What Can Businesses Learn from Target and Hurricane Sandy?

It’s been 2 years since Sandy ravaged NYC. What have we learned?

Disasters happen. They always have, and they always will. Some disasters are natural (Sandy, snowstorms, Ebola), others are man-made – Target, Fazio Mechanical, Patco, TEC, etc. You need to be prepared.

To Prepare for Natural Disasters
Ensure you have a written disaster recovery plan that is well written, easy to understand, and communicated to your staff and family.

Make sure you have sufficient cash on hand at work, and at home, to take care of your employees and family members in the event of an emergency. Remember that during Sandy, ATMs and credit card networks were down. Whether you need a hotel room, a rental car, medicine, or groceries, cash is king.

Overstock on food, water, fuel, and supplies at home and in the office so you are well prepared.

Dealing with Human Disasters
Unlike Sandy or Ebola, the more common and recurring threat to your business is human.

Relying on free software, trusting a five-year-old tape backup to work, assuming that a seven-year-old server is still good enough for your business, failing to review and update your insurance policies, failing to train your staff on new and changing threats – these are all avoidable human errors.

Digital Disasters
During Sandy, a large multinational firm with thousands of employees worldwide hosted its Exchange servers in its NYC HQ. NYC lost power for a week. No one had email… globally. (The CIO/COO had rejected previous recommendations for redundant data centers and offsite backups.)

CryptoWall is the latest, and most successful, extortion-ware on the planet. When your employees (or spouse and kids) surf the Internet unprotected or with inadequate security, criminals install CryptoWall on your computers, encrypt all your files with unbreakable encryption, and hold your information hostage for ransom.

A few case studies:
Target’s systems were broken into via a weakness in one of their contractors – Fazio Mechanical.

From KrebsOnSecurity.com:
The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.
[Why it took Fazio so long to detect the email malware infection]: The company’s primary method of detecting malicious software on its internal systems was the free version of Malwarebytes Anti-Malware.

W.J. Bradley Mortgage Company suffered a breach when a former loan officer took files including names, Social Security numbers, and bank and tax information of former and current customers when she left W.J. Bradley for a new job.

Choice Escrow and Land Title LLC sued Tupelo, Miss.-based BancorpSouth Inc. after hackers who had stolen the firm’s online banking ID and password used the information to make a single unauthorized wire transfer of $440,000 to a corporate bank account in Cyprus. The court ruled that the company assumed greater responsibility for the incident because it declined to use a basic security precaution recommended by the bank.

Key lessons to learn:

  1. If you are relying on free, unmanaged tools to protect your company – STOP. STOP RIGHT NOW.
  2. If you are relying on free or expired anti-virus software to protect you, STOP.
  3. If your servers and critical files are not being backed up daily, then your insurance carrier may deny your claims.
  4. If your systems are not patched and running the latest versions of your software, you run the risk of a data breach or CryptoWall infection.
  5. And most importantly, you ARE a target. Plan accordingly.

Next steps:
If your servers are outdated, your disaster recovery plan is a disaster, your backups are missing in action, your firewall is older than your kids, or you’ve got regulators/insurers breathing down your neck for compliance issues, give me a call to discuss at 347-460-2238.

Or visit:
to schedule your disaster recovery analysis.