Time to Re-visit Security in Password Managers – 1Password


Yes, this is fair and unpaid

Just so you know, our decisions are based on our experience and there was no money from relevant services or monetised links.

For a number of years we have been using a password manager called ‘LastPass’. This has been great – it has allowed us to securely share passwords among the staff here. Even when they had a data breach, it did not affect us as we used 2 Factor Authentication and, in common with similar services, they only store encrypted data on their servers. Without the security keys we hold, the data is entirely safe. Encryption and decryption happen only on our computers.

New Challenges

Time has moved on.

  • There were a number of pain points – organisation of the passwords was increasingly difficult, as was seeing who had access to which client’s passwords.
  • Just organising the credentials was difficult – resulting in duplications.
  • Duplications are not too bad until you update the password and you are not sure which of the duplicates has the new password.
  • Often it would not fill in the passwords onto the websites.
  • Every time the computer did an update the app would be missing from the web browser, etc.

So we did a review of various alternatives.

Other Pains

In our search, we were reminded of other pains.

One of the new pains is that many services require 2 factor authentication (2FA) – you know those 6 digit numbers that change every 30 seconds and we could not share those in LastPass. (It looked like it may have been possible to set up, but also looked like a real pain.) When we shared a credential in LastPass, the person logging in still had to ring up the person with the phone set up as the 2FA device.

What about if you need to share a password with someone outside your organisation for a limited time? Not formerly possible!

As you may have guessed, we finally went for 1Password. It is a bit more expensive than LastPass… but…

  • 1Password allows you to store those 2FA numbers as part of the vault – so you can properly share credentials. It does this securely and almost magically.
  • It allows you to securely share passwords outside your organisation, for a limited period of time.
  • Import of the LastPass vault was a doddle – so all of the old passwords were brought over simply.
  • It was at this point we realised how disorganised they were… secure, but disorganised. In 1Password it was so easy to re-organise them. It took minutes!
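The “6 digit numbers that change every 30 seconds” are time-based one-time passwords (TOTP, RFC 6238): the code is an HMAC of the current 30-second counter under a secret that the service and your device share. Storing that secret in a shared vault is what lets two team members produce the same code, which is the point being made above. The block below is an added illustration, not 1Password’s or LastPass’s code; it uses the published RFC 6238 test secret (the ASCII string “12345678901234567890” in base32) so the expected codes are known, and the `window` tolerance in `verify_totp` is my own choice, not any vendor’s setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret, base32-encoded (constructed test value, not a real account)
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a given Unix time (RFC 6238, HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = for_time // step                      # number of 30-second steps since epoch
    msg = struct.pack(">Q", counter)                # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept a code if it matches the current step or one within +/- `window` steps.

    The tolerance absorbs clock skew between the phone (or vault) and the server.
    compare_digest keeps the comparison constant-time.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, now + drift * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Two vault members holding the same secret derive the same code at the same moment
    print("member A:", totp(RFC_TEST_SECRET, now))
    print("member B:", totp(RFC_TEST_SECRET, now))
    print("valid right now:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
```

Anyone holding the secret can generate codes, so sharing the secret through the vault is the same trust decision as sharing the password itself; the vault's access controls and audit trail, not the 30-second rotation, are what bound who can use it.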

With the business package all your team mates get family vaults – so that they can store their personal passwords in a separate, secure vault rather than in the business account. (Actually each team member gets 5 vaults for free to share with family members. If they leave the company, they can take those vaults and start paying a subscription.)

Our passwords are secure, easily managed and all our problems are solved.

It makes logging in a pleasure! Even setting up new accounts is MUCH easier and the App seems far more robust.
Works on Windows and Macs.

So, I would recommend it. What is your experience?

Here are 1Password’s comments on how it secures passwords. Even if the company goes bust you will still be able to access your passwords!

Help! What is a CRM and how do I choose one?


One of the bigger business decisions, if not the biggest, is purchasing a new CRM (Customer Relationship Management) system.

This information is not Salesforce specific!!!

While I do consult on Salesforce, this guide is deliberately about what a CRM can do for your business or charity. It is not about Salesforce!

So, grab a cuppa, sit back and watch the video. It’s about 20 minutes long.
At the end you should know what to consider before looking for a CRM system.

Good luck!

Spreadsheets are enough for my business – move on


Spreadsheets are wonderful. I have a load of them. Everything from personal ones that calculate my kg weight in stones and pounds (apologies to US readers) and my BMI through to things that help me calculate budgets and so on.

I even have transient data in them, when I am doing data imports, etc.

I do not run my business on them.

When I say this to fellow small business owners, I often get the response:

Of course you are against spreadsheets, you use CRMs all day.

I then show them my mastery of spreadsheets. For instance, if you have a first name and last name in one field of a spreadsheet there is a (relatively simple) formula to split them into two cells. I have seen people who live in spreadsheets doing this work manually… for thousands of entries.

I then show them how you can copy this formula to their entire spreadsheet with a few clicks.

To finish, I show them how you can autosize all of the columns in your spreadsheet in one single-click and two double-clicks.

I do not claim this as high-level mastery… but it is often what those same business owners are capable of.

They then show me how they keep all their accounts in a spreadsheet.

I know that even in my small business, it causes ‘problems’ if I send out two invoices to different customers with the same number. I often use a laptop on the road and a desktop at home. Sometimes the sync isn’t as fast as I would like, so I would risk the spreadsheet getting out of date or corrupted.

Heaven knows what would happen if I had my accountant accessing it at the same time. (Did you know that AT LEAST as far back as 1995 you can put Excel spreadsheets in ‘multiuser mode’. You lose a few features, but you can safely have multiple people accessing it!)

So, for my accounts I use a simple, online accounting system. It auto-numbers my invoices. It automatically sends out my regular invoices. The data is held securely and, even better, my accountant can access it without bothering me.

People who run their business in spreadsheets are keeping personal data on their PC.

Why would this bother me? Well, I can ethically get into a laptop or PC in a few minutes by bypassing the password. There are legal, ethical tools on the internet to enable this.

I can even do this on enterprise servers. How? Microsoft document this process on their website. It is not illegal (as long as you have permission) and the information is freely available.

I have done this for clients when they were stuck. ‘Breaking into’ a corporate server took me about 15 minutes… and I was being slow and careful.

If I wanted the ‘quick and dirty’ way, I would just take the hard disks out and shove them in my disk reader. A process of a few minutes.

There is a preventative measure you can take and that is to encrypt your hard disks. When I ask small business owners, ‘are your hard disks encrypted’ they tend to look at me blankly. Basically, if they lost their laptop someone could be reading their data in under a minute.

This is the ethical, computer tech way of accessing data.

Cyber-criminals attack your computer while it is switched on. Disk encryption is no protection against this type of attack. For recent attacks most anti-virus/anti-malware software is useless. (With certain caveats.)

That is not to say that disk encryption is useless. It does protect against loss of a laptop or theft of a desktop in a burglary. It does not protect against many types of malware attack.

If this is buzzing way above your head already, then you have answered the ‘why’ of why you should not be storing your business data on your local computer. It is a complicated subject and you do not have time in your business to work on this.

I am not here to convince my potential clients away from spreadsheets!

That sounds like a bold claim, but if people are ‘believers’ that a spreadsheet solution is sufficient then I do not have enough breath or, frankly, will to convince them otherwise. Where I have tried that in the past they tend to be suspicious that I am pulling a fast one to get them into a solution that does not involve spreadsheets. Every decision will have to be justified, repeatedly… and their mate down the pub says that I am just scaremongering.

I am fine with that. They are not in the required state of maturity to become clients.

I know that at every stage they will be trying to circumvent the safety measures I put in place. When they go down, they will be trying to bring me down as well. Like a petulant child they will spend their time trying to prove me wrong. Time that I could be using to help them improve their business processes.

Let me be clear:

I am not against people who use spreadsheets. My opinion is that they are not adequate for running a business.

So, I have usability concerns in terms of accounting. I also have security concerns when handling personal data. Frankly, the most compelling argument is that running a business through spreadsheets is so damned difficult: keeping track of which spreadsheet holds the latest version of what, and following arcane copy and paste procedures to create new invoices.

Why do a twenty stage process where any incorrect step can lead to disaster as opposed to a simple, single-click where the computer will hold your hand and guide you?

The point of online accounting and CRM systems is not that they are there to make things difficult. They are there to make things easy. Even for single-person operations this brings benefits that far outweigh their costs. It also means that if/when you sell your business or expand your business you have solid procedures in place that enable collaboration. 

Use spreadsheets to run your business if you want to stay small and vulnerable.

If you have an eye to growth, then you need something better, easier and more robust. You need something that will stand the rigours of due diligence and regulatory compliance. At that stage you need someone to help you take that next step. We are called consultants. When you get that nagging feeling that a spreadsheet is not the right tool, come and talk. You will find that we are lovely and helpful. My job is not to convince you that spreadsheets are inadequate. That is your job.

My job is to help you on your journey into a bigger, brighter world.

I feel a change coming on. I have a vision.


These are odd times.

To say the least.

Many people have been furloughed or wondering what to do with their lives. Will they have a job? Are they happy with the job they have?

With so much spare time, many people have taken this as an opportunity to think about their future.

However, money is scarce.

Many people are choosing to PIVOT to new careers, but budgets are tight.

Part of launching a new business is having a website to go with it… but just getting some hosting and an installation of WordPress is only the start. What about SSL certificates, forms for people to request you contact them, a high quality theme… all those cost money. Then there is the hosting… some is just so slow that you will lose customers.

I saw these problems and came up with a solution.

It is a package with everything you need set up. All you do is give us some text and graphics. We will put them up for you and get you going. At that point you have an amazing website package. When we totted it up, if you purchased it yourself the components would cost £450 per year. That would stretch most starter budgets. As we have mass buying power, we offer it all for £247… and it is all properly configured… and backed up… and the software is regularly updated, minimising data risks. Even if you completely ‘break it’… we can have it back to the previous day’s configuration in under an hour.

So, you have one fewer thing to worry about.

You save money.

You have a full, working website. (Unlike some other providers who give you a ‘reduced functionality’ website.)

How much?

Just £347 (inc VAT!) per year.

Look at what some of our recent clients have done with it.


Your Path . Guru – where Em Melrose will gently help you find Your Path

Ty Llwyd Fach – Socially distanced camping

Perky Wales – Expert counselling from Gwilym Roberts

All of these are on our super-fast hosting.

So, what have you got to lose?

To book yours, go to Pivot Sites – we set it up for tutors, dog groomers and virtual assistants… but so many others are making use of it.

Passwords… and why you need to care


Let me tell you of an IT company. It had started off small, so the director had chosen a favourite password, ‘D0neit01’.

This was some time ago, so the fact that it had numbers in made it really secure. It wasn’t particularly long, but it was memorable. Much better than other familiar passwords, like ‘Password01’ or ‘letmein’.

There were five of them working for this company and they were all really good friends. Three directors and two minions. They were working with cleaning companies and whoever would take them on. They realised that their level of service was a cut above everyone else’s, so they realised they could aim higher.

With one of those flashes of inspiration that sometimes hits small companies they realised that they could start working with the finance industry. They already had some contacts in that area of business and, well, those clients had money. It was a sure-fire hit!

Success Breeds Success

A few years later and they had an impressive portfolio of clients. Around a hundred in the bespoke finance industry. Hedge-fund managers, bespoke bankers, investment companies. Their clients loved their high level of service. In part this was because an engineer visiting site knew what the top admin password would be. You’ve guessed it.

By this point about a hundred of their clients were investing more than $1B each. (Yes, 100 x $1,000,000,000 = $0.1T). Which starts to look like a significant part of the UK’s GDP.

Some of the companies demanded ’secure passwords’ with funny characters in. For those companies the password became ‘D0nit01!’. Engineers knew that if the ‘low security’ password didn’t work you could use the high security one. Simples!

One of the managers was tasked with looking for a password manager. This would be able to hold all types of password. It would be able to fill in passwords automatically. You could give different members of the company different levels of access.

It came back with a price-tag of £10,000.

That was a lot of money.

The directors were not convinced that it was necessary.


An Innocent Mistake

One day, one of the directors was logging into a client, let’s call them ‘securefinance’. Their website was ‘securefinance.com’. The director had not noticed that in their speed they had typed ‘securefinance.co’. The website looked EXACTLY like securefinance.com so why would they notice?

Over the coming months they started to notice that some of their clients were failing. In one bad incident a client lost $0.1B in a week! That client immediately started the process of winding down. It was sad – they were a difficult client, but they had been a good payer.

You are probably going to guess what had happened. That fake website had grabbed the entered username and password and was now beginning to use it on lots of websites. They were getting lucky. They were also trying password variations automatically. So they were picking off both the ‘low’ and ‘high’ security clients.

Bad Guys Collaborate

They had also submitted the successful usernames and passwords to a database that is maintained by hackers. (Yes, this really does exist.) So lots of other people were trying these passwords… but they were not using them themselves. They were getting computers infected with ‘malware’ to try them. That IS the job of a lot of malware. If the malware successfully logged in then they would update the database. If the password failed then the bad guys were untraceable. Either way the bad guys win.

By now, clients were getting picked off at an increasing rate.

It was looking very bad.

Several consequences could have followed, including a significant impact on the UK economy, jail terms and collapse of the IT company. This is based on a true story. The directors were potentially negligent, so could have lost the shirts off their backs.

The Good News

A good password manager is available for FREE. It has greater capabilities than that old software costing more than £10,000.

There is an Enterprise version which has all the granular controls you require for a little bit more.

With a password manager, doesn’t that mean that I am committing all my passwords to a database protected with ONE password? Surely that is a really BAD idea? Yes, it would be UNLESS you set up 2 factor authentication (2FA). This means that you have a code to type in that is sent to you or generated by an app on your phone, in addition to the password. As a hacker will not have access to both your password AND your phone, your database is safe. It is also highly encrypted and, if you lose your phone or your admin dies, there are very secure ways to recover the database.

Here is the manager we use: LastPass. It is not the only one out there, but it is very good. We manage more than 1,500 passwords with it. All our clients’ passwords are unique, long and very complicated.
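The story above turns on one password (and its ‘high security’ variant) being reused across a hundred clients, and the LastPass post earlier on this page describes the opposite failure: duplicate entries where you no longer know which copy holds the current password. Both are things you can check for mechanically in a vault export rather than by eye. The block below is an added example of such an audit, written for this page and not part of any password manager; the vault rows are constructed (the field names mirror a typical CSV export, and the passwords are the ones from the story, not real credentials). It groups by a short SHA-256 fingerprint so the report never prints the passwords themselves.

```python
import hashlib
from collections import defaultdict

# Constructed sample export for this example; not a real vault
SAMPLE_VAULT = [
    {"title": "Client A portal",        "url": "https://portal.client-a.example", "username": "admin", "password": "D0neit01"},
    {"title": "Client A portal (copy)", "url": "https://portal.client-a.example", "username": "admin", "password": "D0neit01!"},
    {"title": "Client B firewall",      "url": "https://fw.client-b.example",     "username": "admin", "password": "D0neit01"},
    {"title": "Client C mail",          "url": "https://mail.client-c.example",   "username": "ops",   "password": "xK9#vL2$pQ7wRt4m"},
    {"title": "Client D VPN",           "url": "https://vpn.client-d.example",    "username": "ops",   "password": "xK9#vL2$pQ7wRt4m"},
    {"title": "Client E CRM",           "url": "https://crm.client-e.example",    "username": "ops",   "password": "Zb3!mN8@qW5eRt1y"},
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix: enough to group identical passwords without revealing them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def find_conflicting_duplicates(entries):
    """Entries for the same site and username whose passwords differ.

    This is the LastPass pain point: after a rotation you cannot tell which copy is current.
    Returns {(url, username): [titles]}.
    """
    groups = defaultdict(list)
    for e in entries:
        groups[(e["url"].lower(), e["username"].lower())].append(e)
    return {
        key: [e["title"] for e in group]
        for key, group in groups.items()
        if len(group) > 1 and len({e["password"] for e in group}) > 1
    }


def find_reused_passwords(entries):
    """Passwords that unlock more than one distinct site.

    One phished login on any of those sites then opens all of them.
    Returns {fingerprint: [urls]}.
    """
    sites = defaultdict(set)
    for e in entries:
        sites[fingerprint(e["password"])].add(e["url"].lower())
    return {fp: sorted(urls) for fp, urls in sites.items() if len(urls) > 1}


def audit(entries):
    """Run both checks and return a report suitable for review."""
    return {
        "conflicting_duplicates": find_conflicting_duplicates(entries),
        "reused_passwords": find_reused_passwords(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for (url, user), titles in report["conflicting_duplicates"].items():
        print(f"CONFLICT  {user}@{url}: {len(titles)} entries with different passwords -> {titles}")
    for fp, urls in report["reused_passwords"].items():
        print(f"REUSED    fingerprint {fp} shared by {len(urls)} sites -> {urls}")
```

Run against a real export, an empty report is the state the paragraph above describes: every site has its own password and every site appears once. Near-miss variants like ‘D0neit01’ and ‘D0neit01!’ are deliberately reported as different passwords here; they are only caught when they collide on the same site and username, which is exactly the ambiguity the duplicate check is for.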

You might not be managing billions of dollars, but you wouldn’t want to lose what you have.

Top 7 GDPR myths and a few truths

Here are 7 myths about the GDPR (General Data Protection Regulation), or the ‘new Data Protection Act’. We hope this is of some help:

1) It only applies to computers. No, it applies to all records containing personal data, including those stored on scraps of paper and written in quill pen.

2) You can buy a piece of software that will make you compliant. No! It is more about you knowing how you hold and process data and how you have other people hold and process your data. In other words, it is about you having policies.

For instance,

  • How long do you retain a client’s information after they become an ex-client?
  • How do you ensure that data is fully deleted if a client requests it?
  • How do you gather data together if a client requests a portable, electronic copy of the data you hold on them? (And they are entitled to this.)
  • and many more.

3) It will cease to apply after we leave the EU. Wrong! We are committed to upholding the GDPR after we leave.

4) It only applies to large companies. Wrong! It applies to all companies.

5) It only applies to the ‘owner’ of the data. No! This regulation applies to data processors as well.

6) You can continue to direct market to your potential customers. Do you have their informed permission? Was it given within a reasonable time?

7) If your company holds Cyber Essentials Plus certification you are covered. No! Read all the above again.

Here are the promised truths.

Yes, the top fine is €20M or 4% of global annual turnover, whichever is greater!

Yes, you do have to report all data breaches within 72 hours.

We are running a masterclass on Wednesday 22nd November. This will help you sort out the fact from the fiction.

https://bit.ly/GDPR-MC

See you at the masterclass to get it all sorted.

John
