Management, Info System Security Russell Mickler

Protecting Your Systems in 2022

Here’s what we’ll be doing in 2022 to help our small business clients with IT security.

2021 offered an unprecedented number of challenges to small business information systems.

I wanted to take a few minutes to talk about the overall strategies that I’ll be using to protect my clients in the coming year.


Defense in Depth

There’s no such thing as a magic pill. Not one product, not one solution, not one strategy that can safeguard IT assets 100% of the time; anyone who tries to convince you otherwise is trying to sell one. And if you believe that sales pitch, you’re already falling into a trap of the mind; you’re already making too many assumptions and assumptions won’t keep you safe.

Instead, it is more rational to perceive risk in terms of layers of control.

Here are some examples:

  • one layer controls the physical access to a network;

  • another controls the wireless access to a network;

  • another controls the remote access to a network;

  • another layer authenticates who you are to that network;

  • another defines what software you do or do not have access to.

Five layers, five controls.

Over time, we can measure and test our controls to prove that they work, and we can say - with some degree of certainty - that our systems are secure.

Security, after all, is just a feeling: it is the confidence that we have in our safeguards. If you’re not already managing your IT in layers, how can you have any confidence that your systems are secure? Well, you can’t - you’re just making assumptions - and assumptions do not equal confidence.


Cloud Computing

Most small businesses do not have computer and network expertise on-staff. And aside from the talent problem, managing IT assets and information systems is extraordinarily risky and costly. So unless computer expertise is a core-competency, why do it?

It is far better for small businesses to outsource that risk and push it onto the backs of vendors who can operate at a better economy of scale and can manage IT better than them.

Somebody like Google can manage your email more cost-effectively than you can, and they have an army of professionals safeguarding your data. So why not let Google handle your email instead of running your own email server? The same could be said for applications, files, phone calls, databases, and device management.

In doing so, small businesses transform IT into an always-on utility - a system like electricity and water - allowing for the most reliable, cost-effective access, using any device, anywhere.

You don’t keep an electrician on-hand to deal with electrical problems, right? And you don’t keep a plumber on your payroll to handle the plumbing problems and run more water into your building. The same should be for your IT. Outsource the risk; transform IT into a utility.

In 2022, I’ll continue to push my small business clients to abandon running their own on-prem servers and devices, and to leverage cloud computing to the greatest extent possible.


Identity and Access Control

One of the biggest challenges we have in IT today is this concept around stealing somebody’s identity to gain access to a confidential system. This is primarily done with phishing attacks. A bad actor sends your team an email that looks legitimate. They click on a link and are brought to a website that looks and feels legitimate, but is really set up by the bad guys to capture their username and password to a secure system.

It’s a huge problem and employee training isn’t enough. The bad guys get more sophisticated every day. We need technical controls that adapt - using machine learning (ML) and artificial intelligence (AI) - to spot the phishing attack and prevent the user from even seeing it. Google’s Gmail uses these tools to constantly screen attacks from aggressors intending to steal identity information from your employees.

Combined with good password management policies, multi-factor authentication, and admin alerts controlling end-user access, adaptive ML/AI promises to reduce these effects significantly. In 2022, in my role as a Google Partner, I’ll be continuing to help my clients get the greatest benefit from their cloud platform investment by securing their identity.


Endpoint and Mobile Device Management

Another vector of attack against your systems is through exploiting the human propensity to procrastinate and ignore risk.

A good example is computer security updates. Many users will deliberately tell their computers not to apply updates, or won’t restart their machines after receiving updates. This prevents the system from receiving necessary software updates to help protect them, and over time, the lack of patches creates huge holes that aggressors can drive a truck through.

Endpoint Management (EPM) uses software to regulate the compliance of managed computers so that they’re always receiving their security patches. EPM also takes care of things like viruses, malware, and intrusion detection. It provides a set of tools to remotely manage assets to bring them back into compliance and safe to use.

Mobile Device Management (MDM) uses similar controls to verify that the devices approved to remotely access company information (like mobile phones, tablets, and laptops) are controlled.

Used in conjunction with each other, MDM and EPM alert administrators to take action if a machine continuously falls outside of the range of acceptable patching or suffers from malware or an attack, prevent unauthorized, lost, or stolen devices from accessing secure information, and provide dashboard-level pictures of the overall security posture of a company. It’s the best, most cost-effective way to prevent loss … rather than reacting to loss.

In 2022, I’ll be attempting to convince most of my clients to join my endpoint management program and implement MDM to best control their systems.


Managed Browsers

Increasingly, phishing attacks come not just from email but from what are referred to as browser hijacks. Websites and software will redirect the user’s browsing activities to websites that attempt to steal identity credentials or Personal Private Information (PPI). Hijacks threaten not only the user but any confidential information that may exist on their computers.

These risks demand that an IT control be extended to Internet browsers. Managed browsers are browsers that exist on any device anywhere but receive a central set of policies. These policies dictate how the browser can be used, when it can be used, what sites and software are okay to use - and which ones aren’t - and prevent the user from accessing known-bad websites that could harm them.

In my role as a Google Partner, in 2022, I’m going to help a majority of my clients by deploying managed browsing policies governed by their Google Workspace investment to help keep their teams safe while using the Internet.


Perimeter Control

There are logical software components to every network. These components control the logical flow of information. You’re probably familiar with these devices by their names: routers, switches, bridges, and gateways. Most are simple computing appliances without a high degree of security built into them.

These devices do their work day in and day out and most of the time, you don’t have to even think about them. However, over time, their firmware needs to be updated; for the same reason we patch computers, we must also patch these devices. Aggressors realize that this equipment often goes unnoticed and unsecured because it’s not something most people are thinking about.

Well, I’m thinking about it. In 2022, I’ll be helping my clients identify their network’s perimeter infrastructure, either patching or replacing suspect equipment, and implementing tighter security controls over them.


Training

All the ML/AI in the world can’t beat human instinct or well-trained human behaviors. Technical controls to help secure the workplace are great but real security - real confidence - begins and ends with training people.

Your team must be brought up to speed about the most recent threats and concerns, and given tools to help them navigate the risk.

Sometimes, the best training simply interrupts an emotional response to a problem … to get somebody to just question clicking on a link so they can ask for more advice is an interrupt that a hacker can never thwart. The most skilled hacker can rarely beat an attentive, trained human! They’re counting on the human to not be paying attention, to not be trained.


Therefore, technical controls aren’t enough. This next year, I’ll be pushing training to help teach and inspire others to take these threats seriously. Further, responding to these problems by dealing with them in-depth, through implementing layers of controls, through shifting more and more risk to cloud providers, by implementing strong controls over identity and Internet browsing, and through inspecting the perimeters of our networks, will help instill a stronger sense of security for my clients next year.

R

Economy, Management Russell Mickler

How Small Businesses Will Survive COVID-19

Small businesses have the ability to create experiences that larger companies can’t replicate. It’s those experiences, those expressions of genuine human kindness, that will differentiate your value and keep your customers coming back … even in the most difficult of times.

It’s undeniable that small businesses face unprecedented challenges in the age of COVID. These are difficult times for everybody and - arguably - the difficulties are just beginning.

Still, regardless if it were a hurricane, a major earthquake, a financial crisis, or a pandemic, it’s my view that small businesses have a competitive advantage during tough times that much larger firms do not.

I’m not referring to their smaller size, their nimbleness, or their innate ability to quickly shed fixed costs. Rather, small businesses have a face. Your face.

Your small business has the ability to project sincerity and compassion in a way that larger firms cannot. Your competitive advantage as a small business in hard times is kindness.

People. And I’m talking about customers, vendors, employees, and service providers. Even in an extremely disconnected, automated, and disintermediated economy such as ours, in a practical sense, businesses cannot operate without people buying, selling, delivering, shopping, providing, shoveling, mopping, cleaning, browsing, clicking, or calling. People drive every aspect of our business.

In times like these, savvy small business owners would do well to recognize their unique ability to connect with people as an advantage in every transaction. That they have the opportunity to project sincerity and compassion in ways a bigger company cannot.

And that could come in so many forms. More smiles. More listening. Arriving on time and respecting somebody’s time. By not taking a single opportunity for granted. Through offering a simple sticky note to affirm somebody’s great work. By being enthusiastic. By focusing on the good around us rather than chronically dwelling on the bad. And sure, more tangible things like more bonuses, more breaks, more time off, more leeway, more investment in PPE, or more flexibility - understanding that schedules aren’t as reliable as they had been - but the real advantage being exercised here is just human kindness.

Think about the last COVID-19 response you received from your big bank. It was delivered at four in the morning. It said (with a charming, smiling clip-art graphic), “We’re here for you day and night!”, and it offered a link to their website so they could continue to take your money for credit card or loan payments. They’re a huge corporation! They can’t honestly identify with you insomuch as you can relate to them. Inasmuch, your big bank can’t possibly appear sincere, or empathetic, or truly engaged.

Now picture somebody like me, a computer consultant, coming in to your place of work. I arrive on time. I’m dressed professionally. Sure, I smile under my mask these days, but people can see that in my eyes. I engage in friendly conversation, empathize with your current situation, and I quickly resolve the technical matter. I explain what went wrong in easy terms you can understand. Further, I explain strategies for how we might avoid it in the future. I leave you my business card so you can contact me at any time. And I thank you once again for your continued business.

Now, that’s all just something the big tech support firms, the big box stores, and the nameless phone companies can’t do. They’ve focused so much of their business on scale, volume, you’re a number so be a number, take a ticket, leave a message, press a button, wait a day, but please keep having problems, and pay our retainer, keep feeding us money to support our waterfront offices … sigh.

Well, which of those experiences are you going to remember?

Kindness is competitive.

I feel that demonstrating genuine compassion to others is the value-add that the big guys simply can’t compete with. In good times or in bad. It could be the advantage that inspires your team to keep coming back to work. It could be the gentle reminder of a pleasant experience that brings a customer back. It could be the portrayal of confident professional enthusiasm that’ll prioritize a check for you in the mail this week.

It could be that kindness … is the one thing that makes you, your products, your services, more memorable, and keeps people calling you over somebody else.


Remote Workers are Significantly Vulnerable to Hacking

Everyone is working from home. But what about the risks to our computers and company data? What kind of countermeasures can you take to help protect your small business from disaster?

The COVID-19 pandemic has forced millions to work from home.

In the tech industry, we call home computers and home networks unmanaged endpoints - unmanaged because we don’t control those devices and we have no idea how they’re configured.

There’s a whole bunch of risk that comes with unmanaged endpoints:

  1. The operating systems of home computers are often neglected. They could be lesser versions of Microsoft Windows or MacOS and may not have received critical updates or patches.

  2. The software or settings that we introduce into corporate environments to safeguard our computers aren’t implemented with unmanaged endpoints.

  3. Disaster recovery on unmanaged endpoints is challenging because data may be stored on the local hard drive of these machines. There may not be any data backups.

  4. Privacy and confidentiality of corporate data may also be at risk because, again, such data is stored on an unmanaged hard drive. Who knows if the local admin password on the PC is set to a reasonable level as to disallow root-level access.

  5. The use cases of home machines are very different from those of business machines. There are likely to be more risky behaviors (browsing, downloading, installing by end users) associated with these endpoints, taken on by teenagers and children.

  6. The networking equipment - like the home router and wifi access point - likely hasn’t been patched, updated, or even its root password rotated from its default setting.

And all of this spells big trouble for the small business.

The challenge is to transform these unmanaged assets into managed ones, and, to inspect the networking environment for potential risks and, well, you know … do something about it!

We help small business use technology better. That includes three critical solutions to help protect small business while distance-working.

  1. Ongoing Endpoint Monitoring and Protection.

  2. Online Backups.

  3. Remote Support.

Our Endpoint Monitoring and Protection software reports vulnerabilities back to us so we can take corrective action. It turns an unmanaged endpoint into a managed one. It helps identify areas where the operating system may be vulnerable, or, when somebody installs a risky program. It also includes an antivirus, anti-malware, safe browsing, and intrusion protection system that counters typical threats to a user’s machine.

Our Online Backup solution is all about recovering the company’s data in addition to the user’s data while they’re using their own PC for company business. In the event of failure or if their machine is hit by ransomware, we can recover the user’s data to a restored machine.

Our Remote Support is part of what we offer. It’s a human eye that looks at the user’s network and can make recommendations to improve their security posture. We can red-flag issues that are unmitigated risks so that they can be dealt with; otherwise, we can help safeguard the remote employee with a few simple changes. And of course, if the user gets in a jam with their tech, we’re there to help so they can get back to work.

In all, our approach is to mitigate risk to the small business and to the employee by taking preventative measures. Instead of just reacting to failure - hoping that everything is okay with an unmanaged asset - we help our clients move beyond hope. We help small businesses have confidence in their ability to function and serve their customers.

That’s how we add value.

R
