Friday, June 29, 2012

To Cloud Backup or Not To Cloud Backup

To backup your company data in the "Cloud" with an online backup provider or to backup to only a local hard drive? That is what many small business owners are asking themselves these days.  

For a small business with inadequate (or no) Disaster Recovery Plan, online backup can be a huge step in the right direction from a data protection standpoint.  A company's data is considered one of the most valuable assets a business possesses, and should be protected in the event of a total disaster such as a fire, flood, earthquake, or theft.  Therefore, having an offsite backup is very prudent.  However, business owners should consider some of the security concerns associated with putting your data on someone else's computers. 

Acccording to Kevin Beaver, information security consultant with Principle Logic LLC, "How do you know your backups are going to be secure? It's more than just 'we encrypt' and 'you'll have a login,'" said Beaver. "Online backup environments are just like any other Web application. There are literally tons of security flaws that can be exploited to put your backups at risk. Don't fall for the common 'we're SAS 70 certified' response. Ask for an independent penetration test/security assessment of Web-based environment and ensure the vendor's assessing for new security flaws on a regular basis."

Security expert Jon Toigo, CEO of Toigo Partners International echoed this sentiment. "A lot of cloud vendors will tell you everything you want to hear in order to get your business, but it would take a lot of time and energy for you to go and investigate whether they can deliver what they are saying they can. Interview other customers and make sure there are ironclad security policies in place before choosing a vendor."

If you personally don't have the time to weed out the "Cloud" hype from reality, then consult with your computer services consultant or contact Avisotek. 

Also, data backup should only be one component of a full Disaster Recovery Plan.  If your server or computer that stores all your company data has a complete meltdown, how quickly do you need to have that computer up and running?  Two hours? One day? 72 hours?

How quickly data can be restored from a Cloud backup provider depends on your Internet bandwidth and how much data needs to be recovered.  Your can easily recover one Word document in 10 minutes or less. However, recovering 200 GBs of data or thousands of files is another matter.  It could take days or even a week.  You will need to know what the data transfer rate is in order to calculate how long it will take to fully recover ALL of your data in the event of a complete disaster.  If it is going to take too long, then you will need to explore other alternatives.

Put the "Plan" into Recovering from a Disaster

Four Essential Elements For an Effective Disaster Recovery Plan

Step #1: Identify Which Systems Are Absolutely Critical to Operating Your Business

There are three areas you need to assess: data, systems, and communications.   Determine the data that is critical.  Your customer database and accounting may be critical, but your employment applications forms may not be.  On what computer systems is this data stored?  Your company data may not be stored  in one location.  Data can be scattered over many computers.  Also, determine which computer systems are critical.  Perhaps, your company website availability is not important, but being able to access the Internet is.  Sure, you need to access your customer database, but is printing also critical?  Lastly, how do your customers communicate with you?  How long can your business survive if all forms of communication are disrupted?  What percentage of customers get a hold of your company through the telephone, email, or website?   If 90% of you customers choose to contact your company using the telephone, then you could consider your phone system is far more critical than email.

Step #2: Determine How Long You Can Be Without These Critical Systems

If you clients could not contact you because all you communication systems are disrupted, how long will it take before they will contact a competitor?  If you cannot process orders, at what point will you lose revenue and potentially loose customers?  If you need your systems functional in 24 hours, then a solution that will get those systems functional in 7 to 10 days is not the right solution for your business.

Step #3: Know the Value of Your Critical Computer and Communications Systems 

It is easier to figure out what the replacement costs of you computers are, but what about that customer database?  How many hours have you spent entering information, comments, orders, etc?  How much did you pay employees to enter this data?  Sure, you will need this information for insurance purposes.  You do need to make sure you are properly covered.  And, you can't determine the best coverage until you know the replacement value of your systems and how much business you may lose as a result of the system being down.  But, insurance companies do NOT cover data loss, only lost business.  How long would it take to reconstruct your customer database?  How much would it cost you to have all that data re-entered into the database?  You may be surprised to find out that your database may be valued at tens of thousands of dollars.

Step #4 Have a Disaster Recovery Plan in Writing!

This is the most important element that you must have.  When a disaster occurs you must be ready to recover and get your business up and running otherwise your business will be a statistic. As simple as it may sound, just thinking through in advance what needs to happen if your server has a meltdown or a natural disaster wipes out your office, will go a long way in getting it back fast.  At minimum, the plan should contain details on what disaster could happen and a step-by-step process of what to do, who should do it and how.  Also include contact information for various providers and username and password information for various key web sites and services.  Writing this plan will also allow to think about what you need to budget for backup, maintenance, and disaster recovery.  If you can’t afford to have your network down for more than a few hours, then you need to a plan that can get you back up and running within that time frame.  You may want a redundant server, allowing your office to run off the redundant server while the real one is being repaired.  And, with “virtualization” there are real inexpensive options to having a redundant server.  If you can afford to be down a couple of days then there are less expensive solutions.  Once written, print out a copy and store it in a fireproof safe, and offsite copy, and a copy with your IT consultant. 

"Open for Business" disaster planning recovery series is an excellent source for those wanting to properly and fully plan for staying open for business in the event of any major disaster.

Thursday, June 7, 2012

LinkedIn Password Compromised - What Should You Do?

Yesterday, LinkedIn confirmed that millions of LinkedIn users passwords have been compromised.  Later, LastPass’s and LeakedIn websites offered tools to enter your LinkedIn password to find out if it had been compromised.  Why bother! Just change your password! It would take less of your time than going to one of these websites....and you should be changing your password regularly anyway.

I agree with Jim Bliss comment to article "How to Check If Your LinkedIn Password Was Stolen" on

Why LastPass’s and LeakedIn’s password checking tools (above) are really not a good idea:

1) They only check a subset of the leaked passwords. Therefore, even if you get a ‘clear’ result this can not be relied upon as there are many leaked passwords that are not checked against.
2) Recommending users to enter their passwords into third party sites is asking for trouble, desensitizing users to the problems of phishing.
3) Sooner or later (if not already) a site will spring up claiming to check passwords only to store them for nefarious use (yes, without a corresponding username / email address it is arguably less problematic; however, it would still be useful data for a cracker enabling them to hash the captured password and see if there’s a match and, bingo, you’ve done their work for them).

Far better advice, IMO, is to ignore the checking tools and just change your password.
Checking with these tools provides no security or assurance whatsoever.