Document Security — Does Your Security Policy Protect Digital and Physical Documentation?

Disclaimer: As there are books about document/data security, consider the following as an introduction. Discuss the points raised and estimate how your company would be rated if tested by an ethical hacker or penetration tester. Perhaps you might want to hire a penetration testing company to evaluate your digital and on-premise security?

Digital transformation is simplified as the aim to eliminate paper-based documents and go ‘fully digital’. As much as we would like to, it’s generally impossible to achieve a paperless office. Barriers include financial, accounting, legislative and compliance requirements that require retention of original paper documents for a specified number of years. Some industries (legal, for example) have yet to make all their processes digital and physical form-filling is common in many situations. Therefore, any worthwhile security policy must consider both physical paper-based documents and their digital counterparts.

How can companies ensure adequate protection of physical and digital files? What are the common attack vectors involved? Does your security policy consider remote and onsite attacks?

Risk Management

The first step in creating a security policy is to identify risk. Attack vectors include but are not limited to:

  1. Remote hacking – Industry best practices recommend a comprehensive cybersecurity strategy. Many companies use industry standards such as HIPAA as a guideline. Recent requirements in Europe in relation to data privacy (such as the GDPR) also force a strategy as part of compliance. The key message is that companies are responsible (and can be penalised) for failing to protect data adequately as most jurisdictions have corresponding data privacy regulations, especially for medical and financial data and any other personally identifiable information (PII).
  2. Internal threats – disgruntled employees are a viable attack vector. In addition, employees can unwittingly allow a hacker to breach your network after falling victim to phishing, ransomware or other remote attack based on social engineering techniques.
  3. A combination of the above – where the remote attacker has a willing accomplice onsite.
  4. Decommission, donation, recycling or theft of onsite equipment such as PCs, laptops, smartphones optical media, hard drives and memory cards can all introduce risk. This is true because even when wiped, forensic techniques can successfully recover data.
  5. Insecure storage areas – when filing cabinets and digital backups can be accessed by anyone.
  6. Sharing – consider the numerous ways we can share or capture data. Our smartphones can act as personal computers, take photos, share via chat program, upload to any number of free cloud storage providers, share on social networks and, of course, use the internal storage of the phone to store files for later review. Shadow IT, where users install their own unauthorised programs, could also allow dispersal of confidential data.
  7. Security Updates and Patches – Prompt updates prevent hackers from exploiting security vulnerabilities. Best not to ignore them.

Okay, so now you have an idea of the potential threats. It’s worth noting that hackers will take the easiest route to acquire data. In film and TV, sophisticated hackers acquire passwords and systematically break through all cybersecurity defenses, but the reality is very different. It’s much easier to hack the user or use ‘low-tech’ or ‘no-tech’ methods than breach firewalls and other security features.

Social Engineering

As reported in MeriTalk, citing ISACA’s survey STATE OF CYBERSECURITY 2019, PART 2,  cyber threats remain consistent but have increased in volume in 2019, with the top three most prevalent attacks coming from cybercriminals, hackers and non-malicious insiders. All three accounted for 70 per cent of all attacks reported by survey respondents. 44% said phishing was the most common attack, 31% said malware and 27% claimed social engineering was most prevalent.

However, since phishing is a form of social engineering, and malware creators often use social engineering techniques to fool the user, the truth is that social engineering of the human factor is the most lucrative option for any hacker. We are the weakest links in any security system.

How to Protect All Your Files

Firstly, be paranoid. Then, be very paranoid. Be aware that the size of your company does not matter. You may be in an industry attractive to hackers or be a client or supplier of a target company. In addition, it’s generally a numbers game, with cybercriminals, hackers and wannabe hackers all launching volume attacks using easily acquired tools and hacking packs. Being a hacker doesn’t necessarily mean you need skills. The “as-a-service” model also applies to the hacking community and on the Dark Web, you can acquire all you need to start hacking. Clearly, to protect your files and documents, a detailed security policy is necessary or perhaps, different security policies for each process. The SANS Institute offers a wide variety of free security policy templates that can be personalised for your company, which saves time in policy creation.

I’ll save you some more time… Assume that your company is a viable target and protect files and documents accordingly. The following is not an exhaustive list but will offer some suggestion to enhance your security posture and protect confidential data.

  • Identify potential risk and create the appropriate security policies.
  • Ensure OS and software updates are promptly installed. Likewise, security patches and firmware updates if appropriate.
  • Use antivirus, malware and spyware tools.
  • Use permission/user management to control data access. The aim is to prevent unauthorised data access.
  • Use device level monitoring to prevent the install of unauthorised software (shadow IT) and ensure all company-owned mobile devices have a remote wipe feature if lost or stolen.
  • Ensure security awareness training is an ongoing process, where users are informed of the latest attack methods. Basics include not clicking on links within emails from unknown parties.
  • When disposing of equipment, ensure data is destroyed by sending to a certified recycling company. Ensure data recovery is not possible by shredding or incinerating the device.
  • When disposing of paper-based documents, fine cross-cut shredding or incineration is best. Low-tech hackers are not above searching rubbish bins for clues.
  • Ensure non-employees cannot sneak onto your premises.
  • In public areas, be aware that shoulder-surfing (looking over your shoulder) is possible. It’s an easy way to gather info directly from your screen. Similarly, visual hacking is a threat, with smartphone cameras allowing easy capture of information.
  • Confidential documentation should be locked away, with on-premise security essential.
  • Consider the many ways files are shared online and aim to restrict as many as possible. Some companies operate using a whitelist of essential websites, blocking any that allow sharing of data.
  • Protect your hardware – Some companies use tamper evident labels to prevent low-tech hacking using memory sticks, cards and other solutions to directly acquire data from target systems.
  • Consider Wi-Fi access. Do you allow guest access or segregation from your network or even prevent it entirely?
  • In electronic manufacturing, all employees and visitors are scanned with a wand (just like in the airport) and must store all electronic devices in a provided locker before access is granted. Is this worth considering?
  • Social Media – Ensure employees are aware that social media info posted is often used in convincing spear phishing campaigns. Never post anything that will aid social engineering or disclose company workings, even something as innocuous as a planned vacation or lunch times can help a hacker.
  • Encryption and password management – both are highly recommended. It’s also important to remove data access promptly if an employee leaves the company.

By no means a complete list, but still difficult to implement securely. NOW consider how difficult it is to prevent against an insider threat, when that user already has access to your network…

In conclusion, cybersecurity is an ongoing process, but it is very important that paper-based documents are also considered. Ensure printouts and other files are disposed of correctly and not thrown out with the general rubbish. Security awareness is not limited to cybersecurity but must also consider real-world activities such as copied ID cards, premises security and storage and disposal of physical documents. Penetration testing is a worthy exercise that will highlight any insecure areas in your organisation. With the number of data breaches increasing each year, ethical hackers can identify problems and close off any vulnerabilities. How confident are you that all documents are secure?

Update Management —Prompt Installation Required to Maintain Network Security

In most companies, at least those who believe in managing security correctly, the rollout of all updates is controlled by the IT team. Only users with administrative access can install security patches, firmware and software updates or service packs. Basic users are also blocked from installing software on company assets. This is good practice and prevents shadow IT (where users can install unapproved and unsupported software). It does annoy users, as they must ask IT to add any applications they feel are necessary to add productivity to their roles. However, it does make sense and aids security, ultimately creating a list of approved software that satisfies all company activities.

Unfortunately, this activity is not enough as, regardless of hardware and software configurations, updates are necessary on at least a weekly basis, whether related to the OS, applications or installed hardware. Some experts recommend prompt installation while others advise performing some research before installation, to make sure the update does not have a negative impact on operations. I advise a combination–it’s better to verify on an offline machine before rolling out the update to all.

What is the ideal way to ensure reliable yet prompt update installation? In a traditional office environment, is it practical to supervise individual installs? Can we rely on all updates or will they cause additional problems?

Unfortunately, there is no single solution, given the plethora of hardware and software configurations available. It’s impossible for manufacturers to test on all possible system configurations not to mention on connected peripherals and other software. Therefore, as security vulnerabilities and other issues are identified by end-users and real-world usage, patches and updates are released. Managing all these updates on a company network is a task that requires prompt action but in a way that ensures business continuity, given that some updates cause problems.

How Important is Update Management?

Ignoring updates is not a good idea as hackers exploit known vulnerabilities, secure in the knowledge that companies are often slow to implement security updates. It’s not enough to focus on OS patches as commonly used applications such as MS Office, Acrobat and many more are all attractive targets, exploited to launch cyber-attacks, ransomware, or simply to harvest data. Therefore, a process is needed to stay on top of all updates.

Are you Prepared for Updates?

A company’s activities are often defined by processes, procedures and compliance requirements. Documentation is key to ensuring a defined strategy for all aspects of the business. Most will have a security policy, cybersecurity strategy, disaster recovery policy and other documents to ensure a defined process is maintained and improved where necessary. Update or patch management is no different. Define your process and follow it. If you haven’t decided how to officially handle updates in your organisation, it’s worth starting. Let’s make a few assumptions first:

  • Most companies will have similar (if not identical) desktops and notebooks. In most cases, they will at least be from the same manufacturer if not the same model. It makes sense to do so as discounts are available for volume orders. A mix and match approach to desktops is rarely observed.
  • All will have the same OS.
  • A complete audit of the network has provided an inventory of all hardware and software on the business network.
  • Installations and updates are managed by the IT team, with users unable to perform admin functions on their machines.
  • System restore or other rollback function is installed on every machine in case a patch or update requires removal.

If all the above are not true, it complicates matters for the IT team. In my opinion, driver updates for hardware and application updates rarely cause problems and can easily be rolled back on a machine if problems occur. OS patches are another matter and need more careful rollout, given that they will apply to all machines. If flawed, a patch can grind operations to a halt. It’s for this reason, I’d recommend a dedicated machine for testing updates before rolling out updates to the entire network.

Define a Process

Therefore, a potential process could include a review beforehand. Ask some questions. These could include but are not limited to the following:

  1. Is the update plugging a security vulnerability or just a performance/feature update? Security updates receive priority.
  2. Have any problems been identified by those who have already installed the update? Google is your friend in this case.
  3. Who is affected by the update? If everyone, test on standalone machine before rollout.
  4. Is a network rollout possible or is it necessary to update each individual machine? Most sysadmins perform updates after hours to mimimise downtime.

Of course, there are other issues, especially for software companies or those who use software with a browser-based GUI. Such issues should be identified during online research.

In conclusion, it’s best to act on new updates as soon as possible. Automatic installs are possible but carry some risks. It may be best to avoid automated installs in some cases and follow a manual process based on prior experience with your company systems (most admins will identify a pattern of problematic updates). Regardless of the method used to process updates, ignoring them is not an option, especially when you consider that doing so could allow a data breach or result in network downtime. Can you take that risk?

Outstanding ways of using texts for network monitoring

According to Lynne Truss, texting is a supremely secretive medium of communication that you should be careful about what you use it for. For your company, this should not be a daunting task. Well, you can use SMS alerts in different departments and functions.

Remember, the success of organizational activities relies on the interlinking of various systems. Therefore, you can use texts alerts to ensure network systems are functional round-the-clock. Here is how you can achieve this.

Reliable notifications

With emails, you will have no choice to wait until the next day when the network is running. Remember, email alerts rely on network coverage to be sent to the receiver. Over-relying on these services puts your company at risk of losing millions of dollars during the network downtime.

The beauty with SMS alerts is that you get notified once an error is experienced. Moreover, you do not have to worry about internet connectivity as cellular services are still active. Thanks to preconfigured messages, you get to note the exact network data packet that has glitches.

Network Monitoring Implementation

For your business to excel, you have to interlink the various departments and IT components. In case of a failure in the infrastructure, then you should be able to get a notification. Remember, the malfunction of one part can have a domino effect on the overall performance of IT services.

Notably, there are several network solutions in the market. Depending on the nature of the services, you may opt to settle for open source software or all-in-one monitoring. The latter makes it possible to monitor the various sub-sectors.

Sense of urgency

For decades, marketers have been using SMS alerts to reach out to customers. Here, you can use to push promotions, coupons, and release new updates. The beep or vibration is bound to showcase a sense of urgency. The same applies to network monitoring.

As an IT staff, it will be challenging to assume constant beeps and rings from your cellular device. Let’s face it is easier to ignore an email notification in comparison to SMS alerts. Once there is a breach, then you will get a notification on your smartphone or tablet.

Loss of revenue and data

According to Statista, most companies incur an hourly revenue loss of between $300,000 and $400,000. The revenue losses also include the cost of getting the systems online and the productivity of employees. It is worth noting that most operations come to a standstill during the downtime.

Besides the loss of revenue, recurring network downtime soils your organization’s reputation. If you run a data center company, then the repercussions from outages are grave in comparison to others. To reduce these losses, you should consider integrating SMS alerts into your system.

In case of an outage, you will receive a notification on this effect. Remember, you are likely going to experience outages once in a while.

Final word

Troubleshooting a network system can be a nightmare, especially when you are offsite. To circumvent this hurdle, you should find texting alerts that best suit your network system. Feel free to contact IT specialists to help you out today.

SMSEagle at Open Source Data Center Conference 2019

We are happy to announce that SMSEagle is a proud sponsor of Open Source Data Center Conference (OSDC) 2019! The OSDC takes place May 14 – 15, 2019 in Berlin.

The Open Source Data Center Conference 2019 focuses on innovative strategies, forward-thinking developments and new perspectives in dealing with complex data centers. This year’s agenda includes some of the most important representatives of the international Open Source scene.

The program includes inspiring speakers and interesting topics such as:

Nikhil Kathole | Red Hat | Simplifying your IT Workflow with Katello and Foreman
Kosisochukwu Anyanwu | Kinvolk | Virtualisation in Docker, using KVM as Hypervisor
Dan Barker | RSA Security | 5 Steps to a DevOps Transformation
Thierry De Pauw | ThinkingLabs | Feature Branching considered evil
Matt Jarvis | Mesosphere | Introducing Maestro – Kubernetes Operators the easy way

The whole program is available at osdc.de/agenda.

The aim of the event is to present state-of-the-art solutions and pioneering concepts for developers, decision-makers, administrators and IT managers who work with complex IT infrastructures. OSDC attracts more than 150 open source enthusiasts to Berlin every year. Speakers and participants take the opportunity to inform themselves about the latest developments and jointly launch new IT projects. An evening event offers the ideal setting for informal exchange.

More at osdc.de.

Network Security – Why Security Awareness is Essential for Internal Threat Management?

Security awareness is often linked to anti-terrorism programs around the world but in the IT world we are referring to cybersecurity awareness. Many of you are already switching off, yawning and considering leaving this page but hang on a moment…

The subject may well have been harped on by management, consultants and IT teams and this instinctive reaction to tune out is down to poor implementation in the past. Advocates of security awareness are often condescending, are too technical or fail to link practical threat examples to real-world situations. Other failures include a lack of management buy-in. This “do as I say, not as I do” attitude has the opposite of the desired effect, no significant increase in security awareness and a growing employee resentment when management errors in this area are not penalized.

Be Aware of the Potential Threats

It’s not as simple as telling employees to stop clicking on links in emails and in social media, although this is part of it. Requests to reset passwords or requests to update online banking details are designed to gain logon info i.e. fishing for information. That’s why they call it phishing and there are many forms. Security awareness is not limited to computer usage but can extend to any form of social engineering – a term used to describe methods of hacking the user or company while avoiding technological countermeasures. Methods can include shoulder surfing (the ‘hacker’ simply gets required information by looking over an unsuspecting employee’s shoulder), dumpster diving (extracting printed documents from the rubbish bins outside) or indeed by gaining onsite network access (perhaps by joining employees who smoke outside and then entering the premises unobserved when they return). Employees who leave their phones or laptops unattended could unwittingly allow a hacker time to install a program that remains inactive until connected to the company network. There are many other examples of social engineering.

“Any security awareness training must include social engineering, as many of these threats do not require any IT or computer knowledge. The aim is the same, to gather information that can in turn be used to either hack the employees or the company network. For example, a discarded printout may contain names of senior employees that are then used to send convincing emails to all employees, perhaps requesting them to change their network logon credentials,” said Radosław Janowski, Product Manager.

Dispel the Myths

Hackers rarely have positive motives and are generally classed as cybercriminals, with their primary motives being either financial or disruptive. Ones that act on behalf of governments are after classified or proprietary data. Ethical hackers and security companies know their methods and produce countermeasures as new threats are identified.

Let’s start with some obvious facts that most industry experts agree on.

  1. Hackers will go after the easier targets and hacking the end user is a much easier prospect than hacking the technological barriers that are included in the modern network, whether it involves endpoint protection, AI-related analysis or any other security assets such as firewalls. In the same way, hackers will hack smaller companies as a means of eventually hacking their larger clients or suppliers. This means, YOUR COMPANY IS NOT TOO SMALL TO BE HACKED.
  2. Security awareness training takes take time and money and the potential benefits are sometimes ignored, especially by smaller companies.
  3. The age, sex or IT knowledge of the end user does not indicate an enhanced awareness of the potential threats or how they will be carried out. A BBC article focused on the on the results of a survey which indicated that British people aged 18-25 lacked cybersecurity awareness, using the same password for multiple services and sending sensitive data (including passport information) over email and messaging systems. detective inspector Mick Dodge, national cyber protect coordinator with the City of London police said: “Your email account is really a treasure trove of information that hackers won’t hesitate to exploit… You wouldn’t leave your door open for a burglar, so why give criminals an open invitation to your personal information?”
  4. Internal threats are much more difficult to handle than external ones, as most technological solutions are designed to block external network attacks.

As Przemysław Jarmużek, Technical Support Specialist at SMSEagle, pointed out: “Companies that ignore security awareness training are putting themselves at risk unnecessarily. Cost is not a barrier when free courses are available online. The inconvenience of losing an hour’s productivity each month is nothing compared to the time lost if data loss or network outage occurs. Not everyone is an IT expert and security awareness training must consider that. In addition, perhaps the most important aspect of security is that everyone who accesses the company network, whether on LAN or using Wi-Fi, needs to be aware of how hackers attack the user. In adopting a security-conscious culture, everyone at SMSEagle has mandatory awareness training and this includes senior management.”

In conclusion, if you take nothing else from this post, it is that security awareness is essential, a free course is available to all (I’m sure there are others) and that ongoing security awareness training is a must as new security threats are identified. It’s not necessary to spend hours per week on training. Instead make sure that all employees take the initial course for an hour or two then perhaps a half an hour each month will suffice, to advise everyone on new potential threats and to show the attempts that were made the previous month, even the common lottery winner alerts or other email scams. If you foster an “us vs. them” proactive attitude (against hackers) within your company, then every attack that is prevented will seem like a victory for all.

SMSEagle is exhibiting at ITPartners 2018

IT Partners is a French trade fair organized annually at the Disneyland Paris in Paris, France. This is a leading event for the French IT channel, telecoms and audiovisual, and includes representatives from global IT markets. It covers a number of areas including infrastructure, software and services, mobile communications and networks and the Internet of Things.

This year on 14th & 15th of March SMSEagle was presented at the fair in the booth of our French Sales Partner NMS Distribution.

Photo of NMS Distribution team with Solarwinds, Flowmon and SMSEagle.

What Every Disaster Recovery Plan Must Include

Business continuity (BC) and disaster recovery (DR) are not the same thing, although there are some common characteristics. A BC plan is designed to include all departments in a company, but a DR plan is often focused on restoring the IT infrastructure and related data.

“A disaster recovery plan is an essential IT function and if not in place could result in company bankruptcy or severe reputational damage when data cannot be restored”, Przemysław Jarmużek, technical support specialist at SMSEagle. The financial costs involved are just another factor, he added.

What elements of a disaster recovery plan cannot be omitted? What’s the purpose?

Few company owners are psychics but things like insurance and DR plans reduce company risk, providing a framework for companies that allows rapid recovery of data and/or replacement of key hardware/software components.

Know your Network

Your company network administrator must have more than a fair idea of the software and hardware that are currently part of your network. Therefore, an ongoing inventory list is essential, most of which can be achieved by using network monitoring and auditing tools. These will allow a comprehensive list of computers connected to your network and the software on each. Note that license management is another part of this inventory control process and additional hardware is also added where appropriate. This additional hardware could include multifunction printers, hubs or routers and anything else that is needed for network functionality. Consider this inventory as your shopping list when disaster strikes. It is also worth noting which items have a long lead time (servers, for example). Creating an inventory of spare parts is a good idea and could save the day when disaster strikes.

Know your Disasters

It is pointless to instil fear in company owners about impending disasters. They are as aware of the risks as we are. Each company will have its own risks. Many of these risks are directly linked to its location, whether extreme weather conditions, risks of flooding, forest fires or loss of essential services and equipment. These are the most obvious, but to lapse into management-speak briefly, why not think outside the box?

Even the Pentagon has used a hypothetical zombie apocalypse to test their response methods and maintain a working government under these conditions. Consider alien invasions and any other scenario that could conceivably or inconceivably shut down company operations. How long would it take to resume work if each scenario happened?

If your company can continue operating during a zombie apocalypse (when essential services are down) then yours is truly a robust DR plan.

Now What?

What actions will you take for each disaster type? Obviously, if there is a flood scenario, the aim is to protect equipment again water damage. Perhaps placing all equipment high above the floor is a solution but how high is necessary? Given that you have drafted a list of possible and impossible scenarios, make sure that your solutions to each one is well documented, logical and possible at short notice. Bite the bullet and purchase or modify the equipment necessary to protect your IT infrastructure.

Unfortunately, not all water damage is caused by flooding, perhaps a water tank leaks through the ceiling of your server room and casually destroys the server, firewall and 24-port hub before you can move the server rack. How long will it take you to restore the server and network? Do you have a spare server, firewall and hub? In this scenario, a company is caught unprepared, unaware that water is stored above their equipment. Know where all water is stored and dispersed throughout your building and avoid such problems.

From this simple example, you must focus on minimising risk in as many areas as possible.

Tactical Teams

When a disaster happens, the priority is to make sure that all employees are safe and to inform them of current events.  Once this task is completed, who leads the disaster response? When a disaster occurs, it is too late to leap into action, assigning responsibilities on the spot. Responsibilities and tactical team members must be assigned as part of the DR plan. In addition, if zombies eat your designated team leader, then the backup must take over. Define employee responsibilities and have backups in place in case they are delayed or incapacitated. This last item is perhaps the most important. However, to be most effective, any interruption in network service should generate an alert to multiple DR team members. This is often achieved by cost-effective (and self-powered) network monitoring devices that utilise a GSM/3G network to send SMS messages and emails as soon as network traffic stops.

In conclusion, while the above lists the key elements of any successful disaster recovery plan, it is also worth noting that an untested plan is less than useless. Test your DR plan during off-peak hours to ensure it will work when needed. Test how long it takes to restore all your data from backup. Such activities will ensure that if the worst happens, you and your company will emerge unscathed to resume your company operations.

NXS-9750 device won IT Product 2018 competition in ComputerWorld Czech Republic

We are happy to announce that SMSEagle NXS-9750 device was awarded the prestigious IT Product award in 2018 of the twelfth edition of the IT Product of the Year contest of ComputerWorld magazine in Czech Republic!

ComputerWorld is a publication website and digital magazine for information technology (IT) and business technology professionals. It is published in many countries around the world under the same or similar names. Each country’s version of ComputerWorld includes original content and is managed independently.

The aim of the competition is to highlight products with characteristics that distinguish them from competing products of the same category. The evaluation emphasizes the positive difference from the competition and the benefits for the customer. This way, both the innovative products and the products with interesting functional improvements, significantly simplified control or, for example, with an exceptionally favorable price can be awarded to the final of the competition.

More information:

IT Product of the Year 2018 contest of ComputerWorld

Product prize description

 

SMSEagle devices can be purchased in the Czech Rep. and Slovakia through our sales partner IT AWACS.

Is your Disaster Recovery Plan Designed to Reduce Downtime?

Numerous reports, surveys and statistics confirm that commercial entities of all sizes are woefully unprepared for unexpected events. Ivenio IT stated that 54% of companies with less than 500 employees have a disaster recovery (DR) plan in place while 74% of larger companies had one. For smaller companies in the U.S., the figures are even worse with a Nationwide 2015 press release indicating that just 25% of companies with 50 or less employees had an active DR plan. Given the cost of downtime, surely we can do better?

We must as, according to Zetta’s infographic and online survey, there is much to improve, not least of which includes usage of the hybrid cloud and the fact that only 45% who experienced downtime issues bothered to make changes to their DR plans after the event.

Before delving into the benefits of a logical DR plan, an understanding of its meaning is necessary. Firstly, business continuity (BC) and DR are not the same thing, although there is an obvious overlap in business goals. BC reflects the efforts to avoid loss of service or downtime while DR reflects the response required to resume activities after the worst has already happened.

Disasters can include cyber events, extreme weather conditions, fire, flooding, loss of a key staff member, service interruptions from third parties (most commonly electricity or broadband), hardware failure and human error.

“This list is not exhaustive, and the formulation of any disaster recovery plan must include a risk analysis step in the early stages to identify potential risks that apply to your company or industry. Once risks are identified, you can brainstorm on ways to solve them immediately or at least initiative a process that will solve them in the fastest possible time”, said Radosław Janowski, product manager at SMSEagle.

Sounds reasonable, but how about an example?

Disaster Recovery in Action

Okay, let’s take a simple example to demonstrate DR in the real world. Company X is located in a commercial district and their primary data server goes down due to water damage from a leak in the ceiling. As the smoke indicates, the server is out of commission and business activities grind to a halt along with the company network.

Fortunately, Company X has a DR plan in place. The risk of server loss was correctly identified and the solution proposed was an offsite real-time backup in the cloud (in a data center that is not impacted by local power or service outages). This means that all Company X clients are unaware of a technical issue and business continues uninterrupted. Company X employees are not connected to their local server but they can also continue working using a mobile broadband option. It’s not ideal but gives the IT team (and a plumber to fix the leak) the time necessary to repair the damaged hardware and restore everything from cloud backups.

There you have it. DR in action. The disaster occurs, the DR team (usually IT) are notified automatically and the backup solution is in play while the cause and effect of the disaster is fixed.

“Automatic notification is key as any delays only increase costs. In this example, if equipment is not moved from under the leak, then instead of a single server, perhaps an entire rack (with hubs, routers, firewalls etc.) is compromised”, said Przemysław Jarmużek, technical support specialist at SMSEagle.

Automating alerts is certainly necessary, given that disasters need not occur during office or support hours.

Strategise then Plan

When designing a DR plan, brainstorming is necessary. Think about every aspect of your business and the infrastructure that supports it. Think about your service and utility providers. Think of the unexpected. Even discussing a zombie apocalypse has implications that are of benefit in a disaster recovery process, even if it relates to building security. Once you have exhausted ‘what if…’ scenarios, you are ready to offer strategies to solve them.

“Preparing for the unexpected is not a wasted exercise but makes excellent business sense.”, said Radosław Janowski, product manager at SMSEagle.

Once you define potential threats, you can then create a prevention strategy that includes response and recovery options that evolve as needed.

In conclusion, ISO/IEC 27031, the global standard for IT disaster recovery, states that “Strategies should define the approaches to implement the required resilience so that the principles of incident prevention, detection, response, recovery and restoration are put in place.”

Do your DR (for IT disasters and others) strategies follow this approach? They should.

Stats and Surveys Confirm Rising Downtime Costs for Data Centres, SMBs and Enterprises

Whatever the size of your business or its activities, network downtime has an impact. An obvious observation, it’s true, but have you ever tried to quantify it in terms of actual monetary damage? Have you considered the fickle nature of customers? Reputational damage? Does your disaster recovery plan include the time taken for hardware replacement in the event of a catastrophic failure?

If you have, well done. If not, then there are several surveys that demonstrate the real damage caused by unexpected downtime, whether you run a data centre or your internet activities are limited to an internal network.

“In most cases, network outage causes business disruption. In some cases, where redundant services are not in place, your business effectively grinds to a halt”, said Przemysław Jarmużek, Technical Support Specialist at SMSEagle.

You don’t have to be in a technical industry to be impacted by downtime.

“Take your typical professional service provider, such as those in a legal or accountancy area. When their network goes down, they must resolve it as quickly as any other company, given that technology is ubiquitous when communicating with clients. Many have industry-specific solutions for case or client management to facilitate regulatory requirements that are inoperable when the broadband connection is lost. Clearly, in such situations, an emergency alert system must include a means of detecting a lost connection and informing those who can fix it, whether an inhouse IT team or a contracted external company,” said Radosław Janowski, Product Manager at SMSEagle.

Costs Are Rising?

Okay, we know that downtime is to be avoided but what are the costs and are they rising or reasonably constant? Several surveys provide the answers we seek. Let’s consider data centres as they are key to cloud services, e-commerce stores and access for remote or travelling employees.

A 2016 Ponemon Institute survey demonstrates the rise in downtime costs for U.S. data centres from 2010 to 2013 and in turn to 2016. While the cost varied, the low, average and highest costs increased each year. For example, in 2010, the average downtime cost per minute was $5,617. In 2013, this increased to $7,908 and in 2016, rose to $8,851.

Other important conclusions from this survey include:

  1. Companies that depend on data centres have downtime costs that are rising faster than their counterparts who are not dependent on data centres.
  2. Uninterruptible power supplies (UPS) is the number one cause of unplanned outages, affecting 25 per cent of those surveyed.
  3. Cybercrime is the fastest growing cause, causing 2 per cent of outages in 2010 but 22 per cent in 2016.

“UPS and cybercrime can both bring down a network, preventing traditional network alerts. I recommend a solution that can alert those responsible for the network in a timely manner, one that has its own battery and can use mobile networks as a communication option. In fact, we make those solutions”, joked Janowski.

Other Relevant Surveys

Downtime costs will vary by company, size, industry and reliance on third-party data centres but one thing is clear. Downtime is bad and prompt response times by IT teams reduce costs…

Let’s look at some other surveys that show downtime costs, a useful reference for those seeking to justify a robust disaster recovery plan, regardless of whether the outage is caused by hardware failure, ransomware or service failure.

2017

  1. An Imperva survey of 170 security pros at RSA focused on ransomware with those impacted indicating that downtime caused ranged from less than 8 hours to more than 2-3 days. In fact, 59 per cent of those surveyed were more worried about the cost of downtime compared to 11 per cent for paying the ransom. On the positive side, for ransomware related downtime, the costs were less than $5,000 for 44 per cent of respondents.
  2. CloudEndure’s survey focused on disaster recovery and, as it was in 2016, human error is the biggest risk to service availability and responsible for 23 per cent of downtime. Network failures were in second place at 17 per cent and in third, external threats.

“Human error is a common problem but can be reduced by regular in-house training by the IT team”, said Jarmużek.

  1. ITIC’s annual survey of 709 global companies covered small and medium business, SMEs and large enterprises and offered some interesting insights. 79 per cent of all companies, regardless of size, expect 99.99 per cent uptime. This equates to 52 minutes of downtime per year…

2016

  1. IHS Inc’s 2016 press release and related survey claimed that downtime is costing North American organisation $700 billion each year.

In conclusion, downtime is possible and costly. The only way to combat it effectively is to build redundancy into as many systems as possible and by ensuring those tasked with fixing any technical issues are promptly informed to reduce the costs associated with prolonged outage. A robust disaster and response plan will allow your company to prepare for almost any eventuality. Is yours up-to-date? What’s your hourly downtime cost?