Redmond, Washington-based Microsoft officially released Windows 11 on October 5, 2021. In a blog post, the lead project manager expects the operating system successor to nearly seven-year-old Windows 10 to be widely available by the middle of 2022. I’ll admit, the “geek” in me couldn’t resist the siren call of a shiny new object. So, I spent less than half an hour downloading the 5.1 gigabyte file and an equivalent amount of time creating a virtual machine environment (running under Hyper-V) on a test Windows Server.

The installation was speedy compared to previous versions of Windows, even though the source file was on a USB drive. The initial phase after installation, commonly referred to as the “out-of-box experience” (OOBE, pronounced “oo-bee”), was pleasant and easy. No muss and no fuss getting to the initial Windows 11 desktop.

Here is a brief overview of some of the new features in the latest iteration of the Windows operating system.

First and foremost is that the Windows Taskbar is now in the center of the screen. I’ll call this blatant effect mimicry (or stealing) of Apple’s Dock, found in all Mac devices since 2001. This change may not be creative, but it is certainly different. This is especially apparent when for more than two dozen years, ever since Windows 95, Windows users have been accustomed to moving their cursor to the lower, left-hand corner to access the Start menu. Now it is in the “home” position – meaning the left-most spot – on the Taskbar. Now when you click it, the Start menu opens in an entire window in the center of your screen instead of sliding up an extensive menu. According to Microsoft, this sleeker, more straightforward screen gives you a better overview of the available features and programs to make it easier to accomplish your work (or play). Over time, the apps you use most frequently will take their place in the Recommended section.

New to Windows 11 is the confluence of several individual components that Microsoft thought would be useful to consumers. This item is Widgets, which includes news headlines, weather, stock information, and sports. Each item displays current information based on your location. You can change the size of each widget and customize it by clicking the three-dot menu icon in the upper right corner. You can add more widgets based on your preferences to the display. The privacy implications of all the Widget telemetry exchanged between you and Microsoft is a discussion for another newsletter. Also, I don’t know the corporate equivalent of this feature, nor if Group Policy can eliminate it.

Another change is what Microsoft is calling Snap Layouts and Snap Groups. In Windows 7, you could snap one window on each side of the screen by clicking on the window’s Title bar and rapidly moving it to the right or left. Windows 10 maintains this capability, and Microsoft expanded the concept with the Task View (described in the August 2019 edition). The purpose of this new functionality is to let you design how many open windows you want at one time, what they should contain, and where you want them to be positioned. For instance, you might wish to have an Excel spreadsheet open on the right-hand side of the screen, and your email client and an internet browser open, stacked one above the other, on the left-hand side. You can then save this layout to a named group and call it up when you want all three apps to open at once. Windows 11 gives you the ability to resume where you were working when you click on the link to the layout.

As you might have guessed, having all these apps open simultaneously (never mind saving their condition to restore them quickly) is going to require more memory than ever before. Most of you have been very comfortable working with 8 GB of RAM (memory). In some cases, I have given “power users” 16 GB of RAM. If you plan to use this feature extensively, I may have to double the amount of memory in your computer. Only time – and practical usage – will let me know if this will be a problem in search of a hardware solution.

The last element of this first peek at Windows 11 is Microsoft Teams integration. Teams is Microsoft’s equivalent of Zoom or WebEx. Working from home – or from anywhere, really – will continue to be part of our culture for the foreseeable future. Microsoft fully believes that a dispersed workforce is inevitable, so it placed this icon in a prominent position. After all, what could be easier than clicking on an icon to launch a discussion with co-workers or colleagues? I expect that as time goes by, probably with the first annual Feature Update, Microsoft will provide more integration with the corporate version of Microsoft 365 and Teams.

Over the next two years, I’ll be giving you more information about this new operating system. But, as I’m sure you realize, it is still Windows. Most of you use the operating system for probably opening a browser to get your mail and see what’s going on with your friends, family, and organizations on Facebook. All the bells and whistles don’t mean much to you – I get it. It’s just that Microsoft doesn’t feel the same way.

An inside look at Heliotropic Systems’ operations.

I spend a significant amount of time every month learning about new and improved technology and products from the vendors with which I partner. These vendors include familiar names such as Lenovo, SonicWall, Xerox, APC by Schneider Electric, SentinelOne, and Microsoft. Most of the solutions I obtain from these vendors are designed to help keep you secure while using your computers and network devices.

In the middle of September, I took a mere moment to look up an existing part number. I ended up spending more than 12 hours consuming a ton of new information to offer a more secure business solution. Let me explain.

I keep extensive lists of all hardware components for each of my small business clients. One of those components is a Network Management Card (NMC) found in higher-end APC UPS battery backup devices. NMCs manage, maintain, and report on the condition of the UPS device to which they are connected. I program NMCs to send email alerts when conditions differ from normal (e.g., electrical issues, or battery problems). I also use them to update the device’s firmware with security enhancements.

I was adding new equipment to one client’s Excel spreadsheet, and in doing so, pulled up the corresponding page in another client’s spreadsheet to copy over as a template. I noticed I had not filled in one attribute on the existing spreadsheet, so I logged into that client’s server, pulled up the component in a browser, and highlighted the attribute to copy it to the clipboard. As I did, I noticed that I had not rebooted the network device for more than one year.

That was very strange because I thought I had an Outlook reminder to update the firmware of these devices annually. It should have kicked off at the start of June. But after I looked through Outlook and confirmed the calendar entry, I reviewed my daily activity logbook and discovered I had not done the work. Several issues interrupted my day, and I lost track of the task. (Yes, I admit, that was very sloppy, and I’m pretty embarrassed about it.)

Read More →

Imagine receiving an email, delivered to your business email address, offering a “Partnership Affiliate Offer.” Would you open it? Oh, come on, of course you would! Your curiosity invariably gets the better of you all the time. But when you read this email, you pause and then shudder. What the heck? Here’s the offer:

If you can install and launch our Demonware Ransomware in any computer, company main Windows Server, physically or remotely, (there’s) 40 percent for you, a million dollars for you in Bitcoin.

A researcher at Abnormal Security engaged with the bad actor behind this poorly written email offer for several days. The researcher documented how he tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he was building.

Funny, right? Unfortunately, Business Email Compromise (BEC) or CEO Scams in which crooks, mainly based in Africa and Southeast Asia, spoof communications from executives at the target firm in a bid to initiate unauthorized international wire transfers are bigger business than the blitz of ransomware attacks that have made headlines recently.

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams increased to more than $1.8 billion in 2020. These extortion attempts have proven to be highly profitable for cybercriminals.

And, of course, it is incredibly humorous that this latest cyber scam is authored by a Nigerian because the classic email scams began decades ago. Referred to as the “419 scam” (because of the area code), the “Nigerian prince” emails requested your assistance because of a will or lottery win. If you were willing to engage in helping the email author obtain the funds, you’d be rewarded with a percentage of the total amount.

What I found amazing while researching this article is that these 419 emails continue in only slightly modified formats to this very day. That someone has taken the initiative (albeit warped) to reboot this for the Bitcoin era is not surprising — but enterprising.

Bottom line: Be extremely careful of unsolicited email offers!

Kaseya had a bad July. The vendor, who sells solutions to Managed Services Providers (MSPs), learned over the July 4th holiday weekend that some servers running their software were taken over and distributing ransomware to the clients that were being managed. Kaseya has two offerings, on-premises (server-based) and cloud-based. Usually, MSPs who have the resources to run their own data centers employ server-based solutions. So that means the clients will be of high value to bad actors, which was precisely the case.

As I wrote in an email shortly after the attack became public knowledge, Heliotropic Systems does not use any Kaseya products (server- or cloud-based). We use products from ConnectWise for monitoring your computers and remotely accessing them. These are both cloud-based offerings, and ConnectWise has been very transparent in letting partners know what flaws have been identified and when they are corrected.

No software is exempt from bugs. After all, people code the programs and do not necessarily consider everything when designing and developing those programs. Yes, there are Quality Assurance teams that are supposed to test the programs — but they are only as good as the instructions they receive in terms of what the test cases should be. And not all possibilities are (or can be) tested.

The news is now filled with stories that malicious actors are targeting more and more small businesses because they think the “work from home” population is getting lax with their security consciousness. There is a movement within my industry to implement what’s called the “Zero Trust Initiative.” (Note, Marvel fans, this is not another Avengers movie). Zero Trust is not a product but a concept, and what it means is this: Every object in a network is identified, and every person with access to anything is identified. Then, rules are established to define what access level each person has to those objects — and when those rules are to be invoked.

Here is a simple example. Madeline and Roland are employees at Total Prepared Foods. She is an inside salesperson who is responsible for calling on existing clients. Her computer accesses the cloud-based Customer Relationship Management (CRM) system to perform her daily tasks. He is an accountant who works with the payroll system and handles the firm’s online banking.

In a Zero Trust environment, the hours that both employees work are known. The CRM software Madeline accesses has rules regarding what aspects of the program she’s allowed to see (e.g., client information but not payroll). Roland can access the payroll system but has no access to the CRM system. The network knows who logs in to which computer. It also knows which external Internet address is supposed to be used when she remotely connects from home. If someone — or something — tries to access her computer in hours when she is not authorized to use it, an alert is sent. More importantly, because Madeline’s computer requires two-factor authentication, a bad actor would not have access to the token on that device. Similarly, Roland does not have access to the payroll system except from his office computer, which is not authorized for remote access.

Previously, most believed that protecting a business had to occur from the outside in. Now, it is becoming evident that companies must be protected from the inside out. I am going to take two actions before the end of September to begin a journey toward zero trust. The first will be to ensure that no computer user at any client site has administrator privileges (meaning they can install programs). The second will be to add a new product to the SPF+ and SHADE subscriptions. This new product is a browser extension that should stop anyone from getting to a fake website if someone inadvertently clicks on a link in a phishing email. Combining a limited user desktop experience and a program to thwart potential problems, will make you much safer.

I received a phone call from a client who said that her laptop was running exceedingly slowly — even more so than usual. So I remoted in to take a quick look. I found a new icon on the taskbar that looked like a fat, folded Sunday newspaper. By way of definition, the taskbar contains the Start button, icons for pinned and running applications, and a system tray area that contains notification icons and a clock.

When I hovered my mouse over the icon, the tooltip said it was the Windows 10 News and Interests news feed. Once clicked, it opens a pane that displays various widgets that contain current news, weather, stock prices, and more based on your location. The initial download of all this “stuff” caused my client’s perception of slow response on her laptop.

I searched Google and after reading several articles, I learned how to eliminate this icon from appearing. Therefore, I am writing this article to teach you how to do the same thing when it “miraculously” appears on your computer.

But first, let’s be clear about one thing. Not one of you went and asked the folks at Redmond to install this. You didn’t explicitly agree to get the news, weather, and more on your desktop. And you certainly shouldn’t need to try — on your own — to figure out just how the heck to get rid of this intrusion. I don’t know what they were thinking. (Can you tell I’m annoyed by this nonsense?)

Here are the steps you can take to get rid of this and regain control of your taskbar:

  1. Right-click on any blank section of your taskbar. This will open the taskbar menu.
  2. Left-click the News and interests banner. This will open a fly-away menu.
  3. On the fly-away, left-click Turn off. This should disable this “feature.”

Now, I’ve read reports that the icon just shows up again after the computer is restarted. If you experience that, please let me know.

While you’re at it, if you see an icon that resembles a wristwatch, right-click that and select Hide. I don’t believe anyone needs the Meet Now function, a Skype quick meeting setup feature. If you still use Skype, you are usually talking to one person. When you need to engage with more people for discussions, you are most likely using Zoom (or Microsoft Teams).

I received an email from a client requesting help regarding a form his bank sent him to fill out because his bank detected a fraudulent attempt to access his account. They explained that the IP address of the failed attempt, which used his actual username, was located in Miami, Florida. My client lives in a town in Nassau County on Long Island.

It took a while before my client realized he had been locked out of his account for safety’s sake because of the fraudulent attempt. I get that. In a “normal world,” you’d ask that the password for the account be reset, you’d provide a new password, and you’d be back to online banking. But not with this bank. Nope, they wanted more — much more! They asked my client to acknowledge having taken one of the following options:

The hard drive of each computer was wiped clean and the operating system, as well as any software the Client utilizes was reinstalled. Thereafter, a scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s computers and no virus or other malicious software was found. [or]

Each computer was replaced with a cleaned computer. A scan utilizing proven effective anti-malware/anti-virus software was run on each of Client’s replacement computers and no virus or other malicious software was found. [or]

Client will access [bank name redacted] from a different computer/device and a scan utilizing proven effective anti-malware/anti-virus software was run on the computer and no virus or other malicious software was found.

The paragraph appearing before these options contained jargon that implied the computer itself had been compromised, thus warranting these extreme measures. But here’s the thing: that wasn’t the case here, and there isn’t any way to accurately determine when – or even if – this computer was the reason someone attempted to access the account.

I’ve written for years that name, email, and password information is readily available to anyone who wants it for nefarious means. Vast troves of data are inexpensive and they can pay off significantly if used maliciously. Anyone can go to to see if their email address is out in the wild. I found this client’s email address was in six data breaches.

With billions (yes with a “b”) of email addresses and passwords that can easily be cracked, less than honorable people miscreants then try to see if they can find other accounts that use the same credentials. Because, after all, most of us are creatures of habit (i.e., lazy) and don’t want to keep track of lots of different passwords.

After several discussions, I learned that my client used a specific construct for a username and password on different sites. It was an easy construct, something like joebob1823. While easily remembered, it is an awful security measure. How many sites was this used as a username? I didn’t ask. How many sites was this used as a password? Again, I don’t know. But if it was more than one, it was way too many.

Why? Because his email is associated with joebob1823, and joebob1823 is associated with a password for one of the compromised websites. Now, go to LinkedIn and see if this works to gain access to his account. Then go to Instagram, and Facebook, and all the social media sites. Next, try some common banks, like Citibank, Chase, or Wells Fargo. Then go after brokerage accounts, like Charles Schwab or Fidelity Investments. You see where this is heading. To a group of bad actors with nearly unlimited computing resources, this is child’s play. They set up scripts to run multiple iterations at various sites until they either gain access or the site stops them because of repeated violations.

What could help this client the most? That would be if his bank offered two-factor authentication (commonly referred to as 2FA). I explained it to him as follows:

You go to your bank’s website, supply your credentials, your username, and password, and click Enter or Next. Then, you must enter a code to continue. The bank can generate that code in several ways. For example, the back will call the phone number associated with your account, and an automated voice recites the numbers, one at a time. Or you can get an email sent to the email address associated with your account. You can then copy and paste that number into the field. Or you can use an app on your phone, such as the Google Authenticator. This app generates a series of random numbers every 45 seconds. Enter that number into the field, and you gain access to your account. The primary reason as to why this is a reasonably successful security measure is that this second form of confirmation is yours and yours alone.
Now there are known ways of spoofing every single one of those 2FA mechanisms. But they require more effort than most bad actors will use to hack an individual’s account. And using 2FA is much better than not having it. Surprisingly, my client’s bank does use 2FA, but it is not required. I am particularly livid about that when you consider what they want him to do to his computer because of the fraud attempt.

What else could help this client? The use of more sophisticated passwords. joebob1823 is not a rigorous or strong password. Using the University of Illinois at Chicago’s Password strength test (, it merits a complexity score of “Good” (although I disagree with that). There are many indicators on the results list that are red or yellow.

I suggested that he use a more complex formula to create a password, essentially using a phrase. For example, he has an adorable dog whose name is Lizzy. So, he could make a more complex password from the words, “Lizzy is a cute dog.” With minimal effort, this becomes Li##yI$@Cut3D06. Checking the complexity score, this received a “Very Strong” rating, and it only picks up some nits for repeating characters and numbers. But a simple dictionary attack is not going to discover this. And if it is used at only one website, then the likelihood of its being compromised is lowered exponentially.

Oh, and before you ask, yes, you can write these down if you are at home. Some of you may ask why I don’t recommend using a third-party product to keep track of passwords. That’s because I have yet to find one that has a sure-fire mechanism of preventing access to your account information if their database is breached.

Takeaway: Ask your financial institutions how to set up 2FA on your accounts, and start to use more sophisticated passwords everywhere.

Thanks, and safe computing!

I read an interesting article on in early April. The borough of Englewood Cliffs is suing its former IT company, claiming the owner failed to handle archived emails properly when it moved to the cloud. The borough started working with the IT company in 2012, but it seems some things were not handled properly after ten years.
Aside from the missing emails, the IT company was accused of negligence regarding the police department’s network security. The suit also accused the IT company of permitting old computers, and running obsolete software in the municipal building and the police department.

The borough has a new IT provider, having fired the old one in February 2021. After I read the article, I went to the old IT company’s website. I guess the owner didn’t want any further contact with the outside world while this lawsuit plays out because it no longer appears.

The situation that has the mayor upset is missing emails from three town council members from a specific time in 2019 when there was some rancorous debate about the 700 Sylvan Avenue property (Unilever’s building). But how can that be? There should have been back-ups from that time still available if the IT company used “infinite retention,” which is what I would have done for a borough and mayor that has proven to be highly litigious. And if those backups weren’t available, there should have been the email server’s stand-alone backup before the migration to Office 365. Either one would be able to provide any (or all the) missing correspondence. Of course, if the IT company didn’t use a trusted third-party vendor to perform the migration (there are less than a handful who are truly skilled at this), then I guess…

Because reputation is everything in this business, I don’t know how the IT company’s other clients will react to the lawsuit. I know that simply trying to explain the circumstances – if he’s even allowed to – will occupy the owner’s time for months, or possibly years, to come. Now, if any of those clients need someone to take a second look at their network and computer systems, I stand ready to see what is – or isn’t – being done to provide the best, most affordable monitoring, security, and backup solutions. (I’m looking at you, the borough of Leonia, because you engaged with this IT company too.)

A home user client forwarded an email requesting that I read it and advise him about the contents.

With the subject, “Important: Don’t lose access to your email account,” the email, purportedly from AOL Broadband Member Services, contained a reminder about a change in how the parent company, Verizon Media, was going to handle data. The email urged the recipient to review the new rules and went on to warn, “otherwise you will not [sic] longer have access to new email.” The center of the email contained a bold link to “Review and agree now.”

Of course, this email was a classic phishing attempt; however, anyone would have thought that the page was a legitimate AOL page upon clicking the link. The coding behind that web page was identical to AOL’s own. The only subtle difference would happen after a person entered an email address or user name and a password.

I didn’t take my experiment any further because I could see from the website URL that this was not a valid AOL page. The address was That was the final clue that convinced me this was not a legitimate email.

Weebly is a web-hosting service that lets you develop your own website. Because it is owned by Square, the payments processing company (Heliotropic Systems uses Square), it is designed to let people build e-commerce sites quickly and easily.

It did not take me long to discover the appropriate division to submit a complaint about this particular abuser’s website. I included a brief description of the problem and sent back a copy of the original email after receiving a confirmation of my case. The good news is, less than 24 hours after receiving the request from my client, the bogus website had been removed from Weebly.

Lesson to be learned: If you think the email you received is suspicious, don’t click anything. Forward it to me for review, and I’ll let you know if it is safe to proceed or delete. Please don’t think, for one minute, that you are bothering me when you do this. I’d rather take a few moments as a precaution than to take hours (or more) later to clean up a mess.

In this case, the consequences for someone who depends on AOL for email would have been a new “silent partner,” diligently reading their emails to harvest personal information — the first step towards identity theft.

In March 2019, Microsoft introduced the public preview of a new cloud-based form of the Windows Operating System. It is called Windows Virtual Desktop, or WVD. It is a desktop and application experience that runs in Microsoft’s Azure cloud. Now, after a full year of pandemic use, Microsoft has improved the overall aspects of building and maintaining the desktop for IT Solutions Providers. For those who use the desktop, that experience has been significantly overhauled as well. You wouldn’t know you are using a cloud-based virtual desktop if you didn’t click a unique icon to run it.

What does all this futuristic technology mean? Well, for one thing, by the end of this year, I hope to offer WVD as an alternative to full-fledged desktop solutions along with Azure as a server replacement. In a few years, the typical five-year desktop and seven-year sever hardware refresh may fall by the wayside for small businesses. That’s because it will no longer be about how much RAM or the version of the CPU in a physical computer. Instead, it will be about the number of IOPS (input-output operations per second) and the overall internet speed at your business location.

The primary advantage of WVD is that you can access your business desktop from any device with a web browser. The login process uses multi-factor authentication for security. You connect to your business’ Active Directory server, which contains your user profile information. You get access to the full range of Office applications via Microsoft 365 and standard desktop applications like Adobe Reader and even QuickBooks.

One of the primary tasks Microsoft had to face at the start of the pandemic was to provide a “near-desktop” experience for millions of people suddenly working from home. They implemented new technology to enable fast access to user profiles via a recently purchased company called FSLogix. At sign-in, a user profile container is dynamically attached to the computing environment. The user profile is immediately available and appears on the system exactly like a typical native user profile. (In English: your desktop, files, and favorites are all there, just the way you expect.)

The one drawback to deploying all this cloud-based functionality is, the smaller the business, the higher the monthly cost per person. That’s because to use WVD, you need an Azure server — and that cost is the same whether you have two people in your office or ten. However, the monthly cost for a two-person office could be $200 per person, while at a ten-person office, that cost could go down to $50 per person. Note these figures are examples, and actual prices require careful calculation.

There is a vast educational factor involved in implementing this new technology stack. Previously, I would go to the Dell web site, configure a server with minimal specifications and have it shipped to my office for about $1,000. I would then use my Windows Server licenses (courtesy of my Microsoft partnership) to load up a base system. I’d create virtual versions of the servers and desktops to develop various end-user scenarios, implement the appropriate security settings, and thoroughly learn how things worked before deploying any of them at any client site.

Microsoft will let me do something similar with Azure and WVD. Still, it requires using their facilities to spin up the environment, build the desktops, create the simulated users, and test how everything hangs together. I am already in contact with a leading vendor that is willing to assist building the requisite cloud structures in this new format and help me price and deploy environments to clients. I would much rather work with a Sherpa to climb a mountain like this than do it on my own.

Over time, I envision many small business owners who want to keep their staff working from home will switch to using WVD to provide Windows desktops in those remote locations.

In the evening during the last few weeks of a rapidly fading 2020, I sought some mindless solace watching the Discovery Network programs “Holmes on Homes” and “Holmes Inspection.” (Some of you may recall my writing about these shows in the Spring 2011 edition.) For those of you who are unfamiliar with this unique reality-show creation, I provide the following synopsis.

Mike Holmes is a licensed building contractor based in Canada. Over the years, he worked on numerous projects that increased his ire at the shoddy workmanship of Ottawa-based buildings, contractors, and home inspectors. He developed a TV series where he would work with victimized homeowners, review their problems, propose solutions, and, in his trademark phrase, “Make Things Right.”

Simply put, Mike Holmes is an entrepreneur. He developed a unique selling proposition, found a way to identify pain points common to the people in that niche, and provided a means to solve those problems. Similarly, I view a large aspect of my work at Heliotropic Systems in the same way.
Over the past ten years, I have met small business owners with computer systems that they purchased and supported on their own, some who have been helped by Staples or Best Buy employees, or (in rare instances) other IT solutions providers. Invariably the number of computer problems these business owners experience reaches a point where they cannot function properly, or they realize they require more experienced assistance. As a result, I get a call for help.

And yet, there are some calls for help that never result in an ongoing relationship. Looking back, I can recall one specific instance where the business owner was not interested in obtaining the requisite support needed to make their life – and their business – better. Mike Holmes only shows the successes on his TV programs, not the failures (although that might make for an exciting show on its own). But sometimes it is important for me to point out where I have dropped the ball – because that’s when I learn about how to be better.

In this case, a provider of health care solutions for older adults asked me about an anti-malware solution. I informed him that my answer to his question depended on whether he was using the consumer version or the business edition. He didn’t know which version he used, so we arranged for me to visit his office to conduct a network survey so that I could answer properly.

When I arrived, he explained how he had set up his office and his computers. He explained that the software he and his staff used was cloud-based. He showed me one of the computers and listed the software. He was certain everything was okay because he and his team had experienced very few problems.

What I saw was vastly different. Here was the owner of a healthcare-related business, which meant he was supposed to follow HIPAA guidelines. I started by asking about the results of his HIPAA Risk Assessment (the first step required for compliance) and his internal documentation. I learned he didn’t do the assessment and didn’t have any documentation. His network did not have a firewall. His computers ran the Home edition of Windows 7 and Windows 10, not the Professional version on which settings needed to be established for HIPAA compliance. His security software was a consumer version, as was his anti-malware software. He did not backup the files stored on the computers that were not associated with his cloud-based product. The computer hard drives were not encrypted (nor could they be on the Home version of Windows). In other words, his situation was a hot mess.

When I presented my findings to him a few days later – and spoke of what it would take to become compliant – I realized when his jaw dropped that I had failed in a significant way. You see, in the initial meeting, when I saw all those “red alerts” around the office, I got distracted and immediately slipped into my “tech support red shirt” mode. I neglected to take the time to ask him what his current and expected IT budget was. As it turned out, he didn’t even have an IT budget. Like the omnipresent Liberty Mutual commercials (as I said, I was watching a lot of TV), “he only paid for what he needed.” So, he couldn’t begin to fathom the amount of money I was proposing to upgrade this office’s computer network — an effort I call “technology stabilization.” Nor could he envision an ongoing, monthly expense to maintain that heightened managed security posture. And he certainly wasn’t willing to step up his game to comply with all necessary HIPAA regulations.

I tried – over the next year – to convince him that paying a HIPAA violation fine to the Office of Civil Rights (OCR) would be far more expensive than doing the right thing. But he had safely stayed beneath the radar for so long that he felt comfortable “saving money” by not doing anything. Eventually, I stopped sending him further entreaties to help him out.

What lessons did I learn from this experience? I always ask a prospect what their IT budget is, and what they think it should be. I always make sure to set appropriate levels of expectation afterward. I always follow my checklists faithfully so as not to forget important steps. I always aim to learn if a business owner places a high value on having reliable processes and procedures to manage their network and computers. The last thing I need is to have a constant fight each time I introduce a new feature to protect a business. And I always aim to “Make Things Right,” just like Mike Holmes.