Information Technology – a double-edged sword

Technology has transformed the way we do business. We can make timely, informed decisions by extracting meaningful business information from a multitude of recorded data, literally in seconds. We can improve customer satisfaction by automating the order process and letting our customers check their status online. We can also discuss marketing plans with our global business partners through web conferencing and other collaboration software.

However, information technology is a two-edged sword. It can seriously damage your business if you don’t handle it properly.

IT Security

IT security awareness has improved significantly over the last five years.  However, most IT security strategies are still very primitive and only include installing anti-virus software and a firewall.  Let me share a few stories with you to illustrate my point.

Too Many User Rights

A client asked me to investigate why the computers in his office were getting slower and slower. During my investigation, I noticed that the security software on some of the machines was disabled because the users wanted to speed up the machine.  The question to ask is: how can security software protect the PC if you turn it off?

Data Encryption

Some employees work from a home office from time to time and need to access the data on their office computer.  They use laptops and USB drives.  Unfortunately, most of these methods are not protected against accidental loss or computer theft.  What would happen if your employees lost their laptops or USB drives?  Some clients told me that all their laptops were password-protected and no one could access the data without a password.  I proved otherwise in just a few minutes!

Remote Connection

If you allow your staff to access data in your office via remote desktop or other file sharing software, you open a door of uncertainty.  Do you know what computer they are going to use?  Is their home computer secured?  Are they only using a home computer?  They may work on a computer in a public library while they take their kids to a swimming lesson.  The bottom line is that someone else may already have their user ID and password if you allow them to log in remotely to an office computer.

Security Patch

If you read the Symantec Global Internet Security Report, you would be surprised to see how many software security vulnerabilities exist.  The good news is that software vendors are usually able to fix problems with a patch. Installation, however, is your responsibility.  When was the last time that you installed a security patch?  How about your security software?  How old is your virus and spyware definition file?  New viruses and spyware are being introduced every day. How can the security software protect your computers if you are still using a two-year-old virus and spyware definition file?

Online Presence

Most marketing professionals suggest you should use social media sites to increase your visibility — LinkedIn, Facebook, and Twitter among them. Certainly, social media sites help you reach out to your clients, improve your branding and collect market intelligence. Another positive result is that you expand your client database. Before you relax and enjoy the rewards, please read David Airey’s story. David is a brand designer and his website got hijacked. I heard similar stories about other social networks. If you don’t keep your user ID and password safe, someone may take control of your account. The damage can be huge.

If you are hosting your own file server, web server or email server, the security issue can get much more complicated because all your critical business data is stored on the servers. Imagine if someone hacked your email server and sent inappropriate literature to your entire database?


Do you know that your smartphone is actually a very powerful computer and that it also contains some sensitive business information? How do you safeguard it? I did an informal survey at a networking event; over 70% of people had a smartphone but less than 20% had it password protected or locked. I hope they never lose their phone!

A proper security strategy is not just about technology; it should include processes and people. You are naïve if you believe that only installing current security hardware and software is sufficient. I sincerely hope you change your mind after reading my article. And if I fail to convince you of the need for a properly planned and implemented security strategy, then you may want to read about the recent cyber-attack on Google. Google has invested a lot of resources in IT security, but all the hacker needs is one single unpatched computer.

Business Continuity Planning (BCP)

I am an IT consultant, not an insurance broker, but if your office is hit by a disaster, e.g. fire, flood or tornado, would you not be happy that you were covered by insurance? However, insurance companies do not guarantee the continual operation of critical business processes. You have to have your own business continuity planning to cover those risks. Since most offices are heavily reliant on computers, IT should be a critical component in your business continuity planning.

What is Business Continuity Planning?

BCP is not disaster recovery planning (DRP). DRP recovers Information Technology (IT) assets after a disastrous interruption; it does not prevent a stoppage in critical operations. BCP proactively ensures that critical services continue to be delivered to clients.

BCP includes:

  • Identification and prioritization of necessary resources to support continuity of critical business processes.
  • Plans, implementations, control and tests to ensure the continuous delivery of critical services.

Why do we need Business Continuity Planning?

Every organization is at risk from potential disasters that are high impact but low probability. BCP can lower the cost of disruption and enhance an organization’s image with its clients by demonstrating a proactive attitude. During the course of conducting BCP, we normally find additional benefits, including a better understanding of business operations, improvement in overall organizational efficiency, and identification of the key personnel, business partners and financial resources behind critical services and deliverables.

How to create a Business Continuity Plan?

Every BCP is unique but generally it involves six steps:

  • First, get management buy-in. You would be surprised how difficult this can be. Management understands the impact can be high but most of them argue the probability is extremely low. Good luck to them!
  • Build a BCP Committee which is comprised of the sponsor, BCP coordinator, and key personnel from IT, operations, security and finance.
  • Identify risks, critical services and their dependencies; prioritize them; and identify internal and external impacts of disruptions.
  • After the analysis it is time to prepare detailed procedures and arrangements to ensure continuity. The pros and cons of each possible option for the plan should be considered, keeping cost, flexibility, minimum level of critical services and probability of risks in mind. For each critical service, choose the most realistic and effective options when creating the overall plan.
  • A lot of companies stop after planning. BCP is not just about planning; you have to implement it, train your staff on what to do in the event of a disaster, and have frequent training sessions to achieve and maintain high levels of competence and readiness. How often do you have a fire drill in your office?
  • BCP is a living process and it evolves with your business and its external environment, e.g. a lot of companies in downtown Toronto are reviewing their BCP to prepare for the G20 meeting. Continuous appraisal of the BCP is essential to maintaining its effectiveness.

BCP is not free! However, if critical services cannot be delivered, the consequences can be severe and the potential damage can be huge. We are all at risk and face potential disaster. A Business Continuity Plan is insurance that makes sure your business can continue to deliver critical services despite disruption.

IT Management

Management 101 – you either manage it or it will manage you.  A lot of small business owners do not have any IT management, so they let their IT take control; here are a few examples of what the problems could be:

  • Desktop environment is not standardized – I noticed a lot of small business offices have machines from Acer, Asus, Dell, HP; and have a full spectrum of Microsoft Office versions, e.g. 2000, XP, 2003, 2007 and soon 2010.  They purchase PCs from a local computer store, and the decision is normally driven by price.  It is chaotic and costly to support such an IT infrastructure!  By standardizing desktop hardware and software, organizations can ultimately save money and advance toward a more flexible, agile, and optimized infrastructure.
  • They don’t manage the users – their users can install anything they want; configure whatever they see fit, including disabling antivirus software; or even download illegal movies and music.  I did a software inventory audit for one of my clients and I found over 500 pieces of software installed on three different machines that I randomly selected.  You may also want to find out how much of your internet usage goes to downloading music or watching YouTube.
  • No training is provided – most users are still using very basic functions; e.g. they have all their email in their Inbox because they don’t know how to create a new folder or use a macro to automatically filter the email.  Proper training can definitely increase the productivity in your office; however, it is very difficult to train your employees if they are using different versions of Excel.

What I described is only the tip of the iceberg!  If you ask an IT consultant to do an audit of your IT infrastructure, processes and usage, you may find out how lucky you are that you don’t have any major issues.  IT is a very powerful tool and you may be enjoying the benefits that it offers, but if you don’t manage it carefully and professionally, then it can bite you badly sooner or later.  Use IT wisely!

Andrew Chan is the owner and founder of ALG Inc.


Should I buy a new computer?

Is your computer getting slower and slower?  It used to take only a couple of minutes to start but now it takes nearly 10 minutes.  You tried:

  • Disk Cleanup to free up disk space;
  • Disk Defragmenter to speed up data access;
  • Error Checking utility to detect and repair disk errors; and
  • Security software to clean your computer of malware, spyware and viruses.

Nothing worked!  Every morning, you can enjoy your coffee and donut while waiting for your computer to start.  Should you buy a new machine?  Before you take out your credit card, you may want to try one more thing: disable some of your startup applications.

Startup Applications

When you start Windows, some applications start automatically with it.  It is not uncommon to see a computer with over 100 startup applications (or 200+ in some extreme cases).  I bet you probably won’t recognize most of them if you go over them in the System Configuration dialog.  Do you need them all?  I highly doubt it!  You should seriously consider disabling them or even uninstalling them!

You may want to discuss with your IT consultant which applications should be loaded during startup.  I can often disable 90% of them and regain the power of my client’s machine.

You can review your startup applications list as follows:

  • Enter msconfig at the command prompt.
  • Select the Startup tab in the System Configuration dialog.

It is very simple to disable startup applications; however, the bigger question is why these startup applications were installed in the first place.  Does your company have a change management strategy in place?  Can your staff install anything they want on their computers?  Do you know what applications are installed in your company?
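The same startup list can be pulled with PowerShell and compared against a reviewed baseline, so that a newly added entry stands out. This is an added example, not part of the original post; the function names and the baseline file path are assumptions.

```powershell
# Added example: list what starts with Windows and flag entries that are new
# since the last run. Function names and baseline path are assumptions.
function Get-StartupInventory {
    # Win32_StartupCommand reports entries from the Run registry keys and the
    # Startup folders for the users whose profiles are loaded.
    Get-CimInstance -ClassName Win32_StartupCommand |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.Name
                Command  = $_.Command
                Location = $_.Location
                User     = $_.User
            }
        } |
        Sort-Object Location, Name
}

function Get-EntryKey($entry) {
    # One string per entry so the baseline and current lists can be compared.
    '{0}|{1}|{2}' -f $entry.Location, $entry.Name, $entry.Command
}

$baselinePath = Join-Path $env:USERPROFILE 'startup-baseline.csv'  # assumed location
$inventory    = @(Get-StartupInventory)

$inventory | Format-Table Name, Command, Location, User -AutoSize -Wrap
'{0} startup entries on {1}' -f $inventory.Count, $env:COMPUTERNAME

if (Test-Path $baselinePath) {
    # Later runs: report anything that is not in the reviewed baseline.
    $known = @{}
    foreach ($row in @(Import-Csv -Path $baselinePath)) {
        $known[(Get-EntryKey $row)] = $true
    }
    $added = @($inventory | Where-Object { -not $known.ContainsKey((Get-EntryKey $_)) })
    if ($added.Count -gt 0) {
        Write-Warning ('{0} startup entries are not in the baseline:' -f $added.Count)
        $added | Format-List Name, Command, Location, User
    } else {
        'No new startup entries since the baseline was saved.'
    }
} else {
    # First run: save the current list as the baseline after reviewing it.
    $inventory | Export-Csv -Path $baselinePath -NoTypeInformation
    "Baseline saved to $baselinePath"
}
```

Run it on each PC after the startup list has been reviewed; delete the CSV file to start a new baseline.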


What is your backup plan?

“Don’t worry!  I have one.”  This is the typical answer from my clients.  But when I go on to ask more questions, the problems start coming to the surface.

  • “When was the last time you did the backup?”
  • “Have you tried to recover data from backup?”
  • “Where do you store your backup?”
  • “Do you back up all the desktops?”

Not all my clients do a daily backup, and most of my clients put their backup drive next to their machine, never test the recovery process, or just back up the server.  In more technical terms, they don’t have a Disaster Recovery Plan (DRP).  But they all indicated they understood the importance of their data.  Do they?

What is the cost of computer outage?

I urge everyone who has a computer to answer this question.  If you don’t know the answer, turn off all the computers in your office and see how long it is before you have to turn them on again.  Days?  Hours?  Minutes?

Can you afford it? According to an HP report, 70% of small firms that experience a major data loss go out of business within a year.  What do small business owners do to avoid it?  I found the following data in the report:

  • 37% admitted backing up their files less than once per month.
  • 9% admitted they have never backed up their files.

Not a lot!  I hope none of you belongs to this 9% group.  I am not trying to address DRP in this blog. DRP is a huge subject and I don’t think I can cover it in 1 blog or even 10 blogs.  But I hope you are now aware of the problem and will discuss it with your IT consultant.

If you don’t have the resources to implement a DRP now, then you should at least consider online backup / storage.  But I have to emphasize that neither online backup nor online storage can replace a DRP.

Online Backup

Online backup is not for everyone but it is getting very popular.  It is gaining momentum because it is reliable and easy to use.  You let experts who have robust software, remote servers, redundant hardware and a secure environment handle your critical data.  If you lose your laptop, your hard drive crashes or even your office burns down, you can recover your data from your online backup provider as long as you have an internet connection.

Online backup is not your DRP but it can play an important role in your DRP.  Again, discuss the potential of including online backup in your DRP with your IT consultant.

It is a very hot market and there are many players:

Online Storage

Do you know that Facebook provides online storage for its users to create and share documents?  Microsoft’s SkyDrive gives you 25 GB of online storage, and don’t forget about Google Docs.  Virtually all major IT vendors have online storage, either on its own or bundled with other cloud services.  It does not eliminate the need for a DRP; however, it makes your DRP easier.

Call to Action

If you only have 10 minutes after reading my blog, I would suggest you at least quickly read through HP’s report.

You should call your IT consultant and develop a disaster recovery plan NOW!  It is like insurance; we include it as part of our operational cost.  If there is a fire in your office tomorrow, your insurance would pay for the physical damage to your office.  You can buy a new server, new desktops, and new laptops.  Well, does your insurance give you back your critical business data?
