FY2016 Support Contracts Coming in October

We are finalizing the content for the 2016 Support Contracts and have several items of importance to update you on before they are released for signature.

First- The rate reductions put in place last year will remain as standard again this year. We are not raising the cost for Travel, Labor, Help Desk and standard Remote Monitoring and Management.

Second- We are adding additional security enhancements to each site and the related cost increases will be solely to cover the cost of those programs. I’ll add more detail about this later in this post.

Third- The new contracts will include specific limitations concerning our ability to support data recovery and network security for sites that do not use the Datto Cloud backup device or the SonicWall Firewall appliance. Again, I’ll go into specifics on this shortly.

Fourth- Not all existing contract clients will be offered ongoing support from us in 2016. We are still sorting out this issue as there are certain incompatibilities that will be resolved by November.

Annual Support Contracts are always issued in late October with a signatory return no later than 15 November. This is done so we can get the accounting updated and the appropriate billing sent out in December for the January support window. It is also essential so we know who our clients will be in 2016 and can plan for adequate resource allocations.

Security Enhancements … what and why

All client sites depend on the Internet in some form for daily business operations and that dependency is growing faster than any other support requirement. At the same time, the dangers from hackers have outpaced almost all previously standard defense mechanisms that were commonly in place.

One of the biggest examples of this is the Crypto-class of Trojans. CryptoLocker and CryptoWall are the two best known of these items but they are far from being the only ones. As soon as CryptoLocker came out, we put a block in place in the Server Registry that prevented it from running its code. If you tried to install programs that run in the same space as these Trojans, the install would fail and we had to disable the protective feature, get the program installed and then re-enable it in the Group Policy that impacted that specific Registry entry. Painful but effective…

They have now found a way around that and so we’ve spent the past five months evaluating a new multi-layer defense strategy that will become the new standard for our supported networks. Here are the basics and how they work together to add additional defenses to business data protection.

When a Trojan gets into a PC, it immediately goes out to the Internet to begin downloading the infection package. Those packages are stored on certain Servers. We will begin circumventing this by adding the professional paid version of OpenDNS to every network.

This service routes all outbound requests from a network through the OpenDNS Servers which keep track of those Trojan package Servers and will immediately block any attempt to get to a known infected site. It will also block other known infected sites during your normal daily browsing.

The second layer of protection comes in the form of your network router. Almost all client sites have been upgraded to the SonicWall router with its security services package. SonicWall’s services package has a database of known Viruses, Trojans and Crypto-class items and actively works to stop this stuff before it gets loose.

OpenDNS and SonicWall automatically update their databases and very often do so on a daily basis. These two products are far more real-time aware of these threats and quicker to put a fix in place even before Trend Micro Antivirus does.

We are also investigating the use of WebRoot as the third layer in the evolving network protection scenario. That’s still preliminary but it may well prove to be a replacement for Trend Micro going forward. More on that as we see how it blends with other protective services.

SonicWall and OpenDNS combined is the basic multi-layer defense implementation which is now required on any network which we support.

Recovery Capabilities… how we insure data security

There are currently three types of backup methods in use inside our supported networks. These are

1) Tape
2) USB drives
3) Datto local devices with secure Cloud storage

The new support contract will have a line item clarifying our limited ability to assure data recovery for outmoded backup methods. So far, we have had no issues with Datto Cloud backup as that is a local device with long term version storage available in a secured Cloud.

However, for tape and USB drive users, a huge issue has arisen recently. Although the backup software in use for those devices checks for a byte count and other things that are supposed to insure the backup actually completed and is verified as good, it is extremely limited. For USB devices, it has become increasingly common to find out that a backup is corrupted and pretty much useless. Tape backups can develop read/write errors the older the tapes get and that, too, means corrupted data.

The process for manually checking these backups is tedious and very time intensive. Unless someone at the site is checking the backups at least weekly, there is no certainty that you have good backups. And remember, your data changes multiple times a day. Additionally, if any file is lost or corrupted and needs to be recovered, that can take hours to locate it and get it recovered…. provided the needed data hasn’t been overwritten on the tape or drive.

At best, these two methods, in good shape, keep about one month of backup data… Datto keeps a year’s worth. Plus the Datto device range has the ability to spin up a Virtual Server in the event yours goes down for repair… or is lost to a fire, flood or tornado…

If data recovery is required on tape or USB backups, it will not be quick as is the case with a data recovery from a Datto. Therefore, it will cost more. If the Server goes down and we are unable to get a good Image file from tape or USB, a full blown Server reload would be required and it is possible that most of the company data may not be recoverable. Again, that means we are unsure as to how successful we might be in getting a valid recovery done and in getting your business back up and running in a reasonable time. And it means that you can expect high costs if critical issues arise with Servers backed up by outdated devices.

Let me highlight this by pointing out a recent event. The client did not have a SonicWall appliance in place. OpenDNS had not yet been deployed. They did, however, have a Datto device in the network. A user got hit with CryptoWall and the entire range of business databases on the Server were encrypted.

If this had been tape or USB, it would have taken weeks to fix this, if at all, and we do not have that kind of time (nor did the client). As it was, it still took about three days to fix it by comparing files on the Server to files on the Datto. They now have a SonicWall in place and the newest Datto device. They are still in business.

Would you be?

If you are risking your business by using outmoded backup methods, the responsibility is yours to ask about getting that critical element of your network updated… sooner rather than later. You know the drill… call Lesa…