Friday, January 16, 2009

19 Critical Security Updates

On a recent trip to Beijing, I put aside time to meet with a friend from the USA who recently relocated to Beijing to work for an MNC as the director of business development.
I was curious about how he was doing and I was looking forward to some fresh tips on how to sell to the Chinese.
We planned to meet at a hotel that was in a central location for both of us.
I arrived at the hotel first; traffic was bad that day so I knew I had some time to kill. I ordered a scotch, grabbed a copy of the China Daily Newspaper and settled into a large comfortable chair in the hotel lobby. I have always found hotel lobbies to be great places to seek shelter from the hustle and bustle of life in China.
I guess the sight of me talking on my Palm Treo (with a China Mobile SIM card) and emailing with my Blackberry (with an AT&T SIM card) with the copy of the China Daily spread across my lap was humorous to the kind lady serving me the scotch, judging from the big smile on her face and slight giggle.

About 20 minutes later my friend arrived. After our greetings he quickly pointed out that this hotel had free WiFi; this should have been the first red flag.
As he sat down he reached back into his bag for his laptop while saying “My IT dept can’t get my mobile phone to work with my laptop…Hey you’re an IT guy right?” As I tried to interject that I would not call myself an “IT Guy”, that I like to tinker with technology but that there are many great IT people out there, he quickly cut me off to say that his IT dept told him that the Windows-based phone did not work with the version of Windows on his laptop, which was XP Pro, and he asked me to have a look at it.
I thought, well, how hard could it be to sync his Windows-based mobile phone with his Windows-based laptop? After hooking up his mobile phone to his laptop via a USB cable, I thought, before I start to play with the settings, that it might be wiser to run a Microsoft software update first.
To my slight surprise the update report came back with 19 Critical Security Updates! My friend was in complete shock and went on about how his company prides itself on their security and blah blah blah. I semi-jokingly told him I was impressed that it was a legit copy of Windows, ha ha ha. He took my wisecrack way too seriously and went into this long story about how his company has very high standards and many other things I am sure he just learned about from memorizing their Mission Statement. At this point I was almost willing to hand the laptop back and reconfirm what his IT dept had told him; it was on the tip of my tongue, “Yep, they are right, it won’t work - wrong versions of Windows”, but then my need to solve problems won over my desire to escape.

After we laughed about the issue, I told him that this is a SERIOUS security issue and in China this issue must be on the forefront of every CIO’s mind.

So there I was STUCK in a hotel lobby that happened to offer free WiFi, updating and rebooting a laptop for over 45 minutes – before I could even get to the software updates needed to make this guy’s mobile phone work with his laptop.

An hour and 5 minutes later, my reward was seeing the director of business development for a multinational company say, “Oh goody, the phone is blinking, I think it might be working now”. Shortly afterwards he checked it and double-checked and said, “WOW, it is really working, that is amazing”, and my ego quietly patted me on the back.

So there is a whole lot of blame to go around for this problem, but instead of pointing fingers, I would like to explore how to prevent this from ever happening to your company.

I tell my clients that communication is very important and having staff from HQ on the ground in China is also very important for many reasons.

Of course the simple solution is to have tighter domain security based in the home country of the MNC. The simple question is – why doesn’t the China-based IT dept have their computers run automatic updates? I am sure many members of the staff come from an environment where every computer is not running a legitimate copy of software, so they simply overlooked this. The simple fix is to have them run automatic updates, but that isn’t the answer to the bigger problem, which is a communication failure. This failure more than likely bleeds over into other areas in the IT Dept as well as the company as a whole.

This serious security issue could have been avoided by having a standard operating procedure (SOP) for the IT Dept, providing structured training, having a routine rotation of Chinese IT staff going to the MNC’s HQ, as well as Senior Management from the IT dept going to China and performing an IT Audit on a semiannual basis, and monitoring the network from the HQ.
Rotating staff from your China office also helps in your retention of your local Chinese staff, but that subject will be covered in more detail in a different blog.
Clear, constant communication and cultural understanding are vital to any company wishing to do business in China. I also suggest outlining performance standards and the consequences of underperformance, and conducting audits on a regular basis.