Cyber Security

This is a HOT topic! We held a webinar with cyber insurance experts; there were several breakout sessions at the recent CFMA conference; and we presented to four (4) local Chambers during a lunch event focused on cyber.

This is when quite a few business owners tune out! They think they’re too small and this doesn’t apply; that could not be further from the truth! For attackers, this is a numbers game and it’s worth a fortune. The big companies may be a bigger payout, but attacking them takes longer and requires a lot more effort, planning, and resources. Smaller companies are less secure and there are so many of them that the odds of success are quite high. YOU are their EXACT target. MSP Success magazine reports that 43% of cyber attacks in 2021 were against small businesses. Roughly 60% go out of business in six (6) months following a cyber attack, according to the same report. Kind of sobering, so keep reading…

There are some physical and some ‘soft’ components to cyber security. The physical components include the server (on premise and hosted), firewall, wi-fi, routers and switches, laptops/workstations, tablets, and phones. For many of us, backups are also physical (although there should be an off-site component, as well).

‘Soft’ components include logon credentials, email, SaaS (Software as a Service) applications, Contact Relationship Management (CRM) software, remote access solutions, documents and files, financial software, industry-specific software, internet service (ISP), anti-virus and anti-spam. Insurance, domain hosts, and backups can be added to this category as well. Each of these items has its own considerations, and we have stories!

For now, we’ll focus on some questions for you and your team. It’s important to know what you have to protect, what is at the highest risk, and what controls you can confirm or can begin rolling out to move forward. It’s important to know that this is not a ‘one and done’ task. This needs to be a regular topic with a budget and someone who ‘owns’ the project.

So what data is where? Here’s a list to get you started: ACH bank info for clients and vendors; client data including contacts and financial history; client credit card numbers; company credit information; log on credentials for banks, utilities, and critical software; drawings/blueprints of public buildings; employee direct deposit info and other personal info such as Social Security numbers; new hire forms; and so on.

Where is this data? Do you have thumb drives or external hard drives? Where are they? What kind of data is on them? Think about the data list you just made; do any employees have copies on local computers or home computers? Maybe you use Dropbox or SharePoint; do you have security in place, and are these backed up?

Where are your backups? Have they been tested lately? Years ago, testing tape backups was a pain. Current backup solutions are much easier to test. Many in our industry suggest the 3-2-1 rule: 3 copies, 2 off-site, 1 onsite. Image-based backups are the standard and encryption in transit is a must. A true disaster recovery solution allows you to mount a server image locally or in a secure cloud.

Consider the types of risk: Human (#1, BTW), Natural, Technical, and Environmental. Here’s a ‘fun’ game: run through some scenarios. If ‘X’ information was not available, what would be the impact to the company? Say email went down; could you function? What if jobsite documents weren’t available, or the open receivable or payable list was gone? Could you get payroll out? One of our Texas clients was a victim of the odd ice storm in February 2020. The payroll service couldn’t get the checks to their office and didn’t know where they were. What’s your backup plan? (We helped, BTW.)

There’s so much to cover! I’ll leave you with eleven controls to reduce risk as shared at the CFMA conference, a place to start. 1) Patching; 2) Know your data; 3) Stay current with technology; 4) Training; 5) Anti-Virus/EDR; 6) Monitoring; 7) Password & Encryption; 8) Data backups; 9) Control Admins (should be minimal); 10) Manage Vendor Risks; 11) Cyber Insurance. Lots to consider; we’re here to help! – CMW