Why would you listen to me about business security and business protection?
At the moment we all need all the help we can get.
I need help in marketing, sales, management and many more areas, actually too many to mention.
Most people on the other hand are really good in these spaces.
Like you I have expertise and mine is security.
This expertise was born from a love for all things computer and digital more than 35 years ago.
I cut my teeth on mainframes, 10 kg disks and programming in Fortran.
I then transitioned into spaces occupied by Amiga (blast from the past), Windows and Apple.
When I left the navy and in my new civilian learnings I earned a large number of vendor certificates.
That got me jobs in ISPs, networking, managed services and security.
Like everyone else, I thought I knew it all.
In 2008 I was hacked and I discovered that my intimate knowledge of these systems only just saved me from losing a substantial amount of money.
It made me realize that with all of my knowledge when it comes to security and protecting my assets, I was a babe in the woods.
If I was an easy target, then the rest of the cyber and digital users were just plain easy.
So I dived into this space and 4 years later I was quite an accomplished hacker and I wrote the book “Business security basics”.
Working at times for 24 – 48 – 72 hours straight, which drove my wife mad, I learned an intimate knowledge of what they could do, how they could do it and why we need to learn all we can about it.
In 2014 I wrote another book “Cybercrime a clear and present danger”, we developed (and continue to develop) business security systems and requirements that move organisations from easy target (sitting ducks) to a lot better protected (moving targets).
The next book, “From sitting duck to moving target”, should be released next year.
I realized that everyone needs help in this space.
So here is an easy way to learn what you need to do to protect your organisation.
At no cost, except for an hour of your time, let me show you what you need to do for your business to protect it from today’s cybercriminals.
Sign up for the FREE 60 minute Friday webinar happening tomorrow at 1030.
Building a secure framework around your business using available technology
[Start of transcript]
—anti-virus on any system that is connecting to the internet.
Why we still need it
And this is why we need it, because the viruses that are out there, and they are out there, there’s a lot of them, they need to find homes for themselves, and the only way they can do that is through the technology that we’re utilizing. And that anti-virus means that you’ve got a 99.9% chance of stopping that virus coming into you.
End point protection – AV, malware, spyware
Anti-virus goes to the next level as well, because anti-virus also needs things like endpoint protection. Anti-virus, malware, spyware. And that endpoint protection has two components. It’s actually on the system itself, whether that’s your tablet, your phone, your laptop, your computer, or your server, and it’s managed from somewhere, managed from a central location so that anytime anti-virus attaches to your network it gets pushed out, the newest versions to your system, the newest updates that are required.
But we also need to authenticate. We also need to, all of that technology and software that’s coming into our networks, we need to have some way of finding out who’s accessing it and how they’re accessing it. And that who’s accessing it and why it’s being accessed is part of the authentication protocols for your system.
Username and passwords
The most important part of authentication is your username and passwords, and we all know how complicated usernames and passwords are. I’ve just read an article recently about the difference between a professional person and a non-professional IT person on how they manage usernames and passwords.
So a professional, I have a complicated password. I use a password manager, mainly because I have access to 200-300 sites or reasons to have access to 200-300 sites, and I’m never going to be able to remember.
But there’s also other things you can use. You can use a password. You can actually create a base password that you add on different components of. The security, we’ll talk about cloud later on, is cloud is only secure as your usernames and passwords on your terrestrial systems. Because if you don’t have—if you use password and password, then the hackers are going to be able to hack that without a problem in the world.
The other thing about passwords, and especially when it comes to hardware and software installation, is some things come with a default password. They actually come with admin and password, or admin and admin. And this is what default passwords are known by. You can do a quick search on the internet. You can go default password for this model.
And then it will tell you admin/admin or admin/password, admin/blank. But that also then goes on. So you need to change those passwords, those default passwords, before you put something into production.
It’s probably better, as you’re setting it up, the first thing you do, it’s forced on you by some of the high-end security systems, things like Cisco and Fortinet, they require you to change your password the first time you log onto the system, and that’s really important.
The next part of a technology is encryption. And we’re seeing encryption from a number of places that require information that needs to be encrypted for some reason. Now, we all use encryption when we go to buy something from EBay, or now everything on Facebook is encrypted.
And that’s because that information is there not only because nobody can intercept the communication between the device and the back end, and that back end is also encrypted to make sure that data is secure.
But why do we need encryption? Well, one of the main reasons we need encryption is so that people are no longer able to eavesdrop on the communication between device and back end. But on top of that, if someone actually does get into the back end, or gets into the front end, and steals the database, it’s all encrypted, then they’ve got another problem for themselves.
Normally it would be just in plain text, you know, Joe Bob has got this email address and this credit card number. All that sort of information is in the database. But if it’s all encrypted, then all they get is gobbledy-gook. And that gobbledy-gook is really good because you no longer have a problem with it.
Why we need to employ it in transit
So we need to have some level of encryption, and that level of encryption comes about because we’ve got information being transmitted between your device and the back end and that’s what’s called in transit. And that transmission that comes between you and back again, if it’s encrypted then people can’t read it. If people can’t read it, there’s no problems with it.
Why we need to employ it at rest
But we also need to encrypt our “at rest.” It needs to be encrypted so that when it is located on a hard drive, and even though you employ cloud computing, it’s still residential on some piece of hardware somewhere. It doesn’t matter where it is. It would be nice to know if you know where it is. But it doesn’t matter where it is, as long as it is at rest it is encrypted.
VPN – Virtual Private Network
We have a system called virtual private network, which is really a tunnel between a device and your system over the internet. So it’s literally a system where you can protect all of that information that you put past as intellectual property by making sure that the information is always unreadable. And that’s why we need virtual private networks. We used to have systems dial in, but now virtual private networks are so much easier to use and so much easier to set up.
And then we’ve got Wi-Fi. Who here has logged onto a Wi-Fi connection that didn’t require a username or a password? Do you know why it’s not a good idea? Because going back to the encryption component, that username and password, or just the password, the WPA passphrase, actually encrypts the information that you’re putting into the system.
And that passphrase, along with a few other components of your computer, gives you a unique encryption component that then can be used by them to make sure it’s more secure. And again, once again with Wi-Fi, if it’s got default usernames and passwords, change them, because you don’t want other people getting onto your Wi-Fi and using your system to attack other people.
Principles – Dos and don’ts
So we’ve now got some principles around what we’re doing as a business and an organization. Because we know that we need to have newer technology. It doesn’t have to be super new, but it needs to be newer technology. And as I said, with things like Wi-Fi, there are definitely dos and don’ts.
Use complicated passwords and passphrases. Use complicated usernames and passwords for VPNs. Make sure that your technology is doing exactly what you want it to do. And you want to make sure that along the lines of how you protect your business, these are things that you really need to do.
Now later on, we talk about management in our framework. But management of the technology actually has its own systems in place. Normally we have policies and procedures and processes that are managing the people who use the technology, but you need to have some level of system management to make sure that the systems are set up properly.
Setting up those systems, because it is very important about how you do it, you need to have a level of visibility. You need to be able to say, “If I set up a firewall, how do I go about doing it?” for instance. “If I’m installing anti-virus, where does it get installed? What does it get done by?” These are the systems that make your system, your organization, more secure.
But along with visibility, we also have accountability. We have an accountability component because we need to know who set that firewall up, who changed the rules of that firewall. Did they change the rules, or did they just make a rule up that they didn’t know was going to work and then didn’t worry about it? Who did that? Why did they need to do it?
And then we need to have some component of manageability. It’s no use having systems in place that nobody knows how to manage. And for small or medium businesses, understanding technology can be a huge burden because it means you are either not focusing on your core business, or you have someone else who’s not focusing on their core business.
Technology, I know everybody wants convenience and low cost and everything else, it doesn’t matter how convenient the system is, what you are seeing is 10% of what the system can do. Because that 10% is what makes our business work. That other 90%, we don’t even know about. And that’s what the bad guys really want you to do, is they want you to be unaware of where to go.
One of the things we come about with small or medium businesses is everything is in one place. Your database is on a server. Your exchange is on a server, and there’s no segregation or separation of that information. That separation of that information is really important. Small businesses usually, staff, with the account system, everybody has access to the account system.
But as you get bigger, you don’t want that so you need to start separating your data. The other thing about data separation is if you’ve got a Wi-Fi system that has a guest component, or someone has even a Wi-Fi system that doesn’t have a guest component, the best thing you can do is—
Yes, they can log onto your Wi-Fi and use your Wi-Fi as long as they’ve got the proper passphrase, but you don’t want them inside your network. Because if they’re inside your network, they can do so much damage without even knowing what they’re doing. So data separation means that you make sure that if someone on the Wi-Fi needs to access your network, then they can VPN in, and that separation is critical to protecting your organization.
And because we don’t want a flat network, if you’ve got people who want and need access to specific IP or patents, for instance, then you don’t want everybody having access to it because you’ll lose that intellectual property and trade secrets. And if you’ve got information about how you tender, or how you bill on a tender, or what your cost is for a tender, then you don’t want someone else, your competition for instance, knowing that’s how you work. This is why you don’t want a flat network. You want to make sure that flat network is a tiered access so that people, only specific people, can get to specific information.
Another thing about technology is we worry about how we manage patches. Patch management is really important across the board. Because patch management literally tells you which component you’re patching and which component you’re not patching. Patch management is again, going back to the difference between a professional and an everyday user, a professional would sit down and go, “It doesn’t matter what those patches are, I’m going to apply them all.” Most people just get selected by, “I’ll just click the button and go here and score the lot.” That’s what you need to do to make sure. Because you never know when that compromised system, or that system that can be compromised, even though it was a benign compromise, couldn’t do anything you couldn’t get out of, might turn into a cancerous attack. And you need to be able to manage those updates as well.
Finally, we’re looking at best practice. All hardware and software comes with “This is how you should install it. This is the best place to put it. This is how you should set up your firewall. This is how you should then take the next step to go to the next level.”
That best practice is designed by the people who made this hardware and software, so the best practice is coming from literally the horse’s mouth. They are telling you to set up x machine, you need to do x, and if you don’t do x, it’s not going to work to the best capacity that it can.
Why we need them
But also, when it comes to that level of expertise, you need to have the expert advice, because they have created a machine, for instance, that connects your Wi-Fi to the rest of the network. So you need to know what is the best way of doing it, and how you are going to do it, and why you need that device in the first place because it does a specific role and protects your business from a specific thing that makes it harder.
So, in conclusion, we’ve looked at the technology. And the technology component of my framework has a number of systems.
Hardware – So we have hardware, which is literally the hardware components of what we use to do our business.
Software – On top of the hardware, then we have software.
Anti-virus – And protecting that software is anti-virus. That’s only a first-level defense, because all of the other things that we’re doing should be making that defense around your organization a lot more secure.
Authentication – We need to make sure that the right people are getting at the right information in the right way, and they cannot run away with that information or make it very hard for us to make sure that information is secure. This is where authentication comes in, so the right usernames and passwords have access to the right information.
Encryption – And all of that information that we’re downloading or moving around our network is all encrypted, so nobody can pick it up and store it somewhere else unencrypted so they can steal that information.
System Management – We need to manage the systems that we put in place. We need to incorporate management policies and procedures so that when the systems are installed, this is how you do it. We do a lot of installation of things like servers, for instance. We have a checklist. That checklist includes what is installed, how it’s installed, where it’s installed, and how the system is set up.
We know that there’s not going to be an administrator, an account called administrator because that is part of our system management. We know that the passwords are going to be more than eight characters long. They’re going to adhere to a specific setting that we’ve got in our system. That is why we need to manage the systems properly.
Data Separation – We need to separate our data from public to private to super private to secret. And that data separation is really important for that business. It might mean that you only keep your really important information on a USB stick that you keep in your pocket, hopefully with a backup.
But you know that the only person who has access to that information is you, unless of course you lose it, and then you’d better hope that it’s encrypted. Because if it’s unencrypted, then you have a problem.
But going back to USB sticks for instance, alright? USB sticks are like a ubiquitous part of our business at the moment. Everybody has USB sticks. Everybody has USB hard drives. And there’s two problems. One is how do you make sure that information on that system, if I plug it into my computer I can read it?
You don’t want that to happen. You want to be able to go plug it in, yes, there’s data there but it needs to be unencrypted to be able to access it. Because it’s your data, you usually have the key for that problem. But if you lose that hardware, you lose that USB stick, then you have got a level of protection that is there just in case you lose it.
But the other one about USB sticks is the bad guys have found a way of using them to their systems. What they’ll do is they’ll actually seek car parks with old USB sticks. A friend of mine got caught in Las Vegas with this. Crossing the car park, she picked up a USB stick, looked at it. It has Boeing on it. Boeing Airlines. A legitimate company, rather large.
Obviously someone from Boeing had dropped it, so she took it home. Took it into her hotel room. Instead of handing it into the reception area, she just took it upstairs and plugged it into her laptop, and she was quite happily looking at all the information on it. What it was, was a slideshow.
To make the slideshow work, you could just click on a slide element and it would come up as a product. But if you wanted the slideshow to work, there was a little thing that said slideshow.exe, and she clicked on that. She wasn’t able to use her laptop until she got home because nothing worked after this. That’s one of the reasons why you’ve got to be very careful with what’s happening.
Best Practice – In addition, we have the last thing, which is best practice. Best practices are the way—is professional advice on how you do things. Installing a firewall from Cisco? Then you use the best practices from Cisco. Installing a Wi-Fi system from Linksys? How do they recommend you set it up? That is best practice.
Where does this all fit into the framework?
As I said, we’re looking at the framework which is technology, management, adaptability and compliance.
How do you know if it is all in the right place?
We need to know that all of this information is in the right place and all of that technology is working to our benefit in making our business so much more secure. So we don’t need those legacy systems, and if we do need the legacy systems, let’s go and find another system that works the same way to a level we can then utilize for our business.
Where to from here?
So, where to from here? As the little man in the maze said, “What now?” What you need to do is upgrade your systems. You need to make sure you are using the best systems that are available, the newest systems available. That includes, and I’m not really delighting in Windows 10 at the moment, but it is important that you use that type of system.
If you’re using Windows 8.1, great. But if you’re using XP, get rid of it, because it is a huge problem. If you’re using an old iPhone 5 for instance, or an iPhone 4, I use an iPhone 4 for recording, but that’s the only thing I use it for. It hasn’t got anything else on it apart from it plugs into my computer and I can download the movies onto it. That’s really important going forward on how we do it.
So, if you want more information, I have two books out. One you have to buy, the other one is free. If you want to get in contact with me, then I am on Twitter. I’m on Facebook. I’m on LinkedIn. Just drop us a line.
Seminar and Webinars
We do run these webinars and seminars regularly. We’ve got another webinar tomorrow at 12:00, on a Lunch and Learn series. But we run seminars as well, and we do Google Hangouts just to make sure that we are getting in contact with as many people as we can.
So thank you very much. Are there any questions? If there’s no questions, thank you very much for your time. It has been very nice talking to you.
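Added example (not part of the webinar or the speaker's material): the Wi-Fi section above says the WPA passphrase, along with a few other components, produces a unique encryption key. This Python sketch shows how WPA2-Personal does that with the standard PBKDF2 and PRF derivations; the SSIDs, passphrases, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    secret = passphrase.encode("utf-8")
    if not 8 <= len(secret) <= 63:
        raise ValueError("a WPA2 passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", secret, ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 pseudo-random function built on HMAC-SHA1."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def wpa2_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
             anonce: bytes, snonce: bytes) -> bytes:
    """Per-session Pairwise Transient Key (48 bytes for CCMP: KCK, KEK, TK).

    Mixes the PMK with both MAC addresses and both handshake nonces, so every
    client and every connection ends up with its own traffic key.
    """
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def constructed_nonce(tag: str) -> bytes:
    """Deterministic 32-byte stand-in for a random handshake nonce (sample data only)."""
    return hashlib.sha256(tag.encode()).digest()


def demo() -> dict:
    # Constructed sample values, not taken from any real network.
    ap = bytes.fromhex("020000000001")
    laptop = bytes.fromhex("020000000010")
    tablet = bytes.fromhex("020000000011")

    office = wpa2_pmk("long unusual office phrase 42", "AcmeOffice")
    # Same passphrase on a different SSID: the SSID is the salt, so the key changes.
    other_ssid = wpa2_pmk("long unusual office phrase 42", "AcmeGuest")
    # Two routers left on the same default SSID and passphrase share one master key.
    default_a = wpa2_pmk("password", "linksys")
    default_b = wpa2_pmk("password", "linksys")

    an, sn1, sn2 = (constructed_nonce(t) for t in ("ap", "session-1", "session-2"))
    return {
        "ssid_changes_key": office != other_ssid,
        "defaults_share_key": default_a == default_b,
        "per_client_keys_differ": wpa2_ptk(office, ap, laptop, an, sn1)
                                  != wpa2_ptk(office, ap, tablet, an, sn1),
        "per_session_keys_differ": wpa2_ptk(office, ap, laptop, an, sn1)
                                   != wpa2_ptk(office, ap, laptop, an, sn2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

An open network has no passphrase, so there is no master key and nothing to derive session keys from, which is why traffic on it is unencrypted at the Wi-Fi layer.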
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – Business Continuity
[Beginning of transcript]
Hello! My name is Roger and I’d like to talk to you about what is Business Continuity.
Business Continuity, along with disaster recovery, are looking at critical compartments and functions of the organization and make sure that they will continue to run if there’s an interruption to your business.
So, it counteracts business interruptions to a level where you know that if something is going to happen or something has happened, you will be in a situation where it will be a better problem day forward.
So, with the business continuity plan, you have to have solutions to problems and business continuity does solutions have to have an understanding of how they are going to impact the business of the organizations.
There are two main components of Business Continuity:
Your Recovery Point Objectives –which ones do you want to get up and running again and how fast you need to do that is called a Recovery Time Objective.
And those two components are what you should be looking at in the business to find out what is going to be good for your business and how fast you need things up and running.
But with that Business Continuity, there’s a lot of things. You have to understand that if you have a disaster and you need the business continuity plan or the business continuity has to come in to it, you need to know that you have to spend money to get back to where you were and who has the purse strings and how people access that money is part of business continuity.
Also, you need to have a compliance component. The compliance component makes sure that your business is up and running and protecting everything that it needs to protect your tasks.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – Cloud, mobility and IOT
[Beginning of transcript]
Hello. My name is Roger. Today, I’d like to discuss the Cloud, Internet of Things and mobility for small and medium businesses. And it’s now the catch-phrase and soon to be followed by things like 3-D printing, because Cloud, IOT, mobility, BYOD (bring your own device) helped change the face of business in the last five years.
They changed business in two ways: they made it cost efficient to use in some of the systems because you’re negating from operational expenses of viable hardware and software to a capital . . . try again, you go to a capital expense viable hardware and software and making it all work to an operational requirement. So, you’re paying as a monthly fee, just like you’re paying your telephone bill and your electricity.
And the cloud is made to happen and the cloud is making it happen across the board, worldwide now. Someone in Somalia can run a multinational business just as long as they have an internet connection. But the internet affairs is a lot of things that we really factor in. The air-conditioner over there, depending on how complex it is, will have some component of internet things.
You see, the internet things will compromise to a level where the refrigerator will send out 10,000 spam emails or a television has been taking photos of what is happening in the world. And then, there is of course the utilization of both of these components that makes the mobility of your workforce a really important factor in having your business because you are now in that level where he can say to a person, “Here’s your tablet and everything you need on it is now ready to go”.
But as I said, 3-D printing is going to be something that is going to be revolutionized in the manufacturing business because they are going to be able to take a design, get printed and get delivered to you in a matter of days, something that we haven’t been able to do for a long, long, time.
So, what we’re looking at with cloud IOT mobility is the industrial revolution part-2, that we haven’t quite come up in another year on what we are going to call it again because we are still in the middle of it.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd, Amazon #1 author on Cybercrime and founder of the SME Security Framework | Speaker | Consultant | Trainer discusses – How the cloud can be a better way of doing business.
[Beginning of transcript]
Hello. My name is Roger and today I’d like to talk to you about How the cloud can be a better way of doing business.
We all heard about the cloud. It’s a case of we demand move a capital expense on hardware and software to an operation expense where we are only paying for the use of systems. And because we’re doing that, it’s now a lot more cost-effective to use the cloud to do what we need to do.
It’s not going to cost me $25,000 to set up a server, it’s going to cost me $500 a month. And if you think about $500 a month could be expensive, so you look around for cheaper ways of doing things. But also, the cloud makes it convenient.
I consider the café down the road and I can pay my bills or I can transfer money to my employees or I can buy stuff. And that makes it really convenient for me as a business owner to be able to do anything I want.
And that is one of the reasons why the cloud is becoming a better way in doing business because it is cost effective and it is convenient. And those two things are really important to any small business.
Roger Smith, CEO at R & I ICT Consulting Services Pty Ltd and Amazon #1 author on Cybercrime discusses system monitoring and why an SME needs it.
[Start of transcript]
Hi. My name is Roger. I’d like to talk to you today about what sort of monitoring is needed by a small and medium enterprise or a non-profit organization.
In today’s world, if something breaks it usually stops what you are doing pretty drastically. If your hard drive fails in your laptop or in your PC then naturally that becomes just a paper weight on your table, and you don’t want that to happen. You don’t want to be in a situation where when it fails is the first time you realize you had a problem and this is where my team monitoring comes into it.
Most managed services providers will have a managed component that is probably free or very inexpensive as part of their package. Because it’s really important to them to understand (a) that you’ve got a problem and (b) to fix the problem before you realize you have a problem, which makes them look really good. And that’s what it’s all about, making them look really good in your eyes.
So, instead of having the hard drive failure or having had the PC running for a long time and then come up and say, ‘well it’s running out of space’. You need to know that sort of thing. And this is where that sort of monitoring comes in.
When they install the monitoring system, they actually do it on all of the PCs, all of the laptops, all of the tablets and phones, and they create a baseline. That baseline is how it works now. So they can see what happens over the course of a couple of months and a couple years. And when you need to replace it, or when you need to upgrade it, if your processor is working overtime just because you’re doing graphic design then you need a better computer to do the job.
And as I said, the good thing about a managed service provider provides if they got a monitoring component is that they will look at the system and go, ‘that’s going to break, we better do something, here’s our hard drive, go and put it in and swap all the data out’. And that is why you need to have it.
Hi. My name is Roger and today I’d like to talk about how mobile is your business technology. And why does your business need to be mobile. Business world has changed rather drastically in the last couple of years but more and more people are doing business on mobile phones, tablets, laptops.
Because they can. Because all the associated systems utilize the cloud technology component of any business. So if you want to be able to collaborate and you don’t know quite how to do, but you have an application that does that.
Then the application needs to be able to be used in a coffee shop. And you need to be able to get into that application at home. And if you’re [Indiscernible 00:00:52] where you’re doing project management, all of those emails that then come through the system saying you need access to the system at all times.
But the mobility is really critical about one other thing and that’s the connection to the digital world that device has. This 3G or 4G is irrelevant. As long as there is a component that connects you to the rest of the digital world then you can utilize and make your business mobile. But mobility doesn’t mean everything has to go into the cloud.
By having components like info soft for instance which is a sales component you can utilize, you don’t really need it on phones. You may need it on tablets because you can then go and have a meeting with someone and take notes directly into the system.
Very hard to do it as a phone device. But it can tell you when you have an appointment, and where you have to be, and why you have to be there and what you are talking about. So mobility today in business is really, really important because that’s the way we are going.
In the next five years we may not need offices because everything will be in the cloud. You will be working from home, everybody will be able to work in coffee shops. A great idea have a business where everybody can come to you and between everything else and all you can serve coffee. So how mobile is your business technology? It depends on your requirement.
With all of the hype that is flowing around this cloud computing stuff it is about time we started to point out that there is a problem, you know the elephant in the room type problem. Cloud technologies as a definition is going to save you a bucket full of money type problem.
It seems that CIOs, IT departments and vendors (VMware, Cisco, HP, DELL, Microsoft) have come to a conclusion that if they do not embrace a cloud solution then the business will fail. On top of that, the driving force behind the hype seems to have no cohesion in the actual definition.
The number of products that are being sold with a cloud attachment, cloud in their name or supposedly a cloud solution are nothing short of marketing hype. This hype, according to Gartner, is going to start damaging business decisions based on the cloud phenomena.
Cloud is not a physical purchase – it is not a capital expense. It is about access. If there is any component that is hidden in a cupboard, under the stairs or in a rack, then the solution is not a cloud. All of the vendors have a solution that they sell to you that has a physical component but again if it is a physical component then it is NOT a true cloud solution.
Cloud solutions are dynamic, they grow and shrink with your use and allow for business to have a front facing system that allows for those changes. If you are adding CPU cycles, additional hard drives or space then the product you are using is not a cloud.
If I have to make a call to the helpdesk to add, remove, provision or change any component of my cloud then the solution is not a cloud. The simple act of having to make a physical change to the cloud environment means that your solution is not a cloud.
Cloud is pay as you go. If I have to sign a 3 year or 12 month contract then the product is not a cloud product. Software as a service literally means pay as you go: if I stop paying, then the cloud stops delivering. There are no contractual obligations involved.
If a supplier has added “cloud” to their normal offering then it is not a cloud product. If it is the same as what it was 5 years ago then it is not a cloud.
I was watching the Technology in Business program on SKY recently and they had a number of CIOs from some of the big players in the ICT arena, and I found that when it comes to small and medium business and not-for-profit organisations they really have no understanding of the requirements. They are still peddling their products and generating the “cloud hype” but they are not putting forward the true solution that businesses are looking for.
I can remember when clustering was a business changer. The process of clustering allowed a number of servers to present to a business as a single piece of equipment. Any one server can be restarted or changed without the business noticing. The cloud is supposed to be able to do that.
The cloud presents a business to its users and customers as a single piece of equipment. It is supposed to be disaster resistant and add to a business’s resilience. It adds to the business’s continuity. Yes, cloud computing is the next evolution of ICT, but the way that it is being sold at the moment makes a mockery of the term.
In Australia, at the moment, there is no true cloud offering. The solutions that are based on virtual servers, connecting them together and keeping them together in a physical location, will keep IT vendors busy and their customers locked into a solution for many years to come. Will they grow with their requirements? Probably not. These solutions are available in Australia but they are NOT cloud solutions.
I am afraid that the elephant needs to be let out. The vendors and suppliers should start to look at delivering a true cloud offering before the term cloud becomes obsolete and no longer applicable to business.
In all SMEs there is always the fight over business continuity, disaster recovery and business resilience. The usual arguments are based around cost and what you actually get for your money.
One of the areas that is seldom thought about is historical data. If something happens, how can you roll back that database, get a copy of that old deleted email, or get a copy of a very important spreadsheet from 6 weeks ago or, more difficult still, 6 months ago?
Some disaster recovery systems are based only on duplicating the data to an off-site location. It is normally a regular process of writing over the old copy, just so that the organisation has an up-to-date copy of the data. Copying data to a USB drive or an external hard drive is great if all you are interested in is the ability to recover if the building burns down.
This fails when someone has been using the test database to input real data, when the financial information has been compromised and you need to go back and dissect the information from old backups, or when you have been infected with a virus and do not know when it started. When that happens, that off-site DR copy is not going to help.
Not every SME does this, but there is a high proportion that do not have a way to look at old information or have the capability to bring it back into the business. Without this capability your business could suffer substantially. For a busy office doing 200 transactions a day, rebuilding the accounting information could take days to resolve, not the type of problem that a business would like to face.
That is when you need a proper backup system, one that takes regular snapshots of your data and keeps that information in a different backup stream.
There are a number of products in the market that do this, but all of them have a cost. Just get one that suits your business.
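To make the difference between an overwriting off-site copy and a snapshot history concrete, here is an added example (not part of the original article). It assumes a grandfather-father-son retention scheme with 14 daily, 8 weekly and 12 monthly snapshots, which the article does not specify, and uses a constructed year of daily snapshot dates.

```python
from datetime import date, timedelta

# Assumed retention policy (illustrative, not from the article).
KEEP_DAILY, KEEP_WEEKLY, KEEP_MONTHLY = 14, 8, 12

# Constructed sample: one snapshot per day for the past year.
TODAY = date(2024, 6, 30)
SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(365)]


def select_retained(snapshots, today):
    """Return the snapshot dates a daily/weekly/monthly policy keeps."""
    snaps = sorted((d for d in snapshots if d <= today), reverse=True)
    keep = set(snaps[:KEEP_DAILY])                 # most recent dailies
    weekly, monthly = {}, {}
    for d in snaps:                                # newest first
        weekly.setdefault(tuple(d.isocalendar())[:2], d)  # newest per ISO week
        monthly.setdefault((d.year, d.month), d)          # newest per month
    keep.update(list(weekly.values())[:KEEP_WEEKLY])
    keep.update(list(monthly.values())[:KEEP_MONTHLY])
    return keep


def overwrite_only(snapshots, today):
    """The 'write over the old copy' approach: only the latest copy survives."""
    return {max(d for d in snapshots if d <= today)}


def restore_point(retained, wanted):
    """Newest retained snapshot taken on or before `wanted`, or None."""
    older = [d for d in retained if d <= wanted]
    return max(older) if older else None


if __name__ == "__main__":
    gfs = select_retained(SNAPSHOTS, TODAY)
    mirror = overwrite_only(SNAPSHOTS, TODAY)
    for label, wanted in [("6 weeks ago", date(2024, 5, 22)),
                          ("6 months ago", date(2024, 1, 10))]:
        print(label, "| snapshots:", restore_point(gfs, wanted),
              "| overwrite-only:", restore_point(mirror, wanted))
    print("snapshots stored:", len(gfs), "of", len(SNAPSHOTS))
```

The overwrite-only copy has no restore point for either date, while the snapshot history answers both requests from a small fraction of the daily copies.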
You’re moving to the cloud. You have taken the plunge and you are going to move critical components of your business to the cloud. You have investigated and approved the move and how it will be done. The next step is the actual project of moving your data and infrastructure to the new systems.
Do you have a plan for the move?
Although the cloud and virtualisation are totally different from normal business in infrastructure requirements there are still some similarities that can be used to make the move as smooth as possible. Here is a five point checklist for the move.
1. Create a new continuity plan
Before you start migrating data to the cloud you need to know that, if something happens, you have a recovery point. Make sure that the migration of data does not compromise the source.
A business continuity plan for the new data location needs to be in place prior to the new system going live. The moment new data is written to the new location the old data is obsolete. You need to have a business continuity plan that ensures that, the moment new information is written to the new location, you have a way of recovering it.
In most cases the business continuity plan is not in place until well into the testing process. It is something that needs to be in place prior to the migration, not something that is tacked on at the end.
2. System visibility
Visibility and availability are tied together. If the system is not visible to the users, management and in some cases the outside world then you will not have the required availability of the cloud based system. System visibility is a combination of security, access and policy. Each one of these components needs to be looked at prior to moving to the cloud.
3. Centralised control systems
In most cases a centralised control system is required to ensure that the cloud based system will be accessed correctly. A centralised system is required for the addition of and removal of users – new users need to be added in a timely manner, old users need to be removed smartly. Both addition and subtraction of users should be done through your HR process. Never leave access to your systems to a user who has left the company to work with someone else.
The centralised control should also have some level of management and reporting at a system level. In true cloud systems this allows management to add and subtract CPU, RAM and storage space as required.
4. Disaster recovery
Disaster recovery is a huge requirement for moving to the cloud. Where is the data stored, are there separate geographical locations for the data, and is there a system in place that backs up the data to a separate location? Another important feature of this requirement is keeping track of news and events happening around where your data is located. If there are floods, fires and earthquakes in one location then there had better be a secondary location for your data.
Once the cloud based system has been deployed and before all users have access is the best time to test the business continuity and disaster recovery systems. If it fails here then it can be fixed; if it fails in production then you could be looking for a new job.
These are five checks to make concerning moving to the cloud. Other checks that are also important: do you have a service level agreement with the vendor? Is there the possibility of data lock out? Does the contract specify whose data it is?
Moving to the cloud is a business decision that needs to be backed by good project management and technical skills. The decision to move is easier than the actual process of moving.
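Checklist item 3 says users should be added and removed through the HR process. The following added example (not from the original article) reconciles an HR export against a cloud account export to find leavers who still have access; the CSV column names, addresses and dates are constructed assumptions, not any real product's format.

```python
import csv
import io
from datetime import date

# Constructed sample exports (hypothetical column names and values).
HR_CSV = """email,status,last_day
alice@example.com,active,
bob@example.com,terminated,2024-05-31
carol@example.com,active,
dave@example.com,terminated,2024-07-15
"""
ACCOUNTS_CSV = """login,enabled,type
Alice@Example.com,true,user
bob@example.com,true,user
dave@example.com,true,user
erin@example.com,true,user
backup-svc@example.com,true,service
"""


def load(text, key):
    """Index CSV rows by a case-insensitive, whitespace-trimmed key column."""
    reader = csv.DictReader(io.StringIO(text))
    return {row[key].strip().lower(): row for row in reader}


def reconcile(hr_csv, accounts_csv, today):
    """Compare enabled user accounts against the HR record of who works here."""
    hr = load(hr_csv, "email")
    accounts = load(accounts_csv, "login")
    findings = {"disable": [], "unknown": [], "missing": []}
    for login, acct in accounts.items():
        if acct["enabled"] != "true" or acct["type"] == "service":
            continue  # service accounts need a separate owner review
        person = hr.get(login)
        if person is None:
            findings["unknown"].append(login)      # no HR record at all
        elif (person["status"] == "terminated"
              and date.fromisoformat(person["last_day"]) < today):
            findings["disable"].append(login)      # left, but still has access
    for email, person in hr.items():
        if person["status"] == "active" and email not in accounts:
            findings["missing"].append(email)      # staff member without account
    return findings


if __name__ == "__main__":
    for kind, logins in reconcile(HR_CSV, ACCOUNTS_CSV, date(2024, 6, 30)).items():
        print(f"{kind}: {logins}")
```

An account whose owner has a last day in the future (dave in the sample) is not flagged until that date has passed, so the check can run on a schedule without disabling people early.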