December 28, 2009

Practicing What You Preach

Earlier this fall, I gave a short presentation on how the GraVoc News Blog had become a useful marketing tool for our organization because it helped show prospects, customers, and even competitors that GraVoc was a legitimate company with its finger on the pulse of its customers’ interests and concerns.

Shortly after the presentation the GraVoc News Blog had gone radio silent.  This is evidenced by the quantity of blog posts available in our archives for the month of November.  This illustrates that in order for the blog to continue as a useful tool, it requires constant nurturing, time, and attention.  My attention during this time shifted to other matters at hand, and the credibility of the blog suffered.

However, improvement is possible.  I wrote the last three blog posts, including this one, while snowed in earlier this month and unable to travel to work.  There was a limited amount of work I could do at the time, and I used my time effectively by going back and maintaining the blog by putting future posts into the draft section to be published later.  If I can juggle my responsibilities and maintain this space, a member of your organization can do that as well.  Roughly one hour a week is all it takes to turn your opinion or observations into a valuable marketing asset.

GraVoc Associates, Inc., a full-service technology consulting firm located in Peabody, MA, has served Greater Boston, New England, and beyond for over fifteen years in a wide variety of technology-related services, including the fields of information security, information systems, and professional services.  One of the services offered is consulting on making media such as a blog work for your business’s marketing plan by proving your firm’s expertise and by enhancing your search engine optimization.  For more information, please see http://www.GraVoc.com or http://www.divergingsoul.com.

Also, please stay tuned to this blog on Thursday for a major announcement.

December 24, 2009

Warm Holiday Wishes from GraVoc

The entire GraVoc organization would like to take this time to send the best holiday wishes to all of our customers, vendors, families, and friends. 

December 21, 2009

GraVoc On Facebook

For those who do not personally institute a “No Facebook At Work” or even a “No Facebook At All” policy, GraVoc invites you to visit the company’s new Facebook fan page.  From the page, you will soon be able to view basic information about the company, connect with fellow customers/fans/well-wishers of the business, and have current posts of the GraVoc News Blog show up on your news feed.

Despite our expansion into this form of social media, GraVoc will not spam fans’ inboxes and will make all possible efforts to avoid the use of poor grammar, nonexistent punctuation, and web-speak acronyms.  The GraVoc Associates Facebook Fan Page is available here.

GraVoc Associates, Inc, based in Peabody, MA, specializes in providing technology-based solutions to small-to-midsized businesses in the fields of information systems, professional services, and information technology.  One of the services provided includes establishing your business’s web presence.  It is celebrating over fifteen years of business serving companies in a wide range of industries in Greater Boston, New England, and beyond.  For more information regarding the company, please visit GraVoc.com.

December 17, 2009

Northeast Ice Storm Anniversary (Part 2)

Note:  This is the second installment of a reflection on last year’s ice storm that devastated northern Massachusetts, southern New Hampshire, and southern Maine.  For the first installment, please refer to this link.

While many employees of a firm see a snowy day or a loss of power, such as the one caused by the 2008 ice storm, as an unexpected and welcome day off, it is a burden on the company at large.  It means lost revenue, customers without service, and still the same expenses:  those very same employees celebrating the day off still expect to be paid their salaries.  This is why it is so important to have a plan both written and ready to launch to minimize disaster-related downtime.  Customers, like those waiting for power in New Hampshire last year, won’t “just understand” that a business they are relying on doesn’t have its act together in the face of disaster.

Just as important, if not more so, is the lesson unfortunately learned by Unitil.  The utility company suffered irreversible reputational damage as a result of its slow response to the 2008 ice storm disaster.  Unitil is now either a punch line or a swear word in those areas of New Hampshire and Massachusetts that lost power for so long last year.  The business will now have to continue to dig itself out of a hole to survive.  There is no doubt that the state of New Hampshire will be investigating Unitil’s past BCP to find out what went wrong last year, as well as its new one to determine whether there will be provisions in place to prevent a repeat of this week last year.

GraVoc Associates, Inc. is a full-service technology consulting firm located just outside of Boston in Peabody, MA.  GraVoc has served Greater Boston, New England, and beyond for over fifteen years in the fields of information systems, information security, and professional services.  GraVoc’s disaster recovery/business continuity consulting has served, among others, many clients in the highly regulated financial services industry, which provides a high standard for business continuity compliance.  For more information, please visit the GraVoc website at www.GraVoc.com.

December 14, 2009

Northeast Ice Storm Anniversary (Part 1)

It’s been a year since a historically devastating Thursday night ice storm gripped northern Massachusetts, southern New Hampshire, and southern Maine.  Though the ice eventually melted, downed trees and damaged power infrastructure robbed several thousand individuals and businesses of power—and customers of these businesses still demanded adequate and prompt service.

Just as pandemic planning may have seemed abstract, vague, and useless until enterprises needed to amend human resources policies and supply chain procedures in response to this year’s H1N1 flu outbreak, traditional business continuity/disaster recovery planning is similarly abstract until it is actually tested in a live environment.  A case in point is the now-notorious utility company Unitil, which, according to a (N.H.) Union Leader article, will be investigated by the public sector for its inability to restore power to residents for over half a month in some cases.

Your enterprise’s disaster recovery plan must be contingent on what is most crucial to your business and what services you must provide immediately to your customers.  If your business is dependent on having adequate staffing in times of disaster, the plan should include how to cope with extreme circumstances by adding and dispatching additional staff quickly so that business can be delivered.  If your business relies largely on the availability of technology, like many of our customers, the restoration of that technology in a timely fashion is a top priority.  This priority should be reflected explicitly and appropriately in your business continuity plan.  This should take into consideration leveraging current technology and outsourcing relationships, both of which are outlined in more detail in this IBM whitepaper.

GraVoc Associates, Inc. is a full-service technology consulting firm located just outside of Boston in Peabody, MA.  GraVoc has served Greater Boston, New England, and beyond for over fifteen years in the fields of information systems, information security, and professional services.  GraVoc’s disaster recovery/business continuity consulting has served, among others, many clients in the highly regulated financial services industry, which provides a high standard for business continuity compliance.  For more information, please visit the GraVoc website at www.GraVoc.com.

More information on the anniversary of the 2008 ice storm will be made available on the GraVoc News Blog, http://gravoc.blogspot.com, on Thursday December 17th.

November 6, 2009

ERP Investment: A Good Idea in a Recession?

A recent whitepaper by the folks at SAP outlined a variety of mistakes made by companies in challenging economic times.  While the whitepaper is a thinly-veiled prod to urge readers to invest in an enterprise resource planning (ERP) system such as their own, it illustrates management errors and how investing in an ERP system during a recession results in better transparency and efficiency, fostering faster growth when the economy gets back on track.

The document outlines six mistakes being made by businesses.  The first is “taking existing customers for granted.”  Existing clients who already trust and appreciate a business’s product are the lifeblood of the business, especially when everyone else is hesitant to buy anything.  Customer relationship management is crucial because staying “in tune” with customer needs is impossible without staying “in touch” with the customer.  Another mistake is “failing to capitalize on market opportunities.”  A company will miss out during times of economic growth if it does not recognize the need to introduce a new product and use tools to project the estimated revenues and costs associated with the product.

The paper identifies “allowing operational efficiencies” and “driving the wrong behavior in the organization” as two more mistakes being made that can be solved by an ERP product.  Administrative tasks can take a fraction of the time with an ERP system.  As wasted time costs companies money, time efficiency can help businesses cut costs.  Furthermore, metrics that are easily visible within the system can prompt managers to create the most effective sales incentives.

Perhaps the two most important aspects of the paper are the mistakes of “letting problems go undiagnosed and uncorrected” and “failing to offer transparency to stakeholders.”  By tracking all aspects of the company’s operations, decision-makers can find and eliminate issues and make more informed decisions in a timely manner. 

An effective ERP system can solve all of these problems.

GraVoc Associates, Inc, located near Boston in Peabody, MA, is a Microsoft Gold Certified partner with operations in the practices of information systems, professional services, and information technology.  The information systems practice, among other things, helps customers choose the correct ERP system that fits their needs and enhances their operational efficiency.  Last year, GraVoc climbed from 15th to 2nd in New England among Microsoft Business Solutions (Microsoft Dynamics) resellers.  For more information about GraVoc’s custom utilities that can work hand-in-hand with ERP systems to create more transparency within your organization, please visit gravocsoftware.com.  For more information regarding the information systems practice in general, please visit GraVoc.com.

October 28, 2009

GraVoc Showcases Health & Recovery Application at Tradeshow

On Friday, GraVoc sent three representatives to the Association for Behavioral Healthcare (formerly the Mental Health and Substance Abuse Corporations of Massachusetts) 10th Anniversary Provider Celebration.  At the ABH expo, GraVoc promoted GHR, a comprehensive bed management software designed for inpatient health and recovery service providers similar to many attendees of the event.

Like many of the GraVoc Software products, this solution was designed based on customer input regarding their needs and which key processes must be streamlined with this software.  This was GraVoc’s first time attending this event, and many representatives of health and recovery organizations from throughout Massachusetts were impressed by GHR’s functionality.  The application was designed with the goals of a quick learning curve and ease of use.

GHR handles occupancy management, admission processing, management of billing processes (including care that falls under health insurance and care that does not fall under health insurance), discharge management, client history inquiry, and reporting.  With GHR, a behavioral health facility will be able to waste less time on administrative tasks and instead spend that time caring for its patients.  More information about GHR, including screen shots of the application, is available on the GraVoc Software website.

GraVoc Associates, Inc, based in Peabody, MA, is a consulting firm specializing in information systems, professional services, and information security.  The information systems practice encompasses the development of several internally-developed GraVoc Software solutions, all of which are profiled on gravocsoftware.com.  For more information on GHR or the company, please visit GraVoc.com or call the GraVoc offices at 978-538-9055.

October 24, 2009

GraVoc Attends PACC Business Expo

GraVoc Associates, Inc. featured their information security services at the 2009 Peabody Area Chamber of Commerce Business Expo on Thursday.  Additionally, GraVoc’s Dan Vassallo delivered a presentation about blogging and how the GraVoc News Blog improved the company’s web presence, credibility, and search engine optimization.

GraVoc shared a booth at the tradeshow with marketing consultant Divergingsoul Media Production, who also impressed attendees with its variety of digital media service offerings.  Attendees were encouraged to visit the GraVoc booth by the chance to win a portable media player.  Congratulations to Colleen Derrivan of Phil Richard & Associates Insurance, who won the raffle.

At the conclusion of the event, the Chamber of Commerce presented a panel of seven members who used non-traditional techniques to market their products or services.  Dan Vassallo represented GraVoc on the “7 Experts, 7 Tips, 7 Minutes” panel, explaining how the GraVoc News Blog has heightened GraVoc’s web presence and search engine optimization.  It is now easier for businesses looking for a Boston-area, North Shore, or Peabody technology consulting firm or Microsoft Dynamics partner to find GraVoc and learn more about the services the business provides.  Dan has received comments from competitors, vendors, and customers about how the blog has made the firm appear to really be on top of relevant issues.  It also lets customers know what is new with the business. 

GraVoc Associates, Inc., based in Peabody, MA, is a seventeen-person consulting firm specializing in the areas of professional services, information systems, and information security.  For more information on GraVoc and the services the company provides, please visit GraVoc.com or check out the archives of the GraVoc News Blog.

October 20, 2009

Catch GraVoc at Upcoming Tradeshows

GraVoc Associates, Inc. will be attending the following tradeshows this week:

  • Peabody Area Chamber of Commerce Business Expo, Thursday October 22, 2-7 PM
  • MHSACM’s 10th Anniversary Provider Celebration - “Enduring Mission, United In Purpose,” Friday October 23, 8AM-2PM.

The PACC Business Expo is taking place at the Holiday Inn in Peabody, MA, and GraVoc will be sharing a booth with DivergingSoul Media Production.  At the expo, GraVoc will be sharing information mainly about its information security services, which are explained in further detail on the GraVoc website.  GraVoc is looking to help businesses who need guidance as the March 1 deadline for compliance with the Massachusetts Data Protection Law closes in.

Also at the PACC Expo, GraVoc’s Dan Vassallo will be featured in the “7 Experts, 7 Tips, 7 Minutes” discussion, where he will explain how regular updates of the GraVoc News Blog have helped GraVoc’s marketing efforts.  This segment will take place at 4:00 PM on Thursday.

At the MHSACM tradeshow, to be held at the Westin Waltham Hotel in Waltham, MA, several members of GraVoc’s staff will be on hand exhibiting the GraVoc Health Recovery Management System (GHR) application.  This user-friendly, easy-to-use software helps medical organizations easily track which rooms/beds are occupied and for how long.  It also keeps track of patient history and streamlines the process from medical service to billing insurance companies.

Eliminating time spent on administrative tasks enables medical professionals to dedicate their precious time and energy to helping patients’ recovery.  GraVoc was invited to this tradeshow by a satisfied GHR customer, and the company is excited about the opportunity to demonstrate how the GHR application can help health and recovery organizations improve their service process, cut down on wasted time, and improve their bottom lines.

GraVoc Associates, Inc, located in Peabody, MA, is a full-service consulting firm that specializes in information security, information systems, and professional services.  A versatile organization, GraVoc’s client base, as evidenced above, has spanned from medical organizations to financial institutions, to manufacturers, distributors, and commercial clients in a wide range of fields.  For more information about the company, please visit the new GraVoc.com.  If you happen to be in the area, GraVoc would love to see you at one of the tradeshows this week!

October 5, 2009

Marsh Leads Team at JDRF Walk

GraVoc senior associate Stefanie Marsh led a tremendous fundraising effort at the Juvenile Diabetes Research Foundation (JDRF) Seacoast Walk held Sunday September 27th.  An active member of the foundation’s New Hampshire Seacoast chapter, Marsh joined over 500 other walkers in the event, which was held despite a second consecutive year of foul weather.

Marsh’s team, “Zack’s Pack,” is named for her son Zachary, who is affected by diabetes.  Over 15,000 children are diagnosed annually with juvenile diabetes, and while treatment for the condition has improved substantially in the past decade or so, there is no cure.  Due to the generous support of family and friends, Zack’s Pack alone raised over $4,000 for diabetes research.

GraVoc Associates, Inc, a Peabody, MA-based consulting firm specializing in the practices of information systems, professional services, and information security, is proud of Stefanie’s achievements and her dedication toward community service and the JDRF.  For more information about GraVoc, visit www.GraVoc.com, and for more information about the Juvenile Diabetes Research Foundation, please visit jdrf.org.

October 1, 2009

Congratulating One Employee, Welcoming Another

Part of the buzz surrounding GraVoc Associates’ fifteenth anniversary party last month was the fact that the company was celebrating its first retirement.  Yesterday it became official, as office manager Patricia Kulakowski stepped down from her post at the front of the GraVoc building.

Pat had worked in this capacity at GraVoc since 1996, and she will be celebrating her retirement by taking a trip to Aruba with her husband next week.  The entire GraVoc staff congratulates Pat on her milestone and sincerely appreciates her many years of service and contributions while at the company.

Pat will be replaced by fellow Peabody native Connie Leaver, who began working full-time at GraVoc last week.  Having previously worked in both the insurance and in the banking industries, Connie is eager to bring a unique view to the consulting firm.  The GraVoc organization warmly welcomes Connie and encourages customers to greet her kindly the next time they call or stop by.

GraVoc Associates, celebrating fifteen years on the North Shore, is dedicated to increasing customers’ efficiency and profitability through technology.  GraVoc provides services in the three practices of professional services, information systems, and information security.  For more information regarding the business, please visit www.gravoc.com.

September 23, 2009

GraVoc Joins Mass. Bankers Association

GraVoc is happy to announce that it recently joined the Massachusetts Bankers Association.  The membership will give the company access to resources that will enable it to better serve clients in the financial services sector.  As part of this association, GraVoc will be able to better keep abreast of issues that concern financial institutions.  GraVoc hopes to use this knowledge to continuously improve existing information security services and create new offerings to fit the needs of its bank and credit union customers in a rapidly changing business environment.

The organization has a membership of over 200 financial institutions in Massachusetts, as well as an additional 200 vendors that provide products and services to the banking industry.  GraVoc provides services to banks and credit unions throughout New England in the areas of information security and information technology.  Massachusetts-based financial institutions especially have a daunting challenge ahead with the dawn of the Massachusetts Data Security Law in March 2010.

Peabody, MA-based GraVoc Associates is celebrating fifteen years of business in the areas of information systems, information security, and professional services.  GraVoc offers a wide array of services to regional financial institutions, both on the network infrastructure, design, and maintenance side and in information security, network security, and business continuity services.  GraVoc also extends services to commercial accounts in all three practices.  For more information about GraVoc and the versatility of services provided, please visit www.GraVoc.com.

September 18, 2009

GraVoc Celebrates Milestone

On Wednesday night, GraVoc Associates, Inc. hosted a get-together with staff members, customers, and friends at the Lyceum Bar and Grill in Salem.  The event marked the celebration of GraVoc’s fifteen-year anniversary serving businesses in Greater Boston, New England, and beyond in the fields of information systems, information security, and professional services.

The event featured a video (courtesy of DivergingSoul) featuring the company’s evolution over the last fifteen years and a speech by President/CEO David Gravel introducing the staff.  Customers had the chance to interact with each other and with staff members, and GraVoc greatly appreciates its guests taking the time out of their Wednesday evening to travel to the event. 

The party was held as a gesture of appreciation toward GraVoc’s customers and in recognition that, while the company’s slogan is “our business is your success,” it is also true that “your business is our success.”  The milestone would not have been reached without the confidence of GraVoc’s customers.  Moving forward, GraVoc looks forward to continuing to help clients achieve efficiency, maintain compliance, and improve profits through technology for many years to come.

For more information about GraVoc Associates, Inc, based in Peabody, MA, please visit www.GraVoc.com.

September 11, 2009

Social Engineering: Are There Rules?

A very interesting alert came from the National Credit Union Administration last month regarding a fraudulent letter and accompanying CD.  The letter and CD were sent to an unnamed credit union, indicating they were from the NCUA when in actuality they were not.  An employee of the credit union told the NCUA about it, prompting the alert.

It was very quickly learned that the letter and CD were sent by a consulting firm contracted by the credit union in question to conduct penetration testing and social engineering testing.  The consulting firm, MicroSolved, owned up to it and praised the client credit union for doing exactly what they should be doing:  Reporting suspicious activity to the appropriate authority.  In his blog, MicroSolved CEO Brent Huston expressed his admiration for the whistleblower, the NCUA, and the multiple media and Internet outlets who made this incident into an inadvertent “awareness campaign” regarding the dangers of social engineering.

MicroSolved got a considerable amount of heat for impersonating the NCUA and for using the NCUA’s logos, names, and likenesses.  Whether this is ethical or not, it is probably more effective, if not necessary, to use those likenesses.  Are real-life attackers going to be following the rules of “we don’t use logos to impersonate agencies”?  Of course not.  And the most effective tests are the ones that most closely resemble the real-life scenarios.  Unless real fraudsters have the ethics to not use the agency’s likenesses, the people complaining about this firm’s ethics in using them should really be complaining about something else.  The priority should be keeping businesses’ information safe, not the proper use of names and logos.

Social engineering is a tactic employed by malicious attackers that, instead of targeting weaknesses in computer systems, targets human beings as a way to gain unauthorized access to confidential information.  Social engineering preys upon trust, curiosity, and authority in a variety of different ways, including bogus emails, phone calls, letters, CDs, or other means.

GraVoc Associates, Inc. is celebrating fifteen years of business serving Greater Boston, New England, and beyond in the fields of information security, information systems, and professional services.  With three CISMs on staff, GraVoc brings a high skill level to its information security consulting practice.  As a service to its clients, GraVoc posts items of note such as the one above to increase awareness of constant changes in the information security landscape.  For more information about GraVoc’s offerings in information security consulting, please visit www.gravoc.com or speak to a representative at 978-538-9055.

September 8, 2009

Government Provides Pandemic Guidance

There is little new to report on the H1N1 (swine flu) pandemic, other than that flu season is coming soon, the vaccine will be released shortly, the flu as it currently stands is not as deadly as it was initially projected to be, and the 2009 H1N1 is now the dominant human flu on the planet.  The United States government, however, has a slew of resources available for businesses to plan for widespread employee absence, slowdowns in the supply chain, and public fear about the spread of illness.  Highlights include the following:

  • Supply Chain Planning:  Banks may have to wait longer for cash shipments.  Manufacturers may have to wait longer to receive raw materials.  Vendors and service providers may have slower customer service as their employees may be out sick.  Businesses must plan accordingly for this as well as planning for the absenteeism of their own employees.
  • Absenteeism Threshold:  How many people can your business afford to lose to absenteeism at the same time before business operations are adversely affected?  If the number of absent employees exceeds this number, does the company have plans to adjust accordingly?  Are there policies and technologies in place so that absent employees (if they are not sick themselves but are caring for a sick family member) can work from home?
  • Sick Time Policies:  Has your HR department considered revising policies regarding sick time so that sick employees are not showing up to work and spreading the disease just because they have a limited number of sick days?  Businesses must take the health of other employees into account, as well as the probability that employees may have to care for children who are home from school as a result of a school closure or a child becoming ill.
  • Extended Hours:  Social distancing will be a technique used to prevent the spread of the flu.  Many companies will stagger their hours of operation so that employees will have less contact with other employees, decreasing the probability that a virus will be spread.
  • Screening:  Companies should consider whether employees will be asked if they have had symptoms of the flu (i.e. fever, headache, sore throat) in the last day, and whether they should be mandated to leave the workplace if they have.

More advice from the United States Government, including a useful pandemic planning checklist, is available here.

GraVoc Associates, Inc, based in Peabody, MA, is celebrating fifteen years of serving customers in many industries in the practices of information security, information systems, and professional services.  Encompassed in the information security field are business continuity and pandemic event planning, and GraVoc has many years’ experience helping businesses plan for a disaster or a pandemic event.  With the onset of the swine flu pandemic in April, the GraVoc News Blog has provided additional guidance and updates regarding how to plan so that business operations are not interrupted.  For more information about GraVoc’s business continuity services, as well as its other products and services, please visit www.gravoc.com.

September 3, 2009

GraVoc Staff Earns Certifications

In response to the business environment becoming more competitive, several GraVoc Associates professionals have demonstrated their competence in GraVoc’s three practices of information systems, information technology, and technology and professional services.  Several staff members have earned certifications over the course of the summer, and the organization is using this space to congratulate them:

  • Nate Gravel has achieved the CISM (Certified Information Security Manager) certification from the Information Systems Audit and Control Association (ISACA).  There are only about 10,000 CISMs worldwide, and Nate, 24, is likely one of the youngest to earn this certification.  A CISM demonstrates experience in the fields of information security governance, information risk management, information security program development and management, and incident response.  Nate also earned a Microsoft Certified Professional (MCP) certification in the Microsoft Dynamics CRM software.
  • Eric Hannabury has added his seventh MCP distinction, as he successfully earned certification in the installation and configuration of Microsoft Dynamics GP 10.0.  Eric already holds the Microsoft Certified Systems Engineer (MCSE) certification, one of the premier validations of technical capabilities in designing and implementing Microsoft network infrastructure.
  • Ron Smoller, also an MCSE, has earned his sixth MCP distinction in the installation and deployment of Microsoft Dynamics CRM 4.0.
  • Doug Tilley earned an MCP in the field of Microsoft Dynamics GP 10.0 Financials.
  • Matt Wilkins earned an MCP in the area of the customization and configuration of Microsoft Dynamics CRM 4.0.

GraVoc Associates, Inc, located in Peabody, MA, has served Greater Boston, New England, and beyond in the three practices of information systems, information security, and technology and professional services.  Like any company, GraVoc relies on the strength of its employees, as knowledgeable employees help GraVoc better serve its clients.  For more information about the range of services offered by GraVoc, please visit www.gravoc.com.

August 31, 2009

Mass. Law: No Longer Strongest In Country?

Last week, the Massachusetts Office of Consumer Affairs and Business Regulation decided to issue a revised version of 201 CMR 17.00, the regulation that outlines and enforces compliance with M.G.L. 93H.  Not only did the OCABR delay the effective date for a third time, but saying the changes in the language have “softened” the aggressive nature of the law would be an understatement.

While this is good news for the smaller enterprises, such as a business that only stores personal information of its six employees or small businesses that don’t have thousands upon thousands of dollars to spend on some of the physical and technical safeguards prescribed by the old version of the regulation, information security experts (such as the ones who wrote scathing indictments of the changes here and here) argue that this regulation has been softened to the point that it is rendered worthless.  One of the authors wrote that retail firm TJX would have been compliant with this regulation when they experienced the data breach that inspired it.

Highlights from the changes:

  • Perhaps the most significant change is the removal of the personal information inventory piece.  This may have been the most cumbersome and unrealistic part of the regulations, but also may have been the most important.  It is difficult to protect information if you don’t know where it is.  Other states already do require the personal information inventory in their data protection laws.
  • Words like “reasonable” and “technically feasible” permeate the new version of the document, while they were used very sparingly in the old version.  Information safeguards, including encryption, password strength, and the installation of virus definitions, security patches, and firewall protection, previously had specific standards to be in compliance with the law.  The new standards use the “reasonable” and “technically feasible” terminology.  While this may ease small businesses’ financial burden, these words are certainly vague and open to interpretation.
  • The Frequently Asked Questions that accompany the document on the Massachusetts OCABR website further illuminate the problems with the use of these terms.  The FAQs state that email messages with personal information do not need to be encrypted if the process is not “technically feasible,” for example.  A noncompliant business can readily answer to authorities simply by saying “I did not find this safeguard to be technically feasible.”  
  • The language of the regulation removes accountability for those who “store or maintain” personal information.  This would suggest that if a company keeps its records at a hosted storage facility or with a service bureau, the vendor is no longer responsible for this information.  Other provisions regarding vendor management are similarly weakened or taken out completely—a contract including compliance is required but enforcement of a vendor’s compliance is no longer documented.
  • Compliance as an ongoing process is also put into question with the changes.  There is no longer language regarding assessing risk associated with information, processes, or applications and putting in appropriate safeguards.  Language requiring monitoring the effectiveness is also removed. 
  • Similarly, thorough investigation of any network intrusions was previously mandated by the regulation.  Such investigations are no longer explicitly required unless the intrusions result in a data breach.  A business no longer has to report or document any unauthorized physical access to computer systems.  Restricting access to systems, such as server rooms, is also completely eradicated from the document.
  • Language regarding employee access to personal information is substantially less stringent.  Language regarding limiting access to those with a “need to know” is eradicated and the word “immediately” has been removed from the part requiring companies to revoke physical and electronic access to records when an employee leaves the organization.

There are six months left before the revised compliance deadline.  With the revised provisions in the regulations, compliance is much more achievable.  However, compliance with these weakened regulations might not be enough to keep information safe anymore.

GraVoc Associates, Inc, located in Peabody, MA, is celebrating fifteen years in the practices of information security, information systems, and technology and professional consulting.  For more information on GraVoc’s compliance services aligned with the Massachusetts Data Protection Law, please contact GraVoc at 978-538-9055 or visit the GraVoc website at http://www.gravoc.com.  More information on this law has been covered in the GraVoc News Blog, so clicking “Massachusetts Data Protection Law” below is also a useful source of information.

August 25, 2009

Data Breach Lessons Learned: Part 2

Continued from Friday’s post, here is more information regarding how the indictment of hacker Albert Gonzalez in connection with the biggest credit card number heist in history is significant to your business and protecting its information assets:

  • As difficult as it is to announce a data breach, companies not only have the responsibility to their customers to alert authorities of a data breach, but they will also be helping the efforts of law enforcement to catch criminals like Gonzalez by announcing in a prompt manner.  Companies already implicated in highly-publicized breaches have suffered immeasurable, irreparable damage to their reputations.  However, as this story develops, there has been news that Heartland may have known more about the scope of the breach than what they reported.  This may be a serious problem for the company.
  • While Gonzalez is the malicious intruder in this case, the corporate victims also take a piece of the blame, whether rightfully so or not.  Securing a network is like locking your doors when you leave your house—except it takes a lot more time, effort, and money.
  • Even with so much attention being paid lately to social engineering techniques such as phishing and the threat posed by malicious “insiders” in rough economic times, this massive data breach was executed using somewhat-traditional network hacking.  Hackers have not abandoned this tactic.
  • As cumbersome as laws like the GLBA, HIPAA, PCI, and the Massachusetts Data Protection Law are, they may very well be necessary to keep individuals safe from identity fraud.

GraVoc Associates, Inc, located in Peabody, MA, serves customers in Greater Boston, New England, and beyond in the practices of information systems, information security, and professional and technological services.  The GraVoc News Blog is updated frequently to provide free information and tips to help your company’s bottom line.  For more information regarding GraVoc’s services and how they can help your company’s efficiency and security, please visit http://www.gravoc.com.

August 21, 2009

Mass. Data Protection Law Delayed, Softened

Earlier this week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) made the decision to delay the effective date of the Massachusetts Data Protection Law (also known as MGL 93H or 201 CMR 17.00) for the fourth time.  Businesses are expected to be in compliance with this law, which is designed to protect Massachusetts residents from identity theft, by March 1, 2010.

The original effective date of this law was January 1, 2009.  It was delayed until May 1, 2009 late last year, and in February it was moved back to January 1, 2010. 

The provisions and standards of data protection have also been amended.  While the law is still perhaps the most aggressive in the country, compliance is much more attainable with the revised provisions.  The amended law can be read in PDF format here.

This announcement can be interpreted many ways.  A pessimist may look at it in a way that the effective date may never come and that Massachusetts is writing this law for a public relations purpose.  Optimists may view the four separate delays and significant amendments to the regulation as a gesture by the state saying that they are listening and they understand the needs and limitations of small businesses.  It could possibly be indicative that the state and the OCABR are serious about enforcing compliance, so they are making changes so that compliance is actually a possibility for businesses.

This news will be covered in more depth on the GraVoc News Blog towards the end of next week.

GraVoc Associates, Inc., based in Peabody, MA, is celebrating fifteen years in Greater Boston.  GraVoc works with a variety of different clients in several sectors, providing services in the practices of information security, technology and professional services, and information systems.  GraVoc’s information security team has several years’ experience serving the highly-regulated financial services industry, and is committed to helping clients from any industry comply with the Massachusetts Data Protection Law.  For more information about GraVoc and its M.G.L. 93H compliance services, please visit GraVoc.com.

Lessons Learned in Data Breach Indictment

The indictment of Albert Gonzalez and two other co-conspirators in connection with data breaches resulting in 130 million credit card numbers stolen is massive news.  This is the largest breach of credit card numbers ever recorded, and the fact that someone was caught speaks volumes about the efforts of law enforcement officials.  However, this indictment doesn’t change the fact that the numbers were still compromised and the corporate victims—the businesses that had data stolen off of their networks—have suffered irreparable damage both in terms of regulatory compliance and corporate reputation.  There are many lessons to be learned about this incident.  The GraVoc News Blog will outline this information in a two-part series.

  • Albert Gonzalez is already in prison for his involvement in a previous high-profile data breach involving TJX, Dave & Buster’s, BJ’s, and other companies.  In his career as a hacker, he very well may have stolen 200 million credit card numbers!  Each of these operations, while certainly sophisticated, was reasonably small.  This news shows how readily available credit card numbers can be if a network is violated.
  • This attack was well-planned and well-researched.  The scope of this group’s “research and development” included driving with a computer to evaluate the security (or lack thereof) of potential victims’ networks using a variety of tools, many of which may also be used by companies like GraVoc to help companies identify vulnerabilities in a network’s perimeter.  Potential victims were also qualified by researching the means of payment processing.
  • The attack was carried out with a SQL injection and installation of malware, exploiting network vulnerabilities that were previously identified and documented.  These attacks typically exploit “poorly-coded” applications, and when these vulnerabilities are initially found, they are documented and resolved in an updated version of the application.  In other words, many of these vulnerabilities are the result of a company’s lack of diligence regarding updating software versions.
  • Experts agree that despite the diligent preparation for this attack, an SQL injection is not a difficult exploit to execute.  While Albert Gonzalez may be behind bars, he is hardly the only hacker in the world who can exploit the same vulnerabilities in this manner.

GraVoc Associates, Inc. of Peabody, MA, is dedicated to ensuring its clients in Greater Boston, New England, and beyond are aware of the ever-changing environment of information security.  The GraVoc News Blog will continue documenting four other “lessons learned” early next week.  For more information regarding GraVoc’s services in information security, information systems, and technological and professional services, please visit http://www.gravoc.com.

August 19, 2009

GraVoc Adds Stefanie Marsh to IS Practice

GraVoc Associates Inc. is proud to announce the hiring of Stefanie Marsh as a Senior Associate in their Information Systems practice.  Stefanie will add her experience and strong work ethic to GraVoc’s information systems practice. 

The hiring of Stefanie is to respond to the needs of a rapidly-growing customer base in ERP systems implementation.  Last year, GraVoc was recognized as the second-largest Microsoft Business Solutions reseller in New England in terms of sales, up from fifteenth the year before.

Stefanie, a resident of Dover, NH, has fifteen years of consulting and operations experience in a diverse environment of manufacturing and distribution companies.  Her previous work has spanned the medical manufacturing, high-technology, and retail fields.  With Stefanie’s experience comes a high level of understanding of these business processes as well as the difficulties and challenges encountered by firms in the market for enterprise resource planning (ERP) solutions.

A graduate of the University of Rhode Island and a mother of two, Stefanie enjoys spending time with her family, visiting Disney World, and outdoor recreation.  She also devotes much of her free time to community service, as she is active in the JDRF Seacoast Committee to benefit juvenile diabetes research.

GraVoc Associates, Inc. extends a sincere welcome to Stefanie.  As they celebrate fifteen years of business in the practices of information systems, information security, and technology and professional services, GraVoc has added three full-time staff members in the last year.  GraVoc has maintained Microsoft’s Gold Certified Partner status for several years through their efforts in a challenging re-certification process and through their competence and ability to outfit enterprises in Greater Boston, New England, and beyond with appropriate and robust ERP, CRM, and other solutions.  For more information about GraVoc’s offerings, including software products developed by GraVoc’s programmers, please visit GraVoc.com.

August 14, 2009

Vacation Over?

As the summer begins to wind down and many executives and employees return from their well-deserved vacations, just over the horizon lie a great many challenges in the field of information security.  Perhaps two of the largest information security-related challenges facing almost every business in New England are the specter of a pandemic event taking full grasp of the entire world and the January 1st effective date of the Massachusetts Data Protection Law.

As far as the H1N1 (swine flu) virus goes, the effects of many people becoming ill, the potential of the flu becoming more potent, and public fear surrounding the outbreak will undoubtedly have a noticeable impact on virtually every business.  This goes well beyond encouraging your employees to wash their hands for twenty seconds and putting hand sanitizer in places of business interaction.  Executives will have to ask themselves:  “What do I have to do if 40% of my staff—and 40% of everyone else’s staff—is out sick?”  With employees sick or taking care of families if schools are closed for social distancing purposes, this is a distinct possibility.  It presents a wide range of challenges regarding your ability to continue business operations.

The Massachusetts Data Protection Law, going into effect on January 1st, presents an equally-daunting challenge.  This law requires an aggressive standard of logical and physical controls to protect every piece of personally identifiable information pertaining to a Massachusetts resident in an enterprise.  The enterprise doesn’t have to be in Massachusetts to be subject to this regulation if it has a Massachusetts resident’s name with a social security number, government-issued ID number, financial account number, or credit/debit card number.

Both of these issues are bound to give businesses across all sectors a fair share of headaches.  As evidenced by past posts on the GraVoc News Blog, GraVoc Associates has devoted time and effort to stay on top of both of these impending challenges.  For many years, GraVoc has helped clients design pandemic event plans and has helped these plans remain effective through testing.  The GraVoc information security practice is built on the foundations of achieving compliance with strict regulations and keeping clients’ information safe from both outsiders and malicious insiders.

GraVoc Associates, Inc, celebrating 15 years on the North Shore outside of Boston, is committed to helping clients in their three practices of information systems, information security, and professional and technological services.  The information security practice historically has worked extensively in the highly-regulated financial industry.  For more information on the products and services provided by GraVoc, please visit GraVoc.com.

August 3, 2009

Flip Flop Friends Complete Walk

GraVoc Vice President Cathy Gravel and her “Flip Flop Friends” teammates successfully completed the Breast Cancer 3-Day event last weekend.  This event included approximately sixty miles of walking throughout the greater Boston area over three days, and its proceeds went to benefit Susan G. Komen for the Cure.

Thousands of walkers braved unfavorable conditions, including rain on Friday and heat on Saturday as they trekked from as far west as Framingham and as far north as Woburn before finishing at the University of Massachusetts-Boston.  In addition to the physical challenge of the walk, each participant raised over $2300 for breast cancer research.

Cathy, as well as teammates Gina Braz-Rocha, Karen Braz, Terri Garofano, and Jean Hallinan, were extremely grateful to all their supporters, and the GraVoc organization is proud of the team’s accomplishments.

July 20, 2009

GraVoc Team Wins Softball Championship

Congratulations to the GraVoc Associates girls’ softball team (pictured above).  Last week, the GraVoc team reached the league championship for the second consecutive year.  The GraVoc ladies went undefeated throughout the playoff run, so they had two chances to clinch the title.  It only took one game, and the team was crowned champions of the 13-16 year old division of the Peabody Youth Girls Softball League.

Their sponsors at GraVoc Associates are proud of the team’s accomplishments all season long.

July 16, 2009

Massachusetts Data Protection Law: Encryption Standards

As the deadline for compliance with the Massachusetts Data Protection Law (MGL 93H & 201 CMR 17.00) rapidly approaches, many companies will be looking for information on what they have to do in order to achieve compliance with the regulations that are more aggressive than the “game-chang[ing]” law passed in Nevada.

The part of the law that has garnered the most attention is its emphasis on encrypting personal information.  For the sake of reference, the encryption-related requirements are printed below:

  • “To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.”
  • “Encryption of all personal information stored on laptops or other portable devices.”

Source:  Mass.gov

Simply stated, encryption is a technical provision that makes it very difficult for an unauthorized individual to access electronic information.  Encryption is especially important with email transmission (in the case that the email is intercepted over a public network) and with portable devices such as laptops, PDAs, and flash drives (which are easily lost or stolen).

Peabody, MA-based GraVoc Associates, celebrating fifteen years of business in Greater Boston, New England, and beyond, understands that the encryption standard especially is an unusual burden for businesses that don’t typically have to concern themselves with detailed information security governance.  GraVoc’s information security personnel have been following the evolution of the Massachusetts Data Protection Law for several months, demonstrating their commitment to help both new and existing clients comply with this challenging law with appropriate procedures and products.  For more information about MGL-93H services, as well as more information about GraVoc’s services in their other practices of information systems and financial and professional consulting, please visit GraVoc.com.

July 13, 2009

Mass. Data Protection Deadline: Less than Six Months Away

The Massachusetts Data Protection Law, sometimes referred to as Massachusetts General Law 93H & I or 201 CMR 17.00, goes into effect on January 1, 2010, and the general consensus is that the effective date is NOT going to be delayed for a third time. This law requires all companies with “personal information” pertaining to a Massachusetts resident to have a comprehensive written information security policy. It also requires companies with any personal information to undergo reasonably-daunting efforts to protect both paper and electronic files to prevent a data breach.

“Personal information” is defined as a person’s name or first initial and last name in conjunction with a social security number, a government issued ID number, a driver’s license number, or a financial account number (including credit and debit card number). This covers both customer information and employee information, so virtually every business in the state will have to comply with this law.

The many provisions required by this aggressive law include procedural controls, physical controls, and technological controls. Among the more challenging measures to be mandated under this law are the following:

  • A comprehensive, written information security policy regarding the protection of information both in physical and electronic forms.
  • A vendor management program that ensures that all vendors, service providers, and contractors with access to personal information are also taking adequate measures to curb identity theft and data breaches and to become compliant with this law.
  • Higher levels of physical information protection, such as the use of locked containers and the employment of locked facilities.
  • Challenging standards for electronic data protection, including the encryption of hard drives and portable devices like laptops, PDAs, and flash drives that contain personal information.

As this law sets very high standards and expectations and threatens to levy strict fines against noncompliant businesses, small and midsized businesses may not know where to turn. GraVoc’s information security team has been monitoring the law’s provisions and its evolution over the past year.  GraVoc is committed to helping clients comply with this law and proactively quell the risk of data breaches and identity theft.

GraVoc Associates, Inc, a full-service consulting firm based in Peabody, MA, is celebrating 15 years of business in Greater Boston and throughout New England. GraVoc offers a wide range of services in the fields of information security, information systems, and technology and financial services, including Massachusetts Data Protection Law compliance services. For more information on GraVoc’s information security work in the highly-regulated financial industry or more information about 93H compliance services, please visit GraVoc.com.

July 10, 2009

Jason Vlacich Celebrates 10 Years at GraVoc

GraVoc Associates is pleased to announce a significant milestone for Director of Information Systems Jason Vlacich.  This month, Jason will be celebrating ten years with the company.  The former controller of Netsuite Development Corporation, Jason has brought knowledge in both the fields of information systems and finance to catalyze GraVoc’s rapid growth in the market of ERP system implementation as well as the growth of the GraVoc Software branch of the company.

“From the time he joined GraVoc in 1999, Jason has been the ‘go to’ guy for most of our new projects and new information systems,” said David Gravel, President and CEO of GraVoc Associates.  “Jason truly sets the bar for commitment to both our customers and the company – I am proud to have him as both an employee and a friend.”

Thanks to the efforts of Jason and the rest of the GraVoc staff, the company has climbed from fifteenth to second in New England in terms of Microsoft Business Solutions resellers, and the GraVoc Software branch has produced a vast line of products, including the robust GraVoc Field Service application.  For more information about the company, which is celebrating fifteen years of business in Greater Boston in the fields of information systems, information security, and technology and financial consulting, please visit GraVoc.com.

July 7, 2009

Cathy Gravel Receives Rotary Honors

GraVoc vice president Cathy Gravel knew going into last week’s Rotary banquet that she would be named the club’s president for 2009-2010.  What she did not know is that she would be named the club’s Rotarian of the Year, as well as awarded the prestigious Paul Harris Fellow distinction.

Cathy received this award undoubtedly as a result of her tremendous efforts on several of the Peabody Rotary’s project committees.  Cathy served as the chairperson of the scholarship committee, which awarded $11,000 of scholarships to Peabody students.  She also served as chairperson and grant writer of the Safe 2 Pedal Day program, which organized an event encouraging health and bicycle safety.  During her one-year term as president, she will now oversee all of the club’s community involvement projects. 

Rotary International’s slogan is “Service Above Self,” and they are recognized worldwide as an organization that undertakes local projects as well as international efforts, such as funding surgery for children with facial deformities in the third world and eradicating polio worldwide.  Locally, the Peabody Rotary Club has received recognition for programs such as the Y It Matters program, which provides extended-day school activities for elementary school students.

The Paul Harris Fellow distinction is perhaps the highest distinction awarded to a Rotary member, as it rewards the recipient for “outstanding contributions to the ideals of Rotary.”  The award also typically involves a contribution to the international Rotary Foundation in honor of the award recipient.

The entire GraVoc organization is proud of Cathy and her contributions to the community and her embodiment of Service Above Self.

June 23, 2009

Gartner: Dynamics AX a “Leader”

In a twenty-page review released at the beginning of June, IT research firm Gartner evaluated thirteen different enterprise resource planning (ERP) systems for “product-centric midmarket companies” between 100 and 1000 employees.  The review, including many pros and cons of each system, is available here.  The only solution that received the accolade of being in the “magic quadrant” of high “completeness of vision” and “ability to execute” was Microsoft Dynamics AX.  Please refer to the image below to see a graphic layout of where Gartner evaluated each solution in respect to industry trends:

Dynamics AX was deemed a “leader” due to the product’s functionality, its wide network of partners and resellers around the world that makes global implementation less of a burden, its scalability and customizability to tailor the product to customer needs, and its ease of use, as it resembles the Microsoft Office products that are popular among the mid-market and it readily integrates with these Office programs.

The criteria for evaluating “ability to execute” included the product’s capabilities, the company’s financial viability and capacity to meet its commitments and continue a valuable relationship with a customer, and its ability to execute sales.  The criteria for “completeness of vision” included the understanding of the industry’s needs, the company’s sales, marketing, and product development strategy, and a clear business model that outlined the product’s growth goals.

Notable from the Gartner review is that while many mid-market companies have recently moved towards Software as a Service (SaaS) solutions, their findings indicated that the total cost of ownership of a SaaS option is “not necessarily” lower than that of an on-premise ERP option.

Epicor Vantage also received high marks due to its position as a “visionary” with defined plans of the product’s evolution, updates, and development.  Vantage did, however, lose some points due to its financial viability and its perceived candidacy for being bought out.

GraVoc Associates, located in Greater Boston in Peabody, MA, is a Microsoft Gold Certified Partner dedicated to implementing ERP solutions, including Microsoft Dynamics AX, for commercial clients.  The Gartner report indicated that a “concern” in the Dynamics AX evaluation is that much of the product’s effectiveness is contingent on the efforts and competence of the partner helping the customer with the system.  A very small number of Microsoft partners have achieved the highest certification level.  GraVoc, however, has reached the highest certification level, maintaining the Gold Certification for several years through competence and rigorous ongoing re-certification efforts.  GraVoc is celebrating fifteen years of business in the fields of information systems, information technology, and technological and professional services.  For more information about the wide range of services offered, as well as more information on whether Dynamics AX might be the right solution for you, please visit GraVoc.com.

June 18, 2009

GraVoc Brings Peabody Chamber Website Live

Late last week, the Peabody Area Chamber of Commerce (PACC) website was re-launched with a new design and enhanced functionality. GraVoc, a member of the Chamber, undertook the project of designing the new website using a layout from Expressive Web Solutions.  Features of this project included:

  • Designing the website’s content.
  • Allowing a visitor to access information provided to PACC by ChamberMaster without losing access to information on PACC’s website.
  • Creating an easy way for Chamber personnel to edit content without changing the entire website.
  • Streamlining the website’s front page with its Twitter feed.
  • Communicating with the web hosting company to bring the new website live and functional on Thursday, June 4th.

Below, you can see the old website on the left contrasted with the new one on the right.

The new peabodychamber.com is available here.

Among the web-related services offered by GraVoc are website design, development, and hosting.  GraVoc can design the look and feel of your website, ensure that its links and features work correctly, and host it on GraVoc’s servers for World Wide Web availability.

GraVoc Associates, Inc, located outside of Boston in Peabody, MA, is celebrating fifteen years of providing services to Greater Boston, New England, and beyond in the fields of professional and technology services, information systems, and information technology.  To learn more about how GraVoc can help your website accomplish your goals, or to see more information about the products and services offered, we encourage you to visit GraVoc.com and gravocsoftware.com, or to call the GraVoc offices at 978-538-9055.

June 15, 2009

Highlights from Presidential Cybersecurity Plan

Much has been made of President Obama’s “ten-point” information security plan, some good, some bad.  It gained front-page news last month as information compromises seem to be spiraling out of control.  This initiative has largely been praised by those in the information security community, as the government is placing a high priority on keeping electronic information safe.  A few observations from Obama’s plans:

  • Perhaps the most celebrated point of this plan is to appoint one person in charge of the national cybersecurity program.  This way, there is one so-called “cyber-czar” with chief accountability to ensure that actions are being executed.
  • The ten-point plan describes cybersecurity as, in the words of GovInfoSecurity.com, a “key management priority” that will utilize performance metrics.  It will be especially interesting to see how the success of this undertaking will be measured.
  • The plan prioritizes public awareness and education toward information security over the internet.  Currently, many cybercriminals are realizing the easiest way to compromise data is not through the weakness in the technological infrastructure, but through social engineering tactics that exploit the weakness and ignorance of the people using the information systems.

An educated and aware populace will ideally be one of the keys to securing data online.  For example, this week Australia promoted “Change Your Password Day” with a self-explanatory call to action.  It is also worth noting that in a recent study, a high percentage of system users had very simple passwords that were easy for them to remember—and for others to guess.  Sixteen percent of users, according to a Cyber-Ark study, had their first name as their password.

  • The plan also emphasized that the United States should reach out internationally for these initiatives, which is important.  Several major cyber-fraud plots have been perpetrated overseas, and some Russian and Ukrainian hackers are hailed as heroes for usurping money from wealthy Westerners.  This incentive to steal can be counteracted by harsher penalties from their own countries.  Though such penalties certainly will not completely eliminate the problem, strong global measures against cyber-fraud will help create a disincentive to carry out intricate hacking and social engineering activities.

GraVoc Associates, Inc, celebrating fifteen years of business in Peabody, MA, is committed to serving clients in three areas:  Information systems, technology and professional services, and information security.  GraVoc occasionally uses the GraVoc News Blog to alert information security clients on certain items of interest.  To learn more about GraVoc’s products and services, please visit GraVoc.com.

June 11, 2009

Phase 6

Today it was announced that the World Health Organization (WHO) has assessed the current swine flu (H1N1 virus) situation and confirmed that it is the first full-blown pandemic in 41 years. The WHO has declared a pandemic Phase 6 for the first time since the advent of the alert system.

Now is a reasonable and prudent time for your business to evaluate its pandemic plans to ensure that operations will be able to continue as normally as possible in the case of a widespread pandemic. Organizations must plan to cope with public fear, people exercising social distancing instead of interacting in a normal face-to-face marketplace, and, perhaps most importantly, widespread absenteeism and illness.

It has been speculated that at the height of a pandemic event’s severity, up to 40% of employees at an organization may be absent due to illness, their family’s illnesses, or children staying home from school or day care as a result of social distancing measures. This not only significantly impairs your business internally, but vendors and service providers may also be working at 60% capacity. As Phase 6 is declared, your organization must ask itself what needs to be done.

It is also worth considering how public demand for goods and services may change upon the onset of a pandemic event. Many of GraVoc’s information security customers work in the banking industry, and it is safe to say that in times of public fear, members and customers may want to carry cash at a higher rate.

Other items to consider as pandemic fears escalate can be found in past posts on the GraVoc News Blog.

GraVoc Associates, Inc, based in Peabody, MA, is celebrating fifteen years of business serving greater Boston, New England, and beyond in the fields of information security, information systems, and technological and professional services. One of the services offered by GraVoc’s information security practice is helping organizations design business continuity plans so that a business can continue operations in the event of a disaster. Pandemic planning is a keystone element of business continuity planning. If you believe your business needs planning or training on how to cope with the onset of a pandemic, please feel free to explore the GraVoc.com website or to call GraVoc’s offices at 978-538-9055.

June 8, 2009

Insiders Play Role in Major Fraud

A highly-sophisticated bank fraud plot was discovered in New York City last month, leading to eighteen indictments.  This plot, which involved some bank employees conspiring with the alleged ringleaders, further indicates that even if a company’s computer systems and technological infrastructure are 100% hacker-proof, information can still be compromised.

An earlier post in the GraVoc News Blog illustrated the rising “insider threat” predicted while the recession continues.  Companies’ employees, with slumping bank accounts and fear for their job security, have less to lose by defrauding the organization for which they work for their own monetary gain.  The insiders at several New York banks who decided to become co-conspirators in this crime were likely in this situation.  Due to their jobs and their access to copious information, they were an indispensable part of the puzzle, and the crime would not have been possible without their roles.

While insiders turning on their own business is never fully preventable, a financial institution can take some measures: implementing a rigorous evaluation process in hiring new employees, tightly restricting access to sensitive information to those who have a specific business reason to use or even see it, and curtailing the possibility of any of this information being duplicated, either in paper form or electronically.

GraVoc Associates, Inc. is committed to offering advice to its information security clients on how to protect their information from both internal and external threats.  Located in Peabody, MA, GraVoc is celebrating fifteen years of business in the practices of information security, information systems, and technology and professional services.  GraVoc works with several dozen regional banks and credit unions throughout Greater Boston and New England in the realm of information security.  For more information about services being offered, please visit GraVoc.com or contact the GraVoc offices at 978-538-9055.

June 4, 2009

Budgeting Your ERP Project (Part 2)

Earlier this week, the GraVoc News Blog documented the challenges that make it difficult to gauge the price of implementing an ERP solution. The previous post was based off of an informative whitepaper available here.

Many of the challenges illustrate why GraVoc may be the best company to implement an ERP solution for your business, both in terms of receiving top-quality products and consulting services, but also in terms of avoiding unnecessary costs.

The diversity of the services offered by GraVoc is clearly an asset when it comes to ERP projects, as an ERP client only needs to work with one firm for a great deal of these services. GraVoc’s professionals have several years’ experience implementing the right ERP solution that meets a client’s needs. GraVoc also offers blocks of pre-paid hours at a lower rate for implementation services, project management capacities, training, and later support.

GraVoc’s ERP clients don’t need to go elsewhere if they need specific integration with other programs, as GraVoc has developed a large handful of custom utilities linking ERP products to other applications. The GraVoc Software website will illustrate that GraVoc’s programmers have a prolific history in enhancing the functionality of ERP solutions.

What may differentiate GraVoc the most, however, is the firm’s hardware and technological infrastructure services. GraVoc handles technological infrastructure design and hardware procurement for several commercial clients as well as banks and credit unions, where the integrity and the security of data is an urgent priority.

A way to cut down on the costs associated with implementing an ERP solution is through vertical integration. By engaging GraVoc, your project manager, your trainer, and, perhaps most importantly, your technology consultant will already be very familiar with your company’s processes because they are the very same people who are implementing the solution. This would cut down on miscommunication, possible errors, and lost time. Cutting down on lost time is another way to reduce costs on what is already a daunting project.

GraVoc Associates, Inc, based in Peabody, MA, is a Microsoft Gold Certified partner specializing in the practices of information systems, professional and technology services, and information security. GraVoc is celebrating fifteen years of business serving Greater Boston, New England, and beyond in this wide range of consulting services. For more information regarding how GraVoc can help your business achieve its goals in operational efficiency, please visit www.gravoc.com or www.gravocsoftware.com.

June 2, 2009

Budgeting Your ERP Project (Part 1)

Investing in an enterprise resource planning (ERP) solution, while it is proven to help businesses streamline processes and become more efficient and profitable, is a very lofty and complicated undertaking. Unlike basic accounting software, there is not a specific price for ERP solutions. CAL Business Solutions, a Connecticut-based Microsoft Dynamics GP partner, wrote a detailed and helpful whitepaper explaining the elements of formulating a price for an ERP implementation. This whitepaper is available at the CAL website.

Over two blog posts this week, the GraVoc News Blog will examine the elements that go into the price of an ERP project and why, as the CAL whitepaper explained, choosing an appropriate vendor may be even more important than choosing the right software.

You cannot find a specific price for any kind of ERP software, and that is just the nature of the business. Launching an ERP solution is more similar, in terms of pricing, to building an addition to your house than it is to buying QuickBooks or Microsoft Office. The following elements, as described in the 28-page document, can all drive up—or drive down—the price of an ERP project:

  • Software Licenses: As the CAL whitepaper described, the price of software licenses is variable depending on the number of licenses, the number of modules being used, and the scope of maintenance plans, which typically include upgrades, support, and access to a searchable knowledge base. A good way to minimize costs is to ensure that you are not paying for things that aren’t necessary, such as too many licenses or access to modules that will not be used.
  • Consulting Services: The whitepaper asserted that for every dollar you spend on software licenses, you will spend another $1.00-1.50 on consulting services. These services include implementation, setup, and data conversion, if necessary. Consulting services also could include custom development, tailoring the ERP solution so that it integrates with other programs, or project management tasks so that the efforts being put forward have a clear goal and direction. Here especially, it is necessary to ensure that the prospective partner/reseller has the requisite expertise to help guide your business through this project.
  • Training: A massive ERP project’s value is greatly diminished if the users do not know how to use the software. A central theme throughout the CAL whitepaper is finding a partner who can handle the appropriate procurement, perform the necessary services to make the system work, and train users how to use it. Needing to work with different third-party service providers is more difficult logistically, and the right vendor would be able to handle this.
  • Hardware: ERP systems, including Microsoft Dynamics ERP systems, typically run best on a server dedicated specifically to running the solution’s processes. This often involves selection of the correct server and installing licenses to server operating systems for each license of the ERP purchased.
  • Support: Inevitably, challenges may arise with the use of a new system. Therefore, a business should consider some quantity of support services as part of its ERP project. The CAL whitepaper outlines eight questions that should be taken into consideration in regards to support and whether a vendor being considered provides the necessary care and support.

Later this week, the GraVoc News Blog will analyze these elements, choosing the right vendor, and why we hope your business seriously considers GraVoc as a candidate for implementing your ERP project.  GraVoc, based in Peabody, MA, is a Microsoft Gold Certified Partner specializing in implementing a wide variety of ERP products and business solutions, including Microsoft Dynamics AX, GP, and CRM.  This year, they are celebrating fifteen years of business serving Greater Boston, New England, and beyond for consulting services in the areas of information systems, information security, and technological and professional services.  For more information about GraVoc and its diversity of services, please visit www.gravoc.com and www.gravocsoftware.com.

May 19, 2009

GFS Web-Ex Wednesday


GraVoc is demonstrating the use of the GFS field service management system in a Web-Ex on Wednesday morning.  Several businesses are already participating in the event, which begins promptly at 9:00 AM and will last for about an hour.

GFS is a powerful, easy-to-use business process management system built specifically for the service industry, as it manages the entire lifespan of a service call from entry and dispatch to billing and history.  Due to GFS’s ease of use and rapid accessibility of information, clients are wasting less time tracking hours and inventory, increasing customer service capacity, financial transparency, and profitability.

Jason Vlacich and Michael Roma from GraVoc Associates will demonstrate the use of the software, its features, and most importantly, what problems it can potentially solve for your business.  There is still availability for this free informational webinar.  You can register for this event online at the following link:  http://www.gravocsoftware.com/gfswebinar.html.  On the form, you have input on what questions you would like answered in Wednesday’s event.

GraVoc Associates, Inc, celebrating fifteen years of business, is a full-service consulting firm located in Peabody, Massachusetts. GraVoc prides itself on its ability to outfit clients in the Greater Boston area, New England, and beyond with quality software solutions that result in better business decisions, more productivity, and a prompt ROI. For more information about the GFS application, please visit gravocsoftware.com, and for more information about GraVoc, please visit GraVoc.com.

May 7, 2009

The “Year of the Insider Threat?”

What typically comes to mind when a person thinks of information security breaches is a sophisticated hacker maliciously using his or her technological manipulation skills to gain access to an organization’s information systems.  For the banking industry, this is similar to someone putting a mask on and robbing the bank.

However, perhaps partially due to the weakened economy and widespread concerns about job security, the threat of insiders—i.e. employees, vendors, or consultants—is a threat that is growing at an alarming rate.  This is similar to an employee pocketing money from a vault or from a cash register.

Statistics indicate that in 2008, the number of insider threats being realized skyrocketed.  Endpoint Security reports that out of all data breaches in 2008, insiders were responsible for 15.7% of them.  This is more than double the 2007 figure.  Logic would indicate that employees or consultants, fearing layoffs or due to other conditions of economic uncertainty, have more of a motive to compromise their own company’s systems and data.  BankInfoSecurity wonders if 2009 is the “Year of the Insider Threat” while offering advice on how to prevent insider threats from being realized.  In a whitepaper by Kevin Prince of Perimeter eSecurity, malicious insiders are identified as a “rising threat” and the biggest “network security threat of 2009.”

The threats are there and are largely unavoidable.  Every organization will have trusted insiders who have access to information and therefore have the capabilities to compromise that information.  However, there are many ways to control the risks associated with malicious insiders. 

Limiting access to information to those with a clear need-to-know is a generally-accepted best practice, and making sure insiders are following this “need-to-know” as well as information security policies is also a simple but crucial mitigating control.  It may be worth considering software that inhibits a user’s ability to use data storage devices such as PDAs, flash drives, or CD-ROMs.  But constant attention and diligence towards information systems, including upgrading technologies in a timely manner and monitoring access logs for suspicious activity, is necessary.

Preventing insider threats must be an enterprise-wide effort.  Background checks should be considered before hiring a person with access to sensitive information, and procedures regarding issuing and removing access should be written and followed.  Policies should be drafted about responding to an insider threat.  With information more portable than ever, enterprise-wide decisions should consider the feasibility of a data breach caused by a malicious insider, and trying to minimize the likelihood and impact of such an event happening should be a consideration in these decisions.

GraVoc Associates, Inc., based outside of Boston in Peabody, MA, is celebrating fifteen years of providing consulting services in the practices of information security, information systems, and professional and technical services.  GraVoc is committed to informing clients about the latest information security threats, and their information security team is willing to help your business achieve your compliance with regulations and keep your information safe.  For more information about the company, please visit www.gravoc.com or call the GraVoc offices at 978-538-9055.

May 4, 2009

If It Blows Over…

The latest reports of the swine flu outbreak indicate that the virus is not as bad as first feared, and it is starting to wane in its epicenter of Mexico.  Of course, this is very good news, but it is important to note that the world is certainly not “out of the woods.”  The WHO has not downgraded the alert phase from 5, and it is unlikely they will do so anytime soon.

This is partially because historically, many flu pandemics do indeed start in the spring, then wane, but come back even stronger during the traditional flu season that starts around December.  The H1N1 virus may follow that trend.  Luckily, that gives scientists time to develop a vaccine for the virus so that the impact of it will more closely resemble the impact of the seasonal flu instead of a catastrophic event.  It also gives businesses that may have been panicking about swine flu more time to plan for a pandemic event.

If the crisis does indeed blow over, it serves as a very relevant wake-up call.  If you saw your business start to panic due to lack of preparedness for a pandemic, GraVoc continues to be here to help.

GraVoc Associates, based just outside of Boston in Peabody, Massachusetts, is celebrating fifteen years of business in information security, information systems, and technology and professional services.  With years of experience in business continuity and pandemic event planning, GraVoc is committed to minimizing the impact of any flu outbreak on its clients’ business operations.  For more information, please visit the new GraVoc.com or call the GraVoc offices at 978-538-9055.

May 1, 2009

CNN: Companies Preparing For Worst

There is a useful article available currently on CNN.com regarding some of the largest companies in the country preparing for the worst by starting to implement their pandemic contingency plans.  This is a good sign, as these businesses represent a significant portion of the economy.  A disruption in business operations for firms and institutions of all sizes significantly decreases the affected business’s income.  Therefore, it is important for businesses of all sizes to begin instituting pandemic plans similar to the ones being activated by these large companies.

The article relies on analysis by the Gartner research firm, including vice president Ken McGee.  From the article:

For companies that already have contingency plans in place, he says that they need to halt all other activities and direct all their resources to activating their plans. He suggests testing home networks of critical employees to make sure they are working. He also suggests talking with vendors to see their level of preparedness.

"This is not a snow day," he said. "Companies need to review their plans and find their weaknesses and gaps readiness. And then they need to fill them immediately."

For companies that do not have a plan in place already, McGee says they need to be aware of hotspots where the virus is already infecting people, and they should be preparing to set up home networks and possibly shut down their offices in those regions.

The CNN article also refers to the blog of Gartner analyst Nick Jones, where Jones outlines how companies must consider exploiting technology to minimize business disruption while keeping employees safe from a pandemic.  Thanks to technology like telecommuting/remote access from employees’ homes, wireless broadband, and high-capacity mobile devices, it is certainly possible to keep people working while closing an office location.  It is, however, essential that your organization is not technologically overwhelmed by a significant increase in telecommuting.

GraVoc Associates, based in Peabody, MA, is willing to help your business design contingency plans for pandemic events and other disasters that put business continuity in jeopardy.  As GraVoc celebrates fifteen years of business in greater Boston, the GraVoc information security team has many years’ experience in business continuity and pandemic planning.  Please don’t hesitate to browse past posts regarding the swine flu outbreak in the GraVoc news blog.  For more information about the company, please visit the website at www.gravoc.com.  Also feel free to call GraVoc at 978-538-9055 if you need assistance in planning and preparing for a pandemic.

April 29, 2009

Swine Flu Update – April 29

For the first time since the advent of the rating system, the World Health Organization (WHO) has raised the pandemic alert phase to Phase 5.

According to the WHO, Phase 5 is characterized by “widespread human infection” and is described as a “strong signal that a pandemic is imminent and that the time to finalize the organization, communication, and implementation of the planned mitigation measures is short.”

With worldwide travel significantly more common than it was in 1968, the date of the last worldwide influenza pandemic, this pandemic may spread across the globe more quickly than ever before.  However, as the WHO’s director-general pointed out, the world is more prepared for a flu pandemic than ever before due to medical technology and rapid electronic communication so that more information is readily available about the pandemic situation.

In the last two days, GraVoc has made an attempt to reach out to customers and the public to alert them about taking appropriate measures in accordance to pandemic event response policies.  With the alert level raised to Phase 5, the urgency of pandemic planning becomes more critical.

Organizations must plan very quickly how to cope with public fear and how to help customers prevent the spread of influenza by offering services and products through locations and means of communication that do not require face-to-face contact.  Plans should be in place for communication with public officials, service providers, the media, employees, and customers so that business can continue uninterrupted despite a crisis that could result in a significant economic impact.

Furthermore, organizations should be in the process of finalizing their pandemic response plans, because the threats are no longer theoretical, but very real.  Avenues should be in place for immediate activation of a pandemic response procedure, and organizations should consider the costs and benefits of whether the procedures should indeed be activated.

GraVoc Associates, Inc, based in Peabody, MA, has substantial experience in helping organizations design business continuity and pandemic event response planning.  In this time of crisis, we are frequently updating the GraVoc News Blog (http://gravoc.blogspot.com) as we aim to help.  If you would like further assistance in preventing business disruption in the event of a disaster or a pandemic event, we strongly encourage you to contact GraVoc’s information security team at 978-538-9055.  We are committed to helping our customers’ bottom lines, and making sure businesses continue their processes as normally as possible is a crucial part of enhancing long-term profitability.