HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 3, PASSWORDS

The initial article in this series dealt with systems used by your business and who should have what kind of access. In most cases, access is granted by the system administrator and conferred by a password. This makes password discipline an important component of your data security.

This discussion on password discipline does not mean your company won’t have a systems breach or that data will not be exposed. However, password security and protocol is a good first-line defense and hopefully you will find some best practices in this article you can incorporate in your business.

Is password security a big deal? Yes, it is. How passwords are created is a key to greater systems security. In a major systems hack in 2020, over 32 million passwords were compromised. Around 1% (320,000) of the passwords were “123456.” The next most commonly used password was “12345” followed by “11111”, “qwerty” and “abc123.”

In 2021 there were 1,862 data breaches, according to CNET. There were also 2,690 ransomware attacks. Both of these numbers represent double digit percentage increases from the previous year. They also represent only the attacks that were reported. It is not unusual for companies to not publicly report a hack or ransomware attack to lessen any panic or embarrassment.

When you or your employees create passwords, there should be a format so you don’t end up with the type of passwords shown above. Passwords should never use personal information such as the user’s name, age, birth date, pet’s name or anything else that might be found on-line.

Passwords should include a combination of letters, upper and lower case, numbers and characters. That may seem like common sense, but people don’t want to have to remember complex passwords, and they forget them if they don’t use them every day. Strong passwords can be easy to remember but hard to guess. A couple of examples: Iam:)2b29 (I am happy to be 29) and 2B-or-Not_2b (to be or not to be).

Another security protocol is that passwords should not be reused. Users, in an attempt to remember passwords for multiple systems, will use the same password for each system: e-mail, social media, payroll, accounting, POS and more. Two recent breaches revealed a password reuse rate of 31% among victims. Reusing passwords is bad enough when someone outside your business is trying to get access to your data, but it also presents a significant and often overlooked risk internally.

Passwords should not only be system specific, but individual specific too. Being able to see who logs into systems used by your business allows for audit if data goes missing or is compromised. Like so many other threats to your business, bad actors are not always external, so being able to track internal data access is important.

How often should passwords be changed? The thinking on that is evolving. The original recommendation was to change a password every three months. That recommendation made sense initially, but thinking has changed somewhat. A cyber security consultant at Intrust IT told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password” (emphasis mine). So should you regularly force password changes or not?

The emphasis above about a strong and unique password cannot be overstated. Let’s start with some best practices for strong passwords.

Never reveal your password to others. This may seem logical, but many times employees share a password in an attempt to simplify system use and in a misguided sense of efficiency. Employees may feel they have been denied access to some systems to which they should have access to do their job, or that management made a “wrong” decision. One way they get around that is by using the password of someone who does have access.

Use different passwords for different accounts/systems. This may also seem logical, but as noted above, employees will move towards what is easier for them. Many times that manifests itself as one password for all systems.

Length trumps complexity. The longer the password, the more difficult it is to crack, because every extra character is one more unknown for the attacker: is it a capital letter? A lower case letter? A number? A special character? A brute force attack against a 6-digit password would take around 22 hours, an 8-digit password 46 hours, and a 10-digit password an average of 2 years.

Complexity still counts. Use a combination of upper and lower case letters, numbers and characters. A gibberish (y_?\E4Dj) password is better than one actually made up of words. Note the sample here and the two examples given earlier.
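As an added example (not code from the original article), here is a small Python policy checker that applies the rules above, together with a search-space calculation that backs up the “length trumps complexity” point. The minimum length of 8, the sample owner “Pat” and the pet name are assumptions made for the example; the article itself fixes no minimum length.

```python
import math
import re

# The five passwords the article lists as most common in the 2020 breach;
# a real deployment would use a full breached-password list instead.
COMMON_PASSWORDS = {"123456", "12345", "11111", "qwerty", "abc123"}

# Minimum length is an assumption for this example; the article gives
# no fixed number, only that longer is better.
MIN_LENGTH = 8

CHARACTER_CLASSES = {
    "upper-case letter": re.compile(r"[A-Z]"),
    "lower-case letter": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, personal_info=(), used_on_other_systems=()):
    """Apply the article's rules and return a list of problems found.

    An empty list means the password passes every rule.
    personal_info: strings that could be found out about the user
      (name, pet's name, birth year, ...), supplied by the caller.
    used_on_other_systems: this user's passwords on other systems,
      so reuse across e-mail, POS, payroll, etc. can be rejected.
    """
    problems = []
    lowered = password.lower()

    # Length trumps complexity: reject anything shorter than the minimum.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The well-known breached passwords are the first ones attackers try.
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly breached password")

    # Complexity still counts: require every character class.
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(password):
            problems.append(f"has no {name}")

    # Never use information an attacker could find on-line.
    for item in personal_info:
        item = str(item).lower()
        if len(item) >= 3 and item in lowered:
            problems.append(f"contains personal information: {item}")

    # One password per system, never shared across systems.
    if password in used_on_other_systems:
        problems.append("reused from another system")

    return problems


def guess_space_bits(length, charset_size):
    """Size of the brute-force search space in bits: log2(charset ** length)."""
    return length * math.log2(charset_size)


if __name__ == "__main__":
    # Constructed sample input: the article's example passwords, the most
    # common breached password, and one built from a made-up owner's name.
    for candidate in ["Iam:)2b29", "2B-or-Not_2b", r"y_?\E4Dj", "123456", "Pat2024!"]:
        result = check_password(candidate, personal_info=["Pat", "Rover"])
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
    # Twelve lower-case letters out-guess eight characters drawn from all
    # 95 printable ASCII characters: length beats complexity.
    print(f"12 lower-case letters: {guess_space_bits(12, 26):.1f} bits")
    print(f"8 printable characters: {guess_space_bits(8, 95):.1f} bits")
```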

The question remains, should you change your passwords regularly? The answer comes back to how strong and unique the passwords being used are. Obviously you can police your own passwords; for your employees, establishing protocols and inspecting compliance will ensure they too create strong passwords.

If you think one of your systems has been compromised, you should change your passwords immediately. When an employee leaves, you should change your passwords. While it may seem the parting was on good terms, things change. Just because you think an employee leaving was to go back to school, a better job or a relocation, doesn’t automatically make it so.

Something could change and that “friendly” parting might turn sour, so why take the risk? The former employee may end up working at a competitor and decide that getting a list of your customers, your inventory or your profit margins would make them more valuable. Of course, something more sinister might happen, so protecting your data is always the best thing.

Earlier this article mentioned hacks and ransomware attacks. Both are targeted at your business data, but with slightly different purposes. If your systems get hacked, it may be to get a look at and/or copy some of your business data. Hackers could look at your customer credit card numbers, phone numbers, addresses and more. They could look at the financial information about your business like bank account numbers and personal information on your employees. This information may be sold and/or used to steal identities and cause significant problems for you, your customers and employees.

A ransomware attack also targets your business data. Instead of just looking at the business data, a ransomware attack will encrypt your data or make it unusable to you. The endgame is to get your business to pay a ransom for a key to unlock your data. Most ransoms are requested in a crypto-currency in return for an electronic key.

Either of these attacks should be reported to the authorities to allow tracking and hopefully keep this from happening to someone else. It also allows the opportunity to alert customers their information has been compromised and to quickly make changes and look for fraudulent charges.

As mentioned earlier, password security is a big deal. I’ve touched on two external threats but there are others, both external and internal. In a future article, I’ll address those and how and where you can back-up your data to minimize those threats.

Thoughts? Contact Steve Bina: steve@humanpoweredsolutions.com.

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 2

In Part 1 of this series (read here), there was a discussion leading to a better understanding of the systems used in your business, how they function, how they are administered, and who should have what kind of systems access. The last article also talked about the data each system generated, captured, saved and analyzed.

In this installment, we’re going to explore what kind of data you have and how that data could be managed. Some of the systems used in your business may be managing the data automatically. Maybe that is the case, but more than likely the management of your data is a manual process.

As before, this topic and the things we’ll discuss won’t guarantee you’ll never have a systems or data problem, breach or loss of data. But hopefully this will provide tips that will minimize the chances of that happening.

The first and very significant question you need to answer is how much data you have. That should be a simple question to answer yet, more often than not, the answer is, “I don’t know.” The business owner will say their computer or server has X number of gigabytes and since there is still empty space there can’t be more data than that. The short answer is that’s correct, but it may not be accurate.

Computers and servers host all types of software. That takes up a lot of space on the hard drive. In some hardware configurations there may be multiple hard drives, some that host the software and some that host the data. That brings up the question of where you store your data: in house, in the cloud, or with a managed service provider (MSP)?

Where data gets stored may seem like a simple issue but has a number of facets to consider. How often will you need access to the data? For example, data from a point-of-sale (POS) system will, hopefully, see many inputs during the business day. As I mentioned in the first article, how each of your business systems interface is crucial.

A sale processed through your POS system will have data points needed for your accounting system and inventory system at a minimum. Your business may also wish to capture data points on the customer, the date of purchase, the reason for the purchase, whether a promotion of some kind brought the customer to your business, if this sale was to a new or repeat customer, whether the customer was local, and other relevant data points. Not all of this data needs to be stored on your business computers or servers. It could be but would it truly be necessary? There are options to consider.

Another example is e-mail correspondence. When an e-mail is written and transmitted, every person keeps a copy. It can be saved or deleted at your convenience. If the e-mail is written and sent to a single person there are two copies, one for the sender and one for the recipient. What happens if the e-mail is copied to a couple of people in your business to keep them informed? Each person now has their own copy saved somewhere on your company’s computer or server. This is something almost no one thinks about. Over time it can consume a LOT of disk space, especially if there are attachments.

If all your data is kept on your computers and servers, are you also running some data protection or data management software? If you aren’t, you probably should. There are numerous companies that offer this kind of software; your systems administrator, the company that oversees your hardware and/or industry organizations should be able to make recommendations.

One feature to look for when considering data management software is deduplication. This is a feature that eliminates the kind of duplication I described with the previous e-mail example. Typically, a record that is deduped will still retain a “stub” that, when called upon, will allow recall of the original record for display.

Another feature to look for is data metering. Most data management software will use “upfront” metering, meaning data is measured when it is first input through the software. This is important as most data management software products are priced by the amount of data they protect. With upfront metering, any backups or subsequent internal copies are not counted against the purchased capacity.

So, where is your data stored? Earlier I asked this question. Now I’ll talk about the alternatives.

I spoke recently with a business owner and asked him that question and was slightly stunned by his response. He told me “All the data in my business is stored on a couple of one terabyte thumb drives.” That may work, but certainly would make any retrieval or analysis of that data problematic. The question I was really asking him was where his data is stored: on-site, off-site or in the cloud. There are pluses and minuses to each, so you need to understand them to make the best decision for your business. There is no right or wrong answer, but how your business intends to use the data will have an impact on where it’s kept.

Having all your data stored on-site is fine when you have a handle on how much data you have, how often you need access to that data (some or all), and how you intend to analyze the data to help run your business. However, keeping all the data on-site may cause problems with actual storage and disaster recovery, something I will talk about in subsequent articles.

Having all the data off-site also is workable when you understand how much and what kind of data you are managing. It makes disaster recovery less of an issue, though it really just pushes the issue downstream. Is the facility that is storing the data able to recover and restore if they suffer a disaster? If so, how long will they take to restore the data so your business can get up and running?

Storing off-site also may make it more difficult to retrieve data in a timely manner, requiring advance planning to make sure data is available and accessible.

Another consideration is cost. Most data storage facilities, commonly called managed service providers (MSP), charge storage by the gigabyte per month. The question your business should investigate is whether the storage fee is more or less expensive than the cost of having your own storage and maintenance of that storage. And note, some MSPs will offer a hybrid solution where they manage the data both on-site on your infrastructure, and off-site on their infrastructure.

Finally, understanding how much and what kind of data you have is also important when considering a cloud solution. Most cloud solutions closely resemble what is described above as an MSP with one big difference. Cloud data is always off-site storage and usually can be accessed from almost anywhere from almost any computer with the right credentials. (If you didn’t read the first installment about systems access in the February Micromobility Reporter, now might be a good time if you’re considering a cloud solution.)

Now that the business is thinking about how much data it has and where it should be stored, you also should be thinking about how you curate your data. The primary consideration is the legal requirement for data retention in your jurisdiction. Of course, not all business data will be subject to legal requirements, so seek counsel on what needs to be legally retained and for how long. And as important as it is to retain certain data for a specified period of time, it is just as important to delete data that is no longer legally required. Why? Should the business ever get audited, it will only be required to produce data within the legal retention requirements. If the business has been inconsistent with when/what data is deleted, it could be deemed suspicious and lead to a prolonged audit.

If the business is paying for off-site storage, you will want to properly manage the amount of data being stored since that will be the basis of your monthly bill.

In my first article I discussed the importance of who has access to the systems in your business and the interfaces. The same care needs to be applied to the curation of the data the business creates. Likely this isn’t something you’ve spent a lot of time considering. Who has the ability to delete or retain data could have a huge impact on your business.

Managing your data and where it is stored can help your business run more smoothly and provide timely information. The next article will discuss system and password security.

Questions? Comments? Contact Steve Bina, steve@humanpoweredsolutions.com

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 1

Does this look like how you manage the systems in your business? You’d be surprised how many times I hear “yes, it is.” Then again, maybe you wouldn’t.

Too many times the systems used to manage a small, and not so small, business are treated as a nuisance rather than tools. Like any tool your systems need to be cared for properly, upgraded as necessary, protected and kept sharp.

Over the next few installments, we’re going to talk about how the systems that keep your business running can be and should be managed, protected and strengthened. We’ll discuss how you can set up protocols to protect passwords, how often and where you can or should back up your data, and how to identify and mitigate threats to your data.

These won’t guarantee that you’ll never have a systems problem, breach or loss of data. But, hopefully they will provide you with tips that will minimize the chances of that happening.

Your business depends on information you can trust. Some of that information is intrinsic and obvious, some of it not so much. A lot of the information you need comes from the data you capture, save and analyze from the systems you use to manage your business.

Some of the systems may be simple, a spreadsheet to track the hours of your employees or card files to keep track of inventory. Some of the systems may be more sophisticated, a payroll system that makes sure deductions and taxes are calculated correctly, or an accounting system that lets you measure the profitability of your business or where investments will have the greatest return.

So a starting point is to identify the individual systems you use in your business. I mentioned a couple of them above, but you should make a list so you know what is running in your business. Again, you might be surprised by how many business owners don’t fully realize how many systems they have running. Here is a partial list to get you started:

> Accounting/Taxes
> CRM (customer resource management)
> Inventory
> Operating System – primary
> Ordering
> Payroll
> POS (point-of-sale)

The above listing may not be complete relative to your business. If not, go ahead and add what I missed.

Once you have listed all the systems you use, then you should determine whether the system is wholly contained inside your business (internal) or is connected to a server or company outside your business via an internet connection (external). A system that is wholly contained internally doesn’t mean you can ease up on how you manage it, but may not require all the protocols we’ll discuss today or in subsequent articles.

Once you’ve determined what systems you use, and whether they are internal or external, the next step is to determine who has access and at what level. Depending on what a specific system does will determine which employees should have access and with what permissions.

Typically, the highest level of access is for the system administrator. Administrator access should be restricted and tightly controlled. While it may be tempting to have yourself as the sole administrator, it is good practice to have one other person with administrative permissions on select systems. This provides the business a backup should one person be away and changes need to be implemented.

Each system usually will have different levels of user access as well, limiting what parts of the system they can access and/or what kind of input they are allowed to enter. For example, if you have a payroll system, you could allow employees to enter their hours but not their pay rate.

In addition to system access, you will also want to determine who has what access to system interfaces, i.e. what data from one system gets transferred to another, and who has the ability to make or change how data passes from one system to another. An example of this would be an interface from your POS system to your inventory system, and beyond that to accounting, payroll (is there a commission component to compensation?), and possibly others.

Access is a tightrope, and there is no right or wrong way to determine who should be granted what kind of access. The general rule of thumb is you want to restrict access to protect your business, but not so much as it causes dysfunction. So how much access is too much? I’ve always found it is easier to grant as little access as necessary initially, and as conditions warrant allow additional access. It is far easier to grant new systems access to an individual than to take it away.

It is also a good practice to re-evaluate systems permissions periodically. When employees get promoted or move to a different department, their access requirements to company systems may change as well. Sometimes access to certain systems should be removed when an employee changes position. New access should not be added without a review of current system access to determine if any is no longer needed.

Another thing to consider as you evaluate the systems your business uses, is the management and updating of those systems. It doesn’t matter whether this is an internal or external system, or whether it is a manual or computer system, at some point they will need to be upgraded. For a manual system it can be done at your convenience, though that may get driven by the interface to a computer system which has issued a new release and requires a revised interface.

This is another area where systems become a nuisance. Most software programs are continually updated with new features, bug fixes and general improvements. It is important to stay current with these updates. Microsoft continually sends updates to Windows and will tell you when a particular release will no longer be supported. Some other software programs don’t. Rather, they will notify you of an update or send you new code you need to install. To ensure your systems are running the latest version, you should have a specific person who is responsible for system upgrades. Most often this would be one of the system administrators. And it is incumbent upon the business principal to make sure all systems are using the latest version.

Along with making sure the systems themselves are up-to-date, it is important the hardware is also up-to-date. This may come as a result of an upgrade to a specific system that requires new capabilities from a specific piece of hardware, adding another device to an existing network, or replacing a device already attached. As with software updates you will probably want to keep this ability reserved for your system administrators. However, keeping the hardware updated may require outside help to make sure all the hardware works together.

A lot of the above may seem like common sense, and a lot of it is. The key is it also requires advance planning, to keep the tools of your business cared for properly, protected and sharp. In the coming installments we’ll look at systems security, how much and often you should consider backing up your data, and how to minimize threats to your data.

Comments? Thoughts? Reach Steve Bina at: steve@humanpoweredsolutions.com