#CallMeIfYouNeedMe

One of my clients is beginning the process of their cloud migration.

The first thing to report is that it’s not less expensive, but they’re doing it because it better serves their business needs. That’s the correct way to make a cloud vs local decision: it’s not about saving money, it’s about what works best for your business model.

Now, the real point of this post: I’m helping the decision makers with architecting the entire program, not just the migration itself.

We’re talking about three things:
1) The Business Continuity Plan (BC)
2) The Disaster Recovery Plan (DR)
3) The Incident Response Plan (IR)

In the case of a major, lengthy outage of their cloud apps and data, this particular client needs four functions:
1) Continue providing their services (their billable work)
2) Continue paying bills (accounts payable)
3) Continue generating invoices (accounts receivable)
4) Continue issuing paychecks (payroll)

For a manufacturing company, the list of requirements looks slightly different. For example, a manufacturer needs to be able to continue ordering and receiving raw materials.

THE LESSON
The cloud migration itself isn’t the only thing you need to be concerned with. Design your new BC, DR, and IR plans at the same time. It affects what your migration plan looks like, how long it will take, and how much it will cost. These aren’t things you do after the migration. They’re intrinsic migration design elements.

#CallMeIfYouNeedMe #FIFONetworks

#InformationSecurity #BusinessContinuity #DisasterRecovery

This is what happens when you design systems that are wholly dependent on Internet connectivity, and don't plan for operational continuity during a disaster.

Food and energy cannot be delivered.
Transportation stops.
And, in this case, people die.

BBC News article:
"Ransomware attack contributed to patient's death"

bbc.com/news/articles/cp3ly4v2

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

Recently I did a remote tech support call with someone in Seychelles, south of the equator in the Indian Ocean. Not long after that, I did a remote tech support call with someone in Brunei, in the South China Sea. Now I’m wondering if there’s a niche market for English-speaking tech support in some of the world’s faraway places.

#CallMeIfYouNeedMe #FIFONetworks

#TechSupport #RemoteSupport #HelpDesk

Screenshot from Google Maps showing the globe with Seychelles on the left and Brunei on the right. The flags of both countries are added to the map near their respective locations.

If it's new, it has undiscovered vulnerabilities.

This doesn’t mean you shouldn’t use it. It does affect how you roll it out, though.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity #StrategicPlanning

Do you have capital budget responsibility? It’s mid-June, so if you didn’t start your capital budget prep at the beginning of the year, now it’s absolutely time to get rolling. A well-managed company whose fiscal year matches the calendar year will be collecting capital budget requests in September or October. Mismanaged companies will have their pants on fire and do a half-baked rushed budget in November or December.

1) Start preparing a list of capital items you need.

2) Hold some team meetings. What do your people advise that is needed?

3) Check equipment age and manufacturer’s end-of-support and end-of-life lists. What is working, but should be replaced?

4) For everything on the list: what support equipment is required? The support equipment may or may not be capitalized, but you need to include it in your planning.

5) For everything on the list: what employee training is required? Training that’s part of a capital project can be capitalized, too.

6) Know your labor needs. Does this project require additional headcount? If so, will you need to hire additional full-time employees, or obtain the assistance of integration vendors or consultants?

7) Parallel to steps 1-6, start getting quotes from vendors. Be kind to your vendors. Drop vendors that raise your blood pressure.

8) When requesting quotes, tell your vendors, “I’m getting quotes for things we may not purchase for another year. Include any projected price increases.”

9) Prioritize your list. When you go into your budget negotiation meeting, you’re not going to negotiate on dollars. You’re going to negotiate on projects.

10) This one should be obvious from #9: know your “why.” For every project in your capital budget, know why it should be done, the benefits of doing it, and the consequences of not doing it.

11) Know your calendar. Don’t kid yourself into thinking you can do a two-year project in one year, or a six-month project in three months.

12) When you go into your budget negotiation meeting, don’t use fear tactics. Fear tactics alienate the decision maker(s), and reduce your credibility. You’ll be viewed as a fear-monger, not a trusted advisor.

13) Don’t pad your numbers very much. The financial decision makers will include an overall pad in their planning behind closed doors. That’s not your issue. Make your numbers realistic, with enough margin to account for price increases. Have supporting documents (vendor quotes, for example) to justify your numbers. Have a spreadsheet to show how you calculated your capitalized labor costs.

14) Include a couple of “nice to have” projects. This gives you something to negotiate away. They’re sacrificial lambs.

15) Consider bringing me in as your consultant on budget preparation. I’ve done a lot of multi-million dollar budgets. Paying for an hour a week could save you money and reduce your stress level.

#CallMeIfYouNeedMe #FIFONetworks

#CapitalBudget #Budgeting #ProjectPlanning

Today a repeat client contacted me via text messaging (RCS). It was in the last half of a Friday afternoon. I was sitting at my desk doing paperwork. I texted back, “I can help you right now, if that works for you.” Their reply was, “Now would be great.” I called them, then connected remotely to their MacBook Air, and took care of the issue. And a little before 5pm, I emailed them the invoice.

The paperwork can wait. Speed matters.

#CallMeIfYouNeedMe #FIFONetworks

#TechSupport #RemoteSupport #HelpDesk

Cropped screenshot of the text message exchange described in the post.

“If you have turned on two-step verification and cannot access any of the alternate methods to get a verification, we cannot help you, sorry.” (Source: support(.)microsoft(.)com)

Yesterday I tried to assist a client with Microsoft account recovery. This client had enabled 2FA/MFA on the account using the Microsoft Authenticator app. Then, the phone with the Authenticator app broke.

There was no alternate 2-factor authentication enabled. No alternate email, no option for SMS (text messaging) verification, no Yubikey. When the client initially set up 2FA with the Authenticator app, they were offered the option to save recovery codes, but didn’t write them down.

The client is highly educated. If you blame the client, I will block you, because you’re a jerk.

Microsoft, and other companies, need to do a much better job of ensuring workable account recovery options are not just available, but actually enabled.

This is a paid annual account. By default, Microsoft works hard at making sure at sign-up that you enable auto-renewal. Do you see the problem? The client can’t access the account, and will have to cancel the credit card to avoid continued payments.

THE LESSON
It’s up to you to make sure you have alternate account recovery mechanisms in place. The cloud service companies will not help you. They are not your friend. They don’t even make it easy to contact them to discuss account problems.

If you’re not comfortable setting up secondary account recovery options, I can help. Do it now, before your phone breaks.

#CallMeIfYouNeedMe #FIFONetworks

#AccountRecovery #TechSupport #RemoteSupport

Screenshot of the Microsoft webpage showing the text quoted in the post that says, “If you have turned on two-step verification and cannot access any of the alternate methods to get a verification, we cannot help you, sorry.”

Instead of chasing customers, be the one customers hunt for.

#CallMeIfYouNeedMe #FIFONetworks

Using the company website as the launch point for the employee login is a common practice. With adequate Identity and Access Management (IAM), it seems secure enough. But, there’s another piece to this.

When the well-known domain is the launch point for the employee login, it sometimes means that the employee data is stored on, and accessible from, the same server group, and in the same IP address range. In other words, the employee data may be accessible and downloadable without an employee’s authentication credentials.

I know of a law firm that has its billing and financial data literally on the same hard disk as their website. If the cybercriminal breaches the website, they have access to everything.

THE LESSON
The more separation you have between your public website and your private data, the better.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity #NetworkArchitecture

Screenshot of a well-known company website showing the hyperlink to the employee login page.
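
An added example, not part of the original post: one way to check an asset inventory for the lack of separation described above, where private data shares a disk, a host, or an IP address range with a public-facing site. The inventory entries, the field names, and the /24 and /64 definition of "same range" are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory: every name, address and volume is hypothetical.
INVENTORY = [
    {"name": "www",            "role": "public",  "ip": "203.0.113.10", "volume": "web01:disk0"},
    {"name": "employee-login", "role": "public",  "ip": "203.0.113.12", "volume": "web02:disk0"},
    {"name": "billing-db",     "role": "private", "ip": "203.0.113.10", "volume": "web01:disk0"},
    {"name": "hr-files",       "role": "private", "ip": "203.0.113.40", "volume": "nas01:disk0"},
    {"name": "payroll",        "role": "private", "ip": "10.20.30.5",   "volume": "fin01:disk0"},
]

# Prefix length treated as "the same IP address range" (an assumption; tune per network).
SAME_RANGE_PREFIX = {4: 24, 6: 64}

# Kinds of co-location, ordered from worst to least bad.
LEVELS = ("same-volume", "same-host", "same-range")


def network_of(ip):
    """Return the network that contains ip, using the per-version prefix above."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{SAME_RANGE_PREFIX[addr.version]}", strict=False)


def closeness(private, public):
    """Return the strongest kind of co-location between two assets, or None."""
    if private["volume"] == public["volume"]:
        return "same-volume"
    if ipaddress.ip_address(private["ip"]) == ipaddress.ip_address(public["ip"]):
        return "same-host"
    if network_of(private["ip"]) == network_of(public["ip"]):
        return "same-range"
    return None


def separation_findings(inventory):
    """Map each private asset to its worst co-location with any public asset."""
    public = [a for a in inventory if a["role"] == "public"]
    findings = {}
    for asset in (a for a in inventory if a["role"] == "private"):
        hits = [(closeness(asset, p), p["name"]) for p in public]
        hits = [(level, name) for level, name in hits if level]
        if hits:
            # Keep only the most serious finding for this private asset.
            findings[asset["name"]] = min(hits, key=lambda h: LEVELS.index(h[0]))
    return findings


if __name__ == "__main__":
    for name, (level, public_name) in separation_findings(INVENTORY).items():
        print(f"{name}: {level} as public asset {public_name}")
```

Private assets that do not appear in the result (here, the constructed `payroll` entry) share no volume, host, or range with anything public.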

If you never stop learning, you're 25 years old, and you have 5 years of experience, you're cutting edge current.

If you never stop learning, you're 30 years old, and you have 10 years of experience, you're cutting edge current.

If you never stop learning, you're 40 years old, and you have 20 years of experience, you're cutting edge current.

If you never stop learning, you're 50 years old, and you have 30 years of experience, you're cutting edge current.

If you never stop learning, you're 60 years old, and you have 40 years of experience, you're cutting edge current.

If you never stop learning, you're 70 years old, and you have 50 years of experience, you're cutting edge current.

You can’t solve today’s problems with yesterday’s solutions.
But you can always be current.

#CallMeIfYouNeedMe #FIFONetworks

Stop trusting cloud service providers so much.

This screenshot from a post on Threads is a great example of the kinds of real-world problems people (and companies) experience when they use a cloud-only architecture, through ignorance or intentional design.

Every person, and every company, needs to design their data systems architecture so that they have local control of all data. Put it in the cloud if it’s essential to your business operations, sure, but keep local copies as well.

We live in a time when most systems architects don’t even consider off-cloud elements in their design. It literally does not occur to them. When I do crisis support for companies after a ransomware attack, it’s gotten to the point where I expect them to say “no” when I ask them, “Do you have any offline copies of your data?”

(Description of screenshot: a woman posted on Threads that she lost access to her Microsoft account through a combination of events, some of which she could have prevented, and now it will be thirty days before Microsoft will allow her access to her files).

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity #DisasterPreparation #backups

Disaster recovery depends on good disaster preparation.

Over the weekend I saw a TV segment that reviewed the MGM ransomware attack in September, 2023. Twelve MGM casinos were affected, and the outage lasted for days.

You should assume that this will happen to you. You should be able to restore operations in less than 24 hours.

It’s not if it breaks. It’s when it breaks.

#CallMeIfYouNeedMe #FIFONetworks

#cybersecurity

Last night after hours, I did remote maintenance for another client with a maxed out Microsoft Outlook email archive. I tell my clients not to rely on Microsoft's email archive. If you really want to keep a record of emails sent and received, it's better to create your own archive that's completely under your control.

The archive maximum file size is large enough for most users, but in certain professions there can be a lot of attachments, and legal requirements to store the information in the email as well as saving the attachment itself.

When it comes to possible litigation, the email header (metadata) is also important.

I like to work with clients first on alternate solutions. For example, if they don’t need the emails, are they willing to learn how to save the attachments? An amazing number of people “store” the attachments by referring to them in the original email. This is generally not a good idea.

Another way to reduce the size of the archive is to exercise that ol’ decision making capability, and delete the unnecessary emails instead of saving everything. Some people are digital hoarders. They can’t let go. Using Outlook rules, a lot of emails can be removed from the archive (and other folders) very quickly.

For those people who must maintain a large store of emails, or who simply choose to, an external, company-controlled archive is the way to go.

#CallMeIfYouNeedMe #FIFONetworks

Here’s a little Wi-Fi trick to keep the CEO happy: disable automatic channel management for the wireless access point in the conference room the CEO uses all the time.

WHEN TO DO IT
It’s not always beneficial, but I’ve seen it many times. In “busy” wireless (RF) environments, as users come and go, dynamic channel management can end up causing a lot of channel switching. In a perfect world, wireless handoffs and channel changes would be seamless and unnoticeable, but the world isn’t perfect. Those channel changes can result in pauses and delays in data streams.

WHAT TO DO
In the conference room (or the CEO’s office, or wherever you want consistent Wi-Fi performance), set that one AP to a fixed channel. It will serve as an anchor. All of the APs around it will adjust for best performance in their little area. They won’t use the fixed channel assigned to the one AP, because it’s in use, and the other APs are looking for other channels that don’t receive interference from the fixed-channel AP.

DON’T OVER-DO IT
Unless you have a spectrum analyzer and a real grasp of RF signal propagation, you should only set one AP to fixed channel. Then the other APs can float around it. If you try to do this in two locations (for example, Conference Room A and Conference Room B), you could end up creating interference problems for yourself that you wouldn’t have if you just let the system manage automatic channel assignment.

OTHER APPLICATIONS
Do you live in an apartment building? Does your Wi-Fi seem unpredictable? Try setting your AP in your apartment to a fixed channel. Then, everyone else’s AP in the apartments around, above, and below you can automatically adjust to avoid your signal. This works because modern residential-grade APs always have dynamic channel management enabled by default, but in the settings you can turn that off and choose a specific channel.

IN ALL CASES
If, after a day or two, you decide that it made things worse instead of better, go into the settings and enable automatic (dynamic) channel management again. You’ve got nothing to lose, and it helps more often than not.

#CallMeIfYouNeedMe #FIFONetworks

Do you know why rat poison works? To the rat, it tastes good, but it’s fatal. It’s slow-acting enough that the rat doesn’t see the connection between its behavior and the results. And because it tastes good, the rat comes back for more and more and more.

In the cybersecurity realm, there’s a digital version of rat poison. It takes the form of myths.

The Myth of the Cloud.
Business has so completely consumed the Myth of the Cloud that it’s almost impossible to find any network architect under the age of 40 who doesn’t start with the assumption that the network design, any network design, must be cloud-centric. The cloud is a constant, never-ending drain on financial resources. There is no such thing as a payoff date. You can never burn the mortgage. There is no asset to depreciate. There is no location security, only authentication security. The cloud has a global attack surface, and is globally attacked.

The Myth of Centralization.
Blow up a balloon. Keep blowing. It gets bigger and bigger and bigger. You know what else happens? The balloon’s membrane gets thinner and thinner. As the balloon gets bigger, it becomes more fragile. The more you centralize your data and your operations, the more fragile your business becomes. The cybercriminal doesn’t get a piece of your information. The cybercriminal gets all of your information. The cybercriminal doesn’t disrupt the California division, or obtain only the records of customers whose last name begins with the letters A through F. Instead, the cybercriminal gets everything. The cybercriminal disrupts the entire business.

The Myth of Automation.
When Eli Whitney introduced the idea of interchangeable parts for the manufacture of rifles, he set the stage for automation and the Industrial Revolution. To this day, we are enamored with automation. Like those hungry rats, we come back for more. The problem is that an automated system does one thing well. This automated system makes the hammer. This automated system makes the spring. Cybercriminals, by contrast, are always looking for something new. The result: there is never an automated system for what the cybercriminal will do tomorrow. There is one other insidious problem that will never be solved by automation, and that is social engineering. The authorized user will be persuaded to do the cybercriminal’s bidding. And because the user is authorized, no automated security mechanism will prevent them from doing it.

If you want systems that
1) do not have a global attack surface,
2) are truly decentralized, and
3) cannot be entirely wiped out by one successful social engineering event,
then call me.

#CallMeIfYouNeedMe #FIFONetworks

“It’s spooky to watch your computer doing things when you’re not touching it. It’s hard to let someone have remote control of your computer.”

I was talking to a client in Colorado yesterday. He was recalling the first time he let me work on his computer remotely from my office here in Seattle.

It does take a certain amount of trust. And right now, I’ll be the one to warn you not to let a complete stranger on the Internet have remote access to your computer! Word-of-mouth advertising and referrals mean a lot.

#CallMeIfYouNeedMe #FIFONetworks

#HelpDesk #TechSupport #RemoteSupport

A white sign in a clear acrylic holder on a high-gloss brown table or desk. The black lettering surrounded by a thin black border says “References available on request.” In the background, softly out of focus, there is a keyboard and a high-backed office chair. Further back is a window with the curtain pulled back, letting in diffused sunlight.

Passkey authentication is only as strong as its weakest account recovery method.

#CallMeIfYouNeedMe #FIFONetworks

Does your smartphone show good cellular signal strength, but your voice calls sound unintelligible? Can you hear the other person fine, but they tell you that your audio is breaking up? Try disabling Wi-Fi calling.

1) When the Wi-Fi calling option is enabled, your phone may default to the Wi-Fi network even if the call quality would be better on the cellular network.

2) Even if your phone shows great Wi-Fi signal strength, the Wi-Fi call quality can depend on how many other users are consuming bandwidth, and on the quality of the data path all the way back to your ISP.

3) If you have a metered Wi-Fi connection and unlimited calls on your wireless plan, Wi-Fi calling may unnecessarily use your Wi-Fi data limit.

4) On the other hand, if you have unlimited Wi-Fi and a metered wireless plan, Wi-Fi calling can be a money saver in places where it works well.

THE LESSON
Instead of saying, “I don’t know,” check and see if you have a Wi-Fi calling option, determine if it’s enabled or disabled, and experiment with it. Get familiar with both the benefits and limitations of this feature.

#CallMeIfYouNeedMe #FIFONetworks

Cropped screenshot of the Wi-Fi calling option screen from an Android phone. The option is set to off.

The day the CIO lost his job.
THE SCENE: The CEO invited Marty, the CIO, to a meeting in Conference Room 2 North to inquire about the network.

CEO: Marty, thanks for coming. Please show me a random sampling of our VMs.

CIO: Sure. Let me log in and pull this up. Now, I’ll project my laptop on the conference room screen so you can see it. There you go.

CEO: <picks one VM at random> Okay, show me the backup of this VM. If it failed, what would we do to get it back online?

CIO: <goes to a different screen> Here’s the VM image, and here’s the VM backup data. There are a couple of things we can do. We can reload from the snapshots, or we can build a new VM from the image and then reload the data.

CEO: Where is this VM?

CIO: It’s in AWS.

CEO: Where are the backups?

CIO: They’re in AWS, too.

CEO: Are there backups anywhere else? What if we lost our connection to AWS?

CIO: Oh, that’ll never happen. They have backups to backups. They’re too big to fail.

CEO: Okay, thanks for explaining this. You can go now.

CIO: Okay, bye.

CEO: <Back in his office. He calls Jordan, the HR Manager> Jordan, we need to talk. Please come to my office.

HR Mgr: <Jordan enters the CEO’s office> You wanted to see me?

CEO: Yes, thanks for coming so quickly. Please shut the door.

HR Mgr: <shuts door> What’s up?

CEO: This needs to stay absolutely quiet. I want you to find me a new CIO. I’m replacing Marty.

HR Mgr: Wow, that was unexpected. Sure, I’ll get some interviews lined up for you offsite. What happened?

CEO: Marty has placed the destiny of my company – the company I started, the company I own – completely at the mercy of a cloud services provider.

HR Mgr: <Looking puzzled> Doesn’t everyone do that?

CEO: Not the smart ones. A company should be able to rebuild their business anywhere they want to, anytime they want to, for any reason.

HR Mgr: Okay, I get what you’re saying. But that could be expensive.

CEO: This is a military-grade problem. Cloud service providers are a military-grade target. There are dangers from cyber warfare, conventional warfare, supply chain attacks. My company will be able to pivot, without waiting for some cloud service provider to get its entire infrastructure back online. I want someone who cares about my business continuity and my disaster recovery.

HR Mgr: I’m on it.

#CallMeIfYouNeedMe #FIFONetworks

This morning I did a tech support phone call with an existing client. Based on her area code, I think she’s in California, but I don’t actually know that for sure. It’s kind of humorous! With credit card billing, I have to enter the billing zip code, but I don’t bother looking them up. The location just doesn’t really matter.

Anyway, back to the call. She visited a website for an animal rescue organization. Seems safe enough, right? She ended up with an uncontrollable, noisy pop-up that said her computer was infected. “Don’t turn your computer off!” it said, and it wouldn’t stop beeping.

She did the right thing. She turned her computer off! I’m so proud of her.

At some point, she turned her computer back on, and everything seemed normal. She called me to see if there was anything else to do. An extremely computer literate person in her life had recommended that she do a factory reset on her computer, but she was hoping she wouldn’t have to do that much work.

This is where risk assessment comes in.

I told my client that her advisor was not wrong at all. That was absolutely the safest and best advice.

But, usually those pop-ups are the baited hook, and not the malware. If my client had clicked on a link, or called the “support” phone number in the pop-up, the risk level goes up immediately. Instead, she did the one thing the cybercriminal told her not to do, because it defeats the infection attempt: she turned the computer off.

I offered to reset the browser, but warned her that doing so might delete some saved security settings, and she’d probably have to re-enter passwords on some of the sites she visits. I also told her that she could keep using the computer for a few days without any changes, and if the problem doesn’t reoccur, everything is probably fine.

Remember, the pop-up is the baited hook, not the malware.

For now, she chose to take no action. The call was ten minutes long. She offered to pay. I told her no, let’s call this one customer care. I told her that if she had agreed to have me reset the browser or run a virus scan, and things like that, I would’ve charged her, but not for answering a few questions.

THE LESSON
The client is the person with the power. Explain options and risks. Let the client make the decision. It’s their equipment. It’s their life. It’s their money.

I could’ve taken advantage of the situation and said, “Oh, yes, your advisor is right! We must factory reset your computer! I’ll help you do that right now!” That’s how I would’ve made the most money today. Instead, I chose to keep a client for life. The money will come.

#CallMeIfYouNeedMe #FIFONetworks

#HelpDesk #TechSupport #RemoteSupport
