Computers In Business: Are You Maximizing Your Potential?

There’s no denying it: we live in a digital age. From a business perspective, embracing the modern culture is essential if you want the company to thrive. After all, if you can’t beat them, join them.

In 2016, it’s almost impossible to find a venture that doesn’t utilize those computing facilities in one shape or form. However, it’s even harder to locate one that is seeing the full benefits of what those digital communications can bring.

Regardless of your industry, computer systems can become the heartbeat of your entire business. Follow the tips below to maximize the impact, and you’ll be amazed at how quickly your company reaches the next level. Let’s get started.

office security


When it comes to business, safety comes first. Modern tech can be used to protect your staff, customers and assets alike. As such, it should be the very first item on your agenda. Even if some of the items won’t come into place until you’ve made other investments, possessing the right strategy now is vital.

Using wireless CCTV can boost the protection of your business premises. However, it’s equally important to think about virtual security too. Keeping data safe through the right firewalls and antivirus software is essential. Meanwhile, you’ll want to be sure that passwords aren’t easy to guess either.

Security needs to be a 24/7 job, which is why many companies benefit from outsourced IT. Protection is far from being the only advantage of using external experts. However, knowing that your business is safe from attacks is key. Similarly, avoiding potential lengthy outages will ensure that you’ll see greater productivity.

Perhaps most importantly, this will help you build trust from the clients. Without this, you’ll be destined for failure. For that reason alone, attending to this issue should be a priority for all modern companies. Do not forget it.


Team Assembly

Every entrepreneur should understand that teamwork makes the dream work. Employees are your most valuable asset, and if computer tech can help you gain more from them, you should grab the opportunity with both hands.

Online facilities can allow you to hire freelancers for a specific job. This can reduce staffing costs as well as equipment expenses. Meanwhile, using internet communications for posting and filling full-time vacancies can work wonders too.

To see the full benefits, you need to be sure that employees are trained in using those modern facilities too. Aside from ensuring that they perform better, it will help the entire group follow standardized practices too. After all, operating as a cohesive unit can only have a positive impact on proceedings.

Either way, a stronger team will drive your business to far greater results. Embracing computer tech to unlock those possibilities is a must. It will be great news for your employees, your business, and your personal endeavors. What more incentive could you ever need?



Using computers to build a great team will provide a solid foundation. However, it’s equally important that those facilities actively promote greater productivity. It’s not a difficult equation; the more you put in, the more you’ll get out.

Advanced computer tech can transform offices into well-oiled machines. Using the latest and greatest software can speed up various admin processes. Whether it’s using Excel spreadsheets to manage data or accounting packages doesn’t matter. Time is money, and making the most of those facilities can only be a step in the right direction.

Organization is a key element of any business operation. This is especially true when dealing with both online and offline sales. Managing your inventory with automated computer systems will make life a whole lot easier. Better still, it will prevent the embarrassment of selling items that don’t exist. Refunding a customer because an item is sold out could potentially sever all ties.

Greater productivity will lead to increased profitability. In turn, this will inevitably accelerate your growth too. But as well as having the right software, just remember to keep your computers in great health. There’s nothing more frustrating than waiting for faulty hardware to complete those processes.


Everything you do in business should essentially be geared towards increasing your customer numbers. A larger client base will bring a greater volume of sales. But before converting those sales, you need to gain interest from the customers. Given that we live in a digital age, it should come as no surprise that computer technology can be your secret weapon.

Even if the business doesn’t take online purchases, your audience almost certainly uses the internet on a daily basis. A well-designed website can become your greatest marketing tool, especially when you use a blog to keep readers coming back for more. Building familiarity with the brand can help you generate sales both online and offline. Moreover, it’s another factor that can help build trust.

Gaining the full benefits of embracing the digital world should be your goal. Therefore, you must also capitalize on opportunities gained from external platforms. Improving your visibility on Google can give the company a more professional vibe. More importantly, it will be seen by more people, which should lead to more visitors. Assuming the website and core features of the business are fine, this should help generate far greater revenue.

And if you can get people to leave positive reviews of your business, either on your site or others, do it. Those words could have a huge influence on the decisions of others. If it converts interest into sales, this could be the most important element of all.


First and foremost, computer technologies were built as a communication tool for business. If you aren’t using your facilities to perfect the links throughout your operation, you’re making a mistake. Changing this should be one of the key items on your to-do list.

video conferencing

By now, you should be aware that cloud computing can help productivity. But it’s also a great way to encourage better collaboration and ensure that every member of your team is working as a collective unit. If the staff is split over several locations, video conferencing is another door that computers can open. Either way, a team that works together will always produce far greater outcomes. Better still, it should ensure that the customers receive a consistent service too.

Ultimately, keeping the customers happy should be one of the chief priorities. Interaction is a crucial concept, and using computer technology is key. Social media platforms like Twitter can be a great way to offer customer care on a 24/7 basis. Adding Live Chat facilities to your website is another fantastic solution. If it helps you provide the best service possible, you should not ignore it.

Greater communication will promote increased confidence from the client. In turn, this can boost your hopes of repeat business significantly. Giving them a better insight into the personality of your brand by using Periscope and other cool features can help build excitement. If that doesn’t boost your chances of turning a profit, nothing will.

Financial Control

It’s difficult to run a business without focusing heavily on the chase for revenue. However, all company owners need to appreciate that your expenses have a massive impact on your overall finances. Essentially, if you want to gain maximized profits, you must make the operation cost-effective.

Online price comparison sites can be a godsend. Whether it’s insuring a fleet of business vehicles or finding cheaper energy rates, those savings will make a difference. If you’re going to borrow money, learning about crowdfunding and loan alternatives is vital too.

Another top trick is to find guides and tutorials. In many cases, cutting out the middle man to complete tasks yourself can be a great way to lower those monthly overheads.

Income and savings

In many situations, it is possible to gain help from governing bodies and business schemes. Whether it’s making the office more eco-friendly or gaining relief on loans, a few hours of research could save you thousands.

Secondary Income

As a business, using computer technology to maximize your core incentives should always be the main aim. However, those facilities can also earn secondary forms of revenue. Quite frankly, you’d be a fool to overlook the benefits that it can bring.

In addition to being a fantastic marketing tool, social media can earn you money. Monetizing a YouTube channel through adverts is easy while Google Ads will generate funds through your website too. Likewise, Instagram and other social media platforms can be utilized to gain additional costs too.

Alternatively, if your company has expensive facilities that you don’t always use, they can be rented out. Whether it’s lending filming equipment, office essentials or other items doesn’t matter. There will always be a demand for those products on the internet. You could be earning money for old rope.

Ok, those additional funds aren’t going to be the difference between success and failure. Nonetheless, they can boost your cause, and it’s an opportunity that you should capitalize on. When combined with the core features above, your company won’t go far wrong.

All modern businesses should be using computer facilities to their full potential. Make the necessary upgrades immediately, and you will reap the long-term rewards.

security of web applications

Security Considerations for Web Applications

From websites to applications, website developers require to know almost everything there is about developing. There is plenty to consider when developing an existing platform or something from new. A brief may state that a new application must be user-friendly, accessible and secure.

Over recent years, there is an enormous emphasis on building a web application with security at the heart of the development. It is no wonder that this is now the case. We live in a world where security threats and access breaches are common place. It is a scarier world out there today than it was ten years ago.

There are many considerations when it comes to building web applications, especially when it comes to security. Is the site or application protected against service attacks? Is business and customer data safe and stored correctly within a database? Could an individual compromise the application and pollute the database? Could an attacker access information that is restricted?

For those that need to outsource, it may be worth stumping up for the security certification cost and relevant in-depth training. For those that want to tackle this head on, this article will cover some of the essential security components when it comes to web application development.

Cross-Site Scripting

This is where an attacker will trick a web application user into inadvertently executing code from another website. This can be done in a variety of different ways. A message, pop-up or email could be used to direct the inadvertent to execute this code.

Once bad script is loaded, the script can then be used to access or take contents from cookies. This information can then be used to send spam, install malware or even change the contents and development code of the web application.

As a developer, you should be able to use PHP’s input file extension to minimize the potential damage caused by cross-site scripting.

Cross-Site Request Forgery

This is where a visitor is tricked into carrying out an adverse action on our very own web application. This type of security attack tends to happen on websites that the visitor visits frequently, on web applications that are not properly secure.

Click jacking

This security threat has been given almost celebrity status after attacks against Facebook and Twitter. As these platforms are social, with plenty of daily interaction, the threat spread quickly throughout both applications.

The threat may come from the attacker using our web application in a frame within their own website. They do not have control over our website, but they do control the iFrame that it sits within. One way we can protect ourselves is to disable any submit button and use a JavaScript code to enable it again, once we have found that there is no threat.

As web developers we need to be conscious of all security threats, not just the ones detailed above. Security is an essential and vital part of all development work, whether you are a front-end coder or back-end developer. Protecting what is ours is paramount, more so today than at any point historically.

How To Administer Risk Associated With Web Applications

Corporate around the world are working on innovative ideas and building web based applications as they provide flexibility, low maintainability cost, rich functionality and adds up the benefits of its own. Companies offering services are also major player and they will stay in the market for very long time (as per survey).
Software as a service (SaaS), in particular, is playing out pretty well in today’s economy, according to IDC, which predicts the sector will see a 36 to 40 per cent growth in 2009.

Yet many organizations, especially at the enterprise level, worry about offloading corporate data to a third-party vendor. Will security risks increase? What happens when reliability begins to suffer? How can they access critical data/systems during an outage? These are valid questions, but many experts actually think that your data is safest with a credible third-party whose business in effect is (or should be) managing the security and reliability of data across many customers. After all, if a vendor screws up, it will lose revenue, customers and market share in a heartbeat.

Still, due diligence is imperative for any SaaS implementation. Here are 10 risk administering factors to consider when offering web-based software to your employees.

1: Identify a low-penalty area of the business to serve as your first SaaS project

The first time you enter an arrangement with a vendor to host software and data for you, avoid outsourcing a highly visible area of your business. If HR is not strategic to profits that might be one place to start. Save the high-stakes CRM project for later, when you have learned a few best practices.

2: Assess your risk

Before you can come up with metrics and other requirements for vendors, you need to determine exactly which business and IT priorities of the data/system you want to outsource and what will be the fallout of any sort of breach or data loss. How do your internal requirements for encryption, network security, privacy, disaster recovery, auditing and monitoring align with the services provided by the vendors under consideration?

3: Choose vendors carefully

I would recommend you to select vendors with a long track record of providing web-based software and services. You may have to pay more for established vendors, but doing so will likely lower your risk. Let someone else do the thinking (and risk) ahead of you.

4: Do a deep dive on your SaaS vendor’s security infrastructure and approach

It’s not out of the question to request a third-party audit of the company’s security systems and policies. What security certifications does it hold? Is the company compliant with any relevant industry regulations, such as PCI DSS for credit card transactions? Following is a checklist you can use:

  • How and where data encryption is used (for instance, on backups as well?)
  • The quality of the network defenses in the data center
  • How authentication and secure connections are handled
  • The use of data loss protection (DLP) technology
  • The question of multi-tenancy, since you’ll be sharing computing resources with other customers

5: Ask how your vendor handles disaster recovery

What protections will you have from your vendor in case of an outage due to system failure or natural disaster? Will you have offline access to the data? You can, for instance, ask your vendor if there’s a way to periodically store data into an on-premise system just for that purpose.

6: Get it in writing

Involve business and IT colleagues, client references of the vendor, your legal department, and whomever else might be helpful to ensure that you have an airtight contract. The document should cover not only financial terms but included services, performance metrics, and reliability and security provisions. How much uptime do you need and what does the vendor agree to do if they miss it? This could come in the form of fees, credits or other creative paybacks.

7: Get chummy with your vendors

It goes without saying that you want a collegial not an adversarial relationship with your SaaS vendor. After all, they’re there to help your business grow and be more flexible, so think of them as a strategic business partner. Meet frequently to go over the metrics and to discuss how to improve experiences for your employees and external customers that may interface with the system. Now that you have freed up time of internal IT staff members who used to work on implementations and maintenance, dedicate at least one individual to managing this critical relationship.

8: Look out for new monitoring tools

Many businesses, as they grow in size, install system monitoring tools that keep an ever-present eye on networks, PCs and applications for any abnormalities such as viruses, inappropriate access or performance lags. Increasingly, such tools will include scanners that can also test web applications for vulnerabilities.

9: Consider the help of a security consultant

Unless security is an area of expertise in your group, an outside consultant can help make sure that you are asking all the right questions and not overlooking any important technical details. Information security consultant suggests asking questions such as whether your vendor can support your e-discovery requirements and how authentication is handled.

10: Devise a PR and response strategy

Regardless of how vigilant you are in selecting and managing vendors, there is always the chance that a security breach or data loss will happen anyway. Rest assured: the media and angry customers will be coming to you, not your vendors. Put together a plan stating which employers will be on your response team and what actions should occur in what order. Make sure you have a capable media relations expert on hand to help work responsibly and cordially with media inquiries. Withholding information should be avoided as more transparency means happy customers and stakes holders.

If you’ve got any thoughts, comments or suggestions for things we could add, leave a comment! Also please Subscribe to our RSS for latest tips, tricks and examples on cutting edge stuff.

Linux v/s Windows: Linux is Winning

User community is slowly loosing its faith in Windows. Windows XP wins the heart of many people but Microsoft’s other products in OS range aren’t doing that well. Windows 7 is a buzz these days but many people from open source community feels that it will again be old wine in a new bottle. Community is feeling that Linux will be on top in OS community in near future. I know Window’s Fan will be shocked after reading this. So, how and why windows is loosing ground to Linux? Read on

1: Inconsistent Windows releases

One of the things you can always count on from Microsoft is that you can’t count on its new operating systems to be reliable. Let’s take a look at the individual releases:

  • Windows 95: revolutionized personal computing.
  • Windows 98: attempted to improve on Windows 95; failed miserably.
  • Windows Me: a joke, plain and simple.
  • Windows NT: attempted to bring enterprise-level seriousness to the operating system; would have succeeded had it not taken Steven Hawking-like intelligence to get it working.
  • Windows XP: brought life back to the failing Windows operating system. It hadn’t been since Windows 95 that the operating system was this simple.
  • Windows Vista: see Windows Me.

With this in mind, what do we expect from Windows 7? Myself, not much.

2: Consistent Linux releases

Converse to number 1, you have the far more consistent releases of the various Linux distributions. Yes, there have been a few dips along the way (Fedora 9 being one of them). But for the most part, the climb for Linux has been steadily upward. Nearly every Linux distribution has improved with age. And this improvement isn’t limited to the kernel. Look at how desktops, end-user software, servers, security, admin tools, etc, have all improved over time. One could easily argue that KDE 4 is an example of a sharp decrease in improvement. However, if you look at how quickly KDE 4 has improved from 4.0 to 4.3 you can see nothing but gains. This holds true with applications and systems across the board with Linux.

3. Continuing Windows price hikes

Recently, I have had a number of long-time Microsoft administrators asking my advice on solid replacements for Exchange. The reason? Microsoft changed its licensing for Exchange to a per-user seat. Now anyone who logs on to an Exchange server must have a license. You have 100 employees (including administrators) who need to log on to Exchange? Pony up! This gets serious when your company starts having to cough up the money for 500+ Exchange licenses. The very idea that Microsoft would make such a bold change to licenses is made even more ridiculous considering the current state of the economy. Companies worldwide are having to scale back. And like Exxon Mobile celebrating record profits amid the catastrophe known as Hurricane Katrina, Microsoft creating such a cost barrier while the globe is facing serious recession is irresponsible and reprehensible.

4. Stable Linux “prices”

Converse to number 3, the prices of open-source software licenses have remained the same — $0.00. When those administrators come to me asking for open source replacements for Exchange I point them to eGroupware and Open-X-Change. Both are outstanding groupware tools that offer an even larger feature set than their Microsoft equivalent. Both are reliable, scalable, secure and free. The only cost you will have with either is the hardware they are installed upon. And with both packages, there is no limit to the amount of users that can be set up. One user, 1,000 users — it’s all good with open source software.

5: Windows hardware incompatibility

Microsoft Vista was a nightmare when it came to hardware compatibility. Not only was Vista incompatible with numerous peripherals, it took supercomputer-level iron to run the operating system! Sure this was a boon to Intel, which stood to make a pretty shiny penny. Intel knew a good amount of the public would be shelling out for new hardware, and the new hardware would cost more because it had to be faster to run Vista in all its Aero glory. But even hardware that would run nearly any other OS with lightening-fast speed was brought to a slow, grinding halt with Vista.

6: Linux hardware compatibility

Converse to number 5, Linux continues to advance in the category of hardware compatibility. Take Xorg, for example. Recent developments with the star of Linux’ graphical desktops have the X Windows server running sans xorg.conf. This was done primarily because the system had grown so good at detecting hardware. And so long as there wasn’t a cheap KVM between your monitor and your PC, Xorg would easily find the mode for your display and run X properly. With new distributions (such as Fedora 10), X configuration is becoming a thing of the past. Most other pieces of hardware are finding the same level of recognition.

7: Windows promises

I wanted to save this for last, but seeing as how it is number 7… We’ve all heard the pundits proclaiming Windows 7 will be the resurrection of the Microsoft operating system. But I recall this same proclamation with nearly every release from Redmond. Windows Vista was going to revolutionise the way the user interfaced with the computer. Vista was going to be the operating system you would never notice. Instead, Vista refused to NOT let you notice. And Windows Me was going to take Windows 98 and make it far more simple for the average user. What did it really do? Remove nearly every actual functioning system in the operating system, leaving little more than a browser and an email client.

Everyone is always fond of saying the next Windows release will redefine the personal computer. But the public has finally reached such a point of apathy for Microsoft’s up and coming, the majority doesn’t even realise something new is coming out. The media can continue to push Windows 7, but the public will continue using XP until Microsoft pries it from its cold, dead fingers. And, of course, no one really knows when Windows 7 will land. How many dates Microsoft announces vs. how many dates change will probably be a 1:1 ratio.

8: Linux transparency

Converse to 7… The next release of any Linux distribution is never shrouded in mystery. Because of the nature of open source, the release candidates are always available to the public (and not on a limited basis), and the timeline is always made available. Any user can know exactly when a feature-freeze happens for a release of any distribution. And all Linux distributions work under the “full disclosure” model. Because of this, there is little false advertising going on with Linux. And unlike with Microsoft, you will never hear of a distribution claiming that its next release will revolutionise computing. If you go to the Fedora Project Wiki, you can view all the proposed and accepted features that will be included in the next release. You can also view the completed release schedule, where you will see that Fedora 11 has set an alpha release of 3 February 2009, a beta release of 24 March 2009, and a final release of 26 May 2009. These dates are fairly firm and almost always on target.

9: Feature comparison

Let’s compare the feature lists of Windows 7 and Fedora 11.

  • Windows 7: OS X-like Doc, multi-touch screen, mapping application similar to Google Earth, Hyper-Visor virtualisation, location-aware apps, User Access Control improvements, Sidebar removal.
  • Fedora 11: 20-second boot time, btrfs file system, Better C++ support, Cups PolicyKit integration, DNS Security (DNS SECurity), ext4 default file system, fingerprint reader integration, IBUS input method replaces SCIM (to overcome limitations), GNOME 2.26, KDE 4.2, Windows cross-compiler inclusion.

If you look at those features in and of themselves, you could easily argue that either one could be the more impressive list (depends upon your bias). But understand that the Fedora 11 features are added on an already outstanding operating system, whereas the Windows 7 features are being added to a lesser operating system. And what Microsoft is proclaiming to be the biggest improvement (multi-touch) doesn’t actually improve the operating system and also requires, surprise, new hardware! To get the most out of Fedora 11, you’ll be good to go with what you already have.

10: Hardware requirements

Vista-lite? Out of the mouths of Microsoft comes the proclamation that Windows 7 will run on any hardware that would run Vista and even slightly less powerful hardware. Slightly less powerful? What exactly does that mean? Well for one, Windows 7 will have no luck in the netbook market. And since XP is dying, the netbook market will be owned by Linux. Netbooks are not gaining enough power to run anything from Windows but the watered-down version of XP. Netbooks are not going anywhere, and consumers (both home and corporate) have their limits on how many hardware upgrades they will make to fulfil an operating systems’ needs. As of Fedora 10, the minimum system requirements look like something out of the mid ’90s.

In your opinion, has the court of public opinion already condemned Microsoft to failure or will Windows 7 pull Microsoft out of the muck and mire created by Vista? Will Linux continue its climb above Microsoft? If you’ve got any thoughts, comments or suggestions for things we could add, leave a comment! Also please Subscribe to our RSS for latest tips, tricks and examples on cutting edge stuff.

Are you banned by Akismet for spaming?

You must have experienced that you try to post comments on your friends blog but  your comment never appears. This happens because you are banned by Akismet. Akismet system has been protecting WordPress bloggers for a while now from comment and trackback spammers.

Akismet system relies heavily upon blog owners marking your comments/trackbacks as spam and reporting them back to Akismet as such via the WordPress plugin. This means that many innocent bloggers are “false positives” in the Akismet system due to either malicious or ignorant behavior on the part of other bloggers.

I faced the same problem and went to akismet contact page to file my request, its been weeks and i haven’t received words back from them. Notice that they are using Math question on their contact form. Moreover, i have encountered scripts which can solve the math question in order to post spam messages.

There is a huge number of bloggers who are marked incorrectly as ’spammers’ by people who don’t like them for one reason or another or who’re simply ignorant and incorrectly marking any and all trackbacks as spam.

How Spammers can play with Akismet system and get you banned?

Lets take an example of a blogger who wrote a harsh comment on other blogger’s website. Now the other blogger will take his identity (username, email and URL) and put them into a spam script (believe me there are plenty out there) and he will set the script to send out 100’s of comments/trackbacks to other blogs. Of course, most of these blog owners who got the ’spam’ would flag these comments as spam. This would result in your credentials being incorrectly marked as spam comments by hundreds of bloggers, thus ruining your expertise to promote your site.

ignore.jpgWhat is surprising here that Akismet doesn’t do IP tracking. It seems that they could figure out that there were 10000 spammy comments from one IP address and 150 legitimate comments from another address. But, apparently, they don’t do this. What does it cost them in order to follow the above isn’t clear to me and many people are waiting until they change their logic to flag ID’s as SPAM, to me it looks like clear negligence. What about those who are falsely got banned because of some reason?

Million dollar Question is how to get unbanned from Amismet?

Well, there are two ways that can get your id unbanned by Akismet:

  • You can contact Akismet and ask them to un-ban your status
  • Ask those bloggers who have flagged you as Spam to change your status back to “Not Spam”.

What do you think? will that be easy, well i don’t think so.

Suggestions for Akismet

Akismet apparently relying too much on automated systems and this leaves the whole process open to exploitation by malicious individuals. Furthermore, they seem to place a lot of weight on just a few reports which could be simply ignorance of how trackbacks work or perhaps someone reacting out of anger to a negative comment.

Lastly, they need to make it crystal clear how to get your credentials cleared after being given a false positive status in the system. Having an anti-spam system for blogs is important. However, having an anti-spam system that can’t be easily gamed or that gives credibility where credibility isn’t due is also important. Akismet needs to step up and correct these serious and growing problems in their system.

What you can do to avoid all this and enjoy your posting the way you were doing earlier?

Well, I have used Disqus comments plugin for wordpress which takes commenting to next level. It automatically checks for spam but you will have option to approve any spam which you think isn’t a Spam. Moreover, you can track conversations with video comment option. You can build a community using that plugin on your website. Use it unless Akismet works out for you.

Ask your friends to flag your comments as “Not Spam” if they aren’t using Disqus plugin.

Have you been the victim of an Akismet false positive? Have you gotten a lot of Akismet false positives in your filter? Leave me a comment and let me hear your opinion. If you’ve got any thoughts, comments or suggestions for things we could add, leave a comment! Also please Subscribe to our RSS for latest tips, tricks and examples on cutting edge stuff.

Strong passwords-realistic or burdensome?

Hackers and information thieves grow more sophisticated everyday. That forces you, your company’s main line of defense, to be more diligent. Passwords are a good example of this constant drive to protect your small company’s data. Large organizations have the benefit of more sophisticated security measures and policies, but small businesses have to rely on smaller-scale options, such as strong user passwords.

Trying to stay one step ahead of thieves and mischief-makers, we add rule upon rule to the process of generating passwords. Each rule makes sense, but they can become a burden to your users, who will take shortcuts — so do all those rules help or hinder the process? In theory, the rules are good. In practice, they can become impractical.

You’re probably already familiar with the general guidelines for creating and using passwords, which originated with the Department of Defense (DOD Password Management Guideline):

  1. Use a unique password for every account that requires one.
  2. Memorize your passwords; don’t write them down.
  3. Passwords should be at least six characters long (more is better).
  4. Replace all passwords regularly.
  5. Passwords should contain a mixture or characters: upper and lower case letters, numerals, and other special characters.

Again, in theory, there’s a good reason for each rule, but you might have a hard time enforcing them. User resistance in a small shop can be especially frustrating due to the lack of standardized policies. Right or wrong, users in a small shop are more apt to think who really cares…who’s going to know? First, the atmosphere is just less formal in smaller shops. It’s much easier to bend the rules. Second, small shops don’t have the personnel to enforce policies. Third, training is often hit or miss and users might not even be aware that you have a password policy. Users in general aren’t being malicious by bypassing your rules, they’re just trying to get their work done, just like you.

Where does that leave you? Well… mostly uninformed as to whether your users are following password security policy. To find out, you’ll have to get inside your users’ heads. Their reasons might be legitimate:

  • It’s difficult to memorize several patterns of numerous characters that mean absolutely nothing.
  • Just about the time users are comfortable with all those different, meaningless patterns, you change all of them and they have to start all over again.
  • If they forget a password, which is easy to do, the interface is likely to lock them out. This happens when they enter the wrong password a few times. As a security measure, most systems lock users out after a few incorrect attempts to sign on. That means they have to wait for you to reset their account — it wastes their time and annoys you.

Too bad, you say? Maybe, but that sentiment alone won’t keep your users from cheating.

Here’s my challenge to you: Over the next few days, visit each user and ask to look under their mouse pads and keyboards. I predict you’ll find a few lists of passwords if your company changes passwords on a regular basis. Be sure to turn over the pads and keyboards because the smart ones will tape their lists to the bottoms. If you don’t find a list under or taped to the mouse pad or keyboard, ask each user where he or she keeps their list. They’ll pull them out of their top desk drawers and file cabinets and point to their bulletin boards.

Of course, you must reassure them that they’re not in trouble and that they’re actually helping you. In a small shop, this really shouldn’t be too hard because of the friendly and casual atmosphere, right?

What it all boils down to is this: If rules become too hard to follow, users ignore them. Learning how your users mind your security policies is just the first step. How you resolve the problem is up to you. Just don’t make the mistake of thinking all is well — because it probably isn’t. In a small shop, with fewer stop gaps and fewer resources, you can’t afford to ignore even the smallest potential for trouble.

10 common security mistakes that should never be made

The following is a list of ten security mistakes I see all the time. They’re not just common, though — they’re also extremely basic, elementary mistakes, that anyone with a modicum of security knowledge should know better than to make.

  1. Sending sensitive data in unencrypted email: Stop sending me passwords, PINs, and account data via unencrypted email. Please. I understand that a lot of customers are too stupid or lazy to use encryption, but I’m not. Even if you’re going to give them what they want, in the form of unencrypted sensitive data sent via email, that doesn’t mean you can’t give me what I want — secure communications when sending sensitive data.
  2. Using “security” questions whose answers are easily discovered: Social security numbers, mothers’ maiden names, first pets, and birthdays do not constitute a secure means of verifying identity. Requiring an end user to compromise his or her password by specifying a question like that as a means of resetting the password basically ensures that the password itself is useless in preventing anyone that is willing to do a little homework from gaining unauthorized access.
  3. Imposing password restrictions that are too strict: The number of cases I’ve seen where some online interface to a system that offers the ability to manage one’s finances — such as banking Web sites — impose password restrictions that actually make the interface less secure is simply unacceptable. Six-character numeric passwords are dismayingly common, and the examples only go downhill from there.
  4. Letting vendors define “good security”: “There’s no such thing as a vendor you can trust”. Ultimately, the only security a corporate vendor really cares about protecting is the security of its own profits and market share. While this sometimes prompts a vendor to improve the security of its products and services, it sometimes prompts exactly the opposite. As such, you must question a vendor’s definition of “good security”, and you must not let vendors tell you what’s important to you.
  5. Underestimating required security expertise: People in positions of authority in corporations often fail to understand the necessity for specific security expertise. This applies not only to nontechnical managers, but to technical IT managers as well. In fact, standards working groups such as the one that produced the WEP standard often include a lot of very smart technologists, but not a single cryptographer, despite the fact they intend to develop security standards that rely explicitly on cryptographic algorithms.
  6. Underestimating the importance of review: Even those with security expertise specific to what they’re trying to accomplish should have their work checked by others with that expertise as well. Peer review is regarded in the security community as something akin to a holy grail of security assurance, and nothing can really be considered secure without being subjected to significant, punishing levels of testing by security experts from outside the original development project.
  7. Overestimating the importance of secrecy: Many security software developers who make the mistake of underestimating the importance of review couple that with overestimation of the importance of secrecy. They justify a lack of peer review with hand-waving about how important it is to keep security policies secret. As Kerckoffs’ Principle — one of the most fundamental in security research — points out, however, any system whose security relies on the design of the system itself being kept secret is not a system with strong security.
  8. Requiring easily forged identification: Anything that involves faxing signatures, or sending photocopies or scans of ID cards, is basically just a case of security theater — putting on a great show without actually providing the genuine article (security, in this case) at all. It is far too easy to forge such second-generation (or worse) low quality copies. In fact, for things like signatures and ID cards, the only way for a copy to serve as useful verification is for it to actually be a good enough copy that it is not recognized as a copy. Put another way, only a successful forgery of the original is a good enough copy to avoid easy forgery.
  9. Unnecessarily reinventing the wheel: Often, developers of new security software are recreating something that already exists without any good reason for doing so. Many software vendors suffer from Not Invented Here disease, and end up creating new software that doesn’t really do anything new or needed. That might not be a big deal, if not for the fact that the new software is often not peer reviewed, makes security mistakes that have already been ironed out of the previous implementation of the idea, and generally just screws things up pretty badly. Whenever creating a new piece of software, consider whether you’re replacing something else that already does that job, and whether your replacement actually does anything different that is important. Then, if it is doing something important and different, think about whether you might be able to just add that to the already existing software so you will not create a whole new bundle of problems by trying to replace it.
  10. Giving up the means of your security in exchange for a feeling of security: This is a mistake so absurd to make that I have difficulty formulating an explanation. It is also so common that there’s no way I can leave it out of the list. People give up the keys to their private security kingdoms to anyone who comes along and tells them, “Trust me, I’m an expert,” and they do it willingly, eagerly, often without thought. “Certificate Authorities” tell you who to trust, thus stripping you of your ability to make your own decisions about trust; Webmail service providers offer on-server encryption and decryption, thus stripping you of end-to-end encryption and control over your own encryption keys; operating systems decide what to execute without your consent, thus stripping you of your ability to protect yourself from mobile malicious code. Don’t give up control of your security to some third party. Sure, you may not be able to develop a good security program or policy yourself, but that doesn’t mean the program or policy shouldn’t give you control over its operation on your behalf.

If you follow or even try to implement few in your daily life i am sure you won’t get hacked or forged by some smart person.