Performing an IT Health Assessment

Released Tuesday, 31st March 2020

Main Points

Performing an IT Health Assessment is necessary because you have to periodically inspect the work that your IT guys are doing. People will respect what you inspect. Make sure that you aren’t being cornered by terms you don’t understand.

Welcome to another episode of IT Insecurities, the show dedicated to helping you as a business owner conquer your insecurities about information technology by giving you the information you need to succeed.

My name is Nathan Zimmer, the self-proclaimed Geek Speak Guru and Tech Talk Translator, coming to you today from an undisclosed location here in Tulsa, Oklahoma. It is currently 4:11 AM on a Saturday.

I am amped and excited today to bring you some more knowledge you can’t get in college, and I would know… but my goal is to talk about boring things  in a way that won’t leave you bored or confused. 

If you haven’t already checked out our previous podcast you can by clicking the link below.

The Importance of Systems: Why we do what we do

On today’s show we break down “IT Health Assessments.  Why do we need them?” and look at what the Security Breach stats from Forbes really mean for you as a small business owner.  

Why do we need an assessment? There is some business owner out there who is asking even now why do I need to do an assessment? My business is running fiiiiiine.

Well, dear listener, I’m glad you asked. I would direct you to the stats. I have with me today a few numbers that could be shocking.

So the answer to why you need this would be: you don’t, if you want to permanently dissolve your business.

But according to “2017 Disaster Recovery Statistics that Businesses Must Take Seriously,” 96% of companies survive ransomware if they have a reliable BC/DR solution.

 I have a report published back in August of 2019 and here’s the title…

Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019

Today I want to break down these horrifying stats and see 3 specific action steps we can take to mitigate the risk of your business being one of these companies affected.

“According to Risk Based Security research newly published in the 2019 MidYear QuickView Data Breach Report, the first six months of 2019 have seen more than 3,800 publicly disclosed breaches exposing an incredible 4.1 billion compromised records.

Perhaps even more remarkable is the fact that 3.2 billion of those records were exposed by just eight breaches. As for the exposed data itself, the report has email (contained in 70% of breaches) and passwords (65%) at the top of the pile.”

This is crazy. Many of these breaches occur, but without some form of IT Health Assessment the business would never know its records were even compromised.

“The majority of breaches reported this year had a moderate to low severity score,” the report stated, and exposed 10,000 or fewer records.

This is important because many businesses wrongly assume they are too small to be on the radar of the threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores.

Your average cyber-criminal is lazy and will scrape up any data exposed by running automated online scripts looking for unsecured databases. The big breaches make the headlines, but bread and butter everyday incidents make the money for most threat actors out there.

Overview

  1. Determine where you are at.  Perform an IT Health Assessment
  2. Build a plan.  Get everyone in the room from all areas and disciplines
    1. Reference Bill Cambell
  3. Hold employees accountable
  4. Train on procedures
    1. Use the quote from Forbes

#1 Perform an IT Health Assessment

You have to know where you are to know where you are going.  

Businesses run on goals.  Financial Goals, Production Goals, but in small businesses IT goals usually don’t get the primary focus.  

The whole point of having IT is to get the most out of your technology.  That doesn’t happen by default. You have to have goals for things you want to see implemented in your company.  Many business owners don’t know that their systems could operate more efficiently.

But before you can attain your goals you have to obtain a better knowledge about your systems.

“And you will know the truth, and the truth will set you free.”

John 8:32

The information we present in this podcast is really just the first step in finding the truth about where your IT business systems are at.

And that in the end that truth will set you free.

Over the 20+ years of working with businesses we’ve developed what we affectionately call our Motion Management System.  

It’s a 6-step process that we use to help businesses manage their computer systems and help them reach their business goals.

And a lot of the information today comes directly from the questions that we would ask in our free IT assessment.  This is really just a way for us to get to know any potential business that wants to work with us.  

We include questions in the 5 areas of business IT health.  

  1. Technology
  2. Data
  3. Security
  4. Automation
  5. Training

And today we will take you through some of these questions we ask our clients when they sit down with us for their free IT assessment. 

The best way to think about this process is to keep a doctor’s visit in mind.  When you go to the doctor they start by asking you some basic information about your body.  

  • Is there a history of high blood pressure?
  • Have you traveled outside of the country recently?

They establish a baseline of information and then when the doctor examines you and goes to prescribe a medication he knows that what he’s giving you is the right thing.

It’s the same thing with the IT health assessment. It’s like a doctor’s visit for your company’s IT systems. But to continue this analogy further, scheduling your free IT assessment with us is like going to the doctor and only having to pay for the prescriptions he prescribes, but getting the actual visit for free.

One thing that is helpful is one meeting where you air all issues out in the open.

It’s important to get all your staff in the same room and talk about the issues. This is part of the IT Health Assessment and essential to the productivity of your IT systems.

  • Don’t send out an email and hope everyone is going to care about this.
  • Encourage people to talk in the meeting openly about what problems they’ve seen.

 Have there been any problems you haven’t heard about?  What are they?

This is important because when you know the type of issues you’ve been having you can determine what systems you may need to implement.

  • Denial of Service
    • Multiple computers try to access your server all at one time, making it really, really slow.
  • Social Engineering Attack
    • An attacker manipulates people into giving access to information the attacker shouldn’t have.

Social Engineering Attack

The 2016 and 2017 Accenture report says that 69% of companies experience some kind of social engineering attack.

According to a 2018 study, two out of ten employees, or about 17 percent of people, fall victim to these social engineering attacks, unwittingly allowing hackers access to their computer or even the entire company’s network.

At the same time, a cyber security report put out by FireEye says that it takes an average of 146 days to detect a successful phishing attack.

That’s basically 5 months before you realize what happened!!

I actually have an example phishing email to read.

HR@knowbe4.com

10:45 AM (1 hour ago)

to: stus

Stu,

I noticed that a user named securitybull72 (claiming to be an employee) in a security forum posted some negative comments about the company in general (executive compensation mainly) and you in specific (overpaid and incompetent). He gave detailed instances on his disagreements, and doing so, may have unwittingly divulged confidential company information regarding pending transactions.

The post generated quite a few replies, most of them agreeing with negative statements. While I understand that the employee has the right to his opinion, perhaps he should have vented his frustrations through appropriate channels before making this post. The link to the post is located here (it is the second one in the thread):

www.spiceworks.com/forums/security/234664/2345466.

Could you please talk to him?

Thanks.

Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Action Steps

  • Train employees!!!!   

“If you think that this is because they are not techies or they do not know what social engineering is, think again. The study found that three percent of security professionals were guilty of not being cautious enough to check out the link or make sure files attached to emails are safe to download.”

Social Engineering Attacks by the Numbers: Prevalence, Costs, & Impact

It’s not just the untrained, it’s everyone. That’s why it’s so important to train and test employees. This is part of the IT Health Assessment. Determine where your training procedures are currently.

  • Test Employees 
    1. Actually send out your very own phishing attack or social engineering attack and see if they fall for it.  
  • Back up your systems in case you do fall victim
    1. People are people.  One of the biggest insecurities in IT is not the technology but the people who use it.
  • Email filters — filter emails into spam 
  • TOMA – Top of Mind Awareness
    1. Keep your team security conscious and up to date on the latest threats and scams.

#2 Build a Plan – Get everyone in the same room

The next thing you want to do is bring your senior staff together. Which of these issues can we address? Get everyone in one room together and encourage communication.

#3 Hold your employees accountable

Action Step

  1. The biggest problem with being insecure about technology or not knowing about technology is that it hinders your ability to hold your employees accountable.

Here’s the thing: it’s all about accountability. Many times business owners only get involved with their IT systems when something goes wrong. They don’t pay attention to what an IT technician or their employees are searching until there is a virus on their systems, all because someone wanted to click the link saying they want a free trip to Hawaii. And that right there is the best way to always be caught off guard with a lawsuit or potential production-halting incident.

When you don’t have someone who can clearly outline what kind of maintenance is being performed on your systems each month, there is no accountability.

“People respect what you inspect.”

Clay Clarke

And really that is what the whole show is about.  

We publish these shows to train you as a business owner so that your IT support staff doesn’t take advantage of you. We give you some of the basic information you need to succeed. Maybe you don’t know everything there is to know, but you know enough to know when an IT support technician is scamming you or being lazy.

In other words you know enough to ask the right questions. 

#4 Train on procedures

“The majority of breaches reported this year had a moderate to low severity score,” the report stated, and exposed 10,000 or fewer records.

This is important because many businesses wrongly assume they are too small to be on the radar of the threat actors. The truth is that it is all about the data, and small businesses often have less well-guarded data stores.

Your average cyber-criminal is lazy and will scrape up any data exposed by running automated online scripts looking for unsecured databases. The big breaches make the headlines, but bread and butter everyday incidents make the money for most threat actors out there.

Forbes (https://www.forbes.com/sites/daveywinder/2019/08/20/data-breaches-expose-41-billion-records-in-first-six-months-of-2019/#694b4cd9bd54)

Train. Continue to train. Train some more. Then when you think that they know, train some more. Make sure that the IT Health Assessment includes this training.

Final Thoughts

“Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, [and] giving birth to evolution.”

Albert Einstein

Imagine what you could do if your systems worked for you and not against you.

If you want to see what these systems really entail, remember to subscribe to the podcast and give us a call at 918-218-2228 or email us at info@centupli.com to schedule your FREE IT HEALTH ASSESSMENT today.

As always this is Nathan Zimmer giving you the IT knowledge you can’t get in college about the processes and systems that work.
