Big Company Encryption Makes Small Business Vulnerable
Information security doesn't have to be a big-dollar, low-return activity. Practical approaches can help the small business implement best practices to reduce their vulnerability and make them less of a target - comparatively - to larger businesses with bigger budgets.
Companies all across the web are responding to a multitude of security threats by encrypting the web. Energy and resources are being expended to do the better thing and make their systems as difficult as possible to compromise. This is a great thing.
However, the small business usually doesn't have the resources or know-how to tackle these kinds of complex technology problems. The little guys don't know about encryption, OpenSSL vulnerabilities, two-factor authentication, or risk assessment. That makes small business substantially more vulnerable to attack and compromise: their IT systems are easier to hit and exploit by comparison.
I'm spending a great deal of time this quarter talking security with my clients. I'm making a slew of recommendations to improve their defensive posture. It's the right thing to do. It'll help provide a reasonable deterrent and make them less vulnerable as low-hanging fruit. If you have concerns about the state of information security in your small business, give me a call. I'd be happy to talk about practical, low-cost approaches to address these problems.
Thanks!
R
IT Authority Policy
Administrative Controls are policies and procedures that govern your IT environment. The Sample IT Authority Policy sets up the chain of authority for who can create and manage Admin Controls in your company.
I often write draft policy documents for my clients. I thought I'd go through and refresh those documents, and begin a blogging series that highlights the importance of Administrative Controls.
Administrative Controls are a "best practice" approach to managing information technology assets. They are the policies, procedures, and work instructions that convey management's expectations governing the use of those assets. These controls demonstrate management's interest and engagement in the process of managing information technology.
The risk concerning Administrative Controls is found in their absence, especially in areas of technical compliance. If management never bothered to create a policy governing their IT assets, they never bothered to create and communicate expectations to their employees, shareholders, or consumers, and therefore it could be construed that they never intended to manage their IT environment in the first place. That lack of attention could be thought of as negligence, like, "why didn't management take reasonable, 'best practice' precautions in managing their stuff, anyway?"
In legal terms, management loses a "due care" argument: they never understood nor accepted the risks for managing their IT environment and never took "due care" obligations seriously. That becomes a hole in their defense of a negligence claim.
The first policy I help my clients introduce is the IT Authority Policy. The IT Authority Policy identifies the executive responsible for implementing the suite of IT policies and procedures. This is the party responsible and accountable for IT policy implementation. This document serves as authorization from the chief executive or board of directors, delegating authority for managing the IT problem, and becomes the basis from which all other IT Policies are drafted.
This is a reasonable Authority Policy that can be modified to suit your needs; it is intended for use with a small to mid-range business. Have fun with it. Meanwhile, stay tuned for more policies and procedures that'll be introduced through my blog and available eventually from my website.
R
Goodbye Net Neutrality - Hello Net Discrimination
Net Neutrality used to matter. Soon, it won't. Recent actions by the SEC and FCC are undermining US competitiveness. Greed hurts everyone - even the greedy - but it'll hurt small businesses and our kids even more.
Well, it was a good idea.
Everyone, everywhere, regardless of your size or complexity, should have unfettered access to the Internet; everyone's packets should get treated the same way no matter who you are; the superhighway shouldn't get an HOV lane or a premium lane or levied a toll for crossing; the Internet should be a neutral place where anyone could get their foot in the door, to become the next Facebook, Apple, or Google.
Net Neutrality has been a long-standing idea behind the design and implementation and regulation of the Internet. Until now.
All that's about to change.
New changes in upcoming FCC regulation will allow ISPs (already fattened, regulated monopolies in this country) to charge for higher speed access to American consumers, effectively creating a fast lane for premium rate-payers.
That's bad news for small businesses, which will end up having to pay more to keep up with the same premium "look and feel" as the larger companies that can afford the higher transfer rates.
It'll also keep downward pressure on startups and innovators who want to disrupt the ecosystem and dethrone the reigning content providers.
It's bad news for web designers and developers who'll need to create tiers of design strategies based on the bandwidth budgets of their customers.
And it's bad news for the consumer who'll suffer through second-class speeds unless they browse to the websites of premium rate-payers. Never mind that our Internet speeds suck. In Seoul and Stockholm, users are paying $25/month - 1/17th of the American price-tag - for gigabyte service: 100x faster than what we in the United States experience. The average Joe from South Korea flies out here and thinks we live in a 3rd world banana republic because our Internet connectivity is so bad. And with the recent Time Warner/Comcast merger, the US consumer is left getting kicked in the ribs over and over again.
If the Internet is the emergent platform for innovation in business, commerce, medicine, engineering, biotechnology, nanotechnology, cloud computing, big data, research, and education, the FCC and SEC are doing their darnedest to keep the United States in a perpetual state of uncompetitiveness. Over time, greed and discrimination hurt everyone - even the greedy. Except it'll hurt our small businesses and our kids even more.
R