Technology News You Can Use
January 2009 – Issue XLII
Comments from the Editors
As the economy and financial markets are mired in turmoil, we are all challenged to become more efficient with the resources we have and to do more with less. Technology often plays a key role in making your business run smoother, and at a lower cost. This month's articles focus on preparing yourself and your computer systems in case of service disruption and to prevent security violations. There is also an article on how to use Web 2.0 technologies to expand your customer base, fully engage your employees and reach out to your prospects. We hope you enjoy these tech tidbits, and please feel free to provide us with your feedback and comments on any of these topics.
Brent Daugherty and Matt Reedy
INNOTECH TECHNOLOGY CONFERENCE RETURNS TO SAN ANTONIO
The North San Antonio Chamber of Commerce continues its support of the tech community as a key sponsor of the InnoTech San Antonio Conference & Expo, taking place on Thursday, March 5, 2009 at the Norris Conference Center (at the crossroads of IH-10 and IH-410). The 2nd annual InnoTech San Antonio event, presented by Computer Solutions, is the region’s largest business to business technology & innovation conference & expo.
InnoTech will also be the site of the 6th annual North Chamber Technology Council’s CIO Panel. This year’s luncheon panel includes executives from HEB, Valero Energy, USAA & the University of Texas Health Science Center. Other InnoTech conference topics include social media strategies for business, web applications, Microsoft-related solutions, deciding to outsource your IT or not, cloud computing, virtualization and more. The InnoTech conference is focused on technology as a productivity tool and revenue generator, not a cost center. See an updated list of topics and times at www.innotechsat.com.
And, don’t forget the InnoTech Happy 45-Minutes (held inside the exhibit hall, including complimentary beverages), a fun, energetic, networking opportunity that is sure to become a favorite of InnoTech participants. The InnoTech After Party will be held in conjunction with the Technology Connexus Association Technology Showcase and Hi-Tech Mixer at the SATC building, 3463 Magic Drive. The showcase and mixer will begin following the InnoTech conference and run until 7:30pm. Visit www.satechnews.com for more details.
Registration for InnoTech, North Chamber CIO Panel and Hi-Tech Mixer are now open at www.innotechsat.com.
If you are interested in InnoTech’s exhibit and/or sponsorship opportunities, please contact Karen Rodriguez, Executive Director, at 503-841-5285 or karenr@prosperaevents.com.
Five Essential Elements of Business Recovery, Rolinda Carrington, IBM
In the current business environment, the old adage “time is money” applies now more than ever. So what happens when everyday operations are disrupted? According to the U.S. Labor Department, more than 40 percent of all companies that experience a disaster never reopen—and more than 25 percent of those that do reopen after a disaster occurs will close down for good within two years. But even if your company doesn’t go through a major disaster, chances are high that it will experience the negative consequences of unplanned outages that make business as usual impossible.
The problem is amplified in challenging economic times, says Warren Sirota, a segment executive with IBM Business Continuity and Resiliency Services. “If the business is already suffering from lower revenue because of the economy and a significant outage occurs, the impact can be much more dramatic than during good times,” he says.
Downtime quickly becomes revenue loss
Even though a crippling outage is almost certain to hit most companies someday, many executives running midsized organizations adopt an “it won’t happen here” attitude. They would be wise to think again. A business may not be located on the coast where hurricanes strike, but power outages can still occur. According to Infonetics Research, most companies suffer between 300 and 1,000 hours of downtime a year.
Wildfires may not be prevalent where a business operates, but no company is exempt from the risk of a building fire. And while Mother Nature is responsible for many outages, downtime can also be caused by air conditioning failures, coffee machine malfunctions, bursting pipes, human error, insects, roof cave-ins and vandalism.
No matter the cause of a disaster, the accompanying costs quickly add up. In some industries, says Infonetics Research, downtime costs can equal up to 16 percent of revenue. And according to the analysis firm Meta Group, every hour of downtime carries an hourly cost of more than $200 for every employee on staff.
Unfortunately, many routine security and business continuity precautions are of little help once disaster strikes. For example, a high-availability server system is a great investment for protection against many types of outages. Yet if all of its components are located in the same area as the cause of an outage, it too will go down.
Understanding business recovery essentials
“Avoiding lost sales is the most significant benefit of having a good recovery plan,” says Sirota, who suggests that understanding the importance of the five essential elements of business recovery can help midsized businesses stay afloat amid outages large and small. These five areas, he says, make up the most important parts of operating a business: people, facilities, information, networks and technologies.
Planning for inevitable disruptions requires an understanding of the essentials of each of these five elements:
1. Keep people busy with business as usual
Planning for employees, business partners and customers makes up the most critical aspect of business recovery planning, Sirota says. Depending on the nature of the outage, you may need to figure out how and where people can continue working. For a brief period of time, everyone may need to work remotely, but you’ll need to have these contingency plans ready, along with automatic notification to tell employees to work at home.
2. Make accommodations for facilities
Facilities make up an important part of business recovery planning. According to the U.S. National Fire Protection Agency, 35 percent of businesses that experience a major fire are out of business within three years. So, if having everyone work at home is not the best option for your business, recovery vendors can provide interim workplaces such as prefabricated mobile offices or buildings designed specifically for use in times of crisis.
3. Secure information before the storm hits
Data can make or break a business. According to the U.S. National Archives and Records Administration, 80 percent of companies without well-conceived data protection and recovery strategies go out of business within two years of a major disaster.
Backup tape and storage testing services can help ensure that critical data will be available after a major outage. Ideally, says IBM’s Sirota, backups should be performed offsite, preferably at a facility far away from everyday operations. “The best way to protect the information for a small business is to use a remote data backup facility, which actually transmits the data either overnight or at scheduled times to a remote site where it is stored.”
4. Prepare alternate networking routes
Can you keep networks open—or restore them quickly? What happens if you don’t have local area network (LAN) or wide area network (WAN) connectivity for an extended period of time? Or phone connections and e-mail? In the worst-case scenario, your business may not have access to any of these vital services.
LAN and WAN contingency plans can include services such as remote data access so critical information can be managed and administered from any location. A failover system for e-mail is also highly recommended by Sirota, who notes that keeping in touch with partners and customers can make all the difference in remaining in business. These solutions can be activated in seconds, but keep in mind that these systems need to be in place prior to an outage.
5. Keep technology up-to-date and aligned with recovery plans
Keep tabs on how technology is applied within your organization. This can be as simple as making sure a security patch has been correctly applied. Otherwise, recovery plans can be easily derailed when new software and hardware is added or upgraded without testing the potential consequences of changes to business technology. That’s why experts like Sirota recommend routine system checkups, as well as longer-term business continuity and resilience planning services. “Resilience is the ability to take a blow and keep on going,” he says.
Regular checkups provide the best results
Sirota suggests that business recovery plans be tested annually. “Plans go out of date very quickly,” he says. “Exercise your plan once a year. People find that’s when they realize what they really need to do to improve their plans.”
Many of these activities are best done with the assistance of an outside specialist company, Sirota explains. “A small business doesn’t have the staff and the in-depth expertise available to do a full-blown plan,” he adds. “Obviously they have some people responsible for their IT infrastructure, but typically those people are focused on the day-to-day operations and not all the ins and outs of what could happen in a disaster scenario.”
But when the ins and outs of continuity planning are taken seriously, midsized businesses can bank on being competitive—which beats flirting with disaster when it comes to the inevitable periods of unexpected downtime.
You may have heard the term “Web 2.0,” but are wondering what it means and how it could affect your organization. Web 2.0 describes a “second” generation of Internet technologies, including wikis, mashups and social networking (e.g., crowdsourcing), that are focused on helping people collaborate and share information online. At a recent conference, several CIOs discussed Web 2.0 projects, describing initial conflict between IT staff and business users that required intervention, followed by great advances through IT and non-IT collaboration.
Wikis are structured containers for information to encourage collaboration between users. The information and links to other Web pages are created and consumed by users who have a vested interest in the content being correct and complete. One CIO recounted a wiki rollout undermined by IT. “My central IT staff ignored meeting requests,” she said. “Ultimately, they estimated $600,000 in required resources over a six-month development cycle.” Six weeks later, a decentralized business unit unveiled and launched its own wiki site hosted on a shared departmental server built by non-IT volunteers. This organizational wiki pooled over 2,000 contributing members out of a workforce of 3,800 employees. This likely succeeded due to its single specific purpose driven by motivated vested interests.
A mashup is a Web site or Web application that combines content from more than one source into a view that is richer than any single source alone. Another CIO described a mashup opportunity originally estimated by IT to cost over $500,000 due to supposed complexities of four existing IT-maintained Web sites. Only four weeks and $25,000 later, a simple mashup site was created that incorporated traffic video, weather information and road data from the four Web sites. The IT organization then took an active role and matured the site. During a recent weather event, this mashup site received over 9 million hits in a single day.
Crowdsourcing is basically the outsourcing of company tasks to a crowd of people that works on these tasks (usually for free). This method is being used to leverage and tap into a wealth of knowledge outside of the existing organization. One CIO reported that his IT department squelched an innovative community-based crowdsourcing opportunity by overestimating the project at $1 million. The disenfranchised business employee who initiated the request then developed the pilot site over the weekend. Ultimately, an investment of less than $50,000 was required to initially launch this site, which is now being used nationwide by tens of thousands of users to collect and rank community data. This is a perfect example of restricting the initial purpose to a specific, narrow set of design requirements.
CIO CALL TO ACTION
CIOs and IT Directors should:
• Define a purpose; don’t just install a tool—because the users might not exploit it if the purpose isn’t clear and beneficial.
• Set executive direction that supports and cultivates Web 2.0 initiatives, such as training staff, publicizing benefits and launching new projects.
• Observe and squelch Web 2.0 disruptive activities within IT by anointing Web 2.0 evangelists.
• Enact necessary organizational changes as required to reduce conflicts.
• Define "guardrails" or guidance to minimize concerns of security, governance or abuse.
• Drive innovation through the deployment of Web 2.0, such as new internal or external wikis, mashups or crowdsourcing sites.
• Tap into user passion, and let the community carry the message.
Do you have to stand outside to make a cell phone call? Duane Roundtree, CellTeks
Maybe your cell phone does actually work inside your home or office – as long as you happen to be next to a window or stand in that ONE spot in the hallway and DON’T DARE TO MOVE.
This might sound funny unless you’re one of the increasing numbers of cell phone users who have become hopelessly reliant on these devices but keep finding themselves in the equivalent of cellular prison.
The solution is MORE BARS - bars of signal strength, that is. Virtually all cell phones, PDAs, & wireless aircards have the ability to display relative cell signal strength to give the user an idea of what quality reception they can expect.
When inside a building, factors such as cell tower proximity, topography, and construction materials can all cause signal attenuation resulting in poor voice quality, slower wireless broadband speeds, & more dropped calls.
The most common culprits in residential applications include the increasingly common use of radiant barrier roofing in attics, Low E glass windows, metal roofs, and stucco exterior walls.
Subscribers inside commercial buildings contend with extensive metal infrastructure, thick brick exterior/interior walls, data/electrical cabling & wires and the “urban canyon” effect created by tightly packed neighboring structures.
A cellular booster/repeater is a viable remedy to the problem. These systems employ the use of an externally mounted antenna to capture a “donor” signal from the carrier. This signal is carried inside through a coax cable and routed to a bi-directional amplifier which boosts the strength of the signal to as much as 3 watts. Compare this to the FCC limited six-tenths of 1 watt capability of handheld cellular devices to understand the significance.
The amplified signal is then routed again through coax cable to one or more internal repeater antennas, depending on size of desired coverage area. These antennas provide enhanced wireless coverage for multiple users in the same coverage zone by yielding an average increase of 2 – 4 bars of signal strength.
These systems can be tailored to meet the needs of any size commercial building, home, office, apartment, or dorm room.
Available dual band amplifiers support multiple carriers providing broad spectrum bandwidth and encompassing GSM, CDMA, & 3G networks.
When considering a booster/repeater system, feasibility needs to be determined. A sufficient donor signal (-85 dBm to -90 dBm is recommended) must be achieved in order to provide viable in-building signal strength. In other words, a 100% increase of absolutely NO signal = “no service”.
On-site testing and actual product demonstration by qualified personnel adds proof to the pudding and will aid in making the decision to take this step.
Security Assessments: Minimize your vulnerabilities, Rolinda Carrington, IBM
Insufficient security can result in downtime, or even worse, reduce credibility with customers and partners. Just as worrisome, noncompliance with regulations can result in hefty fines. With new viruses and malware emerging, more sophisticated hackers, and mobile employees accessing systems remotely, it’s an increasing challenge for SMBs to protect their businesses across all fronts. But perhaps even more challenging is how to identify areas of vulnerability.
Security assessments can reduce information risks in the same way that physical examinations diminish the possibility that minor health problems can become a full-blown medical crisis. System-wide security checkups can be as simple as network scans or as in-depth as hacker intrusion simulations to strategically locate areas of potential weaknesses. Typically, these assessments gauge four areas where information security is vital to business health: overall security capabilities, privacy, risk management and compliance.
Assessing security program design shortens emergency reaction time
Many SMBs have preventive security measures in place, such as firewalls, antivirus systems and network monitoring software. But while prevention can go a long way in safeguarding information assets, having a plan in place for meeting potential threats is critical, says David Puzas, business line manager for IBM’s Internet Security Services division. “Building out a security program is not as simple as just buying one box and a couple of pieces of software and tossing them on a network—and hoping that everything is solved for you,” he says.
Realizing comprehensive security relies upon your ability to strategically assess areas of potential weakness, which is where having an assessment of your overall security program comes in. Often called security program design and management, these checkups review how—and how quickly—an organization can react in the case of an information breach. For SMBs, these examinations should provide a blueprint for supporting existing business processes, without requiring an overhaul of existing IT investments.
A security program design and management assessment answers the question of how secure an organization can become by looking at overall security design. Typically an overview of the security measures in place is accompanied by an examination of all the components that make up an SMB’s IT infrastructure.
These assessments, according to Eric Maiwald, Vice President, Security & Risk Management Strategies, at the Burton Group research firm, “look at the risks, then you look at the countermeasures you have already deployed, you look at the ability of the organization to implement additional controls.” The intent or outcome of an assessment, he explains, “highlights areas where an enterprise can cost-effectively manage their risk.”
Assessments facilitate cost/benefit considerations, Maiwald continues: “The executive can make an informed decision as to whether it's better to place that money against risk management or whether it's better to put the money against some other type of business expansion or business risk.”
Still, many businesses seem to operate on a good dose of optimism instead of reviewing the potential courses of action should the unthinkable occur. But thinking the unthinkable, says Maiwald, is good business practice. By providing company decision-makers with a sense of what is likely to occur should disaster strike, he says, SMBs can make better decisions about how potential risks will affect the business.
“We want to look at it from an availability standpoint—what are our availability requirements?” he asks rhetorically. “Do we really require 24/7/365 or are there certain times when we can be down for maintenance? How do we deal with longer outages where we might have to implement the disaster recovery plan—or what might be our business continuity plan to continue operating if something really bad happens?”
Once the consequences are understood, says Maiwald, SMBs can move forward with a blueprint for overall security. “If you want an architecture for security or for risk management, it really has to start with the business risk and how the business actually goes about making money,” he says. “So if you understand where your business—or how your business—functions, that allows you to understand what the risks are.”
Privacy assessments keep the right doors closed
Today’s free flow of information can extend to people who have no business need for accessing systems. Even within an SMB, few people really need access to all data the company holds. Assessments of security privacy typically include an overview of how well policies, procedures and permissions affect overall security. For example, access rights to certain kinds of information, such as financial transactions or human resources records, are often best reserved for certain managers. But as a company grows, the policies that govern access can quickly become outdated and ineffective.
Privacy assessments, however, help create policies that ensure critical information is not damaged or stolen internally. Burton Group’s Maiwald suggests some questions SMBs need to have answered for privacy assessments. “Are there cases where we need to understand how that information can be used by authorized individuals?” he asks. “Do I have accountability requirements?”
How an SMB protects customer and partner information held in servers and storage devices is also examined in privacy assessments. Retailers, for example, need to protect credit card information, which is sent to servers; privacy assessments examine both the electronic and physical ways in which this critical information can be protected from identity thieves. This can include simulating attacks on Web-based applications, as well as using next-generation video surveillance techniques to monitor computer rooms and server cages in data centers.
But regardless of how privacy is assessed, the conclusions must lead to action, says Maiwald. “An assessment is really worthless if all it provides to the enterprise is a list of technical vulnerabilities that are found on systems,” he says. “It might be as simple as being able to reconstruct a transaction so as to be able to show a customer how something occurred or why a specific charge occurred. It may be something entirely different to be able to reconstruct a set of events because you had some type of a breach.”
Intentional hacking reduces security risks
Simulated attacks are also a useful tool in examining security risks. Applications and databases can easily be hijacked and used to pose crippling internal threats—transforming helpful business tools such as billing systems and customer relationship management software into instruments of harm.
To discover and fix these built-in weaknesses, penetration testing is frequently used in security risk assessments. Also known as ethical hacking, these attack simulations see security experts attempt to penetrate a network by mimicking the techniques used by malicious attackers. This provides a hacker’s-eye view of vulnerabilities and discovers weaknesses that need to be addressed.
Less dramatically, security experts examine any application that makes use of the Internet for security vulnerabilities. More often than not, these software packages require fine-tuning for optimal security, yet most SMBs often do not examine the security of each application on a regular basis. Most security risk assessments evaluate each application and create a list of applications most vulnerable to attack.
Physical hardware housing applications, databases and operating systems can also be vulnerable to damage. By looking at things such as enclosures, power supplies and hardware placement, security risk assessments review areas where these assets can be accidentally damaged. The possibility of intentional damage is also appraised. As with privacy assessments, security risk assessments frequently use video surveillance to monitor who is near assets—and whether these people should continue to be granted access to these locations.
Regulatory compliance lowers the possibility of fines
Discovery of IT systems at risk also includes comparing the way information is used against areas where sound security is required by law. Assessments can help ensure compliance with regulations such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry (PCI) Data Security Standard, as well as regulations required by 30 states in the United States. Failure to act in accordance with these regulations can expose midsized businesses to unexpected financial risk—and ignorance is not an acceptable excuse.
Regular examination of the software and systems used to hold sensitive information also reveals ways in which business processes can better meet regulatory compliance requirements. And here, regularity is critical, as regulations change as often as the number of security threats. For any business that uses credit card information, these assessments are essential. The same goes for organizations in healthcare.
By combining the tactics of privacy and risk assessments, regulatory assessments create lists of areas where SMBs are out of compliance, as well as areas where they may risk falling out of compliance.
Handing off assessment chores can magnify the scope of examinations
Because of the complexity of in-depth security assessments, many SMBs are unable to perform these examinations internally. Outside vendors offer services in this area, and can often be more cost-effective than a midsized business attempting to review the minute details of IT infrastructure.
Characteristics SMBs should look for in outsourced assessment providers include the ability to provide all four major security assessments, as well as capability to tailor these services to particular industries. Some of these services are available on a subscription basis, while others provide training for SMB IT staff.
The Burton Group’s Maiwald also suggests that when selecting an outside provider, experience providing assessments for specific industries should be a key consideration. “So, the best of all possible worlds is you find an assessment team who has worked in your industry before and understands what kind of business you have and how your business functions. Having the technical chops to do some of the detailed assessment, yeah, that’s important, but I look at that as secondary to the understanding of what the business environment is.”
Whether performed internally or by outside vendors, these examinations do more than zero in on weak spots. With security assessments, midsized businesses are better equipped to make informed decisions about immediate and long-term security requirements that can make all the difference in long-term profitability.
Contact Us
Technology Chair: Chuck Weisbrich
New Horizons Computer Learning Center
Co-Editors:
Matt Reedy, Matt Reedy & Assoc and Brent Daugherty, Time Warner Cable
Proofreader: Stan Waghalter, QualTel Communications
North Chamber Contact: Debby Zucker