The pandemic of 2020 thrust emergency preparedness and readiness to the forefront of business owners’ minds. On this week’s episode of The Playbook, host Mark Collier, area director for the UGA Small Business Development Center, sits down with Mark Lupo, former Business Education and Resiliency Specialist at the UGA SBDC. Today, Lupo discusses his new role with the University of Georgia and shares his wealth of knowledge on the very important topics of preparedness and business continuity.
Transcription:
Mark Collier:
Welcome to The Playbook, Mark.
Mark Lupo:
Thanks Mark. Good to be here.
Mark Collier:
All right. I’ll tell you what man, prior to 2020, most businesses did not think about emergency preparedness. They did not think about resiliency unless they lived on the hurricane belt.
Mark Lupo:
Yeah. Right.
Mark Collier:
But the pandemic changed all that and it thrust these very important topics to the forefront. So before we jump into that though, you recently transitioned from our organization, UGA SBDC, to the University of Georgia, Carl Vinson Institute of Government. Why was that? And tell me a little bit about your current role.
Mark Lupo:
Yeah, it was a challenging decision. The University of Georgia’s had an ongoing cybersecurity initiative for the past four and a half years. It’s now known as CyberArch. And I was involved with that since 2017.
Mark Collier:
All right.
Mark Lupo:
Over the past two years with the pandemic ongoing, some of the courses that I was working with, the Grow Smart course, was on hold. And so, I had more of an involvement with the CyberArch program. And then over the past year, what University of Georgia decided to do, was to scale that program up-
Mark Collier:
Okay. Very good.
Mark Lupo:
To reach more communities across the state. And so, because of my involvement, I had some extra time, I took more of a lead role in developing and coordinating how that’s going to look, going forward.
Mark Collier:
Okay. No, that’s important work, not only for the university in protecting their cybersecurity interests, but also the small business community at large.
Mark Lupo:
Right. It is. It’s essential these days. Not only for the natural threat, but cybersecurity as well, which I think we’ll dive into in a little while.
Mark Collier:
Absolutely. All right. So Mark, in your experience, why should a small business consider preparedness and business continuity as a priority?
Mark Lupo:
Right. So as we’ve seen, as you mentioned with the pandemic, that really brought it to the forefront. It’s one of those threats that businesses could face in the future. Some have called… The pandemic is more an incident without precedence, for most of us because we’ve not experienced that.
Mark Collier:
That’s right.
Mark Lupo:
So for businesses moving forward, whether it’s a natural disaster such as hurricane, wildfires or ongoing pandemic threat, or cyber issues, it is essential for business really, just a price of doing business now. We see, in order to be prepared for that next eventuality.
Mark Collier:
No, I think it’s prudent to be in a proactive mode as opposed to a reactive mode. So doing the stuff on the front end is important. All right. So what are the three most helpful tips you’d give a small business owner about setting up an emergency preparedness plan?
Mark Lupo:
Right. Most business owners right now, they face challenges, daily.
Mark Collier:
Yes. Absolutely.
Mark Lupo:
Regardless of whether there’s some major impending disaster. It’s just making payroll. So disaster preparedness really, is not as high on the front burner maybe as it could be, because they’re dealing with other things. But for three simple steps, FEMA, Department of Homeland Security had several years-
Mark Collier:
And FEMA, just for people who aren’t familiar with the acronyms, that stands for…
Mark Lupo:
Federal Emergency Management Agency.
Mark Collier:
Very good. All right.
Mark Lupo:
Right. So there’s a website ready.gov, that individuals can go to for all the assistance, but really they had three steps. Build a kit, make a plan, stay informed. It’s just a very simple, three step process.
Mark Collier:
I like it.
Mark Lupo:
And building a kit is just, preparing for food and water access, in the event power goes out, can’t get to the grocery store, whatever. At least three, now recommending seven days’ worth of food, nonperishable food and water in the kit. And then, make a plan. Understand, if cell phone service went out, how would you reach your kids?
Mark Collier:
Absolutely.
Mark Lupo:
Or your employees, if it’s within a business, or it’s your customers, if they need to access information about your business and how they’re going to reach services.
Mark Collier:
That’s a key component of this, because we take communications for granted. We pick up our cell phone, we expect it to work. We expect to reach out. But if those communications ceased, you got to have some adequate measures in place so that communication can continue follow—
Mark Lupo:
Right, yeah. Redundant systems, whether it’s just as simple as going to a Facebook page, putting information out like that.
Mark Collier:
Okay. All right. So let’s talk about, get a little bit more granular. Tabletop exercise, tell me about that and why should a business consider conducting one.
Mark Lupo:
Yeah. Tabletop exercise again, with DHS, FEMA. If you’re working with emergency management, these can get real involved in law. What we’re talking about for small business is a much simpler process. It’s really just getting the key players in an organization together, around a table, kind of what it says, a table top. And then presenting a certain scenario. So let’s say it could be as simple as, “Okay, so we’ve developed a plan. We think this is what we’re going to do. How we’re going to respond in the case of a fire.” But then we say, “Okay, so there’s a fire over here in a waste basket in this room. How do we respond?” We just start talking through that.
Mark Collier:
Is it actual verbal exercise or is it a physical exercise? Are you moving through the-
Mark Lupo:
Tabletop would be just verbal, and saying, “Okay, so in our plan, we’d say, we’re going to exit this door. We’re going to go out of the building. We’re going to have a rally point here.” The tabletop helps us think through those issues. And what’s important is to include public safety. This is a key element for small business, to build that rapport with the fire department, law enforcement, those that would be responding and to get the actual, the fire station that would be responding to your business, to have them sitting at the table. So when you say, “Yeah, we’re going to go out this door.” And they say, “Really, you probably need to go out this other door. And instead of going over here at this rally point, we’re going to be parking our trucks there when we come in. You might want to think about this other location.”
Mark Collier:
No, that makes perfect sense. You really want to think through all of the eventualities or options that you have, to make sure you’re making the most informed decision you can.
Mark Lupo:
Right. So you develop the plan, you go through a tabletop, just to see how that works with public safety there. And then you modify that plan going forward, based on the feedback you get. And then you move to more of a walkthrough, where you actually walk through what you’re going to be doing.
Mark Collier:
Right. That’s like the old fire drills we all did as kids in school, right?
Mark Lupo:
That’s right. Yep. Sure is.
Mark Collier:
All right. So let’s talk about another role, financial preparedness. What role does that have in business continuity?
Mark Lupo:
Well, I tell you, so important, which we have just seen through the pandemic. Having cash available, which is tough for small businesses, to have extra cash set aside that’s not being used, that temptation to reinvest it in the business or pay down some debt. There’s a great book by Jim Collins, called Great by Choice. And one of the three elements that he mentioned for successful entrepreneurial businesses is, leading above the death line is the way he calls it. And it has to do with mountain climbing and you get above a certain elevation, the foliage and all is not able to survive. He uses that analogy to discuss financial resources available for businesses. So in the event of a disaster situation, which would be considered say, above the death line, you need to have those pockets of cash available that you can reach in and use to survive. And those that have that cash available are able to survive when others aren’t.
Mark Collier:
No, that’s a good point.
Mark Lupo:
Which then increases the ability to increase market share afterward.
Mark Collier:
Right. I’ll tell you what, that underscores the old adage, cash is king.
Mark Lupo:
It is.
Mark Collier:
And not only in business operations, but the business preparedness as well.
Mark Lupo:
It is. And the SBDC, the ability to go into and work with an SBDC consultant, to develop financial projections is so important to help build some of that financial preparedness.
Mark Collier:
Absolutely. Well, let’s shift gears a little bit and talk about cybersecurity, your new role. It’s a topic that has become much more significant in recent years for many different reasons. And it can be a concern for businesses both large and small. So what do you say to a business owner when they express that their business may be too small, doesn’t have anything that a hacker may be interested in? How do you respond to that?
Mark Lupo:
Yeah. And that is a very common misconception with small business owners. I think back to a time in the army where there were direct threats and indirect threats. So if you’re going through the bush and there’s a possible ambush, somebody’s really targeting you specifically. Whereas if you’re walking and you cross a minefield, you just happen to step in the wrong place, possibly. Same with cybersecurity. There are those out there, organizations that want to penetrate your organization directly. They might not be after you, but they want to get into your supply chain. They want to figure out how they can monetize any of the information you have or with organizations that you’re connected to.
Mark Lupo:
So that’s one. The other is the minefield. You just happen or one of your employees just happens to go to a website that they shouldn’t have. And they’re so sophisticated now, that someone might not even know that they’ve gone to a website that they shouldn’t have. Malicious software is downloaded on the computer and now they’re just capturing any kind of access that you are using to your bank account, to your vendors. And so, for small businesses, it’s not necessarily the data you have. It could be, but it’s more how they can use that data or your connections to continue to expand their infiltration into a system.
Mark Collier:
That’s a very important point. So small business owners have to look at it from the vantage point of, okay. It’s not just my data that could potentially be harmful. It’s what they can do with the data that they access, that could potentially harm vendors, suppliers, or other people within my sphere of influence.
Mark Lupo:
That’s right.
Mark Collier:
Okay.
Mark Lupo:
Yes. Most definitely.
Mark Collier:
All right. There’s so many tactics you can do to protect yourself from cyber attacks. What do you suggest as the top five things, or action steps, that business owners can do to hopefully strengthen their cybersecurity practices?
Mark Lupo:
I was talking with someone recently and that was one of the comments, it’s so overwhelming when you start thinking about the threats that are out there. But if you’re looking at just five simple things that you could do, really don’t cost anything to do these days. The first is, prevailing wisdom is to obtain a digital password manager. One of the apps, one of the platforms. You can go online say what’s the best password manager in 2022, 2023. And that information will be provided and you can start seeing some of the same platforms identified.
Mark Collier:
Understood, all right.
Mark Lupo:
Our human brains just aren’t able to really retain the sophistication, the complexity of passwords that are required these days, as well as not repetitive, not repeating those passwords across multiple platforms.
Mark Collier:
Good point.
Mark Lupo:
So we do need to leverage the password manager technology. And that was a concern of mine was, well, if someone ever breached that password, they would have access to all my passwords. But those digital password managers are more secure even than writing down your passwords or trying to remember certain passwords, because we’ll have a tendency to try to repeat those passwords just to remember.
Mark Collier:
Oh, absolutely.
Mark Lupo:
Okay. So that’s first thing. Second thing is, once you get that set up, go ahead and change at least two passwords. Just on a pilot program, into a sophisticated, complex password of probably 15 to 20 characters.
Mark Collier:
Wow. Okay.
Mark Lupo:
Try that and just get comfortable with that process. And usually one will find that they want to continue that with other passwords. Third would be, change your username if possible. Many times a website will default to using our name or our email address as our username. That can be easily picked up off of social media. So if they’ve gathered the username off social media, they’re halfway potentially, to breaching that website. Fourth and probably one of the more important ones is, setting up multifactor authentication.
Mark Collier:
That’s one of my favorites.
Mark Lupo:
Two factor authentication.
Mark Collier:
That’s one of my favorites.
Mark Lupo:
Yep. Microsoft has said, that will decrease the ability of someone to penetrate that or break, that hack that credential access, by up to 99%.
Mark Collier:
99%.
Mark Lupo:
Right.
Mark Collier:
So that’s how important that is. Wow.
Mark Lupo:
So important. And it’s not just for our banks. It’s for business owners, it would be for QuickBooks. It would be for Facebook pages, Twitter, Instagram, as many sites, Amazon, as many sites as possible, to set up MFA so that you would be getting that prompt or the text message, prior to someone accessing the site. And if you ever do get a prompt and you know it wasn’t you, then you just decline that and you know somebody’s breached your credentials there. And then fifth is, create an effective backup.
Mark Collier:
All right. Yeah.
Mark Lupo:
So you got your data backed up so that it is, in the event that something does happen, that you can always access it. And one tip is, just keep everything up to date, all the software up to date as much as possible.
Mark Collier:
Very good. Mark Lupo, Business Education and Resiliency Specialist. Now at the University of Georgia, Carl Vinson Institute of Government. I just want to thank you for taking time out of your busy day, to come in and just come impart some very, very important tips and tricks that business owners can utilize today, to help improve not only their resiliency, but their cybersecurity efforts.
Mark Lupo:
My pleasure, Mark.
Mark Collier:
All right.