Business of IT

Artificial Intelligence – It’s all Toilet Paper

Disclaimer: I am not an AI expert, AI scientist, or developer, so my opinions are solely my own.

According to www.toiletpaperhistory.net (yes, it’s really a site), the first official toilet paper was introduced in China in 1391, but the first mention of using paper dates back to the year 589 AD in Korea.  In Colonial America, the common means was corncobs (ouch).  Then in 1857, Joseph C. Gayetty invented the first packaged toilet paper in the United States.  It’s been pretty much the same ever since.  We may continue to use toilet paper, but we’ve given up the ever so tedious task of pushing buttons on our remote in favor of asking a device to do the chore for us. Insert subtle tie-in to AI here.

According to www.world-information.org, artificial intelligence, the link between human intelligence and machines, was not widely observed until the late 1950s.  For most of us, the term remained in hibernation until much more recently.  The term AI is now in full consciousness, thrown about 24/7 in countless ways.  Most of us now associate AI with retail products in use by millions of people and households.  The best known big players include Amazon Alexa, Google Assistant, Microsoft Cortana, and Apple Siri.  Anyone starting a sentence with “Hey Google...” or trying to trick “Siri” into saying something dirty knows the drill.

AI can be a really good thing, or not.

When surfing the web there are times AI is useful when it makes suggestions for me based on my tendencies, but I find it more on the creepy side when I’m on a website or using social media and an ad suddenly pops up for something I happened upon in the past 5 minutes. 

AI is also used behind the scenes in more nefarious ways.  Bots, or programmatic robots, can create social media posts with specific content targeting a specific audience without any human intervention.  Look no further than the alleged Russian interference in the 2016 election and the Facebook – Cambridge Analytica data scandal.

AI has increased in use and impact exponentially and will continue to do so, some say faster than the exponential improvements achieved in general computer processing, aka Moore’s Law.  AI is being deployed in every aspect of our lives: personal, business, political, social.

Where does AI ultimately lead?

Anyone who has seen the Matrix trilogy knows when machines take over it’s not a good thing.  So how realistic is it really?  The creators of AI tout how it will meaningfully improve people’s lives.  The potential impact in healthcare alone is astounding. Many believe AI has barely begun, and many more believe it has reached major milestones viewed to be decades away.

One of the primary limitations is not AI itself, but access to it.  Anyone in the U.S. now expects to have access to the internet, the primary driver for AI expansion, anywhere, anytime.  Global access, buoyed by improvements in wireless access, has increased significantly in the past 20 years.  Per an International Telecommunication Union* 2017 estimate, internet users worldwide increased from 16% in 2005 to 48% in 2017.  The region with the lowest usage is Africa, which makes sense given the geopolitical nature of the area. But I digress. The point is, internet usage and technology will continue to expand.  Just as the squid-looking sentinels in the Matrix spread in millions to wherever they can reach, I would expect AI to do the same.

What if AI progresses at a pace exceeding anyone’s expectations?

Autonomous cars, drone deliveries, robotic surgery, flying cars, and military strike drones are all here now.  What will the next 20-30 years bring?  If history is any indicator, it will certainly be interesting.  In the last 50 years man set foot on the moon and introduced a smartphone with more computing power than was required for that historic mission.  Looking at my own experience, I need only look to the last 25 years from the time our first daughter was born.  Just in her lifetime we have essentially experienced many of the game-changing technology and AI advancements we use today.  And that’s only what we humble civilians know about.  What about all we don’t know?  I’m not suggesting you run to Area 51, but there is a side we don’t see.  What will happen in the next 25 years?  How will it impact the next generation?

If AI improves and does what it is supposed to do, become super intelligent with autonomy, then as AI continues to learn and enable ‘good’ outcomes there lies an opposing ‘bad’ outcome.  And if AI improves itself exponentially, it’s conceivable there is a tipping point where AI itself becomes the controller and not the controlled.  This is where it gets very interesting and scary.

What happens when AI is smarter than us and becomes frustrated by our decisions and starts making decisions of its own?  Or more likely, AI decisions are misaligned with human decisions. The interconnection of ‘all things’ is being sold to us as a great thing, so much more efficiency and productivity.  But what happens if all those interconnecting ‘things’ start making decisions on their own and collectively?  We humans become a nuisance, slow and inconvenient.  Considering the military aspect of AI, it gets dark pretty quickly.  If one of our enemies develops AI capabilities faster than us (think of the nuclear weapon history), will they not use it for the larger betterment of humanity or use it to strike as quickly as possible?

Humans are in control of the planet because we are the most intelligent. As AI advances towards super intelligence and autonomy, control may shift, requiring more care in using it.  No one really knows the future of AI and its timeline, but it’s certainly worth planning for.

We may have more advanced bidets, but we will still need toilet paper and I’ll still get in my car and have it tell me the best way to get home.

  

Source: "ICT Facts and Figures 2005, 2010, 2017". Telecommunication Development Bureau, International Telecommunication Union (ITU).

Understanding the Cloud

In 2019 you would think the business community would have a good understanding of cloud computing. Reality is much different.  As I speak with business owners, management, and users, the “cloud” is still a nebulous concept more than a solution.  It’s certainly not understood well enough to know how to maximize the value of the cloud based on specific business use cases.  This knowledge gap is a source of business risk as well as lost potential business value.

I’ve written many blogs on cloud computing over the past 5+ years and on “hosted servers and software”, the stepping stone to the cloud, prior to that.  We have learned a great deal during that time, but one constant remains – there is always more to learn because the technology changes so rapidly.

At Fluid, we have a “cloud first” philosophy where any solution kept on premises in the office requires a valid business case; a 180-degree change in philosophy from 7 to 8 years ago.  Today, it’s not just about determining if the cloud is a good fit, it’s about selecting the best type of cloud solution with the most optimal deployment.  This requires a deep technical understanding of cloud solutions, well beyond the glossy sales brochures.  Just keeping up with current technology is a full-time job; add the need to understand new disruptive technologies and how they impact the value proposition and you quickly realize it takes a disciplined commitment and process involving many people with varying skill sets.

The barrage of marketing buzzwords around cloud attempting to clarify things actually adds to the confusion – public cloud, private cloud, hybrid cloud, software-as-a-service, platform-as-a-service, infrastructure-as-a-service, cloud disaster recovery; the list goes on.

To simplify things, let’s look at a few types.  These definitions and descriptions can be scrutinized and argued among vendors, experts and engineers, but that is not the audience.  The ones needing the most help in understanding the cloud are the business buyers and users.

Public Cloud

These are the big ‘logo’ guys: Microsoft Azure, Amazon AWS, Google Cloud, etc.  These companies, as you would expect, have behemoth cloud infrastructures and solutions that literally span the globe.  These are typically shared environments that are highly complex, requiring senior engineers and architects to properly design and deploy.  Their sheer size can provide benefits in cost and deployment with geographical flexibility.  Each has its own rules to abide by.

Private Cloud

These are typically smaller players that have their own cloud infrastructure in smaller geographical areas.  The advantage of private clouds is greater flexibility and control.  Because they aren’t aligned to the major public cloud companies, which are also ‘product’ companies, they have the ability to host solutions that may not be a good fit for the public cloud.  In addition, some companies prefer the private aspect of knowing more about where their information is stored, how it’s managed and, in many cases, that it is more secure.

Hybrid Cloud

The hybrid cloud is just that, a hybrid that utilizes more than one solution.  This can include hosting components in the public cloud and others in the private cloud.  It can also be a mix of hosting some solutions onsite with others in the public or private cloud.  Hybrid cloud solutions are typically very ‘business use case’ specific.  For example, an engineering company with very high processing requirements for CAD drawings may use solutions on premises and back up the data to a private or public cloud.

Software-as-a-service (SaaS) should also be mentioned because a vast majority of companies use SaaS solutions alongside others.  For example, a company using Dropbox for file sharing and hosting accounting systems in Microsoft Azure is using SaaS for Dropbox and public cloud for the accounting system.

Licensing is a beast!

Invariably, when companies evaluate cloud solutions they focus primarily on the core of the solutions: what will run in the cloud, how much processing power do we need, how much storage is required, how can remote users access it easily from anywhere.  What is often glossed over are the software licensing requirements.  Abusing software licensing rules, even unintentionally, is not something to take lightly.  The volume of rules, requirements, and options is literally a wormhole requiring multiple jobs in itself.

Be wary of the sales rep that says licensing is ‘all included’ or ‘nothing to worry about’.  The costs associated with licensing can double the cost of a cloud solution and more if not done properly.  Every software solution has licensing rules and regulations, many of which are specific to usage not just in the cloud but the type of cloud.

We have a half dozen different licensing programs and certifications just to cover Microsoft licensing in the cloud.  Just multiply that by the number of software providers and it’s a book no one wants to read.  But someone must read it and understand how to weave all the various licensing options into the blanket that best covers your business.  Make sure your provider understands licensing and make sure you understand licensing enough to be comfortable your business is properly covered.  “It’s too good to be true” is a cautionary motto to follow.

As I was writing this blog, I received an email from a cloud customer, who is the business owner of a food manufacturing business.  In his email, he forwarded dialog with his ‘local tech provider’ questioning every aspect of the cloud setup, software licensing, etc.  It was clear the customer provided the invoice detail to the tech to be a second set of eyes to confirm he had a good solution, which is never a problem.  Transparency with customers should always be the standard protocol.  Interestingly, every line item the tech questioned and provided feedback on was incorrect.  If the end customer followed this advice they would be woefully non-compliant and given dangerously bad information.  This exchange of information proves the entire point of this blog.  Even technical people providing advice don’t understand the cloud technologies, with dire consequences.

Choosing the wrong provider and partner can be disastrous to the business.

The challenge businesses face today is not whether a cloud solution will be a good fit but finding the expertise to determine the best solutions available to the business and, more importantly, the ability to execute and implement the solutions.  There are hundreds if not thousands of IT companies, managed service providers (MSPs), etc. happy to sell cloud solutions without the in-house knowledge required to design, implement and support the services properly.

The problem is exacerbated because the typical business ‘buyer’ does not have the knowledge to ask the right questions to confirm the ‘seller’ has the skills required to meet business needs.  Migrating to the cloud is not an easy task, regardless of what the sales pitch says.  A vendor skilled in doing migrations will have a defined, disciplined migration process and experience to make the migration as painless as possible.  Every flawless plan has unexpected issues to be addressed.  This is where your vendor earns their keep.  If the vendor doesn’t have migration experience and skills, the wheels can shoot off well beyond frustration and become a major disruption to the business with outages and downtime.

Public cloud is… well, public.  So what?

Microsoft Azure publishes its cloud pricing to the public, as well as a “pricing calculator” to use to estimate potential cloud costs.  Easy, right?!  Think again.  You must know this stuff at so many deep technical levels and layers it will make the most tech savvy run for the hills.  As a Microsoft Cloud Solution Provider (CSP) we have dozens of “portals” we must navigate just to manage our customers’ Azure and Office365 accounts and environments, and we are the experts.  This scenario plays out for the other 800-pound gorillas as well.

Proceed with caution… it’s one thing to sell, quite another to advise, implement and support

What is the real implication?  The cloud has come a long way and continues to improve with better tools, automation, and solutions.  But notice I did not say support.  One major lagging necessity is good (not even great) support from cloud providers.  Every cloud provider will require you to purchase support, even if it’s buried in the pricing.  What they don’t tell you is the quality of the support.  It’s only when you make that initial call for support that you realize it’s going to be a very long day.  Again, this stems from a lack of skills and experience to deliver on both the technical side of the house and customer service.

It is very disheartening to witness how these powerful technologies can improve and enable business only to be poorly understood by those who position themselves as experts to support it.

No one becomes a cloud expert overnight.

We have invested over 10 years of countless hours, millions of dollars, and hundreds of deployments in the cloud.  It wasn’t and isn’t easy to do. It requires a different level of commitment I’m sorry to see many in our business not obligate themselves to.  We owe it to all those we serve not only to understand the technologies, but educate in business terms the value, the many options, and ultimately find the right solution for the situation.  There is an entire segment of business soured on the idea of the cloud because of poor advice, execution, and support.  I only hope with the right partner they can find their way back to today’s possibilities.  Cloud is definitely not a fit for everyone and never will be, but it shouldn’t be swept off the table because we didn’t do our jobs.

Breaking News: IT Can Actually Save Money

Headline: IT Saves Money for Company!

Wouldn’t it be great to see more headlines about the positives of IT rather than all the negative press about cyberattacks, privacy concerns and cost overruns?

If you are a small to mid-sized company, you are probably using one or multiple vendors for IT services and support (i.e. phone system, cable/network, internet, IT guy, etc.).  You may even have an internal “IT guy” or IT staff that works with one or more vendors to deliver IT services.

At Fluid, we state that we will not only provide excellent support services (which should be expected), but also provide valuable strategic IT services to help reduce IT costs, improve productivity, and implement technology that will support overall business objectives.  Unfortunately, companies have received poor support services for so long that they don’t believe there is any way money can be saved and productivity can be improved by working with an IT services partner.  Most businesses are used to the reactive support model, which often does not resolve the root cause of issues.  When a need arises, IT personnel fix the problem as quickly as possible so that users can do their jobs.  But the root of the problem is often ignored, and the same issue will usually occur again.

Go beyond the basic blocking and tackling

Providing quality support/helpdesk services is at the basic level, and any IT services provider should be excellent at it.  But beyond basic support, we see the real value in approaching technology strategically and proactively, and ensuring that the right people are focused on the right things.  Also, properly managing all third-party vendors on behalf of a company requires a balance of the right staff, the right skillset, and most importantly, an in-depth understanding of the business.  We’ve built our MSP business model on the premise of delivering on those promises.

Focus on the whole, not the parts

When working with technology vendors and partners, each one typically only focuses on their piece of the puzzle, never expanding beyond to see how it fits into the rest of the business.  Our approach is the opposite, which results in tangible benefits.  We take over the management of all third-party vendors to ensure that everyone is working towards singular goals that align with the overall business objectives.  Also, most companies don’t want to deal with other vendors, but their IT personnel don’t do it for them either.  I can’t count how many times I’ve heard C-level executives say “I don’t want to waste my time calling ABC vendor. I can’t understand all the technical jargon, and I don’t want to.”

Case Study: Saving money and adding value through strategic management

To understand the possibilities, here is a real business case:

One of our clients recently acquired another company.  As part of the acquisition, there were all the normal integration components, which required areas for optimization. But there were also other critical projects.  The company needed new cabling/wiring for all locations, as well as a new VoIP internet-based phone system, and upgraded internet service.  At each location, cabling, voice and internet service were each provided by a different vendor.

Most companies, in this situation, would allocate a staff member to manage all the vendors. The staff member may have some technical acumen, but not enough to truly know what to look for in order to manage each vendor effectively.

In our client’s case, as in most similar situations, all the vendors were dependent on one another for implementing their services.  The internet service had to be increased to meet the new phone system requirements, and the cabling had to be in place to provide the necessary “ports” or wall jacks for the phone system.  The number of total ports in each location drove the need for new networking equipment.

As they should, our client wanted and expected that all the pieces would be done correctly so that they could walk in the office, and everything would be configured and working correctly.  The challenge is, every piece must be not only done correctly, but also timed in a way to minimize unnecessary ‘dead time’.

As their technology partner, we stepped in to manage all the vendors, and what we found was frightening.  The cable vendor had provided a quote for both locations based on a walkthrough with one of their staff.  They presented a quote that was over $20,000 for the job.  Once we evaluated it more closely, we found an abundance of new cables that were unnecessary.  This was not the fault of the cabling vendor; they were doing what they thought was right, based on what the staff member told them.  The staff member didn’t have the knowledge to understand the technical details and how things would work with the new phone system.

We saved our client over $25,000 on one project

We evaluated the cabling proposal and conducted calls with all other vendors, to ensure that everyone understood their piece and dependency on one another.  After our evaluation and walkthrough at each location, the cabling cost dropped from $20,000 to $6,000, a substantial savings of $14,000 in one-time CAPEX cost.

We took the same approach with the phone vendor and the internet service provider.  Internet service providers (ISP) are always happy to sell you more bandwidth.  Again, like the cabling, the ISP worked with a staff member to determine the bandwidth required.  As before, the staff member lacked the necessary understanding to calculate what would be required.  Working with the phone vendor, we calculated what the maximum bandwidth usage could be. Then, we compared it with the actual usage reports, which allowed us to calculate a more accurate estimate of internet bandwidth needs.

Through our evaluation, we found that the company could start at a lower bandwidth level and confirmed that the bandwidth could be increased very quickly if necessary.  So, rather than buying more bandwidth than needed ‘just in case’, they were able to get what they needed with the ability to increase.  We ended up saving them over $500 a month in OPEX costs – which adds up to $6,000 per year.

We took the same approach with the phone vendor and found the number of handsets was too high, which resulted in additional savings in both one-time CAPEX and monthly OPEX.

Lastly, the additional cable drops and phone system required the purchase of new networking equipment to connect everything properly.  If the initial figures were used from the cabling and voice vendors, the company would have purchased more expensive networking equipment than necessary.  This also resulted in additional savings of over $5,000 in one-time costs.

The total savings were significant – over $25,000 in one-time costs and $1,500 in monthly costs

By working with and managing all vendors, we were able to help our client save a substantial amount, while also ensuring that each vendor would implement the right solution and do it correctly.  For a small to mid-sized business, spending money on technology can cause a major strain on finances.  Without our involvement and management, the company would have spent money it didn’t really have on solutions that would have been excessive and completely unnecessary.

Your Managed Services Provider can and should save you money and improve productivity

I’m sure other MSPs say they offer strategic services and can save you money, but we’ve found that the reality is very different.  Unfortunately, most MSPs don’t have the staff or skills required to manage all third-party vendors effectively.  Anyone can say they can do it, but can they prove it with actual numbers?

Destination Unknown – Cybersecurity without a defined objective is a path to disaster

Vacation time!

Let’s start this cybersecurity discussion by taking a little vacation – or at least pretend to take a vacation. Before going on vacation, people usually plan for the trip ahead of time.

Scenario 1: Planning for a vacation.

When planning a vacation, most people take the following steps:

  1. Determine the budget.

  2. Choose the destination.

  3. Decide when to go on vacation (busy season, hot, cold, vacation days available at work, etc.).

  4. Decide where to stay (choose hotel, condo, Airbnb, etc.).

  5. Choose mode of transportation (plane, car, boat, etc.).

  6. Book flights, rent car, plan your driving route, etc. 

  7. Book babysitter, dog sitter, house sitter, etc.

  8. Plan activities while on vacation.

  9. Begin the journey to the destination.

  10. Arrive at the destination.

  11. Have fun!

All the above has a cost element to be considered, which can cause the vacation plans to change.  Ideally, a budget would be created at the beginning of the process to help with planning the vacation and determining what is and is not doable. Although a budget should be the first step in the planning process, people oftentimes choose a desired destination, and then adjust the budget accordingly.

Another important step when planning a vacation is to do enough research to make informed decisions and properly budget for each part of the plan, especially if traveling to a new destination. People will often turn to friends and/or family for suggestions and input when planning a vacation, but friends and family may not be able to give the best advice. For example, how could they recommend a hotel if they’ve never been to the destination?

Therefore, it’s also important to utilize outside resources for information and contact experts who are able to provide information on destinations, price, pros and cons, hotels, activities, etc. The hard part is knowing who to trust. Some “experts” are more concerned with selling certain products or services even if they may not be the best option. So, it’s usually a good idea to gather information from various people and resources before making informed decisions.

Cybersecurity Time!

If the same logic is applied to businesses when choosing cybersecurity solutions, it reveals a dangerous tendency. 

Scenario 2: Choosing and implementing the best solution and level of cybersecurity

When planning for cybersecurity implementation, business leaders should take several steps:

  1. Determine the budget.

  2. Choose the level of security needed for the business.

  3. Analyze each security element to understand what it does and doesn’t do.

  4. Based on the analysis, determine the priority and order for implementing each element.

  5. Determine who will be responsible for assessing the solution options.

  6. Decide when to begin implementing the security solutions.

  7. Decide who will be involved in the implementation process.

  8. Plan the implementation process and any impact to the business (downtime, users, etc.).

  9. Ensure all relevant parties have been informed, then begin implementation.

  10. Implement the solution and test (sometimes in phases or using pilot groups).

  11. Complete implementation and make the necessary adjustments.

  12. Conduct a post-review of the project to determine areas for future improvement.

Planning a Vacation vs. Planning Cybersecurity Implementation

While planning a vacation can be challenging, it is exponentially more difficult to plan and implement cybersecurity. 

When planning a trip, people usually have some sense of what the budget should be or at least know what they can and cannot spend.  Most businesses don’t even have a budget for cybersecurity, so there’s no starting point.  In fact, most companies don’t even have an IT budget, so they certainly don’t have a security budget.

While understanding the purpose for each part of a trip, the reason for it, and pros and cons is relatively easy, understanding the different levels of cybersecurity is not easy at all. Due to the technical nature and the complexity of cybersecurity, it’s difficult to educate CEOs (buyers) on the different levels of cybersecurity. Translating technology and then articulating the risk/value can be extremely challenging.

Also, like the “experts” people may consult when planning a vacation, many “cybersecurity experts” try to sell solutions to businesses that may not be the appropriate solutions and/or security level. In addition, many IT professionals don’t know how to implement or even determine the best security solutions.

Start with Communication

CEOs and C-level executives:

  • Cybersecurity is extremely complex, so it’s always wise to consult with multiple experts during the planning and implementation process.

  • When in doubt, ask: If you need more clarification, ask questions until you understand. Ask your IT resources to use analogies or imagery to help you understand.

  • Stay as involved as you possibly can before, during and after the implementation process.  

If you are an IT professional:

  • Before drowning the CEO with cybersecurity jargon, find a way to communicate and educate in terms that the management team can understand: Like the “vacation scenario”, try using analogies, imagery, etc. to explain technology.

  • Don’t be afraid to seek advice from external resources and/or other IT professionals. Technology is complex, and constantly evolving. So, it’s impossible to have all the answers.

Effective and consistent communication is imperative for businesses to appropriately address technology and cybersecurity risks. 

The following provides ways to help overcome this challenge in order to effectively plan and implement cybersecurity:

Define, Determine and Decide

As the diagram below illustrates, there are various levels of cybersecurity.

Step 1. Define and understand each level.

  • Because it includes technical jargon, this diagram may need to be explained in a way that business management and users can understand.

Step 2. Determine what level of security the company currently has.

  • None, Basic, Advanced or Comprehensive

Step 3. Decide on which security level to target during implementation.

  • Keep in mind that it takes time and money for a company to start from “None” and move directly to “Advanced”.  So, when trying to decide on a level, remember 80% of all security incidents are due to employees. When in doubt, start with solutions that will address employee driven risks for prevention – AV, training, email ATP. 

SecurityLevels.png

Step 4. Implement, monitor and communicate

  • Once the desired level is agreed upon, begin implementation and continue to monitor and communicate the current state of risk as the company progresses towards the desired cybersecurity level.

  • Using a simple diagram, like the one below, is a helpful tool to use when explaining the progress of implementation to management.

This diagram illustrates an example of an organization that has a “Yellow risk level” while also showing what has been completed and what has not.

SecurityStatus.png

Step 5. Update management on an ongoing basis

  • Once a communication method is in place, it’s important to update management on the cybersecurity status on an ongoing basis. 

The diagram below is another example of a helpful communication tool to use when explaining the cybersecurity status to management.

SecurityCommunication.png

Embrace the journey!

Effective cybersecurity management never ends. Therefore, if security solutions and levels are not proactively monitored, the risk level can move from Yellow to Green and then back down to Red.  Firewall failure, equipment beyond end-of-life, anti-virus expiration, etc. can cause immediate changes in risk levels.

Cybersecurity is about continuously mitigating risk and keeping businesses from going out of business.  But, in order to successfully mitigate risk, a disconnect between management and IT cannot exist. The IT industry continues to struggle with effective communication – especially when it comes to cybersecurity. Because of this, over 58% of all cyberattacks target small to mid-sized businesses and over 60% of businesses that are hit with a cyberattack go out of business.

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. It’s time for the technology industry to stop the insanity of ineffective and/or complete lack of communication with business owners and executives about cybersecurity. 

It’s important to take a step back to understand the ‘why’, then work on the ‘what’.  Create a communication method that works for the business, then begin to focus on the ‘how’ and ‘when’ to take the appropriate action.

 

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure?  How do you know if you’re doing the right things at the right time?  The whole topic of cybersecurity is overwhelming and there’s not anything “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

Despite all the statistics that point to the fact that businesses, without the proper security measures, will likely suffer from a cyberattack, cyber threats are still being viewed as scary, but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. But unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from being able to even enter the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer.  While some of the topics are technical in nature, the questions are driven from a focus on the business itself.

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget that is reviewed annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can your employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

Low Risk: 0-10 Moderate Risk: 15-25 High Risk: 30-50 Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!

If you didn’t score a 10 or below, then getting to the green (low risk) range won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters. So, don’t pretend they don’t exist and hope that nothing bad will happen. At Fluid, we understand the process can be overwhelming. Even determining the priority of what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity. So, please feel free to reach out to us for help. Don’t wait until it’s too late!

Recession Obsession

If you’ve been alive 10 years, you’ve been through a recession – the Great Recession actually.  If you’ve been alive 20 years, you’ve been through two recessions.  30 years on the planet will give you…you guessed it, three recessions.  Although recessions do seem to be cyclical, they don’t always happen every 10 years. Over the last 50 years, there have been 7 recessions.

Gas Lines and Baby Food Jars

The ramifications of a recession also change over time. Being 53 years old, I recall my grandparents saving every coffee can, baby food jar, and plastic container to repurpose and use for storing things throughout the house.  As products of the Great Depression, they were raised to literally save everything.  I can also distinctly recall having to wait in long lines for gas during the recession in the 1970’s.  My father and I would park the car in line at the gas station and go to the nearby strip mall to kill time for two hours while we waited for the line to move.

Although not a recession, I recall Black Monday in 1987 when the stock market dropped over 22%.  I was working at a financial planning firm at the time and that was not a good day, and not just because it was Monday.

Dot Bomb Bubble Burst

In the early 2000’s, the dot com bubble burst, and turned into the dot “bomb”.  It seemed like anyone with a web-based idea was given millions of dollars in funding without having to show any profits (a scenario which still occurs today).  eToys.com, Webvan.com, Pets.com, and many more were all wiped out almost overnight.

Most recently, we can all recall, if not relate, to the Great Recession that occurred in 2007-2009 when the housing bubble burst due to the subprime mortgage crisis.  The term “government bailout” became a major thorn, and the nemesis for many household brands.  Many are still recovering from this economic meltdown. However, the prosperity over the past 10 years has dulled some of the sting.

But, some are now warning us that the great run we have enjoyed may be slowing down, and we’re potentially headed for a recession.  Search Google for “Recession 2019” and you’ll find blue-chip names discussing the very likely possibility that a recession is looming.

Before it's too late!

I have owned a technology company, Fluid IT Services, for the past 17 years, and we felt the impact of the 2007 recession – but in an interesting way.  We provide IT solutions and support for small to mid-sized businesses, and the cost of our services is typically less than the cost of one full-time employee. Although we lost the clients who unfortunately went out of business, we gained new clients who needed to cut costs and couldn’t afford full-time IT staff.

We certainly had to cut costs ourselves and manage everything more tightly, but we were okay because our risks were spread sufficiently, and we provide a service that is “recession friendly”.  We continued to grow as the economy improved, but always with a keen eye on our market segment and the economy as a whole.

As the economic signs, signals, metrics, statistics, etc. started showing a downturn, we’ve used it as an opportunity to get our business in order.  It’s much easier to evaluate all your people, processes and technology-related costs, and make sure that your business is operating as efficiently as possible, before things go south.

Every company has and uses technology (IT) constantly. Most companies today wouldn’t be able to function without IT.  But, when times are good, costs related to IT (and other business functions) may not be closely monitored because sales and revenue can cure many ills.  However, it’s best to ensure your IT house is in order before the times get tough and budgets get tight.

Start by asking questions

An analysis of your current IT spend at a detailed level may be as exciting as watching paint dry, but it’s crucial when dollars tighten. IT cost analysis can also be difficult. Even knowing which items to include when analyzing your IT spend can be confusing. I’ve found that it’s easiest to start by asking questions…

  1. What are my costs for internet, phones, software subscriptions, IT support, computers, etc.?
  2. What hardware needs to be replaced soon? How much will it cost to replace?
  3. What costs can be reduced or eliminated?
  4. What costs are a bare minimum to keep the lights on?
  5. When was the last time I evaluated all my contracts related to technology and what are the terms? Being locked into an expensive 5-year contract at the beginning of a downturn is no fun.

Good news...

We can help! At Fluid, we help companies analyze their IT costs almost daily. So, we already know where most of the IT costs are found, where the skeletons are buried, what is reasonable, and what is outrageous.  As a provider of outsourced IT services for small to medium businesses, we have to know these costs because we’re responsible for managing them in order to be a good steward with our clients’ hard-earned money spent on IT.

We also take it one step further by using a more proactive and strategic approach to IT. We will hope for the best, but also help you plan for the worst by discussing current and future business needs, goals and “what if” scenarios. Once we have this information, we can provide guidance on ways to cut IT costs and suggest solutions that will generate revenue, and specifically align with each client’s business plan.

Don’t be afraid to say you don’t know and bring in experts to help you understand your costs.  It will reap rewards now and help you sleep better when economic conditions do change.  Feel free to call Fluid IT, we love this stuff!  Our main objective is to help people with their businesses and see IT in action!

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.

The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line!  It’s time to punch it across the goal line!”
Colleague: “Got it!  You can count on me!”

A week later…

Me: “So that project was completed, right?”
Colleague: “No, I’m still working on it.  I need to add some more detail.”
Me: “What!  I thought I told you and we agreed this needed to be done asap!? Like yesterday.”
Colleague: “Oh, I’m sorry.  You didn’t tell me it was urgent.”
Me: “I did tell you it was urgent.  Remember ‘the one-yard line’, ‘the goal line’?”
Colleague: “Yeah I kind of recall something like that.”
Me: “Then why didn’t you get it done??”
Colleague: “Why are you yelling at me?  I have no idea what you meant.”
Me: “Why didn’t you ask?”

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity

Articles are published every day stating how businesses aren’t taking cybersecurity seriously enough only to be completely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show that many business owners rely on their insurance policy to save them instead of protecting their assets proactively.  I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

There is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation

In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant.  I can keep showing business owners all the statistics. But, most of them still don’t properly plan for or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach.  But what is ransomware?  What is a breach?  What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

When Is The Right Time To Hire A CIO Who Can Take Your Small To Mid-Sized Business To The Next Level?

A CIO (Chief Information Officer) can provide a great deal of value to any business — large or small. They not only help set technology standards, but they help the company keep an eye on the future. Smaller businesses often struggle to support this position, however, because they often operate on tighter budgets. The role is frequently divided up among many members of the executive team.

Before you lump CIO responsibilities onto other members of your team, consider outsourcing the role.

What Is A CIO, and Do I Need One?

CIOs are generally found in large or enterprise companies, specifically those with over 250 employees. This executive level role helps ensure that any selected technology is able to move the company forward. The CIO is also forward looking, keeping an eye on which new technologies might benefit the company.

A CIO is:

  • Dedicated to extracting maximum value from implemented technologies
  • Strategically focused rather than tactical
  • Constantly learning about the latest technologies that can provide value

Small to mid-size companies usually do not have a CIO position. When a CIO is not present, responsibilities are usually piled onto an IT Manager, Director or even shared across several managers. But for more complex use of technology or when technology implementation becomes large or far-reaching, these quasi-roles can break down.

IT managers are usually tactically focused. They may have some focus on strategy but day-to-day tasks can distract from having a purely strategic focus. A CIO will not have such distractions.

In businesses that have distributed software via cloud services or SaaS, knowing where everything is located and which data is coming to and from the company is important for the integrity of security and privacy. Especially for any company that must be HIPAA compliant (to name only one type of compliance), ensuring compliance of complex systems is critical. This is where a CIO can play an important role.

"In addition to handling issues as they've come up, Fluid has done a great job of getting out in front of things and consulting with us. They let us know when we need to start thinking about upgrades or capacity increases -- letting us know what's on the horizon for the technology of our company. When we've had issues, they've been very good about thinking out of the box and really being an outsourced CIO."

The CIO's Role in Driving Business Growth

To drive business growth, the CIO’s role shouldn’t be isolated to IT. Instead, the CIO should be integrated into overall business strategy discussions. Even better if the CIO steps up and becomes actively involved in helping shape the overall business strategy. Having the CIO report directly and regularly to the CEO rather than IT support groups can build trust with other C-level members. The result is a more cohesive business strategy and greater potential for the business.

What many businesses don’t realize, however, is that the CIO doesn’t have to be in-house in order to drive the business forward. Partnering with an IT provider who puts business first can be a way to get the benefit of having a CIO without adding to company headcount.

Looking To Bridge the Gap?

Your company may not yet require (or be able to afford) a CIO on-staff. And many IT providers have limitations when it comes to overall business strategy. Finding the right provider who has both IT expertise and business focus can solve a lot of problems for small to mid-sized businesses or larger companies that can’t yet budget for a CIO position. If you’re ready to work with a team that can move your IT from break/fix support to business driver, don’t hesitate to contact us here at Fluid IT Services.

What Should You Do When Your Data Is Held for Ransom?

You come into work on a typical Monday morning… and find something devastating. One of your machines was infected with the Crypto virus, which then spread to your main servers.

All of your files are locked.

But it gets worse.

The virus owner is demanding you pay a ransom – or lose your files forever.

Does that sound like the plot of a modern action movie? Well, sadly, it’s not. It happens to businesses every day. In fact, it happened to some of our IT support clients.

Lessons From a Near Death Experience

“It was a near death experience for us. One more day being down and we would literally have been out of business.”

This statement may seem dramatic, but it is actually a quote from one of our long-time IT support clients. And it was all too true. Due to several missteps by their cloud provider, the Crypto virus caused 7 days of downtime.

This was no mom-and-pop shop, either. This was a 50+ employee company with multiple locations brought to a standstill due to this horrible virus.

No business wants to be in this situation. Most businesses couldn’t survive a full week of being completely down. So you might be asking, What can I do to avoid getting a virus?

First, let’s set the record straight. It is a myth that you can secure your business so tightly that you never get a computer virus. Even with the best firewalls, anti-virus software, intrusion protection, Internet filtering and policies in place, your system may still get infected at some point. Why? Because…

  1. Virus protection is a cat-and-mouse game. New viruses are created and released every minute, and antivirus software must be updated to contend with each one.
  2. People are only human. Human error is the number one reason companies get infected. Well-meaning employees click on the wrong thing while surfing the web or reading emails, or they open infected attachments.
  3. Many hackers are diabolically smart. Many viruses are cleverly disguised to look safe and legitimate. That infected email might have a very real-looking logo from a major company. That attachment might look like a resume PDF – one you’ve actually been expecting – only to reveal itself as a virus once you open it.

So what’s a business to do? Beyond the IT team doing all they can to protect the business against viruses, the most important deterrent is user education.

Do all of your users really know what not to click on and what not to open? Do they know what telltale virus clues to look for? Hackers are getting more clever and sophisticated, so this education has to become even more of a priority today. Many users are so busy, they quickly open and click just to move on with their day. But taking those extra few seconds to assess before they click might mean the difference between life and death for your business.

Your Business EMTs: The Response Team

Once a virus is found, the company must move quickly into an organized response process. This should include a designated and well-trained response team that can jump right into action. Whether that team is made up of internal IT people or a third-party IT support vendor, identifying this team before a virus hits is critical.

In the past week alone, we have seen 5 clients’ systems become infected with dangerous viruses. Most of them were infected with some form of Crypto virus, which locks you out of your files (encrypts them) and tells you to pay a ransom to regain access. If you don’t pay the ransom within the “kidnapper’s” timeframe, your files will remain locked forever.

So if you are hit with a Crypto virus, what steps should you take?

  1. Inform your IT staff so they can begin the response process and investigate the severity of the infection.
  2. Every virus comes with a “payload.” This is what really does the damage to your systems. If the payload has not been activated, your IT team may be able to remove the virus without any damage.
  3. If the payload has been activated with a Crypto virus, this means you will be unable to access your files – and you must choose one of these two options:
    a. Determine when the payload was activated and restore clean files from a backup prior to that date and time.
    b. Pay the ransom and hope the hacker will unlock your files.

Choosing 3a or 3b is a business decision – not a technical one. Because of the financial implication (in money and downtime) in paying a ransom for data, only the business leadership can make this call. To make that call wisely, though, they need the best information their IT team can provide.

To Pay or Not to Pay

Just this week alone we have seen both cases: paying ransom and restoring from a backup. In all cases the clients were able to get their data back and get back to business, but only after several days of costly downtime.

But let me be very clear: paying the ransom is no guarantee. In that case, you are trusting the hacker (the person who infected your system in the first place!) to keep up their end of the bargain.

Because no one can guarantee paying the ransom will work – or work long-term — many companies choose to restore their data from backups. This can be a relatively easy endeavor, or one that is very painful. Success depends on knowing these key pieces of information before restoring from a backup:

  1. Do you know when the last date/time your data was clean, and do you have backups from that date and prior?
  2. Is the good data backup prior to the virus still viable? For example, if the last known good backup was 30 days ago, that data may be so old that restoring it would be useless.
  3. Are the backups complete server container backups or only file backups? This is VERY important. Server container backups may be restored with the underlying server software, software application and data all at one time, which only takes hours. File-level backups require manually rebuilding the servers, configuring them, loading the software, configuring it and finally loading the files — which can take days.
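One way to answer these three questions from a backup catalog, as an added example that is not part of the original post or Fluid's own tooling: given the last time the data was known clean, it shortlists the newest verified backup of each type with the work that would be lost, whether that exceeds an age limit, and whether servers must be rebuilt first. The backup names, timestamps, the `verified` flag and the 14-day limit are all constructed for illustration.

```python
"""Added example: shortlist restore points after a ransomware infection.

All backup names, timestamps and the age limit are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

KINDS = ("container", "file")  # full server image vs. files only


@dataclass(frozen=True)
class Backup:
    name: str
    taken_at: datetime
    kind: str        # one of KINDS
    verified: bool   # assumption: a test restore or integrity check passed

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"unknown backup kind: {self.kind!r}")


@dataclass(frozen=True)
class RestoreOption:
    backup: Backup
    data_loss: timedelta     # work done between the backup and last_clean
    stale: bool              # data_loss exceeds what the business accepts
    rebuild_required: bool   # file-level: rebuild and configure servers first


def restore_options(catalog, last_clean, max_age):
    """Return the newest usable backup of each kind, least data loss first.

    A backup is usable only if it was verified and taken at or before
    last_clean; anything later may already contain encrypted files.
    """
    options = []
    for kind in KINDS:
        usable = [b for b in catalog
                  if b.kind == kind and b.verified and b.taken_at <= last_clean]
        if not usable:
            continue
        newest = max(usable, key=lambda b: b.taken_at)
        loss = last_clean - newest.taken_at
        options.append(
            RestoreOption(newest, loss, loss > max_age, kind == "file"))
    return sorted(options, key=lambda o: o.data_loss)


# Constructed catalog for illustration only.
CATALOG = [
    Backup("monthly-image-0201", datetime(2024, 2, 1, 2, 0), "container", True),
    Backup("weekly-image-0303", datetime(2024, 3, 3, 2, 0), "container", True),
    Backup("weekly-image-0310", datetime(2024, 3, 10, 2, 0), "container", False),
    Backup("nightly-files-0310", datetime(2024, 3, 10, 1, 0), "file", True),
    Backup("nightly-files-0311", datetime(2024, 3, 11, 1, 0), "file", True),
]
LAST_CLEAN = datetime(2024, 3, 10, 14, 30)  # constructed last known-clean time
MAX_AGE = timedelta(days=14)                # constructed business tolerance

if __name__ == "__main__":
    for opt in restore_options(CATALOG, LAST_CLEAN, MAX_AGE):
        path = ("rebuild servers, then restore files" if opt.rebuild_required
                else "restore whole server image")
        flag = " (STALE)" if opt.stale else ""
        print(f"{opt.backup.name}: loses {opt.data_loss}{flag}; {path}")
```

With this sample data the newer file-level backup loses less work but needs the servers rebuilt by hand, while the older container backup restores as a whole image, which is the trade-off the third question is about.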

In the nightmare case of the business that was down for over seven days, critical events happened that worsened the situation. First, the Crypto virus response timeframe had lapsed, so paying the ransom was no longer an option. But second — and worst of all — the backups the cloud provider had were not server container backups (which the vendor had promised they would be), but file-level backups only.

This last problem forced us to work with the cloud provider to restore the file backups. To do this, we had to figure out the last day the data was clean. Only then could we figure out where to start. However, before actually restoring the files, we also had to do the following.

  • Rebuild the virtual servers
  • Load and configure Windows Server
  • Load and configure the software applications (e.g. QuickBooks)
  • Restore files to each server
  • Reset the printer settings, file sharing settings, and user settings

If the cloud provider had done their part right, this would have taken 2 days. But unfortunately they made mistakes at almost every step, creating a lot of rework for everyone. The end result was that it took over 7 full days and over 130 hours from our team to help them get it right.

Do the math. That’s 7 days x 24 hours = 168 hours of downtime. That shows you just how intense (and expensive) getting a virus can be.

What You Should Do Right Now to Protect Your Business

In the Fluid cloud, our proprietary cloud solution, our backups have multiple layers and always include server container backups. In this same situation we would have had them back online in less than 24 hours.

No one wants a computer virus, and certainly no business wants to be down a day — much less a week. Here are some steps you can take with your business to be more proactive, so you can better avoid viruses and be more prepared to respond if you do get hit:

  1. Educate your management and users on the importance of information security. Provide them with simple tip-sheets of dos and don’ts, and follow it up with face-to-face training.
  2. Ensure your IT department or provider has the right type of data backups — and that those backups are current.
  3. Define and confirm who is on your response team and what their process is. This way they are ready to respond in a calm and methodical fashion if and when a virus infects your systems.
  4. Most importantly, be prepared. Regardless of all the precautions and preparations, you still may get infected at some point.

If you have not done ALL of the above, you are at serious risk of getting a computer virus, and of business downtime. Contact us at Fluid IT Services and we will be glad to help fill the gaps!

Reinventing Law Practice with the Cloud

When Len Musgrove started his own law practice, IT was just another frustration and expense. He was all ears when Wade Yeaman said, “The cloud would be an easier, more cost-effective solution.”