Hit A Fiduciary Home Run With A Backup, DR, Cybersecurity Triple Play
October 4, 2021 Jim Kandrac
The old adage that the only secure computer is one that is not networked to anything has never been more true; however, it is also irrelevant even if it is funny. No computer can exist in a vacuum and is only useful if it is connected to other machines – and potentially lots of other machines. The level of malicious activity out there on the networks of the world has never been higher, and you had better get used to the idea that the situation is going to get worse every year, and the IBM i platform is absolutely not immune to any of it.
Here’s our advice: Deal with it, or deal with far worse – possibly what we call a “resume generating event.”
So here is the deal from UCG Technologies, which we call the Triple Play: Cloud Backup, Disaster Recovery as a Service, and Cybersecurity Training. And it is especially aimed to help IBM i shops to do their fiduciary duty and get their overall security and recovery situation under control.
At this point, I personally am spending about 25 percent of my time on cybersecurity issues in one form or the other, either making sure UCG and its customers are secure or helping companies dig out of ransomware issues after being hit.
This is how much the situation has changed. Four years ago, in looking through our insurance for our cybersecurity offerings, there were around 35 actions that we had to take to make sure our insurance would cover us against either ourselves or one of our customers getting hacked or phished or whatever. Today, there are 155 actions on that list to make sure we are in compliance. Even as the list of controls required to be fiduciarily responsible keeps growing, what I see is that companies continue to be extremely complacent, and they are going to have to step it up. Everything has to be locked down and watched, and everybody from the owner of the company or chief executive officer down to the most infrequent end user logging into the system has to be educated when it comes to security.
Here is a good example of how you need to be complete. We recently had a very large client whom I cannot name. They have their IBM i production systems and 35 x86 servers running parts of their applications and networks, and we have a backup and recovery appliance on site, and two appliances we back up to in co-location facilities for disaster recovery. We got it down. But the development group added several servers and used Veeam to do backups, and it wasn’t locked down. All of their systems got hit with ransomware, and while UCG had 95 percent of their data in three separate locations – all AES 256-bit encrypted – the Veeam machine “and” its backups on the same network got hit. All of the data that was “not” protected by UCG’s VAULT400 was lost and had to be re-created to the best of their ability.
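As an added illustration of the lesson in that incident (this is example code, not UCG’s, VAULT400’s or Veeam’s): a backup copy that is reachable from the production network, and not immutable, is not a recovery copy once ransomware reaches that network, however well the copy is encrypted. The audit below runs over a constructed inventory and flags every system that does not have at least two copies that production cannot reach; the field names, the network labels and the two-copy threshold are assumptions.

```python
"""Audit a backup inventory for copies that would fall together with production.

Added example, not vendor code.  Models the failure mode in which backups held
on the same network as production are encrypted by ransomware along with it.
Every record below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumption: the network segment that production hosts share.
PRODUCTION_NETWORK = "corp-lan"


@dataclass(frozen=True)
class BackupCopy:
    system: str       # workload the copy protects
    location: str     # descriptive label only
    network: str      # segment from which the copy is reachable
    encrypted: bool   # encrypted at rest
    immutable: bool   # cannot be altered or deleted from the protected network


def copy_is_isolated(copy: BackupCopy, production_network: str = PRODUCTION_NETWORK) -> bool:
    """A copy counts toward recovery only if a compromise of the production
    network cannot reach and destroy it: off that segment or immutable,
    and encrypted so that a stolen copy is not also a data leak."""
    return copy.encrypted and (copy.network != production_network or copy.immutable)


def audit(copies: Iterable[BackupCopy], production_network: str = PRODUCTION_NETWORK) -> Dict[str, int]:
    """Return {system: number of isolated copies} for every system in the inventory."""
    counts: Counter = Counter()
    for c in copies:
        counts[c.system] += 0  # register the system even when it has no isolated copy
        if copy_is_isolated(c, production_network):
            counts[c.system] += 1
    return dict(counts)


def unprotected_systems(copies: Iterable[BackupCopy], minimum_isolated: int = 2,
                        production_network: str = PRODUCTION_NETWORK) -> List[str]:
    """Systems with fewer than `minimum_isolated` copies that production cannot reach."""
    counts = audit(list(copies), production_network)
    return sorted(system for system, n in counts.items() if n < minimum_isolated)


# Constructed inventory: the production IBM i has an on-site appliance plus two
# off-network vault copies; a development server only has a backup repository
# sitting on the production LAN, unencrypted and deletable.
SAMPLE_INVENTORY = [
    BackupCopy("ibm-i-prod", "onsite appliance", "corp-lan", True, False),
    BackupCopy("ibm-i-prod", "colo-a vault", "vault-wan", True, True),
    BackupCopy("ibm-i-prod", "colo-b vault", "vault-wan", True, True),
    BackupCopy("dev-srv-01", "backup repository", "corp-lan", False, False),
]

if __name__ == "__main__":
    for system, n in audit(SAMPLE_INVENTORY).items():
        print(f"{system}: {n} isolated copies")
    print("at risk:", unprotected_systems(SAMPLE_INVENTORY))
```

The on-site appliance is deliberately not counted: it is useful for fast restores, but it shares the production segment, so the rule treats it the way the ransomware would. Run the audit against your real inventory export and anything in the “at risk” list is data that a single network-wide compromise would take with it.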
During our post-mortem Zoom call, UCG presented and discussed the importance of the 155 actions we must take to be in compliance with our insurance and recommended they do the same. This action list was met with very high acceptance by the CIO, CISO, and director of IT.
It’s the simple things that organizations keep not getting right. Multifactor authentication is one. Mandatory password changes every 45 days are another, and the company referenced above did neither. And we had to remind them after they reloaded their applications to go in and change their passwords – you cannot leave the old ones in place.
As part of the Triple Play, we think that doing phishing tests and email exposure tests is of paramount importance because you are only as good as your weakest links. And even if we do the tests to get end users and others on the system used to looking for malware so they don’t click on it, even if you have MFA and even if you do change passwords, anyone can click on something in a moment of impulse and you can still get compromised.
Either you get it, or you don’t get it, or something happens that makes you get it. The first one is the easiest path in the long term, even if it is a hassle in the short term because you have to brace yourself for all the things that need to change to get on a good security footing.
UCG Technologies is very good at backup, disaster recovery and cybersecurity training – this is what we do, and we can help. But it is on the companies to be responsible and actually do the things that will make their systems as secure as possible. This one breaks my heart: While most of the companies that buy our cybersecurity through the Triple Play deal have plenty of users who take all the training, in some organizations only about 25 percent of the users actually do the training. Unless it is mandated from the top down, you are wasting your money and our time. They paid for it, and many end users and corporations do not take it seriously. Some of them feel that the phishing tests amount to spying on their users, trying to bait them, but that is not the point. It is better to train your people to be cautious and see how they react to an actor who is only pretending to be bad.
Speaking of mandates, has anyone out there been mandated to get the COVID-19 vaccines? Why should this not apply to cybersecurity training as well? By not mandating cybersecurity training, you are putting 100 percent of the company at risk every day. I would 100 percent mandate training. Unlike the COVID-19 vaccine, there are no side effects to taking the cybersecurity training, yet people continue to complain to human resources. If you don’t take it seriously and click on that free personal pan pizza offer, you get three strikes and then you are out.
Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.
Cyber attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what not to click on. Cyber threats and social engineering are constantly evolving and UCG’s cybersecurity training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.
A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).
Data is a company’s most valuable asset. UCG’s VAULT400 cloud backup provides 256-bit encrypted backups to two remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.
Recovery is not a trivial task, especially when you factor in the time-sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized, and a managed disaster recovery service allows employees to keep their focus on running the business in a crisis state.
The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.
Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.
Jim Kandrac is founder and president of UCG Technologies.
This content was sponsored by UCG Technologies.