Cybersecurity and the Workforce: Strengthening Weak Links

Cybersecurity Awareness Month, observed each October in the U.S., is a good time to reflect on cybersecurity practices, training, business risk, and the strategies companies use to manage that risk. Every year, cyber incidents (intrusions, breaches, and similar security gaps) cost U.S. businesses far more than active cybersecurity risk management would have cost them. The exposure keeps growing: cybercrime is reported to be up 600% since the COVID-19 pandemic began, as more people work from home and spend more hours online.

The COST:

Cybercrime is estimated to cost $10.5 trillion – TRILLION – annually by 2025. The average cost of a data breach to a small business is about $2.98 million, and phishing costs a large U.S. organization an average of $14.8 million a year. Some of these costs can be avoided and the risk reduced through investment in cyber defense capabilities and tooling, sound employment policies, effective training built around the applicable ISO standards, and enforcement of cyber hygiene practices.

Can’t Tools Fix This?

Cybersecurity hygiene and risk management come down primarily to the end user. Security is a journey, not a destination. Tools, patches, systems, and networks help, but an effective security posture depends disproportionately on the conduct and discipline of end users: their training, their personal and professional restraint, and their instincts. Buying a full security stack does not finish the job. It is just the beginning.

Personal cyber hygiene is almost always the number one risk for an organization. Hollywood portrays elaborate hacking that penetrates networks without any inside help, and that does happen, but most intrusions start with a virtual invitation from a network insider through phishing, spoofing, or a similar technique. A thief can steal money by cracking the safe in a bank vault, or he can walk through an open door into a bank where the cash drawers are unguarded and the keys to the safe deposit boxes are lying unattended.

Who is affected:

Companies ranging from publicly traded multinationals to privately held C and S corporations, small-business LLCs and partnerships, nonprofits, and public institutions all have cybersecurity interests scaled to their size. These organizations are not neatly binned, because cybersecurity is matrixed: multinationals make grants to nonprofits, and university research foundations exchange data with companies, hospitals, and grant sponsors.

Cybersecurity risk does not rest solely on a company’s own hygiene and employee practices; it also depends on the security posture of the partners it does business with. For federal contracts, cybersecurity standards can be imposed on subcontractors through flowdown clauses. Organizations should also consider negotiating cybersecurity incident indemnification clauses into contracts and ensuring adequate insurance coverage. A partner’s cyber hygiene is an essential consideration in deciding whether to transact, how to price, and how to plan for regulation and compliance.

This is markedly true in mergers and acquisitions. Organizations must actively assess and manage risk when deciding whom to entrust with the keys to the cybersecurity kingdom.

Culture:

Security culture can also be generational. Generation Z are digital natives, people born into and raised in the information age rather than having learned digital technology as adults, yet the National Cybersecurity Alliance has found that they “have higher cyber incident victimization rates” than older generations.[1] Why? First, they are more immersively connected: with technical familiarity comes more ubiquitous connectivity, and so more opportunities for mischief or mistakes through “security fatigue.” Second, cybersecurity is often taught in the workplace but seldom in schools, so new high school and college graduates entering the workforce may present a particular vulnerability until effective organizational training and policy enforcement take hold. Finally, younger people may be more open to the proposition that information is a public good, and that efforts to protect and segregate it are therefore bad. That may be philosophically appealing, but it is commercially naive in an era of lurking foreign intelligence services, ransomware, denial-of-service attacks, and economic espionage. The Massachusetts Air National Guardsman who leaked a trove of Top Secret documents from 2022 until his arrest in April 2023 did so by posting them in Discord chat rooms in connection with his online gaming activities, not out of anything resembling espionage. According to the charging documents, he may simply have been too inexperienced to understand the consequences of his actions.

Policy:

Finally, businesses, nonprofits, and public organizations must build cybersecurity training and compliance policies into employment handbooks and contracts, and must be willing to enforce them through progressive discipline where warranted, with more drastic measures where an employee’s or contractor’s conduct, willful or negligent, exposes the organization to increased cybersecurity risk. In the wrong circumstances, a single employee’s error can be a catastrophic or even existential threat to a company.

Halloween ends Cybersecurity Awareness Month, and while this commentary has been something of a parade of horribles, it is meant not to scare but to make organizational leaders and managers wary. No cybersecurity risk management plan is foolproof, but organizations can manage the risk through well-planned and well-resourced cybersecurity infrastructure, hiring, training, policy development, business processes, and enforcement of standards.

[1] Claire Nuñez, How to Embed Gen Z in Your Organization’s Security Culture, Security Intelligence, December 15, 2022, available at https://securityintelligence.com/x-force/gen-z-cybersecurity-culture

Need Help With Your Cyber?

Troy McCollum is the founder and CEO of Layer 9 IT, a Virginia full-service outsourced IT company focused on the legal, financial, and medical verticals.

Butch Bracknell is a cybersecurity and business law attorney with the Norfolk law firm of Crenshaw, Ware and Martin PLC. Crenshaw Ware & Martin has been providing business counsel for Hampton Roads, Virginia, and Eastern North Carolina businesses for 100 years. www.cwm-law.com

For a free consultation, call us at 757-644-3291. Or schedule a call by sending us a message.

Let’s work together and remove your IT barriers.

Protecting Your Business From Data Disasters

Data is everything to a small business – which means if you lose access or control, you’re facing an emergency.

It sounds dramatic, but the research backs it up.

According to several sources, 93% of companies that suffer a major data disaster without a recovery plan already in place go out of business within a year.

And since 68% of businesses have no plan for that worst-case scenario, losing data would be a death knell for most of them.

Fortunately, your business doesn’t have to be one of them. With the following steps, you can have a rock-solid disaster recovery plan.

Step 1:
Know How A Disaster Recovery Plan Differs From A Business Continuity Plan

The main difference: a business continuity plan is proactive, while a disaster recovery plan is reactive.

A business continuity plan ensures that, whatever the disaster, your business can keep operating and serving customers.

A disaster recovery plan is the IT piece of that: it ensures you can back up and restore critical systems and data should they be lost, destroyed, or held for ransom.

Step 2:
Gather Information And Support

For your plan, start with executive buy-in.

A plan is only as good as its execution, so everyone, from the CEO to entry-level employees, needs to know their part in it if you suffer a data disaster. When staff understand the stakes, cross-functional collaboration follows, and that is what gets systems back up after a breach.

When creating your disaster recovery plan, account for all elements in your applications, data, and tech systems.

Look for any weaknesses in server security and in physical access to your systems. If those are compromised, you will be thankful for the plan.

Also identify the critical processes you must keep running in a worst-case scenario, when capacity is limited.

Step 3:
Create Your Strategy


When creating the game plan, you need a good grip on your budget, resources, tools, and partners.

If you are a small business, pin down your recovery timeline: how long you can afford to be down (the recovery time objective) and how much recent data you can afford to lose (the recovery point objective).

That is where you start, and it should also produce a customer communication plan for the period while your business returns to full operating capacity.

Step 4:
Test The Plan

To know whether you are prepared, you must test the disaster recovery plan.

Walk employees through the practical steps they would take in an emergency; working through scenarios exposes the weak spots. Test the restore, not just the backup: a backup you have never restored is an assumption, not a plan.

Then, if an actual data disaster befalls your business, your systems and employees can spring into action.

To review, these are the quick actions for a robust disaster recovery plan:

  • Get executive buy-in for the plan

  • Research and analyze how your business systems could be impacted

  • Prioritize the most necessary systems to the functioning of your business

  • Test your disaster recovery plan for effectiveness

With these steps in place and tested, your business is far better placed to survive a data disaster.
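As an added example (not tooling from Layer 9 or from this post), the following Python script turns the "back up, restore, test" cycle above into a drill you can actually run: it backs up a directory to a tarball, records a SHA-256 manifest at backup time, restores into a clean directory, and verifies every restored file against the manifest, flagging corrupted, missing, and unexpected files. It also checks the restore time against a recovery time objective and the backup's age against a recovery point objective, and refuses archives whose member paths would escape the restore directory. The RTO and RPO values, the sample files, and the hostile archive are all constructed for the example and assumed, not taken from the page.

```python
import hashlib
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Assumed recovery objectives for the drill; take the real values from your plan.
RTO_SECONDS = 4 * 3600   # recovery time objective: a restore must finish within 4 h
RPO_SECONDS = 24 * 3600  # recovery point objective: the newest backup is at most 24 h old


def build_manifest(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src, archive):
    """Write a gzip tarball of src and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname=".")
    return manifest

def restore(archive, dest):
    """Extract into dest, refusing any member whose path would land outside dest
    (a hostile or damaged archive must not overwrite live data). Returns seconds taken."""
    dest = Path(dest).resolve()
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(dest)
    return time.monotonic() - started

def verify(manifest, restore_dir, restore_seconds=0.0):
    """Compare the restored tree with the backup-time manifest and the RTO."""
    restored = build_manifest(restore_dir)
    report = {
        "missing": sorted(set(manifest) - set(restored)),
        "corrupted": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(set(restored) - set(manifest)),
        "within_rto": restore_seconds <= RTO_SECONDS,
    }
    report["ok"] = report["within_rto"] and not any(
        report[k] for k in ("missing", "corrupted", "unexpected"))
    return report

def rpo_met(archive, now=None):
    """True if the backup is no older than the recovery point objective."""
    age = (time.time() if now is None else now) - Path(archive).stat().st_mtime
    return age <= RPO_SECONDS

def run_drill():
    """Back up constructed sample files, restore and verify them, then damage the
    restored copy (tampered, deleted and stray files) to show verification catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "clients").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "clients" / "acme.txt").write_text("Acme Corp, net 30\n")
        (src / "clients" / "globex.txt").write_text("Globex, net 60\n")
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restore_dir = tmp / "restore"
        seconds = restore(archive, restore_dir)
        clean = verify(manifest, restore_dir, seconds)
        (restore_dir / "ledger.csv").write_text("id,amount\n1,100\n2,25\n")  # silent corruption
        (restore_dir / "clients" / "acme.txt").unlink()                       # lost file
        (restore_dir / "stray.tmp").write_text("not in the backup\n")         # unexpected file
        damaged = verify(manifest, restore_dir, seconds)
        return {"clean": clean, "damaged": damaged, "rpo_met": rpo_met(archive),
                "stale_after_two_days": rpo_met(archive, now=time.time() + 2 * 86400)}

def traversal_rejected():
    """Constructed hostile archive with a member named ../escaped.txt; restore must refuse it."""
    with tempfile.TemporaryDirectory() as tmp:
        evil = Path(tmp) / "evil.tar.gz"
        with tarfile.open(evil, "w:gz") as tar:
            info = tarfile.TarInfo("../escaped.txt")
            payload = b"outside the restore directory\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        try:
            restore(evil, Path(tmp) / "restore")
        except ValueError:
            return True
        return False

if __name__ == "__main__":
    result = run_drill()
    print("clean restore ok:", result["clean"]["ok"], "| RPO met:", result["rpo_met"])
    print("damaged restore:", result["damaged"], "| traversal rejected:", traversal_rejected())
```

The manifest is taken before the archive is written, so verification measures the whole chain (archive, storage, restore) rather than trusting the archive's own contents; a real drill would point `make_backup` at production data and `restore` at an isolated recovery host, and schedule `rpo_met` as a monitoring check so a stale backup is noticed before the disaster, not after.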

Need Help With Your Plan?

When you’re running day-to-day business details, a disaster recovery plan is a lot to think about.

Is it thorough enough? Do you have the expertise? Is your equipment sufficient?

An unreliable network will hold your business back — that’s why you need a trusted technology partner. Our proactive approach keeps you ahead of security breaches and downtime.

Layer 9 helps business leaders just like you.
