Category: information security

Posted on

Small Business IT Governance: You really need it now

it-balancing-actBig changes are going on in the world of information technology and business.  Where social computing and  mobility are no longer purely consumer concerns, enterprise IT departments face a growing requirement to embrace user devices and access in environments which were once strictly and closely controlled.  Enterprise IT may be challenged when presented with user personal devices and demands for remote access to enterprise data, yet the governance of systems is generally well-defined and strictly performed.  In small business, however, the people, policy and process issues (collectively incorporated into “governance”) tend to be more organic, and the use of personal devices and open access is more frequently considered to be a normal part of the overall business IT profile.

It is a focus on defining controls and processes, and influencing the activities and attitudes of the people involved, which has become an essential requirement in small business.  Where management of information technology resources was not of great concern to the small business owner before, increased device and information mobility (removal of physical boundaries) and erosion of logical boundaries around personal and business computing have become a really big deal for everyone in business. Small businesses just don’t often have departments of people working on the problem.

Technology use in business has always come at a price, and as various influences continue to change how users interact with devices, applications and systems, business owners and IT managers will continue to face difficult choices between balancing security of information resources and providing a productivity-enhancing user experience.   Too many security barriers result in avoidance of security protocols, slow or immobile company computers result in users working on their own machines and portables, and restricting access for mobile users results in “shadow IT” implementations of mobile sync and other data access approaches.

Yet “shadow IT” tends to be the norm with many small businesses, where there are often fewer barriers to implementing solutions which address individual user issues or problems.  Lacking the resources or understanding to develop a strong plan for managing information systems and technology within the business, small business owners often consider the computer systems and computerized data to be tools to get jobs done rather than strategically valuable assets to be strictly controlled and protected.  These business owners are not recognizing the ever-increasing need to not simply secure business information, but to establish processes and rules which will govern how users and devices access and interact with the information and systems.

Enterprise IT departments have often viewed their small business counterparts (customers, suppliers, etc.) as potential points of vulnerability, an attitude which was once considered to be centered not on real assessments of the risk but more in terms of ego, level of sophistication, and hierarchy in the food chain.  In today’s world of real risk introduced by myriad technological and human elements in every link in the supply chain, enterprise IT conclusions regarding the risk potential of doing business with anyone – including small businesses – may not be entirely unfounded.  Whether it be commentary and information distributed by individuals via social media or malware or corruption introduced inadvertently (or not) via computerized interaction, there is the possibility of risk introduced with every system, person and process involved.  Enterprise to enterprise, these issues may be more often recognized and remediated; where the SMB is involved, not always so much.

This is a brave new world of computing, and there is truth in that even the smallest of businesses can “compete with the big guys” when the right mixture of technology and process is applied – for good or bad.  Technology enables businesses to be more productive, get more done with fewer resources and perform at higher levels. IT Governance in small business is no longer an optional area of focus, addressed only during infrequent discussions with the local contract IT guy when he comes in to defrag the hard drive on a slow computer.  Establishing the proper processes and controls to wrap around IT use in the business has become an imperative; a necessarily specific and considerate approach to how information technology is used within the business, who uses it, and what IT is composed of.

Just about every business, and most individuals, are connected in some manner via some type of network, representing a dramatic and dynamic change to the traditional composition of business IT and the landscape of vulnerabilities which threaten it.  The increased connectedness, capability and complexity of systems and networks requires a greater focus on overall IT governance – exercising authority and controls – as the impact (just like the information) can easily and unintentionally reach far beyond the boundaries of the individual business.

jmbunnyfeetMake Sense?

J

“People are nothing more than another operating system”, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute.  “Computers store, process and transfer information, and people store, process and transfer information,”  How Hackers Fool Your Employees

Posted on

Turning a Product or Service into a Solution: the Value Add of a Reseller

Turning a Product or Service into a Solution: the Value Add of a Reseller

There is quite a bit of chatter on the web and among IT resellers about how opportunities to serve business customers are diminishing, yet business adoption of cloud computing, managed services, and mobile technologies is growing tremendously.  It seems that use of technology is increasing, but the opportunity for “traditional” IT resellers and channel partners to make money by selling IT-related products and services is diminishing.  This is not new, and is simply a finer form of the problem that has been revealing itself for years.  In order to provide value, suppliers must provide businesses with solutions to business problems rather than just trying to sell them products and services with a hefty profit margin.

Whether it is a physical item like a computer or an intangible item like consulting services, businesses will buy if they see value in it.  In the eyes of the consumer, the value is likely tied to far more than the item at hand; the value tracks to some expectation of business benefit to be achieved now and in the future.  Businesses will pay for solutions to problems they experience more readily than they will pay for shiny things or big ideas, and it is this truth that many “value added” resellers tend to forget even though it is part of their business description.

For many years channel resellers have struggled with competitive elements that reduce revenue and profit potential on core products and services.  When computer hardware prices dropped years ago and businesses found that going through distribution or direct to the manufacturer was often a more affordable path than buying through a reseller, the resellers re-trenched and began providing more value in terms of solution architecture, training and implementation support, and system management services.  As the delivery chain for information technology continues to compress and more products and services are delivered direct-to-consumer, the pressure for resellers to discover their “value add” grows even more severe.

The days of simply reselling technology products to make a living are quickly coming to an end. There isn’t enough profit margin available to eek out a living just selling hardware and software, and it takes a large volume of subscribing customers to reach any significant revenue level by reselling commoditized cloud services. Yet the customers are there to be won if the offerings represent solutions to defined and recognized business problems – solutions that introduce quantifiable business benefit rather than creating more business problems – and where the reseller plays an integral part in making the selection a successful one for the customer.

While it may seem that business cloud computing, hosting services and SaaS solutions all come with easy-to-read instructions, do-it-yourself installation and painless upkeep, the truth is often very different. Some consumers realize this when they go shopping for solutions and come up with more questions than answers; some only figure it out after they have made the wrong decision. Either way, these businesses could use the help of a professional who will provide the added value of taking time to understand the problem to be solved, consider the variables which exist in the client organization, and clear a path which takes the customer business to a better place.

Cloud computing and SaaS may be changing HOW businesses purchase and use technology, but it is not changing WHY they do it.  Businesses buy IT because they think it will solve a problem – they have expectations. The reseller can find and provide the added value: the reasoning (meeting expectation) for selecting the solution, why it is the right choice for the customer organization, and how they will ensure that the solution delivers the benefits described and expected.

Joanie Mann Bunny FeetMake Sense?

J

Read  more about Helping a Small Business Customer Choose Your Solution

Posted on

The Business Cloud: Hype versus Reality

The Business Cloud: Hype versus Reality

There is no doubt that cloud and mobile computing models are driving technology adoption as well as changing the landscape of how consumers and businesses purchase and use IT.  Accompanying any great shift – which in this case is fueled not simply by cloud technologies but by social computing – are the purveyors of propaganda and hype.  Cloud computing and social media won’t make you popular, is not always safe or free, and it doesn’t whiten your teeth. What it can do is help businesses increase agility, collect and use information better and reduce the cost of change. There are many benefits to be achieved with cloud computing models, yet many providers continue to play on the hype rather taking the more difficult road of communicating how their solution actually solves real business problems.

Gartner research tracks this type of activity, producing reports offering assessments of the “maturity, business benefit and future direction of over 1,900 technologies”.  In the Gartner 2011 Hype Cycle Special Report, entries were grouped into 76 different “Hype Cycles”, revealing the similar patterns of “over-enthusiasm, disillusionment, and eventual realism” that comes with every new technology or innovation.  Hoping to provide guidance business IT decision makers, the report intends to inform businesses about when they should consider adopting technologies or IT models in order maximize the value of the approach.

Yet the market is bursting with definitions for “cloud computing”, and services providers offer their wares with varying levels of service and capability.  It’s really difficult to compare one private cloud solution to another, as they are all seemingly offering the same value proposition described in the same language – and none of it really describing what the solution is, how the business takes the greatest advantage of it, and what disruption can be expected along the way. Layer on top of that confusion a big heap of expectation, and the belief that cloud computing technologies are somehow different from “real” on-premise systems in that they are not subject to the same potential for breakage, failure, or unexpected cost.

elastic-2

For example, even though Amazon may use the term “elastic”, cloud computing does not automatically create a stretchy and eternally-dynamic resource that can grow without end.   There are still limitations and costs associated with growth.

There is also a great deal of hype around applications and their performance in cloud environments.  When a piece of software is poorly designed and crashes frequently on a local computer or network, it is just as likely that the application will perform poorly in the cloud. It’s simply a reality of software that even great products that are designed to run exactly the way they are being run don’t have a guarantee that nothing will ever go wrong. With cloud computing models, however, there may be a service provider working in the background to manage the systems and keep things running.  You simply might not notice the failures and hiccups as much, but they are still there.

And not all cloud services mean everyone is sharing servers and infrastructure.  While the term cloud generally applies to multiple scaled systems, it doesn’t mean that everyone shares everything and benefits from tremendous levels of redundancy and fault tolerance. In most cases, a solution described as a “private” cloud means that the service has been customized for the unique needs of the organization, and that there are resources of certain types allocated exclusively to the use of that customer. On the other hand, a private cloud may mean that the system elements are all contained within the business infrastructure, providing “cloud” type of services but being delivered from company resources.  There are a wide variety of ways to describe these configurations and approaches, and quite a bit of inconsistency in use of terminology.

The best thing for a business owner to do now is to just ignore the term “cloud” and simply consider how the business might leverage resources from service providers to gain more IT capability at reduced costs, and how outsourcing certain technology needs allows a greater focus on internal innovation and improvement.  Centralized management, improved security, disaster recovery, and increased mobility are all benefits to be realized with the right business cloud implementation.  Just because it is to be an outsourced solution does not mean that the business organization should not still architect and understand the solution they will depend on.  If this level of participation and understanding is not in place, the solution is unlikely to deliver the resulting benefits expected and hoped for.

Outsourced IT service, remote access and server-based computing aren’t new concepts.  It still requires using common sense and reasoning when considering any change in business technology and the innovative application of IT in a business – this cannot be outsourced.  When it comes to cloud computing… to put it bluntly, just avoid the hype and stay away from unrealistic marketing and sales messaging.  If it sounds too good to be true… it probably is.  Technology hasn’t come that far.

Joanie Mann Bunny FeetMake Sense?

J

Posted on

Migrating Business Data to the Cloud

Migrating Business Data to the Cloud

When businesses elect to have their desktop applications hosted in the cloud with a hosting service provider, they are also electing to have their data hosted with the provider.  This point is not always obvious to non-technical users and those unfamiliar with the hosted application concept.  Many business owners have adopted an online or hosted application solution and then realized after-the-fact that their data was no longer present on their computer.  At least, no current data was present, and it was quite a surprise the day they wanted some information but could not get it because they were not connected to the Internet at the time.  An important thing to remember, and the essential factor in measuring risk associated with use of cloud services and hosted solutions, is that adopting online applications in almost any form means that the data associated with (and possibly even data remotely associated with) the application will also migrate to the cloud.

mobile cloud data

Migrating on-premises servers – and the applications and data residing on them – to the cloud makes sense for many businesses.  Particularly as network and internet threats increase in number and as system vulnerabilities are more frequently introduced with remote and mobile access technologies, cloud solutions can significantly assist a business in mitigating the risks of being connected.  Yet business owners and IT managers must be diligent in terms of understanding the measures their service providers take to protect and preserve as confidential the customer’s business data.  And it becomes more than essential that any and all tools or services implemented be part of a strictly controlled information management and data protection plan.

Where applications are simply interfaces and logic; the value for a business is in the data used by the applications – data containing information about the company, how and with whom it does business, and how it makes money.  It is critical that the business consider how and where users need access to applications and data, so that any cloud deployment does not wind up hindering productivity rather than facilitating it to a greater level.  It is when the user becomes disenfranchised, unable to perform their work due to lack of access to information or tools, that “shadow IT” deployments appear, and data sharing solutions are introduced outside of the governance of management or IT.

The vast number of offerings for hosting applications and managing business data in the cloud makes finding and implementing the right business solutions a complicated and often frustrating process.  Even large providers that specialize in delivering from a menu of business cloud solutions often forget that their target customers may not be particularly tech-savvy, and will fail to recognize the nuances in service delivery or protection that could make big differences to the business down the line – like in the case of a system failure or outage.

Among the keys to a successful cloud solution deployment, particularly when critical and frequently used applications and data are to be migrated off-premises, is a thorough understanding of how users currently work with the tools provided, ensuring that processes and utilization can be fully adapted to the new IT model.

As long as users are able to retain their productivity and efficiency, and when improvements in workflows and information access become additional benefits, the security and protection of the business data is more likely, as users will feel less compelled to find alternative and less secure means for making the business data available from the cloud.  You may want to migrate your business data to the cloud, but you don’t want your data to migrate further than you can reach.

Joanie Mann Bunny FeetMake Sense?

J

Posted on

A Higher Level of Customer Relationship Management: Building Closer Customer Relationships

A Higher Level of Customer Relationship Management: Building Closer Customer Relationships

Most businesses recognize the importance of creating a quality experience for customers doing business with them.  The thing that many business owners overlook is how their internal workflows and information management systems serve to either support or impede the delivery of a well-rounded positive customer experience.  Growing businesses must adjust their processes and improve their tools in order to have the necessary information available to workers at various levels of the organization, providing a centralized means for collaboration, data sharing and analysis.   With the right information systems and process support, even small businesses are able to function at exceptionally high levels and provide the consistently high-quality service and customer experience that establishes long-term value in each and every customer relationship.

Businesses which excel at providing very high levels of customer service tend to have a few common characteristics – features of the business that identify it as an organization geared towards growth and success in driving the customer engagement and business value.  Among these characteristics is the recognition of the need to use technology better – leveraging automation to a greater degree to create consistency in work performance, and improving information collection and integration to provide more context and depth to the data. Added efficiency which affords employees time to focus on customer oriented tasks and elevating the customer experience even more is the payback.

total-business

Many CRM solutions describe the benefits of a “360 degree” view of the customer, yet these solutions often orient themselves to supporting only sales and Contact Management and do not address product and/ or service delivery (fulfillment of what was sold/ordered)  or project management, contracts and agreements tracking or other aspects of doing business with the customer.

Granted, customer interaction occurs most frequently with sales and service teams, but there are potentially vast number of processes and tasks performed within the business which operate with the same information as sales and services, and which would benefit by integration within the same information and workflow framework.

By selecting a solution that addresses the wider variety of business and information management requirements rather than focusing solely on sales and support, business owners and managers find that they are better able to address internal workflows with streamlined process automation.

The result is significant improvement in the quality and completeness of the information available to users throughout the organization, ultimately improving the quality and nature of customer engagement and interaction. Perhaps even more impactful is the ability for the business to better understand  the context of and motivations for customer interactions, and (most importantly!) having the capability to take immediate action based on that knowledge.

With the right customer relationship and business management solution in place, and with a focus on systematic approaches to enabling process and workflow automation, businesses can become more flexible and responsive to changing customer needs and expectations.  Creating the complete view of the customer relationship and capturing the data which helps users understand the dynamics of the entire relationship serves to build closer customer relationships that will strengthen and grow over time.

When a business needs to implement a Customer Relationship Management solution to address sales and support needs, it makes sense to also review information management requirements for:

  • Delivery of products and/or services  – i.e. fulfillment of what was promised by sales
  • Scheduling of Work/Service Orders and integrated billing based on completed work
  • Time and personnel activity management as well as time reporting and billing
  • Project or job resource and time management and reporting
  • Documents, contracts, before & after pictures, and agreements of all types
  • Products and services, proposals and quotes, price books and channels

Additionally, since the processes are so closely related in terms of the information collected or used, it makes sense that the CRM solution would also work with:

  • Marketing campaigns and activities, lead generation systems and e-newsletter solutions
  • Accounting solutions which also utilize customer, product, job, time, cost and other data
  • Expense spending management, approvals and reporting

To be truly useful, the solution must also support remote and mobile workers since field service personnel and other workers are often not in the office when they need to get something done.  Whether the access is via hosted solutions providing full remote desktop functionality, or via web-based application extensions allowing device independent access (or both!), the solution should be designed to allow users to access the system and perform their work from wherever it is required.

Even more, a comprehensive approach to managing business activities and information, particularly with a focus on providing all departments with all the information and capability they need to get their jobs done properly, requires that everyone in the company be on board.  There really isn’t a great way to centralize and manage critical business data when the approach is to give a few people some information and functionality, leaving it up to human beings and individual initiative to connect the dots (and the data).  The result is almost always a series of gaping holes in various processes where information and requests get lost.

Among the best solutions I have found which delivers the foundation for all of this functionality is Results CRM.  Thousands of users have successfully migrated from ACT!, Goldmine, Telemagic, Salesforce.com and other SFA and CRM solutions to the Results CRM platform, and have benefitted from better workflow automation, more logical company and contacts associations, and a broader range of functionality supporting everything from sophisticated quote and proposal development to comprehensive project, time and expense management.

At the end of the day, it’s the reporting that wins.  If the data isn’t in the database, you can’t report on it.  If you can’t report on it, you can’t measure it. If you can’t measure it, you can’t make good business decisions and grow the business.

Make sense?

J

Posted on

Security and Users: Change is the Only Constant

Security and Users: Change is the Only Constant

Managing user accounts and access to business IT assets is challenging, particularly as cloud and social computing models introduce new wrinkles in security and identity management. Information has become “mobile” along with the users accessing it, yet management of user behavior is even more complicated that trying to manage a digital resource.

If you look at the history of security breaches, you’ll find that many of them started with a user making a mistake – like losing a laptop or clicking on a phishing email, downloading bad software, or forgetting to report an employee termination to the IT dept – something which inadvertently created a vulnerability that could be exploited.  It’s tough to stop breaches because there are so many possible ways for them to happen.

If most security breaches start with a user mistake, then IT departments have their hands full because users aren’t static, unchanging objects to monitor and manage.  Users change, sometimes a lot.  It is this constant change which undermines the ability for some IT departments to meet the demand to adequately secure company information systems and data. Now is the time to take control of user security and identity management, creating automation and controls to protect business assets in a constantly evolving environment.

It is not simply employee turnover that challenges security management.  Certainly, IT departments have been dealing with user account creation and termination for a long time.  And sure, users have sometimes been promoted and demoted, resulting in the requirement for IT to increase or perhaps decrease access to information and applications.  These are normal and expected activities for a business IT department.  Unfortunately, IT often doesn’t hear about the user’s change in status.  An account isn’t disabled, access isn’t restricted, and the system is left vulnerable.

Just to pile on, think about what happens when a user is more than just a single system user.  It may be manageable when where a single identity and set of credentials governs their access to applications and information.  But the proliferation of web-based services and SaaS solutions has made it commonplace for users to have multiple applications and services available to them, each with their own approaches to identity management.

For even a small business IT department, the security of all of these access points and applications must be managed and monitored – no small task when the department may not even be aware that the solution is in use.  It is not unusual for file sharing, data sync, or other applications to be implemented in businesses without the knowledge or participation of the IT department.  Actually, many services attract users due to their simplicity and ease of use, leveraging the fact that they can be deployed without the “assistance” of IT.

Users are becoming increasingly mobile, accessing information and applications from public and private locations while using any number of possible mobile devices.  Vulnerabilities which may exist in public networks and the increased potential for device loss or theft are high on the list of concerns of IT departments managing remote and mobile user access.  Mobility is driving many changes in how information technology and access to systems is provided to users, and it is changing user demands for what they should be able to easily accomplish while being mobile.

Businesses need to recognize that their continued existence may rely on keeping their information systems and assets safe and secure.  Disaster recovery and business continuity applies not only to loss of physical systems, but also to losses of various forms due to data breach. The disaster recovery and continuity plan (you have one, right?) should not only address situations after they happen; planning by definition is proactive.  It is not enough to have a plan to recover from loss or failure; the business must actively engage in activities which will prevent loss and reduce vulnerability. 

Part of this plan necessarily centers on managing users and user identities, ensuring that the company knows about all access or user accounts involved and employs strict processes and guidelines for making sure they are constantly up to date and have the authority to do what they’re trying to do.  In short, the plan must also be a plan for change, providing change management processes to guide the business as the evolution of information technology and the dynamics of user interaction continue to change.

jmbunnyfeetMake Sense?

J

read more about IT Security and Engaging users to reduce vulnerability

read more about Mobility and the Cloud, Managing BYOD and securing company resources