You KNOW you could have / should have done more to protect your business data… but now it’s too late and your computers have been compromised.

What should you do in the event of a data security breach?

 

1. CALL IT DATA SECURITY PROFESSIONALS ASAP!

Just like a fire or medical emergency, time is of the essence. The attack may still be underway or causing further damage.

  • In the case of a virus or malware, the more people who open the email, the more computers will be infected.
  • Hackers can continue downloading files as long as they have open access. Less than 48 hours after a breach, the attacker will have control of a network – you need to act fast.
  • If the threat is coming from inside the building (an employee or contractor who either inadvertently or with ill intent caused the breach), you’ll want your IT team to be able to clearly see the source of the issue.

You don’t want a junior IT guy giving it his best shot. If you don’t have an experienced IT partner, NOW is the time to find one! (Note, however, that just like calling 911 to summon a helicopter to medically evacuate you off a cliff and into an emergency room, finding an IT partner during a data security crisis is likely to be both difficult and expensive.)

The risk here is that if you have under-trained IT personnel panicking and changing settings, it may be difficult for your IT team to understand what really happened and diagnose the root cause of the issue. Don’t make the problem any worse than it is. Call in IT Professionals.

2. Assess and contain the damage.

Your IT professionals and senior leadership team need to set aside blame (at least for now) and be in tight communication about what happened and how to proceed in fixing the data security breach.

Hopefully you have a disaster recovery or business continuity plan in place, along with documentation of your passwords and backup of all your systems.

Your damage control team needs to decide:

  1. Is the breach contained?
  2. How severe is the damage?
  3. What steps do we need to take now?
  4. Who needs to know? If sensitive data was exposed, you’re likely legally required to notify those who are potentially impacted and/or government agencies.
  5. How can we prevent this from happening in the future?

3. Take data restoration steps.

Every situation is unique. Some actions need to be taken immediately, while others may happen over the coming days, weeks and months. Depending on what happened, restoration from a data security breach could mean:

  • Restoring files from backup
  • Changing all passwords
  • Taking a system offline until security updates can be applied
  • Paying the ransom on the ransomware (which is a terrible idea, for so many reasons!)

4. Communicate.

First to employees and then to anyone affected outside your organization, you need to clearly communicate:

  • What happened
  • How you’re fixing the issue
  • Any steps those impacted need to do to protect themselves

5. Get committed to data security.

Small businesses are not immune from cybersecurity attacks. With fewer resources to fight and recover from a breach, it’s even more important for you to integrate security into your platform. One component of our data security offerings is to use Microsoft 365 for:

  • Identity & access management
  • Threat protection
  • Information protection
  • Security management
  • Device and application management

We also believe strongly in user data security training.

Many employees share passwords, not considering the data security ramifications. In over 63% of data breaches, attackers gain access through weak, default, or stolen user credentials. Your technology and people need to work together to keep your business protected from malicious cybersecurity attacks.

Beyond user training, there are a few other ways you can safeguard your business:

Microsoft 365 for Data Breach Recovery

One of the solutions we use in our data security practice is Microsoft 365, which has all the perks of Office 365, plus advanced security and device management tools. Microsoft 365 helps us with both remote network monitoring and data breach recovery.

Here’s some of what Microsoft 365 can do after you’ve been breached:

  • Automatically investigate and mend endpoint threats
  • Recommend what to investigate and remediate
  • Investigate company-wide emails to remediate threats
  • Visualize a hacker’s lateral movement
  • Recover OneDrive files
  • Remove ransomware

Call Us for Data Breach Prevention

We don’t want to be your 911 IT emergency call. We want to be your day-to-day IT partner who keeps your IT systems healthy and secure with IT services like:

  • Continually monitoring network traffic for anomalies
  • Maintaining backups and testing restore procedures
  • Having a “red book” of system admin credentials and vendor contact information
  • Enforcing IT policies and procedures
  • Keeping hardware and software up-to-date

Don’t wait until it’s too late – give us a call today – 1.586.263.1775.

 

Data Breach FAQs

What is the most common cause of data loss?

The most common cause of data loss is hardware failure – make sure you’re always backing up your hardware! Other causes include human error, software corruption, theft, and viruses.

What happens when there is a data breach?

A data breach puts ALL of your personal and financial records at risk. This makes you vulnerable to identity theft, compromise of customer data, compromise of employee data, loss or risk of intellectual property, and virus attacks.

How to protect yourself after a data breach?

Take data restoration steps: 
1. Restore files from backup.
2. Change all passwords.
3. Take systems offline (if needed) until security updates can be added.
4. Integrate security into your platform.

How serious is a data breach?

A breach in your hardware will always be serious. It can lead to destruction, alteration, loss, or access to all personal data. Assessing the problem ASAP will lessen the blow.

In the not-so-distant past, the standard way to buy small business software was to buy the number of licenses you need, install the software on a server or on all the company’s workstations, and periodically upgrade the software to a new version.

That model is quickly becoming obsolete as more software vendors have moved to the SaaS model of software delivery.

What is SaaS?

SaaS stands for Software-as-a-Service. Rather than buying software, you pay a monthly fee to access the software you need through a cloud computing environment.

What are the benefits of SaaS solutions?

While one might argue that the primary reason software companies have moved to offering SaaS solutions is for the recurring revenue model, SaaS customers actually have a lot to gain by switching to a SaaS solution:

  • No big upfront software and hardware costs.
  • Upgrades are automatic and continual.
  • Data is often significantly more secure than when it’s hosted on a company server.
  • Often, licensing can flex as your business needs change, allowing you to easily add or remove functionality and user licenses.

One of the complaints we hear is that with a SaaS solution, you’ll NEVER own the software. The recurring software licensing fee continues as long as you continue to use the software. As an IT Services provider, we see lots of old homegrown databases and small business software solutions that aren’t costing the company much money-wise but are creating risk. Over time, the software becomes unsupported and the data becomes unreliable.

Are you evaluating SaaS solutions?

Today, every business is a technology business. Unless you’re still working in an old-school, paper-based environment, practically any small business software solution you’ll consider will be primarily available as a SaaS offering. In a prior article, we shared how to evaluate cloud vs desktop software.

In this article, we’ve put together the top 10 SaaS considerations to help you select a system that’s stable, secure and will help your business leverage technology for growth.

10 SaaS Evaluation Criteria

1. What are the capabilities of the system?

SaaS vendors love to position themselves as an all-in-one solution. You see this offered in many popular sales and marketing programs such as:

  • Hubspot
  • 17 Hats
  • Infusionsoft

Some SaaS vendors do a better job of delivering on this all-in-one promise than others. Your job is to evaluate what you need, what you’ll use, and what the software does well. Email marketing may mean sending outgoing emails only – or it may mean advanced marketing automation. The details can get hidden in the fine print.

It can be very easy to get caught up in the bells-and-whistles of the software, or to make assumptions about what a feature means, only to find out later that the software you just purchased is missing a key function needed for day-to-day functioning.

2. What’s included at each pricing tier?

We hate to see clients run into a “that costs extra” situation, where they can’t get the functionality they need unless they spend more money to buy upper-tier licenses. Unfortunately, it’s common for marketing information to be unclear, often because the software is being consistently improved.

Microsoft Office 365 is a great example of the need to understand licensing limitations. You may read online that you can integrate VOIP calling functionality into Office 365, not realizing that capability only exists if you buy a certain license type. A thorough evaluation and the advice of an IT professional are helpful when trying to determine licensing needs.

3. How do you know your data won’t be hacked?

Major vendors like Microsoft, Google and Amazon have multiple levels of security in place that are continually and extensively tested to thwart cyber criminal activity. Studies have repeatedly shown that – despite the increase in cyber security breaches – your data is actually much safer in a cloud-based SaaS solution than it is on a physical server in your office.

If you’re working with a smaller SaaS vendor, you need to ask about their data security policies. In addition, your company needs to take steps to create and follow IT policy and procedure best practices. The best lock in the world won’t keep criminals out if you leave the door wide open.

4. What’s their privacy policy? How do you know they won’t sell your data?

As the saying goes, “If the software is free, you are the product.” Many social media sites are monetized through advertising. In asking this question, your job is to understand how they will use the information stored on their servers, either in aggregate or through targeted marketing.

5. How can you ensure the SaaS vendor won’t lose your data?

What are their backup and recovery policies? Do they offer a service level agreement with an up-time guarantee?

Technology start-ups are particularly vulnerable to data loss. They may be cash-crunched and cutting corners to put all their time and energy into feature enhancements to gain new customers. Only when tragedy strikes – a hurricane, fire, flood or burglary – do they realize that their backup process failed – or that it will take weeks to get back up and running on a new server. There are countless stories of software companies that have vanished overnight, leaving their customers without critical accounting, customer or sales data.

With so many readily available and affordable cloud-hosting backup solutions, data loss is inexcusable. Don’t let a SaaS vendor’s mistake cost you your business.

6. How easy is it to set up the new system?

Moving to a new software system usually isn’t as simple as just downloading your existing records and then re-uploading the data into the new system.

  • What needs to be done to clean up existing data before it’s imported into the new system? Migrating to a new software program presents a great opportunity to clean out old and unnecessary information. Do you need to be able to access historical information? If so, how will you accomplish that goal?
  • What new opportunities exist with this software that weren’t possible in the past? Where do you need to change your procedures to capitalize on your technology investment?
  • What decisions need to be made up front that will be hard (or impossible) to change later?
  • Who will do the setup? Can you set up the system on your own? Does the SaaS vendor or its partners offer technology consulting services to help get the system properly configured?

7. How easy is it for users to learn the system?

User adoption is critical – yet training for new software is often overlooked. Software companies go to great lengths to make their software easy to use, and especially to look easy in a demo. The software may in fact be easy to use – once you know where to look.

  • Naming conventions may be different. What’s an account vs. a customer? What’s a lead vs. a list?
  • Functions may be hidden in unexpected places. If you’ve been using QuickBooks forever, switching to FreshBooks or Wave may leave you scratching your head on where to find features that you know must exist, but they’re not on the page where you’d expect to find them.
  • The software is always evolving. As updates are published, how are new features communicated to users? Do they send out emails, create walk-throughs, or expect you to regularly visit their user forum?
  • Is onboarding available? Many SaaS vendors offer a series of videos and walk-throughs to orient new users to the system.

8. Is software customer support included? What types?

Software support can be free or paid; self-service or on-demand. Before you become a customer, ask about customer support options like:

  • Live chat
  • Help “More Info” Icons within the software itself
  • Phone support
  • Support hours (Is it 24/7/365? Is it OK if it’s not?)
  • Blogs and forums
  • Help desk ticketing
  • Facebook community pages
  • Vendor or partner consulting services

9. Can we connect this software program to other software systems? Can we extend or customize the software?

In a prior post, we shared how important it is to select small business software with API Integration. Small business data silos create problems because it’s so easy to lose sight of the “truth” and only see one aspect of the business. Ask if the software works natively with Zapier, PieSync or other integration tools. Look and see if they have software partners that extend the functionality of this solution.

10. What happens if I leave?

Can I take my data with me? How can I download it? You don’t want to spend years and years building your business online, only to have it disappear. Even social media sites like Facebook, LinkedIn and Twitter provide you with options to download your history.

Any SaaS solution you evaluate should make it easy to leave – and allow you to take your data with you.

Are you evaluating SaaS Solutions right now?

Let us help you select and implement the right small business software solution. Contact us for more information.

disaster recovery planning

Hurricanes. Floods. Fires. Tornados. Natural disasters remind us that we can’t control everything. What we can control is how we prepare in advance and how we respond afterward.

small business data security breach

According to the Privacy Rights Clearinghouse, over 900 MILLION records have been compromised in 7,283 public data security breaches since 2005. While that number may seem HUGE, it’s actually a gross underestimation, because that figure does not include private security breaches.

Small Business Password Security is a Big Deal

With the Cloudflare security leak fresh in our memories, now is a great time to remind everyone – especially small business owners – about the importance of small business password security.