Tech Standards? Or The Wild, Wild, West Of IT?
December 1, 2009

Gary Hamel, writing on the Wall Street Journal blog, blasts corporate IT departments for enforcing technology standards in a post titled “Why Don’t IT Departments Give Employees More Freedom?” The premise is that if the best tool for the job is something that an employee provides themselves, or downloads from the Internet, so what? In Mr. Hamel’s words:
How is it that employees can be trusted to take care of important customers, safeguard expensive equipment and stay within their budgets, but can’t be trusted to use the Web at work, choose their own IT tools, or download programs onto the workplace PCs? Do IT staffers really believe that conscientious, committed employees turn into crazed, malicious hackers when you give them a bit of freedom over their IT environment?
Sounds Great In Theory - But Tell Me, Who Pays?
When it comes to business computers, the actual total cost of ownership of an IT asset can be as high as five times the purchase price. No, not one time – annually! And a significant portion of that cost is supporting that IT asset. Support can be direct, an example being technical services staff paying a visit to fix something, or indirect. This latter support is when you spend your time helping a neighbor (or they help you) trying to figure out why that mail merge is not working properly.
Now, in my smaller business, we are pretty relaxed about people utilizing their own tools of choice as stated by Mr. Hamel. But in the past three or four months – that choice has cost me over 10 grand to do it. (more on that later)
Who Fixes What? (Or When I Just Go Home!)
Just in the past few weeks, I recall reading about a larger organization (if I find it again I will update with a link) that has allowed its employees to provide their own computers or laptops, with the caveat that corporate support would not be able to help them if they chose the non-standard devices. In other words – you are responsible for getting it fixed if it breaks.
OK, so what happens when it does break?
In larger organizations, if a notebook or PC software or hardware dies, it will be either re-imaged with clean versions of the software, or a new PC will be dropped into place with the corporate tools pre-loaded. Job done. In fact this type of computer support can often be done remotely.
So say I chose to forgo the corporate supplied PC and provide my own Mac, and it dies. Let’s see, I unplug it and trek off to my repair outlet of choice. They tell me it will be back to me by Wednesday.
OK. Do I sit twiddling my thumbs until Wednesday?
Maybe call my clients and say: “Hey – can’t help ya until next week, will call you back then!”
Somehow I don’t see that going over well with your clients. So the question is:
If staff supplies their own IT assets, and they are responsible for repairing them, what productivity loss do you face when they don’t have their machine until next Wednesday?
Next: How About The Cost of Security?
Leaving hardware failure out of the picture, let’s assume we allow everybody to install their software of choice on business computers. Read the following quote from an Information Week article by Avi Baumstein after audits found peer-to-peer file sharing software on PCs:
The results were shocking and scary–loads of confidential business documents and enough personal information to ruin any number of lives and create PR nightmares for quite a few companies. Among the business documents were spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes
As smaller businesses, we are not immune to this either!
In this previous post, I wrote about a small business owner that was fired by three network support vendors.
And why did three IT Services companies fire this customer?
After every abusive, screaming support call, the service providers found the affected PC to be riddled with viruses and spyware from the kids playing on business PCs. His attitude was that he should never have problems in spite of his own irresponsibility.
My Personal Experience
At the beginning of this post I mentioned the 10 grand dollar value.
As an organization, we are pretty liberal on what people do with their PCs. And of a staff of about 20, three of them use that advantage more than others.
And yes. I have to rebuild or fix those three users’ computers every couple of months. In fact I just finished fixing one again that took a few days to repair. But let’s leave out those softer productivity and labour costs for a minute. After all, maybe you don’t consider these types of things as costs. (But you should!)
How about hard dollar accounts payable costs? Does that strike a nerve?
One of these three individuals configured a three way data synchronization with our email server, his iPhone, and his Google calendar.
Immediately after he did this, I started getting errors on our e-mail server, all coming from his account!
Even after removing the e-mail server part of this synchronization, the errors rapidly escalated in severity and number.
Articles and support notes suggested completely deleting this individual’s email account, taking the server off-line and running certain database repair & diagnostic tools.
To avoid bringing critical e-mail to a halt during business hours, I planned that work for late on the next Sunday.
Unfortunately – my e-mail server did not last until the next Sunday.
That Friday morning was nothing but a complete nightmare of error messages and failures that completely crashed the server. The crash completely corrupted all message stores, the file system, the works. At one point we could not even get that e-mail server to actually run the operating system.
After a few hours of work, I contacted one of my preferred vendors who specialize in this type of disaster recovery. It still took myself and two of their experts 3 days to get a complete rebuild of that server, a restore of all that data from backup tapes, and then use the database tools to clean up the corruption.
Three days and a 10 grand service bill
The SMB Takeaway
It is easy to say: let everybody use what they want.
But you better be willing to pay for the excess costs! Because somebody has to pay them.
You can get updates to this blog by clicking the RSS icon on the Home Page!
Photo Credit peppergrass via flickr
Real SMB IT: DNS, MX, What Is It? (And Why Should I Care?)
November 13, 2009
Could your business be kicked completely off the Internet?
The answer is yes! By kicked off the Internet, I mean invisible. Impossible to find.
So let’s start with a little background.
At its most basic, all computers on the Internet communicate with each other with a unique number called an Internet Protocol (IP) address. As an analogy, just imagine this number as similar to a phone number.
But when you visit a Web Site, or send an e-mail, you are using words, not numbers. You type in www.yourcompany.com, or you send me an email by typing elliotross@company_name.ca
Since the computers communicate with each other via IP address numbers, and we humans prefer text and words, something is needed to translate those human readable words, into the machine readable numbers.
Enter DNS!
If you think of a phone book, you look up the words Elliot Ross, which point to the listing for my telephone number. The Domain Name System (DNS) provides a similar ability for our computers to translate the human readable text we type into the machine IP address.
If you want to see this in action, simply open your Web Browser and paste these numbers into the address bar: 74.125.45.100
You will see the Google Web Site appear. (At least at the time of this writing!) I say at the time of this writing, because the machine readable number can be changed, and just like the phone book, if I change my phone number, as long as Elliot Ross is pointed to that new phone number – you won’t have any problem.
That little MX just stands for Mail eXchanger. In other words, when you send me an e-mail, that little MX tells the Internet that to reach me by e-mail, “send that e-mail to this server over here!”
And Why Should You Care?
The first and easiest reason: if you think you cannot get on the Internet when you type in a company name, DNS problems are a common source of the issue.
But that is NOT what this is about
An SMB that I am acquainted with had an issue where an unknown individual tried to hijack that DNS information from them, and make it point to servers that were not associated with their business.
To continue with my phone book analogy, imagine that when you look up my name, the phone number that my name points to is yours, not mine.
So I would never get any calls.
Except on the Web, it is not a matter of missing some phone calls; it means that you completely disappear from the Internet. No Web Site, no e-mail. Nada.
There are checks and balances to make this difficult to do, but it goes to emphasize:
You must make sure all critical information about your on-line presence is owned by you.
Not your supplier.
Not your contractor.
That includes the contact information for your Internet domain and its DNS records. They may help you set that information up, but the contact name and information must be yours.
Photo Credit merfam via flickr
SPAM Exists, Get Over It
November 2, 2009
In the “old days”, circa 10 years ago, to avoid E-Mail SPAM you bought anti-spam software and your IT staff would spend hours tweaking the rules that the software used to decide what to block (and what not to block).
These filtering rules got pretty complex, as spammers quickly learned not to use a pure word. You have probably seen SPAM emails with misspellings like this in the title: Viagra, V1@gr@, vi@6ra... you get the idea.
The trick was to build filters that would catch as much of that crap as possible, but without stopping the legitimate e-mail.
Today?
Anti-spam tools now are mature and can be contracted out to service providers for about 2 bucks per person per month. These tools are now mathematically driven and rarely (but still occasionally!) block legitimate e-mail.
The point is: there is no excuse any more for your staff to wade through hundreds of SPAM emails looking for the few that are not SPAM.
Perceptions of IT (It can take two!)
August 27, 2009
I know, I know! Too often there is a poor perception of the IT function, staff, or service providers in our SME businesses.
And as Michael Hugos at CIO.com points out, the IT staff often contribute to this negative perception!
While there are a dozen ways that your IT staff or provider can shoot themselves in the foot this way, often this perception of IT can be created and reinforced through jargon-laced techno-babble, poor communication and circular logic on the complexity that makes up IT.
Mr. Hugos brings up two great questions for IT leaders:
How can we in IT more actively include people in discussions about possible solutions? How can we more actively include them in implementing these solutions?
But It Can Take Two!
IT must clean up its own image, and must be seen as contributing to solutions, not as being a roadblock to them. I agree with that 100%.
However, I also think that in many cases managers and executives in the small to medium business can also be unintentionally contributing to this negative perception about their IT function.
How?
Simple; they do this by keeping IT as invisible as servants in a medieval castle.
Keeping your IT staff invisible, and locked outside the doors of any communication and conversation about goals and strategy truly leaves your IT team in the dark about methods of collaboration that can contribute to working solutions.
A second issue for many senior managers at SME’s is that too often we can fail to take the trouble to even help ourselves when it comes to technology. This leaves open risks, and an unwillingness to acknowledge the pros and cons of what technology can, (or cannot) do for our business.
Self Inflicted Wounds
In a conversation a few months ago, the owner of a small business that provides technical and IT support for other small businesses told me that he had just fired a customer, and that he was the third IT provider to fire this customer!
Apparently this customer consistently and repeatedly called with angry, accusatory complaints about difficulties on their business network and business computers.
Yet for the vendors, the problem was always the same.
In spite of repeated warnings, and having the newest anti-virus and firewall software installed on their network PCs, this SMB owner never let them operate properly. Secondly, he would bring his kids into the office on weekends and let them use other PCs in the office to play with.
And play they did.
After every abusive, screaming support call, the service provider found the affected PC to be riddled with viruses and spyware from the kids playing on business PCs.
This business owner then would be yelling at his service providers. His attitude was that he should never have problems in spite of his own irresponsibility.
The SMB Takeaway
As Michael Hugos states, yes, IT must help themselves be seen as a source of answers, not a source of frustration.
But at the same time, you cannot leave your IT team or provider stuck behind the 8 ball either.

Photo Credit: 60 in 3 via flickr
Bruce Schneier On Passwords
August 17, 2009
Security expert Bruce Schneier passes on some password tips.
I failed a few.
Bet you do too.
Data Theft And Your Ex’s
July 2, 2009
eWeek has a fairly scary revelation regarding theft of corporate data, from a Symantec-sponsored survey performed by the Ponemon Institute.
The piece that I wanted to reference in this blog is this one (emphasis mine):
Equally troubling from an IT security perspective is that almost a quarter of the participants had the ability to access data even after they left the company, with 32 percent of these respondents admitting they accessed the system and their credentials worked.
The SMB Takeaway
That survey identified that almost 60% of individuals kept corporate data after leaving.
You can definitely make sure that, if they do keep it, it is not because they are still accessing your systems after they are gone.

Photo Credit vernhart via flickr
Who’s Reading That E-Mail?
May 12, 2009
The April 27 issue of Automotive News (subscription required) reported a case where representatives of one SMB business had allegedly hacked into a competitor’s E-Mail system and were reading their E-Mail, even trying to intercept possible customers from the ‘tips’ that those E-Mails gave them.
Not once, not twice, but twenty-five hundred times.
I hope you are still not thinking that it could never happen to you!
Photo Credit dampeebe via flickr
Application Code and Input Data Don’t Mix
May 5, 2009
It has been a long, long time that I have wanted to write this post.
But I couldn’t. Quite simply, what had been done was so damned dangerous that I did not even want to mention it; until it was fixed.
Happy to say! It is finally complete.
There are many industries that publish and subscribe to what we call data feeds. These could be market data feeds, financial data feeds, any data that you write a bit of application code to receive and place into some context within your organization.
In our case, some of our suppliers crunch boatloads of data in mainframe computers, and pack it up and ship it to our servers. Our development team then has programming code to read that data feed information and update records in various databases.
Now, in order to dump that raw data on our servers, these suppliers need a key (user ID and password) to a piece of my IT server house.
The Problem?
At some time in the past, some of our developers put the programming code that grabs that data, tweaks it, beats it up, and squishes it into a database, in the same location where the supplier was placing the data.
And Why is this a problem?
Thanks for asking! Let me show you!
I mentioned that to put that data on the server, the suppliers needed a user ID and password, plus the ability to write data into that area. In other words, they have a key to the house.
Imagine that our programming code runs automatically at 3 AM each and every day, and is called PROCESS_DATA_FEED.EXE. This little program does the following:
Step 1: Check to see if data feed has arrived
Step 2: If data feed has arrived, then:
Step 3: squish the data into a database
Now – because that supplier has the key to my house, accidentally, or maliciously, they (or anyone) could put anything on that server.
So imagine:
I write a program that does the following:
Step 1: Delete all data it can find
Step 2: Go to hacker IP address and download malicious virus or trojan software
And imagine that I call that program the same name, PROCESS_DATA_FEED.EXE – and then I replace the real program on my server.
When that program automatically runs at 3 AM…….
The SMB Takeaway
There is a reason our mailboxes are on the outside of our houses.
When you need to open a mailbox to receive this type of data – keep any application code outside that mailbox. Somewhere that only you have the keys.
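An added example (not code from the original post) of a check the scheduler could make before the 3 AM run: the program must not sit inside the supplier's drop folder, its file and folder must not be writable by other accounts, and its contents must still match a hash recorded when it was reviewed. The folder names, `audit_job`, and the Python stand-in for PROCESS_DATA_FEED.EXE are assumptions, and the permission test uses POSIX mode bits.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def audit_job(executable, drop_dir, pinned_sha256):
    """Return findings for a scheduled job; an empty list means it may run."""
    exe = Path(executable).resolve()
    drop = Path(drop_dir).resolve()
    findings = []
    # 1. The code must not live anywhere under the supplier-writable folder.
    if drop in exe.parents:
        findings.append("in-drop-dir")
    # 2. Neither the file nor its folder may be writable by group or other
    #    (POSIX mode bits; Windows ACLs would need a different check).
    for p in (exe, exe.parent):
        if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"writable:{p.name}")
    # 3. The bytes about to run must be the bytes that were reviewed.
    if hashlib.sha256(exe.read_bytes()).hexdigest() != pinned_sha256:
        findings.append("hash-mismatch")
    return findings


def demo():
    """Audit both placements of the job in a constructed temp layout."""
    with tempfile.TemporaryDirectory() as root:
        drop, app = Path(root, "feeds"), Path(root, "app")
        drop.mkdir()
        app.mkdir()
        os.chmod(drop, 0o777)  # the supplier's account can write here
        os.chmod(app, 0o755)   # only the owner can write here
        code = b"print('load feed into database')\n"
        pinned = hashlib.sha256(code).hexdigest()
        shared = drop / "process_data_feed.py"
        separate = app / "process_data_feed.py"
        for f in (shared, separate):
            f.write_bytes(code)
            os.chmod(f, 0o755)
        before = audit_job(shared, drop, pinned)
        # Whoever holds the supplier's key can replace the shared copy.
        shared.write_bytes(b"print('not the program you reviewed')\n")
        after = audit_job(shared, drop, pinned)
        return before, after, audit_job(separate, drop, pinned)


if __name__ == "__main__":
    labels = ("shared", "shared, replaced", "separate")
    for label, result in zip(labels, demo()):
        print(label, "->", result or "ok")
```

The shared placement is flagged even before the file is replaced, which is the point of the mailbox rule: the layout is the problem, not only the tampering.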
Please, Please, Clean Up Those Passwords
March 13, 2009
It took a long time.
It took too long.
We migrated an application’s database from one old server to a new server.
The Problem?
As a small to medium business, you probably have software that uses a database. It can be anything from planning software (ERP) to financial software.
These software tools use their own login name and password to connect to that database and update the records that need to be updated when you use your application.
In this case, years ago, when this software application was originally programmed, if there was something that did not work properly, the user account name that the software code used to access the database was just given more and more security permissions.
With the graphical tools available today – it is just too easy to click the little button that says dbo or sysadmin.
The Reason It’s A Problem?
As a manager in the SME space, you must understand that in the tech business – we call these dbo or sysadmin roles God Mode. (Or Goddess if you prefer)
And they are called God Mode for a reason:

They are the all-powerful accounts that let their owners completely delete, or destroy every database application that you have if they so desire.
They have the power to create, and the power to destroy.
The obvious first risk is that a malicious hacker or virus type program could easily destroy everything if it can manipulate that account.
But don’t forget that humans make mistakes too.
A little mistake in some database code……
Well, you will then be running for those backup tapes.
The Fix
Was the painful and time-consuming process of combing through everything and putting those security permissions back to what they should be – and that is not God Mode.
The SMB Takeaway
As smaller organizations, we are often more at risk from this than larger businesses because they may have dedicated software development managers and processes.
So make it a regular practice to communicate to your IT staff or supplier that you want security best practices adhered to in any project that you initiate.
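An added example (not from the original post, and not the tooling used in that migration) of how the combing-through can start: from a list of the statements the application actually runs, work out the table permissions it needs and generate the SQL Server commands that take the account out of sysadmin and db_owner and grant only those. The statements, table names, and the account name `erp_app` are constructed, and the sketch assumes the login and database user share one name and that SQL Server 2012 or later syntax is available.

```python
import re
from collections import defaultdict

# Constructed sample: statements the application was observed to run.
OBSERVED = [
    "SELECT id, total FROM dbo.Orders WHERE id = @id",
    "INSERT INTO dbo.Orders (customer_id, total) VALUES (@c, @t)",
    "UPDATE dbo.Inventory SET qty = @q WHERE sku = @sku",
    "DELETE FROM dbo.Sessions",
    "select name from dbo.Customers where id = @id",
    "EXEC dbo.RebuildIndexes",
]

TABLE = r"([\w.\[\]]+)"
PATTERNS = [
    ("SELECT", re.compile(r"\s*SELECT\b.*?\bFROM\s+" + TABLE, re.I | re.S)),
    ("INSERT", re.compile(r"\s*INSERT\s+INTO\s+" + TABLE, re.I)),
    ("UPDATE", re.compile(r"\s*UPDATE\s+" + TABLE, re.I)),
    ("DELETE", re.compile(r"\s*DELETE\s+FROM\s+" + TABLE, re.I)),
]
WHERE = re.compile(r"\bWHERE\b", re.I)


def needed_permissions(statements):
    """Map each table to the permissions the statements need on it."""
    needs, unparsed = defaultdict(set), []
    for sql in statements:
        for perm, rx in PATTERNS:
            m = rx.match(sql)
            if m:
                needs[m.group(1)].add(perm)
                # SQL Server also requires SELECT when an UPDATE or DELETE
                # has a WHERE clause.
                if perm in ("UPDATE", "DELETE") and WHERE.search(sql):
                    needs[m.group(1)].add("SELECT")
                break
        else:
            unparsed.append(sql)  # left for manual review, never guessed
    return dict(needs), unparsed


def remediation_script(account, statements):
    """Return (T-SQL lines, statements needing manual review)."""
    needs, unparsed = needed_permissions(statements)
    lines = [
        f"ALTER SERVER ROLE sysadmin DROP MEMBER [{account}];",
        f"ALTER ROLE db_owner DROP MEMBER [{account}];",
    ]
    for table in sorted(needs):
        perms = ", ".join(sorted(needs[table]))
        lines.append(f"GRANT {perms} ON {table} TO [{account}];")
    return lines, unparsed


if __name__ == "__main__":
    script, review = remediation_script("erp_app", OBSERVED)
    print("\n".join(script))
    print("-- review by hand:", review)
```

Statements the simple patterns cannot classify, such as the stored procedure call, come back in the review list so that a person decides what they need.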
Photo Credit: Jean via gather.com
Default Passwords – And ATM’s?
March 11, 2009
Just back in February I wrote this post: Big Software: Don’t Accept The Defaults - Ever
And look at this techdirt note:
some scammers had found online manuals for popular ATMs, which included a default password, which was rarely changed
And you thought it could not happen?
The SMB Takeaway?
Check for, and change those passwords!

Photo Credit redspotted via flickr