Posts

Pragmatic Security: Balancing Security Measures for Small Businesses

While on vacation recently, I did something that I did not think had been possible since July 1970. I boarded a commercial airline flight without having to go through security. No ID check. No metal detectors. The gate agent scanned the barcode on my ticket and I walked on board. The experience was, at first, confusing as I went from curb to gate with no security checks. I asked the gate agent why there was no security check; the answer was pragmatic security.

Pragmatic Security in Action

Airport security intends to prevent hijackings. I was traveling in New Zealand, which you know is an island country. The nearest country, Australia, is at least a 3½ hour flight by jet. My plane was a dual engine turboprop with about 70 seats and a range of 930 miles. It is impossible for the plane to leave the country.

Hijacking a regional flight in New Zealand is pointless, as you cannot escape the country. The security risk is minuscule.

In New Zealand, flights on regional planes do not have (or need) security checks. To board a jet, however, you will board at a “jet gate” having passed through all of the common security and ID checks.

Pragmatic Security for Your Small Business

The concept of pragmatic security also applies to IT and cybersecurity. Not every business needs every security measure. We can, and should, scale our IT and cyber security to meet our needs and priorities.

That said, the baseline has changed. In New Zealand, the baseline security for flights is that the customer has a ticket.  For smaller businesses, the historical baseline has been “a secure firewall/router, antivirus software, and email filters for spam.”

As we have discussed in other Security Update Series blog posts, we face new security demands from customers, insurance providers, and regulators. As cybersecurity risks increase, so do the solutions we need to implement.

Pragmatically: How Much Security is Enough?

While the answer varies based on your business needs, risks, and priorities, our Security CPR model provides a solid baseline. We are also proponents of understanding risks. As we discussed in this blog post, focusing on the most prevalent risks and the most damaging risks is the best place to start.  Designing your security solutions from these two angles provides a solid baseline of protections. Additional measures can be added as needed to meet industry or regulatory requirements.

Call to Action:

If you have not done so already, a baseline security assessment is a good place to start. Our Rapid Security Assessment provides a quick review of core security services. And our Cloud Advisors are ready to assist with any questions or concerns.

Contact us or schedule time with one of our Cloud Advisors

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

IT Solutions: 3 You Can Live Without

Business Continuity & Protection

With continued, rapid change and evolution of the cloud services and capabilities, we hear that we “need” many things. The reality, however, is that many of the “solutions” being hyped are not really needed. In our recent blog post, we offered three IT solutions you need. But in this blog post, we will share three solutions you can do without.

1. 3rd Party Conference Tools

Both Microsoft and Google Workspace, with Teams and Meet, include robust audio and video conferencing services. There was a time when third-party services like Zoom offered unique features. However, capabilities such as transcription, translation, break-out rooms, and Q&A panels are now a part of Teams and Meet.

Notably, some of the advanced features of Teams and Meet, such as streaming, come with upgraded Microsoft 365 and Google Workspace licenses. These upgrades are generally less expensive than third-party services.

2. Physical Desk Phones

While some of us may have an emotional attachment to the physical phone on our desks, for many, these devices feel like clutter. The way we make and receive calls has changed. Our devices should change as well.

Features like hot links, click-to-dial, and voice dialing are available within the apps and browsers on our computers and phones. Smartphone apps let us make and receive business calls without sharing our personal phone numbers and maintaining separation between personal and business text messaging and voicemail.

Headsets and speaker/microphones give us hands-free access to our phone systems at our desks, from our smartphones, and in our cars and trucks.

3. Unsecure Artificial Intelligence

You do not need unsecure AI. Even so, you and your team likely want to use it.

Chances are, you and members of your team may already be using ChatGPT, AI meeting assistants, and other AI-powered tools.

The challenge is that most public AI tools are not secure. Using them likely violates confidentiality and nondisclosure clauses in contracts. Using them may also put you in violation of HIPAA, PCI, and other data privacy laws and regulations.

Before jumping into AI as a company, and before “Shadow AI” (unvetted tools) gets out of hand, develop an AI strategy and plan. Begin with identifying use cases and understanding how to ensure data security, privacy, and compliance. Pilot solutions and educate/train your team.

Copilot and Gemini AI both offer artificial intelligence tools that integrate with Microsoft 365 and Google Workspace, respectively. These are secure tools that use the permissions capabilities of the ecosystems. 

What to Do:

Contact us or schedule time with one of our Cloud Advisors. Without obligation, we are happy to discuss your business and IT services. We can also map out opportunities to save money and leverage AI, along with other emerging technologies.

If you are interested in three solutions you need, jump over to this post.


Zoom Privacy Policy is a Risk

Updated 4/05/20

Updates:

  • 4/05/20: Zoom posted an updated Privacy Policy, back dated to 3/29/2020.  This policy clarifies Zoom’s actions and intents and changes some terms and conditions, indicating that Zoom is now doing the right thing with your personal data.  Zoom has also expanded users’ ability to use passwords and waiting rooms to control meeting access.  We still recommend reviewing the policy and using the “do not sell” process.  We also recommend using conferencing systems within your productivity suite, Office 365 or G Suite, as these are secure and integrate with your email, calendar, and file services.
  • 4/01/20: MIT Tech Review summarizes the security issues with Zoom, including information about a Class Action Lawsuit.
  • 3/31/20: Vice.com reports that Zoom is leaking personal emails and photos to strangers.
  • 3/31/20: The Intercept reports that Zoom is not using End to End Encryption as claimed in their marketing materials and user interface. 
  • 3/31/20: New York Times reports that Zoom, the videoconferencing app whose traffic has surged, is under scrutiny by the New York attorney general’s office for its data privacy and security practices.
  • 3/30/20: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic

On March 18, 2020, Zoom.us posted changes to its privacy policy that impact all users, even those without accounts attending meetings as guests.  This change follows a dramatic increase in Zoom users (and stock price), as Zoom has been offering its services for free to many businesses and schools.

Under this version of Zoom’s privacy policy, Zoom is collecting more information, in our assessment, than is necessary to provide users with the service. Zoom also acknowledges providing this information to third parties. The information Zoom is collecting includes, but is not limited to:

  • Name, physical address, and other similar personally identifying information
  • Information about your job, such as your title and employer
  • Your Facebook profile information (when you use Facebook to log in to Zoom or to create a Zoom)
  • General information about your product and service preferences (including software installed and/or in use on your computer)
  • Information about your device

Per Zoom’s policy, downloading and using the Zoom app provides Zoom with consent to share any personal information they collect with third parties.

In reference to the use of third party services, the policy states:

“We use these tools to help us improve your advertising experience (such as serving advertisements on our behalf across the Internet, serving personalized ads on our website, and providing analytics services).”

In other words, Zoom may use the personal information of any person using their services to market to that person across their use of the Internet.

Additionally, we do not see any effort by Zoom to determine the age of individuals using the service, so they are likely collecting and using the personal information of children.

Vice.com is reporting that Zoom’s iOS app sends data to Facebook even if you do not have a Facebook account.

Impact

Our current assessment of the impact is as follows:

  • Data collection is based on the way each meeting participant enters the meeting.  Even if the organizer is on a paid and secure business or education edition, meeting attendees using the free client or entering as a guest are subject to data mining and sharing.
  • For businesses and schools, some of the data Zoom collects and shares is prohibited under the Children’s Online Privacy Protection Act (COPPA).
  • For schools and libraries, not using the K12 version of Zoom for faculty and students may result in violations of the Children’s Internet Protection Act (CIPA)
  • Zoom does provide a means for users to instruct Zoom to “Do not Sell” their personal information. This helps with California Consumer Privacy Act (“CCPA”) and EU General Data Protection Regulation (“GDPR”) compliance.  It may not be practical to advise all meeting attendees of this option.

In short, Zoom’s privacy policy may conflict with your business’ privacy policy and how you manage and respect your customers and their data. The policy may also create regulatory and legal issues.

Recommendations

If your organization uses G Suite or Microsoft Office 365, you already have the ability to securely conduct audio and video conferencing with services that do not mine and share attendee data.

  • G Suite
    • Hangouts Meet (the new service) is secure and HIPAA compliant.  Individuals outside your organization can join via shared URL, without providing personal information. Through June 2020, Google has enabled all G Suite users to conduct meetings with up to 250 participants and provided organizers with the ability to record meetings. Participants can mute their own audio/video and can present to the meeting. Meetings include dial-in numbers and PINs to allow access from phones.
    • Participants can join via web browser or use the free iOS and Android apps.
    • Traditional Hangouts and Chat, while not HIPAA compliant, are still secure and work within organizations and with guests.
  • Office 365
    • Teams (and formerly Skype for Business) is a secure video/audio conferencing service with screen sharing, waiting rooms, and other helpful features.  As with all of Office 365, Teams can be deployed to meet HIPAA compliance. Teams does not collect and share personal information.
    • Teams, by default, is device-to-device conferencing.  You can add the ability for individuals to connect by phone for a small monthly fee for each meeting organizer that needs this function.
    • Participants can join via web browser, or use the free apps for Windows, Mac, iOS, and Android.

Before adding another service or tool for audio/video conferencing, take full advantage of the services you have. Contact us if you need help with user training and support.

If you are not using G Suite or Office 365, several communications and conferencing services are offering secure, free access for up to 90 days.  These include, but are not limited to, Dialpad, UberConference, Ring Central, and Cisco WebEx. Please contact us for help selecting and deploying the right service for you and your teams.

 

Myth Busting Monday: Skype and Skype for Business are the Same

Skype and Skype for Business carry similar names and are sometimes confused as one and the same thing.  Both let you communicate for free between computers and hold online meetings. But that is where the similarities end.

Skype and Skype for Business are Very Different Services

Skype is a free consumer service designed for communicating with a small number of people. You can buy credits to make calls to traditional phone lines and mobile devices.

Skype for Business is a secure communication and collaboration service designed to boost productivity by letting people connect in the way that is best for them: chat, voice, video, etc.  Skype for Business is more than a chat and calling app; your team can give presentations and attend meetings from anywhere with an Internet connection.

Skype for Business lets you run online meetings with up to 250 attendees, gives your enterprise security, lets you manage your employee accounts, and integrates with your Office apps and Office 365. The integration with Office 365 also includes:

  • Presence – See if somebody is available or busy at any time
  • Instant IM – Start an IM session by double-clicking a contact name
  • Share – During meetings, share your desktop or a specific application
  • Include – Invite people outside your company to meetings with a full-feature web conferencing experience
  • See – Integrate video through webcams on any call or conference

With Skype for Business, you can skip the expensive web conferencing services, along with the hardware, software, and administration required for on-premise communication servers. You simply manage access, settings, and security.


This is the seventh of a multi-part series designed to help companies better assess the opportunity and value of cloud-based solutions. Contact us to schedule a free, no-obligation Cloud Advisor session to discuss your priorities and plans.


Beauty in the Box

Asus Chromebox
It looks simple enough. A small form factor desktop computer running Chrome OS. In its native mode, the Chromebox lets you access any website and any cloud-based service with a web interface that you can imagine or ever want.

What makes the Chromebox really beautiful, however, is what it can do when assigned to special tasks.

Kiosks

Bundled with the Chrome Management Service, you can easily configure Chromeboxes to run as a single application kiosk. Whether providing information to customers in your store, allowing visitors to check in at the lobby desk, or to provide games for kids to play in your waiting room, the small form factor and easy setup make Chromeboxes an affordable solution to install and maintain.

Chromebox for Meetings

For less than $1,000, you can enable video conferencing in almost any small or mid-size conference room. Bundled with an HD camera, an HD conference speaker/microphone, and management software, you can link the device to the conference room calendar. Video conference setup is automatic and attendees can start the conference with a single press of a button on the remote control. Easier to use than traditional video conferencing, you can share presentation materials from any participant in the meeting.

Digital Signage

Combine the kiosk capabilities of the Chromebox with free or low cost tools, and your Chromebox becomes one of the most affordable digital signage solutions on the market. Securely manage display presentation and content remotely from any web-connected device without investing in expensive, proprietary systems.


If you are interested in or need a kiosk, video conferencing, or digital signage solution, contact us to discuss your needs and evaluate solutions.

Hangouts and Chromebox for Meetings Grow Up


Based on customer and user feedback, Google announced today a set of major improvements for both Hangouts within Google Apps and Chromebox for Meetings.

Hangout Updates

  • Hangouts is now a core Google Apps for Business product, covered under the full Terms of Service that supports Gmail, Drive, Sites, and other core services.  This means that Hangouts is eligible for Google’s support and 99.9% uptime guarantee, and is ISO 27001, SSAE 16/ISAE 3402, and SOC-2 certified.
  • Google Apps account users can now include up to 15 full participants without creating a Google+ Profile.
  • New partners, like Blue Jeans, enable people on traditional video conferencing systems to join video meetings.

Chromebox for Meetings

  • You can now connect two displays to one Chromebox for Meetings device, so you can see your audience and your projected presentation/screen at the same time.
  • From the Google Apps Admin Console, IT admins can better manage meetings, including: remotely starting meetings, muting, and hanging up meetings.

You can learn more about these features on Google’s Official Enterprise Blog post.

If you want to better understand how Hangouts and Chromebox for Meetings can help your business, please send us a note.

 

 

 

 

Cumulus Global CEO offers Video Conferencing Advice to SMBs

Allen Falcon, CEO of Cumulus Global was quoted recently by the Worcester Business Journal, providing technical advice about video conferencing services for Small and Mid-Size Businesses.

Click Here to Read the Article