Why I Decided to Address MultiFunding’s CyberSecurity

As we went through the process of picking a vendor, I learned that our situation was even riskier than I’d thought. The security risk of employees using personal devices made us more susceptible to malware, phishing attacks, and hacking.

If you think about it, there are always risks in our businesses that we hope and pray will not blow up on us. If your business relies heavily on selling on Amazon, you know that it could change the rules one day, and you’d be in trouble. It’s the same if your business depends on Google’s search algorithms. Or if your business has a concentration with one big client. Being an entrepreneur is, by definition, about taking risks. The question is which ones you choose to accept and which ones you try to mitigate.

At MultiFunding, we have lagged behind in our IT systems and controls. We have known this for a long time. And yet, despite the reality that we were working with a lot of sensitive customer financial information, fixing our IT was always one of those priorities that kept getting kicked down the road. But I always knew that I would have no one to blame if we had a ransomware attack. Eventually, I decided that I wanted to be able to look my team and my customers in the eye and tell them honestly that we had done everything we could to avoid such an attack.

The first step in the process was hiring a director of operations to focus on—among other responsibilities—getting us through the process of protecting our systems and securing our data. His first priority was to pick a vendor to handle the grunt work. If I hadn’t hired him, we would have kept postponing the project. No one else had the time to dig in.  

Why We Were Where We Were

Like many businesses, we had bootstrapped for the first several years, cutting corners to save a dollar here and time there. Our bootstrapped state, which is not atypical for young companies, is the main reason our team members had always worked on a mixture of personal laptops and company-issued devices. This, of course, put us at a higher risk of a data breach. When company business is conducted on a machine that an employee uses personally, the risks go way up.

Going forward, we knew we would need an effective way to house and archive information, meaning we needed an intranet, an internal website to serve as a library for documents and data. We would also need more secure ways to collaborate internally and externally. We had been operating on Google Workspace, which, in evaluating alternatives, I learned had fewer security features than Microsoft 365 and more limited integration with tools and platforms that Google does not own.

As we went through the process of picking a vendor, I learned that our situation was even riskier than I’d thought. The security risk of employees using personal devices made us more susceptible to malware, phishing attacks, and hacking. A data breach could lead to a large leak of personally identifiable information and jeopardize our reputation. Plus, any cyberattack would likely result in legal fees, customer compensation, and loss of revenue caused by a loss of confidence and trust.

We Needed to Outsource

We assessed our IT needs based on our risks and consulted with several local IT companies. In evaluating these companies, we focused more on the integrity and reputation of the vendor and less on the price. We considered customer service ratings and the experiences of other businesses.  

All of the vendors we met recommended switching from the Google platform to Microsoft 365. Where we found differences among the vendors was when we evaluated customer service ratings, monthly service costs, and hardware management. Some vendors proposed an agreement to charge hourly rates for support instead of a flat rate technical support model. There was a moderate difference in price among vendors. 

Ultimately, we picked ChristoIt, a local firm whose CEO serves on the board of my Philadelphia EO chapter. The firm has experience working with companies our size and understands our business model. It felt like we were in their sweet spot and would be an important client for them. They presented a compelling business case that they could migrate our data and better protect us going forward to partner with them to protect our information and data.

The investment has been considerable for us. The data transfer charge was about $20,000, and the new equipment cost about $15,000. Going forward, we will pay about $220 per head monthly, which includes service agreements—support hotline, administrative duties—and Microsoft subscription costs.

Where We Are Today

We have implemented a firewall solution to safeguard our network against cyber threats (viruses, spyware, hacking, etc.) We have migrated from Google Workspace to Microsoft 365 for improved email and data protection, including offering automated email encryption for enhanced security involving emails with personally identifiable information. We have Installed advanced antivirus and anti-malware software to prevent malicious attacks.

The process took a few months, and despite a few minor hiccups and some disruption for team members who weren’t excited about all of the changes, everything settled down within a week of flipping the switch to Microsoft Outlook. 

Can We Get Cyber Insurance Now?

Of course, nothing is perfect. This is why our next step will be to obtain cyber insurance. This lengthy process starts with an application that has to prove that we now have the proper systems and controls and an administrator to oversee compliance. Employee training, data backup, and multifactor authentication are required. As always, the devil is in the details, and there is a lot we still need to learn about cyber insurance, including its cost and practicality. I look forward to sharing more as we proceed.