Tools & Terms

“In 2003, one year before Facebook was founded, a website called Facemash began nonconsensually scraping pictures of students at Harvard from the school’s intranet and asking users to rate their hotness. Obviously, it caused an outcry. The website’s developer quickly proffered an apology. ‘I hope you understand, this is not how I meant for things to go, and I apologize for any harm done as a result of my neglect to consider how quickly the site would spread and its consequences thereafter,’ wrote a young Mark Zuckerberg. ‘I definitely see how my intentions could be seen in the wrong light.'”  From Why Zuckerberg’s 14-Year Apology Tour Hasn’t Fixed Facebook by Zeynep Tufekci, Wired.

“It’s clear now that we didn’t do enough to prevent these tools for being used for harm as well.  And that goes for fake news, foreign interference in elections, and hate speech, as well as developers and data privacy.  We didn’t take a broad enough view of our responsibility, and that was a big mistake. And it was my mistake.  And I’m sorry.”  –Mark Zuckerberg’s opening remarks during his Senate testimony, 10 April, 2018.

“Nothing wrong with apologizing, but saying I’m sorry does nothing when you continue to make the same mistakes.”  –Unknown

What is one to do with Facebook in light of all the problems that have been coming out about it?  Really, for those of us who have been really keeping close tabs on Facebook, the Cambridge Analytica news is merely the biggest bit of news, not something that seems surprising.  I remember a presentation by a representative of the FTC that I went to four or five years ago where he said they had repeatedly investigating Facebook for breaching their own privacy policies.  Remember, this latest news wasn’t a data breach in the sense that someone broke through Facebook’s security protocols to steal data. Cambridge Analytica and their associates used Facebook-provided tools to collect the data with Facebook’s blessing. The “breach” part is that they then used the data in a way that Facebook hadn’t sanctioned. But the collection of your personal data, and that of your friends, was expressly what Facebook’s tools were for.

What can you do?  Well, the easy answer is stop using Facebook.  Download what information you can and then delete your account.  Of course, they make it seem easy to do, but be careful for so-called “reactivation traps” that cancel out your request to delete your account for weeks afterward.  (If helping clients use Facebook wasn’t part of my consulting work, I’d have deleted my account nearly a decade ago.)

Let’s say, however, you’re addicted and can’t live without your regular Facebook fix; you just don’t want your private messages shared with foreign political operatives.  That’s fair, if that’s where you are.

First, some assumptions.  Since there is a dynamic tension between security and convenience, and between privacy and both social sharing and marketing, I’m assuming that you are a typical casual Facebook user who wants your personal data to be more secure than you are now…but without much extra effort.  I’m assuming you want to be free to connect with friends and family, or to market your small business (in other words, not totally locked down in a high-security bunker)…but not being an easy mark for data thieves.  Like that joke of the hikers and the bear, you don’t have to be faster than the bear, you just have to be faster than at least one other hiker.  Security level:  at least I’m not last.

Also, I’ll also not talk about general security, like what makes a strong password or using a different password on different sites.  That stuff is out there already, or in other articles in this blog.

Pay Attention to These Issues on Facebook First

The very first thing you should think about is what you’re posting.  Remember that the defaults on Facebook are almost always for everything to be “public.”  In other words, your first line of defense is that old saying of only doing on Facebook what you’d be comfortable having published in the newspaper.  Think broadly, too.  With just a few points of data, it’s really easy using “big data” techniques to discover the identities and details about supposedly anonymous users.  For example, if you are doing check-ins on Facebook from your home, you are advertising your home address to everyone with an internet connection.  If you then check in from your beach-front hotel in Hawaii, you’re also publishing that you’re not currently at home.  That’s an invitation for a break-in with only two data points.

A related issue is how you use Facebook.  To be extra careful, just skip playing any of the games or taking any of the quizzes that tell you what Game of Thrones character you are, or who your celebrity boyfriend is, or what your IQ or personality is.  It was that kind of app that opened the door for Cambridge Analytica.  Similarly, when you go to other sites that give you the option of making a new account or signing in with Facebook, make the new account.  Using that “Sign in with Facebook” button is easy, but also potentially opens the door to data snooping.  Okay, enough of the general stuff.  To the specifics!

It’s time to log into Facebook and click the little triangle in the upper-right corner to open the menu.  Select “Settings.”  This is the area where there are tons of things to adjust.  From here on out, I’ll refer to the sidebar on the left as the “settings menu.”  Weirdly, you want to skip the “Security and Login” option for now and jump straight to “Apps and Websites.”

What to Look For in ‘Apps and Websites’

On this page, there are three tabs: Active, Expired, and Removed.  Look at the list on the Active tab.  These are apps/websites that currently have access to some or all of your data.  It may be that they only can see your basic identity.  They might provide some kind of function that you want.  For example, I have the YouTube “app” on my account.  This allows me to automatically post a link to new YouTube videos I upload to my YouTube account.  I want the ability to to do that, so I want to keep that app.  But if you see anything that you no longer need, or don’t recognize, click the little check box next to the app, then hit the “Remove” button.

Next, the other tabs: Expired and Removed.  These are apps you gave permissions to at some point in the past and then they either expired, or were removed (including apps removed in the previous step).  Note that when you “remove” an app it doesn’t go away, it just goes into another category.  Since these have been authorized by you in the past, the pages/organizations/people represented probably collected some information about you.  Removing the app on Facebook doesn’t mean these organizations will delete the information they have on you.  You’ll have to contact them directly and ask that they delete what they’ve got.  They may or may not do so, but that’s part of the “fun.”  There will no doubt be tearful conversations about privacy policies and data retention schedules.  It’ll be great.  Do you have to do this?  No…but like going to the dentist and having an annual physical, it’s generally better if you do.

Oh, and if there’s one or two that seem particularly egregious, tell your friends to contact them as well, since you may have put all of their data at risk.  That’s how the 270,000 people who used Cambridge Analytica’s app opened up 87 million people’s data to them: the average Facebook user has about 330 friends (though the median number is closer to 200).

What to Look for in ‘Ads’

Back to the settings menu to click on the next item:  Ads.  The settings menu will disappear and you’re now in the world of what Facebook uses to sell your attention to advertisers.  There’s some interesting stuff here, like under “Your Information” there’s a “Your Categories” tab, where you can see what categories Facebook thinks you fall into.  It says I’m a fan of soccer.  I’m not.  I’m not even sure what Seattle’s team is called.  Heck, the only soccer rules I know are that you aren’t supposed to use your hands and… no, that’s all I know about soccer.

Anyway, the important place to look is “Ad Settings” (at the time of writing, it’s got a little blue circle with a white gear in it).  Turn off everything in this section.  “Ads based on your use of websites and apps” is where that annoying thing is where you visit a website once and then Facebook is showing you underwear ads for the next three months or whatever.  It’s your permission for tracking to follow you from websites you visit back to ads on Facebook.

“Ads on apps and websites off of the Facebook Companies” is the reverse permission.  This allows other, non-Facebook companies to use what Facebook knows about you to show ads on their own websites.  So since Facebook happens to think I’m a soccer fan, I might see ads featuring soccer balls and shoes with cleats if I were to go to a sporting goods website.  Turn this one to “No,” too.

Finally, the last option in this section is “Ads with your social actions.”  This is Facebook using your name entice your friends to buy things.  Change this option to “No one.”

Unrelated to privacy per se, you can also look at “Hide Ad Topics” which is where they put the most frequent “distressing” ad topics that you can turn off:  alcohol, parenting, and pets.

Extra Steps For the Extra Mile

In the settings menu, there’s one other section to look at:  “Privacy.”  Yeah, all this so far and we haven’t even looked at the privacy settings yet.  But this is where you’re going to have to do some thinking about how you want to interact with people.  The previous stuff was basically about how advertisers and Facebook interacted with you.  This stuff impacts you connecting with others.

The “Who can see your future posts” sets the default visibility for stuff you post from here on out.  It’s probably set to “Public” which means anyone, whether they’re friends or multinational corporations or spies from Russia and China, can see it.  That might be good, if you’re reasonably careful about what you post, or it might not be.  This can be changed to “Friends” (only people you’ve friended can see it), or several other options.

“Review all your posts and things you’re tagged in” is where you can see the stuff where people have mentioned you and remove the link to your profile if it doesn’t seem appropriate or you don’t want other people’s friends to have an easy link to you.  For me, most of my tagged posts are from the school where I teach, or my own marketing, so after reviewing my list I left everything as-is.  You may choose otherwise.

The “Limit the audience for posts you’ve shared with friends of friends or Public?” option is like the future-posts choice above, only for previous posts.  You can un-public them; of course, if someone has already harvested that data, there’s nothing you can do.  But you can prevent future scraping of the data from your past posts.

A final couple of options to look more closely at are “Who can look you up using the email address you provided?” and “Who can look you up using the phone number you provided?”  On the one hand, having these turned on makes it easier for your old classmates and dowager aunts to find you.    But it also means if you’ve given your email to that one sketchy company to get the free download of that song or ebook or whatever, that company can find everything on your profile and maybe your posts, and friends list, and so on.  In other words, this is where you have to balance your desire to be available to others with your desire to be secure.

Good Advice, But Doesn’t Really Protect Your Data

Finally, there are a bunch of things fall into a category of good tips for security, but also have little impact on how secure your personal data is.  Why?  One big reason is that hacking an account isn’t really a thing that happens that much.  So is it good to have a strong password?  Yes.  Should you spend a ton of time making the strongest password?  Well, no, probably not.  You’re more likely to be tricked into giving away your password, or giving access to someone you don’t really want to be giving access to, rather than someone actually doing “hacking” in the sense of digital breaking-and-entering.  In other words, do these things–just do them because they’re good sense, not because they’d have prevented the Cambridge Analytica problem.

Security and Login

This is why I had you skip the “Security and Login” section of the settings menu.  The things in that section help you prevent being hacked, but don’t do that much when it comes to sharing of your personal data.  However, a brief list of things to look at if you want to pay attention here:

• “Choose friends to contact if you get locked out”:  Set this up.  Pick a couple of trusted friends.  If you get locked out of your account because of, say, a hacking attempt, these are the folks that will be given a code they can give to you (in essence, verifying your identity) so that you can get back in.
• “Where you’re logged in”:  Visit this every so often and see if there are any weird locations or devices listed.  Be aware that the location they show is really the location of the company that provides your internet connection, so it might not be your specific town, but should be pretty nearby.  If it’s in another state (or worse, country), that could be a problem.  Any suspicious places you can click the three dots on the right and either choose “Not you?” if you’re sure it’s not you, or just “Log out” — like when it still thinks you’re logged in at your in-laws’ house from the last long weekend.
• “Setting Up Extra Security”:  These are all a little more technical, but a good idea.  Two-factor authentication means that when you log in from a new location/device, it’ll give you a second way to verify that it’s you.  The easiest is with the Text message (SMS) option.  When you log in, you’ll get a text to your cell phone with a code you have to type in.  That way the bad guys have to have your password AND your phone to successfully get in.  Likewise, the “Get alerts about unrecognized logins” lets you know when Facebook thinks something fishy is going on.

Some Final Words of Warning

Great.  You’ve gone through all this, tightened up your security settings, warned your friends about apps that might have stolen their data, and had a deep think about how (if?) you want to use Facebook in the future.  Ta da!  You’re done!

Not so fast.  Facebook has said they are working on a new, better, more centralized way of tweaking your privacy settings.  It’s supposed to debut in a few weeks.  Unfortunately, if the past settings updates are any indication, you’ll likely be opted into the most open settings when the transition happens.  That means from the point they make the switch on your account (likely without notifying you) until you notice and have a chance to go in and modify all your settings again, the door to your data will be open for a little harvesting.

It’s a good idea to go back every so often and checking all of your settings in all of the categories to see if there’s something new that’s set to something you don’t want.  It happens all the freaking time with Facebook.

P.S. — To see if your data was grabbed by Cambridge Analytica, whether directly or because of a Facebook “friend”, read Wired’s article on how to check.

P.P.S. — If you find any of this confusing or overwhelming, send me a message and I’d be happy to have a conversation with you about it.  Helping people with their online presence is what I do.

Alright!  Part 1 of this online security series talked about the importance of limiting who has access to your data.  Part 2 covered what made a good password and policies about changing them, including a tool to make that easier.  Here, this series of tips to make your data safer concludes with one more simple thing you can do in case the worst happens.

I was hacked!

Even if you have a good policy about security, bad stuff can still happen to you.  Think of the security breaches you’ve heard of in the news.  You know those companies had better systems than you, right?  Well, same here.  It shouldn’t come as any surprise then (particularly given the header of this section) that the hackers found a vulnerability and hacked my site. Now, before I go on, I should say that it wasn’t this site, and the hack wasn’t so bad.  What happened was they inserted some code into an ecommerce site that sent visitors to a different site that sold knock-off drugs of the type you might see in spam emails.  It was dreadfully unprofessional, but the bad guys didn’t get credit card information or anything like that.  And they got in because of a weakness in the web store software that was being used, so no matter how good my password and personnel policies were, it could have happened at any time. My story brings me to the first recommendation for this article:

Recommendation 1: Update!  Update!  Update!

If you use some kind of software to run your online stuff (which you probably do), you will need to update it.  This might be Drupal for your website, or WordPress for your blog, or Zen Cart for your online store.  There are hundreds of different packages out there.  And for each there are widgets and plugins that add useful functions.  Any and all of these may have security vulnerabilities that are discovered over time.  When good developers discover these problems, they update their software to close that weakness. That does you no good, though, unless you keep your own installation updated to the most recent version. On a regular basis, then, you should log in everywhere and see if there are updates.  Most sites have a menu option somewhere to check for updates.  Many even check for you and have a notification system when they find a newer version.  Explore the software you’re using, figure out what to look for or what to do to check for newer version, and then do that often.  Like once a week.  You might be able to get away with checking only once a month or once a quarter, but if you’re vulnerable, you’d like to lock that down sooner rather than later, right?

The Story Continues…

There I was, looking at disbelief at the website.  Clearly something was wrong in a very bad way.  I didn’t know what had happened, or how, or how bad it was.  But I did know one thing: it had to be fixed.  Now. I started digging around.  In the code.  I’m not a web developer.  I can generally figure out what a bit of HTML or PHP is doing, but I’m no expert.  It’s about the same level as I am with Chinese: I can have a simple, limited conversation but don’t ask me to read a book because I’d have to look up every word.  I can work my way through the code but it’s not fast and it’s not pretty. The store software was made up of perhaps hundreds of different small files, each working together and contributing a bit of functionality to the whole.  And I found (in multiple files, but not most of them) code that looked like nothing I’d seen before.  My book in Chinese suddenly had Arabic passages in it that hadn’t been there before. Luckily, I had backed up the site not too long ago, so when I found a file with the weird code in it, I replaced it with the backup.  Unfortunately, as I went back to check, I found that the restored files were being re-infected faster than I could correct them.  I was losing the battle against some kind of obviously automated attack.  I was out of my depth.

Recommendation 2:  Backup!  Backup!  Backup!

I know you’ve probably heard this before, but make a backup.  Your web host’s help files should be able to tell you how to make a backup of your site.  Do this as often as you think you need to based on what your site does.  If you’re making transactions multiple times a day, with frequent new customers, you will want to back up more frequently.  If your website is little more than a digital business card or portfolio (meaning the information doesn’t change that often) a less frequent schedule will probably work. Something else to look out for: backup both the files and the databases used.  Many sites use both, so be sure you’re getting everything and not just one or the other.

Recommendation #3:  Consider Hiring a Monitoring Service

The conclusion of my story is wrapped up in this recommendation.  After several days of fighting an uphill battle against technologically superior forces, I was just about ready to shut my site down completely.  Just at that time, I got a referral from a friend and signed up at Sucuri Security (my affiliate link) for site cleaning and monitoring.  To this day, it was the best $90 I’ve ever spent for something related to a website. When I signed up, I gave them access to my site.  Within 24 hours, they had found the vulnerability, locked it down, disabled the bad code within the site, and cleaned up the infected files.  Since several search engines had detected that my site was infected, they had started putting up a warning before letting people go there.  Sucuri let them know they should re-check and remove the warning. Not only that, but the cost of having them fix it also included a year’s worth of monitoring.  So they check my site regularly to see if anything is amiss and let me know before it gets out of hand.  There was a minor breach some time later which remained minor because of the early warning. Finally, once it was cleaned up, they also included tips on “hardening” my site against future attacks.  It was a checklist of things to do, each making it just a bit more difficult for a problem to occur again in the future. And if you’re just curious how your site is doing right now, you can always use their free SiteCheck page to see if they can find any malware, blacklisting by web safety sites, code injections (the thing that got me!), and defacements.

Summing Up (or TL;DR)

Part of your online security plan is monitoring.  You should monitor your software platforms to make sure the software itself, as well as any plugins or themes you use, are up to date.  You should monitor the frequency of your backups.  And you should monitor and fix any breaches that do occur as quickly as possible to minimize damage to your reputation, your company, and your customers.   (And if you use my affiliate link to sign up for Sucuri Security to do that last item, thank you!) Image source: https://www.flickr.com/photos/smu_cul_digitalcollections/12776595634/  No known copyright restrictions.  Modified by Michael J. Coffey. 

Gotta keep all those passwords dust free!

In part 1 of this series, I went over the importance of doing an audit of your data access—who can get in to see your stuff?  One of the recommendations to increase your online security was to force-change the passwords of anyone who shouldn’t have access any more (if not delete their accounts entirely).  But that raises questions about passwords that I hope to answer in this post.

Be Smart With Your Passwords

There are a couple of basic ideas that can really improve your password security.  The first is that you should change your passwords regularly.  That way even if you don’t take any of the precautions from part 1 of this series, the next time you change your password, anyone that had the old one automatically doesn’t have access any more.  And don’t just increase the number at the end by one.  Everyone does that, and everyone else knows it.  So if they find that your password used to be “SnowWhite7” the first thing any hacker or disgruntled ex-employee is going to try is “SnowWhite8” and “SnowWhite9” because they know everyone pulls that trick when they’re forced to change a password (even I used to do this!).  Change it to something completely new (more on this in a minute).

Next, while it’s useful to have a capital letter and a symbol and so forth, what’s even better (in general) is a longer password.  So even though “SnowWhite7” has uppercase, lowercase, and a number, it may not be as secure as snowwhiteandthesevendwarvesismyfavoritestory simply because if a hacker is using a computer program to try and break into accounts, they’re more likely to randomly come across the right combination on a short password—because most people’s passwords are pretty short.  It’s kind of like the idea of outrunning a lion (or zombies, or whatever’s chasing you): you only have to be faster than the slowest person.  With passwords, it’s length, not speed.

That said, it wouldn’t hurt to mix it up with capitals and symbols, too: SnowWhite&the7Dwarves=myfavor8story, for example.  Still long, but with a larger character set in use.

Finally, it’s great to have a different password for different sites.

And to have each of them be long and complicated.

And to come up with a new one for every site every time you change employees, contractors, and sometimes just for the fun of it.

This is where I think I hear heads exploding.  “I’ll never be able to remember them!” and “I have a hard enough time remembering which site uses which password already and I only have 3 passwords that I use, total!” and “I’m going to have to get a second page to write all my passwords down next to my computer…”

Don’t fret.  It’s actually not that hard with a tool I’ll mention in just a second.

First, though, I want to underline why it’s important to have different passwords on different sites: human psychology.  One way that people get into your accounts is by tricking you through either psychological or technical means to reveal your password on some account that’s really not that important, or that you use so often that you don’t think of it as being important to your digital security (for example, your email password).  But they know that most people aren’t that creative and probably use that same password elsewhere.  So they start trying that password particularly if they also have your email to either log directly into other accounts or to start going through those “lost your password?” links to get into something more important like your bank account.  They might call customer service and pretend to be you to get your login information changed to something they can use.

So let’s make it easy to take care of all of these things at once!

Use a Password Tool Like LastPass

There are a number of tools out there that will help you remember your passwords. However few are as well regarded as LastPass.  It is a good choice for a number of reasons:

1) The folks at LastPass never actually get your information.  It is “scrambled” and “unscrambled” on your computer when you log into LastPass.  They can only ever see the scrambled file, not your data.  Even if they had a disreputable employee or a security breach, your passwords are safe.

2) It can be set to auto-logout, so if you are away from your computer for too long, or shut down your browser, you’re automatically logged out.  That means once you’ve got it set up that way, even if your own laptop is stolen, the thief still won’t be able to log into your accounts.

3) It generates and memorizes those crazy passwords that are more secure.  It’s as easy as selecting “Generate Secure Password” from the menu.  For example, I did that just now and it gave me the following password and asked if I wanted to save it for use on my current site:  5oHX3YxwbMAbwf%CR72NhBk^&9f  Now that’s a password you would never remember, but neither would a hacker be likely to guess it.

It’s very easy then, using LastPass (or a similar tool if you find one that has these same capabilities and security features) to have a different password for every site.  It’s almost effortless to change the passwords often.  They can be long and practically random and use a wide mix of characters.  And best of all, you don’t have to remember anything except your login and password for LastPass and it takes care of the rest.

Caveat:  They don’t have access to your information.  That’s secure.  But it also means that if you forget your LastPass password, they can’t retrieve it or change it for you.  So although you only have to remember one password, you have to remember it.  They do let you create a hint for yourself, though, just in case.  

Do It All Yourself—If You Must

If you don’t like the idea of using LastPass for whatever reason, the previous goals are still what you’re aiming for.  Change your password frequently.  Use different passwords on different sites. Use long and complicated passwords with a variety of different characters.  A couple of do-it-yourself resources you might find useful include this guide to creating a strong password and this set of links on how to keep your Google account safe (assuming you’ve got some Google account somewhere—Google Plus, YouTube, Gmail, Picasa, or Chrome, for example).

But do check out LastPass…it’s made my life much easier and more secure.

Image source: https://www.flickr.com/photos/usnationalarchives/14318685223/

Lots of business owners avoid making the jump to online tools for marketing or selling because of security fears. Usually, however, the fears are misplaced. Yes, there are dangers and things you need to look out for, but the real dangers aren’t what people often think they are. I don’t know how many times during social media classes I had someone express concern about their personal information going public and being spread around the internet. Yes, that can happen–but I would usually point out that they have the option of not posting anything that they thought was too personal for the internet. And that getting stuff spread around the internet is precisely what marketing online is supposed to do.

On the flip side, many who are new to the digital world, or even those who just wouldn’t call themselves “tech savvy,” are not concerned about things that they really should be. Perhaps “concerned” is a little strong. But there are some basic things you can do to avoid making the stupid mistakes or fall prey to the opportunists out there in the less polite part of the internet. For example, the top two most common passwords on the internet right now are “123456” and “password” and hackers know that–heck, Slate published the 25 most common earlier this year. That’s why I’ve put together this three-part series on the basics of online security.

Part 1 will describe internal practices and follow-up that every company who spends any time online should pay attention to. Part 2 will cover passwords, and I’ll share a tool that will make doing it right really easy. Part 3 will close with some recommendations about avoiding data breaches and what to do if you get hacked (with the story of my own experience of being hacked) and how I got it cleaned up in about a day…well, one day after I stopped doing the wrong thing and made a key change. So, on with part 1!

Know Who Has Access to Your Accounts

I recently sent an email to a group I have worked with in the past, but am not currently doing any work for. I’d noticed that I was still an admin on a couple of their pages, which got me wondering about what else I still had access to.  I checked other accounts I had with them when we worked together and I could still get in to every one of them.  So in this email I let them know that they should remove me (and anyone else they’d given access to but no longer worked with) in case I go ballistic and decide to do whatever the digital equivalent of sweeping everything off the desk in a fit of rage would be.

While I’m not a danger to them, you never know when someone is either disgruntled or is less than perfectly honest.  It’s best not to let outside people have access to your site, your social media pages, your traffic data, or your sales records.

What should you do, then?  I’ve got two action items for you.  There’s the cleanup of whatever mess you might have now, and there’s the system you’ll put in place so that a similar mess doesn’t get made in the future.

Cleanup Steps:  Do an access audit.  First, go through all of your accounts with an online login and just list them.  Some ideas:

• Accounting records
• Ecommerce/web store
• Social media accounts (Google+, Facebook, Twitter, Instagram, LinkedIn, etc.)
• Email marketing (Mail Chimp, Constant Contact, etc.)
• Bank account
• State and local business- and tax-reporting agencies (here in Washington, that might include the Secretary of State, Department of Revenue, Labor and Industries, Department of Licensing, Employment Security Department, etc.)
• Web host and/or domain name registrar (for some people these are the same company and for others they’re two different companies)
• Cloud storage accounts (Google Drive, DropBox, etc.)
• Internal systems or programs (For example, can your sales people log in from their smart phone to check client details in your customer database?)

Next, for each site you listed, note of all the people that might have gotten access at some time.  Think of interns, consultants, former employees, former business partners, and even friends that helped you out that one time.  Many programs and sites allow the admin / owner / master / poweruser account to see a master list of all possible users, which might make some of these easy to assess.

Finally, for each access point, make sure that only the proper people can have access.  Old usernames and other login information should be either deleted or at least have their passwords changed to something the old employee or whoever won’t know or guess.

Proactive Steps: Now that you’ve locked out anyone who should no longer have access, develop a sensible policy to track when someone is given access.  This will allow you to easily revoke access when they shouldn’t have it any more.  And have a way of triggering that review at an appropriate time—like scheduling an “update access” task for the day after someone’s last day when they give notice, or the week the contractor’s work is supposed to be done or the internship ends.

At the very least, put a little recurring task on your calendar to remind you stop, ask yourself the question “has anyone’s access status changed in the last 30 days?”, and take the appropriate action if the answer is “yes”.  It’s not an ironclad plan, but even this could save you a heap of hurt and only takes a few moments each month.

This, of course, leads us to the teaser for the next part, which will be all about passwords!  Don’t be like #17 on Slate’s list with “monkey” as your password.  Or 111111.  Bad.  Instead, read the next article and be a password whiz!

Image source: https://www.flickr.com/photos/uw_digital_images/5018161220/ 

When I tell people I’ve gone into business for myself, they ask “Oh? What do you do?” I tell them I’m a digital strategist and then something happens to their face. It goes through this rapid cycle of reactions that seem to range from “That’s sounds smart and complicated and technological” (i.e., confused) to “That sounds like jargon and doesn’t give me the slightest idea of what he does” (or, a different flavor of confused). So here we go: an inglorious look behind the scenes of what a digital strategist does.

A General Description

The shorter and general idea is this: I help small business owners (typically new small business owners) figure out and articulate their business goals, how progress toward those goals might be measured, and then come up with a strategy for them to use to achieve those goals.

There are actually a lot of skills, behaviors, mental patterns, and more that go into this, but it’s all about getting a business owner from feeling unsure, confused, anxious, lost, and befuddled to having narrowed down the possibilities so that at any given time there are just a small handful of things that might be “next.”  This leaves you (I’m assuming you’re a business owner or a potential entrepreneur) feeling clear, effective, and ready to act.

What Falls Under the ‘Digital Strategy’ Heading?

In a way, a digital strategist is many things and one thing.  The ‘one thing’ is a strategist.  This is how my top “signature theme” on was described in Now, Discover Your Strengths by Marcus Buckingham & Donald Clifton:

The Strategic theme enables you to sort through the clutter and find the best route. It is not a skill that can be taught. It is a distinct way of thinking, a special perspective on the world at large. This perspective allows you to see patterns where others simply see complexity. Mindful of these patterns, you play out alternative scenarios, always asking, “What if this happened? Okay, well what if this happened?”  This recurring question helps you see around the next corner.  There you can evaluate accurately the potential obstacles.  Guided by where you see each path leading, you start to make selections.  You discard the paths that lead nowhere. You discard the paths that lead straight into resistance.  You discard the paths that lead into a fog of confusion.  You cull and make selections until you arrive at the chosen path—your strategy.  Armed with your strategy, you strike forward. This is your Strategic theme at work. “What if?”  Select.  Strike.

The ‘many things’ part of being a digital strategist is all of the possible paths.  Your business is going to be different than mine, which are both going to be different than the shop on the next corner.   If my specialty, then, is lending the “special perspective on the world” part of my brain to you, the rest of the role is a generalist.  I need to know enough things about enough ways to know what’s going to work best for you.

For example, depending on your needs and skills and business goals, I might draw on any of the following areas in order to put together the right strategy for you:

Email Marketing:  Helping you set up ways to build your mailing list.  Once you’ve got a decent sized list, it might be figuring out how to best use it to do what you want—building relationships with your customers, building loyalty, increasing repeat purchases, or moving list members to make their first purchase.  Whatever it is that’s right for where you are.

Social Media Marketing:  So, do you have a Google+ business marketing plan?  Should you be on Instagram?  Having mentioned on Facebook that you’re in business doesn’t constitute a strategy.  I can teach you how to use the tools to your best advantage once we’ve figured out which ones you can safely ignore.

Search Engine Optimization / Search Engine Marketing (SEO/SEM):  A huge amount of traffic is directed by Google and Bing.  Gone are the days of just stuffing a page full of keywords.  We can work together to serve your audience first, but without getting in the way of the needs of the search engines; in fact, many things you can do on your website help both!

Content Marketing:  Are you good with words?  Good with graphics or photography?  Good with video?  Perhaps you can bring those skills forward and market with “content” (the online marketer’s term for “stuff people share and link to on the internet”).  There are an unbelievable number of tools to help you show off your expertise, particularly if you are comfortable creating content…or willing to learn!  You can, quite literally, become a publisher or produce a TV-style show from the comfort of your laptop.

Advertising:  “Do people really click those ads?”  Yes, they do.  And if that’s the right way to go for you, I can help you figure out how to write the ads, figure out where to buy ad space, track the results, and experiment to increase your return on investment (ROI).  The techniques prior to this one can all be largely done for little to no cost, but this one can cost you—particularly if you go about it the wrong way.

Referral Marketing and Lead Generation:  Ardea Coaching actually started as a life-coaching service, and it was almost entirely built on referrals.  (Thanks, Jeff!)  Some industries have ethics rules that govern how they advertise or market.  Others just recognize that having a bunch of leads and others referring good business to you is a really useful thing to have.

Website/Conversion Optimization and Analytics:  Oh, the things you can learn from the people who visit your website!  This is, in many respects, the purest science of marketing.  You’re actually finding the things that are mathematically better for your business.  You may really like that picture on that page, but our A/B test shows that the picture you don’t care for as much is 18.3% more likely to result in a sale.  Now you can choose what you want to do from a more informed position.

(One organization I worked with found a surprising amount of its traffic came from a neighboring city’s government website, and that website traffic in general accounted for the majority of their new clients.  I recommended that they explore collaborating with city, and doing events there more frequently.  Clearly, the data showed there was interest there!)

Summary (or TL;DR)

I don’t really like throwing around jargon.  If you’re unfamiliar with it, “TL;DR” stands for “Too Long; Didn’t Read” and is sometimes used as the short summary and takeaways of a longer article.

A digital strategist, or digital marketing strategist, is a professional who utilizes strategic thinking to narrow client options down to the most useful approaches that are right for achieving their business goals.  It draws on multiple disciplines of online marketing, business development, coaching, skills assessment, psychology, and education.  And done right, will make you more money.

Interested in exploring the possibilities or in getting started right away?  Contact me to get your business a digital strategy!  Or have comments or question?  Please leave them in the comments below!

I’ve been in quite a few discussions about definitions of the term “entrepreneur” in particular, and how it relates to the term “small business owner.”  Of course there is a constellation of other related terms that get thrown about in these discussions, like “solopreneur” and “micropreneur” and so forth.  But those first two are the main ones that get discussed.  And here’s what I’ve found.

Some people differentiate (often with very strong and clear opinions and definitions), and others couldn’t be bothered.

I’m in the latter camp…which is strange because I usually have pretty strong opinions when it comes to linguistic things.  (Ask me about the Oxford comma, for example, or why you should put two spaces after a period.)  But I am aware that there are those out there who do see “entrepreneur” and “small business owner,” which I’ll call E and SBO from here on out, as two clearly and distinctly different things. Now, since it’s important to understand how people are using words if you’re going to understand them, so here’s how most of the people who care seem to break it down.

E represents the sexier, daring, and glitzy risk-taker side of things.  An E is someone who gets a business idea, develops it, plans it (sometimes), and launches it.  This is the key bit of the definition.  Notice there’s nothing there about running the business.  To those who differentiate, an E is a creator of something new, like a poet or an inventor.

A SBO, on the other hand, doesn’t necessarily need to have created anything new at all.  A person who buys a car-repair franchise shop can be a SBO but not an E.  A SBO is someone who is a maintainer not an inventor; a person who sells a product or service for money, not the engine of innovation and economic development.

Now, you may note that I’ve worked in a bit of judgement into those paragraphs about which of the two it’s better to be.  This is on purpose.  I’ve found that those who make the distinction seem to clearly prefer E, and see it as a superior role than SBO.

But that’s not my take.

I see these two things as intertwined.  That’s why image I used for this post comes from a poster for Dr. Jekyll and Mr. Hyde—they’re different and yet the same. Sure, one person may come up with the idea and someone else carries it out.  But that’s simply because those tasks require different skills.  As Michael Gerber describes it in The E-Myth Revisited, there are three skills needed to start and run a business: the Technician (the person who can do the service or make the product), the Manager (the person who can keep the ship running efficiently), and the Entrepreneur (who maintains shared vision and makes long term strategy decisions).  He says the ideal business person has all three in roughly equal proportion.  But that’s pretty rare—often times people are predominantly one.

The point, however, is that these are skills, and they’re skills that are needed.  Which is why I use the terms E and SBO more or less interchangeably.  Because I define them both as “someone who has some responsibility for and vested interest in the success of a business.”  I don’t get too precious about which contribution is more or less important.  Frankly, a mediocre idea with great execution can sometimes be more successful than a great idea with mediocre execution (think Chia Pets, for example).

What is important, though, is the success, and that depends on doing everything at least well enough.

What are your thoughts?  Do you differentiate?  Do you define things differently than I have here?  Let me know in the comments.  Thanks!

Well, here we are in a brand-new website! It’s a little empty, so I realize I may be talking to myself for a little bit until things get up and running, but you can help (if you see this)! Here’s a link to tweet the news—just click the Twitter bird image below and it will bring up a suggested tweet that you can send:

And if you’re interested in having something like this on your site, it was made with the tool at ClickToTweet.com. I’ve added it here to see how it works.