Small Business Office Solutions

Small Business IT Woes

According to the results of an ongoing study, small businesses are struggling to meet best practices and, in some cases, even government regulations in IT. Citing the slowing economy and too little or non-existent IT manpower as the reasons, a quarter of respondents get a failing grade and more than one-third get a “C”.
“The results to date indicate that many small businesses are falling behind when it comes to implementing accepted best practices for IT operations and management,” according to Steven Kahan of The Planet, one of a consortium of sponsors behind ITEI.
The results so far are especially disturbing, according to Kahan, since more than two-thirds of the small businesses responding to the survey indicated that IT and Web commerce are the foundations that enable their business success. “The IT Effectiveness Index is telling us that in nearly two-thirds of businesses with 100 employees or less, IT operations are failing to fully support or keep pace with small business needs,” he emphasized.

Downtime, security, disaster recovery, and regulatory compliance top the list of concerns. Coupled with the fact that two-thirds of businesses also stated that IT and Web capabilities are critical to their success, this paints a grim picture. With these concerns and shrinking budgets, SMBs are clearly feeling vulnerable to impending doom.

The bottom line is that small businesses are finding themselves sacrificing IT because they feel they cannot afford to keep pace. However, the truth is that businesses can’t afford not to spend this money. If you are not practicing good security, you risk a data breach and a lawsuit. If you are not practicing good disaster recovery, you risk losing all of your records for past years. If you are not practicing good hardware and network maintenance, you are losing money in the form of employee downtime and an inability to do your business. In short, if you are not practicing good IT, you are still spending money on IT; you’re just spending twice as much.

Having a trusted partner in IT is always money well spent. Haphazard security and do-it-yourself networks that ignore best practices just cost you in the end. Take the survey, then find a partner you can trust to take care of your IT needs.

Security Maxims

Some funny, some not... all true :) My favorite:
Big Heads Maxim: The farther up the chain of command a (non-security) manager can be found, the more likely he or she thinks that (1) they understand security and (2) security is easy.
Security is important and can be done reasonably in most circumstances. Unfortunately, those with the most decision making power concerning security often (not always) have the least understanding of it.

10 essential e-mail security measures

An excellent article on a few “best practice” techniques for email. Of course running an anti-virus and not opening unexpected attachments, no matter who they’re from, are definitely first and foremost in your arsenal of staying safe, but here are a few more tips for you:
#1: Never allow an e-mail client to fully render HTML or XHTML e-mails without careful thought. At the absolute most, if you have a mail client such as Microsoft Outlook or Mozilla Thunderbird that can render HTML e-mails, you should configure it to render only simplified HTML rather than rich HTML – or “Original HTML,” as some clients label the option. Even better is to configure it to render only plain text. When rendering HTML, you run the risk of identifying yourself as a valid recipient of spam or getting successfully phished by some malicious security cracker or identity thief. My personal preference is, in fact, to use a mail user agent that is normally incapable of rendering HTML e-mail at all, showing everything as plain text instead.
#2: If the privacy of your data is important to you, use a local POP3 or IMAP client to retrieve e-mail. This means avoiding the use of Web-based e-mail services, such as Gmail, Hotmail, and Yahoo! Mail for e-mail you want to keep private for any reason. Even if your Webmail service provider’s policies seem sufficiently privacy-oriented to you, that doesn’t mean that employees won’t occasionally break the rules. Some providers are accused of selling e-mail addresses to spamming “partners.” Even supposedly security-oriented Webmail services, such as Hushmail, can often be less than diligent in providing security to their users’ e-mail.
#3: Ensure that your e-mail authentication process is encrypted, even if the e-mail itself is not. The reason for this is simple: You do not want some malicious security cracker listening in on your authentication session with the mail server. Someone who does this can then send e-mails as you, receive your e-mail, and generally cause all kinds of problems for you (including spammers). Check with your ISP’s policies to determine whether authentication is encrypted and even how it is encrypted (so you might be able to determine how trivial it is to crack the encryption scheme used).
#4: Digitally sign your e-mails. As long as you observe good security practices with e-mail in general, it is highly unlikely that anyone else will ever have the opportunity to usurp your identity for purposes of e-mail – but it is still a possibility. But if you use an encryption tool, such as PGP or GnuPG, to digitally sign your e-mails, recipients who have your public key will be able to determine that nobody could have sent the e-mail in question without having access to your private key – and you should definitely have a private key that is well protected.
#5: Avoid unsecured networks. If, for some reason, you absolutely positively must access an e-mail account that does not authorize over an encrypted connection, never access that account from a public or otherwise unsecured network. Ever. Under any circumstances. Be aware of both your virtual and physical surroundings when communicating via e-mail. Be careful. Trust no one that you do not absolutely have to trust, and recognize the dangers and potential consequences of that trust. Your e-mail security does not just affect you; it affects others, as well, if your e-mail account is compromised. Even if the e-mail account itself is not compromised, your computer may be if you do not take reasonable care with how you deal with e-mails – and that, in turn, can lead to affecting both you and others adversely as well.
Click HERE to read the rest of the article and 5 more good email security tips.
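Tip #3 comes down to what a mail server is willing to accept before encryption starts. The following is an added example, not part of the quoted article: it reads a capability listing taken on a STARTTLS-style port (SMTP EHLO, POP3 CAPA or IMAP CAPABILITY, seen before TLS is negotiated) and reports whether a password login is offered in the clear. The sample listings and host name are constructed.

```python
CLEARTEXT = {"PLAIN", "LOGIN"}  # SASL mechanisms that send the password itself

def parse_caps(protocol, lines):
    """Return (password_methods, starttls_offered) for a listing seen before TLS."""
    methods, starttls = set(), False
    for raw in lines:
        text = raw.upper().replace("[", " ").replace("]", " ")
        if protocol == "smtp":                 # EHLO reply, e.g. "250-AUTH PLAIN LOGIN"
            words = text[4:].replace("=", " ").split()
            starttls |= words[:1] == ["STARTTLS"]
            if words[:1] == ["AUTH"]:
                methods |= {"AUTH " + m for m in words[1:] if m in CLEARTEXT}
        elif protocol == "pop3":               # CAPA reply, e.g. "USER", "SASL PLAIN"
            words = text.split()
            starttls |= words[:1] == ["STLS"]
            if words[:1] == ["USER"]:
                methods.add("USER/PASS")
            if words[:1] == ["SASL"]:
                methods |= {"AUTH " + m for m in words[1:] if m in CLEARTEXT}
        elif protocol == "imap":               # "* CAPABILITY IMAP4REV1 STARTTLS ..."
            words = text.split()
            if "CAPABILITY" not in words:
                continue
            starttls |= "STARTTLS" in words
            methods |= {"AUTHENTICATE " + w[5:] for w in words
                        if w.startswith("AUTH=") and w[5:] in CLEARTEXT}
            if "LOGINDISABLED" not in words:   # RFC 3501: LOGIN allowed unless disabled
                methods.add("LOGIN")
    return methods, starttls

def verdict(protocol, lines):
    """Summarise whether a password could cross the wire unencrypted."""
    methods, starttls = parse_caps(protocol, lines)
    if methods:
        return "exposed: " + ", ".join(sorted(methods))
    return "ok: login only after STARTTLS" if starttls else "unknown: no login method listed"

# Constructed sample listings (not captured from any real server).
SMTP_WEAK = ["250-mail.example.test", "250-AUTH PLAIN LOGIN", "250 STARTTLS"]
SMTP_GOOD = ["250-mail.example.test", "250-STARTTLS", "250 SIZE 35882577"]
IMAP_WEAK = ["* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"]
IMAP_GOOD = ["* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"]
POP3_WEAK = ["+OK Capability list follows", "USER", "STLS", "."]

if __name__ == "__main__":
    for proto, sample in [("smtp", SMTP_WEAK), ("smtp", SMTP_GOOD),
                          ("imap", IMAP_WEAK), ("imap", IMAP_GOOD), ("pop3", POP3_WEAK)]:
        print(proto, "->", verdict(proto, sample))
```

On implicit-TLS ports (993, 995, 465) the listing is already inside the encrypted session, so this check applies only to listings seen before STARTTLS/STLS.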

Acceptable Use: Securing the Office

Often I am in the position of being the “bad guy” at most of our clients. Case in point: we installed a firewall and web filtering for an office this week. They had been hit pretty hard by some malware a month or so ago due to some improper computer use by one or more employees. Like so many small offices, this one has no Acceptable Use Policy, they go on trust, and (until we took them on) they were not having regular checks and maintenance performed on their machines by a qualified professional.
Of course, when I do something like this or advise a business owner what steps they should be taking to protect their office, users often get mad at me. It doesn’t really bother me; users don’t send me checks, and users are not who I am there to protect – businesses are. Unfortunately, most end users do not understand the ramifications of what they do, nor do they care.
These days the line between work on the office computer and the home computer is, for many users, becoming blurred. Worse yet, the line is being completely ignored by some users. According to some recent data, more than half of users in a business environment have changed settings on their work machines to allow more liberal access to the things they want to access, in particular on the Internet. 35% felt it was not the company’s business what they were doing (see: http://www.darkreading.com/document.asp?doc_id=164974&f_src=drdaily). Unfortunately, it IS the company’s business and, moreover, it is the company’s responsibility to protect its interests (read “data” and “confidential information”). I’m pretty sure these same employees would be extremely upset if they found out the company let THEIR personal information out on the Internet. This is what those users are exposing to the Internet: someone else’s confidential information!
By failing to take proper precautions in securing office machines and the network, companies everywhere could be at risk of exposing other people’s private information and/or their OWN information to people who can (and will) sell or otherwise use that information for nefarious purposes. Another case in point: I was reading an article the other day where the writer was talking of someone impersonating them on the Internet and leaving inflammatory comments on various web sites. This particular user tracked the rogue person back to their place of work by getting the IP address that was left behind every time this rogue person left a comment somewhere. I hope the rogue user’s place of work realizes THEY are responsible for everything this user did while using the corporate network.
This is just one more glaring example of why companies MUST protect their own interests. Users should not be allowed, to the extent possible, to do any personal email, or web browsing, or downloading or... you get the point. If your users do something illegal or untoward, there is not only a possibility but a strong likelihood that it can (and will) be tracked back to you.
Finally, the cost involved in cleaning up from a malware or virus infestation is not cheap. There are cases where the machine simply cannot be wiped out and every effort must be made to restore it to its original condition. Had the office we took on the other day installed the firewall and web filtering some time ago, they could have used that $300 to put toward the purchase of the firewall to start with. In the long run, it will always cost more to clean up problems than it would have to just protect against them from the beginning.
