Is Privacy More Important to the Media, Businesses or Consumers?


There is no denying that businesses need to be more diligent in protecting their customers’ data, but with all the data breaches publicized in the mainstream media, who cares more about privacy? What do you think: businesses or consumers?

Despite the many data breaches, consumers continue to provide their Personally Identifiable Information (PII) to midsize businesses. At the top of the list, this confidential information may include full name (first and last), home address, phone numbers, and email address. Depending on the business, requested information may also include Social Security number, date of birth, place of birth, gender, passport number, driver’s license number and issuing state, vehicle registration plate, financial transactions, bank accounts, credit card numbers, criminal background, fingerprints, medical history, names of schools attended, and current or previous employers.

What is different about protecting PII compared to any other data and how should PII be protected? According to the “Guide to Protecting the Confidentiality of PII” published by the National Institute of Standards and Technology of the U.S. Department of Commerce:

“In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity, and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy specific safeguards, such as, anonymization, minimization of PII collection, and de-identification. In addition to protection requirements for PII, there are other requirements for the handling of PII. The Fair Information Practices provide best practice guidelines, such as, Purpose Specification, Use Limitation, Accountability, and Data Quality. Moreover, the factors for assigning a confidentiality impact level to PII are different than other types of data. Breaches to the confidentiality of PII harm both the organization and the individual. Harm to individuals should be factored in strongly because of the magnitude of the potential harm, such as identity theft, embarrassment, and denial of benefits.”

But, consider this, many – and some might argue too many – consumers willingly and without much thought to how their PII may be used and stored provide their PII to businesses. What happens every time someone visits a supermarket? Their rewards card gets scanned, and the store IMMEDIATELY knows who they are, where they live, what their phone number is, what their email address is, and most importantly, what they purchased. The same thing happens at gas stations, restaurants, and other brick and mortar venues – as well as online.

Does your business have a rewards or loyalty program? If yes, what PII do you request? Do you explain why you request specific PII? How do you communicate with consumers to let them know you value their privacy and data as much as they do? How often do you communicate with your consumers to update the information and update your review and/or purge of PII?
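As an added illustration of two of the NIST safeguards quoted above, minimization and periodic purge, here is a small Python routine applied to a loyalty-program sign-up record. This is example code written for this page, not code from the original post or from NIST. The list of fields the program actually needs, the two-year inactivity window, and the sample records are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Assumed policy, constructed for this example: the fields a loyalty program
# needs to operate. Everything else the sign-up form collects is discarded
# before storage (NIST SP 800-122 calls this minimizing PII collection).
NEEDED_FIELDS = {"card_number", "email", "zip_code", "last_activity"}

# Assumed retention policy: purge a member's record after two years without activity.
RETENTION = timedelta(days=730)

# Constructed "today" for the periodic review run.
REVIEW_DATE = date(2014, 11, 1)

# Constructed sample sign-up records (fictional people and values).
SIGNUPS = [
    {"first_name": "Ada", "last_name": "Example", "home_address": "1 Example St",
     "zip_code": "90210", "phone": "555-0100", "date_of_birth": date(1980, 1, 1),
     "email": "ada@example.test", "card_number": "LP-0001",
     "last_activity": date(2014, 9, 1)},
    {"first_name": "Bob", "last_name": "Sample", "home_address": "2 Sample Ave",
     "zip_code": "10001", "phone": "555-0101", "date_of_birth": date(1975, 6, 15),
     "email": "bob@example.test", "card_number": "LP-0002",
     "last_activity": date(2011, 3, 10)},
]


def minimize(record: dict) -> dict:
    """Return a copy containing only the fields the program needs."""
    return {k: v for k, v in record.items() if k in NEEDED_FIELDS}


def dropped_fields(record: dict) -> set:
    """The PII fields that are never stored because the program does not need them."""
    return set(record) - NEEDED_FIELDS


def is_expired(record: dict, today: date) -> bool:
    """True when the member has been inactive longer than the retention period."""
    return today - record["last_activity"] > RETENTION


def review_and_purge(records: list, today: date) -> tuple:
    """Periodic review: minimize every record and purge the expired ones.

    Returns (records_to_keep, purged_count).
    """
    kept = [minimize(r) for r in records if not is_expired(r, today)]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    kept, purged = review_and_purge(SIGNUPS, REVIEW_DATE)
    print(f"kept {len(kept)} record(s), purged {purged}")
    for r in kept:
        print(r)
```

The point of `dropped_fields` is that it makes the answer to "what PII do you request, and why?" explicit: every field outside `NEEDED_FIELDS` is one the sign-up form should stop asking for, and `review_and_purge` is the scheduled job that keeps the answer to "how often do you purge?" honest.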

Answers to these and related questions should be a high priority and involve your entire leadership team. These discussions should not be delegated to the network admins of your IT department because when a breach happens, you, as a member of the leadership team, don’t want to be surprised. You will want to vividly recall all the protocols you put into place, the bullet points and/or press release drafts you wrote, and the key media people you want to reach out to.

Above all, you want your business to be proactive and transparent to consumers. Your decisions will allow your business to be in a better position to survive a breach.

Read More:

PII definition by Wikipedia:
http://en.wikipedia.org/wiki/Personally_identifiable_information

Guide to Protecting the Confidentiality of PII published by the NIST of U.S. Dept. of Commerce:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

“Why Big Companies All Have Loyalty Programs”
http://blog.fivestars.com/big-companies-loyalty-programs

“Survey Shows You Don’t Care About Privacy As Much As You Think You Do” by Joshua Steimle (@donloper)
http://www.forbes.com/sites/joshsteimle/2014/11/07/survey-shows-you-dont-care-about-privacy-as-much-as-you-think-you-do

Privacy Rights Clearinghouse – to learn about the latest data breaches:
http://www.privacyrights.org/data-breach

Image Credit: Supertrooper via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


What Can Your Business Learn about #Privacy from the UK Direct Marketing Association?

It seems as if a day doesn’t go by without notification by the media of a major data breach. If you’re a member of the C-Suite of a midsize business, you probably spend a good deal of time thinking about how to protect your data as well as your business reputation.

I recently read some surprising news from a British marketing group (1) and offer it as a lesson for all businesses – no matter where your corporate headquarters may be located and how many offices you may have. In August 2014, the UK Direct Marketing Association released a new privacy code of practice to address customer concerns about data privacy. The link for the entire code is provided below (2), but the code focuses on five key principles:

[1] Put your customer first
[2] Respect privacy
[3] Be honest and fair
[4] Be diligent with data
[5] Take responsibility

While we all receive too much direct mail, this attention to our privacy brings the discussion about customer data to the forefront. As a result, there can only be positive outcomes:

[1] Businesses will implement stricter protocols regarding data protection
[2] Businesses will implement quicker disaster recovery procedures
[3] Businesses will alert customers immediately upon learning of a breach – as opposed to having the media share the news
[4] Businesses will inform law enforcement agencies
[5] Businesses will call in third-party forensics teams to determine the size of the breach and develop protocols to mitigate future breaches

If you suspect a breach or just want to keep current on the latest breaches, visit the list provided by the Privacy Rights Clearinghouse, whose tagline is “Empowering Consumers. Protecting Privacy.” (3)

Lastly, here’s something else I found surprising: if a member of the UK’s Direct Marketing Association breaks this new privacy code, the member will be expelled from the association. Don’t you think all businesses would spend more time and money protecting their customers’ data if there were more significant ramifications than just the equivalent of a slap on the wrist by the media? I welcome you to chime in.

(1) UK Marketing Trade Body Unveils New Code to Address Privacy Concerns:
https://privacyassociation.org/news/a/uk-marketing-trade-body-unveils-new-code-to-address-privacy-concerns/

(2) UK DMA Privacy Code:
http://www.dma.org.uk/uploads/Interactive-code-for-web_sept-11_54119ad59a64b.pdf

(3) Privacy Rights Clearinghouse:
http://www.privacyrights.org/data-breach/

Image Credit: Courtesy of Stuart Miles via FreeDigitalPhotos.net


Top 10 Tips to Share with Employees During Cyber Security Awareness Month (#NCSAM)


There is no dispute that data breaches are becoming more common, and as a result, online safety and the protection of personally identifiable information (PII) are hot topics in the mainstream media. Therefore, the month of October presents an excellent opportunity for all businesses, especially midsize businesses, to remind employees about their responsibilities when it comes to protecting corporate data.

Here are my top ten tips to share with employees during Cyber Security Awareness Month:

[1] Complex Passwords
All passwords should be at least 10 characters and include lower and upper case letters, numbers, and symbols. If your employees need assistance in creating complex passwords, share this password strength evaluator from Microsoft’s Safety and Security Center:
https://www.microsoft.com/security/pc-security/password-checker.aspx

[2] Browser Security
Make sure that employees use secure browser connections when accessing company webmail from offsite and from mobile devices, which means the address starts with HTTPS, not HTTP. Also use a sandbox program that keeps viruses and malware arriving through the browser from reaching the rest of the computer. A few examples of sandboxing tools are Sandboxie, VirtualBox, and BitBox.

[3] Abbreviated Links
Before clicking on any abbreviated links, determine the entire URL. Here’s a site to assist your team: http://urlxray.com/

[4] Emails and Attachments
Make it a practice to NOT open emails and attachments (especially JPEGs) from unknown senders, and do not use the preview pane, because previewing a message is akin to opening it.

[5] BYOD Policy
Implement a Bring Your Own Device (BYOD) policy and train employees on the whys and why-nots. And make sure that your leadership team also abides by the policy. In addition, the leadership team and IT department should create the policy together.

[6] Social Media Policy
Implement a social media policy and train employees so that everyone understands who maintains the official voice of the company on all social media platforms. Make sure that departments understand who maintains the social platforms, because you don’t want departments fighting it out in public. Also state whether employees are required to include “Views are my own” in their bios if they reference the company name in their profiles. Above all, remind employees that once they post something online, it takes on a life of its own and cannot be removed. Therefore, it’s critical that they abide by the mantra that they should not post anything that they would not want their boss or grandmother to see online.

[7] Disaster Recovery Plan
Implement a disaster recovery plan and train employees on a regular basis so that everyone knows how to access corporate data in the event of a disaster and the planned amount of time that data may not be accessible.

[8] Cloud Computing
In today’s era when everyone uses the cloud, develop a plan for what employees can store in the cloud. There should be a policy for storage and for access. For example, it may make sense for some documents to be stored in the cloud so that many employees can access the same document, but it may not make sense for entire departments to access the document or for some documents to even be stored in the cloud.

[9] Non-Approved Software
Seen any good games lately? I’m sure your IT department has. Employees always try to circumvent sysadmin protocols and download unapproved software. Make sure that your company’s user permissions do not allow software to be installed before it is reviewed and approved by the IT department. You certainly don’t want any mysterious software to cause havoc on your network.

[10] Back Up
Lastly, remember, it’s not if you lose your data, but when, so back up, back up, back up.

Here’s to a safe Cyber Security Awareness Month!
_____________________

To learn about how your team can participate in activities throughout October, visit the website of the Department of Homeland Security:
http://www.dhs.gov/national-cyber-security-awareness-month-2014

The National Cybersecurity Alliance’s mission is to educate and empower a digital society to use the Internet safely and securely at home, work, and school – protecting the technology that individuals use, the networks they connect to, and our shared digital assets. Learn more at:
http://www.staysafeonline.org/ncsam/

“A Penny for Your Privacy?” by Chris Taylor and Ron Webb via @HarvardBiz
http://blogs.hbr.org/2012/10/a-penny-for-your-privacy/

_____________________

Image Credit: ddpavumba via FreeDigitalPhotos.net


Are You Integrating Security into Your Celebration of #CXDay?

Is the first Tuesday of October marked as a special date on your calendar? If not, the significance around social channels will alert you to this hashtag. The second Tuesday in October is #CXDay, and according to Annette Franz (@CXJourney on Twitter), “It’s a celebration of customer experience professionals, those folks who work tirelessly to design and deliver a great customer experience to their customers. The day is meant to continue to raise awareness of the importance of the customer experience.”

My grad school studies were in marketing, so while my professional focus may not be customer service or marketing, I am able to clearly see the alignment between the marketing and technology functions within a business. First, who are the IT Department’s customers? While we often don’t think about this, we in the IT world serve employees within other internal departments: Human Resources, Finance, Research and Development, Manufacturing, Marketing/PR, Sales, Customer Service, Legal, etc. On the other side of the coin, we also serve customers by maintaining the hardware and software to bring products or services to external customers since we maintain the web servers, websites, and networks that support them. So, when you think about it, we really are a piece of the pie that delivers service.

As a midsize business, how will you celebrate Customer Experience Day? Will you send your customers an email thanking them for their business? Will you send them a discount on a future purchase of your product or service? Will you hold a party or some other big function to recognize and thank your customers? Or, will you give your employees movie tickets or cash bonuses?

No matter how you recognize the customer experience that your business provides, don’t forget to integrate SECURITY. The core of recognizing your customers is showing them that you value them and their business – and the most important way you can do that is to protect their data. In today’s era of data breach announcements hitting the news almost on a daily basis, show that you truly value your customers. Let them know on Customer Experience Day how you protect their data – send them an email highlighting your data protection policies, your online privacy policy, and your data recovery policy. Knowledge is power; therefore, letting your customers know how you protect their data may keep them from suing you later.

Since it gets harder and harder to stand apart from the competition, use Customer Experience Day as a way to stand out. Integrate security into your celebration and let your customers know that their data protection is just as important to YOU as it is to THEM.

To see how you can participate in #CXDay, click here:
http://cxday.org/2014/online-events.html

Image Credit: Stuart Miles via FreeDigitalPhotos.net


Don’t Forget Security When It Comes to E-Waste

With school back in session and Halloween just around the corner, the December holidays will soon be here. And with December holidays quickly approaching, it’s time to start dreaming about all the new technology purchases on your holiday shopping list. But as you dream, what will you do with all your current devices? As you wonder where you’ll take your outdated smartphones, tablets, and desktops, either conduct a Google search for your nearest e-waste drop-off location or use a convenient app on your smartphone to find a location. But, whatever you do, take security precautions.

The term “e-waste” applies to electronic equipment that is at the end of its useful life and cannot be thrown away by conventional means: TVs, computers, laptops, monitors, printers, cell phones, VCRs, copiers, fax machines, scanners, DVD players, cameras, keyboards, mice, speakers, computer backup batteries, computer wires and cables, ink cartridges (empty or full), motherboards, servers, stereos, radios, and electronic games. TVs and computer monitors cannot be thrown into landfills due to their lead content. In 2008, there were 4.6 billion pounds of e-waste in the United States, but less than 900 million pounds (19%) of that waste was recycled.

There are places where you can drop off your equipment. Goodwill is one option and offers e-waste drop-off sites throughout North America. Another option is All Green Electronics Recycling, which is based in Southern California and has locations throughout the United States. All Green picks up electronics from homes and offices and recycles the e-waste. All Green’s competitive advantage is that it offers data destruction options ranging from low-cost data wipes to the certifications required by the U.S. government and military.

But before you say goodbye to your equipment, here are five quick security wipe reminders:

[1] For hard drives in desktop computers, laptops, or tablets: remove the drives and use a screwdriver, pliers, and a hammer to take them apart and break the platters inside the case – that’s the only way to completely destroy the data. For external hard drives, destroy them or use military-grade wiping software – but a truly dead hard drive is one that has been taken apart.

[2] For cell phones: break the memory chips inside.

[3] For smartphones: use the security wipe features already on the phones. See your product guide for details. There are also apps available for this purpose for iOS, Android, and Blackberry.

[4] For copy and fax machines: remove flash memory and destroy.

[5] For all other equipment, check manufacturers’ websites to find out recommended ways to purge the memory.

Security is a serious business whether you’re a tech professional, a midsize business, or a tech enthusiast. Since you don’t want any of your data ending up in the wrong hands, do whatever you can to protect yourself. Don’t let the holidays bring you an unwanted gift: either your data ending up in the wrong hands or a case of identity theft.


Image Credit: digitalart via FreeDigitalPhotos.net


Don’t Forget Security When Developing Corporate Mobile Apps

With the rise in mobile device usage, bring your own device (BYOD) programs, and the Internet of Things (IoT), combined with the decline of personal computers, many corporate leaders believe that their businesses should develop a mobile application, or in tech lingo, an app.

An Appcelerator survey of enterprise leaders released in January 2013 reported that 73% of enterprises built fewer than five applications, and 39% built none or just one. (1) (2)

But does your business really need an app to be competitive, or do you simply want to be able to SAY you have one? Will an app fill a critical hole for your business, or will it add to the IT Department’s list of items to regularly maintain and upgrade? Will an app reduce down time for employees, provide a tool for customers to better interact with your business, or create an opportunity for innovation? Above all, what would be the security implications of a corporate mobile app?

The midsize market is blanketed by apps that allow industries to be more robust. For example, the real estate industry, the healthcare industry, and the entertainment industry are just a few of the many industries that use mobile apps to be more competitive and offer innovative ways for their customers to access their products or services.

But how does security fit? For purposes of this discussion, let’s assume that you’ve gone through your due diligence and research and developed an app for your business. Now, when someone downloads your app, what type of information are you gathering about your customer? Once the app is downloaded, will you require the app to need access to any of the following information: customer name and phone data, Wi-Fi data, location, call history, calendar, contacts, and browsing history? Your business will need a convincing explanation as to why you need any or all of these types of customer data. Since each of these touch points can be manipulated, what will you use the data for?
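One way to turn the question “what will the app need access to, and why?” into a repeatable check is to audit the permissions the app actually declares against the business reasons the product team has written down. The Python script that follows is an added example for this page, not code from the original post or from any app vendor: it parses a constructed Android manifest for a fictional loyalty app and reports every sensitive permission that has no documented purpose. The permission names are real Android permissions; the grouping into the post’s data categories, the sample manifest, and the justification list are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the data categories the post lists.
# The grouping is ours and the list is not exhaustive.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi data",
    "android.permission.READ_PHONE_STATE": "phone data",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "browsing history",
}

# Constructed sample manifest for a fictional loyalty app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.loyalty">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <application android:label="Example Loyalty"/>
</manifest>
"""

# Constructed: the business reasons the product team wrote down. A sensitive
# permission with no entry here has no documented purpose.
JUSTIFICATIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "show the nearest store and its offers",
}


def requested_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name="..."> values in the manifest, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def audit_manifest(manifest_xml: str, justifications: dict) -> dict:
    """Map each requested sensitive permission to (data category, justification or None)."""
    report = {}
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE_PERMISSIONS:
            report[perm] = (SENSITIVE_PERMISSIONS[perm], justifications.get(perm))
    return report


def unjustified_permissions(manifest_xml: str, justifications: dict) -> list:
    """Sensitive permissions the app requests without a documented purpose."""
    report = audit_manifest(manifest_xml, justifications)
    return sorted(p for p, (_, why) in report.items() if why is None)


if __name__ == "__main__":
    for perm, (category, why) in audit_manifest(SAMPLE_MANIFEST, JUSTIFICATIONS).items():
        print(f"{perm:55s} {category:17s} {why or 'NO DOCUMENTED PURPOSE'}")
```

Run against the sample, the audit flags the contacts and call-history permissions, which is exactly the conversation the paragraph above asks for: either the business can write down why the app needs them, or the permissions come out of the manifest before release.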

The question remains about the integrity of your application code (the source code used to build your app). Although this may not be a concern to the end user, do you have adequate change management in place to ensure code consistency and integrity? Since Android has become the biggest playground for hackers, your app must be as bullet-proof as possible before hitting the “market,” whether internal or external. Your code must be checked on a regular basis and updated to fix flaws.

If developing apps is not your core competency, the process of continuously monitoring your app may not be your first priority. However, this may come back to bite you if the app becomes compromised and your customers’ data ends up on the black market for anyone to buy. And if the data is your internal corporate data, there may be intellectual property or confidential information that may wind up in the wrong hands.

So before you decide to write your first line of code, be sure you have the proper internal change management process in place to fix bugs and keep up with the latest vulnerabilities. Or, in the alternative, you can bypass the creation of a corporate mobile app for the short-term. Without proper policies and procedures, that wonderful idea you have for a corporate mobile app might just bankrupt your business.

_____________________

Image Credit: KROMKRATHOG via FreeDigitalPhotos.net

(1) Statistics from article, Why Your Enterprise Must Rethink Mobile App Development:
http://www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development

(2) Appcelerator Developer:
http://www.appcelerator.com/customers/app-showcase

Here are some resources to check out before creating an app.

http://www.udemy.com/blog/making-an-app

http://experts.allbusiness.com/12-step-guide-to-building-your-first-mobile-app/11193

http://www.forbes.com/sites/allbusiness/2013/11/14/how-to-build-your-first-mobile-app-in-12-steps-part-2


Privacy, Security and Voice Search: Does Your Company Know What It’s Getting Into?


These days, everyone is using the voice search function across all platforms on all devices. From an iPhone to an Android phone to a Windows tablet, you’ll see most people speaking questions instead of typing them. Without a doubt, it’s much easier to speak a request or question than to type it on a small keyboard. But do you know why your device keeps getting more accurate?

The reason is that all of your voice commands are stored on servers owned by Microsoft, Apple, or Google. As you speak, those servers are accessed and an algorithm matches your voice against words you have previously spoken. Everything from dialect to intonation is used to match words and recall them. Everything you have ever said with voice search is stored on those servers – and a transcript of all questions and answers is also kept on your device.

It was recently revealed that Apple keeps Siri data for two years. Here is an excerpt from the story as told by Apple’s spokesperson Trudy Muller to Wired.com’s Robert McMillan: “Apple generates random numbers to represent the user and it associates the voice files with that number. This number — not your Apple user ID or email address — represents you as far as Siri’s back-end voice analysis system is concerned…Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes.”
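To make the retention scheme in that excerpt concrete, here is a toy Python model of it, added for this page and not Apple’s code or a description of Apple’s implementation: each account is represented by a random number, clips are stored under that number rather than the account, the number is removed from a clip after about six months, and the disassociated clip is deleted after a further 18 months. The day counts used for “six months” and “24 months”, the review date, and the three sample clips are constructed assumptions.

```python
import secrets
from datetime import date, timedelta

# Retention schedule modelled on the Wired excerpt. The day counts are our
# approximation of "six months" and "six plus eighteen months".
DISASSOCIATE_AFTER = timedelta(days=183)   # ~6 months: drop the user number
DELETE_AFTER = timedelta(days=730)         # ~24 months in total: delete the clip

REVIEW_DATE = date(2014, 11, 1)            # constructed "today" for the sample run


class VoiceClipStore:
    """Toy back end: clips are keyed by a random user number, never by the account."""

    def __init__(self):
        self._user_numbers = {}   # account identifier -> random user number
        self.clips = []           # dicts with recorded_on, user_number, transcript

    def user_number_for(self, account: str) -> int:
        """Return the stable random number that stands in for this account."""
        if account not in self._user_numbers:
            self._user_numbers[account] = secrets.randbelow(2 ** 64)
        return self._user_numbers[account]

    def record(self, account: str, recorded_on: date, transcript: str) -> None:
        """Store a clip under the account's random number, not the account itself."""
        self.clips.append({
            "recorded_on": recorded_on,
            "user_number": self.user_number_for(account),
            "transcript": transcript,
        })

    def apply_retention(self, today: date) -> tuple:
        """Disassociate clips older than ~6 months; delete those older than ~24 months.

        Returns (disassociated_count, deleted_count).
        """
        disassociated = deleted = 0
        kept = []
        for clip in self.clips:
            age = today - clip["recorded_on"]
            if age > DELETE_AFTER:
                deleted += 1
                continue
            if age > DISASSOCIATE_AFTER and clip["user_number"] is not None:
                clip["user_number"] = None
                disassociated += 1
            kept.append(clip)
        self.clips = kept
        return disassociated, deleted


def build_sample_store() -> VoiceClipStore:
    """Constructed sample: three clips from one fictional account."""
    store = VoiceClipStore()
    account = "user@example.test"
    store.record(account, date(2012, 6, 1), "directions to the courthouse")
    store.record(account, date(2014, 3, 1), "call the client's office")
    store.record(account, date(2014, 6, 1), "what is on my calendar tomorrow")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print("disassociated, deleted:", store.apply_retention(REVIEW_DATE))
    for clip in store.clips:
        print(clip["recorded_on"], clip["user_number"], clip["transcript"])
```

What the model makes visible is the limit the next paragraph raises: removing the user number takes the account identifier off the clip, but the recording and its transcript survive for the rest of the retention period, so anything identifying in the audio or the words themselves is still there.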

Laws governing the right to privacy in this arena are still uncertain. This is another example of technology advancing faster than legislation can be written and passed. Voice prints based on voice patterns (similar to fingerprints) can be matched and files can be collected regardless of how voice files are associated with users. Computing power has advanced to the point where this type of data crunching is feasible.

Now why should companies care? The answer depends on the data that you’re trying to keep safe from prying eyes, even the government’s. What if you’re a law firm, an accounting firm, or some other form of financial services firm? Your confidential client data could be at risk from prying eyes. Since questions and answers are stored on your mobile devices as well as on the providers’ servers, anyone who gets their hands on your devices can see what you’ve been asking and the answers you’ve been receiving. By the same token, the information on those servers could be compromised by law enforcement – either by accident or intentionally – possibly bypassing attorney-client privilege, or eventually by hacking.

On one hand, you may have nefarious individuals stealing your devices and discovering partial transcripts of questions you’ve asked, such as, directions to a specific location. This might include a client meeting on a regular basis. Or on the other hand, your data could be at risk by way of servers, which could be searched or even hacked – and your information could be compromised that way.

Where does BYOD fit when it comes to voice search? Consider the increasing use of personal devices for work and at work; once you add all the voice activity into the equation, your management team may think twice about the viability of BYOD. If employees ask questions that relate in some way to their work product, confidential data can easily be saved on servers where it should not be stored.

When it comes to technology, every time that something good is developed, someone evil tries to penetrate it, whether in the form of a hacker or by an abuse of power. All data is at risk in one way or another, but where voice search is concerned, remember what your parents told you, think before you speak.

Image Credit: Courtesy of stockimages via FreeDigitalPhotos.net


Is Your Business Ready for the Cloud?

Cloud Computing Cartoon by Ted Goff

These days, wherever you go, there’s always someone extolling the virtues of cloud computing. How often has someone at your monthly C-Suite meeting said, “Cloud computing is the answer to XYZ?” But then the conversation takes an unintended turn, and the focus never returns to defining either the question or the answer.

According to Wikipedia, cloud computing is “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).”

Is your business ready to move to the cloud? Has your leadership team discussed all the benefits and ramifications of moving data to the cloud? How should your IT department get involved with managing your data in the cloud?

The integration of cloud computing as a one-stop solution (or, in modern tech-speak, software as a service, platform as a service, infrastructure as a service, and so on) needs clearly defined objectives and a plan of execution in order for your business to benefit from the cloud.

Before moving to the cloud, there are five important issues you must consider:

PRODUCTIVITY:
How will cloud computing assist your employees to improve their productivity? Will you move email access to the cloud? Will you move data to the cloud so that employees can access their documents and work from various locations simultaneously?

COST:
Is moving data to the cloud a cost-effective option for your business? If you have separate budgets for software and hardware, do you have a line item for cloud computing? Prices change depending upon the type of cloud required and also based on your specific needs, depending on your industry and data. With some cloud services, such as Infrastructure as a Service, you need to purchase more bandwidth than you currently use in order to allow for growth and/or heavy-use periods. There are costs involved for quality products, and you need to understand the differences in the available options.

EASE OF USE and SECURITY:
Will all of your employees require access to the cloud? Also consider off-site employees. It’s a wonderful concept for employees to have access to their work product from anywhere, but what will happen if a virus or an intrusion causes catastrophic data loss? Do you have a disaster recovery plan? You need to know how your cloud provider will handle backups, or whether your company will be responsible for them. For critical infrastructure or data, it might be wiser to keep the hardware or data in-house. As it is getting easier to hack into networks, cloud hacks will only get easier. Given that the “cloud” is really nothing more than your data on someone else’s servers, albeit with better security (hopefully), you don’t have full control of your data. Finally, strict password policies should be in place for everyone. Keep in mind that it is going to be much easier to hack through your cloud data or infrastructure if it is located centrally as opposed to being spread out over many systems. And on the topic of security, what would happen if your data were breached in the cloud? Would you have a backup somewhere else that is easily accessible?

COMPLIANCE:
If your business must adhere to legal and other compliance regulations (such as the PCI Data Security Standard, Sarbanes-Oxley (SOX), and HIPAA), you may not legally be able to store data in the cloud. Even if you are allowed to store data in the cloud, you may only be able to store it within state lines, so when you evaluate cloud vendors, add a statement to your SLA (Service Level Agreement) that your data must be kept in data centers within state lines. Check with your legal department before moving forward with any decisions about cloud computing.

OUTAGE:
You may recall a big story in the news back in October 2012. Amazon Web Services, a cloud computing provider, went down in the Southeastern part of the United States, and as a result, users who had stored their data with the company were unable to access their files. If something like this were to happen to your business, how long could you afford to “be down”? Do you have a business continuity plan in place? What alternative would you have for accessing your data and communicating with customers and prospective customers?

According to a recent study conducted by the IBM Center for Applied Insights, cloud’s importance to business users is expected to grow to 72%, exceeding its importance to IT users at a mere 58%.

Now you’re ready to answer the question: is your business ready to move to the cloud?

__________________

To learn more about IaaS, PaaS, and SaaS:
http://en.wikipedia.org/wiki/Cloud_computing

Check out these cloud computing Pins on Pinterest:
http://www.pinterest.com/tips4tech/cloud-computing/

Click to see a comprehensive list of Cloud Computing Providers:
http://en.wikipedia.org/wiki/Category:Cloud_computing_providers


Image Credit: Thanks to Ted Goff for use of his cartoon with this post. Check out Ted’s work at http://www.tedgoff.com.

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Does Your Business Conduct Regular Security Audits? Here Are 3 Tips


Thanks to the numerous security breaches in the news, the C-suite members of your business should be thinking about regular security audits. Size does matter: the more employees you have and the more data you generate, the more critical regular security audits become to the long-term stability of your business. And remember, no one is immune to a data breach.

Wondering where to start? Check physical security first. Then work your way in. The simplest way to steal data is to steal the device where it’s stored. You would be surprised by the number of businesses that don’t do the easy things. They forget to lock their windows or doors. They forget to set alarms, and if they have cameras, they forget to check to see if they’re in working order. These are all easy fixes.

Train your staff to question any stranger who walks around your offices unescorted. You should have a plan in place that might include emailing all employees to alert them to new hires, including the location of the new employee’s desk, cubicle, or office so the newcomer doesn’t get hassled.

Most employees assume – often incorrectly – that someone else will take action. I’ve heard stories of employees noticing strangers walking around, doing nothing, and laptops going missing. This could have been stopped.

Now let’s move to the inside – into COMPUTER NETWORKS:

For those of you who do not know what Active Directory is, Wikipedia describes it as “a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services. An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network – assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.”

Active Directory is a powerful tool that a business of any size can run in a client/server environment to control who has access to what and to keep employees from accessing files, folders, and other network objects that they should not have access to. This principle is referred to as “least privilege.”

Auditing Active Directory requires a team effort between HR and IT, so that the IT department knows who has been fired, demoted, or promoted. Knowing about these changes lets the IT department use Active Directory to adjust file access or delete employee accounts. One of the biggest problems businesses encounter is when people leave: too often, IT is unaware of the change in employee status, and as a result the accounts remain active, allowing former employees to access files or the business intranet after their departure or termination.

Now let’s look at something that requires almost daily attention: PASSWORD POLICIES:

Do you have a policy that forces employees to change their passwords on a monthly or quarterly basis? Depending on your business, your industry, your compliance requirements, and the type of data that your employees access, you might want them changed every thirty, sixty, or ninety days. This can also be enforced through Active Directory, which can force users to change their passwords at the chosen interval. Changing passwords regularly is also important for your vendors.
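The HR-to-IT reconciliation described in the Active Directory paragraph above, together with the password-age check from the password policy paragraph, is the kind of audit that is easy to script once you have an account export and an HR extract side by side. The following is an added example and not code from the original post: the account records, the HR roster, the usernames, the audit date and the 60-day stale-logon threshold are all constructed for this example, standing in for a real AD export (for instance from PowerShell’s Get-ADUser) and an HR system extract. The 90-day maximum password age is the longest interval the post mentions.

```python
"""Reconcile an Active Directory user export against the HR roster.

Added example, not code from the original post. The account records and the
HR roster are constructed sample data; field names, sample users, the audit
date and the 60-day stale-logon threshold are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    password_last_set: date
    last_logon: Optional[date]  # None: the account has never logged on


@dataclass(frozen=True)
class Employee:
    username: str
    status: str  # "active" or "terminated"


MAX_PASSWORD_AGE = timedelta(days=90)  # the longest interval the post mentions
STALE_LOGON = timedelta(days=60)       # assumed threshold for this example

# Constructed sample data: what an AD export and an HR roster might contain.
SAMPLE_ACCOUNTS = [
    Account("jsmith", True, date(2013, 5, 15), date(2013, 5, 31)),
    Account("rjones", True, date(2013, 2, 1), date(2013, 5, 30)),
    Account("mlee", True, date(2013, 4, 1), date(2013, 3, 1)),
    Account("kwong", False, date(2012, 1, 1), date(2012, 12, 1)),
    Account("svc_backup", True, date(2012, 6, 1), date(2013, 5, 31)),
    Account("tnguyen", True, date(2013, 5, 1), None),
]
SAMPLE_ROSTER = [
    Employee("jsmith", "active"),
    Employee("rjones", "active"),
    Employee("mlee", "terminated"),
    Employee("kwong", "terminated"),
    Employee("tnguyen", "active"),
]
AS_OF = date(2013, 6, 1)  # constructed audit date


def audit_accounts(accounts: List[Account], roster: List[Employee],
                   today: date) -> Dict[str, List[str]]:
    """Return finding category -> sorted usernames.

    terminated_still_enabled: HR says the person left, AD still lets them in
    unknown_to_hr:            account with no HR record (orphan or vendor)
    password_past_policy:     enabled account whose password exceeds the max age
    stale:                    enabled account with no logon inside STALE_LOGON
    """
    by_user = {e.username: e for e in roster}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [], "unknown_to_hr": [],
        "password_past_policy": [], "stale": [],
    }
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            findings["unknown_to_hr"].append(acct.username)
        elif emp.status == "terminated" and acct.enabled:
            findings["terminated_still_enabled"].append(acct.username)
        if not acct.enabled:
            continue  # a disabled account cannot log on; nothing more to flag
        if today - acct.password_last_set > MAX_PASSWORD_AGE:
            findings["password_past_policy"].append(acct.username)
        if acct.last_logon is None or today - acct.last_logon > STALE_LOGON:
            findings["stale"].append(acct.username)
    return {k: sorted(v) for k, v in findings.items()}


def run_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample data."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AS_OF)


if __name__ == "__main__":
    for category, users in run_sample().items():
        print(f"{category}: {', '.join(users) or '-'}")
```

The “unknown to HR” category is the one most often skipped: service accounts and vendor logins have no HR record, so they need an owner and a review date recorded somewhere else, or they silently outlive the project that created them.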

Another thing that’s easy to do and often overlooked is changing the default passwords that come on many (if not all) hardware devices. In all my years of working in the security industry, you’d be surprised by the number of times I’ve encountered devices that still have their default passwords active. Manufacturers do this for ease of use: they would rather you be able to set up your new device easily than force you to devise a complex password before you install it.

Don’t overlook PENETRATION TESTING:

Lastly, something that’s often overlooked but should be done is to close all of the unused ports on your firewalls. With unused ports open, attackers have easy access to your network. They start an attack with a routine called port scanning, looking for vulnerabilities behind open ports. Port scanning is part of the “routine” used to gather information about your company, and it is also the first step of penetration testing: attackers (although hopefully your business and tech experts first) try to penetrate the defenses of your business. Of course, there are many more complex ways to develop pen-testing programs, and in fact some businesses specialize in pen-testing, but as a midsized business, tackle these areas either by yourself or with professional help, so that you’re better prepared for a possible data breach.
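Before anyone scans your perimeter, the cheaper check is to read your own firewall rules and compare what they admit against the list of services you actually run. The following is an added example, not code from the original post or any product: it parses two constructed rule listings in the syntax that `iptables -S INPUT` prints (the weak one with an ACCEPT default policy and stray rules, and a hardened one with a DROP default and only approved ports), and reports the ports that are open but not on an approved-services inventory. The inventory, rule sets and port numbers are assumptions for this example.

```python
"""Audit inbound firewall rules against an approved-services inventory.

Added example, not from the original post. Both rule listings are constructed
samples in iptables-save syntax; the approved inventory is an assumption.
"""
import re
from typing import Dict, Optional, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed weak listing: ACCEPT by default, RDP, SNMP, a test port range.
WEAK_RULES = """\
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8010 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
"""

# Constructed hardened listing: DROP by default, only the approved services.
HARDENED_RULES = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
"""

# Assumed inventory: SSH for administration plus the public web site.
APPROVED: Set[Port] = {("tcp", 22), ("tcp", 80), ("tcp", 443)}

PROTO_RE = re.compile(r"-p\s+(tcp|udp)")
PORTS_RE = re.compile(r"--dports?\s+(\S+)")   # matches --dport and --dports


def expand_ports(spec: str) -> Set[int]:
    """'80,443' -> {80, 443}; '8000:8010' -> every port in the range."""
    ports: Set[int] = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def accepted_inbound(rules_text: str) -> Set[Port]:
    """Return every (proto, port) that an ACCEPT rule in INPUT admits."""
    opened: Set[Port] = set()
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        proto, ports = PROTO_RE.search(line), PORTS_RE.search(line)
        if not proto or not ports:
            continue  # loopback/conntrack rules expose no port by themselves
        for p in expand_ports(ports.group(1)):
            opened.add((proto.group(1), p))
    return opened


def default_policy(rules_text: str) -> Optional[str]:
    """The chain policy from the '-P INPUT ...' line, if present."""
    m = re.search(r"^-P INPUT (\w+)", rules_text, re.MULTILINE)
    return m.group(1) if m else None


def audit(rules_text: str, approved: Set[Port]) -> Dict[str, object]:
    """Flag a non-DROP default policy and any accepted port not approved."""
    unapproved = sorted(accepted_inbound(rules_text) - approved)
    return {"default_deny": default_policy(rules_text) == "DROP",
            "unapproved": unapproved}


def audit_sample() -> Dict[str, object]:
    return audit(WEAK_RULES, APPROVED)


def audit_hardened() -> Dict[str, object]:
    return audit(HARDENED_RULES, APPROVED)


if __name__ == "__main__":
    for name, result in (("weak", audit_sample()), ("hardened", audit_hardened())):
        print(f"{name}: default deny={result['default_deny']}, "
              f"unapproved={result['unapproved']}")
```

A DROP default policy matters as much as the individual rules: with an ACCEPT policy, every port that no rule mentions is open, so “closing unused ports” is only finished once the default is to deny. Feeding the script the real listing from a host lets you run this review on a schedule instead of waiting for a scan to find the gap.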

__________________
Image Credit: Ambro via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Address Books, Webmail and the Cloud


To all businesses who use address books on Webmail: stop and learn why your data may be at risk. Instead of Webmail, use a third-party email client such as Outlook or Thunderbird.

Recently, I was hacked. No one is immune – even those of us in the infosecurity field can get hacked. The situation occurred in an email account that I use for professional correspondence outside of my day job.

I have a client in the medical profession who uses Gmail for his email correspondence, and recently, the doctor was hacked. He keeps all of his patient email addresses as well as friends and family in the same account. One day, I received an email from him. There was nothing in the subject line, no salutation, and no content in the email whatsoever. The only thing in the body of the email was a link to a website.

The other items I noticed that caused immediate concern were in the TO line: all of the email addresses that received the email were visible. I had access – anyone had access for that matter – to every address in my client’s address book. And of course, there was a link to some unknown website.

Hopefully, no one fell for the ruse and clicked the link. At that time, the HIPAA compliance regulations had not fully taken effect because the doctor did not report the breach. But since he was a medical professional, there may have been penalties involved. I immediately emailed him and told him he’d been breached, and then, I called and also left a voice message – in the event that he could not access his email. A few days later when he returned from vacation, he called me and confirmed my diagnosis: yes, he had been breached.

I use a third-party application, Thunderbird. I do not include any addresses in my Webmail account. When my ISP discovered the breach, they shut down my account and notified me. Since none of my contacts were accessible as a result of the breach, none received the bogus email, and my personal brand remained intact.

It’s a lot easier for hackers to break into cloud-based email systems because there are far more vulnerabilities in them. Also, the ROI for breaking in is much higher due to the quantity of potential targets. The more people who visit the same place (for example, Yahoo! website to access Yahoo! mail or Google to access Gmail) to access their information, the more chances a hacker has of breaching an account and causing severe damage to a large number of users.

These days, everyone keeps some form of personal and professional data in the cloud. It makes life easier, it makes access to data quicker, and you can reach it from anywhere. But, as a midsize business, isn’t data protection more important than easier access to data? Add extra layers of protection to your data. Generate complex passwords for employees to use, and change them regularly. Also make sure that only the appropriate employees have access to the data.

Society tends to take the ease-of-use path when it comes to security, which makes the job harder for those of us who work in security. While we’ve taken a giant leap backward in both security and privacy, one way to beat the hackers is to keep your email contacts off Webmail; that is one less worry if your Webmail account gets breached.

____________
Image Credit: digitalart via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.
