| Carolinas IT

Experience peace of mind.


Leader’s IT Checklist for 2015 – 10 Questions to Save Time and Avoid Headaches

If you are like most leaders I know, your time is one of your most valuable assets.   Taking time to think about your computer system may only happen rarely or if there are problems.   As a leader, I’ve found that one of my most powerful time saving tools for being proactive is to ask questions of my staff. The answers provide insight into what is going right, and what needs improvement.    I’ve put together a quick hit list of questions to help you be proactive, and ask the right questions to avoid problems, wastes of time, and productivity drains on your organization in 2015.   There are many more, but these should provide a nice starting point to get the conversation going in the right direction.

 1. What is your cloud strategy? As a leader, can you succinctly articulate it? Most organizations aren’t ready for a complete migration to either a Public or Private Cloud, but you should have a strategy that maps out your plan for leveraging the cloud over the next few years.       Perhaps you start with one aspect of your network, such as email, and then systematically move other applications and services to cloud based platforms.

2. When was the last time you actually did a restore from your backup? If your office is shut down for a few days or weeks, or a critical component fails or data is destroyed, how would you keep functioning? How long (realistically) will it take to get you back in business? Can your team work from home if power is off at the office? Where are the backups actually kept, and who has access to them both(physically and logically?

3. How are you protected against the new wave of self-mutating viruses and ransomware? It became very evident in 2014 that traditional firewalls do not provide protection against viruses that can spawn thousands of variants in a day, and even the best anti-virus offers incomplete protection. Don’t find yourself in a situation where you are at the mercy of an Eastern European extortion scheme that is costly in terms of downtime, potential data loss, and compromise of confidential information.

4. If you had to produce documentation of licensing for every copy of Microsoft Office and every server and Client License in use, could you do it? Microsoft, Adobe, Symantec, and other software companies are very serious about enforcing software licensing.       Saying “I thought it came with the PC” won’t help. In addition to the expense of getting in compliance, software firms will require historical records so they can figure out how much is owed from previous years, and then there are the fines and penalties. We’ve seen a dramatic increase in the number of these type of audits over the past year.

5. Do you know who within your organization has rights to information on your network? Who can see that HR spreadsheet that lists everyone’s salary? What about employee reviews? Hint – if they are backed up every night, then more people than you think probably have rights.

6. How would you know if something were about to go wrong or had already gone wrong on one of your critical devices? I don’t know how many times I’ve walked into a server room and seen a red light on a hard drive indicating it was either failed or had already failed, and the system was running on a spare drive. Most devices have an amazing ability to provide information that gives       insight into their health, how are you leveraging that ability?

7. If a laptop or mobile device was lost or stolen, would you worry about what information was on it? What data would be on it? Could you absolutely be certain the data could not be accessed or used?

8. Do any of your employees use file sharing or backup services such as Dropbox, Carbonite, Crashplan, or Google docs? Do you have access to this account? How do you control what they share with the world? Would it be possible for an employee to copy key documents from your network for use after they left your team?

9. How do you know that all of the devices on your network are patched, have the latest anti-virus, and are virus/malware free? Your network is only as strong as the weakest link. With more and more employees bringing their own device to work, you don’t want to let the virus that someone got from home cause a disruption to your business.

10. Do you have formal policies in place, and has everyone in your firm been trained on them and has this training been documented? Remember, it’s tough to hold someone accountable for something you didn’t tell them they couldn’t do. Some networks can combine all of these into a single policy, others will need separate and distinct policies.

    • Acceptable Use – What they can and can’t do on the network
    • Mobile Device – What type of device can be used and how
    • Internet Access – What they can and can’t do on the Internet
    • Email and Communications – How email and communications tools can be used, how electronic communications are archived for future reference
    • Network Security – How the network is secured logically and physically from threats
    • Remote Access – How the network can be accessed remotely, by what devices and where
    • Media Destruction -Destruction of old hard drives, disks, and mobile devices containing data handled




Avoiding a Social Engineering Attack

I’ve had a few clients ask, “How do I know an email or call is legitimately from Carolinas IT?” This is a very good question so I wanted to address it in this post. For any organization, standard company procedures and training form the first line of defense against being hacked or infected. Make sure your employees don’t give out information or follow links that could cause your system to be compromised. A social engineering attack is one of the most common ways that hackers attempt to penetrate your defenses. For instance, if one of your users gets a very generic email or call from someone they don’t know that claims to be from their “IT Department”, and this caller or email requests that they provide password or account login information, or download a new “patch”. These type of calls or emails are generally very plain, with no contact information, logos or other identifying information. This is very likely a fraud, and something that our staff would not do.

Emails and calls from Carolinas IT will always plainly feature our logos, contact information, and the name of the person sending, who is most likely someone you have dealt with in the past. If you have any questions, the best thing to do is to just pick up the phone and call our main number and ask for the person. Our main phone number will not change, so by calling back in you have verified that you are speaking to someone who is legitimately from our organization. You can always call your Carolinas IT account rep as well.

A Few Comments From Our Clients

One of my favorite activities as the company president is to review the feedback that comes in daily from our clients. I summarize and send back out to all of our employees as a small way to recognize their efforts. I’ve pasted a screenshot from the folder where I keep those emails below. Makes me very proud to lead this team!


What Are You Reading?

Over the years, a common question that has been posed to me is, “What are you reading?” I try to mix it up a bit to gain perspectives from different angles, but my favorite topics are evident: History, Leadership, Inspiration, and Technology. Podcasts and audiobooks have become a mainstay of my professional education, turning otherwise wasted time travelling or waiting into a much anticipated period of learning. The list below is by no means comprehensive, but it hits most of the significant points that come to mind and have some lasting value. The Bible is a daily resource for me, and I refer to others frequently, such as The Gallic Wars, and Emerson’s writings. I didn’t include the mountain of technical books on administration and engineering of specific software applications, or Marine Corps centric publications and manuals. I hope you find something on the list of value!

Here’s a link to the full list: Reading and Podcast List.

With Warm Regards,


10 Things You Should Know About Cloud Computing

Over the past few years, much of the work we have done with clients involves some aspect of Cloud Computing. I thought I’d list out a few thoughts for anyone interested. For the sake of brevity, I just listed the main points that seem to come up frequently. There are many more, but these will get you started. As always, I’ll be glad to discuss any of them with you if you have questions.

1. “The Cloud” is not one single thing, it is comprised of an array of services offered by thousands of vendors across the Internet. Some may be of use to you, others probably aren’t. Much like you get services at home from various power, water, waste, yard maintenance, cleaning, painting, and maintenance providers, shifting services to the cloud allows you to pay for the service you are using. You don’t need to own the lawnmower and edger, you just want to know that the yard will look nice.

2. Just because you move one segment of your data to the cloud doesn’t mean you have to move everything there. It might make sense for your specific situation, but it isn’t a requirement. It might make sense to move your email first, but keep a local file server and have a cloud based backup system.

3. Most of our clients find that a hybrid strategy makes the most sense, leveraging public cloud services for some applications such as line of business, CRM, or ERP functions, while keeping highly sensitive or customized data and applications in a private cloud that they have more control over.

4. Private cloud usually provides more control, flexibility and performance, public cloud provides specific applications at a lower price. Both offer freedom from hardware and software upgrades cycles. Don’t assume either is secure, ask questions pertinent to your particular requirements. Don’t assume that all private clouds are equal. One may be running on a couple servers in someone’s basement, and another might have high end enterprise equipment. A tour to actually see the datacenter and meet the support personnel is a very good idea if possible.

5. Migrating data and applications to the cloud doesn’t always directly save money, it just shifts expenditures from Capital expenses to Operational expenses. Potential cloud savings may come in terms of operational efficiency, scalability, security, or flexibility rather than direct costs. Running an ROI analysis that incorporates as many aspects as possible will help you analyze and make a good decision.

6. The most important aspect of introducing cloud services into your organization is thinking through the workflow. How does your team members operate currently, how is the optimal way to operate, and can the cloud give you the workflow desired? If the design doesn’t support the workflow, the cloud deployment will fail, or end up being very expensive in terms of lost productivity.

7. It pays to understand licensing agreements of cloud models, especially with Microsoft products. The cheapest license may not be the one that supports your cloud workflow, and it may require you to purchase duplicate licenses to be in compliance. When a Microsoft audit (this is happening more frequently now) finds discrepancies, saying that you didn’t understand the licensing mode won’t help pay the hefty fine.

8. Putting any aspect of your operation on a cloud based platform makes your internal network more important. Switching, routing, and security must be optimized to facilitate access to applications outside of your network. You will most likely need more bandwidth, but that isn’t the end of the story. Network addressing and naming are critical, as is a unified directory that minimizes creation of multiple accounts for multiple services.

9. When evaluating a cloud services provider, you should ask lots of questions. If the cloud provider is offended or secretive, find another vendor. Remember that data centers in other countries may not have the same requirements and controls of those in the US.

- Where is the data stored, backed up, and secured? What certifications does the data center have?

- What is their disaster plan? Do they have written SOPs? What kind of redundancy is built in?

- Who will have access to the data?

- Who provides support when needed, and what Service Level Agreements are available?

10. Everything has a beginning and an ending. It’s important to know that in the event you need to get your data back from a cloud service provider, you understand the costs, timeline, and downtime required for a move. You don’t want to be a “captive audience” of a service provider that doesn’t meet your needs.

Best Regards,


Cryptolocker Virus

We are beginning to see cases of a malware program called Cryptolocker.  It is a dangerous malware/virus that infects a PC, and then uses that system to infect files on the network.  Once infected, the files cannot be accessed, and a ransom demand is made in order to get a key to unlock the files.  If the demand isn’t met, the files are permanently unusable.  Even if the payment is made, sometimes the files are damaged beyond repair.  This has the potential to make all files on your network unusable, so it is very serious. 

 Here is a safe link that provides details:


 Carolinas IT recommends the following actions to protect your network, please contact your account representative if you have any questions.


  1. Be sure that all servers and workstations are up to date with patches and anti-virus updates.  Use Active Directory to lock down systems on the network so the virus can’t run.  (If you are covered by NetOp Complete, we take care of this for you)
  2. Don’t open attachments or links you weren’t expecting.  If it’s an email attachment or link you weren’t expecting, or from someone you don’t know or do business with, pick up the phone and call them to verify that it is legitimate.  We have seen Cryptolocker arrive in an email that appears to be concerning Payroll data.  Malware attempts can be sneaky, arriving in the form of what look like Facebook, LinkedIn, shipping, or banking notifications with vaguely named attachments. NEVER open an attachment unless you know the person sending it to you and you’re expecting a file on the topic mentioned.
  3. If you do click on something unsafe and receive a CryptoLocker message, disconnect from your network connection immediately. While this won’t save your computer and files from infection, it may keep the program from spreading and infecting the rest of the network.
  4. Have a reliable backup mechanism and test it monthly as part of a disaster recovery plan.   Once infected with Cryptolocker, the only resolution is to delete the files and restore from a good backup prior to the infection.
  5. Upgrade your firewall to a model that scans files as they enter your network.  This gives you a defense in depth that should stop threats at the perimeter of your network before they have a chance to do damage.  Cisco, Palo-Alto, and Watchguard all have very good solutions.  Make sure the specific model of firewall you have actually has this functionality, many basic models do not.

Building the Reservoir of Trust

This blog post is a summary of a group discussion from our company meeting held on June 7th, 2013.  Hopefully this will explain the conversational nature of the post, and you will forgive the poor structure.

One of the most intense scenes from a movie is the D- Day landing from Saving Private Ryan. I’ve watched it many times, and each time I’m amazed by the firm determination of the American troops as they assaulted the beach into the waiting German defenders. What kind of leadership must have been in force for those men to plan and carry out that attack, knowing that at any moment they could be killed or horribly injured?

Most of the leadership challenges we face are nowhere near as intense as that, but solid leadership is still important. As I think about the kind of leadership that must have been present that day, “Esprit de Corps” seems to be a foundational component.

That bond between team members, that common spirit and devotion to the group that inspires enthusiasm. The glue that securely holds that bond is trust, without it nothing else amounts to much. When you don’t have trust – when trust breaks down, it’s easy to spot

-          Every question from a leader becomes a challenge to the competence, loyalty or ability of the team member.

-          Every response from the team member becomes insubordination.

Here’s what is sounds like: “Well, what about the specifications right here on the paper? Did you think about this variable? Why didn’t you anticipate x, y or z? (Say it in an accusatory manner with a sneer to get the full effect)

We’ve analyzed the increased operational tempo that is made possible by decentralized operations, so I won’t go into detail here, but decentralized ops relies on an implicit contract between leader and those led.

The leader will provide big picture, the vision, the intent, and the subordinate agrees to make decisions in line with that big picture.

The leader agrees to delegate that authority in order to gain the rapid tempo unleashed when the person on the scene with the facts can make a decision and act on it quickly.

What if we analyzed the implicit agreement in the other direction, what would that look like?

In order to figure this out you’d have to ask yourself, what does the team want?

-          To be listened to.

-          To have as much information as is reasonably possible.

-          To be treated with respect.

-          To be encouraged and mentored.

-          To be provided with as good of a working environment as is possible.

In exchange for those things, what will the team do for the leader?

The team will give their leader the benefit of the doubt, understanding that he’s going to make decisions and ask them to do things that may not always seem to make sense at the time. Over cycles of operation, the trust will build and become so ingrained that the leader and his/her team operate as if they are in constant communication, even if they haven’t spoken for days.

Decisions will be vigorously and enthusiastically implemented as if the team had come up with them originally.

Not begrudgingly, not with whispers and eye rolling.  You won’t hear someone say something to the effect of “I really don’t think this is a good idea, but the boss says it’s the way we’ve got to do it, so that’s what we’re going to do.”

What about dissent? How should that be handled?

Dissent is important as a source of new ideas and as a disruption from the normal routine.  Dissent plays a vital role in giving rise to innovation.  However, it must be presented respectfully, in the right time and place.  Good leaders provide mechanisms to capture, analyze and evaluate dissent such as regular meetings with subordinates,  suggestion boxes, and group discussions.  Dissent presented in a positive manner is helpful and should be encouraged.  Dissent presented at the wrong time, with the wrong attitude, in a disrespectful manner should be handled with decisiveness, firmly and calmly, and the individual should be immediately removed from the scene.

Tip for leaders – You’ve got to build up enough of a reservoir of trust and respect, that even when they don’t agree with you, the team will have enough confidence in your ability and judgment that they will give you the benefit of the doubt, remain loyal, and circle back to discuss when time allows.

A common mistake many leaders make is being short and not feeling like the team deserves an explanation.

You should try to provide the team as much of the big picture as you can, along with your intent and vision.  Bits and pieces leave them scratching their heads and wondering why they can’t be trusted with the truth and provided with updated situational awareness.

Leaders  remember – you owe them an explanation.  You can’t expect to just give your team bits and pieces of information and then hammer them when they ask questions.  Take the time, show them the respect of explaining what’s going on.    Communicate (that means listen as well as talk)  Show respect, take the time to build up that reservoir of trust and see how your Esprit de Corps develops.


Avoiding a “Zero Day” Attack

Over the past few months, we have seen an increasing threat to networks we support.  The problem is that the new viruses are changing so fast that the Anti-virus providers can’t keep up with them.  The pattern we are seeing is that code is embedded into an existing virus that causes it to change (mutate) into a new version that makes it look like something the anti-virus software hasn’t labeled as a virus.  This leads to what is known as a “zero day” attack, where you get hit before your AV product has the latest code.

A better long term solution is to upgrade the firewall to something that actually scans files as they enter your network and controls what your network users can do on the Internet.  A basic firewall is good, in that it blocks intruders from unauthorized access to your network.  It works kind of like the doors/windows on your house.  You can open certain doors or windows, and let things that normally come in to those doors through.  So for instance, you open the door (actually called a port) that web traffic comes in and out on so your employees can use the web for legitimate work.  Well, that port is now open, so in addition to legitimate work, they can browse facebook.  Unfortunately, if they click on a facebook post that has a virus, that virus can come in through the open port.

What is needed is something that not only controls ports, but actually looks at the traffic that comes in through the port, and allows you to control that traffic in a very granular manner (so for instance, you could allow certain employees to access Facebook during lunch, but not use Facebook chat)

We’ve seen these next generation firewalls in action and they are very impressive and give you great visibility to what is coming into and going out of your network.  The system uses built in intelligence, and links back to a research center to screen for threats that are known as well as threats that haven’t yet been documented.

Both Cisco and Palo Alto have some great solutions.   Which one you choose depends on your particular needs.   Here’s a link to an information sheet that gives a very good description of how they work. : http://media.paloaltonetworks.com/documents/datasheet-firewall-feature-overview.pdf

Here is some good Cisco reference material on their Intrusion Prevention System: http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459520.html

Here is a link to some videos that describe how one of the the systems work: http://www.paloaltonetworks.com/literature/videos/    Check out the one labeled “Next-Generation Firewalls: A New Dimension to Network Security”  for an overview of the system.

A New Vision By Asking Some Tough Questions

Over the years, I’ve read volumes of books and articles that address the subject of maximizing business performance and operations.  Most all of them agree that one of the most critical things you can do as a business owner is to stake out your vision for the company.   The vision should be the statement of your intent as the business owner.  It describes how you as the business owner see the company evolving.  It is a statement of where you want the company to go.  Many years ago, we as a company embarked on a discussion to craft our own vision statement.  We were all proud of our completed product:

“Our vision is to be the technology support partner of choice for organizations in the Southeastern United States through our innovation, dedication to operational excellence, leadership, and effective delivery of professional services.”

Earlier this year, I began to ask myself some tough questions.  Does the vision truly reflect who we want to be?  Does it accurately represent why we exist as a company?   Does it reflect what makes us unique?   When you parse it out, is it in sync with my most basic ideas of leadership?  I had a nagging feeling that it was too similar to the vision of every other company whose leader read Good to Great.   That it sounded overly “corporate”.  That it was more about who I thought we should be than who I knew we should be, and who we truly were.  Over the course of a few weeks,  I began to work up a new vision.  I realized that the vision had to say things that only I could authorize.  I wanted it to be a bold pronouncement of who we were, of what made Carolinas IT such a special place.  It had to give guidance that a team member could use when making decisions.  With some help from our team, it  took shape.  I think we finally got it right.

Can you see any differences?  Let me know what you think.  What would the answers be if you asked yourself some tough questions?

“We are building a world class technology services organization where our team members are valued and treated with respect.  Our company provides talented professionals with a challenging opportunity to learn, contribute, and grow while supporting their families and maintaining a healthy work-life balance.   Our formula for providing great services to our clients depends on enabling and supporting our employees, enhancing their quality of life while enabling them to share in our financial success.”



Page 1 of 3