ALERT: Threatening Emails are Spiking

ALERT

In the last 72 hours, our clients have reported an alarming increase in threatening emails. These emails contain enough personal information to legitimately trigger worry, fear, and in some cases, panic. 

This post covers three types of threatening messages and how to respond.

The Attacks

This type of attack is known as a “Exposure Threat” or “Fear of Exposure” attack. Attackers threaten to release embarrassing or sensitive information about you or your business. They may share bits of information or make claims that imply or confirm that they really do have some information. 

Here are three common forms of the threat:

1 “We Know Where You Live”

The email arrives in your inbox from what looks like a “legitimate” Gmail, Yahoo!, or other email service. The subject line contains your name or that of a family member. The message includes your full address and a valid phone number. In some cases, this threat may also include a picture of your home or office. 

Most often, this type of email does not include any explicit threat or demand.

The implication “we know where you live” is intended to instill fear. The goal is to make you more likely to respond and cooperate with future threats. 

2“We Know What You Did”

This form of attack claims to have documents, images, or video of you doing something embarrassing or illegal. The attacker will claim to have access to your email account, or all of your contacts, and will threaten to share the information if you fail to pay a ransom.

This is an explicit form of extortion.

The attackers are betting that the fear of exposure will cause you to pay the demand and prevent you from reporting the attack.

3“We Have Your Information”

This form of attack threatens to disclose sensitive information about you, your business, or your customers. The threat is the damage a data breach causes. This can include serious and costly legal, regulatory, or contractual issues. The attackers may share a sample that “proves” they have the information on hand.

This attack typically includes a specific threat and an extortion demand.

The preview information shared by the attackers may be from sensitive files, but it may also be available from other sources. This form of attack warrants some investigation.

How to Respond: Do NOT Panic!

First and foremost, do NOT panic. The success of these attacks is dependent upon your fear and your reaction. If you receive an email that is like one of these cases or similar, how you respond can make a difference.

No Specific Threat

  • If the email does not contain a specific threat or demand, your best response is to mark and report the email as spam. Doing so should direct future emails directly to your spam or junk folder.
  • You can take the extra step of reporting the message as abuse to the email server. Here are links to report email abuse for Gmail, Sky/Yahoo!, and Xfinity/Comcast.

With a Specific Threat

  • If the email contains a specific threat, you can and should report the message as spam/junk. We recommend your report this to your IT service provider. Your IT team should investigate the possible risks and take appropriate preventative and responsive measures.
  • Extortion is a crime. While many local law enforcement departments do not have the expertise to investigate cyber crimes, most state police organizations have cyber crime units. You can also report the attack directly to the Internet Crime Complaint Center (IC3). The IC3 will route your report to the FBI and other relevant agencies. Depending on the nature of the attack, the response may range from acknowledgement of the report to a full criminal investigation.
  • If the email includes a threat to show up at your home or business if you do not respond or comply. we strongly recommend reporting the threat to law enforcement.

Possible Data Breach

  • If the threat indicates that the attacker has, or can, access sensitive data, promptly take additional steps to protect yourself and your business.
  • If the attack references personal information, placing locks on your credit reports is always a good step. If the threat mentions (or indicates) a source, such as your bank or investment accounts, report the incident directly to that institution or business. Discuss protections they can put in place on your behalf.
  • If the attack references information from your business, promptly investigate the possible breach. This may involve scanning systems for malware and advanced threats, analyzing logs for unauthorized access, and verifying compliance with security measures. The level of your investigation should match the level of risk. Your IT service provider can help you assess the situation and determine the best course of action.

Your Next Steps

You can protect yourself and your business from these attacks, and other cyber attacks before they happen. Our Security CPR model provides a guide.

  • Communicate and Educate: Learn about, and help your team understand, the risks, nature, and impact of cyber attacks. Communicate the need for vigilance and how their behaviors can enable or prevent a successful attack.
  • Protect and Prevent: Put cybersecurity policies, procedures, systems, and services in place commensurate with your business’s risks, needs, priorities, and budget. This includes advanced threat protection for email and strong settings for your SPF, DKIM, and DMARC protocols in your DNS record. 
  • Respond and Recover: Ensure that you have systems, processes, and services in place to respond and recover should an attack be successful. Beyond restoring data and systems, have resources available to address the legal, regulatory, and customer service issues that often arise. Ideally, have solutions in place that allow you to keep your business running while you respond and recover.

For help assessing your current cybersecurity protections, please send an email or schedule time with one of our Cloud Advisors to discuss our cybersecurity assessments and solutions.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

5 Cybersecurity Standards for Small and Midsize Businesses

5 Cybersecurity StandardsAs small and midsize business leaders, we understand the need to comply with regulatory and industry requirements. We also want and need our IT services to support our business priorities and fit within our budget. So how much cybersecurity is enough? Our cyber insurance partner, Datastream, analyzed policies and coverages for nearly 8 million businesses across dozens of industries globally. The most common cyber attacks exploit weak credentials, human behavior, and out-of-date software to gain access to your systems and data. From there, they can not only launch ransomware attacks, they can initiate business email compromise and other costly and damaging attacks. The result: Datastream identified a bare minimum set of 5 cybersecurity standards

The 5 Minimum Cybersecurity Standards

To address the most common and costly forms of cyber attacks, implement these 5 cybersecurity standards.

1 Multi-Factor Authentication (MFA)

MFA requires a secondary physical authentication when logging in. Whether by text, authenticator app, one-time passwords, or magic links, MFA can prevent attackers from using compromised credentials. According to studies by Microsoft, more than 90% of cyber attacks can be blocked if MFA is in place.

While the minimum standard is coverage for email access and remote network connections, we recommend using MFA for access to any and all critical systems, applications, and data.

2 Encryption

Do you encrypt all sensitive information at rest, including backups?

Most of our systems and applications encrypt data in transit (in motion). Encrypting data at rest, regardless of where it resides, prevents your data from being easily accessed and used in a cyber attack. Encryption should be in place on workstations and personal computers, not just on servers and in cloud-based services.

Just as important, backups should be encrypted. Unencrypted backups provide cyber attackers with easy access to data. Backups should also be stored off-site or in the cloud using immutable storage. This strategy prevents corruption of backup sets in the event of a ransomware attack. 

3 Data Recovery

In the last 6 months, has your company tested its ability to recover all business-critical data and systems within 10 days or less, from offline or cloud backups that are no more than a week old? 

Backing up data and systems is easy. Recovery is hard. Knowing that you can reliably restore your data and systems demonstrates your level of protection and how well you have reduced risks. Documenting this will impact your cyber insurance premiums.

While the 10-day recovery window is a minimum expectation, it may not be sufficient for your business. We recommend analyzing your business needs and setting goals to return to operations in a way that minimizes the impact of any disruption.

4 Automated Hardening Policies

Do you implement automated hardening policies?

Hardening systems is the process of limiting the attack surface of your systems, applications, and data. Hardening tactics include:

  • Removing unused applications and accounts
  • Disabling unnecessary services, ports, protocols, and features
  • Limiting administrative permissions and access
  • Logging appropriate activities, errors, and warnings

The process of configuring and managing hardened systems is easiest to manage with a remote monitoring and management (RMM) system in place.

5 Patches and Updates

Do you apply critical patches and updates to key IT systems and applications within two months?

Updates and patches to operating systems are familiar and comfortable. We regularly receive and apply updates to our smartphones, laptops, and desktops, most often as part of a default, automated process. We may not, however, be as diligent with our business systems and applications.

Updates and patches to databases, applications, and other software often require validation and may require changes to settings and integrations. Regularly reviewing updates and patches, and having a process in place to verify and apply updates, ensures that your systems have current security fixes and features.

Your Next Steps

Having these five cybersecurity standards in place represents a no-nonsense minimum that protects your business and can improve your cybersecurity coverage and premiums.

Our eBook, Cyber Security Requirements for Cyber Insurance, dives deeper to define basic, preferred, and best practices. You can, and should, scale your cybersecurity to meet your business’s specific risks, priorities, and budget.

We offer multiple assessments to help you understand and benchmark your current cybersecurity.

  • Rapid Security Assessment
  • Cyber Insurance Risk Assessment 

These assessments are free with a Referral Code. Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your code.

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Best Practice – 3 Ways to Get Better IT Bids Quotes

Better IT QuotesA common statement we hear from sales experts and consultants is that 60% of IT buyers believe that they have found the solution they need before they contact their first vendor. While we are not sure of the accuracy of this claim, anecdotally we see more small and midsize businesses asking for IT quotes for specific products or services rather than a solution for a need or opportunity.

This makes sense to us. With so much information easily available, we are more comfortable researching solutions on our own. For small and midsize businesses, particularly those without dedicated IT resources, we tend to rely on market leaders, solutions seen as “best in class”, and vendor information.

We see challenges with this approach:

  • Vendor sites are designed to be easy to digest and often lack details about specific functionality you may need, integration capabilities, and training/support expectations. Selecting a solution that will work well for your business requires deeper discussions and analysis.
  • Market-leading solutions often attain that status based on enterprise-level revenue and sales. These solutions often lack design, implementation, support, and pricing options suited for small and midsize businesses.
  • “Best in Class” solutions often lack integration with the IT systems and services used by small and midsize businesses. These solutions typically evolve for enterprise and midmarket entities. Understanding the need for “best match” and “best fit” helps avoid solutions that become administrative, management, and support burdens.

To avoid these challenges and get better IT quotes, we recommend these three practices as part of your research and selection process.

1 Define Your Requirements

The first step is to clearly define your requirements. 

This advice may sound obvious, but small business owners often see an issue, or an opportunity, and dive into looking for a solution. 

Assess and define your requirements for the issue or opportunity at hand. Then, step back and analyze how any solution will need to integrate and interact with other aspects of your IT services. For user-facing services, assess the impact on workflows and any training and support services that may be needed.

Not all needs and wants are equally important. Prioritize your requirements. As the process moves forward, you will evaluate solutions against your prioritized list. If you need to work within a specific budget, the prioritized list can guide decisions concerning scope.

2 Request Solutions over Products

With a complete set of prioritized requirements, talk to service providers and vendors about solutions, not products.

Preconceived notions about which product is appropriate create blindspots and biases. These preconceptions often result in product and service selections that do not adequately meet needs, do not integrate well with other systems, or prove difficult to manage, administer, and support.

Focus less on “best in class” and “market-leading” solutions and more on “best match” and “best fit”. Make sure that the solution:

  • Meets your prioritized requirements.
  • Integrates with (or cleanly replaces) existing IT systems and services
  • Can be implemented with reasonable training and support efforts

IT solutions that work within, and improve, your IT ecosystem support better IT and business results.

3 Consider Value over Cost

Small and midsize businesses have smaller IT budgets. This is appropriate and understandable. At times, our focus on budget limits how we make decisions. We may:

  • Look too closely at the cost while neglecting the value. 
  • Focus on purchase and deployment costs without considering the full cost of ownership over time.
  • Pick a lower-cost solution that does not integrate well with our other systems and services.
  • Choose solutions that increase administrative, management, and support complexity.
  • Sacrifice integration, training, and support to lower costs without considering the impact over time.

Price is an important consideration. Focusing on value, however, creates better results over time. Consider:

  • How will the solution benefit your business objectives – directly and indirectly – over time?
  • Will the solution simplify processes and workflows for individuals and/or teams?
  • What level of training is needed for team members to fully understand and utilize the capabilities of the solution?
  • How well does the solution integrate with your existing IT services with respect to data, identity, security, communications, collaborations, and workflows?
  • Does the solution fit well with your current work environment (office/hybrid/remote, fixed vs flexible hours, etc)?
  • Does the timing of the change fit within your current business activities and cycle? If not, does the change warrant action at this time?
  • What are the hard and soft costs of inaction or pursuing another solution?

Your Next Action

The next time you are looking for a solution, go beyond your own research. Engage with a trusted IT resource early in the process – before you ask for an IT quote. 

Let us ask the “why,” “what if,” and “what about” questions that help identify requirements and priorities. 

Be open to suggestions and solutions that may not grab the headlines or industry attention, but could be the best match for your prioritized needs and the best fit for your business, IT services, and budget.

Our Cloud Advisors are ready to help and assist with any questions or concerns. Contact us or schedule time with one of our Cloud Advisors

About the Author

Bill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management. hBill Seybolt bio picture

 

Leadership Thoughts: Noteworthy Blog Posts – Aug ’24

As small business owners and leaders, you carry the responsibility for the direction and success of your business.  And while Cumulus Global provides managed cloud services that help you thrive and grow, we understand your responsibilities are broader than just IT. As a way to share some leadership thoughts, here is a curated list of blog posts from trusted experts that we hope will inform and inspire.

Human Factors

Legal and Compliance

Management

Marketing

  • AI Tools to Improve Lead Generation
    • Does your lead generation information flow through your Customer Relationship Management (CRM) system? Does your CRM provide insights, automation, and improved lead management? I’ll share how you can use AI to dynamically personalize content on your website or in your emails based on the visitor’s behavior and preferences.
    • Mike Grossman, Mike Grossman Consulting, LLC
  • Should I Be Using Threads for My Business?
    • Given the immense popularity and potential of this microblog-style social media app, you might be wondering if Threads is worth exploring for promoting your organization. I wanted to take a minute to outline some key highlights about the platform and offer my thoughts on how you can evaluate its suitability for your needs.
    • Nicole Porter, Monomoy Social Media

Productivity

Strategy and Leadership

Wellness

Technology and Security

  • Cyber Security Requirements for Cyber Insurance
    • Meeting basic cyber security requirements helps insure your cyber insurance coverage is appropriate and affordable. In this eBook, we outline the cyber security components you should have in place before getting your cyber insurance policy.
    • Cumulus Global eBook, August 2022
  • Improve Your Email Deliverability and Security in Five Steps
    • Email services are stepping up protections. Here are 5 best practices that help ensure your emails get delivered and that you are protected from identity and business email compromise cyber attacks.
    • Cumulus Global eBook, April 2024

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.

Cumulus Global Offers Free IT Asset Disposal with Managed Cloud Services

Managed Cloud Services by Cumulus Global

Cumulus Global Offers Free IT Asset Disposal with Managed Cloud Services

The company adds IT asset disposal and  lifecycle management to the Basic and Business tiers of its Managed Cloud Service offerings.

Cumulus Global proudly announces the addition of IT lifecycle management services to our Managed Cloud Service offerings. Available at the Basic, Business, and Enterprise levels, these services include asset tracking, access to low-cost extended warranties and accidental damage coverage, and free IT asset disposal services. 

“Properly disposing of IT assets and used electronics is necessary but not easy,” stated Cumulus Global CEO Allen Falcon. “Finding a reputable firm, disposal fees, handling fees, and shipping becomes expensive for most smaller organizations.”

The program, included in the company’s Managed Cloud Service offerings at no additional costs offers two levels of service.  For smaller quantities, customers box and inventory the items and receive prepaid US Postal Service shipping labels.  For larger quantities, a disposal team will come on site to box and ship the items.

“We are meeting an important and growing need for our clients,” noted Falcon. “Our service simplifies the process and saves money. It is a win-win for our clients and the environment.”

The addition of lifecycle management services is part of the Cumulus Global’s commitment to increasing value for clients.  These IT asset disposal and lifecycle management services complement the existing security, support, data protection, and co-management components of the company’s Managed Cloud Services.  Organizations interested in learning more can schedule an introductory call with a Cumulus Global Cloud Advisor.

About Cumulus Global

Managed Cloud Services for Small and Midsize Businesses, Governments, and Schools

Cumulus Global (www.cumulusglobal.com) is an industry-leading managed cloud service provider with a mission to deliver solutions with tangible value.

  • What We Do: We translate your business goals and objectives into solutions and services.
  • How We Do It: We start with your business needs and priorities. Planning and migration includes guidance to help your team adopt and utilize new services. Your team benefits from co-managed services, ongoing support, and client success services that help you adapt as your business changes and grows.
  • What We Offer: Managed cloud solutions featuring Google, Microsoft, and more than three dozen providers.

For more information, schedule a no-obligation introductory meeting with a Cloud Advisor.

Sustainability: 1000 Trees and Growing

ReforestationBack in January of this year, we announced that Cumulus Global was expanding its sustainability program. To help offset the carbon footprint of our offices and operations, we have strengthened our partnership with Evertreen and are committed to planting 100 trees per month.

Our forest has grown to over 1,000 trees across 7 countries and 3 continents. 

Over the next 30 years, the trees we have planted to date will remove over 300 tons of CO2 from the atmosphere. That is the equivalent of driving an average American car 750,000 miles. As we continue to plant, the amount of CO2 our forest cleans will continue to grow.

In addition to the climate benefits, our forest is producing food, reducing soil erosion, protecting watersheds, and providing local jobs.

As an IT firm, planting trees to offset our carbon footprint is part of an overall commitment to sustainability that includes using 100% renewable energy, reuse, and recycling.

We Can Help You Do More

One of the best ways to improve sustainability is to recycle electronic waste (e-waste). E-waste recycling has challenges, including but not limited to, finding reputable recyclers and cost.

Our Basic and Business Managed Cloud Services include lifecycle management for your computer with unlimited, no-cost, e-waste recycling.

For a small number of items, we provide a prepaid label. Just box up the items and drop them off at your local post office. If you are looking to clear the shelves or empty the closet of e-waste, we can have a recycling team show up to box, label, and ship everything for you. All for free!

As an added bonus, our IT asset disposal partners partner with Veritree to plant trees with every recycling order.

Call to Action:

For more information about our Managed Cloud Services, please contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

A Model for Business Resilience

Aviate Navigate Communicate

The recent global systems outage, caused by CrowdStrike’s failed update, exposes a key flaw in how we view business resilience. When asked how we make our businesses resilient to failures, human acts or errors, disasters, and other disruptions, we tend to focus on the technologies and services we put in place to prevent/protect and restore/recover.

Business Resilience 

We define Business Resilience as your ability to get and keep your business up and running (even if it is running at a degraded level) until you can fully restore and recover.

Given the impact of the CrowdStrike failure on the airline industry, here is an aviation-themed model you can use as a guide.

Aviate

When an emergency happens in flight, the pilot’s first focus is to aviate – to ensure the plane keeps flying. If you can’t keep the plane in the air, your direction of travel does not really matter. 

The same is true for your business. If you cannot keep your business running at a minimally viable level, you can run out of time and/or money before you are able to restore and recover.

Navigate

Once the pilot knows that the plane will continue to fly, they can assess their current location and take the necessary direction and steps they need to land safely.

Once you know that you can continue to operate, even if only at a base level, you can step back and map out the potentially complex steps needed to restore, recover, and return to normal operations. You can then navigate the technical, operational, customer service, legal, and other processes needed for your safe landing.

Communicate

Once the pilot can safely navigate to a landing, they have the time and focus to communicate. Although, pilots do communicate during the aviate and navigate phases, they limit communications to only information air traffic control, ground operations, emergency responders, and others need in order to assist with the situation. Additional details and analysis come later.

The same is true for you and your business. While you are aviating and navigating, you will want and need to share necessary information with those who need it. These communications need to be “to the point” and focused. You will have the time and focus to share more detailed information as you approach, or after you make, your safe landing. You will have the time needed for review, analysis, and planning after your return to normal operations.

Call to Action:

If you are unsure or lack confidence in your business’s resilience to disruptions, we can help. Contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Resilience, the CrowdStrike Failure, and the Real Impact on Your Business

Resilience

We have not written or posted much about the CrowdStrike failure. CrowdStrike is designed and priced for large enterprises. We offer endpoint protection, detection, and response services that are better designed for the small and midsize organizations we serve. In large part, the CrowdStrike failure has not directly impacted our clients and other smaller businesses.

However, the CrowdStrike failure has, and will, indirectly impact you and your business.

Technical Impacts

The biggest technical impact will be the role of automatic updates. The CrowdStrike failure was due to a programming error in a software update that was sent and applied automatically. Customers did not have the ability to limit or test the update prior to deployment.

Going forward, expect vendors to rethink how and when they use automatic updates. What for expectations that you, the customer, should test and approve changes. This shift will transfer more of the responsibility from vendors to your IT team. If you do not have the resources to test and verify updates, you will be taking on more of the responsibility should issues arise.

If you have an IT provider or managed service provider, you may need to negotiate this additional work into your contracts.

Business Impact

The most significant impact of the CrowdStrike failure is on our understanding of “Resilience.” When we talk about endpoint protection services like CrowdStrike, backup/recovery solutions, advanced threat protections, encryption, and other services, we are talking about tools that help our businesses become and remain resilient to cyber attacks, improper user activity, disasters, and other disruptions. 

These technical solutions provide some of the “Prevent & Protect” and “Restore and Recover” components of our Security CPR model and services. With the CrowdStrike failure, a tool intended to improve resilience exposed a weakness in our resilience: what happens when your solution becomes the problem?

Our understanding of resilience needs to change. We must move away from thinking about resilience as a function of IT. Resilience is a business-level function that encompasses all aspects of your organization.

Anecdotally, we learned that during the CrowdStrike failure: 

  • Airlines in Hong Kong wrote out boarding passes by hand and kept lists in notebooks to track manifests and seating assignments.
  • Lacking computers to centrally monitor infants and non-operational security doors in a California Hospital maternity ward, nurses were held over and stationed at each infant’s bedside, and security guards were tasked with guarding doors.
  • A small distributor wrote labels, bills of lading, and customs documents by hand for thousands of shipments.

The Big Question

Answer the following question for your business:

  • Can you run your business, even if it is in a degraded mode, without one or more of your key systems? If so, for how long?

Your answer is key to understanding how resilient your business is to disruption, the potential operational and business impact of a disruption, and your ability to recover and survive.

Call to Action:

If you are unsure or lack confidence in your business’s resilience to disruptions, we can help. Contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

7 IT Blind Spots Small Businesses Miss the Most

IT Blind Spots

Your small business depends on your IT services to run effectively and efficiently. Even so, like many small business leaders, you likely have one or more “IT Blind Spots”. The blind spots are not “all or nothing.” They evolve from decisions about what IT services are needed, wanted, and worthy of spending on at a particular point in time. Over time, internal and external factors change. If we do not take a fresh look, our IT services will not keep up. 

While not intentional, these blind spots create unnecessary risks and expenses. Here are the seven (7) blind spots we see the most.

1Security and Privacy

As small business owners and leaders, we understand the need for security – especially in today’s environment. We wonder, however, how much security is enough and what we should prioritize. We see small businesses with antivirus protection on their computers, strong passwords, and basic backup/recovery. While these services were the benchmark for basic security, they are now insufficient.

Check your IT blind spots for other core security services, including multi- or two-factor authentication (MFA/2FA), advanced threat protection (ATP) for email, advanced endpoint protection and response, encryption, and immutable backup/recovery services.

If you do not have these in place, your security is likely insufficient to protect your business.

2Duplicate Services

It has never been easier to sign up for new services. With a few clicks, payment information, and a quick setup, your new, cloud-based application or service is up and running. The convenience is great when you need something specific or a new solution. The low barrier to entry, however, makes it easier to sign up for apps and services that duplicate others you already have in place.

Check your IT blind spots for these duplicate services. We most often see companies paying for Zoom or GoTo, even though they have Microsoft Teams or Google Meet for online meetings and presentations. Some spend on Slack and other tools instead of using Teams or Google Chat services that are already in place. Rather than managing permissions to share files from Microsoft 365 or Google Workspace, small businesses often spend more on Dropbox and other services. While these are the most common duplicate services, we often see others across a wide range of apps and functions.

3Shadow IT

We used to define Shadow IT as any IT service in use without proper vetting or authorization. Today, we expand the definition to include consumer-grade hardware, software, and services. Team members using unauthorized IT services typically create security risks, increase costs, reduce control of company information, violate information privacy rules, and put data at risk. While less costly up-front, consumer-grade equipment, software, and services typically lack the security and integration needed for business use.

Check your IT blind spots and survey your environment for Shadow IT. Team members often go rogue for personal preference, convenience, or because they do not understand how to use features and functions already in place.

4Latent Apps and Services

When was the last time you looked to see if you were paying for IT services that you no longer use or need? With the low barrier to entry for cloud services, we often see companies that have signed up for an app or service, only to later decide that it is not the right solution or to see usage decline over time. Without a set process for on/off-boarding IT services, these often remain idle, incurring monthly or annual fees.

Check your IT blind spots for applications and services. Review company and staff personal credit cards for recurring payments. Scan Microsoft 365 and Google Workspace accounts for apps and services with federated logins.

5Business Continuity

While almost all small businesses like yours have backup/recovery in place for most of their systems and data, most still lack a business continuity solution. Even without a big disaster, the loss of a single, key system can be crippling.

Check your IT blind spots for business resilience. Can you run your business without your IT systems and services? For how long? Which systems and services can you live without for a short period of time and which are critical to your business? The answer to these questions dictates the types and extent of business continuity services you need. Focus on what you need to reasonably run your business while you make repairs and complete larger recovery efforts.

6Cyber Insurance

Most small businesses know that they should have cyber insurance in place, and many do. Too often, however, we see small businesses signing on to policies with inadequate or inappropriate coverage. We also see many businesses overpaying for cyber insurance to cover risks that could easily be reduced with incremental security services.

Check your IT blind spots for appropriate cyber insurance coverage and rates. If your policy was not purchased through a specialized agent or broker, an independent review may be worthwhile. If you do not yet have a policy, check out our resources and ask about our cyber insurance readiness assessment.

7Utilization

Multiple services tell us that most small businesses use about 15% of the capabilities in their Microsoft 365 or Google Workspace services. Your investment in Microsoft 365 or Google Workspace includes a rich set of features and functions – major and minor – that help your team collaborate and work more efficiently, individually and as a team.

Check your IT blind spots to understand how well your team is using the tools available to them. A little bit of education, training, and guidance can boost productivity within Microsoft 365 and Google Workspace by up to 60%.

Call to Action:

If you suspect, or just wonder, what is in your IT blind spot, we can help. We can help you check your blind spots and assess what, if any, changes are necessary or recommended. Once decided, we can help you plan and execute those changes. Contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Leadership Thoughts: Noteworthy Blog Posts – Jun ’24

As small business owners and leaders, you carry the responsibility for the direction and success of your business.  And while Cumulus Global provide managed cloud services that help you thrive and grow, we understand your responsibilities are broader than just IT. As a way to share some leadership thoughts, here is a curated list of blog posts from trusted experts that we hope will inform and inspire.

Human Factors

Legal and Compliance

Management

Marketing

Productivity

Strategy and Leadership

Wellness

  • 7 Tips for a Successful Workplace Wellness Program
    • In today’s fast-paced world of hybrid work, finding a balance between work and wellness is more important than ever. Prioritizing wellness at work is not only essential for individual health and happiness but fosters a positive and productive work environment with less absenteeism and lower healthcare costs.
    • Michell Grasso, Synergy Wellness Center

Our IT Ideas That Still Hold True

A few of our past IT leadership thoughts that remain true and relevant today.

  • Cyber Security Will Change Companies
    • IT change management is a structured process for evaluating proposed IT system or service changes. This procedure is carried out prior to implementing the requested change on an organization’s network, reducing or eliminating network outages.
    • Cumulus Global Blog, June 2022
  • What is a MCSP?
    • The need to monitor and maintain equipment and infrastructure drops off while your need to monitor and manage services, apps, and data increases.
    • Cumulus Global Blog, November 2017

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.