Letting an IT manager go, how do you do that?

One of the worst situations that you can be in is an acrimonious separation of an IT person from an organisation.

A bad separation, just like a bad divorce, can have a significant impact.

Large organisations have systems, policies, procedures and processes in place that protect the organisation. If followed, they protect the organisation well.

SMEs, on the other hand, have different problems.

We have come across smaller organisations that still have former staff members on the books with full administrator access to everything that is still being done in the organisation.

The problems this creates can be huge.

They have access to privileged accounts: accounts that can do anything in the organisation’s digital world.

Just a few ideas of what they can do!

  • They can steal your trade secrets and take them / sell them to your opposition.
  • They can steal your client list and use them for a number of bad things – competition, blackmail, sabotage.
  • They can cause software issues, lockouts and shutdowns.
  • They can lock legitimate users / all users out of the organisation.

Another problem!

In most cases the IT person is there because they know computers.   They were allocated the role when they joined and you may even have paid for some education and training packages to make them better.

This just puts them in the position of holding the keys to the kingdom.

If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinitely. An outsourced provider has the expertise to protect your organisation and is under contract to ensure your systems are safe.
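Whoever takes over needs a list of the logins a departed person can still use. The following is an added example, not part of the original post: it cross-checks an account export against the staff roster and also flags shared administrator logins whose password has not changed since the last administrator left. The CSV layouts, names, dates and group names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Group names treated as privileged (assumed; use your own directory's names).
PRIVILEGED = {"Domain Admins", "Administrators"}

# Constructed sample exports: one from the directory, one from HR/payroll.
ACCOUNTS = """username,owner,groups,enabled,password_changed
jbrown,Jane Brown,Domain Admins;Staff,yes,2023-02-10
mlee,Min Lee,Staff,yes,2024-01-15
tnguyen,Tom Nguyen,Staff,yes,2022-08-01
svc_backup,,Administrators,yes,2021-06-30
admin,,Domain Admins,yes,2024-05-20
okhan,Omar Khan,Domain Admins;Staff,yes,2024-04-02
"""
ROSTER = """name,role,end_date
Jane Brown,IT Manager,2024-03-29
Min Lee,Accounts,
Tom Nguyen,Sales,2023-11-30
Omar Khan,IT Support,
"""


def departure_date(roster, name, today):
    """Date the person left, date.min if HR has no record, None if employed."""
    row = roster.get(name)
    if row is None:
        return date.min
    if not row["end_date"]:
        return None
    left = date.fromisoformat(row["end_date"])
    return left if left <= today else None


def audit(accounts_csv, roster_csv, today):
    """Return sorted (severity, username, reason) findings."""
    roster = {r["name"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    accounts = list(csv.DictReader(io.StringIO(accounts_csv)))
    findings, last_admin_exit = [], None

    # Pass 1: personal accounts whose owner is no longer with the organisation.
    for acct in accounts:
        if not acct["owner"]:
            continue
        left = departure_date(roster, acct["owner"], today)
        if left is None:
            continue
        privileged = bool(set(acct["groups"].split(";")) & PRIVILEGED)
        known = today if left == date.min else left  # unknown exit: worst case
        if privileged and (last_admin_exit is None or known > last_admin_exit):
            last_admin_exit = known  # remembered even if the login is disabled
        if acct["enabled"] == "yes":
            when = "unknown to HR" if left == date.min else f"left {left}"
            findings.append(("HIGH" if privileged else "MEDIUM",
                             acct["username"], f"owner {when}, still enabled"))

    # Pass 2: shared admin logins whose password a departed admin still knows.
    for acct in accounts:
        if acct["owner"] or acct["enabled"] != "yes":
            continue
        if not set(acct["groups"].split(";")) & PRIVILEGED:
            continue
        changed = date.fromisoformat(acct["password_changed"])
        if last_admin_exit is not None and changed <= last_admin_exit:
            findings.append(("HIGH", acct["username"],
                             f"shared password unchanged since {changed}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, reason in audit(ACCOUNTS, ROSTER, date(2024, 6, 1)):
        print(f"{severity:6} {user:12} {reason}")
```
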

Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one in 3 sections of Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

(Video) What is Business Continuity?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –  Business Continuity

[Beginning of transcript]

Hello! My name is Roger and I’d like to talk to you about what is Business Continuity.

Business Continuity, along with disaster recovery, are looking at critical compartments and functions of the organization and make sure that they will continue to run if there’s an interruption to your business.

So, it counteracts business interruptions to a level where you know that if something is going to happen or something has happened, you will be in a situation where it will be a better problem day forward.

So, with the business continuity plan, you have to have solutions to problems and business continuity does solutions have to have an understanding of how they are going to impact the business of the organizations.

There are two main components of Business Continuity:

Your Recovery Point Objectives –which ones do you want to get up and running again and how fast you need to do that is called a Recovery Time Objective.

And those two components are what you should be looking at in the business to find out what is going to be good for your business and how fast you need things up and running.

But with that Business Continuity, there’s a lot of things. You have to understand that if you have a disaster and you need the business continuity plan or the business continuity has to come in to it, you need to know that you have to spend money to get back to where you were and who has the purse strings and how people access that money is part of business continuity.

Also, you need to have a compliance component. The compliance component makes sure that your business is up and running and protecting everything that it needs to protect your tasks.

Thank you very much.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

(Video) What is Business Continuity Planning

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –   what is Business Continuity Planning

[Beginning of transcript]

Hello. My name is Roger and today I’d like to talk to you about Business Continuity Planning.

So, What is Business Continuity Planning? Well, that is making sure that if something happens to your business, that the business is going to continue as business as normal or if something has happened and it has a detrimental effect on you, how far or how long is it going to take before you get back to business-as-usual.

Today in business continuity plan, you have to have an impact analysis of what risks and mitigate those risks to make sure that you have the best in place of things if things go wrong that they could recover from.

So, you need to have your Recovery Time Objectives – what is critical to the business, how fast does it need to be backed-up? If something fouls and it is critical to the business, can it be done at all? And if it does go down, what are you going to do about it?

But also, you need to do a risk assessment and this is all about risk. You’re looking at the risks of the business and making sure that you are taking overly-expectant consideration in making decisions based on those facts. If you need email to work all the time, then that is a business continuity consideration. If you need your database to be accessible at all times for the website, then that is a business continuity assessment. And then you have to mitigate all those risks to put systems in place so that your business continues no matter what.

So if you have an on-site website server and your internet goes down, then you lost a large component of your business. So how do you make sure that doesn’t happen? Well, you have to download systems or you move your server, you move your website to a cloud or to a cloud-server or to a hosted system. But on top of that, you have to also keep monitoring and testing to make sure that if things are changing, how do we make sure that business continuity is changing with them. And if we add things or remove things, we have to change the plan to make sure that we are no longer consuming the old technology and we are now using the new technology.

Thank you very much.

[End of transcript]

(Video) How can the Cloud be a better way of doing business?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –  How the cloud can be a better way of doing business.

[Beginning of transcript]

Hello. My name is Roger and today I’d like to talk to you about How the cloud can be a better way of doing business.

We all heard about the cloud. It’s a case of we demand move a capital expense on hardware and software to an operation expense where we are only paying for the use of systems. And because we’re doing that, it’s now a lot more cost-effective to use the cloud to do what we need to do.

It’s not going to cost me $25,000 to set up a server, it’s going to cost me $500 a month. And if you think about $500 a month could be expensive, so you look around for cheaper ways of doing things. But also, the cloud makes it convenient.

I consider the café down the road and I can pay my bills or I can transfer money to my employees or I can buy stuff. And that makes it really convenient for me as a business owner to be able to do anything I want.

And that is one of the reasons why the cloud is becoming a better way in doing business because it is cost effective and it is convenient. And those two things are really important to any small business.

Thank you.

[End of transcript]

(Video) How to create a Business Continuity Plan

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –   How to create a Business Continuity Plan

[Beginning of transcript]

Hello. My name is Roger and today I’d talk about creating a Business Continuity Plan.

Now, Business Continuity Plan is really important for any business going forward but it has a 5-point life cycle and that life cycle is used to make sure that you are always up-to-date with your business continuity. So the first thing that we have to look at is what risks are in the business and what risks will impact the business to stop it from going forward and continuing to do business.

We don’t have to design a solution around what those risks are and then we have to implement those designed systems to make sure that we are looking at how things are going to run and how things are going to be at a business continuing level.

From there, we need to test it. Now, testing can be one of two things. One of the two things is you can do a hypothetic ‘what happens if this happens?’ Will these things be in place and that’s great. Or you can do it physically – turn off something. What happens if I turn off this? Oh no, that’s broken.

And then from there, we can maintain it. And that maintenance then looks at all of the new additional components that we bring into the business as we go forward as a business. So, new technology – better business continuity.

But going back to the analysis, we have to look at business impact statement – what systems impact the business the most? What is the most critical part of the business? What is the biggest threat and how do we analyze that threat to make sure it is all right. And then, once we’re done with that, we need to go, well, if we’ll lose this, what requirements are we required to recover from that problem?

We need to have a business continuity plan for security for ourselves and we also need to put into account as an individual business what components could go well to that plan. And with every organization, it will be different. You might have two problems but they might have different requirements to make sure that they have business continuity and their business continues no matter what.

Thank you very much.

[End of transcript]

Two attitudes to cybercrime that have to change!

There has been a large amount of discussion on why cybersecurity is important to all Organisations.    No matter your size or your focus we are all targets of cyber criminals.  The biggest and hardest thing to do is convince small and medium businesses and not for profit Organisations that cybercrime is in fact rampant in the digital world.

I often hear “we are too small to be a target”, “it will not happen to me” and “we have nothing worth stealing”. These are classic examples of the SME mentality when it comes to cybercrime.

Recently I came across two more reasons that SMEs are not taking the dangers of cybercrime seriously.

We make hammers

I was recently talking to a small hardware retailer at a networking function.   When I explained to him what we did – educate and protect Organisations against cybercrime to build business resilience – his comment was

“Why should I worry about that, all I do is sell hammers”.

This is a major flaw in the SME business world. Organisations forget that no matter what we do, how we do it and how we make money, we do it in the digital world. Protecting your digital assets is just as important as using them for the business.

The digital world is cost effective and convenient.   We use it for everything – sales, marketing, communication, accounting.   Connecting to the digital world = target.

Being targeted simply because they are connected does not seem to enter most business minds. We take enormous care to make sure that we cannot be robbed in the real world, yet we are blasé about our digital assets.

We are all citizens of the digital world;

  • Using the digital world = target!
  • Connecting to the digital world = target!
  • Being a member of the digital world = target!

You may sell hammers, or build patios, or run electrical cable, or dig holes, we all still have systems in place that are connected to the digital world.

How do you communicate – email, social media!

How do you bill your clients – accounting package or cloud based system!

What else is your smart device used for – online banking, looking for information?

Each one of those systems, in today’s world, is a target.

Make sure you protect it!

Practice your recovery

If disaster struck, would you survive?

One of the largest problems as a managed services provider is that we can do everything that is required of us.   We can create disaster recovery plans, business continuity plans or install backup solutions.   We know that they will work and will protect the organisation.   But how do we prove that?

If the C level, board or management levels are not interested then it is a total waste of time.   There is an advert for a mattress company that goes “a 50% saving on a bed that is not right for you is a 100% waste of money”. The same is true of an untested disaster plan.

A DR plan, BC plan or backup is a total waste of time if:

  • It is not tested
  • The right systems are not included in the plans
  • No one knows what to do
  • No one is willing to invest time and money in the outcomes

Where you do not want to be is the position where the first and only test is when a disaster happens. That will bring you a world of pain.

The only way to confirm that your plans are going to work is to see what happens if the systems are turned off.

Try it sometime.

It will definitely show you what you can expect in the aftermath of a cyberattack, a natural disaster or just a failed hard drive.

Managing the risk of a cyber-attack is very important to all SMEs. If you have a digital component, it is a risk to your business. Make sure you mitigate that risk to a level that you are happy with.

Winging it and no plan are not alternatives.

There are so many stories about organisations that did not have backup, did not have DR or BC plans, or thought that they did not have to worry about digital security.

Most of them are now out of business.


(Video) How playing a game can improve your DR

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses how playing a game can improve your DR process

Hi. My name is Roger. Today I’d like to talk to you about how playing a game can improve your disaster recovery. Disaster recovery is understanding what your business is going to do when everything goes catastrophic. So what are you going to do when building winds down? What you are going to do if flood waters come through? What happens if you get a cyber attack and they take out your main systems?

So disaster recovery is really important because it makes sure that you have the plan to go forward and go onto your business continuity and make sure everything works. But how do you test it? You don’t want to be in a situation where the first test that you do of your disaster recovery is when the flood water is flowing in under the door. Because that is not a place to be. And I can tell you it’s an experience that I wouldn’t wish on my worst enemy. So how do we test it? One of the ways we can test it and have an impact on the business is to actually physically do it. [Indiscernible 00:01:12]. What’s everybody going to do when everyone’s running around in circles? That is not a really good and economical way of testing a disaster recovery. And disaster recovery needs to be tested regularly. Once every six months, once every three months, once every year minimum. So it needs to be done. But you don’t want to take everybody out of the loop and make sure that they literally stop working. If you stop working, all of that money, all of the revenue these people are generating is just going out the window. So what you need to do? Well, one of the things we’ve come up with is you play a game. You pick all your primary people around a table in a boardroom and you go [Indiscernible 00:02:00] and he will say, okay you’ve lost this.

Now what is your business disaster recovery system going to make sure that you can do about that? Is the back up in place? Where is the back up? Who’s got the back up? Is the backup [Indiscernible 00:02:18]. So let’s take out the server. The server has what? What are you guys going to do if you don’t have Exchange? Office 365, you just take an internet connection.

What are you going to do now? That is what disaster recovery is all about. By finding out how you react to those cards [Indiscernible 00:02:43] will then you will find holes that you can resolve and make sure that when the real problem happens, when flood comes underneath the door, did you have a solution in place that is going to go, turn that off, pick it up and move it over there, hand it in, turn it off and off you go. Because that is your disaster recovery plan. So if you want to have a decent disaster recovery plan without using a revenue usually involved in testing it, then please contact us, we will quite happily come on the [Indiscernible 00:03:21] and make sure that you can do it. Thank you very much.

[End of transcript]

 

(Video) Business Continuity for SMBs

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses the need for small and medium business to have some level of business continuity plan

Hi. My name is Roger and today I would like to talk to you about business continuity for small business. What is business continuity? Well business continuity is making sure that if something does happen to your business then you have a good platform to be able to continue doing business.

And there’s a number of things that make business continuity, or BC as we call it, profitable for your business as well. Now, business continuity is based on things like what happens if we have another cyclone like the hurricane like Sandy? Or we have a similar tropical storm like the one that wiped out the Pacific area recently.

Now those are things that have a continuity component to make sure your business is capable if something happens. But what happens if the small thing happens? Your marketing manager wins a lottery and [Indiscernible 00:01:08] not playing anymore.

Okay so you just lost your marketing manager. How much of an impact is that going to have on your business? And that impact on your business is going to be pretty quickly.

So the first thing when it comes to business continuity is you need a plan. You need a plan that sets out the things that you consider are really important. Natural disaster – this is what we do. Marketing manager wins lottery – this is what we do. And by making sure that the business continuity from point of your business is secure and set up properly.

You know that if the marketing manager wins a lottery and moves out, the assistant marketing manager knows not only what he does, he knows how it’s done and why it’s done and who he’s talking to. That is part of your business continuity.

But a business continuity plan has to be written down. It has to be one page to 150 pages. It has to specify what you are going to do because if you don’t do that, a) you haven’t thought it through so you’re playing it badly on the wing at the time which is not a good place to be, and b) it needs to be written down so everybody knows what they have to do.

As I said, marketing manager walks out, assistant marketing manager knows the role. CIO walks out, IT manager takes over. That is part of the business continuity. But because you are doing that you are also increasing the resilience in your business.

The business resilience then becomes a very important component of how you are going to go forward. So business continuity for small business, very important. And it’s something that you’ll need to take to the next level by having a proper plan.

Thank you.

[End of transcript]

 

A one man band, why you should worry about cybercrime?

This post is addressed to all of those small businesses, the businesses who have an email account, a laptop, an accounting package, a couple of smart phones and tablets and a desire to utilise them to their best. So I am talking to Tradies, Mom and Pop businesses, small sub-contracting businesses and micro businesses.

Welcome to the digital world and it is nothing like the real world.   The digital world can be and is a very dangerous place.   The criminals only have to get their attack right once to win.   We have to protect ourselves and your information all the time.

Most cybercrime attacks in the digital world use malware to target all connections to the internet through automated systems.   These automated systems make up 85% of attacks and they are happening all of the time.     18 computers/devices get compromised every second through these automated systems and although they may not have anything of importance on them the actual hardware can be used to target others on the Internet.   This in the long run costs you money in traffic or reputation.

Here is the best way to protect yourself:

Passwords

Every password that you use has to have the following features:

  • It has to be more than 8 characters long,
  • use numbers, letters and symbols and
  • be unique for every web site or location where you need a password.

Your email account holds the keys to your kingdom; if you lose access to it then you are in very big trouble.

Using cloud technology

Cloud technology has come a long way in the last 3 years.   In a business sense we can now do a large amount, if not all, of our business in the cloud.   From cloud based CRM for client management to accounting software for billing and invoicing.   From web based email to project management for managing projects they are all there in the cloud.

The good thing about the cloud is that most of the products are accessed through a web browser and can be accessed from any system that has browser capability. Although the underlying platform’s security is managed by the vendor, it is the user’s responsibility to have a secure password to ensure that no one else can access the information.

Bank accounts and credit cards.

There are so many ways that a criminal can gain access to your bank accounts.   A key logger through a virus or malware.   A RAT (remote access Trojan) that can actually take over your digital device and do whatever it is programmed to do.

But the bank accounts are not the only problem.   Pay wave is becoming a target for criminals, to a level where an RFID scanner can access your credit card, in your wallet, from 30 feet away.

End point protection

All devices that have a connection to the Internet have to have some sort of personal protection. You can go with a licensed copy of an anti-virus or you can go with a free system; no matter what, they have to be protected at all times. We recommend the free AV FortiClient, as it does most of the things that you need.

In addition to real-time protection you also need to do a regular scan of the whole system.

Patching

How annoying is it when the system comes up and tells you that it has updates to apply? This is a good thing. The systems are updating code that has been found to have errors or inaccuracies in it that will allow an attacker to gain full control of your machine, phone or tablet. These errors are what malicious code targets through viruses and worms.

All systems use subsystems like Java and Adobe and these are also regularly updated by their manufacturers.

Backing up / business continuity

Even when you think that nothing can go wrong, that is when something does. With all your information in the cloud (email, accounts, CRM or project management), what happens if you can no longer access your information? How long will your business last without email, or the ability to invoice clients?

This is why some level of backup, disaster recovery and business continuity is required. Thinking through what your business will look like and how it will work if this happened is very important for the everyday operations of the business.

When it comes to cyber and digital security, what happens if you get a virus from an email on your laptop, or visit a website and get a malware infection on your smart device?   Where is a copy of your schedule, or your contacts?   This is why you need some level of backup.

Paranoia and awareness

Have I instilled a little bit of paranoia in you yet? To tell you the truth, that is good. On the Internet everyone is targeting you, so in fact you are not actually paranoid, just being very aware.

Small operations have enough to worry about when it comes to business. Being aware that cybercrime is a legitimate threat to that business is important. Being aware of the problem means you will make additional decisions based on those threats.


Business continuity is not just backup and redundancy

In all SMEs there is always the fight over business continuity, disaster recovery and business resilience. The usual arguments are based around cost and what you actually get for your money.

One of the areas that is seldom thought about is historical data. If something happens, how can you roll back that database, get a copy of that old deleted email, or get a copy of a very important spreadsheet from 6 weeks ago or, more difficult still, 6 months ago?

Some disaster recovery systems are based only on duplicating the data to an off-site location. This is normally a regular process of writing over the old copy, just so that the organisation has an up-to-date copy of the data. Copying data to a USB drive or an external hard drive is great if all you are interested in is the ability to recover if the building burns down.

This fails when someone has been using the test database to input real data, when the financial information has been compromised and you need to go back and dissect the information from old backups, or when you have been infected with a virus and do not know when it started. When that happens, that off-site DR copy is not going to help.

Not every SME is in this position, but a high proportion do not have a way to look at old information or the capability to bring it back into the business. Without this capability your business could suffer substantially. For a busy office doing 200 transactions a day, rebuilding the accounting information could take days, not the type of problem that a business would like to face.

That is when you need a proper backup system, one that takes regular snapshots of your data and keeps that information in a different backup stream.
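The difference between an overwritten copy and a snapshot history can be checked before you need it. This is an added example, not from the original post or any product: it compares a mirror with daily snapshots thinned to 7 daily, 5 weekly and 12 monthly copies (an assumed policy, with constructed dates) and reports the newest copy available from 6 weeks and 6 months back.

```python
from datetime import date, timedelta


def mirror_retained(today):
    """An overwrite-in-place copy only ever holds the most recent state."""
    return {today}


def snapshot_retained(today, first_backup, daily=7, weekly=5, monthly=12):
    """Dates kept when a snapshot is taken every day and then thinned out.

    Keeps the newest `daily` snapshots, the newest `weekly` Sunday snapshots
    and the newest `monthly` first-of-month snapshots (assumed policy).
    """
    span = (today - first_backup).days
    days = [today - timedelta(days=n) for n in range(span + 1)]  # newest first
    keep = set(days[:daily])
    keep.update([d for d in days if d.weekday() == 6][:weekly])
    keep.update([d for d in days if d.day == 1][:monthly])
    return keep


def restore_point(retained, wanted):
    """Newest retained copy taken on or before `wanted`, or None if none."""
    older = [d for d in retained if d <= wanted]
    return max(older) if older else None


def report(today, first_backup, **policy):
    """Compare both strategies for the 6-week and 6-month cases in the post."""
    strategies = {
        "mirror": mirror_retained(today),
        "snapshots": snapshot_retained(today, first_backup, **policy),
    }
    rows = []
    for label, age in (("6 weeks", 42), ("6 months", 182)):
        wanted = today - timedelta(days=age)
        for name, kept in strategies.items():
            point = restore_point(kept, wanted)
            gap = None if point is None else (wanted - point).days
            rows.append((label, name, point, gap))
    return rows


if __name__ == "__main__":
    # Constructed dates: a year of daily backups ending on 28 June 2024.
    for label, name, point, gap in report(date(2024, 6, 28), date(2023, 6, 1)):
        outcome = "no copy that old" if point is None else f"{point} ({gap} days earlier)"
        print(f"{label:9} {name:10} {outcome}")
```

With this policy the 6-week request falls just past the weekly copies and lands on a monthly one 16 days older than wanted; keeping 8 weeklies instead narrows that to 5 days.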

There are a number of products on the market that do this, but all of them have a cost. Just get one that suits your business,