So in this article I will once again upset and annoy some tech folk who hide behind certifications and standards instead of actually putting in place measures to protect your data.
The first is ISO27001 – a framework built around Information Security Management Systems (ISMS).
Risk Management – you have to perform your own internal assessments continually.
The second is Data Sovereignty – if your data is stored inside Australia then you and your data are protected by Australian law (the law doesn’t always apply).
While I understand both play a role in helping keep your data safe, I have never seen either actually keep your data safe; hence I will not hide behind them and use them as selling points.
It DOES NOT matter where your data is located when your local or cloud-hosted server allows unlimited login attempts from anywhere, including Russia, China or North Korea, and your remote-access authentication mechanisms are flawed.
- Do you use two-factor authentication, or can someone log in using the username Shaun and a dictionary word like Eucalyptus?
- Is your username/password combination unique and complex?
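As an added example (not code from the original post), here is a small detector run over constructed sshd-style log lines: it flags a source address after five failed logins within five minutes and separately reports any successful login that follows such a burst, which is the “unlimited attempts plus a weak password” scenario described above. The log format, the thresholds and the addresses are assumptions.

```python
"""Detect login brute-forcing over sample auth log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not a real capture): a dictionary attack on "shaun"
# from one address that eventually succeeds, and two stray failures from another.
SAMPLE_LOG = """\
Mar 14 02:00:01 srv sshd[101]: Failed password for shaun from 198.51.100.7 port 51000 ssh2
Mar 14 02:00:02 srv sshd[101]: Failed password for shaun from 198.51.100.7 port 51001 ssh2
Mar 14 02:00:03 srv sshd[101]: Failed password for shaun from 198.51.100.7 port 51002 ssh2
Mar 14 02:00:04 srv sshd[101]: Failed password for shaun from 198.51.100.7 port 51003 ssh2
Mar 14 02:00:05 srv sshd[101]: Failed password for shaun from 198.51.100.7 port 51004 ssh2
Mar 14 02:00:06 srv sshd[101]: Accepted password for shaun from 198.51.100.7 port 51005 ssh2
Mar 14 02:10:00 srv sshd[102]: Failed password for shaun from 203.0.113.9 port 40000 ssh2
Mar 14 02:25:00 srv sshd[102]: Failed password for shaun from 203.0.113.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line, year=2019):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def find_brute_force(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Sliding-window count of failures per source address.

    Returns (flagged, compromised): flagged maps an address to the moment it
    crossed the threshold (block it there); compromised lists (user, ip) pairs
    that logged in successfully *after* being flagged, which needs a human.
    """
    failures = defaultdict(deque)
    flagged, compromised = {}, set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop attempts outside the window
                q.popleft()
            if len(q) >= max_failures and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            compromised.add((user, ip))
    return flagged, compromised
```

A real deployment would feed this from fail2ban-style log tailing or the Windows Security log, but the logic (count per source, bounded window, alert on success after a burst) is the same.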
Do you control what your staff can access?
- Do your staff have Dropbox or similar installed, through which they can siphon out sensitive data?
- Can they access personal email and therefore send themselves sensitive documents?
In those scenarios the onus is on you, the business owner or manager, to mandate your own controls and methodologies for protecting your data. When your information is stolen by an insider without your knowledge, or a hacker gains control of your system, no framework or law will help you; it’s already too late.
I know the following will divide many in the tech industry but I am only speaking from experience. So many sales folk and techs will throw around phrases designed to make you feel warm and fuzzy about your investment without actually factoring in the real world and how it works.
The first is a phrase from Internet Providers of all sizes – 1 to 1 contention.
This merely means that from your router to the ISP you get guaranteed bandwidth, but it of course comes at a premium price. For example, a 40/40 service (that’s 40 megabits per second, not megabytes) in Maroochydore will set you back about $600 from TPG. Megabits per second is the connection speed, while the actual download speed is approximately 4 megabytes per second.
So you have guaranteed bandwidth at your disposal – that’s amazing… until:
- Someone sends out a bulk email with a 15 MB (megabyte) attachment to 400 recipients (that’s 6 GB of traffic).
- Someone dumps thousands of photos from their phone into Dropbox, and Dropbox is not rate limited.
- Your fleet of 25 Windows 10 computers decide it’s time to upgrade, downloading a 4 GB update – that’s 2.5 GB of traffic.
If just one of those events occurred, the entire business would be rendered offline and become completely unproductive.
The issue here is that all of these are normal business functions in modern times, but the setup and sale of the service is archaic. The internet provider would simply state “my service was operating as intended”, which leaves you, the business owner, at a loss.
A modern approach!
For $600 you could easily get three NBN connections running at 100/40 (or close to it) with load balancing set up on a quality business-grade router, and be saving money month after month. (In my experience the NBN is amazing – not perfect, but much faster than ADSL2, and the price is right.) Depending on the location you could also add a fixed wireless option.
How would it all work?
The mass email-out could use the first connection, Dropbox and Windows updates connection number 2, and all general web browsing connection number 3 – and not a single person in the office would experience any delay even with all three scenarios occurring simultaneously.
Don’t get me wrong: that single connection, if set up correctly, could handle the load with prioritisation and Quality of Service (QoS) – but again, from my experience it is never done very well, or it will see your monthly spend increase, as many internet providers charge extra for it. Having a single connection also leaves you with a single point of failure: if the connection fails, you’re offline.
My recommendation is several internet links through tier 1 internet providers and/or a fixed wireless connection, giving you bandwidth, redundancy and flexibility at a solid price point.
Tonight two former colleagues of mine are restoring and decrypting data after their customers were hit with the GandCrab v2 ransomware, while I kick back having full confidence in our Managed Antivirus. It has been known to stop these attacks and many more like them.
I spent the time researching and testing before making the switch, time and effort that is now rewarding.
I feel for them; I have been there, and despite the payday we as IT consultants could gain from these events, we absolutely hate dealing with ransomware infections.
They are stressful and time consuming.
Ransomware as a Service is lucrative and here to stay, and without the right protection you or your business could be next – it’s only a click away.