Pre-Mortem? They May Be Useful

Thanks to The Var Guy and Penton Media for the engaging interview about the concept of pre-mortems.  Essentially, a pre-mortem means taking the time to consider all the possible ramifications, both positive and negative, that may result from something you are considering.  It’s the exact same thing as a post-mortem, but done up front instead of after the fact.

You can check out the full article here.

I am quoted in the following section:

Voice of the Practitioner

When it comes to the importance of pre-mortems to corporate culture, would-be merger partners should heed the experience of MJ Shoer. After running Jenaly Technology Group, an MSP outside of Boston for 19 years, Shoer sold his company to Internet & Telephone, LLC in December 2015. Negotiating the sale of his company as well as advising clients on sundry deals taught Shoer the value of thinking about what can go wrong before signing on the dotted line. Here’s an edited version of a conversation we had with Shoer:

You need to look very hard at the worst-case scenarios in case everything that I think is positive turns out to be 180 degrees opposite. It’s important to create a safe environment where you can challenge ideas and the accepted norms. What’s the worst thing that is going to happen? Will we be OK? Will our customers be OK? Will our employees be OK? You’ve got to do your best to think through all these things. I think the pre-mortem is an interesting concept because you can try to think outside of the box. A lot of times, the people who are involved in the acquisition get so involved that it’s hard to see the impacts of decisions. If you have a process by which you have those discussions, you’re going to be a step ahead of not having them, for sure.

Companies can prevent a lot of trouble later by spending a lot more up front time considering the culture of the two companies and how the cultures are going to be integrated. Whether that will be a straightforward process or whether that brings out some issues that you need to be concerned about, you need to try to head them off. I’m talking about simple things, like looking at how the people in the merged company will integrate and how their positions will align or the seniority of managers and things like that. Often there’s too little pre-thought put in and so you wind up dealing with tensions because something’s not working out.

Yup, Here’s Another One…Voicemail Scam Alert

The phishers are at it again.  This time, it’s an email purporting to come from Microsoft, claiming to have a voicemail message for you.  Attached to the message is a zip file containing the supposed voicemail.  DON’T open it.  Opening the “voicemail” to play your message will allow the hacker to load their malware onto your PC.  This is a pretty simple phish and one that’s been used and reused over the years.  Don’t get tricked by this!  If you do get legitimate voicemail messages in your email, they are probably not from a company like Microsoft and they are almost certainly not in zip files.  Remember to play it safe and don’t open unknown attachments.

I really hope my next post is something more positive than another scam alert 🙂

Beware: Tax Season

The following article was published in today’s Seacoast Sunday.

There are two new scams making their way around email and they are worth knowing about. The first targets tax preparers, as tax season gets into full swing. The second targets users of Google’s Gmail free and paid email services.

Tax scams were in the news quite a bit last tax season. Those scams targeted taxpayers. This year’s scam takes a new path, targeting tax preparers. If you are a tax preparer, read on. If you use a tax preparer, consider warning them about this scam. Here’s how it works.

A hacker will send an email to a tax preparer, posing as a potential client seeking tax preparation services. If the tax preparer responds to this email, the hacker has a live fish on the hook. They will then send a response with links or attachments that contain malware. The links may go nowhere and the attachments may contain no real information, but by clicking on them, the tax preparer will have malware installed on their computer.

Once this happens, the tax preparer’s computer network is penetrated. The hackers may have unrestricted access to the tax preparer’s network, or they may have installed a key logger on the computer, allowing the hacker to see everything that is typed on it. Just imagine the wealth of personal information that would be exposed if a hacker was able to see everything that is keyed into a typical tax return form. Hackers may use this information to file false tax returns, steal a person’s identity, open new credit accounts and more.

If you’re in the tax preparation business, you should never exchange tax-related information via insecure email. Be sure you use a secured file transfer system or encrypted email. You should initiate the electronic exchange, not the other way around. Most of this is common sense, but in this busiest time of year, it’s easy to fall prey to scams like this, so be on the lookout and when in doubt, call your prospect or client on the phone to confirm what they have sent before you open it.

The second scam is a fairly sophisticated attack on Gmail users. You receive an email that appears to come from someone you know and includes an attachment that looks legitimate. Normally, when you click an attachment in the web browser interface for Gmail, it will preview the file in the window. The key with this scam is that it pops a new window asking you to log in to Gmail in order to view the attachment.

This login window looks nearly identical to Google’s login page and even the URL appears to be a Google URL at accounts.google.com. However, it’s not. This login prompt is the hacker’s creation and it captures your email address and password. At this point, the hacker has control of your email account and can reset the password to lock you out. Another complication with this hack is that accounts.google.com is a legitimate URL. However, it should only ever appear in the format https://accounts.google.com. If you see anything suspicious in the URL, close it out. This particular hack inserts data:text/html in front of the URL, but it’s hard to catch on the fly. This is why even security-conscious users are reporting being tricked by this one.
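To make the URL check concrete, here is an added example (not from the original column) that classifies an address-bar value by parsing it rather than looking for the text accounts.google.com somewhere inside it; the sample URLs are constructed for illustration.

```javascript
// Added example: classify a browser address-bar value the way a careful
// reader should. A data: URL carries the whole page inline in the address
// and has no host at all, so it can display "accounts.google.com" as text
// while never contacting Google. The only acceptable form is an https: URL
// whose hostname is exactly accounts.google.com.

function classifyLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    return { verdict: "reject", reason: "not a parseable URL" };
  }
  if (url.protocol === "data:") {
    // Inline page: the text after "data:text/html," is page content, not a host.
    return { verdict: "reject", reason: "data: URL (inline page, no real host)" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "scheme is " + url.protocol + ", not https:" };
  }
  if (url.hostname !== "accounts.google.com") {
    // Catches look-alikes such as accounts.google.com.example.net
    return { verdict: "reject", reason: "host is " + url.hostname };
  }
  return { verdict: "accept", reason: "https://accounts.google.com" };
}

// Count how many of a list of address-bar values should be rejected.
function countRejected(urls) {
  return urls.filter((u) => classifyLoginUrl(u).verdict === "reject").length;
}

// Constructed samples: one genuine login URL, the data: trick described in
// the column, a plain http: variant, and a look-alike host.
const SAMPLES = [
  "https://accounts.google.com/ServiceLogin?service=mail",
  "data:text/html,https://accounts.google.com/ServiceLogin?service=mail",
  "http://accounts.google.com/ServiceLogin",
  "https://accounts.google.com.example.net/login",
];

for (const s of SAMPLES) {
  const r = classifyLoginUrl(s);
  console.log(r.verdict.padEnd(7), r.reason.padEnd(40), s);
}
```

The same parse-then-compare logic is what a browser extension or a mail-gateway link check would apply; string matching on the bare host name is exactly what this phish defeats.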

Even if they do not lock you out, which they may not do initially, they now have access to your entire mailbox. They scan your folders looking for messages with useful information, like access to other online systems. They can then use the forgotten username and/or password features on most websites to reset your credentials, now that they have access to your email. From there, the damage may be extensive.

Google is said to be aware of this scam and working to update their defenses to defeat it. No timeline has been given, so you need to be vigilant. A good rule to work by is that anytime you open what you think should be a legitimate attachment and it asks you to log in, that’s a big red flag. Immediately change your password and take all the available options offered to secure your account.

As always, if anything just doesn’t seem right, play it safe and delete the message, or don’t open it until you can contact the sender and confirm that they actually sent you a message. It’s an extra step, but it could be your best protection against a hack that could cause you years of problems. Stay safe online!

If You Are a Tax Preparer, Be Aware of This Phishing Attack!

Security firm KnowBe4 has issued a timely warning for tax preparers.  As the tax season ramps into full swing, enterprising hackers are targeting tax preparers.  While this is not necessarily new, it’s starting up early and it’s evolving.

The hacker may start with an email to a preparer, posing as a potential client looking for tax preparation services.  Don’t respond to these unsolicited messages.  That’s exactly what the hacker wants, and they will send you a response including links or attachments containing malware.  This is a textbook social engineering attack, designed to get you, the preparer, to open their message and install their malware onto your computer.  You know where this is going now…

Now the hacker may have unfettered access to the tax preparer’s computer.  They can use this access to send email to actual clients, asking them for sensitive tax information.  They could also use the tax preparer’s computer to compromise the preparer’s network and the sensitive data that’s there or hosted elsewhere.

The information the hackers may be able to obtain could be used to file false tax returns, among other things.  Last year, we saw an alarming increase in the number of false tax returns filed.  Don’t compromise your business.  Do not exchange tax information via unencrypted, open email.  Be sure you know who you are communicating with, at all times.  Play it safe.  When in doubt, pick up the phone and verify the sender actually sent you the email.  If they included unencrypted sensitive information, advise them they may now be at risk and they should take steps to protect their potentially exposed information.

For a list of known tax scams tracked by the IRS, check the following web site:

https://www.irs.gov/uac/tax-scams-consumer-alerts

TripIt is a Great App/Website

If you travel, whether for business or pleasure, and you are not familiar with TripIt, check it out.  It’s one of the best travel apps/websites there is.  It will help you keep track of your travel plans and automatically organize them so you don’t have to worry about keeping all the elements of your travel itineraries on hand as you move from place to place.

If you travel for business, you may wish to subscribe to the Pro version for $49.00 a year.  It’s a bargain.  The free version is very capable on its own, so I recommend you try that out and if you think the Pro features are worth the cost, subscribe.

What I like most about TripIt is that it will automatically import nearly any travel confirmation email from your inbox to the app/website.  You can work with the information via the website or an app on your smartphone, tablet or Apple Watch.

As an example, let’s say you are taking a trip to Washington, DC for the upcoming Presidential Inauguration.  First you book your hotel, then you book your flights and then you book tickets for various things like the Inauguration itself, museums, etc.  TripIt will import your flight and hotel information, including all the important information related to your booking.  They will be placed on the proper date and times for things like hotel check in and out.  Slightly more obscure things like museum tickets may not actually import, but you can forward them to plans@tripit.com and they will show up as an item that needs to be filed, so you can move it to your trip on the day and time you intend to go.

It makes for a smooth and far less stressful trip, especially with the notifications TripIt can provide.  Everything from check in reminders, to connecting flight updates to delays and even tracking your preferred seat for your flights.

There’s even a social media aspect to it, where you can connect with your friends who also use TripIt.  I don’t use that feature very much, but if you are traveling to the same place, it makes it a snap to organize meeting up.  Check it out, you’ll be glad you did.

Technological Tumult in 2016

This column was originally published in the January 8, 2017 edition of Seacoast Sunday.

2016 was another interesting year in the world of technology. There have been some great advancements and there have been some incredible failures. As the New Year is upon us, I wanted to look back at some of the technological developments that may have an impact on you, not just this past year, but well into the future.

Looming large is the trend of “everything as a service.” In its simplest form, this translates into changing the way you acquire your technology from one-time purchases to ongoing monthly subscriptions. This started in the software space and is quickly moving into hardware as well. Adobe was one of the first major companies to move to this model. Many people have been accustomed to purchasing Adobe software, be it Acrobat or Creative Suite, as one-time purchases for several hundred dollars a license. Adobe is now primarily a subscription-only company. You now subscribe to its Creative Suite and other popular applications as a monthly subscription. Prices can range from $30 a month to several hundred, depending on what software and how many copies you need.

Microsoft has also become a primarily subscription company. Office 365 is now the leading email platform for businesses of all sizes, and coupled with this, the venerable Microsoft Office suite of software is now available as part of your Office 365 subscription. Microsoft is also shaking up the hardware world with its new Surface subscription for businesses. The marketing states that you will never have to buy a new PC again. Instead, for as little as $53 a month, you can purchase a Surface computer on a monthly subscription and have a current computing platform at all times.

Some of these subscriptions are still very new to the market and time will tell if they will be successful. What has been successful and will continue to evolve is this new consumption model. The Cloud has been a major driving force behind this as well, with Amazon Web Services, Microsoft’s Azure, and companies like Rackspace and others making it easy to subscribe to the computing resources you need on a monthly basis. Instead of purchasing that $10,000 server, you may be able to subscribe to these services for hundreds of dollars a month and have a far more robust server infrastructure than if you did it on your own. Be careful about the appeal of the lower monthly expenses. Over time, these subscriptions will cost you more. However, they may also be the best and most cost-effective option to accomplish what you need.

Mobile technology continues to evolve at a rapid pace. Apple sold its 1 billionth iPhone in 2016. One billion! That’s a first and an impressive accomplishment, and it confirms that we have become a mobile world. More people are computing in the palm of their hand than ever before. The mobile phone has not replaced the computer, yet, but there are companies working on exactly that. Will 2017 be the year that your mobile phone becomes your primary computing device? It very well could.

Virtual reality is another area that made strides in 2016. You see the devices more and more, but for now, the application has primarily been for entertainment in the consumer space. Whether 2017 sees virtual reality enter the mainstream of the business world is yet to be seen. There are certainly several applications for it, from modeling engineering designs to health care, space exploration and more. Expect to see more of this technology.

2016 also had some spectacular failures. Data breaches continued to expand both in frequency and scope. The alleged cyber interference in the 2016 presidential campaign will likely dominate headlines well into the new year and exposes a very serious concern about our reliance on technology. With all the good that technology brings, it also brings the potential to encourage cyber bullying, false news and the reality that you can’t trust everything you see and read. Fact checking has become more important than ever, in daily life, not just as a political buzzword. Be informed, be skeptical and most importantly, don’t jump to conclusions. The easy availability of these massive amounts of real time information means we each have a responsibility to be our own researchers, validating our findings before stating them as fact.

The Internet of Things, or IoT, also had a massive failure this year. The plethora of connected devices in all walks of life has given rise to new and significantly expanded hacking vectors available to those looking to exploit vulnerabilities for gain. Right here in New Hampshire, Dyn, a local company based in Manchester, was the victim of one of the most successful and widespread attacks, which rendered parts of the Internet useless for the better part of a day. To most people, it just looked like various web sites were down that day. The reality was that the sites themselves were fine. The road to reach them had been clogged with so much traffic that you just couldn’t get there. Welcome to DDoS, the Distributed Denial of Service attack. It was not the first and it certainly won’t be the last.

Technology is still far more good than bad, but we need to become smarter about how we use it. That’s the challenge for 2017 and beyond. Technology is a force for good, there is no question about it. Let’s be sure that as we continue to evolve as technical citizens and businesses that we don’t become blind to the risks that come with the rewards. Happy New Year!

New Cybersecurity Event Recovery Guide from NIST

The National Institute of Standards and Technology (NIST) has released its new Guide for Cybersecurity Event Recovery.  This is a free publication available for download at https://doi.org/10.6028/NIST.SP.800-184.

While the Guide is written originally for government use, I think it will be equally useful for the business community.  To date, the primary Cybersecurity focus in the business world has been on prevention.  Unfortunately, the hackers are continually advancing ahead of the defensive technologies and finding their way into what most will consider secure networks.  They are doing this by targeting not just technology, but people, processes and the vast amount of social engineering data available from social media sites.

While defensive measures remain a necessity, training and response have become more important than ever.  This new Guide seeks to clarify what a breached entity should be concerned with and do. It is an excellent resource to help you develop containment and recovery strategies to minimize the impact of a successful breach into your network.

The Guide is 53 pages long and I encourage you to read it.  I am certain you will find valuable information and strategies that will help you in the event your business should discover that you have been hacked.  The guide is technology neutral, so it focuses on the risk from an appropriate level, regardless of the technologies you have invested in.  It also lays out ten specific recommendations for containment and response.

Major themes are planning, continuous improvement, recovery metrics and building a playbook.  There are even two example scenarios to review that will help bring everything into context.  There are also several useful appendices that provide a wealth of additional information to review.

Give it a read, you’ll be glad you did.