The Equifax Data Breach – What happened, What’s the impact, What to do and what NOT to do

What happened?

Equifax, one of the 3 major credit rating companies in the US, disclosed last week that their systems were hacked in July publicly exposing 146 million Americans’ names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

What is the impact?

This information can now be used and cross referenced with publicly available information (online directories, public government record, etc.) and other publicly available data-breach data from other high-profile data breaches (Yahoo, Verizon, InterContinental Hotels Group, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, OneLogin, Blue Cross Blue Shield / Anthem, etc.) to form complete personal profiles of nearly half the population of the United States.  A malicious actor with this kind of information can easily impersonate, steal from and financially ruin an individual.

This data breach is so bad and compromises the personal and financial security of so many Americans, that it cannot just be swept under the rug.  While I hope financial and legal remedies are imposed, we should all reach out to our state representatives to ensure that Congress takes on this issue.

What can I do to protect myself and my family?

You must become an active protector of your and your family’s public financial record:

  1. Get your free annual credit report, review and correct as necessary using the site https://www.annualcreditreport.com/index.action
  2. Check the credit of yourself and all family members including children (Sometimes children have their identities stolen only to find out when trying to apply for College loans)
  3. Implement a Credit Freeze with all three credit bureaus.  Learn more about Credit Freeze here http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
  4. Always follow Safe Internet Behaviors outlined in this post

DO NOT do the following:

  1. Do NOT waste your money on credit monitoring services.  There is a great article here exploring the problems and benefits with credit monitoring services like LifeLock, etc. http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
  2. Do NOT bother with Equifax’s free 12 month monitoring service offering.  You will waive your right to participate in a future class action suits and limit your future ability to take other legal action against them for damages.
  3. You can use the info at https://www.equifaxsecurity2017.com to learn more about the disclosure but Do Not bother enrolling to determine if you’ve been impacted by this disclosure.  You should just assume you have been, either by this disclosure or by another one and take the above outlined steps.
  4. Do NOT panic, this high profile Equifax disclosure only highlights the risks that were already there.  Following the above steps will significantly help protect your financial security.

 

To work is the play, better productivity all day?

Last September, a year ago, I posted an article on the messaging platform Slack. Since then, our office has transitioned to Microsoft Teams internally. I’m not certain if this will be our final resting point but it offers a significant advantage for us, it integrates with our existing Office 365 services, saves the chat history indefinitely and doesn’t cost anything additional. However, working and experimenting with both platforms has raised some interesting discussions in our office about productivity and the role of “play” in the work environment.

Slack seems more fun than Teams, does that matter?

One of the things our users felt was that when comparing Slack and MS Teams, Slack was more playful and fun to use. And I think that is one reason we picked up the platform so quickly and easily. This got me thinking about what factors contribute to the successful adoption of new technologies and software. Usually software programmers are focused exclusively on core functionality and usability and not how fun the program is to use. This is especially true of line of business applications like SAP, Salesforce, etc.  BORING!!!!

So, I wonder is there a role for fun and playfulness in today’s professional office that will encourage productivity, creativity, better outcomes and improve the work environment? I’m not talking about the ping pong and pool tables or video games of the Dot Com/2000s work environments. I’m talking about making fun and playfulness an integral part of daily tasks, programs, etc.

Fun is like dessert, there’s always room

I remember entering the workforce after college and marveling at how serious people took their jobs and how stressed they’d become. Of course, I had no real responsibilities at the time except a car payment. In hindsight, I wasn’t very sympathetic to my coworkers with kids, mortgages, bills, etc. I would get so mad at how their desire for predictability would prevent them from trying anything new or taking on any new risks.

In this first job, I was tasked to educate a workforce who didn’t use email, had limited exposure to the Internet and relied heavily on manual logs, to start using modern computer and Internet based systems.

After deploying a new Exchange based email system, new high speed Internet (384K fractional T1) and all new computers, I set to work to try and get people to use these new systems and show their value to my bosses. I created daily and weekly games asking users to run through virtual scavenger hunts and trivia questions, and search for information online on any one of the many search engines of the time (Altavista, Lycos, Yahoo, Excite, etc.(Google didn’t exist)). People played along, we had fun and it worked! They learned how to effectively perform Internet based research, use email, and get Internet based driving directions!

Successful technologies and companies know the power of fun and play, go ask Facebook, Youtube, Woot and Giphy!

One company you’ve probably never heard of is Giphy. This company is built 100% on having fun and helping people express themselves. They collect, license and curate animated gifs and then make them available to many platforms including Slack and Teams, so users can insert the perfect animated images to show how they feel, creating more fun interactions with friends and coworkers.  Now that’s fun!

giphy

Fun play keeps us engaged, creative and helps us stay relaxed and lucid. My grandfather taught me the value of fun when I was young. He was a constant tease and prankster. My family tells the story of when he brought a cow to the top of the Brown University Clock Tower knowing full well cows can easily go upstairs but not down.

Facebook and Apple use Fun to disrupt markets

Looking to grow their business beyond the confines of social networking, Facebook has started moving into the business world with their new product Workplace by Facebook. It is a new work focused messaging and productivity platform to take on the likes of Slack, MS, and Google! With a huge existing user base who knows their product, a product built around fun and play, Facebook is in a position to totally disrupt and take over as the business communications and collaboration platform of choice.

Apple turned the business phone market on its head in 2010 with the introduction of the iPhone. Users and developers flocked to the new platform because it was fun and flauted the restrictive conventions that the Blackberry products adhered to including using a physical keyboard and minimizing bandwidth use. They effectively put BlackBerry out of business and supplanted them as the business phone platform of choice.

Diverse work environments with young people is important and is fun!

As a traveling consultant, I get to see the inner workings of many of businesses. Based on that experience I think keeping a diverse workforce with young people is important. Young people don’t seem to have the same problem with embracing fun and new technologies as older people, myself included. I always learn something new and fun when I hang out with the younger staff at client sites.  They are less rigid, more easily see the flaws in existing thinking and are more willing to take chances.

Is there a place for fun and play in my business?

I am convinced that having fun is critical to the success of my business.  We are in a customer service business. We are the first people our clients call when things don’t work. Even though this is what we are here for, it is hard to regularly be on the receiving side of this negativity. It is easy to get burned out.

But we survive with daily, silly group rants, silly Giphy images, and occasional company outings. For me, this creates a sense of community (even though we’re constantly spread out), elicits an occasional laugh and helps me keep perspective during what can be long days.  I think this elevates our service to our clients by keeping us happy and able to respond to our clients positively.

I don’t know if this approach will work for everyone, but I do think fun is powerful and can help with many businesses and organizations. I’ve seen successful sales and client service teams leverage silly messages to customers.

For example I once got the following message from one of our technology partners at the bottom of one of his emails.

“Also, if you’re having a bad day and stressed out here’s some baby elephants to cheer you up. http://i.imgur.com/zCiJtRd.mp4 “

Of course in today’s heightened security minded environment, clicking on a random links in an email is not advisable, so i’m not sure this is the best approach. But it was an interesting idea and the message did make me smile.

I don’t really know if there is a formula for fun and play in the workplace. In fact I suspect using a specified prescription could be experienced as formulaic and have the opposite effect. But I know for me it is a matter of keeping things light, remembering we’re not in the heart surgery business and that we should all be here by choice.

 

 

In a Cloud world, does backup still matter?

If your business is in the Cloud, don’t let ignorance be bliss. You may regret it!

I recently worked with a client, a law firm, on their Business Continuity plan. A Business Continuity plan is simply a document that spells out how a business will respond to different kinds of business interruptions including systems failures or catastrophic events.

Like many businesses, they’ve been working to migrate many of their systems to the Cloud. As I reviewed the different failure scenarios (ie, fire/natural disaster, hardware failures in the office, Office 365 becoming unavailable, Cloud app becoming unavailable, etc.) we realized that unlike the in-house systems where we have multiple backups, online back up and failover, we really had no way of recovering if the Cloud solutions became unavailable or lost their data. The only option was to wait for the service to become available again and hope to recover the data.

 

A Cloud Provider Perspective: Trust us, our availability and retention systems are enough!

Several years ago I sat in a seminar put on by Microsoft for its Partners designed to educate and promote their evolving Cloud solutions including Office 365. One of the Partner participants asked “how are we supposed to backup the client data in Office 365.” The Microsoft representative seemed totally puzzled and annoyed. He simply said the systems will be available and offered an additional MS solution to enable mailbox archiving for an additional cost. For Microsoft Partners, this was a shocking perspective since MS has been promoting backup best practices through their certification programs for years.

This kind of laissez faire response about backup is typical among Cloud providers. The Cloud is supposed to be simple, secure and easy, like turning on the switch from a utility. It turns out that backing up your data offline from a Cloud solution is difficult and is often an unbudgeted cost. So these questions are often swept under the rug by the providers and ignored by the subscribers.

 

Availability and retention, how does it differ from Backup?

Most Cloud solutions rely on availability and retention solutions to protect your data. This means they have sophisticated systems and redundant infrastructure so that if their system suffers a failure, their systems will remain available. They also keep multiple versions, changes and deletions for a certain amount of days. But it’s important to remember that availability and retention are not a backup strategy.

A backup strategy employs unique copies of data in disparate systems, physically separated from production systems. They employ good retention policies that can keep copies of data for at least several months, a year or possibly longer. A good backup strategy also takes into account recovery of data to production or backup system and how long that recovery will take (Time to Recovery).

 

So how secure is my data on the Cloud? The truth is cloudy

I looked at the Service Level Agreement (SLAs) and Master Service Agreements (MSAs) of several of the big Cloud providers to see what they actually do to protect your data.

Salesforce – Salesforce’s seems to be one of the most limited I’ve seen on the market. Their MSA says they will “…use commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for:… (List of exceptions)” There is no statement ensuring backup of data or change retention. They also clearly spell out that the most they can be liable for under any circumstance is 12 months of services paid. If they lost all of your Salesforce data or couldn’t recover your account for 1-2 weeks, is that enough for you to stay in business?

Microsoft Office 365MS’s SLA is a bit more confusing as they provide a financially guaranteed uptime formula for compensation called Service Credits. Service Credits “…are your sole and exclusive remedy for any performance or availability issues…” The financially guaranteed uptime guarantees makes no guarantees of data integrity specifically but they do spell out all the efforts they make to protect your data. Like Salesforce, they also make no claims of backups.  They do indicate they replicate data between 2 or more geographically disparate data centers and make other specific efforts to prevent data loss. If MS lost some or all your data or couldn’t recover your account for 1-2 weeks, would receiving the financial benefits described in the Service Credits be enough for you to stay in business?

G Suite/Google – Google provides their Terms of Service as well as a SLA, but provides very little detail in terms of data protections or guarantees. They do offer an additional document on security here, which outlines some of their technologies and systems to protect customer data. The TOS and SLA specifically address “down time,” the period for which their service are unavailable.  They offer similar language as Microsoft and offer Service Credits as a customer’s “…exclusive remedy for any failure by Google to meet the G Suite SLA.” If critical GoogleDocs become corrupt or unavailable for an extended period of time, how resilient would your business be?

 

What is the risk, is Google/Salesforce/MS likely to lose my data or go offline for an extended period of time?

The short answer is no, it is unlikely and the risk is low that any of these large Cloud solutions providers will lose your data or will remain offline for an extended period of time.

These providers are heavily invested in the protections of your data and the availability of their systems. For their own credibility and future of their business, there is a heavy burden to make sure their systems meet the expectations and needs of their users. One major loss of data or extended down time could significantly hurt their credibility and possibly put them out of business. It may be the case that some of the smaller and niche Cloud providers represent a higher risk though, as they likely don’t have the same systems and resources that MS, Google and Salesforce do.

But hope and ignorance are not a plan and there is always some risk. These Cloud businesses work on large scales, so the loss of 100 Google Docs, while important to you, is likely not going to rock the Google ship! Getting resolution to 1 or 2 missing or corrupt Google Docs is not going to get a fast and personalized response even if they are critical to your $1M contract.

 

Betting on the Cloud is like going on a cruise

When I think about the question of risk with Cloud services, I always think of going on a cruise. Cruise ships are sophisticated giants, like floating cities, that roam the World’s oceans. They rarely have problems and have so much girth and sophistication that they can manage most challenges (Weather, systems failure, medical emergencies, food, etc.) But when things do go wrong, the outcomes can be disastrous. You do not want to be stuck on a cruise ship during a major storm, system failure, Norovirus outbreak, etc. And we still do keep lifeboats on board for a reason.

 

What should I do, I love what the Cloud does for me and my business

No one is arguing for not using Cloud solutions. In fact, leaving Cloud solutions out of your businesses technology arsenal will limit your competitiveness. But business owners and managers must treat Cloud solutions as a critical business relationships rather than the as a “utility” as is promoted by the Cloud industry.

To make sure your business is strong, you must make sure these relationships are strong. Business owners and managers should do the following:

  1. Evaluate what Cloud solutions are in use and what functions they play within your operations
  2. Determine risks to your business should Cloud service or data become unavailable
  3. Evaluate existing contracts and determine what can be changed or enhanced to limit risk
  4. Implement backup and recovery solutions to mitigate identified risks
  5. Evaluate business continuity and cyber insurance to ensure your risks are properly covered
  6. Review Cloud relationships regularly to make sure your plans are still adequate for identified risks and newly identified risks

Ultimately, managing a Cloud solution is no different than what we’ve been doing for years to manage internal in-house infrastructure. Going to the Cloud has not eliminated the risks of technology failure, it has only shifted the operational burden. The risks still need to be identified and managed.

 

The challenge of Digital Identification in a Cloud world, Password Managers Emerge

At time when the news headlines are filled with a parade of data breaches (DNC, Yahoo, etc.), the Password Manager has emerged as an effective tool to solve the problem of Digital Identification.  Digital Identification is the way you prove who you are to all your Cloud based online accounts.

The Password Manager is a online system combined with software tools that allows users to create long, complicated password strings that are unique to each online system. This prevents passwords from being guessed and prevents compromised passwords from being used to access other sites if one system has been hacked.

The challenge for online service providers is to secure their systems and accounts but allow users easy and convenient access.  Without a Password Manager, long, complicated and unique passwords are not something that people can easily use.

Without a Password Manager, username and passwords are ineffective because:

  1. People choose passwords they can remember, which are simple for criminals to figure out.
    • Brute Force techniques allow criminals to guess thousands and millions of common combinations (Ex. Password1, Sex123, etc.) from dictionaries and lists of already discovered passwords from previous data breaches.
    • Old fashioned PI work is surprisingly successful using social media and public records to formulate possibilities including children’s initials, birth dates, mailing addresses, pets names, hobbies, etc.
    • Phishing techniques like was used in the DNC hack trick users into sharing their passwords through fake websites and email solicitations.
  2. Long, random, secure passwords are difficult for humans to remember and as a result are not used or are stored insecurely.
    • Often, passwords are kept on sticky notes under keyboards, in note pads and in insecure online address books in Google or Outlook.
    • Users find creative ways to compromise complex password requirements by making minor modifications, writing  them down but leaving out some characters, etc.
  3. The same passwords are often shared across different systems.
    • Long complex password that change frequently are hard to remember, so users use the same or similar passwords across many systems
    • Hackers know passwords are shared across multiple systems so they try and access other online systems once a password is discovered and verified.

The Password Manager evolves

The original password managers were not useful because they were inconvenient.  They presented too much of a challenge to setup, organize and access.  Also, securing all your passwords and private information with a single password seemed like having all your eggs in one basket.  If that system and password was compromised, so was everything else!

Modern password managers have solved most of these challenges.  They are now the hub of your digital identity.  Products like 1Password, LastPass and Dashlane provide simple solutions to protect your passwords and provide convenient access from all your devices and online.

You are in control

  • With the help of these tools, long, random, unique and complex password are created for your online accounts.  The Password Manager software makes logging in and accessing your online accounts simple without having to remember these passwords.
  • There is no need for 3rd party solutions like certificate authorities to issue and manage your credentials.  No one else can grant access to your online accounts and you don’t have to use permanent physical characteristics like your fingerprints, DNA, etc. to identify yourself.
  • No one but you can see your passwords and account info. None of these online solutions store your passwords in a form that is accessible to anyone other than yourself. They do this by employing high levels of encryption within their systems and they encrypt your passwords with your own master password, which they don’t have.

Isn’t this risky, putting all your eggs still in one basket?

Many people still get stuck on the single master password and the concern with having all your eggs in one basket.  It’s a legitimate concern but these systems have checks in place to limit this risk.

  • Before you can attempt to un-encrypt your database with the master password, you must first authorize your devices and demonstrate control of the email account associated with your account.
  • Attempts to access your account are logged and reported to you so you’ll know quickly if someone else is trying to access your account.
  • 2FA/Multifactor Authentication can additionally be added onto your account.
  • The Master Password is never stored in their system, so if they become compromised hackers still should not have access to your information.

Emergency access

One feature that I find particularly compelling is “Emergency Access.”  When someone becomes ill or passes away unexpectedly, there is a panic among family, friends and sometimes within businesses to try ensure access to online accounts and protected files.

My wife and I have many online accounts related to finances, insurance, mortgages, photo sharing, etc.  One day I realized I had no idea what passwords my wife was using for many of these accounts as they change often and have so many different requirements.  With the Emergency Access feature, I can setup emergency access to her passwords after a 2 day waiting period.

Why shouldn’t we just use alternatives to passwords?

Biometric or genetic authentication: Science fiction has often extolled the benefits of genetic or biometric authentication including retinal scanners, fingerprint readers, voice recognition or DNA scanning.  The problem with these technologies are twofold:

  1. They can be fooled:  If a would be hacker learns a target’s fingerprint, retinal pattern or DNA unique identifiers, systems can be devised to represent these unique patterns in a way that can fool an automated system.  There are currently many examples online of fingerprint readers being fooled.
  2. Once a biometric or genetic marker has been compromised, users cannot “reset” them, they are hard coded into our bodies.  So if one’s identity was stolen and it was tied to a unique DNA identifier, the individual is now unable to easily reclaim his identity.

Digital Certificates: For a time there was a lot of discussion about how Digital Certificates from certificate authorities could replace passwords.  These certificate systems are currently widely used for securing websites, securing corporate and the government systems, and to sign software code.  They use a private and public key model to encrypt and identify authorized users and systems.

However, Digital Certificate systems have failed to become broadly used because of two major challenges:

  1. There is no one to trust with all this power!
    • Over the past few years there have been several high profile compromises of certificate authorities including Comodo, Symantec, and others.
    • Certificate authorities hold the master keys, allowing a single point of failure.  This allows malicious actors who successfully compromise one of these systems to access unauthorized systems or issue illegitimate certificates.  This allows the publishing of fake bank, google, or other systems where users are tricked into providing information through fake systems.
  2. Public and private key certificate systems have proved to be too complicated and inconvenient for most average users.
    • Users have to be able to understand the private and public key model, which is often beyond the interest and abilities of most users.
    • Personal certificates are not very convenient.
      • I can load my Private Key on my computer so that when I go to my banking site I can easily log in, but what do I do when i’m at my parents house?
      • I can load my Private Key on a USB Smart Card but that opens up many other challenges and security risks including plugging in USB drives to other people’s computers.

2FA or Multi Factor Authentication: 2FA (Two form Factor Authentication) or Multi Factor Authentication is the technique of using 2 or more methods to uniquely identify a user.  This usually includes some form of password combined with a text message, phone call or possession of physical hardware Token (USB device, Phone App or computer app that generates random numbers, etc.).

  1. 2FA or Multi Factor Authentication doesn’t get rid of passwords but makes them much harder to compromise.
    • Even if a hacker knows a user’s password, they cannot gain access to a system without the second or third authenticator.
  2. 2FA and Multi Factor Authentication methods are becoming broadly and freely available with many online systems including Apple, Facebook, Google, Yahoo, Microsoft, etc.
    •  The problem with these solutions are that they make access a lot less convenient. This is especially true if you’ve misplaced your smartphone or are not working on your own computer or if you’re sharing access to a system (usually can’t list multiple cell phone numbers).
    • Additionally they don’t eliminate the password, they just make it more secure.

A good option now for greater security

The convenience of the Cloud’s always on, always available nature means that these systems are always available to enterprising criminals all over the world.  Long gone are the days when systems are safely behind physical walls and firewalls requiring special software and/or physical access.  There is a significant need now for greater security across all these systems and the Password Manager is one of our best options.

 

Best Bluetooth speakers for home and office with some business inspiration to boot!

This subject may seem like a fluff topic but I have to tell you about these speakers and the company behind them.  They’ve got me pumped because they are great speakers, lots of fun to use, have great business applications and even offer a great business lesson.

The Product

The products I’m talking about and love are the Oontz Angle 3 and Oontz Angle 3XL.  They are inexpensive ($30-$110) Bluetooth speakers with truly incredible sound given their size and cost.  They have a built-in mic for use with phones and computers as a sound source and are super easy to setup and pair with your devices (phones, computers, etc.).

As you can imagine, they are a great way to bring music wherever you are but they also offer impressive portable speakers for business presentations and can be used as a portable speakerphone for ad hoc conferences when paired with your smartphone.  So these are great to place in conference rooms or with traveling executives and sales staff.

One unique feature of the Oontz Angle 3XL (the larger unit) is that if you buy two of them, you can set them up to offer true stereo sound with each one carrying a separate stereo channel.  I have not tested this as the single units have proved to be more than sufficient for my needs.

The history

I used to be a bit of an audiophile when I was younger and was really into a company called Cambridge Soundworks, based in my home town of Newton MA.  I visited their factory store, dreamed of their speakers and even tried to get a summer job there.

Cambridge Soundworks has gone through enormous changes over the years.  At one time they had a national chain of retail stores and huge online direct distribution.  But with anyone familiar with the consumer electronics and Hi Fi industry, everything changed with the iPod and digital music and people lost interest in component music and high fidelity sound systems.  And so the likes of Lechmere, Tweeter, Circuit City and many others went out of business in the late 2000s.

Cambridge Soundworks was no exception and was struggling in the late 90s but had a niche with products that worked directly with computers and the new portable music players like the iPod, known as SoundWorks.  They had comparatively good sound next to the competition.  In 1998 Creative Labs, a computer components and portable electronic manufacturer, acquired Cambridge Soundworks.  As best I can tell, Creative Labs cannibalized Cambridge Soundworks for their technologies and distribution and ended up closing all their retail locations. Their products dwindled, there was no innovation and their brand suffered.  As a loyal and committed customer, it was very sad to see this downfall.

In 2011, SoundWorks, Inc. was formed and purchased the remaining assets of Cambridge Soundworks from Creative Labs Inc.  They relaunched the business based on a new product called Oontz, a portable Bluetooth speaker system.  Frankly I was dismayed.  As someone who was into sound quality this was the last straw! Bluetooth was notoriously bad at carrying high fidelity sound and the speakers were so small that I couldn’t imagine anything worthwhile coming out of them.

Fast forward to 2016 and I’m a HUGE fan!  I think the Oontz products are incredible.  Yes, they still don’t offer truly high fidelity sound, but they do provide an exceptional solution for a convenient, connected speaker and mic system with good sound. And they have achieved this with a product that is simple to use and has better sound than the competition at a lower cost.

My takeaway

As a business owner I can become overwhelmed with the necessity and constant pressure to innovate and evolve to stay relevant. It is easy to get stuck in the nostalgia and wishful thinking of what used to work or how things used to be.  All you have to do is think of behemoths like Polaroid and BlackBerry to know what the risks are.  But when I think of Cambridge Soundworks, I’m inspired and amazed at the vision and guts it takes to truly innovate and evolve a business.

I’m inspired by Cambridge Soundworks because they were not held back by their own old products and past successes.  They were forward looking, understood their unique value proposition of good simple sound products at a lower cost, and created great brand new products that people want.

The result is a business reborn and great speakers I can call the Best Bluetooth speakers for home and office.

To Slack or not to Slack?

As many already know, the cloud based messaging tool Slack burst onto the market in the summer of 2013 and has become one of the hottest business messaging platforms around.  Honestly I was slow to pick up on its relevance and what differentiated it from other solutions.  I remember reading about it, looking into it and thinking I just didn’t have time for another gimmicky or niche solution which could expose me and my clients to security risks.

I’ve seen many new technologies come and go over the years and some of them stick around but don’t have the adoption or credibility to be a real business solution.  This has been the greatest challenge to Slack, because in order for it to become a solution that people can use, they have to prove that it is a safe, secure and reliable place to put businesses communications and files.

Brilliantly, Slack has used the same playbook as DropBox.  They managed to get their product into teams and businesses through the IT back door by offering free services that anyone can setup, offering simple, well written software and web apps.  And they have been so overwhelmingly successful at promoting their product that they have real credibility now.

Our Experiment

In our office we’ve been using Skype for Business for the last 4+ years and found it to be a great solution for keeping track of people’s Presence and reducing Inbox bloat.  So when we switched a couple months ago to Slack on a trial basis, I was very skeptical and didn’t want to give up what we already had.

In Skype for Business, Presence allows users to post their availability and what they are up to, like an electronic bulletin board.  This makes looking for help and answers much quicker than sending out multiple emails, calls, checking calendars, etc.

Skype for Business has also been great at reducing the Inbox bloat associated with the multiple interoffice emails, which tend to crowed out important emails.  And Skype for Business keeps your conversations available and searchable in your mailbox for review and documentation.

The Verdict

So after getting everyone connected on Slack and running it in place of Skype for Business for several weeks, we decided to stay on Slack.  In the end Slack offered several benefits that users felt better served our needs.

Pros:

  1. The Slack software and web interface are simpler and more usable.  They are easy to understand and follow and get the information we need.  Slack provides great software for smart phones, Macs and PCs.  In Skype for Business, the software is slow to load and connect.  On the Mac users are still limited to an old Lync client, which is very limited and buggy.
  2. Conversations among multiple users (Channels in Slack parlance) remain persistent, which is enormously helpful.  This allows messages to be posted and users to review and contribute to them at another time.  They can also see the history of the conversation to give them context and allow them to catch up.  In Skype for Business, conversations are immediate, meaning you can’t send a message for someone to receive and respond to later.  If you do message someone who’s busy or offline, they may (not reliably) get an email with the “missed conversation.”  Once someone disengages a chat session, the session is over and a new conversation must be established without the chat history.
  3. Notifications and continuity between devices is very smooth and reliable.  Slack always seems to know where to notify you (Computer, phone, web, etc.) and is very good at reliably reflecting which messages are new and unread regardless of where you check.  Also, being able to manage notifications based on topic (Channel), direct messages or specific words is helpful in limiting unnecessary distraction.
  4. Extensibility is a very strong and a unique feature of Slack.  It allows integration and extension of the Slack systems to many third party solutions and plugins.  I haven’t used many of these yet but they are widely used with many 3rd party add-ins.
  5. Slack offers persistent file storage.  Unlike Skype for Business, which transfers files from one system to another when they are shared, Slack actually stores them.  This has some collaborative benefits but also introduces new security considerations. We have not been using the file sharing capabilities as we’ve implemented Slack with a very specific purpose and strict usage guidelines.  We don’t allow client data, sensitive information or files stored in the Slack systems.

Drawbacks

Using Slack does have some drawbacks.

  1. Its support for Presence is very limited.  It really only has a “Do not disturb” mode and a light indicator to show if a person is online.  You cannot easily reflect location, current task or to indicate if you’re in the office but busy in a meeting.  This has also been reflected in the feedback I’ve gotten from users that Skype for Business seems more immediate.
  2. The user interface can become very muddled with what I call “Channel Creep” or “Channel Sprawl.”  Having too many Channels and overlapping Channels can get very confusing.  Ultimately someone needs to be in charge and maintain some level of order in an organization.
  3. Slack can also be another monthly cost.  In the Cloud age, businesses are saving on capital expenses but are being drained by the growing list of monthly subscriptions critical to their daily operations. It is true that the free offering may be sufficient for many users, but the free offering is limited and may not always be available.
  4. Slack possesses some security and data portability challenges.  The lack of data portability means you cannot easily take your data elsewhere if for example you decide you don’t want to use Slack anymore.  You can export your data for compliance and archiving, but the exported data is mostly unusable outside the Slack system.
  5. Security is also a consideration as Slack creates a new attack vector exposing communications and documents stored outside primary communications and storage systems like Google for Work, Office 365, DropBox, Box, Egnyte, etc. It constitutes yet another system, set of user accounts, passwords and copies of duplicate files for businesses to try and manage.  In 2015, Slack suffered a major security compromise exposing all their user profiles including passwords to hackers.

Alternatives

There are alternatives to Slack with similar communication models including HipChat and Fleep.  Both products have received much less media coverage then Slack but offer very compelling alternative solutions.  Not to be outdone, Microsoft is planning on introducing Skype Teams, which reportedly will have much of the same capabilities as Slack.

Conclusion

All in all, Slack is a great messaging technology that many businesses should consider using.  It offers a unique approach to messaging with significant advantages over older communication platforms like email, IM and voice.

The Cloud requires a new kind of intelligence, “Cloud Smarts”

Growing up as kids we could easily differentiate between school smarts and street smarts.  School smarts were the skills needed to excel in the classroom and school institution and street smarts were the “intuitive” skills that some had to survive on the “streets” and negotiate challenges, strangers, bullies and other potential threats.  These different kinds of smarts came to different kids with different levels of ease and were learned and taught in school and the home.

But in today’s Cloud enabled world driven by Big Data, there is a new set of skills and understandings that almost all of us are unaware of.  I would like to term these skills and understandings as “Cloud Smarts.” As a society, it’s increasingly critical that we cultivate an awareness of Cloud Smarts and its impact on our daily lives.  Without this awareness our democracy, economy and even our own free will are at stake!

The Cloud and Big Data Explained

The Cloud allows data and systems for many users to be maintained centrally.  This has a lot of benefits including huge operational and development efficiencies and improved access through web-based systems.  It also allows the data from a huge sampling to be analyzed, giving insights and making sense of data that would otherwise be inaccessible and seem random.  Big Data is the ability to analyze and make sense of these huge seemingly unrelated data sets.

Here are a few good examples of the positive impact of the Cloud and Big Data.

Example 1:

A large restaurant Point of Sale (POS) Cloud solution is able to see across thousands of its subscriber restaurants and develop insights using Big Data tools that can identify likely fraud patterns by analyzing retail, inventory and transaction information.  They share these findings as a benefit to its subscribers and alert them when likely fraud is taking place in their operation.

Example 2:

A large Antivirus company uses its millions of software agents across its installed base to inventory file signatures of all the files its software scans.  With this information, Big Data tools can help identify maliciously modified files and files that don’t belong on systems.  This helps the Antivirus company to identify threats that have not yet been discovered and improve the accuracy of detection of known threats.

Example 3:

A large Cloud provider of file and email services is able to see logon and access patterns of users across a large user set and geography and is able to use Big Data tools to identify likely hacking attempts by a sophisticated global actor. With this information they are able to notify the affected users and put in place counter measures to limit user exposure.

Anonymity and therefore privacy are lost forever

Cloud systems and Big Data are wonderful when they help solve problems that are becoming increasingly complex in a connected world.  However, with this incredible insight into huge amounts of data and patterns, anonymity becomes a thing of the past.

It doesn’t matter how many laws the EU puts into place “protecting” privacy or how well the medical industry protects your medical records through HIPAA compliance practices, people’s online behaviors generate unique patterns that, through the use of Big Data along with publicly available data sources, can uniquely identify them.  If you don’t believe me, check out this article.

Your Internet behaviors are being collected from many sources including your ISP (through sold DNS traffic), your Cloud service providers and Ad tracking systems (like the SilverPush system linked above). They are being carefully curated and stored by companies you’ve never heard of before called Data Brokers.  Data Brokers are happy to sell any of this information to whomever is willing to pay for it and allow the information to be used for whatever purposes the buyer would like.

With the loss of anonymity and personal privacy, the Cloud and Big Data can lead to some scary outcomes.  Here’s a few examples of the Cloud and Big Data gone wrong.

Example 1:

A large sales organization uses several online Cloud services to help facilitate their sales team.  The team can “share” materials with prospective consumers by sending presentation materials and links to online resources about their services and products.  Because the prospect is logged into Google online services (Chrome web browser) and also their FaceBook account, the Sales person can pull lots of personal profile information about the prospect without them being aware.  This is permissible through the Google and Facebook terms of use.  Also, the tool used to share the product materials allows the sales person to see what pages the recipient spends most time on, what info is skipped, etc. all without the prospect knowing it. The sales person is now armed with a trove of personal information without the prospect having any idea that the scenario is lopsided and the prospect’s chances of making an informed and fair decision are significantly impaired.

Example 2:

Large stock traders already use High-Frequency trading to connect directly into the electronic stock markets using fiber optic lines and high-speed computers to make hundreds and thousands of trades in fractions of seconds.   They use algorithms to anticipate even very minor changes in stocks and the market and make many buys and sells as a stock goes up or down.  These small changes can mean big money if you’re able to sell thousands of stocks in a fraction of a second.  Many people already find the High-Fequency trading unfair to the average joe trader.  But now imagine if High-Frequency trading firms were able to combine this capability with seemingly inside knowledge only available to them through the use of huge data sets and Big Data tools?  They might be able to correlate information from Data Brokers, Internet traffic behaviors, trending on FaceBook, trending on Twitter, trending on Google, weather feeds and other data sources to anticipate specific movements in the market.  They may even be able to track the likely geographical movement and purchasing behaviors of key executives to help determine certain outcomes.

Example 3:

It is possible that local and national elections are being impacted by well financed special interest groups using Data Brokers and other online data sources to create highly customized and individualized advertisements that would directly speak to individuals’ specific situations and concerns in order to influence their thinking and voting?  This advertising is unfair and manipulative because the viewer has no idea that the message is individualized and is based on inside knowledge of them.  These advertisements may not even look like Ads and may direct them to seemingly reputable resources and reporting with a specific political bent or misinformation.  It is very difficult to regulate these types of efforts and the use of Big Data and the availability of information in the Cloud makes these efforts relatively simple and scalable to roll out.

We must develop a good sense of “Cloud Smarts”

I’m constantly asking my friends, colleges, clients and family if they care if Google (The Cloud) knows so much about their behaviors: Searches, documents, photos, movements around the globe, phone calls, friends, etc.  And resoundingly they all say for the most part, No they don’t care!  They like the information, convenience and free services they get and are willing to give up “some info” to get them.

So what do we do to protect ourselves and make sure we continue to benefit from the Cloud and Big Data while not giving up the freedoms that make our society great?

Ultimately Laws will need to evolve to catch up with the technology to adequately protect citizens.  But until then, individually we have to cultivate an awareness of what data is out there, how easily it is collected, who has it (anyone who wants it) and how it can be used to impact our behaviors and our fortunes.  This trend is only accelerating as more systems and solutions move to the Cloud and more of our daily lives are conducted online.

We can also demand transparency and clarity from our Cloud providers.  One company who is setting the bar for this level of transparency is Microsoft with Office 365.  They clearly spell out how data is stored, protected and used and provide tools for customer auditing.

Cloud Smarts starts with a healthy sense of feeling vulnerable, a good defensive posture and being mindful of what data you knowingly put online (Ex. Google, Facebook, “free” services, Ad links, etc.). We can no longer browse the Internet believing we’re in control, because mostly we’re not.  We have to understand that Ads, links, sales people and other “strangers” likely have more information about us than we realize.

Brian Krebs is a well known reporter and blogger on computer and Internet security.  His blog posts and writings on security breaches and the general sense of online insecurity are eye opening and have helped me stay informed and understand the full scope of the issues.  He has several posts about ways to protect yourself online including setting up a Credit Freeze and Tools for a Safer PC.   There was also a very interesting article about Data Brokers on NPR worth reading.

Staying informed, aware and skeptical are the foundation of the new Cloud Smarts we should all start practicing.  Perhaps if we’re lucky the kids in school will learn about this, give it a better name and help teach us about the new reality.