On-Demand: Cyber Action Plan--Disaster Recovery
May 19, 2020
EisnerAmper and Datto discussed trends and best practices around cloud-based software and security measures that are essential considerations when dealing with a remote workforce.
Desraie Thomas: Thank you so much for having me today. I'm super excited for this conversation.
Rahul Mahna: Fantastic. So to give a little context, I picked Datto as the first in the series to talk to you because I remember vividly an event. When I first met Datto and about 10 years ago, they would prove what they did by coming to sessions with a computer. They would light the computer on fire, and they would say, "Now, what is your backup strategy? Because we have a strategy," and they would show us the value of their backup services. So wanted to first start off, Des by are you guys still lighting computers on fire in hotels?
Desraie Thomas: Well, that one story that you're telling right there is specifically from a Marriott in Australia and it's funny because that was one of the last times we lit a computer on fire. What had happened there is we didn't realize that all the detectors are a little more sensitive. And so at the Marriott Conference Center in Sydney, we lit a computer on fire and then the fire detectors went off and they evacuated the entire conference center, the entire hotel and the firetrucks came. And we ended up with a massive fine. And then my boss, that would have been Rob Rae, he was the one at that time who was doing that presentation, called his boss, Austin McChord. And first thing he said was, "So sorry, we made a mistake. We have a huge fine." And Austin said, "Was it cool?" He's like, "Yeah, it was cool!" He was like, "It's fine." So we no longer set things on fire, but we have some really cool disaster demos that we do as well.
Rahul Mahna: Oh, that's awesome. So with that lead in, why don't you talk a little bit about what does Datto do? I know you're an expert. Everybody's seen your videos on YouTube and your marketing materials, but just give us a little sense, what exactly is the strength of Datto?
Desraie Thomas: Absolutely. So Datto is a company. Our core product is our disaster recovery business continuity solution. We work with companies that use MSPs, IT service providers and give them the tools that they need to support their clients. Business continuity, a big part of what we're going to talk about today, is where that core came from. So we've been around since 2007. Our founder, Austin McChord, created us. When he came out of school, he realized that he couldn't get a job because he didn't have any experience, and then tried to figure out how to get experience and created Datto. He first started us in his parents' basement. Since then has sold the company. A really awesome guy.
If you ever want to look it up he's got some great videos, some great machinist videos too. And we since then have grown quite a bit. So we have pretty much all of the tools that any IT service provider or MSP needs, whether it be an RMM or a PSA. We have a networking lineup. SaaS protection is another thing we're going to talk about today. So a full lineup of products that will help you support your clients.
Rahul Mahna: Okay, so you had a lot of great three letter acronyms and a lot of different sayings that you use. But in general, the one thing I like is at the cloud level you're providing a lot of disaster type services that help the consumers. And I really like your services and thoughts. And I think you guys are great for your thought leadership because of that. I want to, just before we get going and ask some questions, remind everybody we're going to keep this to 30 minutes. We're going to be very respectful of that. Please ask any questions you want in the boxes below. If we don't get to you, I promise that Des and I will personally get back to you within the next week. So don't feel rushed if we don't get to your questions, but if anything comes to mind please just put them there. Okay, so let's get into some of the nitty gritty of what's going on. Des, can you tell us from your perspective what are some of the trends and the security issues you're seeing in the cloud pre-COVID, post-COVID? What are you guys seeing?
Desraie Thomas: Yeah, absolutely. So I'm going to bring up some slides here. In my job as a Channel Development Manager I attend events like this, usually live in person. I travel 70% of the time and we have a lot of conversations. Datto, we do a lot of research within the industry and with small to medium sized businesses to see where the industry's headed. And what we found last year was that there's a lot of money being spent by small to medium sized businesses. So this is of last year, but I just show you the trends. I really think these statistics are super interesting. Forty-three percent of all cyber-attacks are aimed at small to medium sized businesses. Eighty-five percent of all email attachments are harmful. You think about the time that you're hiring, you're doing a massive hiring event, your HR person, how many attachments are they opening up? What are the risks of those?
And then when I think about that, that puts that eighty-five percent really into perspective. Ninety-one percent of attacks are launched from a phishing attack. So looking at who you are, who you're connected with, your social media, what information can they get you to click on? Cybercrime will cost $6 trillion by 2021. With the new statistics we're seeing, that number is even jumping with just what's happened in the last 30, 60, 90 days. This statistic has actually shocked me. Twenty-four new malicious apps are actually removed from the app store on a day-to-day basis. That just was crazy to me. And then ransomware was up one hundred and eighty percent from 2018. So this is big business that you're looking at, because there's money to be made. So as long as there's money to be made this business is going to keep it up.
Then we go into a business is hit with ransomware every 13 seconds, so a small to medium sized business. So this is all stuff that we're worried about pre. These are all conscious things that we should be aware of and be thinking and training our employees all of those things. And then we look now post-COVID. Within weeks of COVID happening you will look at Zoom being attacked, whether it be by people going in and entering Zoom and putting information that wasn't very nice or polite or being mean and things, but they're attacking Zoom. Even from there, I pulled together just some news articles over the last 30, 60, 90 days and you're looking at already Forbes is saying that the largest cyber-attack in history will happen within the next six months. You have the EU. WHO is warning everyone now on a day-to-day basis, is recognizing that with change in these environments where you were secure, you had VPN, you had security within your office, and now everyone had to move to home so quickly that is your home office secure?
How are people using their home offices? You have a great story. You're talking about people VPNing. How did that look? What's the security behind that? And that is what we're seeing, that this change is happening quite quickly and there will be unfortunate consequences if we don't keep the security conversation going.
Rahul Mahna: Yeah, that's a great point. And we're seeing that a lot with our clients, even at EisnerAmper, even talking to friends in the industry. There's just a lot of gaps that have been created now across the board from working at home, offices having to adjust and importantly, coming back to the office. How are we going to handle that as a security community? And the biggest thing I keep saying is you should have a plan. So we've been really pushing the mantra of have a plan and do that. Often in the industry there's this term called BCP. What does BCP kind of mean to you and how should companies be using a BCP?
Desraie Thomas: Absolutely. We love our acronyms. I feel like I should just apologize to everybody for every acronym that we ever made. So BCP is your business continuity plan. A lot of the times when we're talking about business continuity people are thinking, okay, backup. I just need something to back up my computer so that way if I drop it or I lose it I can go back to where you're at. The point of a business continuity plan is really thinking about how long you can be down for. Thirteen seconds, every thirteen seconds businesses were being hit with ransomware. So it's only a matter of time until someone actually clicks that link. So if someone was to click that link and your computer was to go down, would it take a day, a week, a month to get back up and running?
So there's two points to think about. How often you're backing things up. Are you backing up once an hour, once a week, once a month? You'd be surprised how often once a month works. As an example, say, if you were a professor at a university writing massive papers and then you lose all your information after a day's work well, that's an entire day's work. That's going to suck. So how often are you backing things up? And then how quickly can you get back to the point that you were at before? And that is where that business continuity plan comes into place. We have a fantastic RTO RPO calculator that you can take a look at, at any point in time. Anyone listening, please reach out and we can help you with that.
But it's a simple nine questions. You can go through how many staff you have, what their wages, nine simple questions. And it'll actually break down if you're down for one hour, two hours, the actual cost to your business of being down. It's usually at that point in time when you realize the cost of being down doesn't mean that you have a continuity plan. You might have a backup plan, but not a continuity plan. You need to figure something else out. And this is where products like Datto or products that you are using come into play.
Rahul Mahna: Yeah, that's a great point. With a lot of our clients the first thing we do is we start with what's your plan? And then more importantly, which a lot of folks have not done, is have you ever tested your plan? And we saw a lot of those issues with COVID where people had put a firewall and a VPN and said, "Hey, if someone works in their home, they can work from home." But they never tested could all thousand employees actually log in at the same time and the plan failed. So that's the second part of it that we really try to encourage folks to do. I want to go back to one point you made about the backups and making sure they work. I often am asked the question that, "What's the difference between a consumer grade backup product that you might see on the internet if you just Google backup versus what my business is doing? Is there a difference between these two products?" What's your thoughts about that?
Desraie Thomas: Yeah, absolutely. So when you're looking at a consumer level product you're generally looking, and it really depends on the product that you're looking at, but generally looking at more file and folder. And file and folder, even we've got a solution that does file and folder share. Of course that's still a good option, but the fact of the matter is when you have just a file and folder that might be good if someone came and deleted a file by accident. Or say, even with my team, we're all clearly working remote throughout the U.S. and Canada. We have many projects that we're working on together and sharing, and I'm not going to say that I was the person who deleted it, but I was the person who deleted it. So it was really good that we had a backup tool file and folder, but that's not going to solve me if I smashed my computer, or if my dogs run through my house, which has happened, and my computer goes flying.
So the difference between there is: (a) can you test it? and (b) is it a full backup? Can you be back up and running? If you were to take your computer right now and smash it could you pick up another computer and be instantly back up and running exactly where you were before? And that is going to be the biggest differences between what you're looking at when you're at the store just shopping for everybody and then what you're actually working with, say like a product for Datto. Datto, not only are you guaranteed that being able to test. It's tested several times a day. Actually your MSP can pull up at any point in time in these tests. It also has ransomware detection on it. So if there is from one payload to a next a massive difference, the system will actually say, "Hey, these are different. Let's take a look and see what's wrong." So those would be the biggest things I would say.
Rahul Mahna: Yeah, yeah. We see that a lot. When we work with some clients and they've put in a solution that's at $10 a month or something they found on the web, but they never test it. And they don't know, does it come back? And I have a small story where a client did that for their server and they were using that, I would say, more consumer grade product and the problem was when their server crashed, it took, I think, a week to get the data back. And they luckily got it, but in that week, how much productivity was lost? Whereas more of an enterprise solution I mean, you know, to the fire story that they used to do at Datto like you can literally within a minute you're back up and running in a virtualized kind of server environment. So it really pays in these types of situation in my mind, especially when it's your data and you really need it.
Desraie Thomas: People are your biggest risk. That's the thing. It's just, especially today, everyone's everywhere. People are your biggest risk. I have definitely been the person who got frustrated at trying to restart my computer and pressed the wrong button and deleted everything.
Rahul Mahna: So let's bring it back to the home environment right now because that's where we're seeing a lot of the questions come up for obvious reasons. A lot of people are using Office 365 today. A lot of people transitioned. I think I saw their usage tripled in the matter of four to eight weeks. Everybody feels that, hey, I'm not on my computer. I'm not in my office, but I'm at Microsoft. I'm using email, I'm using SharePoint. I'm using a OneDrive. I'm sharing everything there. I should be good, right? Everything's covered by Microsoft because Microsoft spends $200 billion a year. They've got it all figured out. What have you been seeing and what's your thoughts about that?
Desraie Thomas: Yeah, so I didn't think of putting these two slides in. I've got these two fantastic slides that highlight the SLAs, so both Google and Microsoft Office. So if anyone's interested in that I can send that at any point in time. But both of those companies aren't security companies. And all that fine print that you skim past and at the very end you click I agree, in that fine print both of those companies state that they are not responsible for any data that's lost. So an example of that would be we actually had a partner of ours who they lost, Microsoft Office 365 lost their entire emails, lost everything. So when they're trying to figure this out the partner was able to produce a bill saying, "See, this person exists." And Microsoft Office was like, "No, it doesn't exist. It no longer exists at all."
And what happened was there was a glitch. It was like .008 percent of people this happened to, like such a low number. But that email, everything was deleted. Luckily they were using SaaS protection from Datto, our SaaS protection line. They were able to access and show Microsoft, look all of this information and help Microsoft get the information back, first of all. Then also be able to get the person back up and running while they fixed the problem. Once again, I go back to the people are your biggest risk. Having a backup solution for your Gmail and your Office 365 isn't just important because of ransomcloud. If you haven't heard about ransomcloud, this is another important thing to point out, but it's ransomware that's specifically focused on your Gmail accounts or Office 365. And it'll lock you out of all your emails, but even outside of that and you're like okay, maybe that won't happen to you. Maybe you won't click one of those. What did we say? Eighty-five percent of email attachments are bad. Maybe you won't click one of those.
Well, what about the employee who leaves your office and deletes all their emails? How are you going to get access to that once they're gone? Even opening up a ticket with either of those big vendors can be really costly. It can never guarantee you're going to get the information back. And it's going to take you a lot of time and money. Those are the reasons having a backup solution. What did we say earlier? Securing the person, backing up the person so every product someone's using, having a backup solution for that is important.
Rahul Mahna: You know, that's a lot of good information there. I'm just going to take a second to think about that because I really can't emphasize enough to all of our clients that Microsoft and Google encourage you to go outside to backup. They also don't want the full liability. That's a great case example you gave. They do offer some backup services, but if something goes down in their ecosystem, their ecosystem is totally down. It's nice to have this kind of redundant backup. And I think that's why they encourage it. I really have seen that and I wish we'd put it up. Maybe we'll add it for the slides that everyone will get after this in an email. But they actually stated there's two, three, four sentences that say, "Please go external for your backup services." Let's talk real quickly about that one term you just said, ransomcloud. Could you slow down a little bit and go back to that? Because I think that's really relevant and it's something happening right now.
Desraie Thomas: Sweet, absolutely. This is another awesome video that anyone who is interested, we can send you this video. Kevin Mitnick was a hacker from the eighties, nineties? Was a hacker from the nineties?
Rahul Mahna: Yeah, a big hacker, yup.
Desraie Thomas: Exactly. So he went to jail. Now he's out and he's a white hat hacker and he has his own business. He's actually come into different Datto events a couple of times. And then we had him come into our office and do a ransomcloud hack. This is a video. It's available to anybody at any point in time. If you guys want to see it, please let us know. In this video he actually shows how quickly and easy it is to hack someone's email. It's simple steps. Say, Friday night, 3:00 PM, it's camping time. You're ready to get out of the office. You really want to hit the road. What are the chances that your staff is going to click an email that says, "Hey, your security settings aren't up to date. You need to update your security settlements." I know, even with all the training that I've gone through, that there's a chance I might click that link. It looks legit.
And then once you click that link, it then says, "You just need to restart your computer. Click." And then when you open your computer all your emails are blacked out. That's ransomcloud. Ransomcloud is specifically blocking your emails and then asking you to pay a ransom in a nice way. They offer different languages. It's big business. They have help desks. They'll tell you how to get Bitcoin. They'll do everything for you as long as you give them money. And it's specific to your email so how important are your emails if you lose your emails today?
Rahul Mahna: Yeah, I know. It's something that's so, so important. So I want to be a little bit mindful of time and grab a couple of questions. We only have about five, seven minutes left. So let me summarize because I like to summarize these talks that we do because they sometimes get technical. I think there's three things that I'm learning from you and through this discussion. The first is you need a plan, right? In the industry it's called BCP. You just need a plan and you need to test your plan that how are you going to handle events that come up in the future? Because this isn't the first nor the last and there's going to be more to come and how are you thinking through that? The second step is you need a good backup strategy. I don't think the days of using just a consumer grade, quick, easy, cheap product or maybe something you stick in your computer makes a lot of sense.
I think you really have to think about not only ensuring your data is backed up to a secure cloud so it's not in your home, but also would it be available to come back if you ever need it? And testing that, that it can come back. And how effective that is because that's really the essence of it to your earlier points. And finally, I really love this term you just said, "Secure the person." I think as we change how we all work you're going to be using your telephones more in different ways. You're going to be needing to secure not only the phone, but the home environment. You're going to be needing to figure out how everybody's getting back to work, what the protocols are, how you're going to secure the person and the data that follows them in the different environments is going to be really critical to thinking through our future.
So with that, let's grab a couple of questions if that's okay with you, Des, and then we'll keep it moving. So one of the first questions I'm getting here is what is the difference between backup and archive? I've always wondered this and I'd love for you to talk, being a backup specialist.
Desraie Thomas: Yeah, absolutely. So archiving things is just generally your historical records. You're putting them from one place into another. They're generally not easily accessible. Where you're backing things up, you're going to be in and out of that information if needed at any point in time. So a good example is my emails. My emails are usually held on a 30 day retention, but it doesn't mean after 30 days that I can't get them. I just have to go to another place, do another step and it's a lot more work. Let me go back to the continuity plan. Those really work with continuity. You need to be able to access this information quickly and easily and so that's going to be your big difference between just archiving things and backing things up.
Rahul Mahna: And do you think you need both or one or the other?
Desraie Thomas: Both. Yes, it also depends on what systems you're using. Generally with the Datto systems, when you're backing things up we have a retention, depending on which product you're using, we have a retention forever. So you can always be doing that, but you should always have your business continuity plan and your backup and solution. But if you aren't then yeah, of course, then you should still be archiving that information, but you should have both.
Rahul Mahna: Okay, that makes a lot of sense. Great. Let me look at another question here. We're getting a lot of questions. I backup on a USB stick. Does that last forever?
Desraie Thomas: This is amusing. I'm laughing at you because I'm going to ask you. Can you tell me where any USB stick is in your house right now?
Rahul Mahna: I know there's a jar and I've got about 20. I don't know where the jar is though.
Desraie Thomas: I'm not very organized. I can tell you that I probably have 20 in 20 safe places in my house that I have no idea where they are, just from collecting them at different events or someone will give you one for something and whatever. Then after you use it, it's gone in the place. If you don't know where that information is, then definitely not. And then the other part is what happens if you lose it, your house burned down, your dog eats it, your kid decides it's a toilet toy or something along those lines? All of those things are relevant things that happen on a day-to-day basis in our lives now, so no!
Rahul Mahna: Yeah, I know. We had a recent client and they were going to do a presentation to us actually. They're both a client and a provider. The person canceled the meeting about an hour before the meeting and gave an apology and said that they had their computer, an external drive, a monitor, and some other miscellaneous things. And to your earlier story, their child ran by, kicked the power cord and took all of their computing equipment and it hit the wall next to them and broke everything. So they were out of luck and that's a tough spot. I think we can all empathize working from home, but the reality is you need to try to figure out some better ways to where you should back up. You also plan in your own environment in how you handle things of that nature. Okay, I think we have time for one quick more. You know what? How about you just tell us in maybe the last minute or two that we have, what do you think the trends are? Where are things going? Real succinctly, real quickly in a minute or so.
Desraie Thomas: What? Quick Des? Never! I think money has to be made always. It's really, really important. I'm pulling up a couple of slides here that I want to get through kind of quick. Money's going to be made in this industry for a really long time for the bad guys. So there's a set of policies and procedures within your businesses that everyone should have in place. Just to go through these quickly, you are always a target online and offline so make sure that your staff understand that, that you guys understand that. Have policies and procedures in place. If you're not sure how to set that up, this is where you guys are going to be so good to work with these prospects and work with these clients and help them have set policies and procedures in place.
From there, ongoing employee training and testing, testing your employees. We constantly at Datto get emails sent to us that are from our security team just to see if we'll click the links. So I extra don't click those, which sometimes results in me not opening emails. So I shut them. Password management, I read something online today on a post where someone was talking about a password protected Excel sheet. That's not password management. Make sure your staff are using password management within their houses. Make sure they're not using password one, two, three or the same password for Facebook as the password to the VPN into your network. Never leave devices unattended. We're at home now so it's a little bit different, but a lot of the times people are working. I usually spend 70% of my time working and traveling on the road. Be careful what you click. Make sure your end users are trained on what they should click and what they shouldn't.
And then antivirus and malware protection, backups, backups, backups, business continuity plan. This is super important. Can you afford your business to be down a week, a month? Clearly with everything that's going on that's not something any of us can afford at this point in time. Then having a mobile device policy. This is a new one. So every time we've mentioned securing the person, these altogether, this is where this is coming from. So having a policy for when people are using their devices on their day-to-day, when they're using them for work. And then security testing and configurations. All of this together really will help you bring in the right direction, moving forward and help you get out of this whole thing as it continues to increase and get worse or hopefully better at some point.
Rahul Mahna: Fantastic. Well, thanks for that and I'll turn it back to Lexie as we've hit 30 minutes on the dot.
Lexi: We invite you to register for our upcoming Capstone webcast, a part of this series. The link to register can be located within the resource list widget on the bottom of your screen. Thank you for taking the time to join us and we hope you enjoyed today's presentation on Cyber Action Plan Disaster Recovery. A special thanks to our speakers today for delivering this insightful program.