Sunday, June 12, 2016

Signs Your IT "Guy" is an Amateur

Strangely enough, no one has ever asked me why I called this blog "Consultant or Amateur?" So I'll tell you!

I came from a professional I.T. background. I managed large-scale computer systems across several states. I managed large teams of people. I managed the outsourced resources that made several different companies successful.

So when I started my own technology consulting company, I put a premium on being professional. At first I thought that meant dressing professionally, having standard offerings, and delivering what we promised. But as I met more and more small business owners, I realized that my so-called competition was in a completely different league when it comes to professionalism.

Time and time again I met business owners who had been ripped off and mistreated by the IT "Guy" before me. Here are a few examples:

The Untrained
- One computer consultant recommended that a client uninstall the brand new operating system from her brand new computers and install the previous version because it was more stable.

What that really means: 1) This guy is too lazy to learn the new operating system. 2) This guy wanted to drum up thousands of dollars in billable labor to "fix" perfectly working machines and turn them into last-generation technology. 3) This guy cared more about his own pocketbook than about the client's experience or business.

The Thief
- Many (too many) IT consultants sell used equipment as new. They buy illegal software and sell it for full price. They bill for work they didn't do. Basically, people like this are scratching and clawing to make a little money any way they can.

This is bad enough. But it's also a sure sign that these people do not have the connections to get good equipment, replacement parts, warranty service, etc. It's also a good indicator that they'll be out of business and gone when something important breaks.

Secret-Keepers
- These folks never document anything. Or at least they don't share the documentation with the client. So business owners don't know the passwords to their server, router, firewall, email provider, Internet service provider, etc. This is a HUGE PET PEEVE of mine. I wrote a book on documentation and I made a huge point of encouraging people to share this information with the business owner - because it's their network.

There's some strange belief among secret-keepers that they have more job security if they don't share any information. They don't know how wrong they are! Unfortunately, I've made a LOT of money figuring out how to give new clients access to their own equipment and servers after they fire the secret-keeper!

The Mine-Mine-Miners
- I don't know what else to call them. If I knew WHY these people do what they do, I'd have a better name for them. These people put everything in their own name. I have one client whose Internet connection is in the name of an IT guy they hired for three months - 18 years ago! They can't change it except to just switch to a new ISP. It's ridiculous.

These people register the server, the network equipment, and all the software in their own name instead of the business name or even the business owner's name. Again, maybe they think this is some kind of job security. But when these people are gone and you try to get control of your own equipment - which you paid for - it can be a huge hassle. And, again, I've made a lot of money helping people take control of something that should have been under their name in the first place.

This includes Internet Domain Names. I've seen cases where the IT Guy registered domain names in his own name and then would not transfer them to the rightful owner - even though the small business owner paid him for the registration! In more than one case, the domain expired and the rightful owner could not renew it or transfer it because the IT Guy had it in his own name and he disappeared.

The Old-Timers (of any age)
- These folks just can't bring themselves to learn new stuff. They don't sell the latest equipment because clients aren't asking for it. Well, it's not the client's job to know what's new and ask for it. It's the IT professional's job to know what's new and recommend it. These people also perpetuate fear about things like Cloud Services. When I hear that "the cloud" is unsafe, un-tested technology I'm reminded of when people used to say that the Internet was just a fad.

The Un-Safe
- Un-safe technicians tell you stupid stuff like you don't need a firewall. Or you don't need a backup. Or you don't need an anti-virus program.

Let's turn this around. If your business has any value whatsoever, then you need to protect it. If your programs and data help you make money, then you need to back them up. If it would be a bad thing for someone else to get all your information, then you need a firewall. And if someone really has to convince you to get anti-virus, then maybe you're the amateur as well as your IT Guy.

We have a saying in our company: We can't care more about the client's business than they do. If you care about your business, you do the basic things to protect it. You lock the front door at night, you have insurance, you have a firewall and AV program, and you back up your data.

YES - It is possible to overspend. But most businesses underspend. And that's why lots of them go out of business after a disaster. 99.9% of all IT-related disasters are both preventable and easy to recover from - IF you've spent a little time and money preparing for a disaster. It's not difficult or expensive to have true business continuity or disaster recovery.

What to Look For

Here's a simple way to look for a professional IT consultant.

- Ask about their trainings and certifications. Training and experience are more important than certifications.

- Ask them about their SOPs - Standard Operating Procedures - for selling hardware, software, and service.

- Ask them about their SOPs for documenting your network.

- Ask them to describe their preferred network security and disaster recovery options.

- Ask them about what they sell and what they expect to sell in the next three years.

A professional technology consultant should be able to discuss each of these and sound confident and knowledgeable. You should also not hear any red flags like, "We prefer the old system," or "We're not recommending new technology yet."

It can be hard to hire an IT professional when you're not a professional in IT. But if you put out a little extra effort now, you can avoid a lot of grief in the future!

:-)

Saturday, June 4, 2016

Reusing Passwords Will Kill Your Business

Do you reuse passwords? If so, it's just a matter of time before the bad guys break into your network, your laptop, your bank account, and your business.

Since computers were invented, we have had to balance usability with security. And business owners have always hated passwords. I can't tell you how many times I've been told that I should make a password easy to remember.

I'm sorry to tell you: Those days are long gone.

There are now literally millions of bad guys hacking and cracking into everything they can find. People with poor security habits have all kinds of juicy information on their computers (Social Security numbers, birthdays, credit card numbers, and of course password lists!).

Some of this information is used to break into accounts. Some is used to open new credit card accounts or redirect your tax return to a new address. Lots of it is sold in bulk to organized crime syndicates in other countries. And then the aggregated data is sold again and again to bad guys who want to generate fake profiles, credit cards, and more.

As you read about break-ins at large companies like Target, just remember that there are thousands of breaches that never make the news for every single breach that does. Most are never reported because it's not required. In fact, most are not reported even if it is required because there's no real enforcement.

Here are the most obvious things you can do:

1) Have good passwords. 
That means they are long(ish) and complex. Complex means the standard stuff you hear about all the time: upper and lowercase letters, symbols, and at least 8-12 characters.

2) Never use a password that exists on any list anywhere. 
For example, if you use a single word that is found in a dictionary, it takes only a few milliseconds for a computer to guess your password, because the computer has its own "dictionary" that includes all the words in all dictionaries for all languages. It also includes every list of passwords it has ever come across.

3) Change your passwords from time to time!
You don't necessarily have to change your password every 30 days, though it doesn't hurt. But you should change all your important passwords (bank, payroll, work) at least once every three months.
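Rules 1 and 2 above can be turned into an automatic check, which is how a password manager or a login form should enforce them rather than trusting users to remember the rules. The script below is an added example written for this post, not a tool from the blog or any particular product. The known-password set and the dictionary are tiny constructed stand-ins for the real lists a checker would load (the post's own list of popular passwords is exactly the kind of input that belongs in KNOWN_PASSWORDS); the minimum length of 12 is the upper end of the "8-12 characters" the post gives.

```python
import re
import string

# Constructed sample of a "known passwords" list. A real deployment loads a
# large breach corpus (tens of millions of entries) instead of ten strings.
KNOWN_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "trustno1",
    "dragon", "baseball", "football", "monkey", "sunshine",
}

# Constructed stand-in for a dictionary word list.
DICTIONARY_WORDS = {"orange", "summer", "freedom", "computer", "hunter"}

MIN_LENGTH = 12  # assumption: take the upper end of the post's "8-12 characters"

# Cracking tools undo common "tricks" (leetspeak, tacked-on digits/symbols)
# before comparing against lists, so the checker undoes the same tricks.
LEET_TO_PLAIN = str.maketrans("0134@$", "oleaas")


def normalized_core(candidate: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo leetspeak,
    and keep only letters. 'Summ3r2016!' -> 'summer', 'P@ssw0rd!' -> 'password'.
    A leading symbol that is part of the word (e.g. '@dmin') is lost; acceptable
    for an illustration, and it only makes the check more lenient, never stricter.
    """
    lowered = candidate.lower()
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return re.sub(r"[^a-z]", "", trimmed.translate(LEET_TO_PLAIN))


def check_password(candidate: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    Rule 1: length and a mix of character classes.
    Rule 2: never a password that appears on any list, even with trivial
            substitutions, because the attacker's dictionary applies those too.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    if candidate.lower() in KNOWN_PASSWORDS:
        problems.append("appears on a known-password list")

    core = normalized_core(candidate)
    if core in DICTIONARY_WORDS or core in KNOWN_PASSWORDS:
        problems.append("is a dictionary/list word with trivial substitutions")

    return problems


if __name__ == "__main__":
    for sample in ("password", "Summ3r2016!", "P@ssw0rd!", "Correct-Horse-Battery-7"):
        result = check_password(sample)
        print(f"{sample!r}: {'OK' if not result else '; '.join(result)}")
```

Note that "Summ3r2016!" satisfies every character-class rule and still fails, because once the year and the leetspeak are stripped it is the dictionary word "summer". That is the point of rule 2: complexity rules alone do not keep a password off the lists attackers already hold.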

And here's one more thing that most people don't think about:

4) Don't reuse passwords. 

Consider this: You probably have passwords on dozens if not hundreds of web sites. I use a password manager that stores about 800 of my passwords. With that many accounts out there, it's almost guaranteed that one of those accounts will get hacked this year. So my username and password combination will now be out in the wild for the bad guys to buy.

Why is that valuable? Well . . . If I reuse passwords (as most people do), then that username/password combination will be guaranteed to work somewhere else. So now the bad guys have lists of all the passwords out in the wild, but they also have some known-good combinations.

Social media accounts are always under attack. Most recently, MySpace and Tumblr were hacked. If you have one of those accounts and use the same password for Facebook, LinkedIn, etc. then the bad guys have those passwords as well.


The bottom line: Some account you have somewhere will be hacked. With luck, it will be an unimportant account. And if you don't have the same password everywhere, then the damage will be isolated to that one account. But if you reuse one password all over the place, then the chances that other accounts will be hacked go up significantly.
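The isolation argument above is easy to audit for yourself: export your password manager's vault and look for passwords that appear on more than one site. The script below is an added example for this post, not the blog's or any password manager's own code; the vault contents are constructed sample records, not real credentials, and the export format (site, username, password) is an assumption. It reports every group of accounts sharing a password and, for a chosen site, the "blast radius" of that one account being breached.

```python
import hashlib
from collections import defaultdict

# Constructed vault export: (site, username, password). Not real credentials.
VAULT = [
    ("bank.example",    "owner@example.com", "Tr0ub4dor&3!-Bank"),
    ("payroll.example", "owner@example.com", "Summ3r2016!"),
    ("social.example",  "owner@example.com", "Summ3r2016!"),
    ("forum.example",   "owner@example.com", "Summ3r2016!"),
    ("shop.example",    "owner@example.com", "Qv9#mLp2$xWz8nRt"),
]


def fingerprint(password: str) -> str:
    """Short hash so the audit report can be shown or shared without the
    cleartext passwords. This is a grouping key for a local audit only;
    an unsalted fast hash is never acceptable for storing passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(vault):
    """Group accounts by password fingerprint.
    Returns {fingerprint: [sites]} for every password used on more than one site."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites whose account falls if the password used on `breached_site`
    leaks: exactly the accounts the post says get hit by a reused password."""
    password_by_site = {site: password for site, _user, password in vault}
    leaked = password_by_site[breached_site]
    return sorted(site for site, _user, password in vault
                  if password == leaked and site != breached_site)


if __name__ == "__main__":
    for fp, sites in find_reuse(VAULT).items():
        print(f"password {fp} reused on {len(sites)} sites: {', '.join(sites)}")
    # An unimportant forum account leaks; which important accounts go with it?
    print("if forum.example is breached, also at risk:", blast_radius(VAULT, "forum.example"))
```

In the sample vault the low-value forum account shares its password with payroll, so a breach that would otherwise be harmless hands the attacker the payroll login. Any group that find_reuse reports is a list of passwords to change now, starting with the highest-value site in the group.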


Action Steps:

- Contact your I.T. consultant and find out what they recommend for password policies and password management.

- Change your most important passwords right now - and make them all different!


Additional Resources

Here is a Google search for Password Managers. I use an offline password manager so that it's not hosted somewhere and the focus of targeted attacks.

Here is a password testing tool. Set the year to 2020 and see how quickly your passwords can be cracked.

Just remember: Even if this password can't be cracked in a million years, a list of passwords that includes this one might not be as secure!

Finally, here are the 100 most popular passwords in the last year, in alphabetical order. You can be guaranteed that these will be cracked in less than one second.

1111
1234
2000
6969
12345
111111
121212
123123
123456
654321
666666
696969
1234567
12345678
123456789
abc123
access
amanda
andrew
asdfgh
ashley
asshole
austin
baseball
batman
bigdog
biteme
buster
charlie
cheese
chelsea
computer
corvette
cowboy
dallas
daniel
diamond
dragon
football
freedom
fuck
fucker
fuckme
fuckyou
george
ginger
golfer
hammer
harley
heather
hello
hockey
hunter
jennifer
jessica
jordan
joshua
killer
letmein
love
maggie
martin
master
matthew
merlin
michael
michelle
monkey
mustang
nicole
orange
pass
password
patrick
pepper
princess
pussy
qwerty
ranger
richard
robert
secret
sexy
shadow
silver
soccer
sparky
starwars
summer
sunshine
superman
taylor
test
thomas
thunder
tigger
trustno1
william
yankees
yellow

Source: http://www.passwordrandom.com/most-popular-passwords

Let's be safe out there!

:-)