On that very day, we needed to lock down their network and secure their data.  We changed passwords,  blocked access, discovered and patched holes that could allow this person or others back into the systems if they decided to delete data or do anything else to compromise the company’s assets.

When we began to look at email, nobody at the sizeable organization knew anything about how email was delivered, or where it came from.  We quickly found out that they had commercial Gmail as their mail system. Since the IT Director was the only administrator of the account, we didn’t have the passwords.

In this particular case, the password was provided by the accused party without argument, and the email was able to be secured, but it raised major red flags thinking about security in the cloud for small businesses.

In this instance with Gmail, if the password had not been given up, it could have taken days to get Google to change the administrator password on the company’s email.  Google obviously is not going to do that for anyone, and you will need to prove you are who you say you are before any changes are made.

Since there was no email archiving taking place, and there was no email continuity solution either, this time gap would have provided the IT Director unlimited access to the mail. He could have deleted incriminating data and down from there. 

There are some simple steps that your business should take to avoid being in such a vulnerable position.  If your corporate data is presided over by any individual – whether IT staff of not – with complete administration rights, play close attention. 

• Have a password policy in place that keeps passwords documented and encrypted.  Use a product like Ironkey or similar
• Use a third party email archiving service to archive email and comply with eDiscovery rules.  You never know when this may become critical in an internal HR issue, as in this example.  Just archiving email to another server in the office would not have helped this situation at all.
• Use a third party email continuity service. Usually implemented to avoid business interruption during technical difficulties and Internet outages, the right continuity product can actually be an invaluable security tool by giving you the ability to re-route your hijacked email and keep your business running during a security incident.
• Keep detailed documentation on your network resources, hardware, IP addresses, DNS service, etc.  Having this information will save time and money if a third party has to understand your network in a hurry.
• Develop a simple “expert system” – a written process with a succession plan, contingencies and simple SOPs (standard operating procedures) so everyone knows what to do during a security breach.

Almost every security incident and the resulting damage to small businesses that we ever see are avoidable. Security on the cloud is no different. The combination of common sense, basic organization, and a trusted advisor to set things up and monitor them for you will always allow you to sleep easier.

A summary of these new regulations can be found here on the Commonwealth’s web site: 201 CMR 17:00 (PDF)

It is important to understand the impetus behind these laws and what caused the state to take such sweeping action.   The TJX breach of 2007 was the major wakeup call that put these regulations into motion.  For months, sensitive information was being stolen from this company without anyone in management knowing what was happening.  When it was finally discovered, there were over 94 million records that were compromised!

After a series of similar incidents, Massachusetts has come down harder on this issue than any state in the union, because legislators don’t want such breaches to happen at any scale, and neither should you, since these are our credit cards numbers (and other personal information) that are being stolen and potentially used for identity theft.

For organizations who conduct any business in Massachusetts, whether they have physical locations in the state or not, and businesses that handle the personal information (SSN, drivers license number, address and phone number, credit card info, financial account info) of any Massachusetts residents, the state mandates specific assets, processes and performance.  If you think about it, that affects everyone from the corner pizza parlor that takes credit cards all the way to the biggest insurance carrier.

The regulations, in summary, require your business to:

1. Take the necessary steps to protect personal information, both physically and electronically
2. Comply with specific computer security requirements and put resources into place if they don’t exist
3. Have the ability to know when a breach happens and report it to the state if it does
4. Have a written plan that describes your policies and procedures with respect to info security
5. Have a designated go-to person in the company for compliance with these regulations
6. Train your employees on these policies and procedures
7. Require similar performance from all your relevant vendors
8. Monitor your systems and have them audited for continued compliance

The regulations provide much more detailed information and definitions of terms, and we highly recommend you look them over.  The state promises to impose heavy fines and penalties on companies that do suffer a breach while not in compliance with the laws.  Risks of non-compliance include:

• Audit and penalties by the state
• Loss of goodwill and reputation
• Consumer law suits – torts by individuals whose information has been compromised

Please don’t do what I heard a business owner tell me the other day. He said, “Well, if I don’t do anything, then I won’t know if a breach happens, therefore I can’t report what I don’t know, so I’m good!”

If you want to still own a business after a data breach, I suggest you don’t take this person’s advice. It will be tough enough to make up for your lost reputation when your clients find out you caused their sensitive data to be compromised.  For a quick look at businesses that have reported a breach check out the ID Theft Center .

If you haven’t done your 201 CMR 17 compliance project, it’s not too late! Find a service provider with demonstrable 201 CMR 17 compliance experience, or better yet, a consortium of service providers representing the IT/technical, legal and security aspects of compliance, and protect your small business today so you can get back to work with peace of mind.

So how did we get here? Here’s a short history of the business telephone system that won’t make your eyes glaze over.  When Ma Bell first offered telephone service to businesses, every person in your office received a physical phone and a 7-digit number. All calls were routed through a central office in town that was connected to many other central offices all over the state and eventually the country.  This was called a Centrex system and offered many of the features of a PBX (Private Branch Exchange, or phone system) system that you would buy for your office. It was essentially renting a piece of a giant phone system located in the center of town.

As this service became more expensive and the price of a PBX was driven down by overseas competition, business moved toward owning your own system to drive down costs and give you more control of your telephones. 

With the penetration of high-speed Internet and the maturation of VoIP (Voice over IP), the business model is now turning back to buying your phone system as a service – just like it was in the beginning.  Back then, the only hardware you had was the phone you rented from the phone company. Just as the computing tide is turning back to centralization of the “brains” through cloud computing, the same is happening in the telephone world.

Unlike buying a new hardware-based phone system that happens to support VoIP, with a hosted system, you are not incurring a capital expense or buying hardware that requires a maintenance contract.  The best hosted  phone system deals usually come with very low installation fees and a monthly service fee that includes all of your local and long distance minutes. More importantly, it becomes part of your operating budget and rolls into your Internet and voice calling services (local and long distance) operating expense.  In most cases you can say goodbye to your current phone and Internet service bills, as the provider of the hosted system can configure your service to carry both your voice and data services. 

Look for hosted phone system services that are offered by large, reputable voice and data carriers who provide you with a dedicated connection from the hosted phone system to your office. That means, the connection to the brains of your system is direct and not through the Internet.  At the very least, make sure the provider of your hosted service is delivering it to your door via some private network like MPLS (Multiprotocol Label Switching) – not just straight through the Internet.  There are service deals that will provide you with a hosted system that only require you to have an Internet connection.  These should be avoided for now, as there is no control over the quality of service, and the cloud provider will not take any responsibility for the quality of the calls.

Hosted phone systems are highly desireable solutions for the right business requirements, and they can save you substantial amount of money while reducing headaches.  Yet they are not right for everyone.You should speak with an independent telecom advisor before making such an important decision that will affect the day-to-day performance of your business. Factors such as the number of phones, specific features and functionality, number and geography of locations, and availability of T1 services need to be considered.

Due to the underlying complexity, there are unfortunately no formulas and no rules of thumb that fit all cases. Only an objective advisor with encyclopedic and up-to-date knowledge of the rapidly changing small business telecom landscape can help you decide whether and which hosted phone system may be right for you.

Overall

We rated the Apple iPhone 3GS from AT&T, the Motorola DROID from Google and Verizon and the BlackBerry Storm2 from RIM and Verizon.

The iPhone 3GS is a winner in terms of business functionality, applications and fun factor, while lacking in mobile service and cost. Overall we scored it 21 out of a possible 25.

The DROID is a decent overall phone with perfect marks for mobile network and ease of use and a high score for apps and fun. Cost was pretty average. Overall we scored it 20 out of a possible 25.

The Storm2 is definitely geared more toward business and was lacking in the ease of deployment of email, as well as fun factor. Overall we scored it 17 out of 25.

For a business looking to add 3 or 5 smartphones, you can’t go wrong with the iPhone or the slightly less impressive DROID. BlackBerry Server Express and BlackBerrys are intriguing technology, but don’t necessarily make a lot of sense for a business with 3 or 5 smartphones, unless there is a lot of loyalty to BlackBerry. However, as a business adds more and more smartphones, say 10 or more, the costs involved in BlackBerry Enterprise Express start to make a lot more sense. The BlackBerry smartphones are a bit less expensive and the central management makes for a much higher value and return on investment when a business deploys a lot of smartphones, so before making your decision, think a bit of your smartphone deployment strategy – and find the right technology partner to guide you through this process.

Next up, the BlackBerry Storm2 from RIM and Verizon.

There are several BlackBerry models from several carriers we could have reviewed. In the end, we decided to review the Storm2 from Verizon, because it has a full screen like the other smartphones in this review.

There are 2 potential methods to connect your BlackBerry smartphone to your Microsoft Exchange or Google Apps push mail, but neither is all that user friendly. Most of our clients who use BlackBerry use BlackBerry Enterprise Server Express (which recently was released as a free basic product, before February similar BlackBerry technology cost several hundred dollars). To connect your device to your user data, you must either physically connect the device to the server, or go through the clunky process of over the air Enterprise Activation, which takes a long time and is an involved process that uses temporary passwords and hardly ever works on the first try. The other method, which is not available on all BlackBerry smartphones, is to use Push through BlackBerry Internet Service, but this does not always give you access to Calendar and Contact data. For Google Apps, you must use this method. 1/5.

Apps on the BlackBerry is a tricky category. The BlackBerry Storm2 is geared especially to business users, and actually comes with several business apps standard out of the box that you do not find on the iPhone 3GS or the DROID, such as support for Office and PDF documents. Until recently, loading and deploying apps to the BlackBerry was too much of a hassle for a small business, that is until BlackBerry deployed their own store, the BlackBerry App World, similar to the Apple iTunes App store. The App World is available from the Storm2, but not necessarily on older BlackBerry models. 4/5.

What can we say about the network that we haven’t already said? The Storm2 that we tried was on the Verizon network, which has the highest customer satisfaction and fewest dropped calls, although there are BlackBerry models available on every carrier in the United States. 5/5.

The cost of the BlackBerry Storm2 is somewhat less out of the box than other reviewed models at $179.99, and the voice and data plan are a little less than either the DROID or the iPhone 3GS at around $65 per month. Be careful on Verizon, however, as Verizon imposes a charge of $15-$25 per month extra, depending on the phone model, in order to do the very basic task of Enterprise Activation if you happen to use BlackBerry Enterprise Server Express. Verizon is the only carrier to have this extra charge to my knowledge. As I already mentioned, BlackBerry Enterprise Server Express was recently released as a free licensed product. BlackBerry Enterprise Server Express takes about 2-3 hours to install. Despite the added time costs, if an organization hopes to deploy 10 or more smart phones, BlackBerry Enterprise Express may be the way to go because of the ease of administration and policy deployment not available with regular Microsoft Exchange Push, especially if you go with even less expensive smartphone models. 4/5.

The BlackBerry Storm2 is clearly a smartphone designed for business and therefore rates a little lower on the fun factor than other reviewed smartphones. You can play games and have other means of entertainment, and the preloaded Sims 3 and Tetris are actually quite fun. Also, Verizon’s V Cast Song ID is a fun inexpensive app. 3/5.

Overall, the BlackBerry Storm2 from Verizon rates a 17/25.

Next up, the DROID from Motorola, Google and Verizon.

The Motorola DROID runs Google’s Android OS – a relatively new OS designed for mobile computing. Because of this, it aims to be more flexible than the mobile platforms from Apple and Microsoft, and one of DROID’s main marketing strategies was to tell the end user all the things that DROID does that the iPhone 3GS presumably can not do. Lets dig in.

Right out of the box we were able to connect to Microsoft Exchange and Google Apps mail within a few minutes. As quick and easy as any smartphone we’ve seen. This is a must for busy professionals, especially when you’re in Seattle for a business presentation and your phone is stolen and you need a replacement quick. It happens to our clients more often than you think. 5/5.

While the DROID does not claim to have over 200,000 apps like the Apple iPhone 3GS, the number of apps is building quickly as more people start to use the DROID. One huge advantage the DROID has over the iPhone is that anyone can write and release their own app, you can load your own software, and there are numerous stores to buy apps for the DROID (as opposed to the iTunes App store for the iPhone). So while the number of apps lags behind the iPhone, the quality and cost are comparable, and the speed which they are released is faster. Some key apps such as Dragon Dictation and Box.NET are not yet available or are coming soon, however. 4/5.

The DROID we tested was for the Verizon network, although you can get other DROIDs and other generic Android smartphones through other manufacturers and carriers. Verizon’s network in the United States is still the industry leader, both in fewest dropped calls, and customer satisfaction, as this article suggests. 5/5.

The DROID is priced similar to the iPhone 3GS, as most of the smartphones are on the high end of what consumers will reasonably tolerate. The phone itself costs close to $600, though you can get it for as low as $199.99 with a two year contract. Typical monthly cost will be about $80 for voice and full data, and apps and accessories are typically the same price, though Verizon’s in store BlueTooth accessories seem to run more than AT&T for some reason. 3/5.

The DROID can be a fun toy, if you are on the geeky side. There are plenty of games and entertainment to be had. The interface itself is definitely not as sleek and polished as the iPhone 3GS. Overall it seems more pixel-ly and the theme sounds are more in line with what a computer-jock teenager would find appropriate, rather than a business person. First thing you’ll want to do is change the sound scheme. The ability to program your own apps on the DROID can definitely be appealing to the hobbyists and software designers out there, but is not useful to a small business that does not have access to in house programmers. 3/5.

Overall the Motorola DROID from Verizon rates a 20 out of a possible 25.