Posts

SaaSOps: Adapting the enterprise model for small and midsize businesses

SaaSOpsThe term “SaaSOps” was first coined by David Politis, founder of BetterCloud. SaaSOps, short for Software-as-a-Service Operations, is the suite of processes, skills, and responsibilities for managing the lifecycle of software delivered as a cloud service. Most small and midsize businesses use multiple SaaS applications.

By effectively and efficiently managing these applications, we reduce operating costs and security risks.

The 5 SaaSOps Processes

Adapting the enterprise model for small and midsize businesses (SMBs), SaaSOps encompasses the following five processes.

1. Adoption

SaaS Adoption begins with discovery.  Discovery includes both (1) Selecting SaaS applications your business needs or wants; and (2) Identifying the SaaS applications in use by your team. In today’s world of cloud services, individual employees are likely signing up to use SaaS applications that they want or think they need. These are often free, or low cost, consumer oriented services. Often referred to as “Shadow IT”, these apps sit outside your control and outside of your security protections.  Selecting which SaaS applications you will use, as a company, and which you will not, sets the stage for successful operations.

2. Optimization

Optimizing SaaS operations requires cross-application and in-application analysis.  By examining SaaS applications and services, and how they are used, you can identify and remove redundant features and data sets.  Streamlining applications and systems in-use lowers complexity, support requirements, and cost.  Within applications, license management is key to ensure you do not under- or over-license your services.  Beyond the cost implications, unused licenses pose a security risk.

3. Management

SaaS Management includes the lifecycles for both users and applications.  If done well, SaaS Management automates common tasks prone to administrative error.

User lifecycle events focus on properly managing on-boarding, off-boarding, and mid-lifecycle changes.  These events cover accounts, access, security, permissions, and integrations users need to perform their jobs across your SaaS applications and services.  User lifecycle management also includes group management.  The ability to automate group membership based on user attributes gives you the ability to manage uses based on roles and responsibilities.

Application management focuses on application configuration, ensuring accounts, access, security, and data management. Active configuration management creates a dependable service for users.

4. Security

This includes five key integrated security pillars:

  1. Discovery of sensitive data, including data subject to industry or legal regulations.
  2. Mitigation of oversharing of data, externally and within your organization.
  3. App monitoring and remediation, spanning availability, access, and performance.
  4. User behavior analytics, providing data to support operations, planning, and improvements.
  5. Least privilege access management, ensuring

5. Experience

SaaSOps changes — improves — your business’ overall experience with your cloud-based services. The impact is visible to your employees and your IT administration.

  • Automation simplifies tasks and reduces administrative, security, and other errors while improving your IT team’s ability to respond quickly to change and support requests.
  • Change management ensures decisions to alter services are known and documented and helps ensure you remain compliant with policies, industry standards, and regulations.
  • Managed Access and Rights reinforces company policies, maintains compliance, and enables employees to access the applications, services, and data needed for their jobs.

In Summary

As your use of cloud services grows, implementing SaaSOps solutions becomes an important management tool.  Beyond monitoring and managing costs, SaaSOps helps reduce management and administration errors, provides a better experience for IT teams and end users, and improves security. The incremental cost to deploy SaaSOps tools delivers savings while reducing risk.

Call To Action

Schedule time with one of our Cloud Advisors or contact us to discuss how best you can support your remote and hybrid workers. The conversation is free, without obligation, and at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

The State and Future of Remote Work

As noted in a recent article published by American City Business Journals, the state and future of remote work are still up for debate.  Remote work and hybrid work arrangements continue to face resistance. Our reduced need for office space still impacts city centers and commercial real estate markets.  And yet, employees still want remote and hybrid work arrangements. The desire to have work-from-home options is strong enough that many employees will take pay cuts in exchange for the flexibility.

Some of the Data

Work from Home Research noted that paid full days worked out of office was about 27%, year to date, in 2023.  This represents a very slight decrease from recent months.

In February 2023:

  • 60% of employees worked full-time in the office
  • 28% of employees worked in a hybrid arrangement
  • 12% of employees worked remotely full time

40% of employees continue to work some or all of their time outside the office.

A recent study by Robert Half found:

  • 28% of job postings were advertised as remote
  • 32% of employees who work in the office at least one (1) day per week would take an average 18%  pay cut to work remotely full time

Data from the Federal Reserve indicates that:

  • From 2020 to 2021, during the surge in remote work, productivity jumped from 108.57 per hour to 115.3 per hour
  • In 2022, productivity dropped slightly as more employees returned to the office

Using the Data

Remote and hybrid work arrangements will likely continue as companies and employees work to find the right balance for the company and employees.  As small business leaders, we understand that remote work is an attractive feature of job postings, and 1/3 of employees would take a pay cut or change jobs to work remotely.

We need to manage our remote and hybrid work arrangements in ways that employees see as flexible and accommodating. 

In-person interactions with colleagues can improve morale and enhance company culture. It makes sense that we want most employees in the office, interacting face-to-face, at least some of the time.

Employees see most hybrid work arrangements as designed to meet the needs of the company, not employees.  Employees see incentives, such as free meals and other “perks”, as gimmicks to attract employees to the office without addressing employees’ needs.  We need to present hybrid work arrangements honestly in terms of company needs and priorities and those of the employees. If we provide a real balance of needs and priorities, employees will feel respected and heard. They will be more accepting of change.

The Role of Technology

We have no doubts about the power of technology to empower your employees to do their best work — in office or remotely.  Many small businesses scrambled to support remote work at the onset of the pandemic.  These solutions were often rushed and, as such, less efficient or effective than needed.  Too many of us, however, have not stepped back to assess, revise, and improve our IT support for remote and hybrid work.

We need support and technologies in place to ensure the long-term viability of remote and hybrid work.

Employees, when working remotely, want and need the same resources and abilities as when they are working in the office.  They want the same user experience regardless of where or how they work.  At the same time, we need to ensure our systems and data remain secure and protected.

When assessing your IT services, make sure you have the SPARC you need:

  • Security
  • Performance
  • Availability
  • Reliability
  • Cost

Leveraging cloud services, you can provide secure access to your systems and data, with a consistent user experience, at a reasonable cost.

Calls To Action

1. Read our recent eBook, Cloud Strategies for Small and Midsize Businesses. In this eBook, we: Set the stage by looking at how small and midsize businesses acquire and use technology and IT services; Explore the challenges we face moving into the cloud; and Map out four strategies for enhancing your use and expansion of cloud services.

2. Schedule time with one of our Cloud Advisors or contact us to discuss how best you can support your remote and hybrid workers. The conversation is free, without obligation, and at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Cloud Computing Trends, Challenges & Provider Insights in 2023

Cloud Computing Trends

Earlier this month, CRN published a story covering Flexera’s 2023 State of the Cloud Report.  Flexera provides software and systems to manage enterprise private and public clouds.  The report on cloud computing trends originates with an annual survey of 750 technology leaders across sectors, geographies, and size of the business.  While the report classifies small and midsize businesses as those with under 1,000 employees, we still find the results interesting and relevant.

As small businesses, our concerns are spending, security, compliance, and managing cloud services. The cloud model hits our income statements and balance sheets differently than historical IT services. The need to protect our businesses, and our customers, has never been greater. And, we find it difficult to understand if we are spending efficiently and effectively.

We take a look at the top 3 cloud challenges, discuss managing clouds, and explore cloud waste.  Understanding these issues, you will better understand how to create better cloud solutions. You will also be better able to set expectations from those providing cloud solutions and related services.

Top 3 Cloud Computing Challenges

For 2023, SMB respondents identify the top three cloud computing challenges as:

  • Managing Cloud Spend (80%),
  • Security (73%), and
  • Compliance (71%).

These concerns make sense. The spending model for managed cloud services, based on subscriptions or usage, is an operating expense.  Most smaller companies are used to making capital expenditures and paying for service contracts and managed services.  Additionally, many of the IT firms working with small businesses will replicate on-premise networks and servers in a public cloud service. They may lack the expertise and tools to actively manage costs.

Concerns about security and compliance reflect the increasing need and demands of protecting sensitive business and personal information.  We face the same increased regulations and expanding industry standards as larger enterprises. But we do not have the in-house resources or the same access to experts. We place our trust on local or regional IT service firms.

Latest Trends and Developments in Cloud Computing

Undefined Cloud Management

Following closely behind the top 3 cloud challenges, governance (67%) and subscription management (61%) indicate that small businesses are not sure how to best manage their cloud services.  As cloud infrastructure matures, the number of options expand.  To make simple decisions, such as whether to subscribe monthly or make an annual commitment at a lower per unit price, we need to understand the operating cost models.  We need standard operating procedures, such as on/off-boarding and access controls, in place.

Cloud is still new. We need our IT service firms and managed service providers to guide, if not lead, our cloud management efforts. Co-management is a viable strategy, provided it includes policies and procedures as well as products and services.

Cloud Waste

On average, the survey results show that businesses spent 18% more than budgeted on public cloud services last year.  The greatest contributor to the overspend appears to be Cloud Waste.

Cloud waste is spending on cloud services that go unutilized or are under-utilized.  Reducing cloud waste can be as simple as

  • Shutting down unused resources after hours
  • Selecting lower cost regions / data centers
  • Periodically right-sizing systems and resources

Policies that scale resources in real-time based on usage will increase efficiency, but require expertise and planning during the solution design process, monitoring, and refinement over time.

How to Pick a Cloud Computing Provider

Traditional managed service providers, or MSPs, are experts in buying, monitoring, and managing things. They focus on network components, servers, systems software, and end user devices.  To get the most value from our cloud services, we need partners that understand service and cost management.

Managed cloud service providers, or MCSPs, understand how the “as-a-Service” model is different. Security, compliance, and cost management only work when they are built into the requirements, design, and management of your cloud services.

Before picking your cloud provider, ask about their management and co-management models. Understand if they actively work to monitor and manage security, compliance, and costs. Ask them to explain how.

Call To Action

Get a copy of our recent eBook, Cloud Strategies for Small and Midsize Businesses. In this eBook, we: set the stage by looking at how small and midsize businesses acquire and use technology and IT services; explore the challenges we face moving into the cloud; and map out four strategies for enhancing your use and expansion of cloud services.

To discuss how your business can better utilize a broader range of cloud services, please contact us or schedule time with one of our Cloud Advisors at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

IT Security for Small Businesses

Security, Privacy, & ComplianceStreamlining IT Security for SMBs

Streamlining IT security is a more balanced message about why and how to protect your business. Over the past year, we have covered the on-going, and increasing, threats to small businesses.  We often highlight the scope and severity of the risk, including how security trends will affect small business.  Hopefully this information, along with cost-effective solutions, prompts you to act. At times, we may appear to be fear-mongering.

Sound business practices, not fear, should be your motivation to protect against cyber attacks.

The market is awash with cyber security solutions. These range from single-protection products to complex advanced security monitoring and response services.  The number of options, and competing claims, is overwhelming.

Our Recommendations on IT Security for Small Businesses

Focus protections on the most common, and most damaging, types of attacks.

1. Focus on Risks

We know that:

  • More than 80% of cyber attacks start with, or involve email via phishing and other social engineering tactics
  • Ransomware is the most common type of attack
  • Business email compromise (BEC) is the most costly type of attack
  • Attacks via DNS and web content are becoming more of a risk

As such, small and midsize businesses should focus on preventing these types of attacks. Plan to limit your security approach and spending to prevention and recovery from these risks.

2. Use our CPR model as a guide

Communication and Education

Make sure your team knows how to spot an attack and what to do if they suspect an attack.  They should know the risks and steps you are taking to protect your business.

Periodically sharing articles or updates may be sufficient to strengthen your business.  Subscribing to a security awareness training service is an affordable way to provide this education. Your cyber insurance policy may require this service.

Protect and Prevent

To protect your business from the greatest risks, put the following solutions in place:

  • Multi-Factor Authentication (MFA)
  • Encrypt data at rest, including on servers, desktops, and laptops
  • Use advanced threat protection (ATP) on all email accounts for inbound messages
  • Ensure your endpoint protection (local anti-virus) is a next-gen solution
  • Use DNS/Web protection to prevent harmful downloads

Specific to business email compromise attacks and ensuring your legitimate emails are not flagged as dangerous, ensure your domain configuration include the following protocols and services:

  • An accurate and complete Sender Policy Framework (SPF) record
  • DomainKey Identified Mail (DKIM) for all sources of email (including marketing tools)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Respond and Recover

Even with protections in place, cyber attacks can be successful.  Ensure that you can return to operations quickly, even as a full recovery may take time. Your ability to recover and respond should include:

  • Backup/Recover data stored in the cloud (Microsoft 365, Google Workspace, etc.), as well as on local servers, desktops, and laptops
  • Continuity services so you can run images of key servers, desktops, and laptops if they are damaged by an attack

Note that continuity services also protects you from the impact of hardware issues, theft, and other losses.

Start with an Assessment to See Where Your Small Business Stands with IT Security

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

To learn more, please join us on May 17th at 3:00 PM ET for Streamlining Security, our May 3T@3 Webcast or schedule a no-obligation call with one of our cloud advisors.


Six Best Remote Work Strategies 

Remote Work Strategy in Action

If you have remote workers, then how you manage your business and employees has, and will continue to change. We often talk about the technology that makes remote work efficient and that can help integrate teams. But supporting remote workers requires a broader perspective and understanding of the workplace.  As employers, we remain responsible for providing a safe, effective workplace regardless of where our employees work. Here a few considerations as you plan your hybrid business and remote work strategy.

If you have remote workers, then you should consider the following six best practices for a remote work strategy.

Six of The Best Remote Work Strategies

  1. Are responsible for their work environments, including the same health and safety regulations that apply in the office.
    • Ensuring safe and appropriate workspace ergonomics, sound levels, lighting, etc. are responsibilities of the employer.
    • Provide your remote workforce with appropriate furniture, lighting, and ergonomic tools.
    • And yes, an employee working from home might be eligible for Workers’ Compensation if they trip over their dog while working.
  2. Need to accurately track and manage working hours for non-exempt employees.
    • Avoid wage and employment related liabilities by ensuring hourly workers are compensated for all work time, including when they respond to the random off-hours email.
    • Setting clear policies and expectations can help avoid work hour, wage, and employment issues.
  3. Are responsible for ensuring their work is secure.
    • Remote work environments must be managed and secured to the same levels as those working in the office.
    • Data privacy regulations, such as HIPAA, PCI, and SEC17, do not end at the office door.
    • Networks, systems, applications, and data require the same levels of protection regardless of location.
    • Similarly, physical protections must be in place for printed documents.
  4. Can be accountable for intellectual property stored on personal devices.
    • Establish a clear policy and procedures for the use of personal devices for work.
    • Include the need for the company to install software or productivity tools to manage the business’ information on the device, including but not limited to cyber protections, personal/work data separation, local encryption, backup/recovery, and the ability to remotely remove work related data in an emergency.
  5. Want to avoid “in-person” bias.
    • Remote workers need mechanisms and unified communication options to participate in the informal conversations and interactions we take for granted when working in an office environment.
    • Supervisors and managers should help workers establish and build effective relationships, including those that offer mentorship and guidance, with direct co-workers and others in your firm.
    • Measures of performance should, explicitly, avoid the implicit bias that in-person visibility correlates to better involvement and teamwork.
  6. Should understand the tax implications for your business, and employees related to working remote.
    • Having employees in other tax jurisdictions can make proper payroll tax withholding and filing more complex.
    • States may or may not have reciprocal agreements and some states are imposing new rules.
    • Remote workers may create nexus in some jurisdictions, triggering sales tax and other tax obligations.
    • Work with your attorney and financial advisors to understand your requirements and to ensure compliance.

Next Steps to Create a Remote Work Strategy

Cloud infrastructure technologies help facilitate remote work and hybrid work environments. You can deploy systems, apps, and tools to make remote and hybrid work efficient and secure. Remote and hybrid work models, however, span every aspect of your business.  Policies, procedures, operations, and culture all require attention, planning, and support.

Work with your legal and financial advisors, and your HR resources, to ensure  your remote/hybrid plans will benefit your business.

Business Email Compromise – The Costliest Type of Cybercrime

Email, Communications, & MobilityBusiness Email Compromise

While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC“) attacks are the costliest type of cybercrime.

What is a Business Email Compromise (BEC)?

In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.

As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.

Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you.  Here is how they do it:

  • Given that you use your email address to log into many systems, a third party breach can provide attackers with your email address and enough information to calculate your password.
  • Third party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
  • Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
  • Malware, known as an Advanced Persistent Threat (APT), that makes it past your endpoint protections can gather usernames, passwords, and other information while running undetected on your computer.

How to Prevent Business Email Compromise

Protect Your Identity

To keep your email account secure, you need to protect your identity.

  • Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
  • Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms malware.  These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.

Secure Your Email Service, and All of Your Services

Even as you protect your identity, you still need to secure your email service through proper data protection and security services.

  • Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and test links and attachments in a “sandbox”, allowing safe messages to arrive in your inbox.
  • Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
  • Ensure that all of your information is encrypted at-rest and in-motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services.  Encrypt files on your local disk, on any file servers, and in the cloud.

Prevent Email and Domain Impersonation

As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.

  • Sender Policy Framework (SPF): Authenticates addresses you use to send email.
  • DomainKeys Identified Email (DKIM): Digitally signs messages to ensure emails are not altered en-route.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.

These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

 

Security Trends Will Impact Small Businesses

Security, Privacy, & ComplianceSpeaking at a recent CRN-hosted security summit for midsize enterprises, Paul Furtado, Gartner’s Vice President of Midsize Enterprise Security stated, “The only thing harder than defending yourself against a cyberattack is telling your executives and your partners why you didn’t do enough to protect yourself.”  His comments reflect current security trends from our historic “Trust but Verify” security model to one that is “Never Trust; Always Verify” — also known as Zero Trust.

Expectations are changing and our tolerance for breaches is dropping.  More than 56% of successful attacks exploit known vulnerabilities with patches available for more than 90 days.  Frankly, many of us are failing at the fundamentals of IT security and this needs to change.

While smaller in size, SMBs remain prime targets of cyber attacks.  With “Ransomware as a Service” readily available, finding and attacking vulnerable small businesses is inexpensive and effective.  SMBs are more likely to have fewer security protections; SMBs are less likely to be able to recover from an attack and more likely to pay ransoms.

Here are 7 security trends that warrant our attention and action:

1 Zero Day Exploits

As the name implies, Zero-Day  Exploits take advantage of newly discovered security holes before our tools and systems can be updated to prevent an attack.

Next Gen solutions are needed to protect from attacks on devices, in the flow of email, and in web traffic.

2 Insider Threats

Insider risk refers to every account that has access into an organization’s environment such as service accounts, custom integrations, and API accounts. Insider threats, meanwhile, are the small percentage of insiders actually doing something that will cause a security incident, intentionally or not.  For example, the increased use of QR codes allows attackers to create malicious QR codes that install keyloggers and screen grabbers to steal identities and multi-factor authentication tokens.

We need Security Awareness Training to help individuals understand the risks and build safe habits.

3 Regulatory Changes

As noted, security expectations are changing.  State and federal laws are changing. Passed by the Senate this year, the Strengthening American Cybersecurity Act will require businesses to report significant cyber events within 72 hours and ransomware payments within 24 hours. These requirements lay on top of other federal regulations, multiple states’ privacy laws (CCPA, MA PII, etc.), and industry regulations (PCI-DSS, etc.).

With cyber insurance and cyber response services in place, small businesses are more likely to avoid fines, losses, and legal actions.

4 IoT

Internet of Things devices, and similar automation technologies are popular and often lack basic security features.

As IoT-based solutions move into smaller businesses, we need to secure and monitor devices and the networks on which they run.

5 Supply Chain

Bad actors know that attacks on supply chains can be more effective than attacking an intended target.

If your smaller business is in the supply chain of a larger company, expect security to become an issue.  They are likely to request — or demand – additional security measures as a condition of your business relationship.  And, be ready to demonstrate (prove) that you actually do what you claim on the security checklist.

6 Data Mining

Data mining enables attackers to not only go after your business, but your vendors and customers as well.  Imagine attackers telling your customers their private data will be released if you do not pay the ransom.  Even more common, imagine your customers receiving emails “from” (impersonating) you instructing them to send money.

We need to start protecting unregulated data in the same ways we protect regulated data.  Encryption, for example, does not prevent a breach but ensures the data cannot be used.

7 Ransomware

It would be nice to think we are past the ransomware pandemic, but we are not.  Over 80% of ransomware attacks are on small and mid-size businesses. Because attacks have moved beyond encryption to data exfiltration, attackers are likely to understand your business and set ransoms that are steep, but payable (often 1% to 1.5% of annual revenue).  Businesses hit by ransomware average more than 20 days of significant business disruption. On average, they permanently lose more than 35% of their data.

A response and recovery plan that includes business continuity ensures that you can keep your business running while you recover from and respond to an attack.

Your Next Step

Please contact us to evaluate your security footprint and needs, and discuss possible next steps, or schedule a no-obligation introductory call with one of our Cloud Advisors.

Resources for Small Business Owners and Solopreneurs

Different Types of Email Security Features

Different Types Of Email Security Solutions Can Help Protect your Business

When launched Cumulus Global 15 years ago to provide small and midsize businesses (SMBs) with email security and security solutions. As early adopters, we saw how managed cloud services and solutions made enterprise grade solutions affordable and effective for small businesses.  While much as changed over the past decade and a half, we still face email-based threats.

Email Attacks are Easy

According to Verizon’s 2021 Data Breach Report, email remains one of the most common vectors for attacks. And, phishing attacks are at the top of the list. Email phishing attacks remain prevalent because they are relatively easy. Cyber attackers are able to say one step ahead of our defenses, in large part to the rise in social engineering. With more of our personal information available through social media, attackers can use psychological tactics and personalized messaging to target specific individuals (spear phishing) and business leaders (whaling). In doing so, they garner sensitive information and gain access to systems and data.

Business Email Compromise

Business Email Compromise (BEC) attacks impersonate your email domains or emails for specific users. In most instances, BEC attacks look and feel like legitimate emails from your business. Combined with social engineering tactics and personalize information, they are hard to spot and often successful.  Cyber security attacks can be “internal” that target your employees, or “external” that use your business to defraud your customers and associates.

Email and Domain Impersonation

Preventing email and domain impersonation attacks bypass account level security, including multi-factor authentication. To prevent these attacks, recipients should only accept email that can be authenticated as coming from your domain.

Different Types of Email Security Protection: Good, Better, Best

Currently, you have three levels of email domain security that can protect your business and your identity: Good, Better, and Best.

Good: SPF Sender Policy Framework

SPF verifies emails sent from valid IP addresses, either from your domain or authorized senders. While most small businesses have an SPF record configured, errors cause individual emails, or emails from marketing and CRM systems, to be flagged as spam by the recipient. Cyber attackers can spoof email addresses to give the appearance of a validated sender.

Better: DKIM DomainKeys Identified Mail

DKIM verifies that have been digitally signed by the sending domain, or by services sending email on behalf of the domain. Proper configuration is technical and involves cryptographic key management; errors can lead to fake messages with valid DKIM signatures. Cyber attackers can remove the DKIM signature using sophisticated relay attacks.

Best: DMARC Domain-based Message Authentication, Reporting,
and Conformance

DMARC authenticates email origin by aligning identifiers from SPF and DKIM, and instructs recipients to deliver, quarantine, or reject failed emails by policy. DKIM helps improve email deliverability. Is the best protection against email and domain impersonation attacks, whether they target your employees, vendors, or customers. Reporting enables you to see email sources and manage your policies.

Protect Your Business With Our Email Security Services

While you set up SPF and DKIM with DNS record entries, DMARC is best implemented as a service. Doing so provides you access to settings, reports, and analysis tools. For most small and midsize businesses, the level of protection DMARC provides is worth the minimal cost.

You can learn more with our eBook: Email Security: Good, Better, Best.

To discuss your email security configuration, make an appointment with one of our Cloud Advisors, send us an email, or fill out our contact form.

4 Pillars of Cloud Security: The Most Important Strategies to Know

Learn about the four pillars of cloud security that can help you reduce risk, increase agility, and run more efficiently: (C/I/A), external threat protection, data loss protection, and compliance.

While Cyber Security month comes and goes, the four pillars of cloud security remain integral to long term business success.  In what seems like a never-ending process, we continue to face new and advancing cyber security threats to the integrity of our data, identities, and businesses.  For those of use with small and midsize businesses, we need to ensure our systems and information are secure. At the same time, we want to keep our IT systems simple and manage our budgets.

Four Strategies for Cloud Security

To strike the right balance, we need to assess our current security foundation, identify gaps, and fill in services where needed. Doing so creates a security foundation that covers your basic needs.  From there, with the four pillars of cloud security in place, you can add services and build the security footprint you need to meet industry expectations and regulatory requirements.

A sound cloud security foundation is built on four pillars of cloud security.

1. Basic C/I/A

Ensure the confidentiality, integrity, and availability (C/I/A) of information you create, receive, maintain, or transmit.

This first pillar of cloud security establishes your basic security infrastructure that protects against attacks and prevents breaches across your IT systems.  It also creates your ability to respond to issues and recover, key to ensuring business continuity and resilience.

2. External Threat Protection

Identify and protect against reasonably anticipated threats.

This pillar of cloud security focuses on the attacks and threats from outside your business. From phishing, ransomware, and business email compromise, to DNS and advanced persistent threats, the focus is on protecting your data, applications, systems,  and people from harm.

3. Data Loss Protection

Identify and protect against reasonably anticipated uses and disclosures.

Data breaches and data loss result from configuration issues, application errors, and individual actions. Permission errors, inappropriate sharing, and other actions are often accidental, resulting from a lack of understanding of policies and/or how systems work. They can, however, result from intentional acts of misconduct. Proper data protection and security solutions will help protect against these internal risks and threats.

4. Compliance

Ensure workforce and business compliance.

Nearly all businesses must meet basic legal requirements to protect sensitive information. Most businesses must also adhere to industry and additional legal requirements.  This cornerstone encompasses the policies and procedures that ensure your team, and your business meet your compliance requirements. IT also includes the tools and methods to enforce policies and report on compliance.

Tactics for Implementing the Four Pillars of Cloud Security

To ensure your cornerstones are set and your cloud security foundation is place, conduct a security footprint assessment.  For each pillar of cloud security, identity the services you have in place and those that may be needed. The assessment should cover the “CPRs” of security:

  • Communication/Education
  • Protect / Prevent
  • Respond / Recover

For more information, send us an email or complete our contact form.