Thursday, 31 January 2013 19:30

How to strengthen your weakest security link

If you are a C-level business executive, have you ever stopped and given serious thought about how much confidential data is in your email?

If you are like most executives, you have full financial statements in Excel attachments. You’ve got emails surrounding confidential business deals, acquisitions and the like. And you’ve got information in there that would be of great value to a competitor, like client lists or top deals that have closed.

Now stop and think again — where is this data all stored? For 99 percent of us, it exists on our mobile phone, says Zack Schuler, founder and CEO of Cal Net Technology Group.

“It’s on that device that we leave laying around just about anywhere: on our desk, on a table at a restaurant, in our gym bag, in our golf cart, in our car, in our hotel room, by the pool — just about anywhere,” Schuler says.

Smart Business spoke with Schuler about the need to protect company data contained on cellular phones.

What should companies do to protect data on cell phones?

Companies spend thousands of dollars protecting servers with firewalls, locked doors, complex passwords, etc., but how much money or time do they spend protecting the data on cell phones? Probably almost none.

One could even make the argument that if a cell phone was compromised or stolen, a thief would have a much easier job getting to the data that he’s looking for, because it’s all organized nicely in folders. A folder might even be labeled ‘private,’ ‘confidential’ or ‘financial information.’ You get the picture.

So what’s the solution? You need to treat the mobile devices that access your network just like you treat the rest of your network. You need to manage them and manage the security around them. This is why the term ‘mobile device management’ (MDM) has recently come into the spotlight.

What is mobile device management?

It is a centralized system that manages all of the mobile devices that connect to your network. It is a piece of software that is downloaded to a mobile device and then communicates back to the corporate network, letting you do all kinds of nifty security things. First and foremost, it can force any user connecting to your email server to use a password. Sure, you can set a companywide policy that they need to have a password, but lazy people will turn it off. With mobile device management, they can’t turn it off.

How secure is that four-digit pass code anyhow? If I were someone who knew you and wanted to get into your phone, I’d try your birthday, your year of birth, your address, the last four digits of your Social Security number, the year you got married, the last four digits of your phone number, etc. I’d probably have a pretty good chance of being right. With the right MDM solution, you can actually have the software wipe your phone after X number of incorrect password attempts. How cool is that? You also can do things such as limit access to app stores, set Web browser security preferences, restrict use of the camera and more.

What happens if a phone is lost?

You call your IT department or support provider and they wipe your phone, which can be done even without MDM. But what’s even better is that you can go to the Verizon store, get a new phone, and your IT department/provider can send you a text containing a link to download your MDM app. You download the app, and they can provision your email and the rest of your phone — think remote desktop support for your phone.

Regardless of whether your employees have their own devices or if they are company issued, if they connect to your network, they must be secured.

Zack Schuler is founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.

Insights Technology is brought to you by Cal Net Technology Group

Published in Los Angeles
Friday, 30 November 2012 19:40

How to keep your IT department up to date

Many organizations have in-house IT staff that has been around for a long time. However, if the organization has not invested in employee skills, there is a tendency for complacency and stagnation, says Lou Rabon, Cal Net Technology Group’s information security practice manager.

“This stagnation comes in the form of believing that solutions the in-house IT people are providing are the best ones out there based on their experience,” Rabon says. “For loyal IT staff, their experience is usually only in one environment, and if no new education or experience has been acquired, then an element of risk is introduced into the organization. Not only will the organization be getting outdated and inadequate service and solutions, but the risk introduced may prove to be fatal to an organization’s data, as well.”

Smart Business spoke with Rabon about how to spot IT staff stagnation and what steps to take to address the problem.

How critical is the need to update IT skills?

Information technology experiences paradigm changes over very short periods of time. New, disruptive technologies are appearing all of the time, sometimes in as little as months. In information security, this trend is even faster, where minutes and seconds can separate effective solutions from completely inadequate, and expensive, defenses.

What are signs that IT staff might have stagnated?

If your IT person has been doing the same thing since 2007, you can be assured that there are going to be problems. Large and small companies should take stock and ask:

• Does current IT staff/policy favor convenience over security?

• Are there direct remote connections to machines because a virtual private network or remote access solution was considered too complicated or not possible?

• Are there passwords that are not complex or do not change?

• Do easy-to-remember — and therefore easily crackable — administrative passwords exist that have access to sensitive data?

• Is there a lack of visibility on the network?

• When problems occur, is root cause rarely determined and downtime frequent?

• Is there resistance to change?

• Are overly technical and confusing answers given when approached for advice or questions?

These are just some of the more obvious ways to determine if your current IT staff might need a knowledge refreshment or replacement. Unfortunately, most internal IT staff will believe everything is being done right, despite evidence to the contrary. This is what psychologists call the Dunning-Kruger effect, ‘in which unskilled individuals suffer from illusory superiority, mistakenly rating their ability much higher than average.’

What steps can be taken to address this problem?

The first might be to look at how staff is managed. Maybe the reporting structure should be changed. In many growing organizations, IT will typically be CFO-led. Ideally, IT staff should fall under a COO or, better yet, a dedicated CIO who can look at the big picture of where an organization is headed and drive this strategy.

Another option is training. Incompetence of any staff might be a failing of the organization itself to properly invest in its work force. Picking the right training can be a challenge, but there are a number of solutions. Vendor training is an option and can typically be obtained at a reasonable cost, especially if the organization has used one vendor’s technology over a long time and can leverage fidelity for a reduced training cost. New vendors also can be looked at to displace existing technology and they may throw in training as part of a purchased bundle. Many specialty organizations offer training such as A+. For security, the SANS Institute has an excellent Security Essentials Boot Camp, which can start to embed some of the basic tenets of security for any staff working with sensitive information or information technology. Finally, continuing education at a local university and even some of the free courses released by institutions such as Stanford might be a good way to stimulate critical thinking and encourage the staff to refresh its skills.

Another solution, which could be the easiest, is to augment the staff with outside talent. Bringing in an outside consulting firm can give an internal IT department a kick in the pants. Personnel will respond differently to this, with some seeing it as a threat and others embracing the help. Both perceptions can be helpful. An outside firm will help you navigate the technology, but more importantly, a good outside firm will help you identify who in the organization you should keep and who should go.

What about outsourcing all IT work?

Some organizations are much better off going in this direction, depending on what internal resources are available. IT, in and of itself, is a business, and, if you’re a small to mid-sized company, you might want to ask yourself, ‘What business am I in?’ For those organizations that prefer to concentrate on their core competency, outsourcing is a great solution. Doing so can help dramatically reduce costs, increase efficiency and productivity, and increase the security posture of an organization. A good IT outsourcing company is continually investing in its team, and because it sees many different IT environments, it is in a unique position to see what works best and provide those best practices to its clients.

Risk in any organization must be managed and mitigated as much as possible. Continuing to employ or engage unskilled or inadequate IT resources introduces an unacceptable level of risk. Your first step is to take a hard look at your organization, and evaluate whether or not you need to invest in IT skills or bring in external resources to best manage the information assets of the organization.

Lou Rabon is information security practice manager for Cal Net Technology Group. Reach him at (818) 721-4414 or lrabon@calnettech.com.


Microsoft SharePoint is a product that invades your company culture, in a good way.

“In its most basic sense, SharePoint is an intranet, used primarily by companies to increase collaboration and efficiency,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “The current version is SharePoint 2010, but it has been out in some form or fashion for the last eight to 10 years.”

Smart Business spoke with Schuler about how SharePoint works and how to determine whether it makes sense for your organization.

How does SharePoint change the way your company operates?

Again, it is an intranet, which means it is a place where workers will spend their time when it comes to tasks like document management, or when they need a central place to collaborate on a new project or idea. It can be used as a portal where you can post metrics and key performance indicators of how your company is doing in different areas. SharePoint displays that data in a way that is meaningful to your employees. It is also frequently used for workflow applications.

How can SharePoint improve workflow?

Here’s a basic example. Let’s say an employee wants to request time off. At Cal Net, they will go to the HR SharePoint team site and enter the days they want off. The SharePoint site integrates with our HR information system and notifies the employee how many hours they have accrued for time off. The employee will submit the form, which will automatically be routed to their manager as well as the HR manager, then get electronically approved or denied, all through an automated routing system.

SharePoint can handle just about any business workflow you can think of, and it does an exceptional job with it.

It integrates well with Outlook and the entire Microsoft Office stack. It integrates natively with SQL Server, so it can integrate with an accounting application to pull and display data that is meaningful to employees.

How does SharePoint help employees make better decisions?

Let’s say the company shares the gross margin percentages of each department with the department head. There are three ways to do that. The first way is to have the CFO or controller log into the accounting system, look at the gross margin and e-mail that to the department head. That is a lot of work.

The second way is to give the department head access to the accounting application and let them look themselves. Most companies probably aren’t going to do that.

The best way to do it is to pass that data along in an automated fashion to the SharePoint team site and present that department head with the data they need to see: the gross margin or sales of that department. Then, the department head can use that information to make better decisions.

How does SharePoint foster collaboration in the workplace?

Here’s an example of how SharePoint can be used in collaboration. If three people in a department are all working on a procedure manual, the traditional way of accomplishing that task is for one person to work on it, then e-mail it to the next person. As the document goes back and forth, it becomes difficult to figure out what changes were made or who has the latest version. With SharePoint, you would simply post that procedure manual on the SharePoint server, then different people can check in and edit that document.

How can SharePoint eliminate the traditional computer files, folders and e-mail attachments?

Rather than documents getting stored in a particular folder, they are stored on the SharePoint site. Then, you assign ‘audiences’ who are able to view particular documents.

For example, if a document is one that all the staff needs to see, like an employee handbook, we will store that on what we call our ‘people’ site. This is where all employees would go for anything related to HR: handbook, insurance forms, company phone directory and calendar of days off.

Instead of sending file attachments, if someone asks you for the latest phone list, you send a link in their e-mail that takes them to the document on the SharePoint server. Then you don’t have to worry about a company phone directory floating all over the place.

What about security and difficulty of setup?

All of the individual SharePoint team sites are set up on the SharePoint server. For example, you can have a management team site where you would store all management-related information. You would have to be in the management group to get to that site. If you’re not in that group, you won’t even know it exists. When you go to the listing of sites, only the ones available to you are shown. No one will click on a group site and get an access denied message – they just won’t see it in the first place.

At its most simplistic form, it is a day or two worth of work. But when you start digging into it, the possibilities are limitless. That can take more time.

How can a company determine if SharePoint would help them?

Every company has documents, so it’s going to be valuable for every company. However, it is especially useful for companies with no formal automated workflow or document management system.

If a company already has a business automation system in some sort of software application, there might not be an advantage. But most small and medium-size companies don’t. Those are the companies that can benefit the most from SharePoint.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com with any questions about SharePoint.


As fears of identity theft and online privacy concerns increase, PCI compliance has become a vital priority to any company that deals with credit card information. If you allow customers to pay with a credit card, you have to pay attention to the regulations and stay compliant. The consequences are severe: Just one data breach can wreck your company’s finances and reputation in one fell swoop.

“Everyone is bound by PCI compliance,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “It doesn’t matter if you are a small, ‘mom and pop’ hardware store or a national retail chain; if you accept credit cards, you have to adhere to the rules.”

Smart Business spoke with Schuler about what business owners need to know about PCI compliance, and how to ensure your business isn’t breaking any rules.

What is PCI compliance?

PCI compliance is a standard that has been required by the credit card companies that defines the way that anyone who accepts a credit card has to protect that card information. It is a very specific standard that outlines all of the data protection requirements, as well as the physical security requirements and all types of other issues as they relate to security, with the end goal of making sure the card information is protected.

Regardless of whether you are a small, one-location business or a national retail chain, everybody is bound by the rules of PCI compliance.

Why is it important for companies to be compliant?

The first reason it is important is because if your systems are hacked, and you are PCI compliant, the chances of the intruder being able to get to some of your protected credit card information are quite slim. If you follow the security protocols outlined in the compliance standard, you should be all right.

Now, if you are not following the rules in terms of protecting that credit card data, you probably won’t be as lucky. For example, if your point of sale system that collects credit card information does not encrypt the swipe data, then that POS system is more easily compromised and hackers would be able to take all of that data.

What will happen in that situation is the credit card companies will be able to link the breach to you, because they have very sophisticated software programs that track where the breach happened, and narrow it down to a single location at which a credit card was used. When they collect all the different cards that were part of the breach, and they see that all the cards had one thing in common — this particular location on this particular day — you’re in trouble.

What type of trouble is possible in the event of a breach?

‘Trouble’ involves being fined by the credit card companies. There are different levels of PCI compliance to which companies must adhere. The compliance goes from level 1 to level 5. A small mom and pop store will be at level 5, because they are not collecting a ton of credit card information. A national retail chain or eBay will be at level 1.

However, if your company is at level 3 and the company is subsequently hacked, you immediately have to build up to the security protocols of a level 1 company. And the necessary work to put in those most stringent security protocols is astronomically expensive.

Why should companies pay attention to this issue sooner rather than later?

Cyber crime is on the rise. On a go-forward basis, it is just going to keep becoming more of an issue. More and more companies are getting hacked. That is the reality. There are hacking toolkits out there that make it easy to hack companies. More and more companies are having their credit card information stolen from them. If your company is taking credit cards, it’s your job to protect the consumer and not share that information with anyone else. If you are hacked, the credit card company will find out about it and it will be expensive.

Also, if you don’t comply with what the credit card companies are asking of you, they will make it so you can’t take credit cards anymore.

How does a company know what level of compliance it must reach?

Anyone who accepts credit cards has received a self-assessment questionnaire from the credit card company. The credit card companies will tell you, based on volume and other various factors, what compliance requirements are necessary for you.

What steps should be taken to ensure compliance?

The first and best step is to hire a company that understands PCI compliance to come in and assess your computing environment to determine if you are in or out of compliance. If you are out of compliance, an assessment will help you determine what steps are necessary to regain compliance.

Next, going through that self-assessment questionnaire on your own or with your information technology team, because a lot of the questions are IT-related, will give you a good idea of your current compliance status.

If you’re going through the questionnaire and it asks a bunch of technical questions like ‘Do you have a firewall in place that segregates your network traffic?’ and you keep answering no, it is probably pretty likely that you have some work to do. The questionnaire can provide a good indicator of whether your company is compliant or not.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.


You may not want to think about it, but it’s bound to happen sooner or later: turnover in your IT department.

“Not a day goes by where we don’t receive an emergency phone call from a frantic executive with a story that we hear time and time again, ‘My IT guy has just quit, and he has all of our passwords, and we can’t do anything without him,’” says Zack Schuler, founder and CEO of Cal Net Technology Group.

Many companies don’t plan for this sort of exit, though this type of exit will be inevitable for every company at some point or another. It is safe to say that no one stays with a company forever, and when IT people leave, it can be especially painful.

Smart Business spoke to Schuler about how to put the proper backups and protocol in place to keep operations running smoothly even after the departure of trusted IT personnel.

What protective measures can businesses take to be ready for the departure of a key IT person?

1) Insist that your IT folks provide you with administrator and all passwords that they are in possession of. There is nothing worse than an IT person leaving, and not being forthcoming with password information. If you make this a requirement early, and ask for any changes often, you shouldn’t have an issue getting the information that you need. There are pieces of software that you can buy to securely store your passwords that you can give two or more people access to. The key here is making sure that there isn’t one person who has the ‘keys to the kingdom.’

2) Your IT team should provide you with complete and comprehensive network and systems documentation. I could fill up this article with the list of everything that should be documented, but let’s leave it simple and say that everything related to IT that has a power cord should be documented. Also, it is not good enough to document it once and then walk away, but a routine and methodical process of having it updated, at least quarterly, is a critical step. IT changes quickly, so you always want to have up-to-date documentation.

For some companies, this will be hard to get. For many companies, they’ve asked this of their IT folks, and it hasn’t been produced. Why? Most of the time, the pushback from IT is, ‘I have other, more pressing issues that get brought to my attention every day, and documentation always gets put on the back burner.’ One tip we’ve used here is to ask the IT folks to come in on the weekend (and offer to pay them if they are hourly, which they likely are, or at least should be), in order to get documentation done, uninterrupted. It doesn’t take that long once they get into the groove. If IT still pushes back, hire a company to come in and do the documentation for you. You’ll get it done, and have the benefit of an audit of your IT person’s work.

Once this is done, and done well, if the IT person leaves, it is a lot easier to have someone jump into their shoes and take over quickly.

3) Do your best to ensure that your IT people are cross-trained to the fullest extent possible. If you put a serious cross-training program in place, it may save you in the long run. It also gives you the opportunity to feel like you are not tied to a ball and chain with any one IT person, and it makes them replaceable, if need be.

4) Develop a ‘lock out’ procedure. In the event that an IT person leaves, or is asked to leave, it is important to have a lock out procedure documented, and a plan in place to execute it. As soon as or just before the person is out the door, you should disable their user account and wipe their cell phone, if it is company property. Also, many times it is wise to have the user community reset their passwords, as, in some organizations, the IT guy had access to those as well. An exit agreement drafted by your attorney that lets them know that they are to give back any confidential information is advisable as well.

5) Hire an outside firm to be your backup. One of the duties that we fill for many of our clients is the role of backup IT provider. Most of our clients have an in-house IT staff, and we work with their staff on issues that they don’t have the skill sets to tackle themselves, or in areas where there is simply more demand than supply. Many of our clients hire us to help out, with the secondary benefit of being able to rely on us should an IT person quit or be let go. We are able to fill in for that person with minimal interruption because we’ve become familiar with the environment. Sometimes the company realizes that just part-time consulting work is all that they need, and other times we continue to work full time until they’ve backfilled us with a new resource, who we then train. Having a backup IT provider can be a very smart move.

It’s not always well received when the backup IT provider is brought to the table, as internal IT usually feels threatened. That being said, in almost every case, we work alongside that person well, and they get to understand our value. In many cases, we become the reason that the IT person is able to go on vacation, as we become his or her trusted resource. We want to become the IT person’s trusted resource, as well as the executives’ trusted resource, should the employment relationship go awry.

In short, protecting your IT environment means making sure that you have control over it. Nobody ever got fired for being prepared.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.


When it comes time to search for an IT consulting partner, there are a lot of areas that you should consider before selecting a firm. According to Zack Schuler, founder and CEO of Cal Net Technology Group, it takes a specific skill set to understand and address the technology issues that businesses face.

“Over the years, we’ve taken over from sub-standard providers, and I’ve seen some pretty bad work that our clients have paid a lot of money to get done,” he says.

Smart Business spoke to Schuler about how to choose the right IT partner for your business’s needs.

How can business leaders best approach the process of finding the right IT firm?

In my experience, there are six things to look for when selecting an IT consulting partner:

1. Years in business. I’ve seen a ton of ‘fly-by-night’ IT companies. They usually start with a very technical owner, who has difficulty hiring and managing good people, and are out of business within three years of getting started. When looking at years in business, it is important to see whether or not the company survived the last recessions. For example, if they started their business in the ’90s, they’ve been through the dot-com bubble, as well as the latest recession. If they survived one or both, that is a good sign. My recommendation: if they’ve been in business less than five years, I would steer clear.

2. References from your industry. Even though many of the IT systems are the same across industries, there are some industries that have their idiosyncrasies. For example, with accounting firms, an IT provider familiar with that industry would plan upgrade projects in November. Then, between the Christmas holiday and April 15th, they wouldn’t make any changes unless absolutely necessary. And while they might not be experts in tax accounting software, they have enough experience with the packages to know when to call the software vendor when they run into an issue. My recommendation: hire an IT firm who can provide references in your industry, and call those references.

3. Industry certifications. IT is one of those areas where you don’t need any sort of minimum certification to practice. It’s like hiring a contractor without a license, or a lawyer who hasn’t passed the Bar. Because of this, it is important to see if the companies themselves have industry certifications. This entails their engineering team to have personal certifications, among other things that the company has to do. Also, check to be sure that their certifications are current. For example, they could have been a Microsoft Gold Certified partner two years ago, but haven’t qualified this year for the new requirements. My recommendation: look closely at industry certifications when selecting a partner, and make them prove their currency.

4. Strategic IT consulting. In today’s times, it’s relatively easy to find an IT provider who can patch your servers and workstations, update your anti-virus software, and fix your e-mail when it’s not working. These types of services have become somewhat commoditized simply by the fact that so many people can perform them. That being said, to find a company who can truly be a ‘strategic partner’ with your organization is another set of skills entirely. This would be a company who can, with your input, write a full-scale strategic plan around technology. They would be able to manage any other vendor you’ve got who provides a technological role, as well as track your IT assets, forecast your upcoming expenses, etc. These are duties typically involving an IT director or CIO, and you should have the expectation that a firm you work with, no matter your company size, should have these types of resources.

5. Number of employees. While even the smallest of IT organizations can have some very talented people, those talented people can’t know everything. It is hard to throw a number of people out there as to what the ideal number of people is. On the smaller end, somewhere between 15 and 20 people is a good number, assuming that they don’t have too many disciplines, nor cover more than a county or maybe two. You want to make sure the IT provider has great ‘back-office’ support (i.e. HR department that can hire quickly if they lose a key employee, good accounting department, etc.) as well as field personnel who are ‘local’ to your place of business, and have redundancy. In other words, if you have a ‘subject matter expert’ on your account who knows a specific piece of technology, you want to make sure that the IT provider whom you partner with has multiple experts on that technology as redundancy. My recommendation: ask how many employees they’ve got, and then go to their office to see their place of business. It’s an easy step if you are going to trust them with your IT.

6. Hiring and retaining. The last and perhaps one of the most important aspects to inquire about is how they hire and retain their people. I would encourage you to read our August article, entitled ‘Your toughest hire.’ This article outlines how to hire a good IT person, and I feel as though IT providers should be placing these same standards upon themselves.

In terms of retaining, there is no harder employee to retain than an IT employee, and this can spell bad news for you if the company that you are partnering with is riddled with turnover. Every time an employee at your IT partner turns over, there is going to be some knowledge lost — it is likely the idiosyncrasies of your business, but sometimes, that can be a lot. I think it is important for you to ask them, ‘How do you retain your people?’ An average sales person might not know the answer to this, but any member within their management should have a good answer for you. My recommendation: inquire hard about hiring and retention processes.

Zack Schuler is founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.

Published in Los Angeles

If your business isn’t completely dependent on technology, then you are in the minority these days. Given this dependence, protecting your business from an IT failure should be at the top of your priority list.

“Having been in the IT business now for 16 years, I’ve seen my fair share of close calls and, unfortunately, my fair share of outright disasters when it comes to IT,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “There are three particular disasters that stick out in my mind. In each of these three cases, the companies were taking nightly backups of their data, and they thought this was enough.”

Smart Business spoke to Schuler about how businesses can avoid these kinds of mistakes.

What are some of the worst disasters you’ve encountered?

The first case was a company that had a sprinkler break right above its servers. They were taking a daily backup; however, they left the tapes on top of the servers, and the tapes were drenched and basically unusable after the downpour. The server hard drives were sent to data recovery, and after several days the company was up and running again. Had the tapes been taken off site, the downtime would have been significantly less, though they still would have had a day or two of being down, which in most cases is not acceptable.

The second case was a company whose building burned down. Their current tapes were stored on site; however, they had an older set that was taken off site. After a painful data reconstruction process, and several months later, they were able to get back on their feet.

The last case was a company whose Internet went down for a week, due to a major telephone company issue that had their T1 down. This was their only connection to the Internet, and their business was highly dependent on e-mail, so this outage had a significant impact on their business. They lost a percentage of their revenue as a result of the outage.

Needless to say, none of the above companies were prepared for the type of disaster that they suffered, yet all of them were backing up their data. I’ve seen too many companies think that a simple backup of their data, whether it be to tape, disk, or the cloud (a.k.a., the Internet), is sufficient.

How can businesses avoid costly downtime?

Here are three important questions that you can pose to whoever manages your IT, and some tips that will get you one step closer to being truly prepared in case of emergency.

1. What is your plan in case of a lengthy Internet failure? The smart thing to do is to make sure that you have multiple connections to the Internet, over different mediums. Having a connection via a T1 and a DSL line is not a smart move, as they both traverse over the same strands of wire. An Internet connection through a telephone company and another through a cable provider is the way to go. This requires some complex routing and firewall work in order to maintain a seamless connection, but all of that will be well worth it when one of the two connections goes down.

2. What is your plan in case of a physical site failure, such as a fire, earthquake, etc.? Something as simple as a long-term power outage in your building can be a lot more common than one would think. On more than one occasion we’ve seen a building lose power for several days, and companies basically send their employees home. We had a client who was prepared in this scenario. They sent their employees to work from home, as they had a hot-site set up that employees were able to connect to from home and continue on with their work.

3. What is your plan in the event of a major hardware failure? Even if your equipment is under warranty, if a particular part fails on a server, and the vendor is out of stock on that part, you could see some downtime. I’ve seen this happen more than once. In this scenario, you should have a transition plan documented whereby you can easily move the data from this server’s backup over to another server, perhaps in a virtualized environment, to keep running.

What is the most common issue you’ve encountered with companies’ backup plans?

Perhaps the biggest overall error that I’ve seen companies make is that they don’t have any documented plan in place to recover from any of the above scenarios. Executives have been told that it’s all taken care of; their backups are off-site, and maybe they happen in real time up to a cloud provider utilizing state-of-the-art technology.

However, most companies simply don’t test their backups by going through a simulated failure. They assume that the backup is running, as they’ve been told. The No. 1 smartest action that you can take is to go through a simulated failure. Pretend that any of the above scenarios has happened, and try to recover from them. You’ll quickly realize that your IT department hasn’t thought everything through. Going through this exercise will be a great first step for them to figure out what they don’t know.

We assist IT departments with this type of work frequently, and we’ve never walked into a disaster recovery test whereby we didn’t make a tweak of some sort to make the plan better, thus more recoverable. Hiring an outside expert is certainly a great idea, but if you lack the resources to do so, another good move is to have one person in your IT department own the process of setting up the recovery plan, and then have another person in your IT department own the process of testing the recovery plan. If one person can test someone else’s work successfully, then you are well prepared.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.

Published in Los Angeles

“Not a day goes by where I don’t read a headline talking about ‘the cloud,’” says Zack Schuler, founder and CEO of Cal Net Technology Group. “The current, overused definition of the cloud is ‘anything that happens on the Web,’ but in the business world, the more accurate definition of cloud computing is leveraging someone else’s hardware/software and services in order to complete a business task.”

Smart Business spoke to Schuler about the role that cloud computing has played for businesses over the last two decades, and in what ways it can benefit their operations today and in the future.

How does Cal Net Technology use cloud computing?

When I started Cal Net Technology Group 15 years ago, we didn’t host our own e-mail server. We used an outside company (Earthlink) to host our e-mail, which, in essence, meant that Earthlink was providing ‘cloud services’ for us.

We also have been using an online payroll service for eight years now, whereby we enter our payroll data into a website, and they process our paychecks for our employees. Many other businesses might be doing the same. This is truly a ‘cloud service’ that has been around for close to a decade.

Some companies use an Internet-based product called Postini, which has been around since 1999, to scrub their e-mail for spam. I bring this up to point out that all of us have been leveraging the cloud for quite some time now, and we probably didn’t even think about it; in actuality, it really isn’t a very new phenomenon.

What are some examples of how businesses can move functions to the cloud?

There is a definite shift in moving some computing resources into another company’s data center in order to save you some headaches and, in some cases, time and money, as well. I use the word some with emphasis here, because if you think that your entire business is moving to the cloud anytime soon, you are probably mistaken.

The most prominent shift to cloud computing is the migration of e-mail back into the hands of hosted providers, similar to how it was 15 years ago. Microsoft is now in the hosting business with its Exchange Online product and will soon release Office 365. Don’t be fooled by the name though; this isn’t ‘Office in the Cloud.’ It’s really Exchange, SharePoint (an intranet product), and instant messaging (dubbed Lync Online) in the cloud, with the ability to ‘rent’ Microsoft Office on a per-user, per-month basis, with Office still being installed locally on your desktop.

In moving from an on-premise e-mail solution, such as Microsoft’s Exchange Server, over to Exchange Online, the migration has been very time-consuming, and thus very costly. These migrations have proven to be more costly than moving from one on-premise solution to another. That being said, there can be some significant savings in hardware and software costs, reducing CapEx spending for many companies. Additionally, after the solution is running, the ongoing maintenance of on-premise solutions will be gone, which should equate to a cost savings in the long run.

Google has made a significant impact in cloud computing with their Google Apps software. From what I’ve seen of the software, it is a good solution for individual use, and for the use of ‘micro-businesses,’ but it reminds me of Office 95 from a functionality standpoint. So, I couldn’t recommend this to any business that relies heavily on word processing within their organization.

Perhaps the most successful case study, and a company who I feel has truly made its mark by delivering software over the Internet, is Salesforce.com. They have a very robust feature set within their application, and I think it was remarkable what they were able to do early on in the cloud-based CRM space.

There are some other line-of-business applications that are cloud-based, as well, and truly deliver a rich user experience, but these are few and far between.

What are some challenges that businesses face with using the cloud?

In our experience with cloud computing thus far, the biggest challenge is integration among systems. With as smart as technology has gotten these days, many systems are now talking to each other. For example, your accounting system might automatically e-mail invoices to your clients utilizing your e-mail system. Well, if you are on a cloud-based accounting system, and a cloud-based e-mail system, and these are at two separate cloud providers, you could lose that functionality. When both of these systems are located on your office network, then the two systems have an open enough architecture that they can have their ‘hooks’ into each other and can truly integrate. This lack of integration is what stopped us from putting our e-mail into the cloud. We simply have too many integrated systems that make it necessary to keep our e-mail on premise.

Another show-stopper for many of our clients is the fact that you completely lose control of your data and uptime when you are in the cloud. If your business is 100 percent cloud-based, a simple Internet outage at your company, or at your cloud provider, means that you are sending people home for the day, and your customers are going elsewhere. No one asks about how your cloud provider is backing up your data either. Many assume that this is happening, but I can point to many examples of lost data in the cloud as well. This is not good if you are trying to run a business.

How can businesses determine what to take to the cloud?

Is the cloud here to stay? The answer is yes. Is it truly ready for prime time? My opinion is no. The wise approach to the cloud is to hire an IT firm with expertise in this area to evaluate your systems, determine the few that may be ready for the cloud, and take a hard look at the overall ROI in moving them.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.

Published in Los Angeles