You’ve done the hard work we outlined in the previous two parts of our series on the email beast, and now you are ready to tackle the summit of your email Everest. There are a variety of reasons to retain email, but they generally fall into two categories: “legal” or “industry/business best practice”.
Interestingly enough, there is no federal mandate (yet) directing US businesses on how much or how long email must be retained. However, if your industry is bound by legal or regulatory requirements to retain certain types of electronic documentation for a certain amount of time, you should consult with your lawyer about where this may intersect with documents and information stored in email. If your company establishes a retention policy, it’s incredibly important to adhere to that policy. Deviations or failures to enforce a formal company policy (“I have no idea where that email is, your Honor”) are dealt with harshly in court, and will be costly. Relying on a manual process (such as Outlook’s “archiving” functionality) is fraught with failure, so any formal retention policy should be centrally managed and maintained by an automated process rather than a human. Not all email providers include this capability, especially the consumer “free-mail” services like Gmail, Outlook.com, Yahoo, etc. Business-class services will typically offer retention capabilities as an add-on, so make sure that if you need it, you can actually implement it on the server side.
Bottom line: If you have a formal retention policy, you must enforce it or you could face significant consequences in litigation.
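To make the “centrally managed, automated” point concrete, here is a small Python sketch of what a retention enforcer does. It is an added illustration, not code from this post or from any mail product: it assumes the mailbox has already been exported as a list of message records (the sample messages below are constructed), assumes a per-category policy table (periods chosen for illustration only), and assumes a “hold” flag for messages your lawyer has told you to keep regardless of age. A real deployment would read from and act on the mail server through its own API, and would write the audit log somewhere durable, because the log is the evidence that the policy was actually followed.

```python
"""Added example: a minimal, centrally run email retention-policy enforcer.

Illustration only; not the original post's code and not any vendor's API.
Messages are constructed in-memory records standing in for a mailbox export.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy table: retention period in days, by message category.
# The categories and periods are made up for this example.
POLICY = {
    "general": 365,          # ordinary correspondence: one year
    "financial": 7 * 365,    # e.g. invoices: seven years
    "hr": 5 * 365,           # personnel matters: five years
}


@dataclass
class Message:
    msg_id: str
    category: str
    received: date
    on_hold: bool = False    # assumed legal-hold flag: never purge while True


def is_expired(msg: Message, today: date) -> bool:
    """A message is expired when it is older than its category's retention period."""
    if msg.on_hold:
        return False
    period = POLICY.get(msg.category)
    if period is None:
        # An unknown category is a policy gap; keep the message and let a
        # human decide rather than silently purging it.
        return False
    return msg.received < today - timedelta(days=period)


def enforce(messages, today):
    """Return (ids_to_purge, audit_log) for one scheduled run of the policy."""
    purge, log = [], []
    for m in messages:
        if is_expired(m, today):
            purge.append(m.msg_id)
            log.append(f"{today.isoformat()} PURGE {m.msg_id} "
                       f"category={m.category} received={m.received.isoformat()}")
        else:
            reason = "hold" if m.on_hold else "within-period-or-unclassified"
            log.append(f"{today.isoformat()} KEEP  {m.msg_id} ({reason})")
    return purge, log


# Constructed sample data standing in for a mailbox export.
TODAY = date(2015, 8, 1)
SAMPLE_MESSAGES = [
    Message("m1", "general",   date(2014, 1, 15)),               # past one year: purge
    Message("m2", "general",   date(2015, 3, 1)),                # recent: keep
    Message("m3", "financial", date(2009, 5, 20)),               # inside seven years: keep
    Message("m4", "financial", date(2007, 1, 10)),               # past seven years: purge
    Message("m5", "general",   date(2013, 6, 1), on_hold=True),  # old but on hold: keep
    Message("m6", "unknown",   date(2000, 1, 1)),                # no policy entry: keep
]

if __name__ == "__main__":
    ids, audit = enforce(SAMPLE_MESSAGES, TODAY)
    print("\n".join(audit))
    print("to purge:", ids)
```

Two design choices are worth noting. A message without a policy entry is kept, not purged, because a script guessing at policy is exactly the kind of deviation that is hard to explain later; and every decision, including the “keep” ones, is logged, since a retention policy you cannot prove you followed is only slightly better than none.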
If you fall into the broader, less compliance-bound audience that would like to keep track of the information contained in your vast email archives, consider a different way of retaining that data rather than relying on Outlook archives and your overstuffed email server hard drives. In most cases, people retain emails in order to track conversations with clients, customers, vendors, etc. If your business relies on this information, you should consider a tool that is built specifically for that purpose, and you’ve probably already realized that Outlook is not that tool. Before you despair, I do have good news for you: there are literally hundreds of Customer/Client Relationship Management (CRM) solutions that integrate very well with Outlook. Implementing a CRM solution for your company is not as easy as the sales videos would have you believe, but it may be very worthwhile in the long run.
The most crucial element in successfully implementing a CRM solution to funnel your customer/client emails into is follow-through and consistency. Everyone needs to be fully trained on how to use the system properly, and then they must use the system consistently. Most CRM implementations fail not because the software is bad, but because the company doesn’t get 100% buy-in from the ones who need it the most: executives and the sales team. If everyone has sales responsibilities, then everyone has to use the CRM software.
At the very end of this long climb up “Mount Email”, regardless of what solution you choose to retain, the final consideration should always be data backups. Whether it’s a formal retention platform, CRM solution, or simple PST files, make sure your platform of choice is supported by a solid backup strategy that includes at least 2 different backup mediums. Understand how often your data is backed up, where it’s stored, and how you retrieve it in the event that disaster strikes.
Image courtesy of bplanet at FreeDigitalPhotos.net
Last week we talked about our “growing” email problem. The average size of an individual email as well as the overall volume has increased substantially over the years, and some parts of the email technology platform have changed to accommodate that. In other critical areas it has only barely kept pace or fallen woefully behind. Though it’s changed its look over the years, Outlook still works essentially the same way it did nearly 20 years ago. And while we have more ways to read our email now with the proliferation of mobile devices and cellular data networks, I rarely come across a business professional who isn’t struggling to stay afloat in the growing email tide.
So how do we address this weighty issue?
First off, reduce the volume in any way you can:
- Better spam filters – the best ones work at the server level, and don’t rely on your local email client. If you are using a local spam filter on top of your provider’s “filter”, you need to adjust the settings on the server side so they never get delivered, or change providers. It’s a hassle, but a good spam filter will make it all worthwhile.
- Ditch the mailing lists – if you spend more time shuffling unread newsletters into the “later” folder, you should either look at subscribing to a less frequent digest, or unsubscribe altogether. Ironic advice coming from someone who sends a newsletter. Hopefully because you are reading this, our newsletter makes the cut.
- Separate business and personal – modern email clients and mobile devices allow you to stay on top of multiple email accounts, so there’s no good reason to keep everything in the same mailbox. Don’t go hog wild (5 separate mailboxes is just as bad as a single overstuffed box), but if you are using your business mailbox for everything, you really need to move the personal stuff to a separate email account.
- Delete, don’t archive – once you get over the initial fear of throwing away an email permanently, you may find it amazingly liberating and a great way to reduce stress. Be mindful of your company’s retention policy and business practices, but delete anything that isn’t critical. Because it’s “virtual”, email becomes a convenient way for our “inner hoarder” to manifest itself. As with anything hoarded, the volume rapidly overtakes any benefit gained from keeping the stuff around. Be merciless, even cruel, and give your delete key a solid workout.
A lot of you have heard this advice before (probably from me), but it always bears repeating. The only way to drink from a firehose is to reduce the pressure. Getting in front of your daily email workload will grant you time to focus on the next task: sorting, filing and putting to use the email you do decide to keep.
Make sure to stop in next week for the final part of our series on taming the email retention beast!
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Due to a vulnerability in Android’s implementation of MMS, nearly one billion smartphones and tablets could be impacted by a security weakness known as Stagefright. In a nutshell, an attacker exploiting this vulnerability could send an MMS message with an infected attachment that could literally take over your device without you knowing it. Even though Google has released a fix for this vulnerability, none of the major carriers and manufacturers have pushed the update to the affected devices, including Google’s own Nexus devices, which are due to be patched next week.
What this means for you:
This vulnerability can affect you even if you don’t open an infected MMS attachment, which could appear as a picture, movie or just about anything that can be attached to an SMS message. The vulnerable Stagefright code is what generates the thumbnail preview of the attachment in your SMS application, so merely having the attachment appear while scrolling through your messages would be enough to get infected. Regardless of what app you use to view MMS messages on your Android device, the only way to combat this attack is to prevent your device from automatically downloading MMS attachments. In Google’s default SMS application, Hangouts, this is accomplished by doing the following:
- With Hangouts open, tap the Menu icon (3 horizontal lines in a stack) in the upper left corner.
- Tap the “Settings” icon (looks like a gear)
- Tap “SMS” (usually at the bottom of the list, below “Add Google Account”)
- Scroll down to “Auto retrieve MMS” and uncheck that box.

If you aren’t using Hangouts to view your SMS and MMS, make sure you check with the software developers to find out if disabling this option is possible in their app. I was previously using ChompSMS as my messaging app, and this option was NOT available, so I immediately switched back to Hangouts.
Of all the operating system releases in their long and storied history, Microsoft seems at last to be launching an OS that is at once very competent and highly anticipated. In case you didn’t know what today was, Microsoft is launching Windows 10 to the world, and it’s a sure bet that thousands (if not millions) of people are attempting to upgrade right now. As a technology evangelist, I applaud their enthusiasm, but as your technology consultant I strongly advise against taking the plunge on opening day.
Here are five reasons why:
- Even though Windows 10 has been in large-scale testing and beta for months, there will likely be plenty of as-yet undiscovered bugs and problems. This has been the case with every operating system ever released in the history of computing. I don’t think I’m going out on a limb to say there will be bugs, and it will take time to sort them out. Day one upgrades rarely go well for the average computer user.
- Though supposedly the upgrade process is the easiest it’s ever been, I’ve already seen problems with user-initiated upgrades. If you are not careful, you could lose access to business-critical apps, or even your data. Make sure you back up before you upgrade!
- If you haven’t already tested them, make sure your business-critical apps will run on Windows 10 before upgrading your work computers. Even if they do, make sure the software developer has officially given the “thumbs up” – many are not supporting Windows 10 yet, and it may be many months before they are ready to do so.
- Microsoft’s new terms of use have taken a much more invasive stance with regards to your personal privacy. This article summarizes them neatly, but in a nutshell, Windows 10 will be sharing a lot about you, your data and browsing habits unless you disable these “features”. It’s a safe bet that in the first heady days on our whirlwind romance with the new OS, many of us will ignore or forget about this.
- As most will get their free copy of Windows 10 as an upgrade to an existing install of Windows 7 or 8, you need to make sure your current OS is in perfect health. Upgrading a damaged or compromised OS will only lead to heartache and headache, so make sure you get a clean bill of health before upgrading to 10.
If you’d like to read more about Windows 10, I recommend Microsoft’s FAQ. At the very minimum, check with your nearest IT professional about upgrading before you take the plunge, and make sure you have a contingency in place, because, despite our industry’s efforts, Murphy’s Law remains incontrovertible.
Hacktivism is not new, but when the data stolen and released targets a group already besieged by violent acts of “protest”, have the hackers stepped over the line into actual terrorism? What if the data stolen contains sensitive data aside from financial information, such as medical records, or proof of infidelity? What if the security hole could be used to crash a moving vehicle? Following the scandalous breach at Ashley Madison come three more hacks that will add to your gray hairs. First up is the “doxing” of Planned Parenthood employees after a hacking group penetrated their network and gained access to employee information, which they promptly released online. It’s not a far stretch to imagine those 300 people being targeted for harassment and violence by more “hands-on” anti-abortion groups now that their information has been made public. Regardless of your feelings about a group’s politics, lining up people in the cross-hairs on an issue known to incite extreme acts of violence is never the right way to protest.
That’s not the worst of it. Keep reading.
UCLA Health – one of the largest hospital systems in the country – revealed that it too had been hacked, and sensitive data on 4.5 million patients and employees has been compromised. While admitting that the usual sensitive information was likely exposed, UCLA officials could not confirm whether the data had actually been stolen, and to add insult to injury, they are only now admitting to the hack, months after the actual breach was detected. No mention was made whether medical records were exposed, though one imagines if such a thing had happened, the enormous liability exposure would lead to full disclosure. One would hope.
If you happened to be a UCLA patient and the owner of a new Jeep Cherokee, you are probably having a really bad week. Fiat Chrysler is recalling over one million new SUVs after details were released by two hackers who were able to physically disable a moving Jeep Cherokee and send it into a ditch, while the driver was helpless to do anything about it. With our cars becoming increasingly automated and connected (and at some point, self-driving), you can bet this type of event will become more commonplace. It’s good that Fiat Chrysler decided to recall the potentially dangerous vehicles, but it is indicative of a wider blind spot in all industries regarding the mounting threat of cyberattacks. Hackers have supposedly been trying for years to call attention to security problems like the ones exploited in the Jeep, as others have in industries like airplane manufacturing. Let’s hope no one has to crash a plane to get their attention.
Hackers will go where the data resides, and there is perhaps no “juicier” website than the infamous Ashley Madison website that facilitates extra-marital relationships for nearly 40 million people. Owned by the Avid Life Media group, the Ashley Madison website is part of a family of similarly-minded websites including Cougar Life and Established Men. The breach was allegedly perpetrated by a group known as the Impact Team, and according to their posted manifesto, the attack was in response to alleged corporate malfeasance on ALM’s part – not, as many might think, in response to the encouragement of cheating spouses. Impact Team alleges that the program promoted by ALM called “full delete” does not in fact do what it promises: for a fee, members can request their profiles be completely erased from ALM records. The supposed “hacktivists” are threatening to post online all the data they’ve stolen from ALM unless their demands are met: take Ashley Madison and Established Men offline permanently.
What this means for you:
Personally identifiable information aside, getting outed for having an account on an adultery website is really “sensitive” data, no question. Though it shouldn’t hurt your employment prospects in theory – employers can’t discriminate based upon marital status (or fidelity for that matter) because that category of information falls under protected status – it can definitely wreck a marriage, and theoretically your finances from that point on. Assuming Impact Team plans to release all the data they’ve stolen, someone will undoubtedly turn it into a searchable database, and even the most trusting of spouses would be hard pressed not to have a peek. So on top of having your identity stolen, you could also lose the love and trust of a spouse, friends and family. I’m pretty sure the latter is worse than the former.
Despite ALM’s vague promises to remove confidential data as it appears, once data is on the internet, you can never take it down. It’s clear that ALM has no plans to accede to any of Impact Team’s demands, and even if the hackers don’t make good on their threats to publish, it’s still highly likely that the trove of info will get sold or stolen and consequently published and used. So what do you do if you happen to have an entry in ALM’s database? It’s too late to take advantage of their “full delete” service – if it ever worked in the first place! If you haven’t already done so, getting some form of credit watch service lined up is a good idea, and changing your passwords is a solid first step. Next, I’d recommend seeking advice from qualified professionals in the areas you’ll most likely be living through from here on out.
Last week’s breach of Italian security firm Hacking Team exposed documentation that detailed the firm’s use of previously unknown security weaknesses in Adobe’s pervasive Flash platform. Typically known as “zero-day” vulnerabilities, these types of holes are being exploited by cybercriminals from the moment they are discovered, and companies will scramble madly to patch the problems and distribute the fix to their customers. Apparently fed up with the ongoing security failures of the plugin and Adobe’s lackluster speed at fixing them, Mozilla has started blocking outdated Flash plugins from running in Firefox, and Facebook’s security czar has called for the troubled platform to be retired:
It is time for Adobe to announce the end-of-life date for Flash and to ask the browsers to set killbits on the same day.
— Alex Stamos (@alexstamos) July 12, 2015
What this means for you:
If you are the owner of a website that uses Flash, you should review whether its use is optional or required, with the latter choice presenting numerous challenges, including alienating a large segment of your mobile visitors; both iOS and Android require special, third-party apps to run Flash that are typically not free. Add this to Google’s latest ranking algorithm, which disfavors sites that aren’t mobile friendly, and you could end up with a website that gets relegated to a dark corner of the internet.
As a website visitor, at minimum you should update your Flash plugin immediately, and only do so by getting the latest version from Adobe’s website. Do not follow links or popups that appear while visiting websites – 99% of the time they are not legitimate and will lead to a malware infection. If you’d prefer to stop using Flash altogether, you can follow these instructions to make Flash ask for permission every time it runs:
Today’s headline alludes to a concept perhaps as old as civilization itself. Plato expressed it as, “Quis custodiet ipsos custodes?” Who will watch the watchers? In a spectacular demonstration of what a well-executed hack can do, an unknown hacker has virtually imploded the operations of a digital surveillance company known (ironically now) as Hacking Team. Despite the rather colorful name, this Italian security company has contracts with dozens of government agencies from all over the world, including the United States. Their product? Essentially spyware for conducting remote surveillance and other covert digital operations. The unknown hacker taunted the company and its employees by taking over Hacking Team’s Twitter account and sharing extremely sensitive internal files through tweets purportedly coming from the company itself. Once the breach was discovered, Hacking Team contacted its clients and strongly recommended they cease using any of the company’s software. Given the general public distaste for Hacking Team’s type of software and the amount of daylight this shines on its customers, it’s highly likely that very few contracts will be renewed, leaving the company’s future very uncertain.
What this means for you:
Unless you happened to be on the list of Hacking Team customers, there’s not a lot you need to worry about from your own organization’s perspective. However, as a citizen of a supposedly democratic nation, you should be concerned about how our government agencies conduct themselves. Should law enforcement agencies be allowed to break the law in order to do their jobs? Who will watch the watchers? Are those people (I’m talking about Congress now) qualified to make proper decisions when they barely understand how the Internet works? To translate this into more relatable (and actionable) terms, do you understand enough about your own organization’s security and technology to make informed decisions on what to buy, what to use, and who to hire? In the case of Hacking Team, it appears that the hacker breached the company through the personal computers of its own system administrators, an irony within an irony. Are you adhering to the security standards to which you hold your own employees accountable?
I am increasingly encountering a dangerous misconception about data backups that could lead to some serious “facepalm” moments. On at least three separate occasions while speaking with someone about data backups, the person I was with referred to DropBox as their primary data backup platform. In case you are unfamiliar with DropBox, it’s a cloud-based platform that can be used to sync files and folders between multiple computers, while also maintaining a copy of that data in the cloud. This cloud component is what many folks like to believe is their “offsite backup”. It’s true – if your local hard drive were to fail and you lost files that were being synced by DropBox, you could retrieve a copy from one of your other mirrors or the copy in the cloud. However, what if you or one of your employees who has access to the DropBox repository accidentally deleted some important files? DropBox doesn’t know you (or they) didn’t mean to delete those files, but it will make sure that change is reflected across your entire DropBox repository. What if you got hit with one of those nasty ransomware viruses which encrypts files, including the files in your DropBox repository? DropBox will dutifully overwrite your data with the encrypted copies, effectively destroying your “offsite backup”.
Let me ‘splain:
DropBox’s strength lies in easily establishing a set of files and folders that can be synced across multiple machines and locations, and it does this through a simple mechanism which essentially looks at each endpoint (and the cloud) and says, “Make all these the same.” This same strength is a resounding weakness when it comes to proper backup methodology. In a nutshell, your backups should keep track of your data across time, in set intervals, so that you can, in theory, go back to any one of those points in time and retrieve the data as it was at that moment. The reason this is important is for the two situations mentioned above (and many other scenarios as well). In both cases, mistakes were made. Our best course of action would be to go back in time to before those mistakes were made, but seeing as we can’t actually time travel yet, we use backups to accomplish nearly the same thing with our data. Even if the mistakes weren’t noticed for a period of time, as long as you have sufficient version depth in your backup strategy, you can look back to a time interval before the deletion and retrieve the files. This is something that DropBox can’t do, and probably shouldn’t, as it’s not meant to be a data backup platform. There are hundreds of viable backup solutions that range in price and complexity, and many of them are as easy to set up as DropBox. Don’t stop short of using a real backup solution just because you’ve got a copy of your files somewhere else. A good backup solution requires some thought and determination, but can pay back huge dividends when mistakes or disaster strike.
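To see the difference between “make all these the same” and “keep track of my data across time”, here is a toy Python model of both approaches run through the two mistakes described above (an accidental deletion, then a ransomware-style overwrite). It is an added illustration, not code from this post, and not how DropBox or any backup product is actually built; the files, the “encryption” and the three-day timeline are all constructed for the example. The `depth` setting is what the post calls version depth: how many intervals back the backup can reach.

```python
"""Added example: a sync mirror versus a versioned snapshot backup.

Toy model only; not the original post's code and not any product's
implementation. "Files" are an in-memory dict of name -> content.
"""
import copy


class SyncMirror:
    """A sync service: every replica is made identical to the latest local state."""

    def __init__(self):
        self.cloud = {}

    def sync(self, local):
        self.cloud = dict(local)        # whatever local looks like now, so does the cloud

    def restore(self, name):
        return self.cloud.get(name)     # only the newest version exists anywhere


class SnapshotBackup:
    """A backup: a point-in-time copy per interval, keeping `depth` snapshots."""

    def __init__(self, depth=7):
        self.depth = depth
        self.snapshots = []             # oldest first

    def run(self, local):
        self.snapshots.append(copy.deepcopy(local))
        if len(self.snapshots) > self.depth:
            self.snapshots.pop(0)       # version depth exhausted: the oldest copy drops off

    def restore(self, name, versions_ago=0):
        """Return `name` as it was `versions_ago` intervals back, or None if out of reach."""
        idx = len(self.snapshots) - 1 - versions_ago
        if idx < 0:
            return None
        return self.snapshots[idx].get(name)

    def latest_clean(self, name, is_clean):
        """Walk back through history to the newest copy of `name` that passes `is_clean`."""
        for snap in reversed(self.snapshots):
            if name in snap and is_clean(snap[name]):
                return snap[name]
        return None


def fake_encrypt(content):
    """Stand-in for ransomware damage: content is no longer readable, and it is what gets synced."""
    return "ENC:" + content[::-1]


def scenario(depth=3):
    """Three daily intervals; both systems see exactly the same local state each day."""
    # Constructed sample files.
    local = {"contract.docx": "signed terms v3", "budget.xlsx": "Q3 numbers"}
    mirror, backup = SyncMirror(), SnapshotBackup(depth=depth)

    # Day 1: everything is fine.
    mirror.sync(local); backup.run(local)
    # Day 2: an employee deletes the contract by mistake; nobody notices.
    del local["contract.docx"]
    mirror.sync(local); backup.run(local)
    # Day 3: ransomware encrypts what is left, and the sync client pushes the damage.
    local = {name: fake_encrypt(body) for name, body in local.items()}
    mirror.sync(local); backup.run(local)

    def is_clean(content):
        return not content.startswith("ENC:")

    return {
        "mirror_contract": mirror.restore("contract.docx"),                  # gone: deletion was synced
        "mirror_budget": mirror.restore("budget.xlsx"),                      # encrypted: damage was synced
        "backup_contract": backup.restore("contract.docx", versions_ago=2),  # day-1 copy, if depth allows
        "backup_budget": backup.latest_clean("budget.xlsx", is_clean),       # newest undamaged copy
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Run it with the default depth of 3 and the backup hands back both the deleted contract and a clean budget, while the mirror has nothing usable. Run `scenario(depth=2)` and the day-1 snapshot has already been pushed out, so the contract is unrecoverable from the backup too: that is the “sufficient version depth” caveat in one line, and it is why the interval and the retention depth of a backup matter as much as the fact that one exists.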
Image courtesy of Stuart Miles at FreeDigitalPhotos.net