Reseller Hosting | DynamicNet, Inc.
https://dni.hosting
PCI Compliant, Secure, and Performance Optimized Wordpress Hosting

Service Suspension
https://dni.hosting/service-suspension/
Mon, 10 Dec 2012 14:00:53 +0000

Have you ever taken a sales call where you absolutely knew you could solve the prospective customer’s pain for a reasonable investment (that in the long run would actually save them money), only to have them drop their mouth to the floor and complain your solution(s) are too expensive?

The next time I get a phone call to go over hacker clean up, server hardening, or server administration where the prospective customer is more concerned over the $100.00 per hour rate than the problem costing them customers and potentially their business, I hope I remember to share this article with them.

Imagine reading “Service Suspension – Ongoing unanswered abuse complaints” and thinking to yourself, the person is in a jam… I hope they get someone who can really help them (maybe we could, not sure), then later on reading that the person who initiated the post also runs an “All you can Eat” (i.e. unlimited support tickets, unlimited labor time) server administration business where they advertise a long list of what they can do for you for just $15.00 per month. I guess they are so packed with work they could not solve their own problems.

Imagine, for just $15.00 per month you get “24/7/365 USA-Based Technical Support” plus “24/7/365 Server Monitoring (5 Minute Intervals)” of your servers plus “Guaranteed 15 Minute Response On Monitoring Alerts” and so much more… sounds like a great deal, right?

Now, I’m sure if you did a study of people who have heard and even believe in the quote, “you get what you pay for,” or variations of it, the percentage would be high.

Yet, how many actually do their homework to determine if something is really too good to be true?

For example, would you know right away that $15.00 per month for 24×7 coverage 365 days per year with a guaranteed response time of 15-minutes and unlimited administrator work (i.e. unlimited hours of work per month) was a deal too good to be true?

What if they removed the word, “unlimited,” and only included one hour per month? Would it then be more realistic?

In order to answer that question, what’s the going hourly rate for a server administrator? For a security administrator?

In the United States, for a server administrator, the going hourly rate ranges from $30.00 per hour to $52.00 per hour; for security administrators, the hourly rate ranges from $38.00 per hour to $56.00 per hour. In both cases, that doesn’t include benefits.

If a company is saying you get even just one hour for $15.00 when the going rate for an experienced party is $30.00 to $38.00 at a minimum… get the picture?

You might get marketing speak that the employees multi-task and can work on many tasks at the same time… but isn’t that like someone who worked 2,000 real hours putting down 6,000 billable hours?

What are your thoughts on this subject? Did you purchase time thinking the rate was good or even average only to find out you were taken in by a “too good to be true” event? Let us know your thoughts below.

Lessons learned from an Internet outage
https://dni.hosting/lessons-learned-internet-outage/
Mon, 12 Nov 2012 14:00:12 +0000

We currently co-locate a small number of servers for off site backup as well as anti-spam appliances; this is part of our Think Local initiative.

Just after the ceremony of our daughter’s graduation from culinary school, I was paged with the message that Internet connectivity to the facility was down.

I was able to verify the loss of Internet connectivity as we drove home; and then it became the dance between getting updates from the co-location facility in Lancaster, PA and providing updates to our customers.

This was the very first major outage the co-location facility has had in years; and the very first outage that we have experienced since becoming their customer a little over two years ago.

The outage started shortly after 5:00 PM Eastern Time, and as it started to head past 11:00 PM, we were faced with the following issues:

  1. Off site backups would fail (as the backup server in Lancaster, PA could not reach out to the servers for which backup is scheduled).
  2. Email to our customers that goes through the anti-spam appliance would bounce.

Thank Jesus, we did have a Plan B for the mail appliance.

We would redirect the MX (mail exchange) record to point directly to our mail servers rather than the anti-spam appliance. While there would be an increase in spam delivered, at least mail delivery would have minimal impact.

While we did wait as long as possible to see if we had to implement Plan B, we ended up doing so shortly before 3 AM Eastern Time.

Thankfully, connectivity with the local co-location facility was restored around noon time the next day; and we were able to shift gears back to the anti-spam appliance… and we only lost one day of backups.

While we had Plan B planned out, we got to experience the hiccups (oh, we forgot about customer abc that routes to a different mail server); and we updated our documentation in case Plan B is ever needed again.

The moral of this story raises the question… what’s your plan B for when there’s no Internet when you need it?

Please share yours in the comment section below.

 

Customer Service 101 Relationships > Being Correct
https://dni.hosting/customer-service-101-relationships/
Mon, 22 Oct 2012 13:00:45 +0000

Most small business stewards provide customer service as well as receive customer service as part of wearing many hats.

I really appreciate being on both ends of giving and receiving as each encounter is an opportunity to learn, to adapt, to change, and to improve.

Part of that picture is hearing and seeing something you know makes sense and is true, and then growing into it (i.e. I know, I know… but don’t do… then ah ha… put it in action, silly).

One of the customer service 101 lessons involves being technically correct, but presenting the situation in a way that devalues the relationship.

In every relationship, you have choices. You can choose to always be right (i.e. technically correct), or you can choose to be in a relationship. If you value long term relationships like me, you will do your best to focus on the relationship rather than who is right and how often.

Every encounter you have with your customers, your employees, your partners is an opportunity for you to establish (or re-establish) relationship values or diminish them. The more they are diminished, the more likely the relationship will end.

Let me give you two examples. First is on the giving end, the second on the receiving end.

A customer puts in a support ticket about Spam Assassin incorrectly tagging valid email as being suspected as spam. In the email, the customer also complains about higher than normal real spam getting through.

A technically correct response might go into explaining Spam Assassin’s scoring mechanism, about white listing and how white listing only lowers the chance of tagging, etc. as well as just telling the customer to forward the actual spam that got through to the anti-spam appliance engineers.

A customer relationship response is to call the customer on the phone to go over the Spam Assassin settings, ask if it is ok to outright disable Spam Assassin (duplication of anti-spam — and in the particular case only tagging incorrectly), as well as go over the differences between the anti-spam appliance and Spam Assassin, and the benefit of training the system. Plus empathizing with the customer for the spam that does get through, both by disliking spam and by sharing that no system is perfect, including our own anti-spam system.

The phone call also allowed a check in on an upcoming trip the client is looking forward to taking along with making sure the customer understands how much they are valued as a customer.

On the receiving end, I tend to perform backups more than the average person, knowing the value of having a recent backup over an old backup or no backup at all. Some of the backups I take cover plan B and plan C for data recovery (do you have multiple plans for recovery in case your primary plan doesn’t work as intended?).

One of the backup methods started failing, and I opened a ticket with the data center whose private network I was using to do the backup to see if they could help.

All of the initial responses were technically correct. Yet, all of them ended with, if you don’t respond within four days, the ticket will close. The problem still existed. I persisted and literally asked for a hero to step up to the plate (I’m sharing this because my personal feeling is that not all customers will be patient and ask for a hero when there appears to be no hero; they may just move on). The partner did step it up several notches, and moved from being technically correct to providing alternatives, in-depth responses as well as viable alternatives and a phone call.

They were also open to passing along to the entire team about the differences between being right (technically correct) and being right plus promoting the relationship.

Please consider the following thoughts:

  • You are in various relationships between family, friends, work, et al.
  • Those relationships do matter.
  • Does it matter who is right how often or does it matter more to have a long lasting relationship?
  • As you respond to parties in your relationship is your focus about keeping and improving the relationship because the other party matters?
  • What can you do daily to step up to the plate and be a hero?

What are your thoughts? Please share in the comments below.

Web hosting questions you should ask
https://dni.hosting/web-hosting-questions/
Mon, 17 Sep 2012 13:00:24 +0000

More and more Web designers, IT (LAN, WAN, computer networking, computer repair) companies, and SEO (search engine optimization and search engine marketing) firms are offering Web hosting services to supplement their income.

Some of these companies do so on a referral fee basis, some on a business exchange basis (you scratch my back, and I’ll scratch your back), and some as a reseller (this part can be interesting because it is possible to be a reseller of a reseller of a reseller).

Extremely few of them have their own (direct) hosting company.

Barry Moltz, who works with SCORE and small businesses to get their businesses unstuck, and the author of several books including “Small Town Rules,” shared that one of the rules all business owners should follow is: make no assumptions; test everything.

I would like to encourage you to apply that when your IT, SEO, Web designer / developer tells you to use them for hosting.

Here are some questions you should ask them prior to making your decision:

  • Is this your hosting company or are you a reseller?
  • If this is your hosting company, does that mean you own the data center?
  • (If they answer yes to owning the data center), If I look up ownership of this data center, are you saying you and your firm will be listed as being the principal owner of the data center?
  • (If they switch gears stating they are an investor rather than an owner), then if I look up who has stock with the data center company, I will find stock certificates under your name or that of your firm?
  • (If they switch gears and state they are a partner with the data center), then if I call them and ask if you and your firm are a certified partner, they will answer yes?
  • (If they answered they are a reseller), what level of reseller are they (common answers are alpha, master, reseller, don’t know; alpha has a direct relationship with the provider, master has a direct relationship with the alpha, and reseller has a direct relationship with the master — each level below the alpha typically increases the time to resolve questions and problems)?
  • (If they are a reseller) Who owns the hosting company (note: If the hosting company is owned by the Endurance International Group (EIG), then expect throttling and limiting of the resources to your account as a matter of course)? Is the hosting company part of a larger holding company (EIG)?
  • What is the service level agreement (SLA) for hosting? If my web site is down for 30 minutes due to a fault with the hosting provider, what then?
  • How does the hosting provider deal with overselling?
  • Do I contact you or the hosting provider if there are problems with my site? Whom do I contact if I have questions about my site and my hosting?
  • If I put in a phone call for help with hosting, what’s the average time before someone starts to help me?
  • If I put in a support ticket for help with hosting, what’s the average time before someone starts to help me?
  • Where is the hosting provider located?
  • How long has the hosting provider been in business?
  • How long have you had this relationship with this hosting provider? Did you use other hosting providers? Why did you switch?
  • Has the hosting provider had any recent security breaches? If yes, when and where does it stand now?
  • What information is available on the security practices the data center has in place?
  • If I’m going to do ecommerce, is the data center SSAE 16 Certified?
  • Does the hosting provider regularly help customers become PCI Compliant? Where can I find out more about the process?
  • Do you have any limits on CPU, RAM, # of processes, inodes, or other resources outside of disk space and bandwidth that my account might use in the course of a given moment of any given day? If you have limits, how are they controlled? Do I get notified when I’m approaching a limit? When I’m at the limit? What happens if I have an application on my site that goes over a limit? What do my visitors see or don’t see?
  • May I have the direct contact information for the hosting provider? I would like to call them to flesh out some of your answers (then be sure to do so).
  • If I go directly with this hosting provider or another of my choosing, how will that impact our relationship?

Web hosting is day in and day out.

If you are going to do any form of ecommerce, from collecting donations to selling products and services, you should want a hosting provider who will be there for you (the more direct the relationship, typically the greater level of service you will receive).

Resellers are not necessarily a bad deal. Some designers, IT, SEO, etc. firms will pick an extremely high quality hosting provider with whom to resell.

Unfortunately, a large number pick the hosting providers with the cheapest prices hoping to increase their own margins (at the cost of service levels for the hosting customers). Sometimes their prices are so low, they can offer what appear to be no-brainer prices to their customers; yet, there are reasons why the price might be so low, and those reasons typically don’t favor the best interests of their customers.

If you have experiences with designers, developers, IT, SEO, etc. firms and using their hosting or talking to them about their hosting that you would like to share, please use the comment form below.

The importance of documentation
https://dni.hosting/importance-documentation/
Mon, 10 Sep 2012 13:00:21 +0000

I would like to share with you a recent, real-life story of what happens to small businesses when there is little to no documentation.

I’m hoping to encourage you to review the documentation standards you have set forth for your small business; and potentially to do an in-house audit to ensure critical areas are covered.

In late August 2012, we received a call from the CEO of a small business whose web development person left their employment. They found out about our server administration services from SoftLayer as we are a SoftLayer certified partner.

They needed to update their web site for which they did not have the FTP login credentials; and they needed to generate a CSR (Certificate signing request) in order to renew the secure certificate for their web site so that https would continue to work.

Together, we hoped that given the server login credentials (which they did have on hand) that we could locate the FTP user, reset the FTP user password, and test FTP access with that information; and then use the server-based tools to generate the CSR for the secure certificate, and install it when they received it from the digital ID provider.

To keep the story short without going into the server administration details, the information they had on file was for a Citrix XenServer which was running multiple virtual machines. The web site for which they needed the FTP reset and a CSR generated was on one of the virtual machines.

There was no documentation as to which virtual machine other than a public IP address of the web site.

The non virtual equivalent is that you are given the keys to a safe. You open the safe and find several other safes within; and while you might be able to guess which safe is the right one within the safe, you don’t have the means to open it.

SoftLayer’s extremely well automated portal provided one of several means available to document the server environment; but notes were not put into the notes area for which private IP address belonged to which virtual machine, which may also have helped.

While we were able to narrow down which virtual machine (aka safe) was most likely the correct one, ssh (remote access) appeared to be filtered by IP address… and you needed to access the virtual machine in order to tell it which IP addresses to allow.

The bottom line for this small business is potentially rebuilding everything from the ground up for costs in the double digit thousands of dollars (if not more).

If you are the CEO, COO, CSO, CTO, President, owner, steward, or otherwise “the buck stops here” person, when was the last time you audited what documentation is in place for the following?:

  • Employee handbook – ensuring it covers documentation expectations and requirements.
  • Web site(s) – login credentials for every application, control panel, FTP, email, statistics / analytics along with daily, weekly, biweekly, monthly, etc. processes and procedures along with application names, versions, etc.
  • Server(s) – specifications, login credentials, public IP, private IP. If there are virtual machines, the same — do you know where your servers are located? Names and contact information of responsible parties having what responsibilities?
  • Change log – what installations, deletions, changes have been taking place — date, time, where, what, who, why, how, notes, etc?
  • Contact information – name, company, mailing address, physical address, phone numbers, email, and when or why would they be contacted.
  • Other? — What’s necessary for someone to take over your responsibilities if you are the last one standing, and need to pass on the baton?

As you do the audit, ask yourself (and hopefully check your thought process with trusted other parties) — if the responsible person for jobs a, b, and c were inaccessible tomorrow, would someone be able to take over quickly just based on the documentation that we have in place?

If the answer is “no,” then a level of priority should be given to making sure there is enough documentation (that is reviewed and tested for quality assurance) so the processes, procedures, tasks, and related responsibilities can be easily picked up by a new party.

Lastly, who knows where the documentation is located, and how to use the documentation?

Have you run into any nightmares in your business that proper documentation beforehand could have prevented or made less costly? Please share in the comments below.

Scalable, Fast, Secure Ecommerce with ShopSite
https://dni.hosting/shopsite/
Mon, 03 Sep 2012 13:00:37 +0000

I recently had the wonderful opportunity to read a well written book by Melinda F. Emerson, Become Your Own Boss In 12 Months.

Melinda, who hosts the Small Business Chat on twitter every Wednesday night from 8 PM to 9 PM Eastern Time, focuses on helping people become entrepreneurs and for the small businesses they create to grow and succeed.

A lot of what Melinda shares involves proper planning and preparation.

Whether you have been in business for many years, or are just starting up… did you know that if you properly plan and prepare for your ecommerce store you greatly increase your opportunity to succeed?

If you are nodding your head, do you know how many business managers just leave this decision to their “Web” person or “IT” person?

The wrong choice in this area often leads to two major areas which can ruin your business:

  1. Hacked store with stolen customer information which can ruin the reputation of the business.
  2. Performance issues where you must choose between more and more expensive hosting to scale up with the hosting environment needs of the ecommerce system, or face a complete redesign with another ecommerce system.

Over the past 17 years in business, we’ve seen, read, or heard about the above two issues so often, we’ve lost count.

As you take ownership and responsibility of the decision for picking a shopping cart / ecommerce system, I encourage you to ask the following questions:

  1. Is the ecommerce system PCI DSS certified (if the answer is no, attaining payment card industry (PCI) compliance runs from impossible to expensive)?
  2. When was the last security bug (problem, issue, report, etc.) filed for the system on Secunia’s Vulnerability Database?
  3. How many times per year is there a security bug reported over the last 15 years (the more frequently published, the higher degree there are unreported security bugs)?
  4. How long has the ecommerce company that created the ecommerce system been in business (unfortunately a lot of businesses five years old or less fail)?
  5. Does the ecommerce shopping cart provider list certified technology partners that can assist you if you run into problems using the system?
  6. Is the ecommerce system fully portable should you need to move to a different hosting provider?
  7. Will the ecommerce system work on the smallest of shared hosting plans?
  8. How well does the shopping cart system scale? How long can you stay in a shared hosting environment to keep your monthly hosting investment to a minimum?

While you do need to trust the people with whom you are working, if you are the steward / manager of the business, the buck stops with you; and, I would encourage you to double check against any bias which may cost you your business.

I would like to share with you why you should consider ShopSite from ShopSite.com as the only ecommerce shopping cart you will need.

ShopSite is VISA PA DSS Certified. Since 1998 (when we started using and offering ShopSite as a ShopSite certified technology partner), any customer of ours using ShopSite who has a PCI Compliance Scan has ShopSite passing with flying colors.

In all of the years ShopSite has been available, they’ve only had one (1) security issue back in 1996. Compared to any other cart, that is outright amazing!!!

ShopSite has been in business for almost two decades. Very few other companies compare.

ShopSite has certified designers and certified technology / hosting partners. Dynamic Net is a certified technology / hosting partner; and we maintain relationships with certified ShopSite designers.

ShopSite is extremely portable, especially if you purchase the license vs. renting (it is still portable with renting; but you want to assure that with the hosting provider from whom you rent the software prior to renting it — for us, it is 100% portable).

ShopSite is extremely fast (it is compiled code vs. interpreted PHP, Perl CGI, etc.); and ShopSite scales extremely well in a shared hosting environment.

ShopSite ecommerce stores have handled massive floods of traffic when the business is featured on national media in a shared hosting environment.

ShopSite is relatively web server agnostic; you don’t have to worry about a down ecommerce store because your hosting provider updated the operating system, the web server software, or the database software.

Please contact us if you have questions as to why ShopSite would be the only ecommerce system / shopping cart software your small to medium business will ever need.

Please share your thoughts and questions about this article below in the comment area.

The Security Dance – Part 2
https://dni.hosting/you-are-the-boss-of-security/
Mon, 30 Jul 2012 13:00:12 +0000

Welcome back! Last week’s article, “There are no wallflowers at the security dance! Get to know your dance partners,” covered getting to know your security dance partners.

If you are the business steward or a part of the management team, you already know the burden of responsibility for having a secure web site where your reputation, customers, sales, and business can be won or lost due to a defacement or other forms of security breaches.

While it is easy to say, “my web person handles that for me” or “I outsource it to so and so,” that does not mitigate the risk or otherwise make your life any easier if what you believe was going on, was not taking place.

Below is a check list you can use to help you take charge, and be the boss in the area of site security:

 

| Dance Partner | Area of Responsibility | Doing their job? |
|---|---|---|
| Data Center | Has and maintains SSAE 16 certification? | |
| Data Center | Has an abuse department with strict policies on resolving abuse complaints promptly? | |
| Hosting Provider | Is their own site PCI Compliant? | |
| Hosting Provider | Is willing to walk you through the PCI Compliance process? | |
| Hosting Provider | Has an abuse department with strict policies on resolving abuse complaints promptly? | |
| Hosting Provider | Secures their servers, and maintains the security? | |
| Hosting Provider | Has and maintains an intrusion detection system? | |
| Hosting Provider | Reviews server logs daily and security reports frequently throughout the day? | |
| Hosting Provider | Performs daily, off site, backup? | |
| Hosting Provider | Can clearly describe how they would deal with a customer whose site has been hacked from start to finish? | |
| Payment gateway provider | Has and maintains PCI Compliance? | |
| Payment gateway provider | Has not had a data breach involving customer data in the past two years? | |
| Web designer / developer | Reviews site error logs and statistics weekly, passing on any abnormal activity to the hosting provider for investigation? | |
| Web designer / developer | Performs regular backups of the site and database(s) used by the site? | |
| Web designer / developer | Only installs applications which are being maintained from vendors who take security seriously? | |
| Web designer / developer | Regularly reviews the site and database for removal of unnecessary applications and items? | |
| Web designer / developer | Makes sure all applications, plugins, and themes are up to date? | |

Verify that each dance partner is on the same page with you; and that they are doing their job.

You are the boss, and there will be times the partners need to be educated to pick up the pace, do their job, or be replaced.

In case you are wondering where we fit in, here’s how the check list above looks for Dynamic Net, Inc.:

 

| Dance Partner | Area of Responsibility | Doing their job? |
|---|---|---|
| SoftLayer | Has and maintains SSAE 16 certification? | Yes |
| SoftLayer | Has an abuse department with strict policies on resolving abuse complaints promptly? | Yes |
| Dynamic Net | Is their own site PCI Compliant? | Yes |
| Dynamic Net | Is willing to walk you through the PCI Compliance process? | Yes |
| Dynamic Net | Has an abuse department with strict policies on resolving abuse complaints promptly? | Yes |
| Dynamic Net | Secures their servers, and maintains the security? | Yes |
| Dynamic Net | Has and maintains an intrusion detection system? | Yes |
| Dynamic Net | Reviews server logs daily and security reports frequently throughout the day? | Yes |
| Dynamic Net | Performs daily, off site, backup? | Yes |
| Dynamic Net | Can clearly describe how they would deal with a customer whose site has been hacked from start to finish? | Contact us to find out |

The overwhelming majority of our customers are small businesses who want peace of mind in knowing their hosting provider and the data centers used by their hosting provider are doing their job.

If you are not 100% happy that your hosting provider and their data center are doing their job in keeping your web site secure and safe, then contact us. We will be happy to talk with you or have an email conversation with you.

The Security Dance – Part 1
https://dni.hosting/security-dance/
Mon, 23 Jul 2012 13:00:39 +0000

If you have your business on the Internet, you are a part of a line dance.

You can choose to be a wallflower, and face the consequences of doing nothing.

Or you can get to know your fellow dance partners (maybe picking replacements for ones that no longer fit), and be an active member of the security dance.

I have the privilege of communicating with small business stewards on an almost daily basis.

Some of the common things I read and hear concerning security are as follows:

  • Don’t hackers just go after big companies?
  • There’s nothing special about my web site that hackers would want.
  • My hosting provider handles all of the security.

Unfortunately, all of the above statements have the business steward and their team being wallflowers rather than active participants in a perpetual dance that only ends when they stop having their business on the Internet.

Now, you might be ok being a wallflower at a social dance. Maybe you just go to sit and watch the other people dance. Maybe you just go for the music and the food. For a social dance, there’s little impact.

The impact of being a wallflower with a business on the Internet can lead to poor reputation, lost customers, lost income, and having to spend a lot of time to fix one or more situations that could have been prevented.

What does that mean?

While targeted hacking exists, the majority of hacking deals with vulnerabilities. Think of it like a gang going through the parking lot to see who was apathetic enough to leave their vehicle unlocked, or unlocked with the keys still in the car.

This makes every single resource — web site, email, DNS, servers, routers, etc. — a target for hackers.

Now, let’s get back to dancing. I’m talking about old-fashioned slow dancing where you and your dance partner are close, hold hands, and watch out for one another on the dance floor.

Let’s relate that to a security dance, except rather than just two people dancing together, you have several in the form of a line dance.

Each dance partner needs to take as much responsibility in an active manner as they can to help and protect one another.

In this security dance, you have the following partners when you are looking specifically in the area of web hosting (including email, database and DNS):

  • The business steward and their team.
  • The web site designer and their team (if applicable — some small businesses do this in-house).
  • The vendors of the applications installed by the above parties.
  • The payment gateway(s) used by the above parties.
  • The hosting provider.
  • The data center(s) used by the hosting provider (if they don’t own their own; most do not).

Each dance partner plays a specific part in the dance; and, if the dance partner is not watching what they are doing, it will hurt more than having your foot stepped on, or falling off the ledge into a pool (like in It’s a Wonderful Life).

Now, let’s go over the responsibilities of each party in the security dance.

The data center should maintain SSAE 16 certification showing the data center management cares about quality assurance, processes, and procedures for maintaining quality.

The hosting provider should themselves have and maintain PCI Compliance. The hosting provider should also have each server secured (hardened against hackers) along with plans, policies, and procedures that keep the security up to date. The hosting provider should have plans, policies, and procedures in place to review server log files and reports throughout the day; and take appropriate action as necessary based on the daily review of those reports.

The payment gateway provider should have and maintain PCI Compliance, and have a history of taking security seriously including full disclosure of any past security breaches; and if there were any breaches, a written statement of what was done to prevent breaches of a similar nature from occurring in the future.

The application vendor (content management systems like WordPress, Drupal, and Joomla, along with shopping carts, etc.) is responsible for providing the business management team and their designer (in-house or external) with access to up-to-date software. They are responsible for writing secure code and taking reports of vulnerable code seriously. Any vulnerability report should be promptly handled by the application vendor’s development team, which should provide patches and updates to their application in a timely manner.

The web site designer and their team (in-house or external) are responsible for applying application vendor provided updates and patches in a timely manner. This team should also be reviewing the site logs to see who is visiting the site, and how the site is being used.

The business steward — the buck stops here! — has the responsibility to check that each dance partner is doing their job.

In my next article, I plan to cover steps you can take as a business steward to make your life easier in being a part of this security dance; and in making sure your dance partners are dancing to the same tune for your benefit.

Please contact us if you have any questions.

Managed Hosting – What are they managing?
https://dni.hosting/managed-hosting-managing/
Mon, 07 May 2012 13:00:00 +0000

Are you being lulled into believing you are on a managed server when you rent your server from the likes of Rackspace.com and other data centers stating they are offering managed servers?

What does it really mean when a data center provider states they offer managed servers?

Most of the time, especially when the statement is coming from a company that owns multiple data centers, “managed servers” means the servers are managed when you ask for management within the limits of their terms of service.

 

What this means to business owners is when the managed server provider provisions a server for you, the server is insecure, the operating system is insecure, any installed server applications are insecure, the server and its applications are most likely not PCI compliant, and what’s set up is only what you put down on the order form.

 

Business owners and managers may be in for a rude awakening when they find out their server or sites on their server have been hacked; then when they ask their provider about it, find out that hardening the server was not included, or they only did an initial server hardening but no follow up to keep the server hardened.

Server management falls into two categories: proactive and reactive.

 

Proactive management typically means the provider actively works on the server on a regular basis without needing a support ticket or request from the customer.

The proactive managed server will most likely be hardened, kept secured with updates applied within a reasonable time frame as updates come out, have logs reviewed daily, security reviewed daily, and so on.

Reactive management typically means the provider does absolutely nothing unless the customer puts in a support ticket asking for help; and then only helps within the terms of service of the provider.

 

If you want peace of mind for your hosting experience, you want proactive management.

If you are not sure what your provider proactively manages or does not manage, ask them.

Ask them what they proactively do at what frequency through what period of time. Get specific with questions such as when is a server hardened? How often are operating system updates checked and applied? How often are logs reviewed? What are your procedures for notifying me if I have a near full hard drive partition? If you notice one of my sites being aggressively attacked? If you see an error from one of my sites in an error log? … and so on.

Dynamic Net, Inc. is a fully managed hosting provider of proactive managed dedicated servers, proactive managed VPS servers, proactive managed shared hosting, and proactive managed reseller hosting.

Contact us if you have questions on our proactive managed hosting services.

Why cheap hosting really limits the growth of your site
https://dni.hosting/cheap-hosting-limits-growth-site/
Mon, 23 Apr 2012 13:00:00 +0000

When it comes to sayings, one of the older ones is “if it looks too good to be true, it probably is!”

With approximately 32,000 hosting providers in the United States alone, and people in various groups saying “I’m using so-and-so for web hosting,” the hard part of choosing a hosting provider is that it is easy to be lulled into not reading the fine print and not taking the time to do one’s homework.

You might be a member of the LinkedIn WordPress group or a similar business or hobby group, and ten or more people tell you to go with so-and-so provider; they’ve been with them for x period of time, and they are happy.

You check out so-and-so provider’s site, it looks clean, and they advertise so much disk space and bandwidth… wow, you are really going to get your money’s worth… so you think.

Your site starts off small, and everything appears to be working well. You might even join the bandwagon, telling others, “Use my host; look at all I’m getting for just $ per month.”

Now for some housekeeping… almost all businesses fall into one of two categories for how they choose to compete against others in their field of business: on price or on value.

 

Hosting providers who compete on price will do their best to continue being able to compete on price. That typically means cutting corners and focusing on being penny smart. It typically means focusing on cost cutting rather than maintaining or adding value. Their number one priority is their ability to keep their price low; you, their customer, only come after that number one priority.

Hosting providers who compete on value will have higher prices than those who compete on price. The hosting providers who compete on value are typically focused on maintaining and increasing the value they provide to their customers. They are focused on their customers. Human beings mean more and should receive value for what they pay.

 

The majority of the hosting providers in the world compete on price. And that way of competing involves a number of dirty little secrets.

One of the dirty little secrets is something you may never run into if your site stays small (small in traffic usage, small in CPU usage, small in disk usage, and so on).

If your site does grow, you may find yourself in a bind with the provider from whom you thought you were getting so much value for the dollar, just looking at all of the resources they advertise for such a cheap price.

Yet, as your site grows you are most likely going to face problems you would not have thought about in advance.

inode limit – WOW, I thought I had so much available disk space.

 

You, or even worse a prospective big-dollar client of yours, take an action that involves adding a file to the server (it could be as simple as an online order that creates a temporary file on the server), only to find out you cannot. The prospective customer leaves, never to come back.

You may not even know the problem exists until you try to upload a new file; maybe something as simple as adding a new image to your web site.

When you contact the provider’s support department, you find out you have maxed out all of your inodes. To keep it simple, one file or folder takes up one (1) inode.

They tell you that you must now delete folders and files to free up inodes; and you are left speechless because you are using less than 5% of the disk space they advertise on their site.

 

Cheap hosting providers, to keep their costs low, will place limits on the number of inodes they allow per hosting plan.

Value hosting providers such as Dynamic Net, Inc. provide unlimited inodes.
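
The inode arithmetic described above, as an added example (not code from the original article or from any provider): it counts inodes and bytes for a constructed account and compares both against plan limits. The function names, the 402-inode and 1,000,000-byte limits, and the rule that the quota counts every file, directory and symlink once are assumptions made for illustration.

```python
import os
import stat
import tempfile


def inode_usage(root):
    """Count inodes (files, dirs, symlinks) and regular-file bytes under root."""
    seen, total_bytes, stack = set(), 0, [root]
    while stack:
        path = stack.pop()
        st = os.lstat(path)  # lstat counts a symlink itself, not its target
        key = (st.st_dev, st.st_ino)  # hard links share one (device, inode)
        if key in seen:
            continue
        seen.add(key)
        if stat.S_ISDIR(st.st_mode):
            stack.extend(entry.path for entry in os.scandir(path))
        elif stat.S_ISREG(st.st_mode):
            total_bytes += st.st_size
    return len(seen), total_bytes


def quota_report(root, inode_limit, byte_limit):
    """Compare usage with plan limits (the limits are assumed values)."""
    inodes, size = inode_usage(root)
    return {
        "inodes": inodes,
        "bytes": size,
        "inode_pct": round(100 * inodes / inode_limit, 1),
        "byte_pct": round(100 * size / byte_limit, 1),
        "can_create_file": inodes < inode_limit,
    }


def demo():
    """Constructed account: 400 order temp files of 64 bytes each."""
    with tempfile.TemporaryDirectory() as root:
        tmp = os.path.join(root, "tmp")
        os.makedirs(tmp)
        for i in range(400):
            with open(os.path.join(tmp, f"order_{i:04d}.tmp"), "wb") as fh:
                fh.write(b"x" * 64)
        # A hard link is a second name for the same inode, so it is free.
        os.link(os.path.join(tmp, "order_0000.tmp"), os.path.join(root, "latest"))
        return quota_report(root, inode_limit=402, byte_limit=1_000_000)


if __name__ == "__main__":
    print(demo())
```

Pointing `inode_usage` at a real document root shows which of the two counts is closer to its limit before an upload or an order fails.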

CPU limit, RAM limit, process limit — what happened to my online store? Why are my online sales down?

 

Far worse than inodes is when customers cannot place orders on your site… and you only find out when either an irate customer calls — if they have the time — or your hosting provider shuts down your site without advance notice.

One way or the other you find out your hosting provider has placed limits on how much CPU, how much RAM, and sometimes even how many processes on the server your site can use.

If your site is shut down, you are typically told you must upgrade — where is that in the budget? — or move off their services (so much for advance notice to really plan out a move).

You feel you are being blackmailed into upgrading so you can get your site back online… but for how long? Since the upgraded plan most likely has its own limits for CPU, RAM, and processes. Where is the light?

 

On March 7, 2012, there was a post in a web hosting discussion forum about a popular, cheap hosting provider, titled “Issues with ____________ Throttling?” (hosting provider name removed to respect their privacy).

 

I’m currently running an IPBoard through ____________ and have recently had some slow loading times. Invision suggested that I contact ____________ as it looked like my server was bogged down by other websites, so I contacted ____________ and they just said this:

This is because your account is currently experiencing CPU limiting factors (throttling). During the past 24 hours, your account has been throttled for a total of 62455.518 seconds.

Editorial Note: Is that what you want running behind the scenes slowing down your site; and you are not notified about it unless someone complains?

 

 

Cheap hosting providers, to keep their costs low, will use either homegrown operating systems and tools or operating systems like CloudLinux to severely limit the amount of CPU, RAM, and processes available to a site.

Value providers such as Dynamic Net, who do use CloudLinux, will have limits high enough to allow any normal site usage, including being on the home shopping club and various TV shows like QVC; the limits that are in place are ceilings high enough to catch only misuse.

If you were hunting for physical office space, a home, an apartment, etc. you would want to see the place, look at the neighborhood, check out the surrounding businesses. You would carefully review any lease or rental agreement. You would leave very little (if anything) to chance.

Why not take a more serious, proactive approach to your hosting needs?

While you may not be in a position to visit a facility or the office of the provider (not all providers own the data center where the equipment is located), you could call or email; and dig deep with questions that go beyond what’s advertised as being a part of a particular hosting plan.

The bottom line is: will the hosting provider allow you to grow your business easily without ever holding you hostage? Will they be there for you over the years, whether your business is growing or, sad to say, downsizing?

Contact us if you have any questions about our managed hosting services. We compete on value because we know you and others like you matter far more as human beings than wanting to be the cheapest or among the cheapest provider around.
