Y2K remediation -- don't stop being prepared

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Monday March 6, 2000

CyberSense

Chaim Yudkowsky, CPA, is the chief information officer at Textilease Corp., a Beltsville, Md.-based uniform rental and first aid company, and president of Byte of Success, Inc., a technology consulting company. If you have comments about this column, you can send email to him at cyudkowsky@amcity.com or visit his Web site at www.ByteofSuccess.com.

Y2K remediation -- don't stop being prepared

Chaim Yudkowsky

For many businesses I know, the reason why the "Y2K thing" was a nonevent was that businesses made investments to address technology issues before Jan. 1 passed.

We each underwrote some of that estimated $600 billion of remediation and testing cost. Many of those changes were new systems and even whole new processes to address more than just the underlying fear. The thinking was "since we are replacing old legacy systems, why not do it right?"

We are done with Y2K, now let's address e-commerce. Overwhelmingly, surveys are demonstrating that the next big topic in business technology investment involves e-commerce and e-strategy. Anything beginning with "e-" seems more attractive to competitiveness and growth than the mundane "waste that much of technology investment has been spent on the last few years." We, the management of our businesses, can demonstrate (at least on paper) how "e-business" will make our businesses more profitable.

But in the haste and focus on getting our systems working after Jan. 1, many of the traditional concerns were not completely addressed or were ignored. As a result, now is a good time to revisit those concerns to make sure that we are fully prepared for the everyday operations and blips that we should expect. In addition, addressing some of these concerns now will also provide a healthier foundation for our web-based initiatives.

Do not forget the basics

A sound technology environment includes some basic elements: knowledgeable overseers and users; available and resilient systems; disaster avoidance and recovery planning; operational and access controls; security; and a framework for dealing with user privacy and information. To elaborate, let me share some specifics.

1. Operations. How are the new systems really operating? On one recent snowy Sunday afternoon, I had my car serviced at a Jiffy Lube location. During my visit, the computer and credit card authorization system was down and I wondered whether it was weather-related. The manager responded that since a new "Y2K-compliant system" went in, they were down at least a few times a day.

Working out the nuances and even the bugs of new systems that went in during the last 18 months still requires attention, especially if the new systems are to be permanent opportunities to correct "the way things were done." Our new systems have introduced the efficiencies and "best practices" ideas that off-the-shelf or slightly modified/customized off-the-shelf software offers over homegrown systems that are 5 or 35 years old. Some of these concepts were never before discussed in our management meetings because we "knew how we did business forever." Therefore, our still-new improvements and changes to the way we operate still need our attention, if we are to get the biggest return on our Y2K remediation.

2. Security. The recent attacks on popular web sites not only demonstrate how vulnerable systems can be, but also lull us into the false belief that we are most at risk from outsiders, unknown attackers.

This could not be further from the truth. The greatest risk is still folks who know or have known us from the inside. In our haste to work, one of the most commonly minimized and procrastinated aspects of an implementation is addressing appropriate access and usage data and application security measures.

Now is a good time to again begin by asking some basic questions:

- Do you have a process for disabling departed or terminated users?

- How open is your email system to use by spammers? The spam mailer risk comes from folks who find vulnerable email systems and use those systems to forward email to large populations.

- What physical access points are there and how are they controlled? When not properly set up, RAS (a Windows NT service), pcAnywhere (published by Symantec), and like products can leave your networks wide open.

3. Re-educating your keepers and users. For many, moving to Y2K preparedness meant introducing new technologies both to IT departments and to users. In many instances, the adjustment and adaptation to these new technologies require not only new learning, but a realization that the rate of obsolescence of some of the new knowledge is incredible. Helpdesk people, who are supporting users of the technology, need a re-education in the new, often more decentralized, environment. Especially for companies that have transformed information technology from big mainframe and minicomputer systems to the WINTEL standard, this requires work and commitment to education.

The American Institute of CPAs (AICPA) recently presented its annual Top Ten Technology Issues for 2000. Interestingly, that list contains many of the elements discussed above. For more information about their list and their recommendations, I'd suggest visiting www.toptentechs.com.

http://www.amcity.com/extraedge/consultants/cybersense/2000/03/06/column189.html

-- Martin Thompson (mthom1927@aol.com), March 11, 2000

