26 November 2021

Corporate Social Responsibility for Small Businesses

Corporate social responsibility (CSR) is a company-led movement and management style that aims to contribute to the wider social causes such as climate change and other ethical responsibilities.

Corporate. When you hear the word, you’re tempted to think of looming grey buildings, suits and ties, briefcases, and board rooms. You wouldn’t be far off in some cases. Corporate refers by and large to massive, faceless organisations. So, where does social responsibility come in and why does it matter just as much to smaller businesses?

Imagine that every organisation, every business, every institution leaves a handprint on the earth. That’s a whole lot of handprints. But the fundamental thing that businesses and corporations need to understand is that some of these handprints will be stickier than others. Many will leave residue that will be difficult – perhaps impossible – to remove, for years to come.

In some settings, there’s a higher chance of a smaller business leaving a bigger, stickier handprint. Budgets are often tighter and business focus may be narrower; the wider responsibility to the planet feels inconsequential and maybe even needless. But we know this isn’t the case. In a recent study conducted by Social Green Solutions – awarders of the Green Compass Sustainability Award to businesses – companies holding the award reported a long list of benefits. Overall, there was a 50% increase in employee morale leading to 50% less employee turnover, improved productivity, increased financial performance, and some were even seeing new market penetration opportunities.


What long-term and short-term changes can smaller businesses make that can have a lasting, positive impact?


It’s the million-dollar question, really. The more small businesses do, the more we’re finding out. Only in recent years have we been able to gather enough information to suggest that simply having things in place like CSR policies can make a real difference in the years to come. Even more instant results, such as reduced printing costs and better working relationships, have been noted on the long list of benefits for smaller companies. That’s not to say that implementing CSR practices won’t be costly for organisations, though. There are some changes that may require a higher investment. But, when it comes to the quality of your product, people, and the planet, we think it’s an investment worth making. You can start with…

  1. Establishing a set of realistic goals and creating a CSR policy

  2. Appointing a responsibility or CSR team to oversee any projects

  3. Writing up some sustainability guidelines for in-office and remote workers

  4. Encouraging volunteering and charity contributions through volunteer days for individuals and teams

  5. Educating your employees! There are plenty of training courses out there aimed at clueing your organisation up on socially responsible practices.

At Predatar, we’ve recently appointed a CSR team and implemented a Corporate Social Responsibility policy, alongside a public statement which you can view here. We’ll be working with our teams and partners to make sure we’re doing our bit and keeping our word.



04 November 2021

NAA (Not Another Acronym): What is NIST?

Not another acronym…

We’re not sure about you, but even we struggle to keep up with all the different acronyms which, particularly within the IT industry, seem to constantly crop up everywhere.

One acronym our team came across lately is NIST and, yes, some of us had to look it up on Google. It turns out that NIST stands for National Institute of Standards and Technology and it’s not new. Based in the US, NIST has been around for 120 years, playing an essential role in enabling and measuring technical innovation not just in the US but all over the world.

Why should I care?

So, why is it worth knowing one more acronym? And why should we bother to understand what NIST do? The answer is simple and remarkably relevant: cybersecurity. We know this is a bit of a buzzword at the moment. Not a week seems to go by without news of a cyber or ransomware attack somewhere around the globe. You may have read about the Kaseya cyber-attack at the beginning of July (our blog “Good v REvil” provides a good summary). Not too long ago, the Lazio region in Italy was the subject of a very sophisticated ransomware attack that disabled all its IT systems and ended up disrupting the regional Covid-19 vaccination registrations. So, what role does NIST play in all this? A very important one, actually. NIST have developed a framework for assessing and managing cybersecurity risk.

NIST’s Cybersecurity Framework


This framework focuses on using business drivers to guide cybersecurity activities and reinforces the need for cybersecurity risks to be included in organisations’ risk management processes. The Framework consists of three parts: the Core, the Tiers, and the Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual organisational Profiles. By using Profiles, the Framework can then help an organisation to align and prioritise its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. Finally, the Tiers provide a mechanism for organisations to view and understand the characteristics of their approach to managing cybersecurity risk, helping prioritise and achieve cybersecurity objectives.

A very important feature of NIST’s Cybersecurity Framework is its scalability as it can be easily adapted to organisations of all sizes, sectors and maturities. It is also outcome driven and does not mandate how an organisation can achieve these outcomes, meaning that whether you are part of a small company with a low cybersecurity budget or a large corporation with a million bucks’ budget, tiers and profiles can be tweaked and customised to achieve a result which is in line with your cybersecurity programme.
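
The Core, Profiles and Tiers described above become concrete once you put a Current Profile next to a Target Profile and compute the gap per category. The script below is an added example, not Predatar’s or NIST’s own code; it uses the five Functions and four Implementation Tiers of CSF v1.1 and a handful of real category ids (ID.AM, PR.AC, PR.DS, DE.CM, RS.RP, RC.RP), but the tier scores and the business weights are constructed sample values for a small company, not an assessment of any real organisation.

```python
"""Gap analysis between a Current Profile and a Target Profile.

Uses the five Functions of NIST CSF v1.1 (Identify, Protect, Detect,
Respond, Recover) and its four Implementation Tiers. The tier scores and
business weights below are constructed sample values.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class ProfileEntry:
    function: str   # one of FUNCTIONS
    category: str   # CSF category id, e.g. "PR.AC"
    tier: int       # 1..4: how mature the practice is (Current) or should be (Target)


def validate(profile):
    """Reject entries that use an unknown Function or an out-of-range Tier."""
    for e in profile:
        if e.function not in FUNCTIONS:
            raise ValueError(f"unknown function {e.function!r}")
        if e.tier not in TIERS:
            raise ValueError(f"tier must be 1..4, got {e.tier}")


def gap_analysis(current, target, weights):
    """Compare Current and Target Profiles category by category.

    weights maps a Function to a business priority (1 = low, 5 = high), which
    is how the business/mission requirements enter the prioritisation.
    Returns rows (category, current_tier, target_tier, gap, score), highest
    score first, so the top rows are the activities to fund first.
    """
    validate(current)
    validate(target)
    cur = {e.category: e for e in current}
    rows = []
    for t in target:
        if t.category not in cur:
            raise KeyError(f"no current assessment for {t.category}")
        gap = max(0, t.tier - cur[t.category].tier)
        score = gap * weights.get(t.function, 1)
        rows.append((t.category, cur[t.category].tier, t.tier, gap, score))
    rows.sort(key=lambda r: (-r[4], r[0]))   # highest score first, then by id
    return rows


def report(rows):
    """Human-readable lines for the gap table."""
    return [f"{cat:6} {TIERS[c]:>14} -> {TIERS[t]:<14} gap={g} score={s}"
            for cat, c, t, g, s in rows]


# Constructed sample: a small company that has just written its first policies.
CURRENT = [
    ProfileEntry("Identify", "ID.AM", 2),  # Asset Management
    ProfileEntry("Protect", "PR.AC", 1),   # Identity Management and Access Control
    ProfileEntry("Protect", "PR.DS", 2),   # Data Security
    ProfileEntry("Detect", "DE.CM", 1),    # Security Continuous Monitoring
    ProfileEntry("Respond", "RS.RP", 2),   # Response Planning
    ProfileEntry("Recover", "RC.RP", 1),   # Recovery Planning
]
TARGET = [
    ProfileEntry("Identify", "ID.AM", 3),
    ProfileEntry("Protect", "PR.AC", 3),
    ProfileEntry("Protect", "PR.DS", 3),
    ProfileEntry("Detect", "DE.CM", 3),
    ProfileEntry("Respond", "RS.RP", 3),
    ProfileEntry("Recover", "RC.RP", 4),   # recovery matters most to this business
]
# Constructed business weights per Function (1 = low priority, 5 = high).
WEIGHTS = {"Protect": 5, "Recover": 5, "Detect": 4, "Identify": 3, "Respond": 3}


def sample_gap_analysis():
    return gap_analysis(CURRENT, TARGET, WEIGHTS)


if __name__ == "__main__":
    print("\n".join(report(sample_gap_analysis())))
```

With these sample values the top row is RC.RP (Recovery Planning, Tier 1 to Tier 4, score 15), followed by PR.AC and DE.CM; the weights are what let a small budget go to the categories the business actually depends on rather than to whichever gap happens to be largest.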


Education, Education, Education.

It would be rather reductive, however, to associate NIST only with the Cybersecurity Framework. Their work encompasses several areas, ranging from cryptography to IoT (Internet of Things), ICS (Industrial Control Systems) and practical cybersecurity guidance such as password standards and guidelines. Another primary focus for NIST is education and training. In partnership with government and academic bodies, NIST have been leading NICE (another acronym, sorry…), the National Initiative for Cybersecurity Education, since 2008. The NICE framework provides a common classification of cybersecurity roles and functions by describing the responsibilities, skills and knowledge required to perform cybersecurity tasks. This framework is increasingly relied upon across all sectors to help address skills gaps and develop cybersecurity awareness and learning.

It doesn’t have to be complicated.

So, who would have thought that this simple acronym could have such an impact on organisations’ cybersecurity strategies? Being familiar with the NIST Cybersecurity Framework and NIST’s general security guidelines is an important step in the right direction when it comes to protecting your organisation’s devices, IT systems and the valuable data stored in them.

In a world of complicated acronyms and obscure technical jargon, NIST provide clear and practical guidelines to tackle practical challenges which are part of our everyday lives. It could be as easy as ABC or 123 (as long as you don’t set these as your passwords! See NIST’s Password Guidelines).

Article By | Barbara Giunchi Burr


04 November 2021

It Happened to Us: An Anonymous First-Hand Account of a Ransomware Attack (Part 2)

It’s time. Here’s the second, and final, installment of the exclusive interview Predatar conducted with a victim of a business-targeted ransomware attack.

Investigating the Breach

‘We had very understanding clients. It was established at a very early stage that there was no desire to publicise any of this information. But generally, we had to be careful about what we were saying. We couldn’t say anything that wasn’t definitely true, or anything that needed to be kept confidential.’

‘In our investigations, we realised that the cyber-attackers had been in our systems for several weeks, via a password breach. By tracing their actions, we were luckily able to identify that it was, very fortunately, a very small portion of data that they had been able to access.’


We talk about this a lot over here at Predatar HQ regarding cyber-resilient backups. Sure, you think you’ve got immutable backups. You might even have gold standard encryption. But how can you be sure that your backups aren’t brimming with dormant ransomware that you just haven’t noticed yet? Dormant ransomware is a threat to any business. It can sit in your systems indefinitely, gathering information until the cyber-criminals are ready to act.


Negotiating

‘It was a really challenging period of time. We were having crisis calls twice a day, and sometimes it would be every hour or two. We established that the cyber attackers were also overseas, meaning it made quite a difference to the timescales. We actually had to contact them through an address on the dark web, which our business knew very little about, so the experts told us how to operate in that space.’

‘After negotiating, we eventually agreed with them to pay a very small fraction of what they had asked for in Bitcoin, which the experts told us is completely untraceable. We tested them by staging four different payments over a week or so to ensure that each time, they gave us a specific bit of data back. Our negotiator pushed the cyber-criminals to the edge of what was acceptable to them. There were a few times where they said they were going to release the data.’


The Aftermath

‘You could say we were lucky. We did get proof of all of our data back, and we already had a backup copy of the data anyway. A few months prior to the event, we’d actually made some changes to tighten up the security of our backup and recovery procedures, and that helped a great deal. I’m glad we did that. However, not all of the data was completely up to date, so that still did pose an issue. It wasn’t perfect. But the main issue was a lack of accessibility for our clients; they couldn’t work in a normal way.’

Nowadays, even if a company has a seemingly usable backup in the event of a ransomware attack, there’s no guarantee that the backup itself will recover. And even if it does recover, there’s no certainty that it, too, isn’t infected with dormant ransomware. But that’s where companies like Predatar come in.

‘The whole experience was deeply unpleasant. Nobody wants to pay an attacker anything, but the advice from all of those experts was that it’s typically better to pay something until you’re forced to pay a higher amount.’

It’s almost impossible to estimate the actual cost that ransomware attacks have on a business. The total sum is not just the ransom paid. Businesses will start haemorrhaging money in various ways during a cyber-attack. This can be anything from time lost on major projects to not being able to generate a healthy profit without full functionality and use of data. There can also be a huge knock-on effect to future ventures, including damage to partnerships and client relationships.


So…what now?

After hearing this story, the first thing that crossed our minds, and that has probably crossed your own mind as you’ve been reading this article, is “how can we be prepared for disasters like this?” So, we’ve asked some questions and gotten some answers for you. Here are the top five tips we picked up from this case:

  1. Have a plan of who you can go to as an advisor in this scenario. You will need a set of experts who can offer you insurance. They will also know the lingo and they’ll be able to understand the personalities, behaviours, and personas of certain cyber-attack gangs.
  2. Understand the process of reporting the incident to the authorities, and how that process can help or even hinder a time sensitive cyber-attack.
  3. Hire a negotiator. If this is an option available to your business, don’t skip it. The experience with a negotiator can be, as our source described, deeply uncomfortable. Without that safety gap between your business and the cyber-attackers, you’re essentially dealing directly with intelligent criminals, with no experience of doing so.
  4. Look after your employees. It’s a very disturbing experience, and the well-being of your employees is extremely important throughout. Some employees will be on a need-to-know basis, whereas others will need more of an understanding.
  5. Test your backups, then test them again. And then test them again after that.
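
Tip 5 is the one that can be automated. A minimal form of “test it again” is to record a checksum manifest when a backup set is written, keep that manifest somewhere the backup system cannot overwrite, and compare a restored copy against it on every drill: files that have changed, gone missing, or appeared from nowhere all show up. The script below is an added example, not Predatar’s product or any part of the interviewee’s setup; it builds a throwaway “backup” in a temporary directory with constructed file contents, then simulates the three failure modes and reports them.

```python
"""Checksum-manifest verification of a restored backup set.

Added example with constructed sample files. Run as a script to see a clean
verification followed by one with an altered, a missing and an unexpected file.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative, POSIX-style path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree under root against a previously stored manifest."""
    actual = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(actual)),   # backed up, not restored
        "extra": sorted(set(actual) - set(manifest)),     # not in the original set
        "changed": sorted(k for k in manifest.keys() & actual.keys()
                          if manifest[k] != actual[k]),   # content differs
    }


def restore_ok(report: dict) -> bool:
    """A restore passes only when every category of the report is empty."""
    return not any(report.values())


def demo():
    """Build a constructed backup, verify it, tamper with it, verify again.

    Returns (clean_report, tampered_report, manifest_json).
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        # Constructed sample content standing in for real backup data.
        (backup / "db" / "customers.sql").write_text("-- constructed dump\nINSERT INTO customers VALUES (1, 'acme');\n")
        (backup / "notes.txt").write_text("quarterly report\n")

        manifest = build_manifest(backup)
        manifest_json = json.dumps(manifest, indent=2, sort_keys=True)  # store this off-site
        clean = verify_manifest(backup, manifest)

        # Simulate what a bad restore or a tampered copy looks like.
        (backup / "notes.txt").write_text("quarterly report (silently altered)\n")
        (backup / "db" / "customers.sql").unlink()
        (backup / "db" / "unexpected.bin").write_bytes(b"\x00constructed junk\x00")
        tampered = verify_manifest(backup, manifest)

        return clean, tampered, manifest_json


if __name__ == "__main__":
    clean, tampered, _ = demo()
    print("clean restore ok:", restore_ok(clean))
    print("tampered restore:", json.dumps(tampered, indent=2))
```

The comparison is run against the restored copy on separate hardware, not against the backup medium in place, so the drill also proves the restore path itself works; the manifest should live somewhere that is read-only from the production and backup hosts, otherwise whatever altered the data can alter the manifest too.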

We hope that this has been an eye-opening read for you, and that, like us, it has given you some useful insight into the importance of having cyber-resilient processes in place.
