We have a problem
If your entire firm’s data was locked with CryptoLocker on Tuesday, would you be out of business on Wednesday? Could you recover? Zanshin is a Japanese concept of a state of awareness, relaxed alertness. In martial arts, the term is associated with remaining awareness, being focused without distraction. When it comes to your appraisal firm, is cyber security a top priority? It should be.
It’s keeps me awake at night thinking about the global number of people (and the tools available to them) hacking away at our office infrastructure, cloud resources, cell phone apps, and elaborate wire transfer schemes through phishing. Do you have backups that actually restore? How long would it take you to restore it? Do you know where all your stuff is? Do you know all your logins and passwords?
Pen test (also known as a penetration test) is ethical hacking to test the security (and compliance) of your office systems. Companies like A-LIGN provide this service. For a couple bucks a month, some companies actively phish your employees to see how good they’re trained.
A phishing example might be going to the CEO’s Facebook page and notice they’re currently enjoying a trip to wine country. The bad guy would then go to the company website to determine who handles accounting. This faux cybercriminal sends a fake email on behalf of the CEO to the bookkeeper talking about how much fun they’re having in Napa Valley. Then comes the casual ask, “Can you wire money to this account? I totally forgot to ask you before I left on my trip, thanks!” Context seems legit.
In the last couple of years, I have participated in Digital Hands (a managed security services provider – MSSP) security summit. Top-notch speakers including CTOs from Fortune 500 companies, FBI cyber agents and academia. These very informative seminars have taught me tiered cybersecurity impacts:
- Tier 1 Critical Business Impact
- Tier 2 Operational Damage
- Tier 3 Minor Informational
A Tier 3 breach would be annoying, but not hugely disruptive. A Tier 2 would be damaging and costs real money loss and time. Your clients would notice. A Tier 1 breach may not be recoverable for many firms.
So what’s the solution? One suggestion is 3-2-1 backup. This rule is to have at least three copies of your data, two backup copies on different storage media and one off-site. Cloud backups are very inexpensive, like 5TB for $75 with IDrive. Confirm that the backups are working with email failure alert notifications. Hire a MSP like LM Consulting. Pay for a pen test. Make sure you document (on old school paper) logins and passwords for every service that you use. Create off-boarding procedures for ex-employees.
Practice zanshin, be focused with passive awareness to potential business loss. Be aware of the real cost of Tiers, especially a firm-killing Tier 1 breach. I hope you avoid having to say, “we have a problem.”