Saving thousands, even tens of thousands, on your information technology (or IT security) budget in 2017 is possible. The suggestions below show that outstanding information security results are achievable without large security budgets or specialized security consultants. Our customers, representing hundreds of PC users, have consistently and methodically lowered both their security incident count and the severity of their breaches over the last 24 months. Recently we celebrated a six-month stretch with only one client having one virus on one computer. (That was back in May, and we hope that client never does it again, as it messes up everyone's stats!) This update shows how a manager or executive can hold a technical team accountable for great results and keep control of a security budget. It also identifies the specific security actions a technical team can institute that, taken together, dramatically lower the risk profile.
Before outlining the steps and methodology, let us offer evidence that outstanding results are possible. Our validation comes from comparing PCIT's clients to a survey of 540 Canadian and worldwide organizations by the Osterman Group. In that survey 72% of the Canadian organizations experienced a security attack within 12 months, while 60% of PCIT's clients experienced the same. What happened after the incident is more striking. The survey reports that 63% of those attacked experienced severe downtime of over 9 hours; none of PCIT's clients experienced severe downtime. Most telling, the survey respondents appear to have significantly higher digital security budgets and, in many cases, dedicated security staff.
The most effective method we have found for lowering security incidents is surprisingly low cost. This #1 tool is not a special antivirus product, a next-generation firewall, two-factor authentication, biometrics, independent network penetration testing, or any other specialized approach. PCIT sees the most improvement in network security simply by measuring the incident rate of a single network and then comparing that rate to a peer group. Because PCIT delivers IT services for many clients across the Peace River region, this has become an easy process. First, every virus, data breach or malware incident is recorded. Next, we track how many occur each month for each client. Last, we compare that client's results with our entire client base. A sample table is below.
This methodology is powerful because it gives the owners or executives responsible for IT security actionable data they can relate to. If they have more malware than their peers, it becomes clear even to a non-technical person that something needs to change. If the IT resource can then pinpoint where the differences between them and their peers lie, approving a specific action to get better results becomes far easier to justify.
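To make the benchmarking step concrete, here is an added example (not PCIT's own tooling) of the calculation described above: record each incident, count incidents per client per month, normalize by the number of managed PCs so that a 40-seat office and a 120-seat office can be compared fairly, and flag clients above the peer median. The incident records, client names and seat counts are constructed for illustration; normalizing per 100 seats is an assumption, since the original text does not say how client size is handled.

```python
"""Benchmark per-client security incidents against a peer group.

Added example, not PCIT's own tooling. The incident log and seat counts
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed incident log: (client, date, incident type)
INCIDENTS = [
    ("acme", date(2016, 3, 2), "malware"),
    ("acme", date(2016, 3, 9), "ransomware"),
    ("acme", date(2016, 4, 14), "malware"),
    ("birch", date(2016, 3, 20), "malware"),
    ("cedar", date(2016, 4, 1), "phishing"),
    ("acme", date(2016, 4, 22), "malware"),
]

# Constructed seat counts (managed PCs per client). Assumption: incidents per
# 100 seats is the fair basis for comparing clients of different sizes.
SEATS = {"acme": 40, "birch": 120, "cedar": 80, "delta": 60}


def monthly_counts(incidents):
    """Map (client, 'YYYY-MM') -> number of recorded incidents."""
    counts = defaultdict(int)
    for client, when, _kind in incidents:
        counts[(client, when.strftime("%Y-%m"))] += 1
    return dict(counts)


def rate_per_100_seats(incidents, seats, month):
    """Incidents per 100 managed PCs for every client in `seats` for one month.

    Clients with no incidents that month still appear with 0.0, so a clean
    month counts in the peer group instead of being silently dropped.
    """
    counts = monthly_counts(incidents)
    return {c: 100.0 * counts.get((c, month), 0) / seats[c] for c in seats}


def benchmark(incidents, seats, month):
    """Per-client rows, worst first, with the peer median and an above-peers flag."""
    rates = rate_per_100_seats(incidents, seats, month)
    peer_median = median(rates.values())
    rows = []
    for client in sorted(rates, key=rates.get, reverse=True):
        rows.append({
            "client": client,
            "rate": rates[client],
            "peer_median": peer_median,
            "above_peers": rates[client] > peer_median,
        })
    return rows


if __name__ == "__main__":
    for row in benchmark(INCIDENTS, SEATS, "2016-04"):
        print(row)
```

The `above_peers` flag is the conversation starter the text describes: a client sitting above the peer median has a number a non-technical owner can act on, and the IT resource can then look at what that client does differently from the rest of the base.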
The dynamics of this approach are hard to communicate in a short paragraph. What we have seen is that while the severity and sophistication of security incidents reported in the news has increased over the last 24 months, our clients have methodically lowered their risk profile. Many have done so without increasing IT security spending by a single dollar. Comparing results to peers and bringing open accountability has created, across many organizations and industries, a culture of security awareness and ownership. This culture, and the user behaviour it produces, has been the biggest second-order effect of sharing security results in this manner.
Over the last 24 months we have helped various organizations eliminate or greatly reduce the effect of malware, viruses and data breaches in their environments. Our clients have seen these results with relatively modest network security budgets. We conclude that great, even outstanding, network security is possible independent of large capital spending or dedicated IT security specialists.
We would be pleased to release at no charge or obligation our best practices related to network security for any interested party.
A significant development in communication has occurred over the last 18 months that your organization should seriously consider taking advantage of.
I believe the benefits of this communication service are almost entirely positive with virtually no downside. In testing, comparing and reviewing competing systems, it is my conviction that at this point in time there is no comparison. Even more interesting, for most of our readers this tool will be free.
The service I would like to strongly endorse is called Cisco Spark. It is so good, and currently so superior to other services, that if you have no current platform you should consider starting a test right away. Organizations with a competing solution should consider dropping what they are using and moving to Spark.
What makes this service so good and others not worth keeping? Answering that in a paragraph would be like trying to describe the first iPhone relative to the smartphones on the market at the time. Such a comparison was hard to sum up in a few words. No doubt the iPhone was a bigger leap forward in productivity than Spark is over its alternatives, but the situation is similar in that there is one clear leader. I remember when the first iPhone came out, a local doctor who was very technical told me in no uncertain terms that the iPhone would take over the market. I had a BlackBerry at the time and thought it was pretty hip. His conviction opened my mind to the possibility of doing things a better way even though I had no concrete facts.
Many reviews of competing systems are available online should you feel that type of research is warranted. I believe a long list of features would miss the forest for the trees in this case. A better analysis is to get two or three people together to try the service and watch the results. Those tests should involve a committed leader and people who care about productivity and are not afraid to adapt and work in a new way. Even better is to start a test with someone outside your organization. In our case, we tested the service with vendors and our bookkeeper. We also tested Spark on projects and new initiatives. In every case the design and functionality were very strong.
Over the last year of using Spark we have faced a few frustrations with stability, feature changes and updates. Still, in hindsight I wish our office had followed my initial conviction and standardized on this service right away. Instead, I kept trusting that competing products were 'good enough'. Somehow I doubted this product was the leader it seemed to be and worried that some 'missing' feature was worth having. Over that period I faced internal feedback that 'this is just another tool' and doubts that Spark's competitive edge would last. So far Spark has maintained its big lead. To gain a similar lead, visit here or ask PCIT to help with the initial installation.
As CEO of PCIT I would like to extend a heartfelt thanks to the clients who have worked with us over the last 12 months to protect their data and digital resources. Together we have defied the odds and won against a host of attackers in a big way. Comparing a recent global survey by the Osterman Group to PCIT's operational results, we find our clients had significantly less malware, less downtime from malware, and never paid a dime to get their data restored. According to that survey of over 540 global companies, Canadians PAID the ransom 82% of the time, and approximately one third of those surveyed were forced into that situation.
If our customers had not been so proactive in educating their staff and promoting a security-conscious approach, we would never have gotten this far. In the summer of 2015 our message to clients was that information technology could NOT control the security of their data and their network without everyone's participation and ownership of the concern. At that point many of our clients had invested in best-in-class technology but were also open to taking the next step. Together we had great results. If we were keeping score for 2015, it would look something like this.
|Measure|Typical Canadian organization surveyed|PCIT customers|
|---|---|---|
|Profile|5,400 staff plus a CIO, IT director or chief information security officer and a large internal IT staff; respondents across Canada|250 or fewer staff; most have PCIT as their 100% IT resource, with a few cases where PCIT is responsible for operational results and works alongside a single full-time internal staff member; Peace River region|
|Suffered a security attack in the last 12 months|72%|60%|
|Lost data to ransomware and PAID between $1,000 and $50,000 to get it back|72%|0%|
|Lost data after refusing to pay the ransom|82%|0%|
|Severe downtime: more than a day spent restoring endpoint functionality|63%|0%|
|More than 9 hours to remediate|60%|0%*|
|Upper management and C-level executives at higher risk|8% of attacks target the C-suite, 22% target managers|Appears very similar to the typical Canadian organization; no hard data|
|High impact|43% lost revenue, 25% stopped operations|Data not available; our estimate is that the actual figures were far lower|
|Confident they can stop security issues (after all, they have lots of 'smart people' on staff and likely someone solely in charge of security)|51%|Unknown. I doubt most of our clients are that confident and would guess under 20%. Most would probably hire an internal resource if they felt they could afford and find one. Even so, these results are starting to speak for themselves.|
*PCIT did have one remediation that took more than 9 hours, in 2014, just after C-level management asked us to remove one of our recent security best practices because it 'was frustrating the staff'. Less than two weeks later, 3 million files were erased after a C-level executive suffered a security breach. The best practice was re-engaged afterwards and has remained in place ever since.
To me these results stress two points. First, we have great clients who have been diligent in working with PCIT on this. Very few push back and ask us to own the security results when we say we need everyone's help. Second, our 'secret sauce' appears to be working. In early 2015 we began benchmarking PCIT's security results across our entire client base and comparing them to each individual customer's results. In this manner we could very clearly identify when a client was hindering or helping the protection of their data and operations.
Finally, I believe a close reading of the table above thoroughly disproves the notion that an in-house resource is always the best way to support IT. The facts suggest that, no matter how smart, helpful, well trained and well intentioned internal resources are, most Canadian organizations have NO IDEA how large their security exposure is.
I can picture the conversation in most boardrooms being sympathetic to internal IT staff after having to pay a $20,000 ransom, as the University of Calgary just did. Executives who do not know how to manage IT try to get results by hiring, providing budget and gauging results by how they 'feel' about the work being done. To most managers, having to pay a ransom is excusable because the bad guys are 'really really bad' and they just know their 'guy(s)' or 'gal(s)' are good. The results suggest otherwise.
If there are organizations who want to manage technology results by more than a ‘feeling’ we would love to discuss if our approach would be a fit.
In the final 4 months before 2016 ends here are some practical suggestions to get $2 back for every $1 spent.
Lower Operating Expense by $1-4,000 per month with Autoworked
PCIT has a new service called Autoworked that can eliminate hundreds of hours of manual data entry through automation. Several customers are very excited about it. The biggest barrier to date has been educating potential customers that there is a new and creative way of doing common work that most never considered possible to automate. Organizations with three or more staff involved in accounting-related work can typically free up the equivalent of one full-time staff member. It may sound harsh, but manual data entry into accounting systems is on its way to being eliminated.
Leverage proven technology related methodology
Let me give a real example we ran across last week. A junior energy company asked us to move one of their branch offices in northern Alberta. In the process we found three bottlenecks to productivity that were virtually invisible but pervasive. The local area manager had an Outlook folder full of IT-related emails about changes he needed. Multiplied across several other area managers in Canada, this energy company was losing TIME from some of its most valuable people. In this case the resource was a productive, experienced area manager. What he was dealing with was not downtime or poor support; the company had good-quality network gear, a great remote connection technology and a solid virtual private network (VPN).
We told the area manager he was losing hours because the design was dated and inefficient for both field users and administrators. It was also missing redundancy at key points of failure, further increasing the productive time lost.
The net result was that a small investment of $10k per site would immediately stop this area manager's inbox from filling with IT issues. The value he could generate with the time saved was well beyond the $10k spend. What was needed was an approach accountable for the uptime delivered; one that also took the effort to measure productivity against an acceptable standard would be even better. What the client had instead were good technical contacts 'doing their job' very efficiently. To them the standard being delivered was fine. To an outsider, technology was being supported but not leveraged. An easy payback of $2 for every $1 invested within four months was possible.
Leverage Automated Invoicing Technology
Because PCIT has shown potential customers how to eliminate hundreds of hours of data entry, several contacts have asked whether we can automate field ticket entry into their invoicing system as well. What we have found so far is that the ideal solutions are industry specific. Readers in the construction or oilfield services industries may want to discuss our findings to date. There are some proven tools out there that could deliver a payback very quickly.
Fortunately, our clients have so far held a zero-negotiation policy toward the cyber-criminals who hold data and networks for ransom instead of kidnapping people. Our negotiation position is to have a valid backup and to be 100% confident, every day, that it is working.
I know from being in the trenches that it takes steady, professional human involvement to be 100% confident. Even then, a frequent stress test, meaning an actual restore, is the only way to prove that everything in the system works when it is called upon.
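The restore test the paragraph above calls for is the part most backup jobs skip: a job that reports success proves only that an archive was written, not that the files come back intact. The following is an added example, not PCIT's own backup process, of a restore test that extracts the archive into a scratch directory and compares every restored file's SHA-256 to a manifest recorded at backup time. The sample data, the tar.gz archive format and the manifest scheme are constructed for illustration; the `demo()` scenario also shows the test catching a stale backup that no longer matches the live data.

```python
"""Restore test for a backup archive: prove it restores, not just that it exists.

Added example, not PCIT's own backup process. The sample data and archive
are constructed in a temporary directory so the script runs offline.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def make_backup(source_dir, archive_path):
    """Write a tar.gz of source_dir and return the manifest recorded at backup time."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return manifest(source_dir)


def restore_test(archive_path, expected):
    """Extract into a scratch directory and compare every file to the manifest.

    Returns (ok, problems). A missing, altered or unexpected file fails the test.
    """
    # The 'data' extraction filter (Python 3.12+, backported to older patch
    # releases) refuses archive entries that would write outside the target.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        restored = manifest(scratch)
    problems = []
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"corrupt: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected: {rel}")
    return (not problems, problems)


def demo():
    """Constructed scenario: a fresh backup passes; after the data changes, the
    same archive fails the test against a manifest of the current files."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly close\n")
        archive = Path(work, "backup.tgz")
        expected = make_backup(src, archive)
        good, _ = restore_test(archive, expected)
        # Data changes after the backup ran, as it does every day in production.
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        stale, problems = restore_test(archive, manifest(src))
        return good, stale, problems


if __name__ == "__main__":
    print(demo())
```

Run on a schedule against the most recent archive, a failing `restore_test` is the early warning that the backup is not the safety net it appears to be; the stale-backup case in `demo()` is exactly the gap between "the job ran" and "yesterday's changes are recoverable".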
We have seen roughly 15 cases now in which a client's data was almost entirely gone unless the ransom was paid. Not once have we asked a client to open a bitcoin account to pay the attackers.
When even FBI agents have been publicly quoted advising victims to pay, the University of Calgary pays the ransom, and other very large organizations pay the ransom, it is reassuring that we have kept our clients out of that position.
It turns out ransomware is a good business. The model has been so lucrative that, rather than being shut down since it appeared in force over 18 months ago, the threats are increasing in severity and in the price demanded to go free. If this continues it will likely raise the cost of insurance, because when data is lost someone is going to pay. If the client has an IT contractor, I am fairly sure the client will not feel they are the one who should pay....
I believe end-user training, disciplined security procedures and a great backup are all part of preventing a digital 'kidnapping'. Technology also plays a large role in prevention. If you have a sense of unease about the security of your data, perhaps we should talk.
Working with the team here at PCIT, there is always a moment of doubt every time we hear a breach has occurred. Everyone wants to reach Bernhard, our backup specialist, right away to confirm everything is OK. Once we hear that it is, calm returns. We proceed with the restore and the removal of the infection, and everyone else goes back to work knowing the resolution is at hand. Another digital heist prevented, with no ransom paid and no data lost.