Tuesday, November 28, 2017

IoT - "Internet of Things" Basics for Small Business

OK. You've heard the term IoT or Internet of Things. First, what the heck is that? And second, why do you care?

This is yet another example of technology industries making things more complicated than they need to be. Basically, the Internet of Things is just a generic term for all the "stuff" that you use that's connected to some network. Here are some examples you might have in your home or office:

- Your wireless-connected television

- LED light bulbs you control with your phone or Alexa

- Your "smart" thermostat

- Your wireless front doorbell/video monitor

- Your baby monitor

- The tracking chip you put in your luggage

- The digital camera that sends photos to your computer or the cloud

- The door lock you control with your phone

- Everything connected to Alexa, Amazon Echo, Google Assistant, Siri, etc.

- Remote controlled window shades, coffee makers, washing machines, vacuums, and more

So now the question is, what do you need to know about all that stuff? Luckily, you only need to know a few things. But you need to take those few things very seriously. Here's the sad truth:

The Internet of Things is Insecure by Default

What does that mean? Well, the average household will soon have a dozen IoT devices. But in just a few years it will have hundreds. And across the country there are currently hundreds of billions of devices. Soon it will be hundreds of trillions.

Most of these devices ship with a default password that you are not required to change upon setup. And, not surprisingly, the username is often "admin" and the password is often the same. In other words, anyone can guess the passwords to millions of devices at a time.

There has rarely been a better opportunity for hackers to break into insecure networks!

Fortunately, it is EASY to secure your network. Having said that, you might want to get some help to do this right. Here's what I recommend:

Step One - Change Passwords!

This seems obvious. But we've already seen major attacks. Hackers use these devices to create massive denial of service attacks. Less common are attempts to break into secured networks. But if these devices are using default settings, they could be used to monitor network traffic - including your username and password.

The easiest first step: Change Your Password. This is literally like not leaving your car keys in the ignition.

Step Two - Create a Separate Network

You might think this is expensive, but it's not. First, consider what you just spent on devices. If you're buying thermostat and lighting systems for several thousand dollars, you should spend a few hundred to keep them secure.

Consider three networks:


NOTE: This is just a sample network "map." There are many options. A network professional can help you set up something different. For example, you might add a secure "segment" off of the business firewall. Ask a professional to look at your network and desired outcome.

I hope your business network is properly protected with a business-class firewall. Your wireless network (at business or home) should also have a firewall. This does not mean the Internet router. That might technically have a firewall, but it's not intended to replace a real firewall.

And if you have a wireless network, I hope it is properly secured.

I am recommending that you create a third network (or network segment) to isolate all your IoT devices. That way, no matter what happens with door locks, cameras, TVs, thermostats, etc., your business is absolutely secure.

You've seen all the ransomware attacks in the last year. Essentially, all of these attacks take place by finding microscopic holes in networks. Unpatched software and operating systems provide these holes. Remember: the Internet of Things is inherently insecure. It's basically a network of holes!

Keep that away from your business network.

Step Three - Document It!

One of the greatest weaknesses of technology today is that it is "easy" to get things working. Yes, you might spend a few hours fiddling with it. You might call tech support. But eventually, you get it going.

And then you start using it and forget one critical step: Documentation.

It's important that you file away all the paperwork for your network-connected devices where you can find it. And it's even more important that you write down configuration settings. This starts with usernames and passwords. But it should also include a network map (diagram) and any important settings that make the system work.
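The three steps above can be turned into a check that is re-run whenever a device is added. The script below is an added example, not part of the original post: it reads a documented device list (Step Three) and flags devices still on a default password (Step One) or sitting on the wrong network (Step Two). The three subnets, the device names and the field names are all constructed for illustration.

```python
import ipaddress

# Constructed segment plan (assumption): three networks, as in the sample map.
SEGMENTS = {
    "business": ipaddress.ip_network("192.168.10.0/24"),
    "wireless": ipaddress.ip_network("192.168.20.0/24"),
    "iot": ipaddress.ip_network("192.168.30.0/24"),
}

# Constructed inventory (assumption). Only a "password_changed" flag is kept
# here; the passwords themselves stay in the protected written documentation.
INVENTORY = [
    {"name": "front-doorbell", "kind": "iot", "ip": "192.168.30.11",
     "password_changed": True},
    {"name": "thermostat", "kind": "iot", "ip": "192.168.10.40",
     "password_changed": False},
    {"name": "office-pc", "kind": "business", "ip": "192.168.10.5",
     "password_changed": True},
    {"name": "baby-monitor", "kind": "iot", "ip": "10.0.0.9",
     "password_changed": True},
]


def segment_of(ip):
    """Return the name of the documented segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for name, network in SEGMENTS.items():
        if addr in network:
            return name
    return None


def audit(inventory):
    """Return a list of (device name, finding) tuples, in inventory order."""
    findings = []
    for dev in inventory:
        try:
            seg = segment_of(dev["ip"])
        except ValueError:
            findings.append((dev["name"], "BAD_ADDRESS"))
            continue
        if seg is None:
            # The device is on a network that is not on the documented map.
            findings.append((dev["name"], "UNDOCUMENTED_NETWORK"))
        elif (dev["kind"] == "iot") != (seg == "iot"):
            # IoT gear outside the IoT segment, or business gear inside it.
            findings.append((dev["name"], "WRONG_SEGMENT"))
        if not dev["password_changed"]:
            findings.append((dev["name"], "DEFAULT_PASSWORD"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```
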

Ask a Pro

As always, I encourage you to get help from a professional. Yes, you might be able to make it "work" at some level. But you may create a slow network that could be much faster. Or you might accidentally bypass the secure firewall and expose your network. In the end, a professional will help you get the most out of your IoT devices . . . without putting your secure data at risk.

And, no, I'm not available to help you. You can't afford me.

But if you're looking for someone, drop me an email and I might be able to help you find someone in your city.


Wednesday, May 3, 2017

Questions You Need to Ask About Your Cloud Storage and Backups

"The Cloud" is a wonderful concept. You buy technology services as needed and they promise essentially zero downtime. Unfortunately, you have to be a lot more vigilant about keeping track of your data. In the old days, with a server, your company data was in that box in the other room. You might need to hire someone to make it useful, but at least you knew where it was: In that box in the other room.

The good news about cloud services is very good. Your data can be far more secure than on your own server. And if you get the right service, it can have zero downtime. The bad news about cloud services is that you need to make sure you've got the right setup. You cannot assume it's safe, secure, or even backed up.

Let's look at the basic challenges and what you need to know.

1. Where is your data? This question has two components. First, where is your data supposed to be? And second, where is it that it's not supposed to be?

If you have your data stored in the cloud, keeping track of it is simple - but you have to do it! At some point, this knowledge becomes a "black box" of information. You might not understand it if I tell you that you are accessing data on Amazon Web Services via Jungledisk and backed up to a storage archive on Azure. But you should have a document that describes this setup - with administrative information, user names, and passwords.

This document should be prepared by your technology consultant and stored in a very safe place. If your data is in the cloud and you don't have the information to retrieve it if something happens to your I.T. professional, your business could be in very deep trouble.

The second concern is equally important: Are you sure your data isn't being spread all over the place? I see too many businesses that let employees email company information to their home email, or put a bunch of it up on a "free" DropBox account.

In addition to DropBox, there are hundreds (maybe thousands) of sites that will give you free storage space. Generally speaking, if these sites are free, they are insecure and make no promises to keep your data safe. They certainly don't back it up.

This is a problem because you might have employees and contractors using ten different free accounts, plus non-company email, etc. Lots of your secure information could be spread across several insecure sites. And while secure cloud services are more secure than your personal server, insecure cloud sites are extremely insecure.

Controlling this data flow can be accomplished (to some degree) by blocking these services with your firewall. Some can be stopped by attaching additional security to individual files. But for the most part, you will be most effective in stopping this leakage by creating a written policy and educating your employees.

2. How are your data backed up?

Strangely enough, most people assume that everything in the Cloud is redundant and backed up. This is absolutely not true. If you want your email backed up, you need to make arrangements for that. If you want your files backed up, you need to make arrangements for that. If you want a "disaster recovery" option that gets you back in business super fast, you need to make arrangements for that.

It is extremely rare for these backup services to be ON by default. Why? That's easy: It costs money to provide these services. Therefore, it costs you extra money to have the services.

You may decide you don't want a backup. Or there may be a variety of backup options at different price points. But you should ASK and you should decide on what you want. As with the storage services themselves, your I.T. Pro should provide you with documentation, including user names and passwords.

You may not know how to access a backup, restore lost email, or rebuild your storage. But a competent I.T. person will be able to do all those things -- IF they know where the backup is and have credentials to get in.

You Have to Play A Role

I always find it odd when I hear a business owner tell me that they lost control of their domain name and are not sure what to do. If you lost control of your domain name, that really means you never had control. Your domain name was not being "managed" by you or anyone else. And then it expired and it's just gone.

We are entering an era in which I expect to hear similar stories about companies losing all their data - Not because of a disaster, but because no one wrote down where it was or how it was managed. The data will live in the cloud forever after you forget where it is. But you'll never be able to access it.

As with so many things in technology, security ultimately comes down to good documentation. Your I.T. Professional should help you with this and give you a high level of confidence that your data is safe . . . and you can get it back if you need it.

Action Steps:

1. Ask your I.T. Professional to create a description of where your data are located, including all information needed to back it up and gain access to it. You don't personally have to understand all of this, but it should be in a form that other I.T. Pros will understand.

2. Create a written policy for your employees and contractors that defines where your data should be and should not be stored. In most cases, you will want to explicitly prohibit the use of free services and personal storage areas on the Internet.


Friday, April 21, 2017

Do You Need a Private Browsing Tool to Keep Your Data Safe from Your ISP?

Do you need to worry about the recent government decision to allow your ISP to sell your browsing history? Maybe. Just remember to keep it in perspective.

First, consider the data that might be sold. There are two very different types. The first is personal data. This links you personally to the internet browsing you do. For example, you visited the following ten sites today and went to these specific pages. Or you Googled a certain product or service.

The second kind of data is "meta" data. That's aggregated data divided by demographics. Males over fifty in your neighborhood tend to go to certain sites and shop for specific things.

Note: Lots of your browsing is already tracked by Google, Facebook, YouTube, and many other sites. Have you ever shopped for something on Amazon and then immediately started seeing related ads on Facebook? That's because your browsing has instantly been sold in what are called "remarketing" campaigns.

That's a little creepy, but most of us are not too worried about it.

Search engines have been blasting you with advertising since the earliest days of the Internet. And they've been selling both personalized and meta data in addition to that. Now your ISP (Internet service provider) wants to do the same thing.

Many people are upset that this is just another place where all your information can be stored and therefore stolen. That's not much of a legitimate concern in this case, however. This data will all be related to Internet browsing habits and NOT personal data such as birthday, address, and Social Security Number.

What Can You Do (without being a techie)?

Option One: Nothing. We're not talking about truly personal data here. This is really just one more kind of company selling detailed browsing information. If you haven't got a good anti-virus, spam filter, and backup, please take care of those first. If you still want to "anonymize" your browsing, read on.

Option Two: Use a "VPN" Product. PC Magazine put together a review of VPN (virtual private network) or Private browsing tools recently. Check it out at http://www.pcmag.com/article2/0,2817,2403388,00.asp. That page has information on nine different products.

One very odd note: Several of these products have a "free" option and advertising. This makes no sense to me whatsoever. If you get the free option with ads, all you've really done is pay a company to use your meta data to serve you ads instead of letting the ISP serve you ads.

Free never is. So don't choose that option.

You probably have to be a little technical to install a VPN product, configure it, and use it. For most of these products, you have to enable it when you want it - you are not automatically protected just because you installed it!

Best Option: Get Professional Advice. Talk to your technology consultant and see what they recommend. If you've picked a product, have them figure it out and show you how to configure and use it. They may not have seen it before, but a good I.T. consultant will be able to figure it out quickly. And they'll know what all those crazy security acronyms mean.

Good Luck!


Monday, February 27, 2017

Protect Yourself Before Your Phone is Lost or Stolen

We take lots of technology for granted today. And one major piece of technology we just "assume will be there" is our smartphone. We use it for email, texting, Facebook, SnapChat, fetching a ride, settling an argument, playing games, and a hundred other things. It contains all of our contacts and LOTS of really important photos.

So it can be unnerving when our phone is lost. There are really three kinds of "lost."

First there's misplaced. It's really between the seat cushions or you left it in the car. But for the moment it's lost. We're not going to discuss this kind of lost.

Second there's broken. A broken phone is a sad thing because you can hold it in your hand and know all your data is there somewhere. You just can't get it. The obvious first thought is to find someone who can retrieve your data. When that happens, it almost doesn't matter what it costs.

Finally, there's gone. A phone is gone when it's stolen, dropped down a canyon, etc. In other words, you know for a fact you'll never see it again. But in this case, someone else might find that phone. With your contacts, your pictures, your banking app, and all your other data. If you've connected it to work data, then they might have access to that as well.

Here are some tips for protecting yourself and your phone.

1. Back it up!

As far as I know, every phone and every cell service provider has a way to back up your data. Use that tool! Don't delay. Don't forget. Don't make excuses about why you're not doing it. Do it.

If you want a better tool, or you want help doing this, contact your technology consultant. They tend to have really good options for backup and data recovery. After all, the one that comes free with the phone is free for a reason.

2. Document it.

This seems like overkill - until your phone is lost or stolen. Just as you should have a list of all the cards in your wallet so you can report them missing, you should have a list of all the accounts accessed by your phone without a password. If you save passwords, someone might be able to use your phone to access your bank accounts, PayPal, company email, and lots of other stuff. Take inventory. If you lose your phone, you'll be in a high stress situation and you probably won't remember all the accounts accessible from that phone.

3. Brick it.

Any good technology consultant can help you set up a system to "brick" your phone. Some call it a "remote wipe" of the phone. Basically, it means they can push a button and delete all the data on the phone. Yes, your pictures are gone forever, but so is your unencrypted password list, your company email, and all the other secure information on that phone.

Sometimes, remote wipe capability is already built into your email service. For example, this is often enabled if you have a hosted Microsoft Exchange mailbox. If nothing else, have a conversation with your technology consultant and see what you have and what you can get.

4. Manage it.

Many technology consultants offer something called Mobile Device Management. They may be able to track your phone, verify that it is protected from viruses, back it up every day, and perform a remote wipe if necessary. This is usually a super cheap option.

The bottom line: You never have to panic if your phone dies, or is lost or stolen. With a little preparation, you can feel confident that all your pictures and data are safe, and that your bank accounts and company emails are safe as well. Yes, it's still a hassle. But it's a lot LESS of a hassle if you take a few extra steps.

Think of these things as a type of "insurance" for the data on your phone.

Ask your technology consultant what you already have and what they recommend going forward.


Tuesday, February 14, 2017

Electricity is Your Friend - Until It's Not

One of the best things your computer consultant can do for your business is to protect your power. Here's what you need to know.

First: Assess the reliability of your power. If your power goes out on a regular basis, you are probably very aware of it. Luckily, that's not a common scenario. But "brown outs" and power fluctuations can go unnoticed by people. Unfortunately, they don't go unnoticed by electronic equipment (computers, network equipment, printers, etc.).

A "smart" battery backup (UPS or Uninterruptible Power Supply) will have a readout so you can see the measurement of electricity moving into your building and the amount being used by whatever's plugged into the UPS. With the right software (normally included for free), you can track voltage spikes and sags.

If electronic equipment doesn't last as long as you expect it to, it might be because the power to your building is irregular. And that may be easily fixed! It might be the line from the utility company that needs to be fixed.

Some areas just never have sustainably reliable power. That makes having a UPS a requirement.

But even if you have the most reliable power, a UPS is still a good idea.

So the first thing you should do is to assess the reliability of your power. The second is to verify that all of your important equipment is plugged into a working UPS.

There are two pieces to that puzzle: 1) You need a UPS. 2) It should be working.

Too many people buy equipment and then assume it will work forever. It won't. The most reliable thing a UPS will do is provide surge protection. That means it will protect you from electrical spikes that can come any time, even with the most reliable power from your utility.

The second thing a UPS does is to provide actual "conditioned" power. That means that the power supplied to your electronic equipment is stable. There are no spikes or sags that can blow out the electronics. The UPS does this in part through its circuitry and in part because of the third thing it provides: a battery.

Electricity flows into the UPS and charges the battery. The electricity might spike up and down, but the system reliably charges the battery. Power flowing out of the UPS flows through the battery. So the output is always consistent. Even if the electricity from your utility goes out altogether, the UPS continues to power equipment from the battery. Nice and even and reliable.

. . . Unless the battery's dead. If the battery can no longer hold a charge, then you basically have a very heavy surge protector.

UPS batteries normally last about three years. You can always test one by plugging in a piece of equipment (I recommend a lamp, not a computer) and unplugging the UPS. If the equipment goes out immediately, your battery needs to be replaced. Your computer consultant will probably be able to order one, unless the battery is super old.

If you have a "smart" UPS, you should be able to get a readout that tells you how many minutes your UPS will stay up when the power goes out. This readout is notoriously wrong. A stress test will tell you the correct answer. With a stress test, you unplug the UPS and watch how long it actually takes for the battery to die. Your consultant can do this safely without causing problems with your computers.

What Should be Plugged Into a UPS?

You want to plug "electronics" into a UPS. That means computers, servers, network equipment, phone systems, and all the things that have those annoying plugs with rectangular boxes on one end or the other. Generally speaking, those things all have circuits inside that can be fried.

Here's a list in descending order of importance (From my point of view. Your IT guy may put these in a different order.):

- Your Server
- Desktop and laptop computers
- Monitors
- Storage arrays, NAS, SAN
- Switches
- Router
- Firewall
- Phone system
- Voice mail system
- Wireless access points
- Scanners
- Other network connected equipment such as backup device, spam filter, etc.
- Specialty equipment
- Televisions
- Stereo/music systems

And here's a list of things that should NOT be plugged into a UPS. These things generally draw a lot of electricity, are less fragile, and can damage your UPS:

- Heaters
- Fans
- Anything with a motor (e.g., electronic desk controls)
- Printers (unless you have a specialty UPS designed for this)
- Large all-in-one business machines
- Refrigerators
- Lamps
- Electric staplers
- Power tools, including battery chargers

One time we had a large client (about 75 users) who had all kinds of stuff plugged into the UPSs, so we went through the office and put green electrical tape on the end of any cord that COULD be plugged into a UPS. If we ever found anything else plugged in, we were authorized to unplug it and work with the employee to find a safe place to plug it in.

A few notes to remember:

1) A power strip is not a surge protector unless it says it's a surge protector

2) A surge protector is not a UPS (battery backup). When the electricity goes out, it's dead.

3) A good, brand name UPS can save you thousands of dollars. But they need to be maintained. Batteries need to be replaced. And they need to be tested from time to time.

This Costs Money

I get very frustrated with business owners who think they can buy something once and never put money into it again. You can't do that with anything in your life or business. Stuff gets old. It wears out.

UPSs for every desktop cost a little money now. Consider a good UPS to be a three-year insurance policy for electrical problems. Depending on what you buy, that might be $100-$150 per desktop. For that you get uninterrupted work, no electrical spikes, and protection for unforeseen electrical problems. Plus you don't have to buy a new PC or monitor for that workstation due to electrical problems.

It's rare to have a major electric problem. But they happen to SOMEONE every day. If you lost every piece of computer equipment in your office right now, how disruptive and expensive would that be?

Talk to your computer consultant about tuning up your UPSs today.