virus

The Biggest Backup Mistakes Businesses Make

March 22, 2019 by securewebsite

Companies rely heavily on technology for their day-to-day operations – from customer service and ordering to manufacturing and accounting. Consider the technology, from hardware to software, your business uses to keep it moving forward every day. Now imagine what would happen if something went wrong and it stopped working. Whether a virus has paralyzed your operating system or a hacker has infiltrated your network, could you recover quickly to keep your business functioning? How will you recover lost data files crucial to your daily operations?

Disaster scenarios are not anomalies. Unfortunately, it happens on a regular basis and can have serious implications for businesses. This is why backup is so imperative to today’s business operations. While you may be thinking that you’re covered because your business has data backup, you might be surprised to know that this may not be functioning the way you think it is. There are several mistakes modern organizations make when it comes to data backup that every business owner should know about how to stay on top of their business backup.

Know What You Need

According to a piece in Small Business Trends online, more than half (58 percent) of small businesses are not prepared for a data loss. The article goes on to show that 140,000 hard drives fail in the U.S. each week. That’s right. Each week. Furthermore, it states that 60 percent of small to medium businesses that lose their data shut down within six months of the loss.

“On average, small companies lost over $100,000 per ransomware incident due to downtime,” according to an online article by CNN Business. “For one in six organizations, these attacks caused 25 hours or more of downtime.”

Businesses need to understand the massive impact system failures, regardless of the cause, can have on their operations. One of the first things business leaders should do to properly prepare their backup and disaster recovery (BDR) plan is ask themselves the following questions:

What data is mission critical to my business? Consider customer records, inventory, accounting, etc.
Where is that data stored, which systems run those applications, and how is it currently being backed up? Think about where business critical data is being stored, how often it is being backed up, and if your company regularly tests its backup systems.
How much data can my business afford to lose and how much downtime can it handle without long-term consequences? The answer to this question is your recovery time objective (RTO). How long can your business go without being able to process sales, manufacture products, provide services, pay employees, invoice clients, etc.? How quickly do you need to be able to rebound from such a disaster to prevent a loss of revenue, clients, and reputation?

The answers to these questions will help you outline the backup and disaster recovery needs specific to your business. Your IT manager should be able to answer all of these questions. If you don’t have an internal IT manager, a professional third-party IT vendor such as ORAM Corporate Advisors can help you formulate and implement a BDR plan that works for your business.

Cover Your Cloud

Another big mistake people make is not backing up what they have stored on the Cloud. The Cloud is not just some empty space where things are stored. It is actually a third-party storage option. In other words, instead of storing things on your own server, your things get stored on someone else’s server.

You need to ensure that you don’t forget to back up your Cloud email, storage, and files. I would not trust a third party to maintain that data for me. At ORAM, we recommend Backupify as a terrific back up option for everything you have on the Cloud.

Though you have stored all of this information on the Cloud, backing up that data is important for a variety of reasons. First, you may need to back up that information to meet industry standards or government regulations. You also want to be prepared in the event your business is attacked by a virus, ransomware, or other hack. Additionally, there are disasters that can unfold such as earthquakes, hurricanes, fires, and others that are beyond your control that can negatively impact your data. Internal threats such as disgruntled employees can compromise data that is imperative to your business as well by simply deleting it. Backing up your software as a service (SaaS) avoids, or at least reduces, the impact of such devastating crises.

Testing, Testing, Testing

One of the biggest backup mistakes people make is not testing their backup systems. Businesses will install applications or programs and let them go to work. They fail to define what exactly is being backed up and then they never test it.

For example, consider some of the online services businesses use such as Carbonite. Back in the day, Carbonite didn’t back up their QuickBooks files. People would install the software on their computers and think everything was backed up but, lo and behold, it wasn’t. Databases, like QuickBooks, were not getting backed up because the file was constantly in use by other software, therefore, they weren’t able to take a snapshot to back it up.

To date, some backup programs like Carbonite don’t backup everything you may need to have restored in the event of a disaster scenario. While some software is very good at backing up common files such as documents, photos, and spreadsheets, they can fail to backup less-common file types such as secondary files or files larger than 4GB. When it comes to backup, this could put a real damper on your business operations should the worst happen.

Backup testing should be fully automated so as not to pull human resources away from your business operations. The automated system should test backup and restoration services for the following:

Virtual Machines
Applications
Databases
Individual Files

Ideally, your automated backup testing should occur each time your system is completely backed up though this rarely happens. Backup testing should happen on a regular basis not only to ensure that backup is happening as it should but also that it can handle the additional data your company is creating as your business expands.

Additionally, testing should do more than just check that your data is being backed up. It should also test your recovery so you have information about the length of time you can expect to be down if your system is struck by disaster. This allows you to be specific with your clients, partners, and others about when they can expect your systems to be functional again rather than giving an arbitrary message that your system will be up and running again “soon.”

Backup Everything You Need

Another thing I would say is a backup mistake people make is not taking a full snapshot of their environment. As an example, for a long time people did file-based backup. They simply backed up the files on their computer. In reality, you don’t want to backup just the files on the computer.

Using an old-school analogy, you want to put the tape in the VCR and hit play. That’s what we call a snapshot. We say, “Ok. This device has failed. Let’s do a restore to a point in time and then we can just go from there.”

In the era of ransomware, crypto viruses, and other threats to business operations and data, you want your business to be able to be back up and running as fast as possible. Whether it’s a server or a computer, you need to be able to hit that VCR play button for a certain point in time. This allows the business or the person to move forward as fast as possible.

This environmental snapshot is important. Statistics from World Backup Day, which occurs on March 31 each year, shows one in 10 computers is infected with viruses each month yet 30 percent of people have never backed up their data. This statistic alone demonstrates the importance of having automated backup software such as Mozy working on a regular basis to protect your business.

How can these mistakes be avoided?

The best way to avoid these common business backup mistakes is to ensure you have proper procedures in place that meet the specific requirements of your business and that they are functioning properly. Confirm that your business network is backing up weekly and consistently test a full restore of your systems to ensure that everything is backing up, so you never have to worry. Check to ensure that your data is not only being backed up regularly and backing up everything, but be sure that your recovery plans are functioning smoothly as well.

Be sure to do your homework when looking for the best backup and recovery plan for your business. PC Magazine put together a piece in January, “The Best Cloud Backup Services for Businesses for 2019” with a full chart of backup software options in the Cloud. The chart compares various software with ratings for everything from price to encryption in transit and regulatory compliance.

Check with your internal IT manager or consult with a third-party IT vendor such as ORAM Corporate Advisors to make sure you have the right processes and procedures in place. This third-party consultant can also help you with regular testing to make sure your network is backing up as it should and that your recovery system is also functioning effectively and efficiently. They can make software recommendations based on the unique needs of your business. For many businesses across several industries, such testing can also achieve regulatory compliance requirements as well.

If you have questions about developing a backup and disaster recovery plan, implementing it, or for testing, please call the experts at ORAM at (617) 933-5060 or contact us online. Schedule your free initial consultation today to achieve your IT goals within your budget.

The Modern Office and Business Continuity

March 7, 2019 by securewebsite

What you need to know to protect your company

The modern office requires that all components of your business environment work together harmoniously to ensure the best use of your IT infrastructure and seamless scalability as your business grows. One of the major components of the modern office is business continuity. This is an imperative piece of a solid IT plan for every company regardless of size or industry.

Business Continuity

When IT professionals discuss business continuity, they are generally referring to a proactive approach of having the right processes and procedures in place to ensure mission-critical functions continue to work properly in the face of a disaster or while a business is recovering from one. When it comes to business, there are many moving parts that still need to continue operating smoothly whether your company experiences a devastating fire or a nasty data breach.

The IT and business statistics are shocking. In the last five years, one in three organizations were hit by a virus or malware attack, according to DataCore, and more than half of companies (54%) experienced downtime that lasted more than eight hours. That’s a full day of work lost! While DataCore shows only 35 percent of outages are caused by natural disasters, 45 percent of outages are operational and another 19 percent are due to human error. These site outages can cost businesses thousands of dollars in lost revenue and restoration costs for every incident. Gartner, Inc., a global research and advisory firm, estimates that only 35 percent of small and medium businesses (SMBs) have a comprehensive business continuity plan and the financial loss for every hour of downtime can reach into the thousands even for SMBs.

Business continuity requires comprehensive planning before tragedy strikes an organization to allow them to overcome long-term challenges that would otherwise stop them in their tracks. With prior planning, business continuity ensures your entire business returns to full functionality as fast as possible following a crisis. That means everything from vital employee records and payroll to stored data access and email.

Think Cybersecurity

One of the first steps in a complete cybersecurity plan is business continuity. To start, you’ll want to ensure your business employs the best technology to combat the latest threats from ransomware and malware to other types of breaches. This means updating protections such as antivirus and firewalls, using multifactor authentication, and engaging your employees in ongoing, meaningful cybersecurity training.

Cybersecurity plans, which are typically handled internally by the chief information security officer (CISO) in larger businesses, should be designed as a living document that can expand and adjust when necessary to meet the changing needs of your business. Small to medium enterprises often don’t have a dedicated CISO so they can outsource this responsibility to organizations like ORAM Corporate Advisors.

Written Information Security Plan

As part of your business continuity plan, you’ll need a written information security plan (WISP), which also happens to be a requirement of many regulatory bodies, especially for businesses who contract or subcontract with the government and financial institutions. While government regulations vary from state to state and with the federal government, in Massachusetts this written document should contain, “certain minimum administrative, technical, and physical safeguards to protect” personal information such as names, driver’s license numbers, social security numbers, and financial account numbers. You’ll need to check with both your state and federal government to determine which regulations impact you as well as any industry-specific regulations. This is another place a CISO or third-party IT vendor can help.

Your WISP should designate an individual responsible for maintaining your IT program. This may be a business owner, CISO, or even a trusted advisor such as ORAM. It will also need to identify any reasonably foreseeable data security risks as well as protect and restrict access to electronic data that may include personal information for your employees and/or clients. This plan should also outline the oversight of third-party service providers and ensure those providers comply with local, state, federal, and industry regulations as well.

Because your business and its processes, risks, and procedures are unique, your WISP will be very specific to your organization. It cannot effectively protect you from culpability in the event of a breach or loss if it doesn’t address the particular risks of your company or if it includes practices that have not been put into practice in your business. Through coordination with your IT team and/or third-party IT vendor, you will need to identify “reasonably foreseeable risks” to ensure your WISP includes the practices your business adheres to.

In addition to IT functionality, your WISP will also address the non-technical operations that will still need to work in a disaster situation to keep your business moving forward. For example, it might address the accounting measures you have in place to keep employees and bills paid and clients invoiced if the worse should happen.

What Crisis Looks Like

Stolen laptops, lost cell phones, and an employee clicking on a phishing email that infects your entire network. These are all crisis that can and often do occur in the business world. Think of all the critical information that can be lost, stolen, or even held ransom. What do you do and who do you talk to? This is where planning ahead and having a WISP helps. It will outline how to respond to a variety of incidents.

Lost your company cell? Your WISP will inform you of who to call to wipe the lost phone and deactivate it before serious damage can be done. Did your organization experience a data breach? Your WISP will have identified a data backup plan so that nothing is completely lost. Has a virus made accessing email impossible? Your WISP will have determined if your email is stored locally, in the cloud, or both to decide how to get it up and running again fast. This thinking ahead with recommendations by your IT team or third-party vendor will help ensure you have continued access to business email which is the lifeblood of most commerce today.

Recovering from Incidents

One of the best things your WISP will do is outline policies and procedures for how to react and recover in a crisis situations. Regardless of the disaster that strikes, your WISP will point you to who to contact and how to react. Part of your WISP will address incident response and crisis management to minimize the impact when things do go awry, as they inevitably do.

Incident response and crisis management involves having the ability to maintain critical business functions during a disaster scenario. It also encompasses having plans in place for a rapid recovery from catastrophic incidents. If your business were to experience a flood, fire, or data breach today, would it be able to recover quickly and efficiently? Business continuity is all about having a plan in place that expects the unexpected and is prepared to handle it.

When it comes to IT and business continuity, the big question is, “How do you operate tomorrow?” If you don’t know the answer, it’s time to get a plan in place starting with an evaluation of the foreseeable risks your organization may face and a WISP to address them. Think of it as an insurance plan that also helps your business with regulatory compliance. When disaster strikes, your business’s IT team, CISO, or third-party IT vendor should have already given you advice. Hopefully, you have followed it. Then you know who you can call when things go wrong so they can tell you how to react to keep your business moving full-steam ahead.

If your company or organization needs assistance with risk assessment, developing a WISP, and planning for business continuity, call the trusted advisors at ORAM today at (617) 933-5060 or visit us online. Our experienced professionals are here to help and we are dedicated to partnering with small businesses to assist them in achieving success.

The Modern Office and End User Support: What it is and how it can help your business

February 21, 2019 by securewebsite

End-user support is an information technology (IT) term that is often used in business yet many people don’t understand what all it entails. Furthermore, business leaders don’t know how end user support can improve the productivity of their company. Here we take a look at what end-user support is and how it can keep your business moving forward.

What is an End User?
First, we must tackle what an end user is. Anyone who uses a particular product or program, typically your employees, is an end user. Think about the desktops, laptops, tablets, software, and even cell phones used by your employees to conduct business and fulfill their duties. They are the end users of your business IT.

Why Might End Users Need Support?
Whenever a new employee is onboarded, they need to be made a user so they can access the hardware, programs, and information within a company so they may perform their work. This means they need to be set up with a company email, account access, file access, and cybersecurity training that is specific to your organization.

In addition, employees will sometimes have trouble using the hardware and programs your business has purchased in order to operate. That can mean a computer with a virus, a laptop attacked by malware, or simply a program missing a necessary patch or update. While your employees may be great at what they do, not everyone is an IT expert. They may need help addressing issues from configuration to spam filtering in their business email.

Whether you have a small company without an IT department of its own or your business is a large one with an IT department is overwhelmed, these issues all must be addressed. When new employees are waiting to be onboarded or existing employees have hit the proverbial IT wall, they cannot work until these issues are resolved. That means downtime and a loss of productivity which negatively impacts your organization’s bottom line. That’s where outsourcing to IT specialists like those at ORAM can really assist your company.

What Does End User Support Look Like?
End-user support is about providing immediate, ongoing assistance whenever your employees need IT help. Think about having all email, account access, and training ready for new employees the minute they walk in the door on their first day. Imagine running into a snag with your email and being able to simply pick up the phone to fix the problem right away. Consider never having to worry about program updates or patches because they are applied automatically before you even get to the office. All of these very real IT issues are covered by end-user support.

The goal of end-user support is to provide businesses with the “modern office.” That means keeping end users productive and moving at all times. The question then becomes how does end-user support keep your business moving? In football terms, end-user support is like a lineman running in front of a running back to keep him protected and clear the path so he can do his job of advancing the ball. End-user support ensures issues with security, network connectivity, and active threats are held at bay. It also ensures your network is as reliable as possible, keeps up with patches, and hardware needs are covered.

With end-user support, your employees will have the tools to be continuously productive with little to no downtime. In addition, you will have the security of knowing those tools are also being used in a responsible, compliant, and efficient manner. Regardless of the size of your business, end-user support can help you manage your ongoing IT needs without sacrificing uptime, connectivity, or cost. Depending on which IT company you work with, your end user support may include:

• Antivirus Management and Support
• Configuration Services
• Hardware and O/S Maintenance
• Performance Monitoring
• Mobile Device Support
• Patch and Update Management
• Onsite Desktop and Laptop Support Services
• Incident Management and Resolution
• Priority Response Level and Problem Management
• Self-Service Knowledge Base
• User Account Administration
• Policy Management
• Email Content and Spam Filtering
• Encryption Services

Who Offers End User Support?
End-user support can be handled internally by your IT employee(s) if you have them and they aren’t completely overwhelmed themselves. The other option is to outsource your IT needs to a company like ORAM Corporate Advisors. Such IT professionals can work in tandem with your existing IT employees or can work in place of hiring your own IT staff.

Without the cost of hiring internal IT staff or additional staff, your network can be secure and running efficiently at all times through end user support. You won’t have to pay for support until you need it and help requests can be managed and resolved quickly and easily. Your business will also have all of the tools it needs to be continuously productive while achieving regulatory compliance.

If you need more information about end-user support, please contact ORAM anytime at (617) 933-5060. We can even schedule a free initial consultation to review your end user support needs. Our IT specialists are always available to answer your questions and help you when your business needs it most.

Cybersecurity Awareness Training: How proper training can turn employees into your best security asset

August 10, 2018 by securewebsite

Cybersecurity has become a major focus for business leaders today and rightly so with the number of major data breaches on the rise. Just look at the number of breaches in the first six months of 2018 from an infiltration of U.S. power companies by Russian hackers to 150 million users of Under Armour’s MyFitnessPal app having their personal data stolen. The threat to today’s businesses is very real but employees can be a business’s best security resource if properly trained.

The report, Magic Quadrant for Security Awareness Computer-Based Training, by Garner, a leading computer trends analyst, reported, “People impact security outcomes much more than any technology, policy, or process. People play an undeniable role in an organization’s overall security and risk posture. This role is defined by both inherent strengths and weaknesses: People’s ability to learn and their capacity for error.”

The Human Factor
Human error leads to breaches all the time. Whether an unsuspecting employee in your business clicks on a phishing link that exposes your entire network to a malicious virus or someone misplaces a phone, tablet, or laptop with unsecured access to proprietary data, human error can lead to big security problems.

Study after study shows the largest threat to any business, by far, is the people who work there. The 2018 Data Breach Investigations Report by Verizon shows malicious employees were responsible for 28 percent of attacks. In addition, the same report revealed human error was responsible for another 17 percent (or nearly one in five) breaches studied in the report.

Though these types of statistics show the desperate need for ongoing, repetitive, and engaging cybersecurity awareness training, many business leaders fail to see its importance and value.

Terrible Training Stats
Employees should be the first layer of security for every business but the fact of the matter is they have become the largest threat to business security today in major part due to a lack of proper cybersecurity awareness training. A report by SolarWinds MSP, Cybersecurity: Can Overconfidence Lead to an Extinction Event?, demonstrates that despite how important cybersecurity awareness training is, only 16 percent of respondents in the study considered it a priority.

An incredible 71 percent of companies studied in the SolarWinds investigation admitted to including such training only as part of the onboarding process or as a one-off annual event. Another 13 percent of organizations studied said that they offered no cybersecurity training to employees at all.

Why Training is Imperative
As mentioned earlier, breaches among businesses of all sizes are on the rise and the costs to remediate such attacks are also increasing. The FBI reported a 2,370 percent increase in exposed losses between January 2015 and December 2016. Additionally, a total of more than $5 billion was stolen from businesses in cyber theft between October 2013 and December 2016. That meant there was an average loss of $100,000 per incident and losses are projected to top $9 billion this year alone.

With this in mind, the primary goal of cyber security awareness training is to change the behavior of your employees so they are less susceptible to social engineering: Being manipulated, influenced, or deceived by someone to take action that isn’t in the best interest of your business. Some of the most common examples of social engineering attacks include phishing or spear-phishing by phone, email, postal service, or direct contact in order to trick people into doing something that will harm your company. You have the power to stop this by incorporating cybersecurity awareness training into your business before it’s too late.

When to Train?
The most-effective cybersecurity awareness training programs are ongoing. The first training for every employee should occur during the onboarding process. Thereafter, there should be frequent training opportunities and reminders, even if they are brief such as a once-a-month, computer-based training that only takes a few minutes.

Every employee should be offered a deeper training annually to update them on the latest threats to businesses in their industry and remind them of what they can do to help prevent attacks. There should also be additional trainings whenever a potential threat is identified or a cyber incident has occurred within the company so there are no repeat events.

What Should Be Covered?
One of the best ways companies can mitigate their cybersecurity risk is through proper training. The wrong way to approach training is as a once-a-year or semi-annual exercise where everyone is gathered for a training involving a long, boring PowerPoint presentation. This can feel more like a punishment for your busy employees rather than a valuable learning opportunity.

Not only should training be consistent with frequent, easy-to-follow training sessions, it should vary by topic and address the particular access to valuable data each employee has due to their individual role. Not everyone learns in the same way and not everyone needs to learn the same material.

Offer trainings aimed at specific roles taking into consideration how much access each has to valuable data and how they are most likely to be targeted by hackers. By offering interactive, role-based training in small, digestible portions with greater frequency, your employees will see it as valuable and easier to implement.

There should also be an emphasis on defeating social engineering attacks such as phishing emails that could lead to network-wide disaster. The aforementioned Verizon report determined that while 78 percent of people don’t click on a single phishing campaign all year, an average 4 percent of targets in any given phishing campaign will click it. Even more astonishing, it was found that the more phishing emails someone has clicked, the more likely they are to do so again.

Assess for Success
Cybersecurity training should also be assessed with frequent, short quizzes through training and reinforced through pen testing. This ensures employees absorb the valuable lessons being taught so they can act as the business’s first line of cyber defense.

How to Train
One of the most effective and more commonly used methods of cybersecurity awareness training being utilized by businesses today is interactive, computer-based training. It wields modern technology such as laptops, tablets, smartphones, and Internet of Things (IoT) devices to engage your employees in learning about the invaluable role they play in protecting your business.

“Showing a trainee how to recognize that out of nearly 20 types of files an email attachment could come in, the only one that is absolutely safe to open is a file ending in .txt can be a security game changer,” according to the whitepaper How to Fortify Your Organization’s Last Layer of Security- Your Employees. “Providing short, three- or four-question quizzes at regular intervals during a training module helps employees review and reinforce their understanding of particular training elements and can increase their trust in the impact the course is having and motivate them to complete it, thanks to congratulatory messages after each quiz.”

At the end of the day, human beings can become your best means of defense only when the proper security awareness training is employed. It can show them how they may be susceptible to social engineering, which is considered to be the single greatest security risk in the years to come, and that they can defeat it. Such training also demonstrates that you are willing to invest in them as much as you are in the technology they utilize each and every day. With such insight and education, your employees will feel empowered to protect the business you all are working so hard for.

If you need assistance with developing and implementing an effective cybersecurity awareness training program, contact Oram today at (617) 933-5060.