Mobility and the Cloud – Managing “Bring Your Own Device” and Securing Company Resources

There are lots of reasons why businesses are adopting cloud and Internet technologies in great numbers, and supporting mobile workers is one of the big ones.  In order for traveling salespeople or workers in remote offices to have access to business applications and data, many organizations are turning to hosted and cloud solutions to centralize systems and make enterprise-wide access easier to deliver and manage.

What many businesses are just now realizing, however, is that allowing individuals to use their own mobile devices to access corporate data is exposing the enterprise to new (and often unknown) risk with each and every device and app that gets used.

Most businesses recognize the need to secure corporate systems while allowing users to remotely access resources from home or mobile computers.

Many CIOs and IT managers are failing to address the vulnerabilities introduced through the proliferation of tablets and smartphones in the business. Some enterprises initially embraced the concept of “bring your own device” [BYOD], as it tended to encourage users to work from home or while on the road, increasing employee productivity and keeping workers more “attached” to their jobs – all without the business having to pay for the device.

With growing numbers of reported “rogue apps” and apps that secretly collect and pass along data, the potential benefits of allowing workers to use their own devices are rapidly being overshadowed by the risks involved.

Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users’ address books. …but what if the app uploads a sales representative’s contact list and the developer then sells it to a competitor? That’s a new type of data leakage that most organizations aren’t ready for.

http://www.cio.com/article/716368/Free_Mobile_Apps_Put_Your_BYOD_Strategies_at_Risk  

Phones, in particular, have not traditionally been viewed by most business owners as a primary platform for information theft or damage – other than when an employee uses one to tell someone something they shouldn’t.  But in terms of intrusion, data theft, application hacking and things like that… not so much.

But that was before phones got really smart.

Phones that most folks carry around now are actually computers with a great deal of processing and storage capacity, and as such are just as capable of running bad programs and being vulnerable to attack as their more obvious portable computer counterparts.  Perhaps they are even more vulnerable because of the “connected” nature of the device: by its very nature it is geared towards communicating information, not just processing it.

It’s not that hackers and developers of exploits (or just bad code) are necessarily focusing on stealing your business data (well, OK, a lot of them are).  Maybe someone just got lucky one day, when they first realized that the employee phone was the “camel’s nose under the tent” which would get them inside, far enough to deliver access to confidential corporate information and data someone would pay for.  People tend to be the weakest element in the security chain, and exploiting vulnerabilities under the guise of “making things easier” for the user has been a highly successful approach (would you like to sign in with your Facebook account?).

The point is that attacks which target employees may well end up targeting the employer as well, even if the employer wasn’t the original target.

Whether it is intentional or not, the risk is very present, and every business and enterprise has a responsibility to recognize the vulnerabilities introduced with mobile device use and to do what it can to mitigate that risk.  It is also important to recognize that the risk is not a purely personal one, either.

Since the information held by most businesses also includes the information of others – customers, vendors, partners, etc. – it is essential that the business not expose itself to unnecessary problems (litigation, fines or penalties, or simply lost opportunity) caused by accidental leakage of confidential information belonging to third parties.

For some businesses, the best answer may be to only allow use of devices the business provides, along with clearly written use policies and guidelines.  This approach allows the organization to determine which applications may be installed and to dictate how the device is to be used for business needs.

There are even solutions available which can assist businesses in managing the expenses related to mobile devices in the enterprise, addressing not only security and privacy concerns but also helping to optimize expenditures on mobile devices by monitoring contracts and usage, identifying underused agreements or overage charges, or even identifying contracts still in force which should have been cancelled.

For many businesses, however, allowing users to continue accessing business resources with their personal devices may be desirable for a variety of reasons, cost being only one of them.  If this is the case (as it is most often in small and growing businesses), it is important to make certain that users understand what is and is not appropriate device use, and to inform users on the policies relating to apps which may or may not be allowed and why.

Make sense?

J

The Holistic Approach to Cloud-Enabling Your Firm

Today’s professional accounting or law practice has a number of issues to contend with, not the least of which is technology.  While IT has been serving the firm for years, shifting paradigms in computing are leading professionals to wonder exactly which direction they should turn for advice.  It’s easy, at a high level, to see the value and benefit of outsourced IT services and being able to focus on your core offerings, but it’s a little harder to find exactly which path your firm should follow.  One thing has proven true over the past few years: taking a holistic approach to cloud-enabling your firm is far better than any uncoordinated exchange of applications and services.

There are four areas the firm should explore when looking to more fully leverage technology to its benefit, which is what “cloud-enabling” the practice really means:

  1. Transitioning to a paperless (or less paper) office
  2. Exploring alternative billing methods (value versus time?)
  3. Outsourcing non-core and non-strategic tasks and processes
  4. Streamlining procedures to create consistency in service levels

The challenge is that firms have numerous options and approaches being thrown about, none of which represent obvious solutions to the entire problem.  In pieces, cloud services and online applications can deliver new capability and functionality, but a professional practice has the requirement for systems to work together to be effective.  Re-entry or redundant storage of data is inefficient, so it is difficult to streamline procedures when the systems run on different platforms or don’t integrate well.

One approach is the “hybrid” approach, where you take the best of the tried and true, and deploy it in new ways to create new capabilities.  It also makes sense to introduce cloud-based and SaaS solutions where they can truly help the firm innovate, as long as those solutions can connect back to the core systems. The key is to not lose what efficiency and business intelligence the firm already has while attempting to transform and improve upon those models (digital transformation).

The new thinking by some firms is to adopt web-based practice management solutions that make it easier to collaborate with team members and clients.  Many of these solutions get great reviews and indeed do make it easier for users to access information from anywhere and on mobile devices.  Lots of neat features for the forward-thinking practice are available, yet the problem is that these solutions usually don’t have the general accounting functionality required by the business, nor do they address some of the fundamental capabilities that apps on the desktop can.

For the online applications serving line-of-business functionality, the easy answer to finance department questions is to connect to an online accounting solution, like QuickBooks Online.  While this may serve the needs of the developer, the needs of the business finance department often outpace the functionality available in the SMB online accounting products.  To address this reality, many developers have created the means to export data to the QuickBooks software running on the local desktop.

The desktop editions of QuickBooks remain extremely popular with professional service firms and the businesses they serve. In a cloud and mobile world, the firm and its clients don’t have to be tied to the local desktop in order to keep their desktop software or collaboratively work in the data.  When the QuickBooks desktop software is set up within a secure remote access environment (whether on-premises or with a hosting provider), users benefit from the same mobility and real-time collaboration advantages as with a SaaS solution, like anytime/anywhere access.

Virtual desktops and remote application models allow users to access what seems like a workstation in the cloud, with business applications such as QuickBooks and Microsoft Office and whatever else the firm uses. The desktop is a true Windows platform, so the features and functionality are just as they are when working directly on a local PC.

Most remote or virtual desktop setups also let the user access the Internet and use a browser on the remote desktop, allowing users to run the SaaS solutions they’ve subscribed to alongside their desktop applications yet still remain in a totally virtual and mobile working environment. This approach allows the firm to centralize management and administration of internal servers and networking resources, or eliminate much of the maintenance and management by outsourcing to a hosting provider. Outsourcing the hosting and management of systems further establishes predictability in cost and increases IT agility.

The thing to remember is that one size does not fit all, and every firm will need to work within their own requirements and motivations to come up with the proper approach.  What works for a solo practitioner or small firm won’t necessarily work for a larger firm… or maybe it will, depending on the company culture and structure. There are a lot of options with the cloud when it comes to outsourced information technology models, online practice management and other business solutions, and mobile services which reduce the impacts of time and distance.  It’s time to start implementing on-demand access and mobile-friendly service options before the competition leaves you behind.  Interestingly enough… the competition that looks like a huge and successful firm could be just one person using some really smart IT.


Make sense?

J

Compliance in the Cloud – Their System; Your Responsibility

Can you outsource compliance to the cloud?

Outsourcing IT to a cloud service provider can be tremendously beneficial for a business.  The model allows an organization to offload not just IT infrastructure costs, but also the costs associated with developing and maintaining all of the practices and processes involved in managing and maintaining the infrastructure and systems.  There is tremendous responsibility in handling everything from platforms and infrastructure to creating best practices for maintenance, management of scalability and growth, forecasting bandwidth requirements, implementing and monitoring security compliance, creating effective and comprehensive disaster recovery plans, and more.

The question which begs to be asked is whether or not HIPAA, PCI DSS or any other compliance requirements, and the complexities, risk and legalities that come along with them, can also be outsourced to the CSP. For that matter, can any real level of responsibility be fully outsourced, where the liability for non-performance or noncompliance is also fully shifted?

Ummm. No. It is still your problem.

What too many companies really don’t understand is that they aren’t eliminating risk by moving to the cloud, and the requirement to meet various compliance requirements really can’t be outsourced. Particularly in this area, businesses need to recognize that outsourcing certain functions doesn’t reduce or eliminate responsibility or liability.  On the contrary, it could make things a bit more difficult if you don’t keep close tabs on how the provider implements and is involved with your solution. Even beyond that, what is the impact to the business operation when requirements are not met?  Cost recovery from the provider may be one option, but how does that help the business remain operating in the meantime?

“Gramm-Leach-Bliley (GLB) Act – Requires financial organizations to enter into contracts with third parties that they share their customer information with (including cloud vendors) to ensure that the third party handles that information securely. Executives of those financial organizations can be held personally liable for failure to do so.

Sarbanes-Oxley Act (SOX) – Defines specific security mandates and requirements for financial reporting to protect shareholders and the public from accounting errors and fraudulent practices. SOX dictates which records are to be stored and for how long and requires the data owner to know the location of the data in the cloud and to maintain control of it. Failure to comply can result in fines and/or imprisonment.”

source: CIO.com

This discussion isn’t limited just to compliance with regulations (at least it shouldn’t be)

In this conversation we need to also address what a business should do in terms of protecting and preserving its information assets (data!) even beyond what the CSP offers. Keeping confidential and private information secure and protecting the data of the business (and clients or patients or other entities) is essential, even when the CSP fails in its obligations or abilities.  This aspect of disaster recovery and continuity planning is not often considered by the CSP yet remains critical to the business customer. The sales pitch, however, never really delves into this area, because it represents an aspect of service coverage that the provider simply can’t provide.

Illustrating this particularly difficult aspect of outsourcing to the cloud is the hard lesson learned by customers of a QuickBooks hosting provider who experienced a severe outage due to a ransomware attack. The hosting provider promised customers it backed up their data, and it did, but the backup archives were also compromised.  In order to restore service, customers were expected to have their own backups of the cloud-hosted data.

While there may have been items in the service agreement which address these issues, I can say – based on a great deal of experience in just this area – the service providers rarely make this point very clear to customers, and more frequently tell customers backing up their data is no longer something they need to really worry about. It’s like that really tiny type at the bottom of a contract that nobody notices until it is too late.

“..restoration proved more difficult in Texas. Lezama explained that for the Texas clients, the backups had been compromised as well, because their backup data had synchronized with corrupt files. But Cloudnine clients are obligated [to] back up their own data as well, as a sort of third-level security measure..”

source: AccountingToday
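The failure described above, a backup that faithfully synchronized the ransomware-damaged files, is exactly what an overwrite-style mirror does by design. The Python script below is an added illustration for this post, not code from the hosting provider or from any product named here; the file names, the snapshot label and the “ransomware” (which simply overwrites files with random bytes) are all constructed stand-ins. It keeps write-once snapshots with a SHA-256 manifest, shows that a mirror inherits the damage while a snapshot does not, and refuses to restore from any snapshot whose manifest no longer verifies, which is the restore test a customer should be running against its own copy of the hosted data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large company files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into a write-once snapshot directory and record a hash manifest."""
    dest = backup_root / label
    if dest.exists():
        # A snapshot is never overwritten, so a later sync cannot replace good data with bad.
        raise FileExistsError(f"snapshot {label!r} already exists")
    data = dest / "data"
    shutil.copytree(source, data)
    manifest = {p.relative_to(data).as_posix(): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return dest


def verify(snapshot_dir: Path) -> list:
    """Recompute every hash in the manifest; return the files that are missing or changed."""
    manifest = json.loads((snapshot_dir / MANIFEST).read_text())
    data = snapshot_dir / "data"
    return [rel for rel, digest in manifest.items()
            if not (data / rel).is_file() or sha256_file(data / rel) != digest]


def mirror_sync(source: Path, mirror: Path) -> None:
    """Overwrite-style sync: the mirror always matches the source, good or bad."""
    if mirror.exists():
        shutil.rmtree(mirror)
    shutil.copytree(source, mirror)


def simulate_ransomware(source: Path) -> None:
    """Constructed stand-in for file encryption: overwrite every file with random bytes."""
    for p in source.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size + 16))


def restore(snapshot_dir: Path, target: Path) -> bool:
    """Restore only from a snapshot whose manifest verifies; False means do not trust it."""
    if verify(snapshot_dir):
        return False
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot_dir / "data", target)
    return True


def demo() -> dict:
    """Replay the failure mode: a mirror that synced the damage versus a verified snapshot."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "company_file"          # constructed sample data, not a real company file
        src.mkdir()
        (src / "ledger.qbw").write_bytes(b"constructed sample company file\n" * 100)
        (src / "notes.txt").write_bytes(b"constructed memo\n")
        original = {p.name: sha256_file(p) for p in src.iterdir()}

        snap = snapshot(src, root / "snapshots", "2019-07-01")   # constructed label
        mirror = root / "mirror"
        mirror_sync(src, mirror)
        try:
            snapshot(src, root / "snapshots", "2019-07-01")
            write_once = False
        except FileExistsError:
            write_once = True

        simulate_ransomware(src)
        mirror_sync(src, mirror)  # the mirror faithfully copies the damage

        restored = root / "restored"
        return {
            "mirror_matches_original": all(
                sha256_file(mirror / n) == d for n, d in original.items()),
            "snapshot_intact": verify(snap) == [],
            "write_once_enforced": write_once,
            "restore_matches_original": restore(snap, restored) and all(
                sha256_file(restored / n) == d for n, d in original.items()),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The design point is the manifest: a copy of the data alone cannot tell you whether it is still good, but a hash list written at snapshot time can, and checking it before every restore is the cheap version of the backup test that, by the statistics later on this page, most companies never run.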

With compliance in the cloud, it’s their system, but your responsibility.

Outsourcing IT to a cloud service provider in no way eliminates or reduces the obligations of the business to manage certain aspects of information systems and data.  What outsourcing can do is deliver a greater operational capacity and agility more affordably.

The responsibilities to establish information and systems management practices and processes remain firmly with the business, and actually represent a strategic component of the business that is unwise to outsource anyway. Resilience in a business and its ability to conform to regulatory and other requirements are the foundations of sustainability. Remember that cloud providers and services can be leveraged to improve certain cost and system performance metrics, but it remains solely with the business customer to find ways to reduce risk and create a greater assurance of continued operational capability.

Make sense?

J

There are only two types of businesses: those who have lost their data, and those who will

The portable computer was the secret business weapon of yesterday, and is today’s essential business tool.  The processing power, portability, storage, and connectivity available with laptops, tablets and even smartphones can create a seamless extension of the office.

Truly, the workforce of today is mobile and fully-enabled.  Business owners, working in conjunction with their accounting advisors and business consultants, are able to access all the information and analytical capability they need to make informed business decisions at any time, capture and collect important information, and keep productivity at the highest levels no matter where they are.

Mobility doesn’t come without risk, however.  Some studies estimate that as much as 80% of the business data that a company has (like customer files, contracts, financial data, product specifications) is stored on portable computing devices.   While these files may be recoverable from backups in the case of loss or damage, there is an even larger potential cost in terms of exposure of confidential or proprietary – or personal and private – information.

Loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data.   Software and network attacks are also prevalent, with a variety of exploits designed to take advantage of any vulnerability present.

There’s an old saying we IT folks have that there are only two types of businesses: those who have lost their data, and those who will.  Imagine the potential chaos and risk exposure, not to mention the expense, of losing your valuable business data, or having it exposed to unauthorized users.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure security, privacy, and confidentiality of business information.  Cloud computing solutions and managed IT services will help you provide the mobile capability your business needs, but with the additional protection, additional security, and ongoing management that the value of the data demands.  Increased exposure to liability is a reality for any mobile business, and the risk is only multiplied by the number of systems a company has in the field.  The smart business reduces risk by deploying secure yet versatile platforms for their workers that allow data to be stored and protected in centralized environments, rather than on the individual computing devices. Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery models and enhanced security solutions, achieving the freedom and functionality (and data security) the mobile workforce demands.

Here are a few data loss statistics for your reading pleasure…

Enjoy  🙂

J

(stats drawn from summary on BostonComputing.net.  They may be a bit dated, but the numbers have only increased since then.) http://www.bostoncomputing.net/consultation/databackup/statistics/

The following statistics were gathered from various sources:

  • 6% of all PCs will suffer an episode of data loss in any given year. Given the number of PCs used in US businesses in 1998, that translates to approximately 4.6 million data loss episodes. At a conservative estimate, data loss cost US businesses $11.8 billion in 1998. (The Cost Of Lost Data, David M. Smith)
  • 30% of all businesses that have a major fire go out of business within a year. 70% fail within five years. (Home Office Computing Magazine)
  • 31% of PC users have lost all of their files due to events beyond their control.
  • 34% of companies fail to test their tape backups, and of those that do, 77% have found tape back-up failures.
  • 60% of companies that lose their data will shut down within 6 months of the disaster.
  • 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster. 50% of businesses that found themselves without data management for this same time period filed for bankruptcy immediately. (National Archives & Records Administration in Washington)
  • American business lost more than $7.6 billion as a result of viruses during first six months of 1999. (Research by Computer Economics)
  • Companies that aren’t able to resume operations within ten days (of a disaster hit) are not likely to survive. (Strategic Research Institute)
  • Every week 140,000 hard drives crash in the United States. (Mozy Online Backup)
  • Simple drive recovery can cost upwards of $7,500 and success is not guaranteed


Help Your Business Move to the Cloud

With all of the cloud computing options and services available to support business operations and administration, selecting the right ones can be a daunting task for any business owner.  While some cloud solutions offer simple “get started” options and “click to activate” plug-ins, it’s important to recognize that each business and operation works a bit differently. While there are standard requirements to support every business, individual business owners may have strong beliefs or habits that will impact how well a solution works for their particular operation.

Selecting the right technologies and applying platform and application solutions wisely can introduce efficiency in both time and cost that was previously not recognized by the business, or it can create all sorts of havoc and disrupt what were once smoothly-operating workflows. And once a solution is “plugged-in”, consider what might happen if it needs to be unplugged at some point in the future.

Because there is no single solution or set of products which will provide the necessary functionality for the lifespan of the business, it’s important to establish a process and framework which recognizes the need for agility and addresses the requirement to meet new business needs as they arise.

“With the evolution of cloud computing, one inescapable reality continues to surface and that is, as with service-oriented architecture before it, the fact that cloud computing promotes the idea of continuous proliferation of services,” said Daryl Plummer, managing vice president and chief Gartner Fellow.

While software and data integrations and “plug-in” data may be delivered through technology, there will always be a requirement for individuals who understand just how the pieces need to fit together and how the data and work must flow. It’s okay to rely on service providers to service and support the implementation, but the direction and design of how the information and work will flow throughout the entire company can provide a strategic advantage and should be an internally-driven project.

As your business looks to the cloud for innovation, efficiency, and mobility – remember to keep your feet firmly planted on planet earth until you know where you’re going.  There are a lot of options available, and not all of the hype is representative of reality.  You’ll want experienced professionals to help you get off the ground the right way.  That’s where we come in.

“What sits between you and the cloud will become a critical success factor in cloud computing..”

Daryl Plummer, managing vice president and chief Gartner Fellow