What is CMMC, and why should you care? CMMC stands for Cybersecurity Maturity Model Certification. It is a Department of Defense (DoD) program created to better protect the sensitive but unclassified information that flows to defense contractors (Federal Contract Information and Controlled Unclassified Information; classified data is governed by separate rules). Essentially, to do business with the DoD you now have to prove you are taking cybersecurity seriously by certifying against this model. Even if your business will never be subject to CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, a few friends (not customers) privately reached out to me to discuss security breaches of various sorts. As I advised them through their particular scenarios, I inevitably learned that they could fairly easily have avoided the breaches altogether. Of course, just as a doctor can often diagnose a common illness at a glance, a security advisor can often do the same with a breach. I'm careful not to chide my friends in these instances, because I certainly don't want to add insult to injury. Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after. How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to defense contractors, other regulated industries will take note. Health and finance regulators in particular will watch how CMMC implementation drives better regulatory controls. How effective was adoption of the new requirements? How did DoD contractors soften the financial blow of implementing them? What can other regulators learn about rolling out new security regulations? Regulators will ask all of these questions as they look for ways to motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here's a sobering security statistic: according to CNBC, roughly 85% of America's critical infrastructure is privately owned. That means the Colonial Pipeline ransomware shutdown of May 2021 could be just the beginning. As these regulations are applied to regulated industries in the private sector, they will likely reach every other business through more practical channels, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The rise in business security breaches is already pushing the insurance industry to raise rates and tighten underwriting. According to Chainalysis' Ransomware Update of May 2021, ransomware payments grew more than fourfold in 2020 (from $92.94M in 2019 to $406.34M in 2020). Increases like these leave insurers looking for ways to mitigate their risk. One approach is to fund investigators who work with law enforcement to trace, freeze and recover ransom payments before the attackers can cash them out.

Some carriers have introduced security questionnaires that automatically deny coverage to applicants who fall short on basic cyber hygiene (multi-factor authentication and tested, offline backups are typical gating items). Meanwhile, rising claims raise the insurers' cost of doing business, which translates into higher premiums. Those higher prices and mandatory screenings will force businesses to take security more seriously. The higher your operational maturity as it relates to security, the lower your insurance costs will be, and the better your odds of being insurable at all. It's that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built on the NIST SP 800-171 controls. Those controls are sound practice for any organization, regardless of size or industry. Some are simple and familiar: don't reuse passwords, and use multi-factor authentication on your user accounts. Others are less obvious. For instance, how many smart devices are in your organization (TVs, thermostats, alarm systems, Alexa and the like)? Are any of them on your primary business network? Do you have a policy and a process for how such devices are brought into the business? Do you routinely check your network for them? The practical answer is an inventory of everything on the network and a separate network segment (VLAN) for the smart devices, so that a compromised TV cannot reach your file server. The spread of smart-everything (IoT, the Internet of Things) is going to complicate business security. There's no way around that.
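As an added example (not from the original post), here is a small Python check for the "do you routinely look?" question: it parses the output of `arp -a` from a Windows workstation and reports every device whose MAC address is not in your asset inventory, with a vendor hint taken from the MAC's OUI prefix. The ARP output, the inventory and the OUI-to-vendor table are constructed placeholders; in practice you would feed it the real `arp -a` output (or your switch's MAC address table) and the IEEE OUI registry.

```python
"""Inventory check for unknown / smart devices on a small business LAN.

Added example, not code from the original post. It reads `arp -a` output
from a Windows workstation, normalises the MAC addresses and compares them
against an asset inventory. Anything not in the inventory is reported with
a vendor hint derived from the OUI (first three bytes of the MAC).

Assumptions: the ARP output and the inventory below are constructed sample
data, and OUI_HINTS is a placeholder; use the IEEE OUI registry in practice.
"""
import re
from dataclasses import dataclass

# Matches lines such as "  192.168.1.23    a4-5e-60-10-20-30    dynamic"
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\s+(?P<type>\w+)",
    re.IGNORECASE,
)

# Placeholder OUI -> vendor map (assumption: replace with the IEEE registry).
OUI_HINTS = {
    "AA:BB:C1": "SmartTV-Vendor (hypothetical)",
    "AA:BB:C2": "Thermostat-Vendor (hypothetical)",
    "AA:BB:C3": "Firewall-Vendor (hypothetical)",
}


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    vendor_hint: str


def normalise_mac(mac: str) -> str:
    """Canonical form: upper-case, colon-separated (Windows prints dashes)."""
    return mac.replace("-", ":").upper()


def parse_arp_windows(text: str) -> list[Device]:
    """Turn `arp -a` output into Device records, skipping non-host entries."""
    devices = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # header and "Interface:" lines
        mac = normalise_mac(m.group("mac"))
        # Broadcast (ff:ff:ff...) and IPv4 multicast (01:00:5e...) are not hosts.
        if mac.startswith("FF:FF:FF") or mac.startswith("01:00:5E"):
            continue
        vendor = OUI_HINTS.get(mac[:8], "unknown vendor")
        devices.append(Device(m.group("ip"), mac, vendor))
    return devices


def find_unknown_devices(devices: list[Device], inventory: list[str]) -> list[Device]:
    """Return devices whose MAC is not in the approved asset inventory."""
    approved = {normalise_mac(m) for m in inventory}
    return [d for d in devices if d.mac not in approved]


# Constructed sample: what `arp -a` might print on a Windows workstation.
SAMPLE_ARP = """
Interface: 192.168.1.50 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-c3-00-00-01     dynamic
  192.168.1.23          aa-bb-c1-10-20-30     dynamic
  192.168.1.24          aa-bb-c2-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed inventory: only the firewall/gateway has been approved.
INVENTORY = ["AA:BB:C3:00:00:01"]

if __name__ == "__main__":
    for d in find_unknown_devices(parse_arp_windows(SAMPLE_ARP), INVENTORY):
        print(f"UNKNOWN {d.ip} {d.mac} ({d.vendor_hint})")
```

Run it on a schedule from a machine on each VLAN: ARP only sees the local segment, so a device that has been moved to a separate IoT network will (correctly) not show up on the business network's report.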

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived on ignorance of security best practices; they exploit and monetize the low-hanging fruit of security illiteracy. Implementing the CMMC practices not only makes it harder to compromise an organization, it also makes the business more resilient when an attack does succeed. Securing a business is not only about defending against attacks but also about being able to recover and keep operating in the face of one. Those who ignore these practices put their businesses needlessly at risk, and those risks, compounded and exploited, can be existential. Even the businesses that survive lose revenue to downtime, critical resources to cutbacks, brand reputation, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices such as those in the CMMC framework, the less opportunity bad actors have to monetize a breach. For instance, if you fall victim to ransomware but can recover without paying, you directly undercut the attackers' ability to profit from an otherwise successful attack. One caveat: many ransomware crews now also steal data and threaten to publish it, so tested backups remove the downtime lever but not the extortion lever. Still, by reducing the ability of attackers to monetize breaches, we collectively disincentivize (at least financially) the ransomware industry in particular.

Conclusion

In our industry, it's genuinely difficult to explain to clients why they need new security protections. We want to educate clients on cybersecurity without resorting to scare tactics, and we don't want them to think we are manufacturing new ways for them to spend money when we tell them about new security measures they need to consider. Everyone readily admits that technology has changed drastically in the last five years. Nevertheless, few seem interested in changing their five-year-old (or older) approach to security.

There tends to be a mindset of "what's the least we can spend and still be secure?" That is a failed approach, because cybersecurity is a moving target; there is no final destination for security in a smart-everything world. There is such a thing as cyber-maturity, though: an ever-maturing approach to cybersecurity. That is what will serve us best, and CMMC can help all of us approach security in a more informed way. Ultimately, that is why it should matter to every business owner.

Before answering when an "IT Guy" (or Gal) is NOT enough, let's first consider when one IS enough. Some organizations are adequately served by what the industry calls "break/fix" service. Simply put, when something goes down, you have a resource on speed dial who can come out and get things running again. Many companies use this model successfully, or at least some variation of it, such as buying a block of hours in advance (the same as break/fix, except that you pre-pay for the time, often at a discount). Perhaps some of your work is still on paper and your processes are mostly manual. On the surface, this arrangement is workable (even if not ideal) for businesses with very simple technology needs.

When Break/Fix Breaks…

At some point, as a business becomes more operationally mature, it begins to use technology as a competitive advantage, and the underlying technology that drives more efficient workflows becomes more complex. You are now running servers with key line-of-business applications that require a database. Your workflows are more efficient, your company can scale, and automated processes reduce human error. As a result, organizations begin to see their technology operations as strategic and mission-critical. As the operational maturity level (OML) continues to increase, an inflection point is reached where the break/fix model no longer works and becomes a hindrance to efficiency and security. Your needs have outgrown the old model.

Think about it this way: the break/fix IT guy's incentives are misaligned with your organization's. They are paid when your technology is down, not when it stays up. That creates a dynamic in which fixing the root causes of failures and building more robust (but also more complex) systems is not in the interest of the person doing the work. Why should they invest effort in preventing failures rather than band-aiding symptoms or developing workarounds that keep things just stable enough not to get fired?

Yeah, but…

Some IT folks have the integrity to act in their clients' best interest even when that works against their own financial interest. Unfortunately, I have seen very few of those and too many of the other kind, so the odds are high that your "IT Guy" is taking advantage of you. It may not even be a conscious decision, but simply the cause and effect of being rewarded for maintaining the status quo. The other common reason is that they simply lack the knowledge and experience to manage things a better way.

Taking a deeper look at the problem…

Let's examine the usual case: you hire someone who is inexpensive and eager to grow their skill set. Their only experience is building a PC or two and setting up the family's home network. They know just enough to be dangerous, but they know more about IT than you do, so you give them a try. Your company's network has now become their personal IT playground, and they will happily persuade you to try new things in your environment. Let's say the "new thing" is the backup system for your important documents and company QuickBooks files. They tell you it can be implemented at minimal cost because the software is "free" (an open-source Linux tool, perhaps) and you happen to have an old PC that can be repurposed to host it. What could go wrong?!

Well, let’s list a few potential issues:

  • Due to inexperience, the tech didn't ask (or know) where all the critical data resides and failed to include the QuickBooks files in the backups. The QuickBooks PC dies and there are no backups.
  • The single drive in the backup server starts failing, but nobody knows because nothing is monitoring the hardware. Your primary application server crashes and there are no good backups (the failing drive corrupted them) because your tech never tested a restore.
  • A flood in the IT closet destroys both the server and the backup system, resulting in total data loss, and there is no off-site copy.
  • One of your employees clicks an email link, unleashing ransomware on your network. Because their account had admin privileges, the server and the backup files are encrypted too, resulting in total data loss. (A backup that the same credentials can overwrite is not really a backup; it needs to be offline, immutable, or at the very least writable only by a separate account.)
  • Your main server crashes and it takes a week for your tech to source new hardware, rebuild the server from scratch, and restore your data. Everything worked as designed, but your tech never asked how long your company could afford to be down while everything was rebuilt. Your business just lost a week of productivity.
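To make those failure modes concrete, here is an added Python example (my illustration, not anything from the original post or from any particular backup product). It builds a constructed source tree and backup copy in a temporary directory and then runs the checks a practitioner would want before trusting a backup: that every critical data location is actually in the backup set, that the newest backup is within the recovery point objective, that a test restore hash-matches the originals, and that an off-site copy exists. The 24-hour RPO, the folder names and the sample files are assumptions. The two remaining bullets, admin rights letting ransomware reach the backups and the week-long rebuild, are least-privilege and recovery-time questions that you answer by design and by rehearsal, not by a script.

```python
"""Backup sanity checks for the failure modes listed above.

Added example, not code from the original post. build_demo() constructs a
fake business (a documents share and a QuickBooks company file) in a temp
directory, runs a "backup job" that may or may not be configured correctly,
and returns the findings from the checks. Folder names, sample files and the
24-hour RPO are assumptions for the example.
"""
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

RPO_SECONDS = 24 * 3600  # assumption: at most one day of data loss is acceptable


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_coverage(critical: list[str], backup_root: Path) -> list[str]:
    """Bullet 1: the tech never asked where the data lives."""
    return [f"not in backup set: {name}" for name in critical
            if not (backup_root / name).exists()]


def check_freshness(backup_root: Path, now=None) -> list[str]:
    """Bullet 2: a backup job that silently stopped (failing disk, dead schedule)."""
    now = time.time() if now is None else now
    newest = max((p.stat().st_mtime for p in backup_root.rglob("*") if p.is_file()),
                 default=0.0)
    age = now - newest
    if age > RPO_SECONDS:
        return [f"newest backup is {age / 3600:.1f} h old (RPO {RPO_SECONDS // 3600} h)"]
    return []


def check_restore(source_root: Path, backup_root: Path, restore_root: Path) -> list[str]:
    """Bullet 2, second half: nobody ever tested a restore. Restore, then hash-compare."""
    findings = []
    for backup_file in (p for p in backup_root.rglob("*") if p.is_file()):
        rel = backup_file.relative_to(backup_root)
        restored = restore_root / rel
        restored.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_file, restored)  # the "restore" step
        original = source_root / rel
        if not original.exists() or sha256_of(original) != sha256_of(restored):
            findings.append(f"restore mismatch: {rel.as_posix()}")
    return findings


def check_offsite(offsite_root: Path) -> list[str]:
    """Bullet 3: the flood takes the server and the backup box together."""
    if offsite_root.exists() and any(p.is_file() for p in offsite_root.rglob("*")):
        return []
    return ["no off-site copy"]


def run_checks(critical, source_root, backup_root, restore_root, offsite_root) -> list[str]:
    return (check_coverage(critical, backup_root)
            + check_freshness(backup_root)
            + check_restore(source_root, backup_root, restore_root)
            + check_offsite(offsite_root))


def build_demo(*, include_quickbooks: bool, offsite: bool, stale: bool) -> list[str]:
    """Constructed scenario: set up a fake business and return its findings."""
    root = Path(tempfile.mkdtemp(prefix="backupcheck-"))
    try:
        source, backup, restore, off = (root / n for n in ("source", "backup", "restore", "offsite"))
        # Constructed data: a documents share and the QuickBooks company file.
        files = {"Documents/contract.docx": b"signed contract",
                 "QuickBooks/company.qbw": b"ledger data"}
        for rel, data in files.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_bytes(data)
        # The "backup job" copies Documents, and QuickBooks only if someone told it to.
        for rel in files:
            if rel.startswith("QuickBooks") and not include_quickbooks:
                continue
            (backup / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, backup / rel)
        if stale:  # simulate a job that last ran two days ago
            two_days_ago = time.time() - 2 * 24 * 3600
            for p in (p for p in backup.rglob("*") if p.is_file()):
                os.utime(p, (two_days_ago, two_days_ago))
        if offsite:
            shutil.copytree(backup, off)
        return run_checks(["Documents", "QuickBooks"], source, backup, restore, off)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in build_demo(include_quickbooks=False, offsite=False, stale=True):
        print("FINDING:", line)
```

Wire the same four checks to your real backup target and run them on a schedule; a backup that nobody restores from until the day it is needed is exactly the second bullet in the list.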

Truth or Consequences?

We wish we could say these horror stories are fabrications, but you would be surprised (or maybe not) at the many ticking time bombs we have come across. We won't name names, but trust us when we say we have seen it all. The fortunate ones made the switch to more professional IT management before things went south. It would not be a bad idea to quiz "your guy" about what measures are in place to ensure these things don't happen. You'll likely get one of two reactions: a smile (with a laundry list of precautions being taken) or sweat (with a ton of excuses). You be the judge. This pop quiz doesn't require being technical; it is easy to tell whether someone is confident and knows what they are saying or is talking you in circles to avoid answering. It reminds me of final-exam essay questions where you don't know the answer but hope that if you write enough you will eventually touch on the right one.

In any of these scenarios, your company will have paid a hefty price for the inexperience of your IT guy. Important lessons were learned by both parties: your business has just become aware of the need to be more operationally mature, and your IT guy knows what not to do next time. Layer the constantly evolving need for better security on top of the operational issues, and the problems become more complex and the risk to your organization that much greater.

Oh, but he is an employee, so there’s more…

Here are some other limitations of having a single resource (perhaps your employee) running IT:

  • Who fixes problems when he/she is on vacation or out sick?
  • Where is the escalation path when issues are outside of your tech’s skillset?
  • You hired them at a low salary, but now they have experience and a resume (at your company's expense), and they leave you for a 50% higher salary elsewhere.
  • Your IT needs have grown, and you need a desktop technician, a network/server admin, and an IT director. Even with overlap in technical competencies, you are now spending $200K+ (over $16K per month) to hire and retain competent technology staff.

Note that many of these problems also apply when IT is outsourced to a one-person shop, whether the agreement is structured as break/fix (with the problems discussed above) or as a fixed fee.

Managed Service Providers to the rescue!

We have looked at why the break/fix model doesn't work for many organizations AND why hiring in-house IT staff has serious limitations. There is a sweet spot in small business where the MSP model thrives: higher-OML organizations that value quality IT services but cannot afford to staff a full IT department.

MSPs provide outsourced IT resources for a fixed monthly fee. They employ experienced technology professionals who fill the various roles of an IT department, and they bring best-of-breed tools to monitor and manage your systems, all-you-can-eat help desk support, and even strategic IT management (usually through a virtual CIO who serves as your IT director).

Managed Service Providers buffer your organization from the challenges of hiring and retaining quality staff, and provide redundancy across technical competencies. MSPs can offer technology talent a better compensation package: 401(k), flexible PTO, career tracks with promotions, training programs, performance pay, and other benefits. And the employee doesn't have the stress of being on an island with no other technical resources to call on. They are part of a team.

Win-Win

All of this, and the MSP's interests are aligned with your organization's needs. A fixed-fee monthly contract means both companies benefit when technology is stable and end users are productive and happy. It is a win-win because outsourcing support costs less than staffing an IT department. So, to answer the question "When is an IT guy not enough?": when your organization values the benefits of well-managed technology, but it is not practical to staff your own IT department.

AP English Strikes Again!

Today I will take a detour from our usual topics of security and the continued progression toward cloud and mobility. Instead, I want to get into the weeds a bit with what we techies call "speeds and feeds". In other words, what are technology standards and why do they matter to you? Glad you asked! I will start by showing my answer, then explain how I got there. This is a bit like when I took AP English in high school and would turn in an outline, followed by a rough draft, only then adding all of the spit and polish for the final paper. Except, being the hard head that I was (and still am, if you ask my wife), I would write the final paper first, then reverse-engineer the outline and rough draft from it. But please keep that little secret between you and me.

TL;DR

Our recommended operating standards for Small Business look something like the following:

  • Business-class broadband of at least 100 Mbps down and 20 Mbps up, with a static IP address for management
  • Laptop or workstation with Windows 10 Pro, a quad-core Intel Core i5, 16 GB RAM and a 512 GB SSD
  • Firewall with a security subscription, sized for the subscribed Internet speed with the inspection features turned on (rated throughput drops noticeably once threat inspection is enabled)
  • Gigabit managed switches with 10 Gbps fiber uplinks between connected switches
  • 802.11ac (Wi-Fi 5) wireless access points
  • Cat 6 copper Ethernet cabling

<RANT>An interesting side note: we recently raised our minimum recommended drive size from 256 GB to 512 GB because of the very large feature updates Microsoft pushes every six months. Each one is roughly equivalent to downloading and installing the entire OS while keeping a copy of the existing installation (Windows.old) so you can roll back to the previous version.</RANT>

Running the Small Business “Enterprise”

A quality Managed Services Provider recognizes the broader benefits of simplifying the general network design. A single IT team can support a hundred different organizations because the infrastructure is consistent across all of its clients. It is as if these businesses were all part of one enterprise, differing only in their line-of-business applications, and with a software support contract in place we can vendor-manage any issues with those. Technical training and competencies can be aligned to a finite stack of manufacturers and products. This translates to faster, more effective support, which lowers support costs, improves resolution times, and increases client satisfaction. Accordingly, our new support contracts include the firewall, backup hardware, switches, and access points along with M365 subscriptions, security tools, and endpoint management software. Standards create more predictable outcomes and multiply the service team's effectiveness. Our three pillars for choosing these products are:

  • Appropriate size and features for small business,
  • Lowest cost and best reliability without sacrificing the above, and
  • Quality vendor support and training to enable efficient installation and maintenance of systems.

This combination creates a win-win for the MSP and its clients. The safeguard for the client is being backed by a technology company that will not only spec and sell the equipment but also own the results.

From English to Calculus

Let's get the big caveat out of the way: there is no cookie-cutter approach to IT. So why have standards at all? Figuring out the proper specs for workstations, servers, and networks is not rocket science, although it can be complex; it is a multi-variable equation. The composite system requirements of all the software in use can be distilled into design specifications for technology operations, but there are also reasonable estimates we can make for SMBs. Software is fairly consistent across a wide variety of organizations, apart from niche line-of-business applications. Also, Managed Service Providers generally serve businesses too small to justify staffing a complete technology department (which is exactly why outsourcing to an MSP makes sense). That means the complexity and size of the networks are bounded, making the parameters of these technology standards more predictable.

Always Outliers

There are exceptions, to be sure. An engineering firm or fabrication shop using CAD needs higher-end workstations with more RAM, faster processors, and a dedicated graphics card, for example. Even those share common traits with a gaming PC or a radiology PACS reading station, and the specifications are easy to solve for by looking up the application's requirements. The key point is that we can standardize the ninety-percent use case and invest the more expensive engineering/consulting resources in the outliers. We can go fast and be right, slowing down only for the other ten percent. And while the adage "good, fast, cheap: pick two" holds true, we can make efficient recommendations for any part of your infrastructure because we understand how these systems perform across a wide variety of clients. We do not need a ten-legged (read: expensive) committee meeting to assess and recommend your next laptop or network switch.

When Best Buy is not the Best Buy

This means the best opportunity for reducing the total cost of ownership of your IT is to follow the recommendations of your trusted technology partner, who is responsible for managing your environment along with many others and for keeping infrastructure and support costs to a minimum. I know the $299 Windows Home laptop special at Best Buy is tempting, but it will likely cost more in support, hardware upgrades and lost productivity: the Home edition cannot join a domain, has no Group Policy, and does not include BitLocker Drive Encryption, so it doesn't fit the managed, encrypted standard above.