Have You Ever Used a Public Cell Phone Charging Station? If so, read on…

Beware!

Free charging stations are located in many public places such as bus stations, airports, cafes, hotels and conference centers. If you travel frequently, it is very convenient to give your cell phone battery power a quick boost. But connecting to an unknown port has its risks.

In a technique called “video jacking”, hackers rig a USB cord to capture the smartphone’s video output and record everything that appears on the screen.

Plugging your phone into a hacked power strip or charger can open your device to infection and compromise all of your data. Once a port is compromised, there is no limit to what a hacker can steal. Your email, photos, videos, contact information, text messages, bank passwords and PIN numbers will all be vulnerable.

Hackers can find all the tools they need online for just a couple of hundred dollars. They hide their custom electronics in a faux USB charging station. Believing the station is authentic, you connect your phone to what looks like the correct charging cord. Then, while the phone is connected, the “charging station” mirrors your screen and records everything you can see on it; in a matter of minutes, the damage is done. If you have an Android or any HDMI-ready smartphone, you are vulnerable. If you have an iPhone, you’re not safe either.

So, the best advice for those of you who cannot live without your phone?

Security experts advise never to use public outlets — instead, invest in a portable USB battery pack. You can also buy USB cords that don’t have wires to transmit data, thereby preventing a hacker from accessing your phone’s information.

Be prepared. The risk just simply isn’t worth it.

IT Security Cheat-Sheet

All organizations are at risk of a breach in IT security, whether externally (by a party outside the organization’s computer network) or internally (by a person connected to it). Studies show that even small companies are targeted externally, primarily because they are more vulnerable than larger organizations that can dedicate resources to combat external threats.

Organizations take great efforts to secure their data; they have firewalls, spam blockers, anti-malware applications, intrusion detection, etc.  However, the greatest threat comes from within:  End-users often inadvertently introduce malware (via web browsing or email-attachment clicking), which can spread across the network or attack confidential data.

Effective IT security requires a layered approach; it consists of multiple solutions at different points-of-entry and areas of concern.  It must be set up properly, but must also be continually monitored and updated as appropriate.  Security should be periodically reviewed by an IT expert and, if budget permits, tested to ensure that what is expected is what is received.

Effective IT security also requires ongoing training for all users and monitoring and enforcement of usage policies.

For an overview on IT security, I recommend viewing Ivan Dimitrijevic’s 10 Ways to Secure Your Small Business and Prevent Data Breach in The Globe and Mail.

Here is our checklist, organized by security concern:

1.) Computer Network:

  1. Deploy, update, and monitor stand-alone firewall(s) between all external networks (i.e., the Internet) and the organization’s network.
  2. Deploy, update, and monitor an email/spam-protection capability.
  3. Deploy, update, and monitor an event-log management capability.
  4. Deploy, update, and monitor intrusion-prevention/detection capability.
  5. Lock down wireless access points.

The first line-of-defense from external threats is a professional-grade, stand-alone firewall configured to refuse unwanted traffic from external sources while permitting only desirable connections.  It should be supplemented with email/spam protection; either as a Cloud-based service or via an internal appliance.  Event-log management and intrusion prevention/detection are also available either as a service or appliance; both are recommended, but budget versus benefits must be considered.

Enable Service Set Identifier (SSID) for internal-use wireless access points.

2.) Servers, their operating systems, and their applications:

  1. Test and then install all recommended security patches/firmware updates.
  2. Manage operating system and application security-updates continually.
  3. Deploy, update, and monitor anti-malware application on all servers.
  4. Monitor continuously and review periodically for anomalies.

Servers, whether in-house or Cloud-based, contain not only valuable data but also end-user information (usernames, passwords, profiles, etc.) that can be manipulated and used to infiltrate.  Servers, their operating systems, and server-based applications must be aggressively patched, protected through anti-malware, and monitored continuously.

Anomalies in performance and event logs can highlight potential security risks; both should be reviewed periodically.
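As an added illustration (not code from the original post), here is a small Python review of a constructed event-log export for one anomaly a periodic log review should catch: a burst of failed logons against one account from one source, followed by a successful logon from that source. Event IDs 4625 (failed logon) and 4624 (successful logon) are the standard Windows Security ones; the export format, accounts and addresses are constructed for the example.

```python
"""Added example (not from the original post): review a constructed export of
Windows Security events for one anomaly that periodic log review should catch:
a burst of failed logons (Event ID 4625) against one account from one source,
followed by a successful logon (Event ID 4624) from the same source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line: timestamp;event_id;account;source_ip.
# Real 4624/4625 records carry many more fields; only those the check needs are kept.
SAMPLE_LOG = """\
2017-01-09 08:01:12;4624;jsmith;10.0.0.21
2017-01-09 08:03:40;4625;jsmith;10.0.0.21
2017-01-09 08:04:02;4624;jsmith;10.0.0.21
2017-01-09 23:10:01;4625;administrator;203.0.113.55
2017-01-09 23:10:03;4625;administrator;203.0.113.55
2017-01-09 23:10:05;4625;administrator;203.0.113.55
2017-01-09 23:10:07;4625;administrator;203.0.113.55
2017-01-09 23:10:09;4625;administrator;203.0.113.55
2017-01-09 23:10:11;4625;administrator;203.0.113.55
2017-01-09 23:10:14;4624;administrator;203.0.113.55
2017-01-10 09:15:30;4624;kjones;10.0.0.34
"""

FAILED_LOGON = 4625     # Windows Security: "An account failed to log on"
SUCCESS_LOGON = 4624    # Windows Security: "An account was successfully logged on"


def parse_log(text):
    """Parse the export into (time, event_id, account, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(";")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       int(event_id), account, source))
    return sorted(events)


def find_logon_anomalies(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (account, source) pairs with at least `threshold` failed logons within
    `window`, and note whether a successful logon followed the burst."""
    recent_failures = defaultdict(list)     # (account, source) -> failure times in window
    findings = {}                           # (account, source) -> finding
    for when, event_id, account, source in events:
        key = (account, source)
        if event_id == FAILED_LOGON:
            recent = [t for t in recent_failures[key] if when - t <= window] + [when]
            recent_failures[key] = recent
            if len(recent) < threshold:
                continue
            if key not in findings:
                findings[key] = {"account": account, "source": source,
                                 "failures": len(recent), "first": recent[0],
                                 "last": when, "success_after_burst": False}
            else:
                findings[key]["failures"] += 1
                findings[key]["last"] = when
        elif event_id == SUCCESS_LOGON and key in findings:
            # A success shortly after a burst is the case that most needs a look.
            if when - findings[key]["last"] <= window:
                findings[key]["success_after_burst"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_logon_anomalies(parse_log(SAMPLE_LOG)):
        note = "; followed by a SUCCESSFUL logon, investigate" if f["success_after_burst"] else ""
        print(f"{f['account']} from {f['source']}: {f['failures']} failed logons "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}{note}")
```

The single failed attempt by jsmith is not flagged; the six-attempt burst against administrator, capped by a success, is.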

3.) Data:

  1. Identify at-risk data and its location; keep only what you need.
  2. Outsource payment processing to a reliable, third-party partner.
  3. Verify the security of vendors and partners with access to your data.
  4. Where performance permits, encrypt data at-rest and in-motion.
  5. Deploy an encrypted backup solution with onsite and offsite storage.

Company data should be classified as to its value and stored accordingly.  Ideally it is always encrypted, although many organizations might not have the processing power to permit that.

Rather than processing payments onsite, consider one of the many third-party vendors that provide this service; verify a vendor’s security before engaging it.

Data backups should be encrypted and follow the 3-2-1 rule for reliability:

  • Three copies of important data
  • Two different media types
  • One copy offsite

4.) End-user devices, operating systems, and applications:

  1. Manage operating system and application security-updates continually.
  2. Deploy, monitor, and update anti-malware app(s) on all end-user devices.
  3. Test and install security-required firmware updates to end-user devices.

End-user devices are a primary target; they are difficult to secure and change continually.  However, end-user tools also share some blame:  Karen A. Frenkel of CIO Insight writes in “How Malware Bypasses Detection Tools” that 81% of IT professionals believe that web-browser-initiated malware can remain undetected by security tools and that the primary attack vector is an insecure web browser.

End-user devices, their operating systems and their applications must also be aggressively patched, protected through anti-malware, and monitored continuously.

Occasionally, a manufacturer will issue an alert for a security-required update to an end-user device, which should be applied as soon as possible.

5.) Usage:

  1. Lock down user rights to restrict data access to an as-needed basis.
  2. Require complex passwords with forced, periodic changes.
  3. Enforce periodic time-outs when computer is left unattended.
  4. Separate social-media browsing from financial-data handling.
  5. Require two-factor authentication for all online transactions.
  6. Create end-user policy detailing appropriate Internet use.
  7. Create end-user policy on how to protect sensitive data.
  8. Enable web-monitoring capability to enforce policies.
  9. Protect email via encryption (as needed).

Data should be restricted, preferably by need-to-know.  (CryptoLocker can initially attack only the data available to the end-user who introduced this malware.)  Complex passwords with periodic changes can restrict untrusted access, while forced time-outs keep private information from unwanted eyes.

Set up a separate login account or device for access to financial data.  All online financial transactions must use two-factor authentication.

Policies should exist to inform end-users; they can be enforced through web-monitoring solutions.

Sensitive emails should be encrypted (via a service or appliance) while sensitive documents can be transferred via a secure FTP site.

6.) Training:

  1. Define an organization’s best practices for IT security.
  2. Demonstrate how to spot an unwanted ad while browsing.
  3. Train users how to verify a website link (before clicking it).
  4. Show how to verify an email attachment (before opening it).
  5. Train users to check the address of an email’s sender/source.

Data breaches occur due to the inadvertent introduction of malware, sometimes through the failure to comply with policies designed to limit inappropriate behavior, but often through a lack of IT-security knowledge and training.

The more training, the better.  Initial training should be acknowledged by the recipient and then tested for knowledge gained.  Security training should be repeated periodically; preferably at least annually.

7.) Maintain a Written Information Security Plan (WISP):

  1. Assign a responsible person.
  2. Define and announce the WISP.
  3. Review WISP periodically (at least annually).
  4. Document changes to WISP when they occur.
  5. Periodically test, assess, and rework policies and procedures.

The Commonwealth of Massachusetts, under statute 201 CMR 17.00, requires a WISP for all organizations that hold personal information on any Massachusetts resident.  The WISP must be assigned to an Information Security Manager, periodically reviewed, and changes must be documented.  All WISP policies and procedures must be periodically tested, assessed, and reworked as needed to ensure maximum, ongoing protection.

If you would like to improve your 2017 cybersecurity plan, or to inquire about Bryley’s full array of our Managed Cloud Services and Managed IT Services, please contact us at 844.449.8770 or by email at ITExperts@Bryley.com. We’re here for you.

Disruptive Tech Trends for 2017

So, another year departs, obsoleting old technology while ushering in new gadgets and trends. Even though gadgets get the attention, trends set the direction.

A survey of 196 IT professionals [1] revealed these disruptive trends in technology [2]:

  • Predictive IT and Self-service IT
  • Internet of Things (IoT)
  • Artificial intelligence
  • Mobile payments
  • Next-gen WiFi

Predictive IT and Self-service IT

In the IT-support world, things have been transitioning from:

  • Reactive – Your PC’s drive is broken; we are going to fix it now, to
  • Proactive – Based on our remote tooling, it looks like the drive in your PC is starting to fail, which we can replace now before serious damage occurs, to
  • Predictive – Based on historic data of similar drives and on our ongoing analysis of the specific drive in your PC and its expected, long-term behavior, we are going to replace the drive now before it exhibits failing tendencies.

Predictive IT reduces the effort and improves the response of an IT-support team; it allows the team to focus on critical issues, while optimizing the time spent on predictive issues.

The ease of deploying consumer-grade technologies and lower-level Cloud services, combined with service-management platforms with knowledge-based response capabilities (like ConnectWise, a leading Professional Services Automation tool used by Bryley Systems), is leading end-users toward self-service IT.

Self-service IT enables both IT-support teams (by redirecting their time spent on end-user issues toward higher-level IT concerns, like security) and end-users, providing a world where the end-user can support themselves (to some extent).

Internet of Things

IoT is here, and it can be hacked: One of the most-hacked in-home appliances is the Samsung TV, and a recent Denial-of-Service (DoS) attack on DNS providers [3] was perpetrated primarily through unsecured, IoT-based surveillance cameras.

IoT refers to all of the IT-enabled items, both home-based and commercial, that communicate through the Internet, primarily providing end-user access and/or sending data back to a collection point for analysis.

IoT traffic and security are significant concerns: All of those not-so-smart devices (projected at 20B by 2020) constantly sending data can consume bandwidth, while presenting themselves as easy targets to hackers and crackers.

Artificial Intelligence (AI)

Remember HAL? (No, I’m not referring to Bryan Cranston of Malcolm in the Middle.) Back in 1968, 2001: A Space Odyssey was a fairly accurate portrayal of space travel; the HAL 9000’s cognitive ability and self-preservation-at-all-costs behavior seemed extreme, but may become necessary since AI has been bent to the will of hackers, teaming repetitive acts with mindful observation to attack secure sites.

AI forms the basis of Big Data, IoT, and Predictive IT; although disruptive, it will likely remain safe for human beings, with the ability to secure itself (somewhat).

Mobile Payments

Being a cash-carrying/credit-card-wielding, baby-boomer payer, I am not sure I agree with this one, but I do know millennials who always upload gift cards onto their smartphones, using them to expunge their purchasing debts.

Statistics support the supposition that Mobile Payments will endure and prosper:

  • Over 70% of US citizens own a smartphone, and
  • Over 70% of those using a mobile-payment tool are millennials or Gen Xers.

Retailers and urban-area merchants best get ready; if they wish to accept payment from their young clients, they will need to deploy the technology to enable mobile payments, or risk losing them to the competition down the street.

Next-Gen WiFi

Tomorrow’s WiFi ain’t what grandpa uses today; it will be faster, but will also work over greater distances with lower-powered, IoT devices.

The emerging standard is known as WiFi HaLow, based on IEEE 802.11ah. It will double the range, provide greater penetration through obstacles (walls, doors, etc.), and enable power-efficient use.

IEEE 802.11ah also supports machine-to-machine (M2M) markets, permitting direct communication from sensing devices to the applications they serve.

REFERENCES

[1] ComputerWorld, Tech Forecast 2017: Complete survey results.

[2] Beth Stackpole, 5 Disruptive Technologies to track in 2017, ComputerWorld, December 5, 2016.

[3] Jon Gold, DNS provider Dyn hit by DDoS attacks that takes out major sites, ComputerWorld, October 21, 2016.

Data-Backup Guidelines for 2016

Our Data-Backup Guidelines for 2016 discusses backup technologies (like our Cloud-based Backup/Data Recovery service) and includes a helpful Backup-Rotation Calendar and a Backup-Event Log for those with on-premise backup systems.

Consumer PC Price Cuts!

In an effort to bridge the gap between current Windows 8.1 and upcoming Windows 10 (not sure what happened to Windows 9), Microsoft is shepherding a dramatic decrease in the prices of consumer PCs and Windows-based devices.

These price decreases started in October with year-over-year reductions of 10% and falling, particularly for consumer-class PCs; higher-priced, business-class PCs will also be affected. Most are attributed to Microsoft’s decision to fight Chromebooks with a low-cost version of Windows 8.1 with Bing.

The potential consequences:
  • PCs will become even more commoditized
  • Smaller, PC-centric vendors will struggle to survive
  • Prices may drop on popular, after-market, Windows-based software

For details, please see Gregg Keizer’s ComputerWorld article “Drastic price cuts may damage PC industry, jeopardize Microsoft’s hopes for Windows 10”.

What is the business case for Windows-Server virtualization?

Windows-Server virtualization, the deployment of a virtual version of a Windows-Server operating environment, is used to reduce hardware costs, gain efficiencies, and improve the availability of computing resources.  It refers to installing a virtual environment onto one or more “virtualized” hardware servers (termed Physical Hosts) and deploying multiple virtual Windows-Server operating systems (termed Virtual Guests) onto this virtual environment.

In small to medium-sized businesses, we typically see three levels of Windows-Server virtualization with these increasing benefits:

  • Single Physical Host – Cost savings (energy and hardware) with some flexibility
  • Multiple hosts with Storage Area Network (SAN) – Highly available environment with minimal downtime
  • Multiple hosts with Site-to-Site Failover – Disaster recovery to separate location

We review each of these levels below.

Single Physical Host

This virtualization level has these components:

  • Single hardware server with onboard storage – This hardware server is the platform for the Physical Host; it could be an HP ML350/ML370 tower server or equivalent with multiple disk drives.
  • Virtualizing software – The operating environment for virtualization; typically the free versions of either VMware’s vSphere or Microsoft’s Hyper-V.  (These products are available as free downloads from the manufacturer.)  Installing the virtualizing software onto the hardware server creates the Physical Host.
  • Multiple Virtual Guests – The virtual operating systems installed onto the Physical Host; usually one or more instances of Microsoft’s Windows Server.  (These instances must each be licensed copies of Windows Server and any associated, server-based applications.)

This environment consolidates several Windows Server instances onto a single hardware server with sufficient processing capability, Random Access Memory (RAM), and on-board disk storage.  It introduces cost savings in hardware, energy, and support and provides some flexibility in the transfer of a virtualized instance to a new hardware platform (although this transfer is manual and requires a second hardware server).

Some caveats:

  • The hardware server (and its components) is the primary point of failure; if it is down, all of the installed Virtual Guests are unavailable.
  • Ports on the Physical Host are handled differently in a virtual environment; attached backup devices and UPS equipment might need special setup.

Primary business benefits:

  • Less up-front acquisition cost (capital expenditure or CapEx) since a single hardware server can be used rather than two or more hardware servers.  Plus, the virtualizing software at this level is basically free.
  • Less energy required to power a single hardware server than multiple hardware servers; leads to reduced operating expenses (OpEx).
  • Fewer components to support; could lead to lower support costs.
  • Increased flexibility and scalability when migrating to a new hardware server.

This virtualizing environment works well in a business with a couple of Windows Servers that is looking to reduce capital and operating costs.

Multiple Physical Hosts with a Storage Area Network

At this level, we separate the storage (disk-drives) from the Physical Host and move them to a separate Storage Area Network (SAN) [1].  We also add sophisticated virtualizing software capable of automatically managing the location of Virtual Guests.

A major benefit of this approach is termed “high availability”.

High availability refers to “A system design approach and associated service implementation that ensures a prearranged level of operational performance will be met…” (from Wikipedia, under “High availability”).  Basically, if designed properly, this level provides complete redundancy of all critical components within the equipment stack, such that any single component can fail without compromising system reliability.

Improved performance is also likely since the virtualizing software can automatically balance available resources against Virtual Guest needs.

This virtualization level has these primary hardware components:

  • Storage Area Network (SAN), preferably with redundant disk chassis and network switching [2]
  • Two or more Physical Hosts, preferably with N+1 redundancy [3]
  • Two or more VLAN-capable Ethernet switches [4]

Each item is a critical part of the overall design:

  • All data and Virtual Guests reside on the SAN
  • Virtual Guests are balanced among the Physical Hosts
  • Ethernet switches route all the traffic between the SAN and the Physical Hosts

If any item fails, the system fails.  So, each item must be redundant (to increase reliability) and must be properly maintained.

Notes:

[1] Technically, the Storage Area Network consists of disk arrays and the interconnecting fabric, which in the case of an iSCSI SAN is TCP/IP over Ethernet.

[2] The SAN is the data storage; it should have redundant components capable of automatic failover.  A single-chassis SAN (like the HP P2000 series) has redundant controllers and power supplies, but fails if its disk backplane fails; a redundant-chassis SAN (like the HP P4000 series) consists of two or more separate storage arrays.  The chance of a failure in a redundant-chassis SAN affecting all arrays at once is extremely small.

[3] Physical Host N+1 redundancy refers to adding one more Physical Host than required to meet performance standards.  The additional Physical Host permits performance standards to be retained, even if a Physical Host fails.

[4] In addition to providing the SAN connectivity, the Ethernet switches provide redundant network links between the Physical Hosts and the remainder of the network.

Multiple Hosts with Site-to-Site Failover

Our highest level of Windows Server virtualization, Multiple Hosts with Site-to-Site Failover, addresses the issue of a single-site failure: how long does it take to recover to a new location if your primary site fails (as in a building catastrophe such as a long-term power outage, flooding, fire, theft, etc.)?

Like most data-center-uptime strategies, redundancy is the core concept; in this case, a second site is equipped with comparable equipment and the data is synchronized between the primary and secondary site.  Done properly, the secondary site can be brought up either automatically or, when budget is a constraint, within a short interval of an hour or less.

Configuring for automatic failover can be considerably more expensive than allowing a short interval of an hour or less to recover since you essentially need to duplicate the primary site at the remote location, have sufficient bandwidth between the locations to permit real-time replication, and deploy some additional equipment and software to manage the automatic failover.

While automatic failover is feasible, we structure the failover interval (automatic or short) to meet the client’s requirements and budget.

When configuring for a short delay, we use HP ProLiant servers with VMware’s vSphere virtualization platform.  Storage is provided through an HP P4500-series SAN (Storage Area Network), which offers complete redundancy within the SAN (redundant chassis, dual power supplies per chassis, redundant array controllers, and a Network-RAID array to spread the data across the P4500) as well as block-by-block transfer of data to a storage device at one or more remote locations.  (This replication is not real-time; it is based on snapshots taken and copied to the remote location.  These snapshots can be taken no more frequently than every 15 minutes, but this time period often needs to be lengthened to accommodate bandwidth constraints.)

The P4500 is set up at the primary site with a lower-cost HP P2000 deployed at the secondary site(s).  The P4500 is configured to provide synchronization aligned with the circuit bandwidth between sites, allowing the P2000 to retain the same data and configuration without compromising performance.
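To see how the snapshot interval interacts with the circuit bandwidth between sites, here is an added Python model (not code from Bryley Systems, HP or VMware) that replays one day of snapshots over a link and reports whether replication falls behind during the day and catches up by midnight. The hourly write profile, a 20 GB “hot set” of frequently rewritten blocks, 80% usable link efficiency and the candidate intervals are all constructed assumptions, not measurements of any product.

```python
"""Added example, not from the original page: a small model of snapshot-based
replication over the circuit between sites, to check whether a snapshot
interval keeps up with the link or must be lengthened, as the text warns.
The daily write profile, hot-set size, link efficiency and candidate
intervals are all constructed assumptions, not measurements of any product."""
import math

# Constructed write profile: GB written to the replicated volumes in each hour
# of the day (index 0 = midnight). Heavy in business hours, quiet overnight.
HOURLY_WRITES_GB = [1, 1, 1, 1, 1, 1, 2, 4, 8, 10, 10, 10,
                    9, 10, 10, 10, 9, 6, 3, 2, 1, 1, 1, 1]


def gb_per_minute(link_mbps, efficiency=0.8):
    """Usable replication throughput of a circuit in GB per minute.
    Mbps / 8 = MB/s; / 1000 = GB/s; * 60 = per minute; efficiency is an
    assumed allowance for protocol overhead and other traffic on the link."""
    return link_mbps / 8 / 1000 * 60 * efficiency


def unique_changed_gb(writes_gb, hot_set_gb):
    """GB that actually differ between consecutive snapshots. A block rewritten
    several times within one interval is copied once, so the longer the
    interval, the more rewrites coalesce. Assumes random writes over a "hot"
    region of hot_set_gb: expected distinct volume is H * (1 - exp(-W / H))."""
    if writes_gb <= 0:
        return 0.0
    return hot_set_gb * (1 - math.exp(-writes_gb / hot_set_gb))


def simulate_replication(interval_min, link_mbps, hot_set_gb=20.0,
                         hourly_writes=HOURLY_WRITES_GB):
    """Replay one day of snapshots taken every interval_min minutes and copied
    FIFO over the link. Returns the GB sent, the peak backlog waiting to be
    sent, the worst lag (minutes from a snapshot being taken to it being fully
    at the remote site; a lower bound for anything still queued at midnight)
    and whether everything taken before midnight has arrived by midnight."""
    rate = gb_per_minute(link_mbps)
    queue = []                      # [minute_taken, gb_remaining], oldest first
    total = peak = worst_lag = 0.0
    for start in range(0, 24 * 60, interval_min):
        # Spend this interval's link capacity on snapshots already taken.
        capacity = rate * interval_min
        available = capacity
        while queue and available > 0:
            taken, remaining = queue[0]
            if remaining <= available:
                available -= remaining
                done_at = start + (capacity - available) / rate
                worst_lag = max(worst_lag, done_at - taken)
                queue.pop(0)
            else:
                queue[0][1] = remaining - available
                available = 0.0
        # Then take the next snapshot, covering the writes of this interval.
        writes = sum(hourly_writes[(start + m) // 60] for m in range(interval_min)) / 60
        delta = unique_changed_gb(writes, hot_set_gb)
        queue.append([start + interval_min, delta])
        total += delta
        peak = max(peak, sum(remaining for _, remaining in queue))
    pending = queue[:-1]            # the midnight snapshot itself cannot have been sent yet
    for taken, _ in pending:
        worst_lag = max(worst_lag, 24 * 60 - taken)
    return {"total_gb": round(total, 2), "peak_backlog_gb": round(peak, 2),
            "worst_lag_min": round(worst_lag, 1), "cleared_by_midnight": not pending}


def smallest_sustainable_interval(link_mbps, candidates=(15, 30, 60, 120, 240), **kw):
    """First candidate interval (minutes) at which the day's snapshots are all
    copied by midnight, i.e. the link falls behind at most temporarily and
    catches up overnight; None if no candidate is sustainable on this link."""
    for interval in candidates:
        if simulate_replication(interval, link_mbps, **kw)["cleared_by_midnight"]:
            return interval
    return None


if __name__ == "__main__":
    for mbps in (20, 14, 10):
        for interval in (15, 60, 240):
            print(mbps, "Mbps,", interval, "min:", simulate_replication(interval, mbps))
        print("  smallest sustainable interval:", smallest_sustainable_interval(mbps))
```

With these assumptions a 20 Mbps circuit sustains 15-minute snapshots, a 14 Mbps circuit only catches up if the interval is lengthened to two hours, and a 10 Mbps circuit never catches up at any candidate interval; the worst lag tells you how stale the secondary site may be when the primary fails.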

The secondary site(s) would also have HP ProLiant servers and two (or more) VLAN-capable Ethernet switches.  The ProLiant servers run the VMware virtualizing software, but are basically dormant until needed.

When configuring for automatic failover, several items must be adjusted:

  • P4500 SANs must be deployed at the primary and remote site(s) and must be configured in a multi-site cluster
  • VMware vSphere Enterprise or better is required and must be licensed for both the primary and remote (recovery) site(s)
  • Windows Server licensing at the primary site must be duplicated for the recovery site(s)
  • Sufficient bandwidth must exist for real-time disk-writes since this configuration cannot fall behind and catch-up during slack periods
  • Additional VMware utilities and enhanced licensing for applications may be required to enable true automatic failover

For more information, see the Bryley Systems case study on the virtualization of RTA Transit Services, Inc., the company operating the Worcester Regional Transit Authority, at https://www.bryley.com/documents/2012/Bryley%20–%20WRTA%20Case%20Study%20–%202012.pdf.


For more information, please email Info@Bryley.com or call us at 978.562.6077.

Deploying software systems to manage a growing organization

Most organizations use software to manage at least these items:

  • Accounting – Perform vital bookkeeping and accounting functions
  • Contacts – Organize and manage clients, prospects, vendors, etc.
  • Operations – Match assets to organization’s need on a daily basis

In organizations with funding limitations, deployment of a software-based system to manage specific functions often starts as a cost-based decision, which can lead to several miscues along the way since cost is only one of the factors that should guide the decision.

I’d categorize deployment options in this manner:

  • Build your own using all-purpose, brand-name, productivity software
  • Purchase stand-alone applications and manually integrate them
  • Deploy an integrated, all-inclusive system
  • Outsource this mess to someone else

I’ll address the first three options now and provide some feedback on deployment.  Outsourcing is a large topic that will be covered separately.

Build your own

Organizations with a do-it-yourself perspective often turn to the build-your-own approach; you basically use the functionality of productivity software (like Microsoft Office) to create a custom-built solution.  Generally, this works OK to start, but can be difficult to manage and maintain with growth.

Popular productivity-software options include:

  • Microsoft’s Office suite (currently Microsoft Office 2013), which includes:
    • Outlook to manage contacts, calendar, email, and tasks
    • Excel to create proposals and track financial information
    • Access to build and manage contact and production databases
  • Microsoft Office 365, a Cloud-based alternative to the Microsoft Office suite
  • Google Apps for Business, which is a direct competitor to Microsoft Office 365

When Bryley Systems first started in the mid-1980s, we used Lotus 1-2-3 (a then-popular spreadsheet application) as our primary tool for everything financial; it quickly became unwieldy, so we purchased an accounting-software package.

Stand-alone applications

Stand-alone applications target a specific function and provide work-flows and best-practices to address this function through use of the software application.

Stand-alone applications are often categorized by function (as described above):

  • Accounting
  • Contacts
  • Operations

Below is a brief summary of these categories.

Accounting

The accounting system is very important; it automates the various accounting and bookkeeping functions (Accounts Receivable, Accounts Payable, Inventory Control, Payroll, etc.) and provides a shared foundation for other capabilities.

Intuit’s Quicken is easy to use as a checkbook replacement, but QuickBooks is a full-function accounting system that leads this market.  Peachtree is another popular accounting package, but with only a fraction of the market share.  Intacct is making headway in mid-sized businesses.

FindAccountingSoftware.com provides an easy-to-use, online guide at http://findaccountingsoftware.com/software-search/.

Contacts

Contact-management applications permit the input and retrieval of contact information with tracking and communications activities, including scheduling.  (You can manage your contacts within your accounting system, but this becomes less practical as your account base grows.)

ACT was one of the original contact managers and claims to be the market leader.  It is now owned by Sage Software (which also owns Peachtree and other accounting packages) and can be purchased or leased online.

Other popular options include:

  • Salesforce
  • OnContact
  • Prophet

We started with ACT in the early years, but shifted to Prophet in the early 2000s since it integrated with some of our other systems.

For a recent ranking and review, please visit http://contact-management-software-review.toptenreviews.com/.

Operations (both manufacturing and service-delivery)

In a manufacturing environment, a production-management system enhances control over materials flow (from raw materials coming into the organization to finished goods flowing out), production resources (tooling, equipment, and employees), and scheduling.  It is the glue that binds these items together, permitting the company to manage its flow of work.

We often see these packages at our manufacturing clients:

  • Exact Macola
  • Exact JobBOSS
  • GlobalShop Solutions
  • IQMS EnterpriseIQ

Capterra lists many of these options at http://www.capterra.com/production-scheduling-software.

Service-delivery management is a bit more diverse; what works for one type of service operation might not be appropriate for another type.  Typically, these are industry-specific solutions.

For example, we started with BridgeTrak, which is a service-ticketing application with scheduling and limited contact management.  It served well for a number of years, but we found it difficult to integrate with our accounting package (Peachtree at the time) and with other applications.

Stand-alone applications can be deployed internally, but many companies exist to assist with this process. Multi-user versions should have a dedicated, Windows-based server or be Cloud-based.

The lines are blurring between stand-alone applications and integrated, all-inclusive systems, but the primary issues with stand-alone systems remain:

  • They can become separate islands of information
  • They do not readily integrate with one another

Integrated, all-inclusive system

ERP (Enterprise Resource Planning) and PSA (Professional Services Automation) systems integrate all company functions and departments; they provide one repository for all organization data, which is available to all employees.  A related option, Customer Relationship Management (CRM) software, is similar but has less functionality and is often a component of an ERP or a PSA system.

High-end, all-inclusive systems from SAP, Oracle, Epicor, etc. cost hundreds of thousands or even millions to procure and deploy, but integrate every aspect of the organization.  Most large organizations work with one of these vendors and use their software nearly exclusively for all functions.

For mid-sized and smaller companies, there are many accounting-based systems that can be expanded through modules and customization to provide ERP and PSA-class alternatives.  Three of the more-popular options:

  • Microsoft Dynamics/GP (formerly Great Plains)
  • Sage 100 (formerly MAS 90)
  • NetSuite

There are also many software-development firms that focus on a specific, vertical market and provide a complete, market-specific solution.  In the mid-2000s, we chose this direction and purchased a PSA system from ConnectWise which is custom-tailored to our industry.

ConnectWise handles all facets of our business and integrates with our accounting system and with our sales-quoting tool.  All employees are required to enter every scrap of data into ConnectWise; our adopted slogan is “If it is not in ConnectWise, it did not happen”.

We also use QuickBooks, but primarily because it integrates with ConnectWise in a downstream direction.  We create our proposals through QuoteWerks, which integrates with both QuickBooks and with ConnectWise.

The initial investment is significant, but the time spent deploying an integrated, all-inclusive system solution within the organization and training employees can far surpass the cost of the software licensing. It is a demanding process, but it pays big dividends in uniting all functions and groups.

The primary benefits:

  • All functions integrate together
  • The system can usually integrate with other applications
  • All employees use the same interface and share the exact-same information

Deployment

To deploy these packages on-premises (rather than in the Cloud), you would need:

  • Infrastructure hardware – Physical server with reliability items (UPS, RAID, redundant power supplies, backup solution, etc.).  We recommend HP servers, but also support Dell.
  • Infrastructure software – Most business software is compatible with Microsoft Windows Server and Microsoft SQL Server.  Microsoft Exchange Server may be needed for email integration.
  • Infrastructure deployment – Set up the infrastructure hardware and software (listed above), configure the end-user devices (PCs and mobile), etc.
  • Business software – Usually sold in a series of modules with add-ons and licensed to match your user count.
  • Business-software deployment – Usually sold as a project, which includes all of the setup stages needed to get the business software operational and assist in the transition.  A fair amount of process customization is needed; report customization is also part of this stage.  (Most folk select an internal “champion” or a “deployment team” to evangelize, build enthusiasm, watch-over the process, and keep things on-track.)
  • Training – We recommend several, time-spaced sessions followed by occasional tune-ups to allow acclimation and to provide hand-holding for those that will have the most challenges.

Cloud-based deployments eliminate the Infrastructure stages (except setup of client devices) and price the business software in per-user increments; however, customization and training are still needed.  The major incentives to Cloud-based deployments include:

  • Reduce capital expenditures (Infrastructure equipment and software)
  • Shift to operating expenses on a per-user basis
  • Speed up time to deploy

Cloud-based deployments require great trust in the business partner providing these services, but they can free up cash (by eliminating the need to purchase infrastructure) and get you set up more quickly.

Summary

Many cash-strapped organizations start with build-your-own and later morph to one or a combination of the other three options as they grow.  However, deploying an integrated, all-inclusive system provides significant benefits and is now easier to budget and deploy with Cloud-based alternatives that spread costs over time.


For more information, please email Info@Bryley.com or call us at 978.562.6077.

Protect your mobile device

The need to secure newer mobile devices (smartphones, tablets, etc.) has grown since they now meet the basic criteria for malicious, cyberspace-based attack:

  • Developer kits are readily available
  • Mobile devices are in widespread use throughout the world
  • Motivation is increasing since usable/saleable data live on these devices

In addition, BYOD (Bring Your Own Device) has introduced related, security-oriented concerns and complexities:

  • How can we accommodate personal equipment in the workplace, particularly when two-thirds of 20-something workers in a recent survey from research firm Vision Critical state that “they, not the company, should be responsible for the security of devices used for work purposes”?1
  • How do we manage the large variety of mobile devices, many with differing operating systems, processing capabilities, and user interfaces?
  • How do we structure our security offerings to permit broad access to low-risk functions while restricting high-risk activities on a need-to-have basis?

Protecting a smartphone (or tablet) gets easier if you take the perspective of Garin Livingstone, one of our technical staff, who pointed out: “It is just a small computer; all of the same security concerns and rules that apply to PCs also apply to smartphones.”

As described in a recent InformationWeek article2, corporate response from the IT department should consist of these three stages:

  • Set policy for mobile device use
  • Train users
  • Enforce


1. Policies

Mobile-device-use policies should protect company data, while enabling employees to do their jobs efficiently.  The policy should protect, but not inhibit, the use of data from a mobile device; this usually requires the protection of the device itself with a strong focus on what data is available and where it will reside.

Some policy suggestions:

  • Device:
    • Deploy an anti-malware utility set to scan automatically
    • Set continuous updates of operating system and anti-malware utility
    • Encrypt company data (if stored on the device itself)
    • Back up data to a secure site (preferably daily)
  • User:
    • Require passwords and make them complex
    • Set an auto-lock period of five minutes or less
    • Set browsers to high-security mode
  • Remote access:
    • Access data/applications securely via SSL, HTTPS, or VPN technologies
    • Provide virtualized access to data stored at the corporate site


2. Training

Training is an important, early step in any process; informing end-users of the need to secure their mobile devices is critical.  Recommended training topics:

  • Why we need to authenticate and encrypt
  • How to reduce the risk of loss or theft
  • How to safely deploy new applications
  • How to securely back up your data

Authenticate and encrypt

Authentication is the process of confirming that the end-user is authorized to use the mobile device in a prescribed manner.  It is typically handled through a username with a complex password that is changed frequently.  (A complex password requires at least three of four character options – capital letter, lower-case letter, numeric, and special character – with at least eight characters.)

Increasingly, biometrics (fingerprint verification, eye-scans, etc.) are playing a role in authentication.

Sensitive data should be encrypted to make it unreadable if the device is lost or stolen.  (Encryption scrambles the content, making it unreadable to anyone without the capability to decrypt it.)  Authentication is required to decrypt and access the data.
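The device policy suggestions above (complex password, auto-lock of five minutes or less, encryption of company data, anti-malware set to scan automatically, continuous updates) and the complexity rule just given (at least eight characters drawing on at least three of the four character classes) can be written down as a checker that an administrator runs over the settings an MDM agent or a manual audit reports.  The following is an added example written for this article; it is not Bryley's code and not the API of any MDM product named here.  The DeviceState fields, the sample device records, and the choice of Python's punctuation set as the "special character" class are assumptions made for illustration.

```python
"""Check mobile-device settings against the policy suggestions above.

Added example, not code from Bryley or from any MDM vendor.  The DeviceState
fields are an assumed shape for what an MDM agent or a manual audit reports;
the sample devices at the bottom are constructed, not real inventory.
"""
import string
from dataclasses import dataclass
from typing import Dict, List

MIN_PASSWORD_LENGTH = 8        # "at least eight characters"
MIN_CHARACTER_CLASSES = 3      # "at least three of four character options"
MAX_AUTO_LOCK_MINUTES = 5      # "auto-lock period of five minutes or less"


def character_classes(password: str) -> int:
    """Count how many of the four classes appear: upper, lower, digit, special.

    'Special' is taken to mean ASCII punctuation (an assumption; the article
    does not enumerate the special characters it has in mind).
    """
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def is_complex_password(password: str) -> bool:
    """The article's rule: 8+ characters and 3+ of the 4 character classes.

    This would run where the password is set (on the device or at enrollment);
    the inventory check below never handles a plaintext password.
    """
    return (len(password) >= MIN_PASSWORD_LENGTH
            and character_classes(password) >= MIN_CHARACTER_CLASSES)


@dataclass
class DeviceState:
    """Settings snapshot for one device (assumed fields, not a vendor schema)."""
    name: str
    password_set: bool
    password_complex: bool          # agent reports pass/fail, never the password
    auto_lock_minutes: int          # 0 is taken to mean auto-lock disabled
    storage_encrypted: bool
    handles_sensitive_data: bool
    anti_malware_installed: bool
    anti_malware_auto_scan: bool
    os_updates_current: bool


def policy_findings(device: DeviceState) -> List[str]:
    """Return one finding per policy item the device fails; empty means compliant."""
    findings: List[str] = []
    if not device.password_set:
        findings.append("no device password")
    elif not device.password_complex:
        findings.append("password does not meet complexity rule")
    if device.auto_lock_minutes == 0 or device.auto_lock_minutes > MAX_AUTO_LOCK_MINUTES:
        findings.append(f"auto-lock must be {MAX_AUTO_LOCK_MINUTES} minutes or less")
    if device.handles_sensitive_data and not device.storage_encrypted:
        findings.append("company data stored without encryption")
    if not device.anti_malware_installed:
        findings.append("anti-malware utility missing")
    elif not device.anti_malware_auto_scan:
        findings.append("anti-malware not set to scan automatically")
    if not device.os_updates_current:
        findings.append("operating system updates not current")
    return findings


def is_compliant(device: DeviceState) -> bool:
    return not policy_findings(device)


def audit(devices: List[DeviceState]) -> Dict[str, List[str]]:
    """Map each device name to its list of findings for a compliance report."""
    return {d.name: policy_findings(d) for d in devices}


# Constructed sample inventory: one compliant device, two with gaps.
SAMPLE_DEVICES = [
    DeviceState("sales-phone-01", True, True, 5, True, True, True, True, True),
    DeviceState("exec-tablet-02", True, False, 15, False, True, True, False, False),
    DeviceState("loaner-03", False, False, 0, True, False, False, False, True),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DEVICES).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running the block prints one line per sample device; the compliant phone reports OK, the executive tablet lists five gaps, and the unlocked loaner lists three.  Keeping the password rule in its own function lets the same definition be enforced at enrollment while the inventory check only ever sees a pass/fail flag.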

Reduce the risk of loss or theft

Cell phones are easy targets for theft; they can be sold on-the-street and are (still) easily programmed to a new service on a cellular network.

To prevent theft:

  • Be vigilant; know where your cell phone is at all times and keep it close to your body.  (It doesn’t always help:  One of our clients had his cellphone taken right from his hand by a man on a bike on a busy city street; the bicyclist also gave him a kick to discourage pursuit.)
  • Install phone-tracking software
  • Install a physical locking device

Safely deploy new applications

Mobile-device users download applications through app stores installed on the device.  App stores are increasingly targeted areas for malware distribution; only trusted and approved applications should be downloaded and deployed.  (Most app stores have responded by requiring additional security precautions from their customers.)

For company-owned devices, end-users should have specific guidelines on what applications can or cannot be deployed; ideally, an enforcement mechanism would be installed on the mobile device to ensure these policies are followed.  For employee-owned devices, this policy may need to be recommended rather than required.

Securely back up your data

To prevent loss or inadvertent deletion, data stored on a mobile device (pictures, documents, contacts, etc.) should be backed up in an encrypted format to a separate, secure location.

Backups should be required on devices owned by the organization and strongly recommended for individually owned devices.  Backups should be scheduled periodically and verified.

Online, consumer-oriented backup and file-storage applications – spritemobile, DropBox, Mozy, SugarSync – are somewhat restricted by the mobile-device operating system in what types of data they can back up; typically contacts, calendars, tunes, and photos.  Full backups are usually done through tethering (attaching the phone to an external device).

Visit Enterprise Security Policies for Mobile Device Backup and Restore at Dummies.com for an informative article on mobile-device backup.


3. Enforcement

Enforcement is usually assisted through a Mobile Device Management (MDM) tool; typically a software-based application that requires an agent be installed on the mobile device.  Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.

MDM features typically include:

  • Enforce user security policy:
    • Require complex password with frequent changes
    • Permit remote access only via SSL or VPN
    • Lock down browser settings
    • Enable encryption
  • Recover lost or stolen devices:
    • Activate alarm (set off an audible alarm on the device)
    • Enable track and locate (track and locate the device via GPS)
    • Permit remote wipe (complete erasure of the device as a last resort)
  • Control mobile device applications:
    • Recognize and prevent installation of unauthorized applications
    • Permit whitelisting and blacklisting of applications
    • Restrict or block application stores
  • Remotely deploy and configure applications (email, etc.)
  • Audit the mobile device for installed software, configuration, and capacity

ComputerWorld has a comprehensive article on the challenges of MDM.  View it at Mobile device management: Getting started.

MDM Tools

To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool.  Other MDM providers include:

  • AirWatch
  • LabTech
  • MobileIron
  • Symantec
  • Zenprise

While MDM provides a comprehensive tool, it can be costly to procure and support.  Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.

Non-MDM Tools

Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed per user or per device through a Client Access License (CAL).  The Exchange 2010 Standard CAL licenses:

  • Password security policies
  • Encryption required
  • Remote wipe

The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:

  • Allow/disallow Internet browser, consumer email, unsigned installation, etc.
  • Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
  • Allow/block specific applications
  • Per-user journaling
  • Integrated archive

Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).

Main difference between MDM and EAS: Most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.

Other recommended tools include:

  • Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
  • Protect and find phone via key-case fob – Kensington Bungee Air at $79.99

First step suggestions

These are our minimum, first-step suggestions:

  • Deploy anti-malware software immediately and manage it continuously
  • Require password to activate the device with a low auto-lock time
  • Update mobile devices through vendor-approved patching
  • Enable on-board encryption if handling sensitive data

Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.


References:

1. Visit Network World at http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html to review the article “Young employees say BYOD a Right not Privilege” by Ellen Messmer.

2. Please review the May 12, 2012 InformationWeek article “Mobile Security Gaps Abound” at informationweek.com by Michael Finneran.



Outsourcing IT (Information Technology)

When in doubt, source IT out.  It’s a big topic, but there are many ways to save time, effort, and money by outsourcing some or all of your IT functions.

Often, organizations staff IT themselves using one of these techniques:

  • The part-time IT person
  • The full-time IT person
  • The IT team

The part-time IT person

Smaller organizations might assign IT tasks to an existing employee; IT becomes an add-on to that employee’s full-time job.  This arrangement might work well initially, but can create these issues:

  • Insufficient expertise – Your employee does not have enough expertise and makes mistakes that compromise performance, reliability, and/or security.

Not much needs to be said; basic training and certifications are helpful and should be encouraged.  It might help to have an outside look periodically (an IT audit) to see if your employee is heading in the right direction and doing the right things.

  • IT takeover (makeover?) – Your employee becomes enamored with IT and does not spend enough time on their full-time job.

Often the employee spends too much time chasing IT problems; they find the challenges fascinating and spend hours pursuing issues that might be solved faster by asking for help.  (Pride might also play a part.)  This behavior takes them away from their full-time role, which they might not like as much.

It is a fine line: when should one call for help rather than getting it done without engaging anyone else?

  • Skill-set range – IT requires several different skill sets:
    • High-end – Plan strategically, define security requirements, etc.
    • Mid-range – Select and support required applications.
    • Low-end – Change toner in a printer, replace a keyboard, etc.

One employee is required to perform low-level tasks, but is also expected to address high-level functions.  At the mid-level, they own organization-specific applications and provide setup, training, and problem resolution.

It is difficult to find someone who can handle the high-level functions, but is willing to do the mid or low-level tasks; conversely, someone only capable of performing the low-level tasks often cannot support the high-level needs.

Ideally, you would have people for each end of the IT-needs spectrum and all things in-between; realistically, you might consider outsourcing various aspects to supplement the skills of your part-time employee.

  • Management – Who is managing this employee?  How do they know if they are doing things correctly?  How can they be sure that the employee can handle both his/her full-time job and the part-time IT job?

The full-time IT person

Investing in a full-time IT employee is considerably better than counting on a part-time person, but some problems linger:

  • Skill-set range
  • Management

This scenario typically works best if the full-time person is high-end enough to plan strategically, but engages and manages outside assistance to deploy and maintain high-impact items like the network infrastructure.  In this fashion, the skill-set range can be supplemented while direct management is provided.  In addition, this person is always onsite to address critical needs immediately (like showing the CEO how to call-up his/her Facebook page.)

The IT team

An IT team is ideal; you can staff it with individuals who have the appropriate technical skills while providing seasoned management to keep everyone focused and productive.  This manager, who might report to a C-level executive, becomes the interface between the organization’s business requirements and their translation to the technical efforts of the team itself.

An IT team is what you get from most IT-service companies; the good ones know how they fit with their clients and have long-term relationships with these clients.

Questions to ask an IT-service company

When you engage an IT-service company, you should receive an IT team capable of handling most, if not all, of your IT needs.

Some key questions include:

  • Do you offer features and functions that meet the needs of my organization?
  • Can you state your services and their benefits in business-oriented language?
  • Can you demonstrate dependable service at a reasonable cost?
  • Are you certified and trained in the areas you support?

An IT-service company should be a strategic partner, someone capable of guiding your future while supporting your current infrastructure.



Bryley Basics (in 100 words): Mass. enacts sales tax on Computer Services

Massachusetts is now one of the few states collecting sales tax on services; the 6.25% tax targets specific computer system design services as of July 31st.

The legislation was approved July 24th, 2013 with the intent to tax customization services; the relevant, broadly worded phrases:

  • “’Computer system design services’, the planning, consulting or designing of computer systems that integrate hardware, software or communications technologies…”
  • “…modification, integration, enhancement, installation, or configuration of standardized software.”

See Section 48 and Section 49 of Chapter 46 of Massachusetts Session Laws at https://malegislature.gov/Laws/SessionLaws/Acts/2013/Chapter46 for details.

Fortunately, this legislation was followed on July 25th with guidance from the Massachusetts Department of Revenue (DOR) in Technical Information Release (TIR) 13-10, which helped to narrow the discussion with these clarifications:

  • “…generally intending to tax software services that modify, enable, or adapt prewritten software to meet the business or technical requirements of a particular purchaser and to operate on the purchaser’s computer systems…”
  • “…may also be described as customization services with respect to prewritten software.”

TIR 13-10 also provides guidance on sourcing, i.e., which jurisdiction’s tax applies when the provider or consumer occupies multiple tax jurisdictions.  TIR 13-10 is available at http://www.mass.gov/dor/businesses/help-and-resources/legal-library/tirs/tirs-by-years/2013-releases/tir-13-10.html.