CHALLENGES INCREASE FOR FINANCING, SHIPPING AND INVENTORY

My last article talked about the economy not doing what economists think it should be doing given the low unemployment, rising interest rates, lagging wages, consumer spending, and more. Because of these seeming contradictions, it’s becoming harder to predict what will happen next and what should be done to put the economy on an even keel.

To all of this, we can now add the credit rating agencies getting involved. Recently Fitch Ratings lowered America’s Long-Term Foreign-Currency Issuer Default Rating (IDR) from AAA to AA+. While that is something to be considered, it won’t have much of an impact on your business.

What may have an impact is Moody’s Investor Services downgrading the credit rating on a number of regional banks. Specifically, Moody’s downgraded the rating for Amarillo National, Associated Banc-Corp, BOK Financial, Commerce Bancshares, Fulton Financial, M&T Bank, Old National Bancorp, Pinnacle Financial Partners, Prosperity Bank, and Webster Financial Corp.

This downgrade will make it harder for these banks to provide the full spectrum of financial services their customers need. It will make getting loans from the above institutions more expensive if even possible. It means if you are a customer of one of these banks, they will be looking for more financial information about your business before a current loan is renewed or a new line of credit is granted. Indeed, if you are a customer of one of these banks, now is the time to start having discussions about any financing they are providing to your business.

By the way, there will probably be more banks that have their ratings downgraded, so if your bank isn’t listed above, it would be good to start having conversations now, just in case. 

Why are the downgrades happening? Banks use their deposits to make loans to finance business investments and payment of interest. In addition, banks sell bonds to raise additional capital for these purposes. With a downgrade of their credit rating, it will be more difficult to get anyone to buy those bonds so they will have to increase the interest the bonds will pay. For the banks to better protect their investment in business, they are going to be making sure that investment has a high probability of being repaid.

With the continuing increase in interest rates, these smaller regional banks need to pay out higher amounts of interest to hold their deposits.  Other financial instruments have been moving faster to offer higher interest rates, as they don’t have specific deposits to protect; rather these new instruments are seeking “new” dollars to invest at even higher rates of return. This creates a potential drain of deposits from smaller regional banks.

Beyond the threat of deposits leaving the regional banks, they need to pay competitive interest on the remaining deposits. Depending on how those remaining deposits are invested, that too can lead to a drain if the interest being charged is less than the interest paid.

In addition to the pressure of having to pay increased interest, there is also the increased probability of loan defaults. The Wall Street Journal reports mortgage delinquencies in multifamily structures remain relatively low, but are increasing.  Apartment building investors bid up building prices during the pandemic, seeing the rapid increase of rents leading to the prospect of large returns when selling the property. Much of the financing for multi-family structures was short-term, and now property owners can’t afford the revised payments, so a number of properties are going into default.

Another probable impact on your business is the shutdown of Yellow Freight. They made the announcement they were ceasing all operations in early August. Yellow was one of the largest less-than-truckload (LTL) freight carriers in the country. It is possible Yellow was a favored trucking company used by the bicycle distributors from which you source products. There are other LTL carriers that will fill the void left by Yellow’s closing, but the removal of a major competitor will likely lead to an increase in freight charges, so don’t be surprised when you see an increase in the cost of your landed bicycles.

On top of that, United Parcel Service recently entered into a new contract with the Teamsters. Carol Tome, the CEO at UPS, said the contract provides industry-leading pay and benefits for their employees. As a result, it’s probable you’ll see increases in the rates charged by UPS.

And if all of this wasn’t enough to worry about, the price of oil is once again on the rise. In the last six weeks, benchmark crude prices are up 21 percent, and are projected to go even higher. Already many freight companies are adding fuel surcharges, some updating the amounts weekly.

This is a double-edged sword. With the price of oil going up, meaning gasoline will become more expensive, maybe people will park their cars and buy a bike. However, with it costing more to fill the gas tank, there may not be enough left in the personal budget for a new bike.

Here is one more thing to navigate in your business — inflation shows signs of being on the rise again. The Federal Reserve said the consumer price index rose at a 0.2 percent rate in July, the same increase seen in the previous month. This brings the annual rate to 3.2 percent over the last 12 months, certainly below the 9.1 percent peak from June 2022, but still above the 2.0 percent target. That’s the good news.

The so-called core inflation, sans food and energy, is up at an annual rate of 4.7 percent, and services (less energy) rose 6.1 percent in the last 12 months. The Federal Reserve paused interest rate increases last month, but it seems more increases may be needed.

The average mortgage rate hit a 20-year high, almost 7.1 percent during the week of August 14. Keep in mind, the increase in oil prices mentioned above and rising credit card interest rates are also having an impact; maybe not immediately but that is coming, too.

There is a corresponding pullback in consumer spending. For example, Target reported June sales were down 7 percent year-over-year. Conversely, consumers still seem to be willing to buy discretionary goods as long as they are cheap. Yes, Target’s results last quarter were affected by the Pride Month controversy, but the contrast of 6 percent sales growth at T.J. Maxx last quarter is instructive. Even in Target’s first quarter, which wasn’t impacted by the backlash, sales in apparel, electronics, and appliances fell by three percent. Yet T.J. Maxx and Dollar Tree saw sales increases of three to 3.5 percent.

What does all of this mean for the inventory retailers have on hand? For the additional inventory distributors would like dealers to take? For terms they are offering? Take a look at your business and its needs. Talk to your banker to make sure your financing requirements remain safe and affordable. Talk to your shipping companies to make sure you understand their thinking about rates, and begin shopping around if necessary. This is not a time to assume all will end well, especially since the things written about here are mostly out of your control.

Contact Steve Bina: steve@humanpoweredsolutions.com

HOW THE STUDENT LOAN ISSUE IS IMPACTING YOUR BUSINESS

In last month’s article, I wrote about the uncertainty in the economic landscape. The issues were the extension of the debt ceiling negotiations, the continuing rise of interest rates, and inflation. Since then, an extension and increase in the debt ceiling has been accomplished. The Federal Reserve took a break from raising interest rates in June, but has given indications there likely will be more rate increases in the coming months. Inflation has slowed, but is still at an elevated level.

All of these things have an impact on your business, either directly or indirectly. Over the coming months, continuing changes to each are certain, so you’ll need to be mindful that your business is doing what it needs to do to thrive, and to survive.

One thing I didn’t include in the last article was the looming resumption of government student loan payments. Part of the debt ceiling negotiation was for student loan payments to resume on August 30. The payments and interest accruals have been in abeyance since March 2020. This was done by the Department of Education to ease the impact of the COVID pandemic, which caused the closure of many businesses, resulting in significant layoffs and an overall reduction in hiring.

An estimated 43 million people, approximately 17 percent of the adult population, have federal student debt. Of those, 26.6 million, about 10 percent of the adult population, had loans that were in abeyance in Q1 2023, according to the National Student Loan Data System. Once payments resume, the average monthly payment will range between $200 and $300, according to the most recent Federal Reserve data. It is estimated that, collectively, borrowers are set to resume paying around $10 billion A MONTH, according to recent analysis by JPMorgan.  

That amount being redirected out of the economy means a number of retailers will likely be negatively impacted. According to UBS, those retailers include American Eagle Outfitters, Carter’s, Crocs, Foot Locker, Canada Goose, Nordstrom, Nike, Steve Madden, Under Armour and Victoria’s Secret. UBS Research did a survey in March 2023 and found the average student loan borrower is younger, likely to be single, female, and earn slightly less than the average U.S. consumer.

Undoubtedly, these retailers will be affected, and so too will your business. And as with these other retailers, the reduction in consumer spending will back up through the channel supply chain, affecting distributors and manufacturers.

On top of the restarting of loan payments and interest accrual, the Supreme Court’s ruling on June 30 declaring that the administration’s plan to forgive almost $430 billion of student debt is unconstitutional will have a further chilling effect on consumer demand.

As bad as that sounds, there is a small silver lining. That much money being redirected out of the economy will reduce demand across the board. The Federal Reserve has been hoping that would be one of the results of their raising interest rates. How much and how soon remains to be seen, and is why the Federal Reserve did not raise rates in June, but has strongly suggested additional rate increases may be needed.

Reducing demand is also a step in possibly helping to lower inflation. The extraordinary post-pandemic demand for consumer goods outstripped most retailers’ ability to supply. The reasons are well known. Shortages drove up prices on everything from printer cartridges to automobiles, in some cases making used cars more expensive than new ones simply because used ones were more readily available.

As noted in my previous article, running your business to your budget in the coming months will be crucial given all the outside influences. Understand and manage what you can control, because a lot of what will be affecting your business you can’t control. Right now, the one thing you can count on is it’s going to be a very challenging selling season.

Contact Steve Bina: steve@humanpoweredsolutions.com

MANAGING YOUR BUSINESS ON A ROLLER COASTER

The economic roller coaster continues. The first quarter brought mixed results from retailers in different industries. The cost of credit continues to increase (with no end in sight). Consumer spending increased significantly in April and inflation accelerated. The Commerce Department said consumer spending increased 0.8 percent, up 0.1 percent from increases in both February and March. The president of the Cleveland Federal Bank said she thinks interest rates should keep rising until the next move is equally likely to be an increase as a decrease. “I don’t believe we are there yet,” she said earlier in May.

While consumer spending is increasing, the rise of interest rates and inflation is making consumers jittery and managing your business more difficult. Lowe’s reported inflation pressures were felt mostly for big ticket items. Spending on do-it-yourself project items was down significantly, according to CEO Marvin Ellis. Home Depot reported essentially the same thing. Costco’s CFO said the company’s average daily transaction amount fell in the first quarter, driven mostly by weaker sales of big ticket items such as electronics, jewelry and home furnishings.

On top of rising interest rates, the uncertainty of the federal debt limit negotiations weighed on the economy. All involved professed a default could be avoided. The administration held a position that a clean debt ceiling bill was what they wanted, and that there would be no negotiation. The House deliberated and passed a bill that raised the debt ceiling, but with conditions. With the clock ticking down, both sides compromised and an agreement was hammered out with a bipartisan vote to raise the debt ceiling. Neither side got everything it wanted, but the threat to the economy was removed, at least until the debate begins on next fiscal year’s budget.  

Tracking spending trends shows consumers are spending a larger share of their budgets on activities that get them out of the house. This isn’t surprising given the sequestration COVID caused. However, that spending has been selective. Urban Outfitters’ latest-quarter sales rose 17 percent at Free People, a sub-brand which caters to bohemian-chic fashion, and 13 percent at Anthropologie, another sub-brand. Those gains offset a 13 percent drop at the company’s namesake brand.

Consumer spending trends also show a pent-up demand to get out and express yourself. The going-out trend is evident at Dick’s Sporting Goods. Dick’s reports sales of items sold for team sports stayed strong in the latest quarter.

How might this affect your business as a bicycle distributor and/or dealer? Certainly you will have an understanding of what is selling in your business: high-end versus moderately priced product; complete bicycles or accessories to make what customers already have perform better; full-priced product or just what is on sale.

Many of you are pressed not only with a lot of inventory, but pressure from your distributors to take more. We are on the cusp of what many hope will be a busy summer selling season, but as noted above there are significant economic headwinds. Things may be getting a little worse, too. Recent data from the Commerce Department shows consumers increased their spending sharply in April, 0.8 percent (kind of good news), but may force a continuing increase in interest rates (kind of bad news). The increase in consumer spending is “… just continuing to demonstrate the underlying resilience of the consumer … ” said Wells Fargo economist Shannon Seery, and may lead to further interest rate increases. However, it seems that underlying resilience has been and will continue to be selective.

As that summer season is rapidly approaching, you may wish to consider some unconventional business changes to help weather these unconventional economic times. Cash flow is critical to any company’s survival, and you should have a budget to help you navigate that, now more than ever. Is your revenue coming in as forecast and covering your costs? Is the business at least at break-even? If not, is it a revenue short-fall or are expenses higher than anticipated? Following are some questions you should be asking to make sure your business is in good shape.

A shortfall in revenue can be tough to correct, and you need to identify the reason. Is store traffic not as high as anticipated? Or, like Costco, has the average transaction fallen? If this is the case can you identify possible causes? Have you changed your marketing and/or advertising tactics? Should you? Has new competition sprung up in your area? Has mail order or direct-to-consumer sales had an effect? How you might respond to each of these depends on your individual circumstance and market demographics. Can you adjust marketing and advertising, or do you/can you offer direct to consumer sales? What might a new competitor offer that you don’t but should?

Is the shortfall across the board or from a specific part of the business such as new/used product sales, service or accessories? Is the mix of what’s sold/billed significantly different than budgeted? Even if the total amount of revenue is meeting budget, you still should understand where the dollars are being generated so you can address any possible lagging performance in one or more areas to take corrective actions before the lag becomes critical.

Sometimes it may be tempting to put product on sale to hopefully increase sales and get revenue back on track. That can also help to lower inventory and carrying costs, converting inventory to either cash or accounts receivable. The caveat is this needs to be done carefully. As noted above, with consumers looking to rein in their spending and being selective, you don’t want to condition your customers to shop only when you have a sale.

Your expenses may be on budget, but if revenue isn’t, you still need to take action. On the expense side there are a number of things you can control. If there is a reduction of store traffic, are your business hours appropriate? Maybe it’s possible to have a voicemail system to handle calls during off hours. Does your store have an effective web site? Is that web site able to log and report customer contact via e-mail? That capability would allow the customer to establish a connection with your business and allow you to interact with the customer in close to real time. It may also allow your business to generate on-line sales. Of course that presumes someone would be available and responsible to answer and respond in a timely manner.

As hard as it may be to find qualified employees, you may have to ask if your staffing is appropriate. Would it make sense to offer temporary part time employment to some full time employees? Perhaps have one of the full time employees be responsible for the voicemail and e-mail?

These are some things to consider to make sure your business is one that survives and hopefully prospers. In coming editions I’ll look at the continuing economic issues and how they might impact your business.

Contact Steve Bina: steve@humanpoweredsolutions.com.

HOW INTEREST RATES AND CREDIT POLICIES ARE IMPACTING THE BICYCLE INDUSTRY

The recent failure of two banks, Silicon Valley Bank in California and Signature Bank in New York, didn’t have much of a negative effect on the stock market overall. Yes, bank stocks slid a bit, and were rattled a little more a few days later when Credit Suisse was merged with UBS to stave off a large European bank failure.

Most likely, the market reaction would have been more negative had the administration not said it would cover all depositor losses even if over the FDIC limit. While that was not unprecedented, it does set an expectation going forward, which could become very problematic. Not surprisingly bank stocks, especially the small and regional bank stocks, have taken a hit, but also less than one would have expected had the administration not intervened to cover all deposits. 

While there is an impact overall in the banking industry, it’s interesting to note that big national banks, including JPMorgan, Citigroup and Wells Fargo, just reported increased profits and increases in deposits for the first quarter. JPMorgan reported a 52 percent increase in profit, and estimates it picked up an additional $50 billion in deposits following the March bank failures. Citigroup estimates it netted almost $30 billion in new deposits since March. The banks expect to see moderate declines in deposits, as they compete with each other and smaller/regional banks in the coming months. In addition, some money will move to Treasuries and money-market funds that may offer higher interest. These deposit increases came at the expense of the smaller/regional banks, with customers moving their accounts to larger “too big to fail” institutions.

This increase in deposits has also helped the big banks profit. The Fed increasing interest rates allows the banks to increase the rate they charge for loans, but depositors’ view of them as a safe haven means they don’t have to increase their deposit rates. Smaller and regional banks don’t have that luxury right now, putting them under additional pressure. Regardless, clients of all sizes are pulling back. Banks are reporting mortgage underwriting has fallen off significantly because of the run-up in interest rates. The same goes for investment banking and M&A (mergers and acquisitions).

Still, the big three banks are bulking up their reserves. It’s reported these banks have set aside an additional $2 billion to cover potential bad debts, and Wells Fargo’s CFO is quoted as saying the company expects to see more stress in the coming months. First quarter earnings reports will be coming out shortly, and they will tell a very important story on the strength of the economy and projections for the rest of 2023. 

What does this mean for the independent bicycle dealer? Frankly, not much from an investment standpoint, as most probably don’t have a lot of bank stocks in their portfolios. In addition, most IBDs likely aren’t customers of large national banks, more likely to be dealing with smaller regional banks. The bigger concern is the impact on credit availability and interest rates available from the smaller banks. As noted above, the big banks are increasing their “bad debt” reserves, seeing decreasing demand in credit requests, and raising the interest rates on loans commensurate with rates set by the Fed. No doubt smaller banks are doing the same.

The increase in reserves suggests the banks anticipate businesses overall to either fall behind in payments, look to renegotiate current credit facilities, or enter bankruptcy. The interest rate increases further add to those possibilities.

Each of these alternatives may be something your business will face. Financing your business, the inventory, operating expenses, and the kind and amount of credit you offer your customers, are tough enough to manage in good times. Today’s uncertain economic outlook makes those things more critical.

While a credit crunch may have a significant impact on your business, it may also cause the same issues upstream with your suppliers and brands. Will they be able to offer you the same payment terms they have in the past? Will they get squeezed by their lenders to scale back on inventory or operations? Will they force liquidation of inventory at distressed prices to generate quick cash, and possibly distort the retail market with unsustainable discounts? Will they look for new outlets for their products that could bypass your business?    

There are no easy answers to these questions. Your approach to deal with these will undoubtedly focus on the short term to make sure you can open the doors tomorrow. But you also have to consider the longer-term consequences to make sure you’ll be able to keep the doors open into the future.

The next installment in this series will discuss how the economy may impact your business and what strategies might help.

Contact Steve Bina: steve@humanpoweredsolutions.com

RANSOMWARE ATTACKS ARE ON THE RISE

Nine bicycle shop owners or managers were interviewed in a recent issue of Bicycle Retailer and Industry News. The topic was how they protect their inventory and information. It was interesting for me to read these nine perspectives on security.  I was especially intrigued by one of the respondents saying that anyone stealing from them would have some bad karma coming their way.

You may recall that I’ve written a number of articles for The Micromobility Reporter addressing security, most about protecting information and data. Those articles discussed different ways to secure and protect systems and data to help ward off hacks and ransomware attacks. Admittedly, I overlooked the karma defense.

Data is critical to the operations of nearly every business. When data is corrupted or lost, the impact on business can be devastating. Data loss can be the result of a hack, ransomware attack, system failure, natural disaster or other causes. Because a data loss can be so devastating, your business should be working with your IT advisors to proactively protect your data and ensure speedy resumption of operations.

Ransomware as a cause of data loss is particularly concerning. The constant threat of new and creative attacks makes being breached more likely all the time. The encryption of your business’s data if you become a victim of ransomware could become a defining moment. Some businesses will survive mostly intact, but others will succumb and be crippled. Many times it’s the businesses that continue to rely on legacy processes that have the greatest difficulty recovering because of the amount of work and resources needed to identify what data was compromised, and how to recover. This can take days or weeks, and the business has to work around the missing and/or corrupted data.      

According to Enterprise Strategy Group (ESG) research, ransomware preparedness is the most important business priority for 26 percent of survey respondents, and is among the top five business priorities for another 53 percent. Where does ransomware protection rank in your business?    

Ransomware attacks are never-ending. According to ESG’s research, 79 percent of businesses have experienced at least one attempted ransomware attack (successful or not) within the past year. Ransomware attacks happen in the cyber world, though the impacts can potentially extend across all facets of your business, especially data protection.

Regardless, companies must recognize one important fact about ransomware: ransomware payments do not guarantee full data recovery. ESG research shows that 87% of companies that have been victimized by a ransomware attack in the last year failed to recover all their data after paying a ransom. In addition, the possibility also exists that some malware may still reside in your systems that will initiate another attack in the future.

Ransomware puts a tremendous amount of pressure on your business. It is something that requires constant vigilance because once the ransom demand is made, it’s too late to try and fix the problem. Make sure you’re talking to and working with your IT professional now.

Above I mentioned I’ve written articles that covered data protection, data storage, hacking and ransomware. If you haven’t read them I would like to encourage you to do so. If you didn’t save the articles, contact Human Powered Solutions for copies or check the articles archives at humanpoweredsolutions.com.

Hoping you don’t get attacked is not the best strategy.

Contact Steve Bina at steve@humanpoweredsolutions.com

INFORMATION TECHNOLOGY PART 6: PREPARING FOR DISASTER

The last article on information technology (part 5 in this series) addressed the issues of hacking and ransomware. The article discussed some, but not all, of the causes. This time we will look at some of the other causes, and the main issue a business may face regardless of the cause: disaster recovery.

As with all of these articles in The Micromobility Reporter, be aware that there is no guarantee your company won’t suffer an attack or data loss. Hopefully, some of the processes and tips in these articles will help stave off an attack or minimize the disruption.  

Hacks and ransomware as discussed are primarily initiated by individuals or groups seeking recognition and/or monetary gain. Just this week The Wall Street Journal reported that a ransomware attack targeting healthcare providers and hospitals, believed to have been instigated by North Korea, was disrupted by law enforcement. Recall that in the last article on this subject, I wrote that whenever you have evidence of a hack or a ransomware demand, or you think you or your business have been targeted, you should alert the authorities. In this instance, because law enforcement was looking, not only was the attack stopped from impacting others, but a significant amount (about half a million dollars) of paid ransom in cryptocurrency was recovered.

State actors are the top end of hackers, and represent the most sophisticated of external threats to your systems and data. There are also internal threats that may not be as malicious, but can cause as much damage. I’ve already written about employee sabotage. This may come about in a number of ways such as being passed over for a promotion, getting mad at a supervisor or the owner, attempting to prove a point, or an employee taking action to gain access because they believe it will make them more efficient. An employee can lose or compromise data or provide system information to people outside the business, allowing them access to hack or encrypt data. All the more reason to compartmentalize systems access and use tight password control.

On the other hand, employees can make innocent mistakes at any time. A mistake is just that, but whether data is lost or compromised, whether it happens maliciously or by mistake, it’s still a problem.

Another thing that can cause data or system issues is hardware and/or software failures. An earlier article mentioned the importance of making sure software updates are installed in a timely manner. It is also important to make sure your system hardware is appropriate to the software requirements. A correct correlation between software and hardware is essential to ensure the software can function correctly, and that the suite of systems your business uses can interface and communicate necessary data effectively. When your business upgrades one, make sure upgrades to the other are considered and implemented as needed.

One set of potential problems that tends to be overlooked is natural disasters. Depending on where your business is located (or perhaps with multiple locations), you may be exposed to tornados, wildfires or facility fires, floods, hurricanes, earthquakes, or any combination. You may have some control concerning most of the threats I’ve written about in this and the previous article. However, natural disasters are completely out of your control, and may occur when you least expect them. Nonetheless they are real, and can cause just as much damage as a malicious attack.

Finally, a power surge or outage can do significant damage to hardware. Either could have a detrimental effect on your data and systems as well. Depending on the severity of the surge or the length of an outage, hard drives or other internal hardware devices may suffer failures, making data retrieval difficult to impossible. This scenario brings into focus the previous article in this series talking about backups. Hardware failures often do not allow for data recovery, so a backup could be the only way to restore your data.

For each of these possibilities the best defense is a good offense. Understand the systems used to run and manage your business. Take the time to find out how much data your business has generated. Initiate system user and password protocols to compartmentalize systems access for your employees, and manage how passwords are created. Make sure your data is backed up regularly and with multiple copies. And when disaster strikes, make sure you have a recovery plan.

Recovery failures happen most often because there is no plan in place. Talk with your system administrator to develop a plan to address these multiple threats. In fact, you may need to develop multiple plans, one for each type of threat. The plans should be documented and updated as your systems, hardware and personnel change. The plans are important, but the planning process is even more so. An out-of-date plan that won’t work is of no help.

The plans should be simple and straightforward. They should be threat specific, and the steps should have a logical progression. They should be flexible enough to allow adjustments, as a threat may morph during an attack.

With proper planning, you and your system administrator should hopefully be able to minimize any disruption in your systems and protect/restore your data with minimal downtime.

Feedback? Contact Steve Bina: steve@humanpoweredsolutions.com.

INFORMATION TECHNOLOGY PART 5: PROTECTING FROM THREATS

This series of articles has covered issues of managing your business data, understanding how much data your business has, how passwords are created and protected, and how and where you back up your data. These articles have been leading to this: protecting your data from threats, natural, internal and external.

All the procedures and tips I have written about can help you protect your business data. However, there is no guarantee these procedures and tips will prevent a determined attack or natural disaster. The intent is that, should your business become the victim of an attack or data breach, you will be able to recover as quickly as possible.

Previous articles mentioned, in passing, different kinds of data threats, internal and external. This time we’ll discuss a couple of different kinds of threats in more detail.

Hacking

Hacking is gaining unauthorized access to data in a system or computer. Hacking is not always done for malicious purposes, but more and more references to hacking and hackers designate them as cybercriminals and what they do as illegal. They can be motivated by financial gain, protest, revenge, spying, or even just for the “fun” of the challenge.

Hackers may be individuals, part of a larger organized group, or possibly sponsored by a government. An earlier article concerning password protection said you should change all passwords when an employee leaves to protect your systems. The article on passwords suggested that even if an employee left on good terms, that doesn’t mean things will stay that way, or that the person won’t at some point want to try to make some money off of a vulnerability.

Hackers may be looking for specific information: names, addresses and social security numbers of employees, names and credit card numbers of customers, bank account numbers and more. Hackers may be looking for information about your business that would provide a competitive advantage to another business. Hackers may simply make subtle changes within your systems or on your web site to prove they were there.

How do you protect against hacks? The password protection and protocol article was a good first start. Next, download a reliable malware detection product that can both detect and neutralize malicious software. Make sure your software is up to date: download and install any software updates, making sure those updates are from a trusted and safe source. You and your employees should avoid unsafe/unknown web sites and should never download unverified attachments or click links from unfamiliar e-mails.

While it may be embarrassing, any hack should be reported. You may think your being hacked is a singular event when it could be part of a larger attack. Reporting the hack will alert authorities to the threat. You should also alert your customers and suppliers so they can be looking for anomalies in transactions.

Regardless, any time you suspect a hack has occurred you should immediately change all your passwords.

Ransomware

Ransomware is malware that prevents or limits users from using their systems by locking or encrypting all data. Often the infecting malware will delete itself after locking up the data, and a ransom is demanded to restore and release the data.

Ransomware attacks are almost universally about extorting money from the victim. Recall the article about backing up your business data, where a comparison was made between your data and your physical inventory. If your business suffered a theft of a number of bicycles, that may have an impact on your sales, but you probably have insurance that would mitigate the financial impact of the stolen inventory. The loss of data would have the same impact on your business, perhaps even more so, but likely there would be no insurance to ease the financial impact or cover the ransom payment.

Protection against ransomware attacks utilizes the same tactics as protecting against hacking. Unfortunately, cleaning up after a ransomware attack is much more complicated than a hack. Your data is either locked or encrypted. The quickest way back is to pay the ransom demanded.

On the other hand, depending on how long ago the ransomware attack was, and how often you are doing backups, you may be able to recreate your data set from a previous backup, assuming that backup was not affected by the ransomware. (Remember the 3-2-1 rule. If you aren’t sure, go back to the article on backups.)

As with a hack, a ransomware attack should be reported to the authorities. In fact, that may become a moot point, as many ransomware attacks become known because the company affected has probably been paralyzed by having its data locked up.

Should you pay the ransom? Most law enforcement agencies say no. A recent survey by CSO of businesses across different industries shows that 66 percent of the respondents say they would never pay a ransom. In a separate survey it was found that 65 percent of companies that suffered a ransomware attack paid the ransom.

Ransomware is a big business. In 2019, the cost of ransomware was estimated to be $7 billion in paid ransoms and time/business lost. This represents a 15X increase over what was determined in 2017. Big ransoms and the large companies involved make the news, and those payments are sometimes in the millions of dollars. Today, the majority of large ransomware demands are in cryptocurrencies, making it more difficult to trace the money and who gets it.

On the other hand, most ransomware demands are made against smaller companies, with ransoms in the range of $2,000 to $2,500. The payment of a ransom is often determined by a cost-benefit analysis of the amount of the ransom versus the lost time and business, making these smaller amounts more palatable, and mostly explains the 65 percent payment number above. Still, here is the part of the equation that usually gets overlooked. Once a cybercriminal finds out you’ll pay, they probably will be back.

Leakware

Leakware is an offshoot of ransomware. This starts with a ransomware attack, with the attacker threatening to make public personal information from the data unless a ransom is paid. The exposure of confidential data often makes the targeted company nervous about possible liabilities and makes them susceptible to paying the ransom.

The protections and protocols mentioned above concerning hacking and ransomware apply to leakware as well.

The above threats come mostly from external sources. There are other dangers to your business data as well from internal and natural sources. I’ll address those in the next article in this series.

Regardless, the best defense for any of these threats is to not become a victim. The procedures and protocols that have been discussed in this series will help to preclude a successful attack. Your systems administrator should be taking proactive steps to protect your systems and data. Make sure you have that discussion with them. 

Questions? Comments? Contact Steve Bina: steve@humanpoweredsolutions.com

INFORMATION TECHNOLOGY PART 4: BACKING UP

How you back up your data, and how often, is as important as, maybe more so than, anything I’ve written so far about information technology in the bicycle business.

This article on backing up data does not mean your company won’t run the risk of losing data or having it compromised. However, taking these steps may well allow you to rebuild quickly or keep your business running should the unthinkable happen.

Keeping your systems and data secure is as important as making sure your inventory is secure and accurate. In some ways managing your inventory is easier. It has a physical presence. You can see it, touch it and count it. Your business data is a non-physical asset. Like your physical inventory, your data takes up space, albeit in a much more compact form than a back room filled with bikes, parts and accessories. Knowing where specific parts of your data are stored and how often that inventory is “counted” (updated) is just as important as, and maybe more so than, your physical inventory itself. Having an accurate and timely backup of your business’s data not only prepares you for a time when your systems go down, but can mitigate other data threats (which I’ll talk about in the next article).

How often should your business data be backed up? Let me expand on the comparison I’m making between your business data and your physical inventory. If you’re like most businesses, you have different categories or types of physical inventory based on value and/or usage. You also likely do inventory counts on a staggered basis. Some items may get counted on a weekly basis, some monthly, some quarterly, and some annually. You do this to ensure your inventory is accurate, so that you can correctly calculate the cost of sales and profitability and prepare an accurate balance sheet.

Business data can be viewed the same way. You can, and should, determine what data needs to be backed up and how often.

Important data (sales receipts, employee time/payroll, etc.) should be backed up every day. Employee records, inventory counts and values and other less critical data can be backed up less often, but probably not less than weekly. A general rule of thumb is to err on the side of backing up more often rather than less often.

If you have software that helps manage your business data, it likely has an automatic backup facility that will perform at regular pre-determined intervals. If you aren’t using data management software, you can still do manual backups. Manual backups should also be done at regular pre-determined intervals. Backups are almost always done when systems are not in use, meaning after business hours, so having automatic backups scheduled means you don’t have to spend extra time at your place of business.

When you perform backups, the recommendation is the 3-2-1 rule: three copies of your data, two local (on different devices) and one off-site. For most businesses, this means the original data on your computer, a backup on an external hard drive, and another on a cloud backup service. A mix of internal and external/cloud location is critical to make sure your data is protected and can be quickly retrieved if necessary. 

While it is generally agreed that backups need to be done at regular intervals, the next question is what type of backup is appropriate. There are four basic types of backup: full, incremental, differential and synthetic full. Let’s look at each and define what they are.
 
Full Backup

A full backup is exactly what the name implies. It is a full copy of the entire data set of your business. Although a full backup usually provides the best protection, many businesses do not need to do them on a daily basis. The files that are to be copied during the full backup process are designated beforehand by a backup administrator or other data protection specialist.

If you haven’t been doing backups in your business, a full backup is the place to start. The first full backup becomes the baseline against which subsequent backups will be compared and applied.

Full backups consume the most tape or disc capacity and are time consuming, as they back up the most data. Full backups only need to be done once, though you may decide that on occasion a new full backup should be done. But keep in mind the 3-2-1 rule. You shouldn’t be making just one copy, and each copy will require adequate storage. The second article in this series addressed finding out how much data you have, which was leading to this, so you would know how much storage, both internal and external (cloud), would be required.

Incremental

Incremental backups are a way to increase backup speed and decrease storage space compared to doing a full backup. Incremental backups only back up data that have changed since the last backup.

As an example, suppose you created a full backup on Saturday evening, and used incremental backups for the rest of the week. The backup done Sunday evening would only capture the data that changed since Saturday. The backup done Monday evening would only capture data that changed since Sunday, and so on.

The primary disadvantage of using incremental backups is they can be time consuming when a restore is required. Using my previous example, suppose you wanted to restore the backup from Tuesday. To do so, you’d have to restore Saturday’s full backup. After that you’d have to restore Sunday’s backup and then Monday’s backup.
Additionally, if any one of those backups is damaged or missing, you will have an incomplete data recovery.

Differential

Differential and incremental backups are similar as both start with a full backup, and subsequent backups contain only data that have changed. The difference between differential and incremental backups is that an incremental backup only includes data that have changed since the previous backup, while a differential backup contains ALL of the data that have changed since the last full backup.

As an example of a differential backup, suppose you wanted to create a full backup on Sunday evening, and differential backups the rest of the week. Monday’s backup would capture all the data that have changed since Sunday. At that point it would then be identical to an incremental backup. However, on Tuesday the differential backup would back up any data that had changed since Sunday as well.

The advantage a differential backup has over an incremental backup is shorter restore times. In any scenario where downtime is critical, such as disaster recovery, rapid restore is important. Restoring a differential backup never requires more than two backup sets. Incremental backups could require numerous additional backup sets. The tradeoff is that, as time progresses, differential backups can grow to contain much more data than incremental backups and require additional storage resources.

Synthetic Full

A synthetic full backup is a variation of an incremental backup. The backup routine begins with taking a full backup followed by a series of incremental backups. Synthetic backups take it a step further.

What differentiates a synthetic backup from an incremental backup is the backup server actually produces a full backup. This is done by combining the existing full backup with data from the combined incremental backups. This creates a synthetic backup that is indistinguishable from a full backup created the traditional way.

The primary advantage of a synthetic full backup is it significantly reduces the time needed to do data restoration. Restoring a synthetic full backup does not require multiple tapes or disc sets like an incremental backup. 

What type of backup you choose depends on how often you want to do a backup, what your need is to possibly restore data, and how much capacity you have, internally and externally, to store the backups. This is a conversation you should have with your system administrator. It’s also important to periodically review your backup requirements and protocols as your business needs may change. 
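The restore behavior of the backup types described above can be made concrete with a small model. The following is an added example, not taken from any backup product: the file names, the four-evening history (full backup on Saturday) and the function names are constructed for illustration, and files are assumed to be added or changed but never deleted.

```python
"""Restore chains for full, incremental and differential backups."""
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: str
    kind: str             # "full", "incremental" or "differential"
    files: dict           # path -> content captured by this set
    intact: bool = True   # False models a damaged or missing set


def take_backups(history, kind):
    """Full backup on the first day, then `kind` backups on every later day.

    history is a list of (day, {path: content}) snapshots of the live data.
    Assumption: files are only added or changed, never deleted.
    """
    (first_day, first_state), later = history[0], history[1:]
    sets = [BackupSet(first_day, "full", dict(first_state))]
    last_full = last_backup = first_state
    for day, state in later:
        # Incremental compares with the previous backup of any kind;
        # differential always compares with the last full backup.
        reference = last_backup if kind == "incremental" else last_full
        changed = {p: c for p, c in state.items() if reference.get(p) != c}
        sets.append(BackupSet(day, kind, changed))
        last_backup = state
    return sets


def restore_chain(sets, day):
    """Return the backup sets, in order, needed to restore the data as of `day`."""
    target = [s.day for s in sets].index(day)
    start = max(i for i in range(target + 1) if sets[i].kind == "full")
    if sets[target].kind == "differential":
        return [sets[start], sets[target]]      # never more than two sets
    return sets[start:target + 1]               # the full plus every increment


def restore(sets, day):
    """Replay the chain; refuse to return partial data if any set is unusable."""
    chain = restore_chain(sets, day)
    broken = [s.day for s in chain if not s.intact]
    if broken:
        raise RuntimeError(f"cannot restore {day}: damaged set(s) {broken}")
    data = {}
    for backup in chain:
        data.update(backup.files)
    return data


def synthesize_full(sets, day):
    """Merge the chain for `day` into one set, as a synthetic full backup does."""
    return BackupSet(day, "full", restore(sets, day))


# Constructed sample: the state of three business files on four evenings.
HISTORY = [
    ("Sat", {"sales.csv": "v1", "payroll.csv": "v1", "inventory.csv": "v1"}),
    ("Sun", {"sales.csv": "v2", "payroll.csv": "v1", "inventory.csv": "v1"}),
    ("Mon", {"sales.csv": "v3", "payroll.csv": "v2", "inventory.csv": "v1"}),
    ("Tue", {"sales.csv": "v4", "payroll.csv": "v2", "inventory.csv": "v2"}),
]

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        sets = take_backups(HISTORY, kind)
        synthetic = synthesize_full(sets, "Tue")   # built while every set is healthy
        print(kind, "chain for Tue:", [s.day for s in restore_chain(sets, "Tue")])
        sets[2].intact = False                     # Monday's set is lost
        try:
            restore(sets, "Tue")
            print("  Tue still restorable without Monday's set")
        except RuntimeError as err:
            print(" ", err)
        print("  synthetic full restores:", restore([synthetic], "Tue"))
```

Losing Monday's set breaks the incremental restore of Tuesday but not the differential one, while Tuesday's differential set carries three files against the incremental set's two.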

You also should be doing backups on other devices used in your business. Your smart phones and tablets also need to be backed up to make sure all the data you depend on can be restored when needed.

Next time I’ll discuss the data threats to your business and devices.

Comments? Contact Steve Bina: steve@humanpoweredsolutions.com

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 3, PASSWORDS

The initial article in this series dealt with systems used by your business and who should have what kind of access. In most cases, access is granted by the system administrator and conferred by a password. This makes password discipline an important component of your data security.

This discussion on password discipline does not mean your company won’t have a systems breach or that data will not be exposed. However, password security and protocol is a good first-line defense and hopefully you will find some best practices in this article you can incorporate in your business.

Is password security a big deal? Yes, it is. How passwords are created is a key to greater systems security. In a major systems hack in 2020, over 32 million passwords were compromised.  Around 1% (320,000) of the passwords were “123456.” The next most commonly used password was “12345” followed by “11111”, “qwerty” and “abc123.”

In 2021 there were 1,862 data breaches, according to CNET. There were also 2,690 ransomware attacks. Both of these numbers represent double digit percentage increases from the previous year. They also represent only the attacks that were reported. It is not unusual for companies to not publicly report a hack or ransomware attack to lessen any panic or embarrassment.

When you or your employees create passwords, there should be a format so you don’t end up with the type of passwords shown above. Passwords should never use personal information such as the user’s name, age, birth date, pet’s name or anything else that might be found on-line.

Passwords should include a combination of letters, upper and lower case, numbers and characters. That may seem like common sense, but people don’t want to have to remember complex passwords, and may forget them if they don’t use them every day. Strong passwords can be easy to remember but hard to guess. A couple of examples: Iam:)2b29 (I am happy to be 29) and 2B-or-Not_2b (to be or not to be).

Another security protocol is that passwords should not be reused. Users, in an attempt to remember passwords for multiple systems, will use the same password for each system: e-mail, social media, payroll, accounting, POS and more. Two recent breaches revealed a password reuse rate of 31% among victims. Reusing passwords is bad enough when someone outside your business is trying to get access to your data, but also presents a significant and often overlooked risk internally.

Passwords should not only be system specific, but individual specific too. Being able to see who logs into systems used by your business allows for audit if data goes missing or is compromised. Like so many other threats to your business, bad actors are not always external, so being able to track internal data access is important.

How often should passwords be changed? The thinking on that is evolving. The original recommendation was to change a password every three months. That recommendation made sense initially, but thinking has changed somewhat. A cyber security consultant at intrust IT told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password” (emphasis mine). So should you regularly force password changes or not?

The emphasis above about a strong and unique password cannot be overstated. Let’s start with some best practices for strong passwords.

Never reveal your password to others. This may seem logical, but many times employees share a password in an attempt to simplify system use and in a misguided sense of efficiency. Employees may feel they have been denied access to some systems to which they should have access to do their job, or that management made a “wrong” decision. A way around that is to use a password from someone who does have access.

Use different passwords for different accounts/systems. This may also seem logical, but as noted above employees will move towards what is easier for them. Many times that manifests itself by using one password for all systems.  

Length trumps complexity. The longer the password, the more difficult it is to crack. Is the extra digit a capital letter? Lower case letter? Number? Special character? A brute force attack against a 6-digit password would take around 22 hours, an 8-digit password 46 hours, and for a 10-digit password an average 2 years.

Complexity still counts. Use a combination of upper and lower case letters, numbers and characters. A gibberish (y_?\E4Dj) password is better than one actually made up of words. Note the sample here and the two examples given earlier.
  
The question remains, should you change your passwords regularly? The answer comes back to how strong and unique the passwords being used are. Obviously you can police your own passwords. Establishing protocols for your employees, along with inspection, will ensure they too will create strong passwords.

If you think one of your systems has been compromised, you should change your passwords immediately. When an employee leaves, you should change your passwords. While it may seem the parting was on good terms, things change. Just because you think an employee leaving was to go back to school, a better job or a relocation, doesn’t automatically make it so.

Something could change and that “friendly” parting might change, so why take the risk? The former employee may end up working at a competitor and decide getting a list of your customers, your inventory or profit margins would make them more valuable. Of course, something more sinister might happen, so protecting your data is always the best thing.

Earlier this article mentioned hacks and ransomware attacks. Both are targeted at your business data, but with slightly different purposes. If your systems get hacked, it may be to get a look at and/or copy some of your business data. Hackers could look at your customer credit card numbers, phone numbers, addresses and more. They could look at the financial information about your business like bank account numbers and personal information on your employees. This information may be sold and/or used to steal identities and cause significant problems for you, your customers and employees.   

A ransomware attack also targets your business data. Instead of just looking at the business data, a ransomware attack will encrypt your data or make it unusable to you. The endgame is to get your business to pay a ransom for a key to unlock your data. Most ransoms are requested in a crypto-currency in return for an electronic key.

Either of these attacks should be reported to the authorities to allow tracking and hopefully keep this from happening to someone else. It also allows the opportunity to alert customers their information has been compromised and to quickly make changes and look for fraudulent charges.

As mentioned earlier, password security is a big deal. I’ve touched on two external threats but there are others both external and internal.  In a future article, I’ll address those and how and where you can back-up your data to minimize those threats. 

Thoughts? Contact Steve Bina: steve@humanpoweredsolutions.com.

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 2

In Part 1 of this series, there was a discussion leading to a better understanding of the systems used in your business, how they function, how they are administered, and who should have what kind of systems access. The last article also talked about the data each system generated, captured, saved and analyzed.

In this installment, we’re going to explore what kind of data you have and how that data could be managed. Some of the systems used in your business may be managing the data automatically. Maybe that is the case, but more than likely the management of your data is a manual process.

As before, this topic and the things we’ll discuss won’t guarantee you’ll never have a systems or data problem, breach or loss of data. But hopefully this will provide tips that will minimize the chances of that happening.

The first and very significant question you need to answer is how much data do you have. That should be a simple question to answer yet, more often than not, the answer is, “I don’t know.” The business owner will say their computer or server has X number of gigabytes and since there is still empty space there can’t be more data than that. The short answer is that’s correct, but may not be accurate.

Computers and servers host all types of software. That takes up a lot of space on the hard drive. In some hardware configurations there may be multiple hard drives, some that host the software and some that host the data. Which brings up the issue of where you store your data. In house? In the cloud? With a managed service provider (MSP)?

Where data gets stored may seem like a simple issue but has a number of facets to consider. How often will you need access to the data? For example, data from a point-of-sale (POS) system will, hopefully, see many inputs during the business day. As I mentioned in the first article, how your business systems interface with each other is crucial.

A sale processed through your POS system will have data points needed for your accounting system and inventory system at a minimum. Your business may also wish to capture data points on the customer, the date of purchase, the reason for the purchase, whether a promotion of some kind brought the customer to your business, if this sale was to a new or repeat customer, whether the customer was local, and other relevant data points. Not all of this data needs to be stored on your business computers or servers. It could be but would it truly be necessary? There are options to consider.

Another example is e-mail correspondence. When an e-mail is written and transmitted, every person keeps a copy. It can be saved or deleted at your convenience. If the e-mail is written and sent to a single person there are two copies, one for the sender and one for the recipient. What happens if the e-mail is copied to a couple of people in your business to keep them informed? Each person now has their own copy saved somewhere on your company’s computer or server. This is something almost no one thinks about. Over time it can consume a LOT of disk space, especially if there are attachments.

If all your data is kept on your computers and servers, are you also running some data protection or data management software? If you aren’t, you probably should. There are numerous companies that offer this kind of software. Your systems administrator, the company that oversees your hardware and/or industry organizations should be able to make recommendations.

One feature to look for when considering data management software is deduplication. This is a feature that eliminates the kind of duplication I described with the previous e-mail example. Typically, a record that is deduped will still retain a “stub” that, when called upon, will allow recall of the original record for display.
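How deduplication with stubs works can be shown with the e-mail case above. This is an added example, not code from any data management product: the `DedupStore` class, the `deliver` helper, the mailbox names and the 1 MB message are all constructed for illustration, and using a SHA-256 digest of the content as the stub is an assumption.

```python
"""Content-addressed deduplication with stubs."""
import hashlib


class DedupStore:
    """Keeps one physical copy of each distinct record; callers hold stubs."""

    def __init__(self):
        self._blobs = {}        # SHA-256 digest -> record bytes, stored once
        self._refs = {}         # SHA-256 digest -> number of stubs in use
        self.logical_bytes = 0  # what storage would cost without deduplication

    def save(self, record: bytes) -> str:
        """Store a record and return its stub (the digest of its content)."""
        stub = hashlib.sha256(record).hexdigest()
        self._blobs.setdefault(stub, record)
        self._refs[stub] = self._refs.get(stub, 0) + 1
        self.logical_bytes += len(record)
        return stub

    def recall(self, stub: str) -> bytes:
        """Follow a stub back to the original record."""
        return self._blobs[stub]

    def delete(self, stub: str) -> None:
        """Drop one stub; the record itself goes only with the last stub."""
        self.logical_bytes -= len(self._blobs[stub])
        self._refs[stub] -= 1
        if self._refs[stub] == 0:
            del self._refs[stub], self._blobs[stub]

    @property
    def stored_bytes(self) -> int:
        """Bytes physically held after deduplication."""
        return sum(len(blob) for blob in self._blobs.values())


def deliver(store, mailboxes, sender, recipients, message):
    """File a copy of the message for the sender and every recipient."""
    for person in [sender, *recipients]:
        mailboxes.setdefault(person, []).append(store.save(message))


# Constructed sample: a 1 MB e-mail with attachment, copied to three colleagues.
MESSAGE = b"Q3 price list attachment " * 40_000

if __name__ == "__main__":
    store, mailboxes = DedupStore(), {}
    deliver(store, mailboxes, "owner", ["manager", "mechanic", "sales"], MESSAGE)
    print("copies filed:   ", sum(len(box) for box in mailboxes.values()))
    print("logical bytes:  ", store.logical_bytes)
    print("stored bytes:   ", store.stored_bytes)
    # One person deleting their copy must not remove it for everyone else.
    store.delete(mailboxes["owner"].pop())
    print("still readable: ", store.recall(mailboxes["mechanic"][0]) == MESSAGE)
```

Four mailboxes hold a stub each, but the message occupies disk space once, and it is physically removed only when the last stub is deleted.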

Another feature to look for is data metering. Most data management software will use “upfront” metering, meaning data is measured when it is first input through the software. This is important as most data management software products are priced by the amount of data they protect. With upfront metering, any backups or subsequent internal copies are not counted against the purchased capacity.

So, where is your data stored? Earlier I asked this question. Now I’ll talk about the alternatives.

I spoke recently with a business owner and asked him that question and was slightly stunned by his response. He told me “All the data in my business is stored on a couple of one terabyte thumb drives.” That may work, but certainly would make any retrieval or analysis of that data problematic. The question I was really asking him was where is his data stored, on-site, off-site or in the cloud. There are pluses and minuses to each, so you need to understand them to make the best decision for your business. There is no right or wrong answer, but how your business intends to use the data will have an impact on where it’s kept.

Having all your data stored on-site is fine when you have a handle on how much data you have, how often you need access to that data (some or all), and how you intend to analyze the data to help run your business. However, keeping all the data on-site may cause problems with actual storage and disaster recovery, something I will talk about in subsequent articles.

Having all the data off-site also is workable when you understand how much and what kind of data you are managing. It makes disaster recovery less of an issue, though it really just pushes the issue downstream. Is the facility that is storing the data able to recover and restore if they suffer a disaster? If so, how long will they take to restore the data so your business can get up and running?

Storing off-site also may make it more difficult to retrieve data in a timely manner, requiring advance planning to make sure data is available and accessible.

Another consideration is cost. Most data storage facilities, commonly called managed service providers (MSPs), charge storage by the gigabyte per month. The question your business should investigate is whether the storage fee is more or less expensive than the cost of having your own storage and maintenance of that storage. And note, some MSPs will offer a hybrid solution where they manage the data both on-site on your infrastructure, and off-site on their infrastructure.

Finally, understanding how much and what kind of data you have is also important when considering a cloud solution. Most cloud solutions closely resemble what is described above as an MSP with one big difference. Cloud data is always off-site storage and usually can be accessed from almost anywhere from almost any computer with the right credentials. (If you didn’t read the first installment about systems access in the February Micromobility Reporter, now might be a good time if you’re considering a cloud solution.)

Now that the business is thinking about how much data it has and where it should be stored, you also should be thinking about how you curate your data. The primary consideration is the legal requirement for data retention in your jurisdiction. Of course, not all business data will be subject to legal requirements, so seek counsel on what needs to be legally retained and for how long. And as important as it is to retain certain data for a specified period of time, it is just as important to delete data that is no longer legally required. Why? Should the business ever get audited, it will only be required to produce data within the legal retention requirements. If the business has been inconsistent with when/what data is deleted, it could be deemed suspicious and lead to a prolonged audit.

If the business is paying for off-site storage, you will want to properly manage the amount of data being stored since that will be the basis of your monthly bill.

In my first article I discussed the importance of who has access to the systems in your business and the interfaces. The same care needs to be applied to the curation of the data the business creates. Likely this isn’t something you’ve spent a lot of time considering. Who has the ability to delete or retain data could have a huge impact on your business.

Managing your data and where it is stored can help your business run more smoothly and provide timely information. The next article will discuss system and password security.

Questions? Comments? Contact Steve Bina, steve@humanpoweredsolutions.com