COVID-19, are there lessons for cybersecurity?

When I got my second Pfizer vaccine shot and now ponder the possibility of a third, I started thinking about what it means for me to be afforded added protection from the threat of COVID. Should a vaccine change how I behave and what, if any, additional precautions I should take? With the appearance of new variants, how do I identify the risks? How does it affect my overall approach to protecting my health, my friends and family’s health, and even my business’s continuity?

As a person who spends his professional life mitigating risk for his clients, I couldn’t help but see the parallels between managing cyber security and the lessons we’ve learned, and continue to learn, during COVID. Just like the COVID-19 pandemic, cyber risk to businesses is global, indiscriminate and unrelenting, and it requires personal, national and global effort to limit its impact on our businesses and, ultimately, our society.

Reading security blogs, Twitter feeds and the musings of CISOs, one walks away thinking good cyber security is only successfully achieved through the efforts of an elite group of cyber-geeks who never sleep, live on stress, can code with abandon, are networking experts, and can understand complex systems. It can feel unapproachable.

The truth is, managing cyber risk and protecting yourself and your business is not as difficult as it appears. Cyber security businesses and technologies want you to think it’s complicated stuff, impossible for a lay person to understand, and requires the magic wand of AI and advanced technologies. While modern businesses have complicated systems to manage, the concepts behind cyber security are largely intuitive.

Let me outline a few important cyber security principles that we can all understand and that are highlighted by our shared COVID experience.

“Defense in depth” is a term common to cyber security professionals. It sounds fancy but really just refers to a layered approach to security. Cyber security experts know their defenses will eventually fail no matter how well crafted, so they put several overlapping systems or protections in place: if one fails, the other protections should stop or minimize the impact of an attack. Living through a pandemic, this idea is familiar to us all. We maintain social distance (layer 1), wear masks (layer 2), wash hands and sanitize (layer 3), limit exposure to as few people as possible (layer 4), and get vaccinated if possible (layer 5). We know that none of these things alone will stop COVID from spreading entirely, but that the combination of these efforts will systemically minimize its impact and its spread.

“Risk management” is another phrase found within the cyber security lexicon. Again, this can sound more complex than it is; it refers to the decisions we all make about how much risk we choose to tolerate during daily activities. We know intuitively that some things are riskier than others. For example, if I go to a large indoor party with people who don’t wear masks, I know that if one person shows up COVID positive, the virus has a higher risk of spreading to many people at that event. I also know that if I get sick, there is some chance I could get very sick. The key to risk management is understanding the risk factors. If I don’t know that being in a crowded room with unmasked people is risky, I can’t make an informed decision. The same is true of cyber security: once informed, our clients determine the amount of risk they can manage given their unique situation and the consequences of the risks they take on.

“Cyber hygiene,” another bit of cyber security jargon, describes a connected system that is up-to-date and patched, and configured to limit its vulnerability to misuse. While this, too, sounds fancy, you can think of it much like maintaining a clean working environment and being thoughtful about your and your staff’s overall health. Choosing to stay home with a runny nose, cough or compromised immune system helps limit the spread of disease and infection. It is the same with technology. Maintaining a healthy, resilient system means keeping technology up-to-date and using protective software that monitors for and protects against malicious activity.

“Authentication,” “access control” and “privileged access” may sound officious but in fact describe really simple concepts, the kind of lessons that we teach our kids from a very young age. We all have ways to identify people and to determine whether we are comfortable with them, or whether they are authorized to enter our lives in different ways. People have names, we recognize their faces and voices, and we put them in the context of their relationship to us and the people around us. Is this person someone I know who is allowed to pick me up from school? Of course, it’s my aunt who picks me up every Wednesday! Is this person allowed to make medical decisions and talk with my doctor? No, it’s my coworker who brought me to the ER when I injured my leg. Authentication, access control, and privileged access are simply electronic ways to identify people, determine who they are contextually, and decide what they should be allowed to do.

The last cyber security term, “Compensating Controls,” means that when we know there is a weakness or vulnerability we can’t control, we do something else to help minimize the risk it represents. So, because my child is under 12 and has other health risks, we don’t send her to school. We home school her to minimize her exposure to other people and limit her risk of contracting COVID. Keeping her home is our “compensating control.” If we have a computer system that only supports weak passwords, then as a compensating control we might consider allowing only physical access to the system and not connecting it to the Internet. This would limit the risk of it being compromised because only a small group of people would be able to physically access the system.

When it comes to cyber risk, it is the combination of these measures that provides optimum security, no matter how simple or complex your system. The Colonial Pipeline hack is a high-profile example of an organization not employing defense in depth, good access controls or good cyber hygiene. The attackers were able to compromise their systems using a leaked or stolen password combined with a VPN connection that didn’t require multifactor authentication, demonstrating poor authentication and access controls. They also appear to have had few defense-in-depth measures, so once the attackers were inside, little else prevented additional access or provided detection. Additionally, there was lax cyber hygiene, allowing attackers to further compromise unpatched and poorly configured systems.
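To make the “authentication,” “access control” and “privileged access” terms concrete, and to show what the missing MFA on the Colonial Pipeline VPN would have changed, here is an added example of a toy login and access decision. It is not code from the original post; every user, password, role and one-time code in it is constructed for the demonstration, and the fixed `mfa_code` string stands in for whatever a real second factor (an authenticator app or hardware token) would produce.

```python
"""Toy authentication + access-control decision (added example, not from the
original post). All accounts, secrets, roles and MFA codes are constructed."""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so timing does not leak how close a guess was."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _make_user(role, password, mfa_code):
    salt, digest = hash_password(password)
    return {"role": role, "salt": salt, "digest": digest, "mfa_code": mfa_code}


# Constructed user directory. "mfa_code" is a fixed string only so the
# example runs offline; a real system would validate a TOTP or token response.
USERS = {
    "alice": _make_user("nurse", "correct horse battery staple", "123456"),
    "bob": _make_user("staff", "hunter2", "654321"),
}

# Access control: what each role may do (the "context" in the post's analogy).
PERMISSIONS = {
    "staff": {"read_calendar", "submit_timesheet"},
    "nurse": {"read_calendar", "read_medical_record"},
    "admin": {"read_calendar", "read_medical_record", "change_user_roles"},
}

# Privileged access: actions that always require a second factor.
PRIVILEGED_ACTIONS = {"read_medical_record", "change_user_roles"}


def authenticate(username, password, mfa_code=None):
    """Authentication: who is this? Returns a session dict or None.

    Unknown user and wrong password give the same answer, so the response
    cannot be used to enumerate valid account names."""
    user = USERS.get(username)
    if user is None or not verify_password(password, user["salt"], user["digest"]):
        return None
    mfa_ok = mfa_code is not None and hmac.compare_digest(mfa_code, user["mfa_code"])
    return {"user": username, "role": user["role"], "mfa": mfa_ok}


def authorize(session, action, remote):
    """Access control: may this session perform `action`?

    `remote` marks a connection from outside the building (a VPN login).
    Remote access and privileged actions both require the second factor,
    which is the control the Colonial Pipeline VPN lacked."""
    if session is None:
        return False
    if action not in PERMISSIONS.get(session["role"], set()):
        return False
    if (remote or action in PRIVILEGED_ACTIONS) and not session["mfa"]:
        return False
    return True


if __name__ == "__main__":
    # Nurse with password only, on site: calendar yes, medical record no.
    s = authenticate("alice", "correct horse battery staple")
    print("alice calendar on-site:", authorize(s, "read_calendar", remote=False))
    print("alice record on-site, no MFA:", authorize(s, "read_medical_record", remote=False))
    # Same nurse over the VPN with a password only: nothing at all.
    print("alice calendar via VPN, no MFA:", authorize(s, "read_calendar", remote=True))
    # With the second factor present, the role decides.
    s2 = authenticate("alice", "correct horse battery staple", "123456")
    print("alice record via VPN with MFA:", authorize(s2, "read_medical_record", remote=True))
    b = authenticate("bob", "hunter2", "654321")
    print("bob record with MFA:", authorize(b, "read_medical_record", remote=False))
```

The two decisions are deliberately separate: `authenticate` only answers “who is this, and how strongly do we know it?”, while `authorize` answers “given that, and given where the request comes from, is this action allowed?”. A stolen password on its own gets the attacker a session with `mfa` false, which `authorize` refuses for any remote use.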

It is true that large businesses like Colonial Pipeline have many complex systems complicating the process of managing cyber security, but the fact is, these measures are not out of reach for any business. Educating staff and implementing management systems are the key to successfully maintaining good cyber security and putting an end to the recent ransomware and international supply chain hacking. The lessons are much the same in taming the spread of COVID: becoming educated, implementing control measures, and creating layers of defense will minimize the risks of its impact and disruption.

Cyber Wellbeing

It’s been over 6 months since my last post, and frankly the time during Covid seems to pass at warp speed! I can’t believe I’m already thinking and planning for the summer! We are making progress in the fight against Covid, vaccines are rolling out, and schools are opening, which has got me thinking more about building my business again.

But overshadowed by my new optimism and all the headlines of the election, the storming of the Capitol and Covid, the last six months have been witness to the most active and destructive cyber security events in recent history. The depth and breadth of these attacks is staggering, with implications for our economy and government. We are in a new age of cyber risk for businesses, so we all need to get better prepared to manage and guide our organizations through these new challenges and new growth. Here is just a quick list of what you may have missed…

  • SolarWinds supply chain hack, which affected 18k businesses and multiple government agencies, including Microsoft, Cisco, Amazon, the US Treasury Department, the Department of Commerce and many others. This hack led to the disclosure of untold sensitive and critical data to foreign adversaries and the loss of control of critical government and business networks.
  • Microsoft Exchange hack leading to over 60,000 organizations having their email systems compromised and likely accessed by unauthorized users.
  • Accellion supply chain hack, which led to the compromise of thousands of high-profile businesses and government agencies and the disclosure of personal, privileged and sensitive information around the globe.
  • FireEye systems and data breach leading to disclosure of critical client information, which includes many Fortune 500 companies and government agencies, and included the code to sophisticated testing and cyber espionage tools used by their offensive testing team.
  • SITA systems and data breach exposing personal and sensitive information about airline riders from over a dozen airlines.
  • BlackBaud systems and data breach compromising their systems and exposing sensitive information about donors and not-for-profits, including healthcare systems, charities, universities and hospitals.
  • and so many more…

To help business owners and managers understand and address these new realities, I recently penned a blog post for Ihloom, Mantra Computing’s sister cyber security business, about a new set of business skills we call Cyber Wellbeing. Like many business owners and managers, I am comfortable reviewing my business’s financial wellbeing, knowing where our revenues are, expenses, inventory, sales pipelines, etc. But most business owners and managers have no idea what their current risk is of a debilitating cyber event. What are the costs of preventing a cyber event? What are the costs of being unprepared? Will my cyber insurance cover my losses and ensure continuity of business?

My colleagues and I will be blogging on the Ihloom site and sending out related communications to continue educating business owners and managers on the concepts of business Cyber Wellbeing. If this is something that’s of interest to you, please check out the post and subscribe to our mailing list.

Like many of you, I’m excited about a post Covid rebirth. However, successfully capitalizing on this new opportunity will require being prepared. As G.I. Joe used to remind me, “Knowing is half the battle!”

OGN: Curly Girl Design

For this month’s OGN post, I’d like to bring attention to one of my oldest clients, Curly Girl Design.

After 9/11, like so many other people, I decided to make changes in my life. I moved back to Boston to be closer to my friends and family. I met Alyssa, the person who was to become my wife and mother to my three children, and I decided to start Mantra Computing. 

Back then I was a poor 26-year-old, starting a new business and living in my parents’ basement. I was following the girl of my dreams every week to hot and sweaty power yoga classes. Through volunteer work at the yoga studio, Alyssa and I became friends with many of the staff and community, and through that connection we became friends with Leigh, the founder of Curly Girl Design.

In fact, I was first introduced to Leigh’s work in the bathrooms of Baptiste Power Yoga Institute (BPYI) in Boston. Leigh was friends with Mariam and Rolf Gates, who were managing the BPYI studio and they were helping to promote her work. And what better place to see joyful, mindful and inspiring work than in the bathrooms!?

Leigh’s work is incredible. Her web bio says it’s “whimsical and witty,” which is true, but it is also colorful, wise and beautiful. In 2004 Leigh took the brave step of starting Curly Girl Design, a business based around licensing and distributing her designs. The pictures below are some of the pieces hanging in my home. You can see a lot more of her work on her Instagram page and in shops throughout the US. 

Turmoil and unrest bring change. Things change in ways that we cannot always see in the moment. During “these hard times,” as I often hear it said during the COVID quarantine, we can see all the big things including sickness and death of loved ones, social unrest, economic hardship, and social inequities. But the changes that will matter most are invisible to us now.

September 11th was one of those big moments that changed my life in ways that, until now, I didn’t fully understand. The big stuff was the attack on the towers, the loss of life, the ensuing war in Afghanistan and all the changes to air travel and the economy. But what doesn’t get recorded or noticed are all the little decisions people make as a result of the big stuff, including things like my move to Boston or Leigh’s move to go out on her own.

As I reflect on the early days of Mantra Computing and working with clients like Curly Girl Design, I can see all the beautiful things that grew from the 9/11 tragedy.  I try to remember that as we all deal with today’s challenges. 

Through Leigh’s designs and words, Curly Girl Design helps remind us of what’s important. She helps us reframe our reality and refocus us on a future that isn’t always clear. If you’re looking for inspiration, please check out Leigh’s creations at Curly Girl Design.

OGN: Vibram, This Sole’s got Soul!

As part of my OGN series (Operation Good News), I’d like to profile a long-time client and brand that many of you are familiar with, Vibram. Vibram makes the soles for top footwear brands and also designs and develops their own products like Vibram FiveFingers and Vibram Furoshiki. I began working with what was then called Vibram USA back in 2007. At the time, Vibram was a mostly Italian company with a small presence in the US. There were two pieces of the business on the US side: Soles and Components, who helped other footwear companies design and use Vibram soles, and a small upstart called Vibram FiveFingers.

FiveFingers was a design concept developed in Italy that Vibram thought other shoe companies would be interested in.  When no other brands took interest, Vibram decided to take the product direct to market.  This development coincided with a movement of minimalist and barefoot running, which was propelled forward by the popularity of the book Born to Run, by Christopher McDougall in 2010.

There were only 6 people in the Vibram Concord office and they didn’t require much assistance given their small size. Also, the FiveFingers shoes seemed strange and hard to wrap my head around. So at the time I didn’t give them much consideration. Over time, however, Vibram has become one of the most gratifying and interesting experiences of my professional life.

Between 2007 and 2011, Vibram USA grew from a business with just a few US sales to revenues in the tens of millions. In that time, Vibram went from a mostly Italian company to a truly Global business.

In 2015, when Vibram acquired Quabaug Corporation in North Brookfield, MA, a business that’s been manufacturing rubber products in the US since 1916, it quickly and dramatically changed the size and operations of Vibram’s Global business. It also created one of the most dramatic and exciting cultural mashups I have ever been a part of.

One might wonder, what does an IT consultant know or care about culture? Although I started my career as an Electrical Engineer, I ended with an undergraduate degree in Cultural Anthropology and Studio Arts. Of particular interest was Italian culture, inspired by one of my all-time favorite books, an ethnography called The Broken Fountain, about the urban poor in Naples.

At Vibram, the cultural mashup included the corporate Italian culture, driven by the design and innovative heritage of the Bramani family in Northern Italy; and the young and more urban and entrepreneurial startup culture of Vibram USA and FiveFingers. And lastly the established and more conservative culture of a rural US manufacturing icon, in North Brookfield MA.

I believe the resulting company has emerged stronger and more dynamic, due in part to the resulting diversity of ideas and experiences. This was most recently demonstrated to me by the way Vibram has managed through the COVID-19 pandemic.

I have been impressed by their leadership and their commitment to their business and their people. They have successfully managed staff and business operations in three major virus hotspots including Northern Italy, Boston and Guangzhou, China.  Just this month they reopened their manufacturing facility in Albizzate, Italy.

Stories of responsible businesses should be celebrated in these times of challenge. There are too many negative stories of big businesses stealing recovery funds, pushing for the bottom line and sacrificing the safety of their front line workers.  Vibram can stand proud of its record and I’m proud to have contributed in some small way to their success over the last 13 years. Vibram has certainly demonstrated it has a lot more soul than the soles it produces.

Information about Vibram and their products can be found on their website and their myriad of social media channels, which I’ve listed below.  Looking for their iconic Vibram logo on your next pair of shoes is the best way to support them.  If you’re a member of the US military or have family who are, you’re already walking around on Vibram soles manufactured right here in North Brookfield, MA.

Website: www.vibram.com
Linkedin: www.linkedin.com/company/vibram-s-p-a-/
Instagram: www.instagram.com/vibram/
Twitter: twitter.com/vibram
FB: www.facebook.com/VibramUS/

OGN! Let’s take it From the Top

With the Quarantine dragging on and the days and the weekends melding into one long stretch, I have been thinking a lot about how lucky I am to have such incredible clients. I know there is a lot of loss and suffering, including lost jobs, lost business, lost health and life, and food insecurity, to name just a few. It is hard to stay focused each day and stay positive. So I’m launching OGN, Operation Good News! With 17 years in business and lots of incredible clients and experiences, I have some things I’d like to share!

The first client I’d like to profile is From the Top. I was first introduced to From the Top in 2007 through a relationship I had with Kevin Marren, a salesperson from Thrive Networks. These were the early days of Mantra Computing and there were only 3 of us on staff. Any new business was good business and Kevin was a lifeline. At the time Thrive was so busy with work that they kept throwing us any business they didn’t want. We were happy to take it.

From the Top had suffered some technology challenges including a crashed server and lost emails.  From our first meeting I knew we could help them and get them back on firm ground. These days many of us take rock solid email, contact and calendaring for granted with offerings like Office 365 or G Suite.  But back then we actually had to stand up our own solutions! Also, From the Top was a mostly Mac operation and Mantra Computing was one of the few shops in the area with deep Mac knowledge operating within Windows network environments.

I knew From the Top produced an NPR radio show but I didn’t understand the scope of their work. The show is just the tip of the iceberg! They find extraordinary kids from all over the country, mentor them, give them opportunities to learn from professionals and then perform on a national platform on the radio, online and in theaters!

I’ve been to several From the Top shows, and the quality of the production and the talent of these children is really mind blowing. When you see these kids come on stage and perform, it would be easy to feel excluded or put off. The subject matter can feel inaccessible to many of us, not being familiar with classical music and its etiquette. Also, these kids are so talented and have spent so much time learning the subject that their performances seem superhuman. But that is the magic! Instead of walking away feeling left out or overwhelmed, you feel inspired, awed and included.

I remember at age 15, traveling on a summer bike trip, our group was invited to attend a classical performance. Can you imagine a bunch of smelly 15 year olds, who’d been biking for 2 weeks and sleeping in tents, being led into a theater? Truthfully, we were dubious and the surrounding audience didn’t look too pleased either. But the performance began and it was incredible. After the first movement we all clapped enthusiastically.  It seemed like everyone was moved like I was. But then after the second movement, we all clapped enthusiastically again! We were quickly shunned by the surrounding guests. We learned you do not clap between movements. I can only speak for myself, but after that shaming, it was very hard to enjoy the rest of the show. And I have carried that experience with me to this day and still feel some anxiety when I try to enjoy a classical performance. I’m always worried about what I’m doing wrong and what I may be missing.

From the Top offers an opportunity for young people that is opposite from my summer bike trip experience. They find ways to engage and amaze the audience, who are often young people elementary to high school age.  Their mission is to celebrate the power of music through the hands and eyes of a broad and young audience. When you’re there, you know something special is happening. I took my kids and walked away with a memory that I hope they will reflect on positively when they become adults.

Right now, the Quarantine presents a huge financial and operational challenge for cultural institutions, especially performance-driven ones. From the Top specifically is limited in their ability to pursue their education and performance activities, which they rely on heavily for funding and donations. During this time of Quarantine, in addition to the support we give to essential workers, social and charity organizations, we all need to step up and make an additional effort to support our critical cultural institutions. If we don’t, we stand to lose them and all the beauty they bring to our lives. While the government relief funds are targeted at keeping the economy open and supporting critical businesses and institutions like hospitals, there is no special carve-out for cultural institutions.

Please consider making a donation today to your favorite cultural institution. If you’re looking for a worthy organization, please check out From the Top. I’ve provided links about From the Top below, their online content and how to make a donation. They’re actively seeking and need the support to keep their programs running.

https://www.fromthetop.org/
Daily Joy: https://www.fromthetop.org/landing_page/from-the-top-daily-joy/
YouTube Channel: https://www.youtube.com/user/fromthetop
Donate to From the Top Now

Introducing Ihloom! (pronounced illume, as in illuminate)

As you may have noticed, it has been over 2 years since I last posted! Honestly, the time has flown by so fast that I really didn’t think it had been that long. But there is good reason! My team and I have been busy working on a new project. And given the current craziness surrounding the Coronavirus, I thought, now is a good time to sit down and post and let everyone know what we’ve been up to!

In 2013 I read an article, referenced here, about how Facebook identified a zero-day Java exploit on one of its engineers’ laptops by monitoring Internet traffic, and that hackers were using it to communicate with their servers to steal data. Running an IT consulting and managed service firm, this article freaked me out. I thought, if this ever happened to one of my clients, how could they possibly be expected to detect and survive an attack like this? Facebook and its large, dedicated data security team found a needle in a haystack. But this needle would not be hard for cyber criminals to place wherever they wanted, and most organizations would have no way of knowing about it.

A lot has changed since 2013, and there are tons of new cybersecurity products on the market, many of them leveraging artificial intelligence to try to fill the gap identified in that 2013 article and help security teams find the needle in the haystack. But a critical problem still remains with all these products: what do you do if you get an alert? All cybersecurity products block the most egregious offenders, but things that are just not normal or look suspicious get flags and alerts. Someone must evaluate the alert, determine whether it is suspicious, and develop an action plan to mitigate the risk or compromise.

The truth was, we were doing the best we could and followed all the best practices for an IT consulting business, but we could not effectively protect our clients from evolving and real threats.  We also did not have the resources to monitor and respond to changing risks.  We needed help like most small and medium businesses.

And so we embarked on a 2-plus year journey learning, testing and training on all the latest security solutions. We trialled many platforms and actually put the slick marketing to the test. We developed a backend and an organization to drive and support these products. Today, Ihloom is protecting over 1,600 endpoints and over 100 different organizations. We have identified and mitigated more than 5 serious cyber attacks in the last year, saving our clients from real losses and business disruptions.

If you want to get your organization secure and compliant, Ihloom can help. What differentiates Ihloom are real, practical, vetted solutions and the knowledgeable staff and know-how to get businesses secure. Putting a solution like this together takes time, hard work and experience, and we’re proud of the outcome.

2 Critical Security Flaws disclosed in Intel and other modern processors – what you and your organization need to know

Meltdown and Spectre

Two new critical security flaws were disclosed late last week related to Intel processors and also some other processor platforms, including AMD and ARM, which can be found in servers, computers, cell phones, internet-connected devices, etc. This applies to all operating systems, including Windows, Linux, macOS, iOS, Android, etc.

The details of these flaws have been shrouded in secrecy, so the full impact of both the risks and the proposed software fixes has been difficult to assess. At this point we know a lot more, but we still have a lot to learn. The full impact of the related software patches will only be understood as they are rolled out and reporting continues.


What are the details of the security flaws, what does this mean from a risk standpoint?

The two flaws are commonly referred to as Meltdown and Spectre. They are both flaws in the design of the processor hardware, not software, and affect how the processors isolate separate processes and prevent those processes from accessing each other’s memory. In other words, these two flaws allow programs on computers, devices and Cloud services to access information from other processes without authorization.

These flaws allow malicious code, which could simply be a web page you visit, to access secure passwords, encryption keys, etc. stored in processor kernel memory. So, for example, a web page running JavaScript in your web browser could potentially have access to information related to your password manager program or the encryption key for your secure drive. Or in a Cloud environment like Amazon Web Services (AWS), customer A’s virtual machine could potentially access data from customer B’s virtual machine if they are sharing the same physical processor.

Based on my readings, official awareness of these flaws dates as far back as June 2017. The software fixes currently being provided by Linux, MacOS and Windows, are on the kernel level and are very sophisticated. These types of changes require a lot of development time and testing. The fact that they’re rolling them out now means they’ve had a lot of time to work on them.

These design flaws have been present in chips manufactured for the past 10 or more years.


What’s being done about it and what action do I need to take?

Software updates have been developed both on the OS level (Windows, Linux, MacOS, etc.) and by web browser manufacturers (Chrome, IE, Edge, Firefox, Opera, etc.) to mitigate the risks of these hardware flaws. It is important to install these patches but at this time I’m recommending taking a slow and measured approach. There are some known software compatibility issues as well as significant machine performance degradation associated with the patches.


The following is a prudent approach:

  • For desktop computers, delay installing the OS patches for a short period of time, 1-4 weeks, due to the complexity and low level of the software changes in them. There are known software incompatibilities with many Antivirus packages, and there may be other software impacted by these changes that has not yet been discovered.
    • Mac OS High Sierra has been patched as of 10.13.2
    • Microsoft will be rolling out updates this week on Patch Tuesday
    • Many Linux distributions have started releasing updates.
  • Update web browsers ASAP including Chrome, IE, Edge, Opera and Firefox. The recent browser updates have protections to help prevent compromised or malicious websites from leveraging the processor vulnerabilities.
  • Check with your Antivirus software manufacturer for updates and confirmation that their product is compatible with the latest updates from Microsoft and Linux.
  • Update mobile phones and tablets as soon as patches become available.
  • For servers, delay installing the OS patches for one or two patch cycles to ensure compatibility issues are addressed and performance considerations are properly planned for.
  • If you run any applications or systems in AWS, Microsoft Azure and Google Compute Engine be aware of the following:
    • Amazon AWS has been in the process of deploying software patches and fixes, which started last Friday and may impact availability and performance of your instances
    • Microsoft Azure will be performing updates and patches on January 10th which may impact availability and performance of your instances
    • Google Compute Engine appears to have already undergone needed updates but is requesting clients restart certain processes
  • Newer versions of the Intel processors will be updated with a microcode update, which will help mitigate the issue.
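Once you do start rolling the OS patches out, you need a way to confirm on each machine that the mitigations actually took effect. On Linux the kernel reports this itself: since kernel 4.15 it exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2, and more in later kernels) containing a line such as “Not affected”, “Mitigation: PTI” or “Vulnerable”. The script below, an added example that is not part of the original post, reads those files and summarises them; Windows and macOS report mitigation status differently and are not covered. The sample directory built by `make_sample_dir()` is constructed so the example runs on any machine.

```python
"""Summarise Linux kernel Meltdown/Spectre mitigation status from sysfs
(added example, not from the original post). The sample directory built by
make_sample_dir() is constructed to mirror the real sysfs layout."""
from pathlib import Path
import tempfile

# Real location on Linux kernels 4.15 and newer.
SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status):
    """Map one kernel status line to a coarse category.

    The kernel writes "Not affected", "Mitigation: <details>" or
    "Vulnerable" (optionally followed by ": <details>")."""
    text = status.strip()
    if text.startswith("Vulnerable"):
        return "unmitigated"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text == "Not affected":
        return "not affected"
    return "unknown"


def check_vulnerabilities(vuln_dir=SYSFS_VULN_DIR):
    """Return {issue_name: category} for every status file in the directory."""
    vuln_dir = Path(vuln_dir)
    if not vuln_dir.is_dir():
        raise FileNotFoundError(
            f"{vuln_dir} missing: kernel older than 4.15, or not Linux")
    return {f.name: classify(f.read_text())
            for f in sorted(vuln_dir.iterdir()) if f.is_file()}


def unmitigated(results):
    """Issues still reported as Vulnerable, sorted for stable output."""
    return sorted(name for name, cat in results.items() if cat == "unmitigated")


def make_sample_dir():
    """Constructed sample: Meltdown and Spectre v1 mitigated, Spectre v2
    still reported Vulnerable (the contents are sample values, not read
    from any real machine)."""
    d = Path(tempfile.mkdtemp(prefix="vuln-sample-"))
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Mitigation: __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable: Minimal generic ASM retpoline\n")
    return d


if __name__ == "__main__":
    # Use the real sysfs directory when present, otherwise the constructed sample.
    target = SYSFS_VULN_DIR if SYSFS_VULN_DIR.is_dir() else make_sample_dir()
    results = check_vulnerabilities(target)
    for name, cat in results.items():
        print(f"{cat:12s} {name}")
    print("still unmitigated:", unmitigated(results) or "none")
```

Run it after each patch cycle on a sample of workstations and servers; a non-empty “still unmitigated” list (or a `FileNotFoundError`, meaning the kernel predates the status files) tells you the OS patch has not landed or the microcode update the last bullet mentions is still needed.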


At this point the vulnerabilities have been around for over 10 years. We know the vulnerability was officially known as far back as June 2017. I think it would be naive to assume that state actors and/or organized crime were unaware of this issue, either since last summer or perhaps well in advance of that. We should assume users have already been exposed to this risk, and that mitigating it should be done cautiously so as to minimize interruption to productivity. There is no sense in running around with our heads cut off in panic. We should take care of the systems at greatest risk first, browsers and workstations, and cautiously work to address the rest until the next big revelation.

The Equifax Data Breach – What happened, What’s the impact, What to do and what NOT to do

What happened?

Equifax, one of the 3 major credit rating companies in the US, disclosed last week that their systems were hacked in July, publicly exposing 146 million Americans’ names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.

What is the impact?

This information can now be used and cross-referenced with publicly available information (online directories, public government records, etc.) and with data from other high-profile data breaches (Yahoo, Verizon, InterContinental Hotels Group, Dun & Bradstreet, Saks Fifth Avenue, UNC Health Care, OneLogin, Blue Cross Blue Shield / Anthem, etc.) to form complete personal profiles of nearly half the population of the United States. A malicious actor with this kind of information can easily impersonate, steal from and financially ruin an individual.

This data breach is so bad and compromises the personal and financial security of so many Americans, that it cannot just be swept under the rug.  While I hope financial and legal remedies are imposed, we should all reach out to our state representatives to ensure that Congress takes on this issue.

What can I do to protect myself and my family?

You must become an active protector of your and your family’s public financial record:

  1. Get your free annual credit report, and review and correct it as necessary using the site https://www.annualcreditreport.com/index.action
  2. Check the credit of yourself and all family members including children (sometimes children have their identities stolen and only find out when applying for college loans)
  3. Implement a Credit Freeze with all three credit bureaus.  Learn more about the Credit Freeze here: http://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/
  4. Always follow the Safe Internet Behaviors outlined in this post

DO NOT do the following:

  1. Do NOT waste your money on credit monitoring services.  There is a great article here exploring the problems and benefits of credit monitoring services like LifeLock, etc.: http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
  2. Do NOT bother with Equifax’s free 12 month monitoring service offering.  You will waive your right to participate in future class action suits and limit your future ability to take other legal action against them for damages.
  3. You can use the info at https://www.equifaxsecurity2017.com to learn more about the disclosure, but do NOT bother enrolling to determine if you’ve been impacted by this disclosure.  You should just assume you have been, either by this disclosure or by another one, and take the steps outlined above.
  4. Do NOT panic; this high profile Equifax disclosure only highlights the risks that were already there.  Following the above steps will significantly help protect your financial security.


To work is the play, better productivity all day?

Last September, a year ago, I posted an article on the messaging platform Slack. Since then, our office has transitioned to Microsoft Teams internally. I’m not certain if this will be our final resting point, but it offers a significant advantage for us: it integrates with our existing Office 365 services, saves the chat history indefinitely and doesn’t cost anything additional. However, working and experimenting with both platforms has raised some interesting discussions in our office about productivity and the role of “play” in the work environment.

Slack seems more fun than Teams, does that matter?

One of the things our users felt was that, comparing Slack and MS Teams, Slack was more playful and fun to use. And I think that is one reason we picked up the platform so quickly and easily. This got me thinking about what factors contribute to the successful adoption of new technologies and software. Usually software programmers are focused exclusively on core functionality and usability and not on how fun the program is to use. This is especially true of line-of-business applications like SAP, Salesforce, etc.  BORING!!!!

So, I wonder is there a role for fun and playfulness in today’s professional office that will encourage productivity, creativity, better outcomes and improve the work environment? I’m not talking about the ping pong and pool tables or video games of the Dot Com/2000s work environments. I’m talking about making fun and playfulness an integral part of daily tasks, programs, etc.

Fun is like dessert, there’s always room

I remember entering the workforce after college and marveling at how seriously people took their jobs and how stressed they’d become. Of course, I had no real responsibilities at the time except a car payment. In hindsight, I wasn’t very sympathetic to my coworkers with kids, mortgages, bills, etc. I would get so mad at how their desire for predictability would prevent them from trying anything new or taking on any new risks.

In this first job, I was tasked to educate a workforce who didn’t use email, had limited exposure to the Internet and relied heavily on manual logs, to start using modern computer and Internet based systems.

After deploying a new Exchange based email system, new high speed Internet (384K fractional T1) and all new computers, I set to work to try and get people to use these new systems and show their value to my bosses. I created daily and weekly games asking users to run through virtual scavenger hunts and trivia questions, and to search for information online on any one of the many search engines of the time (Altavista, Lycos, Yahoo, Excite, etc.; Google didn’t exist). People played along, we had fun and it worked! They learned how to effectively perform Internet based research, use email, and get Internet based driving directions!

Successful technologies and companies know the power of fun and play, go ask Facebook, Youtube, Woot and Giphy!

One company you’ve probably never heard of is Giphy. This company is built 100% on having fun and helping people express themselves. They collect, license and curate animated gifs and then make them available to many platforms including Slack and Teams, so users can insert the perfect animated images to show how they feel, creating more fun interactions with friends and coworkers.  Now that’s fun!


Fun play keeps us engaged, creative and helps us stay relaxed and lucid. My grandfather taught me the value of fun when I was young. He was a constant tease and prankster. My family tells the story of when he brought a cow to the top of the Brown University Clock Tower knowing full well cows can easily go upstairs but not down.

Facebook and Apple use Fun to disrupt markets

Looking to grow their business beyond the confines of social networking, Facebook has started moving into the business world with their new product Workplace by Facebook. It is a new work focused messaging and productivity platform to take on the likes of Slack, MS, and Google! With a huge existing user base who knows their product, a product built around fun and play, Facebook is in a position to totally disrupt and take over as the business communications and collaboration platform of choice.

Apple turned the business phone market on its head in 2010 with the introduction of the iPhone. Users and developers flocked to the new platform because it was fun and flouted the restrictive conventions that the Blackberry products adhered to, including using a physical keyboard and minimizing bandwidth use. They effectively put BlackBerry out of business and supplanted them as the business phone platform of choice.

Diverse work environments with young people are important, and fun!

As a traveling consultant, I get to see the inner workings of many businesses. Based on that experience I think keeping a diverse workforce with young people is important. Young people don’t seem to have the same problem with embracing fun and new technologies as older people, myself included. I always learn something new and fun when I hang out with the younger staff at client sites.  They are less rigid, more easily see the flaws in existing thinking and are more willing to take chances.

Is there a place for fun and play in my business?

I am convinced that having fun is critical to the success of my business.  We are in a customer service business. We are the first people our clients call when things don’t work. Even though this is what we are here for, it is hard to regularly be on the receiving side of this negativity. It is easy to get burned out.

But we survive with daily, silly group rants, silly Giphy images, and occasional company outings. For me, this creates a sense of community (even though we’re constantly spread out), elicits an occasional laugh and helps me keep perspective during what can be long days.  I think this elevates our service to our clients by keeping us happy and able to respond to our clients positively.

I don’t know if this approach will work for everyone, but I do think fun is powerful and can help with many businesses and organizations. I’ve seen successful sales and client service teams leverage silly messages to customers.

For example I once got the following message from one of our technology partners at the bottom of one of his emails.

“Also, if you’re having a bad day and stressed out here’s some baby elephants to cheer you up. http://i.imgur.com/zCiJtRd.mp4 “

Of course, in today’s heightened security-minded environment, clicking on random links in an email is not advisable, so I’m not sure this is the best approach. But it was an interesting idea and the message did make me smile.

I don’t really know if there is a formula for fun and play in the workplace. In fact I suspect using a specified prescription could be experienced as formulaic and have the opposite effect. But I know for me it is a matter of keeping things light, remembering we’re not in the heart surgery business and that we should all be here by choice.


In a Cloud world, does backup still matter?

If your business is in the Cloud, don’t let ignorance be bliss. You may regret it!

I recently worked with a client, a law firm, on their Business Continuity plan. A Business Continuity plan is simply a document that spells out how a business will respond to different kinds of business interruptions including systems failures or catastrophic events.

Like many businesses, they’ve been working to migrate many of their systems to the Cloud. As I reviewed the different failure scenarios (i.e., fire/natural disaster, hardware failures in the office, Office 365 becoming unavailable, a Cloud app becoming unavailable, etc.) we realized that, unlike the in-house systems where we have multiple backups, online backup and failover, we really had no way of recovering if the Cloud solutions became unavailable or lost their data. The only option was to wait for the service to become available again and hope to recover the data.


A Cloud Provider Perspective: Trust us, our availability and retention systems are enough!

Several years ago I sat in a seminar put on by Microsoft for its Partners designed to educate and promote their evolving Cloud solutions including Office 365. One of the Partner participants asked “how are we supposed to back up the client data in Office 365?” The Microsoft representative seemed totally puzzled and annoyed. He simply said the systems will be available and offered an additional MS solution to enable mailbox archiving for an additional cost. For Microsoft Partners, this was a shocking perspective since MS has been promoting backup best practices through their certification programs for years.

This kind of laissez faire response about backup is typical among Cloud providers. The Cloud is supposed to be simple, secure and easy, like turning on the switch from a utility. It turns out that backing up your data offline from a Cloud solution is difficult and is often an unbudgeted cost. So these questions are often swept under the rug by the providers and ignored by the subscribers.


Availability and retention, how does it differ from Backup?

Most Cloud solutions rely on availability and retention solutions to protect your data. This means they have sophisticated systems and redundant infrastructure so that if their system suffers a failure, their systems will remain available. They also keep multiple versions, changes and deletions for a certain number of days. But it’s important to remember that availability and retention are not a backup strategy.

A backup strategy employs unique copies of data in disparate systems, physically separated from production systems. It employs good retention policies that keep copies of data for at least several months, a year or possibly longer. A good backup strategy also takes into account recovery of data to the production or a backup system and how long that recovery will take (Time to Recovery).
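The distinction above, as an added illustration that is not from the original post: a small model in which the provider purges deleted items after a fixed window, while an independent backup on a separate system keeps its own copies for much longer. The policy numbers and the loss scenario are constructed for illustration and are not any provider’s actual terms.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ProviderRetention:
    """Provider keeps deleted/changed items for `days` after the change, then purges them."""
    days: int


@dataclass(frozen=True)
class IndependentBackup:
    """Copies on a disparate system: one every `interval_days` starting at
    `first_backup`, each kept `keep_days`; a restore takes `restore_hours`."""
    first_backup: date
    interval_days: int
    keep_days: int
    restore_hours: float


def recoverable_by_retention(deleted_on: date, noticed_on: date, r: ProviderRetention) -> bool:
    """True only while the provider's deletion/version window has not expired."""
    return (noticed_on - deleted_on).days <= r.days


def latest_usable_backup(deleted_on: date, noticed_on: date, b: IndependentBackup) -> Optional[date]:
    """Most recent copy taken strictly before the deletion that still exists when
    the loss is noticed, or None if no such copy remains."""
    if deleted_on <= b.first_backup:
        return None
    elapsed = (deleted_on - b.first_backup).days
    candidate = b.first_backup + timedelta(days=elapsed - elapsed % b.interval_days)
    if candidate == deleted_on:
        # A copy made on the day of deletion may already lack the item; use the prior one.
        candidate -= timedelta(days=b.interval_days)
    if candidate < b.first_backup or (noticed_on - candidate).days > b.keep_days:
        return None  # no earlier copy, or the copy itself has aged out of the backup set
    return candidate


def recovery_assessment(deleted_on: date, noticed_on: date,
                        r: ProviderRetention, b: IndependentBackup) -> dict:
    """Which mechanism can still restore the item, how much work is lost, and the Time to Recovery."""
    snap = latest_usable_backup(deleted_on, noticed_on, b)
    return {
        "provider_retention": recoverable_by_retention(deleted_on, noticed_on, r),
        "backup_snapshot": snap,
        "work_lost_days": None if snap is None else (deleted_on - snap).days,
        "time_to_recovery_hours": None if snap is None else b.restore_hours,
    }


if __name__ == "__main__":
    # Constructed scenario: weekly offline copies kept a year versus a 30-day provider window;
    # a document deleted 20 March 2017, the loss noticed 51 days later.
    print(recovery_assessment(date(2017, 3, 20), date(2017, 5, 10), ProviderRetention(30),
                              IndependentBackup(date(2017, 1, 1), 7, 365, 8.0)))
```

In the constructed scenario the provider window has already closed, so only the independent copy from 19 March can restore the document, at the cost of one day of work and the eight-hour restore.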


So how secure is my data on the Cloud? The truth is cloudy

I looked at the Service Level Agreements (SLAs) and Master Service Agreements (MSAs) of several of the big Cloud providers to see what they actually do to protect your data.

Salesforce – Salesforce’s agreement seems to be one of the most limited I’ve seen on the market. Their MSA says they will “…use commercially reasonable efforts to make the online Services available 24 hours a day, 7 days a week, except for:… (list of exceptions)”. There is no statement ensuring backup of data or change retention. They also clearly spell out that the most they can be liable for under any circumstance is 12 months of services paid. If they lost all of your Salesforce data or couldn’t recover your account for 1-2 weeks, is that enough for you to stay in business?

Microsoft Office 365 – MS’s SLA is a bit more confusing, as they provide a financially guaranteed uptime formula for compensation called Service Credits. Service Credits “…are your sole and exclusive remedy for any performance or availability issues…” The uptime guarantee makes no guarantee of data integrity specifically, but they do spell out all the efforts they make to protect your data. Like Salesforce, they also make no claims of backups.  They do indicate they replicate data between 2 or more geographically disparate data centers and make other specific efforts to prevent data loss. If MS lost some or all of your data or couldn’t recover your account for 1-2 weeks, would receiving the financial benefits described in the Service Credits be enough for you to stay in business?

G Suite/Google – Google provides their Terms of Service as well as an SLA, but provides very little detail in terms of data protections or guarantees. They do offer an additional document on security here, which outlines some of their technologies and systems to protect customer data. The TOS and SLA specifically address “down time,” the period for which their services are unavailable.  They offer similar language to Microsoft and offer Service Credits as a customer’s “…exclusive remedy for any failure by Google to meet the G Suite SLA.” If critical Google Docs become corrupt or unavailable for an extended period of time, how resilient would your business be?


What is the risk, is Google/Salesforce/MS likely to lose my data or go offline for an extended period of time?

The short answer is no, it is unlikely and the risk is low that any of these large Cloud solutions providers will lose your data or will remain offline for an extended period of time.

These providers are heavily invested in the protections of your data and the availability of their systems. For their own credibility and future of their business, there is a heavy burden to make sure their systems meet the expectations and needs of their users. One major loss of data or extended down time could significantly hurt their credibility and possibly put them out of business. It may be the case that some of the smaller and niche Cloud providers represent a higher risk though, as they likely don’t have the same systems and resources that MS, Google and Salesforce do.

But hope and ignorance are not a plan and there is always some risk. These Cloud businesses work on large scales, so the loss of 100 Google Docs, while important to you, is likely not going to rock the Google ship! Getting resolution to 1 or 2 missing or corrupt Google Docs is not going to get a fast and personalized response even if they are critical to your $1M contract.


Betting on the Cloud is like going on a cruise

When I think about the question of risk with Cloud services, I always think of going on a cruise. Cruise ships are sophisticated giants, like floating cities, that roam the World’s oceans. They rarely have problems and have so much girth and sophistication that they can manage most challenges (weather, systems failure, medical emergencies, food, etc.). But when things do go wrong, the outcomes can be disastrous. You do not want to be stuck on a cruise ship during a major storm, system failure, Norovirus outbreak, etc. And we still keep lifeboats on board for a reason.


What should I do, I love what the Cloud does for me and my business

No one is arguing for not using Cloud solutions. In fact, leaving Cloud solutions out of your business’s technology arsenal will limit your competitiveness. But business owners and managers must treat Cloud solutions as critical business relationships rather than as a “utility,” as is promoted by the Cloud industry.

To make sure your business is strong, you must make sure these relationships are strong. Business owners and managers should do the following:

  1. Evaluate what Cloud solutions are in use and what functions they play within your operations
  2. Determine risks to your business should Cloud service or data become unavailable
  3. Evaluate existing contracts and determine what can be changed or enhanced to limit risk
  4. Implement backup and recovery solutions to mitigate identified risks
  5. Evaluate business continuity and cyber insurance to ensure your risks are properly covered
  6. Review Cloud relationships regularly to make sure your plans are still adequate for identified risks and newly identified risks

Ultimately, managing a Cloud solution is no different from what we’ve been doing for years to manage internal in-house infrastructure. Going to the Cloud has not eliminated the risks of technology failure; it has only shifted the operational burden. The risks still need to be identified and managed.