SPAM Exists, Get Over It

November 2, 2009

In the “old days”, circa 10 years ago, to avoid E-Mail SPAM you bought anti-spam software and your IT staff would spend hours tweaking the rules that the software used to decide what to block (and what not to block).

These filtering rules got pretty complex, as spammers quickly learned not to use the plain word. You have probably seen SPAM emails with misspellings like this in the title: Viagra, V1@gr@, vi@6ra ... you get the idea.

The trick was to build filters that would catch as much of that crap as possible, but without stopping the legitimate e-mail.

Today?

Anti-spam tools now are mature and can be contracted out to service providers for about 2 bucks per person per month. These tools are now mathematically driven and rarely (but still occasionally!) block legitimate e-mail.

The point is: there is no excuse any more for your staff to wade through hundreds of SPAM emails looking for the few that are not SPAM.

You can get updates to this blog by clicking the RSS icon on the Home Page!

I know, I know! Too often there is a poor perception of the IT function, staff, or service providers in our SME businesses.

And as Michael Hugos at CIO.com points out, the IT staff often contribute to this negative perception!

While there are a dozen ways that your IT staff or provider can shoot themselves in the foot this way, often this perception of IT can be created and reinforced through jargon-laced techno-babble, poor communication and circular logic on the complexity that makes up IT.

Mr. Hugos brings up two great questions for IT leaders;

How can we in IT more actively include people in discussions about possible solutions? How can we more actively include them in implementing these solutions?

But It Can Take Two!

IT must clean up its own image, and must be seen as contributing to solutions, not as being a roadblock to them. I agree with that 100%.

However, I also think that in many cases managers and executives in the small to medium business can also be unintentionally contributing to this negative perception about their IT function.

How?

Simple; they do this by keeping IT as invisible as servants in a medieval castle.

Keeping your IT staff invisible, and locked outside the doors of any communication and conversation about goals and strategy truly leaves your IT team in the dark about methods of collaboration that can contribute to working solutions.

A second issue for many senior managers at SMEs is that too often we can fail to take the trouble to even help ourselves when it comes to technology. This leaves open risks, and an unwillingness to acknowledge the pros and cons of what technology can (or cannot) do for our business.

Self Inflicted Wounds

In a conversation a few months ago, the owner of a small business that provides technical and IT support for other small businesses told me that he had just fired a customer, and that he was the third IT provider to fire this customer!

Apparently this customer consistently and repeatedly called with angry, accusatory complaints about difficulties on their business network and business computers.

Yet for the vendors, the problem was always the same.

In spite of repeated warnings, and having the newest anti-virus and firewall software installed on their network PCs, this SMB owner never let them operate properly. Secondly, he would bring his kids into the office on weekends and let them use other PCs in the office to play with.

And play they did.

After every abusive, screaming support call, the service provider found the affected PC to be riddled with viruses and spyware from the kids playing on business PCs.

This business owner then would be yelling at his service providers. His attitude was that he should never have problems in spite of his own irresponsibility.

The SMB Takeaway

As Michael Hugos states, yes IT must help themselves be seen as a source of answers, not a source of frustration.

But at the same time, you cannot leave your IT team or provider stuck behind the 8 ball either.

Stuck Behind the 8 Ball?

Photo Credit: 60 in 3 via flickr

Security expert Bruce Schneier passing on some password tips.

I failed a few :-)

Bet you do too.

The Schneier on Security Blog

A fairly scary eWeek revelation regarding theft of corporate data with a Symantec sponsored survey, performed by the Ponemon Institute.

The piece that I wanted to reference in this blog is this one (emphasis mine);

Equally troubling from an IT security perspective is that almost a quarter of the participants had the ability to access data even after they left the company, with 32 percent of these respondents admitting they accessed the system and their credentials worked.

The SMB Takeaway

That survey identified that almost 60% of individuals kept corporate data after leaving.

You can definitely make sure that they don’t keep it because they are still accessing your systems after they are gone.

Data Theft

Photo Credit vernhart  via flickr

The April 27 issue of Automotive News (Subscription required) reported a case where allegedly representatives of one SMB business had hacked into a competitor's E-Mail system and were reading their E-Mail, even trying to intercept possible customers from the ‘tips’ that those E-Mails gave them.

Not once, not twice, but twenty-five hundred times

I hope you are still not thinking that it could never happen to you!

Photo Credit dampeebe via flickr

It has been a long, long time that I have wanted to write this post.

But I couldn’t. Quite simply, what had been done was so damned dangerous that I did not even want to mention it; until it was fixed.

Happy to say! It is finally complete.

There are many industries that publish and subscribe to what we call data feeds. These could be market data feeds, financial data feeds, any data that you write a bit of application code to receive and place into some context within your organization.

In our case, some of our suppliers crunch boatloads of data in mainframe computers, and pack it up and ship it to our servers. Our development team then has programming code to read that data feed information and update records in various databases.

Now, in order to dump that raw data on our servers, these suppliers need a key (user ID and password) to a piece of my IT server house.

The Problem?

At some time in the past some of our developers put the programming code that grabs that data, tweaks it, beats it up, and squishes it into a database in the same location that the supplier was placing the data.

And Why is this a problem?

Thanks for asking! Let me show you! 

I mentioned that to put that data on the server, the suppliers needed a user ID and password, plus the ability to write data into that area. In other words, they have a key to the house.

Imagine that our programming code runs automatically at 3 AM each and every day, and is called PROCESS_DATA_FEED.EXE. This little program does the following:

Step 1: Check to see if data feed has arrived

Step 2: If data feed has arrived then;

Step 3: squish the data into a database

Now, because that supplier has the key to my house, accidentally or maliciously, they (or anyone) could put anything on that server.

So imagine;

I write a program that does the following;

Step 1: Delete all data it can find

Step 2: go to hacker IP address and download malicious virus or trojan software

And imagine that I call that program the same name, PROCESS_DATA_FEED.EXE – and then I replace the real program on my server.

When that program automatically runs at 3 AM…….

The SMB Takeaway

There is a reason our mailboxes are on the outside of our houses.

When you need to open a mailbox to receive this type of data – keep any application code outside that mailbox. Somewhere that only you have the keys.
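An added example, not part of the original post: a small Python audit of the layout described above, which flags a scheduled program that sits inside the supplier-writable folder and any other runnable file found there. The folder names, the sample feed file and the extension list are assumptions made for the illustration; only the name PROCESS_DATA_FEED.EXE comes from the post.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions treated as runnable code (an assumption for this sketch).
CODE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".py", ".sh"}


def audit_feed_layout(drop_dir, program_path):
    """Return a list of findings about a supplier-writable drop folder."""
    drop = Path(drop_dir).resolve()
    program = Path(program_path).resolve()
    findings = []
    # 1. The scheduled program must not live anywhere under the drop folder.
    if drop in program.parents:
        findings.append(f"program inside drop folder: {program}")
    # 2. Nothing else in the drop folder should be runnable code.
    for path in sorted(drop.rglob("*")):
        if path.is_file() and path != program and path.suffix.lower() in CODE_EXTENSIONS:
            findings.append(f"code file in drop folder: {path}")
    # 3. POSIX only: the program's own folder must not be group/world writable.
    if os.name == "posix":
        if program.parent.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"program folder writable by others: {program.parent}")
    return findings


def demo():
    """Build the risky and the corrected layout in a temp folder; audit both."""
    with tempfile.TemporaryDirectory() as root:
        drop = Path(root, "feed_drop")   # hypothetical supplier mailbox
        safe = Path(root, "app_bin")     # hypothetical code-only folder
        drop.mkdir()
        safe.mkdir(mode=0o755)
        (drop / "supplier_feed.csv").write_text("id,price\n1,9.99\n")  # constructed
        bad_program = drop / "PROCESS_DATA_FEED.EXE"
        bad_program.write_bytes(b"placeholder")
        before = audit_feed_layout(drop, bad_program)
        # The fix from the post: keep the code where only you hold the keys.
        good_program = safe / "PROCESS_DATA_FEED.EXE"
        bad_program.rename(good_program)
        after = audit_feed_layout(drop, good_program)
        return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "no findings")
```

On Windows the equivalent of check 3 is a review of the folder's ACL, which this sketch does not perform.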

It took a long time.

It took too long.

We migrated an applications database from one old server to a new server.

The Problem?

As a small to medium business, you probably have software that uses a database. It can be anything from planning software (ERP) to financial software.

These software tools use their own login name and password to connect to that database and update the records that need to be updated when you use your application.

In this case, years ago, when this software application was originally programmed, if there was something that did not work properly, the user account name that the software code used to access the database was just given more and more security permissions.

With the graphical tools available today – it is just too easy to click the little button that says dbo or sysadmin.

The Reason It's a Problem?

As a manager in the SME space, you must understand that in the tech business – we call these dbo or sysadmin roles God Mode. (Or Goddess if you prefer) 

And they are called God Mode for a reason;

Hindu Goddess Devi

They are the all powerful accounts that let their owners completely delete, or destroy every database application that you have if they so desire.

They have the power to create, and the power to destroy.

The obvious first risk is that a malicious hacker or virus type program could easily destroy everything if it can manipulate that account.

But don’t forget that humans make mistakes too.

A little mistake in some database code……

Well, you will then be running for those backup tapes.

The Fix

Was the painful and time consuming process of combing through everything and putting those security permissions back to what they should be – and that is not God Mode.

The SMB Takeaway

As smaller organizations, we are often more at risk from this than larger businesses because they may have dedicated software development managers and processes.

So make it a regular practice to communicate to your IT staff or supplier that you want security best practices adhered to in any project that you initiate.

Photo Credit: Jean via gather.com

Just back in February I wrote this post; Big Software: Don’t Accept The Defaults- Ever

And look at this techdirt note; 

some scammers had found online manuals for popular ATMs, which included a default password, which was rarely changed

And you thought it could not happen?

The SMB Takeaway?

Check for, and change those passwords!

Photo Credit redspotted via flickr 

Tailgating

March 8, 2009

From the low-tech-is-important-too category


CSO Online has this great article titled; The 4 Security Rules Employees Love to Break

John Stewart, CSO of Cisco Systems outlines those rules. The first of those is Tailgating

And 18 percent have allowed unknown individuals to tailgate behind employees into corporate facilities. 

Before getting into the tech business – I worked in the commercial real estate / property management field. I cannot tell you how often we saw this happen.

Here is how it would go down;

A well dressed individual would tailgate past your reception desk behind some of your staff. They would walk straight through the office grabbing anything they could quickly steal, and then exit the back door.

In office towers, the empty purses, wallets or cash boxes were usually found three floors down in the toilet tank of the men’s washroom. In single floor facilities, they were usually in the dumpster on, or next door to the property.

And Yes, there is a tech equivalent

It is IT staff using security network administrative privileges (God Mode!) on their regular computer accounts, then going to lunch.

Photo Credit Kaptain Kobold via flickr

Backing Up Data, It's Just A Start

As an SMB, I certainly hope that you regularly back up all that critical data that you have.

I also hope that you regularly test those data backups. 

Because all the backups in the world won’t help you if that e-mail or ERP server dies, and the backup tapes were defective.

But that is only the beginning.

An interview with author Geary W. Sikich at IT Business edge titled; Backing up Technology Only Part of the BC/DR Puzzle

Elliot’s Note:  BC is business continuity planning, and DR is disaster recovery planning -

Has a good reminder that a simple checklist of servers is not sufficient.

You cannot neglect the human issues of who, where, and how you will operate if a calamity strikes your place of business.

Photo Credit Mrs. Gemstone