I have a spreadsheet with over 150 passwords on it. I have to change my work passwords every 45, 60, and 90 days depending on the system. I ask myself ‘is this more secure?’
I’m no security expert, and sometimes the rules really bug me. Why do I need to change my password? Why should I have different passwords? What is the risk if I don’t follow the rules? I wanted to vent a little, so I started this article. Then I did my research to better understand the issue. Here is what I learned:
The security experts tell us to change our password often. The best reasons I have seen have to do with holding off the attackers long enough for the password to have changed. If an attacker gets ahold of a password file, from a backup tape, the trash, or breaking in, then they could use that to log onto any accounts that haven’t changed the password.
The nice thing about those password files is that they are encrypted, or hashed, so that hackers don’t actually put in your real password; they use the hashed version from the file. If you simply change one letter, or add a number, then the hash is different and can’t be hacked. The problem is that a hacker could break the encryption and actually figure out your password pattern. Then they could easily guess your next password, giving them access to your account.
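The point above, as an added example that is not part of the original article: a one-character change produces a completely different hash, yet a password-change check can still flag the new password as a predictable variant of the old one. The sample passwords, the fixed salt, the low iteration count and the variant rules are all constructed for illustration.

```python
import hashlib
import re

ITERATIONS = 10_000  # constructed, low value so the demo runs quickly


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for what a system might store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def differing_bits(a: bytes, b: bytes) -> int:
    """Count the bit positions in which two equal-length hashes differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def predictable_variants(old: str) -> set:
    """Passwords that follow an obvious pattern from `old` (illustrative rules)."""
    variants = set()
    # Trailing number bumped up or down: Summer2012 -> Summer2013
    match = re.fullmatch(r"(.*?)(\d+)", old)
    if match:
        stem, num = match.group(1), match.group(2)
        for delta in range(-3, 4):
            value = int(num) + delta
            if delta != 0 and value >= 0:
                variants.add(stem + str(value).zfill(len(num)))
    # One digit or symbol appended: hunter -> hunter1
    for ch in "0123456789!@#$":
        variants.add(old + ch)
    # Case of the first letter flipped: summer2012 -> Summer2012
    if old:
        variants.add(old[0].swapcase() + old[1:])
    variants.discard(old)
    return variants


def is_predictable_change(old: str, new: str) -> bool:
    """Policy check at password-change time, when both values are in hand."""
    return new == old or new in predictable_variants(old)


if __name__ == "__main__":
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    old_pw, new_pw = "Summer2012", "Summer2013"              # constructed
    old_hash = hash_password(old_pw, salt)
    new_hash = hash_password(new_pw, salt)
    # The stored hashes look unrelated even though one character changed.
    print("bits that differ:", differing_bits(old_hash, new_hash), "of 256")
    # The change is still rejected because it follows the old pattern.
    print("predictable change:", is_predictable_change(old_pw, new_pw))
    print("unrelated change:  ",
          is_predictable_change(old_pw, "correct horse battery staple"))
```

A check like this only works at change time, because that is the one moment the system legitimately sees both the current and the new password.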
What are the odds that you or I would be singled out for attack? Hopefully, those odds are not very high, but how much risk are you willing to take? If your whole company system gets stolen, copied, shut down, or broken, how much blame do you want to take? It’s probably better to just suffer by changing your password.
Why can’t all my passwords be the same? The problem with that is that hackers can get passwords from the least secure system. Even worse is that the people who run all of those other systems have access to your unencrypted password. Joe, at buycoolstuffhere.com, created the site simply to steal people’s passwords with a good username. He then uses those codes at every financial web site until something works. Then he has full access to your money.
Why do I have to answer security questions? The security questions are usually there in case you forget your password. The answers are usually pretty simple to find on the internet and are the most risky for casual users. People in the public eye are constantly having their email spilled to the public by people who figured out what street they lived on when they were growing up. Some advice from the internet is to have answers that are not really answers, but hints to your password. What was the name of your first pet? “My favorite song lyric”
Bad passwords and PINs: American Express has an authentication PIN that has to be 4 digits. When I tried to give them numbers I could remember, they told me it had to be a date. Why would they decrease the security possibilities from 10,000 down to 365?
I can see my payroll info online if I remember an 8-digit PIN. The problem is that I am running out of unique numbers that I can actually remember. For me to remember an 8-digit number, it must be a full date, or part of a phone number; I don’t have any other long numbers that are burned into my brain well enough to not forget.
Internal security is just as important as external security. Most companies won’t get hacked by strangers in a way that will cause them any material harm. It is the employees who pose the most danger. If your employees have access to everything, what’s to stop them from downloading the customer list and selling it to the competition? It is important to divide up all data, and only give access where it is needed for people’s jobs. Look at SOX requirements even if they are not necessary; they make sure that users don’t have too much access to the system. That may be why you are limited on your own system, and sometimes can’t even get data you actually need.
So, until a better security system is built, I’ve got over 150 passwords to remember. My spreadsheet doesn’t actually have the real password listed, just a hint to it. The file itself is password protected, heaven help me if I forget that one.
Do you have a good security story? Leave it in the comments below. Do you know that it’s a global world and Technology makes it happen?
ERP – Who to Choose 12/30/2012
I’ve often been asked “Did we choose the right system?” Usually it is right after we experience a serious bug, or something goes wrong causing a project delay. Would another system have prevented this particular issue?
The answer is always ‘Yes’. We did pick the right software, despite the current problems. And ‘Yes’ another system would probably have allowed us to avoid this problem, but would have caused others. As long as we followed our plan, identified our priorities and compared correctly, we know we chose as best we could.
So what was the plan? What do you need to plan in order to choose a new software system?
The single most important aspect of choosing your new software is the list of requirements. You need to understand what you need to succeed, and a list of benchmarks so that you know when you get there. Everyone in the company should have the opportunity to help prioritize the requirements. This is the chance to visualize the company running at peak operational efficiency and growing as fast as possible. The new software needs to be able to accomplish all of the current requirements plus future needs.
You need to think about your requirements from a perspective of the future. Will it be scalable enough? Does it have the modules to cover functionality that you don’t need now, but could find a use for when there is time to experiment? What other tools will you need to go alongside your new software? How much data does it need to accept and how? What other systems will you connect it to?
I make a long list of requirements, and then prioritize them from most important to least important. Then I like to make a single sheet listing the top requirements with room for evaluation and notes. These note pages can be used as a scoring sheet for objective comparisons between systems.
You will need a lot of support during the years of using this software. Make absolutely certain that the company you choose will have smart people who can guide you when you have problems. You might have to call other companies already using the system to get a good idea of how their support program works.
Some companies charge extra for support, and some have fixed contracts that automatically include support. You will need to know the structure of support before going into negotiations to buy your new software.
Working with another company to implement new software is not an easy project. You must be ready to accept them as partners. They should have lots of experience working with companies in your industry and of your size. They should be ready to explain the process, their expectations, how long it should take and how many people need to be involved. You need to get a feel for the difficulty of an implementation, and how much work your team will do compared to how much work will be done by outsiders. Training will take up a large amount of implementation and could be done in different ways; how much time will this one take?
When getting trained, you will have to make choices on the basic setup of the system and how much to change the out-of-the-box configurations. Most large software allows you to process similar functions differently depending on requirements; you must have an idea of how many different choices there are to be able to compare the different choices of software.
Loading Legacy Data
Your system will begin either fresh with no data, or have old data loaded into it. You will need to get some idea of the difficulty of loading data into the system. Some data may be easily added using standard formats like Excel; and some may require more effort. You may have to load data compiled from different systems; it will have to be mapped to the new system. How much help will you get? How much experience do they have mapping data from your old system? How successful have other companies been with loading data?
Obviously your new software will need to run on a computer. Whether that computer is located in your own office, at a server farm, hosted by a third party, or transparent to you in a SaaS environment is totally up to you. Make sure that your needs are covered by the company producing your new software. It would be a regrettable decision to buy software that couldn’t be run as a service and then ask them to set up SaaS.
Interfacing with Other Systems
Any software you run should not be run in a vacuum. It will need to send data to people and systems, as well as receive data from people and systems. You may want automatic interfaces set up to continuously communicate with existing systems. This should all be possible on any new software that you choose to buy.
One of the main reasons I left my first job was that the software I used couldn’t communicate with anything. Even creating a report was difficult. I knew that software like that was doomed to obscurity and I needed to get out before I was left in the dust.
Make the Choice
Using your prioritized criteria, you should be able to make a good decision of which software to purchase. Don’t look back for regrets; you made your decision the best way you could. There will be problems that you will be able to solve; don’t let that destroy all of the hard work you put into making the right decision.
Have you been through the decision process? Did it work for you? Do you like the new software? What would you have done differently? Let me know in the comments.
Be happy with your new software. You now understand that it’s a global world and Technology makes it happen.
Choosing Your New ERP System 11/29/2012
After you’ve gotten the approval to start the process for a new ERP software system, it is time to start the search and make the decision of what to buy. It is a project on its own just to make that decision. It should take one to three months to go through all of the options to determine the best solution.
The way to begin this project is to lay out your plan. You need to have an idea of what steps you will take and how long you have to finish. The plan needs to include who will be involved, how much, and who gets to make the final decision.
The first part of the plan is who will be included. This is an important project and the right people need to be included on the team. A senior manager that knows how important the project is, and has authority to set priorities needs to be on the team. Others as representatives of major departments need to be included. The best person to represent the department doesn’t have to be the highest manager; you need to include the one who understands what is needed, but also has the time to attend the meetings.
As you get a commitment from enough people to fairly represent the company, you will create a meeting schedule. Once a week may be enough to start, but eventually you will have vendor responses to review and demonstrations to watch. This will increase the time commitment from the team. These people need to understand that this project is just as important as their ‘day jobs’. They will need to dedicate some time to this project, even if it means doing overtime on their normal responsibilities. This part is crucial because ignoring the project for too long will ensure failure.
Probably the most important part of the selection process is the requirements. The team needs to define their requirements for the new system and prioritize their needs. Not all software will do exactly what they need in the way that they want it, so they need to be ready to determine what is critical and what is nice to have. The requirements should start with replacing what they already do, and then consider what is needed for the future of the company. You will need to include the details of current operations such as Purchasing, Selling, Accounting, etc. Also think about reporting, dashboards, paper output and screen design.
Along with the processes, you will have to consider the technical aspects of the software. Will you want it in the cloud or on premises? If you are thinking about the cloud, do you want software as a service (SaaS) or platform as a service (PaaS)? You need to know the difference, and understand the language so that when a vendor describes their solution you can correctly interpret what they are saying.
Can your IT department support the new demands of the software? Will you need new people to create reports, customize the software, and support the growing demand for security? These are important discussions to have before choosing the final software.
Once you have a good set of requirements, you can send out some sort of questionnaire, request for proposal (RFP), or other document to a list of vendors. Their responses should be evaluated by the full team to determine a short list for demos.
You can have 4 or 5 short demos if your list of vendors is still too long to decide. That should help you narrow the choice down to 2. These demos need to be held to under two hours, and the vendor needs to be aware that you will cut them off if necessary. Doing a lot of demos can be overwhelming to the team and they will forget what the first demo looked like at the end of the process. You need to make sure that discussions are timely and that notes are taken for later review.
Your final choice should be made from the top 2 vendors. These final vendors should be given the opportunity to show you their best presentation. Give them the amount of time that they need to impress you. This might take several hours for each of them and require a couple of days’ worth of time from your committee.
I like to prepare a document for the team that lists out the requirements and gives them the ability to write notes about each requirement and give each a grade. The grades can then be tallied to objectively decide which software is better. If notes are made using the same format, they are easier to compare. The notes also make it more difficult to forget the important parts.
One of the hardest parts of this process will be to notify the losing company that they were not chosen. They may come back with lots of questions that will require more work and put you in an uncomfortable position. One time, I had a salesman email my boss describing how unfair my process was, and how they thought they were being strung along when the decision had been made in advance. While embarrassing, I had the full documentation to show that no decision was made until the end, and the notes showed the grades where the number 2 company was very close, but clearly the second choice.
Once you make the decision and notify the winning company of your intentions, it is time to sign a contract. Make sure that you have professional negotiators at the table to get the best deal possible.
Now that you have decided on your new ERP or other large software project, the fun is just beginning. You already have a good team who understands the issues, and are ready to work. They know that it is a global world, and Technology makes it happen.
ERP – The User Conference 08/27/2012
This month I went to the User Conference for the ERP system that I have been implementing. It is incredibly important to network with other users of the same software. I met numerous people who have struggled with the same issues I have, and had great conversations about their insights. I learned about other ways the software can be used, and workarounds for known problems. I traded contact information with people who might be able to help us in the future, or whom I might be able to one day give a hand.
The conference was huuuge; there were around 4,500 people. Apparently we trended on Twitter twice during the week. They included partners who sell and support the software, they had customers, and they had vendors who make bolt-on products. There was a trade show with booths for companies that work with the software.
I loved walking around the trade show area, where I could learn so much about the possibilities for the IT department. I viewed demos of scanning equipment which could improve the manufacturing process and integrate seamlessly. I had a discussion with the people at a company who have a better alert system that reads data right from SQL. I saw several great BI products to make dashboards or reports.
They had presentations running all day covering all kinds of subjects. Obviously, the software was a main topic, but they also had generic business presentations to talk about creating a vision, or managing technical people. I went to all the presentations that I could possibly get to, but there were more than any team of people could cover.
The presentations were great for talking about using the software in new and unique ways. I had an interesting discussion with an IT director on why he bought some software to automate sending out invoices. The ERP system could be made to do it, but it would have taken the IT department quite a bit of time and opportunity costs to get it done. The automation company came in with consultants, talked with his sales staff, trained them on the software and got everything set up. He and his team then got some quick training later to be able to support it. While all of that was going on, he could concentrate on other more important projects. It was a win-win for them. I kept thinking about how I could get the ERP system to do the same thing, but realized how much time it would take to support.
I did a presentation on security that was well received. I talked about how I helped a company create a very complex security system within the ERP system without customization. I showed a group of around 80 people what was possible when using the software to its fullest potential. Hopefully some of them got some good ideas from the hour-long talk and will be able to implement them easily. One person even surprised me and asked about setting up even more complicated security.
After the official activities were concluded each day, there were cocktail ‘parties’ hosted by companies who wanted our attention. These were not only fun, but included people that I would not have otherwise gotten a chance to talk to. These were some of the movers and shakers at their own companies. They were the IT people who really understood the software and could easily discuss issues and problems.
I saw plenty of people skipping out on a presentation or activity to use the Wi-Fi to dial in to work and fix a problem or two. I thought about how sad it was that their company couldn’t let them alone for just a few days to participate in this amazing experience. Instead of learning about new possibilities, they were stuck dealing with the status quo. But at least they were there and got a taste of the future.
I have worked with people who couldn’t justify the cost for an out-of-town trip and three to five days out of the office for this kind of event. I say to them that the cost is higher when no one goes. An ERP system from a large software company has so many people with good ideas that they shouldn’t hide from them. They can’t operate in a vacuum and ignore the possibilities that exist. They have to learn that it’s a global world out there and technology makes it happen.
ERP Training and Power Users 06/28/2012
A full ERP implementation project will contain plenty of training. All the members of the company need to start from scratch to learn the use of the new system. I’ve scheduled classes where we have 10 days of classes plus three alternates a week or two later for anyone who missed it. The thing to remember is that this is just for the basics; you will spend much more time with the people destined to become your ‘Power Users’.
The main classes that will be scheduled are for beginning, 101, learn-how-to-navigate type instruction. When users log on for the first time, they need an idea of what to expect, how to get what they need and what they are allowed to do. Everyone will need that class so it will be the biggest or most offered class.
After the beginning class, you will need some specific classes. The Accounting group will need to go into detail on the accounting screens. The Manufacturing groups will need specifics on how to run MRP, use Work Orders, order Supplies, etc. The Customer service group will need to understand Sales Orders, Cases, how to change documents, and update notes. The point is that these classes will be smaller and need to include only the groups that focus on the topic being taught.
Most project managers and organizers will stop there. They will teach what is needed and then allow the users to figure out if they need further functionality or further help. It has been my experience that users don’t know to ask for more. They will start using the system in the way that they are taught and not try to branch out for better, more efficient processes. Usually a new employee, or outside consultant will bring in ideas on how to use the software better. It’s rare that someone just figures out better functionality, communicates the process with their manager and gets the company to adopt the new process.
As I wrote in a previous article, follow-up training is necessary. Once users become familiar enough with the software, they need a time to go back to ask questions. They will want the details on why they do what they do. They need to know how it impacts the company and what the big picture looks like.
That full process will take care of most of your users. Beyond that, however, are the ‘Power Users’. These are the people who seriously want to take advantage of the system and use it to the fullest extent possible. These are the people who currently have massive spreadsheets that they download to understand the data. They need to understand what is going on at a basic level and make decisions based on that information.
These are the people who will try your patience once the new software is going strong. They will need one-on-one guidance for their crazy projects. They will stretch your understanding of the software to its limits and force you to call the vendor.
Now is the time to plan for their training. They know what they do, and will be able to explain what they need. You will be able to schedule one class for a bunch of them, or several classes if needed. Getting them together may even work in your favor, giving them other resources to go to and other further ideas on how to improve the status quo. You need to be at the top of your game and have good backup support for these classes. You might want managers included in the room so that if ideas get out of hand, they can be cooled down.
Watch the beginning classes for the people who ask the most questions in the most detail. Figure out who you think will become your ‘Power Users’ to include in the new classes. Talk to them in advance to get an idea of what they will need. Figure out how many of them can go into the same class.
These are the people that will figure out how to drag the last penny of profit out of what you currently have. They will need data; all they can get, and more if possible. They will need access to the system; more than the IT department currently provides for them on the standard templates. They will need instruction on what other departments do, and how that relates to what they do.
We spend so much time on teaching the basics. Many classes have to go at the speed of the slowest user. This won’t allow the best use of the software, and won’t create that immediate ROI that was the biggest reason for the software. Spend a little more time and attention on the best and the brightest. They are the ones who will have the biggest return on your investment. They are the ones who know that it’s a global world and Technology makes it happen.
Comment with your stories of how users stretched the possibilities of your new software and how you had to develop new training to keep up.