<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tech Prognosis &#187; Managed Services</title>
	<atom:link href="http://blog.techprognosis.com/category/managed-services/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.techprognosis.com</link>
	<description>Allowing You to Focus on Work</description>
	<lastBuildDate>Mon, 06 Feb 2012 03:50:53 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>NBA Fines And Non-Compliance Lessons for SMBs</title>
		<link>http://blog.techprognosis.com/2011/05/25/nba-fines-and-non-compliance-lessons-for-smbs.html</link>
		<comments>http://blog.techprognosis.com/2011/05/25/nba-fines-and-non-compliance-lessons-for-smbs.html#comments</comments>
		<pubDate>Wed, 25 May 2011 10:30:42 +0000</pubDate>
		<dc:creator>Daniel Ihonvbere</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Regulations]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Breach Laws]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Smbs]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1616</guid>
		<description><![CDATA[Regulations on the local, state and federal levels are on the rise and this is putting a lot of pressure on compliance efforts of Small and Medium-sized businesses (SMBs) and exposing the fact that these organizations can only avoid costly fines and/or lawsuits by maintaining strict compliance throughout their information management processes. I found the [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-1630" title="government" src="http://blog.techprognosis.com/wp-content/uploads/2011/05/government.png" alt="" width="119" height="105" />Regulations on the local, state and federal levels are on the rise and this is putting a lot of pressure on compliance efforts of Small and Medium-sized businesses (SMBs) and exposing the fact that these organizations can only avoid costly fines and/or lawsuits by maintaining strict compliance throughout their information management processes.</p>
<p>I found the recent fines levied by the NBA on two players &#8211; Kobe Bryant and Joakim Noah &#8211; to be a good lesson on the cost of non-compliance.</p>
<p>The NBA has consistently fined players who were in non-compliance of its rules and these violations range from the serious to what one could argue is the absurd &#8211; like kicking a ball in frustration, or throwing a basketball into the stands in celebration of a win.</p>
<p>Here is a sample of violations that could get an NBA entity in trouble:</p>
<ul>
<li>derogatory slurs, flagrant fouls, speaking out against or complaining about poor officiating, altercations during a game, making comments about the collective bargaining negotiations, violating team rules;</li>
<li>contact between NBA personnel and underclassmen, receiving 16, 18 and 20 technical fouls in one season [a player is automatically suspended for 1 game for his 16th, 18th, 20th, etc. technical foul in the regular season];</li>
<li>shoving another player in the face during a game, escalating an altercation, throwing a ball at a referee during a game, missing a shoot-around, fighting with a teammate, verbally abusing a referee;</li>
<li>leaving the court during a game, improper conduct toward a referee (whatever that means), conducting illegal draft workouts, failing to leave the court in a timely manner following an ejection;</li>
<li>removing jersey on the court, asking publicly to be traded or released, throwing a basketball into the stands during a game.</li>
</ul>
<p><span id="more-1616"></span>Article 35(c) of the <a href="http://blog.techprognosis.com/wp-content/uploads/2011/05/NBA_Constitution.pdf">NBA_Constitution</a> gives the commissioner broad discretion to fine players whose &#8220;act or conduct […] has been prejudicial to or against the best interests of the Association or the game of basketball&#8221;.</p>
<p>Notable NBA fines include:</p>
<ul>
<li> $100,000 by Kobe Bryant of the Los Angeles Lakers for using a derogatory slur on a referee during a basketball game;</li>
<li>$50,000 by Joakim Noah of the Chicago Bulls for directing a derogatory slur at a fan during a game in Miami;</li>
<li>$500,000 by Dallas Mavericks owner Mark Cuban for repeatedly criticizing the league&#8217;s officiating;</li>
<li>$75,000 by Lakers coach Phil Jackson after he spoke to reporters about ongoing collective-bargaining negotiations;</li>
<li>$3.5 million by the Minnesota Timberwolves (in addition to five first-round  draft picks) for making an  under-the-table deal with forward Joe Smith;</li>
<li>$5 million by Ron Artest who served an 86-game suspension because of his role in the mega-brawl among players and fans at an Indiana Pacers-Detroit Pistons match;</li>
<li>$100,000 by Cleveland Cavaliers owner Dan Gilbert for calling LeBron James&#8217;  decision to play for the Miami Heat a &#8220;cowardly betrayal&#8221; and a  &#8220;shocking act of disloyalty.&#8221;</li>
</ul>
<p>The latest in the rounds of fines were the $100,000 levied on Kobe Bryant of the Los Angeles Lakers for using a derogatory slur on a referee and $50,000 on Joakim Noah of the Chicago Bulls for directing a derogatory slur at a fan.</p>
<p>The fines on Noah and Bryant generated a lot of debate because they happened &#8220;in the heat of the game&#8221; where the players were either reacting to what they felt were bad calls or were being heckled by a fan of the opposing team. Joakim Noah, for example, said he was &#8220;just caught up&#8221;.</p>
<p>And as a fan commented, &#8220;The &#8230; slur is probably uttered a dozen or more times on the court during a game and nothing happens. These two incidents were simply caught on camera. A couple of fines are not going to change a culture that was years in the making. Get real.&#8221;</p>
<p>What does this teach us about non-compliance? A lot of pain and suffering. But the critical factor here is that they were fined because they got &#8220;audited&#8221; if you will. Can anyone deny that players use very raw language all the time? Even during the course of a game, I have heard people say &#8220;oh, he used a bad word&#8221; when a player misses a shot or a team loses a game. The X-Factor here is that Kobe and Noah had TV cameras on them when the &#8220;violations&#8221; happened.</p>
<p>If we take Kobe and Joakim as small business owners and the TV cameras as auditors, a fine resulting from non-compliance can be devastating and can lead to a lot of hurt. Granted, Kobe, Joakim Noah and Coach Phil will hardly miss the &#8220;chicken change&#8221; called fines, but I bet you Ron Artest missed his five million when he had to sit out an entire season due to suspension, as will a small business that may be forced to cough up millions of dollars due to a violation.</p>
<p>These are the laws that lay down rules or regulations that could lead to fines:</p>
<ul>
<li>Health Insurance Portability and Accountability Act of 1996 (<strong>HIPAA</strong>) &#8211; enacted to improve efficiency in healthcare information delivery by standardizing electronic data interchange.</li>
<li>Health Information Technology for Economic and Clinical Health Act (<strong>HITECH</strong>) &#8211; which imposes data breach notification requirements for unauthorized uses and disclosures of unencrypted Personal Health Information (PHI), among other things.</li>
<li>Stored Communications Act (<strong>SCA</strong>) &#8211; addresses voluntary and compelled disclosure of email and other digital communications stored on the internet by third-party internet service providers.</li>
<li>Sarbanes-Oxley Act (<strong>SOX</strong>) &#8211; holds the CEO and CFO accountable for maintaining effective internal controls over financial and operational processes. Failure to comply can result in significant fines and even criminal penalties.</li>
<li>Payment Card Industry Data Security Standard (<strong>PCI DSS</strong>) &#8211; a worldwide standard that includes specific technical requirements, such as data encryption, user  access controls, activity monitoring and event logging systems for the  protection of cardholder information. Non-compliant companies risk losing their ability to process credit card payments and being audited and/or fined.</li>
<li>Gramm-Leach-Bliley Act (<strong>GLBA</strong>) &#8211; comprised of several components related to the collection, disclosure, and protection of consumers’ nonpublic personal information including: the Financial Privacy Rule, the Safeguards Rule, and Pretexting Protection.</li>
<li>UK Data Protection Act of 1998 &#8211; organizations that do business in the United Kingdom must comply with the broad-sweeping Data Protection Act of 1998. This legislation governs the security of personal data, defined as any data about a living and identifiable individual.</li>
</ul>
<p>And many others.</p>
<p>The lesson for small and medium businesses is that while they may think they are &#8220;too small&#8221; to worry about compliance issues, when the auditors (TV cameras) put the spotlights on them, it won&#8217;t matter whether the cat made away with a compliance policy or that the security team &#8220;planned&#8221; on encrypting PII data &#8220;soon&#8221;.</p>
<p>It does not make a difference if your violation was due to the dog eating your paperwork, or whether your kid used your laptop as a Frisbee; you are going to be fined. Did Kobe or Noah mean any harm by what they said? I believe it is safe to say &#8220;No&#8221;. But they knew the rules and agreed to be bound by the rules and regulations of the &#8220;Association&#8221;.</p>
<p>For example, here&#8217;s what HIPAA violations can do to you:</p>
<ul>
<li>a fine of up to $50,000, or up to 1 year in prison, or both; (Class 6 Felony)</li>
<li>if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;  (Class 5 Felony)</li>
<li>if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine up to $250,000, or up to 10 years in prison, or both.  (Class 4 Felony)</li>
<li>HIPAA also provides for civil fines to be imposed by the Secretary of DHHS &#8220;on any person&#8221; who violates a provision of it. The maximum is $100 for each violation, with the total amount not to exceed $250,000 for all violations of an identical requirement or prohibition during a calendar year.  (Class 3 Felony)</li>
</ul>
<p>An argument can also be made that the biggest consequence of noncompliance with the law is lawsuits. They are expensive, time-consuming, and morale killers.<br />
For example, a group of pipe-fitters refused to install a weaker and cheaper valve in a line for a nuclear power plant. One of the pipe-fitters got some more expensive and stronger valves that would hold the pressure, and these were installed. Instead of receiving praise for their work, they were laid off by the management of the company. The employees sued, claiming retaliation for blowing the whistle on the company and management for the use of the weaker and cheaper valve. The jury of 12 awarded the pipe-fitters $4.7 million.</p>
<p>Another example is the Health Information Technology for Economic and Clinical Health (HITECH) Act that was enacted in 2010 which among other things improved and expanded current Federal privacy and security protections for health information. The new law ensures that new entities that were not contemplated when the Federal privacy rules were written, as well as those entities that do work on behalf of providers and insurers, also known as &#8220;business associates&#8221;, are subject to the same privacy and security rules as providers and health insurers.</p>
<p>One sector that will face non-compliance challenges under the HITECH Act is the legal sector. Whereas the focus of HIPAA privacy compliance in law had previously been limited or quasi-restricted to legal entities who handle health-related information (typically HR), lawyers are now bound by the same HIPAA security and privacy guidelines as healthcare providers, including penalties for data security breaches and/or non-compliance with Federal regulations. They are now required to implement all of the HIPAA Security Rules for all client-related electronic protected health information (ePHI).</p>
<p>So while many of us may understand that Kobe and Joakim committed their non-compliance violations in the heat of the moment and that they did not mean any harm, they agreed to abide by the rules and policies of the NBA just like a health care provider agreed to abide by the rules of HIPAA. They were well aware of the consequences of any violations.</p>
<p>If you are a small or medium business out there without a boatload of cash to handle a case of non-compliance, the best bet is to start now. Review the regulations that impact your organization and make sure your organization stays up-to-date with constantly changing rules to help stay compliant.</p>
<p>According to an Iron Mountain report on &#8220;Best Practices for Records Management&#8221; which encompassed a diverse, broad-based sample of nearly 3,500 organizations across almost every vertical market:</p>
<ul>
<li>13% of all organizations surveyed managed electronic records in compliance with a records retention schedule.</li>
<li>29% of all respondents said they had no written employee notification procedure should there be a need to cease disposal of records related to actual or anticipated legal actions, investigations, or audits.</li>
<li>63% of all respondents did not have a records training program.</li>
</ul>
<p><strong>Shameless Plug:</strong></p>
<p>If you own a small business in the Austin area and have fewer than 20 employees, see how you can get started with compliance risk assessment without upfront or out-of-pocket cost <a title="Refresh Your Network with Upfront Cost" href="http://www.techprognosis.com/refresh">here</a>. Tech Prognosis can review your current environment to see where you may need help.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2011/05/25/nba-fines-and-non-compliance-lessons-for-smbs.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ABCs of a Business Continuity Plan</title>
		<link>http://blog.techprognosis.com/2011/05/22/the-abcs-of-a-business-continuity-plan.html</link>
		<comments>http://blog.techprognosis.com/2011/05/22/the-abcs-of-a-business-continuity-plan.html#comments</comments>
		<pubDate>Mon, 23 May 2011 01:54:32 +0000</pubDate>
		<dc:creator>Daniel Ihonvbere</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Enterprise Computing]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Storage]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1544</guid>
		<description><![CDATA[The ABCs of a Business Continuity Plan: How To Stay in Business After an Extended Outage You&#8217;ve probably heard this sermon a million times, but we will keep harping on it until small business owners start taking the issue of business continuity and disaster recovery planning more seriously. Those in the trenches know the familiar [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignleft size-full wp-image-1569" style="margin-left: 8px; margin-right: 8px;" title="tp_oops" src="http://blog.techprognosis.com/wp-content/uploads/2011/05/tp_oops1.jpg" alt="" width="112" height="125" />The ABCs of a Business Continuity Plan: How To Stay in Business After an Extended Outage<br />
</strong></p>
<p>You&#8217;ve probably heard this sermon a million times, but we will keep harping on it until small business owners start taking the issue of business continuity and disaster recovery planning more seriously.</p>
<p>Those in the trenches know the familiar drill: you get a call about a failed hard drive, a system that is down, a lost laptop, a folder encrypted by a former employee, or the worst, an inaccessible office. Of course the first statement you make is &#8220;no problem, we&#8217;ll just restore from backup&#8221;. That is until you see the guilty look on the client&#8217;s face and the reality hits you: there is no backup or if there is one, it is either not up to date or has never been verified.<span id="more-1544"></span></p>
<p>Although the business world has enough reminders about what could happen to companies without adequate business continuity and disaster recovery plans &#8211; hurricanes Katrina and Rita, the Indian Ocean tsunami, the earthquake in Japan, the recent deadly floods, and the numerous fires and vandalism that plague businesses every year &#8211; the harsh reality is that SMEs (Small and Medium Enterprises) do not have business continuity and disaster recovery as priorities. As Anne Marie Staley of the New York Exchange aptly put it:</p>
<blockquote><p>Until recently, most organizations treated business continuity like health insurance. [They focused on] getting the cheapest coverage, hoping nothing ever happens, reluctantly paying the premium each month and praying that when the inevitable happens, they have enough coverage.</p></blockquote>
<p>Most SMEs are content with the fact that there is access to the server (a converted Windows XP box in most cases) and employees have access to the network, the internet and email are working; until a virus hits one of the workstations that was hosting the customer database, or the server goes up in smoke and suddenly business grinds to a halt and the scramble begins to get the IT guy. Nothing is more painful than seeing a business close its doors because of lack of a simple business continuity and disaster recovery plan.</p>
<p><strong>What is Business Continuity Planning?</strong></p>
<p>Removed from the high-level talk, business continuity planning simply means providing methods and procedures for dealing with outages and disasters that could last for a long time, like a tornado wreaking havoc in Alabama as happened recently.</p>
<p>Business Continuity Planning is the last leg (Availability) of the concept known as the CIA Triad (Confidentiality, Integrity, Availability) in information security circles. It specifically deals with the &#8220;now&#8221; after an event, before humpty-dumpty is put back together. It tackles the issue of how to ensure that the resources required to keep the business going are available to those who need them within the company.</p>
<p>What do we do now that the building has burned down? How do we reach or communicate with our staff when communication lines are disabled? What do we do now that our building has been washed away along with our servers and desktop computers? Having access to critical data that a company needs to get up and running as quickly as possible in the event of a disaster, man-made or natural, is the main goal of a Business Continuity Plan (BCP). Call it planning ahead or having the foresight to improve the chances of resuming business should stuff happen.</p>
<p>These could be resources, personnel and tasks that are required in order for the business to stay profitable. It does not matter if the disruption was caused by an earthquake or an accidental deletion of your customer database. Statistics have shown that the longer it takes a business or an organization to resume normal operations after a disaster, the higher the possibility that it may never recover.</p>
<p>The big question is, can you continue to operate as a business should some type of disruption happen?</p>
<ul>
<li> Do you have a backup of your accounting database for example, on something as simple as a USB stick that you can copy to a folder and reconnect so your business can go on?</li>
<li>If a critical employee calls in sick, or leaves the company, does business grind to a halt or can someone else fill in?</li>
<li>Do you have supply chain partners that provide critical services? What happens if they go out of business or are unreachable? Even a big company like Nissan recently had to shut down factories and operations for three days because its suppliers could not make deliveries.</li>
<li>What happens if the internet connection is down? Is there a backup internet connection like a dial-up or broadband? I had a client once that fussed when we suggested a broadband subscription as a backup to their T1. The benefit of that investment came when they had a major roll-out of an e-commerce site and the T1 connection had problems and we switched to the broadband line while the T1 line was being worked on.</li>
<li>Do your employees know what to do, who to call, where to go etc. in the event of an emergency?</li>
<li>Do you have an evacuation plan and are employees aware of that plan?</li>
</ul>
<p>There is a tendency for those of us in IT to focus too much on the technology aspects of a business continuity plan. Yes, data is essential, but so are people. This is exemplified by the instructions you get on an airplane -  &#8220;In case of an emergency, save ya neck and forget your Versace briefcase!&#8221;</p>
<p><strong>What is included in planning for Business Continuity?</strong></p>
<p>The first thing is to adhere to the rule of &#8220;Know thy self!&#8221;. There is hardly any point in planning for BCP if an organization has no understanding of how it works &#8211; its processes, people and systems &#8211; in enough detail to make rebuilding effortless. Knowing the organization means knowing the core pieces and parts that make it tick. It means knowing how people, data, network and functions are tied to the various roles within the organization. If the CEO were to suddenly &#8220;take off&#8221;, do you have a plan for succession? Take a look at the <a href="http://blog.techprognosis.com/wp-content/uploads/2011/05/zachman_poster.pdf">Zachman_Framework</a> to get an idea of what it means to &#8220;Know thy self&#8221;.</p>
<p>The next question to ask is &#8220;Why?&#8221; While the main reason for a BCP usually revolves around dealing with an unexpected mishap, it sometimes goes a little deeper. The primary reason for a BCP should be to maintain the goals of the business or organization. For commercial entities, that could mean sustaining profitability, and for non-commercial entities, the main reason could be to ensure that service to the community is not disrupted or that disruption is reduced to a minimum level.</p>
<p>According to the National Institute of Standards and Technology (<a title="NIST Publication 800-34" href="http://www.techprognosis.com/white-papers/file/18-nist-800-34.html">NIST, Publication 800-34</a>), there are six crucial steps in Business Continuity Planning:</p>
<ol>
<li>Develop a planning policy statement &#8211; for guidance and the assignment of authority to various roles (or decide who gets axed should stuff happen)</li>
<li>Conduct a Business Impact Analysis &#8211; you identify critical systems, processes and people; identify vulnerabilities or weaknesses, potential threats and accompanying risks.</li>
<li>Identify preventive controls &#8211; determine how to reduce the risk level of the business.</li>
<li>Create contingency strategies &#8211; backup and recovery, offsite storage, alternate sites, equipment replacement, cost considerations, roles and responsibilities</li>
<li>Test, Train and Conduct Exercises (TT &amp; E)</li>
<li>Maintain the plan</li>
</ol>
<p>The performance of a Business Impact Analysis is very important. This is where a business or an organization identifies the systems, processes and resources that are most crucial and the effect an extended disruption in access will have. The greater the potential impact, the more a company should invest to restore a critical system, resource or process quickly. For instance, a company may decide to pay for completely redundant IT systems that would allow it to immediately start processing at another location, or decide that it is safe to wait for 24 hours or longer before resuming business.</p>
<p>A Business Impact Analysis will help companies set a restoration sequence to determine which parts of the business should be restored first.</p>
<p>Other important <a href="http://www.csoonline.com/article/204450/business-continuity-and-disaster-recovery-planning-the-basics?page=2#3">suggestions</a> include:</p>
<ul>
<li>Develop and practice a contingency plan that includes a succession plan for your CEO.</li>
<li>Train backup employees to perform emergency tasks. The employees you count on to lead in an emergency will not always be available.</li>
<li>Determine offsite crisis meeting places and crisis communication plans for top executives. Practice crisis communication with employees, customers and the outside world.</li>
<li>Invest in an alternate means of communication in case the phone networks go down.</li>
<li>Make sure that all employees &#8211; as well as executives &#8211; are involved in the exercises so that they get practice in responding to an emergency.</li>
<li>Make business continuity exercises realistic enough to tap into employees&#8217; emotions so that you can see how they&#8217;ll react when the situation gets stressful.</li>
<li>Form partnerships with local emergency response groups &#8211; firefighters, police and EMTs &#8211; to establish a good working relationship. Let them become familiar with your company and site.</li>
<li>Evaluate your company&#8217;s performance during each test, and work toward constant improvement. Continuity exercises should reveal weaknesses.</li>
<li>Test your continuity plan regularly to reveal and accommodate changes. Technology, personnel and facilities are in a constant state of flux at any company.</li>
</ul>
<p>In summary, a viable Business Continuity Plan will be highly dependent on the overall planning framework adopted, a thorough Business Impact Analysis, the identification of operational recovery requirements, recovery strategies, plan development, testing and feedback mechanism and delivering awareness and training throughout an organization.</p>
<p>If you need help putting a Business Continuity Plan together or revising an old one, Tech Prognosis can help. Give us a call at (512) 814-8044</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2011/05/22/the-abcs-of-a-business-continuity-plan.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The &#8220;Free Trial&#8221; Trap and How To Avoid It</title>
		<link>http://blog.techprognosis.com/2011/05/14/the-free-trial-trap-and-how-to-avoid-it.html</link>
		<comments>http://blog.techprognosis.com/2011/05/14/the-free-trial-trap-and-how-to-avoid-it.html#comments</comments>
		<pubDate>Sat, 14 May 2011 17:32:15 +0000</pubDate>
		<dc:creator>Daniel Ihonvbere</dc:creator>
				<category><![CDATA[Enterprise Computing]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[due diligence]]></category>
		<category><![CDATA[free trial]]></category>
		<category><![CDATA[managed services]]></category>
		<category><![CDATA[trial software]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1509</guid>
		<description><![CDATA[We&#8217;ve all been subjected to it: &#8221; Install our software or hardware and use it for 30-60 days and if you do not like it, simply remove it and you will get your money back, no questions asked&#8221;. Well, there-in lies the problem &#8211; that no questions are being asked. Have you ever subscribed to [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-1526 alignleft" style="margin-left: 8px; margin-right: 8px;" title="tp-warning-sign" src="http://blog.techprognosis.com/wp-content/uploads/2011/05/tp-warning-sign.jpg" alt="" width="143" height="122" />We&#8217;ve all been subjected to it: &#8220;Install our software or hardware and use it for 30-60 days and if you do not like it, simply remove it and you will get your money back, no questions asked&#8221;. Well, therein lies the problem &#8211; that no questions are being asked.</p>
<p>Have you ever subscribed to a &#8220;free&#8221; magazine only to spend frustrating months trying to get them to stop billing you for the useless magazine? Think of that situation magnified ten times. Here&#8217;s why.<span id="more-1509"></span></p>
<p>Say you sign up for a free trial of payroll management software, enter all your data, train your employees on it, use it for a couple of weeks and then decide that the investment is not worth it. What then? Are you going to remove all your data from the trial software and start all over with something different? Most likely not. And that is what the offer of the free trial is all about: a typical bait, especially if you are coming from a heavily manual system to an automated one. The sheer horror of the amount of work involved in the &#8220;cancellation&#8221; makes most people buy the license for the software.</p>
<p>Take another example, the Hardware-as-a-Service offering. When you are asked to try out servers, phones, desktop computers and switches for ninety days after which you can remove them with no questions asked, shouldn&#8217;t you ask what happens after the trial? Do you bring your old systems back online? Do you tell your users &#8220;sorry, I know you loved the new Windows 7 computers but we have to give them back&#8221;? How about the sales people who just love their Cisco Unified Communications (UC) systems that allow them to put their feet up and video conference with clients? Do you tell them to give up their new toys and risk a huge collapse in morale? My guess would be, not likely.</p>
<p><strong>What Do You Do?</strong></p>
<p>Be sure to do your due diligence before accepting any offer of a free trial. We had the experience once of using &#8220;trial&#8221; software that the employees just loved, but the price post-trial was outrageous. It turned out that we did not ask enough questions and did not know that the trial version was limited to three users. That was not going to work in an office of fifty employees. Know what you are getting for the trial. How many users are allowed? Is there a guarantee that there will be no price creep once you sign up &#8211; one of those &#8220;oh, that was not part of the original quote&#8221; scenarios you hear about?</p>
<p>Try the software in a virtual environment. Hardware is affordable enough these days that you can afford to buy a hefty server with enough hard drive space and memory so you can simulate your production environment without affecting your current data. Oracle&#8217;s <a href="http://www.virtualbox.org/">VirtualBox</a> is free (no trial here) virtualization software that is cross-platform &#8211; it works on Windows, Linux, Macs and Solaris. You can use Windows 7 for 30 days without a license and that should cover your trial period. If not, just create a new virtual machine and go for another 30 days.</p>
<p>Using a virtual environment for trying out software is especially important if the software is a newer version than your current version, since that will likely involve an upgrade. And you do not want to use trial software to upgrade your production system. This is even trickier because not all software will allow you to roll back to your old version.</p>
<p>If you are subscribing to a Hardware-as-a-Service solution, get one of everything &#8211; server, desktop, phone, switch etc. and run them in parallel with your current system using sample data. It is even better to create a test network or sub-network with limited access to your production environment. If things appear to be working and you want to move forward, encourage a gradual transition with your less critical systems first. You do not want to come into the office on Monday and discover that your new network is not working.</p>
<p>If it is a cloud-based service trial, avoid using live data during the trial period. Why? What if you decide that it is not what you want and say &#8220;Thanks, but no thanks&#8221;? Your live data is now sitting on someone&#8217;s server and there is no way of knowing if they will remove it permanently. Remember that most of the providers have real-time backup systems that will copy a file to multiple locations as soon as the data hits the data center.</p>
<p>Work with a professional if you think you are in over your head. It is your company we are talking about. There is no shame in asking for help, even if it makes you &#8220;look stupid&#8221;.</p>
<p>Happy computing.</p>
<p>It should be repeated for those who do not pay enough attention to backups. Please make a complete system backup before you even install an agent of the new software in your environment. That way, you may suffer the indignity of having to restore your system, but you will have the satisfaction of limiting the damage and avoiding something worse: losing data.</p>
<p><strong>Shameless Plug:</strong></p>
<p>If you own a small business in the Austin area and have fewer than 20 employees, see how you can refresh your computer systems without the &#8220;free trial&#8221; gimmick and with no upfront or out-of-pocket cost <a title="Refresh Your Network with Upfront Cost" href="http://www.techprognosis.com/refresh">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2011/05/14/the-free-trial-trap-and-how-to-avoid-it.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Cloud And Your Business: Where is Your Umbrella?</title>
		<link>http://blog.techprognosis.com/2011/05/04/the-cloud-and-your-business-where-is-your-umbrella.html</link>
		<comments>http://blog.techprognosis.com/2011/05/04/the-cloud-and-your-business-where-is-your-umbrella.html#comments</comments>
		<pubDate>Wed, 04 May 2011 19:06:04 +0000</pubDate>
		<dc:creator>Daniel Ihonvbere</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Enterprise Computing]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[saas]]></category>
		<category><![CDATA[the cloud]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1487</guid>
		<description><![CDATA[That there is a lot of hype in the technology industry about &#8220;the cloud&#8221; is pretty obvious these days. You will be hard pressed to  read an article about technology (this one included) without some reference to the beauty, ease and affordability of cloud services. The argument is that IT infrastructures have become too complex [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-1488 alignleft" style="margin-left: 8px; margin-right: 8px;" title="tp_cloud-umbrella" src="http://blog.techprognosis.com/wp-content/uploads/2011/05/tp_cloud-umbrella.jpg" alt="" width="154" height="100" />That there is a lot of hype in the technology industry about &#8220;the cloud&#8221; is pretty obvious these days. You will be hard pressed to  read an article about technology (this one included) without some reference to the beauty, ease and affordability of cloud services.</p>
<p>The argument is that IT infrastructures have become too complex and fragile for the pace and dynamism of modern day business. Champions of moving everything to the cloud are quick to point out that over 70 percent of current IT investment remains focused on maintenance. Worse yet, it is argued, users are clamoring for faster response times and of course management wants all the good stuff but is unwilling to pay for it. So, cloud computing to the rescue. <span id="more-1487"></span></p>
<p>It is true that cloud computing holds real promise of agile, efficient IT service delivery that could dramatically reduce the complexity surrounding modern computing infrastructure, significantly reduce costs, and lead to greater business responsiveness. The concern, especially for the small business owner, is that this promise of &#8220;ease&#8221; will be carried to an extreme and due diligence will be a victim. There seems to be a tacit assumption that once it is in the cloud, it must work and there is no need to do anything else.</p>
<p>Vendors who are pushing these offers of &#8220;a new model that cuts through IT complexity by leveraging the efficient pooling of on-demand, self-managed virtual infrastructure, consumed as a service&#8221; are not doing enough, in my opinion, to educate prospective candidates of cloud services about what lies ahead and what could happen should the cloud generate some thunderstorms and lightning. The &#8220;just put it in the cloud&#8221; marketing blitz is using an overly simplistic approach that tends to trivialize the complex workings of cloud services.</p>
<p>For example, when a vendor convinces a merchant to turn payroll over to the cloud, are there fall-backs in place so that employees can still get paid even if the cloud service is unavailable? How about payment processing? Do you stop collecting payments when your online credit card system stops working or can you still collect payments and sync with the provider when service resumes? Is there a possibility that you (the subscriber) could lose your data, encounter massive disruptions and incur additional costs?</p>
<p>Take a look at the big guns of cloud services who have suffered some form of outage in recent times &#8211; Amazon, Yahoo!, Google, Microsoft, Skype, The Planet, Intuit, Netsuite, Hostin.com, Twitter, EMC Atmos, Salesforce.com, etc. Obviously these giants of cloud services did everything in the book to make sure they achieved the enviable five nines of uptime. But as we have seen, when stuff happens, it happens. The question is how prepared subscribers to cloud services are when there is an outage. When the Amazon outage came down, only a few companies had the foresight to pay extra money for fail-over locations and were thus able to avoid significant down time. The key word there is &#8220;extra money&#8221;.</p>
<p>We have read reports of businesses that lost lots of data because they put all their trust in a cloud service and got burned. The Amazon outage, which was sparked by an error made during a network configuration change, led to disruptions and service outages for its Elastic Compute Cloud (EC2) and Relational Database Service (RDS) customers and lasted for about four days. That is a lot of time to close shop if you had no alternative. The main reason most people were caught by surprise by the Amazon outage was that &#8220;it (Amazon&#8217;s Cloud Services) had worked well for so long and we did not think this would ever happen&#8221;.</p>
<p>How prepared are you to handle the disruption to business, and services to customers when lightning strikes; and how patient are you willing to be when the cloud service is offline and the provider is &#8220;working feverishly&#8221; to resolve the problem?</p>
<p>For example, when Intuit’s online accounting and tax services went down due to a power failure that occurred during a routine maintenance procedure, the incident affected the company’s primary and backup systems, and took down a number of the company&#8217;s Websites and services. The result was that as many as 300,000 small and midsize businesses were left in limbo until services were restored &#8211; several days&#8217; worth of limbo.</p>
<p>So what now? The key to realizing the advantages of cloud computing is tailoring the cloud model to work for your business and your approach to IT. The bottom line is that we have to go back to basics &#8211; step back if you will, and take another look at the plan for cloud services if there is one. If there is none, grab your service provider or IT staff and hash one out.</p>
<p>What exactly are you purchasing and what is plan B? Do you understand the technology you are buying? How long can you afford to be closed for business when something goes wrong? Does it make sense for you to do a 50/50 implementation where you have your critical services on a fail-over server on premise or at a different geographic location (from the current host)? With virtualization technology and the falling cost of high-end hardware, one server can do a lot these days. Does it make sense to have a box sitting in your office that you can fire up and at least get some work done when the cloud goes dark?</p>
<p>The IT world is used to outages and disruptions and can handle them very well. The mind-set of a business owner is different. It is no fun when you watch thousands of dollars slip away because your website is offline or the payment processing cloud service is down. At the end of the day, disaster recovery and fail-over strategies are key in dealing with outages in cloud services.</p>
<p>If you are a small business owner considering moving your critical applications and services to the cloud, the best path will be to have a subject matter expert assist you in the process.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2011/05/04/the-cloud-and-your-business-where-is-your-umbrella.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WeR1 v Cyberlynk: Ethics and Danger in the Cloud</title>
		<link>http://blog.techprognosis.com/2011/04/05/wer1-v-cyberlink-ethics-and-danger-in-the-cloud.html</link>
		<comments>http://blog.techprognosis.com/2011/04/05/wer1-v-cyberlink-ethics-and-danger-in-the-cloud.html#comments</comments>
		<pubDate>Tue, 05 Apr 2011 22:07:04 +0000</pubDate>
		<dc:creator>Daniel Ihonvbere</dc:creator>
				<category><![CDATA[Cloud Computing]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Storage]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[Backups]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cloud storage]]></category>
		<category><![CDATA[cyberlynk]]></category>
		<category><![CDATA[wer1]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1422</guid>
		<description><![CDATA[A recent lawsuit involving WeR1 World Network and CyberLynk Network brings up the issue of ethics, responsibility and danger in the much-hyped &#8220;Cloud&#8221; storage utility that has been aggressively pushed by most of the major vendors in recent times. The gist of the case is that a disgruntled employee of Cyberlynk managed to log [...]]]></description>
			<content:encoded><![CDATA[<p><img class="size-full wp-image-1431 alignleft" style="margin-left: 8px; margin-right: 8px;" title="Dangers_Of_Cloud_Computing" src="http://blog.techprognosis.com/wp-content/uploads/2011/04/DangersOfCloud.jpg" alt="" width="195" height="110" />A recent <a href="http://www.courthousenews.com/2011/03/31/35406.htm">lawsuit</a> involving WeR1 World Network and CyberLynk Network brings up the issue of ethics, responsibility and danger in the much-hyped &#8220;Cloud&#8221; storage utility that has been aggressively pushed by most of the major vendors in recent times.</p>
<p>The gist of the case is that a disgruntled employee of Cyberlynk managed to log back into the Cyberlynk network after he was fired and proceeded to delete about 304GB of data, which happened to include an entire season of the TV show called “Zodiac Island” produced by WeR1 network.<span id="more-1422"></span></p>
<p>That is the ethics part of it, that a former employee was &#8220;wicked&#8221; enough to delete &#8220;&#8230;an accumulation of two years of work that included animation artwork and live action video production, with contributions from several hundred people and over three dozen companies in the United States and Asia&#8221;. Data he must have known were valuable to another entity who probably had nothing to do with his firing, or did they?</p>
<p>Ordinarily, this would not be a big issue because we will just assume that since this is a service provider, they can just restore the data from backup. Therein lies the &#8220;danger&#8221; part of the whole situation. Apparently, there were no reliable and complete backups because CyberLynk&#8217;s President Adam Hobach supposedly admitted that CyberLynk&#8217;s security and backup had failed and it could not recover all the data. Now that is a scary situation for business owners who rely solely on external providers to back up their critical data.</p>
<p>Of the 304GB of data deleted, about 65GB was permanently lost, leaving the production company with only snippets of its 14-episode season. WeR1 argues that &#8220;[b]ecause this destroyed data includes fragments from each of the 14 episodes, it is now impossible to re-assemble any of the episodes in its entirety&#8221;.</p>
<p>My question is, where is the responsibility on the part of WeR1 in all of this? We were taught that &#8220;The Data Owner is always ultimately responsible&#8221; for their data. It is okay to &#8220;go after&#8221; a service provider for losing your files on their FTP server, but what happened to due diligence?</p>
<p>Was it too much for WeR1 to make local backups of its own data &#8211; given how cheap storage devices are these days? Is it reasonable to assume that there were no formal policies and implemented procedures that would ensure that critical assets were properly protected?</p>
<p>I think it is fair to expect more from a company with &#8220;&#8230;an accumulation of two years of work that included animation artwork and live action video production, with contributions from several hundred people and over three dozen companies in the United States and Asia&#8221;, instead of just relying on the promises of a service provider.</p>
<p>Sadly, WeR1 is representative of the state of many small businesses today, especially those who are &#8220;DIYers&#8221; and are too busy to follow up with external vendors on the state of their data. The cloud hype is admittedly on full assault mode with all kinds of promises of quick access to data, triple backups and 7 nines etc., but&#8230; that does not excuse negligence and laziness on the part of WeR1.</p>
<p>Although this was a case of files on an FTP server, the lesson from this, especially for small business owners, is to look before you leap into &#8220;cloud&#8221; services &#8211; where an external entity has your corporate data in their location, whether it&#8217;s a web server, database server or just plain files. You have to be sure your &#8220;stuff&#8221; can be recovered if the servers of your providers go belly up, or a mischievous employee or ex-employee decides to try their hand at &#8220;hacking&#8221;.</p>
<p>As a small business owner with your data at a remote location, how many times have you asked for a test restore? Never? Well, maybe you should.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2011/04/05/wer1-v-cyberlink-ethics-and-danger-in-the-cloud.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

