They’re not here yet, but plummeting temperatures and snow weather warnings will soon get you thinking about how the winter conditions will impact your business. Maybe key staff are unable to commute, distribution channels could be disrupted or communication lines might go down. Simply put, sleet, snow and flooding will all wreak havoc on your operations and the only way to limit the disruption is to be well prepared.
Before the season’s stormy weather sets in, businesses should prepare themselves for the worst. We’re lucky in the UK that we rarely see major natural disasters (earthquakes, volcanoes, tsunamis) on account of us being away from active fault lines, but the weather can still cause significant problems. Every company, therefore, needs to have a business continuity plan in order to prevent future disruption. And today is the perfect time to review your plan and ensure that when the weather does change, you’re prepared.
Why should you review your business continuity plan?
A business continuity plan is designed to identify the potential impact crises could have on your business. It ensures relevant procedures are in place to limit these. However, a plan is only as good as the information it contains and, as such, must be reviewed regularly to ensure that it is fulfilling its intended purpose. Technology evolves, people move on and new members of staff join the team, so your original plan won’t remain relevant forever.
There are different views on how often a business continuity plan should be tested. It will usually depend on the type of organisation, key personnel turnover and the number of business and IT changes which have occurred since the last test. Best practice states that you should review your plan at least once a year. In this review, you should bring together key personnel to analyse the plan. Prior to this review, you may also want to ask staff to provide feedback on the plan to incorporate into your review. Whenever there are significant changes in personnel, equipment, operating software or recovery strategies you should review your plan.
Testing your business continuity plan
Some organisations will test their business continuity plan between two and four times per year. Common types of testing include:
Tabletop Exercises: usually involve the test team reviewing the plan in-depth. They will look for gaps and ensure that all business units are represented.
Structured Walk-Throughs: each member of the recovery team walks through their plan components to identify any weaknesses. Sometimes these tests may include role-play or drills. The team will usually have a specific type of disaster in mind for the walk-through.
Disaster Simulation Training: Usually an annual task as it is time-consuming. You create an environment which will simulate an actual disaster, with all equipment, supplies and personnel required. This is to see whether you would still be able to carry out critical tasks during the event.
Regular tests and reviews will identify any weaknesses, prepare your team and ensure effective procedures. As the old saying goes, fail to prepare, prepare to fail. The more frequently you plan, review and test for a possible crisis, the less likely there will be gaps, meaning your business has a better chance of being able to continue, or quickly resume, normal operations.
Happy Halloween, reader! Forget about ghouls and ghosts though because today we’re talking about something seriously scary. Working in the managed IT support and consultancy sector, we always hear about the latest breaches, newest methods of attack and many other security horror stories.
But even with scammers devising dozens of devious new attacks every day, zombie computers that answer the call of the botnet and stealthy malware which lurks in dark recesses of the network, by far the scariest thing we see when auditing businesses is that so many are ignoring old and known risks. It’s the stuff of IT nightmares!
What follows are the six most fearsomely frightening security stumbles we still see businesses make…
1. No centralised (pumpkin) patch management
With cyber-attacks a constant threat, maintaining systems security is critical and requires constant vigilance. However, despite the threat of attack, many businesses still decide not to implement some of the latest security updates. One reason is that they decide they cannot afford the risk of disruption to services that patching can sometimes cause. This is a false economy. Leaving your business open to vulnerabilities could end up costing you more than the potential patch disruption.
Once a vulnerability has been disclosed it’s only a matter of time before hackers use that information to devise exploits. Heartbleed is one such example. Attacks against systems vulnerable to Heartbleed, a vulnerability within OpenSSL, allowed the disclosure of a small amount of data held in the system’s memory – which was potentially enough to retrieve usernames, passwords or other sensitive data.
A good patch management schedule should keep operating systems, services, firmware and applications patched and up-to-date. The patches should be applied regularly, on an agreed schedule and soon after any newly identified critical vulnerabilities are disclosed.
2. No multi-factor authentication
Passwords alone aren’t particularly secure. Weak passwords are like a cheap lock, easy to break and a useless defence against criminals. Despite the consistent advice telling them otherwise, many people continue to use classic passwords like 123456, qwerty and password. To try and combat this, many IT teams will implement password policies, but these can sometimes exacerbate the problem.
Typical advice is that passwords should be: a minimum of 7 characters and contain uppercase, lowercase and numeric characters. However, that’s actually quite an easy requirement to bypass in standard Microsoft technologies. For example, many users would pick Password1. As hackers become better at cracking passwords, what was once critical for password security is becoming less important.
It’s important to strike the right balance when setting rules which determine how frequently users should change their passwords. Forcing users to create highly complex passwords and change them frequently is often a recipe for disaster. Users will simply choose simpler and simpler passwords so they can remember them. Or they will end up just making small variations to the same password, for example, changing one character or one number. It’s also common to find passwords written down if requirements are too complex.
Lock Out Rules
When it comes to preventing brute force attacks, rules which require the account to lock after a certain number of failed log-in attempts are the most effective. When establishing these rules, consider the sensitivity of the account, how likely authorised users are to enter the wrong password and how much of a hassle it is to fix the situation when users get locked out.
The ideal option is some form of two-factor authentication, e.g. a password and a key fob. Sure, someone may find out a password but it’s unlikely they will also have an authentication fob. On the other hand, if someone were to find the fob it would be unlikely they could access your systems because they wouldn’t know where you worked or your password.
3. Not testing backup and restores
While it’s great that companies are investing in backing up their data, it’s no good if, when disaster strikes, the backups won’t work. All too often testing is the missing step when it comes to backing up data. This problem has only become more acute as backups become more complex. You must test simple backups much more frequently than Disaster Recovery plans – at least once a quarter. You will also need to test whenever there is a major hardware or software change to your backup system.
Your tests should be as realistic as possible, duplicating the conditions you will face when you actually need to restore. If possible, test on the hardware you will restore to, especially if you will restore to a different machine than the one that created the backup. Many businesses are also backing up to the cloud with no real plan on how they will restore operations should they lose a key system.
4. Running critical services on ADSL
Outages at the big providers are still a frequent occurrence and you only have to look to last month to see the painful impact of a major outage. Faulty domain name servers resulted in a widespread outage for Sky Broadband and BT customers starting at 07:00 and lasting for 9 and a half hours – wiping out the day for affected homes.
However, home users weren’t the only ones affected. Many businesses were hit by the outage as well – but this really shouldn’t have been the case.
Asymmetric Digital Subscriber Line (ADSL) services aren’t a suitable solution for businesses. They are rarely backed by a service level agreement (SLA), which strips you of your ability to claim compensation if their downtime damages your business, and they are typically down for extended periods when they do go down.
But despite all this, we still see businesses using them worryingly often. If you’re running a business of any meaningful size, you need leased lines at a minimum. These give you a reliable connection, are backed by SLAs and, if you invest in redundancy, can provide connectivity even during a disaster.
5. Not encrypting devices
Imagine having to explain to a client or your board that their sensitive information has been stolen or released to a third party. Terrifying? Well, it’s a real possibility for the businesses we’ve seen still failing to apply encryption across all devices.
A scary stat for both business leaders and customers alike is that encryption is used in only 4% of breaches. For customers, this means their private information is being released to criminals in an easy-to-read format. And for businesses, this means they will be facing higher fines due to their negligence.
Full encryption capabilities on all devices have been a necessity for years now and with the enormous quantity of data being shared and stored, the opportunity for a leak has never been greater. It’s now easy for information to fall into the wrong hands and, as far as the law’s concerned, that’s a data breach.
Any device which stores corporate data needs to be encrypted. If a CEO loses a phone on a business trip, that’s a data breach. If a laptop is stolen, that’s a data breach. If a USB stick is lost outside the company premises, that’s a data breach. But if, in any of these cases, the information on the machine is encrypted, the risk drops to almost zero.
There’s a large range of IT systems that can help automate and control much of this problem without much complexity so there’s no reason businesses shouldn’t be doing something this simple.
6. Ghost accounts and shadow IT
We’ve seen these two threats in many businesses before and they’re both as scary as they sound.
Ghost accounts are the accounts of ex-employees who are still active on the network. They often crop up when an employee leaves and their account isn’t disabled as it should be.
As many as 50% of companies say ex-employees still have access to corporate accounts. For a disgruntled employee seeking revenge, this is an easy route to deal damage to your business. But what’s scarier is an unknown attacker leveraging the unmonitored account’s access rights to gain a presence deep within your network.
The simplest route to prevent ghost accounts is having a clear policy and process surrounding an employee’s departure which includes disabling their accounts. But technologies like Identity and Access Management can also help restrict the root of the problem. By only providing accounts with the exact permissions they need, any account compromise – ghost or alive – has a much more limited impact.
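As an added illustration (not from the original article), the leaver process described above can be checked by reconciling an HR leavers list against an export of directory accounts. The CSV layouts, column names, sample rows and the privileged group name are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Assumed name of a high-privilege group; adjust to the directory in use.
PRIVILEGED_GROUPS = {"domain admins"}

# Constructed sample data: a directory export and an HR leavers list.
ACCOUNTS_CSV = """username,enabled,last_logon,groups
asmith,true,2024-03-02,Finance
bjones,true,2024-05-20,Domain Admins;IT
cpatel,false,2024-01-15,Sales
dlee,true,2024-06-01,Sales
eward,true,,Marketing
"""

LEAVERS_CSV = """username,left_on
BJones,2024-04-30
cpatel,2024-01-15
asmith,2024-03-31
eward,2024-02-29
"""


def _rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def find_ghost_accounts(accounts_csv: str, leavers_csv: str) -> list[dict]:
    """Return enabled accounts whose owner appears on the leavers list."""
    # Usernames are compared case-insensitively: HR and IT rarely agree on case.
    left_on = {
        r["username"].strip().lower(): date.fromisoformat(r["left_on"].strip())
        for r in _rows(leavers_csv)
    }
    findings = []
    for acct in _rows(accounts_csv):
        user = acct["username"].strip().lower()
        if user not in left_on:
            continue  # still employed
        if acct["enabled"].strip().lower() != "true":
            continue  # leaver, but the account was disabled as it should be
        raw_logon = acct["last_logon"].strip()
        last_logon = date.fromisoformat(raw_logon) if raw_logon else None
        groups = {g.strip().lower() for g in acct["groups"].split(";") if g.strip()}
        findings.append({
            "username": user,
            "left_on": left_on[user],
            "last_logon": last_logon,
            # A logon after the leave date means the account is not just
            # dormant: somebody is actively using it.
            "used_after_departure": last_logon is not None
            and last_logon > left_on[user],
            "privileged": bool(groups & PRIVILEGED_GROUPS),
        })
    # Most urgent first: used after departure, then privileged, then by name.
    findings.sort(key=lambda f: (not f["used_after_departure"],
                                 not f["privileged"], f["username"]))
    return findings


if __name__ == "__main__":
    for f in find_ghost_accounts(ACCOUNTS_CSV, LEAVERS_CSV):
        print(f)
```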
Shadow IT is another basic risk we regularly see not being controlled. Shadow IT is hardware and software running on the corporate network that is used by employees but unknown to the IT team. Shadow IT opens innumerable risks for a business and, unless you’ve taken proactive steps against it, it’s likely already on your network.
Controlling your shadow IT requires more than just tech since the problem has its roots in culture too. We have details on controlling your shadow IT in this blog. Fixing the problem can be a long road but ignoring it is simply not an option your business can afford.
Another year has passed, and now we’ve already come to the end of the first full week of January 2016. As we’re back into the swing of things here in the office, I thought now was a great time to review the technology predictions we made for 2015 and see how they fared.
After 20 years in IT this year it appears that I still have a relatively good handle on the market. I’m no oracle but hopefully, our clients can gain some peace of mind knowing that we are always looking forward. Not simply reacting.
Here’s how our technology predictions stacked up
What happened in 2015:
I wouldn’t have been surprised if we saw a major breach on a mobile platform but we didn’t really see that, except for a large potential around Android and security certificates. We did, however, see a real uptick in attacks and exploits against applications installed on mobile devices. This is pretty logical really – go for the open window rather than the front door. This will be an ongoing concern throughout 2016 unless perhaps you use a Blackberry device (which the outlook still isn’t looking great for I must say) or a robust MDM (mobile device management) solution, such as Airwatch or Good.
What happened in 2015:
This was pretty much a given really and although the figures aren’t really out yet some research firms in October are stating global growth of the market at around 30% – Amazon has been reporting in figures that point toward an 80% growth on their side. As stated, the rise of smaller niche players has certainly started to make an impact across all sectors. Although many are simply spinning their marketing rather than truly engineering around particular sectors. I would expect this to change over the coming 24 months.
What happened in 2015:
Thankfully the Big Data noise dropped significantly. It was ridiculous and the market, in general, stopped labelling BI (Business Intelligence) as big data. You’ll see the second coming of BI this year en-masse as firms need greater information to make appropriate business-focused decisions.
What happened in 2015:
Hybrid cloud is pretty much the norm in all but small enterprises. We are thankfully returning to proper engineering – using the right tools (architecture) for the right jobs. In many ways, there has been a reversal. People are using the cloud for their main business operations and replicating key systems back on-site for continuity purposes. The tech is now cheap, the skills aren’t so expensive and are much more widespread – it makes sense.
What happened in 2015:
Gartner was stating back in September that they expect global security spend to rise to $75.4bn by the end of 2015. That’s a jump of 4.7% which is certainly significant. I would have expected an extra 1-2 % but it appears that the upping of prices of many security systems has led to a prioritisation of spending. Again, I expect spending to rise by a similar percentage in 2016 with all the noise around security threats ‘growth’.
What happened in 2015:
The noise around IoT has been relatively deafening throughout the year and has continued to grow. Everything is now becoming connected, from old manufacturing equipment (retrospective) through to TVs and heating in the home. We’ve seen 90% of large network operators (over 100,000 IP addresses) actively deploying or have already deployed IPv6 according to a BT survey which will aid in further growth of IoT technologies. Another key point from the same survey is that two-thirds of enterprise companies also signalled IPv6 deployment activity.
What happened in 2015:
We’ve certainly seen an uptick in the demand for improved disaster recovery and business continuity. Particularly in the finance, legal and manufacturing sectors. Regulators are driving much of this but clients’ expectations of their ‘suppliers’ are also higher. I’ve not seen any real demand for the ISO 22301 standard (Business Continuity) as I believe that anyone considering protecting their business from disruption understands that this falls into IT security and the ISO 27001 standard covers the whole area.
What happened in 2015:
As detailed, people generally do need more from their device than the iPad can deliver. It’s old tech and for the last seven quarters sales have declined – that’s significant. We’ve seen Microsoft Surface outsell the product, particularly online, with 45% of online sales vs Apple’s 17%. Sure online sales aren’t everything but you cannot ignore those figures. Yes, Apple has launched a business-focused iPad device but once behind in the game, it’s a long hill to climb back up. The iPhone is still popular as it’s still superior to the rest of the market for the everyday user in my opinion. This gives Apple a good foothold to pull back from. Personally, I’d expect to see an uptick in the Microsoft Lumia sales in 2016 as they really start to pull the eco-system together.
Ransomware is a type of malware designed to block access to a user’s system or files until a ransom (usually paid in a cryptocurrency such as bitcoin) is given to the hacker.
There’s a multitude of strains of ransomware out there. Notable examples include CryptoLocker, Crowti (also known as CryptoWall), Tescrypt or Teslacrypt, Teerac, Critrioni, Reveton, Troldesh and WannaCry. But all of these can be simplified down to two main types: encryption ransomware and splash-screen ransomware.
What is encryption ransomware?
This is the type of ransomware most people are aware of. It works by encrypting any files it can discover, which can be anything from important documents to corporate databases, to personal photos and videos. Once encrypted, these files will be rendered useless and, in most cases, will have their extension changed to make them unopenable.
Encryption ransomware will typically use a type of encryption called asymmetric encryption to lock your files. What this means is that the encryption key that encrypts your files is different to the decryption key which decrypts your files. This makes paying the ransom the only way to get the decryption key and regain access to your files – if you have no backups.
What is splash-screen ransomware?
Splash-screen (sometimes called lock-screen) ransomware restricts access to your files by placing an unclosable, unmovable and persistent window on your screen. The only way to remove this screen is to pay the ransom and only then will you be able to access your files and programs again.
Sometimes these splash-screens just include a message telling you that you’ve been infected and need to pay a ransom. But sometimes hackers take things a step further, including the logo of the police, FBI or similar organisation, then claiming that your computer has been locked due to illegal or malicious activity and demanding that you pay a ‘fine’ to have it unlocked. This, of course, is just another example of hackers using social engineering to try and coerce victims into paying up.
How can you protect yourself against ransomware?
If you’re simply relying on anti-virus to protect you from ransomware, then that’s not a great business strategy. A new malware specimen emerges every 4.2 seconds and, while anti-virus protection can block some of these, other variants could slip past the filters. Luckily there are lots of other tactics you can implement:
Invest in employee training
Employees are often the weak link when it comes to security. You must make them aware of the impact their day to day actions can have on the business. If your workforce is unable to spot a phishing scam, for example, then your company is vulnerable. Investing in security awareness training can be greatly beneficial for your business and will help employees.
Perform regular back-ups
You should already be doing backups as part of your business continuity. But if you’re not, then make it a priority to perform regular, point-in-time back-ups you can restore from. Continuous back-up is ideal, but at the very least, you need to be doing one backup every day.
Even then though, a ransomware attack would mean losing a day’s worth of work, something which could be a significant loss to a small company, let alone a large one. So make backups as often as possible.
Ensure backup locations are not networked
It’s no good backing up all your data if a ransomware infection can locate and encrypt it. Making sure that the backup location is not a mapped drive is one way to prevent this. Don’t copy files to another position on the PC; instead, back up to an external drive which does not have a drive letter or which you only connect when performing the back-up.
Regularly patch or update your software
Hackers often rely on people running outdated software with known vulnerabilities which they can exploit. To decrease the likelihood of ransomware infection, make a practice of regularly updating your software. Alternatively, look into patch management for your business as a way to automatically manage the installation of patches for you.
Layer your security
Whilst relying solely on anti-virus is a bad idea, that doesn’t mean you should get rid of it altogether. Anti-virus should be one layer of an overall security suite that also contains anti-malware software and a software firewall. A system like UTM can help you with this.
At a minimum though, ensure you are scanning at the email gateways, firewall and end-user devices if you are relying on anti-virus.
Filter .exe files in email
If your gateway email scanner has the ability to do so, you may wish to set up a rule to deny emails sent with “.exe” attachments. .exe files, or executable files, are capable of executing code which can be used to instigate a ransomware attack. There are other types of extension capable of executing code to be aware of, but .exe is the most common one.
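The following added example (not from the original article, and not any particular gateway product’s rule syntax) shows the logic such a rule needs: walk every MIME part, normalise the attachment filename and test its final extension, so that double extensions and trailing dots do not slip through. The blocklist beyond .exe, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# .exe is the extension named in the article; the rest are other commonly
# blocked executable/script types, included here as an assumption.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}


def final_extension(filename: str) -> str:
    """Return the last extension, lowercased, ignoring trailing dots/spaces."""
    # Windows drops trailing dots and spaces, so "setup.exe." runs as an .exe.
    clean = filename.strip().rstrip(". ").lower()
    dot = clean.rfind(".")
    return clean[dot:] if dot != -1 else ""


def blocked_attachments(raw: bytes) -> list[str]:
    """List attachment filenames in a raw message that match the blocklist."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() also descends into nested multiparts and forwarded messages.
    for part in msg.walk():
        name = part.get_filename()  # decodes RFC 2231 / RFC 2047 encodings
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def gateway_verdict(raw: bytes) -> tuple[str, list[str]]:
    """Return ("reject", matches) if any attachment is blocked, else accept."""
    hits = blocked_attachments(raw)
    return ("reject", hits) if hits else ("accept", [])


def build_sample(filenames: list[str]) -> bytes:
    """Construct a test message carrying harmless placeholder attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed test message"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample(["report.pdf"])))
    print(gateway_verdict(build_sample(["report.pdf", "Invoice.PDF.EXE",
                                        "setup.exe."])))
```

A filename rule says nothing about file content, so renamed files or executables inside archives still need the gateway’s content scanning.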
Ransomware is a dangerous threat to both home and business users of technology and as a result, needs to be treated that way. The worst thing you can possibly do is think that it won’t affect you. Anyone with an Internet connection is a potential victim. And hackers don’t care if they’re targeting individuals, small businesses or multinational enterprises. All they care about is taking your money.
Disaster recovery and business continuity are integral to creating a reliable and stable business. With the cost of downtime skyrocketing and a Forrester survey revealing only 2% of businesses were able to recover from their latest incident in under an hour, the importance of having an effective business continuity plan in place has never been higher.
Using the cloud to provide disaster recovery and business continuity solutions is a major way businesses can ensure they maximise their uptime whilst minimising the disruption caused by an outage or IT failure.
Benefits of cloud-based business continuity:
Traditionally, the backup of an important file – let’s say the client database – stored in the disaster recovery backup would be as up-to-date as the last time a physical tape was copied over. This could mean that a day’s worth of work would be lost due to an IT failure if the tape was taken daily. Of course, if the tape was taken less often, more and more data and hours would be lost in the event of the main data being lost.
Cloud-based disaster recovery, on the other hand, can store a nearly live copy of the file, reducing the time lost due to data loss to a matter of minutes or possibly seconds.
The fundamental structure of cloud has allowed businesses to reduce the operating and upfront costs of IT. This is no different for disaster recovery. Replicating key business systems is now much less expensive as there is no need to purchase the dedicated infrastructure required for a disaster recovery system.
Thanks to the economy of scale, the costs are now shared between every user of the cloud provider’s service, making establishing an effective disaster recovery system less expensive and more accessible for businesses overall.
Rapid recovery times
In the past, if a major IT failure occurred, in would roll a truck with a stack of servers maybe hours or maybe days after the business went down. This is of course if the business was actually lucky enough to have a deal with a disaster recovery provider.
Cloud-based disaster recovery systems are able to failover automatically, reducing the amount of downtime experienced after an IT failure to the scale of minutes. This in turn lowers the costs incurred from idle employees and prevents customers from being unable to access your service.
Offsite backup as standard
In order to keep your business’ data truly secure there must be a copy kept offsite – outside the physical business premises and away from the main file server or data center. This is so that if something does affect those locations, the backup is not lost as well.
Using a cloud provider automatically means your data will be stored offsite, instantly adding a layer of reliability to your backup.
If you aren’t already backing up to a cloud platform or using it for business continuity, then it’s worth looking into. If security concerns are holding you back, be aware that security and encryption systems can give you military-grade protection without serious costs.
Security as a service (SECaaS) is the outsourced management of business security to a third-party contractor. While a cyber-security subscription may seem odd, it’s not much different from paying for your anti-virus license. The difference is that SECaaS is the combination of a lot of security products wrapped up into one more central service.
The range of security services provided is vast and goes down to a granular level. Examples range from simple SPAM filtering for email, all the way through to cloud-hosted anti-virus, remote automated vulnerability scanning, managed backups, cloud-based DR and business continuity systems and cloud-based MFA systems.
The services are either delivered directly from the vendor where the reseller takes a commission or they are delivered from specialist firms who have the in-house skills capable of building, integrating and managing specialist security services for their customers.
Just a note here: you may have heard of SaaS (software as a service). This is different to SECaaS.
1. Is SECaaS dangerous?
Putting your security in the hands of another business may seem like a big risk. And if done incorrectly, it’s almost guaranteed to have a less than ideal outcome. But businesses have had success with SECaaS and there’s no reason you can’t either.
The most likely cause for an issue is choosing a supplier based solely on price. A business offering SECaaS that’s been around for a few years and has a range of clients but charges £50 per user per month is going to be very different from the business that offers “cloud-based security” for £10.99 per user per month.
Do not instantly go for the cheapest option when considering SECaaS.
Sure, you might be paying nearly 5 times as much. But if your SECaaS provider has the lowest price on the market they’re skimping on something. And if there’s one thing you don’t want to skimp on, it’s your cyber-security.
2. What are the advantages of SECaaS?
Despite what was just said about avoiding cost-cutting when it comes to cyber-security, one of the main draws of SECaaS is the long term price savings it can have. Because you don’t actually own the infrastructure, you don’t need to pay for its floorspace or for its upkeep (prices which can fluctuate based on external factors). Instead, you only pay a flat rate that is unlikely to change.
Your provider is the person keeping up to date with the changing threat environment, not you. That means that you can focus more on your own business goals instead of diverting time towards understanding the various threats out there and ensuring that your defences deal with them.
A good SECaaS provider is going to consist of people who know everything there is to know about cyber-security and regularly keep up with trends and changes in that area. As a result, they’ll have a much greater range of expertise which you can utilise to keep your business safe. This also lets you keep your core employee focus on your own sector rather than branching out and getting a dedicated cyber-security expert.
Frees up time from repetitive tasks
Time-consuming admin tasks that need to be done can be performed by your SECaaS provider instead. This can be things like reading system logs or monitoring the overall network status.
3. What are the disadvantages of SECaaS?
Reliant on SECaaS provider acting
This is the main reason that you should be choosing a high-end SECaaS provider.
Because SECaaS providers are the holders of a lot of data, they (and as an extension, you) become lucrative targets for cyber-criminals. If they are breached then you are breached so ensuring they have made big investments into their security is paramount.
To make sure that your chosen provider is continually investing in their security, be sure to keep in regular contact with them. Ask questions about what they are doing to address the latest types of exploit or flaw and dig deep into the specifics of what type of security they have in place on their own systems. Is it minimal or is it high-grade and comprehensive?
Whilst in the decision stage you should also be asking each provider exactly what kind of security they have in place or what their policy is around topics like staff training. If they can’t prove that they are taking their own security seriously, you can bet that they won’t be taking yours seriously either.
Increases vulnerability to large scale attacks
The uniform security measures SECaaS providers have over multiple clients allow them to keep up a comprehensive level of security. But it also means that if a vulnerability is found for a business that uses the same SECaaS provider as you, then that same vulnerability can be used against your security.
Because one vulnerability gives so many potential attacks for a hacker, probing the security of the SECaaS provider is much more rewarding for cyber-criminals. This means they put in a more concerted effort towards breaching the SECaaS provider’s security. This can inadvertently make you a prime target for cyber-attacks.
Be aware though, as a business (even a 2-10 employee one) you’re already a prime target for cyber-attacks. If done properly, the perceived increased danger of choosing SECaaS can be made negligible. Especially when compared to the increased overall security you would receive from a high-quality SECaaS provider.
4. Why is SECaaS being offered more often?
Security providers are becoming aware that, with the rise of small businesses, there’s a growing market for security services that don’t need expensive internal employees or risky infrastructure investments.
Many growing businesses also don’t have the up-front funds to develop a hardware heavy security system. Therefore, they find a monthly plan to be much more manageable for their finances. For example, implementation of two-factor authentication and disaster recovery may have cost £100K five years ago. But SECaaS can deliver the same project on a £1,000 budget with no CapEx.
Because of the flexible nature of SECaaS, many of the decisions can now be addressed head-on. There is no longer the same level of risk anymore surrounding topics like setting up security infrastructure. Businesses can switch SECaaS providers more easily. So, this ‘de-risking’ of cyber-security has made the SECaaS market ideal for businesses who want to avoid making a bad decision.
Finally, with the rise of the cloud and increased internet speeds. Services offered over the internet are now on a par with in-house solutions. This has meant that cyber-security being offered as a service is now very feasible and is genuinely useful.
So, you may now be asking yourself if you should consider SECaaS for your business. Unfortunately, there’s no comprehensive answer. If you want to improve your security, without draining your budget, then it’s worth reviewing. But if you already have a fairly comprehensive security setup in place it may be better to ensure that it actually is as comprehensive as you think it to be and then just sticking with what you have, upgrading it and maintaining it as you already are. Alternatively, you could look into a UTM system for your business if you’re uncomfortable with SECaaS but want to make your security more comprehensive.
We are fortunate in the UK that major incidents such as earthquakes, wildfires, flooding or terrorist attacks are rare. Yet when they do occur, we often find ourselves ill-prepared for the trials they present. In countries that regularly deal with these catastrophes, a disaster recovery plan is a standard part of a business plan. However, this is not always the case for organisations in the UK.
To give an example of what can happen, we can look to the Holborn fire in 2015. It’s the perfect example of how an event out of your control can cause significant disruption to your business. In the case of the Holborn fire, an electrical fault caused damage to a major gas main, resulting in an underground blaze that lasted for 36 hours… in the middle of London. It wasn’t until six whole days later that power in the area was finally restored.
Can you imagine the impact of one day where you’re unable to access any emails, files or client details? Here we’re talking about nearly a whole week! Many businesses who suffer a major disaster never fully recover – losing orders, contracts, key employees. Some even go out of business entirely.
As IT is now a pivotal part of so many businesses, the associated cost of downtime is rocketing. Prolonged IT downtime can also damage the reputation of your business, as it impacts your service and availability for clients. So what can you do?
You build your business continuity plan.
How to create a business continuity plan
Contingency planning is now essential for any organisation with business-critical IT. However, one of the most difficult elements is establishing which elements need protecting and how to do this.
An effective Business Continuity Plan (BCP) must assess the dangers and be departmentally broad. It should consider the needs of the whole business, and take into account factors such as systems, people, technologies and suppliers.
Your plans need to work off of two key variables:
Recovery Point Objective (RPO) – This is essentially the amount of data your business can afford to lose in the event of a disaster. For most businesses, this number will be a low percent.
Recovery Time Objective (RTO) – This is the target amount of time it should take for systems to be restored and for you to go back to normal operations.
These objectives vary for each organisation, so perform evaluations on each system to develop individual RTOs and RPOs. You will need to review and redefine these at regular intervals as the business needs and environment develop.
But resorting to your plan should be a safety net. Ideally, you should instead prevent the impact of a disaster from becoming debilitating. To solve this, you can use technology.
How to protect your systems from disaster
You can protect your critical IT systems by using a hybrid solution which means adopting secure cloud technologies alongside existing onsite infrastructure. The cloud is a cost-effective way to safeguard essential assets. It allows you to replicate crucial data, systems and services for instant recovery in the event of a disaster. Cloud’s adaptability to exact requirements also suits the individualised nature of BCP.
By using a hybrid approach, you can gain full or partial protection for your critical IT systems: in the event of a systems failure, employees can work remotely, accessing the systems they need from the cloud.
On a final note, remember, when establishing a business continuity plan – don’t only focus on the effect natural disasters could have. Security breaches must be part of the overall plan as well as personnel availability. A malware-driven system failure or bout of illness could have a significant effect on business operations.
Distributed Denial of Service (DDoS) attacks are a form of cyberattack that aims to disrupt access to a service (such as a website) in order to extort the owner or to serve as a distraction whilst another attack occurs. DDoS attacks are usually driven by a botnet (a network of infected machines), which overwhelms the service and prevents access for legitimate users.
DDoS attacks usually attempt to overwhelm services using one of two methods: either by sending a massive number of connection attempts or by using up all available bandwidth. Any business or organisation can be a target for this type of attack. In some cases, DDoS attacks can even be directed at individuals, although this is rare.
What’s the difference between a DoS attack and a DDoS attack?
The difference between these two attacks is that a DoS attack typically comes from one machine which is utilising a single connection, whereas a DDoS attack uses multiple machines and multiple connections.
What are the types of DDoS attack?
1. Bandwidth flooding
Also known as a volumetric attack, this attack involves saturating a server’s bandwidth with bogus packets to the point that legitimate users can no longer communicate with the server.
2. Resource flooding
This attack involves sending an overwhelming number of resource requests to the server or to gateway devices such as a firewall, causing CPU usage to peak. Since the CPU is being used for menial requests, genuine requests either fail to get through or are processed incredibly slowly.
3. Application-level flooding
This attack targets the software which runs on the server with the aim to flood it with so many requests that the software crashes, taking the server offline.
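As an added illustration (not code from the original article), the Python example below applies the distinctions above to per-source traffic counters from one monitoring window: it decides whether bandwidth or connection capacity is being exhausted, and whether the load comes from one machine (DoS) or many (DDoS). The capacity figures, thresholds and sample records are constructed assumptions; application-level flooding is not covered because spotting it needs request-level logs.

```python
from collections import Counter

WINDOW_SECONDS = 10          # length of each measurement window
LINK_BPS = 100_000_000       # assumed uplink capacity: 100 Mbit/s
MAX_NEW_CONNS = 2000         # assumed new connections/second the server handles

# Constructed samples: one (source IP, bytes received, new connections) row
# per source for one window. Addresses are from reserved documentation ranges.
NORMAL = [("192.0.2.10", 500_000, 20), ("192.0.2.11", 450_000, 18),
          ("192.0.2.12", 520_000, 25)]
ONE_SOURCE = NORMAL + [("198.51.100.7", 1_800_000, 30_000)]
MANY_SOURCES = [(f"203.0.113.{i}", 600_000, 5) for i in range(1, 201)]


def classify_window(flows, saturation=0.9, dominant_share=0.8):
    """Label one window as normal, or as a flood by method and origin."""
    total_bytes = sum(b for _, b, _ in flows)
    total_conns = sum(c for _, _, c in flows)
    bandwidth_use = total_bytes * 8 / WINDOW_SECONDS / LINK_BPS
    conn_use = total_conns / WINDOW_SECONDS / MAX_NEW_CONNS

    # Pick the resource that is exhausted, and measure each source against it.
    if bandwidth_use >= saturation:
        method, load = "bandwidth", Counter({s: b for s, b, _ in flows})
    elif conn_use >= saturation:
        method, load = "connections", Counter({s: c for s, _, c in flows})
    else:
        return {"method": "normal", "origin": None, "top_source": None}

    # One source carrying most of the load is a DoS; a spread is a DDoS.
    top_source, top_load = load.most_common(1)[0]
    share = top_load / sum(load.values())
    origin = "DoS" if share >= dominant_share else "DDoS"
    return {"method": method, "origin": origin,
            "top_source": top_source if origin == "DoS" else None}


if __name__ == "__main__":
    for name, flows in [("normal", NORMAL), ("one source", ONE_SOURCE),
                        ("many sources", MANY_SOURCES)]:
        print(name, classify_window(flows))
```

A single dominant source can be blocked by address, whereas a load spread over hundreds of sources cannot, which is why the origin matters when choosing a response.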
How can I stop DDoS attacks?
The number one question is how do we protect ourselves from these attacks or at least mitigate our risks?
Well, there are devices that companies can purchase, such as SMB\E firewalls, that claim to prevent DDoS attacks, but these won’t help you if you are the victim of a large-scale attack.
So firstly you need to review your attack surface and mitigate risks. For example, if you run an e-commerce site, it’s probably not advisable to run it from your premises. You may find an attack on this site not only knocks out your e-commerce site but also other critical business services, such as email, remote workers and access to cloud services.
Depending on your environment, you may wish to host critical services and servers in a provider’s cloud infrastructure. Another option is to look at co-location (rented space in a data centre). Most cloud providers are going to have access to bandwidth far greater than anyone else – do check this though! Cloud hosting platforms are great for being able to scale out quickly in terms of system resources and network connections when you see high demand. Increasing the number of web servers and balancing traffic between them may also help you in a TCP connection attack.
Volumetric attacks on bandwidth are a lot more brutal, so how do we defend ourselves against these? Again, you can use cloud providers for your online sites so they can deal with the volume. However, even they will struggle with the scale of the attacks seen by Sony and Microsoft.
So what else can we do? Well, you can buy services from third parties who will route the attack via them and take the initial impact whilst trying to counteract the hackers, or you could have geographically separated infrastructure that hosts a mirror site of your current environment, which can ease the strain in an attack.
There’s a fair chance that you may never experience a DDoS attack on your IT systems. However, you should take the time to understand what the risks are and how/if you will mitigate them.
As the UK sinks further into the depths of winter, the Managing Director of an outsourcing provider has outlined measures businesses can adopt in order to minimise potentially devastating snow disruption.
Last year’s snowfall is estimated to have cost the UK economy upwards of £1bn through lost productivity as workers were prevented from going to work.
Robert Rutherford, MD of QuoStar Solutions, the IT consultancy and outsourcing provider, issues the following advice to reduce the snow disruption set to hit the UK:
“With forecasts of snow again hitting the headlines, businesses – large and small – should be ensuring they have the IT infrastructure in place to allow staff to adequately work from home, to minimise the impacts caused by the inevitable travel disruptions which will accompany the cold weather. With the weather getting more extreme each year and reflecting on last year’s heavy disruption from snow, businesses need to make sure they are prepared this time around.
“Simple methods – such as hosting your IT systems in the ‘cloud’ – are a real winner for businesses at times like these. This type of set-up is cost-effective and allows all staff to ‘log in’ to the office remotely and work effectively, using just a home computer and internet connection.
“The most important thing is to make sure your business keeps running and you can keep serving your customers even if your employees can’t make it into work.”
I regularly receive questions in relation to cloud and Software as a Service (SaaS), and how it affects Business Continuity plans. So I have compiled these into a blog article. The areas covered are a good starting point if you’re looking into your disaster recovery/business continuity plans in relation to cloud or SaaS.
How can cloud, or SaaS, affect business continuity plans?
When it comes to planning a business continuity strategy, many businesses will see SaaS as the answer to their prayers, often because they believe – or are told by a salesperson – that they can now ignore business continuity in relation to the SaaS solution they have purchased. Unfortunately, it’s often an “out of sight, out of mind” scenario; you’d be surprised how many buyers will simply accept a salesperson’s promise. This is obviously completely negligent and puts a business at risk.
As an example, one particular company is currently migrating to our services after its systems went down for a full working day due to an air conditioning failure at its current supplier’s ‘data centre’ – which meant that staff had to open the windows! I can’t think of any calibre of data centre where the air-conditioning could fail. Let alone one that has windows that can be opened to cool it!
Typically, assuming that you choose a reputable business to deliver SaaS, the company will build its systems to a much greater level of resilience than many businesses could ever build internally. At the end of the day, its whole business depends on the service provided, and even small outages can deeply damage its reputation and revenue, let alone the reputation and revenue of its customer base. In the majority of cases, as long as you choose a solid SaaS solution, your business will be much more resilient to failure, and it will also strengthen your business continuity plans.
How should you evaluate your existing business continuity plan when moving to cloud computing / SaaS?
You must include any major third-party supplier within your plans when moving to cloud computing. Some areas you need to cover are:
You need to ensure that the provider’s plans fit your requirements for availability and return to service – so look at the service level agreements.
You need to plan for your provider to potentially stop trading for a set amount of time and permanently.
What happens if the provider is bought out and the new owner wishes to cease the service?
Know how you will get your data out of the provider in a disaster situation, and how you will be able to access your data. For example, your entire CRM or ERP exported in Excel format may be useful for the short-term.
Ask for detail on their infrastructure and evaluate it as your own.
Check the provider’s indemnity.
Check support availability. Some SaaS providers may only run support services during US working hours and you’ll want a heavy UK focus.
Think about systems integration. Undertake an in-depth analysis to identify which internal systems and services interface with the SaaS solution and how a disaster will affect them.
Evaluate your provider as if they are part of your own operation. They hold your data so, in effect, an element of your business is outsourced to them. Be sure and comfortable that you know how you will get your business operational if your cloud / SaaS provider suffers a disaster.
Also, think about the below:
It is important to re-evaluate areas that perhaps don’t need to be as resilient internally due to the SaaS solution. This may deliver cost savings: for example 24×7 support, redundant hardware, network support.
If there’s a transport strike or snow storm and staff are working remotely from home, how are you going to be sure that any communication into your SaaS service is secure? As a business, are you willing to take that risk? Or will you build an IT solution that will protect your company’s data and communications on unsecured PCs and laptops?
Does cloud computing / SaaS make it easier to carry on in the event of an incident?
Using a SaaS solution could make it easier for an organisation to continue operating if its business suffers a disaster from a technical / systems availability standpoint.
If it is your business that suffers the disaster, then disaster recovery/business continuity plans for that application/service aren’t directly your problem. Your SaaS services should keep on running automatically. It’s very likely that you can build a solution that will allow your staff to access your system remotely through their home internet connection or from your disaster recovery site.
Traditionally, if a multi-site business were to lose service at the main HQ (where the internal server rooms/data centres are based), then it would be dead in the water. However, with SaaS solutions, this may no longer be a problem. Satellite office solutions can continue to run and even operate much of the main HQ’s function.
What questions should you be asking cloud computing or SaaS vendors with respect to their own business continuity plans?
The key questions any business should be asking cloud computing vendors with regard to business continuity plans include:
Can I see the business continuity plans, at least on a broad level? It’s unlikely that you’ll be able to see a full business continuity plan since they are business sensitive by their very nature.
What would happen if the data centre your systems/data sits in was hit by a jumbo jet? Ask them to explain.
Ask how they will manage the people side of the business and their 3rd party suppliers in the event of a disaster.
How do they guarantee services such as the connectivity and power into their data centres when a disaster strikes?
How do they deal with hardware failure? What are their contracts for fix? Do they carry spare equipment? What resilience is built-in?
Does the vendor replicate all of your data? And if so, to what location? Is it in the same city, county or country? From a security standpoint, you would expect it to be across multiple cities.
Who are your provider’s other clients? Are their business activities similar to yours?
Can you see your vendor’s data centre specifications?
What are their downtime figures within the last 18 months?
How often do they do a full disaster recovery test, and can you see the last report?
Ask your provider how you will be able to get your data out.
Some SaaS providers may allow you to back up your data out of their platform and into your own premises. This may incur additional charges, but you’ll need to balance that against your level of comfort.