Letting an IT manager go, how do you do that?

One of the worst situations that you can be in is the acrimonious separation of an IT person from an organisation.

A bad separation, just like a bad divorce, can have a significant impact.

Large organisations have systems, policies, procedures and processes in place that protect the organisation, when they are used of course. If followed, they protect the organisation well.

SMEs, on the other hand, have different problems.

We have come across smaller organisations that still have former staff members on the books with full administrator access to everything that is still being done in the organisation.

The problems this creates can be huge.

They have access to privileged accounts: accounts that can do anything in the organisation’s digital world.

Just a few ideas of what they can do!

  • They can steal your trade secrets and take them / sell them to your opposition.
  • They can steal your client list and use it for a number of bad things – competition, blackmail, sabotage.
  • They can cause software issues, lockouts and shutdowns.
  • They can lock legitimate users / all users out of the organisation.

Another problem!

In most cases the IT person is there because they know computers.   They were allocated the role when they joined and you may even have paid for some education and training packages to make them better.

This just puts them in the position of holding the keys to the kingdom.

If you are going to remove an IT person from your organisation, the best thing you can do is outsource your IT, for a short time or indefinitely. An outsourced provider has the expertise to protect your organisation and is under contract to ensure your systems are safe.

Roger Smith is a highly respected expert in the fields of cybercrime and business security and is a Lecturer at ADFA (UNSW – Australian Centre of Cybersecurity) on Cybercrime, Cybersecurity and the hacking techniques used by the digital criminal.
He is an Amazon #1 selling author on Cybercrime with his best selling book, Cybercrime a clear and present danger, going to number one in 3 sections of Amazon.   
He is the primary presenter for the Business Security Intensive (BSI) and author of the Digital Security Toolbox which is given away for free at the BSI.   He is a speaker, author, teacher and educator on Cybercrime and an expert on how to protect yourself, your staff, your clients and your intellectual property from the digital world.

17 reasons why we should be listening to the digital security expert

The same way that we listen to accountants, solicitors and motor mechanics, the digital security expert has an important role to play in supporting your organisation.

Digital security is becoming one of the most important areas of modern business.

For some reason we believe technology in business is easy.  So easy in fact, that we just install it and forget about it.

Anyone can do it.

Like other professions what you do and what you can do are total opposites.  An accountant, for instance, can make you more money by legally changing your tax requirements, or a solicitor can get you a reduced fine or jail sentence better than you could if you were representing yourself.

So a digital security expert can make your organisation more secure because they have studied business and technology, but more importantly they have a better understanding of what the bad guys are doing.

Here are 17 ways that a digital security expert can make your organisation more secure:

  1. They study the bad guys – being a digital security expert is not about selling the next best thing (if there is such a thing).   Being a digital security expert is more about understanding your enemy.   The more you study the cybercriminal the better you get at predicting their next move and being able to be one step ahead.
  2. They keep abreast of what the bad guys are doing  – digital security experts use the same world that the cybercriminal uses to perpetrate their trade.   They are in the dark web, watching, recording and documenting what the bad guys are going to do next.
  3. They understand business requirements  – what most people do not understand is that the digital security expert has to understand business.   They have to understand marketing, management and cash flow.   They need this information to ensure the recommendations that they give to their clients will not impact their business, or have minimal impact on the way business functions.
  4. They understand technology  – in most cases a digital security expert is at the same level of technology understanding that the bad guys are.   To ensure that your business is not vulnerable to a cyber-attack they have to know the technology to ensure it is safe.
  5. There is no such thing as being too small to be a target – if you have a digital footprint (yes, we all have one), no matter how small, then you are automatically a target of cybercrime. If you have a smart device, an email address or an Internet connection then you are a target.
  6. There is no such thing as 100% secure – contrary to popular belief, there is no such thing as being totally secure. The digital world is ever changing, and so are the tactics, strategies and targets of the cybercriminal. There is always someone else out there who knows that little bit more.
  7. Everyone is a target – if you have a smart device, you are a target. If you have an email address, you are a target. If you have a web site, you are a target. The larger your digital footprint, the bigger the target you are, and the more your footprint will be targeted by the automated systems that are sold by the criminal gangs.
  8. Technology is not the only answer  – there are four components of being secure in the digital world.   Technology is one of them.   The other three are management, adaptability and compliance.   All four components together make a more secure environment than just technology alone.
  9. People are your best defence – your staff and users can be either your best defence or your biggest problem. If you educate them in proper digital hygiene then you will not only get them to protect themselves; the flow-on effect is that they also protect your organisation.
  10. Complex, unique and long passwords are good for business  – we all hate these.   To access the digital world we need a username and password combination.   The more we rely on the digital world the more important these components are.   All passwords should always be complex (letters, numbers, symbols, capitals), more than 8 characters long and they have to be unique for each site.  That’s pretty easy isn’t it?
  11. Penetration testing will prove you have it right – penetration testing is one of the best ways to test your defences. Penetration testing should also be carried out across all components of the business, from websites to cloud infrastructure, from social media to smart devices. A contracted penetration tester should have carte blanche across the whole network. You are not on a witch hunt or targeting the IT department; you are finding holes in your organisation and finding ways to resolve the risks before you are compromised or hacked by the bad guy.
  12. Think when using social media – social media is great. It is also one of the best systems used for social engineering by the bad guys. Information that is posted to social media sites is there forever. Educate your staff about the dangers of social media. Put a social media process in place to ensure that trade secrets and intellectual property are not posted out there, and that each post is checked before going live. In the heated exchange of a social media discussion, think before posting.
  13. Get paranoid  – paranoia is the understanding that everyone is against you.   In the digital world this is truer than our normal world.   Does that make you paranoid? Not really but having the understanding that everyone in the digital world is out to get you makes you more secure.
  14. Use common sense  – everyone remembers the old Nigerian Prince scam, people are still getting caught by it.   There are a number of things to remember on the digital world – if it is free then it is not (you always have to give something to get something), if it’s free it could be infected with malware, if it’s free somewhere along the line you will have to pay a lot more than what you expected.   Using common sense to make that decision is critical.
  15. Email is a broadcast medium – we often forget that although email is targeted, sent specifically to individuals or groups of people, it can go astray. It could be sent to the wrong person via the email fields being filled in automatically. Email can also be forwarded, printed and scanned, and sent to people for whom it was not intended. Like all types of communication, be careful with email.
  16. Digital security is a whole of business endeavor  – we are constantly told that digital security is an IT problem.   No it’s not, it is a whole of business endeavor.   Everyone and every department has an impact and input on the digital security of the organisation.
  17. Have a mantra – I have a mantra: “digital security is my problem”. What that means is that I take personal responsibility for protecting myself and protecting others. The more people who change their attitude to this mantra, the more secure your organisation will be.

A digital security expert can and will make your business more secure and like any other profession, what they bring to the table is well above normal expectations.   Like accountants and solicitors their expertise can save you substantial amounts of money, sleepless nights and angst, just by them doing their job.

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME digital security framework.   He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.

 

(Video) What is Business Continuity?

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses –  Business Continuity

[Beginning of transcript]

Hello! My name is Roger and I’d like to talk to you about what is Business Continuity.

Business Continuity, along with disaster recovery, are looking at critical compartments and functions of the organization and make sure that they will continue to run if there’s an interruption to your business.

So, it counteracts business interruptions to a level where you know that if something is going to happen or something has happened, you will be in a situation where it will be a better problem day forward.

So, with the business continuity plan, you have to have solutions to problems and business continuity does solutions have to have an understanding of how they are going to impact the business of the organizations.

There are two main components of Business Continuity:

Your Recovery Point Objectives –which ones do you want to get up and running again and how fast you need to do that is called a Recovery Time Objective.

And those two components are what you should be looking at in the business to find out what is going to be good for your business and how fast you need things up and running.

But with that Business Continuity, there’s a lot of things. You have to understand that if you have a disaster and you need the business continuity plan or the business continuity has to come in to it, you need to know that you have to spend money to get back to where you were and who has the purse strings and how people access that money is part of business continuity.

Also, you need to have a compliance component. The compliance component make sure that your business is up and running and protecting everything that it needs to protect your tasks.

Thank you very much.

[End of transcript]

Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework.   Rapid Restart Appliance Creator.   He is a Speaker, Author, Teacher and Educator on cybercrime and how to protect yourself from the digital world. 

Two attitudes to cybercrime that have to change!

There has been a large amount of discussion on why cybersecurity is important to all Organisations.    No matter your size or your focus we are all targets of cyber criminals.  The biggest and hardest thing to do is convince small and medium businesses and not for profit Organisations that cybercrime is in fact rampant in the digital world.

I often hear, we are too small to be a target, it will not happen to me and we have nothing worth stealing.   These are classic examples of the SME’s mentality when it comes to cybercrime.

Recently I came across two more reasons that SMEs are not embracing the dangers of cybercrime.

We make hammers

I was recently talking to a small hardware retailer at a networking function.   When I explained to him what we did – educate and protect Organisations against cybercrime to build business resilience – his comment was

“Why should I worry about that, all I do is sell hammers”.

This is a major flaw in the SME business world. Organisations forget that no matter what they do, how they do it and how they make money, they do it in the digital world. Protecting your digital assets is just as important as using them for the business.

The digital world is cost effective and convenient.   We use it for everything – sales, marketing, communication, accounting.   Connecting to the digital world = target.

Being targeted because they are connected does not seem to enter into most business minds. We take enormous care to make sure that we cannot be robbed in the real world. We are blasé about our digital assets.

We are all citizens of the digital world;

  • Using the digital world = target!
  • Connecting to the digital world = target!
  • Being a member of the digital world = target!

You may sell hammers, or build patios, or run electrical cable, or dig holes, we all still have systems in place that are connected to the digital world.

How do you communicate – email, social media!

How do you bill your clients – accounting package or cloud based system!

What else is your smart device used for – online banking, looking for information.

Each one of those systems, in today’s world, is a target.

Make sure you protect it!

Practice your recovery

If disaster struck, would you survive?

One of the largest problems as a managed services provider is that we can do everything that is required of us.   We can create disaster recovery plans, business continuity plans or install backup solutions.   We know that they will work and will protect the organisation.   But how do we prove that?

If the C level, board or management levels are not interested then it is a total waste of time.   There is an advert for a mattress company that goes “a 50% saving on a bed that is not right for you is a 100% waste of money”. The same is true of an untested disaster plan.

A DR plan, BC plan or backup is a total waste of time if:

  • It is not tested
  • The right systems are not included in the plans
  • No one knows what to do
  • No one is willing to invest time and money in the outcomes

Where you do not want to be: the first and only test is when a disaster happens. That will bring you a world of pain.

The only way to confirm that your plans are going to work is to see what happens if the systems are turned off.

Try it sometime.

It will definitely show you what you can expect in the aftermath of a cyberattack, a natural disaster or just a failed hard drive.

Managing the risk of a cyber-attack is very important to all SMEs. If you have a digital component, it is a risk to your business. Make sure you mitigate that risk to a level that you are happy about.

Winging it and no plan are not alternatives.

There are so many stories about organisations that did not have backup, did not have DR or BC plans, or thought that they did not have to worry about digital security.

Most of them are now out of business.


(Video) Business Continuity for SMBs

Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses the need for small and medium business to have some level of business continuity plan

Hi. My name is Roger and today I would like to talk to you about business continuity for small business. What is business continuity? Well business continuity is making sure that if something does happen to your business then you have a good platform to be able to continue doing business.

And there’s a number of things that make business continuity, or BC as we call it, profitable for your business as well. Now, business continuity is based on things like what happens if we have another cyclone like the hurricane like Sandy? Or we have similar tropical storm like the one that wiped out the pacific area recently.

Now those are things that have a continuity component to make sure your business is capable if something happens. But what happens if the small thing happens? Your marketing manager wins a lottery and [Indiscernible 00:01:08] not playing anymore.

Okay so you just lost your marketing manager. How much of an impact is that going to have on your business? And that impact on your business is going to be pretty quickly.

So the first thing when it comes to business continuity is you need a plan. You need a plan that sets out the things that you consider are really important. Natural disaster – this is what we do. Marketing manager wins lottery – this is what we do. And by making sure that the business continuity from point of your business is secure and set up properly.

You know that if the marketing manager wins a lottery and moves out, the assistant marketing manager knows not only what he does, he knows how it’s done and why it’s done and who he’s talking to. That is part of your business continuity.

But a business continuity plan has to be written down. It has to be one page to 150 pages. It has to specify what you are going to do because if you don’t do that, a) you haven’t thought it through so you’re playing it badly on the wing at the time which is not a good place to be, and b) it needs to be written down so everybody knows what they have to do.

As I said, marketing manager walks out, assistant marketing manager knows the role. CIO walks out, IT manager takes over. That is part of the business continuity. But because you are doing that you are also increasing the resilience in your business.

The business resilience then becomes a very important component of how you are going to go forward. So business continuity for small business, very important. And it’s something that you’ll need to take to the next level by having a proper plan.

Thank you.

[End of transcript]

 

Business continuity is not just backup and redundancy

In all SMEs there is always the fight over business continuity, disaster recovery and business resilience. The usual arguments are based around cost and what you actually get for your money.

One of the areas that is seldom thought about is historical data. If something happens, how can you roll back that database, get a copy of that old deleted email, or get a copy of a very important spreadsheet from 6 weeks ago or, more difficult still, 6 months ago?

Some disaster recovery systems are only based on duplicating the data to an off-site location. It is normally a regular process of writing over the old copy, just so that the organisation has an up-to-date copy of the data. Copying data to a USB drive or an external hard drive is great if all you are interested in is the ability to recover if the building burns down.

This fails when someone has been using the test database to input real data, when the financial information has been compromised and you need to go back and dissect the information from old backups, or when you have been infected with a virus and do not know when it started. When that happens, that off-site DR copy is not going to help.

Not every SME is in this position, but a high proportion do not have a way to look at old information or the capability to bring it back into the business. Without this capability your business could suffer substantially. For a busy office doing 200 transactions a day, rebuilding the accounting information could take days, which is not the type of problem that a business would like to face.

That is when you need a proper back up system, one that takes regular snap shots of your data and keeps that information in a different back up stream.

There are a number of products on the market that do this, but all of them have a cost. Just get one that suits your business.

Moving to the cloud – a basic checklist

You’re moving to the cloud: you have taken the plunge and you are going to move critical components of your business to the cloud. You have investigated and approved the move and how it will be done. The next step is the actual project of moving your data and infrastructure to the new systems.

Do you have a plan for the move?

Although the cloud and virtualisation are totally different from normal business in infrastructure requirements there are still some similarities that can be used to make the move as smooth as possible.   Here is a five point checklist for the move.

1. Create a new continuity plan
Before you start migrating data to the cloud you need to know that, if something happens, you have a recovery point. Make sure that the migration of data does not compromise the source.
A business continuity plan for the new data location needs to be in place prior to the new system going live.   The moment new data is written to the new location the old data is obsolete.   You need to have a business continuity plan that ensures that the moment new information is written to the new location that you have a way of recovering it.
In most cases the business continuity plan is not in place until well into the testing process. It is something that needs to be in place prior to the migration, not something that is tacked on at the end.

2. System visibility
Visibility  and availability are tied together.   If the system is not visible to the users, management and in some cases the outside world then you will not have the required availability of the cloud based system.   System visibility is a combination of security, access and policy.   Each one of these components needs to be looked at prior to moving to the cloud.

3. Centralised control systems 
In most cases a centralised control system is required to ensure that the cloud based system will be accessed correctly.   A centralised system is required for the addition of and removal of users – new users need to be added in a timely manner, old users need to be removed smartly.   Both addition and subtraction of users should be done through your HR process.   Never leave access to your systems to a user who has left the company to work with someone else.
The centralised control should also have some level of management and reporting at a system level.   In true cloud systems this allows management to add and subtract CPU, RAM and storage space as required.

4. Disaster recovery 
Disaster recovery is a huge requirement for moving to the cloud. Where is the data stored, are there separate geographical locations for the data, and is there a system in place that backs up the data to a separate location? Another important feature of this requirement is keeping track of news and events happening around where your data is located. If there are floods, fires and earthquakes in one location then there had better be a secondary location for your data.

5. Testing
Once the cloud based system has been deployed and before all users have access is the best time to test the business continuity and disaster recovery systems.   If it fails here then it can be fixed, if it fails in production then you could be looking for a new job.

These are five checks to make concerning moving to the cloud. Other checks that are also important: do you have a service level agreement with the vendor? Is there the possibility of data lock out? Does the contract specify whose data it is?

Moving to the cloud is a business decision that needs to be backed by good project management and technical skills. The decision to move is easier than the actual process of moving.
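Checklist item 3 above, and the earlier point about former staff who still hold administrator access, both come down to comparing the HR roster with the accounts that are still enabled. The following is an added example, not part of the original article; the CSV column names, the sample rows and the list of privileged groups are constructed assumptions to be replaced with your own exports.

```python
"""Reconcile an HR roster against an account export to find access that
should have been removed. All data and column names are constructed."""
import csv
import io
from datetime import date

# Constructed HR export: one row per person, end_date set when they leave.
HR_ROSTER_CSV = """employee_id,name,status,end_date
1001,Alice Ng,active,
1002,Bob Hart,terminated,2024-03-15
1003,Carol Diaz,active,
1004,Dan Moss,terminated,2024-06-30
"""

# Constructed account export (for example a directory or cloud console dump).
ACCOUNTS_CSV = """username,employee_id,enabled,groups,last_login
ang,1001,true,Staff,2024-07-01
bhart,1002,true,Staff;Domain Admins,2024-06-20
bhart-adm,1002,true,Domain Admins,2024-03-01
cdiaz,1003,true,Staff;Finance,2024-07-02
dmoss,1004,false,Staff,2024-06-28
svc-backup,,true,Backup Operators,2024-07-02
tmp-intern,,true,Staff,2024-01-10
"""

# Assumption: the groups that grant administrator-level rights in this
# environment. Replace with your own list.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

# Lower rank sorts first: evidence of use after departure is the most urgent.
REASON_RANK = {
    "used after termination": 0,
    "enabled after termination": 1,
    "no owner in HR roster": 2,
}


def parse_csv(text):
    """Return the rows of a CSV string as a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_accounts(roster_csv, accounts_csv, privileged_groups=PRIVILEGED_GROUPS):
    """Return findings for enabled accounts that HR cannot justify."""
    roster = {row["employee_id"]: row for row in parse_csv(roster_csv)}
    findings = []
    for acct in parse_csv(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled, nothing to remove
        groups = {g.strip() for g in acct["groups"].split(";") if g.strip()}
        person = roster.get(acct["employee_id"].strip())
        if person is None:
            # Shared, service or leftover account with no named owner.
            reason = "no owner in HR roster"
        elif person["status"].strip().lower() == "terminated":
            left = person["end_date"].strip()
            last = acct["last_login"].strip()
            used_after = bool(left and last) and (
                date.fromisoformat(last) > date.fromisoformat(left)
            )
            reason = ("used after termination" if used_after
                      else "enabled after termination")
        else:
            continue  # current employee, account is expected
        findings.append({
            "username": acct["username"],
            "reason": reason,
            "privileged": bool(groups & privileged_groups),
        })
    # Privileged accounts first, then by urgency of the reason.
    findings.sort(key=lambda f: (not f["privileged"],
                                 REASON_RANK[f["reason"]],
                                 f["username"]))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV):
        tag = "PRIVILEGED" if f["privileged"] else "standard"
        print(f"{f['username']:<12} {tag:<10} {f['reason']}")
```

Run on a schedule against fresh exports, any line in the output is an account to disable or assign a named owner.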

MANAGED SERVICES – TAKING OWNERSHIP OF YOUR PROBLEMS

In business the greatest threat to the information and data within your business is the speed at which you and your staff have access. Problems like everyone’s email not working are a big decision, but it is easy to delegate the repair to either internal teams or external companies. When things go wrong you want them fixed NOW and fixed FAST.

What about the niggly things?  Your user wants to print to the third tray on the printer and cannot, your receptionist wants to send out a letter but the mail merge database is no longer connected.

As a business owner or management level executive you don’t want to triage the problems.  Most of the time the management or staff does not have the time or the expertise to look at and resolve the problem, and often the person with the problem is told to “get over it”.   This is not a good state of affairs.   The problem then festers and grows till it does have a major impact on the business.

The best solution for these problems is to get them fixed.   How can you do that without additional cost to the business?   What you then have is a catch 22 situation.

Wouldn’t it be better just to contact your support company and know that it is all covered under the managed services agreement?
The business world is full of computer support and managed services companies that want your money. Now don’t get me wrong, we are a managed services company, and a good one at that; just ask our clients. The difference between the other MSPs and us is that we take ownership of any and all of your technical problems.

So what is the benefit of being one of our clients?

If you have signed up for our 5Nines support program, especially the platinum plan – trouble free technology – then all of your problems are our problems. We take ownership of any problems or complaints that are generated by your staff during working hours that are related to computers, printers, internet and email… practically anything.

Unfortunately we have no control over the coffee in the lunch room but for a taste of the problems we will fix:

• My mail is not working = our problem; Solution – remote in or send technician onsite; Cost to you $0 (covered as part of the Service Level Agreement (SLA)).
• How do I create a mail merge document in Word 2003 or 2007 = our problem; Solution – remote in and talk user through problem and show what needs to be done; Cost to you $0 (covered under the SLA)
• Helpdesk has noticed that one of the computers is reacting sluggishly = our problem; Solution – remote in and fix problem and then report to management; Cost to you $0
• System reports problem with a service on the server = our problem; Solution – dispatch technician; Cost to you $0
• My computer is not working = our problem; Solution – dispatch a technician with a “loaner computer” then replace and repair; Cost to you $0

The SLA dictates when problems will be seen and the response times to problems associated with your network. It is an agreement between you and the MSP to ensure that you and your technology are protected 24/7.

Service levels should relate to items like these, but they also depend on a triage process to ensure that a small problem is not related to a bigger unidentified problem.

• Server crash = our problem – Technician onsite within 60 minutes; Cost to you $0
• Workstation crash = our problem – Technician onsite within 60 minutes; Cost to you $0
• Service down = our problem – Technician working on the problem remotely within 30 minutes; Cost to you $0
• Printer problem = our problem – Within 4 hours; Cost to you $0
• User problem = our problem – Next business day; Cost to you $0

Finally, for any business there needs to be metrics that are measured and reported on. This is also true about your managed service provider. Daily, weekly and monthly reports on the condition of your infrastructure are important for decision making. To improve your business and ensure that the technology is correct and directed at your business, a quarterly report and meeting should also be included as a standard for your managed service.

As you can see not all managed service providers are the same and it is a case of choosing the right one for your business. R & I ICT Consulting Services can help manage and solve these important IT decisions and leave you with more time to get on with the day to day running of your business.

Do you budget for a system failure?

System failures can happen anytime. A system failure is something that happens with your technology that reduces your ability to do work. When that happens it can be a costly exercise in both money and time.

The question is how you budget for something that may or may not happen and may or may not have a significant impact on your business.

A small inconvenience like an application hanging on a workstation, the printer not functioning properly or a user receiving that email in one minute instead of 20 seconds is usually seen as an inconvenience. In the modern world that inconvenience can expand into a full blown psychological tantrum. If it happens enough times then your business can suffer. Additionally there is always the hobby technician on staff who knows computers and then everyone stands around and watches while he

How often have you done business with someone who has said to you on the phone “the computers are slow today, this may take a little time” and thought to yourself, typical? There are times when the computers are slow, but it usually comes down to user error – doing too much, too many applications open, clicking on the same icon numerous times – that is the problem.
Then there are the big system failures, hard drive failure, server failure, database failure and they will have a huge detrimental effect on your business both to rectify the problem and in lost productivity.   These problems and issues need to have a systematic approach to be rectified.

So how do you budget for these types of problems? Most of the time, when it happens, a small or medium business has to dig deep to find the financial resources and technological know-how to rectify the problem. This is not budgeting; this is just hoping that it won’t happen to you.

One of the best solutions to how you budget for a system failure is to have a managed services provider manage your business infrastructure.   Why would this help?   Most managed service providers, the good ones at least, have an all you can eat policy on technical support.   This means that anyone in your business during working hours can call, email or fax the help desk and know that they will have the problem resolved.   The resolution may come from talking through the solution, remote management of the PC by a technical expert or having a technical person actually come to your office.

Furthermore, a managed service provider will also monitor and manage your main systems. With a decent monitoring system in place they will know when the system is having problems well before it has a significant impact on your business, allowing your business to replace and upgrade systems when it has the least impact. In addition to the monitoring they would provide you with a monthly report showing what your system is doing.

The budgeting component comes into play because all of this work that a managed service provider is going to do will cost you X amount of dollars per month.

With a managed services provider you are budgeting for a failure by having a static monthly cost and professional services at your call.   This would improve your business bottom line.