Posts

The Opening Dilemma

Without a consistent national strategy and leadership, decisions on how to open are economy are left to state and local leaders.  While very few states have me the limited criteria published by the CDC, states are proceeding and are in various phases of re-opening. At the same time, we have failed to contain COVID-19 at the national level. We are not facing a second wave, as the first wave is not over. We see progress in former hot spots, while other areas are seeing record-setting spikes in cases and hospitalizations.

The challenge we face as business owners is how to adapt.

It is one thing to be closed or limited in operations and then re-open.  It is a whole different scenario if we continue to see slow downs, halts, and backtracking.  None of the CARES Act or other relief packages account for businesses need to scale back or close a second time (or third time, or more). Recalling employees only to furlough them again is a damaging cycle. It is hard to plan if you are unsure how you will be able to operate next month or next quarter.

When will this end?

COVID-19 will be behind us when we have a vaccine that is proven to be safe and effective. We will not know this until months after large percentages of the population have been vaccinated, possibly 12 to 24 months from now.  Until then, expect the need for remote work, extra safety precautions, changes to business conditions, and starts/stops with re-opening.

Near Term Flexibility / Long Term Plan

The best advice we have heard, and shared, is to be flexible in the short term while planning for your long term.  In the short term:

  • Understand the phases, guidance, and rules at the local and state level for your business. These may differ for each of your business locations.
  • Understand the phases, guidance, and rules facing your customers.  This is harder to track and manage, but possible if you ask your customers for this information when you engage with them. Doing so will identify issues and help you overcome obstacles.
  • Do not rely solely on local guidance and rules. Unfortunately, re-opening guidance and restrictions have become politicized.  While relying on local rules may provide legal cover, doing so may harm your business if employees or customers get sick.
  • Expect the uncertainty to continue. We scrambled to adjust to closing and continue to scramble as reopening rules come into play and change. Many of the adjustments we made were fine as stop-gap measures.  Now is the time to step back and formalize the changes.  Make sure that your policies and procedures are accurate and up to date. Make sure users are working on company systems and not “shadow IT” services. Make sure your data is on company systems and properly protected.
  • Consider making temporary changes permanent, at least in part.  Many of us realize that more jobs can be done remotely, and done well, than previously thought.  You can take advantage of this long-term in several ways, including reducing the size of your physical offices, recruiting outside of your immediate geographic locations, and offering staff more flexibility.  Doing so can strategically lower costs and improve productivity.

If you want to discuss your near-term or long-term plans, please contact us. We are offering free and discounted services to help you ensure your next steps carry you forward.


 

5 Ideas for Successful Remote Shopping and Customer Pickup Services

As more areas of the country move into Phase 1 of re-opening the economy, you may be able to offer remote shopping and curbside (no contact) pickup.  While you may already have a way to hold items for pickup by customers, moving completely to the “take out” model of business requires you to make changes and scale your processes.  Here are 5 ideas to improve your customer experience:

1. Accept Online and Advance Payments

Customers paying online or by phone before coming for their pickup dramatically reduces the in-person interaction needed to complete the sale. This is safe for your employees and your customers.

  • Adding a shopping cart experience to your website is not a simple process; check with your web developer and verify they have the experience to create a secure, easy to use flow for your customers.
  • If adding a shopping cart experience to your website is not feasible in the short term, you have alternatives:
    • Check with your current card processing service; many offer payment portals that can work well in this situation.
    • Spin up a separate online store using a turnkey solution, like Shopify, to which you can upload inventory and product information
    • Create an online payment account via services like PayPal or Venmo (make sure you have or create a company-specific account)
  • Remember that you must still comply with PCI regulations.  Make sure employees know that when taking credit card information, they should not write down or otherwise record the information expect to put it into the POS or card processing systems.

2. Offer Video Shopping Appointments

Allow customers to schedule video shopping appointments, during with a member of your staff can walk the store and help your customers pick out items.

  • Use a secure video meeting tool. If you use Microsoft Office 365 or G Suite, you already have access to video meetings via Microsoft Teams and Google Meet, respectively. Employees should NOT be using personal accounts, email addresses, or phone numbers to setup or run these sessions.
  • Roll out a scheduling tool that lets customers pick from preset, available times.  Bookings is a free tool included with MS Office 365.  Tools like Calendly integrate with both G Suite and Office 365 services.
  • Get a few tripods with phone/tablet holders.  This will allow a single employee to manage the camera while displaying merchandise. It also makes for a “steady” shot and better shopping experience.

3. Live Chat with Customers

Give your customers an easy way to get in touch with you once they are on your website.

  • Live chat is an inexpensive way for customers to communicate with your team.
  • Most live chat solutions allow your staff to answer questions and transfer the conversation.  Staff working from home can cover the live chat service and answer most customer questions. The chat can be transferred to in-store staff as needed.

4. Create a “Service Desk” for Customer Questions

Going beyond live chat, let your customers interact with you however they want, when they want.  At the same time, you can enable staff working from home to support the team working in-store.

  • Setup a cloud-based service desk phone system that allows multiple team members to answer calls, text messages, and voice messages.
    • Employees sign in as ‘agents’ and can indicate when they are available / not available to answer calls.
    • The system will route calls to an available ‘agent’ in a round robin basis or other priority that you configure.
    • Using a “soft phone” application, your employees access the system via computer or mobile device; their personal phone numbers and information remain private.
  • Setup a shared inbox to allow your staff to respond to, and manage, email communications.
    • More than a distribution list, a managed shared inbox lets your team assign emails and discussion threads to employees and track their work and progress.
    • Using the shared inbox, employees’ personal information and individual work emails remain private.
    • Employees can connect/disconnect to the service as needed to cover shifts

5. Measure Customer Satisfaction

Follow up every sale with a thank you email and solicit customer feedback.

  • Cloud-based customer satisfaction (CSAT) tools let you embed one-click feedback questions into your email templates. These often use familiar green, yellow, and red icons to indicate satisfaction levels.
  • CSAT tools can also solicit comments. These comments can be used to identify and resolve customer issues, as well as generate testimonials for your web site and marketing efforts.
  • More advanced CSAT tools can also ask a “Net Promoter Score” question, so you can measure how many of your customers would recommend your business to others.

A Final Note: As you implement these (or other) ideas, procedures, and technologies, remember to take care of your “back office” and employees. Initiating or improving your customer pickup services means new and changed processes. You may also decide to change roles. For example, some stores dedicate one team member per shift to process online payments as a way of managing access to the tools and information.  Take the time to train your staff and make sure they are comfortable with the changes.  Also, solicit their feedback and ideas. They probably have suggestions that will help you impress your customers.


Please contact us for a free Response and Recovery Assessment. We are happy to discuss ideas and solutions, and to assist with getting the technologies and training in place.


 

Ensure Your Team is Working from Home Safely

(Published 4/21/20)


The rush to get your employees setup and working from home is over; now is the time to take a step back and make sure your team is working effectively and that you are protecting your data and that of your customers.

Here is a simple checklist:

Give Employees Business Software

If you have MS Office licensed through an Office 365 subscription, you have the ability to install each user’s license on multiple computers and devices. Use this licensing to make sure your team does not run into version compatibility issues.  If you have an Office 365 subscription, you can also ensure employees are logged into your domain/tenant and files are automatically backed up to OneDrive or SharePoint file systems.

Give Employees Endpoint Protection

If employees are using home computers for work, the non-work activity on that machine poses a malware and ransomware risk to your business.  Even if your employee has a consumer antivirus tool in place, you should layer next-gen, advanced threat protection.  Solutions like Webroot are designed to coexist with local protections. The solution also gives you control over the security footprint of machines accessing your systems and data.

Give Employees Web Filtering / DNS Protection

Between 20% and 35% of malware attacks originate from infected websites and DNS attacks.  Adding web filtering/DNS protection allows your employees and their families to safely surf without putting your business at risk.

Properly Configure Desktop File Sync Utilities

Whether using Office 365 or G Suite, enabling a desktop sync tool gives your employees seamless access to your cloud-based files. Rather than syncing, configure the agent to serve as a mapping tool. Files cache locally while in use for performance; data remains securely in your cloud; users have easy and familiar access.

Put a Policy in Place

Make sure you have an appropriate policy in place, to protect your employees and your business. We are sharing a simple draft policy you can use and adapt to your needs.

Protect Yourself from Personal Devices

(Published 4/12/20 – Get our Sample Policy)


For many businesses, employees are working from home for the first time. Given the rush to change how our businesses operate, many of those employees will be using home computers or personal devices.  While enabling companies to continue operating, doing so can place your business, data, customers, and employees at risk.

If you do not already have a policy in place, we have published a sample policy covering employee use of personal computers and devices. The policy, intended to augment your existing company policies (such as appropriate use), covers Company and Employee responsibilities.  Since you may need to install software and utilities on the device to ensure compatibility, secure access to your systems, and compliance with your data privacy and protection requirements, the policy strives to create a balance that ensure employees will not lose personal data or use of the device for personal reasons.

You can access the Sample Policy here, free of charge. Please review the policy with your HR and IT resources and modify it as necessary for your business.

As noted in the policy, you should expect to provision current versions of software and the necessary data protection tools. For example:

  • Most Office 365 licenses allow you to install the desktop software on up to 5 computers and 5 tablets/smartphones for each user.  These rights mean that you can provide employees with the same software on their home computers as they use in the office. Doing so improves productivity.
  • Employees may have antivirus protection software installed, which may or may not be current or sufficient for your needs.  You may want, or need to layer on advanced threat endpoint protection software that will not interfere with existing tools, such as Webroot.
  • Employees likely do not have dns/web protection services installed.  As the computer is used for personal activities, adding web protections can prevent web-based malware from impacting your data and business.

Please contact us for a complimentary Cloud Advisor session.  Without obligation, we can discuss your needs, discuss how to best protect your data/business, and recommend affordable solutions to consider.

Zoom Privacy Policy is a Risk

Updated 4/05/20

Updates:

  • 4/05/20: Zoom posted an updated Privacy Policy, back dated to 3/29/2020.  This policy clarifies Zoom’s actions and intents and changes some terms and conditions, indicating that Zoom is now doing the right thing with your personal data.  Zoom has also expanded users’ ability to use passwords and waiting rooms to control meeting access.  We still recommend reviewing the policy and using the “do not sell” process.  We also recommend using conferencing systems within your productivity suite, Office 365 or G Suite, as these are secure and integrate with your email, calendar, and file services.
  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, the Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests.  This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of the Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log-in to Zoom or to create a Zoom)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting.  Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to dating mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA)
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This help with California Consumer Privacy Act (“CCPA”) and  EU’s General Data Protection Regulation (“GDPR”) compliance.  It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If you organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant.  Individuals outside your organization can join via shared URL, without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meeting include dial-in numbers and pins to allow access from phones.
    • Participants can join via web browser or use the free iOS and Adroid Apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default is device-to-device conferencing.  You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

Data Protection

Customer Notice Update: Email Advanced Threat Protection

Data ProtectionGiven the demand and need to improve your protection from the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks we are extending the Advanced Threat Protection Priority Opt-in discount period through March, 2020. We understand that adding a service, even a critical service, impacts your budget and costs. Our Priority Opt-In discounts, and other measures (see below), intend to minimize the impact.

Email Advanced Threat Protection (ATP) and Multi-factor authentication (MFA) are necessary, baseline services for protecting your business

Beginning April 1, 2020, we require Advanced Threat Protection for all of our customers’ email service, unless you specifically opt out. Opting out is appropriate if you already have an advanced threat protection service in place.

If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.
  • We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Data Protection

Customer Notice: Email Advanced Threat Protection

Data Protection

(Updated January 20, 2020)

We continue to witness the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks on our customers.  The recovery cost and frequency of attacks are increasing at alarming rates. The average cost for a small or midsize business (SMB) to fully recovery from a cyber attack has increased to between $145,000 and $180,000. This includes loss of direct business, remediation costs, damage to reputation, and employee downtime.  At the same time, the number of ransomware attacks so far in 2019 has doubled when compared with the same period in 2018.

As a managed cloud service provider, you have heard from us that you “should” have more protections in place. Our position is changing: these protections are a “must”.

Multi-factor authentication (MFA) and email Advanced Threat Protection (ATP) are necessary, baseline services for protecting your business. 

Beginning April 1, 2020, we will require and will begin adding Advanced Threat Protection to all of our customers’ email service unless you specifically opt out. If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.  We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Cloud Management

Security Drives Need for Cloud Management

Cloud ManagementIn a recently published report, one of Forrester Research’s five key cloud predictions for 2020 is that cloud management providers will tackle cloud security.  With the Capital One breach, the first major breach in a public cloud, the industry has a new focus on security public cloud services. Small and midsize businesses (SMBs) are more likely to use public cloud services over specialty providers and private clouds. As such, SMBs need to focus on cloud management.

Effective cloud management can prevent holes in your security protections and save you money.

Cloud management, as a practice, formalizes access, licensing, usage, security, and spending for your cloud services. Instead of focusing on each cloud application or service independently, Cloud Management as a practice oversees and manages the big picture.

Seven key components of Cloud Management are:

  1. Document which cloud services are needed and used based on each person’s role within the organization
  2. Based on need, determine the level of access for each person/group based on their roles and responsibilities
  3. Understand and document subscription and licensing rules for each service, to ensure you can optimize subscriptions and spend
  4. Create standardized on-boarding work flows to ensure new employees and those changing roles are
    • Provided access to only the cloud services they need
    • Are assigned appropriate access to features, functionality, and data within each system
    • Access to data is consistent across cloud services
  5. Create standardized off-boarding work flows to ensure:
    • All cloud services accounts are deactivated, preventing orphan accounts from being left open
    • Data within each cloud service is archived or transferred to other user(s), preventing data loss
    • Cloud subscriptions/licenses are modified to prevent unnecessary costs
  6. Track licensing and subscriptions to:
    • Adjust your subscriptions to match your need, as allowed by each cloud service
    • Identify and remove unused licenses
    • Understand and manage your spending
  7. Actively search for, identify, and manage use of unauthorized cloud services to:
    • Minimize or eliminate “Shadow IT” risks with respect to security, data loss, and compliance
    • Identify and move users from duplicate services to authorized services
    • Provide training on authorized apps and services, preventing the need to use other services
    • Identify cloud services needed or wanted by staff, but not yet available through and authorized app or service

By applying the basic tenants of cloud management you can reduce your security risks, optimize your services and licensing, and better manage your spend.


Cumulus Global offers Cloud Management tools and services.  Contact us for a free, no obligation Cloud Advisor session to learn more.


 

Cyber Threat Series Overview

Protecting your network, systems, apps, data, and people is no easy task as the scope and variety of attacks continues to multiply.  You want and need to protection, but must make smart buying and decisions. Too little or too much means higher risk or unnecessary cost.

We see your business as a target not because we know cyber criminals have you in their sights, but because most cyber attacks throw a wide net and catch those who are unprepared. Appropriate measures to prevent, protect, and respond to cyber attacks has business value and should be part of your IT strategy and plans.

As a series of blog posts, this Cyber Threat Series intends to educate and inform. We will cover the types of risks and attacks and how to prevent them. We discuss solutions. We take a pragmatic approach that respects priorities and budgets.

Topics will include


Contact us to discuss your cyber threat protections. The Cloud Advisory session is complimentary and without obligation.


 

Dark Web Threat Alerts

When Your Identity is on the Dark Web

Dark Web Threat AlertsAs a courtesy to our existing clients and prospective clients, we have been running complementary Dark Web Summary Scans of their domains. These summary scans let us know how many email addresses from each domain currently appear on dark web and identity theft websites. We can then perform a more detailed scan and analysis to identify the specific user identities.

The results are fascinating.

Of 200 domains recently scanned:

  • 87.4% had at least one potential identity compromised
  • The average number of potentially compromised identities is 41%
  • 16% of the companies had more exposed identities than users, indicating breaches occurred from multiple sources

What does this mean?

Just because employee@yourcompany.com appears on a dark web or identity theft site does not mean that the user account on your system has been breached.

It does mean, however, that a breach is likely. And, the more exposed identities for your domain, the greater the risk.

How does it work?

Chances are, your employees are using their work email address, employee@yourcompany.com, as their login identity for other systems.  These other systems are often work related services like Uber, Dropbox, online banking, credit cards used for business expenses, etc. Studies show that about 80% of people use the same or substantially similar passwords across systems.

If there is a data leak or breach at one of these third party services, hackers will test the identity on other systems.  If you have an employee whose email and password were leaked in one of the Dropbox incidents, for example, cyber criminals will test that email address and password, along with similar passwords, across common services like G Suite, Office 365, Facebook, LinkedIn, Instagram, and others.

A compromised identity on a third party service can easily lead to a breach of your systems.

What to do:

  • Get the Details:
    Get a detailed scan on your domain to clearly identify which user identities are exposed and at risk.
  • Mitigate Your Risk:
    Work directly with identified staff to reset passwords. Run additional scans on their systems for malware.
  • Communicate:
    Educate, train, and guide users on the risk of identity breach and how to avoid becoming a victim. Provide guidance, coaching, and policies around the use of company email addresses on other systems and best practices for password selection and management.
  • Challenge:
    Periodically test your employees using “honeypot” and “sandbox” methods to determine who is following best practices and who remains susceptible to attack.
  • Monitor:
    Monitor your domain, and personal accounts of key executives, for future issues and respond accordingly.

Next Steps

Your best next step is to contact us (email or web) to

  1. Request a detailed Dark Web Scan
  2. Discuss security education and testing services
  3. Setup on-going monitoring for your domain