Long after intruders are removed and public scrutiny has faded, the impacts from a cyberattack can reverberate over a multi-year timeline. Legal costs can cascade as stolen data is leveraged in various ways over time; it can take years to recover pre-incident growth and profitability levels; and brand impact can play out in multiple ways.

That’s from a Deloitte report, “Beneath the surface of a cyberattack: A deeper look at business impacts,” released in late 2016. The report’s contents, and other statements on cyber security from Deloitte, are ironic given the company’s huge breach reported this week.

The big breach

The Deloitte breach was reported on Monday, Sept. 25. It appears to have leaked confidential emails and financial documents of some of its clients. According to the Guardian,

The Guardian understands Deloitte clients across all of these sectors had material in the company email system that was breached. The companies include household names as well as US government departments. So far, six of Deloitte’s clients have been told their information was “impacted” by the hack. Deloitte’s internal review into the incident is ongoing. The Guardian understands Deloitte discovered the hack in March this year, but it is believed the attackers may have had access to its systems since October or November 2016.

The Guardian asserts that hackers gained access to Deloitte’s global email server via an administrator’s account protected by only a single password. Without two-factor authentication, hackers could gain entry via any computer, as long as they guessed the right password (or obtained it via hacking, malware, or social engineering). The story continues,

In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details.

Okay, the breach was bad. What did Deloitte have to say about these sorts of incidents? Lots.

The Deloitte Cybersecurity Report

In its 2016 report, Deloitte’s researchers pointed to 14 cyberattack impact factors. Half are the directly visible costs of breach incidents; the others can be more subtle or hidden, and potentially never fully understood.

  • The “Above the Surface” incident costs include the expenses of technical investigations, consumer breach notifications, regulatory compliance, attorney fees and litigation, post-breach customer protection, public relations, and cybersecurity protections.
  • Hard to tally are the “Below the Surface” costs of insurance premium increases, increased cost to raise debt, impact of operational disruption/destruction, value of lost contract revenue, devaluation of trade name, loss of intellectual property, and lost value of customer relationship.

As the report says,

Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly—primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Discussions often focus on costs related to customer notification, credit monitoring, and the possibility of legal judgments or regulatory penalties. But especially when PII theft isn’t an attacker’s only objective, the impacts can be even more far-reaching.

Recovery can take a long time, as Deloitte says:

Beyond the initial incident triage, there are impact management and business recovery stages. These stages involve a wide range of business functions in efforts to rebuild operations, improve cybersecurity, and manage customer and third-party relationships, legal matters, investment decisions, and changes in strategic course.

Indeed, asserts Deloitte in the 2016 report, it can take months or years to repair the damage to the business. That includes redesigning processes and assets, and investing in cyber programs to emerge stronger after the incident. But wait, there’s more.

Intellectual Property and Lawsuits

A big part of the newly reported breach is the loss of intellectual property. That’s not necessarily only Deloitte’s IP, but also the IP of its biggest blue-chip customers. About the loss of IP, the 2016 report says:

Loss of IP is an intangible cost associated with loss of exclusive control over trade secrets, copyrights, investment plans, and other proprietary and confidential information, which can lead to loss of competitive advantage, loss of revenue, and lasting and potentially irreparable economic damage to the company. Types of IP include, but are not limited to, patents, designs, copyrights, trademarks, and trade secrets.

We’ll see some of those phrases in lawsuits filed by Deloitte’s customers as they try to get a handle on what hackers may have stolen. Oh, about lawsuits, here’s what the Deloitte report says:

Attorney fees and litigation costs can encompass a wide range of legal advisory fees and settlement costs externally imposed and costs associated with legal actions the company may take to defend its interests. Such fees could potentially be offset through the recovery of damages as a result of assertive litigation pursued against an attacker, especially in regards to the theft of IP. However, the recovery could take years to pursue through litigation and may not be ultimately recoverable, even after a positive verdict in favor of the company. Based on our analysis of publicly available data pertaining to recent consumer settlement cases and other legal costs relating to cyber incidents, we observed that, on average, it could cost companies approximately $10 million in attorney fees, potential settlement of loss claims, and other legal matters.

Who wants to bet that the legal costs from this breach will be significantly higher than $10 million?

Stay Vigilant

The back page of Deloitte’s 2016 report says something important:

To grow, streamline, and innovate, many organizations have difficulty keeping pace with the evolution of cyber threats. The traditional discipline of IT security, isolated from a more comprehensive risk-based approach, may no longer be enough to protect you. Through the lens of what’s most important to your organization, you must invest in cost-justified security controls to protect your most important assets, and focus equal or greater effort on gaining more insight into threats, and responding more effectively to reduce their impact. A Secure. Vigilant. Resilient. cyber risk program can help you become more confident in your ability to reap the value of your strategic investments.

Wise words — too bad Deloitte’s email administrators, SOC teams, and risk auditors didn’t heed them. Or read their own report.

My Benchmade Bugout Axis knife arrived last week. I’ve been using it as an everyday carry (EDC) knife, instead of my usual Benchmade Griptilian or Mini Griptilian.

Summary: The Bugout is very nice and light, with an excellent blade. The handle’s too thin for a sturdy grip, so I wouldn’t want it in a knife fight. It could be easily knocked out of my hand. Easier to drop, I think, than the Griptilian or Mini Grip. Still, the Bugout is nice and practical for a pocket knife, and the Axis is my favorite locking mechanism.

Benchmade describes the Bugout as “designed for the modern outdoor adventurer, incorporating the lightest, best performing materials in an extremely slim yet ergonomic package.” Well, that’s not me: I’m an urban work-at-home adventurer who likes having a knife in my pocket whenever I go out, whether it’s to the store, a technical conference, or for a walk around the neighborhood. (Sadly, I can’t take a knife when I fly. Sniff.)

What’s good about the Bugout: Light (1.85 ounces, says Benchmade), blade length (3.24”), steel (S30V), pretty blue handle, thin (0.42”). The blade is thin (0.09”).

Compare to the Griptilian, seen here with a black handle and silver blade. Slightly longer and thicker blade than the Bugout (3.45” and 0.11”), much thicker handle (0.64”) and twice the weight (3.79 ounces). Many choices of steel.

Compare to the Mini Grip, seen here with a black handle and black blade. Shorter but thicker blade compared to the Bugout (2.91” and 0.10”), thicker handle (0.51”), and greater weight (2.68 ounces). Many choices of steel.

What’s not so good about the Bugout: Beyond the slightly hard-to-grasp handle, it’s the lack of essential options. With the Griptilian and Mini Grip, you can choose the steel. You can choose the blade shape. You can choose the colors. Not so with the Bugout, at least not yet, so I’m stuck with the drop-point and blue.

With the Grip and Mini Grip, I’ve chosen knives with the sheepsfoot point. I like the flip-out hole, even though it makes the knives bulkier. The only real option on the Bugout, at least at present, is a plain or serrated drop-point blade. (I would buy another Bugout if it came with sheepsfoot, and give this one to my son.)

Oh, you can do custom engraving on the Bugout blades. Nice if you’re giving one as a gift.

Bottom line: The Bugout is a very nice, very civilized EDC. I’m happy to wear it with nice trousers, or at any time where slimness or light weight are paramount. (Those are the scenarios that Benchmade touts, especially for packing into a backpack or other “bugout” gear.) The big loser here is the Mini Grip, which has been supplanted by a lighter knife with a longer blade.

Go ahead, bring on the apple, bring on the wrapped package, bring on the rope/cord. The Bugout has it covered.

That said: For going out on walks, or other outings with jeans or cargo pants, when weight is not an issue, the Griptilian will still be my #1 EDC.

Stupidity. Incompetence. Negligence. The unprecedented huge data breach at Equifax has dominated the news cycle, infuriating IT managers, security experts, legislators, and attorneys — and scaring consumers. It appears that sensitive personally identifiable information (PII) on 143 million Americans was exfiltrated, as well as PII on some non-US nationals.

There are many troubling aspects. Reports say the tools that consumers can use to see if they are affected by the breach are inaccurate. Articles say that by using those tools, consumers are waiving their rights to sue Equifax. Some worry that Equifax will actually make money off this by selling affected consumers its credit-monitoring services.

Let’s look at the technical aspects, though. While details about the breach are still widely lacking, two bits of information are making the rounds. One is that Equifax followed bad password practices, allowing hackers to easily gain access to at least one server. Another is that there was a flaw in a piece of open-source software – the patch had been available for months, yet Equifax didn’t apply it.

The veracity of those two possible causes of the breach is unclear. Even so, this points to a troubling pattern of utter irresponsibility by Equifax’s IT and security operations teams.

Bad Password Practices

Username “admin.” Password “admin.” That’s often the default for hardware, like a home WiFi router. The first thing any owner should do is change both the username and password. Every IT professional knows that. Yet the fine techies at Equifax, or at least their Argentina office, didn’t know that. According to well-known security writer Brian Krebs, earlier this week,

Earlier today, this author was contacted by Alex Holden, founder of Milwaukee, Wisc.-based Hold Security LLC. Holden’s team of nearly 30 employees includes two native Argentinians who spent some time examining Equifax’s South American operations online after the company disclosed the breach involving its business units in North America.

It took almost no time for them to discover that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: “admin/admin.”

What’s more, writes Krebs,

Once inside the portal, the researchers found they could view the names of more than 100 Equifax employees in Argentina, as well as their employee ID and email address. The “list of users” page also featured a clickable button that anyone authenticated with the “admin/admin” username and password could use to add, modify or delete user accounts on the system.

and

A review of those accounts shows all employee passwords were the same as each user’s username. Worse still, each employee’s username appears to be nothing more than their last name, or a combination of their first initial and last name. In other words, if you knew an Equifax Argentina employee’s last name, you also could work out their password for this credit dispute portal quite easily.

Idiots.
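A check at password-set time that would have refused the credentials Krebs describes (default pairs, password equal to username, password built from the user's name). This is an added example, not code from the original post or from Equifax; the account fields, the short default-password list and the sample accounts are constructed assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass

# Constructed, deliberately short list of factory-default passwords.
DEFAULT_PASSWORDS = {"admin", "administrator", "password", "changeme", "root"}
MIN_LENGTH = 12  # assumed policy value for this example


@dataclass(frozen=True)
class Account:
    username: str
    first_name: str
    last_name: str


def _normalize(text: str) -> str:
    """Lower-case, strip accents and drop non-alphanumerics so that
    'Gómez', 'gomez' and 'G-O-M-E-Z' all compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    ascii_only = decomposed.encode("ascii", "ignore").decode("ascii")
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def _identity_tokens(account: Account) -> set[str]:
    """Strings anyone could derive from the account's visible identity."""
    user = _normalize(account.username)
    first = _normalize(account.first_name)
    last = _normalize(account.last_name)
    tokens = {user, first, last, first + last, last + first}
    if first:
        tokens.add(first[0] + last)  # first initial + last name
    # Ignore fragments too short to be meaningful.
    return {t for t in tokens if len(t) >= 3}


def password_problems(account: Account, candidate: str) -> list[str]:
    """Return the reasons to refuse `candidate`; an empty list means accept."""
    problems = []
    norm = _normalize(candidate)
    # Strip trailing digits so 'gomez2017' is treated like 'gomez'.
    stem = norm.rstrip("0123456789")

    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if norm in DEFAULT_PASSWORDS or stem in DEFAULT_PASSWORDS:
        problems.append("default_password")

    tokens = _identity_tokens(account)
    if norm in tokens or stem in tokens:
        problems.append("derived_from_identity")
    elif any(t in norm for t in tokens if len(t) >= 4):
        problems.append("contains_identity")
    return problems


if __name__ == "__main__":
    # Constructed accounts mirroring the reported patterns.
    portal_admin = Account("admin", "", "")
    employee = Account("jgomez", "Juana", "Gómez")
    for acct, pw in [(portal_admin, "admin"), (employee, "jgomez"),
                     (employee, "Gomez2017"),
                     (employee, "violet-kettle-orbit-93")]:
        print(acct.username, repr(pw), password_problems(acct, pw) or "accepted")
```

The same function can be run over an existing directory at the next forced password change, since it needs only the candidate password and fields the system already stores.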

Patches Are Important, Kids

Apache’s Struts is a well-regarded open source framework for creating Web applications. It’s excellent — I’ve used it myself — but like all software, it can have bugs. One such defect was discovered in March 2017, and was given the name “CVE-2017-5638.” A patch was issued within days by the Struts team. Yet Equifax never installed that patch.

Even so, the company is blaming the U.S. breach on that defect:

Equifax has been intensely investigating the scope of the intrusion with the assistance of a leading, independent cybersecurity firm to determine what information was accessed and who has been impacted. We know that criminals exploited a U.S. website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

Keeping up with vulnerability reports, and applying patches right away, is essential for good security. Everyone knows this. Including, I’m sure, Equifax’s IT team. There is no excuse. Idiots.

HP-35 slide rule calculator

At the current rate of rainfall, when will your local reservoir overflow its banks? If you shoot a rocket at an angle of 60 degrees into a headwind, how far will it fly with 40 pounds of propellant and a 5-pound payload? Assuming a 100-month loan for $75,000 at 5.11 percent, what will the payoff balance be after four years? If a lab culture is doubling every 14 hours, how many viruses will there be in a week?

Those sorts of questions aren’t asked by mathematicians, who are the people who derive equations to solve problems in a general way. Rather, they are asked by working engineers, technicians, military ballistics officers, and financiers, all of whom need an actual number: Given this set of inputs, tell me the answer.

Before the modern era (say, the 1970s), these problems could be hard to solve. They required a lot of pencils and paper, a book of tables, or a slide rule. Mathematicians never carried slide rules, but astronauts did, as their backup computers.

However, slide rules had limitations. They were good to about three digits of accuracy, no more, in the hands of a skilled operator. Three digits was fine for real-world engineering, but not enough for finance. With slide rules, you had to keep track of the decimal point yourself: The slide rule might tell you the answer is 641, but you had to know if that was 64.1 or 0.641 or 641.0. And if you were chaining calculations (needed in all but the simplest problems), accuracy dropped with each successive operation.

Everything the slide rule could do, a so-called slide-rule calculator could do better—and more accurately. Slide rules are really good at a few things. Multiplication and division? Easy. Exponents, like 613? Easy. Doing trig, like sines, cosines, and tangents? Easy. Logarithms? Easy.

Hewlett-Packard unleashed a monster when it created the HP-9100A desktop calculator, released in 1968 at a price of about $5,000. The HP-9100A did everything a slide rule could do, and more—such as trig, polar/rectangular conversions, and exponents and roots. However, it was big and it was expensive—about $35,900 in 2017 dollars, or the price of a nice car! HP had a market for the HP-9100A, since it already sold test equipment into many labs. However, something better was needed, something affordable, something that could become a mass-market item. And that became the pocket slide-rule calculator revolution, starting off with the amazing HP-35.

If you look at the HP-35 today, it seems laughably simplistic. The calculator app in your smartphone is much more powerful. However, back in 1972, and at a price of only $395 ($2,350 in 2017 dollars), the HP-35 changed the world. Companies like General Electric ordered tens of thousands of units. It was crazy, especially for a device that had a few minor math bugs in its first shipping batch (HP gave everyone a free replacement).

Read more about early slide-rule calculators — and the more advanced card-programmable models like the HP-65 and HP-67, in my story, “The early history of HP calculators.”

HP-65 and HP-67 card-programmable calculators

When was the last time most organizations discussed the security of their Oracle E-Business Suite? How about SAP S/4HANA? Microsoft Dynamics? IBM’s DB2? Discussions about on-prem server software security too often begin and end with ensuring that operating systems are at the latest level, and are current with patches.

That’s not good enough. Just as clicking on a phishing email or opening a malicious document in Microsoft Word can corrupt a desktop, so too server applications can be vulnerable. When those server applications are involved with customer records, billing systems, inventory, transactions, financials, or human resources, a hack into ERP or CRM systems can threaten an entire organization. Worse, if that hack leveraged stolen credentials, the business may never realize that competitors or criminals are stealing its data, and potentially even corrupting its records.

A new study from the Ponemon Institute points to the potential severity of the problem. Sixty percent of the respondents to the “Cybersecurity Risks to Oracle E-Business Suite” study say that information theft, modification of data and disruption of business processes on their company’s Oracle E-Business Suite applications would be catastrophic. While 70% of respondents said a material security or data breach due to insecure Oracle E-Business Suite applications is likely, 67% of respondents believe their top executives are not aware of this risk. (The research was sponsored by Onapsis, which sells security solutions for ERP suites, so apply a little sodium chloride to your interpretation of the study’s results.)

The audience for this study was businesses that rely upon Oracle E-Business Suite. About 24% of respondents said that it was the most critical application they ran, and altogether, 93% said it was one of the top 10 critical applications. Bearing in mind that large businesses run thousands of server applications, that’s saying something.

Yet more than half of respondents – 53% – said that it was Oracle’s responsibility to ensure that its applications and platforms are safe and secure. Unless they’ve contracted with Oracle to manage their on-prem applications, and to proactively apply patches and fixes, well, they are delusional.

Another area of delusion: That software must be connected to the Internet to pose a risk. In this study, 52% of respondents agree or strongly agree that “Oracle E-Business applications that are not connected to the Internet are not a security threat.” They’ve never heard of insider threats? Credentials theft? Penetrations of enterprise networks?

What About Non-Oracle Packages?

This Ponemon/Onapsis study represents only one data point. It does not adequately discuss the role of vendors in this space, including ERP/CRM value-added resellers, consultants and MSSPs (managed security service providers). It also doesn’t differentiate between Oracle instances running on-prem compared to the Oracle ERP Cloud – where Oracle does manage all the security.

Surprisingly, packaged software isn’t talked about very often. Given the amount of chatter at most security conferences, bulletin boards, and the like, packaged applications like these on-prem ERP or CRM suites are rarely a factor in conversations about security. Instead, everyone is seemingly focused on the endpoint, firewalls, and operating systems. Sometimes we’ll see discussions of the various tiers in an n-tier architecture, such as databases, application servers, and presentation systems (like web servers or mobile app back ends).

Another company that offers ERP security, ERPScan, conducted a study with Crowd Research Partners focused on SAP. The “ERP Cybersecurity Study 2017” said that (and I quote from the report on these bullet points):

  • 89% of respondents expect that the number of cyber-attacks against ERP systems will grow in next 12 months.
  • An average cost of a security breach in SAP is estimated at $5m with fraud considered as the costliest risk. A third of organizations assesses the damage of fraudulent actions at more than 10m USD.
  • There is a lack of awareness towards ERP Security, worryingly, even among people who are engaged in ERP Security. One-third of them haven’t even heard about any SAP Security incident. Only 4% know about the episode with the direst consequences – USIS data breach started with an SAP vulnerability, which resulted in the company’s bankruptcy.
  • One of three respondents hasn’t taken any ERP Security initiative yet and is going to do so this year.
  • Cybersecurity professionals are most concerned about protecting customer data (72%), employee data (66%), and emails (54%). Due to this information being stored in different SAP systems (e.g. ERP, HR, or others), they are one of the most important assets to protect.
  • It is still unclear who is in charge of ERP Security: 43% of responders suppose that CIO takes responsibilities, while 28% consider it CISO’s duty.

Of course, we still must secure our operating systems, network perimeters, endpoints, mobile applications, WiFi networks, and so on. Let’s not forget, however, the crucial applications our organizations depend upon. Breaches into those systems could be invisible – and ruinous to any business.

To think, the U.S. Secretary of State wants to send me money! Interesting that he’s using a gmail.com address for outgoing mail, a German email address for replies, and a phone number in the African country of Benin.

Obviously, this is spam. Delete such messages; don’t reply to them.

From: “Mr. Rex W. Tillerson” [email hidden]

Subject: Federal Bureau of Investigation (FBI)

To: undisclosed recipients: ;

Reply-To: “Mr. Rex W. Tillerson” _____________

U.S Department of State 2201 C Street NWmWashington, DC 20520.

Dear Beneficiary

Your ATM Visa Card will be shipped through DHL to your address. I am Mr. Rex W. Tillerson, United States Secretary of State by profession. This is to inform you officially that after our investigations with the Federal Bureau of Investigation (FBI), Central Intelligence Agency (CIA) and other Security Agencies in the Country for the year 2016 and 2017, we discovered that you have not yet received your over due fund.

I have made it my first point of call since taking office to settle all Outstanding Payments accrued to Individuals or Corporations with respect to local and overseas contract payment, Debt Rescheduling and Outstanding Compensation payment.

This is to make sure all Outstanding payments are settled beginning of this fiscal year 2017. On Behalf of the entire staff of the U.S. Department of State and the United Nations in collaboration with World Bank, we apologize for the delay of your contract payment, Winning or Inheritance funds from most of African Countries and all the inconveniences you encountered while pursuing this payment.

However, from the records of outstanding beneficiaries due for payment with the U.S Secretary of State, your name was discovered as next on the list of the outstanding payment who has not yet received their payments.

Note that from the record in my file, your outstanding contract payment is $5,5,000.00 USD (Five Million, Five Hundred Thousand United States Dollars) loaded in an ATM Visa Card that allows you to make a daily maximum withdrawal limit of $5,000 Five Thousand Dollars) YOUR ATM PIN CODE (7250).

I have your file here in my office and it says that you are yet to receive your fund valued at $5,5,000.00 USD (Five Million, Five Hundred Thousand United States Dollars). This Funds will now be delivered to your designated address or your preferred payment option.

We have perfected all modules on how to bring this fund to your house without any problem, but be aware that United Nations and the United States Government has only authorised my office to release the Sum of $5,5,000.00 USD to you as true beneficiary of the Fund.

Note that your loaded ATM Visa Card will be mailed to you through Priority Mail Express (DHL) to your designated address immediately you admit full compliance to this email. Due to my busy schedules You are advised to kindly get in contact with our correspondent Mr Brian Voge with the below details enclosed to help ensure safe mailing of your ATM Visa Card:

Your Full Name:

Your Contact House Address:

Name of City of Residence:

Country of Residence:

Direct Mobile Telephone Number:

ID Card, DL or Passport Copy:

Age and Occupation:

Contact Mr Brian Voge immediately by replying to this email or emailing the address below:

Name: Mr Brian Voge

TELEPHONE: ____________

He is obliged to treat your case with utmost urgency as soon as you contact him and fill out your correct details including all reachable phone numbers for him to get in touch with you via phone and email.

NOTE: Every documentation proof for your fund have been packaged and sealed to be mailed together with your Visa Card to your address. Therefore, the only obligation required of you by the laws of the Government of United States and the financial Monetary Policy of the Supreme Court, states that; you as a beneficiary must officially obtain the irrevocable LEGAL STAY OF PROCEED from the Supreme Court of USA, as a means to justify the legitimacy, transparency and clean bill of funds from USA so that by the time your funds gets to you, no authority will question the funds as it has been legally certified free from all financial Malpractices and facets. The LEGAL STAY OF PROCEED is valued at a cost of just ($150) please take note of that.

As soon as the above mentioned $150 is received, The LEGAL STAY OF PROCEED will be secured on your behalf immediately. I need all the compliance that I can get from you to ensure we get this project accomplished. Personally, I am very sorry for the delay you have gone through in the past years. Thanks for adhering to this instructions which are meant for your sole benefit, once again accept my congratulations in advance.

Thanks for your cooperation as your quick response to this email notice with adherence to the above instructions is highly anticipated.

Yours Sincerely,

Mr. Rex W. Tillerson.
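The indicators noted before this message (a gmail.com sender, a different reply-to domain, a Benin phone number) plus the $150 fee demand can be checked mechanically. This is an added example, not part of the original post; the addresses, phone numbers and both sample messages are constructed, and the `.example` domain stands in for the German reply address that the post redacts.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
OFFICIAL_CLAIMS = re.compile(
    r"secretary of state|department of state|federal bureau of investigation",
    re.IGNORECASE)
# Assumes international numbers are written "+<country code><space or dash>...".
PHONE = re.compile(r"\+(\d{1,3})[ -]\d")
# A fee/cost/charge followed shortly by a dollar amount.
FEE_DEMAND = re.compile(r"\b(?:fee|cost|charge)\b.{0,60}?\$\s?\d",
                        re.IGNORECASE | re.DOTALL)

# Constructed sample modelled on the message above (all contact details fake).
SAMPLE_SCAM = """\
From: "Mr. Rex W. Tillerson" <sender@gmail.com>
Reply-To: "Mr. Rex W. Tillerson" <replies@mailhost.example>
To: undisclosed recipients: ;
Subject: Federal Bureau of Investigation (FBI)

Dear Beneficiary
I am Mr. Rex W. Tillerson, United States Secretary of State by profession.
Contact Mr Brian Voge. TELEPHONE: +229 00 00 00 00
The LEGAL STAY OF PROCEED is valued at a cost of just ($150).
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Dana Reyes" <dana@corp.example>
To: <sam@corp.example>
Subject: Q3 invoice

Call me at +1 202-555-0100. Invoice total is $150.
"""


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def triage(raw_message: str) -> list[str]:
    """Return the names of the scam indicators found in one raw message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    from_hdr = msg.get("From", "")
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To", ""))
    # Text in which the sender claims an identity: name, subject and body.
    claimed = " ".join([from_hdr, msg.get("Subject", ""), body])
    claims_office = bool(OFFICIAL_CLAIMS.search(claimed))
    findings = []

    if from_dom and reply_dom and reply_dom != from_dom:
        findings.append("reply_to_domain_differs_from_sender")
    if claims_office and from_dom in FREEMAIL_DOMAINS:
        findings.append("government_claim_from_freemail")
    if "@" not in msg.get("To", ""):
        findings.append("no_visible_recipient")
    country_codes = {m.group(1) for m in PHONE.finditer(body)}
    if claims_office and country_codes - {"1"}:
        findings.append("non_us_phone_for_us_office")
    if FEE_DEMAND.search(body):
        findings.append("advance_fee_demand")
    return findings


if __name__ == "__main__":
    for name, raw in [("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)]:
        print(name, triage(raw))
```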

The water is rising up over your desktops, your servers, and your data center. Glug, glug, gurgle.

You’d better hope that the disaster recovery plans included the word “offsite.” Hope the backup IT site wasn’t another local business that’s also destroyed by the hurricane, the flood, the tornado, the fire, or the earthquake.

Disasters are real, as August’s Hurricane Harvey and immense floods in Southeast Asia have taught us all. With tens of thousands of people displaced, it’s hard to rebuild a business. Even with a smaller disaster, like a power outage that lasts a couple of days, the business impact can be tremendous.

I once worked for a company in New York that was hit by a blizzard that snapped the power and telephone lines to the office building. Down went the PBX, down went the phone system and the email servers. Remote workers (I was in California) were massively impaired. Worse, incoming phone calls simply rang and rang; incoming email messages bounced back to the sender.

With that storm, electricity was gone for more than a week, and broadband took additional time to be restored. You’d better believe our first order of business, once we began the recovery phase, was to move our internal Microsoft Exchange Server to a colocation facility with redundant T1 lines, and move our internal PBX to a hosted solution from the phone company. We didn’t like the cost, but we simply couldn’t afford to be shut down again the next time a storm struck.

These days, the answer lies within the cloud, either for primary data center operations, or for the source of a backup. (Forget trying to salvage anything from a submerged server rack or storage system.)

Be very prepared

Are you ready for a disaster? In a February 2017 study conducted by the Disaster Recovery Journal and Forrester Research, “The State Of Disaster Recovery Preparedness 2017,” only 18% of disaster recovery decision makers said they were “very prepared” to recover their data center in the event of a site failure or disaster event. Another 37% were prepared, 34% were somewhat prepared, and 11% not prepared at all.

That’s not good enough if you’re in Houston or Bangladesh or even New York during a blizzard. And that’s clear even among the survey respondents, 43% of whom said there was a business requirement to stay online and competitive 24×7. The cloud is considered to be one option for disaster recovery (DR) planning, but it’s not the only one. Says the study:

DR in the cloud has been a hot topic that has garnered a significant amount of attention during the past few years. Adoption is increasing but at a slow rate. According to the latest survey, 18 percent of companies are now using the cloud in some way as a recovery site – an increase of 3 percent. This includes 10 percent who use a fully packaged DR-as-a-Service (DRaaS) offering and 8 percent who use Infrastructure-as-a-Service (IaaS) to configure their own DR in the cloud configuration. Use of colocation for recovery sites remains consistent at 37 percent (roughly the same as the prior study). However, the most common method of sourcing recovery sites is still in-house at 43 percent.

The study shows that 43% own their site and IT infrastructure. Also, 37% use a colocation site with their own infrastructure, 20% use a shared, fixed-site IT IaaS provider, 10% use a DRaaS offering in the cloud, and only 8% use public cloud IaaS as a recovery site.

For the very largest companies, the public cloud, or even a DRaaS provider, may not be the way to go. If the organization is still maintaining a significant data center (or multiple data centers), the cost and risks of moving to the cloud are significant. Unless a data center is heavily virtualized, it will be difficult to replicate the environment – including servers, storage, networking, and security – at a cloud provider.

For smaller businesses, however, moving to a cloud system is becoming increasingly cost-effective. It’s attractive for scalability and OpEx reasons, and agile for deploying new applications. This month’s hurricanes offer an urgent reason to move away from on-prem or hybrid to a full cloud environment — or at least explore DRaaS. With the right service provider, offering redundancy and portability, the cloud could be the only real hope in a significant disaster.