
Over the past couple of weeks, we have looked at disaster recovery from the perspective of RPO, RTO, and MTO. Then we took a look at creating a Business Impact Analysis. This week, let’s evaluate how “time” figures into your calculations of potential losses, how to determine how much time you can afford to lose, and how managed IT services can help. This is an exercise that should involve all aspects of your business, and you should put this question to at least one person from every department: “How long can we be down before the loss of critical systems starts to have a serious negative long-term impact on our business?”

 

Zero Downtime

The answers may vary by department and by business, and for some the answer may be zero acceptable downtime. Solutions for zero downtime do exist. These solutions allow for immediate transition to a secondary yet fully functional and operational infrastructure at a remote location. Needless to say, backup like this is expensive, but for some businesses, it is imperative to their survival. Most businesses will determine that their requirements are less draconian.

 

Acceptable Downtime

When considering acceptable downtime, you must also account for what we call “dependencies.” If your calculations tell you that you can be down for 36 hours, for example, you also need to deduct from the 36 hours the amount of time you will need for your servers, networks, and all your other critical functions to be up and running. And you must also consider time to acquire replacement equipment, availability of personnel, etc. Based on these “dependencies”, your effective downtime may be far less than 36 hours. These are factors that must be discussed with your managed IT services provider as they will figure heavily into your recovery.

 

Don't Forget Your RPO

In working through these time calculations, do not lose sight of your RPO – your Recovery Point Objective. In simple terms, this means: how much data can you afford to lose? This will be the data lost between your last backup and the point at which you are fully online again. This includes your ability to service your customers/clients. This will be impacted by how often you run backups. If you haven’t backed up often enough, will you be able, or comfortable, to ask your customers/clients to provide documentation to help you fill in gaps in your data caused by downtime since your last data backup? At best, it is embarrassing. At worst, you create a lack of confidence in your business among your customers/clients, and possibly lose revenue to which you are entitled because you cannot produce invoices, or even prove the existence of customers to whom you may have provided goods or services.
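The two calculations described above (deducting “dependencies” from acceptable downtime, and checking backup frequency against the RPO), worked through as an added example that is not part of the original blog. The step names, their durations, and the backup figures are constructed assumptions; only the 36-hour limit comes from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One recovery dependency: its name, how long it takes, what it waits on."""
    name: str
    hours: float
    needs: tuple = ()


def recovery_plan(steps):
    """Return (total_hours, critical_path) for a set of recovery steps.

    Assumption: steps that do not depend on each other run in parallel, so
    the total is the longest dependency chain, not the sum of all steps.
    """
    if not steps:
        return 0.0, []
    by_name = {s.name: s for s in steps}
    finish_at, waits_on, in_progress = {}, {}, set()

    def finish(name):
        if name in finish_at:
            return finish_at[name]
        if name not in by_name:
            raise KeyError(f"unknown dependency: {name}")
        if name in in_progress:
            raise ValueError(f"circular dependency involving: {name}")
        in_progress.add(name)
        step = by_name[name]
        # A step can start only when its slowest prerequisite has finished.
        slowest = max(step.needs, key=finish, default=None)
        start = finish(slowest) if slowest is not None else 0.0
        in_progress.discard(name)
        waits_on[name] = slowest
        finish_at[name] = start + step.hours
        return finish_at[name]

    last = max(by_name, key=finish)
    path = []
    while last is not None:          # walk back along the slowest chain
        path.append(last)
        last = waits_on[last]
    return finish_at[path[0]], path[::-1]


def effective_downtime(tolerable_hours, steps):
    """Compare the tolerable outage with the time the dependencies consume."""
    total, path = recovery_plan(steps)
    return {
        "recovery_hours": total,
        "slack_hours": tolerable_hours - total,   # negative means the limit is missed
        "critical_path": path,
        "within_limit": total <= tolerable_hours,
    }


def worst_case_data_loss(backup_interval_hours, backup_runtime_hours=0.0):
    """Assumption: a backup holds data as of its start and is usable only once
    it completes, so a failure just before completion loses interval + runtime."""
    return backup_interval_hours + backup_runtime_hours


def rpo_met(rpo_hours, backup_interval_hours, backup_runtime_hours=0.0):
    return worst_case_data_loss(backup_interval_hours, backup_runtime_hours) <= rpo_hours


# Constructed sample plan (hours are illustrative, not from the blog).
SAMPLE_STEPS = [
    Step("replacement hardware", 18),
    Step("staff on site", 4),
    Step("network restored", 3, ("replacement hardware", "staff on site")),
    Step("servers rebuilt", 6, ("replacement hardware", "staff on site")),
    Step("data restored", 5, ("servers rebuilt", "network restored")),
    Step("applications verified", 2, ("data restored",)),
]

if __name__ == "__main__":
    result = effective_downtime(36, SAMPLE_STEPS)
    print(result)
    print("nightly backup meets an 8-hour RPO:", rpo_met(8, 24, 2))
    print("4-hourly backup meets an 8-hour RPO:", rpo_met(8, 4, 1))
```

With these sample figures the dependencies consume 31 of the 36 hours, and the critical path shows which step to shorten first.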

 

If you would like to catch up and read our past two blogs on disaster recovery, or any of the other topics we cover regularly, check out our blog. Keep an eye out for our next blog in which we will discuss risk assessment and how to achieve peace of mind. Better yet, give us a call today. We are a managed IT services company that has been protecting Atlanta’s small to mid-sized businesses since 1992 and we would love to speak with you. Call us at 770.629.9615.

Last week we began our discussion on disaster recovery with a look at RPO (Recovery Point Objective), RTO (Recovery Time Objective), and MTO (Maximum Time Objective). This week we’re going to give you a little insight into how IT companies set these parameters. Of course, there is no magic bullet or yellow brick road to instantaneously give us answers, but if you start with some good information, you are probably going to get good solutions. A large part of your calculation will consider how much the cost will be if your business is effectively shut down for any length of time.

 

The Cost of Loss

How much do most businesses lose because of IT problems? A study by Coleman Parks Research not too long ago estimated that small businesses lose an average of $55,000 a year due to downtime, data loss, and the cost of recovery. Mid-sized businesses are losing an average of $91,000. And these losses are before any major disaster. You may be asking, why aren’t I seeing this loss? How can it actually exist if I am not seeing it? IT companies know the answer is that it occurs in almost unnoticeable dribs and drabs. It’s the customer complaint that isn’t answered properly because accurate records couldn’t be found. Or business lost because the phone system was down for ten minutes. Or, even worse, angry customers because of a data breach. Yes, small companies suffer data breaches. You don’t hear about them because the media isn’t interested in the losses of a small company.

 

3 Step Business Impact Analysis

Your first step in understanding your potential loss should be the creation of a Business Impact Analysis. Many IT companies will have a version of this to help you implement. The primary steps include:

1: Create a list of your business’s core functions and the data required to keep these functions running. This includes processes critical to generating revenue: sales, accounting, etc. You should be including customer/client contacts, purchase orders and contract items, accounting and your other corporate records, as well as any other documents that will prove important to your business continuity.

2: Supporting infrastructure: what will you need if you have to replace damaged or destroyed equipment and/or software in the event of fire, flood, storm, or theft? It’s important to know what you will need to get your business up and running again. AND you need to know where and how you will obtain everything. Every day you are not operating, you are losing money.

3: Calculate your potential losses. Work with your accountant or in-house financial officer to figure out how much your company will suffer financially if unplanned business interruptions occur. Money that may be recovered from business interruption insurance is part of this. Calculate your losses from each part of your business to include loss from sales, loss of goodwill, aging and loss of value of inventory, etc. Now, here is the critical part: your potential loss will be a major factor in deciding how much you should spend on disaster prevention.

 

Next week we will continue this discussion by looking into the effect “time” will have on your disaster prevention decisions. In the meantime, we would love to start a conversation with you about disaster prevention and disaster recovery. If this is a concern of yours, and it is truly something every business executive should be thinking about, give us a call at 770.629.9615. We’ve been helping businesses just like yours as one of the top IT companies in metro Atlanta since 1992.

There are many kinds of disasters that can compromise your IT network. Fire, flood, and tornadoes are just a few. These can all bring your network down and your business to a standstill. But cybercrime, including data loss and theft, can also prove disastrous without proper IT support.

Recent surveys show that most small to mid-sized businesses have no disaster recovery plan in place. That’s a pretty scary scenario given that about 50% of all small businesses have reported some sort of data loss. In fact, according to the Association of Small Business Development Centers (SBDC), about a quarter of these businesses will experience a “crisis level” loss each year.

 

What Have You Got to Lose?

Think about all the electronic records in your business – customer contacts and purchase records, email, finance, etc.  –  now think about how devastating this kind of loss can be. You can lose some of your records or you can lose all your records. There have been many cases of total loss through ransomware attacks that lock up every file and that cannot be undone.

But even lesser losses can be problematic. Statistics show that the average data loss costs the victimized company more than $10,000. This includes lost business, lost future customers, the cost of reloading compromised files, etc. It builds very quickly. But these problems are unnecessary as worst case scenario prevention and recovery plans are affordable to the point where it is truly foolish to not explore your IT support options.

 

Know Your Limits

We are going to cover this area in some depth over the next few weeks and today we’re going to start with three of the key IT support metrics companies should be using in determining the level of risk they can tolerate, the level of data loss they can afford to suffer, and how quickly they must get back online.

Recovery Time Objective (RTO): This states the maximum time you are willing to have your company down. “Not at all” is generally not an acceptable answer because, although such planning is possible, the cost of the IT support needed to achieve it is generally prohibitive for most companies. The actual answer often depends on the type of company you are. If you are a manufacturer, it’s one thing. Quite another if you sell products online.

Recovery Point Objective (RPO): This is the point in time to which you need your data recovered, in other words, how much data can you afford to lose? Again, it’s a question of dollars spent in setting up your back-up / recovery process vs. dollars that will be lost.

Maximum Tolerable Outage (MTO): This is kind of a first cousin to RTO but looks more closely at loss of business relationships and the daily continuity of your business. Or, how long can you be down before the effect on your business relationships becomes a disaster?

 

Want to learn more? Check out our blog next week and the weeks after as we continue this discussion. Better yet, give DynaSis a call today at 770.629.9615 or contact us online. We have been providing IT support and IT security for small to mid-sized companies throughout metro Atlanta for more than 25 years.

If you are running a small to mid-sized business today, you are using technology, including desktop and laptop computers, communications devices, and software of all types. If you are like most businesses, your employees range from highly technologically proficient to barely comfortable. Security is also a major consideration, as studies reveal that the number one cause of cyber intrusions that lead to ransomware attacks and data breaches is employee error. As your company grows, you are faced with the reality that you need outsourced IT services for your people to call upon when they have questions, when problems arise, and when it is time for employee security training.

 

3 Ways to Handle IT Services

When it comes to managing IT services for your business, you have three main options.

You will often find that outsourced IT services are less expensive than employing your own IT department, even a department of one. With the right company, you will also receive support around the clock, 365 days a year. No worries about vacation time, IT people resigning unexpectedly, or supporting your team when they are on the road, working from home, or pitching a foreign client six time zones away.

 

What’s Included in Outsourced IT Services?

If you are going to be paying a third party for outsourced IT services, there are many services you can and should expect, but just a few of the major ones are:

Proper Documentation and Routing of IT Support Tickets

If the problem isn’t explained properly, it may not get fixed. If it isn’t sent to the right person, it may not get fixed. Escalation should also take place when appropriate. If you are limited to service from your in-house team, they probably don’t have anyone to escalate to.

IT Training

IT today is a moving target and ongoing training is essential. The problem in most SMBs is that this ongoing training usually doesn’t take place. Employers don’t want their IT people away from the office and, frankly, aren’t willing to pay for the training. A qualified managed IT support company will have ongoing training and updating for all its technicians.

Password Resets

Password security these days is critical. If your in-house team isn’t consistently updating password strategies and employee training, they are not providing you with the level of service you need.

 

These are just a few of the considerations in determining how to handle your helpdesk needs. If you want a more complete presentation on how to make this decision, we suggest you read our recent white paper, Why Outsource Your IT Support, or even better, since we have been servicing the small to mid-sized business community since 1992, give us a call today at 770.629.9615.

Imagine you had a computer (we know you do, but play along). Imagine how much you could accomplish with that computer. Now imagine that you had four employees…but only one computer. If they all took turns on that computer, productivity would be a bit impacted. Well, maybe not a “bit”, but a lot. Now imagine four computers, one for each of your people. A lot more work, but a lot more expense. Now imagine that instead of each of your people working at separate full-blown computers, your IT service set your company up so that they were working at four “dumb” workstations that all relied on a single more powerful “server” computer to store applications and files and feed them to the workstations as needed. Here is what you have accomplished:

Virtualization

This whole process is called “virtualization”. By using virtualization software, your IT service is able to effectively turn a single computer into four computers. Under this scenario, the workstations we mentioned above are called “clients” and are served by the “server” computer. The virtualization software is called a “hypervisor”…yes, it comes from the word “supervisor”. What your IT service did was take one more powerful computer and, with the use of this software, turn it into four “virtual” computers, also known as virtual machines, or VMs. Each of these VMs is called an “environment.” (Sorry for all the Geek talk).

What’s also really cool is that each of these virtual machine environments can run its own operating system. Windows, Linux, Apple OS. All can run simultaneously on this single computer and feed appropriate apps and docs to each client.

Now imagine a company with a lot more than four employees. Imagine a company with 50 employees. Instead of 50 full-blown computers, because of virtualization, your IT service can set your company up so you are using only 10 more powerful units, with 50 “dumb” workstations. Yes, the savings are multiplied, but we have accomplished a lot more than that. A server computer that serves five or six workstations does not need the computing power of five or six single computers. The full computing power of a basic computer may be needed on rare occasion but is extremely unlikely to be needed all the time, and the need for the full computing power of six computers at the same time would be so rare that it is almost unthinkable. All this matters because, since the computing power of the server computer is shared between the six workstations, and since it would be rare indeed for even one workstation to require its full computing power, the server can get away with, say, the equivalent of four regular computers’ computing power, which your IT service can install for a lot less money. The computing power is then shared, applied to each workstation as needed.

Virtualization is a powerful tool that is used extensively in cloud computing and is something you may want to learn more about. If you do, read our recent article (with some cool illustrations) on Understanding Virtualization. And if you want to know how it can benefit your company, give us a call here at DynaSis at 678-373-0716, because we have been at the forefront of small to mid-sized business computing since 1992.

Here at DynaSis, as a managed IT services provider, we offer prospective clients complimentary IT and Network Assessments. The assessment gives the business-person a good look at where the company’s IT infrastructure stands at that moment regarding a number of potential security issues as well as understanding where it stands in terms of updates and upgrades. We then ask people to consider four questions:

We’re not going to review these one by one because the answers are pretty obvious. What may be less obvious is where to start, and that is with the Assessment. The Assessment serves as a roadmap and without it, a managed IT services provider is likely to recommend unnecessary changes, and miss some that would be highly beneficial, in the end creating a framework that does not accomplish what you are looking for.

There are some basic yet important goals that your IT services company should be helping you accomplish:

Availability

Does 99% uptime sound good? Not by our standards. That is 1% downtime, or 5,256 minutes annually. Our goal is between 99.99% and 99.999% uptime, or 5 minutes to one hour downtime per year.

Security

This is an important subject on its own and we encourage you to read a white paper we published earlier this year entitled Cyber Security 2018. As a managed IT services company, we are very much aware that the majority of cyber crimes are now committed against small to mid-sized businesses. Cyber criminals know that “enterprise” size companies have invested millions of dollars in protecting themselves, so small to mid-sized businesses have become the low hanging fruit.

Mobility

Everyone is on the go. Employees work from home, in airports, hotels, clients’ offices, even on vacation. Mobility today means a lot more than having a smartphone. It means being able to access your files anytime, anywhere. It means being able to collaborate with your team members no matter where they are. Again, this is a subject worthy of discussion on its own, and we would be happy to speak with you.

Productivity

People want to be productive and ensuring that your IT infrastructure is functioning at peak levels is necessary. In fact, studies show that millennials who are interviewing for all levels of management positions frequently inquire about the tools with which they will be provided to accomplish their jobs. An assessment will help here, too.

………………

What we have discussed in this week’s blog is merely the tip of the iceberg when it comes to the information that can be gleaned from an IT Network & Security Assessment. For a deeper look, we recently published a full white paper called The Value of an IT Assessment and we suggest you take a look. We believe you will find it eye opening.

At DynaSis, we have been providing managed IT services for more than a quarter century and we would love to start a discussion with you, so please give us a call at 678-373-0716.

The results of two recent surveys indicate that computer network support professionals working for “enterprise level companies” agree that a company’s own employees are often its weakest link in protecting against cyber-crime. (For specifics on these surveys and more information on the subject of employee training in general, read our White Paper on the subject.) So, as an owner or executive of a small to mid-sized business, consider this: if this problem is so prevalent in these enterprise level companies with large IT departments, where does this leave you?

It is well-known in computer network support circles that, in this day and age of cyber-criminals who are relentless in their development of new ways to attack virtually everyone’s IT network, employee training is a key element. It is also known that careless and/or unintentional employee actions are the number one access point for these criminals. While all the other forms of network protection are still vital, employee education remains one of our best safeguards.

Here are some notes on areas in which employees need to be taught, and then continuously reminded and updated:

Unbreakable Password Protection

Computer network support professionals are amazed at how many people still use easy to break passwords. Criminals use algorithms that can rapidly test millions of possible passwords, so if they have a reason to guess at part of a password, finishing it becomes a real possibility. Larger companies install protections against this, including automated requirements for regular changes as well as strong parameters. Try this. Current thinking among these computer network support people has changed from combining letters, numbers and characters, to letters only. Here’s why: if you combine three unrelated words of five letters each (for example: househumanroses), those fifteen letters give you 1,677,259,342,285,730,000,000 possibilities. That’s 1.6 sextillion. And that’s only using lower case. Imagine if you mix upper and lower.

Downloading Unauthorized Software

Another thing that drives computer network support people crazy is the many software programs that can be downloaded for free with a simple mouse click. While many are truly useful, others may launch very destructive malware, including ransomware that can lock down an entire IT network.

Phishing and Spear-phishing – Social Engineering

These are tactics used to trick people into divulging sensitive information. You may not fall for the plea for assistance from the Nigerian Prince, but many people are fooled by realistic looking fake emails from banks, utilities, charities and others. One specific word of caution: the IRS never calls and never sends emails.

Social Media Scams

Fake Twitter Accounts: We all make typos. Studies show that a small percentage of people will inadvertently make mistakes and not correct them when typing. If you mean to send a tweet to a company called ABC123, but type ACB123, there may well be a fake account out there with that name, set up to trick you. These scam artists will set up hundreds of these accounts (ABD123, ABE123, ABC 123, etc.) to benefit from your mistakes.
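One way for a company to check a list of account names for lookalikes of its own handle, as an added example that is not part of the original blog. It flags names within one typing mistake (swap, substitution, extra or missing character) of the official handle, using the ABC123 variants from the paragraph above; the function names and the `@XYZ789` and `@ABC_123` entries are constructed for illustration.

```python
import re


def normalize(handle):
    """Lower-case a handle and drop '@', spaces, underscores and punctuation."""
    return re.sub(r"[^a-z0-9]", "", handle.casefold())


def typo_distance(a, b):
    """Edit distance that counts an adjacent swap (ACB for ABC) as one mistake.

    This is the optimal-string-alignment variant of Damerau-Levenshtein.
    """
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(
                prev[j] + 1,               # character missing from b
                cur[j - 1] + 1,            # extra character in b
                prev[j - 1] + (ca != cb),  # wrong character
            )
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # two characters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def find_lookalikes(official, observed, max_distance=1):
    """Return (handle, distance) for observed handles that imitate `official`.

    The official handle itself (in any letter case, with or without '@') is
    skipped. Distance 0 means the name differs only by spacing or punctuation.
    """
    target_raw = official.lstrip("@").casefold()
    target = normalize(official)
    hits = []
    for handle in observed:
        if handle.lstrip("@").casefold() == target_raw:
            continue  # this is the real account
        distance = typo_distance(target, normalize(handle))
        if distance <= max_distance:
            hits.append((handle, distance))
    return hits


# Constructed sample: names a brand-monitoring search might return.
OBSERVED = ["@ABC123", "@ACB123", "@ABD123", "@ABE123",
            "ABC 123", "@ABC_123", "@XYZ789"]

if __name__ == "__main__":
    for handle, distance in find_lookalikes("ABC123", OBSERVED):
        print(f"{handle!r} looks like the official account (distance {distance})")
```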

……………………….

The reality is, there are too many ways that employees can make mistakes or be fooled to cover in this blog, so, again, we refer you to the white paper we wrote on this subject. Once you better understand the risks, you can set up training programs for your people. If you don’t have an in-house computer network support team to conduct employee training classes, speak with us here at DynaSis. We’ve been doing it since 1992 and would love to do the same for you. Call us today at 678-373-0716.

Most companies these days allow, or even insist, that employees use one or more of their own devices for work. Rather than causing resentment, the majority of employees actually prefer using their own phones, tablets or laptops, rather than having to carry two of the same type of device. They are comfortable with the devices they understand and are probably upgrading them faster than the company network support team would be doing, thus giving both the employee and employer the benefit of more current technology.

That being said, there are concerns that many employees have, some real, some perceived, that must be addressed and, additionally, network support and security for devices the company doesn’t own can be challenging. On the employee front, those who are required to use their own devices often feel they are losing privacy, including the possibility that their personal information may be accessed. This can be overcome with adjustments on the network support side and explanations (in lay terms) to the employees.

We won’t get into too much technical detail here, but on the employer’s side the issue of keeping company data secure demands serious consideration. This requires the creation of an “Acceptable Use Policy”, but please keep in mind that policies like this are only helpful if they are enforced.  (If you want more information about BYOD policies, check out our White Paper on the subject.) If you are going to allow or require BYOD, here are some guidelines on how to begin:

Pilot Program

Start small. If you only have a few employees, you may want to include everyone, but if you are mid-sized and growing, limit the participants until you’ve got the bugs worked out.

Involve All Constituents

A strong BYOD policy will involve every department in the company: sales, marketing, HR, finance, R&D, etc. Make sure people from each of these are involved in the set-up and roll-out discussions.

Employee Training

Employee training today is important in many areas of cyber security. Employee email accounts are the number one source of access for cyber intrusion of all types. BYOD is no different. This is an important network support issue.

Industry Specific Security

PCI, HIPAA, GLBA, DSS and others. You don’t want to be 100% in compliance in-house, then fail to keep employee devices adequately protected.

Device Level Security Isn’t Enough

Proper network support and security requires multiple defense layers. Hard as you try, you may not always be successful in keeping every device secure, so your network must provide protection for this.

Additional Costs

Yes, by asking/allowing your employees to use their own devices, there will be savings, perhaps substantial. However, there may also be additional expenses to install updated infrastructure technology. All in all, however, the switch should help your bottom line.

Again, if you would like to learn more, check out the White Paper, or, even better, give us a call. We have been providing IT network support for more than 25 years and would love to chat with you. Call us today at 678-373-0716.

Cybercrime complaints to the FBI exceeded 300,000 in 2017 with an estimated loss of almost $1,500,000,000. The thing is, the Department of Justice estimates that only 1 in 7 criminal incidents are ever reported. That brings the estimated totals to 2,100,000 incidents and $10,500,000,000 in losses. Why is that?

First of all, if you believed you caused the attack because of an error in judgment, chances are you aren’t going to be so fast in letting anyone know. Neither would your employees. Now, very few employees, fortunately, are going to actively work at allowing cyber intrusions into your network, but simply clicking on a deceptively realistic looking phishing or spear-phishing email can open the door. Companies with effective in-house or managed IT support providers can usually determine whose mistake it was, but for many small to mid-sized businesses, the unintentional culprit will never be found.

But in some ways, that’s beside the point. The point is that your employees should have been well-trained enough that they aren’t susceptible to this kind of fraud.

If you are the boss and you know about the cyber break-in, your attitude may be that it’s unlikely that the perpetrator will ever be found so why bother? You are also way more likely to pay a ransomware demand than report the crime. It just seems easier. Except that in about 20% of the cases, the decryption code you need to unlock your files either never arrives or doesn’t work. This 20% would have been much better off dealing with prevention than with trying to rectify a really tough situation.

There is another growing area of cyber-crime, although it is not committed through entry into your IT infrastructure. This is IT support fraud and in 2016 there were more than 10,000 cases reported. Again, law enforcement believes the 10,000 are the tip of the iceberg. The reported losses were $800 each on average. Most of these were perpetrated against individuals, not businesses, but in today’s work-world, with many people using their own devices for work, sensitive business information that resides on an employee’s personal laptop may be stolen and used for illegitimate purposes.

The gist of this blog is to encourage two things: first, report all cyber-crime. You can never tell which case will be the one to break open a crime ring. Second, make sure your employees are well-trained in cyber-crime prevention. Fact: most ransomware and other malware intrusions are caused by employee errors that can be prevented.

Need more info? Try this article we published not too long ago, or, better still, give us a call at DynaSis at 678-373-0716.

 

Many people are surprised to learn that today’s number one cyber security threat is email. Deeply concerned about all levels of IT security, we recently published a white paper analyzing the various threats and how to thwart them, as well as how we here at DynaSis work to make our clients’ email accounts secure. In this white paper, we went over things like “zero trust” and how effective current phishing and spear-phishing techniques have become…and how to protect yourself by educating your employees.

Zero Trust as a Security Model

This is a critical part of email security in today’s world. Sorry. It might sound unfriendly, but when we trust no one, we are more vigilant. It’s not that we don’t trust people’s integrity, especially when it comes to our most trusted employees, it’s that we simply don’t have the luxury of trusting their judgment when they are up against brilliantly (unfortunately) crafted schemes designed to inflict harm. This is especially true in this world of BYOD (Bring Your Own Device To Work). Not only are the bad guys trying to work their way into your system through your company-owned devices, they are also working on getting in through the personally owned devices your people are using to access the company network.

In addition to phishing and spear-phishing (including expanded definitions), we go over email spam, viruses, malware, ransomware, social engineering and state-sponsored hacking. And we remind you, as we do here, that all this can start with a simple, single email.

Best Practices

But we don’t just leave you hanging. We review “best practices” and how they can be used to keep the bad guys out. We go over specifics like auto-listing, RFC check greylisting, global reputation checks, recipient validation & active directory, anti-spoofing, email firewalls, and policy controls. Whew! That’s a lot of stuff, but it’s all important.

Mimecast

As a managed IT support provider, and after reviewing all the software available (and with 25 years’ experience, we are experts at conducting reviews), we have chosen Mimecast for our clients. You can click here to check out Mimecast on our website, or here to read about it in our white paper. Check out our entire website at www.DynaSis.com, or better yet, give us a call today at 678-373-0716.
