5 Important IT checklists that no SMB should miss: Part-2

In our last blog, we discussed 2 of the 5 important IT checklists that every SMB should have. In this post, we cover the other 3, namely, IT training, Data Backup, and BYOD checklists.

IT Training checklist

Your IT staff is not the only one who needs IT training. Everyone in your office does. An IT training checklist serves as a good process document for any new staff or for any staff working on new hardware or software. Following the IT training checklist can help cut down the learning curve, and ensures the hardware/software is leveraged in the best possible way, thus making your staff more efficient. Here’s what your IT training checklist can offer.

  1. Rules and regulations regarding software and hardware use
  2. Links to user manuals/instruction videos with how-tos for the software and hardware in use
  3. Information about whom to contact if there’s a need for troubleshooting
  4. Training schedules for each hardware/software, cyberthreats
  5. Information about whom to contact if there’s a perceived cybersecurity breach

Your IT staff is not the only one who needs IT training. Everyone in your office does. An IT training checklist serves as a good process document for any new staff or for any staff working on new hardware or software. Here’s what your IT training checklist should contain.

Data backups checklist

There are a number of factors that can affect the accessibility and quality of your data. Data backups are key to ensuring your data is not lost. You should maintain a checklist or a policy document that covers this aspect. Your data backups checklist should cover

  • What are the different data sets that need to be backed up
  • How often do each of those data sets need to be backed up
  • Where (location/device) will the data backup occur
  • How will the data backup happen
  • Who will be responsible for the data backup

BYOD policy checklist

In the current business environment where companies allow their employees to use their own devices for work purposes, a BYOD (Bring-your-own-device) checklist is a must. This checklist should answer questions like

  • Who is allowed to bring their devices to work (employees of some departments that deal with sensitive data like, the HR/accounts may not be allowed to do so)
  • What kind of devices are allowed/approved? For example, you can specify a version below which a certain OS may not be allowed, as it may be outdated, exposing your entire network to any security threat that it may be vulnerable to
  • Who is responsible for ensuring the security patches and antimalware protection is up-to-date

Having these checklists/policy documents do not ensure your IT infrastructure is always safe and secure, or never suffers a downtime. These checklists merely help in cutting down instances of security breaches or downtime and go a long way in helping you respond positively to any IT crisis that may befall your business. What we have discussed here is just the proverbial ‘tip of the iceberg’. Your checklists have to be comprehensive, in-depth and cover every angle with a clearly defined action plan for any IT contingency. Reaching out to an experienced MSP for assistance will ensure you leave no loose ends.

5 Important IT checklists that no SMB should miss: Part-1

IT checklists are a great way to analyze, understand and take the necessary steps to meet your IT requirements. In this blog, we discuss 2 of the 5 important IT checklists–Hardware/software and Cybersecurity.

When creating a checklist for hardware/software purchase, use, and installation, answer the following questions.

  1. How do you determine what hardware/software is needed?
  2. What about installation? Who will be doing it? Incorrect installation can end up resulting in loss of time and, in case of faulty hardware installation, it can also mess up the new hardware
  3. What is the process for the procurement of new hardware and software? Do you have regular vendors who you approach or do you start looking for a suitable one once the requirement arises
  4. Establish a policy for operating systems, because not all hardware/software is compatible with all OS.
  5. What about updates, security patches, and upgrades? Who will be responsible for them and how often?
  6. Who is responsible for software installation when there’s a new user requirement

Cybersecurity training can help reduce incidences of cybersecurity breach due to a lapse of judgment from your employees. Here’s what your cybersecurity checklist should cover- all security-related aspects of your IT. For example

  1. Create and implement a password policy that you want your staff to adhere to. Cover password hygiene, acceptable passwords, password sharing, reuse, password update rules, etc.,
  2. When someone quits your organization or no longer works in the profile that they were working in, how is the access issue addressed? Spell out the rules and regulations regarding the removal of a user from the network, changing passwords, limiting access, etc., Along the same lines, also cover new user initiation into the IT network.
  3. Include policies for data sharing–which data can be shared, where and by whom, who has access, the level of data access rights, etc.
  4. Spell out the plan of action to be taken in the event of a cybersecurity breach. Whom to contact, how to quarantine the affected systems, what steps are to be taken from the legal perspective (disclosure of the breach, data security violation penalties, and so on…) how to prevent such future events, etc.,
  5. Your cybersecurity checklist should not only cover the digital aspect of IT security, but also the physical aspect of it. Establish rules and regulations for physical access to data.

Interested in learning more? Watch out for our next blog that offers pointers on IT training, data backup and BYOD checklists.

Know your IT risks

Whether you have your in-house IT team, or have outsourced your IT needs to be taken care of by a Managed Services Provider, you need to know what are the possible risks to your business from the IT perspective. Having an IT risk checklist can help you be better prepared for an IT emergency.

Getting started

In order to assess your IT risks, you need to first know your IT landscape. Answer questions like

  • What role is IT going to play in the success of your business
  • What areas is IT supporting your business in, currently
  • What new roles can you foresee for IT in improving your business efficiency
  • Do you have any new technology in mind that you want to implement in the next year
  • If you have your in-house IT team, what kind of staff structure do you see in the next year
  • If you are planning to expand your in-house IT team, how many team members will you need to bring onboard and what will be the cost associated with this decision
  • Would it be more effective and efficient to hire an MSP instead to supplement your in-house IT department
  • What is your IT budget for the year

The checklist for your IT risks

The next step would be to create a checklist of your IT risks. At this stage, you should be answering questions like

      • What IT risks are most relevant to you? For example, data privacy is a serious concern for a business operating in healthcare, while phishing can be a bigger concern for an accounting firm. Another angle to look into are environmental risks. For example, do you operate in a hurricane-prone area, or someplace prone to wildfires? Make a list of risks most relevant to you and assess the possibility of them happening to you. Such assessments will help you arrive at the key safety measures that you need to take, as a business, to keep your data safe.
      •  

      • In the worst case scenario, if your IT infrastructure were to fail, how long can you survive before it will be difficult for you to bounce back? Can your business operate without your key IT systems working? If not, how long can you afford to keep it shut?

      Whether you have your in-house IT team or rely on an MSP for your IT maintenance, this exercise will help you understand your key IT goals and the possible impediments to them, and help you survive in the event of an IT emergency.

What to consider when investing in cyber insurance

As a business, you are probably aware of the term, cyber insurance. With the cybercrime rates rising consistently, cyber insurance is increasingly becoming a necessity for survival. Here are a few things to consider before you sign up with a cyber insurance service provider.

Risk analysis

First, perform an internal risk analysis. Research to understand what kind of cybercrimes are most rampant in your industry and ensure your insurance policy covers those for sure. Like we discussed before, the most basic of cyber insurance covers data breach and associated costs, but you definitely want more than just that.

What is the scope of your policy

Be clear about the scope of your policy before you sign the dotted line. Remember that cyber insurance functions on the same principles and policies as like any other insurance, which means there will be deductibles, waiting periods and exclusions. Be sure to ask your insurance service provider about them. You don’t want to find out you weren’t covered by insurance until after the attack, at the time of claim. Here are a few things to ask your insurance company in this regard.

  1. Does the policy cover you if a breach happens via your sub-contractor or vendor and makes you liable to your clients? If your cyber insurance doesn’t cover those, then make sure your vendors and sub-contractors have cyber insurance to cover you or sign some kind of an indemnity contract with them so you are covered in the event of such incidents.
  2. In case of an action by your employee causing the breach, such as clicking on a fraudulent link or sharing data accidentally to a dubious email ID, will you still be covered?
  3. Ask your insurance provider to clearly spell out any deductibles, exclusions and window periods that may exist
  4. Check with your insurance provider on what would be your liabilities as the insured. For example, there may be rules regarding anti-virus measures, data safety and security measures, IT training, timely data backups and IT audits, etc., that you may have to follow in order to be eligible to be covered under the insurance in the event of a breach

Before you sign up, do your research thoroughly, get proposals from multiple insurance service providers and opt for a policy that covers your needs the most and the best. Sometimes, service providers may be willing to make additions or modifications to an existing policy to meet your exact requirements, which may work best for you.

Cyber insurance: What’s the cost and what does it cover

Cyber insurance covers a range of elements, the most basic being the legal expenses incurred as a result of falling victim to cybercrime. This includes legal fees, expenses, and even any fines that you may have to pay or financial settlements that have to make with your customers or third parties who have been affected as a result of the incident. Apart from this, depending on the coverage you opt for, your cyber insurance may cover the following.

Notification costs

In the event of a data breach, the business is required to inform all affected parties of the breach. This involves reaching out to them individually and also through the press. Cyber insurance may cover the costs related to this process.

Restoration costs

After a cybercriminal attacks your IT infrastructure, you will have to spend money restoring it. There will be considerable expense in terms of recovering the lost data and repairing or replacing affected IT systems.

Analysis costs

In the event of a data breach, you will have to conduct a forensic analysis to identify the root cause of the breach and figure out how to prevent further occurrences. Cyber insurance may cover the costs of such an investigation.

Downtime costs

When your business operations shut down, even temporarily, due to IT issues, you lose revenue. You could get a cyber insurance policy to cover such downtime costs.

Extortion money

In some cases of data theft like a ransomware attack, cybercriminals usually demand a certain amount of money as ransom or extortion to let you access it again. Considering how rampant ransomware attacks are these days, it may make sense to opt for a policy that covers this angle as well.

How much does cyber insurance typically cost

Depending on the coverage and risk, annual cyber insurance costs range anywhere from $1000 a month to about a million dollars. But, what you need to ask yourself is, how much can it cost you if you ignored cyber insurance? The answer is, it could cost you your business, your customers and your brand reputation. With cybercrimes rising at alarming rates, cyber insurance is not a luxury that only the big players should invest in. It is the need of the hour for any business, irrespective of its industry or size.

Cyber insurance 101

What is cyber insurance

With cybercrime becoming a major threat to businesses across the world, irrespective of their size, cyber insurance is fast becoming a necessity more of a necessity than a choice. However, the concept of cyber insurance is still fairly new and not many SMBs are aware of its benefits. Cyber insurance is an insurance that covers your liability in the event of your business becoming a victim of cybercrime. For example, a data breach puts you at risk of lawsuits, makes you liable to your customers/other parties whose data has been compromised because of/via your organization. Cyber insurance covers the financial aspect of such liabilities, making it easier for you to deal with them.

Why do you need cyber insurance

Many organizations think of cyber insurance as an added cost. They believe they don’t need it for various reasons.

Bigger organizations think their IT security measures are watertight and they won’t fall victim to cybercrime, and they also tend to believe that even if they are affected in a one-off case of cybercrime, they are solid enough to discharge their liabilities and come out of the incident with their brand value intact.

SMBs, on the other hand, think cybercriminals are most likely to target the bigger players and they don’t need cyber insurance. But, in reality, it is the smaller businesses that are at a greater threat–primarily, because

  1. They lack the resources to strengthen their IT infrastructure and their staff is less likely to be trained in identifying cyber threats, making them more vulnerable
  2. They are less likely to recover from the damage to their financial and brand health as a result of falling victim to cybercrime

The bottom line is, every organization–big or small, needs cyber insurance today. Cyber insurance, however, is not a replacement for cybersecurity. Having cyber insurance doesn’t mean you can be lax about cybersecurity. It is meant as a buffer, to help.your business survive when something slips through the cracks. An MSP can help you tighten your cybersecurity and prevent data breaches and other untoward incidents. Also, being well versed with the IT industry, your MSP can help you understand the IT risks that you need to get covered for. They can also help you pick out the right cyber insurance policies, in some cases, some of them even being insurance advisors or agents.

SD WAN – What’s up with that?

So what is this SD-WAN that you have been hearing about? SD-WAN, the acronym for Software Defined Wide Area Network is a new take on the traditional Wide Area Network (WAN). A standard WAN’s goal was to connect users at a branch to a main campus or central office. A WAN is fundamentally hardware-based, using routers to connect users to a central data center. Network administrators or engineers determine how data is moved across the various communication lines. WANs no longer are effective it handling the multi-directional, low-latency demanding applications that have arisen in the workplace of today. There are multiple drivers that encourage the adoption of SD-WAN technology, but security and the rise of cloud data storage and SaaS applications are key among them. The other is cost. Traditional WANs can involve considerable CAPEX costs. They also involve more cumbersome and labor intensive administrative activity that can be streamlined by moving towards a software defined model. WANs are not “agile” and the SD-WAN model increases real-time flexibility in handling traffic.

Why might you consider SD-WAN? Most likely as your organization increases its use of cloud and SaaS services. One simple example. Under a WAN model, users have to experience “backhauling” from their location to the data center or “headquarters” before they can access the cloud. This basically means taking the long route. It slows the user experience. It also doesn’t make a lot of sense because it uses a hub and spoke model. Think back to when most major US Airlines used the hub model. All of their flights routed through one or two hub airports, so no matter where you wanted to go, you had to fly to the hub, then back out again. It was not a user-friednlty experience, and it certainly wasn’t efficient use of a flyer’s time. And, if weather or some other disruption slowed traffic our of the hub, the entire system suffered delays. The WAN model, suffers from a similar problem. SD-WAN works to address that.

Also, a WAN can reroute traffic in real-time. This can mean greater efficiency and optimization of traffic routing and resources. As your organization increases the complexity of your users’ access needs, you should talk to your Managed Service Provider about the pros and cons of moving toward a SD-Wan model.

Good Fences Make for Secure Data

Investing in firewalls, anti-malware and data encryption software

Firewalls and anti-malware tools can help you by keeping unwanted actors out of your IT network. These tools work by restricting access to only pre authorized users and these are primarily defensive measures. Data encryption software, on the other hand, is more proactive and works to code your data and store it in a different form such that it makes sense to only those who are authorized to access it, using a decryption key. Proactive measures are your strongest approach to data protection.

Timely security patches and updates

Make sure you apply security patches and perform software updates on time. Usually software makers release product updates and security patches when they find vulnerabilities and security lapses in their software. Don’t ignore those alerts that a software upgrade is available. It may contain more than just a few new features. The timely application of these patches and updates ensures that the discovered vulnerability is not exploited by cybercriminals.

Seems like a lot of work? Not if you outsource it to a trusted MSP partner.

While cybersecurity is indispensable, trying to do it all in-house can be complicated and expensive. Signing a service agreement with a managed service provider (MSP) to manage your IT infrastructure is a great solution to this challenge. You can benefit from their expertise, knowledge and staff strength, without having to worry about getting it all done on time.

SMB and Some Basic Employee Security Issues

SMB and Some Basic Employee Security Issues

Training teams

Your employees are your first line of defense. Training is a basic requirement and should be conducted for every employee. This necessitates involving Human Resources so that businesses incorporate cyber security training from the first day of onboarding. must train their employees on cybersecurity best practices and also constantly update them with information about the latest scams and techniques adopted by cybercriminals. This will help employees identify situations where they may end up becoming victims of cybercrime or unwittingly compromise the organization’s cybersecurity. Untrained employees may end up becoming unintended participants in cybercrime.

BYOD Policy

With remote operations becoming the norm, organizations must spell out the dos and don’ts for their employees who are using personal devices for work. While there’s not much that companies can do to monitor and restrict usage when employees use their personal devices, a broad framework of best practices will certainly help. Addressing the details of how your data is accessed remotely is a very important part of a total BYOD policy.

How the Coronavirus crisis is the gateway to the other kind of virus

How the Coronavirus crisis is the gateway to the other kind of virus

To say the COVID-19 pandemic gave the whole world a tough time would be an understatement. Economies collapsed, joblessness rose, people lost their loved ones and livelihoods to the disease. Adding to this situation was the need for social distancing and self-isolation which took a toll on mental health of millions across the world. 10 months into the pandemic or perhaps even before, people started growing tired of it and just when it seemed like humankind will give up collectively, there was a light at the end of the tunnel–Vaccines.

While the news of the first vaccine being approved and then administered in December 2020, was a huge victory for humankind and rightly welcomed with claps and cheers, cybercriminals were cheering too. For cybercriminals, this was a great opportunity to exploit the eager, mentally fatigued and vulnerable populace. Emails were sent with phishing links disguised as genuine which urged the recipients to fill a form to access their vaccination schedule and vaccine information. Some emails were made to look like it came from the FDA, United States CDC or the NHS (UK). Some had attachments that required recipients to download them and run exe (executable) files that planted malware into their systems. “E-commerce” sites were created overnight on the dark web and enticed people into ‘placing orders for vaccines’ at $250 each, in the ‘Black market’.

The point is, this is not the first organized cybercrime modus operandi and certainly won’t be the last. So, how do you protect yourself? Here are a couple of tips.

  • Do not download or open attachments or click on links from unknown, unverified sources or a source that you don’t trust.
  • Sometimes, the email or message may seem to be from someone you trust, but their account may have been compromised and used to send out the malicious link or attachment to you. Or, there may be a slight variation in the email ID (spelling), so while you get the impression it is a genuine email, the reality is different.
  • If something doesn’t add up, or if it doesn’t feel like the message was in fact written by the person you know, either ignore or call and verify if they did indeed send it to you.
  • Install firewalls that have the capability to identify and block dangerous sites, so you will be alerted of possible security threats and inadvertent clicks won’t take you to dubious clone sites
  • Make sure your antivirus software is up-to-date

From a business perspective, discuss a strong cybersecurity plan of action with an MSP. This includes investing in the right anti-malware tools, ensuring all your software programs are updated, and updating security patches released by your software vendors as soon as they are available. Educate your staff on common cybercrime tactics so they don’t accidentally expose your IT network to cybercriminals.