Sunday, June 12, 2016

Signs Your IT "Guy" is an Amateur

Strangely enough, no one has ever asked me why I called this blog "Consultant or Amateur?" So I'll tell you!

I came from a professional I.T. background. I managed large-scale computer systems across several states. I managed large teams of people. I managed the outsourced resources that made several different companies successful.

So when I started my own technology consulting company, I put a premium on being professional. At first I thought that meant dressing professionally, having standard offerings, and delivering what we promised. But as I met more and more small business owners, I realized that my so-called competition was in a completely different league when it comes to professionalism.

Time and time again I met business owners who had been ripped off and mistreated by the IT "Guy" before me. Here are a few examples:

The Untrained
- One computer consultant recommended that a client uninstall the brand new operating system from her brand new computers and install the previous version because it was more stable.

What that really means: 1) This guy is too lazy to learn the new operating system. 2) This guy wanted to drum up thousands of dollars in billable labor to "fix" perfectly working machines and turn them into last-generation technology. 3) This guy cared more about his own pocket book than about the client's experience or business.

The Thief
- Many (too many) IT consultants sell used equipment as new. They buy illegal software and sell it for full price. They bill for work they didn't do. Basically, people like this are scratching and clawing to make a little money any way they can.

This is bad enough. But it's also a sure sign that these people do not have the connections to get good equipment, replacement parts, warranty service, etc. It's also a good indicator that they'll be out of business and gone when something important breaks.

Secret-Keepers
- These folks never document anything. Or at least they don't share the documentation with the client. So business owners don't know the passwords to their server, router, firewall, email provider, Internet service provider, etc. This is a HUGE PET PEEVE of mine. I wrote a book on documentation and I made a huge point of encouraging people to share this information with the business owner - because it's their network.

There's some strange belief among secret-keepers that they have more job security if they don't share any information. They don't know how wrong they are! Unfortunately, I've made a LOT of money figuring out how to give new clients access to their own equipment and servers after they fire the secret-keeper!

The Mine-Mine-Miners
- I don't know what else to call them. If I knew WHY these people do what they do, I'd have a better name for them. These people put everything in their own name. I have one client whose Internet connection is in the name of an IT guy they hired for three months - 18 years ago! They can't change it except to just switch to a new ISP. It's ridiculous.

These people register the server, the network equipment, and all the software in their own name instead of the business name or even the business owner's name. Again, maybe they think this is some kind of job security. But when these people are gone and you try to get control of your own equipment - which you paid for - it can be a huge hassle. And, again, I've made a lot of money helping people take control of something that should have been under their name in the first place.

This includes Internet Domain Names. I've seen cases where the IT Guy registered domain names in his own name and then would not transfer them to the rightful owner - even though the small business owner paid him for the registration! In more than one case, the domain expired and the rightful owner could not renew it or transfer it because the IT Guy had it in his own name and he disappeared.

The Old-Timers (of any age)
- These folks just can't bring themselves to learn new stuff. They don't sell the latest equipment because clients aren't asking for it. Well, it's not the client's job to know what's new and ask for it. It's the IT professional's job to know what's new and recommend it. These people also perpetuate fear about things like Cloud Services. When I hear that "the cloud" is unsafe, un-tested technology I'm reminded of when people used to say that the Internet was just a fad.

The Un-Safe
- Un-safe technicians tell you stupid stuff like you don't need a firewall. Or you don't need a backup. Or you don't need an anti-virus program.

Let's turn this around. If your business has any value whatsoever, then you need to protect it. If your programs and data help you make money, then you need to back them up. If it would be a bad thing for someone else to get all your information, then you need a firewall. And if someone really has to convince you to get anti-virus, then maybe you're the amateur as well as your IT Guy.

We have a saying in our company: We can't care more about the client's business than they do. If you care about your business, you do the basic things to protect it. You lock the front door at night, you have insurance, you have a firewall and AV program, and you back up your data.

YES - It is possible to overspend. But most businesses underspend. And that's why lots of them go out of business after a disaster. 99.9% of all IT-related disasters are both preventable and easy to recover from - IF you've spend a little time and money preparing for a disaster. It's not difficult or expensive to have true business continuity or disaster recovery.

What to Look For

Here's a simple way to look for a professional IT consultant.

- Ask about their trainings and certifications. Training and experience are more important than certifications.

- Ask them about their SOPs - Standard Operating Procedures - for selling hardware, software, and service.

- Ask them about their SOPs for documenting your network.

- Ask them to describe their preferred network security and disaster recovery options.

- Ask them about what they sell and what they expect to sell in the next three years.

A professional technology consultant should be able to discuss each of these and sound confident and knowledgeable. You should also not hear any red flags like, "We prefer the old system," or "We're not recommending new technology yet."

It can be hard to hire an IT professional when you're not a professional in IT. But if you put out a little extra effort now, you can avoid a lot of grief in the future!

:-)

Saturday, June 4, 2016

Reusing Passwords Will Kill Your Business

Do you reuse passwords? If so, it's just a matter of time before the bad guys break into your network, your laptop, your bank account, and your business.

Since computers were invented, we have had to balance use-ability with security. And business owners have always hated passwords. I can't tell you how many times I've been told that I should make a password easy to remember.

I'm sorry to tell you: Those days are long gone.

There are now literally millions of bad guys hacking and cracking into everything they can find. People with poor security habits have all kinds of juicy information on their computers (Social Security numbers, birthdays, credit card numbers, and of course password lists!).

Some of this information is used to break into accounts. Some is used to open new credit card accounts or redirect your tax return to a new address. Lots of it is sold in bulk to organized crime syndicates in other countries. And then the aggregated data is sold again and again to bad guys who want to generate fake profiles, credit cards, and more.

As you read about break-ins for large companies like Target, just remember that that are thousands of breaches that never make the news for every single breach that does. Most are never reported because it's not required. In fact, most are not reported even if it is required because there's no real enforcement.

Here are the most obvious things you can do:

1) Have good passwords. 
That means they are long(ish) and complex. Complex means that standard stuff you hear about all the time: Upper and lowercase letters, symbols, and at least 8-12 characters.

2) Never use a password that exists on any list anywhere. 
For example, if you use a single word that is found in a dictionary, it takes only a few milliseconds for a computer to guess your password because the computer has it's own "dictionary" that includes all the words in all dictionaries for all languages. It also includes all lists of all passwords that it has ever come across.

3) Change your passwords from time to time!
You don't necessarily have to change your password every 30 days - but it doesn't hurt. But you should change all your important passwords (bank, payroll, work) at least once every three months.

And here's one more thing that most people don't think about:

4) Don't reuse passwords. 

Consider this: You probably have passwords on dozens if not hundreds of web sites. I use a password manager that stores about 800 of my passwords. With that many accounts out there, it's almost guaranteed that one of those accounts will get hacked this year. So my username and password combination will now be out in the wild for the bad guys to buy.

Why is that valuable? Well . . . If I reuse passwords (as most people do), then that username/password combination will be guaranteed to work somewhere else. So now the bad guys have lists of all the passwords out in the wild, but they also have some known-good combinations.

Social media accounts are always under attack. Most recently, MySpace and Tumblr were hacked. If you have one of those accounts and use the same password for Facebook, LinkedIn, etc. then the bad guys have those passwords as well.


The bottom line: Some account you have somewhere will be hacked. With luck, it will be an unimportant account. And if you don't have the same password everywhere, then the damage will be isolated to that one account. But if you reuse one password all over the place, then the chances that other accounts will be hacked goes up significantly.


Action Steps:

- Contact your I.T. consultant and find out what they recommend for password policies and password management.

- Change your most important passwords right now - and make them all different!


Additional Resources

Here is a Google search for Password Managers. I use an off-line password manager so that it's not hosted somewhere and the focus of targeted attacks.

Here is a password testing tool. Set the year to 2020 and see how quickly your passwords can be cracked.

Just remember: Even if this password can't be cracked in a million years, a list of passwords that includes this one might not be as secure!

Finally, here are the 100 most popular passwords in the last year, in alphabetical order. You can be guaranteed that these will be cracked in less than one second.

1111
1234
2000
6969
12345
111111
121212
123123
123456
654321
666666
696969
1234567
12345678
123456789
abc123
access
amanda
andrew
asdfgh
ashley
asshole
austin
baseball
batman
bigdog
biteme
buster
charlie
cheese
chelsea
computer
corvette
cowboy
dallas
daniel
diamond
dragon
football
freedom
fuck
fucker
fuckme
fuckyou
george
ginger
golfer
hammer
harley
heather
hello
hockey
hunter
jennifer
jessica
jordan
joshua
killer
letmein
love
maggie
martin
master
matthew
merlin
michael
michelle
monkey
mustang
nicole
orange
pass
password
patrick
pepper
princess
pussy
qwerty
ranger
richard
robert
secret
sexy
shadow
silver
soccer
sparky
starwars
summer
sunshine
superman
taylor
test
thomas
thunder
tigger
trustno1
william
yankees
yellow

Source: http://www.passwordrandom.com/most-popular-passwords

Let's be safe out there!

:-)

Thursday, February 18, 2016

Don't Go Phishing - An Email Safety Tip

I am preparing a training for my clients on how to avoid problems that show up in email. Whether it's work email or home email, certain "bad" emails will always get through. If you have a good anti-virus program and a good spam filter, you shouldn't get viruses in your inbox.

But "phishing" is another program. Phishing is pretty much what it sounds like - bad guys are fishing to see who will bite. Here's a great example of a phishing email:



Notice the popup that says "http://s522558593... ." We'll come back to that.

When you get any email that includes links, do not click on anything unless you are 100% sure that it's real. For example, if you receive a regular newsletter, those links are probably safe.

Here are some quick tips for dealing with phishing emails.

First, be suspicious. Phishing emails often look very real. They will frequently have a "scare" tactic to get you to click without thinking. For example, a letter was returned undeliverable. Make sure we have the right address.

Well, wait a minute. Do you even use this product or service? Do you care if a letter went missing? Is this your bank?

Second, never click on the links in an email unless you asked this person to send you this email. If your bank has an urgent message for you, then open a browser and log into your bank. That way you'll know YOU initiated the contact and that it's really your bank. If there's an urgent message for you, it will be there.

If you want to see where the link is really going, float your mouse over it. See the example above. The "link" looks like it's going to CoveredCA.com, but if you click it will really go to that long link instead. In this case, that link is to a server with a reputation for sending massive amounts of spam email. If you click anything, you verify that your email works and they can sell it again.

I did not click on the link because 1) I don't use CoveredCA, and 2) I floated my mouse over it and the address was different.

But if I had clicked, I bet it's a site that looks very much like the "real" CoveredCA web site. But when you put in your information, if fails. In reality, you have just given the bad guys your username and password!

That's what they're fishing for.

The bad guys convince people to let their guard down. You need to have some hard, fast rules that you never break. And remember that the government will never initiate contact with you. And neither will most large businesses!

And here's a bonus tip: If you receive an email with an attachment, never open the attachment unless you asked that person to send you that email.

In general, click less and slow down. When you go fast, the bad guys can trick you into clicking when you should be deleting!

:-)





Saturday, February 6, 2016

Beware Budget Bifurcation

Humans have an amazing capacity to isolate various pieces of our lives and treat each independently. Perhaps we have to do this in order to make decisions at all and not be overwhelmed with data.

But sometimes we know very clearly that two things are directly related and choose to ignore this relationship anyway. This is called bifurcation.

The best example of bifurcated thinking is the government budget process. In the spring, Congress passes all kinds of laws with almost no attention to costs. Policy is all that matters. Then, in the Fall, they look at the costs of all  those programs and start  cutting and trimming costs - without regard to the policies.

Yes, the government always manages to overspend. But there is a budget process. And the most common compromise is the very simple and predictable: Split the difference. In other words, the House and Senate meet halfway in the middle - without regard to the policy differences.

What's this got to do with Small Business? Unfortunately, A Lot!!!

Business owners are also tempted to use bifurcated thinking when they budget as well. But unlike Congress, you can't go over budget without feeling the pain - and you can go out of business.

The most common example of bifurcated thinking in small business involves saving money in the wrong way. I call this "Saving the wrong pennies." Here's a great example.

Last year, one of my clients bought a new laptop. They only needed it for a few simple tasks, so they bought a low-end $300 machine instead of the business class machine I recommended for $600. It looks like they saved $300, right? Wrong - by a long shot.

Super basic, low-end equipment almost never saves money. That extra $300 was saved somewhere by the manufacturer. As a result, setting up the machine to work on a network was slower. Since that's billable labor, the client paid more for the setup right off the bat.

Then they started using it and found that it is noticeably slower than other machines in the office. "That's okay," they said, "We just need it once in awhile for low-end needs."

But right away they were disappointed because the new laptop printed very slowly and the printouts were often grainy, especially with photos. That's because the machine has almost no video memory, and almost no processor cache. Those are "specs" that almost no one compares, and they are very important for good performance.

And you know what happened next. They hired a new employee and that laptop is now used as a desktop computer every day. It is super slow and doesn't do the most important thing a computer should do: Make the user more productive!

So the client asked if we can upgrade the graphics card. But of course they can't. On a nicer laptop they might be able to upgrade the graphics - but they wouldn't need to because it would already have a better graphics card.

Now that they feel the pain, they see that the laptop is really only good for a few tasks and they'll pay whatever it takes to get something that performs well. This reminds me of a twist on an old saying: "We don't have money to do it right, but we have plenty of money to do it over."

Bifurcation Warning: You can always make decisions on price alone, but don't be surprised if that becomes a powerful, expensive decision in the long run.

The solution to this is surprisingly simple: Find a technology consultant who will give you good, honest advice and help you with long-term planning. A good consultant will help you create some kind of technology budget instead of just reacting to situations as they arise. Very often, the answer will be to save money in the short run as well as the long run!

Ideally, you have an ongoing maintenance contract and hold quarterly "roadmap" meetings to discuss your technology needs going forward. Once your I.T. consultant knows about your plans for the months (and years) ahead, they can help you make wise long term decisions.

For example, I recently had a client with some minor but annoying problems on a desktop PC. Knowing that the machine was scheduled to be replaced in two months, I asked her how much time I should spend on it. This reminded her about our earlier "roadmap" discussions and she said to limit my time to one hour.

Your I.T. consultant should be a consultant. That is, they should give you good advice that serves you well in the long run.

Be of one mind. Stop the bifurcated thinking!

:-)

Tuesday, December 1, 2015

If You Get Viruses, Fire Your Technician - Or Yourself

There's a simple formula for avoiding viruses on your computers. I am extremely frustrated when I go to professional conferences hear people talking about Cryptolocker and other viruses.

There is no excuse for letting your computer get viruses today. Really. Zero.

Twenty years ago a client asked me if computer consultants created viruses so they could stay employed. I said no, we don't have to because the bad guys are creating enough. That's still true.

BUT I have met a lot of consultants recently who do not do the best job they can of patching systems . . . because they want your computer to break. In my opinion, these are amateurs at best and incompetent technicians at worst.


How We Get Viruses Today


Virtually every virus today requires YOU to install it. Something pops up on your screen and you click YES. When that happens, you are to blame and you should pay for the cleanup.

Virus manufacturers try to trick you into clicking in many ways. The most common are

1) A fake virus scanner pops up and says your system is infected. You click to "clean" your machine, but you're really installing a virus.

2) Fake web sites look like the real thing, so you start clicking on stuff. Again, at some point a program wants permission to install something and you say yes.

3) You receive emails with fake lures. For example, your bank needs you to read a notice or says your deposit did not go through. You panic and click. And infect.

4) You receive an email with an attachment, often with a fake extension. You open it and infect your machine.


Five Simple Steps to Zero Viruses


It is extremely easy to stop getting viruses ever again. But you have to do all five. If you do less than five, then you will get viruses. Note: You computer consultant should recommend these steps to you and pressure you to do them. This is worth paying for because it's cheaper than cleaning up one nasty virus.

Step One: Have a good, current anti-virus program. In addition, know what it is! Open it. Look around. See how the quarantine looks. Be comfortable with it. That way, when something pops up and says you have an infection, you will know that it's NOT your anti-virus program and you can close it without clicking.

Step Two: You need a good patch management system. This will cost a little money every month, but it guarantees that your operating system and all your software is up to day. There's a big buzz every week about Microsoft updates. Of course you ignore it because it's not your job. But those updates (as well as updates from Adobe, QuickBooks, Sage, and others) are critical to the health of your computers.

Very often, these updates do not install automatically (even when set to) and sometimes fail to install for weeks or months. That's why you need a managed system. Your computer consultant should be making sure all these patches are applied. On rare occasions, a patch should NOT be applied because it causes problems. Your computer consultant should manage that as well.

Step Three: No one in your company should have "administrative rights" on your computers. As soon as you take away admin rights, programs cannot be installed. Viruses are programs. They need admin rights to install and infect your computer. Once you take this away, 99% of all viruses are stopped dead in their tracks.

WHINE: I always hear the argument that it's a pain in the neck to contact the computer guy every time we need to install something. A) No it's not. B) Here's another thing you can do.

Have your computer consultant create a special Administrative account on your computer. Call it something like AdminX with a password that's easy to remember. This doesn't have to be a super secure password if you have a properly set up and secured network. Now, when a program asks for Administrative credentials in order to install a program, you can put in the AdminX username and password. Ideally, that will slow you down, make you think, and NOT install viruses.

If you do install a virus, you'll know instantly that you did it yourself and you can give up the lame excuse that you browsed to a web site and magically got a virus.

Step Four: You need a good firewall with an anti-virus module installed. That means you can't use a crappy $39 router any more. You need a real firewall with a real anti-virus module - and a subscription to keep that up to date. Yes it costs money. But it costs less than fixing one nasty virus.

Step Five: You need good habits. As you read above, YOU are the cause of all viruses. So change that, educate your people. And stop clicking on everything on the Internet!!! Here are a few rules. Follow these and you life will be good:

1) If you have any doubt whatsoever, do not click. For example, if your bank has a message for you, close the email and log on to your bank site. Since you initiated the connection, you'll know you are at the real bank site. If there's a message, it will be there.

2) Do not open email from someone you don't know. Just delete it. Really. The world will keep spinning.

3) Do not open any email attachments unless you asked that person to send you that file. Even if it looks like it came from your mother or best friend. Send them an email and ask them if they sent you something. If they say no, delete it.

4) Have your computer consultant enable "view extensions" on your computer. That way, you can look for files with two extensions and you can delete them without opening. These files have names like: FILE.DOC.EXE or FILE.PDF.JS.


In the 21st Century, I believe it is unscrupulous for computer consultants to let their clients get viruses and lose data. It costs the client a lot of money and is completely avoidable.

At the same time, business owners who are not willing to pay for a good firewall, good anti-virus software, and a patch management program are just asking for trouble. It costs money to run your business the right way. If you don't buy a managed service contract and you don't invest in basic security, then please don't complain when you have to pay money to clean up a virus or two. Or three.

:-)

Tuesday, September 29, 2015

DropBox is Not Your Friend

Let me start out by saying that DropBox CAN be the perfect solution for many small businesses - IF it's the solution to the right problem!

There's an old saying among people who work with their hands: Use the right tool for the right job.

When you use the wrong tool, either you injure yourself or you do a really crumby job. Either way, more than likely, it shows. Note also that you have to do the right job. That means even the best tool can be used the wrong way.

As we tip-toe into "cloud" services, a lot of companies are finding out that employees (or owners and managers) are grabbing whatever tool they can find to make their job easier. One of the most common examples of this is cloud-based storage. Time and time again, we see clients who are throwing important company data up on free accounts. Some people even brag about having 5 GB accounts on several different providers - all free!

Free is great when free is appropriate. 

Free means, in the end, you have ZERO guarantees that anyone is responsible for your stuff. Even if everything was lost by a freak accident and you were paid one million times what you paid for the service, you will still get ZERO. If you're not paying for it, assume it's not as secure as when you are. Assume it's not as private as it could be.

Just because a little lock shows up in your browser and the web connection is "encrypted" doesn't mean that you have any level of real security. Most free accounts (I would say ALL, but I don't actually have proof of that . . . But certainly every free account I've ever seen . . .) is NOT compliant with requirements such as HIPAA or PCI.

What does that mean? In a nutshell, it means that these free accounts aren't good enough for use with data that 1) Is important in any way, and 2) You don't want to lose. If your industry is regulated in any way, YOU are responsible for the security of you data and being compliant with regulations.

When you hire a professional technology consultant, they will make sure that your data is secure - in a way that protects you and has your best interest in mind. For example . . .

- It's good to say your data are encrypted. What does that mean? To be truly secure, you need to be in control of that encryption. That means some system you control needs to do the encrypting and decrypting. The service that stores your data should never be able to look inside your encrypted files. Your consultant can show you how this works with the systems they sell you.

- It means that you need a complete system designed for speed, security, and data recovery. All of that needs to be designed intentionally and documented thoroughly. In a disaster, where are your data? Which accounts and emails and passwords are used for everything? Who knows this stuff? Where is it documented?

Cloud services absolutely CAN be secure and keep you inside the law. But that doesn't happen by accident. You can't just put your important company data anywhere you want and assume someone is taking care of it.

The real irony is that good, secure, cloud-based systems are now VERY affordable. That means low-price, not free. But to save a few dollars every month, people choose to do whatever they think is "easy." We all know the free version of games are crippled in some way. We all know the free version of software has key features disabled. We all know that free means you're not getting the whole thing.

What's missing in your free cloud storage?

PLEASE talk to your technology consultant and make sure you have a data storage system that makes sense and was created specifically to meet your needs.

DropBox might be your friend. But only if it's part of an overall system designed to meet your needs and fulfill the requirements of your business.

:-)

Sunday, June 7, 2015

Windows 10 Strategic Deployment Advice

Memo to Businesses about Windows 10:

On June 1st, Microsoft announced that Windows 10 will be released July 29th. Whether you like it not, this affects you. Here are a few points to consider regarding deployment of this operating system.

Executive Summary:

1) After July 29th, Windows 10 will be the only version of Windows available.

2) Machines with Windows 7 or 8 can upgrade for free to Windows 10 for the next year.

3) I recommend that you work with you IT Consultant to schedule an upgrade to Windows 10 on any W8 machines. It’s a much more usable interface and will give you an idea of what the upgrade process will be like for other machines. Labor for this is probably billable.

4) I recommend that you keep Windows 7 machines as is until you decide on a good time to switch over. You do not ever “have to” make the switch. But there's no cost for the software for the next year.


Some Details:

Unlike most Windows updates from the past, this one is quite significant. It means that very shortly Windows 10 will be the only version of Windows available.

Here’s why: Microsoft has always allowed people to legally use the current version of Windows purchased, or the previous version. That’s why Windows XP was allowed to stay around so long. Some folks didn’t like Windows Vista, so they bought machines with XP.

Well, the current version is Windows 8.x, even though no one likes it.

When Windows 10 is released, the “previous” version will be Windows 8. Manufacturers will be allowed to ship machines with Windows 10 or Windows 8. Since they are all currently shipping Windows 8 “downgraded” to Windows 7, you know they’re not going to ship Windows 8.

Therefore, the only real option after July 29th will be Windows 10.

ALL versions of Windows 7 and Windows 8 will be eligible for FREE updates to Windows 10.

Note: If you have Home versions of Windows 7 or 8, they will be upgraded as part of the regular Windows Updates. When this happens, you will lose Windows Media Center, all desktop gadgets, and certain Microsoft games.


Work with your IT Consultant or Managed Service Provider

It's always best to work with your Managed Service Provider (MSP) to coordinate these upgrades. In this case, it's particularly important.

With an "unmanaged" computer, the Windows Updates are probably set to automatic. If that's true, then all Windows 7.1 and Windows 8.x machines will soon see a new icon in the lower right-hand corner.

If you click it, you'll install Windows 10. You can't undo this.

Managed computers go through an upgrade vetting process. That means that only approved patches and fixes are installed. So, your Managed Service Provider can stop the installation of the Windows 10 Upgrade App.

That gives you time to decide when and whether you want the upgrade.


Mixed Environments

If you have a few machines with Windows 8, that's probably good for you. You'll definitely want to upgrade those to Windows 10. Once that happens, you'll see how much better it is than W8. And you can decide whether you want to run a "mixed" environment of W7 and W10 of just upgrade all the W7 machines.

Our general advice is that you should plan to keep business class computers for three years and then get newer machines AND you should always get machines with the latest operating system. So, for most people, we advice that you leave the Windows 7 machines alone unless you have a need for some feature of Windows 10 that you don't get with Windows 7.

Once again, the good news is that your Managed Service Provider will help you figure out a reasonable schedule for upgrade to make sure that all of your hardware and software works properly with Windows 10. 

It's fine for Microsoft to release a new operating system and assume everyone should just get it. But you need to make good decisions about your business.

This is a great time to rely a professional IT consultant to make sure you have a smooth transition.

- - - - -
Microsoft has a nice FAQ on this upgrade process from their perspective:

:-)