Here’s the transcript from Iddo Porat’s presentation:
Ryan: So now, continuing on with March being Disaster Preparedness Month, I’d like to introduce to you our speaker today, who is the owner of CMIT Solutions on Indianapolis’ Southside. Iddo and I connected many years ago.
Ryan: And over the years, I still get your emails every week with the tech tips you have, from the perspective of making sure that your business’s technical infrastructure is secure and you’re looking in the right direction.
Ryan: So, here to share with us today how to protect your data for your business.
Ryan: Iddo Porat, let’s give Iddo a hand.
Iddo: Good morning, I want to see if I can share this thing here now.
Iddo: Always fun, right? Are you seeing what I’m seeing? Right. So, thank you again.
Iddo: Just to give you some brief information: CMIT Solutions, as was mentioned, obviously we do IT support for small and medium-sized businesses.
Iddo: That includes... we work with quick-fix people that we just help with one-off issues, or managed services, which is more proactive. We can help with network security purchases and so on.
Iddo: And actually, CMIT has a fairly large network. We have over 225 locations across the US and Canada.
Iddo: It is only a couple in Canada, but we also have a network of technicians and a knowledge base that we can pull from.
Iddo: So, just a little overview.
Iddo: Talking about disaster, you know, try to look at the issue as a whole; it can take multiple forms. We can think of natural disasters, which here in Indiana we obviously have: floods and fires and tornadoes. Hurricanes, not so much, and an earthquake is a possibility, I’ve learned.
Iddo: Earthquake: I think Saint Louis is a fault area that has been dormant for like 100 years. So that can kick in eventually, hopefully not in our lifetime, but we never know. And then there’s the other side of it.
Iddo: Um, you know, we see a lot of viruses, malware, ransomware, phishing to go with that. Sometimes the updates that cause issues, equipment failure, as well as, obviously, human error.
Iddo: So, taking all of those into account, I will ask you: do you know, or suspect, what’s the number one cause of technology disaster? And this is participation. I can’t move on until I hear an answer.
Bill: How about viruses?
Iddo: Viruses, ok.
Ryan: Is it unknowing employees?
Iddo: Yeah, that comes close. So, you know, the number one is human error. And I think when you take that into account, the human error is, like you mentioned, it’s knowledge, it’s awareness of this stuff.
Iddo: It’s the viruses, it’s clicking on things, but I’ll go into it a little more.
Iddo: What can be part of human error... but you know, the majority of stuff has to do with us working on the computers, and looking at it overall, with security and data breaches: 81% of data breaches are caused by something to do with passwords, either weak passwords, passwords that are reused across multiple sites, or just stolen ones, which again leads into, kind of, everything tying together.
Iddo: So, the human factor, I kind of mentioned it: the majority of breakdowns are because of that. It could be as simple as, you know, we talked about power outages and some other disasters. So having a UPS, especially if you have a server. Laptops, not as much, because they have an internal battery, but if you have a desktop computer or server, you want to make sure you have a backup battery, and you want to make sure that your battery is working.
Iddo: Even with those, sometimes you get the alarms on them, because the battery after two or three years usually goes bad and you have to replace it.
Iddo: Shutting down the computer while it’s still working, if you press the button and you shut it down, you know, or as simple as deleting files, either maliciously or by mistake. I actually had a call last week from a client who asked me if I could retrieve some files for them, because they had deleted them. So they tried to delete a file, and they deleted the folder instead. It had a bunch of files in it.
Iddo: And we get that call: “Can you help me? Can you find this? I can’t find this anymore.” And luckily, that was part of our backup process, and we were able to restore the folder with all the files from the night before.
Iddo: Other issues: spilling drinks, Coke or coffee, on the computer. Computers don’t like it.
Iddo: We talked about phishing, malware, ransomware, clicking on things, and then you have theft and loss. People carry their laptops with them. You leave it in the car and somebody breaks into the car and takes it. That’s a lot of them, or just losing it. Losing it in the airport, losing your equipment.
Iddo: So, all of those are issues. Some additional wonderful stats: 43% of cyber attacks in the US in 2020 were targeted at small businesses. Now, I’ve heard different statistics around that. A lot of it is with malware and spam and phishing. They send it out wide, so there are a lot more small businesses than large businesses.
Iddo: Sometimes they target the large businesses, but when they just send it out, because it’s easy to just send it out there, it’s hitting all sizes of businesses. And then 40% of all small businesses hit by a cyberattack experienced at least 8 hours of downtime. When you do get hit, depending how, and if you’re getting ransomware and stuff, OK, if you’re not able to retrieve your data, then you’re going to be down for a while.
Iddo: So that’s why it’s important to have a plan, and 92% of companies with business continuity or data recovery protocols in place were back within 24 hours after an attack, which is a good start. You know, basically, if you have a plan and you have a process, your chances are good to recover.
Iddo: So now to the fun part, like the meat, some of the easy stuff. We talked about passwords being an important part of it. Using weak passwords, if you’re using your password on multiple sites, if you are posting your password, keeping it on your screen where it’s accessible: all of those are easy to fix. Basically, you don’t want to use “password”, “password123”, a number. It used to be “Monkey123” was the biggest one, I think, at some point. But you want a more complex password.
Iddo: Now they’re pushing to a longer password, even if the complexity is not there, using a passphrase; you hear that a lot. But definitely more than 8 characters, and then you want to use something like a password manager, a tool that will help you have a different password for every site and keep your passwords in a secure location. So a password manager is like a vault.
Iddo: You put your passwords in there. You can generate random passwords. You know, most of my passwords, I couldn’t tell you what they are; they’re just letters and numbers and symbols, and some of them are 32 characters long. So, if I had to remember those, I would be in big, big trouble.
Iddo: But you have a password manager that stores it, and when you go to the website you can click. It works on your phone. And you can manage the passwords, so it helps do some of that stuff. Some other tools would be using multi-factor authentication.
Iddo: So, raise your hand if you know what multi-factor authentication is, or two-factor authentication?
Iddo: Multi-factor authentication means you’re using a password and something else. Usually with your bank account, you can have them text you, so you get a text with a number and you have to enter the number in there. Or with a lot of them, there’s Google Authenticator or Microsoft Authenticator, that sends you a 6-digit number, and you can pull it up and see the number in there.
Iddo: And basically, that helps you with having more of a checks and balances system, if you want to call it that. If your password gets compromised, you still need to enter this code to do it, and they call this, hopefully, harder to get, because either they have to dup[licate] your phone, which these days is possible, unfortunately, or if you have the authenticator application, then you need to put that in, and it’s a way to a more secure email.
Iddo: And actually, if you’re doing a cyber security policy, a lot of them are requiring it now for your main email system and for main applications. Virtual private network: I would recommend it if you are working off a laptop and you are walking around and going to coffee houses or getting free Wi-Fi in different places. That’s Wi-Fi where you don’t know how secure that Wi-Fi is. When you are in your place of business, and hopefully you have a firewall protecting you on the pure Internet access and you have your security stack supporting you, you’re doing good.
Iddo: But when you are traveling with your laptop and going to different places, that network is not secure. You could actually be going through a compromised network where they can try to see what you’re doing and capture some of the data. So using a virtual private network, or VPN, basically encrypts the data that goes over that Wi-Fi, over to secure servers, which are from the virtual private network provider, so there it’s secure and then your path is secure, so it’s easier to work that way. And then security awareness training is educating, because obviously you’ve heard about social engineering.
Iddo: We heard about phishing. We talked about malware. You need to keep employees and yourself educated on what to do, what not to do: don’t click on links, make sure that the email address matches.
Iddo: If you’re doing a financial transaction, pick up the phone and call the person and confirm the bank account that you’re transferring to. I’ve seen, I’ve had clients that received emails where they try to, or basically spoof, pretend it was them sending the email and the PO (purchase order), and basically have somebody send money to the other place, and if the person hadn’t called to confirm, “Did you change your bank account?”, that would have gone through.
Iddo: So just, kind of, have your policies and procedures, and then education about those policies and procedures on how to do stuff securely. And then we push this a lot: it’s back up, back up, back up, back up. If something happens, the only way to get it back is that you have a good backup. And then what you hear a lot is the 3-2-1 backup rule, which hopefully a lot of you have heard.
Iddo: Basically, the basics of it are that you want 3 copies of your data. One of them could be the one that you’re normally using, but then you want two more copies on different media, meaning you have one on your hard drive, then you want it in other places, and you want one of them to be offline. And mostly these days that is cloud.
Iddo: So basically you have the backup, that’s a second copy, and then the cloud version, that’s separate. And the reason for that is, when you are backing up, if you have a USB drive that you’re backing up to, which is the basic way that a lot of small businesses do it...
Iddo: You plug in a USB drive and you back up your files to it, or you just save a copy, or you drag them over. If that’s connected to your computer all the time, if something infects your computer, it’s going to infect that USB drive as well, and now your backup is gone. So, at the minimum, I have people who do a rotation of USB drives.
Iddo: And that’s kind of the basics, but you can also get cloud backup; it goes to the cloud, and the key there is that you want to make sure that you’re not dealing with only the latest version, that you have some version control in there, that you’re keeping data for more than a couple of days. Because with a breach, as you see, a lot of them stay in your computer. They stay in there for several weeks, if not several months. They look at what you do. They encrypt your data, they try to disable your backups.
Iddo: So, make sure you do backups, and make sure that you test them occasionally.
Iddo: Look through there. Make sure that you are able to retrieve the data, and that your drives, your backup drives, are not still active. So, bottom line is that you need to evaluate your risk.
Iddo: It’s not an if, but when an accident or disaster will happen. It can be a simple one, or it can be a big one, you know; if there’s an earthquake and your office goes down, your data might not be your first priority, but if you’re trying to get back up, it will be eventually. But it could be as easy as a power outage that shuts down the computer and causes a hard drive error. And how do you get your backup there? Or you spilled your coffee on the computer and now it’s out, and also 95% of the PC...
Iddo: Unfortunately, I’m not backup other quickly; just make sure you back up. I had a client call me after they got hit with ransomware. Their drive was encrypted. They did use a backup service, but unfortunately they only backed up one of the drives, not both drives that were on the computer.
Iddo: And half of the data was just encrypted, and we were not able to get to it. So, it’s important to know what your critical data is, and to make sure that you back it up.
Iddo: Disaster recovery plan and business continuity plan.
Iddo: So, we talked about having a plan of what to do. Disaster recovery, basically, is how you’re going to get your data back. And business continuity is more kind of manager research, kind of how do you work and minimize? So the disaster recovery is usually part of the business continuity. But business continuity is more about how you continue to work and minimize the impact of the situation. And it shouldn’t be “help, help, help.”
Iddo: By that time it’s usually too late. Just think about it ahead of time, because, again, if you don’t have a backup, it’s going to be hard to get stuff back.
Iddo: Just a little more on that: as part of your plan, you need the speed. The lingo that you hear is RTO and RPO: recovery time objective and recovery point objective. One is how much time can you afford to be down? So, if you can say, “I’m down for a day,” then you have a day to recover your data. And the second one is recovery point: how much data am I willing to lose?
Iddo: So, you could be working on a computer and backing up every hour if it’s important. Or you can say, “I can back up once a day,” or maybe once a week, and at maximum I lose a week’s worth of data. And then you need to address the scope, time span, and, kind of, to what level do you go, with everything into the plan and the information. And then testing: you want to test some stuff. You can, you know, just kind of walk through it, or you can actually simulate the full disaster. It depends on your comfort level and your needs.
Iddo: Right, wrapping up. I have a resource; if anybody wants to shoot me an email, I can send you over “15 ways to protect your business from a cyber attack.” It talks about, well, we hit a lot of these points already; it talks about multi-factor authentication. It talks about passwords, security, encryption. Again, if you’re working on your laptop and you are moving around, you want to make sure your drive is encrypted. If you lose your laptop and you have unencrypted data, that’s usually a breach of information.
Iddo: But if it’s encrypted, that’s usually a non-event from a breach of information standpoint. So, if you have any compliance reason, then it’s important to have it, but if not, it’s just a good way... like if you have client information in there, you have Social Security numbers, you have tax information on your laptop, you want to make sure the data is encrypted so it doesn’t go away.
Iddo: And I’m done. On to the questions.
Ryan: Iddo, I have a few questions for you.
Iddo: Yes, sir.
Ryan: The first one is, how do you recommend protecting the data on, for example, a laptop if it gets stolen?
Iddo: So, with laptops, like I can tell you, like my laptop, I actually have two backup processes. I back it up to a drive locally, so it’s easy and fast for me to get data back, and I have the cloud backup that basically pushes it over to the cloud as an image. So, if I had a fire and everything burned in my office, I still have the data out there and can bring it back up. But it could be as easy as having a USB stick with your most important data on it, where you say, “My process is to copy it either every day or once a week.”
Iddo: I copy it to the USB drive and I keep that USB at home and not in the office, or vice versa. It’s a different place. So there are a lot of automated tools, automated backups right now, that are fairly inexpensive and that will help you keep your data safe.
Ryan: And then, I guess, my next question is: what password manager would you recommend to someone who isn’t using one yet?
Iddo: The big ones that I see would be: LastPass is a big name out there, [unintelligible], Bitwarden. Even some of the antiviruses, the Norton Antivirus suite, have a password manager in there. But you want to make sure that you’re using a good password for your password manager, so you don’t want to use too simple a password on the password manager itself, and if possible, most of them will let you do 2-factor authentication.
Iddo: So, using a password and the code, secure that manager with all this information. Most of them will give you a yearly subscription. You can get it either as small business, like a family version of it, or an enterprise, bigger one. Usually the enterprise one will let you share passwords. If you have employees, you can actually share a password without letting them know what the password is. So there are some additional tools in there.
Iddo: But all of them will let you work on the computer and on your phone, usually on a mobile device.
Ryan: And so, what’s the ideal length and complexity for a password for it to be good and secure?
Iddo: You know, I keep seeing it going back and forth. Most places will require a minimum of 8 characters. Complexity-wise, you know, I know it’s always upper and lower case and numerical and a symbol.
Iddo: I’ve been reading more. The push has been more to passphrases and not necessarily as complex, but longer passwords. I’m usually trying to do 20 to 30 characters when I create them; some websites will limit you at 16, so... You know, I would say if you’re in the teens, you’re probably pretty good, and then I would still try to use not just alphanumeric.
Iddo: You know, with alpha, it’s only 26, but when you add the special characters, it just adds complexity. And it’s a factorial, the differentiation, right? So it just makes the pool a little bigger.
Ryan: Awesome, thank you.
Kim: You know, I just want to thank you for never judging me when I’m that person on the other end of the line going, “Help, help.” I’m that break/fix girl. I appreciate you.
Iddo: Yeah, I would say, as long as you have a friendly face, it’s easier to help, right? It’s when people are angry at you when something goes wrong that it makes it more difficult.
Kim: Yeah, um, remember the day that I was sitting in my office, and all of a sudden, as big as my screen, was an 800 number, and it had an alarm that was really obnoxious, and it was taking over my entire office, and it was like, “Wah wah wah wah.” I just didn’t know what to do. And I was thinking about calling that number, but I kind of knew that you didn’t want me to call that number, so I called you and I screenshotted it. And I let you hear it, and you said, “Kim, shut your computer off.” It’s like...
Kim: Oh, OK. And then it had to go get the malware [removed], or whatever they did with it to get that virus gone, but I appreciate you always being on the other end.
Iddo: Of course. Yeah, it’s usually, depending on the virus and the malware, I think some of them are more like a website that tries to take over. So shutting down, closing the application works, but if you have encryption and stuff, sometimes they tell you to unplug it from the network and don’t touch it and let somebody look at it, because sometimes when you reboot, it goes to the next stage of the malware. But it’s always important to unplug it from the network to make sure it’s not propagating to other computers on your network.
Kim: Makes sense, thank you.
Iddo: Here’s my contact info. I guess, does anybody have any other follow-up questions? Or if you want the 15 ways document, I’m happy to send it to anybody who wants it.
Ryan: Does anyone else have any questions for Iddo?
Audience Member 1: I just have a comment. I wanted to thank you for this presentation. As a photographer, I guess I do have to back up a lot of those photos, and I have, you know, several files and huge files, and sometimes, I guess I’ve thought about it, but this just drives home the points of why it’s important, because sometimes my clients do come back and want photos from several years ago.
Audience Member 1: So, thank you so much for being generous and sharing this information, and I will be reaching out to you ’cause I think I need help.
Iddo: Happy to help, and like I said, the easiest is like a drive, but it really depends on what you need. If you are buying them just over the Internet, you have to be careful to make sure you read the terms. Some of them won’t back up programs; some of them will only back up document folders and stuff like that. So just be careful; read the fine print of what they’ll back up for you.
Iddo: Hey Ryan, one more point. Nobody said shepherd’s pie. It’s also a good pie.
Ryan: Oh yeah, that’s a good one.
Kim: No, I don’t like my food to touch.
Ryan: Awesome, well everyone, if we don’t have any other questions for Iddo, let’s give him a hand for his presentation today.