Commercial Russell Mickler

Computer Vulnerabilities Got You Scared Silly? Hey, Don't Sweat it.

Why are you freaking out about computer security? Don't Panic. It's the best advice I can offer. There'll always be risks when using computers. Here's how to manage those risks and stay sane.

Yes.

We’ve recently learned of some very bad microcomputer vulnerabilities that even Google is calling the worst in a decade: Spectre, Meltdown, and - in the last 24 hours - a new BIOS-level attack against a machine has been announced.

Still, if we’re to borrow some excellent advice from Douglas Adams, Don’t Panic. Stay froody, grab your towel, and order a Pan-Galactic Gargle Blaster. It’s going to be what it’s going to be.

You have to get kind of Zen over computer vulnerabilities and here’s the reason why.

There is no spoon.

Well, actually, that’s from The Matrix but it’s the first thing that comes to mind.

There is no such thing as absolute security.

This is a true axiom in many things. We’re at risk the moment we sit behind the wheel of a vehicle; when we walk down the street in a public square; when we decide to start a business. There are always risks. And there are a lot of rapidly evolving risks with microcomputers. That’s the way it’s always been, and that’s the way it’ll always be.

If you accept that distributed computing is always going to be risky and that security isn’t absolute, you’ll be in a better position to manage the recent news. It isn’t scary. It just is.

The fact is that the safeguards that we implement today are the same safeguards we implemented yesterday, and that we’d continue to implement tomorrow. If you’re a small business, the strategy for safeguarding your IT assets is a constant.

  1. Strong Administrative Controls - Vigilance. Management directives in the form of policies and procedures govern a company’s reaction to these kinds of problems. Your business should have a documented approach to managing IT assets that helps weather risk. Follow your directives. Manage user expectations. Manage your assets. Pay attention to risk and slightly alter your course where it’s necessary.

  2. Solid Technical Controls. You’ve got strong passwords, 2FA, intrusion detection and prevention, good firewall rules, a standardized process for managing user access, a view of the assets under your control. All of these are technical factors that help secure your computers and networking equipment. Although we’d be fools to assume we’ve enough safeguards to counter all risk, we’re still conscious of our controls and put faith in their ability to protect our systems.

  3. Updates and Patches. Security in the microcomputer arena is an ever-moving target. It’s best practice to constantly apply new updates and patches from software providers and hardware OEMs. It’s just the right thing to do. If we keep managing those updates, we’re going to receive the necessary software to improve our security posture.

  4. Planned Retirement and Acquisition. All computers die. All networking equipment eventually ages. There should be a plan to retire assets according to a managed schedule. Some assets may be older and - indeed - more vulnerable, but we should already have a process in place to plan for both the acquisition of new equipment and the disposition of old machines, so that our company is less vulnerable over time.

  5. Audit and Corrective Action. Finally, we can’t rely entirely on assumption. We can’t assume that everything we do (from crafting good policies, to implementing strong technical controls, to updating our systems regularly, to retiring older assets) is perfect. Remember: there is no spoon. We need to check on it. We need to validate that what we’re doing is working. The only way to do that is to investigate the results of our strategy, report on our mistakes or misfortunes, and implement stronger controls to prevent the bad stuff from happening again.

Nothing of what I’m saying here is new. If it is, then you’re likely more at risk anyway because you’ve made some assumptions about your security posture and you’re not verifying those assumptions. You’re hoping that everything will be okay. That’s not management. Managing implies control, oversight, the awareness of risk, organizational learning.

So don’t sweat the bad news. Don’t Panic. There’ll always be more bad news.

The good news is - if you’re following these five guidelines - you’re as prepared for it tomorrow as you were yesterday. Everything is going to … be.

R


5 Reasons Why Small Businesses Shouldn't Buy Retail

Here are the reasons why small businesses shouldn't be buying PCs retail: off-the-shelf machines just don't cut the mustard. Here's why.

Every so often, a client will want to buy a new microcomputer. "Look at this great deal!", they'll say, and show me an ad for a discounted computer system. I always shake my head. "This isn't the best deal," I'd say, "In fact, it's not what you need, and it'll hurt you in the long run." Here's why.

1. Software Licenses.

When buying retail, you're usually buying devices that are being sold to end-consumers and not businesses. So the software licensing for the operating system or productivity applications may not be compatible with what you've got going on in your office. A Microsoft Windows Home product, for example, can't interact with a Windows Server; it's not the Professional licensing needed for that.

2. Warranties.

Usually, when you buy something at a discount or off-the-shelf, it ships with a limited OEM (manufacturer) warranty, and a stronger warranty may be available from the retailer as a premium up-charge. So instead of a year's worth of OEM warranty that you may get from a business machine, you may end up with 90 days' worth of OEM warranty. If something breaks outside of a quarter, your investment is out the window. Small businesses need reliable machines that they can just swap out and replace if they break within a 12-month period, and that kind of warranty isn't available from a retailer.

3. Lower-End Specs. 

When you're buying retail, you're buying the lowest common denominator: a generalist machine that'll fit most consumer budgets. It doesn't have high-quality parts or components (in fact, it'll have the cheapest components available to the OEM), and the machine won't be optimized for specific purposes: for example, it won't have lots of RAM for databases or a solid state drive for faster I/O, the graphics card won't be sufficient for CAD, and it'll have a lower-end processor to meet a lower price-point. Remember: you're buying a low-end machine meant for an end consumer at a discount so somebody can clear their inventory; they're willing to break-even or even suffer a loss to move the inventory off of their shelves. Why would you want a machine like that?

4. Crap Software.

When you buy a machine retail, you're buying something that will be given to you with a bunch of dumb software you won't use or don't need. That's because these software companies pay the OEM for a ride on the hard drive to meet new consumers, and potentially engage them in new business. These applications run in the background and sap RAM, processor, and disk I/O, slowing down the machine - or potentially exposing the user to malware, like what recently happened to HP - and you have to spend time uninstalling them. Why buy a product when you have to expend your labor uninstalling stuff you don't need?

5. Useful Life.

Because of these issues - low-end specs, limited warranties, wrong licenses - the useful life of a retail machine is much shorter than that of a business machine purchased through business channels. Maybe the small business could get 18-24 months out of a machine purchased retail, instead of 60 months out of a quality business machine.

Like many things in life, it's caveat emptor, and, you get what you paid for. If you're willing to pay for a discounted machine at bargain-basement prices, you're not going to get a lot of utility out of it, or, you're going to have to invest more to make it useful.

Instead, small businesses should plan for capital asset expenses just like larger businesses, and make such purchases through established business channels to obtain volume discounts, correct software licensing, staged with the best components at the highest warranty, running only the software you need to operate your business.

R
