The story I am about to tell is true and arguably the worst nightmare in business. Please do not let this happen to you.
Calls were coming in from customers and internal staff alike. No one could access the servers and everyone’s computer had a strange message on it. Every machine in the entire company had the same message. It was a vicious ransomware attack. The initial demand was 50 bitcoins (~$500k at the time) in exchange for the codes to restore the computers. The culprit had a history of rarely providing the codes after payment was made. They just extorted more until all the money was gone. To make matters even worse, backup tapes did not exist. The only backups were on hard drives and they were infected too. The company was out of business. Then a stroke of pure luck, or divine intervention, happened. A single server was found with settings that thwarted the attack. It had enough data to rebuild the database, restore the business, and save the company. Disaster averted. Imagine your entire business going away in an instant because of technology. It is not “if” something like this will happen to you, but “when” and to what severity. Regardless of the industry your company is in, there are some technology fundamentals that need to be in place to ensure you are prepared and able to capitalize on growth.
Technology “Insurance Policy” There are two fundamentals that must be adhered to at all costs, data backup and recovery validation. Without going into too much detail, you must have a solid data backup plan in place. These have been around for decades and are relatively easy to implement. Basically, you take a full backup of your data from the servers/computers and store it in a secure, remote location. These could be on old-fashioned tapes, hard drives, or even newer cloud-based backup services like Backblaze. They must be away from the office and very secure. At a minimum, this allows you to restore your business to that single point in time. They also need to be secure enough that a hurricane, tornado, flood, terrorist attack, or any other event cannot take out both the offices and the backup. Once you have the initial backup, you then create “incremental” backups on a periodic basis (weekly, daily, hourly, or less). This depends on your risk tolerance. How much data can you afford to be without if something happens? The goal is to ensure that if something really bad occurs, you have the backups to restore the business. This process is a step in what’s called a Disaster Recovery plan. Depending on the size of your business and requirements, this plan could be a couple of pages of notes or an entire book. Research DR plans and educate yourself.
Best Laid Plans Often Fail – Test! The second most important step is to test the recovery process. Can you truly rebuild your technology and data if something bad does happen? The only way to know is to test it. This should happen at least twice a year. If the data is on backup tapes and hard drives, have the IT staff rebuild the server(s) from scratch using the backups. How long does it take? Does it work properly when restored? Does the process support your business? If the results are not sufficient for you, invest in a consultant that can help you. There are advanced technologies and cloud-based solutions out there that can shorten the backup and recovery times significantly. You can even have “hot” sites setup that are mirror images of your current environment that can be brought to life in minutes. Your technology downtime from a total destruction of your office could be minutes or even less if you need that kind of service. If you are unsure how important this is compared to your other priorities, re-read the opening story.
Data Security and Privacy Now that you have a process to backup and restore your data, let’s move on to the next most important step, data security and privacy. Ask yourself this….if your competitor got a copy of your email system, servers, and financial data, how much harm could they do? Major damage I would guess. If a hacker got access to your data and your client’s data, now you’re in a catastrophic situation. Many industries have guidelines around data security and privacy that you need to adhere to. Healthcare has HIPAA. Then there are government imposed requirements like Privacy Shield, Patriot Act, and GDPR. Many companies have guidelines they expect you to follow if you want to do business with them. They may include data encryption, SOC 2 compliance, and on and on. Educate yourself on the rules based upon your industry. At a minimum, there are some basics you can put into place.
Firewall and Router – firewalls, routers, and switches all help control and direct traffic to and from your network and the internet. Make sure they are a sufficiently current model and are updated with the latest software versions. These are the first line of defense against hackers getting into your systems. They should all have strong password protection with filtering tools to block the bad guys. Email Monitoring – many viruses, malware, and hacker attacks are initiated from emails that were inadvertently opened because they look real. An email security monitoring service knows what to look for within the emails and can block them before they ever make it to the end users. These come in cloud-based, server, or software tools depending on your level of requirement. Desktop protection – All desktops should be running anti-virus software like Symantec, AVG, etc. Depending on the level of protection, they can monitor for other less common virus, phishing, or malware attacks. Make sure they are updated automatically (or near so) as new waves of attacks can happen quickly. IP Leakage – I also recommend tools/processes to monitor for intellectual property leakage. The greatest single threat of intellectual property loss is not your competitors or hackers, it is your employees. Employees email work to themselves at home or place company related items on a network drive for remote access. Some even store login and password information at home. While they may have good intent, doing this can create a major security risk. For many corporations today, the biggest concern is not that a hacker breaks into their highly sophisticated computer network but accesses their system through less secure means (i.e. vendor portals, remote access by contractors, etc.). For a determined hacker today, it is so much easier to hack into someone’s home computer and get highly sensitive data along with everything you need (i.e. login and password) to access their work email.
Employee Training is a Must! The best defense against security and privacy issues is a well-educated team of employees. Hold training at least annually on data security and privacy best practices. Give real examples of how violations can occur (i.e. writing down login and password on a sticky note on your monitor) and what the impact would be. Make it fun but real for them. This is your data and livelihood! Balance Internal and Contract Resources The amount of knowledge and work to be done around technology, data privacy and security, can be overwhelming. Especially for a small or medium sized company looking to grow and needing funds elsewhere. I recommend a balance of internal and contract resources. There are companies out there that will manage all your internal computers and network to make sure they are current with the latest security technologies. The cost is very reasonable and less than what you would pay full time employees. When you start getting into the sophisticated configuration of network equipment, consider outsourcing that as well. It can get very complex and cause problems if not done right. I do recommend investing in internal resources with training and knowledge to effectively oversee the vendors. This should not be someone that just knows PC software but someone that is trained and certified in network and security. Do not skimp. Pay for them to go to ongoing training courses so they can stay current. If you are not tech savvy, do not rely solely on your staff to interview and qualify them. Hire a firm to help with technical interviewing. Hold this person responsible and treat them well enough that they stick around.
Summary Preparing a company for growth means getting it ready for more employees, higher scalability, more things happening at once. This imposes a significant risk as more cooks are in the kitchen and more people have access to your prized data. The items discussed in this article are baseline items you need to address to ensure the protection of your company when rapid growth begins. If you wait until after the growth starts, you will forever be behind and playing catchup (although one could argue with technology you are always behind).