You come to work with all systems operational: patients are being checked in. Nurses are filling out charts. Doctors are prescribing medicine. Everything in your hospital is working exactly how it should.

In an instant, that changes. Your system is down, and now patients can’t get checked in, nurses can’t access records and crucial information that might save a life, can’t be accessed.

Can you afford that?

Technology unites us all. From banks to hospitals, we’re living in a period where technology is not only evolving but so is the experience you need to maintain your daily technology operations and innovate. Where technology gains in efficiency and security, so to do the ways in which hackers and malicious cyberattackers decide to threaten it.

In the last 3 years alone, over 11.7 billion records were lost or stolen by hackers in the United States, according to an IBM Study, in 2019. And when data breaches happen, targets feel the burden for years.

Why do companies look to outsource their information technology needs?

With threats increasing and technology advancing, companies are looking to their internal teams to help protect them from high-level attacks and to secure their confidential information, on top of staying operational for day-to-day business. But when you are a small to mid-sized company, those resources might not exist or have the capacity to truly protect your environment.

Below are some of the top 3 reasons we see companies turning to outsourced managed I.T.

Want to learn more about implementing multi-factor authentication for your business? 

We’ve talked a lot about the importance of changing your password and making sure you choose passwords that aren’t easily guessed. And while you should always beef up your password game, no matter how strong a password is, there’s still potential for attackers to gain access through a phishing scheme or an email interception.

Want to learn more about implementing multi-factor authentication for your business? 

It’s likely your company depends on several pieces of technology to consistently deliver a seamless product or service to your customers. When you consider that, protecting your technology assets and the IT environment that supports them for day-to-day business is a crucial aspect of your overall business strategy. 

Have questions on how this affects your business? 

Cloud services have modernized the way company's work and allow for collaboration in any place, with any device. At Five Nines, we’re big fans of Office 365 applications, but there are so many features of the platform, that it can get confusing to understand which ones you should use, and how they integrate. Let’s break down some of our favorite applications and how you could leverage to improve your workplace communication and collaboration.

Have questions on how this affects your business? 

As we close out the end of the year and look ahead, it’s important to keep cybersecurity top of mind in 2020. As a business, taking the time to educate your team about cybersecurity can help create a security-conscious company culture, where people are not only aware of the risks, but they’re also able to spot them before they unknowingly create a costly mistake for the company.

Have questions on how this affects your business? 

As technology continues to change, the number of ways your company can be targeted in a malware attack grows. At Five Nines, we put a major emphasis on educating our clients about what potential attacks could do to their operational systems, while also preparing their network to fight these attacks and keep systems secure as the designated IT services provider. While we do install anti-virus software for our clients, it’s only one tool in our belt, given that additional layers of security are needed now that hackers are more sophisticated. Before we get into why you can’t solely depend on anti-virus to stay secure, let’s define terms that are crucial to understand when we’re talking about anti-virus software and security. 

Malware is a broad term that really defines any malicious code or program that gives an attacker explicit control over your system. It may refer to all types of malicious programs including viruses, bugs, bots, spyware, etc. and even ransomware.

Anti-virus - Anti-virus software, also known as anti-malware, is a computer program used to prevent, detect, and remove malware.  It’s the most commonly used weapon against malware.

Layered Security -- Layered security, also known as layered defense, describes the practice of combining multiple security controls to protect assets, such as resources and data. 

Now that we have some context, let’s talk about why anti-viruses can’t keep up with the increasing number of malware attacks. While there’s been thousands of cyber-attacks, one that really called attention to this growing issue of anti-virus protection happened in 2013. Over the course of three months, attackers installed 45 pieces of custom malware and stole crucial information from The New York Times. The Times — which uses anti-virus products made by Symantec — “found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it.” The IT services team just didn’t catch it.

To get rid of the hackers, The Times, “blocked the compromised outside computers, removed every back door into its network, changed every employee password and wrapped additional security around its systems.” Ultimately, this is just one example of how hackers can create software that surpasses anti-virus software. They’re now able to design a piece of malware, run it on a computer with that anti-virus product to see if it will be detected, and if it is, then they can modify the code until the anti-virus software no longer detects it. What this means is that unless a traditional anti-virus software has seen a particular threat in the past, it won’t necessarily protect your computer. There are other new products that are able to ward off some of these new threats. For example, Cylance Inc. develops anti-virus programs with Artificial Intelligence to prevent, rather than re-actively detect, viruses and malware, this is also referred to as “Next Generation Protection”. So, what else can you do to stay secure?

1. Keep Your Systems and Software Up-To-Date: One of the most common ways hackers launch attacks? Exploiting vulnerabilities in operating systems and software that are out of date. Simply put, when technology reaches its End of Life or End of Support date, patches, bug fixes, and security upgrades automatically stop, putting your technology at risk for an attack. Educating your team about when and how to update software and systems can keep you safe. Our IT services team works to monitor when these End of Life/End of Support dates as well.
2. Firewall installation: You will want a business firewall to keep your company data protected.  You can implement a firewall in either hardware or software form, or a combination of both. Your IT managed services provider can help you set this up and monitor it for success on an ongoing basis.  There are next-generation firewalls as well. Unified threat management (UTM) provides multiple security features and services in a single device or service on the network. UTM includes a number of network protections, including intrusion detection/prevention (IDS/IPS), gateway antivirus (AV), gateway anti-spam, VPN, content filtering, and data loss prevention, just to name a few.
3. Encrypting Information: If a hacker can infiltrate your system, encrypting your files can make the information useless if it is stolen. Encryption is the most effective way to achieve data security because it turns your crucial information into code. To read an encrypted file, someone would need access to a secret key or password that enables them to decrypt it. BitLocker, Microsoft’s easy-to-use, proprietary encryption program for Windows can encrypt your entire drive, as well as protect against unauthorized changes to your system such as firmware-level malware. 
4. Password Management: We’ve talked about this before, and we encourage you to create a password protocol for your company. Changing passwords often and ensuring the passwords are difficult to guess are two ways to protect yourself. You can read more about our password tips here.
5. Image-Based Backups:  It’s important to be in a position to recover your environment with backups if you encounter a breach. At Five Nines, we use image-based backups to keep your business running. Image-based backups are just what the name states: an image of your entire operating system, rather than individual files on your PC. 

The purpose of multi-layered security is to stop cyber attacks on different levels, so they never reach the heart of your system and affect essential information. While it’s crucial to use anti-virus software, it cannot be your only line of defense. 

Have questions on how this affects your business? 

It's likely you have insurance plans for all of the unforeseen circumstances in life: apartment fires, cell phone accidents and even getting sick. You may think of these plans as no-brainers, but have you considered whether you need the same insurance for your cybersecurity? 

According to a recent study completed by IBM in 2019, it’s estimated a data breach on average can cost a business roughly 3.9 million dollars. That number is still hard to pinpoint, given that many major companies may not report breaches due to PR concerns. Costs may vary for every business, but cyber-related security breaches are affecting organizations all over the world, large and small. 

A cyber-insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage, isn’t a tech solution, but it can be a fail-safe for your business when something goes wrong. A policy can help you decrease your risks by offsetting costs that are related to a cyber breach or event. 

There are a few aspects you need to discuss with your team, whether that’s your IT services provider or internal team, before purchasing cyber insurance and deciding what policy may best protect your organization:

1. What it covers: Cyber insurance typically covers expenses related to first parties as well as claims by third parties. Common reimbursable expenses include: forensic investigations that were needed to determine what happened, remediation costs for recovering data and services, monetary losses due to business interruptions, required data breach notifications to notify customers and affected parties about the breach and even legal expenses associated with lawsuits or extortion. Your IT support team can also help you understand what it covers as well.
   
2. Who needs it: If you have even a single computer in your organization, then you have electronica data or services that are important to your business operations. At Five Nines, we strongly believe that cyber insurance is a mandatory component of a complete business risk-management strategy.
   
3. How to determine what you need: Consider how your business would be impacted if your data and IT systems were unavailable for a day or two. If you’re in a regulated industry, you likely have mandatory expenses if personal identification or health information is breached. Though it’s never recommended to pay the ransom if your data is held, the demand could be tens, hundreds or thousands of dollars – those costs can be colossal compared to a cyber insurance premium.

After you evaluate these areas, you should meet with an insurance agent to discuss coverage amounts, premium costs, and deductible or retention costs. Some providers have packaged ‘business policies’ with a small amount of cyber insurance included, but those coverage amounts are often far from adequate. While every business has different insurance needs, a few general indicators of a policy with good coverage are:

• Look for a standalone cyber policy from a leading provider such as Chubb, Travelers, Hartford, Beazley, AXIS, Hiscox, Zurich, Liberty Mutual, or similar.
• Consider a policy with a deductible/retention of $10,000 or more. Policies with lower deductibles may be an indicator of inadequate coverage or an excessively-high premium.
• Line-item coverage limits should be in the hundreds of thousands or millions for specific cyber incident costs, such as Business Interruption coverage, Breach Notification and Remediation coverage, Crisis Management coverage, Extortion or Ransom coverage, and Data Restoration coverage.
  

  You won’t be able to 100% protect your company from cybercrime, but you can set yourself up for a best-case scenario ahead of time by obtaining cyber insurance. Take the first step by talking to your IT team to assess your insurance needs, then contact a reputable insurance provider to review policies.

  Need cyber insurance but don’t want to do it alone? Let’s chat.

Have questions on how this affects your business? 

As business owners, we typically prefer not to think about what would happen if we suddenly lost all of our company’s data and crucial information through a breach or accident. With client trust on the line and possible lack of compliance with regulation, there’s major potential for disaster. Ignoring this is a blind spot that puts our business, and our customers in jeopardy. While IT support can help, we still have to be mindful of planning ahead. 

If you’ve been through a personal data loss with your own computer or phone, then you know there are often ways to restore information, but that still takes time and effort. And the “disaster recovery process” only goes smoothly if you’ve completed backups.

To take a step back, it’s important you understand there’s a distinction between a backup and what’s called “disaster recovery.” A “backup” is the process of creating an extra copy (or multiple copies) of data. You back up data to protect it. You might need to restore backup data if you encounter an accidental deletion, database corruption, or problem with a software upgrade.

Disaster recovery, on the other hand, refers to the plan and processes for quickly reestablishing access to applications, data, and IT support and resources after an outage. That plan might involve switching over to a set of servers and storage systems until your main data center is up and working again. Or, working with your IT support to develop more solutions. 

If you want your business to continue running smoothly after a breach or data loss, you have to have a master plan for recovery. Being from the state of Nebraska, we’ll use a simple football analogy to explain: If a quarterback fumbles the ball, how does the team pick it up as quickly and as efficiently as possible so they can make another touchdown? No teammate is pausing to ask each other, ”What should we do?,” they’re bobbing and weaving into the next play.

Remember, a backup strategy is different than your disaster recovery strategy.  Copying your data is the first step and creating a disaster recovery plan as an insurance that guarantees its recovery is the second one. To create your company’s disaster recovery game plan, what you should consider is the cost of downtime for your business (how long can you afford to be out of the game before your fans leave the stadium) and these three plays:

1. How often are you currently completing back-ups without errors or exceptions? Include your personnel in the plan, your internal team members and your IT support, and determine how frequently backups should be performed, who will perform them and who will be on call to restore data in the event of an emergency. Also build a QA process into your plan to ensure the data that is backed up is consistent and free of errors.
   
2. What are your data retention requirements? Backups are typically performed daily to ensure the data is retained. But, your team should consider what your RTO (recovery time objective) is in your overall plan, so there’s a baseline understanding of what the maximum amount of time is that YOUR business can be without IT systems.
   
3. How would you recover if something happened? Would you have your IT support team ready to step in and help support new infrastructure if your hardware or resources became compromised? It’s important to consider the little details. How are you actually double checking the relevant data you need is backed up? Do you understand the type of files and whether that type needs to be backed up? What is your IT support team responsible for versus your internal staff? Building a complete disaster recovery plan means sitting down with your team and thinking about every scenario. 

By having a process in place, disaster recovery planning does become an integral part of your business’ IT strategy, and when you plan, you show your customers you truly care about keeping them safe too. 

Need help developing a disaster recovery plan and managing your backups? Let’s chat.

Have questions on how this affects your business? 

2020 is quickly approaching and it’s already time to start strategically planning to hit next year’s IT goals. Our rule of advice is that your team should sit down and map out your technical environment for the next 18 to 24 months, and set a 3-year budget that goes hand in hand with your strategic planning. You won’t know what you’ll need to spend until you do your homework, so here’s what matters when it comes to building a successful IT plan for 2020.

1. Identify what equipment is currently performing well versus what may need to be replaced.

This process is known as “IT asset management” and it typically involves gathering all of your company’s hardware and software inventory information and completing an audit. Your team will need to identify what needs to be replaced, what can be potentially reused and where the gaps are in your technology equipment. Your IT services provider can also help with an audit. You want to take note of how your equipment is currently performing, the age of the hardware and inventory all hardware or anything that has a renewal date such as a warranty, domain, or SSL certificate so you can budget for those costs as well.

2. Stay aware of end-of-life and end-of-support dates for your technology.

Your IT services provider should be alerting you about when these dates are fast approaching. To learn more about the difference between the two, you can read our previous post here. Essentially, end-of-support means that the product provider you work with has decided to no longer provide a support line. And, end-of-life date is a term used to describe when a product is no longer for sale. You should plan for both of these scenarios as businesses can experience compromised data security, decreased productivity, higher maintenance costs, non-compliance and problems with scalability.

3. Complete a risk assessment with your team.

Create a series of questions that assess your standards, guidelines and best practices and use the assessment on an annual basis to understand where the gaps were. Was there a data breach you weren’t technologically prepared for in 2019? Did you run into complications with equipment you’re currently using that cost you man-hours? Your team should look at what was effective and ineffective in your IT infrastructure. And, you can use cybersecurity standards such as NIST or ISO to understand what may be a priority for 2020 to protect your business.

4. Consider if you have the right tech talent on your team.

Whether it’s an IT services partner or an internal hire, decide who you need on your team to execute the strategy you’ve developed for your business. If you’re needing to bring in an external partner or new hire, you’ll want to include this cost in your overall budget and consider what the return on the investment may be.

5. Prepare a budget that prioritizes your company’s needs. 

Your IT services team can be a resource to rely on when deciding where you want to allocate your dollars. As we said, map out a 3-year budget to go with your strategic plan. Consider what the top priorities are, what you have coming up in your IT pipeline (new projects where IT may be key), pay increases for your IT talent and all of the equipment and renewals that may need to be replaced. Even getting vendor proposals and recommendations ahead of time can help you better estimate what you'll likely need to spend on initiatives. Your team should look at your overall business structure and make budgetary decisions based on how IT can sustain, protect or considerably decrease your bottom line. 

While we know this process of IT strategic planning can take time and energy, it's worth it to eliminate future headaches that may come from lack of preparation.  If you’d like to better understand how to plan for IT in 2020, we are here to help. Contact us today.

Have questions on how this affects your business? 

Change is hard.

Ask any business owner and they’ll tell you that the slightest change can cause ripple effects throughout an organization if not properly administered. Changing the way you manage and maintain your IT is no different, which is why it’s important to understand the details of your new relationship with a managed service provider.

MSP’s, like Five Nines, offer a varying degree of ways they deliver services to their clients. Because of this, understanding the agreements in place will ensure there are no surprises as the relationship progresses. Here are a few different things to keep in mind when reviewing a managed service agreement.

Service Model

Generally, there is a flat monthly fee you will pay all managed service providers. The recurring amount you pay covers a differing amount of service delivery models.

1. Time & Materials (T&M): these agreements are generally a smaller (think retainer) monthly fee, with additional charges for support that isn’t considered regular maintenance or monitoring. You can expect an invoice, in addition to the monthly fee, at the end of the month for the amount of time that was spent supporting your environment.
2. Select: in a select agreement, your monthly payment covers a specified amount of time allocated per month to your business. Any time that goes into supporting your network that goes over your allotted time will be charged at an hourly rate.
3. All-You-Can-Eat: this monthly fee is determined either by the amount of employees at your business (Five Nines' model) or amount of devices that are being supported, and covers all support (both onsite and remote) with no additional fees.

What hardware do you own?

A common trend throughout the managed service industry is offering hardware-as-a-service (HaaS), which means MSP's will place hardware within the environment that offers an added benefit of security and manageability. They’ll do this charging a monthly fee for those services, which reduces the amount of capital needed up front to switch providers.

Always keep in mind what hardware is yours and what is your MSP’s. This is helpful if you ever decide to switch providers, knowing you’ll have to replace or buy that product from the provider.

Additional Monthly Services

Along with with the monthly support fee, there are some fairly common additional charges that will be on your managed service agreement:

• Backups: backups are the most critical aspect of your environment and must be properly maintained in case of a data breach. Oftentimes, there is a separate charge for backup software and offsite storage costs, which are always worth the peace of mind to ensure 100% backups.

• Additional Software: most MSP's are going to offer some variation of software that adds additional security benefits, such as antivirus and anti-spam tools. Five Nines includes both of those in their monthly support amount, but a tool like encrypted email is a service that you will be charged for.

These different pieces are generally what make up managed service agreements, but it’s always important to carefully review all charges on a proposal or invoice. Having a clear understanding of what you’re paying for will give you the peace of mind that your network has the proper tools to stay up efficient and secure.

 What does it look like when IT becomes an asset? Click below for the free Five Nines Power Hour "IT As An Asset", as we dive into IT responsibilities, service requests and security, as well as technology standards, budgeting, and IT training and knowledge.

ABOUT THE AUTHOR

Scott Pulverenti

Account Executive 

As an Account Executive, Scott is responsible for building relationships, solving problems, and extending the Five Nines brand into new markets.

Facts About Me

- I've recently become an avid runner. My goal is to run a full marathon!

- I'm a huge baseball fan - Go Royals!

- If I'm ever feeling down, you can usually find me chowing down on some grilled hot wings from the Watering Hole.

- In my free time I really enjoy cooking! I like my eggs over-easy, peppered, and with Louisiana hot sauce.

- I'm a bit of a history nut and have been spending a lot of my time recently reading about the American Revolution.