On that very day, we needed to lock down their network and secure their data.  We changed passwords,  blocked access, discovered and patched holes that could allow this person or others back into the systems if they decided to delete data or do anything else to compromise the company’s assets.

When we began to look at email, nobody at the sizeable organization knew anything about how email was delivered, or where it came from.  We quickly found out that they had commercial Gmail as their mail system. Since the IT Director was the only administrator of the account, we didn’t have the passwords.

In this particular case, the password was provided by the accused party without argument, and the email was able to be secured, but it raised major red flags thinking about security in the cloud for small businesses.

In this instance with Gmail, if the password had not been given up, it could have taken days to get Google to change the administrator password on the company’s email.  Google obviously is not going to do that for anyone, and you will need to prove you are who you say you are before any changes are made.

Since there was no email archiving taking place, and there was no email continuity solution either, this time gap would have provided the IT Director unlimited access to the mail. He could have deleted incriminating data and down from there. 

There are some simple steps that your business should take to avoid being in such a vulnerable position.  If your corporate data is presided over by any individual – whether IT staff of not – with complete administration rights, play close attention. 

• Have a password policy in place that keeps passwords documented and encrypted.  Use a product like Ironkey or similar
• Use a third party email archiving service to archive email and comply with eDiscovery rules.  You never know when this may become critical in an internal HR issue, as in this example.  Just archiving email to another server in the office would not have helped this situation at all.
• Use a third party email continuity service. Usually implemented to avoid business interruption during technical difficulties and Internet outages, the right continuity product can actually be an invaluable security tool by giving you the ability to re-route your hijacked email and keep your business running during a security incident.
• Keep detailed documentation on your network resources, hardware, IP addresses, DNS service, etc.  Having this information will save time and money if a third party has to understand your network in a hurry.
• Develop a simple “expert system” – a written process with a succession plan, contingencies and simple SOPs (standard operating procedures) so everyone knows what to do during a security breach.

Almost every security incident and the resulting damage to small businesses that we ever see are avoidable. Security on the cloud is no different. The combination of common sense, basic organization, and a trusted advisor to set things up and monitor them for you will always allow you to sleep easier.

A summary of these new regulations can be found here on the Commonwealth’s web site: 201 CMR 17:00 (PDF)

It is important to understand the impetus behind these laws and what caused the state to take such sweeping action.   The TJX breach of 2007 was the major wakeup call that put these regulations into motion.  For months, sensitive information was being stolen from this company without anyone in management knowing what was happening.  When it was finally discovered, there were over 94 million records that were compromised!

After a series of similar incidents, Massachusetts has come down harder on this issue than any state in the union, because legislators don’t want such breaches to happen at any scale, and neither should you, since these are our credit cards numbers (and other personal information) that are being stolen and potentially used for identity theft.

For organizations who conduct any business in Massachusetts, whether they have physical locations in the state or not, and businesses that handle the personal information (SSN, drivers license number, address and phone number, credit card info, financial account info) of any Massachusetts residents, the state mandates specific assets, processes and performance.  If you think about it, that affects everyone from the corner pizza parlor that takes credit cards all the way to the biggest insurance carrier.

The regulations, in summary, require your business to:

1. Take the necessary steps to protect personal information, both physically and electronically
2. Comply with specific computer security requirements and put resources into place if they don’t exist
3. Have the ability to know when a breach happens and report it to the state if it does
4. Have a written plan that describes your policies and procedures with respect to info security
5. Have a designated go-to person in the company for compliance with these regulations
6. Train your employees on these policies and procedures
7. Require similar performance from all your relevant vendors
8. Monitor your systems and have them audited for continued compliance

The regulations provide much more detailed information and definitions of terms, and we highly recommend you look them over.  The state promises to impose heavy fines and penalties on companies that do suffer a breach while not in compliance with the laws.  Risks of non-compliance include:

• Audit and penalties by the state
• Loss of goodwill and reputation
• Consumer law suits – torts by individuals whose information has been compromised

Please don’t do what I heard a business owner tell me the other day. He said, “Well, if I don’t do anything, then I won’t know if a breach happens, therefore I can’t report what I don’t know, so I’m good!”

If you want to still own a business after a data breach, I suggest you don’t take this person’s advice. It will be tough enough to make up for your lost reputation when your clients find out you caused their sensitive data to be compromised.  For a quick look at businesses that have reported a breach check out the ID Theft Center .

If you haven’t done your 201 CMR 17 compliance project, it’s not too late! Find a service provider with demonstrable 201 CMR 17 compliance experience, or better yet, a consortium of service providers representing the IT/technical, legal and security aspects of compliance, and protect your small business today so you can get back to work with peace of mind.

So how did we get here? Here’s a short history of the business telephone system that won’t make your eyes glaze over.  When Ma Bell first offered telephone service to businesses, every person in your office received a physical phone and a 7-digit number. All calls were routed through a central office in town that was connected to many other central offices all over the state and eventually the country.  This was called a Centrex system and offered many of the features of a PBX (Private Branch Exchange, or phone system) system that you would buy for your office. It was essentially renting a piece of a giant phone system located in the center of town.

As this service became more expensive and the price of a PBX was driven down by overseas competition, business moved toward owning your own system to drive down costs and give you more control of your telephones. 

With the penetration of high-speed Internet and the maturation of VoIP (Voice over IP), the business model is now turning back to buying your phone system as a service – just like it was in the beginning.  Back then, the only hardware you had was the phone you rented from the phone company. Just as the computing tide is turning back to centralization of the “brains” through cloud computing, the same is happening in the telephone world.

Unlike buying a new hardware-based phone system that happens to support VoIP, with a hosted system, you are not incurring a capital expense or buying hardware that requires a maintenance contract.  The best hosted  phone system deals usually come with very low installation fees and a monthly service fee that includes all of your local and long distance minutes. More importantly, it becomes part of your operating budget and rolls into your Internet and voice calling services (local and long distance) operating expense.  In most cases you can say goodbye to your current phone and Internet service bills, as the provider of the hosted system can configure your service to carry both your voice and data services. 

Look for hosted phone system services that are offered by large, reputable voice and data carriers who provide you with a dedicated connection from the hosted phone system to your office. That means, the connection to the brains of your system is direct and not through the Internet.  At the very least, make sure the provider of your hosted service is delivering it to your door via some private network like MPLS (Multiprotocol Label Switching) – not just straight through the Internet.  There are service deals that will provide you with a hosted system that only require you to have an Internet connection.  These should be avoided for now, as there is no control over the quality of service, and the cloud provider will not take any responsibility for the quality of the calls.

Hosted phone systems are highly desireable solutions for the right business requirements, and they can save you substantial amount of money while reducing headaches.  Yet they are not right for everyone.You should speak with an independent telecom advisor before making such an important decision that will affect the day-to-day performance of your business. Factors such as the number of phones, specific features and functionality, number and geography of locations, and availability of T1 services need to be considered.

Due to the underlying complexity, there are unfortunately no formulas and no rules of thumb that fit all cases. Only an objective advisor with encyclopedic and up-to-date knowledge of the rapidly changing small business telecom landscape can help you decide whether and which hosted phone system may be right for you.