Reframing Your Approach to IT Security Decisions

Reframing Your Approach to IT Security Decisions

/in , ,

By Sean Gill, vCIO 

The IT security landscape has continued to shift rapidly over the past couple of years. Threat actors leverage creative social engineering techniques, phishing and spoofing threats are continuously rising, zero-day vulnerabilities are exploited, and ransomware is at large. Businesses are more reliant on technology than ever before, and the industry continues to move toward SaaS (software as a service) solutions like Microsoft 365, shifting company data online and increasing the importance of adapting security best practices.

With rising threats and more at risk reputationally, financially, and operationally, it’s important that businesses adapt the way they think about security to meet these changing times. Taking an attitude of “if it ain’t broke, don’t fix it” or choosing to delay making changes “until it becomes a problem” can be devastating to a business.

Unfortunately, many companies still think that IT security breaches are a problem that only hits those unlucky few. But the reality is, the frequency and variety of threats turns the unlucky “few” into the unlucky “many”. Everyone knows a business that has experienced a compromise. We want to help you avoid becoming one of them.

Modernizing how we think about security 

Business owners and decision-makers now find themselves more involved in the nuances of IT security decisions in ways that they didn’t used to be. If this is true for your business, you’ll know that one of the frustrating challenges is figuring out how to keep up with security and associated IT jargon, especially when your core focus is, appropriately, on running the business and servicing your clients.

As the nature of threats and risks to businesses continues to change, how you think about security should as well. In this article, we will give you a simple framework that aims to help you conceptualize IT security and serve as an outline for making decisions.

IT Security Framework: Prevention, Detection, Response 

There are three key pillars to a thorough IT security framework: Prevention, Detection, and Response. Keeping these in mind when assessing IT security strategy can help ensure that in the budgeting and planning process, your organization doesn’t overload on one area and neglect another.

Prevention Pillar 

Historically, this category is where IT security spending primarily occurred. These solutions were the first (and often primary) line of security against threats. It is still an important focus, but no longer to the exclusion of the others.

Think of your business like a house. This would be like ensuring your locks work and installing a strong gate. These tools are there to prevent a break-in.

Technologies and practices that fall under this pillar of “Prevention” include: 

  • Firewalls – Perimeter security that blocks access to internal networks 
  • Antivirus – Software that recognizes and stops malware and viruses before they take hold and spread 
  • Password Policies– The practices of changing passwords frequently to prevent lost or stolen passwords from being used to access corporate resources 

All these are examples of Prevention security and are still valid and necessary today. But now, in addition to these, it’s important to consider additional ways of preventing malicious actors from getting in and gaining a foothold. Multi-factor authentication (MFA) and leveraging Artificial Intelligence (via Endpoint Detection and Response or EDR) are among the new technologies to improve the stack.

Multi-factor authentication is an essential component in your security foundation, and for good reason. As the name suggests, MFA requires a user to authenticate themselves more than once when trying to access company resources like your Microsoft 365 ecosystem. In contrast to simply providing a password (which could be compromised) to login, MFA also requires that the user supply more verification in the form of something they know, something they have, and, in some cases, something they are.  

This includes some combination of a traditional username and password (something known) and a digital token or code sent to a user’s mobile phone (something they have), and additionally, with most mobile phones incorporating some form of biometrics such as a fingerprint reader or facial recognition, (something they are). 

If your business requires users to utilize MFA for access, hackers will be prevented from accessing systems even if they come to possess a user’s password. This tool has given businesses of all sizes an additional layer of prevention capabilities in today’s landscape and has shifted from being nice to have, to a security standard across the industry.

Likewise, the use of Artificial Intelligence via Endpoint Detection and Response (EDR) has revolutionized traditional antivirus software. Traditionally, antivirus solutions were binary and merely reported on whether malware was or was not present – usually based on a set of definitions or some light heuristics. EDR moves beyond that. Instead of simply preventing known malware and viruses, in an EDR system, the antivirus feeds into and informs a more sophisticated detection and response platform. The use of Endpoint Detection and Response is continuing to become a requirement. In fact, most insurance companies require an EDR solution to purchase a cybersecurity insurance policy.

Detection Pillar

While everyone hopes that their Prevention stack is sufficient to keep out all the bad guys, the way the threat landscape has evolved, this is now just not the case. Even with a good prevention stack, bad actors still find creative new ways in and will spend time in your environment observing patterns and trends, waiting for their time to make a move – exfiltration of data, ransomware, or account takeovers. This is known as “dwell time”. Because of this, the Detection Pillar of the security framework may arguably be the next most important.

A traditional antivirus solution won’t detect if a system is still compromised after the initial compromise. If the bad actor is leaving traces of activity, without a detection tool like EDR, this trail will not be easy to find.

EDR keeps track of everything that has happened-from how a bad actor got in, to which systems or files were accessed, to newly spawned processes. This log of events is referred to as the “kill chain.” The kill chain provides an in-depth understanding of exactly which processes ran or files were touched. This ability to detect and understand all activities, in turn, allows for more certainty when remediating any exploit. From this information, it’s possible to determine if a threat has or has not been fully cleansed and shows exactly what systems should be reviewed for compromise.

Let’s go back to the analogy of your business as a home. Advanced detection tools like EDR are like installing a security camera system. You can detect suspicious activity early, be alerted to it, and if there is a break-in, have clear records of what occurred. 

Response Pillar 

Responding appropriately to any given event is essential – this applies to all areas of life, including our IT Security Framework. This pillar includes the tools and resources you would employ should a breach occur. This can be small (a plan for cleaning out all traces of a malicious actor) to large (hiring a forensics team, communicating to clients, and filing an insurance claim).

An effective Response Pillar includes creating playbooks for how to respond in different scenarios. Does your Security team or IT Steering Committee need to meet? Are there any reporting requirements for clients? Does a Cybersecurity insurance claim need to be opened? Do Business Continuity or Disaster Recovery plans need to be implemented? These reactions can, and should, be thought about before they are needed. Table-top exercises with the Executive Team can be a great way to brainstorm about various scenarios and how the organization should act if they were to arise.

To continue the home security analogy, our locks and gate (Antivirus and MFA) attempted to prevent the break-in. But when that didn’t deter the invader, our security system detected that something was wrong, and the camera (EDR) recorded everything. After reviewing the footage (EDR data) and assessing what happened (was anything taken, was anyone hurt, is the intruder still there?), we can respond and take appropriate action.

Was the alarm triggered by suspicious activity (antivirus quarantined a malicious file) and no actual break-in occurred? Or was the incident serious (a Zero-Day exploit that allowed bad actors inside the network) and do we need to call for help? 

We can see how all the previous pillars of the security framework support our abilities in the response pillar. Particularly the detection tools like EDR data, without which, analyzing risk and appropriate action becomes very difficult. Without this kind of clear insight, the organization may take actions disproportionate to what is needed – either by overreacting and spending unnecessary time and resources or by underreacting and opening themselves up to more risk.

IT Planning 

We all know that protecting our companies’ infrastructure is critical to the success of the business. The foundational requirements for securing your business have shifted to meet the demands of today’s current security landscape, and they will continue to change over time. If your business is part of an industry with inherently high-security compliance demands (like legal or medical businesses), it’s likely you’ve already been implementing modern tools to maintain the highest level of compliance. On the other hand, if your industry has less stringent security compliance regulations, your business may have historically viewed advanced security tools as “nice to have” but not necessary. Unfortunately, the reality of the world today makes that mindset a luxury that no business can afford.

The best place to start is by evaluating your current solutions with these three pillars in mind. With a better understanding of this framework, how does your security stack up? Has your organization implemented modern prevention tools such as MFA? Do you have an EDR solution in place to bolster your prevention and detection abilities? Have you mapped out a response plan? If not, the first step is discussing your security with your IT expert!

Sean-Author

ABOUT THE AUTHOR

Sean has been shaping the IT strategies of businesses across a wide range of industries and sizes for over 10 years. As a vCIO at CIO Solutions, he works with business leaders every day to create a clear IT vision, mature technology solutions, and ultimately, enhance business productivity and security through technology.

He and the rest of the Strategic Client Services team at CIO Solutions are constantly evaluating important trends in the industry and advising clients on best practices and long-term IT strategies for success.

Are you a current client of CIO Solutions? Contact your vCIO or Customer Success Manager to continue the conversation around your IT security!   

Not a client yet, but curious about maturing your IT security? Let’s talk!

How to ride a wave of ravenous demand for products and services

How to ride a wave of ravenous demand for products and services

/in , ,

By Russ Levanway, President

Last year, so many of us had to cope with things we never even considered would happen. I don’t have to go into detail, of course — we all lived it. From working remotely, to COVID protocols, to people getting sick or losing a loved one, to isolation, and the commingling of personal and work life, the social fabric of humanity most definitely frayed.

But humanity is resilient. We came into 2021 with new hope and good momentum. You can see that momentum in people’s pent-up demand for goods and services after living without for a year. We want to travel again. We want a new car or a new home. The demand is enormous, and it’s created a strain that we haven’t really witnessed in recent memory.

More, more more

Underlying all this is a supply chain bottleneck. The supply chain is impacted whenever factories shut down, shipping becomes tapped out, trucking companies can’t find enough drivers to hire, and a thousand other factors. It’s all driving up inflation to levels we haven’t seen since the 1970s, and at an astonishing rate.

The strain has hit every kind of business, including ours. Core infrastructures like switches and servers are much more difficult to find and cost significantly more than they have in the past. The strain has also hit our employees with high prices, myself included. I’m not just referring to the ridiculous increase in home prices; I’m talking about the basics. Everything just costs more.

Whether it’s a temporary or long-term change, I won’t attempt to predict. But, as a company, we don’t want to be caught flat-footed in this new reality, however long it lasts.

The benefits of being nimble and scrappy

How do we begin to support our employees and clients under price and availability limitations? We start by keeping close track of our team composition, recognizing that financial difficulties and high inflation are real considerations, and taking steps to help our employees out.

We’ve also become really creative with buying and procuring equipment. Our procurement team scrounges around on random websites for a laptop here, a switch there. Often, we can’t go with Plan A, so we come up with a Plan B or even Plan C. Sometimes, we just have to tell the client that we can’t get them the piece they want — or at least not yet. In certain cases, we can provide loaner equipment; I’ve watched employees raid the e-waste pile for a temporary switch that will do for our client until the permanent switch comes in.

Baked-in flexibility

How have we been able to stay creative and adaptable? I think we handle change well because it’s been in our DNA from the beginning. Long before COVID struck, we built our company to guard against rigidity or strict adherence to doing things only one way. We fostered a very innovative problem-solving culture. Those measures and methods we set in motion years ago have served us well.

In this time of unprecedented new challenges, have you been flexible and adaptable? Many organizations have evolved while others have fallen by the wayside. And then there are those organizations that hung on tight to the belief that everything would go back to “normal” when COVID ended: everyone in the office again, packing the conference room, meeting up for a happy hour at 5 o’clock, etc. They believed (hoped?) that COVID was just a rude interruption.

I don’t believe that’s true. Are you an organization that has embraced adaptability in your culture? That will be critical to retaining your employees and coming up with innovative solutions for your customers. Start now, if you haven’t already; this might be our new normal.

Understanding The Enemy + Why Your Antivirus Isn’t Enough

Understanding The Enemy + Why Your Antivirus Isn’t Enough

/in , ,

By Russ Levanway

You probably saw a dominant story in the news a couple of months ago about a major fuel shortage across the eastern seaboard. The pipeline that provides almost half the oil to the northeast and south came under a cyber-attack. Gas pumps ran dry in Tennessee, Georgia, and other states. This happened fast on the heels of other major exploits. Then in the last 2 weeks, tech news has been dominated by a serious vulnerability in management software called Kaseya, with over a million computers encrypted with ransomware as a result.

Ransomware attacks are getting to the point where they are becoming existential threats to organizations and can disrupt entire industries and supply chains.  If it wasn’t serious before, it is now.  Furthermore, hackers are increasingly sophisticated and daring. They’re often backed by foreign governments bent on destabilizing, stealing intellectual property, or just plain old making money via extortion.

The risks of a confidential data leak are higher than they’ve ever been before. It is critical that businesses not only understand how these adversaries operate but also rethink their own approach to security.

How cyber extortion works

Hackers’ typical MO is:

    1. Acquire your passwords or exploit some vulnerability
    2. Log into your device and/or network automatically or manually
    3. Steal a copy of your valuable data (credit card numbers, bank account numbers, social security numbers, intellectual property)
    4. Encrypt everything
    5. Hold it for ransom

If they don’t get what they came for, (you restore the data and can’t (or won’t) pay the ransom), the hackers leak your data all over the internet, selling it to the highest bidder.

Doesn’t my antivirus software protect me?

As someone in the IT field, one of the questions I often get asked is ”what about antivirus software? Doesn’t that protect me?” This is an understandable question. I preach the benefits of installing and maintaining antivirus software all the time. If it’s so important to have this tool installed, shouldn’t that be enough protection?

Unfortunately, no. The truth is, antivirus software stops 95 percent of attacks, so we always have it deployed as a security baseline, bar none. But what is it stopping exactly? Antivirus is preventing known viruses, known threats. When we talk about extortion and data infiltration, we’re not talking about viruses — we’re often talking about other tactics.

Flying under the radar

Threat actors often use phishing techniques to trick you into giving them your password (if they haven’t stolen it elsewhere). Often, a cyber-attack like this begins with an email from “your bank” that asks you to log in to your account to validate information. If you aren’t well versed in how to identify a counterfeit or deceptive email like this, you’ll fall for it and click the link. (No need to be embarrassed by your gullibility: you are in very good company. According to some estimates, a staggering 30 percent of people open phishing emails and 12 percent click on malicious links and/or attachments.) That fateful click leads to a counterfeit of your bank’s website. You put in the username and password, and you’re led to a blank page. You’ve been phished. Now the hackers have your credentials for the bank. All of this is done without using a virus of some kind, mind you.

Alternatively, threat actors may identify a vulnerability in your system. Once this vulnerability is identified, they exploit it by running what may appear to be legitimate software that goes undetected. Again, hacking you and your systems without the use of a virus.

These tactics leverage legitimate credentials and exploit existing vulnerabilities. Because of this, they can, therefore “fly under the radar”. Standard antivirus software can’t prevent this, it can only help stop code it knows to be malicious.

Adjusting your expectations

I talk about hacking all the time, I must seem like a broken record. But cyber-attacks keep happening, both in extreme cases like what we see in the news and for our clients, large and small. I keep hoping that if nothing else, a major event like the fuel shortage can help people understand how prevalent and destructive they really are.

Arming yourself with an understanding of how these threat actors operate is the first step. The second step is realizing that effective cybersecurity isn’t a question of simply having current antivirus installed. As we’ve seen, this tool can only do so much. That’s why the approach needs to shift. Cybersecurity is not one-dimensional and antivirus is not a catchall. In today’s world, antivirus is only one part of what must be a much broader cybersecurity toolset. It’s important that the expectation is adjusted to match the reality.

[ READ: Ditch the Drama: 5 ways to stay ahead of the hackers]

Ditch the Drama: 5 Ways to Stay Ahead of The Hackers

Ditch the Drama: 5 Ways to Stay Ahead of The Hackers

/in , , ,

By Russ Levanway

Ransomware attacks are getting to the point where they are becoming existential threats to organizations and can disrupt entire industries and supply chains.  If it wasn’t serious before, it is now.  Furthermore, hackers are increasingly sophisticated and daring, and are often backed by foreign governments bent on destabilizing, stealing intellectual property, or just plain old making money via extortion.  The risks of a confidential data leak are higher than they’ve ever been before.

One of the questions I get asked regularly is: “What can I do to protect myself from data infiltration?”

The first step is arming yourself with an understanding of how these threat actors operate. The second step is realizing that effective cybersecurity isn’t a question of simply having current antivirus installed. In today’s world, threats are varied in nature, and an effective cybersecurity toolset must be multi-dimensional. [READ: Understanding the Enemy + Why Your Antivirus isn’t Enough.]

Here are the 5 best things you can do to protect your business and stay ahead of the hackers:

#1 Keep learning

As cliché as it is, “knowledge is power”. The most powerful line of defense is prevention and education.

We continually have to remind people of that. Thankfully, at CIO Solutions we have long been offering anti-phishing educational tools to clients. These include a valuable training tool that enables your company to educate users in real-time. Through simulations, training videos, and more this tool can make users aware of phishing and empower them to identify and avoid it. We provide this to most of our customers, but its efficacy is only as good as the business’s willingness to put in the work.

To reap the benefits of a program like this, users have to engage with the orientations and training videos; they don’t work by osmosis. Businesses that embrace these trainings and stress their importance are better off than those that don’t. Often, it’s the companies whose employees skip the trainings that wind up incapacitated by a phishing attack, desperately in need of our help to clean up a mess.

#2 Remember your backups

We were recently engaged by a cybersecurity forensics firm to help a large organization that was mismanaging its backups. Sadly, they had been infected with ransomware and all their data was encrypted, including their backups. The data was not recoverable because of the encryption, and the ransom was beyond what they could afford.

Moral of the story? Backups and protection are key. Never skimp on backups and be sure they are set up properly with an onsite and offsite copy that is firewalled from the regular network.

#3 Invest in cyber liability insurance

We consistently recommend cyber liability insurance. Businesses insure against fire, flood, and theft of property. Based on prevalence, cyber-attacks should now be listed among those sorts of catastrophes.

Cyber liability insurance is extremely valuable and, in the grand scheme of things, pretty affordable. Consider the astronomical cost of getting attacked: loss of business, forced shutdown, frustration, and paying for IT help (not to mention the financial costs incurred by paying a ransom). It can be crippling if your data is encrypted. Several days may pass before you can get your network running again. You may even need forensic help to get back online, investigate whether your data was stolen, and prevent further attacks.

Bottom line: If (or when) that happens, cyber liability insurance is a small price to pay for protection.

#4 Look into Endpoint Detection and Response (EDR)

Don’t confuse EDR with antivirus protection. Antivirus software can detect known threats and prevent the installation or deployment of known viruses. EDR can detect variants to patterns in both software and user behavior.

Let’s say Joe’s computer typically downloads 100MB a day from the internet. One day it reverses and uploads 100MB to the internet. EDR will see that as suspicious and flag it.

In our effort to stay at the forefront of cyber-attack prevention, CIO Solutions now offers CrowdStrike, a very advanced EDR tool. A cybersecurity forensics firm we work closely with thoroughly vetted it as a best of breed solution.  As recently as a year ago, the program was outside most organizations’ budget, but today it’s far more affordably priced. Are you a current client of CIO Solutions with questions about CrowdStrike? Don’t hesitate to ask.

#5 Enable Multi-Factor Authentication (MFA)

You’ve probably gotten used to the number of websites these days that won’t let you in with a plain old password. Your bank probably also texts or emails you a security code. You might even have an application on your phone called an Authenticator app with rolling codes that you have to enter to log in.

These are all examples of MFA.

Your business ought to implement MFA on key applications as well. This tool has quickly become a standard in the evolving security landscape. Even if someone DOES get your password, it is useless without the other authentication factor. The second piece to grant access is the security code that will only come up on your phone (which they don’t have). We highly recommend this.

Don’t put off to tomorrow what you can do today

The bad news: hackers will always be a threat.

The good news: there are effective ways to protect yourself, but you have to deploy them now.

Armed with that information, how will you begin protecting yourself from ransomware, phishing, and data infiltration?  How can we help?

Inflection Point

Inflection Point

/in

By Russ Levanway, President

Throughout the course of a human life, our brains are constantly changing. This neuroplasticity is very good news for anyone hoping to take up the ukulele or overcome a phobia. But at certain stages, the brain makes especially big leaps. One of those leaps happens in adolescence, between childhood and adulthood, when brain matter and computational power increase, but the brain relies more on the limbic system (i.e. emotions) than on the prefrontal cortex (i.e. logic). Anyone parenting a teenager will understand what I mean here!

Like the human brain, the human race is constantly making incremental changes and adjustments. We also occasionally make major leaps in advancement. Think of the prehistoric revelations of fire and the wheel, which really catapulted human progress. Or there’s our understanding of germs and what causes them, after which our life expectancy shot up. During the Industrial Age, the discovery of coal as a source of energy pushed us into a new era of productivity, innovation, and comfort. Refrigeration and large-scale agriculture have lifted hundreds of millions of people out of food insecurity. Computers represented another major leap ahead, allowing us to do many things in a matter of seconds which previously might have taken hours, days, or much longer. Computers drastically, exponentially increased our productivity as a people.

Of course, each advancement has not been without its unique challenges.  Coal is incredibly polluting.  Pesticides used in large-scale agriculture have both pollution and health safety concerns. Computers help you do the wrong thing faster than ever before.  But even so, each of these leaps has created great improvements for society overall.

One giant leap for mankind

We may be at another inflection point now with vaccine technology. We’re getting close to living in a world where we can rapidly immunize people against new illnesses and diseases. Even just a short while back, developing a COVID vaccine would have taken 10 to 15 years, whereas recently scientists developed several vaccines over the course of just a few months.  This is an absolute game-changer in terms of our ability to protect people from the ravages of disease now and in the future.

Even though COVID has made these days extremely difficult and challenging, it’s exciting to know humanity hasn’t stopped making those leaps. History illustrates that tragic events often force our hands. The last year has been a trial for most of us. We have been pushed to our edge. Many moments felt threatening, scary, and unprecedented.

But think about the days leading up to each of history’s inflection points. Moving from an agrarian era to an industrial one was unprecedented. Before the computer age, no one could have imagined we’d be carrying tiny, outrageously powerful computers in our pockets and purses. And just a year ago, folks couldn’t imagine a vaccine being developed to change the course of humanity in just a few months. But here we are.

Purpose under pressure

I think recent movements forward in vaccine technology portend a bright future. We often need a kick in the pants to motivate us to do something big, courageous, and bold, and that’s okay. The takeaway is that we as a people rise to the occasion when responding to a big challenge.  There is nothing like a fundamental threat to our way of life to galvanize our focus on something big, bold, and future-changing.

There is a way to make this relevant to our own businesses.  Getting your teams to think about and brainstorm around the big, tough challenges can result in some great ideas.  Giving them space to develop some moonshot ideas is well worth it.  You can generate a lot of excitement and interest around these activities by connecting them to shared values and purpose.  Or perhaps there is a threat to the way you have been doing things that is driven by outside forces, and a new way of delivering your services is needed.  If your team knows what the threats are, and has space to experiment a bit, they are likely to respond in a creative and problem-solving way.  Is there room in your business for this?

Where Planning Has Its Limits

Where Planning Has Its Limits

/in

By Russ Levanway, President

With the new year, I’ve been thinking a lot about where we are now versus where we were this time in 2020. This might be stating the obvious, but many assumptions we had going into 2020 have been turned on their head.  Going into 2020, everything was (pardon the pun) business as usual. We had our annual business plan dialed in, part of our general three-to-five-year plan. We had our quarterly goals lined up. Everything was set up for success.

And then the pandemic hit.

Looking back, we accomplished maybe half of our internal goals in 2020. That’s not to say we fared badly, though. We accomplished other goals we never even thought we would have to deal with in 2020.  Also, the last year taught us a few extremely valuable lessons — lessons I don’t think we could have learned any other way.

Lesson #1: Working from home isn’t horrible.

Prior to 2020, researchers and business experts debated whether working from home was beneficial or detrimental to productivity and company culture. The opinions were mixed, as were the results of countless studies. But after all that hand-wringing, COVID-19 has taught us that yes, working from home can…work. At first, it was a big, difficult transition for many, but by and large, people did well working from home. Some people were more productive, some were less so, but on balance, we pulled it off — not just at CIO Solutions but as a nation.

That being said, our company held a distinct advantage in 2020 because we were already using a couple of key tools. First is our CIO Cloud.  For us and many of our clients who use our Cloud, transitioning to working remotely was – while not seamless – way easier.

Another huge asset we have internally is good dashboards that show us what our support and project teams are up to at any given time.  At a glance, I can see what people are calling in about, who is on the phone queues, who is working on which support tickets, etc.  We also had a great communication chat tool – Slack – that was already widely used across our team.  So in essence, we had the tools to get people working from home and not be totally isolated in the process.

Lesson #2: It can always get better, and it can always get worse.

It was certainly a new year in terms of new lows. We saw crisis after crisis, from political unrest and protests to wildfires and the effects of a devastating virus.  Our company had to deal with an ungodly number of computer viruses and cyber threats over the year as hackers used every opportunity to exploit vulnerabilities as people transitioned to less secure work from home environments.

On the flip side, though, there have been tremendous success stories over the last year. We’ve handled so much more than we thought we could. Many people have come out stronger. Developing a vaccine in under a year? Incredible! Supporting our hundreds of clients in a few hundred locations and then all of a sudden in thousands of remote locations while also working remotely ourselves?  Wow!  It goes to show that what we can do and achieve is better and more than we realize.

You can’t always plan for the worst, but you can’t always plan for the best, either. When crisis hits, or when the unknown rears its terrifying head, we might be surprised by the downside and the upside. All we can do is embrace it when it comes.

Lesson #3: It pays to be flexible.

Planning is good — no doubt about it. But, ironically, if our planning is rigid and inflexible, we become brittle. When the underlying assumptions that we used for our planning change, it is important to revisit the plan.  This is not the same as letting up on a plan because it is “too hard” or due to a lack of discipline.  This is simply an acknowledgment that realities have changed, and it’s time to adjust.

Sure, looking at the glass half empty, we accomplished nowhere near what we’d planned for 2020. But looking at the glass half full, we shifted nimbly to accommodate the new COVID normal. We equipped our clients to work remotely, no matter where they were. In fact, helping clients work from home has transformed how we deliver our services, across the board. Constant attacks and attempts to exploit our clients by hackers demanded a different approach and way of responding to security incidents. We had to throw out a lot of our original planning and devote resources to remote work and security, and progressed a long way in those regards.

How did your business do in 2020? When your employees shifted to working remotely, did your system allow them to continue to do their job? Did it allow you to keep tabs on them? Were you surprised by how challenging it was, as well as how successful you were as a company? Were you able to adapt?