The GDPR: Is your company affected?

In May 2018, the EU’s GDPR (General Data Protection Regulation) will go into full force.

GDPR is a set of regulations protecting EU consumer data and covers businesses both inside AND outside the EU.  In other words, if your U.S. company sells goods or services to people in the EU, you must protect their personally identifiable information as prescribed by GDPR.

Like many U.S. data protection regulations, GDPR is broad but short on specifics.  Part of this is because it will allow each EU country to provide its own specifics.  GDPR covers data breach notifications, user consent, data sharing, data protection for children, and a number of other privacy issues.

If you don’t sell consumer products or services to EU consumers, or maintain any data about EU consumers, you are not required to comply with GDPR. And since most high-profile cloud vendors and SaaS applications (e.g. Amazon Web Services, Microsoft Office 365) plan to become GDPR compliant, we don’t expect many of our clients, even those with EU consumers, will need a lot of technology changes.

As a first step, if you do have EU consumers, we strongly recommend you contact your legal counsel to discuss whether you need to comply with GDPR regulations, and if so, reach out to us so we can help evaluate how your technology infrastructure may be impacted.

The Equifax Disaster – A Quick Guide

Now that some dust has settled, and some confusing misinformation has shaken out, here’s our succinct guide to the credit agency’s data breach.  We’ll keep you posted if anything changes. Good luck, and stay safe!

What happened?  

Between May and July, Equifax’s systems were breached, and the personal information of approximately 143M customers, including their social security numbers and addresses, were exposed.

How did it happen?

They’re not saying…yet.

How do I know if I was affected?

Equifax’s website that lets you check is….unimpressive to say the least (we’re being kind).  You should assume you and your entire family’s data were affected.

Could my business be affected?

Equifax does collect business data, however no information about this has been disclosed.  Note that basic business data such as EIN, name, and address is public information anyway.

What should I do?

Two things. First, put a credit freeze in place for you and your family at all four credit agencies. Then pull and review your credit reports to make sure everything is safe.

1. Freezing your Credit: To read about what that means, see this government site. To freeze your credit, visit each of the following agencies:

Equifax Security Freeze *
Transunion Security Freeze 
Experian Security Freeze 
Innovis Security Freeze 

*Equifax is offering a security freeze for free to everyone. In NY State, your first freeze is free at all the agencies.

2. Reviewing your Credit Reports
You should also look at all your credit reports.  You can do this from one place at AnnualCreditReports.com, which is a joint site by three of the above agencies.

Should I sign up for other monitoring and alert packages?

If you successfully freeze your credit, the only organizations that can access your reports are companies you’re already doing business with, and certain government agencies. Therefore, additional notifications are not necessary. However, if it makes you feel better, review the terms of any “free” monitoring packages carefully.

Secure e-mail isn’t really e-mail. Is it really secure?

Most e-mails are not encrypted.  What this means is that if someone intercepted your email message, they would be able to read it.  This is, of course, a big concern to those sharing sensitive information.

One solution is to avoid e-mailing any sensitive information. Many online apps (such as Box and Cisco’s Sharefile) offer secure alternatives to email. While these work well, many of our clients find that when they’re in a rush, they end up e-mailing sensitive information regardless.

Another option, one that has been in use for many years, is known as secure or encrypted e-mail.  Secure e-mail applications work directly with your e-mail system. For instance, Microsoft Office 365’s Message Encryption (“OME”), which is included in some Office 365 subscriptions, works seamlessly with Microsoft Exchange and Outlook.

Microsoft Office 365 Message Encryption (Source - Microsoft (c))

When a user puts a code word into the subject line (e.g. ‘PRIVATE’) and presses send, Microsoft’s OME converts the e-mail message into a web page.  Instead of the message, the link to the web page is then sent to the recipient.  The recipient can then open the message in a browser, but first must confirm her identity through a one-time code, which is automatically sent to her e-mail address.

Since the message is encrypted end-to-end, Microsoft’s OME is a substantial improvement over standard email.  However, as you might expect, secure e-mail has some vulnerabilities.  For example, if someone can access the recipient’s mailbox, he can decrypt any secure message using the code that is sent subsequently.  In addition, a sophisticated hacker can “listen in” over a network, wait for an encrypted e-mail, and then wait for the code.  The code, however, does expire after 15 minutes, severely limiting an attacker’s time window.

Even though it’s not a perfect solution, secure email’s ease of use, in-transit and at-rest encryption, and expiring codes, make it a useful tool for those sending sensitive information over email.
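To make the trade-offs above concrete, here is a small model of the one-time-code step, written for this post and not Microsoft’s own code. It assumes a service-side store that issues a code bound to one message and one recipient, accepts it once, and refuses it after the 15-minute window the article quotes:

```python
import secrets
from datetime import datetime, timedelta

# The expiry window quoted in the article for OME one-time codes.
CODE_TTL = timedelta(minutes=15)


class OneTimeCodeStore:
    """Hypothetical service-side store for the codes e-mailed to a recipient."""

    def __init__(self):
        # code -> (message_id, recipient, expires_at)
        self._pending = {}

    def issue(self, message_id: str, recipient: str, now: datetime) -> str:
        # Random 8-digit code; the service mails this to `recipient`.
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[code] = (message_id, recipient, now + CODE_TTL)
        return code

    def redeem(self, code: str, message_id: str, recipient: str, now: datetime) -> bool:
        # pop() makes the code single-use: a replay after the real recipient
        # has opened the message fails even inside the 15-minute window.
        entry = self._pending.pop(code, None)
        if entry is None:
            return False
        bound_message, bound_recipient, expires_at = entry
        # The code must match the message and mailbox it was issued for,
        # and must not have expired.
        return (
            bound_message == message_id
            and bound_recipient == recipient
            and now < expires_at
        )


def demo() -> dict:
    """Constructed walk-through: first use, replay, and an expired code."""
    store = OneTimeCodeStore()
    t0 = datetime(2017, 9, 1, 9, 0, 0)  # constructed timestamp
    code = store.issue("msg-1", "alice@example.com", t0)
    first = store.redeem(code, "msg-1", "alice@example.com", t0 + timedelta(minutes=5))
    replay = store.redeem(code, "msg-1", "alice@example.com", t0 + timedelta(minutes=6))
    late_code = store.issue("msg-2", "alice@example.com", t0)
    expired = store.redeem(late_code, "msg-2", "alice@example.com", t0 + timedelta(minutes=16))
    return {"first": first, "replay": replay, "expired": expired}
```

Note what the model does not protect against: anyone who can read the recipient’s mailbox inside the window sees both the link and the code, exactly the weakness the article describes.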

Can you see me now?

Video calls have become a staple of business communication. Most business communications packages, including those by Google and Microsoft, already include some form of video capability.

At Cartwheel, we use video to communicate with each other when working remotely, conducting interviews with candidates, and in some client meetings. Since we use a number of different video applications, we wanted to share our take on which work best.

For businesses that rely on very high-quality video and audio, we recommend stand-alone systems such as BlueJeans. Although they require expert implementation and are costly,  these systems can integrate into existing phone systems, reserve bandwidth on your network, and have advanced features such as recording and broadcasting.

For the rest of us that want decent video conferencing ability, but don’t mind the occasional hiccup in quality, below are the ones we’ve used. Note that all these applications offer both iOS and Android apps for video on the go.

Video for internal communication

  • Slack: We were originally skeptical of Slack’s usefulness, but have grown to love it. Primarily used for team communication, Slack helps eliminate lots of back and forth emails. Slack has both audio and video conferencing, and both are very good. In addition to a simple, effective interface, Slack recently added  screen sharing. However, we do sometimes experience video dropping while on calls with many users. https://slack.com/
  • Google Hangouts: For those using G-Suite for email, Hangouts is the logical choice. Fortunately, it’s also a very solid one. Google has combined its chat and video capability in Hangouts. The video and audio sound quality are strong, however the integration into other Google tools is a little confusing. For instance, clicking on Contacts from Hangouts does not bring up your G-Suite Contacts, but instead takes you to your “Hangouts” contacts. Why another list? https://hangouts.google.com/
  • Skype for Business: For Microsoft Office 365 users, Skype for Business is included in most packages. In typical Microsoft fashion, Skype for Business is a combination of a few different applications and platforms. Lync, the now retired chat application, and the consumer version of Skype were combined onto the Office 365 platform. This can make things a bit confusing to set up, but once you do, you’ll find Skype for Business a solid video experience. https://www.skype.com/en/business/skype-for-business/

Video for external communication

Communicating with people outside your organization, customers or vendors for instance, requires a different type of video application. Features such as easy sign-in, browser-based clients, and quick set-up are important requirements.

  • Zoom: A heavily funded “unicorn”, Zoom has grown by offering simple, high-quality video calls, webinars, and training tools. We’ve had a few calls through Zoom, and found the application easy to install, and the video quality excellent. https://zoom.us/
  • ClickMeeting: This marketing company spin-off focuses on webinars, and includes branding and recording tools. The price is right for events up to 500 people, and the set-up is relatively easy. https://clickmeeting.com/
  • Webex:  One of the earliest entries in the video conferencing and webinar market, Webex has tried to keep up with the competition with a number of different options, including screen-sharing and phone dial-in capability. Still, the application feels stale, the install is a bit messy, and the pricing is not as favorable as some of the newcomers. https://www.webex.com/

Are you a founder?

On a recent flight from the west coast, I watched a biography, The Founder, about Ray Kroc, the founder of McDonald’s.

Kroc was a middle-aged, struggling blender salesman with a history of entrepreneurial failures. He came across the McDonald brothers after they ordered some blenders. The McDonalds were running a small, popular hamburger stand in San Bernardino, California. They innovated by eschewing the trendy, restaurant-style burger joint and instead invented the no-frills, fast-food approach. The McDonald brothers were happy micromanaging their small operation, and were wary of franchising and losing quality control.

Kroc, convinced they were sitting on a gold mine, persuaded them to give him a chance to sell some franchises. After a few years of fast, aggressive growth, Kroc bought out the McDonald brothers. Kroc died a billionaire in 1984.

It’s a fascinating story that sheds light on what it takes to start a business, to run a business, and to grow a business.  The McDonald brothers were great at starting and running their hamburger stand. However, when it came to growing, they didn’t have the personality, the drive, nor the tools. Kroc was the opposite – an aggressive, extroverted man willing to do whatever it takes to sell an idea. Was he a founder? I guess it depends on our definition. He was a certain kind of founder.

The Founder got me thinking about the businesses I’ve founded, ran, and grown, as well as those of my clients and friends. Are you a founder? What kind are you?


What’s in your stack?

Stack of pancakes

You may have heard various computer people throw around the s-word. A stack, in IT terminology, usually refers to a solution stack. Any software application, whether it’s your website, email client, favorite iPhone app, or your online CRM, is developed and run on top of a set of standardized, prebuilt, building blocks. These building blocks, each running on top of another, together define a stack. Application builders have a choice of different stacks, and usually choose based on the type of application, the target device(s), cost, and personal preference.

The archetypal stack consists of Linux, Apache, MySQL, and PHP, and is therefore known as LAMP. The LAMP stack has historically been used for many of the most popular web applications, including the original Facebook!

This simplified diagram is the LAMP stack that ran the original Facebook site. In this stack, which is all open-source and free to use, the servers are running an operating system known as Linux. On top of Linux, runs Apache, a web server that was responsible for “serving” your Facebook pages to your browser. MySQL, which also runs on Linux, is a general-purpose database, in which Facebook stored user names, posts, pictures, etc. Finally PHP is a scripting engine, that when run on Apache, can interpret code in order to customize web pages by using the information stored in the MySQL database.

In order to build the first Facebook, our young Mark Zuckerberg only had to design his database and build dynamic web pages using HTML and PHP. The stack would then allow the Facebook web site to run on practically any hardware, and work on any standard browser. Before publicly available stacks like LAMP were built, programmers had to create all the building blocks themselves, which greatly increased the time and effort required to bring a product to market.

Today, typical stacks add many more blocks and layers, and usually reside in the cloud. Some stacks, such as AWS Lambda, completely free application developers from worrying about servers, operating systems, or databases, and can even provide drag and drop interfaces that empower users to build complex business processes without even knowing any code!

Your Personal Password Plan

A few days ago, Yahoo’s revelation of a suspected 2014 security breach generated enough media coverage to give us a much-needed respite from the presidential campaign. Some outlets simply recycled the same old password-resetting advice, some boldly predicted apocalypse, and some entertained us with CYA articles from within Yahoo.

Leaving behind the hyperbole, the only certainty is that passwords are not going away anytime soon, and that this will surely happen again. If you’re like most people, you need a plan so that you can feel safe enough, and can ignore these articles in the future.

Here’s the plan. It will take you a while, but once you’re done, you can relax that your important personal data is as safe as it can reasonably be:

  1. Make a list of all the websites and apps that you use regularly
  2. Mark the ones that have important personal information* stored in them
  3. Download LastPass** and install it on your computer and mobile devices. Splurge for the $12/year LastPass Premium; your passwords are important.
  4. Install the basic Google Authenticator App (available from your device’s app store) on your mobile device
  5. Create a very strong master password in LastPass, memorize it, and turn on two-factor authentication in LastPass using Google Authenticator
  6. On every site/app you marked, do the following:
    • Change the password to a unique, LastPass generated strong password.  It is very important that you do not use the same password across multiple sites/apps.
    • Turn on two-factor authentication using Google Authenticator
    • Add each site/app to your LastPass account
  7. Set password and/or fingerprint locks on all your mobile devices
  8. Encrypt the hard drives on all your laptops

*All financial websites, all email accounts (Gmail, Yahoo, Outlook.com, etc.), all cloud files (Dropbox, iCloud, Google Drive, etc.), all health-related sites, all insurance sites. Shopping sites? If you don’t store your credit card number on them, then don’t worry too much. Only store your card on shopping sites you use regularly, like Amazon or Seamless, in which case you should mark those as personal information.
**Why LastPass? Because we like it. All the well-known online password managers, such as 1Password and Dashlane, work well too.

Frequently Asked Questions:

  1. What if LastPass gets hacked? The short answer is, it doesn’t really matter because your passwords are strongly encrypted and only you have the key. You also have multi-factor authentication, which will protect you while you change your passwords.
  2. What is two-factor authentication? It’s an additional way to ensure you are whom you say you are. This is currently the best way to protect sensitive information. Even if someone, somehow, figures out your password, they can’t log in as you unless they also verify identity through other means such as a text message or Google Authenticator.
  3. Am I 100% safe if I do all this? Of course not. But you will have done everything you reasonably can do to protect yourself.
  4. What if I share passwords with other family members? Get them a LastPass account too, and share the passwords with them through LastPass.
  5. Do I need to regularly change passwords? Not a bad idea, but not necessary if you do all the above.

The Problem with Microsoft OneDrive

Since its inception in 2007, Microsoft OneDrive for Business, a cloud file sharing tool, has been plagued by marketing missteps. Given the excellent launches of Microsoft’s Azure and Office 365 into the cloud space, OneDrive’s inability to gain market share among IT departments or consultants is a head-scratcher.

Compared to its main rivals Box, Dropbox, and Google Drive,  OneDrive sits dead last in usage, stability, and business-related features. In addition to technical issues such as a buggy sync tool,  marketing miscues include a painful re-branding following a lawsuit from Britain’s Sky TV service and a recent walk back from a promise of unlimited storage.

As an IT provider and a staunch supporter of the public cloud, we’ve tested and supported all the major cloud file sharing platforms. Considering OneDrive’s advantage of tight integration with Windows and Office 365, we expected much more. Instead, Microsoft’s product led to the highest number of support calls and lowest user satisfaction.

Microsoft revealed its own lack of faith in OneDrive with a 2014 partnership with Dropbox, which has recently deepened. In a quiet IPO market, an acquisition announcement may not be far off.

Until then, Microsoft will continue to hedge its bets with updates to OneDrive, knowing that most IT experts prefer its rivals. Stay tuned.

Blockchain: change is coming

Few people outside of the tech industry have heard of blockchain, which is the technology behind Bitcoin. Many technology experts believe that over the next decade, blockchain will revolutionize how we do business.

Today, almost all business transactions, whether paying a vendor, buying an item on eBay, or trading stocks, take place through an intermediary  that verifies, logs, and validates the transaction. For example, in the case of banking, the intermediary is known as a clearing house. This model, which was established long before the internet, has several drawbacks. For one, the middleman takes a piece of the action.  For example, exchanging currencies carries a hefty fee. An intermediary also slows things down – think of the last time you deposited a check, and how long you had to wait for it to clear. Finally, this model is vulnerable; if an intermediary is incapacitated, the entire marketplace can grind to a halt.

In 2008, a person or group (it’s not entirely clear which) named Satoshi Nakamoto proposed a different way of transacting business. Instead of an intermediary, we could use technology to ensure that every business transaction is verified, logged, and validated. Instead of an intermediary, all business participants keep a copy of a list of all the relevant business transactions. Then when a new transaction is requested, anyone can log it in the list (called a “ledger”). The ledger would then automatically sync to all the other copies of the ledger. The transaction is verified and validated when a majority of participants record and approve the transaction. Since there is a history of all transactions, and multiple copies of the ledger, the system is less vulnerable to fraud and outages.

While the jury is still out on Bitcoin, the best-known example of blockchain technology in action, financial services companies worldwide, including most major banks, are aggressively testing variations of blockchain to conduct financial transactions. They know that traditional banking models will eventually go the way of the newspaper and the travel agent, and they don’t want to be left behind.


The Weakest Link in your Company’s Security Plan? It’s You

Best practices for cybersecurity at small and medium-sized businesses (SMBs) usually focus on network security, operating system patches, password management, and monitoring.

While these practices are important components of every security plan, the lowest-hanging fruit for potential attackers has shifted over the last few years. As more businesses have moved their email servers and other sensitive applications to the cloud, fortifying a typical attack vector, attackers have shifted their strategy.

Nowadays, the most common damaging security breaches involve sophisticated spear-phishing attacks that penetrate every company’s weakest link: its people.

It’s well known that people are biased to believe a good story. Technology itself will never prevent a good con. In addition to strong monitoring, what a business needs to do is prepare and educate.

Preparing means controlling the damage that spear-phishing can do, for example by limiting any bank transaction above $5,000 unless it has multiple approvals. Educating involves familiarizing your staff with specific examples of common social engineering attacks, and building a healthy skepticism in all your employees. Education must be ongoing and reinforced to be effective.

Next time you think about how you’ll improve your company’s security, or even the security in your personal life, follow all the recommended best practices. But don’t forget that you, your employees, or your family, may be the weakest link in the chain, and take action to prepare and educate.