
What is CMMC, and why should you care?  CMMC stands for Cybersecurity Maturity Model Certification.  It’s a new initiative implemented by the Department of Defense (DoD) to better protect critical defense information (both classified and unclassified).  Essentially, in order to do business with the government, you now have to prove you are taking cybersecurity seriously through this certification model.  While your business may not qualify for CMMC, there are five reasons you should care about what it signals for all businesses.

Last year, I had a few friends (not customers) privately reach out to me to discuss security breaches of different sorts.  As I advised those friends through their particular scenarios, I inevitably learned that they fairly easily could have avoided the security breaches altogether.  Of course, just as a doctor many times can easily diagnose common illnesses, the same often is true of a security advisor.  I’m careful not to chide my friends in these instances, because I certainly don’t want to add insult to injury.  Nevertheless, it is incumbent upon all business owners to take cybersecurity more seriously and to engage resources to help them before they experience a breach, not after.  How does CMMC do just that?

1. CMMC will inform regulated industries and critical infrastructure.

As CMMC is rolled out to Defense contractors, other regulated industries will take note.  Health and Finance industry regulators, in particular, will be interested to see how CMMC implementation can drive initiatives toward better regulatory controls.  How effective was the adoption of these new regulations?  How were DoD contractors able to soften the financial blow of implementing security requirements?  What lessons can other regulators learn about the rollout of new security regulations?  Regulators will be asking all of these questions as they look for ways to properly motivate businesses to hold themselves accountable for the personal data entrusted to them.

Here’s a sobering security stat:  According to CNBC, roughly 85% of America’s critical infrastructure is privately-owned.  This means that the oil pipeline shutdown from May of 2021 could be just the beginning.  As these regulations get applied to the private sector in regulated industry, they likely will translate to every business via more practical avenues, such as the insurance industry.

2. CMMC will inform cyber-insurance policy coverage

The increase in business security breaches is already pushing the insurance industry to raise rates and tighten controls.  According to Chainalysis’ Ransomware Update in May of 2021, ransomware increased at a rate of 4x in 2020 (from $92.94M in 2019 to $406.34M in 2020).  These increases are burdening the insurance industry with finding ways to better mitigate their risk.  One way of mitigating the risk is paying resources to work with law enforcement officials to recover and/or freeze the ransom payments before the malicious actors can benefit from them. 

Some insurance carriers have implemented security questionnaires that automatically deny coverage for those entities falling short on basic cyber-hygiene.  The natural result is higher cost of business for insurance companies which translates to higher prices for insurance coverage.  These increased prices and required security screenings will force businesses to take security more seriously.  The higher your operational maturity as it relates to security, the lower your insurance costs will be.  It’s that simple.

3. CMMC provides security best-practices for all businesses.

CMMC is built upon the NIST 800-171 guidelines.  These guidelines serve as best practices for all organizations, no matter what the size or industry.  Some of these practices are simple ones that you hear regularly, like don’t reuse passwords and use multi-factor authentication for your user accounts.  Some are not so obvious, though.  For instance, how many businesses have smart devices in their organizations (TVs, thermostats, alarm systems, Alexa, etc.)?  Are any of those devices on your primary business network?  Do you have a policy and process for how those devices get implemented in your business?  Do you routinely check your network for such smart devices?  The introduction of everything smart (IoT – Internet of Things) is going to complicate business security.  There’s no way around that.

4. CMMC practices give businesses the best chance to protect against ransomware and other attacks.

For far too long, bad actors have thrived due to ignorance surrounding security best practices.  These bad actors exploit and monetize the low-hanging fruit of security illiteracy.  Implementing the CMMC best practices approach to security not only makes it more difficult to successfully hack an organization, it also makes your business more resilient to successful attacks.  Securing a business is not only about defending against attacks but also being able to recover and continue operations in the face of one.  Those who ignore these best practices unnecessarily put their businesses at risk.  These risks, when compounded and exploited, pose existential threats to the affected businesses.  Those who do survive lose potential revenue from downtime, critical resources from cutbacks, brand reputation losses, and more.

5. CMMC best practices mitigate the monetization of security breaches.

The more businesses and organizations that implement security best practices, as found in the CMMC framework, the less opportunity exists for bad actors to monetize security breaches.  For instance, if you fall victim to a ransomware attack but you have ways to recover from that attack without paying the ransom, you directly impact the hackers’ ability to monetize their otherwise successful attack.  By reducing the ability for hackers to monetize these breaches, we collectively disincentivize (at least monetarily) the ransomware industry in particular.

Conclusion

In our industry, it’s principally difficult to explain to our clients why they need new security protections.  We want to educate our clients on cybersecurity without using scare tactics.  We don’t want our clients to think we are manufacturing new ways for them to spend money, while also informing them of new security implementations they need to consider.  Everyone readily admits that technology has drastically changed in the last five years. Nevertheless, it seems that few are interested in changing their five-year-old (or worse) approach to security. 

There tends to be a mindset of what’s the least we can spend and still be “secure.”  That’s a failed approach, though, because in truth cybersecurity is a moving target.  No final destination for security exists in our smart-everything world.  There is such a thing as cyber-maturity, though.  Cyber-maturity (an ever-maturing approach toward cybersecurity) is what will serve us best in this time.  CMMC can help us all have a more informed approach to security, and that’s ultimately why it should matter to every business owner.

Some business owners view their IT infrastructure like they do their plumbing or HVAC maintenance – they prefer only to pay to fix problems as they manifest.  There’s nothing wrong with plumbing or HVAC companies.  They are some of our best customers.  However, the comparison is severely flawed, mainly because plumbing and HVAC systems are generally static infrastructures, and they aren’t the object of attacks from without (yet).  The old break-fix approach to managing IT is on life support, mainly because of five inherent flaws.

Break-fix approaches to IT inherently lead to a giant ball of band-aids.

Whenever a tech is dispatched to resolve a problem for a client in a break-fix arrangement, that tech is there to find the quickest remedy possible.  The tech knows that too much time spent will result in a complaint from the customer.  Thus, the tech proceeds to take the shortest route possible to restore functionality.  This band-aid approach only addresses the symptoms manifested, while it ignores the underlying root cause.  The conundrum for both the tech and the customer is that the customer doesn’t want to pay the tech for the time it would take to diagnose root causes, and the tech feels pressured to get in and out as quickly as possible.  Over time, this leads to an inefficient and cumbersome wad of band-aids that usually has to be completely overhauled to overcome.

Break-fix approaches to IT misalign missional objectives. 

The band-aid approach leads nicely into the next flaw.  Have you ever wondered if an auto mechanic has your best interest in mind?  Again, there are many great auto shops out there, but sometimes you can’t help but wonder if you’re being taken advantage of in some scenarios.  The break-fix arrangement creates competing incentives between the provider and the customer.  The computer shop only gets paid when there are problems to be solved.  The customer is literally incentivizing computer problems.  Conversely, in a contract arrangement, the service provider is rewarded for operational efficiency and penalized by customer downtime.  In that kind of arrangement, both the provider and customer have completely aligned incentives and objectives.  You both become a team that works together to do everything possible to eliminate issues entirely.

Break-fix approaches to IT cost more in the long run.

When the organizational objectives and incentives are aligned, the natural result is more efficiency and less downtime.  If the service provider is competent at all, you will see a marked improvement in IT operations.  When problems are addressed in a contract arrangement, finding the root cause and eliminating it is the primary incentive for the service provider.  Being proactive and working to eliminate problems before they create downtime or other inefficiencies is top priority.  These proactive and thorough approaches to IT management enable you to come out ahead in the long run.  Furthermore, you have a built-in consultant who can help you navigate your technological hurdles and leverage technology as a force multiplier for your organization.

Break-fix approaches to IT severely handicap your ability to recover from a disaster.

Most companies discover they have a backup problem when faced with an occasion requiring them to rely on it.  Imagine having your critical data encrypted from ransomware, and learning that your backup data was encrypted along with it.  Imagine a drive failing, and discovering your last successful backup was from months or even years ago.  Unmanaged backups create these scenarios, and they are completely preventable using modern backup and recovery technologies.  While the goal is always never to need the backup, when you do need it, you REALLY need it.  Make sure you have a managed backup solution in place. Gambling with company data is a losing proposition.

Break-fix approaches to IT are nearly impossible to budget accurately.

The break-fix model of IT support naturally ebbs and flows.  Even when you have a couple of years of history to help budget, you are one severe event away from blowing that line item.  A drive dies in a server or critical workstation, and you have an unplanned expense.  How can you effectively budget for IT support when you are one successful cyber-attack or one critical device failure away from a ton of unexpected remediation time?  Some of that can be assuaged by planned upgrades, but cyber-attacks and other threats to today’s businesses by nature are unplanned events.

The Obsolescence of Break-Fix

It’s time that we sound the death knell for the break-fix approach to IT support.  It hasn’t served businesses well.  It has proven to create IT dysfunction.  It has misaligned the objectives and incentives toward efficiency and operational integrity.  It costs more in the long run, and it is nearly impossible to budget accurately.  We’ve moved on from the TRS-80s, the Pentium chipsets, and on-premises email servers – it’s time to move on from the break-fix model for IT support.

Inside What?

Does the current pandemic have your company turned inside out?  Hopefully not, but maybe some other crisis will.  Why not just go ahead and turn your company inside out on purpose?!  Better on your terms than something external.  Let me explain.  Today I am working from home, productive, but under quarantine (exposed, but so far symptom free, and I thank God for that).  This is not the first time I have had to work like this.  In a prior company, I was the VP of Service for a prominent Middle Georgia Managed Services Provider (MSP).  Like Total Computer Solutions, we provided a full complement of outsourced IT staff to aid local small businesses.  From Virtual CIO (read: IT Director) to Service Coordinator to Help Desk Technicians and Engineers, the resources in my department were critical to supporting everything from the strategic mission of a business down to the day-to-day computer problems.  As with that business, there were (and are today) a variety of conditions which made working from home a luxury on some occasions and an absolute necessity in others – ice storms, local flooding, power outages, and today – pandemics.  Who had COVID-19 on their Bingo card for 2020?  Today, I am the COO for TCS, which means I am responsible for the operations of Service, Sales, and Finance – Facilities and Human Resources are also shared responsibilities in our core departments.

But this article is not about me or my background…more about YOUR business strategy.  This is an opportunity for me to share how prior planning and enhanced technical capabilities can enable your business and work force to thrive under similar work-from-home scenarios.  I am going to share with you my secret to business continuity: turning your business inside out.  If the concept of Disaster Recovery/Business Continuity is new to you, a little Google-Fu will produce a wealth of information on the topic.  Simply put, DRBC is the planning and development of capabilities to recover full business operations from a disaster while maintaining some level of functionality during the recovery effort.  I can work from home today, with minimal impact to my ability to communicate and coordinate our business operations, due to some advance planning and the right mix of technologies.  But I am getting ahead of myself.

Company Culture for $200

It really starts with culture.  Company culture is the foundation upon which the rest of the business grows and thrives.  Without the right culture and management structure, keeping team cohesion and productivity during adverse business conditions can be difficult, if not downright impossible.  Fortunately, I have had great mentors in my career and picked up some tools along the way to help build and support a healthy culture around our people, process, and products.  For an MSP, our product is really our people.  True, we do sell stuff, but it is largely commodity goods and not the real differentiator between a good MSP and a bad one – the key is our team and we cannot thrive without a solid culture in place.  Our CEO Michael Collins is the primary champion of our culture here at TCS, so he and I have a Batman and Robin approach to reinforcing our values and team environment from the big picture down to everyday decisions.  This must be baked into the DNA of who you are as an organization.

Business structure must enable and support this culture.  We also use the Entrepreneurial Operating System (EOS) to drive the management of our business.  Rob Betzel, a friend who also happens to be my former boss, is a great local coach for both Company Culture and EOS.  I am forever grateful to him and others who have invested their time and energy into equipping me with the management principles and tools I have today.  Who knew you could make business leaders out of computer geeks?!  With a good management system and tools in place…we have a very high-powered engine.  But what good is this high-powered, superbly crafted engine without the proper fuel?

Culture is that fuel.  Every day we fill the business engine with a tank of clean-burning high octane or some concoction of low octane fuel with lead, sulphur, water, and other contaminants.  Your company values, lived out, are the ingredients.  They cannot be merely a sign on the wall or words on your web site.  Integrity, teamwork, professionalism, accountability, and other key traits are the essential ingredients to maintaining workforce productivity, especially when working remotely.  Sometimes, as managers, we have to make very tough decisions about who remains on the team when these values are not upheld.  Proper coaching and positive reinforcement can often help a struggling employee, but the best time to get this right is in the hiring process.  Having to micromanage an employee to get them to do their job well in the office simply is not going to work under these new conditions.  If you do not have this right yet, DO NOT PASS GO, DO NOT COLLECT $200 until you have this fixed.  As mentioned here, there is a wealth of local talent who can help you with this.

Communicate and Collaborate

Okay, company culture is good?  Check.  Now to turn your business inside out.  This really centers on communication and collaboration.  Here is what I mean by that (and this is the big secret) – design your business technology around having a mobile workforce who happens to work inside your building at times…cutting the corporate tether so to speak.  Easier said than done, for sure.  The planning and implementation must be a strategic top-down initiative.  On a side note, technology should always be connected to business strategy rather than existing for its own sake, letting the tail wag the dog.  In other words, bend technology around the needs of the users rather than the other way around.  And this strategy is more straightforward for companies primarily with knowledge workers as opposed to skilled labor who perform their work on the job site.  Even for skilled labor, their hub can be moved from the office to home (or an ad-hoc office) and dispatched to work onsite rather than reporting to the office first.  And for organizations who deliver their primary services onsite (i.e.: healthcare), support positions can often be moved off premise for the sake of distancing.  Telemedicine has emerged out of this trend.  There is no one size fits all solution, and these nuances must be considered.

Essentially this means formulating a cloud-centric but locally supported business technology infrastructure.  Consider moving employees to laptops with docking stations instead of workstations.  This immediately enables mobility.  Voice communications – a hosted phone system with softphones that run on your PC, or even using your cell phone to make and receive calls on your business line.  Move QuickBooks online…easy.  You have already moved your email to O365, right?  RIGHT?!  Utilize Microsoft’s 365 suite beyond email to sync your documents to the cloud – no need for a file server or NAS in many cases.  Cloud-to-cloud backup is needed to protect your data that is no longer on premises.  MS Teams can be used for business chat along with audio/video conferencing.

In fact, yesterday I ran our weekly management meeting using Teams and was able to facilitate the meeting with no loss of productivity while working from home this week.  Management scored me an across the board 9 out of 10 for running the meeting which is pretty good considering the tough audience I serve.  Yes, we are results focused enough to score facilitating meetings (thanks again to EOS).  Shared management scorecard, no problem – click save and the rest of the team automatically gets the updates via cloud sync in the background.  With Microsoft 365 we can even edit Word documents and Excel spreadsheets as a group, live in the document at the same time.

Often critical line-of-business applications are the toughest nuts to crack.  The best option may be to keep what you have, even if that means on-premises servers for now, and see if your application vendor offers a cloud-hosted solution (sometimes you will see this advertised as SaaS – Software as a Service).  Cloud is not cheaper, but the benefits often make sense given the flexibility it offers along with a more robust business capability.  If you have already made that move, kudos!  Otherwise, TCS can facilitate a process for you to evaluate and identify a new vendor who offers this critical capability.

A side benefit of moving to a subscription “as a Service” model for consuming IT services is a more predictable and flat operational cost (OpEx) as opposed to large periodic or sometimes unpredictable capital expenditures (CapEx).  This is a main reason why MSPs operate under fixed-fee monthly contracts.  You are paying for an outsourced and fully staffed IT department, not simply an hourly rate to fix your latest application error.  Your technology infrastructure is a very dynamic environment that must be watered and fed to keep it running efficiently.  And moving to the cloud doesn’t mean your support needs magically disappear, it simply moves the management to the other side of the Internet wire.  Be sure you have an experienced technology partner to help you navigate these waters.  Having a handyman for odd jobs is fine, but you wouldn’t build a new house without a qualified architect.

Don’t You…Forget About (Securing) Me!

Culture, communication, and collaboration are in order, great!  My pastor would be proud of my 3-point alliteration.  Ah, but we have a 4th point…security (or Cybersecurity gets me to 4 Cs).  We cannot overlook security in all of this.  Believe it or not, this Inside Out approach can improve your business security.  Yes, we have firewalls, encrypted wireless, and content filters inside the office, but the most effective security (read: defense in depth) strategy is to assume your corporate network is what security experts refer to as the “soft gooey middle”.  Simply put, start by assuming your office network is not safe and build defenses around your endpoints and applications.  When those are secure, along with a VPN or other secure remote access technologies, the reach of your information systems can be safely extended, and working from Starbucks can be just as safe as the towering defenses of the ubiquitous grey office cube with its mystical, magical, always-impervious-to-outside-threats wired ethernet connection (tongue firmly in cheek).

And all the stuff you have now moved to the cloud must be secured as well.  Wrap a security layer around O365 email to protect against phishing attacks, for example.  If you are a regulated business (and who isn’t these days?), there are particular requirements for how your security is implemented, and this also affects which cloud vendor(s) you choose.  Who owns your data?  Where is it physically stored?  Can you get your data back if needed?  As you guessed, there is no cookie-cutter approach, and security is best designed and managed by trusted professionals who understand the vulnerabilities and regulatory requirements along with appropriate risk mitigation strategies.

Wrapping It Up

TL;DR: With the right company culture and structure, along with the appropriate mix of secure business technologies, your organization can remain business as usual through events that would cripple less well-equipped companies.  This Inside Out strategy takes what would otherwise be an existential threat and turns it into a competitive strength.  Total Computer Solutions can design and support this sort of environment for your business and make “Turning Your Business Inside Out” a positive.  We would love to engage with you, whether you are an existing contract client or have questions about how TCS can assess your business technology, partner with you, and help road map a strategy that is right-sized for your organization.  We are all neighbors serving neighbors after all, and TCS has been in that business for over 33 years.

Want More?  TCS Recommended Reading Includes: