Posts

Google Jamboard Shutdown – Save Your Jams

JamboardAs previously announced, Google is shutting down Jamboard on December 31, 2024. Even if you never bought a physical Jamboard, the Jamboard app has bounced around the Google Workspace ecosystem for a while as both a stand-alone app (jamboard.google.com) and as the whiteboarding tool in Google Meet.

Jamboard’s end-of-life is December 31, 2024. This is the last day you can migrate any Jam files to a supported partner application. After this date, files will begin to be deleted, and you will lose access to your saved Jams.

If you have used Jamboard, this change is significant. If not, now is a good time to check out third-party whiteboarding collaboration tools to see if they can enhance your meetings, interactions, and collaboration.

Evaluating Alternative Whiteboard Applications

Choosing the right alternative whiteboard application requires thoughtful consideration of several factors:

  1. Assess Team Needs: Identify your team’s specific requirements. Are tool integrations essential, or is real-time collaboration across different devices a priority?
  2. Review Usability: Evaluate the usability and learning curve of each option to minimize disruption to workflows.
  3. Consider Costs and Scalability: Look at both costs and scalability limitations, especially if your organization is likely to grow.

Three Recommended Tools

Three popular alternatives to Jamboard include FigJam, Lucidspark, and Miro. Each offers unique features designed to support collaboration and creativity.

  1. FigJam: Known for its intuitive and user-friendly interface, FigJam is ideal for teams looking to brainstorm and ideate virtually. It integrates seamlessly with Figma, making it an attractive option for design-focused teams. FigJam supports real-time collaboration, sticky notes, and a variety of templates that can speed up the creative process.
  2. Lucidspark: Lucidspark is a versatile platform that emphasizes visual collaboration. It offers features like voting, commenting, and breakout boards, which can enhance team productivity. Lucidspark is designed to accommodate both small teams and large organizations, with robust integrations into various project management and productivity tools.
  3. Miro: Miro is renowned for its comprehensive set of tools aimed at enhancing team collaboration. It offers a wide array of templates, extensive integration capabilities, and supports interactive presentations. Miro’s strong emphasis on team management and project tracking makes it an ideal choice for larger teams or organizations looking for an all-in-one solution.

Your Action: Export or Migrate Your Jam Files

To preserve important Jamboard content, you can migrate your Jam files to one of these partner platforms. Each platform has an easy migration process, allowing you to continue your projects and activities with minimal disruption.

To move Jamboard files to a new whiteboard application, follow these steps:

  1. Educate and Train: Provide training sessions to help your team adapt to the new application. Many platforms offer tutorials and webinars for new users.
  2. Plan Ahead: Start the transition process soon to avoid the end-of-year rush. Allow time to address any challenges or questions.
  3. Leverage Support: Use the new product’s customer support services. They can provide valuable assistance to facilitate your migration.
  4. Monitor and Adjust: After migration, monitor how well the new platform meets your needs. Make adjustments as needed to optimize its use.

Following these steps, you can ensure that your transition from Jamboard is as seamless and efficient as possible, allowing your team to continue collaborating without interruption. As always, feel free to send an email or schedule time with one of our Cloud Advisors for assistance.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

What is Pen Testing and Why You Should Care

Penetration TestingCyber threats are evolving at an alarming rate, posing significant risks to your business. Penetration testing, commonly referred to as “pen testing,” is becoming a vital, proactive tool for assessing your risks.

Pen testing simulates a cyber attack on a computer system aimed at identifying vulnerabilities and testing the security of IT systems. Pen testing goes beyond electronic systems; it encompasses the entire IT ecosystem, including human elements and physical security. 

As cyber threats diversify, pen testing has become an important cybersecurity practice and an emerging requirement for cyber insurance.

Types of Pen Testing

Pen testing falls into various categories, each targeting different aspects of your business’s IT infrastructure:

  • External Testing:
    Evaluates vulnerabilities in the systems that are visible from the outside, such as web applications, servers, and network devices. It simulates attacks attempting to breach your network from the Internet.
  • Internal Testing:
    Examines what could happen if an attacker gains access to the internal network. It highlights potential damage and data exposure risks from within your organization.
  • Targeted Testing:
    A collaborative effort between your IT team and the testers, providing real-time insights into the attacker’s perspective and your response.
  • Blind Testing:
    Testers receive limited information about the target, mirroring the knowledge an actual attacker might have. This helps assess your organization’s security posture from an outsider’s perspective.
  • Double-Blind Testing:
    An advanced form of blind testing where neither the testers nor the IT staff are aware of the test. It evaluates the effectiveness of the security monitoring and incident response processes.

Benefits of Pen Testing for Businesses

Investing in pen testing offers businesses several compelling advantages:

  • Identifying Vulnerabilities:
    Pen tests expose weaknesses in systems, applications, and networks, allowing you to address them before they are exploited.
  • Prioritizing Risks:
    Not all vulnerabilities carry the same weight. Pen tests help you prioritize risks based on their potential impact and likelihood, guiding you on where to focus your efforts and resources.
  • Enhancing Security Measures:
    Insights from pen tests can guide the implementation of stronger security controls, such as multi-factor authentication, data encryption, and improved access management.
  • Boosting Cyber Insurance Prospects:
    Many insurers require regular pen testing as part of their coverage criteria. Demonstrating proactive security measures can lead to better terms and premiums.
  • Regulatory Compliance:
    For industries with stringent regulatory requirements, pen testing can help you assess compliance with standards like HIPAA, PCI-DSS, and GDPR. It can also help you benchmark against cybersecurity frameworks, such as CIS, NIST, and CMMC.

Getting Started

The best way to get started with pen testing is to perform a basic, preliminary scan of your environment. Referred to as a “Level 1” test, this snapshot provides a baseline assessment. From this assessment, you can determine what, if any, mitigation efforts are needed to improve your security, meet compliance requirements, and/or secure cyber insurance.

Your Next Step

Cumulus Global offers a free Level 1 Pen Test to qualifying organizations. Click Here to Request your test and to access related resources.

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management.

Google Gemini Licensing Explained

Gemini Licensing Explained

Google’s recent announcement that Google Gemini is now a core service within Google Workspace has led to some confusion regarding the distinction between the Gemini App and Gemini for Google Workspace and your Gemini licensing options.

This blog post provides clarity on the products and their pricing.

The Gemini App

The Gemini App runs at gemini.google.com. There are two versions of the Gemini App: Gemini and Gemini Advanced.

Gemini is free and runs as a web app and a Chrome extension. It offers a range of features, including: 

  • Summarization
  • Translation
  • Q&A
  • Brainstorming
  • Writing suggestions

Gemini integrates with other Google apps and is free to use.

Gemini Advanced is a stand-alone paid service, and it is included as a core service in most Google Workspace subscriptions. It offers all of the features of Gemini, plus:

  • Access to a larger language model
  • The ability to create custom models
  • More robust image generation
  • Priority support

If you have Google Workspace, Gemini Advanced is included as a core service at no additional cost. Stand-alone access to Gemini Advanced costs $19.99 per month and requires a Google One account for security.

Gemini for Google Workspace

Gemini for Google Workspace is an add-on to Google Workspace that brings Gemini directly into Gmail, Drive, Docs, Sheets, and Meets.  Integrations into Chat and other Google Workspace apps are expected in the near future.

Pricing depends on your Google Workspace subscription tier. With an annual commitment, Gemini for Google Workspace pricing is as follows:

  • Business Tier: $20/user/month 
  • Enterprise Tier: $30/user/month

You can subscribe on a month-to-month basis for $24 and $36 per user, respectively.

Gemini for Google Workspace for Education has two pricing options with an annual commitment:

  • Gemini Education: $16/user/month
  • Gemini Education Premium: $24/user/month

Your Next Step:

Give Gemini a try. For a limited time, we are offering a Gemini $10 Trial for Google Workspace clients that includes Gemini Advanced, Gemini for Google Workspace, and learning tools.

Google occasionally offers free trials and incentive discounts. Schedule a quick consultation to discuss your specific Gemini licensing options. Our Cloud Advisors will help you navigate offers, options, and pricing.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Preparing for Your Cyber Insurance Renewal

5 Cybersecurity Standards

As you approach your annual cyber insurance renewal, you can take specific steps to ensure you have appropriate coverage and reasonable premiums.

The cyber insurance market has matured greatly over the past two years and continues to evolve rapidly. Insurers have become significantly more savvy regarding risks, protections, recovery costs, and potential liabilities. As a result, carriers are more precise in their underwriting practices.

Reviewing your cybersecurity risks and protections is a wise investment of time and resources. In a recent blog post, for example, we outlined 5 minimum cybersecurity standards that – if in place – can significantly reduce your premiums.

Here is a roadmap:

Review Your Original Application and Security Declarations

When you first applied for cyber insurance, you completed an application and, in most cases, a security survey/questionnaire. If you have not formally asked to complete a new questionnaire, take the initiative to review and update your answers.

As a part of the review, document any changes in your cybersecurity protections. Make note if you added new protections or updated procedures.

If you’ve removed or replaced any cybersecurity tools, specify which ones and the reasons for the change. It’s important to track modifications as your needs and environment evolve.

Reassess your Cybersecurity Protections

Policy renewal is a great time to step back and reassess your cybersecurity. Compare your protections to industry, regulatory, and compliance standards relevant to your business.

Our eBook, Cyber Security Requirements for Cyber Insurance, outlines basic, preferred, and best-practice protections to consider before getting or renewing your policy.

As part of your analysis, consider completing new assessments, such as Penetration Testing and Security Audits of your Microsoft 365 or Google Workspace tenant. These evaluations can offer valuable insights, helping to inform decisions and set priorities for future cybersecurity improvements.

Deploy Additional Protections

Based on your review and assessments, determine if you should modify your cybersecurity protections. As you consider changes, prioritize your choices and efforts. hYou can make low-effort changes, as well as changes that address higher-level, critical risks.

You do not need to address every risk and gap. Instead, focus on demonstrating improvements and prioritizing the most likely and impactful risks for your business.

Put Your Policy Out to Bid

Finally, put your policy out to bid. Avoid simply adding coverage or riders to your general liability business coverage.

Cyber insurance is a specialized coverage, and the industry has become more adept at evaluating risks and potential liabilities.  Partner with a broker who specializes in Cyber Insurance to market your coverage to multiple, specialty carriers. This will help you find the best balance between coverage and price.

Your Next Steps

If you are ready to move forward, here are four steps you can take today:

  1. Schedule time with one of our Cloud Advisors.
  2. Ask your Cloud Advisor about discounted and free Security Assessments.
  3. Evaluate options and deploy additional protections, if needed and appropriate.
  4. Shop your policy for the best plan and price with our partner, DataStream.

As always, our Cloud Advisors are ready to help. Contact us or schedule time for a quick online consultation.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Understanding the Google Class Action Lawsuit Notice

Google WorkspaceBeginning on September 23, 2024, Google Workspace administrators began receiving notices from Google Operations related to a class action lawsuit filed against Google in 2020. This Service Alert blog post summarizes the information and discusses next steps as they relate to users with Google Workspace accounts.

Background

In July 2020, a class action lawsuit was filed against Google LLC, alleging unauthorized data access. The case, titled Rodriguez et al. v. Google LLC, is being heard in the United States District Court for the Northern District of California. The plaintiffs, comprising four Google account holders, claim that Google unlawfully accessed their devices and data. The access was via non-Google mobile apps, even when the “Web & App Activity” (WAA) and “supplemental Web & App Activity” (sWAA) settings were turned off or “paused.”

This lawsuit has significant implications for Google account holders using non-Google mobile apps while signed into their Google Workspace accounts between July 1, 2016, and September 23, 2024. Despite Google’s denial of the allegations and no court ruling yet on the merits of the case, the lawsuit has proceeded with class certification. 

The notice received by Google Workspace administrators is part of the initial efforts to distribute notices to potentially affected users.

Key Allegations and Legal Claims

The plaintiffs in this lawsuit assert three primary legal claims against Google:

Invasion of Privacy:

  • The plaintiffs allege that Google unlawfully accessed their mobile devices to collect, save, and use data concerning their activity on non-Google apps.
  • These apps incorporate certain Google software code into the apps while WAA and/or sWAA were turned off or “paused.”

Intrusion Upon Seclusion:

  • Similar to the invasion of privacy allegation, This claim focuses on unauthorized intrusions into private activities.

Violation of the Comprehensive Computer Data Access and Fraud Act (CCDAFA):

  • Plaintiffs contend that Google violated this act by unlawfully accessing and using their data.

The plaintiffs are seeking monetary damages and changes to Google’s practices. Google denies any wrongdoing and maintains that it did not violate any laws.

Class Certification

The court has certified four classes to assert claims for damages based on specific criteria. The two classes covering invasion of privacy and intrusion upon seclusion apply only to non-managed user accounts.

The court defined Google Workspace accounts as “Enterprise” accounts.  For these users, the court defined two classes for claims under the CDAFA.

The classes cover:

  • Usage in the period from July 1, 2016, to September 23, 2024
  • Users with their WAA and/or sWAA settings turned off
  • A non-Google-branded mobile app transmitted activity to Google via the Firebase SDK and/or Google Mobile Ads SDK.

Class 1: From an Android device 

Class 2: From a non-Android device

The Role of Workspace Administrators

Workspace administrators play a crucial role in managing the implications of this Google class action lawsuit for their end users. The Court ordered Google to notify all relevant end users who may be class members. 

Workspace administrators must ensure that they comply with their obligations under the Google Workspace Terms of Service. Per sections 3 and 7, which pertain to legal notices and updates, Workspace administrators must forward messages to end users with accounts during the period of the claim. 

Google will send Administrators lists of end user email addresses. Administrators should forward class notification emails to these users. 

Per the Court Order, Administrators must:

  1. Be prepared to receive and distribute the notices; and
  2. Distribute notices appropriately, maintaining the confidentiality and security of the information as stipulated by the court.

Email Notices and What They Mean for End Users

The court-appointed Class Notice Administrator, Epiq, began sending email notices to all eligible end users as of September 23, 2025. These notices inform users of their status in relation to the class action, specifying whether they are included in the classes for damages or for seeking changes to Google’s practices.

The email notices will provide critical information, including a contact number and additional resources for users to determine their eligibility and understand the implications of the lawsuit. 

End users should read these notices carefully and follow the instructions provided to ensure they stay informed about their rights and any potential compensation.

Stay Informed

To stay informed, you may want to periodically visit the dedicated website www.GoogleWebAppActivityLawsuit.com. You can also call the contact number (855-822-8821) for additional information and updates about the lawsuit.

Your Next Steps

Given the court order, we recommend that Google Workspace administrators use Google Groups to create a distribution list. Your list should include current employees and the personal email addresses for past employees who worked between July 1, 2016 and September 24, 2024.

If you are a client or have a Google Workspace subscription and have questions, please contact us to connect with one of our Cloud Advisors.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Prevent Your Email From Being Pushed Aside or Blocked

With the ever-present nuisance of spam and threats of cyber attacks, email services continue to add features and protections. Some of these will prevent your email from being delivered, and others will prevent your message from being seen. 

Here are 3 actions you need to take so your messages arrive and are seen.

1 Ensure Your Emails Validate Properly

Yahoo, Google, and other email services now require validation for emails. Initially targeting volume marketers, the validation checks can prevent your emails from reaching their destination. To ensure your emails reach your recipients, you must have DomainKey Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocols in place.

Our eBook, Improve Your Email and Deliverability and Security in Five Steps, provides five steps you can take to ensure that your business and marketing emails reach your intended recipients. These steps also help protect you from costly and damaging email identity and business email compromise cyber attacks.

2 Use a Marketing Email Service

Google, Microsoft, and other email services limit the number of emails you can send individually and as an organization. Additionally, these email services lack the controls required by the CAN-SPAM Act and other regulations. 

Marketing email services include the necessary controls, including address publishing, unsubscribe links, and email preferences. They also provide tools for managing contacts, lists, and content.

Using a marketing email service enables you to send bulk emails without being flagged as a spammer. You can protect and maintain your email reputation by using the services to manage your email marketing and response campaigns.

3 Include AI Trigger Words In Your Content

Microsoft Outlook includes a Focus Inbox, while Google Workspace offers Priority Inbox. With iOS 18, Apple will auto-filter email into four segmented inboxes: Primary, Transactions, Updates, and Promotions.

With artificial intelligence (AI), the content of your email determines whether it lands in the primary inbox that people check most, or a secondary folder that may go unnoticed. Messages will be prioritized when they include phrases with:

  • Contextual Relevance: Phrases that indicate important actionable content
  • User Behavior: Messages that are typically opened and acted upon more frequently
  • NLP Recognition: Phrases commonly used in critical communications, as they signal priority
  • Transactional Nature: Content commonly used in transactional messages

In addition to identifying these emails for the focus, priority, or primary inbox views, the AI engines will prioritize messages to ensure recipients see them first.

AI trigger words and phrases should be included but need not be the focus of your message: Sample AI trigger words and phrases include:

Registration Confirmed Preview Meeting Invite
Exclusive Invitation Important Update X Day Left
New Feature Subscription Details Action Required
Invitation Enclosed Event Registration Priority Access
Add to Calendar Event Details

Using AI trigger words will improve the visibility of your emails. Expect that preferred phrases will evolve and change over time.

Your Next Steps

Our Cloud Advisors are ready to help you review your email service configuration. Contact us or schedule time with one of our Cloud Advisors to learn more.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

3 IT Trends We See Now

Working with hundreds of small and midsize businesses, we often see trends in IT interests, plans, and initiatives. Given all the hype, we expected to see Generative AI as a big trend this fall. While our clients are interested in it and beginning to use it, Generative AI is not among the top three trends this fall.

Here are the 3 trends we see now.

3 Incremental Cybersecurity

With a never-ending string of cyber attacks, new regulations, and expanded expectations from customers, insurers, and others, your peers are reassessing their cybersecurity measures and making adjustments. 

Like your business, most small businesses have some cybersecurity measures in place. Adding incremental services is a fiscally smart way to increase prevention, fill gaps in protection, and ensure a more effective response. 

Universal multi-factor authentication (MFA), penetration testing, security awareness training, and improved recovery and continuity solutions are among the services your peers are adding.

2 Virtual Desktops

Remote and hybrid work are the norm. So is bring-your-own-device, or BYOD. The challenge is ensuring your team has a consistent user experience that is productive and secure.

Virtual Desktop, sometimes referred to as remote desktop solutions, provides a cloud-resident environment that is secure and effective. With a virtual desktop infrastructure (VDI), such as Azure Windows Desktop, your team accesses a secure work environment from any device with Internet access. Apps run and data remains in the cloud – only screen, keyboard, and mouse traffic touch the local device.

By removing the end user device from the security envelope, you do not need to put security software, or company data, on employees’ personal devices. You reduce the scope of your management (and the cost) while having more control over your environment.

1 Managed Cloud Services

Your IT and cloud services are more sophisticated and capable. Keeping current, ensuring the environment is secure, and helping your team use your IT services most effectively takes time. Instead of letting things slide, your fellow small business owners and leaders are moving towards Managed Cloud Services.

Managed Cloud Services, like more traditional managed IT services, put monitoring, management, administration, and support into the hands of experts. You get an integrated bundle of security, services, and support that matches your needs and your budget.

While Managed Cloud Services often comes with some increased costs, the enhanced value gained outweighs the cost.

Your Next Steps

Our Cloud Advisors are ready to help you assess if and how Virtual Desktops and Managed Cloud Services may benefit your team and business.

To assess and adjust your cybersecurity, check out these resources:

Our eBook, Cyber Security Requirements for Cyber Insurance, defines basic, preferred, and best practice cybersecurity for small businesses. 

We also offer multiple assessments to help you understand and benchmark your current cybersecurity, including:

These assessments are free with a Referral Code. 

Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your Referral Code. 

About the Author

Bill Seybolt bio pictureBill is a Senior Cloud Advisor responsible for helping small and midsize organizations with cloud forward solutions that meet their business needs, priorities, and budgets. Bill works with executives, leaders, and team members to understand workflows, identify strategic goals and tactical requirements, and design solutions and implementation phases. Having helped over 200 organizations successfully adopt cloud solutions, his expertise and working style ensure a comfortable experience effective change management.

ALERT: Threatening Emails are Spiking

ALERT

In the last 72 hours, our clients have reported an alarming increase in threatening emails. These emails contain enough personal information to legitimately trigger worry, fear, and in some cases, panic. 

This post covers three types of threatening messages and how to respond.

The Attacks

This type of attack is known as a “Exposure Threat” or “Fear of Exposure” attack. Attackers threaten to release embarrassing or sensitive information about you or your business. They may share bits of information or make claims that imply or confirm that they really do have some information. 

Here are three common forms of the threat:

1 “We Know Where You Live”

The email arrives in your inbox from what looks like a “legitimate” Gmail, Yahoo!, or other email service. The subject line contains your name or that of a family member. The message includes your full address and a valid phone number. In some cases, this threat may also include a picture of your home or office. 

Most often, this type of email does not include any explicit threat or demand.

The implication “we know where you live” is intended to instill fear. The goal is to make you more likely to respond and cooperate with future threats. 

2“We Know What You Did”

This form of attack claims to have documents, images, or video of you doing something embarrassing or illegal. The attacker will claim to have access to your email account, or all of your contacts, and will threaten to share the information if you fail to pay a ransom.

This is an explicit form of extortion.

The attackers are betting that the fear of exposure will cause you to pay the demand and prevent you from reporting the attack.

3“We Have Your Information”

This form of attack threatens to disclose sensitive information about you, your business, or your customers. The threat is the damage a data breach causes. This can include serious and costly legal, regulatory, or contractual issues. The attackers may share a sample that “proves” they have the information on hand.

This attack typically includes a specific threat and an extortion demand.

The preview information shared by the attackers may be from sensitive files, but it may also be available from other sources. This form of attack warrants some investigation.

How to Respond: Do NOT Panic!

First and foremost, do NOT panic. The success of these attacks is dependent upon your fear and your reaction. If you receive an email that is like one of these cases or similar, how you respond can make a difference.

No Specific Threat

  • If the email does not contain a specific threat or demand, your best response is to mark and report the email as spam. Doing so should direct future emails directly to your spam or junk folder.
  • You can take the extra step of reporting the message as abuse to the email server. Here are links to report email abuse for Gmail, Sky/Yahoo!, and Xfinity/Comcast.

With a Specific Threat

  • If the email contains a specific threat, you can and should report the message as spam/junk. We recommend your report this to your IT service provider. Your IT team should investigate the possible risks and take appropriate preventative and responsive measures.
  • Extortion is a crime. While many local law enforcement departments do not have the expertise to investigate cyber crimes, most state police organizations have cyber crime units. You can also report the attack directly to the Internet Crime Complaint Center (IC3). The IC3 will route your report to the FBI and other relevant agencies. Depending on the nature of the attack, the response may range from acknowledgement of the report to a full criminal investigation.
  • If the email includes a threat to show up at your home or business if you do not respond or comply. we strongly recommend reporting the threat to law enforcement.

Possible Data Breach

  • If the threat indicates that the attacker has, or can, access sensitive data, promptly take additional steps to protect yourself and your business.
  • If the attack references personal information, placing locks on your credit reports is always a good step. If the threat mentions (or indicates) a source, such as your bank or investment accounts, report the incident directly to that institution or business. Discuss protections they can put in place on your behalf.
  • If the attack references information from your business, promptly investigate the possible breach. This may involve scanning systems for malware and advanced threats, analyzing logs for unauthorized access, and verifying compliance with security measures. The level of your investigation should match the level of risk. Your IT service provider can help you assess the situation and determine the best course of action.

Your Next Steps

You can protect yourself and your business from these attacks, and other cyber attacks before they happen. Our Security CPR model provides a guide.

  • Communicate and Educate: Learn about, and help your team understand, the risks, nature, and impact of cyber attacks. Communicate the need for vigilance and how their behaviors can enable or prevent a successful attack.
  • Protect and Prevent: Put cybersecurity policies, procedures, systems, and services in place commensurate with your business’s risks, needs, priorities, and budget. This includes advanced threat protection for email and strong settings for your SPF, DKIM, and DMARC protocols in your DNS record. 
  • Respond and Recover: Ensure that you have systems, processes, and services in place to respond and recover should an attack be successful. Beyond restoring data and systems, have resources available to address the legal, regulatory, and customer service issues that often arise. Ideally, have solutions in place that allow you to keep your business running while you respond and recover.

For help assessing your current cybersecurity protections, please send an email or schedule time with one of our Cloud Advisors to discuss our cybersecurity assessments and solutions.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

5 Cybersecurity Standards for Small and Midsize Businesses

5 Cybersecurity StandardsAs small and midsize business leaders, we understand the need to comply with regulatory and industry requirements. We also want and need our IT services to support our business priorities and fit within our budget. So how much cybersecurity is enough? Our cyber insurance partner, Datastream, analyzed policies and coverages for nearly 8 million businesses across dozens of industries globally. The most common cyber attacks exploit weak credentials, human behavior, and out-of-date software to gain access to your systems and data. From there, they can not only launch ransomware attacks, they can initiate business email compromise and other costly and damaging attacks. The result: Datastream identified a bare minimum set of 5 cybersecurity standards

The 5 Minimum Cybersecurity Standards

To address the most common and costly forms of cyber attacks, implement these 5 cybersecurity standards.

1 Multi-Factor Authentication (MFA)

MFA requires a secondary physical authentication when logging in. Whether by text, authenticator app, one-time passwords, or magic links, MFA can prevent attackers from using compromised credentials. According to studies by Microsoft, more than 90% of cyber attacks can be blocked if MFA is in place.

While the minimum standard is coverage for email access and remote network connections, we recommend using MFA for access to any and all critical systems, applications, and data.

2 Encryption

Do you encrypt all sensitive information at rest, including backups?

Most of our systems and applications encrypt data in transit (in motion). Encrypting data at rest, regardless of where it resides, prevents your data from being easily accessed and used in a cyber attack. Encryption should be in place on workstations and personal computers, not just on servers and in cloud-based services.

Just as important, backups should be encrypted. Unencrypted backups provide cyber attackers with easy access to data. Backups should also be stored off-site or in the cloud using immutable storage. This strategy prevents corruption of backup sets in the event of a ransomware attack. 

3 Data Recovery

In the last 6 months, has your company tested its ability to recover all business-critical data and systems within 10 days or less, from offline or cloud backups that are no more than a week old? 

Backing up data and systems is easy. Recovery is hard. Knowing that you can reliably restore your data and systems demonstrates your level of protection and how well you have reduced risks. Documenting this will impact your cyber insurance premiums.

While the 10-day recovery window is a minimum expectation, it may not be sufficient for your business. We recommend analyzing your business needs and setting goals to return to operations in a way that minimizes the impact of any disruption.

4 Automated Hardening Policies

Do you implement automated hardening policies?

Hardening systems is the process of limiting the attack surface of your systems, applications, and data. Hardening tactics include:

  • Removing unused applications and accounts
  • Disabling unnecessary services, ports, protocols, and features
  • Limiting administrative permissions and access
  • Logging appropriate activities, errors, and warnings

The process of configuring and managing hardened systems is easiest to manage with a remote monitoring and management (RMM) system in place.

5 Patches and Updates

Do you apply critical patches and updates to key IT systems and applications within two months?

Updates and patches to operating systems are familiar and comfortable. We regularly receive and apply updates to our smartphones, laptops, and desktops, most often as part of a default, automated process. We may not, however, be as diligent with our business systems and applications.

Updates and patches to databases, applications, and other software often require validation and may require changes to settings and integrations. Regularly reviewing updates and patches, and having a process in place to verify and apply updates, ensures that your systems have current security fixes and features.

Your Next Steps

Having these five cybersecurity standards in place represents a no-nonsense minimum that protects your business and can improve your cybersecurity coverage and premiums.

Our eBook, Cyber Security Requirements for Cyber Insurance, dives deeper to define basic, preferred, and best practices. You can, and should, scale your cybersecurity to meet your business’s specific risks, priorities, and budget.

We offer multiple assessments to help you understand and benchmark your current cybersecurity.

  • Rapid Security Assessment
  • Cyber Insurance Risk Assessment 

These assessments are free with a Referral Code. Contact us or schedule time with one of our Cloud Advisors to learn more and obtain your code.

Help us keep the ideas flowing. If you have any blog posts that are leadership thoughts you want to share, please let us know.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Cumulus Global Offers Free IT Asset Disposal with Managed Cloud Services

Managed Cloud Services by Cumulus Global

Cumulus Global Offers Free IT Asset Disposal with Managed Cloud Services

The company adds IT asset disposal and  lifecycle management to the Basic and Business tiers of its Managed Cloud Service offerings.

Cumulus Global proudly announces the addition of IT lifecycle management services to our Managed Cloud Service offerings. Available at the Basic, Business, and Enterprise levels, these services include asset tracking, access to low-cost extended warranties and accidental damage coverage, and free IT asset disposal services. 

“Properly disposing of IT assets and used electronics is necessary but not easy,” stated Cumulus Global CEO Allen Falcon. “Finding a reputable firm, disposal fees, handling fees, and shipping becomes expensive for most smaller organizations.”

The program, included in the company’s Managed Cloud Service offerings at no additional costs offers two levels of service.  For smaller quantities, customers box and inventory the items and receive prepaid US Postal Service shipping labels.  For larger quantities, a disposal team will come on site to box and ship the items.

“We are meeting an important and growing need for our clients,” noted Falcon. “Our service simplifies the process and saves money. It is a win-win for our clients and the environment.”

The addition of lifecycle management services is part of the Cumulus Global’s commitment to increasing value for clients.  These IT asset disposal and lifecycle management services complement the existing security, support, data protection, and co-management components of the company’s Managed Cloud Services.  Organizations interested in learning more can schedule an introductory call with a Cumulus Global Cloud Advisor.

About Cumulus Global

Managed Cloud Services for Small and Midsize Businesses, Governments, and Schools

Cumulus Global (www.cumulusglobal.com) is an industry-leading managed cloud service provider with a mission to deliver solutions with tangible value.

  • What We Do: We translate your business goals and objectives into solutions and services.
  • How We Do It: We start with your business needs and priorities. Planning and migration includes guidance to help your team adopt and utilize new services. Your team benefits from co-managed services, ongoing support, and client success services that help you adapt as your business changes and grows.
  • What We Offer: Managed cloud solutions featuring Google, Microsoft, and more than three dozen providers.

For more information, schedule a no-obligation introductory meeting with a Cloud Advisor.