This is the second entry in a series of Partner Technology Spotlight articles created with the help of our MSP partners. The series’ purpose is to educate our customers and partners about topics that they might find helpful.
The subject here is backup and disaster recovery, which can affect any business – especially those that aren’t prepared. We asked our friend and partner Kyle Elworthy of Network Essentials to share his insights on this potential problem, and how your business should make sure it doesn’t become a victim.
What is the typical size of your customers’ businesses?
It varies, but the sweet spot is 25-50 people.
Do most businesses pay enough attention to disaster recovery and backup?
No, they don’t focus enough on their data and how it’s being handled. Most business owners don’t really consider what their main assets are. Their people are the most expensive asset they have. The second most – maybe it could be first – is intellectual property, or data. They don’t have data storage policies, though some may know that their IT company is backing it up.
I’d say that 95 percent of the CEOs we deal with let someone else look at our reports – they know what we’re doing, but don’t really look into the details of what we give them. How we back up the data is the most important thing we do.
If there’s a catastrophe or a major outage, we need to be able to bring that business back up. If we don’t, 50 employees could lose their jobs, affecting them and their families. Their whole lives could be impacted, and we can’t afford to have that happen.
Do most companies manage their disaster recovery and backup needs on their own, or are they working with managed services providers (MSPs) that don’t pay enough attention to it?
It’s a combination of the two. Often, we’re replacing a single person that has been managing IT efforts. I’ve been in that position – you get to a point at which money is no longer being invested in technology, so you move on to learn more somewhere else.
If someone is stuck in the same position for, say, 12 years, there’s not much motivation to learn new technologies that will help the business improve. People can get lazy, and stop doing basic things. That’s while the company has a false sense of security, thinking that a longtime employee has everything covered.
Think about salespeople, for instance. Are they pulling your intellectual property onto their laptops, or filing it in Dropbox? What happens when they leave – do you know that your data is walking out the door?
A good friend in Charlotte had a salesperson leave with a database with over 2 million contacts of former and current client information. That’s a significant problem for a business owner – you have expectations that things are being backed up, but maybe they’re not.
If a company is handling disaster recovery and backup in-house, what basic safeguards should it start with?
Start with a data storage policy that dictates where sensitive data is stored, and who has access to the data. That might seem basic, but many companies ignore it. Then, you can go down the rabbit hole as far as you want, dictating which groups have access to which data. That will build your security policy.
The second thing is to create a Recovery Point Objective (RPO) and a Recovery Time Objective (RTO). These are the two things we use with our clients to benchmark how important their data is.
With RPO, if there is a mission critical failure, how much data can you afford to lose? Is it 15 minutes, two hours or 24 hours? RTO gauges how long your systems can afford to be down before it affects your bottom line.
We use these metrics to triangulate. For instance, if we lose 15 minutes of data and are down for more than an hour, it costs X thousands of dollars. That helps us put controls in place to allow us to recover in those quick timeframes.
Any business with more than 10 people usually can’t be down for more than an hour without its bottom line being affected.
For the individual IT person, the difficult part about this is doing the research to understand new technologies. Some vendors will manage systems for you, and handle issues when you send them service tickets. You can also get trained, buy equipment and install it, or go through online training for software-based systems. It’s easy if you know the technologies, and we’re fortunate to have peer groups that help us do that.
What are the biggest advantages to using a company like yours as opposed to handling backup and disaster recovery in-house?
We have people checking backups three times per day around the clock. If anything fails, we take care of the problem. We also report on those issues on a monthly basis. We own them and explain them.
We also initiate testing on a monthly basis, so that we can trust and verify our backup reporting. Most internal IT people don’t do that due to other responsibilities.
Do you ever get calls from people after the fact, when they’ve already lost the data?
We’ve received many of those. The Charlotte Cybercrimes FBI unit has called on several occasions with news that a company has been hit by the crypto virus, inquiring for consultation and direction. That’s the worst call we can get, because when backups aren’t in place, there’s not much you can do other than pay the ransom and hope that you get the key. The downside to this action is that you cannot be sure that the criminals are going to send the key, and this increases the likelihood that you become a target for future campaigns.
The Charlotte city government was hit this way in 2017, and it took more than two months to completely restore their services. The systems we use would have had them back up in 24 hours.
Is preparing for a hurricane different than preparing for something like ransomware?
They’re basically the same. The only difference is that when we know a storm is coming, we can staff up to handle multiple client outages if necessary.
What are the onboarding considerations for your new clients?
Stakeholders need to be involved. We need to know where a prospect’s data is to know that we can back it up and prove that we’re doing it. Believe it or not, many companies don’t know where their data is stored.
We then go into the process of writing their data storage policies and backup policies. It can be time-consuming, but once it’s done, the business owner has a much better understanding of how the company’s data is stored and used, and of the ability we have to protect that data.
For example, if somebody quits, we have processes in place to wipe external machines and lock machines out so that the data can’t travel.
Any interesting anecdotes about companies that weren’t prepared for backup and disaster recovery?
CEO wire transfer frauds are common. Ninety percent of breaches begin via e-mail. The perpetrators are very well funded, with MBA-level talent. They research companies as part of a process called “whaling.” They find a high-value target, and identify the easiest way to compromise that person – usually, it’s the administrative assistant.
To compromise the administrative assistant of the CEO for a $50 million company, they’ll do research on that admin. For example, let’s say it’s a woman who is an animal activist. They’ll send her an e-mail that notes her participation in the local humane society, and invite her to an animal adoption event. When she clicks on the link in the e-mail, software will be installed on her machine.
Once the e-mail is compromised, they attempt to hide their actions by turning off logging and creating rules to send any emails they send to trash. Then they’ll exfiltrate all compromised email accounts to determine patterns of communication between her and the CEO.
We’ve been involved in cases with the FBI that occurred in businesses where the owner uses the business in conjunction with a personal checkbook. In one, e-mails from the CEO to the admin were spoofed, asking for transactions of approximately $50,000 before the breach was discovered.
In another example, the party that infiltrated the e-mail was able to set itself up as an authorized signer with the company’s bank. It then sent a “mule” to the bank with a real driver’s license and other personal information, and tried to transfer $3 million out of an account. Again, the offenders studied communication patterns, verbiage, etc., between the admin and CEO. Only a $2 million transfer cap prevented this scam from working.
According to the FBI in the Charlotte area, there are about 76 active investigations of similar occurrences involving $3 million or more.
Any final words of advice on this subject?
Know where your data is, and trust and verify that it’s being backed up based on your RPO and RTO. Here’s a video we produced that offers some additional insight.