Thursday, August 13, 2009

Security in the Air...

With the new trend of internet on airplanes, I am presented with a new question.

Is airplane wireless any different than coffee shop or other public hotspots or cell carrier wireless?

Of course, that goes on top of these other questions I already had. What do you tell your clients about their security concerns when accessing the internet while on the road or on a business trip? Should clients be using those "privacy screens" on their laptops? Do wifi devices have any additional concerns?

These are all questions that I have asked myself lately. Right now, at this very moment, I am for the first time using internet on a Delta flight. I find that the questions are even more insistent as I type this from my seat at 28C.

Now, I know that it seems that I have an answer for everything. But I do not. I post those things where I have reached a conclusion based on my long experience in the field as both technician and business advisor. But for this, I do not have answers.

Now, don't get me wrong. I have some ideas, but they are not as polished as I would like, and the final conclusions are still in a state of flux. Of course, shield your laptop screen if possible, but do we push this with our clients, especially if they are using a business laptop for recreation on vacation? Do we get them to use those little wireless routers or the new hotspot devices from Verizon and Sprint? Do we advise them to not use the free Wifi at the airports because nefarious people put up hotspots cloning the same SSID as the airport's wifi? (True story, that does happen and I have seen it!)

There is help on the way! I am excited about the new multi-policy firewall inside Windows 7 that will allow multiple network connections at once with a different policy for each. Paul Cook writes about how it will help to enable the mobile workforce.

Lots of questions and I am still looking for my final answers on this.

Sunday, August 09, 2009

Justifying the Cost of Security...

Security is always a balance between available money and potential for threats.

Ever been in that situation with a client where they NEED some righteous security upgrades, but you haven't figured out how to get them to pay for it?

Yep, if you have been in business any amount of time, you can say "YES" to that statement. I have often been there and have tried different methods to get the client to do the right thing. So, here are my thoughts on how best to do this.

  • FIRST, decide if this is a keeper client. If they fight you on every upgrade that you advise, then disengage with them. This becomes the item you can use to "request" the client become serious. Let them know that, if they do not "get with the program", you will have to refer them to another tech firm.

  • SECOND, Do not resort to lists of feature sets. Most smaller clients (50 desktops and under) couldn't care less. They do want to know that this will help them be compliant, and that you truly believe it is best for them, but they do not want to understand the plumbing.

  • THIRD, Use your Trusted Advisor status. If you have done well with the client, then you will have it. If they see your confidence in the security solutions, and they have confidence in you, then they will buy in emotionally.

  • FOURTH, Relate to them that this is STANDARD security, and that you are not selling them anything exotic. Let them know that you require this level of security in your clients because it will save the network from disruption and downtime. This means better ROI from their investment in personnel and capital.

  • FIFTH, Explain the possible consequences of not doing it. While Amy Babinchak of Harbor Computer Services makes a very good point about the dangers of using FUD (Fear, Uncertainty, and Doubt) to sell, the client still needs to be focused on the problem to solve. If there is no evident risk, there is no need for a solution. Use examples of botnets, etc. to focus the client on the fact that a solution is needed. Preventive in nature, but still needed.

  • SIXTH, Sell them on the fact that this is a duty to their clients to keep their client data as secure as possible. You can also relate the legally mandated (in some states) cost of having to inform their clients of security breaches.

  • SEVENTH, Help them find some way to pay for it. Either spread it with financing (such as Microsoft Financing) or leasing or HAAS. Another idea is to use a vendor such as Calyptix that can bill a monthly MSP fee so the client can "pay as they go".

So many of our clients are out of balance. Hopefully, this will help you help them get the security that they need.