Business Continuity Planning: why do we need it?

 
I was recently working with one of my not-for-profit/NGO clients on disaster recovery and business continuity. It reminded me why cloud-based services are so important, and of a reason I often overlook when helping clients move to cloud-based services. If you want to know some other reasons for going cloud, read this article.
 
The biggest and most important reason is business continuity (or the older disaster recovery terminology). 
 
Firstly, what is business continuity? At its core, it is the ability of your organisation to recover and continue working in the face of a disaster. In the not too distant past this was considered the responsibility of the IT department, but the reality is that IT is just a small fraction of business continuity, although it plays a vital role. The whole organisation has to be across BCP and implementing it.
 
Since this is a technology blog, I'll focus on the technology side, although a few non-IT tips appear here as well.
 

Can you RPO your RTO?

 
RPO - recovery point objective - in essence, how much data you are prepared to lose. If your answer is no data, this can get very expensive (or possibly not). If 24 hours of data, or even a week of data, then the cost of ensuring your RPO is met can go down considerably.
RTO - recovery time objective - how quickly we can recover and have our data back in place. The shorter the RTO, typically the more expensive the solution.
 
For large organisations, having an RPO/RTO measured in seconds to minutes means investing hundreds of thousands to millions of dollars to achieve it, as the technologies involved can be complex and expensive: data replicated instantly between primary and backup data centres, and then making sure it all works and is tested on a regular basis. For most NFP/NGO organisations this was simply not attainable; it is cost prohibitive and they don't have the technology people to pull it off. That is, until very recently.
 

Cloud/Clout your RTO and RPO

The number 1 reason to consider moving any and all your applications and services to the cloud is business continuity. 

Imagine if your:
  • accounting system
  • payroll system
  • CRM system
  • logistics system
  • HR system
  • email system
  • file storage system
just to name a few, were all in the cloud. You would be able to access them from anywhere on the planet, as long as you have an internet connection.

Now imagine your current office building was demolished in a freak storm, gas explosion, flood, etc., yet all your IT systems were still available to you. In the short term your employees could work from home, and your BCP plan is now focused only on re-establishing a new office. You would be 100% ahead of 90% of most organisations.


Don't imagine it

It can be done. We have helped a number of our clients get to a point where their physical office space is basically irrelevant. Sure, you might need to buy some new desktops/laptops (if your office was no longer available), but all your data and all your systems would still be available. I have worked with several organisations that now run with a recovery point objective of 5 minutes of data loss and a recovery time objective of essentially 0 (as relates to IT data systems), because their systems and data are in the cloud and available from anywhere.


If you would like to know how we have done this contact us today or better yet, make an appointment for a free consultation
 
 

7 things every NFP/NGO needs to know about Cyber-Security

 
Cyber-security is one of the new technology buzzwords, but what does it mean?
 
In essence, cyber-security is ensuring that your organisation's data, whether on-premises or in the cloud is secure. The concepts around cyber-security have been around for a long time, yet are often ignored.
 
Here are some of the things needed to ensure that, at the very least, the basics are covered:
 

1. Network protection – your front door

Your connection to the internet is your front door to the world from a cyber-security point of view. Just like your front door at home, it should be bolted shut at all times and preferably have a Crim-Safe™ security screen as well.
This is done through the use of a quality firewall (more details here). In addition to a firewall, protecting your nfp/ngo organisation with intrusion prevention, malware detection/prevention and content filtering (preventing people from accidentally going to hacked/hacker websites) is a must have these days.
 
A home-style ADSL router is not a firewall. While it does provide some basic protections, these are not suitable in a work-based setting; I've personally replaced my home 'router' with some Crim-Safe™-level security protection.
 

2. Inter-office connectivity – your back doors

If, like a lot of nfp/ngos, you operate across the Asia-Pacific region and have country program offices, ensuring the connectivity between these offices is protected is also vitally important. In our experience, virus protection is severely lacking in a lot of developing countries, leading to infections of computers and networks when files are shared.
 
Your remote offices should have the same level of network protection as your main office.
 
In addition, if you have centralised technology services (e.g. file storage), make sure that data transmitted between your office and remote offices or home users is protected at all times. There are different ways to do this, but a solid virtual private network (VPN) between your offices is a good starting point.
 

3. Anti-virus/Anti-Malware protection – protecting your kitchen

In our home, the kitchen is the hub/hearth of the home, people come through the front door and head straight to the kitchen. It’s where a lot of work and socialising is done.
 
Protecting your desktops and laptops, your workplace, is vitally important: ensuring your staff have a cyber-safe work environment (a safe kitchen/lounge).
 
Regardless of whether you are Australia/NZ based, whether your staff travel, or whether you have remote offices across Asia, every computing device (laptops, phones etc.) should be protected by world-class anti-virus and anti-malware software.
We've helped a number of organisations deal with malware and virus outbreaks. In nearly all cases these outbreaks have been the result of inadequate protection, particularly when travelling across Asia-Pacific.
 
We’ve road tested many different solutions over the years and can help with recommendations, but the key here is EVERY device, in your nfp/ngo, that connects to your network must be protected.
 
 

4. Bring your own device (byod) another back door!?

Many nfp/ngos allow staff to use their own devices (iPhones, Android phones, iPads and even laptops) to access organisational resources such as email, file sharing etc.
 
Usually this is done for convenience, but also because outfitting every employee with a company phone/ipad is expensive and means less dollars are committed to the work of your nfp/ngo.
 
However, there are some things to consider:
  • Do you have a BYOD policy? One that spells out what can or cannot be done
  • Do you have a technology solution, one that will ensure devices have some minimal compliance and protection standards e.g. PIN or Thumbprint enforced access, the ability to remotely wipe organisation data – if the device is lost or people leave the organisation
  • Are the devices protected by anti-virus/anti-malware products 

5. Strong passwords

I cannot stress enough the need for strong passwords, I’ve written an article just on that subject alone, and could rave on about it for days.
 
Strong passwords can be enforced by most modern software applications, and if a strong password policy is not turned on, it should be.
 
Passwords should be changed regularly; every 90 days is best practice, but the reality of your organisation's needs might mean this is more or less often than that.
 
At the end of the day, your nfp/ngo cyber security is only as strong as the passwords that protect you.
 
 

6. Education

90% of cyber-security breaches occur due to social engineering. It is far easier to get someone within your organisation to take action and download something malicious or enter critical details/password on a fake site, than it is to brute force attack a firewall, or attempt to break passwords on your systems.
 
Common social engineering hacks include phishing emails and email spoofing. A phishing (fishing) email will attempt to get you to click on a link or take an action, e.g. open an attached ZIP file. Email spoofing is where an email appears to come from someone higher up in management and instructs other staff to take an action, e.g. transfer money to an account.
 
The primary defence against such attacks is education, education, education.
 
Phishing emails were once easy to spot: misspelt, with bad grammar, and clumsy. But they are getting more sophisticated all the time.
 
 

7. Multi-factor authentication (MFA) / One Time Passwords (OTP)

What is MFA/OTP? It’s like having to produce 100 points of ID to open a bank account, except that one of your IDs constantly changes its number i.e. your passport number is constantly changing, while your driver’s license and Medicare number remain the same.
Most systems that store information will typically require you to have a username and password to gain access.
 
An MFA/OTP-enabled application is one where you are required to provide a 3rd piece of information, often called a token, that is always changing and is only valid for a limited time, typically 30 to 60 seconds.
 
Some would argue that all logons to all systems should require multi-factor authentication (MFA), but the reality is a little more pragmatic than that: security must fit the needs of the organisation and not impede people in their work.
 
In our experience, if you have nailed the above security areas (firewalls, antivirus, education etc.), then MFA can be rolled out selectively. You would certainly want to have MFA on your bank accounts, organisationally and personally, and on any other areas where you store sensitive data, e.g. donor records.
 
Not all MFA solutions are created equal. A client had SMS/text-based MFA enabled. They were hacked: their phone number was hijacked and transferred to another provider and SIM by the hackers, who then used the SMS-based OTP to gain access to their personal bank accounts and stole almost $3000.
 
 

Extra note: Fundraising, are you PCI compliant?

One final note: if, like most nfp/ngo organisations, you rely on raising funds from donors to enable the work of your organisation, do you store donor data in your systems? Do you store or handle credit card information? If so, are you PCI compliant?
 
We have worked with many organisations to ensure they are either PCI compliant, or have removed the need to be PCI compliant, by removing the handling and storage of credit card details.
 
A cyber breach can be significantly exacerbated if donor credit card information is stolen. Not only the damage to the donors, but the reputational damage to the organisation can be hard to recover from.
 
 
 
If you would like a free consultation or help finding the right solution to your business problem, you can BOOK an appointment directly or send a contact request via our contact page

Firewalls, your security perimeter

 
So what is a firewall? In simplest terms, it's a device (hardware and/or software) that blocks network traffic. 
 
Why are they important? A firewall protects your network, home or office, from the internet. If you were to place a computer directly onto the internet without a firewall to protect you, your computer would be infected with a virus within seconds to minutes. I demonstrated this to a friend many years ago, when internet connections were 56K dial-up modems and there were fewer computer viruses in the wild. The computer we connected without any sort of anti-virus software or firewall technology (software firewalls didn't exist back then) was infested within 5 minutes.
 
These days, your desktop/laptop operating systems (Windows 7, 8, 10 and Mac OSX, iPhone, iPad, Android) have built-in software firewalls. These software firewalls are effective, but only to a degree, and any computer left connected directly to the internet would eventually be hacked.

If my computer has a firewall, why do I need one at home? Because all your other home devices, smart TV, Streaming Media devices, smart fridge, typically do not have security or firewall capabilities. 
 

Hardware firewalls

Hardware firewalls are the de facto standard for any office regardless of size. How complex a firewall setup is, and can get, depends on the organisation's needs/requirements, and this can be a very complex world indeed. The needs of a bank are significantly more complex than, say, those of a medium-sized company selling salt.
 
This article is aimed at SOHO to Medium sized businesses and as such won't deal with the complexities of larger corporate firewall needs. However, the principles of network and data protection are the same.
 

NATs (network address translation)

The most basic of hardware firewalls are NAT routers (network address translation). A NAT router is what every ADSL/Cable/Fibre/NBN connection comes with as standard. Your internet provider will send you a router or require you to provide a compatible router for their service.
 
These routers create a private network on the inside of the router and typically have 1 connection to the internet. By default, they allow data flow in one direction only, Private Network -> Internet; unsolicited internet traffic is blocked by the device. See diagram below. However, these are entry-level devices, and many have been shown to have significant flaws that allow them to be relatively easily hacked.
 
 
Above is a typical home network setup, and sadly many businesses are set up in a similar way, just with more devices on the private network.
 
 
 
The more advanced brands of NAT routers allow you to create holes into your network. The holes are used for network communication or access to internal resources. Unfortunately, these devices are not capable of doing what is called stateful inspection of packets, i.e. they are NOT monitoring the traffic that is coming through the hole to determine whether it's friendly or malicious.
 

Firewalls that act as routers

A better way to construct a network is to ensure that your edge devices are firewalls that can route traffic; nearly all firewalls can act as a router (direct traffic from 1 location to another).
Below is a simple example of what this might look like:
 
firewall router
The fundamental difference is that a firewall typically (not always) inspects each packet of data that flows through it and will flag or block packets that could be malicious. However, they are not perfect and are still relatively dumb devices, meaning they have little smarts to detect and deflect hacking attempts. Any hole through the firewall (e.g. to an internal mail server) could still be hijacked by a hacker, or worse, you or your employees go to a website with malicious code and download a virus or malware.
 

Smart Firewalls

Just 10 years ago, the ability to monitor traffic across a series of devices (firewall, intrusion detection, intrusion prevention, content filtering devices) would cost a business $250,000. I purchased this sort of equipment for various organisations I worked for over the years.
 
Today, however, 1 Device, what I refer to as a smart firewall, can provide an array of features for a fraction of the cost, $2000-$5000 dollars.
 
A smart firewall should be able to do the following:
 
  1. Stateful packet inspection (standard firewall capability)
  2. Content filtering - e.g. prevent access to porn or social media sites
  3. Malware detection - preventing the downloading of malware
  4. Intrusion detection - detecting that a hacking attempt is taking place and alerting someone
  5. Intrusion prevention - methods to protect traffic flow and attempt to prevent an intrusion in the first place
 
Over the last couple of years, we have been deploying smart firewalls for all our clients, I've even deployed one on my home network.
 
 

Passwords, huh, what are they good for?

At the end of the day, absolutely nothing (to paraphrase a classic), particularly if you are using a weak password, which in my experience 90% of the population do.
 
Do these passwords sound familiar to you?
 
  password, password123, Password1234, your partner's name, your dog's name, your child's name, your dog and child's name, your child's name and the year they were born. 
 
Which password are you?
 

What constitutes a strong password?

The conventional wisdom was that a strong password contained at least 8 characters, a number and 1 special character such as `~!@#$%^&*()
This has resulted in a culture where we have short passwords with some character substitutions, for example:
 
  • Password - hacked instantly
  • P@ssword - hacked in 3 hours
  • P@ssw0rd - hacked in 9 hours
  • P@ssword1 - hacked in 4 weeks

  • Sweetpea - hacked instantly
  • Sw33tpea - hacked in 2 hours
  • Sw3etpe@ - hacked in 9 hours
  • Sw33tpea! - hacked in 4 weeks
Based on password testing at https://howsecureismypassword.net/. This also assumes 1 computer, so the password that can't be hacked for 4 weeks looks fine until you bring to bear a bank of computers running parallel cracking software, or a mainframe, and that password is useless. And when quantum computers are a reality (which is not far away), all bets are off.

Emerging wisdom

The emerging wisdom in the password space is to use a phrase: a series of words strung together that may or may not make sense to anyone but you.
 
  • Whykickamoocow - hacked in 837,000 years (fictional place in New Zealand, that my parents tricked us with many years ago)
  • Whykick@moocow - hacked in 29 million years

  • Ilovepineapple - hacked in 837,000 years
  • IlovepineApple - hacked in 837,000 years
  • Ilovepine@pple - hacked in 29 million years 
As you can see from the above data, having a phrase as a password significantly increases your password strength, adding some character substitutions such as the @ sign for an A - gets you to millions of years.

 


The best solution

However, the best passwords to have are long passwords, a minimum of 15 characters and more if you can, made of random characters.
The problem with this is that most people would never be able to remember such passwords, but a 15-character random password such as R#bc!$9lkgL5w$K would take 16 billion years to hack.

Password vaults are your answer. I've been using LastPass (www.lastpass.com) for over a year now. I only have to remember 1 master password, and LastPass not only saves all my passwords to all my websites/web services, it will generate long and strong (random character) passwords. A password vault should also be able to share a password with friends or colleagues, as well as run on different platforms and browsers, e.g. phone app, Chrome, Safari, Internet Explorer, Mac/PC etc.
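To show why the character substitutions listed above fall quickly while length does not, here is an added Python example (not from this article or from the testing site it cites) that models the two attacks a cracker actually runs: a wordlist with mangling rules, and exhaustive brute force at an assumed guess rate. The wordlist, the leet table and the guess rates are constructed assumptions; it also generates a random 15-character password with the standard library, the kind of password a vault would produce.

```python
import secrets
import string

# Constructed stand-in for the multi-million-word lists cracking tools ship
# with; the article's sample passwords are all built from words like these.
WORDLIST = {"password", "sweetpea", "welcome", "letmein", "qwerty"}

# Character substitutions a cracker's mangling rules undo automatically.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "l",
                      "$": "s", "!": "i", "5": "s", "7": "t"})

# Assumed guess rates (constructed; real rates depend on the hash in use):
# one machine versus the "bank of computers" the article warns about.
RATES = {"one machine": 1e9, "1000 machines": 1e12}
SECONDS_PER_YEAR = 31_557_600


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet containing every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def keyspace(pw: str) -> int:
    """Guesses needed to try every string of this length over this alphabet.
    This is an upper bound: real crackers also try word combinations."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst case for a brute-force attacker; a dictionary attack is far quicker."""
    return keyspace(pw) / guesses_per_second


def normalize(pw: str) -> str:
    """Strip trailing digits/symbols and undo leet, as mangling rules do."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def is_dictionary_derived(pw: str, wordlist=WORDLIST) -> bool:
    """True when a wordlist plus mangling rules recovers it near-instantly."""
    return normalize(pw) in wordlist


def generate_password(length: int = 15) -> str:
    """Random password over all four classes, drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def assess(pw: str) -> dict:
    """Summarise how the dictionary and brute-force models treat one password."""
    years = {name: seconds_to_exhaust(pw, rate) / SECONDS_PER_YEAR
             for name, rate in RATES.items()}
    return {"length": len(pw), "charset": charset_size(pw),
            "dictionary_derived": is_dictionary_derived(pw),
            "years_to_exhaust": years}


if __name__ == "__main__":
    for pw in ["Password", "P@ssw0rd", "Sw33tpea!", "Whykickamoocow",
               generate_password()]:
        r = assess(pw)
        verdict = "cracked by wordlist" if r["dictionary_derived"] else "brute force only"
        print(f"{pw:16} {verdict:20} "
              + "  ".join(f"{n}: {y:.3g} yr" for n, y in r["years_to_exhaust"].items()))
```

The substituted variants all normalise back to a wordlist entry, so their brute-force figure never comes into play; only the phrase and the random password force the attacker into the exhaustive search.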
 
 

Cyber Security - Do I need it?

Not that long ago I attended a cyber-security conference, and what I learnt literally scared the bejeebus out of me.

One of the services we offer is web development, and for a long time I have ensured that all websites developed by LLOC have a WAF (web application firewall) installed. Nearly every website we look after is under constant attack. Fortunately the WAF blocks 99% of the attacks, but occasionally a hacker gets through, and 9 times out of 10 this is because they have hacked the actual web hosting company. This barrage is constant.

So I thought I was prepared when I headed to the conference. Not even close.

The short version is that hacking is part of our lives and is probably never going to go away. Years ago I was the victim of a card-skimming racket and lost $2000 from my account; fortunately my bank reimbursed me, but that has put me on high alert ever since.

Just weeks ago a client of mine had their phone SIM hacked, which allowed the attackers to gain access to their bank accounts (they were able to get the verification codes sent to a new SIM with the same number), and they lost over $3000 in the process.

So if you think this can't happen to you, think again.

The Scary world of IoTs

IoTs (internet of things) are devices like your smart TV, your smart fridge, those smart lightbulbs you installed in your home, that smart front-door lock. Countless new 'smart' devices and appliances are being developed constantly, and 99% of the time without any consideration for security; they have no inbuilt firewalls or defence systems. There is an expectation that if you install smart devices which can communicate with the internet, you are responsible for making them secure. Yet 99% of people have no idea how to, or even that they have to.
 

Who is hacking and why?

Who? Just about anyone with a computer, a little knowledge and some automated software tools can start a hacking career:

  • kids
  • teenagers
  • adults
  • organised crime (crypto viruses, stealing and selling information)
  • state-backed organisations from most of the major and many minor countries

Why? Because they can, because they want to prove they are smarter than you, to prove to their peers they are better than them, to steal, to spy; the reasons are numerous and endless.
 

How? 

There are so many ways that hackers can attack you; the most effective is what's called social engineering, using your own good nature against you. For example, there is an often-told tale of a small child sent into the reception of a large corporation. She has a USB drive and asks if the receptionist can print something for her mummy, who is attending a meeting, or some homework for school. Our nature is to want to help, so the receptionist dutifully takes the USB and inserts it into the reception computer to print 'the document', but the USB contains a virus, which then rapidly spreads through that organisation's network. This is not fiction.
 
Here are just some of the ways people are hacked:
  1. Phishing (fishing) emails, designed to trick you into taking some action, e.g. change your banking password. They will redirect you to a website which will either steal your info as you type it or result in downloading a virus
  2. The Nigerian Prince scam, another form of phishing, with the promise of a large payout - people still fall for this and its many variations
  3. Stealing your SIM, or more accurately SIM swap, where a hacker has enough info on you to get your mobile number moved to another SIM, which means they now get your SMS and phone calls and are able to get your verification codes from your banks
  4. Malware that steals your information
  5. Malware that encrypts your data and then demands a ransom to unlock it - ransomware
  6. Direct hacking of your devices: phones, computers, tablets
  7. Direct hacking of your website to install malicious code
  8. Direct hacking of your home and/or office network
 

How can I protect myself?

There are many measures you can take to protect yourself; here are my top five suggestions:
 
  1. DO NOT click on any link in any email unless you are 110% sure you know who sent it, and even then, were you expecting them to send you a ZIP file or a link to some website? (Email addresses can be faked.)

  2. Anti-virus/anti-malware software. This should be installed on EVERY device you have: your laptop, your phone, your tablet. Yes, some operating systems are more secure than others, but that still does not prevent you being redirected to a malicious site. Whether you are a Windows PC or Apple Mac, Android or iOS user, install AV software, and pay for it; the cost of this software is a very small insurance policy against what could befall you.

  3. Multi-factor authentication. This means that at least 3 pieces of information need to be known in order to access your bank or other online services: your username, your password and a 3rd randomly changing password (sometimes called a one-time password, OTP) that you have to enter to gain access to a system.

  4. STRONG passwords. What is a strong password? Something that is more than 10 characters long, random, and nonsensical except to you. READ THIS ARTICLE on passwords for more information.

  5. Improved firewalls for your home and business. 99% of homes and 90% of small businesses have inadequate firewall technology in place. READ THIS ARTICLE on firewalls and why you need them.
 

Protect your money

If your bank or credit union does not offer multi-factor authentication (MFA) or one-time password (OTP) facilities, it's time to change banks.
An MFA code is typically a random 6-digit number, synced to the bank's back-end systems and valid for 30 to 60 seconds.
Typically banks offer MFA in one of three ways:
  1. Sending the OTP in a text message - if you have this facility, it's time to upgrade to another method; this is prone to hacking and SIM-swap scams
  2. Software token - such as Google Authenticator or Symantec VIP - this is a great option, always available on your phone; if you lose your phone or change phones you will need to set it up again on the new device
  3. Hardware token - these are typically small devices (think flash-drive size) with a small LCD showing a rotating number; some banks charge a small fee for the token (worth the cost)
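The rotating 6-digit code described under point 7 of the cyber-security article above and in the software/hardware token options here is, in practice, TOTP (RFC 6238), the scheme Google Authenticator implements. This is an added Python example, not code from the article or from any bank or token vendor; it uses the RFC's published test key as a constructed demo secret and shows why a hijacked phone number yields nothing here: the shared secret lives only on the device and the bank's server, so there is no message in transit to intercept.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (the 30-60 s the article mentions)
DIGITS = 6   # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of steps since the Unix epoch.
    Both ends compute this independently from the shared secret and the clock."""
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int, drift: int = 1) -> bool:
    """Server side: accept the current step or `drift` steps either side to
    absorb clock skew, comparing in constant time. A code from three steps
    ago (90 s) is rejected, which is what 'valid for a limited time' means."""
    for step_offset in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(secret, at // STEP + step_offset), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps enrol from a base32 string carried in the QR code."""
    raw = encoded.strip().upper()
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


# Constructed demo secret: the RFC 6238 reference key (ASCII "12345678901234567890").
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"current code {code}, rolls over in {STEP - now % STEP}s")
    print("accepted now:       ", verify(DEMO_SECRET, code, now))
    print("accepted 90 s later:", verify(DEMO_SECRET, code, now + 90))
```

Run with a real authenticator app enrolled on the same base32 secret and the two will show the same six digits, which is the whole mechanism: no SMS, no phone number, nothing for a SIM swap to redirect.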
 

How we can help!

We can do a cyber-security assessment of your business or even personal environments.
We can make recommendations on the best technology to suit your organisation.
We can make recommendations on the best anti-virus/anti-malware solutions for your organisation.
 
 