ISOutsource is expanding to Spokane!

I am very pleased to announce our upcoming expansion into the Spokane region. We will be open for business as of May 1, 2016 with Matt Simmons taking the role of vCIO and General Manager of the Inland Northwest region. If you have an office in Spokane, talk to your consultant or contact sales@isoutsource.com about how we may be able to provide the same excellent levels of service for that office as we do for you here in the Puget Sound region!

At ISOutsource, we create HAPPY, PRODUCTIVE and SUPPORTED clients.

Contact us today and let us talk about how you can experience Happy Computing!

Richard Brunke – President & COO

Focusing on Security – An Overview

There has been a lot of news lately regarding security breaches, break-ins and data theft.   Some of the more recent incidents have involved a leveraged combination of weaknesses in technology and/or spear phishing attacks to allow unauthorized access to sensitive data.

When it comes to security, there are two key areas of focus

  1. The technology itself
  2. The people using the technology

Having the right technology, configured properly is good, but it isn’t enough; you must also train your people.

The Technology Side

  • Making sure the technology is secure is half the battle.  Let’s start with the basics that are easy and relatively inexpensive to implement:
  • Strong passwords on elevated accounts that are changed regularly
  • Don’t reuse passwords across multiple accounts
  • Set account lockout polices across all accounts and devices with alerting when an account is locked out
  • Run an Antivirus solution that uses the latest scan engine with definitions that are updated regularly.
  • Deploy application updates on a regular basis, not just Microsoft products, but those “other” applications too – Flash Player, Adobe Reader, Java, Firefox, Chrome, etc.
  • Regularly update firmware and embedded operating systems on servers, storage appliances, firewalls, switches, routers, printers, etc.  Basically, if it is connected to the network, make sure it stays up-to-date.
  • Resist the temptation and keep the Windows firewall enabled when connected to the domain.
  • Use a next generation firewall with intrusion detection and prevention services that are updated regularly.  These can go a long way to protect your network from external threats, including some Zero-Day exploits.
  • Disabling protocols and services that aren’t needed on servers and workstations, especially when they are Internet facing.
  • Encrypt portable devices.
  • Have a security response plan, which includes a good Disaster Recovery plan.  Make sure it has been tested.

I could go on (and on, and on), but I’ll make that a topic for a later time.

The People Side

Even with rigorous security practices, your network isn’t truly secure until your users are trained.  Nor is it good enough to train someone once. Training needs to happen regularly and multiple times per user.  Training outcomes also need to be tested.

When it comes to security training:

  • Train everyone, even if your organization has people that don’t use computers as part of their job.  Discuss important topics, such as:
    • Password management & security
    • How to identify fake websites, phishing scams and other targeted attacks
    • What business should and should not be conducted over email
    • Mobile device security
    • How to properly handle data, including portable media
    • Reporting suspected threats (or mistakes)
    • Security for those users that travel, especially overseas.
  • Train regularly and repeatedly.  Once a year should be a minimum.  Schedule shorter meetings each quarter that review key topics, including areas where you feel your users need a refresher and keep it relevant by discussing recent or current events.
  • Test your users’ knowledge.  Call your users and pretend to be “the new support guy or gal” – make sure you use an unknown or blocked caller ID.  See if you can convince the user to give up their password or install software on their computer.  Try the same thing via email.

The Balancing Act

There is a balance between security and usability, especially when working in the Small to Medium Business market.  Make your network too secure or too difficult to use and your organization will lose productivity, spend too much on IT support or, worse yet, your users will simply revolt and just use their personal equipment to do their work.  You’ll also find your users complex passwords written down on sticky notes attached to their monitors.  Be too relaxed and you risk viruses, ransomware or data theft or loss.  There is a balance, and finding it requires an iterative process that encompasses industry best practices with the business’ goals and user needs.

The Death of the Traditional IT Model

For decades now, there has been two opposing choices in managing IT- do it yourself, or outsource it.

With increasingly technical, business and compliance complexity, the old school concept of the fixed internal IT team is becoming increasingly expensive and unrealistic. The fact is, a myriad of IT skills are required in today’s IT environment, but rarely are those skills required full time, and they are expensive and hard to maintain and grow. Expensive and underutilized are rarely good bedfellows.

The industry answered the call for help of those seeking to avoid IT management with the all-inclusive fixed price managed service offerings. This brought about the rise of the Managed Service Provider (MSP) both big and small. These offerings, while compelling on the surface create another set of issues and uncertainty for business and often have unintended consequences.

First of all, the nature of the relationship is conflicting – the provider, in order to retain profitability must reduce labor costs on accounts by utilizing as little actual labor as possible and then using as cheap of labor as possible. The client is seeking services and is focused on ensuring productivity, wanting to maximize the service their provider offers. This rub creates an adversarial relationship, especially when you consider these are often multi year contractual relationships. In my opinion, no service provider should force you contractually to continue doing business with them. After all, if the service is fantastic, why would you leave? If they believe in their product and your satisfaction with it, then no contract should be required. After all, it’s not like they are recouping hard costs for getting you signed up (like with a cellular phone and a new service contract).

And of course all inclusive is a myth… as virtually all of these providers will have a list of exclusions that includes such things as hardware and software failure, viruses, etc. If you ever really read one of these lists of exclusions, your first response will be ‘really?’ It sort of looks like you pay a fixed fee for things to work then start paying extras when they don’t. Many times, these costs can greatly exceed the fixed cost, and always seem to come as a surprise, and the entire concept of ‘fixed price’ seems not to jive well with ‘exclusions’. So, that IT budget you set your contract to may be irrelevant and actual costs may balloon.

They also, to control the environment to their best ability, will NOT partner with any internal IT, ensuring that you have NO ability to operate outside of their control. Finally, they will place requirements on you in terms of your network, PC conformity, software conformity, etc to reduce costs and complexity. At some level, this sounds ok, but really, shouldn’t you have the technology you want and need, not that which is most efficient for your IT vendor to support? Isn’t technology supposed to enable productivity? Aren’t we in the age of mixed environments, mobile computing and cloud?

All of these things drive me crazy. As a business person, I expect my technology to support me, and my provider to do the same. I don’t expect to be given rules, limitations and exclusions.

But enough of a rant on what is not working… So, what is the answer?

Actually, the answer is simple and compelling and it has to do with the integration of multiple modes of support to best meet your business needs, size, budget and complexity. It is what we are calling Flex-Sourcing at ISOutsource. It is a partnership between internal IT, and a menu of services that can be delivered in multiple ways to meet your business needs. Frankly, if you have high maintenance users and they need to maintain productivity, then you should have full and unlimited access to support. That should be available from a dedicated local team of IT professionals large enough to handle multiple simultaneous instances of support and should be something you can do on a fix price or time and materials basis depending on your need and budget.

Also, key expertise should be available on an as needed basis as well as included in any proactive plan with scheduled visits on a monthly, weekly, or daily basis depending on your needs. In house IT should be sized appropriate to ongoing daily workload and should have general skills to take care of ‘normal business’ (depending on the size of the business, this may include NO employees, or dozens of employees) and key expertise that is rarely needed (but when needed is critical) should be outsourced. Outsourced IT should be a mix of proactive planning and reliable and immediate reactive services with a broad base of technical and consultative skills with a team large enough to ensure consistent support throughout the year (ever have that lone IT consultant go on vacation then have a server go down?) with a primary team of consultants familiar with account and able to provide backup as needed. Your IT consulting partners are there to enhance your existing team, partner with them and make them look good, not replace them. They are there to help adjust to large project needs, cover vacations, provide key skills and offer consultative support and training.

All of this can be done within a budget and within your required cost parameters. The idea that time and materials = suck your bank account dry is simply counterproductive and not sustainable as a business model. By intelligently budgeting a mix of proactive work to reduce downtime and reactive expected hours, you can have a very accurate budget to spend to with controls to keep an eye on things. When an emergency occurs, spend will go up, but when things are running well, spend can be lower than normal. Additionally, the team can rapidly flex up or down based on changes in your business and adapt to your needs, which is another challenge with fixed long term contracts.

Ultimately, the goal of IT is to ensure that your business is supported by its technology. This requires an increasing based of expertise that can become so broad based that it makes no sense to hire individual experts for every need. The days of needing a support desk person, a network engineer, and a software support person are gone for the most part. The managed service provider model of ‘simplify, reduce costs, reduce complexity, reduce support’ sounds reasonable until you realize that your need is to ‘increase productivity, enhance competitiveness and grow your business’. Those two differing sets of requirements may not match up well in many cases, though there is a place for that model too.

So, while internal IT is NOT dead, the expectation that you should hire a person for every need should be dead (or the costs of it will destroy your business). Nor is the concept of managed IT services dead… though it is fitting into a more narrowly defined space in the market all the time. Service providers have to flex to fit your needs. Cloud computing and the growth of bring your own device and mobile computing (amongst a host of other technical, business and compliance challenges) are changing how you want your technology and support delivered. Never forget, you are the customer, it is your business, and technology is the foundation upon which your productivity will be built in many cases. Expect more from your IT provider. Expect flexible solutions that can go where you need them, at a cost that makes sense, whether you have no IT employees and don’t want any, or you have a large team and simply want a partner, to anything in-between.

IT has come a long way, and is continuing to evolving rapidly. Its time to stop holding onto the past and flogging dead IT models that can’t meet your needs.

The right approach to IT will leave you feeling Happy, Productive and Supported. And it has always been about Happy Computing!

Richard Brunke

Okay, I get that you may not like change. I understand that Windows XP is like a trusted friend who’s been at your side for a decade or more. I get that it works, and hey, if it ain’t broke, why fix it…

Really I do understand. But you really don’t have a choice anymore, and the fact is, it is broke, and about to get a lot more broke…

Before I even get into the security reason you HAVE to upgrade to a newer version of Windows, there are some legit other reasons too! For starters, there is new functionality in newer versions of windows (7 or 8) that are time savers. Things like management of windows (maximizing and minimizing, snapping to half the screen, etc) that are really handy. Windows 8 adds to this with a lot of cool management functions like Automatic Maintenance and the ability to restore a file to any point in history. While these may seem like little things when compared against losing the long time comfort of Windows Windows XP, trust me, they are not. Windows has come a long ways from a usability and productivity standpoint, and I think you’ll wonder why you waited after changing!

And of course there are little things like USB 3.0, which is backwards compatible with Windows XP, but it defaults to USB 2.0 speeds, transferring data at a fraction of the speed you could get. And newer tech coming along are coming with Windows XP drivers with less and less frequency.

But really, the moose on the table here is security. In April, when the last patch comes out for Windows XP, it will, in effect, become wide open to exploits and there will be nobody making fixes to correct for them. It is believed that many Windows XP exploits are simply being held on to by hackers and other folks wishing bad things upon your PC and data until after that last update so that they can’t be countered.  Once support ends, it is open season for Windows XP users. Your PC and your data will be seriously open to exploits of all kinds, and trust me, hoping for the best is not going to cut it.

The current service pack of Windows XP already has an exploit rate 650% higher than 64 bit Windows 8. And that is before support ends.

Think about it. If your enterprise has any PC’s running Windows XP, you NEED to get those changed over. As in now. There is nothing but pain coming for those of you who wait until after the last update and after the zero hour exploits hit the scene. If you wait, you will be working from a far worse position such as needing data restores, losing local files, or finding that your data has been breached and made available for whatever nefarious designs hackers may have to it. Never a fun situation.

So, seriously, if you are on Windows XP, it is time to change it out. I know many companies have waited (because we have upgraded literally hundreds and hundreds of machines in the last month alone for our clients). Sometimes change is good. More to the point, sometimes change is necessary. Upgrading from Windows XP to Windows 7 or 8 falls into that category.

And if you are a Windows XP user, upgrading is the ONLY way to continue practicing Happy Computing!

Richard Brunke

It’s that time of year: Time to decide what to do with surplus IT budget. If you find yourself with some surplus in your IT budget and are trying to decide what to do with it here are a few suggestions that may be helpful in your decision making process.

 Nice to Haves

Many companies get to the end of the year and find themselves with surplus budgets and ask the wrong questions. What do we NEED to do next can often times be answered with “Nothing! We don’t really NEED anything right now.” One approach to excess budgets is to ask the question, “Where can we invest that budget that we would otherwise not consider?” What are the “nice to have” initiatives or projects that you would otherwise not be considering? Think about things like:budget

  • New Development Environments
  • Monitor Refreshes
  • Software Upgrades
  • RAM Upgrades (both desktop and servers)

 Employee Productivity Boosters

Employee Productivity can often times take a back shelf to necessity. Simple additions to an employee’s work life can increase productivity as well as improve employee morale.  A faster printer, desktop scanners, keyboard and mouse refreshes even a new smart phone, can all go a long way to help employees be more productive and who doesn’t like new stuff? Your users will be happy that you were thinking of them and their job quality with regards to IT.

Pilot Programs

Surplus Budgets can be a great place to invest into pilot programs that you may or may not otherwise be open to.  Often Pilot Programs get scratched from annual budgets due to the risk to their success rate. Some ideas for pilot programs that would fit any surplus budget include:

  • Tablet Computing Initiatives
  • Mobile Computing Initiatives
  • Telecommuting Initiatives
  • Video Conferencing Trials/Testing
  • Cloud Based Initiatives

 

Redundancy Upgrades

Similar to the Nice to Have’s Category Redundancy Upgrades are a great way to spend surplus budget. Redundancy Upgrades are equipment or services that will give you more flexibility in those “just in case” scenarios. An additional Internet connection. A failover firewall or an extra switch. A few new laptops/desktops. Extra virtual hosts or SAN’s. Each of these may go a long way in the case of an emergency or failed equipment. Surplus budget is a great way to prepare for the events we all hope never occur but sometimes do.

 

 Save for a Rainy Day

Just as our grandparents used to say, “Save it for a rainy day!” Depending on how your company does budgeting and its policies, you may be able to roll over your surplus into next year’s budget or sock it away for unforeseen circumstances. Talk with your accounting department and see if you can save some money away!

 

Regardless of the amount of money you have left over at the end of the year, budget surpluses can ALWAYS be put to good use. If you would like some additional ideas, check with an ISOutsource consultant. We would be more than happy to help you invest in the most effective manner possible!

Traditionally the kinds of virus and malware we see on client computers is fairly benign. While it may disrupt the flow of business, it is generally not destructive. It may require a computer to be formatted and reinstalled, but as a rule of thumb, the irreplaceable data is left in tact. It can be quarantined and cleaned. A new piece of Malware called CryptoLocker has changed that. You may have heard about CryptoLocker on the news recently as it represents a change in the way that virus and malware creators are operating.

What is CryptoLocker?

An example of traditional "ransomware"

Example of traditional “ransomware”

CryptoLocker is part of a family of malware called “ransomware.”  “Ransomware” is a program that maliciously takes over your computer and demands a ransom before it gives back control. The goal is to trick users into giving the malware writers money in exchange for returning the “normal” use of their computers. This ransom should NEVER be paid under any circumstances.

CryptoLocker alters this strategy by not just making your computer difficult (or even impossible to use) it automatically encrypts any data it can find on any physical or mapped network drives. The malware then notifies you that the only way to decrypt the data is to pay a ransom and you will get the decryption key. There is a count down timer that will destroy the key forever if the files are not decrypted before the time runs out.

Is It As Bad As It Sounds?

Example of CryptoLocker

Example of CryptoLocker

The reality is that this may actually be worse than it sounds. There is simply no way to decrypt the data without that key and paying the ransom is no guarantee that you will actually receive the correct key. Unfortunately once the data has been encrypted, it should be considered lost forever. The only way to retrieve the data is to restore it from backups or through Windows Previous Version feature (if it is enabled).

Can I Prevent It To Begin With?

The good news is that this malware is very avoidable. A standard rule of internet safety is to NEVER click on a link or file that you did not expect to receive. CryptoLocker is typically distributed via an email that pretends to be from a reputable company such as a shipping company (UPS, FedEx, etc.) regarding a customer support issue.  If you receive one of these emails either delete it immediately or reach out to a member of the ISOutsource support team. We can help determine if the email is legitimate.

Are There Any Other Precautions I Should Take?

The old saying is true, “An ounce of prevention is worth a pound of cure!”  Preventions in this case just happen to be great standard practices:

1.  Make sure all antivirus/malware software is up to date.  

This may not keep you protected 100% of the time due to the changing nature of virus and malware software, but it is a great place to start.

2.  Regular monitoring and testing of your backups.

Your backups are only as good as your ability to restore from them. The integrity of your data and your ability to restore it when needed should be regularly put to the test. How? First by making sure that all backup jobs complete properly. Secondly, by testing backups to make sure that data can be successfully retrieved.

3.  Consider a desktop backup solution.

If users are allowed to keep data locally (on their computer) you may want to consider a local backup solution for every computer that has data on it. Web-based solutions are a cost effective way to ensure that local data is being backed up.

4.  Review current data policies

Since CryptoLocker can only encrypt files that the infected user has permission to write to, users should be divided up into security groups and data shares should be locked to only those users who need to access them.

 

What if I Am Infected?

If you ever suspect that a computer you are using has become infected, start by removing it from the network. In the case of a physical connection it should be unplugged from the network. In the case of wireless, simply turn off the wireless. If you are at all concerned call ISOutsource IMMEDIATELY and we will be able to help you.

 

If you have any questions or concerns, call us today! ISOutsource has been keeping our clients happy, productive and supported through these kinds of issues for over 21 years.

Toll Free: (800) 240-2821 Press Option 1. 

I was reading an interesting article that asked the question “Is Bad Tech Costing Your Company” and it really brought home the reality of ‘old school’ IT thinking and the importance of having the right technology, AS DEFINED BY YOUR EMPLOYEES! Millennial workers are leading the way in the BYOD charge, as they have had the best tech available through school and life and are not particularly interested in your 2 year old low spec laptop you are asking them to work on. Efficiency has been hard wired into them, and many companies will find that they are actually lagging behind in what they offer as it relates to productivity needs of their workers. New, large screen mobile devices, tablets, touch enabled laptops… these are all things that many workers have available at home, and come to work to find out that they are handicapped by poor technology.

It is an interesting problem, and one that won’t wait. As the article states, 38% of all workers will be working on BYOD devices by 2016. Those clunky old laptops and old small screen mobile phones may not be worth re-purposing another year… Don’t step over dollars to pick up dimes when it comes to employee productivity, and don’t let old habits lock you into poorly thought out technology investments!

Otherwise, it’s fairly certain your team won’t be experiencing Happy Computing!
Richard Brunke

A lot of talk these days surrounds Mobile Device Management, why you need it and how you can use it to help control your mobile workforce.  But did you know that if you work with a recent version of Exchange server, you have some portion of the control for mobile devices that sync to your email server built in to the service?

Starting with Exchange 2003, Active Sync policies have allowed you to force devices to use a password and in extreme cases even wipe the contents of the phone when an employee has been terminated or the device was lost or stolen.
Starting in Exchange 2007, this became a self-service as well where end users could log into their OWA interface and perform basic management tasks on their own mobile devices.

Starting with Exchange 2010, mobile device policy has gone even further, culminating with some pretty sophisticated policies that are available in Exchange version 2013.

Here are 2 links which speak to the available options that you have when creating and applying mobile policies in Exchange 2010 and 2013:

http://technet.microsoft.com/en-us/library/bb123484(v=exchg.141).aspx

http://technet.microsoft.com/en-us/library/bb123783(v=exchg.150).aspx

Keeping Your Devices Secure

Part of keeping your device secure is making sure that if it is lost or stolen, other people cannot access your data. Both IOS and Android have built-in device encryption which renders the data on the device useless if the password is unknown.

  • To encrypt an iPhone or iPad (3GS or later):
  • Touch Settings, this should take you into the General settings area.
  • Touch the Turn Passcode On button
  • Type in your passcode (a 4 digit code) and repeat when prompted
  • Slide Siri to the off position when device is locked (otherwise Siri can bypass your locked device)
  • Slide Erase Data to the on postion (this will wipe your device if someone tries guessing your code over and over.
  • You will see at the bottom of the screen that “Data protection is enabled”

This method of encryption can be toggled on or off depending if you use a password or not – once enabled you’ll need to enter your passcode when you want to access these settings.

This is a good article which speaks to the security that is provided by enabling this feature on an iPhone or iPad: http://www.technologyreview.com/news/428477/the-iphone-has-passed-a-key-security-threshold/

Most mobile cloud apps are aimed toward consumerism.  News organizations like CNN have mobile apps to get the latest headlines, Netflix lets you watch the latest movies, Pandora and Spotify help you enjoy music from wherever you have 4G.

It’s tougher to find applications that help you do your job in the same way.

We recently came across a great app that works with iOS (iPad and iPhone) and Android (although only with the JellyBean version at present).  CloudOn delivers a cloud work space which allows you to connect to some of the most popular cloud storage sites like SkyDrive, Dropbox and Box.net.  You can then create, open, edit, and save Microsoft office documents.   Word, PowerPoint, Excel – they are all there on your mobile device.  If saving to the cloud and grabbing the document from your PC isn’t fast enough, CloudOn even enables you to email from the app with whichever connected email account you have set up on your mobile device.

You can get CloudOn for free from either the AppStore on IOS or from Google Play Store on Android.

Read more about it here:  CloudON

See more top app lists from Business Insider and Information Week