Technology Made Simple
Monday December 6th 2021



Leaders Fix Processes Don’t Blame Employees

I’ve talked several times about learning the lessons from every leader that I’ve ever had, good or bad. I was recently talking with a mentee, and they had an issue at their work and their boss berated the entire staff for making a mistake that brought a system down. From the description of the incident, it was an honest mistake, wasn’t intentional, but they asked the best way to deal with it.

Digging further into this incident, I learned that there were no defined processes for updating or making changes to the systems they were managing. They got their tickets and they made the changes accordingly. So obviously the simple fix is to start to build processes and policies in place to have a more vetted approach. Yet that’s not what I want to discuss here, that’s management 101 and while they wanted to take a stab and fix it, my focus became on the manager’s behavior. I’ve had these managers, and my lesson learned from them, was to try and never be that way.

Now I will start this out, by saying this isn’t a blanket statement, that processes always need to be fixed, and sometimes it is the employee. Sometimes no amount of process is going to fix all your problems and every organization has its own ability to self-police it processes or adds checks and balances in place for every step. These are given flaws in the processes.

Now that is out of the way, let’s talk about what your thought process should be. As a leader, your first response to any type of incident, shouldn’t be “who did it?”, it should be what broke in the process, that allowed the thing to happen. When you focus on the WHO and not the WHAT, you start to impact your team. You end up not empowering your team and taking their confidence down and making them afraid to act. I’ve talked before about ending the fear of making a mistake so that you can encourage your team to try new things. Yet under these leaders, teams end up dissuaded from making even the basic of decisions or improvements.

Plus, I don’t think that blaming an individual or team, really gets to the root of the problem. The more constructive and beneficial thought will be what went wrong, for this to occur. For one, it doesn’t assume that it’s a “people” issue, and maybe there is a gap that needs to be filled. For example, when there have been disasters with the space program, you don’t see, “Bob was supposed to connect this wire to the space motherboard, and it was done incorrectly that’s why it happened”, the figure out what caused the issue and put processes in place, or sometimes even backup procedures in place to avoid the issue from occurring in the future.

Blaming a person or team only corrects it for that one person and makes it hesitant for that part of the process again. Instead try figuring out if the process can be improved, where everything is documented, the risks listed, and the approvals documented. In some cases, having a simple thing like another staff member reviewing the change before committing the change, to make sure they don’t see any mistakes or the logic is thought out. I had a leader early in my life, that use to have me check configurations before he committed it.

I always want my teams to grow intellectually and where I can try not to stifle their innovations. I want to put in place processes that allow innovation, but also allow for someone to review and make sure that it will work. While nothing will be “perfect”, this gives your team confidence and a check and balance system. Even if the HotWash/After-Action/Post Mortem says that your process is missing altogether.

Mentor your staff

I think an often overlooked part of leadership for many people on every level, is mentorship. In my career, I’ve had no mentors, indirect mentors, and only one real mentor. Yet from every boss that I have ever had, I have learned something from them, sometimes positive, other times not so much. Yet, I do wish that it was something that more leaders actively did. I have tried to mentor many of the people working on my teams, there are some I still reach out to on an infrequent basis, to see how they are doing or if there was any advice that I could help them with, sometimes it’s work and sometimes it’s not. I wanted to share some of the reasons, I think about finding a mentor or mentoring someone.

Find Someone not like you

This is one, that originally I didn’t like, it didn’t seem to fit me very well, as my first few mentors were exactly like me. Yet, some of the skills and thought processes I use on the regular came from those people whose personalities and management styles weren’t like mine. We all have some blind spots in our jobs, or if you don’t like blind spots, more accurately tunnel vision. “We’ve done it this way forever”, finding a mentor who is different from you, can help you start to see the thought processes, you might not have ever tried, since you always did it this way. While it can be a little uncomfortable at first, there’s a lesson to be learned from new ways and new perspectives.

Mentors support growth

Mentorship can help cultivate growth in your own organization, by helping raise someone to a new level. My personal take is it’s always better to hire someone from within, they know some if not all of the ins and out within a particular company. Also, why would you not want to help someone with personal and professional development (if they are ready for it) and help them grow and see them grow? Plus this helps workplace satisfaction if they feel that you are invested in them.

Encouragment helps

One of my favorite parts of mentoring people is the encouragement part…we all need this every so often. Sometimes we can get down on ourselves and only see the errors we make (I’ve been there), and a mentor can encourage us to get back up and try again when we fail…and help push success. It’s easy to get stuck down in the weeds of work, and being the person who helps them see the bigger picture can reinvigorate a talented person.

Mentors serve as a source of knowledge

Now, this is an obvious one. I’ve learned so much from my mentors about how to approach work, how to interact with fellow employees, and set my moral compass. I am, on a level, every lesson learned from all my previous mentors. All they have taught me makes me the kind of leader that I am today. Now, this isn’t all good, I like to think I’ve passed on my failure lessons to the people I mentored. My hope is that they learn from all aspects, where I have succeeded and where I have failed, so they get a full view and learn that failure isn’t the end…you need to get back up and try again.

Someone to listen

Sometimes we just need someone to bounce some ideas off of, and there is where a mentor helps. They can listen, and give you objective advice or opinions with their relevant experience. This isn’t an all-or-nothing thing, but having someone to listen and provide opposing viewpoints lets you work through thought, and like mentioned before can help you see something you might have missed.

Mentors are Trusted Allies

I honestly debated this one, but I think it needs to be said. Your mentor needs to be someone you trust, and if you are someone’s mentor you need to make sure they can trust you. It’s one of the most important things because you can’t be honest if you think they’ll say something to someone else. This is a constant trust exercise and needs to be there on both sides of the mentor relationship.

Anything I forget, let me know below.

Auditing Standard: A Starting Line not a Finish Line

In one of the many groups I belong to, someone had asked how much do standards really help a company. My answer, as much as I wanted to be, wasn’t straight-forward. I uttered a, “It depends…” I went on to explain the same thing I will here, the nuances of my thoughts.

For a small company or a business that is growing these standards (NIST, ISO, SOX2, etc) help to build the framework which you need to grow to achieve. As when you start this process you have nothing, and this gives you an easily attainable objective, something that is time tested and usually lot of resources that help you achieve the goal. So in this case, standards and auditing are a real help.

On the other side of this discussion are companies that have been around a while and have these standards followed (or closely followed) and they get their regular audit and they pass and they’re happy. This is where working to an auditable standard, in this case, no longer is a value add. Yes it does help to make sure you maintain compliance or find maybe some systems you may have missed, but in the most part, it’s a check box.

This is where I say to companies, if you are just working to the standard, you’re already behind. See the standard is just that, a standard and in our personal lives (if you have money), you don’t settle for that anymore. All cars follow a standard, but I bet when you look into your organizations parking lot, executives don’t just have a base standard vehicle, they go with a vehicle that goes beyond a standard, a company that goes above and beyond for their comfort. Well that’s the same with IT and Security standards…that’s the entry model we should be getting into…and then building a better product, not just a standard one.

This is something that needs to start from the top down, look at your last audit and what controls can you “tweak to 11” look at other compliance standards what can you take from them to build a more robust defense. That’s what I want every person to think…if you are passing audits regularly, then it’s time for the next step figure out how you can do better, plan and achieve it. To a degree we do this already, if you are trying to implement zero trust, the most standards don’t just call that out.,,that’s something above and beyond.

Like most of my security advice, this is a stepping stone process, not every company needs to get to this level immediately, take your time and build just to a standard at first. Security is not an off and on switch, you can turn all these controls on and not cause chaos and user hatred. Security should be thought of as a sliding scale, and as long as you are moving up…then you are moving in the right direction, until you get a few passed audits under you belt…then set your next goal and target that.

Multi Factor Authentication Considerations

It still is somewhat shocking to me that most businesses still aren’t taking Multi Factor Authentication seriously, and don’t mandate it for the employees and like I mentioned the other day for executives. Yet, I see articles like this one from Yubico that shows that people are making the effort in increasing spending by 75%. This is great, and I think if you work in any kind of business, MFA should be a required part of getting an account.

Yet, I think some people are so quick to jump to MFA/2FA that they don’t do the required amount of thought before rolling out the tool. Before I go any further, these are things you need to consider, and your business maybe willing to accept the risk of these discussion points, or another reason. This discussion should also not make you write off using MFA/2FA, just things that you need to plan for.

1. Text Message MFA is not secure

Microsoft pressed users to move away from text based MFA due to a lack of security among telephone networks. The text messages you get containing the business verification codes aren’t encrypted, so attackers can gain access to them fairly easily. I mention this, because it’s the most popular way to get codes, and there are many businesses that only offer this at the MFA method you can use. I have this for a couple of my accounts, and while it’s better than no MFA, it’s not as inherently secure as we might be lulled into believing. It’s better to use an authenticator like Microsoft or Googles (or any other third parties) or even a token based version.

2. Tokens have high cost to implement and maintain

So I said that text messages shouldn’t be your go to, so obviously tokens have been around forever, so that must be the better choice. So the problem with these for many companies is selling the upfront cost to the company, you’ll need to buy these for every user in your organization, which depending on size can be costly. Then you need to figure out the amount you’ll need to hold onto for when people loose them…and I do this with my own keys for personal accounts (and I later find them…the record was loosing one for 8 months). So in a business you’ll need to have some you can give people when they are lost.

Following on the lost thought process of lost, what are you processes when an employee forgets their token at home? We’ve all gotten half way (or all the way) to the office, and then realized that we forgot something that we needed, how will your MFA plan account for this? This can really hamper a persons productivity and may get your IT or Security unit blamed when a user can’t work.

3.Lost MFA

So I touched on this, but it is something that needs to be called out on it’s own. So I explained earlier I had a security token (YubiKey), which I use for my own personal accounts. I used this key to secure an authenticator (double security…yea it was smart and dumb simultaneously) and then I lost that key for the better part of 8 months. I was locked out of using some of my accounts because I lost my security key. This doesn’t just apply to token based security, there are times where my phone was wiped and then realized that my rolling authenticator codes were on there (I’m forgetful if you don’t see a pattern). In both cases, I lost my MFA ability and needed to get into my accounts, and you need to plan for when a user has the same issues…”tough luck” isn’t going to cut it.

4. Overconfidence in two-factor authentication

There is always a part of information security that is psychological, anyone who has studied social engineering can attest. Users will behave less safely when they believe they are being kept safe by others means. Computer users who run anti-virus software are more likely to install risky software, as that should protect them if there is anything malicious. Yet, we as information technology worker, can tell you that only catches stuff that has been out there a while. Researchers have shown that this applies to the use of two-factor authentication, they observed that users who were required to employ a second factor (they used a fingerprint in their study) chose weaker numeric PINs than those who were not. So take that into account, If you believe that MFA is a fool-proof way to protect your user accounts, they may be more willing to login from an untrusted computer or more likely to risk linking a cloud or software from an unknown or unfamiliar publisher which can steal their data.

5. The more factors the better

One of the best things you can do is allow multiple factors, not a single option. This will give your users the largest chance to give themselves access to their account. For example, at one place I worked, I had the ability to choose how I was to MFA whether it was phone call, text, authenticator push (on multiple devices), token or even a rotating code. Now I had to set all of these up, and we didn’t mandate how many we needed to use, but I encouraged everyone I helped to set up as many as possible, to avoid lock out. Now were all of them the most secure? No! But the system allowed me to make the choice, I had text set up…but I never once needed it, but it was a safety net in-case I did.

6 Lock all other methods out

Once MFA is in place, make sure you use it everywhere and lock out any protocol or legacy system that lets you bypass MFA. This is probably the most difficult from some companies to implement, so you may not be able to shut off those systems that bypass, but figure out some other compensating controls that will allow you to secure your environment., because I’ve seen first hand, when malicious actors see MFA or any other security control, they will switch tactics and look for legacy ways to get in, without MFA.

Like most things, knowing the right areas to look before rolling out your tool and making it simple for the end users is key to make any security work. Too many security methods can be draconian, and people will either not follow them. Also MFA should be part of a well rounded security program and when paired correctly, can be a useful tool.

Anything I missed, let me know in the comments below.

Protect the Executives

Locked Laptop

For years, I’ve advocated spending extra attention to accounts on a network that once compromised, can cause devastation to the environment. Depending on what industry your work in, these are Executives, VIPs, Politicians, or even the C-Suite, whatever you call them, these are accounts, you may not have considered dangerous, but they can be. The damage from one of these email account takeovers can run into millions of dollars. In 2019, Toyota Boshoku Corporation lost $37 million after the information in a payment transaction was changed, sending millions to the fraudsters.

Information Security professionals responsible for securing sensitive C-suite email accounts face a two-fold challenge, first securing accounts with wide-ranging permissions coupled with a significant educational role with the largely non-technical executive. Surprisingly, this struggle is added by malicious actors knowing this and their brute-force attacks for C-suite mailboxes have escalated by 671%, according to the latest report from Abnormal Security.

What tends to make security headlines now, is all ransomware, but that’s not all we need to focus on. I’ve made the case before, that most security professionals know, that regardless of how sophisticated our tools are to detect intrusions, we all know that our users are the weakest links. Out of the typical user, the executives of the organization are the groups most at risk. In my personal opinion, the two best targets in business are first and foremost, the executives and then IT people.

Let me explain my thought process on this view of the landscape. Executives, by nature of their position, may not be the most technologically savvy user, that’s not their position in the organization. Secondly, that same group may be more likely to have exemptions to the security practices for your standard user. Our average users, generally can’t opt-out of the practices to defend the network, but an executive who wants to get around Multi-factor authentication will put pressure to be exempt. Plus in the numerous companies, I’ve worked within the past, some of them are more than likely administrator’s to their own systems. Plus the example I give every IT person, if your boss’s boss’s boss, asks you to do something now, how likely are you to hesitate or quote policy to them? If we’re honest, not many.

In an article from CSO, Terry Thompson, adjunct instructor in cybersecurity at Johns Hopkins University said, “The combination of social engineering and clever use of email made to look like it’s from the boss/CEO is a real threat in business email compromise’s,” He also stressed that the importance of securing these accounts, comes with the “greater vulnerability and risk to the organization, which will be exposed to ransomware, email spoofing, and related threats.” Executives are the most trusted with corporate secrets and confidential data, and their communication is more likely to be read and their instructions followed. “[C-suite executives] are more likely to change technology and more likely to insist on breaking the rules. They are also more prominent and therefore easier to target and imitate for abuse,” says Holden.

The second coveted group is the IT department. Though honestly a tougher target than executives, if you can get an account with privileged access, then your whole job is easier. You may be able to leverage an executive account to gain access to a privileged account, by just asking. The reason an IT account is an amazing catch reminds me of a story from an Information Security professional, where malware from a compromise was hidden in a group policy object, to install and infect the network when a user logged in. How scary is that?

So after all that…what can we do to protect those accounts? Well, I wish it was easy, but like most of our work in the information security field, it’s not. You really need to educate those executives and make sure they really understand the why…and keep themselves from exempting themselves out. I recommend going through tabletop exercises to raise their awareness and run through the process if something does happen. Like most things with executives, make the exercises and training, non-threatening and try to give them the information they need to prioritize this and other threats.

Once the awareness part is in place (or underway), then the technical controls need to be worked on with the executive suite. This is probably what you are doing with others in the organization, but you may need to make it easier for them. One example is multi-factor authnerication, but maybe changing the tactic with them…for example, if your system allows it, let the executives use push notifications, rather than the text, random codes, or security keys that your average user is using.

The third step to this is to make sure the executives know the importance that they play in the process. For any security program to really succeed in the organization, everyone needs to know the executives support this 100%, and not only do they back it, but they are also doing the same thing as every other user. It’s like the foundation of a building, if they are strong and understand the why and the risk and back it, there will be fewer people who are willing to challenge it. I remember this discussion at a position when I had an important user try to fight against security protection, and I mentioned the top person of the organization was doing it, and if they needed an exemption they’d need to explain why they deserve to be expected when everyone else was included. They weren’t happy, but as far as I know, they never tried to exempt themselves again.

These may read like easy tasks, but I can assure you they are not. Information technology professionals have a difficult time explaining the technology risks already, let alone security ones. So these may not be single engagements, and you’ll need to spend a lot of time laying the knowledge foundation to get everyone on the same page.

Q&A Monday: Is IT Security nothing but paperwork?


Oh boy, I’m excited, I haven’t done one of these in a while!


In my current company, I just switched over from the server operations side to the security side of the business. While I have only been in this position for about two weeks so far, I’ve been doing more meetings and paperwork than I have other work. Is security nothing but paperwork?

Evelyn Clayton
Okmulgee, OK

This is a good question, because I have heard this a couple of times…and while I wish there was a straight forward answer, but the real answer is it depends. IT Security can be different depending on where you work or what you are doing. For example if you are doing Red Team (penetration testing), there would be more technical work, but there still is the meeting and reporting piece. People who work in Security Operation Center’s tend to not have paperwork (per se), but tend to work on tickets instead.

Like I said, this all depends on the company you work for, small or medium companies may not have all the normal security roles filled. In these places, while you may have a title (like security analyst) but you may fill many other roles that traditionally have separate roles. I’ve seen security analyst who did risk management type of work, since they didn’t have someone to fill that, but the organization needed their Security professional to complete that task.

Now this isn’t something that it just tied to security, but I feel like more people have an expectation of security roles. For example, I was a Systems Administrator in one company and I did almost everything on the network, configured switches, rack and install servers, manage VoIP phone systems,etc. all while friends with the same title at other companies just managed servers, and have teams to rack servers, or a telecom team to manage the VoIP phones. This is something in IT we all need to be cognizant of, what does the role really entail. There is nothing good or bad about these extra roles, but you need to make sure you understand the position before excepting it.

Now from my personal experience, I’ve had a lot more on the meeting, compliance and paperwork side this is something that I don’t mind, as I view this as something that you need to build a successful security program from, but I need people with the expertise to do the scanning and reporting the results, to help me build a successful strategy.

So to answer concisely, understand what security means for your company, and what is expected. If it’s not for you, that doesn’t mean you need to give up on security, maybe look for a position that more matches your needs. If it’s not too overwhelming, doing a multi-faceted security role can help you learn skills without the pressure of having to be excellent at it. When you sole skill is penetration testing, there’s sometimes a little pressure to be good at it. Either way, you need to make the decision for yourself and what’s best for where you want to go in your career.

If  you have any questions that you want Jim to answer, from business servers to home computers, drop him a line at, and he’ll try to answer your question.  Check back every Monday for a new Question and Answer session, and check back Wednesday and Friday for other technical insights.

Leading Remotely…Making better Leaders

Most businesses are switching to either a remote or hybrid model to help employees in these pandemic times, and employees are loving the freedom in which it brings. I’ve seen more than a couple managers struggle with this change, so if you have felt this way, you are not alone. Most managers are used to being able to see the people they are leading, and without that, it makes it harder.

I like to not look at this as a challenge, and more of a shift that should make managers up their game, per se. I think many managers tend to use seeing people in the office as a crutch to good leadership. Relying on keeping an eye on your team, was nice, but now you need to become a better leader by being more deliberate in what you are doing with your team.

So what do I mean by being more deliberate? Well, some managers are used to being in the office and hands-off unless something needed to be done, and then finding the person with the least load, and assigning them the task. That’s easy when you can easily see all your team, but remotely, you need to be actively more aware of the workload and what tasks might be coming to your team. It’s switching from a passive to an active leadership strategy.

I think this may be a controversial statement, but I think the office environment helps mediocre managers. If you communicate something wrong, you can see your mistake and correct it and continue to make those mistakes. While remote management is less forgiving in this manner, you may not catch a miscommunication until hours later. If a team member is struggling, it’s easier to see that in an office environment, and you’ll need to improve your skills to catch this remotely.

Communication is a key thing, that I’ve heard and seen many managers struggle within this remote environment. There is way more communication than there was in the office, but that doesn’t mean that the communication is better. There’s a balance that needs to be struck, and a more direct and succinct direction given. Think of communication as a wild animal, that needs to be tamed to do what we need it to do, not over-communicate and not under-communicate, something that strikes balance, and that’s not easy.

Goal setting is something that you’d expect every leader to have, and while I wish that was the case, it’s not. Most leaders have a solid handle on what the task is but may miss “why” is this task important. In an office setting, some people can learn this through talking with coworkers naturally, but you need to make sure your team still gets the bigger picture.

While all this discussion has been about existing teams, I would be remiss if I didn’t mention the leadership skills when it comes to new hires. Every job I’ve had, I’ve had the advantage of sitting with or near my teammates. This let me naturally pick up the flow of the job, rules of the job, and even the knowledge I needed to be successful. Remotely you’ll need to encourage that in your team and be an active part of it, rather than most leaders’ formerly passive approach.

I’d like to put it this way, I’ve yet to be at a company where I haven’t leaned on a team member who’s been there forever to point me in the right direction or help influence someone to assist me in getting a task done. They have the built-in trust of other employees that carry weight or help you through a process. I’ve yet to be at a place, that was so perfectly documented that I didn’t need that assistance, it’s hard for a new person to navigate that.

So all this is to say, take this opportunity, while remote to make yourself a better leader. Take some time to adjust your previous strategies, talk candidly with your employees, make sure you use clearer communication, don’t over-communicate, don’t under-communicate, and most importantly, if you do go back in the office…don’t let these skill improvements fade and lean on the crutch of mediocre leaders.

Project communication between “non-techie” stakeholders and “techies”


In all the different jobs that I’ve had over my career, I’ve had a mix of technical and non-technical managers on projects. Most of the time, the non-technical managers just leave the technical stuff to the technical ones in the project, but sometimes I don’t believe that’s the best for a project, because each of these disciplines will come at a project in a different manner.

This dual approach may work for you, and it may not. Both teams want the same thing, for the project to succeed, but my take to projects, is you need both teams to effectively communicate for a project to have the minimum amount of issues. So if you find yourself as a stakeholder in a project, and you are non-technical working with technical resources, here are some tips.

  1. How to communicate with the technical resources?
    I list this one first, because depending on your organizations size, this may or may not be a huge problem. You may have a project or IT manager, inwhich to coordinate and communicate with, and in this case you got someone who can filter that coversation. If you don’t have one, or if they just point to a technical resource, then this question becomes even more important. Technical resources often still have day to day tasks to take care of, and you don’t want to bother them at the inoppertune times, so this question lets you understand how best to communcate with them, in a manner that they prefer. For example, I know I perfer phone calls or email, where I’ve met technicians who prefer just emails.
  2. Are you waiting on me for anything?
    Project managers keep track of opened items, but if you don’t have one, this is a great question everyone should ask. This makes sure that you’ve submitted everything that you need for the project to move forward. I’ve seen people think that they’ve completed their part, only to forgotten they agreed to somethnig else or more data.
  3. What’s Testing Look Like?
    I’ve seen many projects where the testing part of the project where things go belly up. I think it should be something that the begining of every project gets discussed. If your testing of the software or application is done correctly (and that’s something that varies), the launch will be smoother (nothing is perfect). If you test with the wrong set of users, you can see roll out identify major issues that weren’t discussed, planned for or even available to assit.
  4. How does this system impact other systems
    Some companies have lots of systems that interconnect with each other, so it’s important to identify or know how a change will affect other connected systems. As stakeholder, you should dedicate some time to thinking through how this project impacts downstream processes. If the new system connects with other exsisting systems, make sure they’re data flow is in the test strategy.
  5. What is the process, when it breaks
    This is kind of lumped in question, that is trying to understand what happens when things don’t work. This one has had different meaning based on many many roles over time, but each part is important to understand. So the easiest one, what happens when I put data in wrong or miss data. This will let you know what the data validiation of the system looks like, and if it throws are error what’s the full process to resolve. Do you contact the help desk, do delevopers need to be contacted, etc.
    If the system goes completely offline or unavailable for whatever reason, what the buisness plan to keep the processes flowing. This is more of a disaster recovery planning piece, what are the mechanisms in place that you’ll pick up if this system is unavailable. You don’t want to have to figure this out, as the unavialbility is occuring. So plan in advace, what’s going to change…are you going to pencil and paper, is the another tool you can load data into and the once availablilty is restore, then load that back in.
  6. Is there System Aduit Trail?
    This is something that from my security background, I think is important (and it comes up often), that should be discussed during the project phase. It is inevitable that some employee somewhere will do somethin that shouldn’t or you need to track down an issue. It’s important to know if there is an audit trail and what data it contians, so that if you want to see if someone accidentially deleted something or if someone changed data, who was it?
  7. Whats happens during project handoff?
    The highest risk for a project falling apart during the handoff from the tech team to the business. Make sure it is planned out exactly what happens when the testing phase is completed. You need to make sure the technical team has a solid plan for moving the system into production and transitioning from project testing to operations. This should identifying the system owner. Also make sure the technicial resources are available just incase to deal with any launch issues.
  8. What are you thoughts?
    This is a powerful question, that isn’t asked enough in my opinion in projects. The business stakeholders can gain some understanding, in the right situation, by asking this to the technical staff. I say this, because you technical staff works with the end user of the projects, they may have insight into the process or atleast let you know of any concerns. Most technical staff, wont just say this during a meeting, so by asking this question, you are giving them a chance to let you know their thoughts.

I’m sure there are a bunch of other questions you can ask at the start or early in a project to help succeed, I know I’ve looked at: 15 Questions You Should Ask Every Time You Start A Project , and there are others. These are just the ones that I’ve noticed through my time, that I think should be helpful. Are there any ones you recommend, let me know in the comments below.

How to Improve your enterprise E-mail Security

One of the things that I’ve noticed during my time is that phishing emails, ebb and flow like the waves of the ocean. It seems like nothing significant for a few weeks, then the flood gates open and a bunch all come in a short period of time. The security, mail and support teams get flooded with what may or may not be legitimate emails. Now honestly, looking at an individual email to determine if it’s spam, phishing, or legitimate email, takes some time, but when you pile on different types, it can get hard and be time consuming.

When you team needs to crawl through all those emails to make a determination, you look for ways to make it easier on them (that doesn’t mean a silver bullet that kills all phishing emails, but gets at the low hanging fruit). The easiest target is those phishers who fake the sender of emails, those are the ones where they look like they are coming from a trusted source, or even you own company, but aren’t. Most (not all) Spam, Fraud emails and viruses come from someone pretending to be from another email address.

So the best first line defense, is verifying the identity of the sender. The best way is to utilize the three main email security protocols of SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and DKIM and these three complement one another, so it really is best to implement all of them. The three together will prove to ISPs, mail services, and other mail servers that senders are truly authorized to send an email. When properly set up, all three prove that the sender is legitimate, that their identity has not been forged. These anti-spam measures are becoming increasingly important, and will one day be required by all mail services and servers.

Now by no means are these super easy to set up, and depending on your email hosting situation may make it either easier or harder. Yet, there isn’t really a good reason that you shouldn’t invest the time and money into getting these turned on.

Sender Policy Framework (SPF)

  • SPF secures the DNS servers and limits who can send emails on your behalf. This keeps others from spoofing your domain.
  • SPF consists of three primary components: a policy framework, an authentication technique, and particular headers in the email itself that convey this information.
  • Email providers can use your SPF record to verify that a mail server is permitted to send email for your domain.
  • In short a SPF record is a DNS TXT record that lists the IP addresses that are permitted to send email on behalf of your domain.

Importance of SPF:

  • Receiving mail servers use SPF to verify that incoming email from a domain was sent from a host approved by the domain’s record. This is why it’s stored in the DNS entry.
  • The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.
  • SPF improves the protection of email users from spammers. Because faked “from” addresses and domains are frequently used in email spam and phishing,
    • Publishing your domains SPF data is regarded one of the most dependable and simple anti-spam tactics.
  • Many email systems use a reputation score for you domain to decide if you are known for unwanted emails…So if you have a good sending reputation, a spammer may try to send email from your domain in order to benefit from your ISP’s good sender reputation.
    • This is where SPF authentication will show the receiving server that even though the domain may look like yours, the sending server has not been authorized to send mail for your domain.

If SPF is so great, I’ll just use that!

While I made a case for why SPF is good, like I mentioned it should be part of a 3 legged approach. Why SPF is good, it doesn’t survive the email forwarding process, so it’s not perfect. SPF only says what servers can send on behalf of your

 DKIM signing can withstand forwarding. SPF does not work with forwarding since it is merely a list of servers that are authorized to send on behalf of your domain, and a domain owner cannot maintain a list of forwarders. 

What about DKIM?

DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiving server to check that an email was indeed sent and authorized by the domain owner. This is achieved by giving the email a digital signature that’s encrypted in the email header.

Once receiving system determines that an email is signed with a valid DKIM signature, it knows that the email among the message body and attachments haven’t been modified. DKIM signatures are not shown to end-users, the validation is done on the server side.

Like SPF mentioned above, DKIM is also used in DMARC alignment. The DNS has a DKIM record, although setting it up is a little more challenging than SPF. DKIM has the advantage of being able to withstand forwarding, making it preferable to SPF and a solid basis for email security.

Why DKIM is important:

DKIM is checks the following 3 things:

  • The sender of the email owns the DKIM domain, or is authorized by the owner of that domain.
  • The contents of an email have not been tampered with.
  • The headers in the email have not changed since the original sender sent and that there is no new “from” domain.

OK, so I’ll just use DKIM then!

While DKIM is great, you need to remember isn’t a perfect detector of validating the email sender’s identity on its own, and it doesn’t prevent the spoofing of the domain visible in the email’s header. These problems are solved by using DMARC because the domain the end-user sees is the same as the domain that is validated by DKIM and SPF.


How DMARC works:

Since DMAC employs both DKIM and SPF records to validate the sender of an email, DMARC is used (or highly recommended) for businesses. A DMARC record allows a sender to say that their messages are secured by SPF and/or DKIM, and it instructs a recipient what to do if neither of those authentication techniques succeeds – such as discard or reject the message.

The domain administrator publishes the DMARC policy in the DNS record, defining its email authentication practices and how receiving mail servers should handle mail that violates this policy. When an inbound mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain then checks, is DKIM Valid, Did it come from an authorized source and is the domain alignment correct. Depending on what this check the receiving server is ready to apply the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.

The good thing about DMARC, is that the receiving server will report back to the original domain originator, as defined in the DMARC policy. So you are able to detect if anything went wrong or wasn’t handled the way it was expected.

In Conclusion:

Cyber-criminal activity is not going to end anytime soon, so the only logical thing to do is to secure your email domain from fraud.  DMARC has benefits regardless of the size of a business. It provides full domain visibility, control over the email traffic, and security from phishers and spoofers. Utilizing all three of these services, you can make sure your email systems are secure, you limit spoofing and you make sure your emails make it to the intended audience. This is a time investment for your IT team, but this is one that is worth it.

Designing and Implementing a Document Control Number System

While most mature organizations already have a well documented process for creating, approval and numbering of documents, not all do. So what do you do, when you come across one, where you a making the process. The first question, you might come across is why, do you need these documents?

Those policies and procedures for your organization help your employees have access to the resources they need to do their jobs effectively and repeatable. If each of you work departments or units have have policies and procedures, implementing a document control numbering system that will make it easier to keep track of and find these individual policies. Also if done correctly it’ll let you reference them, without needing to look at a policy key to reference them.

Consider a user-friendly Document Control Numbering System by Function

In your business you have multiple departments, separating policies and procedures by department is a user-friendly way to organize them. However you decided to number them, make sure that it’s something that everyone can easily remember. There are two popular ways of accomplishing this, that I’ve seen used in many companies.

  1. List all of your departments in Alphabetical order and then assign them each a number. For example, this way you might have your accounting department as number 1, so all accounting policy, procedures and standards start with a 1, where Sales might have a 6 and IT would have a 4. These numbers will change depending on how big or small or organizational chart is. The one downside to this, if you organization is growing and adding new teams, you either loose the alphabetical numbering order, or you have to redo all the numbers, which can lead to confusion.
  2. You can also institute an alphabetic (or alpha-numeric) numbering system, instead of just using numbers for departments like the other way. Using alphabets can help them identify the department more quickly. An example of this type would be labeling all policies from IT start with ‘IT’ or all policies from Human Resources start with ‘HR’. I recommend that if go down this path, you keep all the abbreviations the same length, but that’s a personal preference.

The Type of Document

Once we identify how you will number your policies by department, then it’s time to determine , next is typing calling out the type. businesses that have many different kinds of documents, like policies procedures,standards and guidance, so identifying what kind of document by placing it in the document control numbering system can simplify the process for users. In this example, all procedures can be identified with SOP or PROC, or Standards can be STD and all policies can be identified with POL.

This is a totally optional step, that a lot of companies don’t use, but I think it does make it easier for an end user for the end user to find exactly what they are looking for. It means, if you store them on a file share, they can sort the policies, procedure and so forth easily.

Actual Numbering

Now, we’ll number each individual policy within the departments. For example, if the Human Resources department has 10 policies, you can number them like IT POL 3, IT POL 4, IT POL 5 and so on. Some people may create sub policies, like IT POL 4.1, if it’s a separate policy that ties into the main one.

Follow Practices

The main point that you need to remember here, is making it easy for your users to find and follow the policies, so keep it simple. I have been guilty in the past of over engineering policies, procedures and after I designed a bunch, I quickly realized it wasn’t easy for anyone to follow. I added some weird tags like internal policies and external policies into the naming scheme. I then had to have a self realization, that I didn’t consider how I failed to make the document control numbering system intuitive, so my staff and users could easily identify what kind of document they are looking at without having to use a reference key, and that was a bad numbering system.

Make sure once you settle on one you communicate your document control numbering system to all employees before or at minimum once you implement it. Let them know where your policies and procedures can all be found and make it easy for them to get to, searching for them isn’t ideal. Also I recommend you add a table of contents or index so everyone can easily locate a specific policy.

Document Control Numbering Discussion

I talked a lot about different methodologies for numbering your documents, but there is a great little forum, that I saw when first looking at this question a few years ago, in which a bunch of people where discussing the best way to do it. The forum discussion Any suggestions on a document control numbering system? It’s a dated post now, but that doesn’t mean the information wont be helpful, to see how others discuss their document control number system.

 Page 1 of 20  1  2  3  4  5 » ...  Last »