Keep it private

By Guest    September 2, 2009


Did you know that every time you install a Facebook application, you give that application developer ALL of your personal profile information and access to your friends' information? That developer could be anyone from a reputable company to a teenager in a foreign country. Did you want to provide all that personal information? Well, you did. And so did I and almost every other Facebook user. Most of us simply click on a pop-up box without reading or understanding all the legal fine print.

Internet companies by default operate around the world and need to comply with the laws of the countries where their users reside. Guest contributor Nicholas Cheung explains the Facebook incident, which also highlights considerations for designing your company’s privacy policies.

Global Privacy Implications for Facebook

Last month, the Office of the Privacy Commissioner of Canada (OPC) issued a report on Facebook after months of investigation into the privacy practices of the popular social networking tool.  In the report, the OPC found that third party applications had unfettered access to personal information that they didn’t need, kept personal information long after accounts had been deactivated and did not make it easy for users to delete their accounts.  Last week, Facebook relented and agreed to make the requested improvements to its privacy practices.

The benefits of these changes are significant, as Facebook will make the changes applicable to all users worldwide, not just in Canada. Quite the achievement for the OPC, since Canadian users account for only about 12 million of the 250 million users across the globe.

There are over a million developers for the third party applications (such as quizzes and games) in Facebook.  Not only were these developers obtaining access to personal information above and beyond what they needed for their applications, it was virtually impossible for Facebook to protect this data once it was obtained.  Under changes that will take about a year to develop, Facebook will allow users more control over the data being accessed by these third party developers.

Canada is fortunate to have strong privacy laws which apply from coast to coast.  Our federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies to all private sector organizations across the country unless a substantially similar law exists in a given province.  Our federal privacy commissioner is an officer of Parliament (similar to the U.S. Congress) and independent of the government of the day.  She enforces our privacy laws and acts as a privacy advocate.

Unfortunately, the U.S. does not have a federal private sector privacy law or a federal privacy commissioner and it may be time to renew the debate over the merits of having either.  The instances of identity theft occur so frequently that it is almost a fact of life.  However for those that are affected, it can take years to rebuild their reputation or have devastating financial consequences.  Just ask Ben Bernanke, the chairman of the U.S. Federal Reserve Bank whose wife lost her purse that contained her checkbook and social security number at a Starbucks.  If it can happen to him, it could surely happen to you.

Sometimes it is possible to change the world in a small way.  Well, at least one emoticon at a time maybe.

Guest contributor Nicholas Cheung is the contributing author of The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises, which is available for purchase at Knotia.


Addressing SaaS Concerns

By Guest    July 9, 2009

This is the second part of a two-part post on using SaaS (Software-as-a-Service) applications within your business. In the first part, Guest Author Vikram Prashar looked at the benefits of using SaaS and why it has become so popular. In this post, he provides information on the potential risks of using this software and ways to mitigate those risks.

How do you make sure YOU are comfortable?

Ultimately, the most important point is for the accounting department (generally the CFO and controllers) to be comfortable that their valuable data is held somewhere secure and that privacy is maintained.  Any organization, regardless of size, should have an in-house security policy in place that addresses access levels, access control, password policy, etc.  Without an enforceable, agreed-upon policy the business is vulnerable to its own employees.  This holds true for manufacturing or engineering applications as well, but financial data tends to draw greater security concerns.  To reach a level where the CFO will be more comfortable, a comprehensive list of items must be addressed regarding SaaS:

  • What access controls are in place? Who can make changes to various user groups within the application and are those changes logged?
  • What change control processes are in place? When can the systems be brought down for scheduled maintenance or patches? Does it require client approval or is it determined by the service provider?
  • Does the service provider conduct regular external third-party security audits on their systems? The service provider should have a penetration test conducted by an external firm such as eEye or Qualys.  These reports should be made accessible to clients for their systems upon request.
  • What kinds of backup and recovery methods exist? Can the service provider ensure that backups are done in a manner consistent with company policy? Furthermore, can they restore data deleted either accidentally or maliciously?  This MUST be tested before going live.
  • If the application connects to your internal user directory (Active Directory), how is the connection made? Is it a point-to-point VPN? How does that affect your access away from the office? Many applications offer single sign-on, but that requires access to your network.  It is not unreasonable to ask for security certifications from the provider’s network engineers: CCIE, CISSP, or similar.
  • Does the service provider have a Statement on Auditing Standards No. 70 (SAS 70) certification? This helps validate that they have adequate operational controls in place.
  • Does the service provider give agreeable Service Level Agreements on all their services? It is imperative that clients get a detailed SLA in writing from any service provider but particularly for a financial application.  What are the consequences for clients not being able to access their systems- refunds, credits, ability to exit the contract?
  • Just because the application is provided by an external service, it doesn’t mean the organization can ignore all the application specific security issues. They must make sure they have controls and methods to ensure password policy, account lock-outs, detailed log files that record unauthorized access, etc. One item to ask them is whether passwords are sent over the internet encrypted or clear-text.  This will provide a strong indication as to the security focus of the Application Service Provider.  If you get a blank look from them when asking them this question, that would be a major red flag.
  • If the application can be accessed via a web browser, who is responsible for updating the security certificate?  Lastly, ask them about the tools used in their application and whether they routinely plug holes for their Java or similar tools.
  • The ASP should be willing to provide you with a tour of their data center upon request. It need not be the exact data center where your applications are stored but it will give you a general idea of their operations.

Summary

In conclusion, SAAS can be as secure as any in-house application.  It requires a similar level of due diligence as the security of your office network, in fact more.  If the aforementioned items are covered and the service provider will give references for any of their clients (you select which ones you want from the service provider’s website) you should be able to enjoy the many benefits of SAAS.  Understand that you will be required to maintain a relationship with your service provider to make sure they continue to meet your needs in a secure and auditable manner.  Enlist the services of an experienced IT consultant or ensure that someone from within the organization does a comprehensive check on these and other organizational specific security concerns.  All application providers will swear that they have a secure and reliable infrastructure, but it is ultimately your responsibility to ensure that a sound policy and service level agreement exist and that these can be enforced.

For further information, Vikram Prashar can be contacted at vprashar@prasharconsulting.com.

Is SaaS right for your business?

By Guest    July 2, 2009

SaaS stands for Software-as-a-Service. It is sometimes referred to by the terms “on demand” or “cloud computing” and is gaining in popularity with smaller businesses. Traditionally, desktop software was installed on a single computer for one person to use, while enterprise software was installed on large servers with many users connecting to it via a client application (or increasingly through a browser).  SaaS vendors run their enterprise-scale software in large data centers and allow individual companies and users to use the software remotely over the internet. This has become big business: Salesforce.com became the first company of this type to reach over $1B in annual revenue.

In this two part post, Guest Author Vikram Prashar will look into why you might use SaaS applications and how to mitigate the risks. Vik is an IT Consultant who has held VP roles at large organizations managing IT departments.

Why SAAS?

SAAS has steadily been emerging as a very popular method of operation for companies of all sizes.  For larger firms, they like the ease of implementation, ability to easily charge back costs to departments, and low overhead required for these applications.  Smaller firms have benefited from it in many ways too.  The biggest advantage is they get pricing normally offered to large corporations.  Additional benefits include:

  • Increasing costs of running a data center
  • Server consolidation
  • Reduced capital investment
  • Reduced energy usage
  • Ability to use the latest technology and tools
  • Business continuity advantages
  • Reduced IT staffing needs
  • Ability to run applications from any location

These are all good reasons why more and more companies are relying on SAAS for their ERP needs.  Applications are becoming more of a commodity that can be purchased on demand on a per user per month basis.  As the company grows licenses can be purchased or returned generally with little impact on software contracts.  From an end user point of view, there are really not a lot of differences between a SAAS vendor and an internal IT department.  Generally an application on a server located on the same local network will perform better than on the cloud, but for many applications the differences are not significant enough to outweigh the numerous benefits of hosted applications.

Basic Concerns:

Of course just because the software is essentially outsourced, it doesn’t mean we can ignore all the other components of application service.  Many of the same concerns that apply to in-house applications also apply to SAAS.  These include:

  • Security
  • Backups & Restores
  • Application availability
  • SLA’s for uptime and performance
  • Application support- patches, software updates, etc.

In Part 2 Vik will give you suggestions on how to mitigate these risks. For further information, you can reach Vikram Prashar at vprashar@prasharconsulting.com.

Virtual Resources

By Trishan Arul    June 16, 2009

In the last post, I discussed how the decreasing price and increasing availability of a wide variety of services have enabled entrepreneurs to run a “virtual company” by outsourcing many of the functions that comprise departments at larger companies. This time, I’m providing a list of various services that can help you create your virtual business. This is by no means an exhaustive list and while I may use some providers, I’m not endorsing any company – I’m just providing some examples to give you a start. Feel free to add more suggestions in the comments.

People Resources:

  • PartnerUp – search listings of opportunities or people looking for new opportunities
  • Fairsoftware – Propose a software project, outline terms (revenue share), and find developers
  • Werkadoo – Remote work environment pulling together people and companies
  • Virtual Assistant – Company (one of many) that provides executive assistants to handle administrative tasks
  • Finance & IT - Shameless plug for our firm! ;) But that’s the last one. At least in this post…

Website & Email:

  • Squarespace – Inexpensive website & blog hosting with simple to use tools
  • Wordpress – Blog hosting & software to power your own blog or a simple CMS for an entire website
  • Google Apps – cloud based email, calendar, intranet, or website with mobile sync

Production Hosting:

  • Amazon Web Services – Scalable, pay as you go, remote computing infrastructure including virtual servers and storage.
  • Rimu Hosting – Virtual servers running a variety of software platforms

Productivity Applications:

  • Open Office -Full Office suite comparable to Microsoft Office with Linux, Mac OS, and Windows versions
  • Google Docs – Online spreadsheet, word processing, and presentation programs
  • Zoho – Suite of web applications geared towards collaboration

Payment Services:

  • Google Checkout – Shopping cart application and credit card processing
  • PayPal – Credit card processing and online “bank” accounts with website integration tools

Office Space:

Logistics & Fulfillment:

Hope this gives you a head start in creating your new virtual business or for taking your existing business virtual.

Go Virtual

By Trishan Arul    May 28, 2009

When I first entered the working world, having a business meant that your company had an office in a big building with furniture, a receptionist & other employees, a fax machine, a phone system, lots of filing cabinets, fancy stationery, you get the picture: a business = physical location. That was then.

In 2009, it’s possible to have a thriving and successful business without a substantive physical presence. We now have the technological tools that enable us to work from anywhere, but even more importantly, people are willing to accept a “virtual business” as a service provider, partner, or customer. With a good website and competent outsourcing partners, it’s very possible to have a one-person company that has the capabilities and appearance of a much larger company. Even in traditional heavy manufacturing industries, new competitors like Fisker Automotive are moving towards a decentralized, virtual business model.

Should you run a virtual business? The answer will depend on the type of business, the talent that is needed, and a host of other factors. Some of the benefits of going virtual include:

  • Lower overhead costs: offices, utilities, furniture, etc. are all expensive. For most service businesses, facilities are the biggest expense after payroll, so being able to minimize or eliminate this expense is a big boost to the bottom line, or, if you’re just starting out, it will reduce your startup expenses.
  • Flexibility: without a physical office, your team is free to work from anywhere, to collaborate as & when needed. You are also not tied down to a physical location which could constrain your growth.
  • Environmental: no commuting and no wasted office space (empty at night & weekends) are just the start of the reduction in your carbon footprint.
  • Productivity: eliminating commuting time, unnecessary meetings, physical distractions at the office, and other wasted time could result in more time for productive work vs. just putting in face time at the office.
  • People: eliminating physical constraints allows you to hire from a much broader pool of qualified individuals and many people will consider it a huge benefit to be able to work remotely on their own schedule.

There are of course downsides, the most common being:

  • Perception: despite changing attitudes, some people still expect to do business with companies in tall downtown office buildings. One entrepreneur told me that his office address in San Francisco’s financial district helped him close a deal with a large East Coast company that wouldn’t have done business with a smaller startup. He was in executive office space but we won’t tell anyone that. ;)
  • People: Some people just work better and need to collaborate in a physical setting. Others need the discipline of a 9 to 5 office location to keep them productive. Some end up spending all their time (including nights and weekends) working while others spend all their time on personal chores, Facebook, and Twitter. It’s critical to find the right people to make a virtual company successful.

I would say that the benefits for a typical service or Web 2.0 business still outweigh the drawbacks. Some tips to increase your chances of succeeding:

  • Set expectations up front about working hours, deadlines, work load, etc.
  • Be very selective when hiring people, you have to trust them to do their work unsupervised, to motivate themselves, and to be very technically literate.
  • Have daily communication with your staff or outsourced service providers, between phone, email, and IM, there’s really no excuse not to check in regularly.
  • Physically get together on a routine basis for meetings, happy hours, celebratory lunches, and so forth to create that human connection. We aren’t robots and most people do work better remotely when they have a face to put to a name.
  • Invest in technology: from your website, to computers, to cellphones, to systems, make sure that you invest in the best tools to create a seamless work environment that offers the productivity of a traditional office.

If you decide to take the leap and create a virtual company or convert your current business into a virtual business model, drop us a line and let us know how it went!

Why Outsource?

By Trishan Arul    March 18, 2009

Full disclosure upfront: this is somewhat of a self-serving post since my company provides outsourced accounting services. :) However, having been on both sides of the coin, I do think I have a good perspective on the pros and cons of outsourcing. Additionally, I think it is especially important for smaller companies to proactively consider how things get done – it’s too easy in the daily rush of things to end up with the wrong people doing the wrong tasks, which can, over time, balloon into bigger problems.

Let’s start with the potential drawbacks:

  • Loss of control: You have to rely on another person to accomplish tasks and in some cases they are remote so you can’t “see” them.
  • Increased communication: The nature of the relationship requires that you spend more time defining projects up front. You’ll need to keep in contact on an ongoing basis, even if it’s just to check in.
  • In-house talent: Using an outsourced provider means that your own staff isn’t developing the necessary skills to perform certain job functions.
  • Cost: This is normally a benefit, but hiring a good, experienced provider may cost more in the short term than having one of your staff take on more work.

I would argue that many of the oft-perceived drawbacks are actually beneficial in the long term. For example, losing some control and having to clearly define processes will often result in improved internal control & workflow. Even the cost concern is overstated. Many companies I’ve worked with made the mistake of having someone with no accounting experience fumbling around in QuickBooks. This results in many weeks of work to clean up months or years of errors. In those cases, doing it right the first time would have been much cheaper in the long run.

Let’s also take a look at the direct benefits:

  • Expertise: An experienced professional will be able to offer specialized skills that would otherwise be unavailable to your business. They can stay up to date in their field (critical for fast moving areas like IT), will be able to oversee/mentor junior staff, are more efficient, and have probably seen & solved your current problems in the past.
  • Cost: If you only need a part time person, an outsourced provider can provide that service at a comparable or cheaper cost because they have greater efficiencies of scale. And tying into the previous point, you can get an experienced person that you would otherwise have not been able to afford. Further, you can avoid one time capital costs such as buying software or servers.
  • Scaling: Some businesses, especially project based, need to scale up & down rapidly to meet changing business conditions. Outsourcers can handle this variable level of work which eliminates the need to hire, train, or use temporary workers which could result in poor performance and potential layoffs.
  • Focus: In my opinion, this is the most important reason to outsource. It allows your company to focus on the skills that set you apart in the market. A successful business does something far better than its competitors, and whatever that is needs to be your team’s core focus. Let someone else handle the tertiary tasks involved in running a business while you keep a strategic view of the company and build on the key competencies that make your business unique & successful.

That’s a high-level rundown of the pros and cons of outsourcing. At the end of the day, what really matters is that you spend time to choose the RIGHT outsourced provider, which can make all the difference in your company’s success.

Look for a provider:

  • with deep experience in their specialty
  • who has worked with similar types & sizes of business
  • with the infrastructure necessary to service your business
  • whom you trust and have a good rapport with

For small business, it usually comes down to the person that you will be working with on a daily basis. Don’t be afraid to ask probing questions and speak with references. Make sure that person fits in to your company culture and shares your long term goals for the company. That will lay the groundwork for a successful outsourcing relationship.