Monthly Archives July 2014

Online Security Primer for Your Business: Monitoring (part 3 of 3)

Monitoring train speed at the rail car retarder shack Alright!  Part 1 of this online security series talked about the importance of limiting who has access to your data.  Part 2 covered what made a good password and policies about changing them, including a tool to make that easier.  Here, this series of tips to make your data safer concludes with one more simple thing you can do in case the worst happens.

I was hacked!

Even if you have a good policy about security, bad stuff can still happen to you.  Think of the security breaches you’ve heard of in the news.  You know those companies had better systems than you, right?  Well, same here.  It shouldn’t come as any surprise then (particularly given the header of this section) that the hackers found a vulnerability and hacked my site. Now, before I go on, I should say that it wasn’t this site, and the hack wasn’t so bad.  What happened was they inserted some code into an ecommerce site that sent visitors to a different site that sold knock-off drugs of the type you might see in spam emails.  It was dreadfully unprofessional, but the bad guys didn’t get credit card information or anything like that.  And they got in because of a weakness in the web store software that was being used, so no matter how good my password and personnel policies were, it could have happened at any time. My story brings me to the first recommendation for this article:

Recommendation 1: Update!  Update!  Update!

If you use some kind of software to run your online stuff (which you probably do), you will need to update it.  This might be Drupal for your website, or WordPress for your blog, or Zen Cart for your online store.  There are hundreds of different packages out there.  And for each there are widgets and plugins that add useful functions.  Any and all of these may have security vulnerabilities that are discovered over time.  When good developers discover these problems, they update their software to close that weakness. That does you no good, though, unless you keep your own installation updated to the most recent version. On a regular basis, then, you should log in everywhere and see if there are updates.  Most sites have a menu option somewhere to check for updates.  Many even check for you and have a notification system when they find a newer version.  Explore the software you’re using, figure out what to look for or what to do to check for newer version, and then do that often.  Like once a week.  You might be able to get away with checking only once a month or once a quarter, but if you’re vulnerable, you’d like to lock that down sooner rather than later, right?

The Story Continues…

There I was, looking at disbelief at the website.  Clearly something was wrong in a very bad way.  I didn’t know what had happened, or how, or how bad it was.  But I did know one thing: it had to be fixed.  Now. I started digging around.  In the code.  I’m not a web developer.  I can generally figure out what a bit of HTML or PHP is doing, but I’m no expert.  It’s about the same level as I am with Chinese: I can have a simple, limited conversation but don’t ask me to read a book because I’d have to look up every word.  I can work my way through the code but it’s not fast and it’s not pretty. The store software was made up of perhaps hundreds of different small files, each working together and contributing a bit of functionality to the whole.  And I found (in multiple files, but not most of them) code that looked like nothing I’d seen before.  My book in Chinese suddenly had Arabic passages in it that hadn’t been there before. Luckily, I had backed up the site not too long ago, so when I found a file with the weird code in it, I replaced it with the backup.  Unfortunately, as I went back to check, I found that the restored files were being re-infected faster than I could correct them.  I was losing the battle against some kind of obviously automated attack.  I was out of my depth.

Recommendation 2:  Backup!  Backup!  Backup!

I know you’ve probably heard this before, but make a backup.  Your web host’s help files should be able to tell you how to make a backup of your site.  Do this as often as you think you need to based on what your site does.  If you’re making transactions multiple times a day, with frequent new customers, you will want to back up more frequently.  If your website is little more than a digital business card or portfolio (meaning the information doesn’t change that often) a less frequent schedule will probably work. Something else to look out for: backup both the files and the databases used.  Many sites use both, so be sure you’re getting everything and not just one or the other.

Recommendation #3:  Consider Hiring a Monitoring Service

The conclusion of my story is wrapped up in this recommendation.  After several days of fighting an uphill battle against technologically superior forces, I was just about ready to shut my site down completely.  Just at that time, I got a referral from a friend and signed up at Sucuri Security (my affiliate link) for site cleaning and monitoring.  To this day, it was the best $90 I’ve ever spent for something related to a website. When I signed up, I gave them access to my site.  Within 24 hours, they had found the vulnerability, locked it down, disabled the bad code within the site, and cleaned up the infected files.  Since several search engines had detected that my site was infected, they had started putting up a warning before letting people go there.  Sucuri let them know they should re-check and remove the warning. Not only that, but the cost of having them fix it also included a year’s worth of monitoring.  So they check my site regularly to see if anything is amiss and let me know before it gets out of hand.  There was a minor breach some time later which remained minor because of the early warning. Finally, once it was cleaned up, they also included tips on “hardening” my site against future attacks.  It was a checklist of things to do, each making it just a bit more difficult for a problem to occur again in the future. And if you’re just curious how your site is doing right now, you can always use their free SiteCheck page to see if they can find any malware, blacklisting by web safety sites, code injections (the thing that got me!), and defacements.

Summing Up (or TL;DR)

Part of your online security plan is monitoring.  You should monitor your software platforms to make sure the software itself, as well as any plugins or themes you use, are up to date.  You should monitor the frequency of your backups.  And you should monitor and fix any breaches that do occur as quickly as possible to minimize damage to your reputation, your company, and your customers.   (And if you use my affiliate link to sign up for Sucuri Security to do that last item, thank you!) Image source:  No known copyright restrictions.  Modified by Michael J. Coffey. 

Posted by Michael J. Coffey  |  0 Comment  |  in Tools & Terms

Online Security Primer for Your Business: Password Safety (part 2 of 3)

Photograph of Workers Dusting Veteran's Administration Records, 06/26/1936

Gotta keep all those passwords dust free!

In part 1 of this series, I went over the importance of doing an audit of your data access—who can get in to see your stuff?  One of the recommendations to increase your online security was to force-change the passwords of anyone who shouldn’t have access any more (if not delete their accounts entirely).  But that raises questions about passwords that I hope to answer in this post.

Be Smart With Your Passwords

There are a couple of basic ideas that can really improve your password security.  The first is that you should change your passwords regularly.  That way even if you don’t take any of the precautions from part 1 of this series, the next time you change your password, anyone that had the old one automatically doesn’t have access any more.  And don’t just increase the number at the end by one.  Everyone does that, and everyone else knows it.  So if they find that your password used to be “SnowWhite7” the first thing any hacker or disgruntled ex-employee is going to try is “SnowWhite8” and “SnowWhite9” because they know everyone pulls that trick when they’re forced to change a password (even I used to do this!).  Change it to something completely new (more on this in a minute).

Next, while it’s useful to have a capital letter and a symbol and so forth, what’s even better (in general) is a longer password.  So even though “SnowWhite7” has uppercase, lowercase, and a number, it may not be as secure as snowwhiteandthesevendwarvesismyfavoritestory simply because if a hacker is using a computer program to try and break into accounts, they’re more likely to randomly come across the right combination on a short password—because most people’s passwords are pretty short.  It’s kind of like the idea of outrunning a lion (or zombies, or whatever’s chasing you): you only have to be faster than the slowest person.  With passwords, it’s length, not speed.

That said, it wouldn’t hurt to mix it up with capitals and symbols, too: SnowWhite&the7Dwarves=myfavor8story, for example.  Still long, but with a larger character set in use.

Finally, it’s great to have a different password for different sites.

And to have each of them be long and complicated.

And to come up with a new one for every site every time you change employees, contractors, and sometimes just for the fun of it.

This is where I think I hear heads exploding.  “I’ll never be able to remember them!” and “I have a hard enough time remembering which site uses which password already and I only have 3 passwords that I use, total!” and “I’m going to have to get a second page to write all my passwords down next to my computer…”

Don’t fret.  It’s actually not that hard with a tool I’ll mention in just a second.

First, though, I want to underline why it’s important to have different passwords on different sites: human psychology.  One way that people get into your accounts is by tricking you through either psychological or technical means to reveal your password on some account that’s really not that important, or that you use so often that you don’t think of it as being important to your digital security (for example, your email password).  But they know that most people aren’t that creative and probably use that same password elsewhere.  So they start trying that password particularly if they also have your email to either log directly into other accounts or to start going through those “lost your password?” links to get into something more important like your bank account.  They might call customer service and pretend to be you to get your login information changed to something they can use.

So let’s make it easy to take care of all of these things at once!

Use a Password Tool Like LastPass

There are a number of tools out there that will help you remember your passwords. However few are as well regarded as LastPass.  It is a good choice for a number of reasons:

1) The folks at LastPass never actually get your information.  It is “scrambled” and “unscrambled” on your computer when you log into LastPass.  They can only ever see the scrambled file, not your data.  Even if they had a disreputable employee or a security breach, your passwords are safe.

2) It can be set to auto-logout, so if you are away from your computer for too long, or shut down your browser, you’re automatically logged out.  That means once you’ve got it set up that way, even if your own laptop is stolen, the thief still won’t be able to log into your accounts.

3) It generates and memorizes those crazy passwords that are more secure.  It’s as easy as selecting “Generate Secure Password” from the menu.  For example, I did that just now and it gave me the following password and asked if I wanted to save it for use on my current site:  5oHX3YxwbMAbwf%CR72NhBk^&9f  Now that’s a password you would never remember, but neither would a hacker be likely to guess it.

It’s very easy then, using LastPass (or a similar tool if you find one that has these same capabilities and security features) to have a different password for every site.  It’s almost effortless to change the passwords often.  They can be long and practically random and use a wide mix of characters.  And best of all, you don’t have to remember anything except your login and password for LastPass and it takes care of the rest.

Caveat:  They don’t have access to your information.  That’s secure.  But it also means that if you forget your LastPass password, they can’t retrieve it or change it for you.  So although you only have to remember one password, you have to remember it.  They do let you create a hint for yourself, though, just in case.  

Do It All Yourself—If You Must

If you don’t like the idea of using LastPass for whatever reason, the previous goals are still what you’re aiming for.  Change your password frequently.  Use different passwords on different sites. Use long and complicated passwords with a variety of different characters.  A couple of do-it-yourself resources you might find useful include this guide to creating a strong password and this set of links on how to keep your Google account safe (assuming you’ve got some Google account somewhere—Google Plus, YouTube, Gmail, Picasa, or Chrome, for example).

But do check out LastPass…it’s made my life much easier and more secure.

Image source:

Posted by Michael J. Coffey  |  1 Comment  |  in Tools & Terms

Online Security Primer for Your Business: Limit Access (part 1 of 3)


Lots of business owners avoid making the jump to online tools for marketing or selling because of security fears. Usually, however, the fears are misplaced. Yes, there are dangers and things you need to look out for, but the real dangers aren’t what people often think they are. I don’t know how many times during social media classes I had someone express concern about their personal information going public and being spread around the internet. Yes, that can happen–but I would usually point out that they have the option of not posting anything that they thought was too personal for the internet. And that getting stuff spread around the internet is precisely what marketing online is supposed to do.

On the flip side, many who are new to the digital world, or even those who just wouldn’t call themselves “tech savvy,” are not concerned about things that they really should be. Perhaps “concerned” is a little strong. But there are some basic things you can do to avoid making the stupid mistakes or fall prey to the opportunists out there in the less polite part of the internet. For example, the top two most common passwords on the internet right now are “123456” and “password” and hackers know that–heck, Slate published the 25 most common earlier this year. That’s why I’ve put together this three-part series on the basics of online security.

Part 1 will describe internal practices and follow-up that every company who spends any time online should pay attention to. Part 2 will cover passwords, and I’ll share a tool that will make doing it right really easy. Part 3 will close with some recommendations about avoiding data breaches and what to do if you get hacked (with the story of my own experience of being hacked) and how I got it cleaned up in about a day…well, one day after I stopped doing the wrong thing and made a key change. So, on with part 1!

Know Who Has Access to Your Accounts

I recently sent an email to a group I have worked with in the past, but am not currently doing any work for. I’d noticed that I was still an admin on a couple of their pages, which got me wondering about what else I still had access to.  I checked other accounts I had with them when we worked together and I could still get in to every one of them.  So in this email I let them know that they should remove me (and anyone else they’d given access to but no longer worked with) in case I go ballistic and decide to do whatever the digital equivalent of sweeping everything off the desk in a fit of rage would be.

While I’m not a danger to them, you never know when someone is either disgruntled or is less than perfectly honest.  It’s best not to let outside people have access to your site, your social media pages, your traffic data, or your sales records.

What should you do, then?  I’ve got two action items for you.  There’s the cleanup of whatever mess you might have now, and there’s the system you’ll put in place so that a similar mess doesn’t get made in the future.

Cleanup Steps:  Do an access audit.  First, go through all of your accounts with an online login and just list them.  Some ideas:

  • Accounting records
  • Ecommerce/web store
  • Social media accounts (Google+, Facebook, Twitter, Instagram, LinkedIn, etc.)
  • Email marketing (Mail Chimp, Constant Contact, etc.)
  • Bank account
  • State and local business- and tax-reporting agencies (here in Washington, that might include the Secretary of State, Department of Revenue, Labor and Industries, Department of Licensing, Employment Security Department, etc.)
  • Web host and/or domain name registrar (for some people these are the same company and for others they’re two different companies)
  • Cloud storage accounts (Google Drive, DropBox, etc.)
  • Internal systems or programs (For example, can your sales people log in from their smart phone to check client details in your customer database?)

Next, for each site you listed, note of all the people that might have gotten access at some time.  Think of interns, consultants, former employees, former business partners, and even friends that helped you out that one time.  Many programs and sites allow the admin / owner / master / poweruser account to see a master list of all possible users, which might make some of these easy to assess.

Finally, for each access point, make sure that only the proper people can have access.  Old usernames and other login information should be either deleted or at least have their passwords changed to something the old employee or whoever won’t know or guess.

Proactive Steps: Now that you’ve locked out anyone who should no longer have access, develop a sensible policy to track when someone is given access.  This will allow you to easily revoke access when they shouldn’t have it any more.  And have a way of triggering that review at an appropriate time—like scheduling an “update access” task for the day after someone’s last day when they give notice, or the week the contractor’s work is supposed to be done or the internship ends.

At the very least, put a little recurring task on your calendar to remind you stop, ask yourself the question “has anyone’s access status changed in the last 30 days?”, and take the appropriate action if the answer is “yes”.  It’s not an ironclad plan, but even this could save you a heap of hurt and only takes a few moments each month.

This, of course, leads us to the teaser for the next part, which will be all about passwords!  Don’t be like #17 on Slate’s list with “monkey” as your password.  Or 111111.  Bad.  Instead, read the next article and be a password whiz!

Image source: 

Posted by Michael J. Coffey  |  2 Comments  |  in Tools & Terms

Digital Strategy is the New SEO

Chess as Strategy Practice
When I tell people I’ve gone into business for myself, they ask “Oh? What do you do?” I tell them I’m a digital strategist and then something happens to their face. It goes through this rapid cycle of reactions that seem to range from “That’s sounds smart and complicated and technological” (i.e., confused) to “That sounds like jargon and doesn’t give me the slightest idea of what he does” (or, a different flavor of confused). So here we go: an inglorious look behind the scenes of what a digital strategist does.

A General Description

The shorter and general idea is this: I help small business owners (typically new small business owners) figure out and articulate their business goals, how progress toward those goals might be measured, and then come up with a strategy for them to use to achieve those goals.

There are actually a lot of skills, behaviors, mental patterns, and more that go into this, but it’s all about getting a business owner from feeling unsure, confused, anxious, lost, and befuddled to having narrowed down the possibilities so that at any given time there are just a small handful of things that might be “next.”  This leaves you (I’m assuming you’re a business owner or a potential entrepreneur) feeling clear, effective, and ready to act.

What Falls Under the ‘Digital Strategy’ Heading?

In a way, a digital strategist is many things and one thing.  The ‘one thing’ is a strategist.  This is how my top “signature theme” on was described in Now, Discover Your Strengths by Marcus Buckingham & Donald Clifton:

The Strategic theme enables you to sort through the clutter and find the best route. It is not a skill that can be taught. It is a distinct way of thinking, a special perspective on the world at large. This perspective allows you to see patterns where others simply see complexity. Mindful of these patterns, you play out alternative scenarios, always asking, “What if this happened? Okay, well what if this happened?”  This recurring question helps you see around the next corner.  There you can evaluate accurately the potential obstacles.  Guided by where you see each path leading, you start to make selections.  You discard the paths that lead nowhere. You discard the paths that lead straight into resistance.  You discard the paths that lead into a fog of confusion.  You cull and make selections until you arrive at the chosen path—your strategy.  Armed with your strategy, you strike forward. This is your Strategic theme at work. “What if?”  Select.  Strike.

The ‘many things’ part of being a digital strategist is all of the possible paths.  Your business is going to be different than mine, which are both going to be different than the shop on the next corner.   If my specialty, then, is lending the “special perspective on the world” part of my brain to you, the rest of the role is a generalist.  I need to know enough things about enough ways to know what’s going to work best for you.

For example, depending on your needs and skills and business goals, I might draw on any of the following areas in order to put together the right strategy for you:

Email Marketing:  Helping you set up ways to build your mailing list.  Once you’ve got a decent sized list, it might be figuring out how to best use it to do what you want—building relationships with your customers, building loyalty, increasing repeat purchases, or moving list members to make their first purchase.  Whatever it is that’s right for where you are.

Social Media Marketing:  So, do you have a Google+ business marketing plan?  Should you be on Instagram?  Having mentioned on Facebook that you’re in business doesn’t constitute a strategy.  I can teach you how to use the tools to your best advantage once we’ve figured out which ones you can safely ignore.

Search Engine Optimization / Search Engine Marketing (SEO/SEM):  A huge amount of traffic is directed by Google and Bing.  Gone are the days of just stuffing a page full of keywords.  We can work together to serve your audience first, but without getting in the way of the needs of the search engines; in fact, many things you can do on your website help both!

Content Marketing:  Are you good with words?  Good with graphics or photography?  Good with video?  Perhaps you can bring those skills forward and market with “content” (the online marketer’s term for “stuff people share and link to on the internet”).  There are an unbelievable number of tools to help you show off your expertise, particularly if you are comfortable creating content…or willing to learn!  You can, quite literally, become a publisher or produce a TV-style show from the comfort of your laptop.

Advertising:  “Do people really click those ads?”  Yes, they do.  And if that’s the right way to go for you, I can help you figure out how to write the ads, figure out where to buy ad space, track the results, and experiment to increase your return on investment (ROI).  The techniques prior to this one can all be largely done for little to no cost, but this one can cost you—particularly if you go about it the wrong way.

Referral Marketing and Lead Generation:  Ardea Coaching actually started as a life-coaching service, and it was almost entirely built on referrals.  (Thanks, Jeff!)  Some industries have ethics rules that govern how they advertise or market.  Others just recognize that having a bunch of leads and others referring good business to you is a really useful thing to have.

Website/Conversion Optimization and Analytics:  Oh, the things you can learn from the people who visit your website!  This is, in many respects, the purest science of marketing.  You’re actually finding the things that are mathematically better for your business.  You may really like that picture on that page, but our A/B test shows that the picture you don’t care for as much is 18.3% more likely to result in a sale.  Now you can choose what you want to do from a more informed position.

(One organization I worked with found a surprising amount of its traffic came from a neighboring city’s government website, and that website traffic in general accounted for the majority of their new clients.  I recommended that they explore collaborating with city, and doing events there more frequently.  Clearly, the data showed there was interest there!)

Summary (or TL;DR)

I don’t really like throwing around jargon.  If you’re unfamiliar with it, “TL;DR” stands for “Too Long; Didn’t Read” and is sometimes used as the short summary and takeaways of a longer article.

A digital strategist, or digital marketing strategist, is a professional who utilizes strategic thinking to narrow client options down to the most useful approaches that are right for achieving their business goals.  It draws on multiple disciplines of online marketing, business development, coaching, skills assessment, psychology, and education.  And done right, will make you more money.

Interested in exploring the possibilities or in getting started right away?  Contact me to get your business a digital strategy!  Or have comments or question?  Please leave them in the comments below!

Posted by Michael J. Coffey  |  0 Comment  |  in Tools & Terms

Small Business Owner or Entrepreneur?

A confrontation between two men

I’ve been in quite a few discussions about definitions of the term “entrepreneur” in particular, and how it relates to the term “small business owner.”  Of course there is a constellation of other related terms that get thrown about in these discussions, like “solopreneur” and “micropreneur” and so forth.  But those first two are the main ones that get discussed.  And here’s what I’ve found.

Some people differentiate (often with very strong and clear opinions and definitions), and others couldn’t be bothered.

I’m in the latter camp…which is strange because I usually have pretty strong opinions when it comes to linguistic things.  (Ask me about the Oxford comma, for example, or why you should put two spaces after a period.)  But I am aware that there are those out there who do see “entrepreneur” and “small business owner,” which I’ll call E and SBO from here on out, as two clearly and distinctly different things. Now, since it’s important to understand how people are using words if you’re going to understand them, so here’s how most of the people who care seem to break it down.

E represents the sexier, daring, and glitzy risk-taker side of things.  An E is someone who gets a business idea, develops it, plans it (sometimes), and launches it.  This is the key bit of the definition.  Notice there’s nothing there about running the business.  To those who differentiate, an E is a creator of something new, like a poet or an inventor.

A SBO, on the other hand, doesn’t necessarily need to have created anything new at all.  A person who buys a car-repair franchise shop can be a SBO but not an E.  A SBO is someone who is a maintainer not an inventor; a person who sells a product or service for money, not the engine of innovation and economic development.

Now, you may note that I’ve worked in a bit of judgement into those paragraphs about which of the two it’s better to be.  This is on purpose.  I’ve found that those who make the distinction seem to clearly prefer E, and see it as a superior role than SBO.

But that’s not my take.

I see these two things as intertwined.  That’s why image I used for this post comes from a poster for Dr. Jekyll and Mr. Hyde—they’re different and yet the same. Sure, one person may come up with the idea and someone else carries it out.  But that’s simply because those tasks require different skills.  As Michael Gerber describes it in The E-Myth Revisited, there are three skills needed to start and run a business: the Technician (the person who can do the service or make the product), the Manager (the person who can keep the ship running efficiently), and the Entrepreneur (who maintains shared vision and makes long term strategy decisions).  He says the ideal business person has all three in roughly equal proportion.  But that’s pretty rare—often times people are predominantly one.

The point, however, is that these are skills, and they’re skills that are needed.  Which is why I use the terms E and SBO more or less interchangeably.  Because I define them both as “someone who has some responsibility for and vested interest in the success of a business.”  I don’t get too precious about which contribution is more or less important.  Frankly, a mediocre idea with great execution can sometimes be more successful than a great idea with mediocre execution (think Chia Pets, for example).

What is important, though, is the success, and that depends on doing everything at least well enough.

What are your thoughts?  Do you differentiate?  Do you define things differently than I have here?  Let me know in the comments.  Thanks!

Posted by Michael J. Coffey  |  0 Comment  |  in Tools & Terms
  • Stay Connected