Small Business IT Woes
According to the results of an ongoing study, small businesses are struggling to meet best practices and, in some cases, even government regulations in IT. The slowing economy and too-small or non-existent IT manpower are cited as the reasons; a quarter of respondents get a failing grade and more than one-third get a “C”.
“The results to date indicate that many small businesses are falling behind when it comes to implementing accepted best practices for IT operations and management,” according to Steven Kahan of The Planet, one of a consortium of sponsors behind ITEI.
The results so far are especially disturbing, according to Kahan, since more than two-thirds of the small businesses responding to the survey indicated that IT and Web commerce are the foundations that enable their business success. “The IT Effectiveness Index is telling us that in nearly two-thirds of businesses with 100 employees or less, IT operations are failing to fully support or keep pace with small business needs,” he emphasized.
Downtime, security, disaster recovery, and regulatory compliance top the list of concerns. Coupled with the fact that two-thirds of businesses also stated that IT and Web capabilities are critical to their success, this paints a grim picture. With these concerns and shrinking budgets, SMBs are clearly feeling vulnerable to impending doom.
The bottom line is that small businesses find themselves sacrificing IT because they feel they cannot afford to keep pace. However, the truth is that businesses can’t afford not to spend this money. If you are not practicing good security, you risk a data breach and a lawsuit. If you are not practicing good disaster recovery, you risk losing all of your records for past years. If you are not practicing good hardware and network maintenance, you are losing money in the form of employee downtime and an inability to do your business. In short, if you are not practicing good IT, you are still spending money on IT; you’re just spending twice as much.
Having a trusted partner in IT is always money well spent. Haphazard security and do-it-yourself networks that ignore best practices just cost you in the end. Take the survey, then find a partner you can trust to take care of your IT needs.
The Little Bugs that Bug Us
Clients often ask what the difference is between Malware, Spyware, Trojans and viruses. Or they don’t ask this question; many people do not realize these are distinctly different types of rogue programming. In the heat of an infection, the “what” is often secondary to the “how” and the “can it be saved” panic which often ensues once an infection is discovered. Later, though, folks often want an explanation; they want to know where it came from, how to protect against future infections and what they were infected with. Those questions and answers are definitely part of your prevention strategy.
Most iterations of bad stuff will fall under the category of MalWare. MalWare is any MALicious SoftWARE. So technically, any Virus, Trojan, Worm, or other rogue software is MalWare. It is a general and broad category which encompasses the several incarnations.
Most people use the MalWare term to describe what is actually AdWare or “NagWare”. This software has the primary purpose of delivering advertising content in a manner or context that is usually unwanted and unexpected by the computer user. Basically, AdWare nags you to buy a product or service that is not only ineffective, but usually costly. In rare instances, AdWare collects credit card information, and then feeds it to an underground network. These networks in turn attempt to resell the information for fraud purposes. This scenario is not as common right now, but it is the next logical step. Mostly, makers are “just” ripping you off at this time, selling you “anti-virus” which is actually nothing of the sort.
Another often seen MalWare is SpyWare. SpyWare alone does just as the name suggests. It spies on you, tracking your moves and keystrokes, without your notice or consent. Sometimes SpyWare also transmits that information back to an underground network for sale or use. These programs are often very difficult to remove as they run in the background. Normally, they aren’t obvious and only a trained eye or experienced technician will spot SpyWare when it runs alone.
A Trojan Horse is malicious software which tricks a user into installing it on their machine. Many Trojans are downloaded or emailed, presented as one type of program (such as a free music player) which may or may not install, along with a rogue program. Trojans are well-known information stealers; most often keystroke loggers are installed this way.
Viruses and Worms are similar in that they are both viruses; they both replicate themselves and infect the user. The difference is that a virus needs a host program to replicate and propagate, while a worm does not. Worms have the ability to replicate by themselves. Viruses and Worms cause a variety of problems, but usually they are not recorders or information stealers. Viruses and Worms are often used to cause destruction of some kind and wreak havoc on users’ computers.
You must protect yourself against these threats. It is imperative to use an anti-virus. You must also be a vigilant user: don’t click every window that pops up while using the Internet, don’t open attachments from anyone unless you are expecting them and don’t visit disreputable sites on the Internet. With good software (kept up to date), smart use and a trusted advisor for you and your network, your computers will have a long and healthy life.
The Importance of a Good Backup Strategy
One of the lowest rungs in many SMBs’ IT budgets is a proper and reliable data protection strategy. In a recent poll of small, medium and large businesses, almost half (49%) of small businesses reported they do not have a daily backup strategy. This poll was conducted throughout Hong Kong, Singapore and Australia, but here in America the numbers are most certainly the same, if not higher.
This is despite the fact that nearly half of all participants had experienced data loss in their workplace in the past two years, and 36 per cent felt that data loss could have a significant impact on their business.
The excuses as to why a business doesn’t have a backup system in place are as numerous as the businesses themselves. “We’ve never had a problem.” “We have a system, but we always forget to change the tapes/discs around.” “We can’t afford to put in a system for backing up.” In today’s data-driven business climate, it amazes me that people fall back on these excuses.
Think about every program you use each day. Think about all of the irreplaceable documents, emails, accounting and databases (just to name a few) that you and your staff use. If you don’t have a good backup system in place, a Disaster Recovery Plan, and regular testing of both, all of your data is at risk, and in the event of a catastrophic failure, it is gone forever.
Viruses, malware, rogue or uneducated employees and hardware failure are some of the most common causes for valuable data to be unusable or inaccessible. Even completely innocuous things like OS deterioration and program corruption can cause issues with data consistency. Unfortunately, there is often no sign that something is about to go wrong. One minute everything is fine and the next, it’s not.
Backup systems don’t have to be expensive. For a few hundred dollars and the cost of a full test every quarter you can feel secure about your ability to recover from catastrophic failures. Your data is one of the most important pieces of your business. Audits, adherence to the laws, record keeping and basic peace of mind are all good reasons to protect your data.
10 essential e-mail security measures
An excellent article on a few “best practice” techniques for email. Of course running an anti-virus and not opening unexpected attachments, no matter who they’re from, are definitely first and foremost in your arsenal of staying safe, but here are a few more tips for you:
#1: Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML – or “Original HTML,” as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.
#2: If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services, such as Gmail, Hotmail, and Yahoo! Mail for e-mail you want to keep private for any reason. Even if your Webmail service provider’s policies seem sufficiently privacy-oriented to you, that doesn’t mean that employees won’t occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming “partners.” Even supposedly security-oriented Webmail services, such as Hushmail, can often be less than diligent in providing security to their users’ e-mail.
#3: Ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker listening in on your authentication session with the mail server. Someone who does this can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers). Check with your ISP’s policies to determine whether authentication is encrypted and even how it is encrypted (so you might be able to determine how trivial it is to crack the encryption scheme used).
#4: Digitally sign your e-mails. As long as you observe good security practices with e-mail in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of e-mail, but it is still a possibility. But if you use an encryption tool, such as PGP or GnuPG, to digitally sign your e-mails, recipients who have your public key will be able to determine that nobody could have sent the e-mail in question without having access to your private key, and you should definitely have a private key that is well protected.
#5: Avoid unsecured networks. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances.
Be aware of both your virtual and physical surroundings when communicating via e-mail. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust. Your e-mail security does not just affect you; it affects others, as well, if your e-mail account is compromised. Even if the e-mail account itself is not compromised, your computer may be if you do not take reasonable care with how you deal with e-mails – and that, in turn, can lead to affecting both you and others adversely as well.
Click HERE to read the rest of the article and 5 more good email security tips.
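Tip #3 asks you to find out whether authentication is encrypted. As an added example (not from the original article), the Python below reads the capability listing a mail server sends on its unencrypted port and reports whether a password could cross the network in the clear. The listings are constructed samples, and the function and verdict names are this example's own.

```python
# Added example: classify the capability listing a mail server sends BEFORE TLS.
# All listings below are constructed samples, not captures from a real server.
PLAINTEXT_SASL = {"PLAIN", "LOGIN"}   # SASL mechanisms that transmit the password itself

def _tokens(listing):
    """Upper-case tokens of a listing; SMTP reply codes and '=' are split off."""
    out = []
    for line in listing.upper().splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 "):      # SMTP EHLO reply prefix
            line = line[4:]
        out.extend(line.replace("=", " ").split())
    return set(out)

def classify(protocol, listing):
    """Return 'cleartext-only', 'downgrade-possible' or 'no-cleartext-password'."""
    caps = _tokens(listing)
    starttls = bool(caps & {"STARTTLS", "STLS"})
    sasl_plain = bool(caps & PLAINTEXT_SASL)
    if protocol == "imap":
        # RFC 3501: the LOGIN command works unless LOGINDISABLED is advertised
        plaintext = "LOGINDISABLED" not in caps or sasl_plain
    elif protocol == "pop3":
        # RFC 2449: the USER capability means USER/PASS is accepted
        plaintext = "USER" in caps or sasl_plain
    elif protocol == "smtp":
        plaintext = "AUTH" in caps and sasl_plain
    else:
        raise ValueError("unknown protocol: " + protocol)
    if not plaintext:
        return "no-cleartext-password"
    return "downgrade-possible" if starttls else "cleartext-only"

# Constructed pre-TLS listings for each protocol
IMAP_OPEN = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
IMAP_STRICT = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
POP3_MIXED = "+OK\nUSER\nSASL PLAIN LOGIN\nSTLS\n."
SMTP_MIXED = "250-mail.example.test\n250-STARTTLS\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    for proto, sample in [("imap", IMAP_OPEN), ("imap", IMAP_STRICT),
                          ("pop3", POP3_MIXED), ("smtp", SMTP_MIXED)]:
        print(proto, "->", classify(proto, sample))
```

A “downgrade-possible” result means the password is protected only if the mail client is set to require STARTTLS; a client that silently falls back would still send it in the clear.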