Cyber Wellbeing

It’s been over 6 months since my last post, and frankly the time during Covid seems to pass at warp speed! I can’t believe I’m already thinking and planning for the summer! We are making progress in the fight against Covid, vaccines are rolling out, and schools are opening, which has got me thinking more about building my business again.

But overshadowed by my new optimism and all the headlines of the election, the storming of the Capitol and Covid, the last six months have been witness to the most active and destructive cyber security events in recent history. The depth and breadth of these attacks is staggering, with implications for our economy and government. We are in a new age of cyber risk for businesses, so we all need to get better prepared to manage and guide our organizations through these new challenges and new growth. Here is just a quick list of what you may have missed…

  • SolarWinds supply chain hack, which affected 18k businesses and multiple government agencies including Microsoft, Cisco, Amazon, the US Treasury Department, Department of Commerce and many others. This hack led to the disclosure of untold sensitive and critical data to foreign adversaries and the loss of control of critical government and business networks.
  • Microsoft Exchange hack leading to over 60,000 organizations having their email systems compromised and likely accessed by unauthorized users.
  • Accellion supply chain hack, which led to the compromise of thousands of high profile businesses and government agencies and the disclosure of personal, privileged and sensitive information around the globe.
  • FireEye systems and data breach leading to disclosure of critical client information, which includes many Fortune 500 and government agencies and included the code to sophisticated testing and cyber espionage tools used by their offensive testing team.
  • SITA systems and data breach exposing personal and sensitive information about airline passengers from over a dozen airlines.
  • BlackBaud systems and data breach compromising their systems and exposing sensitive information about donors and Not for Profits including healthcare systems, charities, universities and hospitals.
  • and so many more…

To help business owners and managers understand and address these new realities, I recently penned a blog post for Ihloom, Mantra Computing’s sister cyber security business, about a new set of business skills we call Cyber Wellbeing. Like many business owners and managers, I am comfortable reviewing my business’s financial wellbeing: knowing where our revenues are, expenses, inventory, sales pipelines, etc. But most business owners and managers have no idea what their current risk of a debilitating cyber event is. What are the costs of preventing a cyber event? What are the costs of being unprepared? Will my cyber insurance cover my losses and ensure continuity of business?

My colleagues and I will be blogging on the Ihloom site and sending out related communications to continue educating business owners and managers on the concepts of business Cyber Wellbeing. If this is something that’s of interest to you, please check out the post and subscribe to our mailing list.

Like many of you, I’m excited about a post Covid rebirth. However, successfully capitalizing on this new opportunity will require being prepared. As G.I. Joe used to remind me, “Knowing is half the battle!”

OGN: Curly Girl Design

For this month’s OGN post, I’d like to bring attention to one of my oldest clients, Curly Girl Design.

After 9/11, like so many other people, I decided to make changes in my life. I moved back to Boston to be closer to my friends and family. I met Alyssa, the person who was to become my wife and mother to my three children, and I decided to start Mantra Computing. 

Back then I was a poor 26-year-old, starting a new business and living in my parents’ basement. I was following the girl of my dreams every week to hot and sweaty power yoga classes. Through volunteer work at the yoga studio, Alyssa and I became friends with many of the staff and community, and through that connection we became friends with Leigh, the founder of Curly Girl Design.

In fact, I was first introduced to Leigh’s work in the bathrooms of Baptiste Power Yoga Institute (BPYI) in Boston. Leigh was friends with Mariam and Rolf Gates, who were managing the BPYI studio and they were helping to promote her work. And what better place to see joyful, mindful and inspiring work than in the bathrooms!?

Leigh’s work is incredible. Her web bio says it’s “whimsical and witty,” which is true, but it is also colorful, wise and beautiful. In 2004 Leigh took the brave step of starting Curly Girl Design, a business based around licensing and distributing her designs. The pictures below are some of the pieces hanging in my home. You can see a lot more of her work on her Instagram page and in shops throughout the US. 

Turmoil and unrest bring change. Things change in ways that we cannot always see in the moment. During “these hard times,” as I often hear it said during the COVID quarantine, we can see all the big things including sickness and death of loved ones, social unrest, economic hardship, and social inequities. But the changes that will matter most are invisible to us now.

September 11th was one of those big moments that changed my life in ways that, until now, I didn’t fully understand. The big stuff was the attack on the towers, the loss of life, the ensuing war in Afghanistan and all the changes to air travel and the economy. But what doesn’t get recorded or noticed are all the little decisions people make as a result of the big stuff, including things like my move to Boston or Leigh’s move to go out on her own.

As I reflect on the early days of Mantra Computing and working with clients like Curly Girl Design, I can see all the beautiful things that grew from the 9/11 tragedy. I try to remember that as we all deal with today’s challenges.

Through Leigh’s designs and words, Curly Girl Design helps remind us of what’s important. She helps us reframe our reality and refocus us on a future that isn’t always clear. If you’re looking for inspiration, please check out Leigh’s creations at Curly Girl Design.

OGN: Vibram, This Sole’s got Soul!

As part of my OGN series (Operation Good News), I’d like to profile a long-time client and brand that many of you are familiar with, Vibram. Vibram makes the soles for top footwear brands and also designs and develops their own products like Vibram FiveFingers and Vibram Furoshiki. I began working with what was then called Vibram USA back in 2007. At the time, Vibram was a mostly Italian company with a small presence in the US. There were two pieces of the business on the US side: Soles and Components, who helped other footwear companies design and use Vibram soles, and a small upstart called Vibram FiveFingers.

FiveFingers was a design concept developed in Italy that Vibram thought other shoe companies would be interested in. When no other brands took interest, Vibram decided to take the product direct to market. This development coincided with a movement of minimalist and barefoot running, which was propelled forward by the popularity of the book Born to Run, by Christopher McDougall, in 2010.

There were only 6 people in the Vibram Concord office and they didn’t require much assistance given their small size. Also, the FiveFingers shoes seemed strange and hard to wrap my head around. So at the time I didn’t give them much consideration. Over time, however, Vibram has become one of the most gratifying and interesting experiences of my professional life.

Between 2007 and 2011, Vibram USA grew from a business with just a few US sales to revenues in the tens of millions. In that time, Vibram went from a mostly Italian company to a truly Global business.

In 2015, when Vibram acquired Quabaug Corporation in North Brookfield, MA, a business that’s been manufacturing rubber products in the US since 1916, it quickly and dramatically changed the size and operations of Vibram’s Global business. It also created one of the most dramatic and exciting cultural mashups I have ever been a part of.

One might wonder, what does an IT consultant know or care about culture? Although I started my career as an Electrical Engineer, I ended with an undergraduate degree in Cultural Anthropology and Studio Arts. Of particular interest was Italian culture, inspired by one of my all-time favorite books, an ethnography called The Broken Fountain, about the urban poor in Naples.

At Vibram, the cultural mashup included the corporate Italian culture, driven by the design and innovative heritage of the Bramani family in Northern Italy; the young, more urban and entrepreneurial startup culture of Vibram USA and FiveFingers; and lastly the established and more conservative culture of a rural US manufacturing icon in North Brookfield, MA.

I believe the resulting company has emerged stronger and more dynamic, due in part to the resulting diversity of ideas and experiences. This was most recently demonstrated to me by the way Vibram has managed through the COVID-19 pandemic.

I have been impressed by their leadership and their commitment to their business and their people. They have successfully managed staff and business operations in three major virus hotspots including Northern Italy, Boston and Guangzhou, China. Just this month they reopened their manufacturing facility in Albizzate, Italy.

Stories of responsible businesses should be celebrated in these times of challenge. There are too many negative stories of big businesses stealing recovery funds, pushing for the bottom line and sacrificing the safety of their front line workers. Vibram can stand proud of its record and I’m proud to have contributed in some small way to their success over the last 13 years. Vibram has certainly demonstrated it has a lot more soul than the soles it produces.

Information about Vibram and their products can be found on their website and their myriad social media channels, which I’ve listed below. Looking for their iconic Vibram logo on your next pair of shoes is the best way to support them. If you’re a member of the US military or have family who are, you’re already walking around on Vibram soles manufactured right here in North Brookfield, MA.


OGN! Let’s take it From the Top

With the Quarantine dragging on and the days and the weekends melding into one long stretch, I have been thinking a lot about how lucky I am in general, and how lucky I am to have such incredible clients. I know there is a lot of loss and suffering including lost jobs, lost business, lost health and life, and food insecurity, to name just a few. It is hard to stay focused each day and stay positive. So I’m launching OGN, Operation Good News! With 17 years in business and lots of incredible clients and experiences, I have some things I’d like to share!

The first client I’d like to profile is From the Top. I was first introduced to From the Top in 2007 through a relationship I had with Kevin Marren, a salesperson from Thrive Networks. These were the early days of Mantra Computing and there were only 3 of us on staff. Any new business was good business and Kevin was a lifeline. At the time Thrive was so busy with work that they kept throwing us any business they didn’t want. We were happy to take it.

From the Top had suffered some technology challenges including a crashed server and lost emails. From our first meeting I knew we could help them and get them back on firm ground. These days many of us take rock solid email, contact and calendaring for granted with offerings like Office 365 or G Suite. But back then we actually had to stand up our own solutions! Also, From the Top was a mostly Mac operation and Mantra Computing was one of the few shops in the area with deep Mac knowledge operating within Windows network environments.

I knew From the Top produced an NPR radio show but I didn’t understand the scope of their work. The show is just the tip of the iceberg! They find extraordinary kids from all over the country, mentor them, give them opportunities to learn from professionals and then perform on a national platform on the radio, online and in theaters!

I’ve been to several From the Top shows, and the quality of the production and the talent of these children is really mind blowing. When you see these kids come on stage and perform, it would be easy to feel excluded or put off. The subject matter can feel inaccessible to many of us, not being familiar with classical music and its etiquette. Also, these kids are so talented and have spent so much time learning the subject that their performances seem superhuman. But that is the magic! Instead of walking away feeling left out or overwhelmed, you feel inspired, awed and included.

I remember at age 15, traveling on a summer bike trip, our group was invited to attend a classical performance. Can you imagine a bunch of smelly 15-year-olds, who’d been biking for 2 weeks and sleeping in tents, being led into a theater? Truthfully, we were dubious and the surrounding audience didn’t look too pleased either. But the performance began and it was incredible. After the first movement we all clapped enthusiastically. It seemed like everyone was moved like I was. But then after the second movement, we all clapped enthusiastically again! We were quickly shunned by the surrounding guests. We learned you do not clap between movements. I can only speak for myself, but after that shaming, it was very hard to enjoy the rest of the show. And I have carried that experience with me to this day and still feel some anxiety when I try to enjoy a classical performance. I’m always worried about what I’m doing wrong and what I may be missing.

From the Top offers an opportunity for young people that is the opposite of my summer bike trip experience. They find ways to engage and amaze the audience, who are often young people of elementary to high school age. Their mission is to celebrate the power of music through the hands and eyes of a broad and young audience. When you’re there, you know something special is happening. I took my kids and walked away with a memory that I hope they will reflect on positively when they become adults.

Right now, the Quarantine presents a huge financial and operational challenge for cultural institutions, especially performance driven ones. From the Top specifically is limited in their ability to pursue their education and performance activities, which they rely heavily on for funding and donations. During this time of Quarantine, in addition to the support we give to essential workers, social and charity organizations, we all need to step up and make an additional effort to support our critical cultural institutions. If we don’t, we stand to lose them and all the beauty they bring to our lives. While the government relief funds are targeted at keeping the economy open and supporting critical businesses and institutions like hospitals, there is no special carve out for cultural institutions.

Please consider making a donation today to your favorite cultural institution. If you’re looking for a worthy organization, please check out From the Top. I’ve provided links about From the Top below, their online content and how to make a donation. They’re actively seeking and need the support to keep their programs running.

  • Daily Joy:
  • YouTube Channel:
  • Donate to From the Top Now

Introducing Ihloom! (pronounced illume, as in illuminate)

As you may have noticed, it has been over 2 years since I last posted! Honestly, the time has flown by so fast that I really didn’t think it had been that long. But there is good reason! My team and I have been busy working on a new project. And given the current craziness surrounding the Coronavirus, I thought, now is a good time to sit down and post and let everyone know what we’ve been up to!

In 2013 I read an article, referenced here, about how Facebook identified a zero-day Java exploit on one of its engineers’ laptops by monitoring Internet traffic, and how hackers were using it to communicate with their servers to steal data. Running an IT consulting and managed service firm, this article freaked me out. I thought, if this ever happened to one of my clients, how could they possibly be expected to detect and survive an attack like this? Facebook and its large dedicated data security team found a needle in a haystack. But this needle would not be hard for cyber criminals to place wherever they wanted, and most organizations would have no way of knowing about it.

A lot has changed since 2013, and there are tons of new cybersecurity products on the market. Many of them leverage artificial intelligence to try and fill the gap identified in that 2013 article and help security teams find the needle in the haystack. But a critical problem still remains with all these products: what do you do if you get an alert? All cybersecurity products block the most egregious offenders, but things that are just not normal or look suspicious get flags and alerts. Someone must evaluate the alert, determine if the alert is suspicious and develop an action plan to mitigate the risk or compromise.

The truth was, we were doing the best we could and followed all the best practices for an IT consulting business, but we could not effectively protect our clients from evolving and real threats. We also did not have the resources to monitor and respond to changing risks. We needed help, like most small and medium businesses.

And so we embarked on a 2 plus year journey learning, testing and training on all the latest security solutions. We trialled many platforms and actually put the slick marketing to the test. We developed a backend and an organization to drive and support these products. Today, Ihloom is protecting over 1,600 endpoints and over 100 different organizations. We have identified and mitigated more than 5 serious cyber attacks in the last year, saving our clients from real losses and business disruptions.

If you want to get your organization secure and compliant, Ihloom can help. What differentiates Ihloom are real, practical, vetted solutions and the knowledgeable staff and knowhow to get businesses secure. Putting a solution like this together takes time, hard work and experience, and we’re proud of the outcome.

2 Critical Security Flaws disclosed in Intel and other modern processors – what you and your organization need to know

Meltdown and Spectre

Two new critical security flaws were disclosed late last week related to Intel processors and also some other processor platforms including AMD and ARM, which can be found in servers, computers, cell phones, internet connected devices, etc. This applies to all operating systems including Windows, Linux, macOS, iOS, Android, etc.

The details of these flaws have been shrouded in secrecy. The full impact of both the risks and the proposed software fixes has been difficult to assess. At this point we know a lot more, but we still have a lot to learn. The full impact of the related software patches will only be understood as they are rolled out and reporting continues.


What are the details of the security flaws, what does this mean from a risk standpoint?

The two flaws are being commonly referred to as Meltdown and Spectre. They are both flaws in the design of the processor hardware, not software, and they affect how the processor isolates individual processes and prevents them from accessing each other’s memory. In other words, these two flaws allow programs on computers, devices and Cloud services to access information from other processes without authorization.

These flaws allow malicious code, which could simply be a web page you visit, to access secure passwords, encryption keys, etc. stored in processor kernel memory. So, for example, a web page running JavaScript in your web browser could potentially have access to information related to your password manager program or the encryption key for your secure drive. Or in a Cloud environment like Amazon Web Services (AWS), customer A’s virtual machine could potentially access data from customer B’s virtual machine if they are sharing the same physical processor.

Based on my readings, official awareness of these flaws dates as far back as June 2017. The software fixes currently being provided for Linux, macOS and Windows are on the kernel level and are very sophisticated. These types of changes require a lot of development time and testing. The fact that they’re rolling them out now means they’ve had a lot of time to work on them.

These design flaws have been present in chips manufactured for the past 10 or more years.


What’s being done about it and what action do I need to take?

Software updates have been developed both on the OS level (Windows, Linux, macOS, etc.) and by web browser manufacturers (Chrome, IE, Edge, Firefox, Opera, etc.) to mitigate the risks of these hardware flaws. It is important to install these patches, but at this time I’m recommending taking a slow and measured approach. There are some known software compatibility issues as well as significant machine performance degradation associated with the patches.


The following is a prudent approach:

  • For desktop computers, delay installing them for a short period of time, 1-4 weeks, due to the complexity and low level of the software changes in the OS patches. There are known software incompatibilities with many Antivirus packages, and there may be other software impacted by these changes that has not yet been discovered.
    • Mac OS High Sierra has been patched as of 10.13.2
    • Microsoft will be rolling out updates this week on Patch Tuesday
    • Many Linux distributions have started releasing updates.
  • Update web browsers ASAP including Chrome, IE, Edge, Opera and Firefox. The recent browser updates have protections to help prevent compromised or malicious websites from leveraging the processor vulnerabilities.
  • Check with your Antivirus software manufacturer for updates and confirmation that their product is compatible with the latest updates from Microsoft and Linux.
  • Update mobile phones and tablets as soon as patches become available.
  • For servers, delay installing them for one or two patch cycles to ensure compatibility issues are addressed and performance considerations are properly planned for.
  • If you run any applications or systems in AWS, Microsoft Azure and Google Compute Engine be aware of the following:
    • Amazon AWS began deploying software patches and fixes last Friday, which may impact availability and performance of your instances
    • Microsoft Azure will be performing updates and patches on January 10th which may impact availability and performance of your instances
    • Google Compute Engine appears to have already undergone needed updates but is requesting clients restart certain processes
  • Newer versions of the Intel processors will be updated with a microcode update, which will help mitigate the issue.
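One way to verify the Linux side of this rollout host by host, as an added example that is not part of the original post: since kernel 4.15 the Linux kernel reports its Meltdown/Spectre mitigation status in one small text file per issue under /sys/devices/system/cpu/vulnerabilities/, and this script classifies those files into mitigated, not affected, or still vulnerable. The status strings in SAMPLE_STATUS are constructed for offline testing and follow the kernel’s format; the function and variable names are my own.

```python
"""Report Linux kernel Meltdown/Spectre mitigation status from sysfs.

Added example, not code from the original post. The kernel writes one line
per issue, e.g. "Mitigation: PTI", "Not affected" or "Vulnerable", into
/sys/devices/system/cpu/vulnerabilities/<issue>. Any host that still reports
"Vulnerable" after a patch cycle has not picked up the fix and needs attention.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the kernel's format, used when sysfs is not available
# (non-Linux host, container without sysfs, or a pre-4.15 kernel).
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Vulnerable",
}


def classify(status: str) -> str:
    """Map one sysfs status line to: not_affected, mitigated, vulnerable or unknown."""
    text = status.strip()
    if text.startswith("Not affected"):
        return "not_affected"       # hardware does not have this flaw
    if text.startswith("Mitigation:"):
        return "mitigated"          # kernel-level fix is active
    if text.startswith("Vulnerable"):
        return "vulnerable"         # flaw present and no mitigation applied
    return "unknown"                # empty or unrecognised text: treat as unverified


def read_sysfs(directory=SYSFS_DIR) -> dict:
    """Read every vulnerability file the running kernel exposes; {} if none."""
    directory = Path(directory)
    if not directory.is_dir():
        return {}
    return {
        entry.name: entry.read_text().strip()
        for entry in sorted(directory.iterdir())
        if entry.is_file()
    }


def build_report(statuses: dict) -> dict:
    """Classify each issue and list the ones that still need a patch."""
    counts = {"not_affected": 0, "mitigated": 0, "vulnerable": 0, "unknown": 0}
    details = []
    for name in sorted(statuses):
        state = classify(statuses[name])
        counts[state] += 1
        details.append((name, state, statuses[name]))
    # "unknown" is deliberately grouped with "vulnerable": unverified is not safe.
    unmitigated = [name for name, state, _ in details if state in ("vulnerable", "unknown")]
    return {"counts": counts, "details": details, "unmitigated": unmitigated}


def format_report(report: dict) -> str:
    """Render the report as plain text suitable for a ticket or inventory note."""
    lines = [f"{name:<12} {state:<13} {raw}" for name, state, raw in report["details"]]
    if report["unmitigated"]:
        lines.append("ACTION: unmitigated issues -> " + ", ".join(report["unmitigated"]))
    else:
        lines.append("OK: every reported issue is mitigated or not applicable to this CPU")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample (sysfs not available here)"
    print(f"# source: {source}")
    print(format_report(build_report(live or SAMPLE_STATUS)))
```

Run it on each Linux host after the patch cycle; a host whose spectre_v2 line still reads "Vulnerable" is a candidate for the microcode or kernel update mentioned above.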


At this point the vulnerabilities have been around for over 10 years. We know the vulnerability was officially known as far back as June 2017. I think it would be naive to assume state actors and/or organized crime were unaware of this issue, either since last summer or perhaps well in advance of that. We should assume users have already been exposed to this risk and that mitigating it should be done cautiously so as to minimize interruption to productivity. There is no sense in running around with our heads cut off in panic. We should take care of the systems at greatest risk first, browsers and workstations, and cautiously work to address the rest until the next big revelation.

The Equifax Data Breach – What happened, What’s the impact, What to do and what NOT to do

What happened?

Equifax, one of the 3 major credit rating companies in the US, disclosed last week that their systems were hacked in July, publicly exposing 146 million Americans’ names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

What is the impact?

This information can now be used and cross referenced with publicly available information (online directories, public government records, etc.) and other publicly available data-breach data from other high-profile data breaches (Yahoo, Verizon, InterContinental Hotels Group, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, OneLogin, Blue Cross Blue Shield / Anthem, etc.) to form complete personal profiles of nearly half the population of the United States. A malicious actor with this kind of information can easily impersonate, steal from and financially ruin an individual.

This data breach is so bad and compromises the personal and financial security of so many Americans that it cannot just be swept under the rug. While I hope financial and legal remedies are imposed, we should all reach out to our state representatives to ensure that Congress takes on this issue.

What can I do to protect myself and my family?

You must become an active protector of your and your family’s public financial record:

  1. Get your free annual credit report, review and correct as necessary using the site
  2. Check the credit of yourself and all family members including children (sometimes children have their identities stolen and only find out when trying to apply for college loans)
  3. Implement a Credit Freeze with all three credit bureaus. Learn more about Credit Freeze here
  4. Always follow Safe Internet Behaviors outlined in this post

DO NOT do the following:

  1. Do NOT waste your money on credit monitoring services. There is a great article here exploring the problems and benefits of credit monitoring services like LifeLock, etc.
  2. Do NOT bother with Equifax’s free 12 month monitoring service offering. You will waive your right to participate in future class action suits and limit your future ability to take other legal action against them for damages.
  3. You can use the info at to learn more about the disclosure, but do NOT bother enrolling to determine if you’ve been impacted by this disclosure. You should just assume you have been, either by this disclosure or by another one, and take the above outlined steps.
  4. Do NOT panic; this high profile Equifax disclosure only highlights the risks that were already there. Following the above steps will significantly help protect your financial security.


To work is the play, better productivity all day?

Last September, a year ago, I posted an article on the messaging platform Slack. Since then, our office has transitioned to Microsoft Teams internally. I’m not certain if this will be our final resting point, but it offers a significant advantage for us: it integrates with our existing Office 365 services, saves the chat history indefinitely and doesn’t cost anything additional. However, working and experimenting with both platforms has raised some interesting discussions in our office about productivity and the role of “play” in the work environment.

Slack seems more fun than Teams, does that matter?

One of the things our users felt was that when comparing Slack and MS Teams, Slack was more playful and fun to use. And I think that is one reason we picked up the platform so quickly and easily. This got me thinking about what factors contribute to the successful adoption of new technologies and software. Usually software programmers are focused exclusively on core functionality and usability and not how fun the program is to use. This is especially true of line of business applications like SAP, Salesforce, etc. BORING!!!!

So, I wonder is there a role for fun and playfulness in today’s professional office that will encourage productivity, creativity, better outcomes and improve the work environment? I’m not talking about the ping pong and pool tables or video games of the Dot Com/2000s work environments. I’m talking about making fun and playfulness an integral part of daily tasks, programs, etc.

Fun is like dessert, there’s always room

I remember entering the workforce after college and marveling at how seriously people took their jobs and how stressed they’d become. Of course, I had no real responsibilities at the time except a car payment. In hindsight, I wasn’t very sympathetic to my coworkers with kids, mortgages, bills, etc. I would get so mad at how their desire for predictability would prevent them from trying anything new or taking on any new risks.

In this first job, I was tasked to educate a workforce who didn’t use email, had limited exposure to the Internet and relied heavily on manual logs, to start using modern computer and Internet based systems.

After deploying a new Exchange based email system, new high speed Internet (384K fractional T1) and all new computers, I set to work to try and get people to use these new systems and show their value to my bosses. I created daily and weekly games asking users to run through virtual scavenger hunts and trivia questions, and search for information online on any one of the many search engines of the time (Altavista, Lycos, Yahoo, Excite, etc.; Google didn’t exist). People played along, we had fun and it worked! They learned how to effectively perform Internet based research, use email, and get Internet based driving directions!

Successful technologies and companies know the power of fun and play; go ask Facebook, YouTube, Woot and Giphy!

One company you’ve probably never heard of is Giphy. This company is built 100% on having fun and helping people express themselves. They collect, license and curate animated gifs and then make them available to many platforms including Slack and Teams, so users can insert the perfect animated images to show how they feel, creating more fun interactions with friends and coworkers. Now that’s fun!


Fun play keeps us engaged, creative and helps us stay relaxed and lucid. My grandfather taught me the value of fun when I was young. He was a constant tease and prankster. My family tells the story of when he brought a cow to the top of the Brown University Clock Tower knowing full well cows can easily go upstairs but not down.

Facebook and Apple use Fun to disrupt markets

Looking to grow their business beyond the confines of social networking, Facebook has started moving into the business world with their new product Workplace by Facebook. It is a new work focused messaging and productivity platform to take on the likes of Slack, MS, and Google! With a huge existing user base who knows their product, a product built around fun and play, Facebook is in a position to totally disrupt and take over as the business communications and collaboration platform of choice.

Apple turned the business phone market on its head in 2010 with the introduction of the iPhone. Users and developers flocked to the new platform because it was fun and flouted the restrictive conventions that the BlackBerry products adhered to, including using a physical keyboard and minimizing bandwidth use. They effectively put BlackBerry out of business and supplanted them as the business phone platform of choice.

Diverse work environments with young people is important and is fun!

As a traveling consultant, I get to see the inner workings of many businesses. Based on that experience I think keeping a diverse workforce with young people is important. Young people don’t seem to have the same problem with embracing fun and new technologies as older people, myself included. I always learn something new and fun when I hang out with the younger staff at client sites. They are less rigid, more easily see the flaws in existing thinking and are more willing to take chances.

Is there a place for fun and play in my business?

I am convinced that having fun is critical to the success of my business.  We are in a customer service business. We are the first people our clients call when things don’t work. Even though this is what we are here for, it is hard to regularly be on the receiving side of this negativity. It is easy to get burned out.

But we survive with daily, silly group rants, silly Giphy images, and occasional company outings. For me, this creates a sense of community (even though we’re constantly spread out), elicits an occasional laugh and helps me keep perspective during what can be long days.  I think this elevates our service to our clients by keeping us happy and able to respond to our clients positively.

I don’t know if this approach will work for everyone, but I do think fun is powerful and can help with many businesses and organizations. I’ve seen successful sales and client service teams leverage silly messages to customers.

For example, I once got the following message from one of our technology partners at the bottom of one of his emails.

“Also, if you’re having a bad day and stressed out here’s some baby elephants to cheer you up.”

Of course, in today’s heightened security-minded environment, clicking on random links in an email is not advisable, so I’m not sure this is the best approach. But it was an interesting idea and the message did make me smile.

I don’t really know if there is a formula for fun and play in the workplace. In fact I suspect using a specified prescription could be experienced as formulaic and have the opposite effect. But I know for me it is a matter of keeping things light, remembering we’re not in the heart surgery business and that we should all be here by choice.



In a Cloud world, does backup still matter?

If your business is in the Cloud, don’t let ignorance be bliss. You may regret it!

I recently worked with a client, a law firm, on their Business Continuity plan. A Business Continuity plan is simply a document that spells out how a business will respond to different kinds of business interruptions including systems failures or catastrophic events.

Like many businesses, they’ve been working to migrate many of their systems to the Cloud. As I reviewed the different failure scenarios (i.e., fire/natural disaster, hardware failures in the office, Office 365 becoming unavailable, a Cloud app becoming unavailable, etc.) we realized that unlike the in-house systems, where we have multiple backups, online backup and failover, we really had no way of recovering if the Cloud solutions became unavailable or lost their data. The only option was to wait for the service to become available again and hope to recover the data.


A Cloud Provider Perspective: Trust us, our availability and retention systems are enough!

Several years ago I sat in a seminar put on by Microsoft for its Partners designed to educate and promote their evolving Cloud solutions including Office 365. One of the Partner participants asked “how are we supposed to backup the client data in Office 365.” The Microsoft representative seemed totally puzzled and annoyed. He simply said the systems will be available and offered an additional MS solution to enable mailbox archiving for an additional cost. For Microsoft Partners, this was a shocking perspective since MS has been promoting backup best practices through their certification programs for years.

This kind of laissez-faire response about backup is typical among Cloud providers. The Cloud is supposed to be simple, secure and easy, like turning on the switch from a utility. It turns out that backing up your data offline from a Cloud solution is difficult and is often an unbudgeted cost. So these questions are often swept under the rug by the providers and ignored by the subscribers.


Availability and retention, how do they differ from backup?

Most Cloud solutions rely on availability and retention to protect your data. This means they have sophisticated systems and redundant infrastructure so that if part of their system suffers a failure, the service remains available. They also keep multiple versions, changes and deletions for a certain number of days. But it’s important to remember that availability and retention are not a backup strategy.

A backup strategy employs unique copies of data in disparate systems, physically separated from production systems. It employs good retention policies that can keep copies of data for at least several months, a year or possibly longer. A good backup strategy also takes into account recovery of data to a production or backup system and how long that recovery will take (Time to Recovery).


So how secure is my data on the Cloud? The truth is cloudy

I looked at the Service Level Agreements (SLAs) and Master Service Agreements (MSAs) of several of the big Cloud providers to see what they actually do to protect your data.

Salesforce – Salesforce’s MSA seems to be one of the most limited I’ve seen on the market. It says they will “…use commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for:… (List of exceptions)” There is no statement ensuring backup of data or change retention. They also clearly spell out that the most they can be liable for under any circumstance is 12 months of services paid. If they lost all of your Salesforce data or couldn’t recover your account for 1-2 weeks, is that enough for you to stay in business?

Microsoft Office 365 – MS’s SLA is a bit more confusing, as they provide a financially guaranteed uptime formula for compensation called Service Credits. Service Credits “…are your sole and exclusive remedy for any performance or availability issues…” The uptime guarantee makes no specific guarantee of data integrity, but they do spell out all the efforts they make to protect your data. Like Salesforce, they also make no claims of backups. They do indicate they replicate data between 2 or more geographically disparate data centers and make other specific efforts to prevent data loss. If MS lost some or all of your data or couldn’t recover your account for 1-2 weeks, would receiving the financial benefits described in the Service Credits be enough for you to stay in business?

G Suite/Google – Google provides their Terms of Service as well as an SLA, but provides very little detail in terms of data protections or guarantees. They do offer an additional document on security here, which outlines some of their technologies and systems to protect customer data. The TOS and SLA specifically address “down time,” the period for which their services are unavailable. They offer similar language to Microsoft and offer Service Credits as a customer’s “…exclusive remedy for any failure by Google to meet the G Suite SLA.” If critical Google Docs became corrupt or unavailable for an extended period of time, how resilient would your business be?


What is the risk, is Google/Salesforce/MS likely to lose my data or go offline for an extended period of time?

The short answer is no, it is unlikely and the risk is low that any of these large Cloud solutions providers will lose your data or will remain offline for an extended period of time.

These providers are heavily invested in the protection of your data and the availability of their systems. For their own credibility and the future of their business, there is a heavy burden to make sure their systems meet the expectations and needs of their users. One major loss of data or extended down time could significantly hurt their credibility and possibly put them out of business. Some of the smaller and niche Cloud providers may represent a higher risk though, as they likely don’t have the same systems and resources that MS, Google and Salesforce do.

But hope and ignorance are not a plan and there is always some risk. These Cloud businesses work on large scales, so the loss of 100 Google Docs, while important to you, is likely not going to rock the Google ship! Getting resolution to 1 or 2 missing or corrupt Google Docs is not going to get a fast and personalized response even if they are critical to your $1M contract.


Betting on the Cloud is like going on a cruise

When I think about the question of risk with Cloud services, I always think of going on a cruise. Cruise ships are sophisticated giants, like floating cities, that roam the World’s oceans. They rarely have problems and have so much girth and sophistication that they can manage most challenges (Weather, systems failure, medical emergencies, food, etc.) But when things do go wrong, the outcomes can be disastrous. You do not want to be stuck on a cruise ship during a major storm, system failure, Norovirus outbreak, etc. And we still do keep lifeboats on board for a reason.


What should I do, I love what the Cloud does for me and my business

No one is arguing for not using Cloud solutions. In fact, leaving Cloud solutions out of your business’s technology arsenal will limit your competitiveness. But business owners and managers must treat Cloud solutions as critical business relationships rather than as a “utility,” as the Cloud industry promotes.

To make sure your business is strong, you must make sure these relationships are strong. Business owners and managers should do the following:

  1. Evaluate what Cloud solutions are in use and what functions they play within your operations
  2. Determine risks to your business should Cloud service or data become unavailable
  3. Evaluate existing contracts and determine what can be changed or enhanced to limit risk
  4. Implement backup and recovery solutions to mitigate identified risks
  5. Evaluate business continuity and cyber insurance to ensure your risks are properly covered
  6. Review Cloud relationships regularly to make sure your plans are still adequate for identified risks and newly identified risks

Ultimately, managing a Cloud solution is no different than what we’ve been doing for years to manage internal in-house infrastructure. Going to the Cloud has not eliminated the risks of technology failure, it has only shifted the operational burden. The risks still need to be identified and managed.


The challenge of Digital Identification in a Cloud world, Password Managers Emerge

At a time when the news headlines are filled with a parade of data breaches (DNC, Yahoo, etc.), the Password Manager has emerged as an effective tool to solve the problem of Digital Identification. Digital Identification is the way you prove who you are to all your Cloud-based online accounts.

The Password Manager is an online system combined with software tools that allows users to create long, complicated password strings that are unique to each online system. This prevents passwords from being guessed and prevents a compromised password from being used to access other sites if one system has been hacked.

The challenge for online service providers is to secure their systems and accounts but allow users easy and convenient access.  Without a Password Manager, long, complicated and unique passwords are not something that people can easily use.

Without a Password Manager, username and passwords are ineffective because:

  1. People choose passwords they can remember, which are simple for criminals to figure out.
    • Brute Force techniques allow criminals to guess thousands and millions of common combinations (Ex. Password1, Sex123, etc.) from dictionaries and lists of already discovered passwords from previous data breaches.
    • Old-fashioned PI work is surprisingly successful, using social media and public records to formulate possibilities including children’s initials, birth dates, mailing addresses, pets’ names, hobbies, etc.
    • Phishing techniques like those used in the DNC hack trick users into sharing their passwords through fake websites and email solicitations.
  2. Long, random, secure passwords are difficult for humans to remember and as a result are not used or are stored insecurely.
    • Often, passwords are kept on sticky notes under keyboards, in note pads and in insecure online address books in Google or Outlook.
    • Users find creative ways to get around complex password requirements by making minor modifications, writing them down but leaving out some characters, etc.
  3. The same passwords are often shared across different systems.
    • Long, complex passwords that change frequently are hard to remember, so users use the same or similar passwords across many systems.
    • Hackers know passwords are shared across multiple systems so they try and access other online systems once a password is discovered and verified.

The Password Manager evolves

The original password managers were not useful because they were inconvenient.  They presented too much of a challenge to setup, organize and access.  Also, securing all your passwords and private information with a single password seemed like having all your eggs in one basket.  If that system and password was compromised, so was everything else!

Modern password managers have solved most of these challenges.  They are now the hub of your digital identity.  Products like 1Password, LastPass and Dashlane provide simple solutions to protect your passwords and provide convenient access from all your devices and online.

You are in control

  • With the help of these tools, long, random, unique and complex passwords are created for your online accounts. The Password Manager software makes logging in and accessing your online accounts simple without having to remember these passwords.
  • There is no need for 3rd party solutions like certificate authorities to issue and manage your credentials.  No one else can grant access to your online accounts and you don’t have to use permanent physical characteristics like your fingerprints, DNA, etc. to identify yourself.
  • No one but you can see your passwords and account info. None of these online solutions store your passwords in a form that is accessible to anyone other than yourself. They do this by employing high levels of encryption within their systems and they encrypt your passwords with your own master password, which they don’t have.

Isn’t this risky, still putting all your eggs in one basket?

Many people still get stuck on the single master password and the concern with having all your eggs in one basket.  It’s a legitimate concern but these systems have checks in place to limit this risk.

  • Before you can attempt to decrypt your database with the master password, you must first authorize your devices and demonstrate control of the email account associated with your account.
  • Attempts to access your account are logged and reported to you so you’ll know quickly if someone else is trying to access your account.
  • 2FA/Multifactor Authentication can additionally be added onto your account.
  • The Master Password is never stored in their system, so if they become compromised hackers still should not have access to your information.

Emergency access

One feature that I find particularly compelling is “Emergency Access.” When someone becomes ill or passes away unexpectedly, there is a panic among family, friends and sometimes within businesses to try to ensure access to online accounts and protected files.

My wife and I have many online accounts related to finances, insurance, mortgages, photo sharing, etc.  One day I realized I had no idea what passwords my wife was using for many of these accounts as they change often and have so many different requirements.  With the Emergency Access feature, I can setup emergency access to her passwords after a 2 day waiting period.

Why shouldn’t we just use alternatives to passwords?

Biometric or genetic authentication: Science fiction has often extolled the benefits of genetic or biometric authentication, including retinal scanners, fingerprint readers, voice recognition or DNA scanning. The problem with these technologies is twofold:

  1. They can be fooled: If a would-be hacker learns a target’s fingerprint, retinal pattern or DNA unique identifiers, systems can be devised to represent these unique patterns in a way that can fool an automated system. There are currently many examples online of fingerprint readers being fooled.
  2. Once a biometric or genetic marker has been compromised, users cannot “reset” it; it is hard-coded into our bodies. So if one’s identity was stolen and it was tied to a unique DNA identifier, the individual is now unable to easily reclaim his identity.

Digital Certificates: For a time there was a lot of discussion about how Digital Certificates from certificate authorities could replace passwords. These certificate systems are currently widely used for securing websites, securing corporate and government systems, and signing software code. They use a private and public key model to encrypt and identify authorized users and systems.

However, Digital Certificate systems have failed to become broadly used because of two major challenges:

  1. There is no one to trust with all this power!
    • Over the past few years there have been several high profile compromises of certificate authorities including Comodo, Symantec, and others.
    • Certificate authorities hold the master keys, creating a single point of failure. This allows malicious actors who successfully compromise one of these systems to access unauthorized systems or issue illegitimate certificates. This allows the publishing of fake bank, Google, or other systems where users are tricked into providing information through fake systems.
  2. Public and private key certificate systems have proved to be too complicated and inconvenient for most average users.
    • Users have to be able to understand the private and public key model, which is often beyond the interest and abilities of most users.
    • Personal certificates are not very convenient.
      • I can load my Private Key on my computer so that when I go to my banking site I can easily log in, but what do I do when I’m at my parents’ house?
      • I can load my Private Key on a USB Smart Card, but that opens up many other challenges and security risks, including plugging USB devices into other people’s computers.

2FA or Multi Factor Authentication: 2FA (Two Factor Authentication) or Multi Factor Authentication is the technique of using 2 or more methods to uniquely identify a user. This usually includes some form of password combined with a text message, phone call or possession of a hardware token or app (USB device, phone app or computer app that generates one-time codes, etc.).

  1. 2FA or Multi Factor Authentication doesn’t get rid of passwords but makes them much harder to compromise.
    • Even if a hacker knows a user’s password, they cannot gain access to a system without the second or third authenticator.
  2. 2FA and Multi Factor Authentication methods are becoming broadly and freely available with many online systems including Apple, Facebook, Google, Yahoo, Microsoft, etc.
    • The problem with these solutions is that they make access a lot less convenient. This is especially true if you’ve misplaced your smartphone, are not working on your own computer, or are sharing access to a system (you usually can’t list multiple cell phone numbers).
    • Additionally they don’t eliminate the password, they just make it more secure.

A good option now for greater security

The convenience of the Cloud’s always on, always available nature means that these systems are always available to enterprising criminals all over the world.  Long gone are the days when systems are safely behind physical walls and firewalls requiring special software and/or physical access.  There is a significant need now for greater security across all these systems and the Password Manager is one of our best options.