Listen to this ComSpark Podcast interview to learn more about the potential impact of cyber attacks on your business and why you should care.

Visit itallyllc.com/blog to read more from our blog. If you’d like to learn more about working with IT Ally™, schedule a 30-minute consultation with one of our key advisors.

[This article was originally published on itallyllc.com.]

SMBs need to use IT as a competitive advantage

When SMB chief executives ask themselves about the modern trends they need to be paying the most attention to, the first item that pops into my mind is how today’s lightning-fast technology changes are affecting every aspect of a business. Clearly, we have seen a number of innovative and emerging technologies surface recently—machine learning, artificial intelligence, robotics, big data, cloud computing, etc. It is difficult to choose just one!

However, I believe that the biggest trend is one regarding leadership and culture—specifically, how we think about technology management versus the technology itself. One sure thing about technology is that it will continue to evolve and outstrip the pace of technology management.

Technology Management is as important as the technology itself

Compared to other disciplines such as finance and accounting, technology management is in its infancy. As we have seen in the industry, there are new roles evolving that were not even in existence three or five years ago; roles such as data scientist, cloud architect, agile developer, and chief digital officer to name a few.

As IT leaders, we should never fall in love with the hottest current trend or technology; rather, we should be thinking about how it will be used to solve a real business challenge. Technology for technology’s sake is never a good thing. This mindset and style of leadership is crucial, as the business/technology convergence becomes the norm regardless of the size of company, industry or geography.


Technology will always continue to evolve, disrupt and invent new ways of conducting business. Because of this, I believe that a business such as IT Ally™ will become even more important in advising SMBs on how to leverage technology to grow, secure, and ultimately differentiate their businesses. In my opinion, technology has leveled the playing field for SMBs such that size no longer dictates the survival of the fittest.

Numerous examples have played out over the past decade, whereby well-established, resourced and funded technology companies became extinct. This can be due to the availability of the technology and the uniqueness of the business model to which it is attached. Consider Netflix, Uber, Airbnb, Amazon, eBay, FB, Google and I am sure many more to come.

Business model innovation and disruption will continue everywhere, and companies (large and small) will need to determine how to leverage technology as a strategic weapon in order to survive. Organizations that can master the customer experience will be the ones who dominate their markets. Technology will be a key enabler to achieve this dominance and longevity.

Enterprise Perspective for the everyday business

In my prior roles as a CIO in large global businesses, I was often responsible for technology transformations which included the creation of a multi-year, business-led IT strategy. In most instances, this also included large-scale modernization of legacy systems to improve both the customer and end-user experience, as well as adding new or enhancing existing digital capabilities to the IT infrastructure.

Although the strategies and the technologies were unique for each company, the playbook was the same in that I brought together a number of key business and IT stakeholders across multiple lines of business to create a roadmap for change.

Fundamentally this was about leadership, not technology. The result of this carefully planned transformational change ultimately served to differentiate us positively from our competition.

Technology trends that are leveling the playing field for SMBs

Regarding the latest technology trends for SMBs, the list looks similar to those I have seen in my past role as a CIO. For example, we see SMBs beginning to leverage artificial intelligence, data analytics, machine learning and robotics as key strategies to drive efficiency, scale and differentiation. Cloud adoption has become the platform for digital transformation. Cybersecurity risk is being proactively addressed and significant investment is being poured into improving the customer experience. Access to this technology is becoming more available, but it is a double-edged sword: SMBs still have to figure out how to leverage it properly.

Assessing IT Management Maturity

For most large enterprises, IT Management is an evolving and ongoing challenge given the pace of technology change, the inherent complexity of business processes, entrenched legacy systems, data quality and ugh, I am exhausted just writing about it. When it comes to SMBs, IT Management is in its infancy, often relegated to a few individuals that are essentially building it on the fly.

This scenario creates an even bigger challenge given the outpacing of technology versus technology management. So what is an SMB owner to do about this? Our suggestion is to first take stock of your management maturity by conducting a formal assessment. This doesn’t have to be a science project but should have the breadth and depth of focus that is enterprise-grade, yet relevant for the SMB. 

I decided to start IT Ally with the simple mission of helping SMBs leverage technology to achieve their business objectives. This is not only a passion of mine but something that I believe is essential in the modern business landscape. I see this mission as of even greater importance to SMBs than their large corporate counterparts in terms of survival, growth and differentiation. My goal is to help fill this need.

If you’re interested in connecting with us, schedule a 30-minute consultation with one of our key advisors.


If you’re like most small business owners, cybersecurity is probably a big question mark. The digital world is constantly evolving and it’s hard to keep up. For small and medium businesses (“SMBs”), or companies with 1-999 employees, the statistics are alarming.

While you’re busy doing what you do best and running your small business, hackers are actively trying to find new ways to breach your company. They want to compromise your system, steal your data and profit from the damage they cause to you.

Even worse, this damage is “life-threatening” for small businesses. 60% of SMBs that are breached go out of business within six months. It is estimated that more than half a million SMBs shut down each year because of cybersecurity breaches.

To address this substantial risk, your business is in a bind:

It wouldn’t be cost-effective to pay for full-time IT security personnel or expensive consulting firms. But you know you need to address this issue that could impact your company’s future.

For a business owner who understands the importance of cybersecurity and wants to begin to see what you’re up against, here are five questions to consider.

Ask Yourself These 5 Cybersecurity Questions

1. Are your employees your first line of defense… or are they holding the door open for hackers?

As a small business, the percentage of employees who have access to business-critical data and systems is much higher than at a corporate giant.

This means more than ever, your employees are your first line of defense. If one of your employees is breached, it’s much more likely they have access to sensitive information than one of the tens of thousands of employees at a Fortune 500 company.

So cybersecurity is “all hands on deck” for your small business — is your entire team prepared for this responsibility?

We recommend holding regular training seminars and sending frequent security bulletins to keep employees in the know about the latest threats. If they don’t know what to look for and how to react, they might inadvertently expose your company to any number of harmful IT risks.

2. What are you doing to prevent a breach from happening at all?

In the news, you only hear about breaches after they happen. Of course, it isn’t front-page news when a breach doesn’t happen!

That doesn’t mean diligence isn’t important. What is your company doing to prevent these risks from ever happening? Installing up-to-date antivirus software on all your employees’ devices is a great start. However, it’s only the beginning of the complete prevention strategy you need to have.

Do you have the right IT processes and policies in place, and if so, do you know how well your employees follow them? Do you have a regular employee training and IT risk prevention program? Have you secured sensitive data access to appropriate personnel only?

These are all questions your business must consider to ensure a disaster isn’t on the horizon. You should have policies in place that guarantee continued security and plan for regular audits to make sure your plan is working.

3. If a breach does happen, how will you handle it? Have you planned for the worst?

Despite your best efforts to fend off hackers, sometimes they make it through. They’re quite crafty and invent new techniques every day.

Are you prepared to react if a breach does happen? Based on what data was lost or which system was compromised, how will your business proceed? Do you have cyber liability insurance or a validated backup of your data?

When a breach happens, it’s important to react with speed and authority. When Equifax was breached in 2017, the company’s reputation suffered significant damage. In large part, this was due to the manner in which they addressed the situation.

Perhaps Equifax could have avoided a breach altogether if they had the appropriate policies in place, and they could have reacted with more poise if they had an advance plan for what to do. (Fox Business described it as “a story of crisis response gone very, very wrong.”)

Per CNN Tech, Equifax was aware of the security flaw for two whole months before hackers exploited it to access data. In the CNN article, a security expert called the way Equifax addressed the security flaw a “systemic failure of process.”

Of course, this is partially a PR question, but it’s also a matter of closing the breach, convincing customers the right systems are in place to avoid the same situation in the future, and resuming normal business operations as soon as possible.

If a critical breach like this happened to your business, could you recover?

4. Are your systems and software exposing your business to any security risks? Is your sensitive data protected?

You now have more useful software and data at your disposal than ever before. Since these technologies can give you a powerful competitive advantage, you’re probably using a wide variety of software, cloud applications and devices.

Each of these is a potential doorway into your company. For example, all the benefits of cloud applications are paired with comparable risks.

It’s great for employee productivity. They can access their work from anywhere and collaborate with their colleagues more seamlessly than ever before. But it’s riskier to store data in the cloud than the “old-fashioned way” on your local network.

This doesn’t mean you should go back in time a decade and close up all your cloud access and collaboration applications. It’s just important to ensure your sensitive data is secured.

Consider conducting “penetration tests” and vulnerability scans to confirm that internal and external access to your systems is protected.

If hackers gain access to internal emails about organizing an employee’s retirement party, it’s probably not the end of the world. But it’s a different story if they get their hands on customer financial information, proprietary business processes, or trade secrets that give your company an edge.

Your company should have some basic cybersecurity principles in place and processes to audit adherence to these practices.

Examples of such principles are granting employees access only to the data and applications they absolutely need, prohibiting open access to networks that also store sensitive data, and preventing employees from emailing sensitive attachments to people outside your company.

Defining these policies and sticking to them will give you more peace of mind that your business is protected.

5. Do you have a plan in place for ongoing oversight of your company’s cybersecurity?

It’s not enough to perform an audit of your cybersecurity every now and then. Your business needs to commit to a cybersecurity program involving IT policies and employee education to stay safe going forward.

Companies are too often reactive to breaches that have already occurred. It’s necessary to make cybersecurity a proactive focus: the stakes are too high to merely wait and hope you’re protected.

After you initially audit your cybersecurity and determine your risk exposure, prioritize a list of policies and processes you’ll need to stay compliant. Ensure your employees and vendors are on the same page. Establish routine audits and other measures to evaluate adherence to your cybersecurity policies.

And once again, employee education is the most important piece of a cybersecurity strategy. The best enterprise cybersecurity policies won’t protect you if your employees are exposing your business to risks.

What Should You Do?

As a small business owner, you may not know the answers to these questions yourself. Ask your IT staff, vendors, or whoever is responsible for managing IT in your business. Whatever it is, do something.

It is time to be proactive and begin to develop an understanding of where you stand from a cyber risk standpoint. It’s imperative to consider your exposure to cyber risks and plan accordingly before a breach ever happens.

To learn more about IT Ally™ and our comprehensive set of IT Effectiveness Assessments, please visit us at www.itallyllc.com. Or, schedule a 30-minute consultation with one of our key advisors.


Your small business is perfectly immune from cyber attacks, right?

You know, cyber attacks like those targeted against Equifax in which they lost sensitive data for 143 million US customers, or the 3 billion Yahoo accounts that were breached, or when Target lost payment data for 40 million cards?

Why would hackers target small companies when there are so many huge corporations ripe for the picking?

If you think cyber attacks aren’t a serious threat for your business, think again: 60% of all targeted attacks are towards small to medium-sized organizations. And out of those data breaches that are successful, 90% impact small to medium-sized companies.

What explains the higher success rate? Research shows 82% of small to medium-sized businesses are not adequately protected from cyber attacks.

Cyber attacks are a PR nightmare. They are often so damaging to your reputation with customers that it’s impossible to recover. In fact, of small and medium-sized businesses that are breached, as many as 60% go out of business within six months.

These staggering statistics show it’s absolutely imperative to take cybersecurity seriously so you aren’t the next business with a huge, expensive headache on your hands, a seriously damaged reputation, or worse.

These 9 cybersecurity risks are very real risks for small and medium-sized businesses. It’s difficult to take all the necessary safety measures to keep your business and data safe, so your company probably has at least a few of these to address.

Can you afford not to know whether your business is protected?

9 Cybersecurity Risks Common For Small Businesses

1. Lack of adequate training

We’re mentioning this one first for a reason—it’s incredibly prevalent, but it’s easy to do something about, and training is often your first line of defense against these risks.

Most cybersecurity breaches are a result of human error. With “phishing” emails, hackers trick employees into giving up their passwords and other information by sending communications that appear to be legitimate. For example, an email may appear to be a routine credit card statement or order confirmation from Amazon, but it’s actually a fake email from an opportunistic hacker.

Employees click these emails because they are inadequately trained to identify and avoid these communications. And even if they suspect something is fishy, they may not know the appropriate steps to take.

What to do about it: We recommend regular security education, including periodic training sessions and email bulletins about the most common cyber attacks.

Why it matters for small businesses: It’s easier to drive these training initiatives for large businesses who have entire teams of people devoted to cybersecurity and compliance. For small businesses, training can slip through the cracks and there may not be someone internally who is qualified to deliver the training. But that doesn’t mean it isn’t crucial.

2. Inadequate protection against malware and ransomware

Hackers have been targeting businesses with malware (computer “viruses”) for years.

Ransomware is a particularly nasty iteration that you’ve probably heard mentioned in the news recently and that has become a lucrative business for the bad guys. Essentially, hackers take control of your data or devices, lock you out, and only restore your access once you pay their “ransom” fee.

Imagine being faced with a choice between paying a hacker $2,500 (or more) or never being able to access your customer data again. What would you choose?

It’s best of course to avoid the situation entirely by protecting your business against ransomware and other typical malware threats that compromise your data and device security.

What to do about it: Employee training is the most important component of an effective malware and ransomware prevention strategy. Further, companies should maintain protection solutions to avoid device infections and continuous cloud backups for disaster recovery if something slips through the cracks.

Why it matters for small businesses: Just one virus on an employee device could give hackers access to all your company’s data and control over what to do with it. From there, they can sell the data on the black market or encrypt it (via ransomware) to sell it back to you, among other nefarious strategies — none of which are good for your company.

3. Outdated or unpatched software

Keeping software up to date is tricky, and hackers love that.

Many software updates and patches are released to fix security issues. This is why software vendors try so hard to enforce automatic updates and regular update intervals.

Cybercriminals learn quickly, so your software may be perfectly secure now but introduce a huge security hole in just a few weeks.

What to do about it: Establish and stick to a regular patch and update schedule for all your applications. If you don’t currently follow any regimented policies, identify the applications with the most sensitive data and tackle those first.

Why it matters for small businesses: Small businesses have a smaller IT staff to ensure regular software updates, and this comes at a cost. Outdated software exposes your small business to a 3x greater risk of a security breach.

4. Poor data management practices

Chances are, your business has a lot of data you’d prefer to restrict to the appropriate personnel at your company, such as financial data, trade secrets, customer information, or proprietary processes.

Many small businesses pass sensitive spreadsheets, account credentials, and other protected information back and forth by email regularly.

Email is the most convenient option, but that convenience ends when the data ends up in the wrong hands.

What to do about it: Your small business needs a written policy about backing up and securing your data, and your employees should be educated regularly. Periodically, consider evaluating awareness and compliance via surveys and audits.

Why it matters for small businesses: Since just one data breach puts 60% of small companies out of business, it doesn’t make sense to pass customer spreadsheets, trade secrets, and confidential plans back and forth by email or other insecure file sharing solutions. Unfortunately, the practice is all too common.

5. Lax access control

It’s not just important to transmit data securely—your business should also have an intentional policy around who has access to certain data in the first place.

With so many risks associated with data security, it’s best to restrict access to parties who really need it.

In the cybersecurity world, this is called the principle of least privilege—give users access to the permissions and data they need, and nothing more.

What to do about it: Audit which employees have access to the data and applications on your network, making adjustments according to the principle of least privilege. Going forward, create and follow an access control template to keep your data secure.

Why it matters for small businesses: Your company’s competitive advantage may hinge on certain processes or information remaining secret, or the wrong data breach could jeopardize customer trust forever.

6. Insecure network

Whether you host data on your own network or in the cloud, security is vital.

At your office, guest devices, employee mobile devices, or personal laptops should not be permitted to connect to any network that also stores any sensitive data.

And if you use cloud data storage or cloud applications, managing access is critical as well. Hackers are quite effective at probing every possible opportunity to get their hands on your sensitive data.

What to do about it: Conduct regular audits of your company network and cloud security. Put the right policies in place to design new systems with security in mind. Leverage access control best practices and use a “whitelist” system for application access to your network (only explicitly permitting those applications that need access and are verified to be secure).

Why it matters for small businesses: The right hack could jeopardize vital business operations for days or weeks, and small businesses feel revenue and productivity losses especially hard.

7. Weak password policies

It doesn’t matter how secure your business technology is if your employees give away the keys with insecure passwords.

Many think password security is no longer an issue, but as recently as this year, a study found an average of 19% of business passwords are easy to compromise.

Think about that: without the right password security policy, at least one in five of your employees could be holding the door wide open for hackers.

Even if employees use secure passwords, that means very little if they use the same password for other platforms or personal use. In that case, their password to access your secure data only remains secure until those other platforms are breached.

What to do about it: Implement a regular interval at which employees must change their account passwords, such as every six months. Add system controls to ensure passwords meet certain strength requirements, such as length and avoiding dictionary words. For access to particularly sensitive applications and data, consider two-factor authentication for an extra layer of defense.

Why it matters for small businesses: Since a higher percentage of employees will naturally have access to sensitive information, they need to be your first line of defense.

8. No disaster recovery plan

Are you ready for an outage or hack? Are you sure?

Accidents happen. As much as you can and should try, it’s impossible to anticipate and avoid every incident affecting the security and availability of your data and systems.

Your business needs rigorous, thorough “disaster recovery” plans, so if your data falls into the wrong hands, a critical application goes down, or an employee poses an insider threat, you and your team are ready to spring into action.

What to do about it: This is certainly a bigger issue to tackle—but one of the most important. Identify the biggest threats to your business by asking “what if…” and start by establishing policies and plans to answer those questions.

Why it matters for small businesses: As a small business, it’s less likely you have backups and contingency plans than large companies who pay people to think about those risks all day. And outages and disruptions can be incredibly detrimental to your revenue and customer trust.

9. Lack of documented and enforced security policies

You need written IT security policies, plain and simple. As of now, do you have any?

If you do have them… are they communicated to your employees? Do your employees actually understand?

In our experience, the answers are “not really”, “no”, and “definitely not” in the small business space. These are tricky concepts to grasp and this is a rapidly evolving space.

For most small businesses, it doesn’t make sense to have a cybersecurity specialist on your payroll full-time. And your IT team (if any, depending on your company size) is busy with activities critical to running your company today.

What to do about it: After you assess your exposure to the risks in this post, consult with experts and develop documented policies and procedures. Then, train your team and put the appropriate measures in place to track and improve compliance. The future of your company just might depend on it.

Why it matters for small businesses: For small companies, security is a real team effort. The best way to navigate cybersecurity is to make it second nature for everyone working for your company—get everyone on the same team protecting your business from rapidly changing risks.

Now What?

Feeling overwhelmed?

That’s understandable. The stakes are high. And for many small businesses, these concepts are completely new—and until now, off the radar.

After reading this post, we bet you feel compelled to take action to protect your small business. The first step is conducting assessments and audits to determine how exposed your business really is. The second step is putting new policies in place that will protect your company going forward.

We provided some helpful resources and first steps in this post to get you started. IT Ally™ also has your back. We offer several cybersecurity assessments that can get your business on the right path in no time.

The assessments check for many of the risks covered in this post.

IT Ally believes in delivering enterprise value to small businesses, so our assessments are comprehensive and offer the same value a Fortune 500 might get by engaging exorbitantly priced IT consultants.

Your small business needs an Ally — we’d be honored to help. Get in touch to start the conversation or schedule a 30-minute consultation with one of our key advisors.
