As CEO of PCIT I would like to extend a heartfelt thanks to our clients who have worked with us over the last 12 months to protect their data and digital resources. Together we have defied the odds and won against a host of hackers in a big way. Referencing a recent global survey by the Osterman group compared to PCIT’s operational results, we find our clients had significantly less malware, less downtime from malware and never paid a dime to get their data restored. According to the survey of over 540 global companies, Canadians PAID the ransom 82% of the time and approximately 1/3 of those surveyed were forced into this situation.
If our customers had not been so proactive in educating their staff and promoting a security-conscious approach, we would have never gotten this far. In the summer of 2015 our message to clients was ‘Information Technology could NOT control the security of their data and their network without everyone’s participation and ownership of this concern’. At that point many of our clients had invested in best-in-class technology but were also open to taking the next step. Together we had great results. If we were keeping score for 2015 it would look something like this.
| | Typical Canadian organization surveyed | PCIT Customers |
|---|---|---|
| Profile | 5,400 staff + a CIO, IT Director or Chief Information Security Officer + lots of internal IT staff, respondents across Canada | 250 or less staff, mostly have PCIT as 100% IT resource, a few cases where PCIT is responsible for operational results and works alongside -1 full time internal staff, Peace River region focused |
| Suffered security attack last 12 months | 72% | 60% |
| Percent who lost data due to ransomware and PAID between $1,000 – $50,000 to get it back | 72% | 0% |
| Percent who lost data when they refused to pay the ransom | 82% | 0% |
| Severe downtime – It took more than a day trying to restore endpoint functionality | 63% | 0% |
| More than 9 hours to remediate | 60% | 0%* |
| Upper management and C-Level executives are at higher risk | 8% target C-suite, 22% target managers | Typical Canadian organization results seem very similar – don’t have hard data |
| High Risk | 43% lost revenue, 25% stopped operations | Data not available – would estimate the actual results were much much lower |
| Confident they can stop security issues (after all they have lots of ‘smart people’ on staff, and likely someone solely in charge of security) | 51% | ? I really doubt most of our clients are that confident. Guessing results would come in under 20% as being confident they can stop security issues. Most would probably have an internal resource if they felt they could afford it and find one. However, these results are starting to speak for themselves. |
*PCIT did have a remediation that took more than 9 hours in 2014 but it was just after C-level management requested we remove one of our recent security best practices as it ‘was frustrating the staff’. Less than 2 weeks later 3 million files were erased after a C-level executive experienced a security breach. Subsequent to that the security best practice was re-engaged and has remained ever since.
To me these results stress a couple of points. First, we have great clients who have been diligent in working with PCIT in this regard. Very few push back and ask us to own the security results when we say we need everyone’s help. Second, our ‘secret sauce’ appears to be working. In early 2015 we began benchmarking PCIT’s security results across our entire client base and comparing them to individual customers’ results. In this manner we could very clearly identify when our clients were hindering or helping the protection of their data and their operations.
Finally, I believe a deep analysis of the above table completely and totally disproves the fallacy that having an in-house resource is the best way to support IT. The facts appear to heavily weigh against the fact that no matter how smart, how helpful, how well trained, and how well intentioned internal resources are, most Canadian organizations have NO IDEA how large their security exposure is.
I can actually picture the conversation in most boardrooms as being sympathetic to internal IT resources after having to pay a $20,000 ransom like the University of Calgary just did. Executives not knowing how to manage IT try to get results by hiring, providing budget and gauging results by how well they ‘feel’ about the work that is being done. To most managers having to pay a ransom can be excused because the bad guys are ‘really really bad’ and they just know their ‘guy(s)’ or ‘gal(s)’ are good. Results seem to speak otherwise.
If there are organizations who want to manage technology results by more than a ‘feeling’ we would love to discuss if our approach would be a fit.
In the final 4 months before 2016 ends here are some practical suggestions to get $2 back for every $1 spent.
Lower Operating Expense by $1-4,000 per month with Autoworked
PCIT has a new service called Autoworked that can eliminate hundreds of hours of computer input via automation technology. It is very exciting for several customers. The biggest barrier to date has been educating potential customers that there is a very new and creative method to doing common work most never considered possible to automate. Organizations with 3 or more staff involved in accounting related work can typically free up the equivalent of 1 full time staff member. It may sound harsh but manual data entry into accounting systems is on the way to being eliminated.
Leverage proven technology related methodology
Let me give a real example we just ran across last week. A junior energy company asked us to move one of their branch offices in northern Alberta. In the process we found 3 bottlenecks to productivity that were virtually invisible but pervasive. The local area manager had a folder in Outlook filled with IT related emails about some changes he needed. Multiplied by several other area managers across Canada, this energy company was losing TIME from some of their most valuable resources. In this case the resource was a productive, experienced area manager. What he was dealing with wasn’t downtime or poor support. Instead the company had good quality network gear, a great remote connection technology and a solid Virtual Private Network (VPN).
We told the area manager he was losing hours because the design was dated and inefficient for both field users and administrators. It was also missing redundancy at key points of failure further increasing the productive time lost.
Net result from all of this was that a small investment of $10k per site was going to immediately stop this area manager’s inbox from being filled with IT related issues. The value he could generate with the time savings was way past the $10k spend. What was needed was an approach that was accountable to the uptime delivered. An approach that also took some effort to measure productivity versus an acceptable standard would be even better. What the client had instead were great technical contacts who were ‘doing their job’ very efficiently. To them the standard being delivered was fine. To an outsider technology was being supported but it wasn’t being leveraged. An easy payback of $2 for every $1 invested within 4 months was possible.
Leverage Automated Invoicing Technology
Because PCIT has shown potential customers how to eliminate hundreds of hours of data entry, we have had several contacts ask us if we can automate field related ticket entry into their invoicing system as well. What we’ve found so far is that the ideal solutions are industry specific. If the reader happens to be in the construction or Oilfield Services industry they may want to discuss our findings to date. There are some proven tools out there that could deliver a payback very quickly.
Fortunately, up until now our clients have had a zero negotiation policy when it comes to negotiating with cyber-terrorists. These criminals hold people’s data and network for ransom instead of kidnapping people. Our current negotiation policy is to have a valid backup and be 100% confident it is working every day.
I know from being in the trenches it takes steady professional human involvement to be 100% confident. Even then a frequent stress test is important to really prove everything in the system works when it is called upon.
We have probably seen 15 times now when our clients’ data has been almost 100% completely gone unless the ransom is paid. Not once have we asked our clients to open a bitcoin account to pay the terrorist.
When the FBI’s official position is to pay the ransom, the University of Calgary pays the ransom and other really big organizations pay the ransom it is reassuring we have kept our clients from that position.
It turns out terrorism is a good business. This concept has been so lucrative that, instead of being shut down since appearing over 18 months ago, the types of threats are increasing in severity and cost to go free. If this continues it will likely increase the cost of insurance because when data is lost someone is going to pay. If the client has an IT contractor I’m pretty sure the client won’t feel like they are the one who needs to pay…
I believe end user training, disciplined security procedures, and a great backup are all a part of preventing a digital ‘kidnapping’. Technology can also play a great role in prevention. If you have a sense of uneasiness about the security of your data perhaps we should talk.
Working with the team here at PCIT there is always that little sense of question every time we hear a breach occurred. Everyone wants to reach Bernhard, our backup specialist, right away to confirm everything is ok. Once we hear everything is ok calm then ensues. We go on with the restore, the removal of the infection and everyone else goes back to work knowing the resolution is at hand. Another digital heist prevented with no ransom paid and fortunately no lost data.
The wave of automating workflows is rising with every passing day. For 10 years large organizations have been steadily marching towards removing manual repetitive workflows. Now with an economic slowdown in many sections of the economy, interest is rising across organizations of all sizes in how to lower their operating costs. In the current environment the cost of not automating is rising. Centre 2000 and the Chamber of Commerce offered a great venue to introduce what we consider a leading platform to automate some of the most common areas of repetitive manual input.
Our event was focused on how organizations in Grande Prairie can use automation to cut operating costs without cutting service levels or product quality. In our discussions with many local organizations it is not uncommon to be able to lower monthly operating expenses by $1800 – $4,000 per month. Implementation time is typically less than 30 days.
Anyone ever getting a chance to attend one of Brad Sugars’ seminars on wealth will probably find it informative, helpful and fun. Thanks to ATB Financial and Tiffany, our banker there, for the invite.
Brad covered some valuable financial topics such as saving for investing, lowering consumption for investing, business investing and real estate investing. I found his thoughts on business valuation and purchase approaches to be very insightful. As a total real estate non investor he did also make a very realistic and compelling case for using debt financing wisely. His thoughts that real estate is not a great return but via rental and debt financing it is easy and possible was a great perspective. I can’t wait to go through a few of his books.
Brad also mentioned that his general principle is to never, as an owner, invest in training his staff. He made the statement to always have professionals train them. Very interesting, and this looks like an initiative PCIT will need to explore further.
The content was a little crude but also had a good sense of humour. I am not sure if having my children at his seminars as Brad recommended would be my first choice. They may get the impression his communication style is a good one.