

Finally, you need to protect your employees’ personal information.  Personal information like the names of employees, their addresses, social security numbers, and other personal information like spouse and children’s names.  You also need to guard employees’ financial information, information about direct deposit and bank information, as well as payroll and salary information.  Finally, you must safeguard employee personal health information like doctor’s names, health claims, coverage amounts, and other confidential information.

What do you need to be protected against?


File Corruption / Loss of Data

You need to maintain data integrity.  You could be attacked by malware, ransomware, or viruses. Your data integrity can be compromised by file corruption, backups that fail, or files that cannot be restored.

There might also be data errors caused by a translation.  For example, if you send files to others as part of your work process and you translate those files from one program format to another, there might be errors or changes caused by the translation programs.

Access to your Data

In addition to the integrity of the data, you need to protect data access (who can get into and access your information).  You must guard against a compromised network or security access problems.  Penetration testing can check your vulnerability against an outside attack.  There’s also a type of attack called “denial of service” that can prevent you from accessing your data.

A malicious or disgruntled employee might change passwords or erase or steal files.  A technology disaster can cut off access to your data.  A server or disk drive can fail, or your internet connection can fail or be disrupted.  A building or office disaster can keep you from accessing your data.  If your office is compromised by fire or another building problem, you might not be able to physically reach your office.  If there is a fire or problem in another part of the building, you might be forced to leave and lose access to your data.  Then there are plain-old hackers, people who try to break into your network to either cause damage or steal information.

Hackers often use social engineering to get to your data.  Social engineering takes advantage of people’s good nature; attackers use people’s willingness to help to break in.  For example, a hacker might play on someone’s fears by telling them they have a computer virus infection and trick them into loading software, or giving away passwords or user account names.  Unfortunately, people are generally trusting and sometimes naive – we don’t want to believe others are malicious. For this reason it’s important to understand that employees can be tricked very easily into sharing or giving access to confidential information.

Reputation

The last and most important thing is to protect your company’s reputation and your client’s confidence.  Your clients count on you to keep their data safe.  If there is a security breach or a problem with client data it is very difficult to regain their trust.  You can’t unring the bell.  It is easy to restore a client’s files but it may be very difficult to regain a client’s trust.

How can you protect your firm from a cyberattack?

To protect your firm, it’s important to always be prepared; expect that you will be attacked at some point.  Every firm should prepare for and expect some type of cyberattack.  Firms that work more collaboratively – especially when using BIM – are at higher risk.  Being more collaborative means being more open, which, in turn, increases your risk.

Planning

Expect the unexpected by developing a plan to deal with cyberattacks.  You will never eliminate all risk, but you can mitigate most of the risk with a good plan.  Your plan should explain step-by-step what to do in the event of a cyberattack and explain to employees how to get help. Your plan should not be overly burdensome or people will find ways to work around your security.  You can spend a lot of time and money on a security plan, so it’s important to decide how much to spend to get the greatest benefit.

Training

Take the time to train your staff.  Your staff needs to understand the risks and know what to do in case of a cyberattack, as well as how they can protect themselves from a cyberattack.  There must be policies and penalties for violating the rules.  Encourage your company to take security seriously.

Backup / Disaster Recovery (DR) Plan

You must have good backups and a disaster recovery plan.  You should have three copies of your data: the original, a local onsite backup, and an offsite copy.

[Check out our blog post on how to write a disaster recovery plan for your business]

Check your backups and archived files. Having multiple copies of your data is useless if it’s all corrupted. For archived data, keep in mind that certain file types might be discontinued or no longer usable with current software.  For example, does anyone still have old Lotus spreadsheet files? .WKS or .WK1 files?  You can’t open them using current spreadsheet software. You might need to archive a copy of the original software and operating systems used to read and access old files or develop a plan to update old archived data. Test restore your backed-up files and don’t assume everything will just work.

Passwords / Encryption

Consider encryption – at least for laptops and mobile devices.  Laptops are often lost or stolen, or might be left in a hotel, airport, or cab.  If the mobile devices are encrypted, you’ve lost a piece of hardware, but your data is safe.

People must use secure passwords.  I know, I know: employees hate using secure passwords that are hard to remember, but requiring a new password every 90 days is not asking much.  That’s only four times a year! Consider using multi-factor authentication wherever possible.  Multi-factor authentication requires a second proof of identity, such as a code from a separate device or a hardware token, in addition to the password.  Any account that needs to be very secure – whether it’s a bank or legal account, or just a secure website – should be using multi-factor authentication to be safe.  VPN connections to your office network should also use multi-factor authentication.

Monitoring

Monitor your network access.  You need to know who has been on your network and when.  If you see anything strange, question it.  Do employees really need to be on the network at 3 AM?  It might be legitimate, but you should know what they’re doing and why.
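As an added illustration of the review described above (not Advance2000’s code), the script below reads login events, flags successful logins outside business hours or on weekends, and flags a user signing in from an address not seen for them before. The log line format, the user names, the addresses and the 07:00–19:00 business window are all constructed assumptions; adapt `parse_line()` and the hours to your VPN or directory server’s own logs.

```python
"""Off-hours and new-source login review (added example, not Advance2000 code).

Produces a list of items to question, in the spirit of "do employees really
need to be on the network at 3 AM?"; it does not block anything.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed log format: "<ISO timestamp> login user=<name> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

WORK_START, WORK_END = time(7, 0), time(19, 0)   # assumed business hours, local time

# Constructed sample log (2024-05-06 is a Monday, 2024-05-11 a Saturday).
SAMPLE_LOG = """\
2024-05-06T08:02:11 login user=amy src=198.51.100.10 result=success
2024-05-06T08:45:30 login user=raj src=198.51.100.11 result=success
2024-05-07T03:14:07 login user=raj src=203.0.113.44 result=success
2024-05-07T03:15:52 login user=raj src=203.0.113.44 result=failure
2024-05-11T14:20:00 login user=amy src=198.51.100.10 result=success
2024-05-13T09:00:01 login user=amy src=198.51.100.10 result=success
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "result": m["result"]}


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside [WORK_START, WORK_END)."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def review(log_text: str, known_sources: dict = None) -> list:
    """Return (user, reason, timestamp) tuples worth asking about.

    known_sources optionally seeds each user's baseline of addresses (for
    example from last month's logs); otherwise the first successful login
    seen for a user becomes the baseline.
    """
    known = defaultdict(set)
    for user, srcs in (known_sources or {}).items():
        known[user].update(srcs)

    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue                      # unparseable lines and failures are skipped here
        when = ev["ts"].isoformat()
        if is_off_hours(ev["ts"]):
            alerts.append((ev["user"], "off-hours login", when))
        if ev["src"] not in known[ev["user"]]:
            if known[ev["user"]]:         # only alert once the user has a baseline
                alerts.append((ev["user"], f"new source {ev['src']}", when))
            known[ev["user"]].add(ev["src"])
    return alerts


if __name__ == "__main__":
    for user, reason, when in review(SAMPLE_LOG):
        print(f"{when}  {user:<6} {reason}")
```

Run against a real export, the output is a short list to take to the people involved; the 3 AM login may be legitimate, but the point of the paragraph is that you should know, and a scheduled run of a check like this is how you find out.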

Good Policies (with teeth)

Implement written policies that describe and outline what you expect from your employees.  You should have a policy for email usage, a general IT policy, an equipment policy, and an internet usage policy.  You should outline how to protect the firm’s intellectual property and what you expect employees to do to keep it safe.  Your policy should also describe what happens when the rules are not followed and there’s a problem.  As I mentioned before – there should be penalties.  Policies need to have teeth to be effective.  Employees should know that they must follow the rules or bear the consequences.

Anti-virus / Anti-malware / System Patches / Updates

Finally, make sure that your systems are up to date with the latest security.  Check your anti-virus and anti-malware software to make sure it is up to date and scanning properly.  Change the default passwords on all hardware.  Download and install all operating system security patches.  If you are still using old software that is no longer supported or updated, you are at risk. Work with your vendor to get your software up to date.

Get Help

If you don’t have a disaster recovery plan or IT security strategy, now’s the time to make it happen. If you need help protecting your firm from cyberattacks, Advance2000 can help.


IT Security Consultation

Back to Basics: Writing a Disaster Recovery Plan

Disaster Recovery is the process or procedures that take place AFTER your business has experienced a technology-based problem or other major business interruption. It describes the steps to take to recover from a disruption in the business due to a disastrous event or technology failure. Disaster Recovery’s goal is restoring your systems and data to the most recent state before the disaster incident occurred.  With Disaster Recovery, in contrast to backups, you do not care about going back in time 30 or 60 or 90 days, you just need to recover the last known good operational state.  Backups are a part of that process.

Business Continuity is the uninterrupted continuation of business. Your business needs a Disaster Recovery Plan to assure Business Continuity.

What should I include in my Disaster Recovery Plan?

In addition to addressing technology, a comprehensive Disaster Recovery Plan should also address non-technology issues, such as legal or human resource business disruptions. You need to prepare for all types of disasters.  Your Disaster Recovery Plan must answer the Who, What, Where, When, and How questions to get your business operational again.

Who?

Who is responsible for carrying out the plan? Disaster recovery roles should be planned and practiced before a disaster strikes. For example, a technology outage may require a communication plan to inform staff, as well as clients. Responsibilities should be assigned to teams to avoid a single point of failure.  Staff roles and responsibilities should be recorded and communicated to all staff. The disaster team might include the following teams/roles:

  • Firm Leadership
  • Communication
  • HR
  • IT Recovery
  • Public Relations / Client Relations / Internal and External
  • Facilities and Corporate Services
  • Damage Assessment
  • Financial Recovery / Insurance
  • Legal / Risk Management
  • Projects / Project Liability
  • Operations
  • Client
  • Crisis Coordinator
  • Crisis Management team
  • Security / Employee Safety

What?

What are the types of disasters? They are not all technology. What steps do I take in case of a disaster?

  • Technology
  • Human Resources
  • High Profile Attrition
  • Legal
  • Workplace Violence / Terrorism
  • Physical (office is damaged or unavailable)
  • Transportation (weather – no one can get to office)
  • Public Relations
  • Firm Health / Financial / Bankruptcy
  • Project Related (job site accident / building collapse)
  • Reputation (Public perception)

There are also degrees of disasters.

  • Level 1 – 4 depending on duration and severity

Where?

Depending on the type of disaster, you may need to work offsite for a period of time. What if your office is flooded or there is a fire in another part of the building and access to your office is restricted or denied for safety reasons? Factors outside your control might cause you to have a problem even though your systems are not directly affected.  Do you have a DR site chosen?  How fast can it be ready for use?

When?

Your plan should identify a timeline and set recovery goals. It is not enough to know what to do, you should also set the timing and sequence of events in your plan. Part of an effective Disaster Recovery Plan is a recovery timeline. How long will it take to get your business back in business? You need to know.

How?

When developing your plan, understand the options to keep your business safe.

  • Backup and Recovery – Backup can take many forms; tape, disk, optical or online (cloud).
  • Cold Disaster Recovery Site – This is a recovery site that is prepared after a disaster has occurred.
  • Warm Disaster Recovery Site – A combination of the Cold and Hot Disaster Recovery Sites
  • Hot Disaster Recovery Site – This is a recovery site that is prepared before a disaster has occurred and is on standby in case of a disaster.
  • Business Interruption Insurance – Insurance is available to protect your business in the event of a technology disaster.
  • Data Archiving – What should you do with old backups? Legally, how long do you need to keep data?

You need a PRINTED Disaster Recovery Plan – Your plan should be in hardcopy form so it can be accessed with no electricity or network and it should be stored OFFSITE in case the office is inaccessible.

Get your Disaster Recovery Plan in order and sleep easier at night…

CONTACT US if you need help creating your plan.

Back to Basics: Safeguarding Your Business – Backups and Disaster Recovery

How long can your firm afford to be out of business? How long will it take to recover from a technology disaster? You should protect your data and your business with a proven secure online backup and disaster recovery solution.

Other than your employees, your data is the most important part of your business. Just backing up your data is not enough. You need to have a plan to get your business up and running quickly in the event of a technology failure.

Did you know that rebuilding a file server from scratch and restoring all its data can take a week or more? Is your business ready for that? Are your clients ready to wait days while you restore their data?

How long can your business afford to be out of commission? 1 day? 1 week? 1 month? The statistics vary, but a significant number of businesses that experience a disaster do not survive. A written and tested Disaster Recovery Plan combined with data backup mitigates your risk.

Three important steps to safeguard your business

Step One: Set up secure online offsite backup. Online Backups protect your data by safely and securely replicating your files and data to the cloud. Understand what you are buying: is it 30, 60, 90 or unlimited days of backup? Make sure your backups are stored geo-redundantly, that is, in more than one location. You can’t afford for your backup to be inaccessible in case a regional outage takes down your office AND your backup provider.  Get your backups OUT OF THE OFFICE.  At a minimum, do not keep your backups in the same location as your live data.  That is trouble waiting to happen.

Step Two: Create a Disaster Recovery Plan. Disaster recovery is restoring your technology infrastructure (after a disaster) to ensure that your business keeps working. Consider using an online Disaster Recovery site. There are cold, warm or hot disaster recovery sites that can allow your business to keep working. Understand the differences between them and choose the right site depending on your budget and tolerance for risk. If you depend on your employees being productive and billable, you cannot afford to have them sit idle while you repair or replace broken equipment.

Step Three: Test, Test, Test. Testing and reporting is part of any good backup or disaster recovery plan. You must regularly test your solutions to ensure they work and that they are protecting your business. Don’t ASSume that you are safe, test.

If you work with a provider that offers both online backup and online disaster recovery, you can start with online backup, and later add disaster recovery along with your online backups. This way you will never pay for additional services you don’t need. You can grow from a simple online backup into a full disaster recovery solution easily and without risk. Your solution provider can also help you design and document your disaster recovery plan. Safeguard your investment in equipment and people.

Questions to ask your backup provider:

  • What is the RTO (Recovery Time Objective)? – How long will I be down?
  • What is my RPO (Recovery Point Objective)? – How much data is acceptable for me to lose? 1 hour, 4 hours, 1 day?
  • Do you have High Availability Solutions? – Can your DR site take over running my business instantly?
  • Geo-Redundant Storage – Is my data stored in multiple locations?
  • Testing and Reporting – How often do you test backups and how do I know they work?
  • Safe Secure Datacenters – Where is my data being stored? What safeguards do you have in the datacenter?
  • Low cost – What is a fair price for backup? What does my downtime cost? Compare the two and decide.  Balance risk and cost.  Don’t go cheap, you can’t afford it.
  • DR / Business Continuity Planning Services – Do you offer both Backup and DR or just one? Can you help me write a disaster recovery plan?
  • Easy to use? – What is the user interface like, who monitors my backups, do I get alerts if they fail?
  • How long have you been in business? – Will you go out of business with my data?
  • If I change providers, what happens to my data? – Will they give it to you? Does it disappear? Most providers have a window of time they will keep your data; do you need longer-term archive in addition to backup?
  • Can you ship my data on a drive? – If you have to perform a large restore, you will not be able to do it over the Internet. Can they overnight a drive with your data? For what price?

Do you need help with backup or DR?  Contact Us and Advance2000 can help you protect your business.

How the Cloud Will Get You Through The Storm

November brings the official end of hurricane season; winter is on the way. Now is the time business leaders and IT professionals should be learning the lessons of a summer and fall full of powerful storms and hurricanes.

Advance2000’s private distributed data centers provide decision makers the most cost effective, high performance, fastest to deploy disaster recovery solution available today. We are ready to secure your business in the cloud, protecting your data and employees for the next time Mother Nature strikes.

These two customer stories illustrate why you need to act now rather than wait until disaster strikes.

A large engineering firm with offices around the world heeded the lessons learned from Super Storm Sandy in October 2014 and migrated their project data from individual regional offices to the Cloud. They quickly realized that this decision not only produced the desired goal of safeguarding their project data but also gave them almost unlimited access to the information from any device, at any time, in any kind of weather. Their next steps were easily laid out, move all other data assets to the Cloud. This included email, telephony, BIM data, etc. The migration was done over time and carefully planned and orchestrated. This year when their Miami and North Carolina offices were hit with multiple weather events and cities like Washington DC and New York were also threatened, they didn’t miss a beat.

Their customers’ expectations and deadlines were never impacted by the storms. Projects continued to move forward. Any employees directly in the storm’s path were able to get to safety but still have access to every corporate asset as though they were sitting at their desk using their company provided computer.

The Cloud got them through the storm because they were prepared.

A mid-sized design firm with offices in New York City and North Carolina has been a customer of Advance2000 for many years. They purchased a premise-based telephone system twelve years ago. They too were impacted by Super Storm Sandy and they too had Advance2000 come in to address their vulnerabilities, such as access to data, email, and communications with customers and employees. However, in this case, the decision makers quickly forgot about the storm. They said it was “a 100-year event” which meant it would be the next guy’s problem long after they retire. Then came Hurricane Matthew and more nasty storms this past fall. They had over 80 people directly affected by the ensuing floods. Most of them were safe in their homes but completely cut off from their offices. It simply was not safe to travel or in some cases illegal to venture out due to mandatory evacuation orders given by the government. Business was stopped for 8 full days. They discovered that their customers in other parts of the country and world ran out of sympathy very quickly.

This firm is now moving forward with plans to safeguard their business by migrating to a distributed data center solution. Their plan is to be fully in the Advance2000 Cloud by March 2017. They will be prepared for the next storm that hits.

Why Advance2000 Cloud During the Storm?

  1. Business Continuity – Whether the problem is Mother Nature or manmade, Advance2000 is prepared: multiple redundant privately owned data centers, physically and digitally secure, layered power backup and a 24/7/365 U.S.-based Helpdesk.
  2. Bring Your Own Device (BYOD) – If people are not able to get to the office they can access their Virtual Desktop and Communications platforms (email and telephones) from any device that has Internet connectivity. This includes their personal computers, tablets, laptops or smartphones.
  3. Disaster Recovery “lite” – While working from an Advance2000 based Virtual Desktop, your work is instantly saved, secured and backed up. Your data is protected no matter what the weather.
  4. Safe Working Environment – You can provide a safe working environment for your employees. There is no need to travel during a dangerous storm to meet a deadline. The Advance2000 Virtual Desktops provide your users a state of the art, HIGH performing computing experience connecting from even the most basic device. All your most demanding software applications will run like you are sitting next to your server, while you work from the safety of a shelter, airport or from your home on the couch.

For more information about Advance2000’s Cloud and how it can protect your business, contact Adam Glass direct at 732.245.3294 or Contact Advance2000.

Photo Credit: “Hurricane Matthew” nasa.gov