Part three Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Part 1 of this blog described the risks posed to micro businesses and similar-sized nonprofits from a cyberattack. Part 2 outlined a three-prong plan for developing a cybersecurity plan for your organization – starting with identifying the organization’s mission-critical assets and protected third-party data, and assessing your organization’s risk level. This part concludes by describing the core elements of an effective cybersecurity plan.

Step Three – Implement a Cybersecurity Plan

The final step of a cybersecurity strategy for your organization is to implement a cybersecurity plan. The specifics of the plan will vary, depending on the outcome of the first two steps discussed in Part 2. However, all organizations will find that their cybersecurity plan must be applied consistently over the long term to afford them maximum protection, and every plan should focus both on preventing a successful cyberattack and on mitigating its consequences if one occurs. Finally, the most effective cybersecurity plans recognize that aggressive use of available software technology must be balanced and supplemented with ongoing training.

Password Protection & Data Management

Multifactor Authentication

One of the most obvious risks to your organization is unauthorized use of a password to gain access to your LAN, website, email or internet-connected devices. As discussed in Part 1, most cybercriminals need access to your network to steal or corrupt your organization’s data or software applications. While this may be changing, network access is often achieved by providing the correct password, and of course, if the password is stolen, compromised, easily guessed, or left in an insecure location, your organization is vulnerable.

You can address some of these risks by changing passwords regularly, using complex generated passwords, not using the same password for multiple websites, using a password vault or other policies designed to make it harder for a password to be compromised. However, a more effective solution is to require multifactor authentication for all devices that access your organization’s website or local area network (LAN).

Multifactor authentication requires both a password and a correct response to a challenge sent to another internet-connected device – usually a smartphone – that has previously been registered to the person who is seeking access. Taken together, this should mean that even if the password is stolen, as long as the cybercrook doesn’t have access to the secondary device receiving the challenge, the organization’s LAN or website cannot be accessed. Multifactor authentication is available for major email and network services, and it has already become a standard feature for most business and government network security. Of course, these security efforts are more easily defeated if you or others use easily guessed passwords (e.g., “password”, “password 123”, “12345” etc.) or fail to keep the secondary authentication device (smartphone or laptop) secure.

Multiple levels of security within the organization and data encryption

A second method to strengthen cybersecurity is to require additional levels of password protection within the organization’s LAN for sensitive PII or mission-critical data. This is likely to become more important as the organization expands and adds employees, volunteers or contractors. Examples of data that might require an additional level of security include employee social security numbers, customer bank or financial account information, and health records. Requiring a second level of password protection for this information is the “digital equivalent” of locking a filing cabinet or desk drawer to discourage intentional or inadvertent access to information that should be limited to a specific group within your organization.

An additional approach that should be taken, particularly if your organization holds protected PII such as financial information, is to encrypt sensitive data that is maintained on the organization’s local devices or in the Cloud. Common email services and many operating systems and Cloud-based storage products offer the option of encrypting files, folders or even an entire hard drive or network. Of course, data encryption will protect against unauthorized use or disclosure of the encrypted data only if you have properly protected the password or “encryption key” that is used to decrypt the data.

Screen locks and time outs

Laptops, desktops, smartphones and other devices all contain options to “lock” access to the device if it is left unattended for a few minutes. Particularly for mobile devices or for any device used by individuals working in an open office environment, enabling this feature is a simple and highly effective way to guard against unauthorized access to the device.

Minimize and reduce access points to sensitive data.

This might seem obvious, but all things being equal, the more places you store sensitive personal data, the greater the likelihood that data will be accessed and compromised in a cyberattack. Having at least one off-site backup of the organization’s critical data and software should be part of an effective overall cybersecurity plan. Yet because of the popularity of automatic Cloud backups of email and computer drives, such as Google Drive, Apple’s iCloud Drive, Microsoft OneDrive and many others, it is not at all uncommon to find that at least some of the organization’s data has been stored in multiple locations. At some point, multiple storage sites can greatly complicate the organization’s cybersecurity plan and add the unnecessary burden of maintaining all of the locations where sensitive PII is stored. As part of your development of a cybersecurity plan, you should consider whether the added benefit of storing the data – particularly sensitive PII – in multiple locations is worth the risk. While Cloud-based storage is relatively secure, most can be compromised and accessed with a password – or, best case, a password and some form of multifactor authentication.

A related point that should be considered is whether your organization is only keeping the sensitive PII that it actually needs. Storing multiple backups that are not regularly monitored, particularly on multiple local devices such as desktop and laptop hard drives, can greatly complicate efforts to properly handle sensitive data. For this reason, when you are assessing the need for multiple backup storage for the sensitive PII your organization keeps, you should also develop strategies and procedures for periodically reviewing that data to determine if it can be deleted when no longer needed.

Promptly Update Software and Applications

No application or software is “hack proof.” Over time, cybercriminals learn new ways to access and plant malware in even the most carefully constructed software. It literally is a “cat and mouse” game played between the software developers and cybercriminals. In recognition of this reality, reputable software companies work hard to identify vulnerabilities in their software and create updates (security patches) to eliminate them. Of course, these security patches work only if they are promptly downloaded and installed on all digitally connected devices that access your network. Therefore, a critical part of all good cybersecurity plans is to download and promptly install security patches as they become available. Most software and applications that run on computers and smartphones contain an option either to automatically update the program or at least to provide you notice that a new update is available for installation. Generally, these options should be enabled.

Web-traffic Encryption – Virtual Private Networks

Information (data) is transmitted over the internet using wires (such as an ethernet or fiber-optic cable) and wirelessly over the air (through your wireless modem or smartphone hotspot). While most data transmission is secured (meaning that the information is encrypted before it is transmitted over the internet), public networks or websites that do not encrypt data allow cybercrooks to easily intercept and “listen in” on the communication. The federal government’s cybersecurity watchdog – CISA – has downplayed the risk of this type of attack. However, one study conducted in late 2016 found that 28% of the public Wi-Fi “hotspots” (at airports, coffee shops, etc.) were unsecured.

So, how do you tell if you are communicating over an encrypted connection? When you navigate to a website, look at the address bar of your web browser. If it begins with “https” you can be at least somewhat confident that your data is being encrypted as it is transmitted over the internet. However, if it says “http” the data is not encrypted, and it can be intercepted and easily read by anyone unless you take additional steps. Many web browsers will warn you when you are communicating over an insecure connection. As a matter of good cybersecurity practice, these sites should be avoided, particularly if you have not implemented the second level of encryption that is discussed next.

Only accessing sites with the “https” designation will greatly reduce the risk of a cyberattack using wireless networks. However, it is not foolproof. Unfortunately, even an “https” connection can be defeated through a process known as SSL stripping. Here an attacker positioned on the network between you and the website intercepts the connection and removes the encryption protocol, in effect downgrading your communication from “https” to “http” without your knowledge.

For this reason, if your organization relies on wireless networks or if you and others often work remotely using public Wi-Fi, you may want to consider using virtual private network (VPN) software. VPN software can run on a single local computer, a LAN, or on a digitally connected device such as a tablet or smartphone. Once installed and activated, most VPN software offers two additional levels of protection for internet access.

First, it masks the originating address of the communication, making it difficult for a cybercriminal to determine what network is being accessed by the user. This is done by causing the transmitted data to go from the computer to the VPN provider’s server before it continues on through the internet to the destination website. For many, this feature of a VPN is most important because it may offer a higher degree of privacy, making it more difficult for websites or government entities to track web browsing activity.

However, there is a second advantage to a VPN. VPN communications between you and the VPN provider are encrypted. In other words, even if a cybercrook is able to “strip” the “https” encryption, they will only be able to see data that has been encrypted using the VPN program. No technology is completely secure from cybercriminal hacking or “eavesdropping,” but a VPN connection provided by a reputable provider is very secure, and it’s a relatively inexpensive way to guard against this type of cyberattack.

If you decide a VPN is a worthwhile investment, VPN software is offered by a number of private companies, and it is important to pick one that best meets your needs. You will need to do some investigation and find articles that evaluate VPN providers and offer advice on how to pick a provider best suited for your organization’s needs, but keep in mind that some of these articles focus more on privacy (the first advantage of a VPN) rather than your organization’s objective — defeating a cybercrook’s attempt to intercept and read the data being transmitted. For your organization, the primary concern may be the number of servers the VPN provider has and the speed and capacity of those servers. This is important because once the VPN is activated, all of your communication over the internet must pass through your VPN provider’s server. If the provider does not have sufficient network capacity, the speed and reliability of your internet connection will be significantly reduced.

Addressing “Human” Vulnerabilities

It would be nice if you could protect your organization from cybercrooks just by buying additional software. Unfortunately, relying on software is at best just half the solution. The other half is dealing with the “human” side of cybersecurity. The reason is simple: even the most robust software technology can be defeated or rendered useless by bad actors inside the organization, by a failure to properly use the cybersecurity software tools that are available, or simply by a failure to recognize a cybersecurity attack. This section focuses on ideas for reducing your organization’s human vulnerabilities to a cyberattack.

Background checks for those who access the network.

Obviously, you want your organization to grow and become more successful, but as that happens it becomes more important to know who has access to your connected devices and data. A good cybersecurity plan should include a set procedure for conducting background checks on all prospective employees. This should include criminal record checks and credit checks, as well as verification of employment and education. Even if you are the only “employee” in the organization, the same considerations apply to others such as vendors, customers or volunteers who have access to your organization’s network. Of course, your background check may not be as extensive as what you would use if you were evaluating a person for employment, but depending on the nature of the contact, the role the individual or entity will play, and the level of access to your organization’s data, you will want to know enough about the individual’s background to feel reasonably certain they will not put the organization’s data or its connected devices at risk of a cyberattack.

Implement cybersecurity policies and procedures.

Even if you are a sole proprietor or the “staff of one” in a local nonprofit, it is important to consider and implement common sense policies and procedures to minimize the risk that your organization will fall victim to a cyberattack. Items to consider include:

  • Setting a schedule to regularly check all critical software for security patches, and immediately installing critical security patches when notified by a software provider.
  • Developing a policy to create robust passwords and to regularly change passwords.
  • Avoiding loading any personal software or email on a computer or other device connected to the organization’s network.
  • Avoiding use of the organization’s email address for personal communications.
  • Installing screen password locks on all of the organization’s desktops, laptops and tablets.

Admittedly not all of these policies will be popular, and like many things in life, you may decide that the level of risk your organization faces does not justify implementing some of them. That of course is up to you as leader of the organization. However, before making any final decision, consider whether some or all of these steps may be mandated by clients, customers or suppliers with whom you are dealing.

Educate yourself and everyone who has access to the organization’s digital resources.

Hopefully one of the things you have learned from this blog is that the cyberattacks on businesses, organizations and government have continued to evolve to counter efforts to make software and networks less prone to attack. This will certainly continue. For that reason it is important that you commit to remain up to date on evolving cyber security risks. Fortunately there are a number of resources available to assist in that task. Two are listed below:

You also should consider ongoing training and reminders for employees or others who regularly access your network. Here you might want to use resources developed specifically for that purpose:

Develop a Cyberattack Recovery Plan

You may find this part to be discouraging. After all, if you have taken all of the previous steps to protect your organization from a cyberattack, it’s sobering to think that you still aren’t protected. Of course, that’s not true. By implementing the previous steps you will have made it much more difficult for a cybercrook to access or disable your network, or to steal data. However, just as the best physical security and alarm systems don’t provide 100% protection against the risk of theft or loss, even the best cybersecurity strategies can be – and are – defeated each day. Just as you take steps to deal with that reality for your physical assets, it’s important to consider how to deal with a successful cyberattack as well. Here are three ideas you should consider.

Offsite Secure Backups

Earlier, in developing your cybersecurity plan, you identified the “critical” data and applications that are needed to operate your organization. As part of your Plan, you need to arrange for these critical items to be regularly backed up and securely stored in a safe location. How often you decide to back up the data will vary, but obviously data that is added after the backup likely will not be recoverable, so it may make sense to back up daily or at least weekly.

Nearly all major software providers offer the ability to back up data to remote “Cloud-based” servers. Some providers offer the ability to automatically back up data on an hourly, daily or weekly basis, together with the option of accessing earlier backup versions. This last feature can be useful if you are concerned that an “infected” file may have been downloaded onto your network or computer prior to your last backup. Of course, there is always a possibility that your automatic backup system may not initiate for some reason, and as part of your Plan, you will want to periodically check to make sure the backups are occurring as expected, and that they can be accessed.

Develop a strategy to notify third parties of a cyberattack.

This step is most relevant for organizations that maintain sensitive PII (described earlier in Part 2), that have an ethical obligation (such as an attorney) to maintain the confidentiality of client data, or that have entered into a contract to maintain the confidentiality of third-party data. Organizations in these situations need to consider and include in their plan a procedure to document and update where third-party data is stored, and a method to easily identify the businesses or individuals that need to receive notice of a cyberattack.

Consider cybersecurity insurance.

It’s probably apparent at this point that a successful cyberattack might be an expensive proposition for your organization, not only from lost revenue but from third party claims for collateral damages as well. You likely insure against the risk of loss of your organization’s physical assets, so it may occur to you that insurance against losses from a cyberattack might be a good idea as well.

Many companies offer insurance policies for some losses incurred in a cyberattack, and for some organizations insurance can be part of a comprehensive cybersecurity plan. However, cybersecurity insurance may not be appropriate for all organizations, and as part of preparing the plan for your organization, you need to carefully consider the pros and cons before purchasing a cybersecurity insurance policy.

Cybersecurity insurance generally will insure your organization against some losses arising from interruptions to normal operations, the cost of notifying third parties of cybersecurity attacks, and the cost of defending lawsuits from third parties for damages arising from the event. However, these policies typically will not insure against losses arising from damage occurring from criminal activities by your employees or for the loss of physical or intellectual property resulting from a cyberattack.

You can begin determining whether cybersecurity insurance is right for your organization by talking with your insurance agent. Generally, organizations that store significant amounts of third-party personal information and those most at risk from business or operational interruption in the event their network is compromised will find cybersecurity insurance to be most useful. However, cybersecurity insurance is NOT a substitute for a good cybersecurity plan. Be aware that if you decide to purchase a policy, you can expect the insurance provider to demand that you institute the policies and procedures outlined in this blog as a condition for providing coverage. In other words, cybersecurity insurance provides an additional level of financial protection, but only after you have implemented a good cybersecurity plan.

Cybersecurity – Is It Worth the Effort?

These three blogs have outlined the risks to your organization of a cyberattack and the steps you should take to implement a cybersecurity plan to defend against an attack. Operating a business or nonprofit on a shoestring budget is extremely challenging and requires leaders to constantly set priorities and make trade-offs. Success often depends on not letting “perfect be the enemy of good enough,” and the amount of time and effort organizations need to put into their cybersecurity plan will vary. However, it is not an exaggeration to say that every organization needs to do something. You can confirm that by simply imagining how your organization could operate if your network, records, computers and even your phone all stopped working. Unfortunately, even for very small organizations the risk of an attack is significant, and the consequences of being unprepared likely will be catastrophic. While it is not possible to completely secure your digital assets, the steps outlined can significantly reduce that risk, and mitigate the damage in the event of a successful attack. For that reason, even for the smallest business or nonprofit, it’s worth the effort to implement an appropriate cybersecurity plan.

Part Two Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance

A Short Guide for Owners and Leaders

Part One of this blog explained the risks your organization faces from a cyberattack, describing the most common objectives and the primary ways cybercrooks attack microbusinesses and similarly sized nonprofits. You learned that successful cyberattacks often involve tactics that are designed to deceive, along with sophisticated malicious software, and that potentially any device that connects to the internet, or to your local area network (LAN), could be an entry point for a cyberattack.

While the risks posed to your organization by cybercrooks are real, and no solution will be 100% effective, there are several things you can do to greatly limit the risk posed by cyberattacks. The objective of this blog and the next one is to describe a strategy you can use to secure your organization against a cyberattack, and help you mitigate the damage done even if an attack is successful.

There are many good educational resources available online that provide specific guidance to assist in understanding how to spot a cyberattack, and more are being developed all the time. Examples include the resources offered by the U.S. Small Business Administration, the Federal Communications Commission and the Missouri Cyber Security Office, as well as commercial software providers such as Microsoft. In addition, resources published by the PCI Security Standards Council, the organization that works to secure the processing of credit and debit card payments, can help you identify ways to reduce this significant area of risk for many microbusinesses and nonprofits.

These tools and resources will be essential in implementing a comprehensive strategy for cybersecurity. However, implementing and using them effectively requires that you develop a comprehensive strategy that is tailored to address your organization’s unique vulnerabilities. The next two parts will describe one process you can follow to develop an effective strategy. By taking this approach, you’ll be able to make better use of the available tools and resources to address your organization’s cybersecurity needs and risks.

Part 2 – Developing a Cybersecurity Plan for Your Organization – Beginning the Process

Given the number of cybercrooks out there, and the many strategies used to carry out an attack, the task of securing your organization may seem daunting, and it is easy to become overwhelmed. One way to keep yourself on track is to break down the plan for securing your organization into three steps: Identify Critical Data; Assess Your Risk Level; and finally, Implement an Ongoing Cybersecurity Strategy.

Part 2 of this blog addresses how to identify your organization’s critical data and assess your primary risks and vulnerability to a cyberattack. Part 3 will discuss how to use this information to implement an effective cybersecurity plan that is tailored to your organization.

Step one – Identify Critical Data

This step may seem unnecessary, but overlooking it could sabotage your efforts to create an effective plan or cause you to spend far more time than is warranted working on issues that really do not constitute a substantial threat to the organization. The reason is simple: in order to mount an effective defense against a cyberattack, you must first know what data and applications need to be secured. For this reason, your first step in developing an effective cybersecurity plan is to evaluate your situation by asking two questions: First, what data and software are “mission critical” to the organization? And second, what “third-party data” do we store and retain that must be protected? Taking this step is critical because leaders of microbusinesses and similarly sized nonprofits simply do not have the luxury of unlimited staff and resources. They must focus their cybersecurity efforts on what is most important based on their unique situation.

Identify “Mission Critical” Information and Software Applications

Identifying what is “mission critical” to your organization requires a little bit of imagination, as well as some investigation. A good way to start is to imagine what would happen if you discovered one morning that your entire organization had been subject to a successful ransomware attack. You have just grabbed a cup of coffee, turned on your desktop or laptop, and were faced with this screen:

[Image: ransomware screen. This Photo by Unknown Author is licensed under CC BY-NC-ND]

You open your smartphone and tablet and find that they have the same message! This means you can’t access your documents, such as Word and Excel templates, customer lists, records and forms. Access to everything saved to a computer or stored online has been blocked. You really panic when you attempt to access your company email account and discover that it has also been hacked and the password has been changed!

Now, ask yourself, what information (data) is critical to the operation of your organization over the next day, the next week, and the next month? What “software” (apps, programs and applications) do you use daily to generate forms, invoices and correspondence in your organization? This likely would include things like customer lists, templates, custom business software, and a variety of transaction records. You’ll likely decide that some data and applications truly are “mission critical” (things you simply cannot operate at all without immediate access to) while others you could work around for at least some period of time.

One point to remember, though, is that your list likely will be different from the one another organization would prepare. For example, an architect or engineer’s ability to access work it performed for a client five or ten years ago may be the most important competitive advantage they have to gain repeat business for improvements or modifications to a project. On the other hand, that same data may be simply taking up space on another business’ computer hard drive.

Identify protected third-party Information.

Once you have identified the data and information critical to your organization’s operation, you then need to determine what data your organization maintains that relates to third parties (customers, suppliers, employees and independent contractors). The previous blog described ways cybercrooks use personal information to compromise computer networks and rob innocent third parties. For that reason, you need to identify data you have retained that could be exploited in a cyberattack to injure these third parties.

This third-party data is often referred to as personally identifiable information (PII). The Department of Homeland Security defines PII as any information that permits the identity of an individual to be directly or indirectly inferred. Sensitive PII includes social security numbers, driver’s license numbers, alien registration numbers, financial account and medical records, biometric data, or an individual’s criminal record.

Of course, it is important to identify what sensitive PII your organization has in order to protect others against losses from a malicious cyberattack. However, it also is important for your organization to do this because almost every state has enacted laws mandating disclosure to these third parties if your organization is the victim of a cyberattack that likely resulted in the disclosure of sensitive PII to a cybercrook. Missouri’s statute can be found here.

In addition, there are laws and regulations that impose requirements on specific industries, such as finance and health care. These will vary, but the risk to your organization is much the same: a failure to safeguard this third-party sensitive PII may lead to its disclosure, and in turn to a successful attack directed against the third party. To protect these individuals, your organization will need to notify them of the attack. Depending on the amount of information involved, this could be quite expensive and time-consuming. It almost certainly will damage your organization’s reputation.

While you may be able to quickly identify the types of sensitive PII your organization retains, determining where that information is located and stored can be a challenge. Most organizations have multiple devices (computers, tablets, servers, smartphones and others) that store the data locally. In addition, this information often also is stored remotely on devices maintained by third parties, in what has come to be known as “the Cloud.” Since data backups to the Cloud can be initiated automatically, you may find that there are multiple copies of sensitive information stored in multiple locations. Depending on your organization’s size – and most importantly whether it likely receives, maintains and stores sensitive PII – you may want to look into using specialized software that is designed to search out various locations to identify where your organization has stored sensitive PII, both on local devices and in the Cloud.
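To make the “search out where sensitive PII is stored” step concrete, here is a small locator script added as an example (it is not the blog’s own tool or any commercial product). It walks a folder, flags files containing plausible U.S. social security numbers and payment card numbers (the latter validated with the Luhn check so that invoice numbers are not mistaken for cards), and reports per-file counts; the sample files it scans are constructed inside the script.

```python
"""Minimal sensitive-PII locator (added example; constructed sample data)."""
import re
import tempfile
from pathlib import Path

# Two kinds of sensitive PII named in the post: U.S. social security numbers
# and payment card numbers (PANs). Regexes alone over-match badly, so each
# candidate is validated further before it is reported.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def plausible_ssn(area, group, serial):
    """Reject numbers the SSA never issues: area 000/666/900+, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return a list of (kind, offset) findings for one document."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(("ssn", m.start()))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", m.start()))
    return findings


def scan_tree(root, extensions=(".txt", ".csv", ".md")):
    """Map relative file path -> {"ssn": n, "pan": n} for files with findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue   # unreadable file: skip rather than abort the inventory
        hits = scan_text(text)
        if hits:
            report[path.relative_to(root).as_posix()] = {
                "ssn": sum(1 for kind, _ in hits if kind == "ssn"),
                "pan": sum(1 for kind, _ in hits if kind == "pan"),
            }
    return report


def demo():
    """Build a constructed folder tree and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            # one real-looking SSN plus one impossible SSN (area 000)
            "hr/payroll.csv": "name,ssn\nA. Example,123-45-6789\nB. Example,000-12-3456\n",
            # a 16-digit invoice number (fails Luhn) next to a Luhn-valid test PAN
            "sales/invoice.txt": "Invoice 1234 5678 9012 3456 paid by card 4111 1111 1111 1111",
            # a phone number: neither pattern should fire
            "notes/readme.md": "Nothing sensitive here. Call 555-123-4567.",
        }
        for rel, content in files.items():
            p = Path(root) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in demo().items():
        print(f"{path}: {counts}")
```

Point `scan_tree()` at a backup folder or a synced Cloud drive to get the inventory of locations that the notification procedure in Part 3 depends on.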

Step Two – Assess Your Risk Level

Once you have identified “mission critical” information and applications and the sensitive PII your organization holds, you can move to the second step of your cybersecurity strategy: assessing how well this information and these applications are protected from a cyberattack. Since a cyberattack is most likely to be launched by someone who is accessing the internet, a good way to begin is by examining how your organization interacts with the internet.

Inventory internet-connected devices

One place to start this effort is to catalogue the devices that can access the internet. Of course, this will include the desktops, laptops, tablets and smartphones the organization owns and maintains. However, that may only be the first step, and it may not include your most vulnerable access points for a cyberattack. For example, you or your employees may access the organization’s LAN remotely from a home computer, smartphone or tablet. You may also have granted customers, patrons or suppliers special access to your network resources. Each of these is a potential “point of access” for a cyberattack. As you develop an appropriate cybersecurity plan in Part 3 of this blog, you will need to take these devices and entry points into account as well as your LAN and the devices that are attached to it.

Addressing customer credit or debit card payment information

Most businesses and nonprofits must be able to seamlessly accept payments and/or donations with a credit or debit card. However, it is very important to understand what responsibilities your organization has assumed through its credit or debit card payment arrangements, and how that risk can vary depending on how the organization has structured its payment receipt system.

In 2004, the major payment card companies created the “Payment Card Industry Data Security Standard” – usually referred to as “PCI DSS.” The PCI DSS establishes industry standards for businesses and organizations that accept, transmit or store payment card information. This is not a federal or state law, although, as previously discussed, separate federal or state laws or regulations may require disclosure and create liability issues for your organization if PII is compromised in a cyberattack. Data Security Standards for PCI compliance vary depending on the payment brand (Visa, Mastercard, American Express, etc.) and the number and size of credit or payment card transactions. An organization that is not PCI compliant may lose the right to accept credit or payment card payments and, more importantly, face very substantial fines and penalties.

That said, most PCI compliance obligations are triggered only if the organization handles, transmits or stores credit or debit card information on its network. Fortunately, most small organizations can avoid many of the ongoing requirements to remain PCI compliant, and still offer customers or donors the convenience of using credit and debit cards, by using a payment card processor company. In a payment transaction these companies act as an “intermediary.” Once the transaction is initiated, the exchange of protected information (PII) is conducted on the processor’s network rather than the organization’s. The processor takes the payment card information directly from the customer and credits the organization’s account with the appropriate payment. Since the processor’s network handles the mechanics of the payment processing and stores that information as needed, the organization does not handle, transmit or store any protected data relevant to the transaction.

Of course, if your organization collects or stores payment data by some other means, such as requesting it directly from the customer or donor, that short-circuits the protection afforded by using the payment processor. It then must handle and secure the sensitive PII in accordance with the PCI DSS standards, and it potentially could be subject to significant economic fines and penalties if the sensitive PII it has stored is compromised through a cyberattack. For these reasons, organizations will want to be extremely cautious about collecting and storing any payment card information.

Cybersecurity and your organization’s website

Your organization almost certainly has some sort of “online presence,” whether it is through a commercial website provider or just a page on a social media site. As with other aspects of cybersecurity, your organization’s risk of a cyberattack will vary, and will depend in large part on the level of access offered to the public through the website. Additionally, in the case of a ransomware attack, how much your organization relies on its website to maintain day-to-day operations will determine how much the organization’s cybersecurity plan needs to focus on website cybersecurity. As a general rule, if your organization has a website, you’ll want to spend time understanding the cybersecurity risks associated with the site, even if you rely on a third party to prepare and maintain it for your organization.

The risk of a successful cyberattack through your website depends in part on the software and cybersecurity tools used by the company that hosts that site for your organization. Websites whose security software is regularly updated are at lower risk. However, if your website permits customers or users to upload any files or documents onto the site, you will need to be particularly diligent to ensure that those files are screened for malware, as this feature gives any cybercrook an opportunity to launch a malicious attack on the website. Additionally, if your website provider offers options to accept payment cards, you’ll need to assess whether it is PCI DSS compliant.

The Final Step

Now that you have learned what a cyberattack is and how it is carried out, determined what data and applications your organization needs to protect, and reviewed your organization’s unique risk profile, you are ready to focus on ways to protect your organization. This is the focus of Part 3 of this blog.

Part 1 Cybersecurity for Small (Micro) Business and Nonprofit Organizations: Striking a Balance


A Short Guide for Owners and Leaders

Inflation, supply chain issues, COVID, staff shortages, rising wages – and you want me to spend time thinking about cybersecurity?

Well, yes – you should – at least just a little. That advice applies even if it’s just you “pulling the levers” to keep your small business or nonprofit operating, and it applies even if you have outsourced all of your website, email management, and credit card processing to a third-party provider.

This is the first of a three-part blog specifically targeted to cybersecurity for very small organizations: owner-operated businesses with no more than 5-10 employees (sometimes called “microbusinesses”) as well as similarly sized nonprofits. This part (part one) will describe what a cyberattack is, how it is carried out and ways it can cripple or destroy your organization. While almost everyone understands that large businesses and the government are at risk of cyberattacks, in recent years cybercrooks have focused on smaller organizations, in part because these crooks know that you may lack a dedicated IT staff to defend against the attack. Cybercrooks assume your organization is “low hanging fruit,” but if you understand the risk and take some reasonable steps to address it, you can greatly enhance your organization’s ability to avoid or recover from a cyberattack.

Just because your organization is small does not mean it is less vulnerable to a cyberattack. Unless you are prepared, an attack can cripple your operations and do irreparable harm to your reputation. Microbusinesses already face challenges that lead 30% of them to fail within the first year of operation, and similar failure rates apply to nonprofits as well. As the leader of a small organization with limited resources, the time you spend securing your organization against a cyberattack, and preparing to recover from a successful one, could be critical to the organization’s survival.

Creating a strategy to address this risk doesn’t require a substantial amount of time, and once it is in place, effective cybersecurity is much like protecting your organization’s physical assets. You have locks on the doors and windows, perhaps even a security monitoring device or service to discourage criminal activity and alert you in the event of a break-in, and, worst case, you’ve insured as best you can against potential losses should those steps fail. Addressing cybersecurity is much the same, except that instead of physical assets (building and equipment) you are working to protect the information contained on your internet-connected devices and the software that keeps those devices operating.

With that in mind, keep on reading to learn more about the risks your organization faces, and how to protect it.

Part One: What is at Stake — The Risks of a Cyberattack

The purpose of cybersecurity is to prevent or limit damage to your operations from a cyberattack.

Cyberattacks can cripple your operations and put your organization’s viability at risk. A January 2023 article states that 43% of small businesses surveyed had suffered a cyberattack, and that cyberattacks are expected to cost 6 trillion dollars. This risk is not limited just to your organization. Even if you can quickly recover from a cyberattack, others can suffer significant harm. Confidential information relating to third parties that is stored on your network or computers can be stolen and exploited, or your “infected” network and devices can spread harmful programs to customers, donors and suppliers. In addition to badly damaging your organization’s reputation, it may face lawsuits, fines and penalties for failing to properly secure the information on the network and connected devices.

There are many types of cyberattacks, with confusing names and acronyms, and to make matters worse they are constantly changing and evolving as cybercrooks find new ways to achieve their goals. That said, to develop effective strategies to prevent or deal with a cyberattack it is useful to understand what a cyberattack is, what the attacker wants, and some of the common strategies used by cybercrooks that pose a particular risk to small businesses and nonprofits.

What is a cyberattack?

In these blogs, the term “cyberattack” means an attempt to gain unauthorized access to a digital network and/or to the physical devices that are connected to that network in order to steal information or to disable your operations by locking, corrupting or destroying critical data and applications.

A “digital network” is the mechanism your organization uses to transmit “data” (e.g., email, files, credit and debit card information, video or audio) from one physical location to another. The “internet” is a digital network with more than 5 billion users and, by some estimates, 50 billion devices that connect to it. However, the switches, routers and modems your organization uses to connect computers and other devices to servers and the internet are also a digital network. It is usually called a local area network or LAN. Unlike the internet, a LAN connects a limited number of devices with each other, and it most often acts as a gateway that some or all of these devices can use to access the internet. Typically, a cyberattack originates from a device located somewhere on the internet, and it succeeds by gaining access to your LAN or to one of its connected devices.

What physical devices need to be secured against a cyberattack?

An important point to understand here is that any device that is connected to your LAN (or to the internet directly) is at risk in a cyberattack. This of course includes desktop computers, laptops, network servers, switches and routers – but it also includes a smartphone or a tablet, smart appliances, surveillance cameras or sensors that are part of your alarm system or inventory control, perhaps even your wristwatch. All of these devices have the capacity to interact with and connect to your LAN and the internet, and thus all of them are at risk of a cyberattack.

What are the common objectives of a cyberattack?

Most cyberattacks are intended to achieve at least one of these goals.

Extortion –

According to a recent Forbes article, the most common cyberattack threat facing small business in 2023 is ransomware. As the name implies, in a ransomware attack the cybercrook attempts to load some type of malicious software onto your device or your LAN to encrypt the data or otherwise block access. In other words, the attack “locks you out” of your device – or all devices on the network. Once that is accomplished, the cybercrook demands a payment (ransom) with the threat that failure to pay will result in destruction of the data, or disclosure of the personal or financial information of the organization or third parties to other criminals. A derivative of this type of attack could involve theft of sensitive data or third-party information, again with the threat that the cybercrook will disclose it to criminals if the ransom payment is not made.

Theft –

Attacks of this type can take one of several forms; the first category is theft by deception. Here the cybercrook’s goal is to convince you that they are someone else and deceive you into sending them money or valuable information (e.g., credit card or bank account numbers – or passwords to protected networks). The “great-grandfather” of these types of attack is the infamous “Nigerian prince email” (send a relatively small amount of money to aid a Nigerian prince to gain access to a far greater sum that will be shared with the victim). Surprisingly, even though this ruse has been around for decades, it still is used to steal hundreds of thousands of dollars each year.

These types of attacks have greatly evolved over the years. More sophisticated versions used today involve false credentials and other nefarious approaches to impersonate a known person or business. These are used to trick the unsuspecting into sending money to the cybercrook. The attack is successful because the request itself seems reasonable, such as an email request from a finance officer to move funds, or a request for payment of an invoice from a trusted supplier. At times stolen emails are used, making it impossible to determine from the communication that it is illegitimate, unless the recipient decides to verify its authenticity by phone or some other communication. A second class of theft-by-deception cyberattacks seeks disclosure of valuable private information (e.g., credit card or bank account information, email passwords, etc.) rather than a transfer of funds.

Sometimes the objective of a cyberattack may not be money or data, but instead use of your computer itself. Cryptojacking is the most common objective of these attacks. Here the cybercrook seeks access to your computer or network so that it can use the hardware for “crypto mining” – solving extremely complex mathematical equations to create digital currency. While it may seem farfetched to you that your small organization might be subject to this type of attack, it should not be discounted. A 2021 report on cybersecurity threats prepared by Cisco found that nearly 70% of organizations studied had at least one computer that had been successfully “hijacked” for use in an illegal crypto mining operation.

This is not a victimless crime; unauthorized crypto mining can greatly reduce the efficiency and useful life of computers and related hardware and result in higher electricity bills. More troubling, since the cybercrook can only hijack your machine by placing software on it, these cyberattacks also usually involve other objectives, such as eventually triggering ransomware or stealing confidential data as well.

Monitoring and Exploitation –

This last category of cyberattack (monitoring and exploitation) typically is undertaken in advance of, or in conjunction with, one of the others, such as extortion or theft. However, sometimes the cybercrook’s initial goal is simply to gain access in order to eavesdrop and monitor your organization’s online activity. The individual behind the attack might just be a maladjusted “cyber-voyeur” who enjoys the thrill of breaking into and looking at things that are none of their business. On the other hand, news reports regularly surface stories of state-sponsored cyberterrorist attacks that target government websites for purposes of espionage. However, the greatest risk to your organization posed by this form of attack is likely to be that it allows the cybercrook access to confidential information that can be used and exploited at a later date.

How is a cyberattack carried out?

All digital devices use computer programs (drivers, apps, software, algorithms, etc.) to operate. These programs let us communicate via video or audio, monitor business inventory, transfer funds and process credit card payments, create and transmit email and text, and perform many other tasks that keep our organizations running. To achieve one or more of the purposes of the cyberattack, the attacker has to gain access and, in some cases, add a program or modify an existing program on the LAN or on a computer or other device that is connected to the LAN. These programs or program modifications are referred to generally as “malware,” and they include viruses, trojans, adware and ransomware.

You may think that this occurs only through highly sophisticated exploitation of a flaw in the device’s operating system, undertaken without any action on your part. However, while there have been successful attacks of this type in the past, readily available network and computer defenses make this much less likely today, particularly if existing software is regularly updated.

While the computer algorithm or “malware” used to implement a successful cyberattack may be complex, according to the 2021 Cisco report previously mentioned, 9 times out of 10 those algorithms were introduced to your computer or network by actions taken by you or someone in your organization! Further, while it is certainly possible for a cyberattack to be initiated by a disgruntled current or former employee with physical or remote access to your organization’s network, it is far more likely that access will be unwittingly granted simply by opening an attachment on an email, clicking on a link in a text or on a website, or simply replying to a seemingly legitimate request from a customer or colleague.

This method of attack is generally referred to as phishing (pronounced “fishing”), and there are many variations. However, the objective of all these attacks is to trick the recipient into taking some action that enables the malicious program to be downloaded so that the attack can proceed. The attack itself might pursue any one of the three objectives described above. There are many examples and derivatives of phishing, as well as sites that offer cues you can use to recognize and avoid them.

A second, less common but effective, means of launching a cyberattack can occur when the attacker intercepts and accesses a wireless network connection. This wireless connection could be the wireless modem used to connect devices at your place of business, or it could be the public wireless network at the airport, coffee shop or Walmart parking lot. In each case the cybercrook uses various means to cause your device to communicate unencrypted information, so that it can be read and later exploited.

Is there any way to defend against a cyberattack?

This blog is by no means an exhaustive discussion of the types of cyberattacks. There are others. However, those discussed are the most common ones small organizations face. The bad news is that these attacks continue, and are becoming more sophisticated. The good news is that with a little planning and thought you can greatly reduce your risk of becoming a victim.

Part 2 of this blog will describe a strategy your organization can use to develop a cybersecurity plan that will minimize your risks, and speed recovery even in the event of a successful cyberattack.

Office of Broadband Encourages Participation in FCC Challenge Process


Missourians have until January 13 to file challenges to newly released maps of broadband coverage to be considered when determining Missouri’s share of federal broadband funding. The Office of Broadband Development encourages Missourians to make sure their homes, businesses, and communities are correctly represented on the maps to ensure locations are eligible for funding and receive their fair share.

The FCC map will determine how much of more than $42 billion in funding will come to the state through the Broadband Equity, Access, and Deployment (BEAD) Program, a component of the Infrastructure, Investment, and Jobs Act (IIJA). In 2023, Missouri will use BEAD funding for its Connecting All Missourians initiative, which aims to provide high-quality internet to every home and business statewide.

Remember the FCC RDOF Auction? When is a “Funded Area” Actually “Funded”?


By Marc McCarty

Today I re-read my Blog from December 2020 about the winners of the FCC Rural Digital Opportunity Fund (RDOF) auction awards. It was an exciting time! Over $9.2 billion awarded — $346 million to Missouri providers that promised to connect nearly 200,000 Missouri locations to high-speed internet!

Twenty months later, while some Missourians now have the service available, many do not, and for some the connection promised by the funding will never come at all.

Why?

Part of the answer was described in the December 2020 Blog:

“Companies receiving awards are required to submit much more detailed information to the FCC throughout next year before their award is final. That information includes engineering data, deployment plans and financial data, and failure to submit it by the deadlines can result in forfeiture of the award.”

As this map shows, as we approach the second anniversary of the initial FCC award announcement, companies who won awards in the areas of the state shaded in yellow still have not been able to satisfy the FCC’s criteria to begin receiving funding. Those areas shaded in red represent locations where companies have “defaulted” and lost their chance for federal funding. This map does not include the latest disqualifications of “winning companies” — $885 million to Starlink (disqualified because it could not show it could deliver service to all locations at the promised speeds) and $1.3 billion to LTD Broadband (disqualified because it failed to obtain necessary state-issued licenses to offer internet service). LTD Broadband’s disqualification is particularly relevant for Missouri because it represents the majority of Missouri locations that had not been funded.

Of course, even in areas where the final applications for funding have been approved by the FCC, another reason many folks are waiting for broadband service is that the funding is spread over 10 years and the providers have 6 years to meet their obligation.

On August 15, the Department of Economic Development began taking applications for up to $265 million of state grant funding for broadband infrastructure, and Missouri likely will receive hundreds of millions of dollars more funding over the next few years through the Infrastructure Investment and Jobs Act programs.

Government officials are very concerned that this new funding does not go to areas already covered by another federal grant funding award. For example, under the DED program:

“project areas where high-cost support from the federal Universal Service Fund has been received by rate of return carriers, funding from the National Telecommunications and Information Administration Broadband Infrastructure Program, or where any other federal funding has been awarded to provide broadband service at speeds of 100/20Mbps will not receive Program funding.”

This of course, seems very logical. Why should the federal or state government pay twice for the same promised broadband access?

However, this logic breaks down when the promised federal funding is delayed for months or even years and then ultimately denied, or where the funded project cannot deliver the promised levels of broadband access.

This is a problem that is unlikely to go away. The FCC, NTIA and USDA (Reconnect) all have had funding programs in place over the past several years, with slightly different criteria for eligibility, requirements for connectivity levels, and build-out timelines. In some cases, the funding program did not require, and the provider did not commit to build out the locations to the current 100/100 Mbps or 100/20 Mbps standard.

Some of these issues can be addressed through a focused grant application and challenge process of the type DED has implemented. After all, providers that do expect to move forward with federal funding should be able to make that intent known. Further, in situations where “preliminary” awards were granted only to ultimately be rejected during an extended evaluation process – such as Starlink and LTD Broadband – the DED Broadband office has already taken steps to encourage applicants to make the case for funding through a new addition to its broadband program grant FAQ:

Questions added August 22, 2022:

Q31: The Federal Communications Commission today announced that it is rejecting the long-form applications of LTD Broadband and Starlink to receive support through the Rural Digital Opportunity Fund program, what does that mean for my broadband application?

A31: Due to the FCC rejecting the long-form applications of LTD Broadband and Starlink, areas within Missouri that may have been considered federally funded/awarded may no longer be considered federally funded. In the application, for Section IV Questions 13 & 13a, if your proposed service area was a previously funded area, but it is no longer, provide an explanation of how the area was previously awarded, and why that proposed service area is eligible for this Program’s funding.

Certainly, it also would be helpful if all federal agencies had more consistency in their requirements and process for funding programs, and more transparency to identify when an “awarded” area: (1) actually is reasonably likely to qualify for funding and (2) is building infrastructure capable of meeting modern standards for broadband service (100/100 Mbps or 100/20 Mbps).

Finally, it might be appropriate to consider more objective criteria for determining if an area that is unserved or underserved actually should be excluded because of a competitor’s challenge. For example, Ohio’s state grant program definitions exclude unserved and underserved communities from participation in its grant program only when a competitor’s network is actually under construction and expected to be deployed within 24 months. Likely there are other ways of addressing this issue, but for the sake of residents and businesses currently on the other side of the digital divide, solutions need to be found. For Missourians without access, it is little comfort to learn that they live in an area that cannot participate in new rounds of federal and state funding for broadband, because funding was promised but never provided in a prior award, or was used to construct infrastructure that doesn’t meet current standards. In either case, these folks are unconnected, with no realistic prospect of becoming connected, unless their homes and businesses are eligible to participate in future federal and state grant programs.

A Wrap-up – Broadband and the 2022 Missouri Legislative Session


The Missouri General Assembly closed out its regular session on May 13, 2022 (Friday the 13th). The General Assembly committed unprecedented amounts of new public investment in high-speed internet infrastructure. Yet, the amounts provided were substantially less than what the Governor proposed last fall and did not address some of the key objectives identified in his budget proposal. Aside from the appropriation, limited progress was made on other fronts as well, and these are discussed in more detail below.

The ARPA Broadband Appropriation

Much of the General Assembly’s work this session centered on the Governor’s American Rescue Plan Act (ARPA) spending proposals – a key component of which was spending for Broadband. Using federal money provided by ARPA, the Governor proposed a multipronged approach that included infrastructure funding (broadband access), adoption (digital skills training) and affordability. In this regard, the Governor’s proposal mirrored the approach of the Infrastructure Investment and Jobs Act (the IIJA) enacted by Congress last year and described in an earlier blog.

As shown in the following table, while the General Assembly provided funds for internet access, it did not approve funding for the Governor’s adoption or affordability proposals. Administration of the new grant funding program (as well as development of a 5-year plan to apply for and secure more federal funding from the IIJA programs) will be provided by Department of Economic Development’s Broadband Office (DED), which received $10 million of additional funding this session.

Program – Governor Parson’s Proposal (Missouri Department of Economic Development (DED)) – General Assembly Appropriation

Access (Infrastructure)
  Governor’s proposal: $250 million competitive grant program for locations lacking fixed wired or wireline service of at least 100 Mbps/20 Mbps
  General Assembly appropriation: $250 million

“Digital Literacy” (Adoption/Digital Skills)
  Governor’s proposal: $30 million in competitive grants to nonprofit and educational organizations
  General Assembly appropriation: Not funded

Affordability (Assistance for broadband subscription cost)
  Governor’s proposal: $30 million, which would fund an additional $10 per month benefit to households eligible for the $30 per month benefit provided as part of the IIJA’s Affordable Connectivity Program
  General Assembly appropriation: Not funded

Pole Replacement (supports fiber-on-pole deployment)
  Governor’s proposal: $0 (pole replacement costs could be funded through the broadband infrastructure grant program)
  General Assembly appropriation: $15 million

New Cell Towers for Wireless Access
  Governor’s proposal: $30 million
  General Assembly appropriation: $20 million

There are a couple of observations that seem relevant here:

  • First, while the amount of money appropriated for broadband infrastructure far exceeds previous funding, it will not be enough to provide broadband to every location in Missouri that needs it.

The Governor’s proposal was expected to be enough to connect approximately 75,000 households in the state. However, in a webinar presentation last month DED noted that a recently completed gap analysis showed that nearly 500,000 locations in Missouri lack broadband service at speeds of 100/20 Mbps (the new standard for “underserved” locations). The cost to connect those locations was estimated at a little less than $2 billion, whether wireless or wired technologies are used to provide service.

That said, the goal of funding universal broadband access across Missouri seems to be well within reach. The $285 million appropriated by the General Assembly this session is money the federal government provided to the state through the ARPA last year. An additional $1.3 billion (the second installment of State and Local Fiscal Recovery Funds (SLFRF)) will be deposited with the state later this year. This money also can be used to fund broadband and other infrastructure needs. Thereafter, Missouri is eligible to receive a sizable portion of the $42.5 billion available to states to fund broadband infrastructure as part of the IIJA. Finally, of course, assuming a public-private partnership model is used to provide broadband access, no one thinks that the federal and state governments will need to finance the entire cost of building out broadband to all underserved locations, as the private sector can fund the investment as well.

In other words, over the next several years, there appears to be an opportunity to access enough federal money to construct the infrastructure needed to close Missouri’s digital divide. However, this will require continued support from the General Assembly to appropriate the federal money. ARPA money left unspent by the end of 2026 must be returned to the United States Treasury. IIJA funding will be allotted to states based on need and funded only after submission and approval of a five-year plan designed to provide access to all unserved locations in the state. Thankfully, the General Assembly began this process this session by appropriating money to DED from ARPA funds to develop this five-year plan, so that Missouri can fully participate in the IIJA funding programs both for access and adoption over the next several years.

  • Second, the General Assembly’s decision to “zero-out” the Governor’s proposed appropriation for internet adoption is somewhat puzzling. One could make the case that $30 million was not the right amount – that it was too much – or that the need for adoption programs could be deferred to a later date and paid for out of future IIJA grants, and did not need to be included in this year’s appropriations.

It may be simply that the proposal suffered from “misbranding” – the decision to call it “Digital Literacy.” One would think most folks don’t like being referred to as “illiterate” – even if it’s “digitally” illiterate – and that term doesn’t really do a very good job of describing what the money was intended to pay for, or why it was needed in the first place.

Likely what was lost in the debate was an appreciation that the public benefit of broadband access, what justifies the investment of hundreds of millions of public dollars for broadband infrastructure, comes only when all individuals throughout the state can actually use that resource in ways that make a positive impact on public health, education and economic opportunity. This would include visiting their doctor online (telehealth); starting an in-home, internet-based business; reversing population declines in rural communities and saving commuting time and expense through telecommuting; obtaining an advanced degree or skill online from a university or junior college; monitoring crops in the field, reducing fertilizer and production input costs through precision agriculture; accessing online federal, state and local government services; and otherwise using high-speed internet in ways that make business, government and other institutions more efficient and effective.

In short, to fully realize the public benefit of broadband that justifies the unprecedented public investment in broadband infrastructure, there is a need to move beyond smart phones and recreation-centered internet-based applications (things like texting, social media, YouTube videos, online gaming, etc.) and to provide everyone – not just the “tech-savvy” – with the training and skills needed to effectively use this new resource. While certainly most everyone believes these goals and programs are worthwhile and necessary, the private sector has limited motivation (and expertise) to provide them. This was the rationale of an internet adoption program that would use nonprofit, local government, and educational organizations to develop the skills-based resources designed to further these objectives. Hopefully, as the need for these resources becomes more evident, funding for adoption programs will be included in future appropriations so that communities receiving public funding for internet access will have the means to fully realize the benefit of this new resource.

Senate Bill 820

Aside from the appropriations bills, significant – but more incremental – progress was made through passage of Senate Bill 820. This legislation incorporated several of the proposals from the work of the House Special Interim Committee on Broadband Development chaired by Representative Louis Riggs.

Among the changes was a proposal, supported by the DED, that incorporated a badly needed update to the definition of areas that lack access to adequate broadband service (underserved areas). This definition is important because it is used to identify broadband infrastructure projects that can be financed by Community Development Districts, Neighborhood Improvement Districts, and Broadband Infrastructure Improvement Districts, as well as to describe locations that can qualify for direct grant funding administered by DED.

Assuming SB 820 is signed by the Governor later this summer and becomes law, underserved areas will be defined to include areas lacking fixed wired or wireless service equal to 100 Mbps download and 20 Mbps upload – a substantial increase from the old standard (25/3 Mbps). This new standard is the same as that contained in the Infrastructure Investment and Jobs Act (the IIJA). SB 820 also permanently ties the definition to future increases in the speeds necessary to qualify internet service as “broadband,” as changed by the Federal Communications Commission (the FCC) from time to time. By raising the standard used today, many more projects will qualify for funding and can use existing financing district legislation, and by tying the definition to future increases implemented by the FCC, the statute will continue to be a useful tool in the future as new technologies such as virtual reality and artificial intelligence require even faster internet connections.

SB 820 also includes a new Vertical Real Estate Act (new §8.475) to expressly authorize any political subdivision to erect wireless telecommunication towers and related ground-based equipment and to enter into public-private partnerships for the same purpose. Finally, the new law adds several provisions designed to enable DED to better enforce and administer state broadband infrastructure grants in cases where the recipient has failed to construct the promised infrastructure.

New NTIA Data Show Enduring Barriers to Closing the Digital Divide, Achieving Digital Equity


Over the past two years, the COVID-19 pandemic highlighted what many already knew: high-speed internet access is not a luxury; it’s a necessity. As workplaces and schools shifted to online environments, families that lacked access to affordable, reliable, high-speed connections, appropriate devices, and digital skills fell further behind.

Newly released data from the 2021 NTIA Internet Use Survey show that historically less-connected communities used the Internet and connected devices in greater numbers than they did two years ago. Despite that progress, the substantial disparities that NTIA has tracked for decades continued to be evident, highlighting the urgent need to work toward digital equity in the United States.

Digitally Connected Community Guide tapped for national workshop


The University of Missouri System Broadband Initiative team was tapped to help train extension professionals to be effective partners in closing their state’s digital divide. The May 3–5 workshop in St. Louis equipped participants from 11 states with training and tools based on the UM System’s Digitally Connected Community Guide model to help close critical broadband access and adoption gaps that impact quality of life and economic recovery.

The National Digital Extension Education Team (NDEET), headed by Rachel Welborn, associate director of the Southern Rural Development Center at Mississippi State, asked UM to provide a train-the-trainer program around the UM model.

“This collaborative national training opportunity strengthens the impact of broadband expansion across rural America and other areas of need by bringing together Extension professionals as co-learners and community catalysts,” said Alison Copeland, UM System deputy chief engagement officer. “It’s an honor that the Digitally Connected Community Guide was selected by NDEET to train Extension colleagues across the nation.”

The Guide, an online curriculum produced by the UM System Broadband Initiative, offers tools and resources — and a step-by-step process — to engage local partners and residents in bringing high-speed internet to unserved Missouri communities; improve adoption rates and digital literacy; and increase the use of internet-based technologies and applications to improve health, education, and economic opportunities for all.

More information about the Digitally Connected Community Guide is available.

Seven “Characteristics” of Successful Broadband Public-Private Partnerships


We are at the beginning of the Great Broadband Infrastructure Funding Boom. New federal funding for broadband started with the CARES Act and picked up steam with the American Rescue Plan Act (ARPA), but the amounts involved are dwarfed by the over $65 billion that will be distributed by the federal government over the next few years as part of the bipartisan Infrastructure Investment and Jobs Act (IIJA). Meanwhile, in the near term we expect over $400 million of the state’s ARPA funding to be appropriated by the General Assembly this spring, with actual awards and funding to begin by late this calendar year.

While this funding potentially could be distributed directly to local government, in many cases the federal and state enabling legislation contemplates that private for-profit internet service providers, nonprofits and government entities will work together to implement broadband access and internet adoption projects. These public-private arrangements are called public-private partnerships, or P3s.

P3s seldom are actually documented as partnerships, and the arrangement may not even be referred to as a “P3.” However, they all do involve an ongoing legal agreement among one or more federal, state or local governments (public partners) and at least one for-profit or nonprofit entity (private partners), with the goal of constructing and operating a new development or enterprise. P3s have been used for many decades to construct and operate all sorts of public improvements, everything from arenas and stadiums to water systems and power plants, to toll roads and bridges – even a few high-speed internet networks. They also have been instrumental in bringing major retail or business expansion projects to depressed or underdeveloped communities.

I believe P3s likely will be used extensively for new broadband projects in underserved communities because much of the funding from the federal government comes with conditions that focus on outcomes over the long term. For example, any broadband infrastructure project funded with an IIJA grant will have to achieve minimum levels of performance (download, upload and latency), offer service to all or nearly all of the locations in the project area, meet certain service affordability standards, and, once operating, satisfy specified “quality of service” parameters. The exact requirements remain to be seen, but it seems likely that if federal funding is used, recipients will be required to show not only that the project was built as designed, but also that when completed it operates at the performance levels promised, and that the service offered is reliable and affordable. This focus on both the construction and the ongoing operation of the project will be difficult for a single entity (government or business) to meet on its own, and many will seek to share both the risks and rewards of project construction and operation using a public-private partnership. In fact, Missouri’s most recent award of federal funding required that the new projects be completed using a public-private partnership.

Using a P3 won’t necessarily eliminate risk or ensure the project will be a success. My work with communities, negotiating and documenting P3s over several decades, has yielded decidedly mixed outcomes. Many P3s have been unqualified successes, delivering state-of-the-art infrastructure improvements on time, at or under budget. However, others have been financial and operational disasters. There have even been a few situations where initially the P3 failed, but later it was resurrected, modified, and ultimately succeeded. As communities and businesses across Missouri and the United States consider using P3s for broadband, it seemed a good time to share a list of characteristics that I’ve found most successful P3s have in common.

My list is anecdotal; it’s based entirely on my own observations. I compiled it after reflecting on my experience working on many projects over the years. Admittedly my list wasn’t derived primarily from experience working on P3s that were formed to construct and operate broadband networks, but I think the fact that the projects I worked on were so varied (everything from ethanol and bio-gas plants to football stadiums) shows that what is being built or operated is not all that relevant, and at least a couple of the characteristics described actually were illustrated by broadband P3s.

With that as an introduction, my list follows —

Characteristic 1 — The Partners Think Long-Term

Partners in successful P3s typically organize their arrangement to achieve long-term objectives over many years or even decades. All critical partners share an understanding of the ultimate objective, and each tends to see their individual responsibility to the enterprise through that perspective. For example, if a P3 is used to build and operate a toll road, the construction contractor understands that delivering the road on time and under budget in accordance with the design specifications means very little if she knows the road hasn’t been properly designed to handle projected traffic volume, or that the material specified in that contract will not stand up to weather conditions and last for the project’s intended useful life. Neither of these concerns is the contractor’s primary responsibility, and if the arrangement were viewed only as a construction contract, the contractor would measure success only by looking at whether the road was completed on time, within budget, and in accordance with design specifications.

However, the true objective for the P3 is to provide a toll road that will improve travel for many years. Certainly, a critical step in reaching that goal is to get the road built and open for operation, but that short-term objective is only part of a much larger long-range goal. If the contractor partner takes this long-view into account, she will raise her concerns, and all parties will consider and address them before proceeding. It may take a bit longer to get the road built, and it might cost more, but it will be much more likely that the project will satisfy the P3’s long-term objective.

This mindset may not come naturally, but it does seem to lead to a better overall outcome – over the long term. It doesn’t take much imagination to see how long-term thinking could benefit communities building a new broadband network. If the long-term objective is to provide the community access to high-speed internet that is affordable and capable of handling the community’s needs over the next 10 to 20 years, the partners in the P3 wouldn’t automatically choose the broadband infrastructure option that could be constructed for the lowest cost.

Instead, before selecting that option, the partners also would consider how much it will cost to operate and maintain the network, and whether the network can be easily upgraded so that it can efficiently operate new internet applications that become available, compared to other infrastructure technologies that are more expensive to install. Looking “long-term,” the savings associated with lower operating expenses and avoiding the cost of installing a replacement network in just a few years may far outweigh the limited benefit of a lower initial installation expense today.

Characteristic 2 — The P3 Has “Good Partners”

Successful P3s have “good partners” – partners that have three characteristics: a proven track record, financial wherewithal to weather economic problems, and finally, a “cooperative spirit.” The first two of these seem obvious. Of course, a local government (public partner) would want to find a private internet service provider, contractor, or network operator with a great track record, that was highly capitalized and able to cover unexpected cost overruns and delays. Likewise, a private company (the private partner) would search out a city or county with a team of elected officials and staff that had successfully worked with private businesses on significant P3 projects in the past and that have a reputation for following through on financial and other commitments.

However, identifying and recruiting good partners is not easy. After all, if government or business, acting alone, were able to provide affordable access to high-speed internet in the community, that already would have happened. There likely are engineering problems, lack of access to easements and right of way, insufficient access to capital, low population density and demand for service, and many other issues to overcome to successfully construct and operate an economically viable network. The best “partner” candidates often have many options in communities that present fewer challenges and that are less risky. This does not mean recruiting good, qualified partners is impossible, but it does underscore the need to carefully evaluate and select the best candidates, and to pay particular attention to each candidate’s experience and financial condition.

Communities need to be especially cautious of firms that offer untested technologies to achieve the P3’s goals. Although it’s possible an entrepreneur may have discovered a great solution, often unexpected problems arise when a new technology is deployed in a real-world setting, and invariably firms promoting these technologies are undercapitalized and find it difficult to weather these setbacks. Certainly, a carefully crafted request for qualifications or request for proposals solicitation process should be followed to identify all available candidates and options. For public partners, this usually will require the help of a financial advisor and perhaps an engineering consultant to assist in evaluating prospective partner candidates and P3 proposals.

A third, less obvious, characteristic of a “good partner” is a cooperative spirit. For the reasons already discussed, a P3 that seeks to provide internet access to underserved communities and improve adoption of internet applications likely will encounter difficulties and setbacks along the way. In successful P3s, each partner, public and private, understands this, is willing to stay the course and, if necessary, alter their approach to the extent necessary to achieve the P3’s long-term objectives.

Characteristic 3 — Each Partner Has the Support of its Constituency

Public and private partners have constituencies. Public partners (elected and appointed government officials) must answer to voters, public utility customers, parents of school age children, local business and civic community leaders, and many other groups. Private partners typically answer to their board of directors, investors and, in the case of nonprofits, donors. To achieve success, partners in successful P3s will have taken steps to obtain and maintain the support of their constituencies.

This characteristic is particularly important for public partners. It can be easy for a well-meaning government official or governing body to get ahead of the voters. Even if the P3 contracts are eventually approved over public objections, a future city council or county commission may work to undo the efforts of its predecessor and terminate the arrangement. In successful P3s, written agreements among the partners reflect and evidence the commitment of the community, not just the current government leadership. Of course, no P3 has unanimous public support. There always will be dissenters, but when reflecting on unsuccessful P3s, one often finds a critical public partner that entered into the agreement even when faced with widespread, sustained opposition from a substantial portion of the community.

In successful P3s, prior to entering into the arrangement, public partners spend time and effort engaged in learning sessions where they carefully explain both the benefits and the risks associated with the P3, and work to address concerns voiced by constituencies. This effort continues throughout project construction and commencement of operations. The public is kept informed of the project milestones as well as challenges encountered along the way that require modifications to the initial plan.

Characteristic 4 — Expectations Are Kept in Check

Successful P3s have partners with realistic expectations of what can be achieved. Public partner leaders and decision makers understand that calling the arrangement a “P3” does not somehow guarantee the successful completion and operation of the enterprise, nor eliminate financial risk. Private partners understand that public institutions operate by consensus rather than edict, and they accept and adapt to a decision-making process that takes more time.

Characteristic 5 — The Objectives of All Partners are Well Defined and Understood

Partners in successful P3s take the time to fully understand their shared objectives, and to compromise individual objectives that could otherwise lead to future conflict. In contrast, partners that assume their objectives are fully understood and shared – or worse, conceal their true motivations to achieve a strategic advantage in negotiations – eventually face difficulties. Some underlying difference eventually will surface, under circumstances in which it will be much harder to achieve an acceptable resolution.

Defining and understanding objectives often does not receive enough attention because it is inconsistent with traditional contract negotiation strategy. For example, if I want to buy a house, my goal – my objective – is to get one that best suits my needs at the lowest possible price. In contrast, your goal, as seller, is to transfer the house for cash, free of any future responsibility, at the highest possible price. Most would agree that in a traditional negotiation, the seller should emphasize the positive aspects of the house, while avoiding (to the extent the law allows) pointing out any defects that might depress its price. On the other hand, as the buyer, I would do everything possible to emphasize the structure’s defects and shortcomings and initially would offer less than the amount I was willing to pay in the hope of getting the best bargain. Eventually, through a series of offers and counteroffers, we would either arrive at the selling price or abandon the effort.

Partnership arrangements involve a much different set of expectations and dynamics. Most are designed to remain in effect for an extended period, and in successful P3s, the parties recognize this, and tend to spend a substantial amount of time at the outset working to understand and clearly define each other’s objectives. It is true that, just as in the buyer-seller example, the parties likely will have some objectives that are incompatible, but if the P3 structure is a viable option, they will also identify some important common or shared objectives.

For instance, a for-profit ISP may be looking to maximize profits by expanding its internet network to homes in an underserved community. At the same time, the public partner may be looking to provide online learning opportunities for residents, or it may want to add residence-based internet sensors and controls for public water, sewer or electric utilities. The common, or shared, objective in this case is to expand internet service to every home in the community. While the motivation behind the objective may be much different (profit for the private partner ISP and better delivery of community services for the public partner), the potential exists to create a successful P3 that will enable them to reach this shared objective. For example, the public partner might agree to purchase permanent capacity on the new network to meet its goals, in exchange for the ISP’s agreement to build out service to each home in the community, including those that it otherwise would have bypassed because the lack of customer density created profitability concerns.

Of course, there likely are some inconsistent objectives as well. The ISP might want to exclude some homes in the community because they could not be served profitably, or the public partner might want the ISP to offer service to low-income households at a reduced rate to encourage adoption of its new public internet-based government services. But even here, if these objectives are identified and understood, a solution probably can be found. For example, perhaps the parties would agree that the ISP could install infrastructure that is slightly less capable, but much less costly to install and operate, in marginal areas of the community. To meet its goal of reaching all of the households in the community, the public partner might agree to offer subsidies to low-income subscribers, so that they could afford to pay a market rate for internet service.

However, before any of these ideas can be explored and developed, the partners must be willing to reveal their underlying motivations and objectives. Stated another way, it’s impossible to find common ground unless you know where you and your potential partners “stand” right now. This can be a difficult shift, particularly for legal advisors and business advisors more familiar with traditional negotiation strategies. It requires a significant investment of time and the development of a negotiating environment designed to encourage free exchange of information and ideas.

Characteristic 6 – The Partners and the P3 Speak with One Voice

This characteristic applies primarily to public partners, and it applies both during the course of negotiations leading to the formation of the P3 and after the project commences. Nothing tends to undermine trust and sidetrack negotiations quite like a public partner with multiple spokespersons. Public entities, by their nature, tend to be somewhat decentralized and populated with folks who are eager to take the limelight. Private partners cannot effectively react to multiple inconsistent positions voiced on behalf of a single government, and if the situation is not properly managed, the private partner may eventually decide to abandon negotiations. Successful P3s tend to have public partners that understand this risk. They establish clear lines of negotiation and communication through a single individual, and demand that all parties respect this process.

What is true for individual partners is also true for the P3. Most P3s need to contract with others for financial and other resources. When approaching third parties such as a bank or underwriter, or a federal regulator, successful P3s designate a single individual to conduct negotiations.

Characteristic 7 — The Parties Think “Win-Win”

This final characteristic I borrowed from Stephen Covey’s “The Seven Habits of Highly Effective People.” It may seem altruistic and somewhat naïve, but it reflects a practical difference that underlies all six characteristics previously described. Effective partnerships of any kind exist because they can achieve an objective that the individual partners, working alone, could never reach. From this perspective, if the partnership succeeds, everyone should feel like a winner – because all fared better than they would have had they undertaken the project on their own.

Identifying a path that achieves the community’s core objectives, that provides private partners a fair economic return, and that fairly allocates risks and offers rewards commensurate with each partner’s investment of time and resources is seldom easy. In many cases attempts to establish a P3 fail because there are too few shared objectives or because one or more of the partners was unwilling or unable to engage and negotiate an arrangement that required a long-term investment of time and capital. In some instances, the P3’s objectives were only partially achieved, and of course there are some where the P3 failed completely. However, there are many others where the effort proved successful.

That’s the reason public-private partnerships continue to be popular and used in a wide variety of situations. It’s not because they ensure success or eliminate risk, but instead because the parties know that without them there would be no possibility of successfully completing the project and achieving their shared goals.

Missouri House Special Interim Committee on Broadband Development Issues Its Final Report


The Missouri House Special Interim Committee on Broadband Development has issued its final report and recommendations for improving access to broadband and broadband applications. The Committee was appointed last year by House Speaker Rob Vescovo, and included Representatives Louis Riggs (Chair), Cyndi Buchheit-Courtway, Bishop Davidson, Travis Fitzwater, Jay Mosely, Wes Rogers, and Travis Smith.

The Report summarizes findings from at least 11 public meetings and testimony from over 40 witnesses; together with appendices and transcripts, it is more than 500 pages in length. The Report addresses issues of internet access, connection speed, and affordability, as well as the need for progress to improve adoption of internet-based applications for online education, telehealth, precision agriculture, workforce development, and entrepreneurship.

While acknowledging that the state has made some progress over the past several years – moving up from 41st to 32nd in the FCC state ranking for broadband access – the Committee concluded that “there is still a tremendous amount of work to do in order to move Missouri from below the middle of the pack into the Top 10 states in the country.” To illustrate the point, the Report noted that Missouri ranks 44th out of 50 states in home use of fixed broadband and 15th in the nation for households with no internet access at all.

Several recommendations were made to improve on these statistics, including the creation of legislative committees in the Missouri House and Senate dedicated exclusively to broadband expansion and oversight, along with a “Broadband Development Council” to enhance stakeholder engagement, ensure accountability and provide meaningful public oversight. As part of this effort the Committee called for a publicly accessible internet testing and mapping resource that would show actual internet connection speeds in real-time.

More funding for the Missouri Broadband Office within the Department of Economic Development was recommended, to increase the amounts available through the state’s broadband infrastructure matching grant program over the next three years and to provide additional staff to improve oversight of internet providers that participate in this program. The Committee recommended increasing the connectivity speeds in the state’s definition of broadband, so that public funding would be available in areas lacking connectivity at speeds of at least 100 Mbps download and 20 Mbps upload, and modifying the definition so that those standards automatically adjust in conjunction with future increases in the federal standard. At the same time, the Committee acknowledged that some public funding support should be available for lower connection speeds at extremely remote last-mile locations, until technological advances permit these to be phased out.

Finally, the Report recommended legislation to encourage and streamline deployment of broadband, including the use of government-owned structures and broadband assets to expand service to homes and businesses through participation in public-private partnerships. Specific recommendations included overhaul of right-of-way access, streamlining resolution of utility make-ready and pole attachment cost disputes, and the institution of “Dig Once” policies to require more efficient and cost-effective installation of broadband infrastructure.

Several of these recommendations appear to be included in legislation proposed in the Missouri General Assembly this session. For example, Senate Bill 981 changes the definition of broadband, and Senate Bill 990 addresses part of the make-ready and pole replacement cost issue.