Blog | Jason Palmer, CPA, CITP

Securing your Digital World with Passwords

August 15, 2012 By Jason Palmer Leave a Comment

This is a test: Grab your nearest digital device that has your personal information on it. That would be your cell or Smartphone, iPad or Android Tablet, notebook or desktop computer or iPod/mp3 player. Touch the screen or tap the keyboard to wake it up.

Does it ask you for a Password to proceed before you can access it?

If “Yes”, congratulations, you passed and understand the importance of taking as many precautions as possible to keep prying eyes out of your personal data and digital world.

If “No”, then the next question to you is “Why does your digital device not have a Password set?” Would you leave your car unlocked on the Street? Would you leave the front door of your house or apartment open so that anyone could just walk in and look around? Well, would you?

If you secure every aspect of your physical world with locks, keys, and combinations, why would you not think to do the same for your digital world?

Password security is not just for your online web accounts. Password security should be engaged and used everywhere it is supported.

I am sure that some of you have lost your cell or Smartphone. Without a Password set on the device, whoever found it immediately had access to your entire address book: every name, every phone number, perhaps full addresses, possibly birthdates. In this address book list there are probably sensitive contacts like your Doctor’s, Financial Advisors, and Attorney’s. If you are like many people, in the NOTES section, some contacts may have Account Number and (hopefully not) Password and access information to these accounts. But we are just getting started as we are only considering the wealth of information in the Address Book/Contact List. In the wrong hands, this is an identity thief’s dream.

If you have a Smartphone, every text message sent and received and every email for approximately the past two weeks is fully visible. If the person who just found your phone is a criminal or identity thief, he or she might send an email or text message that appears to come from you fraudulently asking for “assistance” to one or more of your contacts. (A popular scam is to claim that “you” are in a bad cell zone and can only text, have lost your wallet, and can “your friend” please send $100 via a wire service or mobile payment service.)

Your Smartphone most likely connects to an App Store – either the iTunes store or the Google Play store. This person may now be able to obtain additional personal information about you from Apple or Google and possibly credit card information which can then be used to break in to other accounts at other web sites discovered from your Contact/Address Book list.

The above scenarios hold true for most iPads, Android Tablets, iPods, and mp3 Players that have a contact list, email capability, and connect to any kind of App Store.

With a Notebook Computer it only gets worse: Your portable computer has all of the above and plenty of bonus content for the person who finds it. The computer will most likely contain sensitive documents. If you only have a notebook computer and no desktop computer, then it will contain your entire body of digital knowledge: Every letter, proposal, memo, spreadsheet (i.e. Expense Report, Income Information), Business Plan, poem – just about every piece of digital content you have every created will be on this one device. But wait, there’s more: Every picture you have ever downloaded from your phone or camera: you, your family members, places you have been, all of your friends, and pets. This may seem innocuous but for professional thieves, the photos may reveal additional physical targets for burglaries. (Fluffy might become pet-napped and held for ransom.)

If you are a person who accesses a corporate network, which probably does use and require a Password, and that Password is stored in the access application, DING, DING, DING – it is the Mother of all Pay Days for the unscrupulous individual who is now in possession of your notebook. That person potentially has full, unrestricted access to all of your company’s sensitive information. This time it includes not only documents but may include corporate financial information and detailed personal information about clients of the company.

Finally for the Lightening round: I am virtually positive that many of you have your Apps set for “auto-login” where your User Name along with your Password are stored in the App. (If a web site, the user name and password are stored in the Web Browser.) You have just given the person in possession of your digital device the “Keys to the Kingdom” of your Digital World. He or she is now capable of viewing (and manipulating) your Social Media, WebMail, eCommerce accounts and any other web site that has stored access information.

As you can see, for lack of taking a few extra seconds to enter a Password every time you pick up one of your digital devices, you could be needlessly exposing your entire digital world and putting yourself and those around you at extreme risk.

You lock your physical world. Lock your digital world too.

Set a Password on every device that supports the use of a Password.

For some guidelines on setting strong passwords, read my articles, “Strengthening Common Passwords” and “A Complex Password may not be a Strong Password.”

Technical Tip: If your device supports the use of a Swipe Pattern instead of entering a combination of numbers and letters as a Password, definitely use a Swipe Pattern. (A Swipe Pattern allows you to use your finger to draw a series of lines across the screen in a specific order to unlock the device.) Hackers can use automated programs to guess at the number and letter combinations which make up a Password. As of this writing, similar programs do not yet exist to crack a Swipe Pattern on a digital device. Although if a program did exist, most phones would still lock out all further attempts after a certain number of failures. It was reported in March of 2012 that even the FBI could not get in to a phone that used a Swipe Pattern to lock it. See more on that story here.

A Complex Password may not be a Strong Password

August 14, 2012 By Jason Palmer 2 Comments

Just because your password meets complexity requirements does not necessarily make it a strong password. It is a given that many sites require you to have a password of a minimum length of at least six or eight characters. Some go so far as to require the addition of a number and at least one upper case letter. At first glance, this gives the appearance of a complex password that, in theory, should be harder to crack. If we consider a blind brute force attack that starts at six characters with “000000” and cycles through every combination of upper and lower case letters and numbers through “zzzzzz”, this is essentially true.

The problem is that automated password attacks have become intelligent in the sense that hackers have added “Pattern Matching” and LEET algorithms. (LEET refers to the substitution of a character in a word with a corresponding number or special character. Read more about LEET in Wikipedia here.)

In my article, “Strengthening Common Passwords”, I discuss that Hackers will look first to the most common passwords. For example, “123456” is first and “Password” is fourth on the list of common passwords. This fact reduces the need to even begin a brute force attack on your Password until thousands of common words, phrases, and numbers such as Sports Teams, Birth Years in the 1900’s, Popular Baby Names, Movie Titles, and Fictional Characters have been tried first through a pattern match attack.

This is just the tip of the iceberg in breaking a password that appears to be complex.

If we start with a common password, “yankees” and modify it to meet complexity requirements, it might become “Yankees1” which is not necessarily any more secure than if it were all lower case without the addition of the number. Applying “Pattern Matching”, what would be the most obvious “Pattern” modification to any common word (password) to meet complexity requirements? Answer: The capitalization of the first letter, which follows standard English Grammar rules and the addition of the number 1 or even 12. Even adding LEET so the password becomes “Y@nK33s1” is not really a significant improvement because the next “pattern” applied in the attack to the well-known password list will be LEET substitutions.

How many of you just realized that your own password that properly met complexity requirements is not nearly as strong as you thought is was sixty seconds ago?

A pattern match attack program will first try making common pattern modifications to its’ list of well-known passwords before it starts a brute force sequential search. This will significantly increase the chances of success with minimal increase in the time required to crack your password.

Some of you are thinking, my password is really strong, it’s “1234qwerUIOP”. “No one could possibly guess that password, right? Again, on a pure sequential, brute force attack, to break a twelve character, non-dictionary password is a very long time. If we look closely at this password we see that it is three groups of four sequential characters from a standard computer keyboard: “1234” are the first four numbers of the numeral row, “qwer” are the first four characters of the top row, and “UIOP” are the last four letters of the top row. In short, a common pattern used for a password.

In order for a Password to be strong, it needs to be more than complex. It needs to be sufficiently long and suitably random to be truly effective.

Before you decide to abandon all on-line banking and social media activity for fear that almost no password you could create could ever be strong enough to protect your digital accounts, keep in mind a few key issues: The above discussion applies to a hacker making a concerted specific effort to crack your password to gain access to one of your digital accounts. The likelihood that you will be a specific “high value” target is minimal. Again, I go back to my analogy that car thieves look for unlocked cars with the keys in the ignition.

The key take away is to make it as difficult as possible so that the hacker gives up after trying obvious well-known Passwords with or without Pattern Matching algorithms applied and moves on to someone else.

Follow best practices by trying to make your passwords sufficiently long with at least eight characters, use upper and lower case letters (if recognized as different by your particular web site account), always include a few numbers either as substitutions for letters (LEET) or as additional characters added at random places in the Password (do not just put at the beginning or end), and where permitted, try to do the same with special characters such as @ $ %! # by placing them at random locations in the Password.

As a closing example looking back to “yankees”, we can even make it reasonably strong by applying all of the techniques so that it becomes “y@!nk3#3s”. (Note that it uses LEET and adds in two special characters in random locations.) Even though we start with a very common password, “yankees”, a pattern match attack will most likely fail and the only option for the hacker will be to use a brute force sequential search.

Finally, you can also use “Patterns” to your advantage. (The Patterns which just capitalize the first letter, add a number 1 at the end or only use LEET on a well-known common password or dictionary word should not be used.)

In an effort to be able to remember your passwords you can create a non-obvious pattern to strengthen your common passwords: Perhaps you always add a # after the third letter and an ! before the last letter or instead of using a U in your spelling, you always use a V.

Anything you can do to be non-standard and appear random in creating your Password will afford you a reasonably high degree of protection from hackers who use common, pattern match and brute force password attacks.

Technical Note: The ability of a brute force sequential attack to succeed in cracking your Password depends largely on who is behind the attack and the amount of computer power brought to the task. A Hacker with a single computer may take months or centuries to crack your sufficiently long complex random password. A Hacker who has tens of thousands of zombie PC’s coordinating an attack will take significantly less time to be successful. If a Government Security Agency is behind the attack, with that amount of computer power, it might be a matter of hours or days to crack your password.

As scary as this all sounds, the provider of your digital account can go a long way to slow these attacks to a crawl. Many web sites will not allow another login attempt for a certain period of time after three to five login failures or will lock the account completely after five or ten login attempts. No automated attack can proceed if the web site will not allow a login due to failed attempts – human or automated.

Strengthening Common Passwords

August 13, 2012 By Jason Palmer 1 Comment

Raise your hands. How many of you are still using one of the following as your Password:

First Name Birth Date
Kids Name
Dogs Name
First Name Date of Hire
Password
123456
Yankees
Mets

You get the idea. A Password so incredibly obvious that you really don’t even need to write it down and stick it to the underside of your keyboard for a co-worker or family member to find it. (What? You think you’re the only person in the world who would think to hide their password under their keyboard?)

Since you refuse to make a genuinely strong password as discussed in my article, “Have YOU changed your Password recently?” let’s see if we can take your existing, incredibly obvious password and make it stronger.

Let’s start with the ever popular First Name and Birth Date. WALT1901 Yes, you do get partial credit for using both Letters and Numbers but fail because these are two pieces of information that many people who might want to get in to your digital accounts already know. I understand that it is very easy to remember. We can make is stronger with just a few minor improvements.

Let us combine the First Name with the Birth Date so that we take one letter from the first name then one number from the birth date: WALT1901 becomes W1A9L0T1 .

We can make this a little stronger still by changing the Letter “L” to a Number “1” so the new password would be W1A910T1 . Changing a letter to a number in this particular manner is a form of simple letter/number substitution called LEET. (Read more about LEET at Wikipedia here.)

A determined hacker who knows your name and birth date would figure this out fairly quickly as one of the few dozen combinations and possibilities. However, the simple modification above will keep out most nosey co-workers and family members who try the incredibly obvious first. (A brute force computer program could figure this password out in a matter of minutes because it is just letters and numbers.)

Almost any Password can immediately be strengthened by using LEET – substituting numbers or special characters for letters. LEET works well as a starting point.

Password becomes P@ssw0rd or P@55w0rd
Yankees becomes Y@nk335
Mets becomes M3t5

Unfortunately, these passwords are still very easy for anyone who knows what Sports Teams you follow to figure out. LEET substitution patterns are fairly well known. (I am ignoring for the moment if you are one of the tens of thousands who still use the word “password” as your actual “password” – LEET or not, you deserve to be hacked.)

In order to throw off those who might know that you like Baseball and may use Sports Team names as your password series, we need to add a special character and mix things up a bit.

If we take our LEET version of Yankees – Y@nk335 – and add an Exclamation point – Y@nk!335 – this makes the password extremely strong from a human attack and reasonably strong from an automated attack.

Going one step further: If we move the numbers to the front: Y@nk!335 becomes 335Y@nk! – this password is even stronger and again could most likely only be broken by a brute force automated attack. (A brute force automated attack is where the computer will keep trying every letter, number, special character combination until it is successful.)

I have demonstrated that you can hang on to your common, weak Password, so you can remember it, and apply a few simple techniques to make it significantly stronger. At the bare minimum, it is will certainly keep out noisy co-workers and family members. At best, it will make the brute force hacker’s work extremely hard to break in to your digital accounts.

A few thoughts on the selection of a Password and Strength:

Understand that every password, given enough time, will be found.

As discussed, someone trying to gain entry in to your digital account is going to try the easy, common passwords first. For example, “123456” is the most common password and “Password’ is the fourth most common password. A hacker is not going to have to use any fancy brute force attack to break in to an account with either of these two passwords. In fact, they will be the first and fourth passwords that the hacker tries to use to gain entry in to your account.

The point is that any hacker will have a list of well know common passwords that include Sports Teams, Movies, Celebrities, Comic Book Characters, Seasons, Fictional Characters, Playwrights, Composers, etc. All of these well know possible passwords will be tried first and in too many cases, will be successful.

Once you start to use Passwords that are not common and have the above techniques applied to them, you will force the hacker to use a “brute force” method of attack which can take an incredible amount of time to succeed.

Thieves like to take the cars with the doors left unlocked and the keys in the ignition.

Make sure to lock your digital accounts with a good quality password.

With a few simple modifications to your Password, you can put up enough of a challenge that most hackers will give up and move on (unless you are a specific target of an attack.)

The sites below have a combination of Password Quality Meters and the theoretical amount of time it would take for a brute force, automated attack to succeed.

NOTE: There are significant differences in the assumptions used to determine the difficulty level in cracking your Password.

DO NOT RELY SOLELY ON THESE TOOLS FOR GUIDANCE WITHOUT UNDERSTANDING THEIR METHODOLOGIES!

The three sites below take entirely different approaches to determining the quality of a Password.

Password Quality Test Tools

The Password Meter – Traditional Analysis based on Traditional Policy Theory
http://www.passwordmeter.com/

Pass Fault – Patterns Make Passwords Easy to Crack
http://www.passfault.com
Pass Fault – Analysis based on Pattern Theory
https://passfault.appspot.com/password_strength.html

Needle in a Hay Stack Theory by Steve Gibson and Test
https://www.grc.com/haystack.htm

Have YOU changed your Password recently?

August 12, 2012 By Jason Palmer Leave a Comment

Account Security is not like the Weather. You can do something about it. Almost weekly, someone reports that a Social Media Site, Content Provider, or Financial Institution has had a breach and that customer account information “may” have been compromised.

The absolute best defense against this insane level of carelessness is a good offense.

CHANGE YOUR PASSWORDS EARLY AND OFTEN.

This is an aspect of digital account security that is completely within your control.

The sites that care most about the security of your data force you to change your password on a periodic basis of no less than ninety days. If they do not force a periodic password change, take it upon yourself to change your password at least monthly. If they really care, they force you to use a “strong” password which generally means it is more than eight alphanumeric characters, must include at least one letter, one number, one special character, and is case sensitive.

Unfortunately, most sites feel that forcing you to change your password, even if for your own protection, is too invasive and not very customer service friendly.

Be honest. How many of you have NEVER changed your password on your email account? Facebook? Gmail? AOL? AIM? AppleID? Your bank account? Seriously? Never? Need I go on?

Stop reading this right now and GO CHANGE YOUR PASSWORDS. I will wait… Hmmm… still reading? Well then the least I can do is to give you some advice on creating a strong password.

As amazing as it seems, some Banks do not allow special characters as part of the password. (Special characters are punctuation marks like # @ $ ! % * . – anything that is not a letter or number.) Even without special characters, you can still make a strong password that will be difficult to guess and withstand a good number of basic hacking techniques.

Let us start by creating a password not from a word but from a phrase. Take the first letter from each word in the title of this article as a starting point. “Have You Changed Your Password Recently” would translate to HYCYPR. This is absolutely not a word in any dictionary which eliminates the possibility of a dictionary based hacking attempt. To anyone who is not you, the password looks like complete gibberish. (A dictionary attack uses an English Dictionary or a list of common words and tries thousands of them until it succeeds.)

Now, let us make it even stronger. We are going to substitute the some of the letters with their numeric position in the Alphabet. HYCYPR is going to become 8Y3YPR. H is the eighth letter and C is the third letter of the Alphabet. To keep with my own statement that a strong password should be at least eight characters, I will pad this with some extra numbers. The final password will be “ 8Y3YPR42 ” (Ignore the quote marks.) This password is now virtually impossible to guess and it is definitely impervious to a dictionary attack. By the way, I chose 42 as that is the answer to “Life, the Universe, and Everything” from “Hitch Hikers Guide to the Universe.”

Which bring up another point: Try to use a sentence, phrase or quote that is not common or attributable to your personality, likes, or habits. If someone knows you like Douglas Adams (Author of the Hitch Hikers Series) and has figured out how you assemble your passwords, this gives that person a starting point if you are being specifically targeted.

Now that you know how to make strong passwords, GO DO IT NOW for all of your accounts.

Take this opportunity to get one giant step ahead of the hackers.

Business Process Consulting – The Never Ending Development Event Horizon

August 10, 2012 By Jason Palmer Leave a Comment

“Life is what happens while you are making other plans.” In the same manner, Projects and System Implementations occur in phases that are subject to available staff resources, the seasonal workload, and budgetary constraints. Any of these issues can affect the event timeline to completion. The more granular the tasks and milestones, the lesser the impact of any one issue. It is expected that some delay will be introduced because of the number of people involved or because of unforeseen circumstances.

The Never Ending Development Event Horizon refers to what I call the Breeder Reactor Effect: As Staff start to use the System, new efficiencies in processes will occur. The System will introduce a new set of resources for the Staff to use in completely new processes. This will lead to the Evolutionary effect on the Business Process culminating in the realization of “I could never do that before” coupled with “I wonder if we can to this, too?”

As Staff start to discover and utilize the new capabilities, Staff will come up with brand new ways to continue to expand and extend the System. Each of these will create a new Project Event. Hence, the System is never truly finished as there will be constant improvements and enhancements.

For example, until the Smartphone was invented, it was not common to be able to send email unless you were at a computer physically attached to the Internet. So the ability to send email using the cellular data network was the planned feature of the Smartphone ecosystem. (Think Blackberry.) Then someone noticed that the Smartphone had a built in GPS (Global Positioning System) and developed a mapping and “directions” application. A completely new use that was never possible before the introduction of the GPS capability in the phone. One need only look at the Google Android and Apple IOS iPhone Smartphone operating systems to see that hundreds of thousands of new uses and applications have been developed proving my point of the “Never Ending Development Event Horizon.”

Projects and System Implementations take on an organic nature and continue to grow and evolve over time. If properly managed, they are constantly refined and enhanced so they never truly end their development life-cycle.

Business Process Consulting – Utilizing People Resources Effectively

August 9, 2012 By Jason Palmer Leave a Comment

Nothing is more of a mystery to me than the relationship between Management and Staff. It absolutely amazes me how Management and Staff will verbalize their criticism of each other among themselves but not to each other – at least not intentionally. The most interesting part is the view that either Management or Staff are incompetent, cannot be trained, and will not change. Building on a prior theme, I pose the question: “Is this perception or reality?”

My response to this dysfunctional environment, which I encounter more often than not, is to eliminate the Managerial preconceived notions of Staff capabilities by demonstrating their inherent abilities and value to the Project.

Fact: Everyone is doing their job at some level or they would be fired.

Fact: These are the Staff resources available for this project.

Management’s impression of Staff should not automatically be my impression of Staff.

When questioned about my “Get it done” attitude, I like to use this example: “I am behind enemy lines with this crew. Safety is twenty miles away through hostile territory. This is what I have to work with.” I will improvise adapt, and overcome – just like the US Marines.

Everybody has some level of talent, skill, and creativity. Everyone likes to feel like they are part of the process and that their opinion and efforts are valued. This is where Management mostly fails. It is what I call “Managerial Insanity” – working with Staff the same way, day in and day out, and expecting a different result. Management rarely wants input from Staff and certainly does not want to hear from Staff about how Management could do their job better.

As the Consultant, the key is to engage the Staff as part of the process which then motivates them in to action. The easiest way to get Staff involved and excited is to ask, “What is the problem (we are trying to solve) and how would you do it differently?” Even if the Staff are not creative thinkers, recognizing each person’s capabilities and using them within the limit of their abilities is perfectly fine – and gets the job done.

My Dad and I used to have deep discussions about people’s abilities. He always said that if the Student did not learn or could not perform the task, it was the Teacher’s fault. (You can substitute Staff for Student and Management for Teacher.) I always said, that there is a reason the Peter Principle exists, “Everyone rises to his level of incompetency.” Not everyone is infinitely capable. Understanding this fine line between the likelihood of being able to effect immediate change in the level of Staff capabilities (not very practical) vs. utilizing the current abilities of Staff to their maximum potential is the entire key to success and what I specifically try to do.

Unlike Management, the Consultant should be able to take inventory of the available skill sets of Staff and use them appropriately thereby maximizing all of the resources available to complete the Project.

With rare exception, every Staff person has something to contribute.

Recognizing that all people have value is critical to utilizing all Managerial and Staff resources effectively.

Business Process Consulting – Reviewing the Inputs and Outputs

August 8, 2012 By Jason Palmer Leave a Comment

When performing a Business Process Review, think of the Software System as a Black Box. There are usually a number of similar software products from multiple vendors available to resolve most operational problems. The specific vendor is not necessarily a factor as most offer comparable levels of service and support and are competitively priced.

The most important issue to consider is the usability of the system.

Considerations regarding the User Interface include: Are the screens in a modern Graphical form or are they more “Green Screen” Text Entry like? Are keyboard shortcuts available or must everything be done with the mouse? Are there Macros available for repetitive keystroke sequences? Will the software pre-fill fields with default information based on data entered in preceding fields? (If I enter in a Utility Bill, will the system pre-fill the remainder of the form by recalling the prior months’ transaction?) How many mouse clicks are required to perform various tasks? If frequent lookups are performed, what fields support lookup and which fields are indexed? Does the system support lookup by both Customer Name and Customer Number? Can you do a lookup/search in any field?

The ability to navigate the data entry screens quickly and efficiently is absolutely critical to productivity. Every time the user has to take his or her hands off the keyboard to reach for the mouse, time is lost. There needs to be a proper use of real estate on the screen balancing the number of fields presented vs. layout and readability. Confusing and crowded screens lead to data entry errors.

When searching for data, does the program use a “Word Wheel” so that as letters are entered, the lookup field starts to populate with possible choices? (This is similar to auto-fill when typing in to a Google Search box. As you type, Google makes suggestions.)

The most important aspect of Search: Does the software program organize the information in a manner similar to the process that it is designed to automate or replace? Many Companies organize records by Customer Account Name. Some software systems only support lookup on a Customer Number. If the software does not support searching by Customer Name, then it is not the right software package for our process. We want a software system that adapts to our way of data organization and not the other way around. Even if we need to create Customer Numbers for other purposes, the system should work the way we work.

It is easy to define the Inputs and Outputs.

We need only look at our Source Documents – Phone Orders, Order Forms, Bills, Payments, Customer Service Registration Information, Sales Leads, etc. to determine what it is our new software system needs to accommodate for the Inputs. Then, for the Outputs, we look at every Report and Document created or printed – Financial Reports, Checks, Packing Lists, Statements, Invoices, etc. (and any manual processes to get our Report Data.) A Review of the Operational Analysis will tell us what “wish list” Data and Reports are missing.

The key to a successful software selection and implementation is for each Department to define their ideal set of inputs (source data) and outputs (reports) and to make sure they are accounted for in the new system.

Since the desired Outputs represent a definite, tangible milestone for sign-off and acceptance, a positive outcome is virtually guaranteed.

Business Process Consulting – Mainstreaming Exceptions

August 7, 2012 By Jason Palmer Leave a Comment

Frequently when performing a Business Process Review I see that I am documenting multiple, recurring exceptions. In speaking with the employees I am told, “This is an exception because our present system does not allow me to do this process without…” and then they proceed to tell me all of the additional steps required to accomplish the task.

If everything is an exception, it becomes the norm and needs to be included in the new system.

Exceptions are really just shortcomings in current processes that do not allow for the required procedure. In some cases, exceptions are the result of not being aware of current system capabilities. Or, there may be new enhancements and features included in a recent system update that have not been communicated to the Staff.

Another exception is the frequent creation of Data Exports and Spreadsheets due to failures on the Reporting capabilities of the current system.

Data exports should only be created if they pass data to another system for additional processing. For example: After processing orders, a Data Export of Shipping Address information might be passed directly to a UPS/FedEx manifest system to create shipping labels or way-bills.

Spreadsheets should only be created for unique customized analysis events like litigation support or specialized one-time financial reports. If system data is frequently exported to a Spreadsheet for further analysis or customized reporting, those reports should become standard reports in the new system.

Exporting data either for transfer to another software program or to a Spreadsheet has the potential to destabilize the integrity of the data. While the data is in the system, it is 100% standardized. Formulas are set and calculations have been tested for accuracy. Once the data leaves the system and is placed in a Spreadsheet, Formula and Calculation errors can creep in. A row or column of data can be left out of one of the formulas or can be accidentally deleted entirely throwing off the accuracy of the result. (Where possible, rather than exporting data out and importing data in to another system, a real-time link should be created between the two systems so that data integrity is properly maintained.)

The most detrimental aspects of exporting data are that it localizes the analysis and reporting process to one individual or team and it may be difficult to reproduce the output/result with certainty by another individual or team due to lack of proper documentation. Once the data leaves the original system, it immediately becomes stale and out-of-date. Any change to the original data will not be reflected in the analysis and reporting process unless a new data export is performed.

When reviewing the Business Process, watch for exceptions, document the shortcomings of the existing system which require the work-around reporting, and make sure they are provided for in the new system.

To put the concept of an exception in context: We may think of something that has a “One in a Million Chance of Happening” as being a rare exception. However, something that has a one in a million chance of happening happens twenty times day at McDonald’s based on the volume of customers served. Twenty of something happening means that it can be identified and accounted for in the design and implementation of the new system.

The goal of good system design is to standardize any repetitive tasks so that predictable, consistent results can be obtained every time.

Business Process Consulting – Managing Expectations and Defining Goals

August 6, 2012 By Jason Palmer 1 Comment

Managing expectations and defining the goals of a Business Process Review with the intention of implementing a new system implementation is easy if you can separate perception from reality. Although Management and Staff must each give their own impressions and expectations of the current system as a starting point, this must be translated to tangible deliverables and goals.

Many times someone will vent, “The system we use is absolutely terrible”, (perception), when on closer questioning, (reality) “I cannot get one type of report”, is the specific issue that caused the blanket statement. It is easy for people to make gross generalizations. It requires digging and careful questioning to get to the root cause of the generalization and determine the specific issues – good or bad.

The mission is to line up impressions and issues in the current system against expectations and actual deliverables in the new system.

The easiest way to manage the implied expectations and define the Goals of the new system is to define the outputs, for example in these systems, the goals are fairly clear:

Phone System – Can I answer and make telephone call?
Accounting System – Can I produce a full set of Financial Statements
Inventory Control – Do I have real-time stock visibility?
Point of Sale – Do all items scan with minimal key code entry for bar code errors?

An underlying requirement is that the Project must be fully funded. Running out of money during an implementation or going over budget is a sure fire way to not meet Management’s expectations (on-time, on-budget implementation) and goals (a working system that meets the specification.) During the Operational Analysis, the issues raised need to be prioritized and evaluated. In some cases, the cost of a “perfect system” may be too high and certain solutions may be excluded from the new system.

The expectation and goal of any new system is that Management and Staff will be able to obtain the desired reporting from the data entered. In short, if the new system has a space for all of the different types of inputs (i.e. Order Entry, Bills, Customer Service Records, Cash Receipts, etc.) and can generate all of the desired outputs and reporting, (i.e. Invoices, Financial Statements, Sales Reports, Checks, etc.) then usually both the expectations and goals will have been met.

By meeting with each Department and making sure that their current and desired reporting requirements are met in the new system, you will have met their expectations (hope) and goals (actual deliverable.)

The failure of many system implementations is the extreme disconnect between what Management and Staff perceived the New System could do vs. what the Vendor actually disclosed that it would do.

In a real world example, I was brought in as a System Implementation Consultant. Contracts had been signed and significant payments were made to the Software Vendor prior to my arrival. In reviewing Management’s expectations and specifications, I determined that the new software could not meet three of the critical requirements that the Vendor had given the perception of being able to do in the proposal. In more direct terms: The Vendor flat out lied about the capabilities of the Software.

This was not fully acknowledged by the Vendor until the “checks had been cashed” and the only recourse for the client was to move forward or commences legal action. Not only did expectations have to be reset to a lower bar, but to work-around the issues, required tens of thousands of dollars of custom programming. (This caused an additional problem in that any future upgrades to the main system would require significant additional expense to upgrade the custom programming. The client could never install any new release without paying thousands in fees.)

Needless to say, this project was doomed from the start and only a marginal improvement over the existing previously, failed system implementation.

Make sure that the perceived capabilities of any new system line up with the realities of its’ actual capabilities.

If you properly align the expectation with the goal and reality with perception, the System Implementation Project will succeed.

Business Process Consulting – Technology Requirements Planning

August 5, 2012 By Jason Palmer Leave a Comment

One of the most important aspects of any System Implementation is the configuration of the computer hardware required to properly run the software.

The Software Vendor will provide minimum specifications to run the System but will usually offer little guidance on the optimal specifications. For example: The Vendor may state that the software runs on Microsoft SQL (or similar database), Windows Server, and a current Microsoft desktop operating system. As long as your systems are able to run those Microsoft products, the Vendors’ software will run properly. The Vendor will prefer that you look to Information Technology Professionals to determine the best configuration.

The Vendor shirking their responsibility to help you properly determine the best hardware configuration for their Software is a potential for failure of adoption and long term use of the new system. If the hardware is underpowered and that causes performance and usability issues, productivity will suffer.

There is a significant difference between “minimum” and “optimal.” You can watch a movie on a Smartphone (minimum), a Tablet (better), or a 60” Flat Panel TV (optimal.) The experience is completely different.

It is critical that the Software Vendor provide real world computer configuration recommendations based on the number of transactions expected for your Organization instead of just “minimum requirements.” Even selecting the right infrastructure software can have a big impact on the equipment portion of the budget. For example, Microsoft SQL comes in a variety of flavors: Express, Workgroup, Standard, and Enterprise. If your company is doing just a few hundred or even a few thousand transactions a month, the free version of SQL Express may be more than sufficient and requires significantly less computer horsepower than if you are processing tens of thousands of transactions per month. If the volume of activity requires one of the higher end versions of Microsoft SQL, that could add thousands of dollars of computer equipment, “infrastructure” expense.

The hardware vendor will only submit a proposal based on the minimum requirements provided by the Software Vendor. Understand that hardware vendors like to sell built in obsolescence to insure faster computer replacement cycles. There is no incentive for the hardware vendor to do otherwise since they only make money by selling more equipment, more often.

The Software Vendor may purposely specify minimal hardware requirements to keep the overall budget as low as possible or so that more of the budget is available to spend on Software, Options, or additional consulting.

This is where a Business Process/Systems Implementation Consultant plays an important role. Unlike the software and hardware vendors which take a myopic view of “just enough equipment to make the sale,” the Consultant will have the long term “Big IT Picture.” This includes the planned growth rate of the System and the desired lifespan of the computer equipment. The Consultant will insure that any budget considerations are not at the expense of long term performance.

In summary, when considering the Technology Requirements for the System, it is critical that all parties be at the table: Software Vendor, Hardware Vendor, Internal or External IT Staff that will be responsible for the on-going maintenance of the System, with the Business Process/Systems Implementation Consultant as the moderator of the Conversation.

Remember, the Business Process/Systems Implementation Consultant is the only truly independent person whose sole mission is to represent the best interests of you, the Client.

« Previous Page