Crash Course on Document Management
by Chris Geiser – cgeiser@pcstechnology.com

This month we’ll take a look at why document management systems (DocMgmt) are often dismissed as irrelevant by small businesses and what value those DocMgmt systems actually pose.

Five Myths about Document Management Systems

1. Our File Server Is Good Enough
With most file servers, end users get to choose their own folder, subfolder, and file naming convention and may only save files to their private drive. For their co-workers, finding useful documents is akin to finding a needle in haystack in a padlocked barn.

2. A Paperless Office Will Never Exist – So Why Bother?
By some standards the amount of paper printing has only increased in the digital age. It’s true, paper documents will need to be accommodated for the foreseeable future, but a thoughtfully designed DocMgmt system can capture all important paper documents upon arrival, classify them, route them to the right people/places and send the hard copies to the secure shredding facility.

3. Document Management Systems Are for Large Companies Only
Perhaps this myth was true 10 years ago, but most DocMgmt software companies now scale their pricing packages to as few as 2 users. Additionally, the implementation of DocMgmt systems can now start within a single company department (i.e. Accounting) and expand to more conservative departments once the proof of concept has been established.

4. Our Users Will Say “It’s too complicated”
Change is always hard. So with a new DocMgmt implementation it’s often best not to immediately change the way users do their work. Save those process changes for after users demonstrate their ability to work with digital documents.

5. The Document Management System Doesn’t Work with Our “Insert Company’s Most Important Application Here”
Every company has their prized application, the one where their money is made. Sometimes it’s called CRM, other times ERP, or accounting application. These applications were not typically designed to manage documents. The best DocMgmt systems will integrate with these critical applications so that any document can be found from any screen where that document is relevant.

Basic Features of a Document Management System

The basic features have been around for quite some time. Most small businesses have evolved their other (non-DocMgmt) systems to accomplish:

1. An organization-wide naming convention can be automatically enforced so that files can be stored in a retrievable and searchable fashion.
2. Indexing information can be added to every saved or imported file. Index information helps users to quickly find documents later on. Index information can include: created date, last modified date, author, work/sale/invoice order numbers (or any other custom field you wish).
3. Document Check In and Check Out is another basic feature that can prevent two users from corrupting one another’s work on a document.
4. A permission system can be added to any folders, determining which users have read and edit rights to documents or document types.

Advanced Features of a Document Management System

Some of these features have been around long enough, but there’s not yet been widespread adoption in small businesses.

1. Document Comparison – This is similar to the “Track Changes” featured in Microsoft Word.
2. Web Publishing – Make the files securely accessible from anywhere, once they’re saved to this system.
3. Application Integration
   a.  Email – Put a button in Outlook to import an email plus all of its attachments into the document management system
   b.  Hot Key – With an advanced document management system you could be able to hover over any of these document numbers, hit a hot key (ctrl + right click), and open the actual document without having to open the actual document management system.
4. Form Creation – 85% of business processes depend on forms (Gartner Group)
   a.  Create digital version of your existing forms (i.e. Sales Order)
   b.  Create new forms to collect/organize scattered information (i.e. Employee PTO Request)

Workflow: The Holy Grail Feature of any Document Management System

Imagine a document arrives at your business. It doesn’t just sit there. It demands that you and your co-workers process it. Examples include a customer signed contract, a salesperson’s receipt for a client lunch, a vendor’s invoice for equipment, or a prospective employee’s job application. These documents must go from one person to the next for review and some action. The processes you impart on these documents are often repeatable, meaning that they are also time-consuming (read: expensive).

Rulebooks without Referees

Each time you and your co-workers process a document, a set of rules must be followed for that process to work correctly. For example:

1. if an invoice is more than $500, then route to Paul for approval
2. once contract is signed by customer, send to CEO for second signature, and then to billing department for invoicing.

Of course, your company’s processes are considerably more complicated than these examples. It begs the question though, where does your company keep your process rules?

Danger: Tribal Knowledge Ahead

If you’re like most small businesses, you don’t have a process map, opting instead to depend on tribal knowledge, where a subset of employees just “knows how” that process works. The danger inherit in tribal knowledge is that there’s often no stated turnaround time expectations, no audit trail, and little hope for process improvement. In worst case scenarios, tribal knowledge also becomes an employee stronghold they use to keep others from impeding on their turf.

Digitize and Conquer

Have you ever looked at a UPS or FEDEX package tracking online? It’s insane the amount of information gathered about one parcel. But it keeps everyone in the loop and accountable for their responsibilities.

Today’s document management systems offer the opportunity/excuse for small business managers to get acquainted with any document driven process in their department, map it out (like FEDEX would), and recreate or improve it, only this time in the digital world. The benefits include:

1. Decrease occasion of lost documents or abandoned processes
2. Provide co-worker transparency and identify bottlenecks in processes
3. Build scalable processes that can incorporate additional people or resources when necessary
4. Establish clear understanding of current process so that impact of changes can be fully-understood

Cool, Why Are You Writing About Document Management, Again?

Admittedly, I knew very little about document management 1 year ago, before we acquired LBC Technology of Des Moines, Iowa. You see, PCS has long been in the business of implementing and supporting IT infrastructure, letting our customers decide what applications are best-suited for their business. This strategy made sense because each of our customers needed different applications, (i.e. manufacturer needs an inventory management application whereas a physician practice needs patient/insurance billing). However, very few of these primary line-of-business applications adequately address the ubiquitous role of document management. Document management systems are best thought of as a flexible platform that can be configured to provide each document a secure and complete pathway through your company’s operations.

Cloud Security: Risks vs. Reality
used with permission by IBM ForwardView

The mobility of smart phones, netbooks, tablet PCs and other portable devices has fundamentally changed the when, where and how of our computing lives. And with cloud services, the source for data and applications used by these devices can be anywhere, too. The flexibility of cloud to scale bandwidth up or down at will, and its affordability as a pay-as-you-go service, have resulted in an interconnected, intelligent approach to smarter computing.

The benefits of cloud computing are well-recognized. In fact, cloud computing ranks among the most popular new IT initiatives, with 66 percent of midsize companies implementing cloud strategies, according to IBM’s study, “Inside the Midmarket: A 2011 Perspective.” Yet the excitement about leveraging cloud’s economies of scale to lower total IT costs and improve agility is often tempered by concern that this external delivery of services could compromise security.

Perceived risk versus actual risk

Cloud may seem new, but the fact is companies have been outsourcing services and technology for years. Providers already deliver hosted technology offerings that are located offsite with client access via the Internet. This is a common scenario for services such as remote storage or hosted email and other software as a service (SaaS) solutions. And just because companies may give up some control to the provider when they move to a cloud-based environment (just as they give up some control in any outsourced arrangement), it doesn’t mean they have to compromise on security.

Companies still weighing the advantages of cloud with the perceived security risk should begin by asking the right questions and examining the right considerations to help build a “trust and verify” relationship with the cloud provider that will support success.

Although there are additional variations, let’s consider the three main types of cloud service and deployment models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS).

Each version has its own level of control for the provider and the company purchasing services, but all cloud services can help companies increase agility and boost efficiency by removing the burden of managing all of their own IT. This frees up organizations to do more with less and stay focused on their core competencies.

• Software as a service (SaaS) puts most of the responsibility for security management with the cloud provider and is commonly used for services such as customer relationship management and accounting. This popular option is considered low-risk because it primarily deals only with software and not hardware or storage. With SaaS, companies are able to control who has access to these cloud services and how the applications are configured. The complexity of software installation, maintenance, upgrades and patches, meanwhile, is automated and handled by the provider.
• Platform as a service (PaaS) is similar to SaaS but often includes further application-specific software to help businesses create customized services. For example, a company using PaaS could develop its own custom cloud software to perform some specialized task, whereas SaaS offerings generally are provided as-is. Most PaaS offerings are multi-tenant, meaning that some of the services may be shared with other companies. This means it is critical for companies who use PaaS to have a well-defined trust relationship with the provider on security issues such as access, source code distribution, navigation history, and application usage
• With infrastructure as a service (IaaS), companies get a unified, scalable cloud package that offers tighter control over many aspects of a traditional IT infrastructure than they do with SaaS or PaaS. Companies using IaaS pay on a per-use basis to access services and applications, and can also tap the operating system that supports virtual images, networking and storage environments for additional control. Often, IaaS is offered as a private cloud, giving companies complete internal control over access and security.

Questions to ask to ensure cloud security

Regardless of which flavor of cloud a company chooses, it’s important to remember that the same factors apply to ensuring security whether it is cloud-based or within a traditional IT infrastructure. The key difference in the cloud model is that it includes external elements, and those elements will be managed by the cloud service provider. This means companies need to understand the environment beyond their own data center and consider how it impacts the organization from a security standpoint.

To help ensure security and peace of mind, and to craft the most effective working relationship with the cloud provider, the client company should always identify and prioritize cloud-specific security risks beforehand. Often, companies will find they have the same amount of control, if not more, with a cloud service.

For identity and access management issues, companies need to control passwords, support privileged users and enable role-based access to these cloud services. With data protection, a key concern is knowing whether or not a company’s hosted data is secure, especially if data from rival companies is also being stored on the provider’s cloud service. Companies should also be asking how the cloud provider is deploying antivirus software on all supported systems that could be exposed to virus or spyware attacks, and ensuring that selected programs can identify and protect against malicious software or processes.

From an auditing and monitoring perspective, companies need to determine how the cloud provider is testing and assuring the infrastructure. The legal, regulatory and privacy requirements include making sure the company and the provider understand the rules of engagement by determining who is responsible for governance and meeting any regulatory restraints.

Reaping the benefits of cloud

On a smarter planet—the when, where and how of living and working is more instrumented, data-driven and interconnected than ever before-cloud computing can be a powerful way for companies to be more agile, effective and efficient.

Organizations interested in reaping the benefits of cloud can best begin by understanding the security ramifications of a cloud deployment to their business, keeping in mind they can start small by deploying cloud in low-risk workload areas like email services. This easing-in process gives organizations valuable time to become familiar with cloud on a scale that’s simpler to grasp and doesn’t put them at increased security risk. And as familiarity of cloud and trust in the provider grows over time, companies can expand their use of cloud computing into other areas of business. By following this gradual path, companies can learn to wield the power of cloud in a way that’s safe and secure.

Empty Your Inbox: 4 Ways to Take Control of Your Email
used with permission from Microsoft at Work
by Sally McGhee

If your email Inbox is out of control, you might want to rethink your methods for organizing your email and emptying your Inbox. Developing a new approach to processing your Inbox can help you to gain more control, improve your response time, and keep up with critical actions and due dates.

This article covers four key factors that can help you process your email more efficiently—both at home and at the office. Although some of the productivity tools mentioned here are specific to Microsoft Outlook (Outlook 2010, Outlook 2007, and Outlook Web Access), most of the techniques—and even the organizational attitude described here—can help you to more efficiently process email and empty your Inbox, even if you use an email application other than Outlook.

1. Set up a simple and effective email reference system

The first step toward an organized Inbox is understanding the difference between reference information and action information.

• Reference information is information that is not required to complete an action; it is information that you keep in case you need it later. Reference information is stored in your reference system—an email reference folder, your My Documents folder, or a company intranet site, for example.
• Action information is information you must have to complete an action. Action information is stored with the action, either on your to-do list or on your Calendar.

Most people receive a considerable amount of reference information through email. Sometimes as much as one-third of your email is reference information. So it is essential to have a system that makes it easy to transfer messages from your Inbox into your email reference system—a series of email file folders where you store reference information to ensure you have easy access to it later. Learn more about setting up a reference system.

After you take care of filing your reference information, you can use the next three steps to handle the email that you have to do something with—your action information.

2. Schedule uninterrupted time to process and organize email

How many times are you interrupted every day? It’s nearly impossible to complete anything when there are constant interruptions from the phone, people stopping by your office, and instant messaging. So it’s critical that you set aside uninterrupted time to process and organize your email.

Many email messages require you to make a decision. The best decisions require focus, and focus requires uninterrupted attention. Establish a regular time each day to process your email so that you can empty your Inbox. Of course, you can scan your email during the day for urgent messages or requests from your boss.

Book yourself a recurring appointment for an hour a day to process email, and mark that time as “busy.” During that hour, don’t answer the phone or take interruptions, and work only on processing your Inbox. You can also turn off the audio alert that sounds each time you receive a new email—which can be a distraction in itself. In Outlook, click the File tab. Click Options. On the Mail tab, under Message arrival, clear the Play a sound check box.

At first, keeping these appointments will take discipline. But over time, the discipline becomes habit. And after you completely empty your Inbox, you’ll see the value of this one hour a day and you’ll stick to it like glue.

Microsoft Outlook 2010 makes it easier to keep this email appointment and to process your Inbox. The new anywhere access features of Outlook 2010 mean that you don’t have to be at home or at the office to keep your daily email management appointment.

Conversation view in Office 2010 enables you to organize email folders by date and conversation. When Conversation view is turned on, messages that share the same subject appear as conversations that can be viewed as expanded or collapsed, helping you to quickly review and act on messages or complete conversations.

Also, improved search tools in Office 2010 make it easier to narrow your search results by using criteria, like sender or subject keywords, and other information, such as attachments. The Search Tools contextual tab includes a set of filters that efficiently focus your search to isolate the items that you want.

Instant Search in Outlook 2010 provides many ways to search your email for specific messages.

3. Process one item at a time, starting at the top

When you sit down to process your email, the first step is to sort it by the order in which you will process it. For example, you can filter by date, by subject, or even by the sender or receiver of the email message. In Outlook 2010, on the View tab, in the Arrangement group, click the arrangement option you want.

From the View tab, you can filter your email by date, category, sender or receiver, and more.

You can also change the arrangement directly from your Inbox. To display the list of options, under the Search box, right-click the Arrange By: box.

The Arrange By: box in your Inbox gives you convenient access to even more options to arrange your messages.

Tip:  If you use Outlook 2010, enable the reading pane (called the preview pane in Outlook 2007) so that you can view your messages without having to open them. To enable the reading pane, on the View tab, in the Layout group, click Reading Pane. To enable the Outlook 2007 preview pane, on theView menu, click AutoPreview.

Resist the temptation to jump around in your Inbox in no particular order. Begin processing the message at the top of your Inbox and only move to the second one after you’ve handled the first. This can be hard at first, when you might have thousands of messages in your Inbox. But as you reduce the number of messages over a few sessions, eventually you’ll get to the point where you can process the 60–100 messages you get every day and regularly get your Inbox down to zero.

4. Use the “Four Ds for Decision-Making” model

The “Four Ds for Decision-Making” model (4 Ds) is a valuable tool for processing email, helping you to quickly decide what action to take with each item and how to remove it from your Inbox.

The expanded Ribbon in Office 2010 is designed to help you quickly find the tools that you need to complete your tasks. Features are organized in logical groups collected together under tabs. You can also customize the Ribbon to include tabs you personalize to match your own style.

The expanded Ribbon in Outlook 2010 replaces Outlook 2007 menus, giving you easy access to tools on conveniently organized tabs.

The Quick Steps feature, new in Outlook 2010, speeds up managing your email even more. This feature enables you to perform the multi-stepped tasks you use most often, such as moving email to a specific folder or moving a message and replying to it with a meeting request, with a single click. The Quick Steps gallery includes buttons for one-click file and flag, sending messages to your team, and other popular commands. For more information, see Automate common or repetitive tasks with Quick Steps.

The Quick Steps feature turns your most frequent tasks—whether forwarding messages to your co-workers or copying messages to a specific folder—into one-click operations.
Tip: Learning a few basic keyboard shortcuts in Outlook 2010 can make performing these tasks even easier and faster. Read our article on how to save time with quick computer shortcuts.

Decide what to do with each and every message

How many times have you opened, reviewed, and closed the same email message or conversation? Those messages are getting lots of attention but very little action. It is better to handle each email message only once before taking action—which means you have to decide what to do with it and where to put it. With the 4 Ds model, you have four choices:

1. Delete it
2. Do it
3. Delegate it
4. Defer it

Delete it

Generally, you can delete about half of all the email you get. But some of you shudder when you hear the phrase “delete email.” You’re hesitant to delete messages for fear that you might need them at some point. That’s understandable, but ask yourself honestly: What percentage of information that you keep do you actually use?

If you do use a large percentage of what you keep, your method is working. But many of us keep a lot more than we use. Here are some questions to ask yourself to help you decide what to delete:

• Does the message relate to a meaningful objective you’re currently working on? If not, you can probably delete it. Why keep information that doesn’t relate to your main focus?
• Does the message contain information you can find elsewhere? If so, delete it.
• Does the message contain information that you will refer to within the next six months? If not, delete it.
• Does the message contain information that you’re required to keep? If not, delete it.

Outlook 2010 helps you get rid of the “noise” in your Inbox by providing two new commands: Ignore Conversation and Clean Up Conversation. If a conversation is no longer relevant, you can prevent additional responses from appearing in your Inbox. The Ignore command moves the whole conversation and any future messages that arrive in the conversation to the Deleted Items folder.

Easily delete an entire conversation so that no new responses to it will appear in your Inbox.

When a message contains all the previous messages in the conversation, you can click Clean Up to eliminate redundant messages. For example, as people reply to a conversation, the response is at the top and the previous messages in the conversation are below. Use the Clean Up command to keep only the most recent message that includes the whole conversation. For more information, see Use Conversation Clean Up to eliminate redundant messages.

Cleaning up your conversations makes it easier to stay focused on the task being discussed.

Do it (in less than two minutes)

If you can’t delete the email messages, ask yourself, “What specific action do I need to take?” and “Can I do it in less than two minutes?” If you can, just do it.

There is no point in filing an email or closing an email if you can complete the associated task in less than two minutes. Try it out—see how much mail you can process in less than two minutes. I think you will be extremely surprised and happy with the results. You could file the message, you could respond to the message, or you could make a phone call. You can probably handle about one-third of your email messages in less than two minutes.

Office 2010 helps you respond to email messages faster. You can view the availability of a person and instantly reach out to them using a variety of communication methods—all on a new easy-to-access contact card. You can even customize the context menu of the contact card to include tasks you perform most often, saving you more time.

Delegate it

If you can’t delete it or do it in two minutes or less, can you forward the email to an appropriate team member who can take care of the task?

If you can delegate it (forward it to another team member to handle), do so right away. You should be able to compose and send the delegating message in about two minutes. After you have forwarded the message, delete the original message or move it into your email reference system.

Defer it

If you cannot delete it, do it in less than two minutes, or delegate it, the action required is something that only you can accomplish and that will take more than two minutes. Because this is your dedicated email processing time, you need to defer it and deal with it after you are done processing your email. You’ll probably find that about 20 percent of your email messages have to be deferred.

There are two things you can do to defer a message: Turn it into an actionable task, or turn it into an appointment. When you’re using Outlook, you can defer emails that require action by dragging the messages to your Task List to turn them into tasks. Name the task to clearly state the required action so that you don’t have to reopen the email message. The result is a clearly defined list of actions on your Task List that you can prioritize and schedule to complete on your Calendar. Or you can turn the message into a meeting request by dragging it to your Calendar.

Tip: Use the To-Do Bar in Outlook 2010 and Outlook 2007 to drag an email message from an email folder to a date on your Calendar or to your Task List. On the View tab, in the Layout group, click the To-Do Bar. When the bar appears, drag the message to your Calendar or to your Task List. This copies the message to the new location; it doesn’t move it out of the original mail folder, so you’ll still be able to find what you need.

Use the 4 Ds model every day

Using the 4 Ds model on a daily basis makes it easier to handle a large quantity of email. Our experience shows that, on average, people can process about 100 email messages an hour. If you receive 40 to 100 messages per day, all you need is one hour of uninterrupted email processing time to get through your Inbox. Our statistics show that of the email you receive:

• Fifty percent can be deleted or filed.
• Thirty percent can be delegated or completed in less than two minutes.
• Twenty percent can be deferred to your Task List or Calendar to complete later.

Of course, if you have a backlog of hundreds of messages, it will take time to get to the point where your daily routine keeps you up to date. It’s important to get that backlog down, so I would suggest setting blocks of time aside to work through it. Then, you can really enjoy processing your messages every day using the 4 Ds.

Why You Need a Managed Services Provider

Information technology (IT) systems are expected to meet high standards of operation, while offering 24/7 availability, security, and performance. In today’s environment, you have to keep pace with the constant changes in IT, performance demands, and pressure to deliver competitive IT functionality. To meet these challenges, many organizations consider outsourcing their IT activities to be an attractive option.

What is a Managed Services Provider?
A Managed Services Provider (MSP) lets you delegate specific IT operations to them. The MSP is then responsible for monitoring, managing and/or problem resolution for your IT systems and functions.

Managed services providers offer services such as:

• Alerts
• Data backup and recovery for different devices (desktops, notebooks, servers, etc.)
• Patch management
• Security

Basic services often start with a monitoring service which notifies you of problems, but you resolve them on your own. More intensive services cover everything from alerts through problem resolution.

MSPs act as an extension of your IT department, taking care of routine IT infrastructure monitoring and management around the clock and freeing up your IT staff to focus on more important projects. An MSP proactively monitors and maintains your systems in order to help you avoid problems and downtime.

Outsourcing your IT is not like outsourcing other services: you maintain control of your IT. You decide what you want your provider to take care of and what you want to handle yourself. In addition, the MSP subscription model gives you more budget predictability.

Internal IT vs. MSPs
Sometimes it seems that the easiest way to handle all of your IT needs is to dedicate your resources to having an in-house team of IT professionals. While this may seem like the most fiscally responsible move, it can end up costing more than hiring an MSP.

A technology professional with five years of experience may be worth $70,000+ a year. That $70,000 salary only gets you one person, not a team of professionals with expertise and knowledge.

When you hire your own IT staff, there are also challenges scheduling around vacation, training, and illness. An MSP provides full time IT coverage, but vacations, illness, and other absences don’t affect your support.

There are also hidden additional costs when you hire internally—for example, training. Combining this with the cost of equipment and other supplies, expenses can quickly add up. When you have an IT partner or MSP, training and other “hidden” expenses are no longer your concern.

How to Choose an MSP
IT firms are a dime a dozen, but finding the right IT advice and technology professional for your business can be compared to finding a needle in a haystack. This list should provide you with the insight you need to select the MSP that is right for you.

• Do they follow industry standards and best practices? Are their technicians certified in the solutions and services they provide?
• Do they have experience serving other clients in your industry or of the same business size?
• Do they have enough resources to serve you effectively and in a timely manner?
• What are their normal business hours and availability outside of those hours? Can you contact them 24/7 in an emergency?
• Do you they properly document work so that you have accurate and complete records?
• Do you trust them?

MSPs have become an attractive option for many organizations and should be an integral part of your overall business strategy, involving senior executives and key IT staff. The decision to hire an MSP is not one that should be made lightly. It is a decision that can have a significant, long-lasting influence on the reputation and the performance of your organization. If you are interested in how you can benefit strategically, financially, and technologically by working with an MSP, please contact us.

Managing your business would be a breeze if you could eliminate the time wasters and energy drains like office gossip, power struggles, tattling, and the relationship challenges. Think about how smoothly your department, operation or company would run if each person in the company knew how to communicate effectively, handle disappointment and stress without resorting to blame, criticism, or finger pointing. A workplace climate of stress and negativity would be replaced with personal growth and empowerment, and customers would notice the increase in professionalism, attention to detail and service.
Continue Reading »

Free antivirus software may seem like a bargain, but it’s not. Learn what issues you need to consider before you download this particular “freeware.”

In this tough economy, getting something for free is always a good thing, right? Short answer: It depends on your tolerance for risk.

Take free antivirus software as an example. It may seem like a bargain, but it’s not. Here are the issues to consider before you download this particular “freeware.”

First and foremost, free antivirus software doesn’t provide the comprehensive protection you need against today’s biggest online threats. So when you trust your computer, applications, files and identity to free antivirus software, it can end up costing you more in time, aggravation, and money than you ever imagined.

Most free antivirus software is really just bait that some software companies use to lure you in. It’s usually a “light” version of one of their paid products that offers only limited protection against today’s online threats.

After you install most free antivirus software, you can expect to be hit with a barrage of annoying, time-wasting pop-up alerts telling you that it only provides “basic” protection. Then you’ll receive recommendations to switch to one of the software maker’s paid security products for “complete” protection. Continue Reading »

Anyone who manages a network is embarking on an exciting ride. Maybe you’ve already strapped on your seat belt and are underway, riding through:

• A steep climb in Internet traffic and network access from smartphones and tablets
• Increased traction in cloud services and virtualization
• The growing popularity of IP voice and video
• Challenging twists and turns in security, including international hacking

We’ll do a flyover tour of the ride at 30,000 feet, then take a ground run for 2012. Continue Reading »

Personal information from nearly one out of three Massachusetts residents, from names and addresses to medical histories, has been compromised through data theft or loss since the beginning of 2010, according to statistics released yesterday by the office of Attorney General Martha Coakley.
A state law enacted in 2007 requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. That could include leaks of individual names along with other sensitive information, such as Social Security numbers or bank account, credit card, and debit card numbers. The law was passed in 2007, after hackers stole 45 million credit card numbers from Framingham-based retailer TJX Cos.

More at http://www.boston.com/business/technology/articles/2011/09/21/two_million_mass_residents_hit_by_data_breach_leaks/

It’s a sunny Friday afternoon in August and, while other companies might have already quit for the day, your team at I&T is having a team meeting to discuss quality control and how better to serve our customers.

The scene: A narrow, poorly lit inner-city alleyway. You turn the corner and face an old wooden door entrance to a Prohibition era speakeasy. Your hand reaches out to give an assertive, yet discreet, knock. A small porthole opens. A grimly looking face appears and asks you for your password. You think for a moment and respond “pass1234,” he frowns and slams the porthole closed. “No . . . wait . . .  that’s the password for the speakeasy down the street. Try ‘QWERTY67.’ What’s that? Oh, right, we’re on the East side of town, I need at least one special character.

Computer passwords were invented ~50 years after this scene. They have been in play for 50 years since. They will probably be existence for 50 years more.

Passwords never used to be so complicated, but then again, they’ve never been so potentially dangerous. Passwords are the keys to our private kingdoms; kingdoms that are now accessible from anywhere on the globe with an Internet connection. These days there’s very little information we wish to keep private that is not protected by a password of our own choosing.

In this month’s edition of Gigabytes we examine passwords, their flaws and their undeserved longevity. Then, we will reintroduce a password management strategy that can reduce password aggravation, while improving our personal online security.

Passwords Fail Us All
At least once per week most of us receive a random email from a friend’s personal Yahoo, Hotmail, or Gmail account containing nothing more than a web link featuring 50% off prescription drugs. A few hours later arrives the apology message: “Please don’t click on the link, that’s how this whole mess started for me!” The likely cause of this fiasco: a weak password.

Perhaps you’re not as alluring of a target as Sarah Palin was in 2008 when a college student in Tennessee hacked her personal Yahoo email account. The hacker reset Palin’s password using just her birthdate, ZIP code and information about where she met her spouse, (the security question on Palin’s email account) eventually correctly guessing ‘Wasilla high’.

How Can It Be So Easy?
According to Forrester, password problems and resets generally constitute between 25% and 40% of all help desk incidents. Recent projections state that Yahoo has at least 250 million email addresses. Let’s assume that just 1 in 10 Yahoo email users needs to reset their password an average of once/year at a cost of $10 per reset. That’s $250 Million dollars each year. While it’s easy to fault the mail providers for using minimal safeguards to protect their users’ identities, perhaps we, the users, are equal in blame.

After all, when selecting your personal email provider, your bank, your search engine of choice, or your travel agent, how much emphasis did you put on that firm’s commitment to your security? The fact is, most of us are many times more likely to complain about security measures that in anyway complicate or delay our access to our beloved online tools than we are to promote a provider who touts higher security standards.

Cracking Passwords
While the college student from Tennessee used a password reset technique to unlock Palin’s email address, one could just as easily automate such an attack. A hacker could simply run a dictionary attack against any username/password prompt and return after lunch to see what’s turned up. The average time to crack a 6 character (all lowercase) password is just 10 minutes! Incorporating uppercase characters extends that to 10 hours. Mixing in numbers and symbols raises the average time to crack to a whopping 18 days. Do you see why IT management pushes for those special characters and account lockouts after 5 failed attempts?

Out of the Paranoia and Into the Fire
We users were very leery about entering our personal information into the Internet, at least initially. But, the banks and credit card companies assured us that if fraud on our account did occur, we wouldn’t have to shoulder those financial responsibilities. We grew out of paranoia.

Soon every company we interacted with wanted us to create a username/password. We were lectured by the IT pros of the day to never write any passwords down. That’s a dead giveaway! What choice did we have but to start using the same passwords for everything?

Addicted to Passwords
Passwords are to the IT industry what oil is to the energy industry: dirty, aggravating, and increasingly expensive, albeit a lot cheaper than anything else we have so far found. As sure as a car needs gas to move, businesses desperately need to interact with their customers online. Need proof? Try counting the cars through a bank drive up window versus the ATM one lane over. Passwords, PINs, challenge questions, and the like are annoying, but our addiction to cheap authentication means that they are not going away for a long, long time. Perhaps another 50 years?

Write ‘Em Down
There continues to be no excuse for those among us who append to their monitor a post-it note with their password on display for all who pass by. We cannot protect those who refuse to protect themselves. For the rest of us, an old password management strategy is re-emerging. Develop a complex password (8+ characters, special characters, numbers, CAPs, etc). Write it down. Stuff it into your wallet. You are already good at securing pieces of paper in your wallet, right?