Why we use Fortinet Products

Recommending products to clients is always a tricky proposition. When most of us hear someone suggest we spend a lot of our own money, we tend to think, “that’s easy for you to say.” That’s doubly true if there are cheaper alternatives out there. In our line of work, we often have to recommend business security systems to our clients. They’re usually not for profit organisations and small to medium businesses who have little excess money to spend, and we have to justify every recommendation. Nevertheless, we try to persuade them to use Fortigate products—here’s why.

The managed services process starts with implementing some inexpensive recommendations.  This allows us to get the basics right.  Those basics include policies, procedures and processes: creating a disaster recovery, business continuity process and business resilience.  And in some cases, we need to change the culture through training and awareness programs. 

But none of these improvements can provide their full benefit without a state-of-the-art internet connection device. That’s where clients sometimes balk at the cost. It may seem like we’re pushing certain products, but we’re just looking out for the customer’s best interest. Fortinet and the Fortigate products have the best return on investment of any security vendor on the market.

Over six years of working with Fortinet, we have found that they have the best and most inexpensive enterprise-ready systems available for businesses. There is a vast leap in technology from a modem/router that is purchased from a retail store to the modem/router made by a high-end security vendor like Cisco and Juniper, but the Fortigate products are as easy to set up and as good as the high-end systems that are available.

Why am I saying this?  Well, with a Fortigate router, we can do so much more with your business at the cyber protection level than we ever could before. 

Let’s take Facebook, for instance.  Most businesses and organisations use Facebook as a marketing tool, so certain people need access to it during working hours—but does everyone?  Using simple rules, you can restrict users who don’t work with social media.  Or maybe you want your staff marketing through Facebook, but not wasting time on Farmville.  With other settings you can also make that happen.  But you don’t want to seem like an ogre—you want to allow full access to Facebook over lunch.  Once again, a simple addition of a rule can do that.

A single Fortigate device can manage applications that precisely. In addition to that, the standard Fortigate system using its UTM (Unified Threat Management) system comes with next-generation firewall capabilities, VPN connection, web filtering, intrusion detection, malware protection, and a level of anti-spam. It can also come with a high-end wireless system that is independent of the main network.

Since all these functions are now combined in one connection device, you need to ensure that your business will not suffer. Fortigate supplies a four-hour replacement warranty, but in addition to that we also keep spares ready to go into a site at a moment’s notice.

Using Forticlient (a free AV product for PC, Mac, iPhone and Android) you can protect all of your devices, but when it’s combined with a Fortigate appliance you can use it to manage, monitor, and enforce your business policies on all connection devices in the system.

You don’t have to believe Fortinet’s own hype; all of their systems hold their own when independently tested against others in their class.  In a number of cases—Forticlient AV, for instance—the product has proven better than most of the independent AV providers.

So the reason we use Fortinet products is threefold:

  • They have the best integrated product
  • Their support is top-quality
  • They have the best return on investment (ROI) of all security vendors

I know—it’s easy for me to say.  But if you’re serious about security, you might want to consider Fortinet.

The golden rules for BYOD in the workplace

BYOD is huge. It is one of the up and coming technologies that SMEs either embrace or totally hate. Either way it is something that is going to become more prominent over the coming years.

Gone are the days where a business gives you a laptop and mobile phone when you start. In today’s business world the reality is that your staff would rather bring their own device than be controlled by your requirements. So not only do you have to protect your information and critical data but you need to understand how to manage the BYOD revolution.

Here are a couple of ideas that could help.

Make sure that all devices have a Personal Identification Number (PIN) or password. This is the first and only level of protection for a stolen or misplaced device. All BYODs need to have a PIN. The attitude of no PIN no device is a good stand to have.

If data is to be downloaded to the device then all that information needs to be encrypted, so that anything at rest on the device cannot be casually read or used.

Applications that bypass security and get to the heart of your business should be tempered with paranoia. File-sharing applications like Dropbox need to be weighed against their benefits.

Have a BYOD policy. This protects your business but it also explains what your business expectations are of the device. If staff fail to sign that policy then they have no expectation of being supported by the business. This policy will also include what rights your business has to the unit, including auditing, management and remote wiping of the unit.

Define the devices you will support, with minimum operating system requirements. Versions of Android or iOS have to be stipulated.

Finally make sure that the devices do not have apps installed that can or will compromise your business security.

Although BYOD is the up and coming technology, your business needs to be wise enough to manage it correctly. It is a disruptive technology, but it can be used for good. It is also here for a while, so you have to get used to it, but you can do it on your own terms.

Communication is the key to Cyber Security

Communication inside a business is not a 140 character tweet, or a comment on Facebook.  Communication is what you do within your business to make it work better.

One thing I have noticed in my role to educate the public in business security and the framework needed to be secure, is the fact that ICT and business do not talk.   Not at the level that is needed to create a secure business.

Sounds like a broad statement but in most cases it is very true.   The more I look after my clients, as well as doing contract work with larger departments and organisations, the more this reality is noticeable.   There is a fine line between over commitment and generating a constant barrage of information and no information at all.   Most businesses are at the no information at all stage.

I have some thoughts on what both an IT manager, CIO, CEO and a managed services provider can do.

For a small or medium business and not for profit organisation employing an external source to manage their system is becoming the norm.   These suppliers can do so much for their clients as part of their business model.

I believe that communication is the best way to build the culture within a business and it always has to come from the top, whether it is management or owner.

Most businesses and organisations do not have regular meetings or a regular email / letter update within the business.   This is an opportunity lost.   Whether it is keeping the staff informed, talking to shareholders and stakeholders through external means or talking to prospects in general on the website there is so much that business can talk about.

I know one of the major problems is that people do not know or want to write things down.   It is very hard to put information into some form of written process, I have this problem with getting people to produce content for web sites so I can understand how difficult it can be.

Once started it is relatively easy to keep going, like most things you just have to have a will to START.  An internal email to your staff every Friday, praising an employee, setting internal goals, discussing problems and informing them of progress is a very good place to start.   The next question is where do you incorporate the security information.

As a start, look at your internal security policy, start a discussion on social media, teach people how to create complicated passwords. Explaining how and why something is working is also of great benefit to your organisation. You can even make it competitive, award prizes, look at increasing the knowledge within the business.

The good thing about security information is that it can be recycled. Not too regularly but within reason; once every 10 or 15 comments, interspersed with new information, is good.

You can also beg, borrow and steal from the Internet, improve on others’ information, make it better to suit your industry or business. All relatively easy to do but it will have a marked effect on your business.

So there you have it, communication, a way to keep your universe in touch. In some cases you may even find it easy to do. The interaction between communication and internal security cannot be over emphasised. The important fact is that you are educating your staff, which will make them more secure but will carry through to your business, making it more secure as well.

Managed Service Provider – A better way to support your Business?

How often have you taken your car to a backyard mechanic, got the guy next door to do your tax return or represent you in a court of law?

Most businesses want their technology to just WORK.

  • Why doesn’t it just WORK?
  • Why doesn’t it WORK the way it used to?
  • Why doesn’t it just WORK the way it did in the sales brochure?

All good questions with a myriad of answers.

Most businesses have lousy ICT! A hotchpotch of old legacy systems and cutting edge technology and lots of stuff in between. In most cases it is held together with string, gaffer tape and chewing gum. It causes inconvenience and often impacts the business’s bottom line. More often than not it is unstable, unproductive and a bitch to work with. Ask your staff!

This jumble of technologies makes it hard to do business.    It creates instability.   Systems no longer work properly, you purchased a new computer and the old software is incompatible with the new operating system, most annoying!   There is no consistent ICT management, there is no consistent budgeting or forecasting and worst of all there are constant problems with things just not working.

The small problems are the most annoying.   They are the time consuming problems that never get fixed.   They cause problems with your staff and management.   Worst of all they impact your business productivity.

Most of these problems are not worth spending money on to get fixed, except for the inconvenience that they cause to your staff. If you have on site IT support these are the jobs they spend most of their time on. Your IT department has become the fire department, always putting out the small fires or the raging infernos. There is no time or resources to innovate, to make your business more stable, more resilient, more productive. There is never a chance to stand back and put new technology on a business path, to discuss where technology will fit into the business strategy.

To understand the relations between good business technology and your business takes an expert.   Someone who understands your business and can implement the right systems to make your business hum.   Make it better, make it more stable, make it just WORK.

Today’s operating systems are complicated, they seem to be easy and for some of the tasks they are, but it takes an expert to understand them and to get the most out of them.   But if you think the operating systems are complicated then applications take it to another level.   Applications that have been written by outside programmers can be even more problematic to say the least.

How often have you taken your car to a backyard mechanic, got the guy next door to do your tax return or represent you in a court of law?   I would say never, but for some reason businesses go to the unqualified staff member to fix their ICT.   Invariably in business it is the guy who “knows computers” who gets the gig as IT manager.

Why do business owners and managers do that?

They get the best accountant and lawyer their business can afford and then scrimp on something everyone in the business uses to generate revenue and profit. Computers are tools, expensive yes, but tools nevertheless. They are used to do your job; just like a tradie who uses a hammer, most or all of your staff use a computer. Email, documents, client management, sales and marketing are all done on a tool. That tool can be a computer, phone, tablet, server, cloud based environment or a combination of all of them. Why not get the best available to support the tools that are absolutely critical to your business viability?

The combination of understanding the technology, understanding your business and combining your business capabilities in a stable and productive environment is something that managed service providers (MSP) are very good at.   That is only the start of it, they can also do so much more.

Need to know what technology will help your business grow, ask a Managed Service Provider.

Want to keep track of what is happening within your business at a technical level, ask a Managed Service Provider.

Want to know how to secure your business, ask a Managed Service Provider.

What is this cloud stuff, ask a Managed Service Provider.

Need help writing an internet policy, ask a Managed Service Provider.

To most businesses the additional cost of having their own on call technical expert is worth it, normally at a factor of 10 times. In addition to this, a single monthly cost and technical support on call or regularly visiting. What could be better for your business?

In addition they will finally sort out those little nagging problems that cause so much grief within your business.   Look after the little problems.   Someone to discuss the next upgrade with.

All achieved with R & I ICT Consulting Services platinum service.

We have specific packages for all types of business.  We are experts with not for profit Organisations.   We understand small business.   We know that money is tight, we know when to push to spend money and when to work with what is available.   We know when less is better.   We know where you will get that cheap software, a computer for that new role (you may not even need one) or that new application that will improve your business.

We know how to improve your business. And we will guarantee it! If you employ us as your MSP, we will give you a three month money back guarantee that we will stabilise your business environment, make it more profitable, manage it as well as report monthly on the condition it is in.

Businesses use the Internet, they use computers, servers, laptops, smart phones and tablets to do business.   It is the driving force for business.   It is the be all and end all of business requirements.  You invest large amounts of capital in your technology so get someone to help you manage it properly.

Call now!!!!!

Business continuity is not just backup and redundancy

In all SMEs there is always the fight over business continuity, disaster recovery and business resilience. The usual arguments are based around cost and what you actually get for your money.

One of the areas that is seldom thought about is historical data. If something happens, how can you roll back that database, get a copy of that old deleted email or a copy of a very important spreadsheet from 6 weeks ago or, more difficult still, 6 months ago?

Some disaster recovery systems are only based on duplicating the data to an off site location. It is normally a regular process of writing over the old just so that the organisation has an up to date copy of the data. Copying data to a USB drive or an external hard drive is great if all you are interested in is the ability to recover if the building burns down.

This fails when someone has been using the test database to input real data, where the financial information has been compromised and you need to go back and dissect the information from old backups or you have been infected with a virus and do not know when it started.   When that happens, that off site DR copy is not going to help.

Not every SME does this but there is a high proportion that do not have a way to look at old information or have the capability to bring it back into the business.   Without this capability your business could suffer substantially.   A busy office, doing 200 transactions a day, rebuilding the accounting information could take days to resolve, not the type of problem that a business would like to face.

That is when you need a proper backup system, one that takes regular snapshots of your data and keeps that information in a different backup stream.
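The difference between an overwrite-in-place off-site copy and a snapshot history, sketched in Python as an added example (not part of the original post). The daily/weekly/monthly retention tiers and all function names are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Retention tiers are assumptions chosen for illustration, not from the article.
DAILY_DAYS = 14     # keep every snapshot taken in the last 14 days
WEEKLY_DAYS = 56    # older than that: one snapshot per ISO week, up to 8 weeks back
MONTHLY_DAYS = 366  # older than that: one snapshot per calendar month, up to a year


def select_retained(snapshots, today):
    """Return the snapshot dates to keep; everything else can be pruned."""
    keep = set()
    seen_weeks, seen_months = set(), set()
    for snap in sorted(snapshots):          # oldest first
        age = (today - snap).days
        if age < 0 or age > MONTHLY_DAYS:
            continue                        # future-dated or past the horizon
        if age <= DAILY_DAYS:
            keep.add(snap)                  # recent: keep every day
            continue
        week = tuple(snap.isocalendar())[:2]
        month = (snap.year, snap.month)
        if age <= WEEKLY_DAYS and week not in seen_weeks:
            keep.add(snap)                  # first snapshot of this ISO week
        if month not in seen_months:
            keep.add(snap)                  # first snapshot of this month
        seen_weeks.add(week)
        seen_months.add(month)
    return sorted(keep)


def restore_point(retained, wanted):
    """Newest retained snapshot taken on or before the wanted date, or None."""
    candidates = [s for s in retained if s <= wanted]
    return max(candidates) if candidates else None


def last_clean_copy(retained, infected_since):
    """Newest restore point taken strictly before the suspected start of
    an infection or data corruption."""
    return restore_point(retained, infected_since - timedelta(days=1))


def build_daily_history(today, days=366):
    """Constructed sample input: one snapshot per day, newest first."""
    return [today - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    today = date(2024, 6, 30)               # constructed sample date
    retained = select_retained(build_daily_history(today), today)
    print(f"{len(retained)} snapshots kept out of 366")

    for label, back in (("6 weeks", 42), ("6 months", 182)):
        wanted = today - timedelta(days=back)
        print(f"{label} ago ({wanted}): restore from {restore_point(retained, wanted)}")

    # An overwrite-in-place copy holds exactly one version: the latest one.
    mirror_only = [today]
    print("mirror, 6 weeks ago:",
          restore_point(mirror_only, today - timedelta(days=42)))
```

With a year of daily snapshots the tiers keep a few dozen copies yet still offer a restore point close to any date in the window, while the overwrite-in-place copy has nothing older than its last run.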

There are a number of products in the market that do this but all of them have a cost. Just get one that suits your business.

Essential SME business cybersecurity – the main points

To most small and medium business and not for profit organisations, cybersecurity is one of the last points of interest at the management level. This assumption is not only bad for business but it can seriously damage your reputation as well as severely compromise your cash flow.

Like anything else in business – everything is connected. Want to take payments online? Then you have to implement tighter security processes to make it happen. Some SMEs understand this correlation, many don’t!

As an SME these points are where you need to start on your cybersecurity journey.

Everyone has something to lose

No matter who you are, what your business is and who your customers are, you are selling something to someone. With that point comes a number of other points. You have to protect your business. You have to protect your business information. You have to protect your customers and their information. Finally you have to make sure that your staff are protected as well.

What you use to do that is a matter of personal choice, as well as how you have been sold by the best salesperson available.  Just remember one solution is not the be all and end all of cybersecurity.   Cybersecurity is a process, almost a holistic process.   All of the parts have to work together to make a secure business environment.

Before the Internet, there was such a comment as “too small to be a target”. This no longer applies to the Internet world. Just by being connected to the Internet you are a target. It is like taking your business and moving it into the worst neighbourhood in the city, putting a lock on the door and hoping that someone doesn’t steal your “stuff”.

On the Internet there are no police on the corner, there are no niceties of business.   You are a target and the only thing that you can do is arm yourself with the biggest “gun” you can find.   It would be nice if we could turn it around on the cyber criminals and go on the offensive, but we cannot.  So we have to put in place protections that will keep the cyber criminals on the outside as well as protecting those people coming to you to purchase your goods.

Proactive and paranoia play a large part in your protection

If you are not already PARANOID, then I suggest this is the time to do it. In the world of cybersecurity paranoid is good, because everyone is after you. Truly after you. They want to steal your money, your intellectual property, your business and in some cases your complete identity.

So in cricket terms, you have to get on the front foot. You have to position your business in such a way that it is only the very clever cyber criminals who have a chance of breaching your protections. There is no such thing as impenetrable; your cybersecurity objective is to make it so hard and difficult that the cyber criminal will go elsewhere, preferably your opposition.

There are lots of things that you can use to do this but these three things are a start. Use passwords, difficult and complicated, on everything. Train and teach your people the art of being suspicious and questioning things that look out of place. Use some level of data encryption when the information is out of your control. Finally, put a security framework around your business.

Growth and opportunities have to be tempered with protective solutions

Since SMEs have little understanding of cyber resilience and cybersecurity, making the business grow without implementing some level of protection is fraught with danger. Most SMEs understand that opportunities have to be grasped with both hands. A cyber resilient business is not only protected now but it has the ability to react to changes in the industry that will deliver better business opportunities.

Most businesses that are more than ten years old have a different perspective and focus than what they had when they started. They have seen opportunities in other markets, different markets and some in the same. Most businesses are in areas where they did not think they would be when they wrote their business plan.

These opportunities have developed through social media, the Internet or cloud computing. Getting your marketing and brand out there is critical to a business and it has never been easier to compete on the world stage than now. Just remember, the moment you attach yourself to the Internet, you are a target.

So apart from the bad and to quote a song “the future’s so bright we will have to wear shades”. Just make sure that your cybersecurity complements your business requirements.

Protecting mobile devices – here are four ideas!

The proliferation of the BYOD and business supplied devices makes it very easy to lose any of them. Whether they are lost or stolen the final outcome is the same. To make sure that your business is protected you need to make sure that they are protected at all times.

Keep it safe

This is the physical protection of your device. Most mobile devices are accidentally lost or stolen at places where you have to relinquish normal levels of control over the device. Most users will keep them safe but there are times when that personal protection is overcome by a lapse in thought.

To make sure that the device is safe then you need to make sure that you manage your level of oversight. In places where you have to go through security, where you think it would be safe to not be watching your device, is invariably where it will happen. Keep your eyes on your device at all times when going through a security check. Do not leave your device at a table when you go to get another cup of coffee. Always keep it close to your person in crowded areas.

Keep it encrypted

The critical business information if it is on your tablet, phone or laptop should be encrypted.   This ensures that the loss of the device will not endanger your business.

Most businesses do not encrypt data because it is an extra level of inconvenience for the users, but the loss of this critical information will have a detrimental effect on your business if lost or stolen.

Keep it separated

In the world of BYOD you are often in the situation where the line between business and home blurs. If possible keep the two separated. That can be done in a number of ways: different accounts and passwords for mail, or separating business by using RDP or VDI so there is a definitive separation between work and home.

Keep people informed

This is critical, if your device is lost or stolen then you need to inform the authorities as soon as possible.   If the item was insured you will need to complete a police report.   If there was business information on the device then you need to ensure that that critical information is reported to the owner.

There are a number of systems available that will allow you to track your lost piece of kit and will also allow you to wipe it remotely if lost or stolen.   Do not hesitate to do this if you know it is stolen, the faster this system is activated the better will be the chance that business information has not been compromised.

So by keeping the device safe, keeping the information encrypted, keeping business and home information separated and keeping everyone informed you will have a better understanding of your business protections and how they apply to your mobile devices.

A couple of tips for Internet banking security

I believe that the numbers for internet banking are in the high 90% of all banks in Australia.   Most people and businesses have access to their bank through either computers, laptops, tablets or smart phones and most banks now have a secure application that can be downloaded.

With all of this access most people forget how much of an impact it would have if someone stole all of your money. Here are a couple of ideas that you can use to create a little more security around your banking access.

Audit your own access – some banks have a system whereby every time that you access your bank account you receive either an email or message. This shows that your account has been accessed. Most people would access their bank once a day and this is a good way to keep track of each of those accesses. If you receive an email or message about access and it wasn’t you then you can get onto the bank straight away.

Banking that has a third access process is more secure – some banks have a system where you need a user name, password and a third component to access your account. This third component is usually a 4 digit number that is generated so that it is different every 5 minutes or so. This added complexity to access your account makes it harder for criminals to access your account.

Update your software / operating system regularly – because you are accessing your bank account from either your computer or a mobile device you need to make sure that you have the most secure systems available.   Make sure that you apply updates regularly.

Do not access your account from free wireless connections – I know that free wireless is great but because there is no encryption between your mobile device and the wireless point then anyone with the right equipment can capture your username and password and therefore access your account. Free wireless connections where you are given an access code are OK.

Regularly scan your computer with a decent end point protection system – every system, no matter how careful you are, can be infected with a virus, spyware or malware. To make sure that you are not infected, do a regular scan of your device for these types of problems.

Use complicated passwords (alphanumeric and punctuation, as in “The easy way to create complicated passwords”) – this can be hard because some credit unions use passwords consisting of just numbers, but this is changing. Use a complicated password, longer than 7 characters, no real words and different from any other password. Do not write it down.

Change passwords regularly – I know of people who have had the same bank password since the account was activated.   This is not good.

If you think about your banking details – they are critical to your well being. Just ask someone who has been hacked. Most banks will cover a certified breach and theft but the violation that occurs when it happens is not the best feeling in the world.

Ethical dilemmas for an IT consultant

“Ethics consist of knowing what not to do” Aristotle. 

There have been a number of times in my career in the managed services industries where I have been asked by a client about another client in the same business.   How they find out about them is probably through recommendations and testimonials which, at times, can be a double edged sword.    These questions have to be handled delicately but they have to be handled.

When working on client systems we always protect the data from scrutiny without compromising the security of the business. Unless it is absolutely critical that we know what the data is, our business is to ensure that the data is protected at all times; that includes protection from not only your staff but also our IT staff.

My philosophy
In our business you have to be exceedingly honest when it comes to protecting your clients’ information. In most cases a service level agreement (SLA) has the necessary protection in place for both your clients and yourself. The SLA should include a clause stating your understanding of the business requirements for protecting your client’s network and data.

Staff involvement
All of YOUR staff should also have an understanding of the SLA requirement and if any information from a client site is revealed in the process of doing their job it is not to be revealed to anyone outside the client’s business. In most cases we ensure that it is not revealed to anyone in our business either.
The staff should understand their priorities within a business: loyalty is to the business owner or manager first at all times, followed by loyalty to our business, then to everyone else. Mates and friendship are far down the list of approved disclosure routes. Staff should always err on the side of management no matter what. Protective resources can also be deployed to ensure better than normal auditing on file and folder access to ensure compliance with these principles.

How to ensure that the data is secure.
Critical client business data – intellectual property, financial records and banking details should be considered highly classified and have a need to know system applied to it.   If you don’t need to know the information then you shouldn’t have access to the information.  Pretty basic but at times the lines can become blurred.

Ethics is an interesting principle when allied to business dealings at an MSP level but they are definitely a driving principle for the client as well as the supplier.

Just in passing, what is the ethical position for an MSP when they discover a client is doing something illegal? Does disclosure of the information become an issue or are you bound by your SLA? What would you do?

Moving to the cloud – a basic checklist

You’re moving to the cloud. You have taken the plunge and you are going to move critical components of your business to the cloud. You have investigated and approved the move and how it will be done. The next step is the actual project of moving your data and infrastructure to the new systems.

Do you have a plan for the move?

Although the cloud and virtualisation are totally different from normal business in infrastructure requirements there are still some similarities that can be used to make the move as smooth as possible.   Here is a five point checklist for the move.

1. Create a new continuity plan
Before you start migrating data to the cloud you need to know that if something happens you have a recovery point. Make sure that the migration of data does not compromise the source.
A business continuity plan for the new data location needs to be in place prior to the new system going live. The moment new data is written to the new location the old data is obsolete. You need to have a business continuity plan that ensures that the moment new information is written to the new location you have a way of recovering it.
In most cases the business continuity plan is not in place until well into the testing process. It is something that needs to be in place prior to the migration, not something that is tacked on at the end.

2. System visibility
Visibility  and availability are tied together.   If the system is not visible to the users, management and in some cases the outside world then you will not have the required availability of the cloud based system.   System visibility is a combination of security, access and policy.   Each one of these components needs to be looked at prior to moving to the cloud.

3. Centralised control systems 
In most cases a centralised control system is required to ensure that the cloud based system will be accessed correctly.   A centralised system is required for the addition of and removal of users – new users need to be added in a timely manner, old users need to be removed smartly.   Both addition and subtraction of users should be done through your HR process.   Never leave access to your systems to a user who has left the company to work with someone else.
The centralised control should also have some level of management and reporting at a system level.   In true cloud systems this allows management to add and subtract CPU, RAM and storage space as required.

4. Disaster recovery 
Disaster recovery is a huge requirement for moving to the cloud. Where is the data stored? Are there separate geographical locations for the data and is there a system in place that backs up the data to a separate location? Another important feature of this requirement is keeping track of news and events happening around where your data is located. If there are floods, fires and earthquakes in one location then there had better be a secondary location for your data.

5. Testing
Once the cloud based system has been deployed and before all users have access is the best time to test the business continuity and disaster recovery systems.   If it fails here then it can be fixed, if it fails in production then you could be looking for a new job.

These are five checks to make concerning moving to the cloud. Other checks that are also important – do you have a service level agreement with the vendor? Is there the possibility of data lock out? Does the contract specify whose data it is?

Moving to the cloud is a business decision that needs to be backed by good project management and technical skills. The decision to move is easier than the actual process of moving.