Data Backup and Recovery Should Be Your Priority.
Oct 16th, 2015 by aperio

If you’re an IT person, you’ve probably experienced the daunting challenge of explaining technical matters to colleagues with non-technical backgrounds. Particularly when explaining technology to executives, you need to be able to present your case from a perspective that makes sense to them.

You’ll need to make sure that you and your audience have a shared understanding of basic concepts. For example, does your CFO understand that data backup must also include effective retrieval of backed-up data? Do they understand the concepts of automation and retention? Are they aware of any financial penalties the company faces if it fails to meet regulatory requirements?

You’ll also need to present the business need for backup and recovery in a way that makes sense to them. While you might expect a CFO to automatically understand the need to mitigate risk, this is not always the case. Their primary focus is often on reducing costs; it will be up to you to make a compelling argument that failure to mitigate the risks potentially associated with data loss is likely to be more costly in the long run.

IT managers often compare backup and recovery processes to insurance to make this point. Discussing backup and recovery as a type of insurance that offers financial risk management in case of disaster is likely to appeal to a CFO or other executive whose primary concern is budget.

In this vein, providing your CFO with actual costs for ineffective backup and recovery can help to illustrate your point. Break down, as accurately as possible, the costs associated with lost employee productivity, lost revenue, and recovering data. Will you need to bring in outside help to assist with recovering data from unreliable tape backups? Is it possible you’ll need to hire computer forensics experts to recover data from hard drives that are not currently being backed up properly?

It’s also worthwhile to touch on less quantifiable losses. Will your clients lose confidence in your ability to deliver your services or products reliably? Will your company be liable for failures associated with any data loss?

You should also explain to your CFO the ways in which your proposed data backup and recovery plan will make sure your company is getting the most value for its money. Be prepared to discuss the scalability of your proposed solution to your data needs, so you can assure your CFO that your company will be able to spend only what it needs to at any given time.

Keeping operational costs down will also be appealing. For example, be prepared to describe how your solution takes less time to recover data, or requires very little human intervention to perform and monitor backups.

It’s up to you to go beyond mere technical explanations when you discuss data backup and recovery with the decision makers in your company. And you can’t assume that they have a clear grasp of the risks the company faces or the advantages of any solutions you propose. Framing your discussion from their perspective will help you to help them to make the right choices for everyone’s success.

Cyber Corporate Espionage
Oct 7th, 2015 by aperio

What is Cyber Espionage? According to this comprehensive definition from Wikipedia, “cyber spying” or “cyber espionage” is:

“The act or practice of obtaining secrets without the permission of the holder of the information (personal, sensitive, proprietary, or of classified nature) from individuals, competitors, rivals, groups, governments, and enemies for personal, economic, military, or political advantage using methods on the Internet, networks, or individual computers through the use of cracking techniques and malicious software including Trojan horses and spyware.”

With the likelihood of U.S. economic sanctions against China in response to repeated acts of civil cyber espionage, many U.S. companies are asking if they might also be targeted. The possibility of such attacks is definitely increasing, as cyber espionage is not strictly limited to the political sphere; financially motivated hacker groups appear to be on the rise. These groups’ efforts are focused on acquiring business secrets that can be sold to third parties, or used for insider trading. Closer to home, similar attacks from former employees or business competitors are a real concern.

What kinds of information might be targeted in a cyber attack?

Generally, the answer is anything that could give your competitors an advantage. For business owners, this could mean having your competitors gain access to information about your product features, pricing, customer or vendor contracts, M&A plans, employee information, and more. Customer contact information is also of interest to attackers, who might use it to engage in phishing attacks.

What steps can you take to protect your company?

There are several steps you can take to mitigate the risk of cyber espionage:

●    Use up-to-date malware and virus removal software. If you aren’t already doing this, now is the time to start. Your network is most likely to be infected when employees visit websites that contain viruses and other malware. While you can employ web usage controls to limit the sites your employees access and to monitor the ones they do, you can still be infected when employees use their own devices, such as laptops, flash drives, and so on. Keeping your virus removal software up-to-date can greatly decrease this problem.
●    Have a process in place for properly suspending or terminating the accounts of problem employees or employees who are no longer with your company. It’s easy to overlook the importance of promptly removing access, but the surest way to protect against misuse of access is to remove it.
●    Enforce the use of “strong” passwords. This means both educating your employees concerning the risks of using common passwords, and requiring them to use complex, unique passwords instead.
●    If you have data on a public cloud, consider whether it is sensitive or not. If it is, it may be in your best interests to move it to a private cloud where you have more control over security.
●    Train your employees on all aspects of cyber security. We discussed the need for strong passwords above; additionally, educate your employees on other security issues. For example, offer guidelines for how to identify suspicious emails, and how to report them when received.

When Security in the Cloud Gets in the Way of Work
Oct 5th, 2015 by aperio

As more companies move to cloud-based services, security in the cloud is becoming a greater concern. How can you make sure your company’s sensitive data is protected while still taking advantage of the convenience the cloud offers?

What is the Cloud?

First, we need to understand exactly what we mean when we talk about the cloud. Confusingly, the term can be used for very different things. People may be referring to the public cloud, to a private cloud, or to a hybrid of public and private.

A public cloud is one that is accessed by multiple users and organizations. With a public cloud, providers offer applications and storage via the internet to the general public. Lower cost is the main advantage of a public cloud. Limitations include security concerns for sensitive data.

A private cloud is accessed by only one organization. While a private cloud can reduce security concerns and offer the opportunity to customize for an organization’s needs, it also involves the additional costs of development.

A hybrid cloud, obviously, is a mix of public and private, allowing organizations to use different solutions for different needs.

To take advantage of cloud services effectively, organizations need to be aware of their needs. For example, companies that deal with health, financial, or other sensitive data will want to avoid storing that data in a public cloud.

What Issues Do Your Company and Your Employees Face?

One of the greatest difficulties faced by employees is cumbersome security requirements. For example, according to a July 2015 study done by Dell, approximately 85% of users are faced with the need to have and keep track of multiple passwords for the different services they use on the job. Additionally, 82% of users who work remotely reported that they are required to use additional security measures. Ultimately, the study showed that 91% of users feel that their productivity is impacted by the steps they have to take to meet security needs.

The case of multiple passwords is especially worrisome, as employees tend to be focused on completing tasks over meeting security requirements. This can lead to disastrous workarounds, including using the same password for all cases, making a hacker’s job easy, or even writing down passwords and keeping them in poorly secured locations. If you’ve ever written a password on a slip of paper and “hidden” it under your keyboard, you know how easy it is to fall into the habit of workarounds.

However, most companies know that security has to take priority over ease of use. This makes sense, especially when dealing with sensitive customer data. How can companies balance these two competing needs?

What Solutions are Available for These Issues?

One promising approach is known as “context aware” security. This approach involves varying levels of security requirements depending on different factors. For example, a company might require only a standard level for a user whose geographical location is in California, but place additional scrutiny on a user logging in from an Eastern European country. This is a more sophisticated approach than those available in the past, which would either allow all users to log in easily regardless of geographical location, or would subject all users to intense scrutiny regardless of location.
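As an added illustration of the graduated approach described above (this is not code from the original post), a small policy evaluator that scores a login’s context and returns the level of assurance to demand, together with the reasons, so the decision can be audited. The region codes, factor weights and thresholds are assumptions.

```python
"""Context-aware login policy: scrutiny depends on the login's context
rather than one fixed rule for every user. Added example; weights,
thresholds and region codes are assumptions, not a vendor's policy."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy data: where this company's users normally work, and a
# placeholder for a region the company has decided to watch closely.
EXPECTED_REGIONS = {"US-CA"}
HIGH_RISK_REGIONS = {"EE-EXAMPLE"}


@dataclass
class LoginContext:
    user: str
    region: str          # where the login originates
    known_device: bool   # device previously enrolled by this user
    remote: bool         # off the corporate network


def risk_factors(ctx: LoginContext) -> list[tuple[str, int]]:
    """Return the (reason, weight) pairs that apply to this login."""
    factors = []
    if ctx.region in HIGH_RISK_REGIONS:
        factors.append(("login from watched region " + ctx.region, 3))
    elif ctx.region not in EXPECTED_REGIONS:
        factors.append(("login outside expected regions", 1))
    if not ctx.known_device:
        factors.append(("unenrolled device", 2))
    if ctx.remote:
        factors.append(("off-network access", 1))
    return factors


def required_assurance(ctx: LoginContext) -> tuple[str, list[str]]:
    """Map accumulated risk to a step-up level, keeping the reasons."""
    factors = risk_factors(ctx)
    score = sum(weight for _, weight in factors)
    reasons = [reason for reason, _ in factors]
    if score == 0:
        return "password", reasons        # standard level
    if score <= 3:
        return "password+mfa", reasons    # one extra factor
    return "mfa+review", reasons          # hold for security team review


if __name__ == "__main__":
    # Constructed sample logins for one user.
    for ctx in (LoginContext("alice", "US-CA", True, False),
                LoginContext("alice", "US-CA", False, True),
                LoginContext("alice", "EE-EXAMPLE", True, True)):
        print(ctx.region, required_assurance(ctx))
```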

More generally, encouraging IT professionals to move away from a “silo” approach to security will alleviate the need for multiple passwords. In the “silo” approach, new features are added to systems independently of each other, without much thought given to how each addition will interact with old features. In the short term, a quick and easy way to provide security in this environment is to require users to create a new password each time they need to be given access to a new feature. But in the long term, this is costly in terms of encouraging users to get around security with risky workarounds. Taking the time to have a coherent overall plan for adding new features will minimize this risk.

Securing Your Company’s Social Media
Oct 2nd, 2015 by aperio

Having a social media presence is a requirement for companies today. Most customers expect to be able to find out about and interact with you on Facebook, Twitter, LinkedIn, and possibly other sites such as Instagram or Snapchat. With this increased visibility comes an increased burden. You need to protect your company from hackers who may wish to use your social media accounts for their own ends. Unfortunately, most social media platforms do not provide adequate security options for organizations.

How can social media accounts be hacked?

Over the past few years, we have seen major organizations whose accounts have been hacked. In 2013, these included the Twitter accounts of Associated Press, 60 Minutes, and others. More recently, Target’s Facebook page was used by a person outside their organization to humorously ridicule complaining customers. While amusing, the fact that this could happen without Target’s knowledge should raise concerns for any company with a Facebook account.

How did hackers manage to use these organizations’ accounts? While the Target case involved simply replying to other commenters on Target’s Facebook page while using a Target logo as a profile picture, more extreme methods can be employed. For example, phishing is a proven method hackers have used to acquire login and password information for accounts. In several cases, the hackers simply sent out emails to individuals in a company telling them they needed to reset their account passwords and providing a link to do so. This link directed the victims to a false page designed to look legitimate. Victims entered their account information, unwittingly giving it to the hackers. In an attack such as this, it only takes one user with account information to be fooled for the attack to succeed.

What are some best practices to protect against these attacks?

1.    Regularly monitor posts on your accounts. In the case of Target’s Facebook page, regular monitoring of the account, especially after enacting a policy that was predictably controversial (gender-neutral displays for children’s toys), would be the best defense against having a person outside the organization appear to speak for it.
2.    Use alert service applications to monitor activity on your accounts. These applications automatically check for varying kinds of unauthorized access.
3.    Use a password manager. Among other features, these can provide random password generators that make it simple for you to create strong passwords.
4.    Control the number of people in your organization who have access to your social media accounts. Keep this number low, and maintain records of who has access. You may want to consider using a social media management system such as HootSuite or SproutSocial, as these make it possible for you to allow members of your organization to post content without knowing account passwords.
5.    Have your IT department change account passwords regularly.
6.    Avoid using a work email address when you set up your social media accounts. Hackers can easily guess at work email addresses (FirstName@YourCompany.com, Marketing@YourCompany.com, etc.) until they hit on one that works.

Protecting against hacking will be an ongoing process. However, following the above tips should provide your organization with additional security.

Recovering after a disaster, will your company survive?
Sep 28th, 2015 by aperio

How likely is your business to be able to recover after a disaster? According to FEMA (Federal Emergency Management Agency), 40% of businesses affected by disaster never reopen. Additionally, 25% more fail within the next two years. The consequences of a poorly thought out or non-existent disaster recovery plan are clear. No business or organization should risk overlooking this critical need.

Natural disasters including hurricanes, earthquakes, and floods come readily to mind when thinking of disaster recovery. And during California’s severe drought, wildfires are of course of grave concern. There are other kinds of disasters to be aware of too. Can your business recover from data loss caused by a power surge? Can your company still function if the majority of the employees are struck by an influenza epidemic? How well can you recover from a security breach?

Your disaster recovery plan should also take into account relatively mundane concerns that can still have a profound effect on your business, including loss of internet service for an extended period or a server crash at a busy time.

Cloud technology is one way of minimizing your risks during a disaster, since it can allow you to place key functions off site in areas at less risk. And while no one can plan perfectly for all possibilities, there are several steps you can take to further minimize your risks. Before disaster strikes you can plan ahead, making sure to consider the following:

●    Your business location – If a disaster means you can’t do business in your usual location, you’ll need to have an alternate location planned. You may need to arrange to transport employees, equipment, data, and supplies.
●    Staying in touch with your customers – Also develop a plan for how you’ll let your customers know your new temporary location and how to contact you.
●    Documenting your property – In addition to keeping an up-to-date inventory of all of your equipment, consider taking pictures of your property to assist your insurance companies if they need to assess damage.
●    Meeting your emergency cash needs – Develop processes for how you’ll manage cash flow. You’ll want to be sure necessary bills continue to be paid as well as being able to deposit payments from your customers.
●    Identifying what’s needed to keep your business running – Prioritize your critical business functions and consider how quickly you’ll need to get each function back up and running.
●    Educating your employees – You’ll need to be able to communicate with your employees during a disaster, of course. But all of your planning will be for nothing if they aren’t trained in your disaster recovery processes before a disaster actually happens. Make certain that your employees know what they need to do ahead of time and that they have access to important contact information for vendors, suppliers, your insurance companies, etc.

A final step to consider in any disaster recovery plan is to re-analyze your processes
