Top 10 Tips to Share with Employees During Cyber Security Awareness Month (#NCSAM)


There is no dispute that data breaches are becoming more common, and as a result, online safety and the protection of personally identifiable information (PII) are hot topics in the mainstream media. Therefore, the month of October presents an excellent opportunity for all businesses, especially midsize businesses, to remind employees about their responsibilities when it comes to protecting corporate data.

Here are my top ten tips to share with employees during Cyber Security Awareness Month:

[1] Complex Passwords
All passwords should be at least 10 characters and include lower and upper case letters, numbers, and symbols. If your employees need assistance in creating complex passwords, share this password strength evaluator from Microsoft’s Safety and Security Center:
https://www.microsoft.com/security/pc-security/password-checker.aspx

[2] Browser Security
Make sure that employees use secure browsers when accessing company webmail from offsite and from mobile devices, which means the connection uses HTTPS rather than plain HTTP. Also use a sandbox program that keeps viruses and malware from entering the computer through the browser. A few examples of sandboxing include Sandboxie, VirtualBox, and BitBox.

[3] Abbreviated Links
Before clicking on any abbreviated links, determine the entire URL. Here’s a site to assist your team: http://urlxray.com/

[4] Emails and Attachments
Make it a practice to NOT open emails and attachments (especially JPEGs) from unknown senders, and do not use Preview Pane, because it’s akin to opening emails.

[5] BYOD Policy
Implement a Bring Your Own Device (BYOD) policy and train employees on the whys and why-nots. And make sure that your leadership team also abides by the policy. In addition, the leadership team and IT Department should create the policy together.

[6] Social Media Policy
Implement a social media policy and train employees so that everyone understands who maintains the official voice of the company on all social media platforms. Make sure that departments understand who maintains the social platforms because you don’t want departments fighting it out in public. Also include a statement if employees are required to include “Views are my own” in their bios if they reference the company name in their profiles. Above all, remind employees that once they post something online, it takes on a life of its own and cannot be removed. Therefore, it’s critical that they abide by the mantra that they should not post anything that they would not want their boss or grandmother to see online.

[7] Disaster Recovery Plan
Implement a disaster recovery plan and train employees on a regular basis so that everyone knows how to access corporate data in the event of a disaster and the planned amount of time that data may not be accessible.

[8] Cloud Computing
In today’s era when everyone uses the cloud, develop a plan for what employees can store in the cloud. There should be a policy for storage and for access. For example, it may make sense for some documents to be stored in the cloud so that many employees can access the same document, but it may not make sense for entire departments to access the document or for some documents to even be stored in the cloud.

[9] Non-Approved Software
Seen any good games lately? I’m sure your IT Department has. Employees always try to circumvent sysadmin controls and download unapproved software. Make sure that your company’s user permissions do not allow software to be downloaded and installed before it is reviewed and approved by the IT Department. You certainly don’t want any mysterious software to cause havoc on your network.

[10] Back Up
Lastly, remember, it’s not if you lose your data, but when, so back up, back up, back up.

Here’s to a safe Cyber Security Awareness Month!
_____________________

To learn about how your team can participate in activities throughout October, visit the website of the Department of Homeland Security:
http://www.dhs.gov/national-cyber-security-awareness-month-2014

The National Cybersecurity Alliance’s mission is to educate and empower a digital society to use the Internet safely and securely at home, work, and school – protecting the technology that individuals use, the networks they connect to, and our shared digital assets. Learn more at:
http://www.staysafeonline.org/ncsam/

“A Penny for Your Privacy?” by Chris Taylor and Ron Webb via @HarvardBiz
http://blogs.hbr.org/2012/10/a-penny-for-your-privacy/

_____________________

Image Credit: ddpavumba via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Are You Integrating Security into Your Celebration of #CXDay?

Security for CX Day

Is the first Tuesday of October marked as a special date on your calendar? If not, the significance around social channels will alert you to this hashtag. The second Tuesday in October is #CXDay, and according to Annette Franz (@CXJourney on Twitter), “It’s a celebration of customer experience professionals, those folks who work tirelessly to design and deliver a great customer experience to their customers. The day is meant to continue to raise awareness of the importance of the customer experience.”

My grad school studies were in marketing, so while my professional focus may not be customer service or marketing, I am able to clearly see the alignment between the marketing and technology functions within a business. First, who are the IT Department’s customers? While we often don’t think about this, we in the IT world serve employees within other internal departments: Human Resources, Finance, Research and Development, Manufacturing, Marketing/PR, Sales, Customer Service, Legal, etc. On the other side of the coin, we also serve customers by maintaining the hardware and software to bring products or services to external customers since we maintain the web servers, websites, and networks that support them. So, when you think about it, we really are a piece of the pie that delivers service.

As a midsize business, how will you celebrate Customer Experience Day? Will you send your customers an email thanking them for their business? Will you send them a discount on a future purchase of your product or service? Will you hold a party or some other big function to recognize and thank your customers? Or, will you give your employees movie tickets or cash bonuses?

No matter how you recognize the customer experience that your business provides, don’t forget to integrate SECURITY. The core of recognizing your customers is showing them that you value them and their business – and the most important way you can do that is to protect their data. In today’s era of data breach announcements hitting the news almost on a daily basis, show that you truly value your customers. Let them know on Customer Experience Day how you protect their data – send them an email highlighting your data protection policies, your online privacy policy, and your data recovery policy. Knowledge is power, therefore, letting your customers know how you protect their data may keep them from suing you later.

Since it gets harder and harder to stand apart from the competition, use Customer Experience Day as a way to stand out. Integrate security into your celebration and let your customers know that their data protection is just as important to YOU as it is to THEM.

 
To see how you can participate in #CXDay, click here:
http://cxday.org/2014/online-events.html

Image Credit: Stuart Miles via FreeDigitalPhotos.net


Don’t Forget Security When It Comes to E-Waste

ewaste

With school back in session and Halloween just around the corner, the December holidays will soon be here. And with December holidays quickly approaching, it’s time to start dreaming about all the new technology purchases on your holiday shopping list. But as you dream, what will you do with all your current devices? As you wonder where you’ll take your outdated smartphones, tablets, and desktops, either conduct a Google search for your nearest e-waste drop-off location or use a convenient app on your smartphone to find a location. But, whatever you do, take security precautions.

The term “E-Waste” applies to electronic equipment that is at the end of its useful life and cannot be thrown away by conventional means: TVs, computers, laptops, monitors, printers, cell phones, VCRs, copier machines, fax machines, scanners, DVD players, cameras, keyboards, mice, speakers, computer backup batteries, computer wires/cables, ink cartridges (empty or full), motherboards, servers, stereos, radios, and electronic games. TVs and computer monitors cannot be thrown into landfills due to their lead content. In 2008, there were 4.6 billion pounds of e-waste in the United States, but less than 900 million pounds (19%) of that waste was recycled.

There are places where you can drop off your equipment. Goodwill is one option and offers e-waste drop-off sites throughout North America. Another option is All Green Electronics Recycling with locations throughout the United States – and is based in Southern California. All Green picks up electronics from homes and offices and also recycles the e-waste. All Green’s competitive advantage is that it offers data destruction options ranging from low-cost data wipes to certifications required for the U.S. Government and military.

But before you say goodbye to your equipment, here are five quick security wipe reminders:

[1] For hard drives in desktop computers, laptops, or tablets: remove the hard drives and use a screwdriver, pliers, and hammer to take them apart and break the platters inside the case – that’s the only way to completely destroy the data. For external hard drives, destroy them or use military-grade wiping software – but a truly dead hard drive is one that has been taken apart.

[2] For cell phones: break the inside chips.

[3] For smartphones: use the security wipe features already on the phones. See your product guide for details. There are also apps available for this purpose for iOS, Android, and Blackberry.

[4] For copy and fax machines: remove flash memory and destroy.

[5] For all other equipment, check manufacturers’ websites to find out recommended ways to purge the memory.

Security is a serious business whether you’re a tech professional, a midsize business, or a tech enthusiast. Since you don’t want any of your data ending up in the wrong hands, do whatever you can to protect yourself. Don’t let the holidays bring you an unwanted gift: either your data ending up in the wrong hands or a case of identity theft.

 

Image Credit: digitalart via FreeDigitalPhotos.net


Don’t Forget Security When Developing Corporate Mobile Apps

mobile apps

With the rise in mobile device usage, bring your own device to work (BYOD), and the Internet of Things (IoT), combined with the decline of personal computers, many corporate leaders believe that their businesses should develop a mobile application, or in tech lingo, an app.

An Appcelerator survey of enterprise leaders released in January 2013 reported that 73% of enterprises built fewer than five applications, and 39% built none or just one. (1) (2)

But does your business really need an app to be competitive, or do you simply want to be able to SAY you have one? Will an app fill a critical hole for your business, or will it add to the IT Department’s list of items to regularly maintain and upgrade? Will an app reduce down time for employees, provide a tool for customers to better interact with your business, or create an opportunity for innovation? Above all, what would be the security implications of a corporate mobile app?

The midsize market is blanketed by apps that allow industries to be more robust. For example, the real estate industry, the healthcare industry, and the entertainment industry are just a few of the many industries that use mobile apps to be more competitive and offer innovative ways for their customers to access their products or services.

But how does security fit? For purposes of this discussion, let’s assume that you’ve gone through your due diligence and research and developed an app for your business. Now, when someone downloads your app, what type of information are you gathering about your customer? Once the app is downloaded, will you require the app to need access to any of the following information: customer name and phone data, Wi-Fi data, location, call history, calendar, contacts, and browsing history? Your business will need a convincing explanation as to why you need any or all of these types of customer data. Since each of these touch points can be manipulated, what will you use the data for?

The question remains about your application code integrity (the code used to build your app). Although this may not be a concern to the end user, do you have adequate change management in place to ensure code consistency and integrity? Since Android has become the biggest playground for hackers, your app must be as bullet-proof as possible before hitting the “market,” whether internal or external. Your code must be checked on a regular basis and updated for flaws.

If developing apps is not your core competency, the process of continuously monitoring your app may not be your first priority. However, this may come back to bite you if the app becomes compromised and your customers’ data ends up on the black market for anyone to buy. And if the data is your internal corporate data, there may be intellectual property or confidential information that may wind up in the wrong hands.

So before you decide to write your first line of code, be sure you have the proper internal change management process in place to fix bugs and keep up with the latest vulnerabilities. Or, in the alternative, you can bypass the creation of a corporate mobile app for the short-term. Without proper policies and procedures, that wonderful idea you have for a corporate mobile app might just bankrupt your business.

_____________________

Image Credit: KROMKRATHOG via FreeDigitalPhotos.net

(1) Statistics from article, Why Your Enterprise Must Rethink Mobile App Development:
http://www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development

(2) Appcelerator Developer:
http://www.appcelerator.com/customers/app-showcase

Here are some resources to check out before creating an app.

http://www.udemy.com/blog/making-an-app

http://experts.allbusiness.com/12-step-guide-to-building-your-first-mobile-app/11193

http://www.forbes.com/sites/allbusiness/2013/11/14/how-to-build-your-first-mobile-app-in-12-steps-part-2


Privacy, Security and Voice Search: Does Your Company Know What It’s Getting Into?


These days, everyone is using the voice search function across all platforms on all devices. Look no further than an iPhone to an Android phone to the Windows tablet, and you’ll see most people speaking questions instead of typing them. Without a doubt, it’s much easier to speak a request or question rather than typing it on a small keyboard. But do you know the reason that your device gets more accurate?

The reason is that all of your voice commands are stored on servers owned by Microsoft, Apple or Google. As you speak, those servers are accessed and an algorithm is used to match your voice against words you have previously spoken. Everything from dialect to intonation is used to match words and recall them. Everything you have ever said with voice search is stored on those servers – and a transcript of all questions and answers is also kept on your device.

It was recently revealed that Apple keeps Siri data for two years. Here is an excerpt from the story as told by Apple’s spokesperson Trudy Muller to Wired.com’s Robert McMillan: “Apple generates random numbers to represent the user and it associates the voice files with that number. This number — not your Apple user ID or email address — represents you as far as Siri’s back-end voice analysis system is concerned…Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes.”

Laws governing the right to privacy in this arena are still uncertain. This is another example of technology advancing quicker than legislation can be written and passed. Voice prints based on voice patterns (similar to fingerprints) can be matched and files can be collected regardless of how voice files are associated with users. Computing power has advanced to the point where this type of data crunching is feasible.

Now why should companies care? The answer depends on the data that you’re trying to keep safe from prying eyes, even the government. What if you’re a law firm, an accounting firm, or some other form of financial services firm? Your confidential client data could be at risk by prying eyes. Since questions and answers are stored on your mobile devices as well as their servers, anyone who gets their hands on your devices can see what you’ve been asking and the answers that you’ve been receiving. By the same token, the information on those servers could be compromised by law enforcement – either by accident or intentionally – possibly bypassing attorney-client privilege or eventually by hacking.

On one hand, you may have nefarious individuals stealing your devices and discovering partial transcripts of questions you’ve asked, such as directions to a specific location. This might include a client you meet with on a regular basis. On the other hand, your data could be at risk by way of the servers, which could be searched or even hacked – and your information could be compromised that way.

Where does BYOD fit when it comes to voice search? Consider the increasing use of personal devices for and at work, and after adding all the voice activity into the equation, your management team may think twice about the viability of BYOD. If employees ask questions that relate in some way to their work product, confidential data can easily be saved on servers where it should not be stored.

When it comes to technology, every time that something good is developed, someone evil tries to penetrate it, whether in the form of a hacker or by an abuse of power. All data is at risk in one way or another, but where voice search is concerned, remember what your parents told you, think before you speak.

Image Credit: Courtesy of stockimages via FreeDigitalPhotos.net


Is Your Business Ready for the Cloud?


These days, wherever you go, there’s always someone extolling the virtues of cloud computing. How often has someone at your monthly C-Suite meeting said, “Cloud computing is the answer to XYZ?” But then the conversation takes an unintended turn, and the focus never returns to defining either the question or the answer.

According to Wikipedia, cloud computing is “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).”

Is your business ready to move to the cloud? Has your leadership team discussed all the benefits and ramifications of moving data to the cloud? How should your IT department get involved with managing your data in the cloud?

The integration of cloud computing as a one-stop solution (or, in modern-day tech-speak, software as a service, platform as a service, infrastructure as a service, etc.) needs clearly defined objectives and a plan of execution in order for your business to benefit from the cloud.

Before moving to the cloud, there are five important issues you must consider:

PRODUCTIVITY:
How will cloud computing assist your employees to improve their productivity? Will you move email access to the cloud? Will you move data to the cloud so that employees can access their documents and work from various locations simultaneously?

COST:
Is moving data to the cloud a cost-effective option for your business? If you have separate budgets for software and hardware, do you have a line item for cloud computing? Prices change depending upon the type of cloud required and also based on your specific needs, depending on your industry and data. With some cloud services such as Infrastructure as a Service, you need to purchase more bandwidth than you need in order to allow for growth and/or heavy use periods. There are costs involved for quality products, and you need to understand the differences in the available options.

EASE OF USE and SECURITY:
Will all of your employees require access to the cloud? Also consider off-site employees. It’s a wonderful concept for employees to have access to their work product from anywhere, but what will happen if a virus or a hack happens and you experience catastrophic data loss? Do you have a disaster recovery plan? You need to know how your cloud provider will handle backups, or will your company be responsible for this? For critical infrastructure or data, it might be wiser to keep the hardware or data in-house. As it is getting easier to hack into networks, the cloud hacks will only get easier. Given that the “Cloud” is really nothing more than your data on someone else’s servers, albeit with better security (hopefully), you don’t have full control of your data. Finally, strict password policies should be in place for everyone. Keep in mind that it is going to be much easier to hack through your cloud data or infrastructure if it is located centrally as opposed to being spread out over many systems. And on the topic of security, what would happen if your data were breached in the cloud? Would you have a backup somewhere else that is easily accessible?

COMPLIANCE:
If your business must adhere to legal and other compliance regulations (such as the PCI Data Security Standard, Sarbanes-Oxley (SOX), and HIPAA), you may not legally be able to store data in the cloud. But if you are allowed to store in the cloud, you may only be able to store your data within state lines, so when you consider cloud vendors, add the statement that your data must be kept in data centers within state lines to your SLA (Service Level Agreement). Check with your legal department before moving forward with any decisions about cloud computing.

OUTAGE:
You may recall a big story in the news back in October 2012. Amazon Web Services, a cloud computing provider, went down in the Southeastern part of the United States, and as a result, users who had stored their data with the company were unable to access their files. If something like this were to happen to your business, how long could you afford to “be down?” Do you have a business continuity plan in place? What would you do about an alternative to accessing your data and communicating with customers and/or prospective customers?

According to a recent study conducted by the IBM Center for Applied Insights, cloud’s importance to business users is expected to grow to 72%, exceeding its importance to IT users at a mere 58%.

Now you’re ready to answer this question, is your business ready to move to the cloud?

__________________

To learn more about IaaS, PaaS, and SaaS:
http://en.wikipedia.org/wiki/Cloud_computing

Check out these cloud computing Pins on Pinterest:
http://www.pinterest.com/tips4tech/cloud-computing/

Click to see a comprehensive list of Cloud Computing Providers:
http://en.wikipedia.org/wiki/Category:Cloud_computing_providers

 

Image Credit: Thanks to Ted Goff for use of his cartoon with this post. Check out Ted’s work at http://www.tedgoff.com.


Does Your Business Conduct Regular Security Audits? Here Are 3 Tips


Thanks to the numerous security breaches in the news, the C-suite members of your business should be thinking about regular security audits. Size does matter: the more employees you have and the more data you generate, the more critical security audits become to the long-term stability of your business. And remember, no one is immune to a data breach.

Wondering where to start? Check physical security first. Then work your way in. The simplest way to steal data is to steal the device where it’s stored. You would be surprised by the number of businesses that don’t do the easy things. They forget to lock their windows or doors. They forget to set alarms, and if they have cameras, they forget to check to see if they’re in working order. These are all easy fixes.

Train your staff to question any stranger who walks around your offices unescorted. You should have a plan in place that might include sending an email to all employees announcing new additions, including the location of the new employee’s desk/cubicle/office, so they don’t get hassled.

Most employees assume – often incorrectly – that someone else will take action. I’ve heard stories of employees noticing strangers walking around, doing nothing, and laptops going missing. This could have been stopped.

Now let’s move to the inside – into COMPUTER NETWORKS:

For those of you who do not know what Active Directory is, according to Wikipedia, Active Directory is “a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network – assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.”

Active Directory is a powerful tool that any size business can run on a client/server environment to update who has access to what and to keep employees from accessing files and folders and other network objects that they should not have access to. This is referred to as “Least Privilege.”

Auditing Active Directory takes a team effort between HR and IT. The reason for this collaboration is so that the IT Department knows who has been fired, demoted, and/or promoted. These situations allow the IT Department to use Active Directory to change file access or to delete employee accounts. One of the biggest problems that businesses encounter is when people leave. Too often, IT is unaware of the employee status change, and as a result, the accounts remain active – thereby allowing former employees to access files or the business Intranet after their departure/termination.

Now let’s look at something that requires almost daily attention: PASSWORD POLICIES:

Do you have a policy that forces employees to change their passwords on a monthly or quarterly basis? Depending on your business, your industry, your compliance requirements, and the type of data that your employees access, you might want to have them changed every thirty, sixty, or ninety days. This also can be achieved through Active Directory. You can force them to change their passwords. Changing passwords is also important for your vendors.
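The HR/IT account review described in the Active Directory paragraph above and the password-age check from the password policy paragraph, as an added PowerShell example (not code from the original post). It assumes the RSAT ActiveDirectory module is installed, that the caller has read rights to the domain, and that HR supplies a CSV export at a placeholder path with SamAccountName and LeaveDate columns; the 90-day rotation and inactivity windows are assumptions too.

```powershell
# Added example, not from the original post. Assumptions: the RSAT
# ActiveDirectory module is installed, the caller can read the domain, and
# HR supplies a CSV export (placeholder path below) with the columns
# SamAccountName and LeaveDate. The script only reads AD and reports; it
# disables nothing, so HR and IT can review the findings together.
Import-Module ActiveDirectory

# Departed employees whose accounts are still enabled: the gap the post
# describes when IT is never told about a termination.
function Get-DepartedButEnabled {
    param([Parameter(Mandatory)][string]$HrExportPath)

    foreach ($row in Import-Csv -Path $HrExportPath) {
        # Escape single quotes so an odd HR value cannot break the filter.
        $sam = $row.SamAccountName.Replace("'", "''")
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                           -Properties Enabled, LastLogonDate
        if ($user -and $user.Enabled) {
            [pscustomobject]@{
                Finding        = 'DepartedStillEnabled'
                SamAccountName = $user.SamAccountName
                HrLeaveDate    = $row.LeaveDate
                LastLogonDate  = $user.LastLogonDate
            }
        }
    }
}

# Enabled accounts whose password is older than the rotation period, is set
# to never expire, or was never set (the post's 30/60/90-day question).
function Get-StalePasswordAccounts {
    param([int]$MaxPasswordAgeDays = 90)

    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'Enabled -eq $true' `
               -Properties PasswordLastSet, PasswordNeverExpires |
        ForEach-Object {
            $finding = $null
            if ($_.PasswordNeverExpires) { $finding = 'PasswordNeverExpires' }
            elseif (-not $_.PasswordLastSet) { $finding = 'PasswordNeverSet' }
            elseif ($_.PasswordLastSet -lt $cutoff) { $finding = 'PasswordOlderThanPolicy' }

            if ($finding) {
                [pscustomobject]@{
                    Finding         = $finding
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                }
            }
        }
}

# Enabled accounts with no logon inside the window: candidates for the
# "nobody told IT" list even when HR has no record of a departure.
function Get-InactiveEnabledAccounts {
    param([int]$InactiveDays = 90)

    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{
                Finding        = 'NoLogonInWindow'
                SamAccountName = $_.SamAccountName
                LastLogonDate  = $_.LastLogonDate
            }
        }
}

# Collect every finding into one CSV for the HR/IT review and print a summary.
function Invoke-AccountAudit {
    param(
        [Parameter(Mandatory)][string]$HrExportPath,
        [int]$MaxPasswordAgeDays = 90,
        [int]$InactiveDays = 90,
        [string]$ReportPath = '.\ad-account-audit.csv'
    )

    $findings = @(Get-DepartedButEnabled -HrExportPath $HrExportPath) +
                @(Get-StalePasswordAccounts -MaxPasswordAgeDays $MaxPasswordAgeDays) +
                @(Get-InactiveEnabledAccounts -InactiveDays $InactiveDays)

    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    $findings | Group-Object Finding | Select-Object Name, Count
}

# Placeholder path for the HR export; replace it with the real file.
Invoke-AccountAudit -HrExportPath 'C:\hr-exports\departed-employees.csv'
```

Run it from a workstation with RSAT as an account that can read the domain; the CSV it writes is the list to walk through with HR before anything is disabled.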

Another thing that’s easy to do and often overlooked is changing the default passwords that come on many (if not all) hardware devices. In all my years of working in the security industry, I’ve been surprised by the number of times I’ve encountered devices that still have their default passwords active. Manufacturers do this for ease of use. They would rather you be able to set up your new device easily than force you to devise a complex password before you install it.

Don’t overlook PENETRATION TESTING:

Lastly, something that’s overlooked but should be done is to close all of the unused ports on your firewalls. With unused ports open, attackers have easy access to your network. They can start an attack through a routine called port scanning, in which they look for vulnerabilities through open ports. Port scanning is part of the “routine” used to gather information about your company. This is called penetration testing: attackers (although hopefully your business and tech experts first) try to penetrate the defenses of your business. Of course, there are many more complex ways to develop pen-testing programs, and in fact, some businesses specialize in pen-testing, but as a midsized business, tackle these areas either by yourself or with professional help — so that you’re better prepared for a possible data breach.

__________________
Image Credit: Ambro via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.

Posted in Business Process, Data Security, Management and Technology, Network Security

Address Books, Webmail and the Cloud

Emails in the Cloud

To all businesses that use address books on webmail: stop and learn why your data may be at risk. Instead of webmail, use a third-party email client such as Outlook or Thunderbird.

Recently, I was hacked. No one is immune – even those of us in the infosecurity field can get hacked. The situation occurred in an email account that I use for professional correspondence outside of my day job.

I have a client in the medical profession who uses Gmail for his email correspondence, and recently, the doctor was hacked. He keeps all of his patient email addresses as well as friends and family in the same account. One day, I received an email from him. There was nothing in the subject line, no salutation, and no content in the email whatsoever. The only thing in the body of the email was a link to a website.

The other items I noticed that caused immediate concern were in the TO line: all of the email addresses that received the email were visible. I had access – anyone had access for that matter – to every address in my client’s address book. And of course, there was a link to some unknown website.

Hopefully, no one fell for the ruse and clicked the link. At that time, the HIPAA compliance regulations had not fully taken effect because the doctor did not report the breach. But since he was a medical professional, there may have been penalties involved. I immediately emailed him and told him he’d been breached, and then, I called and also left a voice message – in the event that he could not access his email. A few days later when he returned from vacation, he called me and confirmed my diagnosis: yes, he had been breached.
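The message described above has a recognizable shape: an empty subject, no greeting, a body that is nothing but a link, and the whole address book exposed in the To: line. As an added example that is not from the original post, here is a small Python check, of the kind you would run at a mail gateway or as a mailbox rule, that scores raw messages on those signals and also lists the addresses a hijacked account has just leaked. Both messages are constructed, and the heuristic and the recipient threshold are assumptions.

```python
"""Flag the hijacked-account blast described above in raw mail.

Added example, not code from the original post. Both messages are
constructed; the heuristic (bare link body plus an empty subject or a
long exposed To: line) and the recipient threshold are assumptions.
"""
import email
import re
from email import policy

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed: blank subject, no greeting, a bare link, every recipient
# visible in To:. Addresses and the link are placeholders.
SUSPICIOUS = """From: Dr Example <doctor@example.com>
To: patient1@example.org, patient2@example.org, patient3@example.org,
 patient4@example.org, friend@example.net, colleague@example.com
Subject:
Date: Mon, 06 Oct 2014 09:12:00 -0400
Message-ID: <constructed-1@example.com>
Content-Type: text/plain; charset="utf-8"

http://example.invalid/login
"""

# Constructed: an ordinary message from the same sender, for contrast.
NORMAL = """From: Dr Example <doctor@example.com>
To: colleague@example.com
Subject: Re: Tuesday appointment
Date: Mon, 06 Oct 2014 09:15:00 -0400
Message-ID: <constructed-2@example.com>
Content-Type: text/plain; charset="utf-8"

Hi, Tuesday at 3pm works. The intake form is at
http://example.invalid/forms/intake if you want to fill it in first.

Thanks,
Dr Example
"""


def analyse(raw, max_visible_recipients=5):
    """Score one raw RFC 5322 message and return the signals found."""
    msg = email.message_from_string(raw, policy=policy.default)
    to_header = msg["To"]
    recipients = [a.addr_spec for a in to_header.addresses] if to_header else []
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part else ""
    signals = {
        "empty_subject": subject == "",
        "bare_link_body": URL_RE.fullmatch(body) is not None,
        "recipients_exposed": len(recipients) > max_visible_recipients,
        "exposed_addresses": recipients,
    }
    # A bare link on its own is weak evidence; combined with an empty
    # subject or a long visible recipient list it is the blast pattern.
    signals["suspect"] = signals["bare_link_body"] and (
        signals["empty_subject"] or signals["recipients_exposed"]
    )
    return signals


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("normal", NORMAL)):
        s = analyse(raw)
        print(f"{name}: suspect={s['suspect']} exposed={len(s['exposed_addresses'])}")
```

The exposed-address list is worth keeping: it is the set of people who should be warned that a link "from the doctor" is on its way, and it is also the argument for sending any legitimate bulk mail with Bcc.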

I use a third-party application, Thunderbird. I do not include any addresses in my Webmail account. When my ISP discovered the breach, they shut down my account and notified me. Since none of my contacts were accessible as a result of the breach, none received the bogus email, and my personal brand remained intact.

Cloud-based email is a more attractive target than a mailbox on your own server, not because the provider’s software is necessarily weaker but because of the ROI for the attacker: one login page fronts hundreds of millions of accounts, so phishing, passwords reused from other breaches, and plain guessing all pay off at scale. The more people who visit the same place (for example, the Yahoo! website to access Yahoo! mail or Google to access Gmail) to access their information, the more chances a hacker has of breaching accounts and causing severe damage to a large number of users. And a single compromised account hands the attacker its server-side address book, which is exactly what turns one hijacked login into a blast of trusted-looking links to everyone that person knows.

These days, everyone keeps some form of personal and professional data in the cloud. It makes life easier, it makes access to data quicker, and you can reach it from anywhere. But, as a midsize business, isn’t data protection more important than easier access to data? Add extra layers of protection to your data. Generate complex passwords for employees to use, change them regularly, and turn on the two-step (multi-factor) login that the major webmail providers offer, so that a stolen password on its own is not enough to get in. Also, make sure that the employees who have access to the data are the appropriate employees to access your data.

Society tends to take the ease-of-use path when it comes to security, which makes the job harder for those of us who work in security. While we’ve taken a giant leap backward in both security and privacy, one way to beat the hackers is to keep your email contacts off of webmail; it will be one less worry if your webmail account gets breached.

____________
Image Credit: digitalart via FreeDigitalPhotos.net


Posted in Business Process, Cloud Computing, Data Security, Disaster Recovery, Email

Does Your Business Fail the Customer Privacy Test?

I had a recent experience where my privacy was compromised, and based on the company’s inaction, I wonder how many such experiences I encounter that are not as obvious.

I visited a local branch of a national financial institution to make a deposit (yes, I still walk into banks every now and then), and after I gave my endorsed check and deposit slip to the teller, he placed them face down into a clear plastic box that was in front of him. The box was in clear view of the customer opposite him (me). If the next customer did not make a deposit, no papers would go into the box to cover my items. Therefore, the next customer would be able to clearly see my endorsed signature AND my account number. Anyone with a good memory could leave the bank with my financial information.

I told the teller that I could see my signature and account number (important elements of my PII, or in other words, my Personally Identifiable Information) and that the next customer would also be able to see them, and the teller shrugged and said, “That’s the way we do things. Go see the manager.” So after my transaction, I found the manager and voiced my concern, and he said, “No one has ever complained before.” Well, I complained and said, do something now. The manager asked the teller to move the box to a different place in his work area, but the next time I visited the branch, the clear box was back in plain view.

Unfortunately, it does not surprise me that there is no widespread concern for privacy, not to mention security. But for a BANK, of all types of businesses to place a customer’s data on display is nearly criminal. I thought to myself, one customer may have his identity stolen and never realize that it was due to the bank’s procedure. But isn’t one person’s identity theft due to negligence even one person too many?

The craziness of this situation is that the solution is simple: either move the plastic box, or make it a solid color on three sides and leave it open facing the teller. At the very least, cover it after every customer interaction.

As anyone who works in the information security industry knows, it always comes down to ease-of-use versus security procedures. The process of creating and implementing security procedures and then training employees on those security procedures takes time, money, and expertise. Many businesses refuse to do any of it.

The branch’s top management could easily have fixed the issue before anything bad happened. What makes this situation scary is that the top management team knows (thanks to my comments), but they don’t care. The chance that someone MIGHT get their data stolen from this behavior may not be astronomical. But it IS possible.

How many complaints must there be before the bank takes any action? Five? Ten? One hundred, or more? Perhaps, there should be a #servicefail campaign on Twitter to get the bank’s corporate office to take notice.

So, as a midsize business, do you care about how your customer data is handled? Do you make sure that ONLY those who are supposed to access it, both internally and externally, can? Based on stories in the mainstream media, too many businesses turn a blind eye toward customer privacy because they think a breach won’t happen to them. Do you regularly check and see if your customer data is safe?

Let’s take this discussion into the online arena. What happens when data is not protected during online banking? The Heartbleed bug (CVE-2014-0160, a flaw in OpenSSL’s implementation of the TLS heartbeat extension; it is a software vulnerability, not a virus) showed that the small lock in the browser is only as good as the software behind it: an attacker could read chunks of the server’s memory, including user names, passwords, and session cookies, from a site whose Secure Sockets Layer (SSL)/TLS certificate was perfectly valid. The fix was not a user-side setting. The site had to patch OpenSSL, reissue its certificates and private keys, and then have users change their passwords, and until all three were done the lock meant little. Online banking has never been completely safe, and as long as people open email and click on links, there’s always the possibility of credential theft; a phished credential is how a major retailer’s breach was reported to have started.

If you’re not considering these issues and related solutions on a regular basis, you’re doing both your customers and your business a disservice. Don’t fail the customer privacy test.

Image Credit: Stuart Miles via FreeDigitalPhotos.net

 

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Posted in Business Process, Data Security, Online Security

5 Ways to Prepare for Data Breaches – Before It’s Too Late

I read a recent post that has stuck with me. The question raised was how do businesses, especially midsize businesses, budget for insider threats: “Midsize firms simply cannot afford data breaches, no matter what the cause. [But] a company that considers insider threats can take preventive steps. Employees may require access to sensitive information to remain productive, but ensuring that appropriate security steps are taken is KEY to keeping a firm running as smoothly as possible.”

While access-control principles such as “least privilege” (grant each role only the rights it needs) and “implicit deny” (whatever is not explicitly allowed is refused) help keep the accidental data breach from happening, they will not stop internal personnel or vendors who are intent on breaching your network and already hold legitimate access. This is why it’s critical that you conduct business with the mindset that a data breach could be right around the corner. It’s always better to be prepared rather than surprised, or put another way, proactive rather than reactive.

Here are five ways your business can approach day-to-day operations with this perspective in mind:

[1] BYOD
The reality is that you probably cannot do business without BYOD, or Bring Your Own Device to work. This means that employees are accessing sensitive corporate data on their smartphones, laptops, and tablets. The best way you can be proactive is to develop and distribute a BYOD policy and train employees on it. Enforce it, because the data they’re accessing is your corporate gold. Have them sign an agreement that the device can be remotely wiped if it is lost or when they leave, or, better yet, allow access only through a web portal or a managed container so that email and documents never sit on the device’s own storage.

[2] COMPLIANCE
Compliance issues should be on your mind. Is your company covered by the Gramm-Leach-Bliley Act (GLB), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), or California’s breach-notification law, Senate Bill 1386 (SB1386)? Does your company capture Personally Identifiable Information (PII)? Each imposes a different kind of accountability, and each has its own set of stringent steps and deadlines that a company must follow after a breach occurs. Be sure you’re up to date on the latest laws and rules so that your business is in compliance and not subject to a penalty or fine.

[3] SOCIAL MEDIA
Most employees use social networking sites for their personal use, but more and more are using their sites to talk about company business. Put your legal team to work and develop an easy-to-understand Social Media Policy. Distribute to your employees and train them with acceptable and unacceptable examples. In today’s social era, the best brand advocates are your employees, so give them social media tools to promote your brand – but educate them on how to use these tools that will benefit everyone without any surprises. You don’t want to wake up one morning only to discover that a Tweet, Facebook post, or Instagram image could put you out of business.

[4] TRANSPARENCY
If and when a breach happens, first alert law enforcement, if required. Then alert your customers, stakeholders, and the media – and do so immediately. Don’t sugarcoat the situation. Above all, don’t ignore the situation hoping that no one finds out. You know someone will discover the breach, and you certainly don’t want that individual to run to the nearest media outlet without your knowledge. It’s never a good surprise when you find your company featured on page one of a newspaper or on an online news site with a headline similar to “XYZ Company Knew About Its Breach Three Months Ago.”

[5] PRACTICE GOOD PATCH MANAGEMENT
Believe it or not, patch management matters for both internal and external threats. Vulnerabilities are eventually found in every piece of software, and the longer a version stays in service unpatched, the more likely it is that someone has published an exploit for it. Patch management addresses this because as vulnerabilities are found, the developer fixes them and you apply the fix. An internal threat can bring a payload in-house on a USB stick, DVD, or other bootable media that targets a particular vulnerability; if that vulnerability is patched, there is one less avenue for the attacker to try in his or her attempt to gain a foothold. Two practical notes: the patch program has to cover firmware, browsers, and third-party applications, not just the operating system, and the removable-media scenario is the reason to disable autorun and restrict booting from external devices on company machines.

To quote Nick Bradley, “Success hinges upon promoting and supporting a risk-aware culture, where the importance of security informs every decision and procedure at every level of the company. That means secure procedures need to become second nature, much like locking the door behind you when you leave home.”

What else would you add to this list? Please chime in.

Inspiration for this post:
“Budgeting for Insider Threats” By Fellow IBM Blogger Marissa Tejada
http://www.midsizeinsider.com/en-us/article/budgeting-for-insider-threats

Image Credit: jscreationzs via FreeDigitalPhotos.net

Posted in Business Process, BYOD, Data Security, Disaster Recovery, Management and Technology, Network Security, Social Media