INFORMATION TECHNOLOGY PART 6: PREPARING FOR DISASTER

The last article on information technology (part 5 in this series) addressed the issues of hacking and ransomware. The article discussed some, but not all, of the causes. This time we will look at some of the other causes, and the main issue a business may face regardless of the cause: disaster recovery.

As with all of these articles in The Micromobility Reporter, be aware that there is no guarantee your company won’t suffer an attack or data loss. Hopefully, some of the processes and tips in these articles will help stave off an attack or minimize the disruption.  

Hacks and ransomware, as discussed, are primarily initiated by individuals or groups seeking recognition and/or monetary gain. Just this week The Wall Street Journal reported that a ransomware attack believed to have been instigated by North Korea, targeting healthcare providers and hospitals, was disrupted by law enforcement. Recall that in the last article on this subject I wrote that whenever you have evidence of a hack or a ransomware demand, or you think you or your business have been targeted, you should alert the authorities. In this instance, because law enforcement was looking, not only was the attack stopped from impacting others, but a significant amount (about half a million dollars) of paid ransom in cryptocurrency was recovered.

State actors are the top end of hackers, and represent the most sophisticated of external threats to your systems and data. There are also internal threats that may not be as malicious, but can cause as much damage. I’ve already written about employee sabotage. This may come about in a number of ways, such as being passed over for a promotion, getting mad at a supervisor or the owner, attempting to prove a point, or an employee taking action to gain access because they believe it will make them more efficient. An employee can lose or compromise data, or provide system information to people outside the business, allowing them access to hack or encrypt data. All the more reason to compartmentalize systems access and use tight password control.

On the other hand, people make innocent mistakes, and an employee could make one at any time. A mistake is just that, but whether data is lost or compromised maliciously or by mistake, it’s still a problem.

Another thing that can cause data or system issues is hardware and/or software failures. An earlier article mentioned the importance of making sure software updates are installed in a timely manner. It is also important to make sure your system hardware is appropriate to the software requirements. Matching hardware to software is essential to ensure the software can function correctly, and that the suite of systems your business uses can interface and communicate necessary data effectively. When your business upgrades one, make sure upgrades to the other are considered and implemented as needed.

One set of potential problems that tends to be overlooked is natural disasters. Depending on where your business is located (or perhaps with multiple locations), you may be exposed to tornadoes, wildfires or facility fires, floods, hurricanes, earthquakes, or any combination. You may have some control concerning most of the threats I’ve written about in this and the previous article. However, natural disasters are completely out of your control, and may occur when you least expect them. Nonetheless they are real, and can cause just as much damage as a malicious attack.

Finally, a power surge or outage can do significant damage to hardware. Either could have a detrimental effect on your data and systems as well. Depending on the severity of the surge or the length of an outage, hard drives or other internal hardware devices may suffer failures, making data retrieval difficult to impossible. This scenario brings into focus the previous article in this series on backups. Hardware failures often do not allow for data recovery, so a backup could be the only way to restore your data.

For each of these possibilities the best defense is a good offense. Understand the systems used to run and manage your business. Take the time to find out how much data your business has generated. Initiate system user and password protocols to compartmentalize systems access for your employees, and manage how passwords are created. Make sure your data is backed up regularly and with multiple copies. And when disaster strikes, make sure you have a recovery plan.

Recovery failures happen most often because there is no plan in place. Talk with your system administrator to develop a plan to address these multiple threats. In fact, you may need to develop multiple plans, one for each type of threat. The plans should be documented and updated as your systems, hardware and personnel change. The plans are important, but the planning process is even more so. An out-of-date plan that won’t work is of no help.

The plans should be simple and straightforward. They should be threat specific, and the steps should have a logical progression. They should be flexible enough to allow adjustments, as a threat may morph during an attack.

With proper planning, you and your system administrator should be able to minimize any disruption in your systems and protect/restore your data with minimal downtime.

Feedback? Contact Steve Bina: steve@humanpoweredsolutions.com.

INFORMATION TECHNOLOGY PART 5: PROTECTING FROM THREATS

This series of articles has covered issues of managing your business data, understanding how much data your business has, how passwords are created and protected, and how and where you back up your data. These articles have been leading to this: protecting your data from threats, natural, internal and external.

All the procedures and tips I have written about can help you protect your business data. However, there is no guarantee these procedures and tips will prevent a determined attack or natural disaster. The intent is that, should your business become the victim of an attack or data breach, you will be able to recover as quickly as possible.

Previous articles mentioned, in passing, different kinds of data threats, internal and external. This time we’ll discuss a couple of different kinds of threats in more detail.

Hacking

Hacking is gaining unauthorized access to data in a system or computer. Hacking is not always done for malicious purposes, but more and more references to hacking and hackers designate them as cybercriminals and what they do as illegal. They can be motivated by financial gain, protest, revenge, spying, or even just for the “fun” of the challenge.

Hackers may be individuals, part of a larger organized group, or possibly sponsored by a government. An earlier article concerning password protection said you should change all passwords when an employee leaves to protect your systems. The article on passwords suggested that even if an employee left on good terms, that doesn’t mean they will stay that way or that in the future the person may want to try and make some money off of a vulnerability.

Hackers may be looking for specific information, names, addresses and social security numbers of employees, names and credit card numbers of customers, bank account numbers and more. Hackers may be looking for information about your business that would provide a competitive advantage to another business. Hackers may simply make subtle changes within your systems or on your web site to prove they were there.

How do you protect against hacks? The password protection and protocol article was a good first start. Next, download a reliable malware detection product that can both detect and neutralize malicious software. Make sure your software is up-to-date, download and install any software updates, making sure those updates are from a trusted and safe source. You and your employees should avoid unsafe/unknown web sites and should never download unverified attachments or click links from unfamiliar e-mails.

While it may be embarrassing, any hack should be reported. You may think your being hacked is a singular event when it could be part of a larger attack. Reporting the hack will alert authorities to the threat. You should also alert your customers and suppliers so they can be looking for anomalies in transactions.

Regardless, any time you suspect a hack has occurred you should immediately change all your passwords.

Ransomware

Ransomware is malware that prevents or limits users from using their systems by locking or encrypting all data. Often the infecting malware will delete itself after locking up the data, and a ransom is demanded to restore and release the data.

Ransomware attacks are almost universally about extorting money from the victim. Recall the article about backing up your business data, where a comparison was made between your data and your physical inventory. If your business suffered a theft of a number of bicycles, that may have an impact on your sales, but you probably have insurance that would mitigate the financial impact of the stolen inventory. The loss of data would have the same impact on your business, perhaps even more so, but likely there would be no insurance to ease the financial impact or cover the ransom payment.

Protection against ransomware attacks utilizes the same tactics as protecting against hacking. Unfortunately, cleaning up after a ransomware attack is much more complicated than a hack. Your data is either locked or encrypted. The quickest way back is to pay the ransom demanded.

On the other hand, depending on how long ago the ransomware attack was, and how often you are doing backups, you may be able to recreate your data set from a previous backup, assuming that backup was not affected by the ransomware. (Remember the 3-2-1 rule. If you aren’t sure, go back to the article on backups.)

As with a hack, a ransomware attack should be reported to the authorities. In fact, that may become a moot point, as many ransomware attacks become known anyway because the company has been paralyzed by its locked-up data.

Should you pay the ransom? Most law enforcement agencies say no. A recent survey by CSO of businesses across different industries shows that 66 percent of the respondents say they would never pay a ransom. In a separate survey it was found that 65 percent of companies that suffered a ransomware attack paid the ransom.

Ransomware is a big business. In 2019 ransom payments were estimated to be $7 billion in paid ransoms and time/business lost. This represents a 15X increase over what was determined in 2017. Big ransoms and the large companies involved make the news, and those payments are sometimes in the millions of dollars. Today, the majority of large ransomware demands are in cryptocurrencies making tracing the money and who gets it more difficult.

On the other hand, most ransomware demands are against smaller companies, in the range of $2,000 to $2,500. The payment of a ransom is often determined by a cost-benefit analysis of the amount of the ransom versus the lost time and business, making these smaller amounts more palatable, and this mostly explains the 65 percent payment number above. Still, here is the part of the equation that usually gets overlooked. Once a cybercriminal finds out you’ll pay, they probably will be back.

Leakware

Leakware is an offshoot of ransomware. This starts with a ransomware attack, with the attacker threatening to make public personal information from the data unless a ransom is paid. The exposure of confidential data often makes the targeted company nervous about possible liabilities and makes them susceptible to paying the ransom.

The protections and protocols mentioned above concerning hacking and ransomware apply to leakware as well.

The above threats come mostly from external sources. There are other dangers to your business data as well from internal and natural sources. I’ll address those in the next article in this series.

Regardless, the best defense for any of these threats is to not become a victim. The procedures and protocols that have been discussed in this series will help to preclude a successful attack. Your systems administrator should be taking proactive steps to protect your systems and data. Make sure you have that discussion with them. 

Questions? Comments? Contact Steve Bina: steve@humanpoweredsolutions.com

INFORMATION TECHNOLOGY PART 4: BACKING UP

How you back up your data, and how often, is as important as, maybe more so than, anything I’ve written about so far about information technology in the bicycle business.

This article on backing up data does not mean your company won’t run the risk of losing data or having it compromised. However, taking these steps may well allow you to rebuild quickly or keep your business running should the unthinkable happen.

Keeping your systems and data secure is as important as making sure your inventory is secure and accurate. In some ways managing your inventory is easier. It has a physical presence. You can see it, touch it and count it. Your business data is a non-physical asset. Like your physical inventory, your data takes up space, albeit in a much more compact form than a back room filled with bikes, parts and accessories. Knowing where specific parts of your data are stored and how often inventory is “counted” (updated) is just as important, and maybe more, than your physical inventory itself. Having an accurate and timely backup of your business’s data not only prepares you for a time when your systems go down, but can mitigate other data threats (which I’ll talk about in the next article).

How often should your business data be backed up? Let me expand on the comparison I’m making between your business data and your physical inventory. If you’re like most businesses, you have different categories or types of physical inventory based on value and/or usage. You also likely do inventory counts on a staggered basis. Some items may get counted on a weekly basis, some monthly, some quarterly, and some annually. You do this to ensure your inventory is accurate, so that you can correctly calculate the cost of sales and profitability and prepare an accurate balance sheet.

Business data can be viewed the same way. You can, and should, determine what data needs to be backed up and how often.

Important data (sales receipts, employee time/payroll, etc.) should be backed up every day. Employee records, inventory counts and values and other less critical data can be backed up less often, but probably not less than weekly. A general rule of thumb is to err on backing up more often rather than less often.

If you have software that helps manage your business data, it likely has an automatic backup facility that will run at regular, pre-determined intervals. If you aren’t using data management software, you can still do manual backups. Manual backups should also be done at regular, predetermined intervals. Almost always, backups are done when systems are not in use, meaning after business hours, so having automatic backups scheduled means you don’t have to spend extra time at your place of business.

When you perform backups, the recommendation is the 3-2-1 rule: three copies of your data, two local (on different devices) and one off-site. For most businesses, this means the original data on your computer, a backup on an external hard drive, and another on a cloud backup service. A mix of internal and external/cloud location is critical to make sure your data is protected and can be quickly retrieved if necessary. 

While it is generally agreed that backups need to be done at regular intervals, the next question is what type of backup is appropriate. There are four basic types of backup: full, incremental, differential and synthetic full. Let’s look at each and define what they are.
 
Full Backup

A full backup is exactly what the name implies. It is a full copy of the entire data set of your business. Although a full backup usually provides the best protection, many businesses do not need to do them on a daily basis. The files that are to be copied during the full backup process are designated beforehand by a backup administrator or other data protection specialist.

If you haven’t been doing backups in your business, a full backup is the place to start. The first full backup becomes the baseline against which subsequent backups will be compared and applied.

Full backups consume the most tape or disc capacity and are time consuming, as they back up the most data. Full backups only need to be done once though you may decide that on occasion a new full backup should be done. But keep in mind the 3-2-1 rule. You shouldn’t be making just one copy, and each copy will require adequate storage. The second article in this series addressed finding out how much data you have, which was leading to this, so you would know how much storage, both internal and external (cloud), would be required. 

Incremental

Incremental backups are a way to increase backup speed and decrease storage space compared to doing a full backup. Incremental backups only back up data that have changed since the last backup.

As an example, suppose you created a full backup on Saturday evening, and used incremental backups for the rest of the week. The backup done Sunday evening would only capture the data that changed since Saturday. The backup done Monday evening would only capture data that changed since Sunday, and so on.

The primary disadvantage of using incremental backups is they can be time consuming when a restore is required. Using my previous example, suppose you wanted to restore the backup from Tuesday. To do so, you’d have to restore Saturday’s full backup. After that you’d have to restore Sunday’s backup, then Monday’s, and then Tuesday’s. Additionally, if any of the backups in that chain is damaged or missing, you will have an incomplete data recovery.

Differential

Differential and incremental backups are similar as both start with a full backup, and subsequent backups contain only data that have changed. The difference between differential and incremental backups is that an incremental backup only includes data that have changed since the previous backup, while a differential backup contains ALL of the data that have changed since the last full backup.

As an example of a differential backup, suppose you created a full backup on Sunday evening, and differential backups the rest of the week. Monday’s backup would capture all the data that have changed since Sunday. At that point it would be identical to an incremental backup. However, on Tuesday the differential backup would again back up everything that had changed since Sunday, Monday’s changes included, along with Tuesday’s.

The advantage a differential backup has over an incremental backup is shorter restore times. In any scenario where downtime is critical, such as disaster recovery, rapid restore is important. Restoring a differential backup never requires more than two backup sets. Incremental backups could require numerous additional backup sets. The tradeoff is that as time progresses, differential backups can grow to contain much more data than incremental backups and require additional storage resources.

Synthetic Full

A synthetic full backup is a variation of an incremental backup. The backup routine begins with taking a full backup followed by a series of incremental backups. Synthetic backups take it a step further.

What differentiates a synthetic backup from an incremental backup is the backup server actually produces a full backup. This is done by combining the existing full backup with data from the combined incremental backups. This creates a synthetic backup that is indistinguishable from a full backup created the traditional way.

The primary advantage of a synthetic full backup is it significantly reduces the time needed to do data restoration. Restoring a synthetic full backup does not require multiple tapes or disc sets like an incremental backup. 
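To make the four backup types concrete, here is an added example (not code from the original article or from any backup product) that simulates one week of edits to a constructed set of shop files and builds the backup sets each strategy would keep. The file names, version numbers, and the Saturday-evening full are all constructed sample data. `restore_chain` shows how many sets each strategy needs to get back to a given day, `restore` applies them in order and can drop one set to show the incomplete recovery the article warns about, and `storage_cost` shows the differential sets growing through the week.

```python
"""Simulate full, incremental, differential and synthetic full backups over one week."""
from typing import Dict, List, Optional

DAYS = ["Sat", "Sun", "Mon", "Tue", "Wed", "Thu", "Fri"]
FULL_DAY = "Sat"  # the full backup is taken Saturday evening

# Constructed sample data: file name -> version number after that day's edits.
BASELINE: Dict[str, int] = {"sales.db": 1, "payroll.xlsx": 1, "inventory.csv": 1, "customers.db": 1}
EDITS: Dict[str, Dict[str, int]] = {
    "Sun": {"sales.db": 2},
    "Mon": {"sales.db": 3, "inventory.csv": 2},
    "Tue": {"payroll.xlsx": 2},
    "Wed": {"sales.db": 4, "customers.db": 2},
    "Thu": {},                      # a quiet day: nothing changed
    "Fri": {"inventory.csv": 3},
}


def live_state(through_day: str) -> Dict[str, int]:
    """Ground truth: every file's version at the end of through_day."""
    state = dict(BASELINE)
    for day in DAYS[1:DAYS.index(through_day) + 1]:
        state.update(EDITS[day])
    return state


def build_backups(strategy: str) -> Dict[str, Dict[str, int]]:
    """Return {label: backup set}. Every strategy starts with Saturday's full."""
    sets = {FULL_DAY: dict(BASELINE)}
    since_full: Dict[str, int] = {}
    for day in DAYS[1:]:
        since_full.update(EDITS[day])            # cumulative changes since the full
        if strategy == "incremental":
            sets[day] = dict(EDITS[day])         # only what changed since last night
        elif strategy == "differential":
            sets[day] = dict(since_full)         # everything since the full, again
        elif strategy == "synthetic_full":
            # the backup server merges the full with the incrementals so far;
            # the result is indistinguishable from a full taken that night
            sets[day] = {**BASELINE, **since_full}
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return sets


def restore_chain(strategy: str, target_day: str) -> List[str]:
    """Labels of the sets that must be restored, in order, to reach target_day."""
    if target_day == FULL_DAY:
        return [FULL_DAY]
    if strategy == "incremental":
        return DAYS[: DAYS.index(target_day) + 1]   # full, then every night after it
    if strategy == "differential":
        return [FULL_DAY, target_day]               # never more than two sets
    return [target_day]                             # the synthetic full alone


def restore(strategy: str, target_day: str, missing: Optional[str] = None) -> Dict[str, int]:
    """Apply the chain in order. If one set is damaged or missing, recovery is incomplete."""
    sets = build_backups(strategy)
    state: Dict[str, int] = {}
    for label in restore_chain(strategy, target_day):
        if label != missing:
            state.update(sets[label])
    return state


def storage_cost(strategy: str) -> int:
    """File copies kept across the week (a proxy for tape/disk capacity).
    For synthetic_full only the synthesized fulls are counted, not their inputs."""
    return sum(len(s) for s in build_backups(strategy).values())


if __name__ == "__main__":
    for strategy in ("incremental", "differential", "synthetic_full"):
        chain = restore_chain(strategy, "Tue")
        ok = restore(strategy, "Tue") == live_state("Tue")
        print(f"{strategy:15} restore Tue needs {chain}, correct={ok}, "
              f"copies stored this week={storage_cost(strategy)}")
    print("incremental with Monday's set missing:", restore("incremental", "Tue", missing="Mon"))
```

Running the script shows the tradeoff the article describes: the incremental chain for Tuesday is four sets, the differential chain is two, the synthetic full is one, while the differential sets stored over the week are roughly double the incremental ones, and dropping Monday's incremental leaves `inventory.csv` and `sales.db` at stale versions without any error being raised.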

What type of backup you choose depends on how often you want to do a backup, what your need is to possibly restore data, and how much capacity you have, internally and externally, to store the backups. This is a conversation you should have with your system administrator. It’s also important to periodically review your backup requirements and protocols as your business needs may change. 

You also should be doing backups on other devices used in your business. Your smart phones and tablets also need to be backed up to make sure all the data you depend on can be restored when needed.

Next time I’ll discuss the data threats to your business and devices.

Comments? Contact Steve Bina: steve@humanpoweredsolutions.com

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 3, PASSWORDS

The initial article in this series dealt with systems used by your business and who should have what kind of access. In most cases, access is granted by the system administrator and conferred by a password. This makes password discipline an important component of your data security.

This discussion on password discipline does not mean your company won’t have a systems breach or that data will not be exposed. However, password security and protocol is a good first-line defense and hopefully you will find some best practices in this article you can incorporate in your business.

Is password security a big deal? Yes, it is. How passwords are created is a key to greater systems security. In a major systems hack in 2020, over 32 million passwords were compromised.  Around 1% (320,000) of the passwords were “123456.” The next most commonly used password was “12345” followed by “11111”, “qwerty” and “abc123.”

In 2021 there were 1,862 data breaches, according to CNET. There were also 2,690 ransomware attacks. Both of these numbers represent double digit percentage increases from the previous year. They also represent only the attacks that were reported. It is not unusual for companies to not publicly report a hack or ransomware attack to lessen any panic or embarrassment.

When you or your employees create passwords, there should be a format so you don’t end up with the type of passwords shown above. Passwords should never use personal information such as the user’s name, age, birth date, pet’s name or anything else that might be found on-line.

Passwords should include a combination of letters, upper and lower case, numbers and characters. That may seem like common sense, but people don’t want to have to remember complex passwords, or they forget them if they don’t use them every day. Strong passwords can be easy to remember but hard to guess. A couple of examples: Iam:)2b29 (I am happy to be 29) and 2B-or-Not_2b (to be or not to be).

Another security protocol is passwords should not be reused. Users, in an attempt to remember passwords for multiple systems, will use the same password for each system, e-mail, social media, payroll, accounting, POS and more. Two recent breaches revealed a password reuse rate of 31% among victims. Reusing passwords is bad enough when someone outside your business is trying to get access to your data, but also presents a significant and often overlooked risk internally.

Passwords should not only be system specific, but individual specific too. Being able to see who logs into systems used by your business allows for audit if data goes missing or is compromised. Like so many other threats to your business, bad actors are not always external, so being able to track internal data access is important.

How often should passwords be changed? The thinking on that is evolving. It was originally recommended changing a password every three months. That recommendation made sense initially, but thinking has changed somewhat. A cyber security consultant at intrust IT told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password” (emphasis mine). So should you regularly force password changes or not?

The emphasis above about a strong and unique password cannot be overstated. Let’s start with some best practices for strong passwords.

Never reveal your password to others. This may seem logical, but many times employees share a password in an attempt to simplify system use and in a misguided sense of efficiency. Employees may feel they have been denied access to some systems to which they should have access to do their job, or that management made a “wrong” decision. One way they get around that is by using the password of someone who does have access.

Use different passwords for different accounts/systems. This may also seem logical, but as noted above employees will move towards what is easier for them. Many times that manifests itself by using one password for all systems.  

Length trumps complexity. The longer the password, the more difficult it is to crack. Each extra character could be a capital letter, a lower case letter, a number or a special character, and every one of them multiplies the number of possibilities. A brute force attack against a 6-digit password would take around 22 hours, an 8-digit password 46 hours, and for a 10-digit password an average of 2 years.

Complexity still counts. Use a combination of upper and lower case letters, numbers and characters. A gibberish (y_?\E4Dj) password is better than one actually made up of words. Note the sample here and the two examples given earlier.
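The best practices above can be turned into a check that runs before a new password is accepted. The following is an added example, not code from the original article or from any product: it flags the common passwords named in the breach figures earlier in this article, rejects passwords that are too short or use too few character classes, catches personal information and reuse, and estimates the brute-force search space so the "length trumps complexity" point can be seen in numbers. The thresholds `MIN_LENGTH` and `MIN_CLASSES`, the helper names, and the sample passwords other than the article's own two examples are assumptions chosen for illustration.

```python
"""Password policy check and search-space estimate for the rules listed above."""
import math
import string
from typing import Iterable, List

# Policy thresholds are assumptions for illustration; set them for your shop.
MIN_LENGTH = 8
MIN_CLASSES = 3
# The weak passwords named in the 2020 breach figures earlier in the article.
COMMON_PASSWORDS = {"123456", "12345", "11111", "qwerty", "abc123"}

# Each character class and how many symbols it contributes to the alphabet.
CLASS_SIZES = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 ASCII symbols
}


def char_classes(password: str) -> List[str]:
    """Which of the four classes the password actually uses."""
    return [name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)]


def search_space_bits(password: str) -> float:
    """log2 of the number of strings a brute-force search would have to cover
    if it already knew the length and the classes used. Every extra character
    multiplies the space by the alphabet size, which is why length trumps complexity."""
    alphabet = sum(CLASS_SIZES[name][1] for name in char_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, personal_info: Iterable[str] = (),
                   previously_used: Iterable[str] = ()) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems: List[str] = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common")
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if len(char_classes(password)) < MIN_CLASSES:
        problems.append("too_few_classes")
    lowered = password.lower()
    # personal details (name, birth year, pet) must not appear inside the password
    if any(len(info) >= 3 and info.lower() in lowered for info in personal_info):
        problems.append("personal_info")
    if password in set(previously_used):   # one password per system, never recycled
        problems.append("reused")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Iam:)2b29", "2B-or-Not_2b", r"y_?\E4Dj", "bikeshopinventory"):
        print(f"{candidate:20} classes={char_classes(candidate)} "
              f"bits={search_space_bits(candidate):5.1f} problems={check_password(candidate)}")
    # constructed personal details for a hypothetical employee
    print(check_password("Rover2015!", personal_info=["Rover", "2015"]))
    print(check_password("2B-or-Not_2b", previously_used={"2B-or-Not_2b"}))
```

The printed bits make the length point visible: the eight-character gibberish sample from the article uses all four classes yet covers about 52 bits, while a seventeen-character all-lowercase phrase covers about 80, so the longer one is the harder one to exhaust. `check_password` is deliberately strict about reuse and personal details because those are the two failures the article says employees drift towards; a shop would call it from whatever creates accounts, with the employee's name and birth date passed in as `personal_info`.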
  
The question remains, should you change your passwords regularly? The answer comes back to how strong and unique the passwords being used are. Obviously you can police your own passwords; for your employees, establishing protocols and inspecting compliance will ensure they too create strong passwords.

If you think one of your systems has been compromised, you should change your passwords immediately. When an employee leaves, you should change your passwords. While it may seem the parting was on good terms, things change. Just because you think an employee leaving was to go back to school, a better job or a relocation, doesn’t automatically make it so.

Something could change and that “friendly” parting might turn sour, so why take the risk? The former employee may end up working at a competitor and decide that getting a list of your customers, your inventory or your profit margins would make them more valuable. Of course, something more sinister might happen, so protecting your data is always the best thing.

Earlier this article mentioned hacks and ransomware attacks. Both are targeted at your business data, but with slightly different purposes. If your systems get hacked, it may be to get a look at and/or copy some of your business data. Hackers could look at your customer credit card numbers, phone numbers, addresses and more. They could look at the financial information about your business like bank account numbers and personal information on your employees. This information may be sold and/or used to steal identities and cause significant problems for you, your customers and employees.   

A ransomware attack also targets your business data. Instead of just looking at the business data, a ransomware attack will encrypt your data or make it unusable to you. The endgame is to get your business to pay a ransom for a key to unlock your data. Most ransoms are requested in a cryptocurrency in return for an electronic key.

Either of these attacks should be reported to the authorities to allow tracking and hopefully keep this from happening to someone else. It also allows the opportunity to alert customers their information has been compromised and to quickly make changes and look for fraudulent charges.

As mentioned earlier, password security is a big deal. I’ve touched on two external threats but there are others both external and internal.  In a future article, I’ll address those and how and where you can back-up your data to minimize those threats. 

Thoughts? Contact Steve Bina: steve@humanpoweredsolutions.com.

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 2

In Part 1 of this series, there was a discussion leading to a better understanding of the systems used in your business, how they function, how they are administered, and who should have what kind of systems access. The last article also talked about the data each system generated, captured, saved and analyzed.

In this installment, we’re going to explore what kind of data you have and how that data could be managed. Some of the systems used in your business may be managing the data automatically. Maybe that is the case, but more than likely the management of your data is a manual process.

As before, this topic and the things we’ll discuss won’t guarantee you’ll never have a systems or data problem, breach or loss of data. But hopefully this will provide tips that will minimize the chances of that happening.

The first and very significant question you need to answer is how much data do you have. That should be a simple question to answer yet, more often than not, the answer is, “I don’t know.” The business owner will say their computer or server has X number of gigabytes and since there is still empty space there can’t be more data than that. The short answer is that’s correct, but may not be accurate.

Computers and servers host all types of software. That takes up a lot of space on the hard drive. In some hardware configurations there may be multiple hard drives, some that host the software and some that host the data. That brings up the issue of where you store your data. In house? In the cloud, with a managed service provider (MSP)?

Where data gets stored may seem like a simple issue but has a number of facets to consider. How often will you need access to the data? For example, data from a point-of-sale (POS) system will, hopefully, see many inputs during the business day. As I mentioned in the first article, how your business systems interface with one another is crucial.

A sale processed through your POS system will have data points needed for your accounting system and inventory system at a minimum. Your business may also wish to capture data points on the customer, the date of purchase, the reason for the purchase, whether a promotion of some kind brought the customer to your business, if this sale was to a new or repeat customer, whether the customer was local, and other relevant data points. Not all of this data needs to be stored on your business computers or servers. It could be but would it truly be necessary? There are options to consider.

Another example is e-mail correspondence. When an e-mail is written and transmitted, every person keeps a copy. It can be saved or deleted at your convenience. If the e-mail is written and sent to a single person there are two copies, one for the sender and one for the recipient. What happens if the e-mail is copied to a couple of people in your business to keep them informed? Each person now has their own copy saved somewhere on your company’s computer or server. This is something almost no one thinks about. Over time it can consume a LOT of disk space, especially if there are attachments.

If all your data is kept on your computers and servers, are you also running some data protection or data management software? If you aren’t, you probably should. There are numerous companies that offer this kind of software; your systems administrator, the company that oversees your hardware and/or industry organizations should be able to make recommendations.

One feature to look for when considering data management software is deduplication. This is a feature that eliminates the kind of duplication I described with the previous e-mail example. Typically, a record that is deduped will still retain a “stub” that, when called upon, will allow recall of the original record for display.

Another feature to look for is data metering. Most data management software will use “upfront” metering, meaning data is measured when it is first input through the software. This is important, as most data management software products are priced by the amount of data they protect. With upfront metering, any backups or subsequent internal copies are not counted against the purchased capacity.
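The two features just described, deduplication with stubs and upfront metering, fit together in one small model. The following is an added example, not code from the original article or from any data management product: a content-addressed store that keeps each distinct attachment once, leaves every mailbox a stub pointing at it, and counts bytes against capacity only the first time a piece of content is seen, so neither the extra copies nor a backup of the store move the meter. The e-mail thread, the attachment bytes, and the recipient names are constructed sample data.

```python
"""Deduplication with stubs and upfront metering, modelled on the e-mail example above."""
import hashlib
from typing import Dict, Tuple


class DedupStore:
    """Content-addressed store: identical data is kept once, every owner keeps a stub."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}             # sha256 -> the single stored copy
        self.stubs: Dict[Tuple[str, str], str] = {}   # (mailbox, item) -> sha256 stub
        self.metered_bytes = 0   # upfront metering: counted once, on first ingest
        self.logical_bytes = 0   # what the mailboxes collectively believe they hold

    def ingest(self, mailbox: str, item: str, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self.logical_bytes += len(data)
        if digest not in self.blobs:            # first time this content is seen
            self.blobs[digest] = data
            self.metered_bytes += len(data)     # only new data counts against capacity
        self.stubs[(mailbox, item)] = digest    # the stub is all the mailbox keeps
        return digest

    def recall(self, mailbox: str, item: str) -> bytes:
        """Follow the stub back to the original record for display."""
        return self.blobs[self.stubs[(mailbox, item)]]

    def physical_bytes(self) -> int:
        """Disk actually used by the deduplicated blobs."""
        return sum(len(b) for b in self.blobs.values())

    def take_backup(self) -> Dict[str, bytes]:
        """A backup copy of the store; under upfront metering it is not charged."""
        return dict(self.blobs)


# Constructed sample: one e-mail with a 140,000-byte attachment sent to four people.
ATTACHMENT = b"2023 price list, line item: " * 5000
RECIPIENTS = ["owner", "manager", "mechanic", "bookkeeper"]


def simulate_email_thread() -> DedupStore:
    store = DedupStore()
    for who in RECIPIENTS:
        store.ingest(who, "price-list.txt", ATTACHMENT)
    # The manager edits one byte and mails the result back: genuinely new content,
    # so it is stored and metered as a second blob.
    edited = ATTACHMENT[:-1] + b"!"
    store.ingest("owner", "price-list-v2.txt", edited)
    store.take_backup()   # a second physical copy somewhere else, zero metered effect
    return store


if __name__ == "__main__":
    s = simulate_email_thread()
    print(f"mailboxes think they hold {s.logical_bytes:,} bytes")
    print(f"disk used {s.physical_bytes():,} bytes, metered {s.metered_bytes:,} bytes")
    print("stubs:", len(s.stubs), "blobs:", len(s.blobs))
```

Five mailbox items resolve to two stored blobs, and the metered figure matches the physical figure rather than the logical one; that is exactly the gap between what a shop's mailboxes appear to hold and what it pays the software vendor to protect. Changing a single byte defeats deduplication, which is why versions of a spreadsheet passed around by e-mail are not reclaimed the way identical copies are.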

So, where is your data stored? Earlier I asked this question. Now I’ll talk about the alternatives.

I spoke recently with a business owner and asked him that question and was slightly stunned by his response. He told me, “All the data in my business is stored on a couple of one terabyte thumb drives.” That may work, but certainly would make any retrieval or analysis of that data problematic. The question I was really asking him was where his data is stored: on-site, off-site, or in the cloud. There are pluses and minuses to each, so you need to understand them to make the best decision for your business. There is no right or wrong answer, but how your business intends to use the data will have an impact on where it’s kept.

Having all your data stored on-site is fine when you have a handle on how much data you have, how often you need access to that data (some or all), and how you intend to analyze the data to help run your business. However, keeping all the data on-site may cause problems with actual storage and disaster recovery, something I will talk about in subsequent articles.

Having all the data off-site also is workable when you understand how much and what kind of data you are managing. It makes disaster recovery less of an issue, though it really just pushes the issue downstream. Is the facility that is storing the data able to recover and restore if they suffer a disaster? If so, how long will they take to restore the data so your business can get up and running?

Storing off-site also may make it more difficult to retrieve data in a timely manner, requiring advance planning to make sure data is available and accessible.

Another consideration is cost. Most data storage facilities, commonly called managed service providers (MSP), charge storage by the gigabyte per month. The question your business should investigate is whether the storage fee is more or less expensive than the cost of having your own storage and maintenance of that storage. And note, some MSPs will offer a hybrid solution where they manage the data both on-site on your infrastructure, and off-site on their infrastructure.

Finally, understanding how much and what kind of data you have is also important when considering a cloud solution. Most cloud solutions closely resemble what is described above as an MSP with one big difference. Cloud data is always off-site storage and usually can be accessed from almost anywhere from almost any computer with the right credentials. (If you didn’t read the first installment about systems access in the February Micromobility Reporter, now might be a good time if you’re considering a cloud solution.)

Now that the business is thinking about how much data it has and where it should be stored, you also should be thinking about how you curate your data. The primary consideration is the legal requirement for data retention in your jurisdiction. Of course, not all business data will be subject to legal requirements, so seek counsel on what needs to be legally retained and for how long. And as important as it is to retain certain data for a specified period of time, it is just as important to delete data that is no longer legally required. Why? Should the business ever get audited, it will only be required to produce data within the legal retention requirements. If the business has been inconsistent with when/what data is deleted, it could be deemed suspicious and lead to a prolonged audit.

If the business is paying for off-site storage, you will want to properly manage the amount of data being stored since that will be the basis of your monthly bill.

In my first article I discussed the importance of who has access to the systems in your business and the interfaces. The same care needs to be applied to the curation of the data the business creates. Likely this isn’t something you’ve spent a lot of time considering. Who has the ability to delete or retain data could have a huge impact on your business.

Managing your data and where it is stored can help your business run more smoothly and provide timely information. The next article will discuss system and password security.

Questions? Comments? Contact Steve Bina, steve@humanpoweredsolutions.com

HOW TO MANAGE TECHNOLOGY IN BIKE SHOPS, PART 1

Does this look like how you manage the systems in your business? You’d be surprised how many times I hear “yes, it is.” Then again, maybe you wouldn’t.

Too many times the systems used to manage a small, and not so small, business are treated as a nuisance rather than tools. Like any tool, your systems need to be cared for properly, upgraded as necessary, protected and kept sharp.

Over the next few installments, we’re going to talk about how the systems that keep your business running can be and should be managed, protected and strengthened. We’ll discuss how you can set up protocols to protect passwords, how often and where you can or should back up your data, and how to identify and mitigate threats to your data.

These won’t guarantee that you’ll never have a systems problem, breach or loss of data. But hopefully they will provide you with tips that will minimize the chances of that happening.

Your business depends on information you can trust. Some of that information is intrinsic and obvious, some of it not so much. A lot of the information you need comes from the data you capture, save and analyze from the systems you use to manage your business.

Some of the systems may be simple, a spreadsheet to track the hours of your employees or card files to keep track of inventory. Some of the systems may be more sophisticated, a payroll system that makes sure deductions and taxes are calculated correctly, or an accounting system that lets you measure the profitability of your business or where investments will have the greatest return.

So a starting point is to identify the individual systems you use in your business. I mentioned a couple of them above, but you should make a list so you know what is running in your business. Again, you might be surprised by how many business owners don’t fully realize how many systems they have running. Here is a partial list to get you started:

> Accounting/Taxes
> CRM (customer resource management)
> Inventory
> Operating System – primary
> Ordering
> Payroll
> POS (point-of-sale)

The above listing may not be complete relative to your business. If not, go ahead and add what I missed.

Once you have listed all the systems you use, then you should determine whether the system is wholly contained inside your business (internal) or is connected to a server or company outside your business via an internet connection (external). A system that is wholly contained internally doesn’t mean you can ease up on how you manage it, but may not require all the protocols we’ll discuss today or in subsequent articles.

Once you’ve determined what systems you use, and whether they are internal or external, the next step is to determine who has access and at what level. What a specific system does will determine which employees should have access and with what permissions.

Typically, the highest level of access is for the system administrator. Administrator access should be restricted and tightly controlled. While it may be tempting to have yourself as the sole administrator, it is good practice to have one other person with administrative permissions on select systems. This provides the business a backup should one person be away and changes need to be implemented.

Each system usually will have different levels of user access as well, limiting what parts of the system they can access and/or what kind of input they are allowed to enter. For example, if you have a payroll system, you could allow employees to enter their hours but not their pay rate.

In addition to system access, you will also want to determine who has what access to system interfaces, i.e. what data from one system gets transferred to another, and who has the ability to make or change how data passes from one system to another. An example of this would be the interfaces from your POS system to your inventory system, accounting, payroll (is there a commission component to compensation?), and possibly others.

Access is a tightrope, and there is no right or wrong way to determine who should be granted what kind of access. The general rule of thumb is you want to restrict access to protect your business, but not so much that it causes dysfunction. So how much access is too much? I’ve always found it is easier to grant as little access as necessary initially, and as conditions warrant allow additional access. It is far easier to grant new systems access to an individual than to take it away.

It is also a good practice to re-evaluate systems permissions periodically. When employees get promoted or move to a different department, their access requirements to company systems may change as well. Sometimes access to certain systems should be removed when an employee changes position. New access should not be added without a review of current system access to determine if any is no longer needed.
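The periodic re-evaluation described above can be written down as a simple check. The following is an added example (not a tool from the article); the role-to-system matrix, the system names, and the employee records are constructed assumptions, and the "self" level stands for the payroll case of entering one's own hours but not one's pay rate.

```python
# Added example, not from the article: a small access-review check.
# Role matrix, system names and employee records below are constructed.

# Least-privilege baseline: which systems each role needs, and at what level.
ROLE_MATRIX = {
    "owner":      {"pos": "admin", "inventory": "admin", "accounting": "admin", "payroll": "admin"},
    "manager":    {"pos": "admin", "inventory": "admin", "accounting": "user"},
    "mechanic":   {"pos": "user", "inventory": "user", "payroll": "self"},
    "bookkeeper": {"accounting": "admin", "payroll": "admin"},
}
# Systems where the "one other administrator" backup rule should hold.
NEEDS_BACKUP_ADMIN = {"pos", "accounting"}


def review_access(employees, grants):
    """employees: name -> current role; grants: (name, system, level). Returns findings."""
    findings = []
    admins = {}                      # system -> set of admin names
    for name, system, level in grants:
        role = employees.get(name)
        if role is None:             # grant survived a departure
            findings.append(f"{name}: has {level} on {system} but is not a current employee")
            continue
        needed = ROLE_MATRIX[role].get(system)
        if needed is None:           # typical after a change of position
            findings.append(f"{name} ({role}): {system} access is not required by role")
        elif level == "admin" and needed != "admin":
            findings.append(f"{name} ({role}): admin on {system}, role needs only {needed}")
        if level == "admin":
            admins.setdefault(system, set()).add(name)
    for system in sorted(NEEDS_BACKUP_ADMIN):
        if len(admins.get(system, ())) < 2:
            findings.append(f"{system}: fewer than two administrators")
    return findings


def demo():
    """Constructed scenario: Dana moved from mechanic to bookkeeper; Pat has left."""
    employees = {"Alex": "owner", "Dana": "bookkeeper", "Kim": "mechanic"}
    grants = [
        ("Alex", "pos", "admin"), ("Alex", "accounting", "admin"), ("Alex", "payroll", "admin"),
        ("Dana", "accounting", "admin"), ("Dana", "payroll", "admin"),
        ("Dana", "pos", "user"),                                # left over from mechanic days
        ("Kim", "pos", "user"), ("Kim", "inventory", "admin"),  # more than the role needs
        ("Pat", "inventory", "user"),                           # no longer an employee
    ]
    return review_access(employees, grants)
```

Running `demo()` flags Dana's leftover POS access, Kim's excess inventory admin, Pat's orphaned grant, and that the POS system has only one administrator.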

Another thing to consider as you evaluate the systems your business uses is the management and updating of those systems. It doesn’t matter whether this is an internal or external system, or whether it is a manual or computer system, at some point they will need to be upgraded. For a manual system it can be done at your convenience, though that may get driven by the interface to a computer system which has issued a new release and requires a revised interface.

This is another area where the nuisance part of systems happens. Most software programs are continually updated with new features, bug fixes and general improvements. It is important to stay current with these updates. Microsoft continually sends updates to Windows and will tell you when a particular release will no longer be supported. Some other software programs don’t. Rather, they will notify you of an update or send you new code you need to install. To ensure your systems are running the latest version, you should have a specific person who is responsible for system upgrades. Most often this would be one of the system administrators. And it is incumbent upon the business principal to make sure all systems are using the latest version.

Along with making sure the systems themselves are up-to-date, it is important the hardware is also up-to-date. This may come as a result of an upgrade to a specific system that requires new capabilities from a specific piece of hardware, adding another device to an existing network, or replacing a device already attached. As with software updates you will probably want to keep this ability reserved for your system administrators. However, keeping the hardware updated may require outside help to make sure all the hardware works together.

A lot of the above may seem like common sense, and a lot of it is. The key is it also requires advance planning, to keep the tools of your business cared for properly, protected and sharp. In the coming installments we’ll look at systems security, how much and how often you should consider backing up your data, and how to minimize threats to your data.

Comments? Thoughts? Reach Steve Bina at: steve@humanpoweredsolutions.com