Archive for the ‘IT Systems’ Category

Network Security Measures on Vacation

Sunday, June 24th, 2012

As the summer travel season begins, hackers will no doubt increase their attempts to exploit vulnerabilities in airports and hotels. Business travelers and those who conduct some business while on vacation should exercise care when using unsecured WiFi networks in airports, hotels and other public places. In addition to personal identifying information, business and trade secrets may be at risk. The FBI recently advised travelers of the risks of malware attacks to laptop computers over hotel WiFi networks. Exercise caution yourself and remind your employees that all of the usual security protocols apply even when using the business laptop, tablet or cell phone while on vacation. And given what national security officials consider to be an increased threat risk, consider the following:

  • Prepare before the trip. Before you travel, confirm that your anti-virus software is updated on your laptop and all sensitive files are securely encrypted. You may wish to change your passwords both before and after travel.
  • Limit your online activities to when you have a secure Internet connection. Security breaches more commonly occur when travelers are using WiFi or, even worse, free WiFi. Sometimes “free” can be very expensive! If you can, refrain from online work until you are certain of a safe Internet connection.
  • Stay current on alerts. The latest travel-related scam involves phony airline e-mails offering convenient online check-in. The recipient clicks the link and is unaware that his information is being tracked from that moment.

And be aware of your environment. When you have the laptop at the hotel pool, you will be less vigilant than you would be while sitting at your desk. Don’t let your relaxed setting lull you into taking needless risks.

LinkedIn Security Breach Affects User Passwords

Thursday, June 7th, 2012

Don't Type the Obvious

The reports of compromised passwords for social networking site LinkedIn remind us of the importance of password security. A Russian hacker’s website has published more than 6 million passwords for LinkedIn (a social media site for business users to make connections) and 1.5 million passwords for eHarmony (an online dating site). The passwords are encrypted, but the hacker site is inviting other hackers to help decipher them. The company announced that the passwords were not necessarily compromised, but there was a risk. Less than a day after the announcement, hackers had broken more than 60% of the passwords. LinkedIn has announced that it will send e-mails to account holders explaining what has happened and how users can reset their passwords. The e-mails will not include links, which is critical for security as fraudsters have already begun sending out phishing e-mails.

As a precautionary measure, LinkedIn users ought to change their passwords by logging into LinkedIn and clicking their name in the top right-hand corner, which opens a small drop-down menu in which “Settings” appears. Click “Settings” and click “Change” next to “Password”. Enter your current password and create a new one. Be sure to select a strong password, one that cannot be easily guessed. Passwords such as “123456” or “qwerty” or “password” are useless for security purposes. Select a combination of letters (both caps and small letters), numbers and other characters to make the password more difficult to guess. Don’t use the same password for multiple sites as it makes life easier for the hackers. Keep your small business secure by staving off complacency. The news of the hacker attack on LinkedIn offers an opportunity to remind your employees of the importance of computer security.

You Are Responsible for IT Strategy

Friday, May 18th, 2012

Stefan Dietrich PhD, my IT guru and co-author, has an excellent post on Forbes titled “Why You Cannot Rely on Vendors for Your IT Strategy”. The text of the article suggests a focus on large enterprises with a corporate Chief Technology Officer, but the insights apply to small businesses as well. I appreciated two points in particular. First, he writes that choosing the wrong information technology strategy can be extremely costly. Indeed it can, and one of the advantages of being a smaller enterprise is that we need not be confined by outdated legacy systems. But if we are passive in our approach and allow our vendors to dictate our IT strategies to us, then we have surrendered a key source of competitive advantage: the nimble and responsive nature of small businesses. And smaller businesses have to husband limited resources more carefully; we cannot afford the long-term costs of bad IT strategy decisions. The costs of bad decisions exceed the costs of inappropriate hardware and software purchases; the costs represent the lost opportunity and limited alternatives that are the result of being locked into decisions that benefited the vendor, not your business. The second point in the piece that really resonated with me was the needless complexity that results from vendor-dictated solutions. Their interest is promoting their offerings, not your productivity.

I recently held a conference call for my classmates from the Owner President Management Program (“OPM”) of the Harvard Business School featuring Stefan as our speaker. OPM is an executive education program HBS offers for founders of fast-growth entrepreneurial companies. The call was organized in response to a query from one of our classmates concerning choices in IT and telecommunications systems. Her message resonated with the class, as many of us have a “me-too” story of frustration with the lack of transparency in comparing IT solutions. Stefan was as candid on the call as he was in his Forbes article. We finished the call with a consensus view that we needed to take an active role in charting IT strategies for our business. Many of us had taken passive roles in deferring to the “experts” only to be disappointed with the outcome. Do read the article and pass it on to others. You will find it helpful in framing your thinking about IT strategy.

Cost-Effective Preparedness Solutions

Thursday, September 23rd, 2010

Forbes has posted an interesting commentary piece on the critical need small businesses have for cost-effective disaster preparedness solutions. Because small businesses cannot diversify their risks, they are more vulnerable to disasters than big businesses and have fewer resources from which to rebuild. In the first edition of Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses, Stefan wrote that while network failures are relatively rare, the network is a good first test of how far contingency planning has progressed. He added, “When someone tells you that their network is completely protected and fail-safe, tell them that you would come over to their office and ‘pull the plug’ on any one network cable. Observe their response!” So I really enjoyed Forbes’ account of one small businessperson who, in a live test for his management, unplugged a file server and then walked over to his desk to manually trigger a failover to the remote copy. That’s confidence! Check out the article. It is a good read.

Small Business Lessons from the SEC Settlement

Thursday, July 15th, 2010

The Securities and Exchange Commission announced this afternoon that it had reached a settlement agreement with investment bank Goldman Sachs in connection with fraud charges it had filed in April. There is a lesson here for small business owners about electronic file management! Earlier this year, the Congressional Financial Crisis Inquiry Commission subpoenaed Goldman Sachs to produce certain documents to inform the Commission’s investigation into the causes of the 2008 banking sector meltdown. The Commission is to issue a report of its findings in December. Goldman complied with the subpoena and then some, by turning over 2.5 billion documents, which enraged Commissioner, and former California Treasurer, Phil Angelides. “We did not ask them to pull up a dump truck to our offices to dump a bunch of rubbish,” said Angelides. “We should not be forced to play ‘Where’s Waldo?’ on behalf of the American people.” The Hill mocked the Commissioner’s reaction, asking if he really thought that Goldman would just “pick out the documents that make it look like it caused the crisis and perhaps even highlight the really damning stuff in yellow.”

I suspect that the ability to comply so readily and so generously with subpoenas likely tipped the negotiations in Goldman’s favor. Back in 2005, I had occasion to speak at a small business protection event sponsored by Hewlett-Packard and Agilysys in San Diego. John Hinkle and Chris Fulton of Agilysys shared their observations of plaintiffs attempting to motivate quick, default settlements on civil claims against corporate defendants that could not furnish subpoenaed documents in a timely manner. On the other hand, those that had their electronic files in order and could comply immediately found that the suits against them were often dropped. Why? Because the plaintiffs lacked the resources to play “Where’s Waldo?” with vast quantities of the files and documents that they themselves had demanded. So protect your business by making sure your documents are backed up, online and offsite, and available for quick retrieval. This practice will protect your business against legal threats as well as physical hazards.

Digital Spring Cleaning

Tuesday, April 20th, 2010
It's That Time of Year

It’s time for digital spring cleaning for your business computers. If you use a single computer for your business, as in a home-based sole proprietorship, for example, you should regularly schedule maintenance tasks, such as clearing out your caches and de-fragging your hard disk. (Your computer stores information in various places on the hard disk, as if the information were a book taken apart, with individual chapters placed here and there. When you de-frag the computer, you optimize the use of your hard disk space and your computer’s performance.) If you have more than one computer, you will follow a different set of procedures to maintain your network more efficiently. Everyone should get rid of the digital clutter – make sure files are properly stored on network drives and not individual hard drives – and I particularly like to clean up the dizzying array of icons that finds its way onto my desktop. I also make sure my operating system is up to date, old applications that are not likely to ever again be used are removed (unless I think I will have need for them to open an archived file), and older files are properly archived. Check to make sure your e-mails are organized into named folders for prompt retrieval. Clutter does build up over time in your computer. Putting everything in apple-pie order will give you a sense of calm efficiency.

Data Backup Is Not The Same As Disaster Recovery

Sunday, December 6th, 2009

National Underwriter conducted a teleconference to discuss small business disaster preparedness and, surprise – the panelists who spoke reported that small businesses are not prepared to work through disruptions. David Paulison, former executive director of the Federal Emergency Management Agency, stated “small businesses that don’t have a plan in place generally don’t survive after a disaster, whether it’s a flood or a tornado. We see that anywhere from 40-60% of those that are hit like that simply don’t come back to business.” Also participating in the teleconference was Bob Boyd, chief executive officer of Agility Recovery Solutions, who shared the findings of a survey of more than 700 business owners his company had conducted with Hughes Marketing Group. According to that survey, over the past two years, more than half of businesses experienced interruptions that affected productivity. The survey also reported that:

  • 90% of smaller companies (<100 employees) surveyed spend less than one day per month maintaining their continuity plans;
  • 22% spend no time maintaining their plans; and
  • 20% of larger companies (>100 employees) spend more than 10 days per month on their continuity plans.

Mr. Boyd pointed out that a data backup plan is not a disaster recovery plan. “The best data in the world are useless if you cannot make use of it.” Indeed, in Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses (Wiley, second edition, 2008), I shared the example of a business based in the World Trade Center that had backed up its data. Sadly, the only employees who knew how to recover the data and work with it perished on 9-11. It bears repeating: you have invested too much in your business to leave it unprotected.

Symantec’s Small Business Preparedness Survey

Wednesday, November 4th, 2009
Moving Pieces

Symantec Corp. announced the findings of its 2009 SMB Disaster Preparedness Survey, which reveals a large discrepancy between small business perceptions of disaster preparedness and the less flattering reality. While 84% of small businesses surveyed reported that they feel very protected for disaster and expect their customers to be patient with them while they recover from an outage, this is inconsistent with their own practices with vendors. While 42% of small businesses switched vendors because they believed the vendor’s systems to be unreliable, 65% expected customers to wait for them to recover from their own disasters. (The study included more than 1650 respondents from 28 countries in North America, EMEA (Europe, Middle East and Africa), Asia Pacific and Latin America.)

Disruptions are frequent: the average small business has experienced three outages within the past year, with the leading causes being virus or hacker attacks, power outages or natural disasters. Yet nearly half do not have a plan to respond to such disruptions. The survey found that only one in five (23 percent) small businesses back up daily and an average small business backs up only 60 percent of their company and customer data. More than half estimate they would lose 40 percent of their data if their computing systems were wiped out in a fire. The small businesses surveyed estimated the cost of these outages as being $15,000 per day on average, with 42% of outages lasting eight or more hours. One-quarter reported losing important business data.

In connection with the study, Symantec put forward the following recommendations, which are consistent with what I recommended in Prepare for the Worst, Plan for the Best: Disaster Preparedness and Recovery for Small Businesses (Wiley, second edition, 2008):

Determine your needs: Take time to decide what critical information should be secured and protected. Customer, financial and business information, trade secrets and critical documents should be prioritized. Monitor industry reports that help to identify and prevent threats that your business faces.

Engage trusted advisors: With limited time, budget and employees, you should look to a solution provider to help create plans, implement automated protection solutions and monitor for trends and threats to your business. They can also educate employees on retrieving information from backups when needed and suggest offsite storage facilities to protect critical data.

Automate where you can: Automating the backup process ensures that it is not overlooked. You can reduce the costs of downtime by implementing automated tools that minimize human involvement and address other weaknesses in disaster recovery plans.

Test annually: Recovering data is the worst time to learn that critical files were not backed up as planned. Disaster recovery testing is invaluable and you should seek to improve the success of testing by evaluating and implementing testing methods which are non-disruptive.

Fake Security Software Threatens Computers

Tuesday, October 27th, 2009
Not Always What It Seems

According to software company Symantec, tens of millions of computers across the U.S. are infected with scam security software that their owners may have purchased, but which only leaves them more vulnerable. The owners are duped into providing their credit card and other personal information when a fake security alert pops up as the computer user accesses a legitimate website. The alert claims to have found a virus and offers to correct it with security software. In fact, the alerts are established by very sophisticated cyber-thieves. Symantec found 250 varieties of scam security software with names that appear legitimate, such as “Antivirus 2010” and “SpywareGuard 2008”. Actually, I found one such infection on my parents’ computer identified as “antivirus.exe”. About 43 million downloads of the scam software were attempted in the past year, but it is unknown how many succeeded. To increase their reach, the cyber-thieves recruit middlemen who earn between one and 55 cents each time a person downloads the software. One such site, which is now closed, reported that its leading affiliates earned as much as $332,000 monthly for selling scam security software. The refined affiliate sales model is very sophisticated and can confound your small business security efforts. Educate your employees not to click on any such alerts and only purchase security software from a trusted source, not one that is pushed out to you from the web.

Beware of Scareware

Thursday, July 9th, 2009


Scareware consists of deceptive advertisements that pop up on websites where criminals have purchased such ads. The pop-up announces that your computer is infected and asks you to click on a box to run a free scan of your computer. If you accept the offer, the scan claims to find a viral infection on your computer. It then helpfully offers you the chance to buy security software to clean this virus. When you accept the offer, the software takes you to an online shopping cart to collect your credit card information. If you back out of the offer at this time, the system will badger you with endless fake scans. Scareware is distributed by a number of means: websites, online social networking sites, Twitter and others, so you must always be vigilant.

Should you encounter what appears to be a Scareware warning box, press Ctrl-Alt-Del to access Task Manager, click the Applications tab, scroll to the dialogue box, and click “End Task.” This will force the warning box to close. If you don’t stop at this point, it will be very difficult to stop the attack. You can try running Microsoft’s Malicious Software Removal Tool, or cleanup tools from the antivirus software you use.