3 Real-Life Cybersecurity Incidents… and What They Can Teach You

READ TIME: 4 MIN

February 8, 2023

3 Real-Life Cybersecurity Incidents… and What They Can Teach You

Before getting into the gritty details, let us first acknowledge that no one—be it an individual or a business—likes being “made an example of” in front of an audience. Being the victim of a cyberattack is painful in a number of ways, not the least of which is the public embarrassment or stigma associated with data breach. Our aim in this article is not to place blame, but to highlight the valuable lessons that other businesses can learn from these real-life incidents.

Incident 1: Malicious Web Browser Update

A large insurance company with a nationwide presence was the victim of a ransomware attack that began with a social engineering scheme. The threat actors created a fake web browser update that was delivered through a legitimate website, and after successfully tricking a single employee into clicking on the fake update, they were able to breach that employee’s workstation.

From there, the threat actors moved through the company’s systems, disabling security monitoring tools, deleting backups, and encrypting data throughout. In compliance with ransom demands by the attackers, the company reportedly paid $40 million to obtain a decryption key and to prevent public release of employees’ sensitive data, which threat actors claimed to have stolen.

What Can Be Learned:

As with many cyberattacks, this one highlights the importance of employee security awareness training, as a simple employee error opened the door to an extensively damaging attack and data breach.
Another key point is that before launching the ransomware attack in full, the threat actors located and destroyed backups. This illustrates the importance of business continuity and disaster recovery strategies that include offsite backups that attackers cannot access from inside the company’s network.

Incident 2: Ransomware Attack

The next cybersecurity incident involved a regional hospitality business with about 2,700 employees, that operates a collection of music venues, restaurants, and hotels in the Pacific Northwest. In late 2021, the company’s employees found that they could not access digital files as usual—the result of a malware infection. As soon as the company identified the problem, they shut down key systems to prevent the attack from progressing. The immediate effect of the attack was that they were unable to use any point-of-sale machines, and online access to functions like room reservations was immobilized.

The long-term issues have cut deeper, however, as the ensuing investigation revealed that the threat actors accessed sensitive employee information (e.g., social security numbers), which could be used in identity theft, from thousands of employee records that spanned decades. On top of this, employees have filed a class action lawsuit against the company, alleging that insufficient cybersecurity measures allowed the ransomware attack to happen.

What Can Be Learned:

The downtime the company experienced is a common side effect of cyberattacks, which demonstrates the importance of planning ahead with business continuity strategies to ensure that critical infrastructure remains operational in a crisis situation.
Although reports to date have not explained the root cause of this ransomware attack, what this case makes clear is that post-attack lawsuits are a reality. In such cases, being able to show due diligence to protect sensitive data before an attack occurs is important. Conducting cybersecurity risk assessments and using a multi-layered cybersecurity strategy that addresses threats from a variety of angles are helpful strategies toward this end.
Cybersecurity risk management assessments may also be useful in qualifying for cyber insurance, which can help with business and legal costs associated with cyberattacks.

Incident 3: Spear Phishing/Business Email Compromise

In a world of ever more sophisticated, technology-based cyberattack vectors, it is easy to forget about the more basic cyber scams. But they’re still in use and still a threat. As an example, consider the business email compromise (BEC) attack that befell a small construction company in Texas.

The company received an email from what they thought was one of their contractors. The email said that they were having problems receiving payments, and it asked that payment instead be mailed to a different address. What the company didn’t notice was that the sender’s email address had been spoofed, meaning that it looked very similar to an actual email address from the contractor, with only slight differences. Unfortunately, the construction company dutifully sent a check for $210,312 to the BEC attackers before learning that the request was not legitimate.

What Can Be Learned:

Employee security awareness training on a routine basis is paramount. Spoofed email addresses use subtle substitutions to make them easy to miss, and employees need to be sensitized to this threat to make sure it doesn’t slip through.
When in doubt about an email’s authenticity, reach out directly (don’t reply to the email) to the ostensible sender to verify.

These are just a few real-life examples of cyber incidents that in their different ways have been very costly to the businesses victimized. Taken together, these stories illustrate the importance of protecting access to your systems through strategies ranging from employee awareness training to strong password policy to multi-factor authentication.

Should threat actors navigate past these barriers, solutions that can detect malicious activity and limit access within your network (e.g., SIEM, IAM) are important in slowing threat actors down. Finally, resilience strategies are important for ensuring that critical systems keep running and that backups are maintained where threat actors cannot reach them, keeping them safe from loss or destruction.

Is your business doing all it can to manage cyber risk? Our cybersecurity experts can help.

The descriptions of cyber incidents in this blog post are based on actual events, but identifying information has been omitted out of respect for the businesses affected.

Share On Social

Aligning IT During a Merger or Acquisition

READ TIME: 4 MIN

January 25, 2023

Aligning IT During a Merger or Acquisition

Mergers and acquisitions (M&As) are as promising and exciting as they are intimidating. For many small and medium-sized businesses (SMBs), merging with another organization offers the opportunity to expand beyond their immediate geographic markets and possibly diversify the products and services they offer to command a larger market share.

These attractive prospects come with some tantalizing financial possibilities: Expanding your business’ reach and taking advantage of new efficiencies brings the promise of increased revenues and reduced expenses. Over-eagerness to capture these benefits, however, can result in costly miscalculations, and in truth, only 47% of M&As result in positive returns in the first year¹.

A major stumbling block for many SMBs is not taking the time to create and follow a post-merger integration (PMI) plan, a key component of which is IT integration. In fact, only 40% of businesses formally develop a PMI plan², and many fail to appreciate the importance of strategic IT integration planning.

To give your business the best chance of success with your M&A, it is wise to construct a thorough IT integration plan, keeping the following in mind:

The due diligence stage of M&A planning must include IT.

A company’s IT infrastructure is integral to its strategic performance. Importantly, in 50-60% of M&As, the new synergies and efficiencies firms seek to gain are at least partially related to IT³. Taking the time to fully understand both organizations’ IT realities helps with accurate valuation as well as thorough integration planning, so that you’re ready to hit the ground running immediately after the deal is done.

Map out the full IT infrastructure of both organizations.

This can be a time-consuming and tedious step, but one that deserves thorough attention. In this step, you need to do a full accounting of each company’s infrastructure, including every piece of hardware, every application in use, and all subscriptions and licenses. Some important questions you need to be answering with this information include:

How do applications and other infrastructure elements relate to operations, especially those operations that are closely associated with competitive advantage?
What applications and data are mission-critical?
Do you foresee functionality gaps, i.e., functions the new organization will require that are not supported by current infrastructure?
What communication systems are in use?
Is there outdated hardware that needs updating?

Get a thorough understanding of the IT talent across both organizations.

This includes not just titles but organizational roles, IT operational practices, and IT budget and other resources. It is also useful to learn:

What skills and experience are possessed by IT employees across both organizations?
Are there any skills gaps to address as you move forward with the deal?
How do the organizations handle proactive and reactive IT issues, and are processes compatible?

Determine the desired future IT systems for the post-merger organization.

This is where you’ll need to make some tough decisions, as there will inevitably be elements of one or both organizations’ infrastructure that will need to change. Here are some considerations to guide those choices:

“Best of both worlds” approach: Changes to tech always evoke a certain level of resistance in employees, but a great way of minimizing such resistance is by crafting a new infrastructure using a “best of both worlds” approach. This is where you incorporate the most effective tech from each organization to best meet the business goals of the post-merger organization.
Be careful with legacy systems: Don’t rush to eliminate legacy systems just because they’re old. Legacy systems are often still around in a business because they are mission-critical, and premature discontinuation of such systems can seriously hamper operations.
Consolidate when possible: Vendor consolidation is an important step, as it allows the new organization to take advantage of volume discounts due to its larger size. For example, software subscriptions may be less expensive when purchased at higher volumes; just make sure that you verify transferability of software and other licenses during the due diligence phase.
Identify redundancies and streamline: This is also an ideal time to look for functional redundancies across applications, and to streamline across the newly formed organization to reduce IT costs. Keep in mind that in the average company, over 30% of software spend is wasted⁴; the creation of a new, post-merger infrastructure is the perfect opportunity to weed out such overspend.
Reassess cybersecurity and cyber resilience: Finally, don’t forget to rethink your cybersecurity, as your new infrastructure will likely have new security needs. Combining elements of two previously separate IT systems may leave holes in your security posture that will need to be filled. With your new infrastructure, there will also be a need to reassess business continuity and disaster recovery, to make sure you are prepared to withstand crisis events like ransomware attacks and natural disasters.

A thoroughly planned IT integration plan can make the difference between a chaotic post-merger environment and a smoothly functioning one that is ready to capitalize on the synergies that make M&As worth the work.

Offering in-depth IT assessments and executive-level technology leadership services, NexusTek puts the expertise you need for a successful M&A at your fingertips.

References:

1, 2. Kengelbach, J., Berberich, U., & Keienburg, G. (2015, October 14). Why deals fail. BCG. https://www.bcg.com/en-ca/publications/2015/why-deals-fail

3. McKinsey & Company. (2011). Understanding the strategic value of IT in M&A. https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/understanding-the-strategic-value-of-it-in-m-and-38a#0

4. Flexera. (2022). State of ITAM report. https://info.flexera.com/ITAM-REPORT-State-of-IT-Asset-Management

Share On Social

Understanding the Impacts of a Ransomware Attack

READ TIME: 4 MIN

January 11, 2023

Understanding the Impacts of a Ransomware Attack

Ransomware attacks continue to plague businesses of all sizes, with 82% of attacks hitting small and medium-sized businesses (SMBs)¹. And with the rise of “ransomware-as-a-service,” in which cybercriminals sell ready-made ransomware tools for use by other attackers, it has become more urgent than ever for businesses to protect themselves against this insidious form of cyberattack. To do so, you need to grasp the realities of ransomware attacks:

Stage 1: Employee Unwittingly Grants Access to Network

In most cases, ransomware attacks begin with phishing emails or other types of social engineering attacks, where threat actors try to trick employees into sharing credentials or downloading malicious software by clicking on links or attachments in emails. In some cases, malware is downloaded when an employee visits a malicious website, also known as “drive-by downloading.” Most employees have no idea that they’ve opened the door to a ransomware attack at this stage.

Stage 2: Threat Actors Go After the Data

In the next stage, threat actors put their malicious program to work, encrypting the victim’s data. This renders the company’s data unusable, which forces the company to suspend most if not all business activity. Even worse, ransomware attackers are now more likely to locate and encrypt the victim’s backups as well. With control over the victim’s data, the attackers now have the leverage they need to execute their extortion scheme.

Stage 3: Victim Receives Ransom Note

In the third stage of the attack, a ransom note appears on the victim’s screen. The note threatens the company that if they do not pay a certain sum, usually in cryptocurrency, then their data will be encrypted indefinitely and possibly even destroyed or shared with the public. In this way, ransomware attackers create urgency and fear in their victims, which often compels them to pay up in order to receive the decryption key. And while 66% of companies believe that they would never pay the ransom, in truth, about 65% do pay when faced with the realities of unusable data and an immobilized business².

The Aftermath: How a Ransomware Attack Impacts a Business

As the above suggests, ransomware attacks are major crisis events that can bring a company to its knees. The impacts are various and can include:

Downtime, which costs the majority of SMBs between $10,000 and $50,000 per hour³.
Ransom payment, with median payment of $36,360 and average payment of $228,125 (note that law enforcement agencies strongly discourage paying the ransom)⁴.
Permanent data loss whether the ransom is paid or not, as many ransomware attackers do not make good on their promise of sharing a usable decryption key in exchange for the ransom.
Loss of intellectual property, possibly leading to loss of control over patented information and trade secrets.
Post-attack remediation costs, including costs to replace or recreate lost or damaged files and restore damaged systems, the total cost of which averages $139,000 for SMBs⁵.
Reputation damage among partners, vendors, and the public, often leading to lost business from current and prospective customers.
Lawsuits, often resulting from threat actors releasing sensitive or proprietary information accessed during the attack, which 86% of attackers threaten⁶.

Protecting your business from ransomware attacks requires proactive measures to reduce the likelihood of attack, combined with strategies to limit the damage threat actors can do should they gain access to your company’s network.

Contact NexusTek to learn about multi-layered cybersecurity solutions that hit all the angles.

References:

1 .Drapkin, A. (2022, February 7). 82% of ransomware attacks target small businesses, report reveals. Tech.co. https://tech.co/news/82-of-ransomware-attacks-target-small-businesses-report-reveals

2. Fruhlinger, J. (2020, June 19). Ransomware explained: How it works and how to remove it. CSO. https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html

3. Infrascale. (2020, May 13). Infrascale survey highlights the heavy costs of business downtime. https://www.infrascale.com/press-release/infrascale-survey-highlights-the-heavy-costs-of-business-downtime/

4. Coveware. (2022, July 28). Fewer ransomware victims pay, as median ransom fall in Q2 2022. https://www.coveware.com/blog/2022/7/27/fewer-ransomware-victims-pay-as-medium-ransom-falls-in-q2-2022

5. Help Net Security. (2022, September 15). SMBs are hardest-hit by ransomware. https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

6. Coveware. (2022, July 28). Fewer ransomware victims pay, as median ransom fall in Q2 2022. https://www.coveware.com/blog/2022/7/27/fewer-ransomware-victims-pay-as-medium-ransom-falls-in-q2-2022

Share On Social

Tech Trends for 2023: Don’t Fall Behind

READ TIME: 4 MIN

January 4, 2023

Tech Trends for 2023: Don’t Fall Behind

Welcome to 2023, and we hope your New Year is off to a wonderful start!

No technology blog would be complete without its annual “Tech Trends” article, so we’ve looked into our crystal ball to discover what we predict will be some of the most impactful trends in technology in the coming year. We hope you find this informative and that your business has a stellar 2023!

Broad Trend: Sustainability

Sustainability continues to grow in importance to both consumers and businesses, with 90% of businesses now adopting some form of environmental, social, and governance (ESG) practices¹. Many consumers now make buying decisions based on a company’s ESG performance, and they have become shrewd evaluators of the authenticity of a firm’s stated commitment to sustainability. In fact, the term “greenwashing” has been coined in reference to ESG practices that appear disingenuous or of little practical benefit.

Specific Trend: Migrating to Cloud

The perils of greenwashing have become so acute that Forrester projects that “greenwashing becomes a serious business risk” in 2023². Technology experts such as Gartner’s David Groombridge view IT as being at the center of effective sustainability programs, suggesting that firms adopt a “sustainable by default” policy for all technology decisions.

For businesses looking to improve their sustainability performance, migrating to the cloud is a logical place to start. Compared with on-premises IT infrastructure, cloud data centers make much more efficient use of energy due to factors like higher server usage levels, data center location, and hardware efficiency. What this means for an individual business is that they can obtain the same amount of computing power while consuming far less energy than they would with on-premises infrastructure. This makes cloud computing an ideal means of shrinking your carbon footprint.

Broad Trend: Zero-Trust Cybersecurity

As cloud computing has gained prevalence, many voices have expressed concern about the security of the cloud. Under the traditional perimeter-based cybersecurity model, a company grants trust to users located inside the business’ network, denying trust to those located outside of that perimeter. But where exactly is that perimeter if your workloads are in the cloud and your employees work from remote locations of their choice?

This is an excellent question, one that is underscored by the fact that 20% of companies report experiencing a security breach due to a remote worker³. The answer? We need a new paradigm of security: Zero-trust cybersecurity.

Specific Trend: Multifactor Authentication & Identity Access Management

Zero-trust cybersecurity is not a single solution. It is a state of security that is established by using a collection of solutions that together function to protect a company’s infrastructure in its entirety. As business infrastructures grow ever more diffuse, different methods are needed to ensure that access is granted at appropriate levels and to the right people. Solutions such as multifactor authentication (MFA) and identity access management (IAM) function to support these objectives, using multiple criteria to verify users before granting access on a least-privilege basis.

Specific Trend: Endpoint Management Solutions

You may have heard about solutions like endpoint detection and response (EDR) and mobile device management (MDM)–these security solutions also support a zero-trust cybersecurity program. Endpoint solutions like EDR and MDM enhance security by allowing a company’s IT team to remotely monitor for malicious activity and manage the wide range of devices used by today’s employees, such as mobile phones, laptops, and tablets.

Because employees often use a mix of company and personal devices, also known as bring-your-own-device (BYOD), it is important for IT to have the ability to establish administrative policies and monitor for malicious activity on any device connecting to the company network. Endpoint management solutions give IT departments this capability.

Broad Trend: Optimize Efficiency

With ongoing inflation and a generally uncertain economic outlook for 2023, another overarching theme for many current tech trends is making the most efficient use of your technology tools.

Specific Trend: Automation

Automation certainly falls under the efficiency umbrella, as it gives your company the capacity to manage a range of predictable and repetitive tasks using IT tools rather than employee power. Gartner predicts that by 2024, companies that have implemented large-scale automation may see cost reductions of up to 30%⁴.

For example, business process automation applications are great tools for automating workflows that consume large amounts of employee time. This not only frees up your employees to work on important tasks, but it also reduces the likelihood of data processing errors in key areas like customer orders, inventory, job applications, and other human resources documentation.

Specific Trend: Optimizing IT Spend

Another great way to increase IT efficiency is to eliminate unnecessary spending on applications. If this seems like a no-brainer, consider this: On average, about 33% of a business’ software spend goes unused. In other words, the average company wastes a good chunk of money on things like unused software licenses or redundant applications (e.g., paying subscriptions for three applications that all do basically the same thing)⁵.

Offering IT Spend and other strategic assessments, plus cybersecurity, cloud hosting, productivity & collaboration applications, and managed services, NexusTek has the expertise and tools you need to get ahead of the curve in 2023.

Interested in exploring new IT possibilities for your business?

References:

Overby, S. (2022, December 5). CIOs get serious about sustainability. CIO. https://www.cio.com/article/415205/cios-get-serious-about-sustainability.html
McLellan, C. (2022, November 2014). Tech in 2023: Here’s what is going to really matter. ZDNET. https://www.zdnet.com/article/tech-in-2023-weve-analysed-the-data-and-heres-whats-really-going-to-matter/
Nicoletti, P. (2022, September 29). Remote work security statistics in 2022. CyberTalk.org. https://www.cybertalk.org/2022/09/29/remote-work-security-statistics-in-2022-2/
Weston, M. (2022, December 7). Digital transformation trends in 2023. Information Age. https://www.information-age.com/digital-transformation-trends-in-2023-123500903/
(2022). State of ITAM report. https://info.flexera.com/ITAM-REPORT-State-of-IT-Asset-Management

Share On Social

Holiday Hacking: Watch Out for These Deceptive Tricks

READ TIME: 4 MIN

December 21, 2022

Holiday Hacking: Watch Out for These Deceptive Tricks

While most of us get into the holiday spirit, threat actors gear up for their holiday hacking sprees. To outsmart sophisticated hackers, you have to understand how they operate. Consider the following as you develop your cybersecurity strategy—if a trickster cyber attacker were planning their holiday hacking methods, here’s what they might do…

Extend a Fake Job Offer

A tried-and-true method of gaining access to a company’s network is by tricking employees into downloading malicious files. This type of attack falls under the umbrella of “social engineering” schemes, which often prey upon employees’ trust and benevolence—a rather ruthless form of trickery, indeed.

In one recent example, a notorious hacking group gained access to a cryptocurrency platform, getting away with over $600 million in stolen funds¹. How did they gain access? By tricking an unsuspecting engineer at the firm with a fake job offer that induced him to download a pdf that was infected with spyware. The rest is history.

Scan Remotely to Identify Vulnerabilities

The story above might be falsely reassuring to some small and medium-sized businesses (SMBs). “After all,” you might surmise, “we’re not a cryptocurrency platform with hundreds of millions of dollars at our fingertips, so why would a hacker target us, right?” Wrong.

In 2022, threat actors have tools that allow them to randomly scan billions of IP addresses with ease. What are they looking for? Vulnerabilities that allow them easy access to networks, akin to an “unlocked front door.” Like any other criminal, hackers take advantage of easy opportunities to commit their crimes—the nature or size of the target is secondary. In other words, you don’t have to be an enormous, high-profile enterprise to be a cybercrime target; you just have to leave the front door unlocked to be targeted.

Purchase Credentials on the Dark Web

Speaking of easy ways to gain entry into a company’s network, are you aware that some cyber attackers simply BUY access to their future victims’ systems? Yes, it’s true. In fact, Uber was attacked this year by threat actors who purchased a password on the dark web². Once inside, the hackers were able to download information from one of Uber’s finance tools.

It is believed that the credentials were harvested from a device belonging to one of Uber’s contractors, after the device was infected with malware by the original threat actors. If cybercriminals were looking for an easy way into a company’s network, they might simply peruse the marketplace for stolen passwords. Hence the importance of multifactor authentication to stymie hackers’ efforts to log in!

Use Drones to Impersonate Wi-Fi Network

Unimaginative attack strategies like buying credentials on the dark web might eventually bore sophisticated hackers, who often demonstrate a penchant for creativity. In such case, they might try to replicate an attack that targeted a financial institution in the U.S. earlier this year—one that used drones, no less!

The threat actors in this attack placed devices on two drones and flew them to the roof of the company’s building³. The devices aboard the drones functioned to impersonate the company’s own Wi-Fi network, which then resulted in at least one employee unknowingly logging into the counterfeit network.

The hackers were then able to obtain that employee’s credentials and start their own penetration of the company’s network. Continuous monitoring for aberrant user behavior is what alerted the company to the intruders’ presence, and without such monitoring, it could have been much worse.

Use Password Spraying

Many hackers might try a simple brute force attack where they enter multiple passwords for the same username over and over, only to eventually be locked out of the system. Growing frustrated due to repeated lock-outs might lead them to try password spraying, another prevalent method of attack.

In password spraying, threat actors try the same password with a long list of usernames. The passwords might be known default passwords or commonly used passwords; for example, the password “123456” is used by over 3.5 million Americans⁴. Password spraying preys upon those who fail to change default passwords and/or use weak passwords that are easy to guess, making good password hygiene a must.

As a managed cybersecurity provider, NexusTek offers a range of preventive and responsive security solutions that help SMBs defend against even the most sophisticated threat actors. From employee awareness training and ongoing threat monitoring, all the way through incident response and remediation, NexusTek has your cybersecurity needs covered.

Would you like to discuss your company’s security posture with a cybersecurity expert?

References:

1,2. Lever, R. (2022, October 28). Data breaches in 2022. U.S. News & World Report. https://www.usnews.com/360-reviews/privacy/recent-data-breaches

3. TechFunnel. (2022, October 31). Halloween special: The scariest cyber attacks of 2022 (so far). https://www.techfunnel.com/information-technology/halloween-special-the-scariest-cyber-attacks-of-2022/

4. Tietsort, J. R. (2022, October 3). 17 types of cyber attacks commonly used by hackers. Aura. https://www.aura.com/learn/types-of-cyber-attacks

Share On Social

How Inflation Impacts Business Technology… and What to Do About It

READ TIME: 4 MIN

December 7, 2022

How Inflation Impacts Business Technology… and What to Do About It

Across the globe, inflation has exerted its influence over pricing in virtually every industry, and business technology is no exception. Compounding the problem, the global microchip shortage has combined with inflationary pressures to hit tech pricing especially hard.

According to analysis conducted by IDC, server and storage pricing has increased 10-15%, while business laptops and PCs have shot up in price by a jaw-dropping 18-20%¹. The same report indicated that software pricing and some cloud services were affected as well, showing 5-7% price increases.

All of this adds up to an unpleasant conundrum for IT decision makers at small and medium-sized businesses (SMBs). After all, the technology that your business literally runs on cannot be simply removed from the budget for the next year. But, most SMBs do not have big, roomy budgets that can easily accommodate ongoing inflation, which IDC predicts will continue well into 2023 and possibly even into 2024.

This creates a reality where many IT decision makers are faced with the task of doing more with less. We’ve compiled the following suggestions to support your business in such efforts:

Eliminate Redundancies & Maximize Current IT Investments

A great way to get more “bang for your buck” is to weed out any redundant or unnecessary IT. One study found that, on average, about a third of a company’s software spend is ultimately wasted². A big one to look for in this category is unused software licenses that you can eliminate. A careful self-audit is likely to reveal that your company is paying for cloud-based and/or desktop software licenses that are not being used by your employees.

Also, with the proliferation of software solutions on the market, it is easy for SMBs to end up with multiple applications that have overlapping areas of functionality. This often happens due to shadow IT, which is when project teams or individual workers download cloud-based software without the knowledge of the IT department. A more efficient approach is to select software with robust functionality, and then maximize use of that functionality instead of layering on a variety of redundant applications.

Another angle to consider is consolidation. Can you perhaps bundle different IT hardware or software purchases with a single vendor that has the bargaining power to offer better rates? Managed service providers and value-added resellers (VARs) typically have such leverage with technology manufacturers, allowing them to secure better rates for customers than they can on their own. A thorough cost assessment can often reveal tens of thousands of dollars of overspending, if not more.

Consider Cloud Computing

Although cloud computing has not been immune to inflation, migrating more of your workloads to the cloud might still be a viable way of trimming your IT budget. Because you purchase only the amount of computing power you need, you avoid paying for on-premises hardware that has computing and storage capacities you don’t need and will never use (which is very common with SMBs).

Economies of scale work to your advantage with cloud computing; cloud providers house and run thousands and thousands of servers in their data centers, and the price savings they get from economies of scale are passed on to customers. Also, some cloud providers offer monthly flat-fee pricing, which controls costs and ensures that you’ll never be surprised by huge bills resulting from service usage spikes.

Make Efficient Use of In-House IT Talent

Finally, remember that making the best use of your IT talent is another great way of keeping your IT budget in check during periods of inflation. Robert Naegle, VP Analyst at Gartner, suggests that IT retention programs, along with making the most efficient use of existing IT talent, are key strategies for containing IT costs².

Both of these aims can be met by co-managing your IT infrastructure with a managed services provider (MSP). This is because co-managed IT allows your in-house IT team to focus on higher-value tasks—improving job satisfaction—while outsourcing routine, but time-consuming, tasks to your MSP. Another perk is that co-managed IT is often less expensive than dealing with the inevitable replacement costs when in-house IT staff leave.

Providing co-managed IT services, cloud solutions, and professional assessments including IT Spend Assessment, NexusTek offers a range of services to help you make the most of your IT budget.

Are you interested in exploring strategies to streamline your IT budget?

References:

(2022, June 8). IT inflation: Where it is headed, and what to do about it. https://blogs.idc.com/2022/06/08/it-inflation-where-it-is-headed-and-what-to-do-about-it/
(2022). State of ITAM report. https://info.flexera.com/ITAM-REPORT-State-of-IT-Asset-Management
(2022, June 28). How should CIOs respond to inflation? Q&A with Robert Naegle. https://www.gartner.com/en/newsroom/press-releases/2022-06-28-how-cios-should-respond-to-inflation

Share On Social

Cybersecurity Isn’t Enough — Become a Cyber Resilient Organization

READ TIME: 4 MIN

November 9, 2022

Cybersecurity Isn’t Enough — Become a Cyber Resilient Organization

“Cybersecurity isn’t enough…really?” you might be asking. Before you throw your hands up in exasperation, a word of explanation. We aren’t suggesting that cybersecurity isn’t important or worthwhile. We certainly aren’t suggesting that small and medium-sized businesses (SMBs) should skip cybersecurity altogether. Cybersecurity is as essential to the protection of your business assets as locking the doors to your office when you go home at night.

But, cybersecurity plays just one part of a business’ overall data protection strategy. A massively important part, to be sure, but it’s not the whole story. Cybersecurity gets a lot of attention, but an equally important cyber objective for any company in this digital age is cyber resilience.

What Is Cyber Resilience?

The National Institute of Standards and Technology (NIST) defines cyber resilience thusly:

The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. Cyber resiliency is intended to enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.¹

So, in other words, cyber resilience is all about maintaining your business’ ability to continue functioning normally—even in the face of adverse events like cyberattacks or natural disasters. While cybersecurity is aimed at proactively keeping cybercriminals at bay, cyber resilience is aimed at keeping your systems running even if hackers do get in.

Preventing Data Loss or Destruction

A key objective of cyber resilience strategies is keeping your company’s data safe from loss or destruction. Although cybersecurity strategies limit the risk of data compromise, human error can result in data loss or corruption through accidental deletion or inadvertent malware installation. In fact, 1 in 3 SMBs reported data loss incidents caused by human error².

As you might rightly assume, a consistent and thorough data backup strategy is integral to cyber resilience. Alarmingly, however, 40% of SMBs conduct NO data backups, and 58% do not have a data backup process for their endpoints³.

A much happier statistic is that 93% of data loss incidents are preventable⁴. Implementing a disaster recovery plan helps your business to secure its data against adverse events of all types. With routine local backups, you create your first line of defense against accidental or malicious data compromise.

Since some incidents can compromise primary backups, maintaining offsite backups is your second line of defense. For example, ransomware attackers often go after backups once they penetrate a company’s network, because paralyzing their victims’ backups gives them more leverage. Having a second set of backups in another location helps to defang ransomware attackers’ strategy.

Keeping Critical Systems Up and Running

Another major prong of cyber resilience is making sure that your business-critical infrastructure continues to function in the case of crisis events like ransomware attacks. One of the ways that ransomware attackers coerce their victims into paying the ransom is by bringing their business to a screeching halt. Threat actors know that downtime hits SMBs hard—most lose anywhere from $10,000 to $50,000 per hour of downtime⁵.

With critical systems frozen, victims quickly do the math and realize that paying the ransom is less costly than downtime. Many SMBs wrongly believe that this couldn’t happen to them. But the truth is that 20% of SMBs who were hit by a ransomware attack experienced downtime as the result of the attack⁶.

This is where business continuity planning comes in. With a business continuity plan, your company will have an IT “plan B” should your primary infrastructure falter for an unforeseen reason. With redundant infrastructure at the ready, you don’t have to worry about the tens of thousands of dollars (or more!) your business would lose due to unplanned downtime.

NexusTek offers the solutions your business needs to achieve both cybersecurity and cyber resilience, from customizable security plans with 24/7 monitoring to protect against threats, to business continuity & disaster recovery plans to protect against data loss and costly downtime.

Are you ready to make the leap forward to cyber resilience?

References:

1. National Institute of Standards and Technology. (n.d.). Cyber resiliency. https://csrc.nist.gov/glossary/term/cyber_resiliency#:~:text=The%20ability%20to%20anticipate%2C%20withstand,NIST%20SP%20800%2D172

2. Reilly, C. (2017, August 2). Ransomware shuts down 1 in 5 small businesses after it hits. CNET. https://www.cnet.com/news/privacy/malwarebytes-state-of-ransomware-shutting-down-1-in-5-affected-small-businesses/

3. & 4. The SMB Group. (2020, February 10). Small business data protection: What small businesses need to know. https://www.smb-gr.com/wp-content/uploads/2020/08/10-Feb-Data-Protection.pdf

5. Infrascale. (2020, May 13). Infrascale survey highlights the heavy costs of business downtime. https://www.infrascale.com/press-release/infrascale-survey-highlights-the-heavy-costs-of-business-downtime/

Share On Social

What Is Cloud Migration? A Step-By-Step Overview

READ TIME: 4 MIN

November 2, 2022

What Is Cloud Migration? A Step-By-Step Overview

Although many small and medium-sized businesses (SMBs) are now running at least a small portion of their workloads in the cloud, 63% still rely heavily on internal servers¹. Migrating to the cloud, which involves moving your IT resources from on-premises infrastructure to one or more cloud-based environments, has become increasingly attractive because it helps to future-proof your IT and can reduce total cost of ownership by 30-40%².

But, to obtain such desirable outcomes, you need to understand how the migration process works and how it can go wrong. Following is a high-level overview of the cloud migration process.

Discover Applications and Servers:

To start, you need to have a full accounting of your IT resources.

This includes your on-premises resources as well as anything currently running in the cloud.
Be careful to take account of any shadow IT, which are applications that may have been added without your IT team’s knowledge or involvement.
Determine which applications are business-critical, which you wish to access remotely, and which you would prefer to keep on-premises.

Weigh Your Cloud Options & Assess Connectivity:

The cloud is not a single environment. There are multiple cloud providers who offer a variety of cloud types and services. You also need to take connectivity into account.

Are you interested in public cloud, private, or a combination of the two? Do you want to keep some of your workloads on-premises or move fully to the cloud?
Most SMBs choose a multi-cloud or hybrid cloud structure, which allows you to run different applications in different settings based on best fit. A multi-cloud approach can also allow you to get the best price value for different applications.
You’ll need to determine your preferred distribution of management of infrastructure elements. Do you want the cloud provider to manage the entire infrastructure, from servers to data and applications? Or would you prefer to manage elements like data and applications in-house and have the cloud provider manage the rest of the infrastructure? Your choice will likely depend on the expertise of your in-house IT team and level of staffing.
Keep in mind that your internet connection will need to be sufficient to handle the increased bandwidth of accessing data and applications hosted in the cloud. Given the number of users and the requirements of the applications they will be accessing, make sure that your internet speed is fast enough to handle the new demands.

Analyze Configuration & Dependencies:

This is a step where many SMBs struggle. In fact, understanding application dependencies was the #1 challenge for SMBs in migrating to the cloud, reported by 57% of technology decision makers³.

To plan a migration effectively, you need to understand the relationships between applications, infrastructure, and operations. This is because the functionality of applications may depend upon specific relationships that may not be present or possible in the new cloud environment.
If this step is overlooked or not completed properly, applications may not function normally once migrated to the cloud, and in the worst cases, they may not function at all. This is a time-consuming and costly error.

Evaluate Compatibility Issues:

This is another area that can be challenging for SMBs to manage; 43% reported hitting stumbling blocks related to compatibility issues during migration⁴.

It is important to recognize that your destination cloud environment may use different operating systems and APIs than your on-premises environment.
Similar to issues of fit related to app dependencies, compatibility problems can create performance issues or even application failure in the new cloud environment.

Decide Which Applications to Migrate:

Once you have taken stock of your current environment and its attributes, you can begin making decisions about your future environment.

For applications that will not be successful using a “lift and shift” approach—meaning, they cannot be migrated to the cloud as-is—you will need to decide whether to leave those applications on-premises or modify them so that they will work in the new cloud environment.
Some legacy applications may not have a SaaS equivalent and may require refactoring or even rewriting the code to run successfully in the new cloud environment.
Whether it makes sense to invest in refactoring or rewriting will vary from one business to the next; many businesses choose to keep such applications on-premises while moving other applications to the cloud, adopting a hybrid cloud model.

Consider Compliance Needs:

If your business operates within an industry that carries additional data privacy and security regulations, this is another important consideration when planning migration.

If some or all of your data is subject to regulations like HIPAA, GDPR, or FINRA, it is important to choose a compliant cloud provider.
Make sure that a new cloud provider understands your regulations and is willing to complete any required documentation to support your compliance.

Formulate Security Strategy & Policy:

Moving to the cloud requires that you establish new security practices and policies.

With your data now in a remote location and accessible from a variety of endpoints located in diffuse settings (e.g., as with remote work), it is important to establish a zero-trust security protocol with a layered security regimen that protects all areas of vulnerability.
If you will allow employees to use their own devices (i.e., BYOD) or work from home, it is important to have security policies in place that stipulate cyber safe behavior.

Plan Migration Roadmap:

A careful, step-by-step roadmap is required to make sure that all applications and data are moved successfully while safeguarding against data loss and disruption of your business operations. Completing data backups is an essential step, as is testing the new systems to make sure all data transferred to the cloud successfully and all applications run as needed.

NexusTek offers cloud readiness assessments to help you through each step of your migration, along with IT spend assessment to help you determine the most cost-effective infrastructure choices. Whether you need a second set of eyes or full support with your cloud migration project, our expert engineers are here to help.

Are you ready to move your business forward by migrating to the cloud?

References:

(2021, June 25). Research: SMB IT stack decisions based on fulfilling business needs. https://www.techrepublic.com/resource-library/research/research-smb-it-stack-decisions-based-on-fulfilling-business-needs/
(2021, August 25). Small business cloud adoption in 2021. https://www.impactmybiz.com/blog/infographic-small-business-cloud-adoption/
(2022). State of cloud report. https://resources.flexera.com/web/pdf/Flexera-State-of-the-Cloud-Report-2022.pdf?elqTrackId=f3bb660986704d2980404386aa003141&elqaid=6925&elqat=2
(2021). The definitive guide to migrating to the cloud. https://www.vmware.com/learn/396671_REG.html?src=WWW_us_MKT_n3U2aSwVcTXZxbqIMsFd&int_cid=7012H000001lFP0

Share On Social

Bridging the Gap Between CIOs and CFOs

READ TIME: 4 MIN

October 5, 2022

Bridging the Gap Between CIOs and CFOs

Moving your business forward with its digital strategy requires common ground between technology leaders and financial decision makers. When the working relationship between the Chief Information Officer (CIO) and Chief Financial Officer (CFO) is strong, digital strategies are 51% more likely to be funded¹. This indicates that a strong CIO-CFO relationship is key to developing digital maturity, which gives a company a distinct advantage over competitors.

What Is a Strong CIO-CFO Relationship?

Unfortunately, only 30% of CIOs and CFOs have “strong digital partnerships,” which Gartner defines along two dimensions². On one dimension, strong relationships are characterized by high levels of collegiality as opposed to being adversarial in nature. This means that the CIO and CFO view each other as colleagues with a shared mission, rather than as opponents that they need to overcome.

On the second dimension, relationship strength is indicated when both parties have respect for the other’s areas of expertise and unique contributions to business strategy. This means that the CFO views the CIO as more than just a technology manager or budget owner, but also as an important part of the company’s larger strategic team.

Building Stronger Alliances Between the CIO and CFO

Recognizing the importance of collegiality and mutual respect is one thing, but developing these key dimensions of a strong CIO-CFO relationship is quite another. IT and finance are both complex specialties that require enormous amounts of arcane knowledge to master. This intense specialization can understandably lead to technology leaders and financial decision makers developing what seem to be different languages.

To support your company’s efforts to build mutual understanding and respect between IT leaders and financial decision makers, we have compiled the following collection of recommendations:

Involve IT Leaders in Strategic Planning

Involving technology leaders in strategic business planning has become essential in the digital age, as technology is integral to the core functions of most businesses. However, 66% of business decision makers reported routinely purchasing new IT without the involvement of technology leaders³. This problematic practice can not only lead to poor IT decisions, but also to limitations in an organization’s capacity to manage challenges related to new tech, such as integration difficulties and low adoption.

To illustrate, 89% of “collaborators,” or companies where collaboration between IT and financial decision makers is the norm, felt very confident or extremely confident that they could handle challenges related to new technologies⁴. On the other hand, only 55% of “non-collaborator” business leaders expressed such confidence, suggesting that when technology leaders are not involved in IT decisions, companies are more likely to struggle with their digital initiatives.

Approach Technology Decisions in Terms of Strategic Business Goals

Although it is problematic that CIOs are so often excluded from technology decisions, the reasons for such exclusion are concerning as well. Among decision makers who avoid consulting with IT leaders regarding new technologies, 31% state that they do so because IT leaders’ decisions are not aligned with their digital transformation strategy⁶. This illustrates how important it is that IT leaders approach technology decisions based on the business goals that non-IT departments are trying to accomplish.

Build Empathy and Understanding

When CIOs and CFOs better understand each other’s roles and challenges, their relationships strengthen; however, such mutual understanding is often lacking. Illustrating this divide, 94% of CIOs feel that they understand how technology impacts company financials; however, only 62% of CFOs concur that their counterparts have such understanding⁵. On the other hand, the same study found that while 80% of CFOs think they understand how to adapt financial management to support digital strategy, only 55% of CIOs feel the same.

Possible ways of building mutual understanding between CIOs and CFOs include job shadowing; for example, technology leaders may benefit from shadowing colleagues in departments like marketing or product development. Creating integrated teams or embedding IT professionals in different departments can also help with developing technology leaders’ appreciation for business needs that may be better served by new IT.

Develop Shared Metrics

Developing shared metrics for measuring the effectiveness of new technologies can also be helpful in creating a common language across CIOs and CFOs. While technology leaders may be more likely to measure IT outcomes in terms of user behavior, CFOs are more likely to focus on relevant financial metrics. When IT user metrics do not clearly map onto metrics that indicate the business value of technology solutions, CFOs might have trouble seeing the true business value of the investment. Developing new metrics that more clearly represent the value of digital investments can help to clarify—for both parties—whether and to what extent new tech investments support business goals.

Bring in an Interpreter

One final suggestion is to involve an “interpreter”: a technology leadership consultant who can help bridge the gap between the IT and financial decision-making sectors of your business. Technology leadership “as-a-service” provides companies with seasoned technology consultants who also possess in-depth understanding of business strategy. Because technology leaders have a foot in both worlds—technology and business strategy—they can foster communication and decision making that helps to align a company’s digital strategy with its business goals and financial realities.

NexusTek’s Virtual Chief Information Officers (vCIOs) provide executive-level technology leadership that helps businesses to bridge the gap between business strategy and technology, providing the expertise and guidance needed to get the most out of your digital transformation initiatives.

Would you like to take your company’s digital strategy to new heights?

References:

1,2,4. Gartner. (2022, July 25). How your CFO-CIO partnership drives digital funding—Or not. https://www.gartner.com/en/articles/how-your-cfo-cio-partnership-drives-digital-funding-or-not?utm_medium=social&utm_source=linkedin&utm_campaign=SM_GB_YOY_GTR_SOC_SF1_SM-SWG&utm_content=&sf259316965=1

3,5. The Economist Intelligence Unit. (2018). From gatekeeper to enabler: The role of IT when digital transformation is the norm. https://impact.economist.com/perspectives/sites/default/files/eiu_bmc_from_gatekeeper_to_enabler.pdf

Share On Social

Recognizing and Preventing IT Employee Burnout

READ TIME: 3 MIN

August 31, 2022

Recognizing and Preventing IT Employee Burnout

The experience of burnout goes beyond simply having a bad day—burnout is a psychological syndrome that results from chronic exposure to adverse or stressful conditions in the workplace. As a business leader, it is important to understand that when your employees are burned out, both they and your business suffer. A Gallup survey revealed that employees who are experiencing burnout are 63% more likely to call in sick, 23% more likely to visit the emergency room, and 2.6 times more likely to be actively seeking another job¹.

Many leaders recognize that IT professionals as a group may be at higher risk for burnout, but would you know how to recognize the signs of burnout in your IT staff? Spotting the signs of burnout early and addressing the underlying causes is vital for supporting your IT team’s emotional health and for promoting retention of your top technology professionals. Alarmingly, 42% of IT employees experiencing burnout expressed an intention to leave their jobs within the next 6 months².

Recognizing the Signs of Burnout

Scholars who specialize in burnout research often describe burnout in terms of three dimensions. These are (a) exhaustion, (b) cynicism, and (c) reduced professional efficacy:

Exhaustion: Exhaustion is the individual stress element of burnout. When employees are experiencing exhaustion, they may feel depleted or overextended. Importantly, a recent study found that 62% of IT workers reported feeling “physically and emotionally drained,” indicating a vulnerability to burnout³. IT employees experiencing exhaustion may show signs like increased absenteeism and lower energy, and express feelings of being overwhelmed.
Cynicism: Cynicism constitutes the interpersonal element of burnout. Employees who are experiencing this aspect of burnout may feel distant or disconnected from their jobs and coworkers. They may feel cynical about the importance of their jobs or the company as a whole, feeling as though their work has little meaning or value. Unfortunately, 43% of IT professionals reported feeling less engaged with their work, with 27% expressing a lack of value or purpose in their work, reflecting the experience of cynicism⁴. IT professionals experiencing cynicism may express negative views about their jobs or coworkers, and exhibit frustration and irritability.
Reduced Professional Efficacy: A diminished sense of professional efficacy is the self-evaluative element of burnout. When employees feel a lower sense of professional efficacy, they may start to feel negatively about their own performance on the job. They may feel as though they are not up to the demands of their job, or that they are not as productive as they should be. Of concern, 51% of IT professionals feel that they are accomplishing less than they should, and about 33% feel inefficient on the job, suggesting perceptions of lower professional efficacy⁵. When feeling lower levels of professional efficacy, IT employees may begin to perform at a lower level, have trouble concentrating, or have difficulty with creativity.

Preventing Burnout in IT Employees

Taking effective steps to decrease the likelihood of burnout in IT employees requires understanding the factors that lead to its development. Researchers have found that three of most common factors that predict burnout are (a) unmanageable workload, (b) unreasonable time pressure, and (c) lack of manager support⁶. Accordingly, a recent study of IT workers found that 2 in 5 were at risk of burnout, due to longer work hours, poor work-life balance, and more demanding workloads⁷.

An effective strategy for addressing these predictors of burnout in your IT team is co-managing your IT infrastructure with a managed services provider (MSP). Partnering with an MSP can address predictors of burnout in multiple ways:

Managed help desks take day-to-day, urgent requests for technical support off your IT employees’ hands, reducing time pressure. Relying on a managed help desk also reduces the overall workload for your in-house IT team, reducing the likelihood of burnout.
Proactive support with routine maintenance tasks (e.g., updates, patching) shifts time-consuming tasks off your IT team’s to-do list, making their workloads more manageable.
Taking action to reduce your IT team’s workload and time pressure demonstrates manager support for their well-being, which is also important for preventing burnout.

Talented IT professionals can be challenging to find, and showing that you care about their experiences of their jobs is an important part of an effective retention plan. Co-managing your IT infrastructure with an MSP is a practical way of helping your IT professionals to avoid developing burnout, helping you to hang onto your top IT talent.

Would you like to discuss how partnering with an MSP can improve your IT team’s experience?

References:

1,6. Gallup. (2020, March 13). Employee burnout: The biggest myth. https://www.gallup.com/workplace/288539/employee-burnout-biggest-myth.aspx

2,3,4,5,7. ZDNet. (2022, March 4). Tech workers face a ‘burnout crisis’ unless employers act now. https://www.zdnet.com/article/tech-workers-face-a-burnout-crisis-unless-employers-act-now/