A Cheat Sheet to Translate InfoSecurity for Key Business Units

As a result of working with many different business units over the last decade, I’ve developed my ability to help companies by bridging the business and technology gap – and align technology strategies with business objectives. Toward that end, I have devised scenarios detailed below that translate infosecurity concepts into languages that team members can understand based on their specialty areas.

My goal is to initiate a dialogue between business unit managers so that we may work as a team to mitigate internal and external threats. The truth is, without awareness, buy-in, and participation by all business units, companies will not engage all employees in the company-wide objective of practicing infosecurity. Throughout this post, I talk about “IT departments,” but remember that this department encompasses a lot of different areas of expertise. The IT department of the old days no longer means simply fixing computers and setting up networks.

MARKETING & PUBLIC RELATIONS
Since this team is responsible for building brand equity, communicating competitive advantages, and interacting with members of the media, they speak a totally different language than those of us in the IT space. So, in order to train these folks to be smart computer users, I use this situation: You write a 20-page annual report, tweak all of the graphics, add all the financial data, and are ready to send the file to the printer. The IT department is called in to check the marketing department’s files on the shared server, because at some point someone in the marketing department took a graphic from an insecure website at home and transferred it via a USB drive or BYOD device. Since that user’s own device did not have up-to-date malware protection when the image was added to the document, the virus came along with the document. Now, not only is that file corrupted, but files from other departments also stand to be corrupted. And, to add insult to injury, the entire project has to be redone.

SALES
This is the group of team members who live on the road and in the field. They need their tech tools to work 24/7/365. A major challenge is the use of BYOD in today’s business environment. So not only do employees have work product on their laptops or other devices, but they also have personal information on them too. Because these devices serve multiple purposes, there is a greater chance that they will be either (a) stolen or (b) infected. The more time those devices spend out in the open, the greater the possibility of theft. The more they are used for personal pleasure, the less likely their malware signatures are kept up to date, and the less vigilant the user may be. People tend to drop their guard when it comes to personal devices.

Finally, every device, especially those containing confidential sales data, should be encrypted. While encryption may be better tolerated in a business environment than on a personal device, that is no excuse not to use it on personal devices used for business. People want to whip out their devices to take pictures or send texts, and they don’t want to deal with entering a password before gaining access to the device. As a result, people may try to disable password protection, which defeats the reason a password was added to the device in the first place.

So, here is a situation that they can easily understand: You are driving to an important meeting with a prospective customer, and upon arrival at the meeting, you get a phone call from a customer with a question. Still in your car, you turn on your device to check the customer’s account. But wait. Instead of starting normally, it shows a blue screen of death or its equivalent. What happened? Perhaps all of those social media games or apps that you have been playing on your device opened a door to a virus or malware. Of course, there are countless other possibilities, but for employees who work on the road, their systems need to be as clean as possible.

CUSTOMER SERVICE
In the majority of companies, this is the group of team members who answer phones and respond to emails. Their job is to provide solutions to customer complaints or issues. So, their computers, phones, and all other tech tools, from smartphones to other mobile devices, need to be in top-notch condition. Here’s a situation that these team members would prefer to avoid at all costs: A customer calls and complains about a certain product or product feature. Now, while you (the customer service rep) are on the phone with the customer, your system crashes, and you cannot access your product spec list, your email (to communicate with your customer), or your CRM system. After the IT department checks out your machine, some unpleasant information is discovered. Your browser history shows that you spent a large amount of time logged into Facebook and other social media sites several times during the day, and unfortunately, these unsanctioned activities welcomed a virus or two or three.

ACCOUNTING
These team members deal with all aspects of a company’s financials, so all of their software must be virus-free. Here is a scenario that members of this department have nightmares about: In the middle of payroll preparations, the entire system goes down. The IT department doesn’t have a quick fix. The toll-free customer service department for the software doesn’t have a quick fix. And, if a solution is not reached soon, payroll will not happen. Now, while this scenario may have nothing to do with a company’s network, the IT department must jump on the problem immediately and intervene as a liaison and partner with the software vendor’s customer service department. Of course, in the background, if the IT department is doing its job correctly, and the business unit has been working with IT, which is just as important, there should be backups and a disaster recovery plan that will get the department back up and running quickly. But priority one in this situation is for the finance group and the IT department to work together and understand one another.

HUMAN RESOURCES/PERSONNEL
Whatever name you give this department, it is responsible for all personnel activities ranging from hiring to firing to team building to holiday parties, etc. One might think that the computers housed in this department would be kept under lock and key, since they house all employee records. But often, that is not the case. Here is a situation that really happened not too long ago: An employee from HR left for the day without closing and locking his office door. Some consultants who worked in another department entered the HR office, unplugged the laptop, and walked out of the building with it. While this seems like a simple theft, a password to access the hard drive and encryption to scramble it could have stopped access to the data. But there were no passwords on the machine, and it was not encrypted. Identity theft occurred for the hundreds of employees whose files and performance reviews were housed on that specific machine.

PRODUCT DEVELOPMENT
Imagine you have a hot new product in the pipeline and it might possibly be the next technology game changer, for example, the next iPod. You have all of your tech specs, design info, and all of your manufacturing processes on a network that’s not air-gapped. Someone in your department downloads a free game, which turns out to be a Trojan that creates a back door into your network, or in other words, a way to get into systems without the proper authorization. One day, you come into the office, and all of your data is corrupted, and nowadays even worse, it’s been disseminated on the Internet or stolen by a person or nation-state. No regular backups were made, and poof, two years of your life as well as the next “product of the year” goes down the drain. This is an example of corporate espionage at its worst and the reason why no one should be allowed to download unauthorized materials from the Internet on any office computer. This is where the IT department needs to really shine by learning how to teach different business units about security awareness.

The bottom line is that we, as infosecurity professionals, must speak with other business units in their own languages. If we can achieve this, then employees in other business units will understand why security is important to them, how security relates to them, and how they will be affected when breaches happen. And once all business units work as a team, the business is better protected.

Image Credit: David Castillo Dominici via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Cloud vs. Mobile: Can They Co-Exist?

IBM recently published an Infographic featuring the following statistics: “68% of top CISOs and security leaders see security in the cloud and data privacy as a critical business concern yet 76% are worried about the theft of mobile devices and the loss of sensitive corporate data.” These stats would indicate that cloud and mobile devices/mobile data cannot co-exist. Yet, for the small and medium business (SMB) market, cloud computing and mobile device management (MDM) have become synonymous with doing business.

Many businesses that comprise the SMB market have adopted, integrated, and even welcomed mobile devices into their day-to-day operations. Often, this is because leadership teams believe that the cost of doing business will go down if employees provide their own mobile devices. There is no denying that business is easier when employees can access their spreadsheets and other documents from off-site and non-business hours from their smartphones and tablets.

Some businesses have gone the extra mile and created and implemented mobile device management plans – or in other words, business continuity plans if and when something unforeseen happens. This means that the businesses are prepared if an employee’s device is lost or stolen, or if the worst case scenario happens and someone either sells the data to a competitor or the network gets hacked through the device.

But is cloud computing a fit for every business? Certainly, it’s important to consider what industry your business is in and what compliance issues your industry must face. Some industries are more appropriate for capturing data in the cloud, and some are not. For instance, medical patient data is still a relatively new area within the infosecurity arena, and there are too many ramifications if a single practitioner, for example, a psychiatrist, places all of her data in the cloud via her smartphone – and then loses her smartphone that isn’t encrypted. This falls under the HIPAA regulations which are becoming very strict. On the other hand, it may make sense for real estate firms to store data about their properties so that other agents can access property info.

Above all, if your business is contemplating using the cloud, answer these questions first and make sure your entire leadership team understands the answers:
• What is your strategy for storing data in the cloud?
• What data will be stored in the cloud?
• Who will have access to the data in the cloud?
• How long will data be stored and accessible in the cloud?
• Will the business provide mobile devices?
• What security procedures are in place to protect the data stored and/or accessed on employee devices?
• What are the ramifications if data is hacked?
• What procedures are in place to rectify the situation if data is hacked?
• What compliance regulations must you follow?

What other questions would you add to this list? Please chime in.

View IBM’s Infographic here:
http://www.ibm.com/smarterplanet/global/files/us__en_us__cia__ciso_infographic_cloudmobile_v3.pdf

Image Credit: iprostocks via FreeDigitalPhotos.net



Is Privacy More Important to the Media, Businesses or Consumers?

There is no denying that businesses need to be more diligent in protecting their customers’ data, but with all the data breaches publicized in the mainstream media, who cares more about privacy? What do you think: businesses or consumers?

Despite the many data breaches, consumers continue to provide their Personally Identifiable Information (PII) to medium size businesses. At the top of the list, this confidential information may include full name (first and last), home address, phone numbers, and email address. Depending on the business, requested information may also include social security number, date of birth, place of birth, gender, passport number, driver’s license number and state, vehicle registration plate, financial transactions, bank accounts, credit card numbers, criminal background, fingerprints, medical history, name of schools attended, and current employer or previous employers.

What is different about protecting PII compared to any other data and how should PII be protected? According to the “Guide to Protecting the Confidentiality of PII” published by the National Institute of Standards and Technology of the U.S. Department of Commerce:

“In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity, and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy specific safeguards, such as, anonymization, minimization of PII collection, and de-identification. In addition to protection requirements for PII, there are other requirements for the handling of PII. The Fair Information Practices provide best practice guidelines, such as, Purpose Specification, Use Limitation, Accountability, and Data Quality. Moreover, the factors for assigning a confidentiality impact level to PII are different than other types of data. Breaches to the confidentiality of PII harm both the organization and the individual. Harm to individuals should be factored in strongly because of the magnitude of the potential harm, such as identity theft, embarrassment, and denial of benefits.”

But consider this: many – and some might argue too many – consumers willingly provide their PII to businesses without much thought to how it may be used and stored. What happens every time someone visits a supermarket? Their rewards card gets scanned, and the store IMMEDIATELY knows who they are, where they live, what their phone number is, what their email address is, and most importantly, what they purchased. The same thing happens at gas stations, restaurants, and other brick-and-mortar venues – as well as online.

Does your business have a rewards or loyalty program? If yes, what PII do you request? Do you explain why you request specific PII? How do you communicate with consumers to let them know you value their privacy and data as much as they do? How often do you communicate with your consumers to update the information and update your review and/or purge of PII?

Answers to these and related questions should be a high priority and involve your entire leadership team. These discussions should not be delegated to the network admins of your IT department because when a breach happens, you, as a member of the leadership team, don’t want to be surprised. You will want to vividly recall all the protocols you put into place, the bullet points and/or press release drafts you wrote, and the key media people you want to reach out to.

Above all, you want your business to be proactive and transparent to consumers. Your decisions will allow your business to be in a better position to survive a breach.

Read More:

PII definition by Wikipedia:
http://en.wikipedia.org/wiki/Personally_identifiable_information

Guide to Protecting the Confidentiality of PII published by the NIST of U.S. Dept. of Commerce:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

“Why Big Companies All Have Loyalty Programs”
http://blog.fivestars.com/big-companies-loyalty-programs

“Survey Shows You Don’t Care About Privacy As Much As You Think You Do” by Joshua Steimle (@donloper)
http://www.forbes.com/sites/joshsteimle/2014/11/07/survey-shows-you-dont-care-about-privacy-as-much-as-you-think-you-do

Privacy Rights Clearinghouse – to learn about the latest data breaches:
http://www.privacyrights.org/data-breach

Image Credit: Supertrooper via FreeDigitalPhotos.net



What Can Your Business Learn about #Privacy from the UK Direct Marketing Association?

It seems as if a day doesn’t go by without notification by the media of a major data breach. If you’re a member of the C-Suite of a midsize business, you probably spend a good deal of time thinking about how to protect your data as well as your business reputation.

I recently read some surprising news from a British marketing group (1) and offer it as a lesson for all businesses – no matter where your corporate headquarters may be located and how many offices you may have. In August 2014, the UK Direct Marketing Association released a new privacy code of practice to address customer concerns about data privacy. The link for the entire code is provided below (2), but the code focuses on five key principles:

[1] Put your customer first
[2] Respect privacy
[3] Be honest and fair
[4] Be diligent with data
[5] Take responsibility

While we all receive too much direct mail, this attention to our privacy brings the discussion about customer data to the forefront. As a result, there can only be positive outcomes:

[1] Businesses will implement stricter protocols regarding data protection
[2] Businesses will implement quicker disaster recovery procedures
[3] Businesses will alert customers immediately upon learning of a breach – as opposed to having the media share the news
[4] Businesses will inform law enforcement agencies
[5] Businesses will call in third-party forensics teams to determine the size of the breach and develop protocols to mitigate future breaches

If you suspect a breach or just want to keep current on the latest breaches, visit the list provided by the Privacy Rights Clearinghouse, whose tagline is “Empowering Consumers. Protecting Privacy.” (3)

Lastly, here’s something else I found surprising: if a member of the UK’s Direct Marketing Association breaks this new privacy code, the member will be expelled from the association. Don’t you think all businesses would spend more time and money protecting their customers’ data if there were more significant ramifications than just the equivalent of a slap on the wrist by the media? I welcome you to chime in.

(1) UK Marketing Trade Body Unveils New Code to Address Privacy Concerns:
https://privacyassociation.org/news/a/uk-marketing-trade-body-unveils-new-code-to-address-privacy-concerns/

(2) UK DMA Privacy Code:
http://www.dma.org.uk/uploads/Interactive-code-for-web_sept-11_54119ad59a64b.pdf

(3) Privacy Rights Clearinghouse:
http://www.privacyrights.org/data-breach/

Image Credit: Courtesy of Stuart Miles via FreeDigitalPhotos.net



Top 10 Tips to Share with Employees During Cyber Security Awareness Month (#NCSAM)

There is no dispute that data breaches are becoming more common, and as a result, online safety and the protection of personally identifiable information (PII) are hot topics in the mainstream media. Therefore, the month of October presents an excellent opportunity for all businesses, especially midsize businesses, to remind employees about their responsibilities when it comes to protecting corporate data.

Here are my top ten tips to share with employees during Cyber Security Awareness Month:

[1] Complex Passwords
All passwords should be at least 10 characters and include lower and upper case letters, numbers, and symbols. If your employees need assistance in creating complex passwords, share this password strength evaluator from Microsoft’s Safety and Security Center:
https://www.microsoft.com/security/pc-security/password-checker.aspx

[2] Browser Security
Make sure that employees use secure browser connections when accessing company webmail from offsite and from mobile devices, which means the browser is connecting over HTTPS and not HTTP. Also use a sandbox program that will keep viruses and malware from entering the computer through the browser. A few examples of sandboxing tools include Sandboxie, VirtualBox, and BitBox.

[3] Abbreviated Links
Before clicking on any abbreviated links, determine the entire URL. Here’s a site to assist your team: http://urlxray.com/

[4] Emails and Attachments
Make it a practice to NOT open emails and attachments (especially JPEGs) from unknown senders, and do not use Preview Pane, because it’s akin to opening emails.

[5] BYOD Policy
Implement a Bring Your Own Device (BYOD) policy and train employees on the whys and why-nots. And, make sure that your leadership team also abides by the policy. In addition, the leadership team and IT Department should create the policy together.

[6] Social Media Policy
Implement a social media policy and train employees so that everyone understands who maintains the official voice of the company on all social media platforms. Make sure that departments understand who maintains the social platforms, because you don’t want departments fighting it out in public. Also state whether employees are required to include “Views are my own” in their bios if they reference the company name in their profiles. Above all, remind employees that once they post something online, it takes on a life of its own and cannot be removed. Therefore, it’s critical that they abide by the mantra that they should not post anything that they would not want their boss or grandmother to see online.

[7] Disaster Recovery Plan
Implement a disaster recovery plan and train employees on a regular basis so that everyone knows how to access corporate data in the event of a disaster and the planned amount of time that data may not be accessible.

[8] Cloud Computing
In today’s era when everyone uses the cloud, develop a plan for what employees can store in the cloud. There should be a policy for storage and for access. For example, it may make sense for some documents to be stored in the cloud so that many employees can access the same document, but it may not make sense for entire departments to access the document or for some documents to even be stored in the cloud.

[9] Non-Approved Software
Seen any good games lately? I’m sure your IT Department has. Employees always try to circumvent sysadmin controls and download unapproved software. Make sure that your company’s user permissions do not allow any software to be installed before it is reviewed and approved by the IT Department. You certainly don’t want any mysterious software to wreak havoc on your network.

[10] Back Up
Lastly, remember, it’s not if you lose your data, but when, so back up, back up, back up.

Here’s to a safe Cyber Security Awareness Month!
_____________________

To learn about how your team can participate in activities throughout October, visit the website of the Department of Homeland Security:
http://www.dhs.gov/national-cyber-security-awareness-month-2014

The National Cybersecurity Alliance’s mission is to educate and empower a digital society to use the Internet safely and securely at home, work, and school – protecting the technology that individuals use, the networks they connect to, and our shared digital assets. Learn more at:
http://www.staysafeonline.org/ncsam/

“A Penny for Your Privacy?” by Chris Taylor and Ron Webb via @HarvardBiz
http://blogs.hbr.org/2012/10/a-penny-for-your-privacy/

_____________________

Image Credit: ddpavumba via FreeDigitalPhotos.net



Are You Integrating Security into Your Celebration of #CXDay?

Is the first Tuesday of October marked as a special date on your calendar? If not, the significance around social channels will alert you to this hashtag. The second Tuesday in October is #CXDay, and according to Annette Franz (@CXJourney on Twitter), “It’s a celebration of customer experience professionals, those folks who work tirelessly to design and deliver a great customer experience to their customers. The day is meant to continue to raise awareness of the importance of the customer experience.”

My grad school studies were in marketing, so while my professional focus may not be customer service or marketing, I am able to clearly see the alignment between the marketing and technology functions within a business. First, who are the IT Department’s customers? While we often don’t think about this, we in the IT world serve employees within other internal departments: Human Resources, Finance, Research and Development, Manufacturing, Marketing/PR, Sales, Customer Service, Legal, etc. On the other side of the coin, we also serve external customers, since we maintain the web servers, websites, and networks that bring products or services to them. So, when you think about it, we really are a piece of the pie that delivers service.

As a midsize business, how will you celebrate Customer Experience Day? Will you send your customers an email thanking them for their business? Will you send them a discount on a future purchase of your product or service? Will you hold a party or some other big function to recognize and thank your customers? Or, will you give your employees movie tickets or cash bonuses?

No matter how you recognize the customer experience that your business provides, don’t forget to integrate SECURITY. The core of recognizing your customers is showing them that you value them and their business – and the most important way you can do that is to protect their data. In today’s era of data breach announcements hitting the news almost on a daily basis, show that you truly value your customers. Let them know on Customer Experience Day how you protect their data – send them an email highlighting your data protection policies, your online privacy policy, and your data recovery policy. Knowledge is power, therefore, letting your customers know how you protect their data may keep them from suing you later.

Since it gets harder and harder to stand apart from the competition, use Customer Experience Day as a way to stand out. Integrate security into your celebration and let your customers know that their data protection is just as important to YOU as it is to THEM.

To see how you can participate in #CXDay, click here:
http://cxday.org/2014/online-events.html

Image Credit: Stuart Miles via FreeDigitalPhotos.net



Don’t Forget Security When It Comes to E-Waste

With school back in session and Halloween just around the corner, the December holidays will soon be here. And with the December holidays quickly approaching, it’s time to start dreaming about all the new technology purchases on your holiday shopping list. But as you dream, what will you do with all your current devices? As you wonder where you’ll take your outdated smartphones, tablets, and desktops, either conduct a Google search for your nearest e-waste drop-off location or use a convenient app on your smartphone to find a location. But, whatever you do, take security precautions.

The term “E-Waste” applies to electronic equipment that is at the end of its useful life and cannot be thrown away by conventional means: TVs, computers, laptops, monitors, printers, cell phones, VCRs, copier machines, fax machines, scanners, DVD players, cameras, keyboards, mice, speakers, computer backup batteries, computer wires/cables, ink cartridges (empty or full), motherboards, servers, stereos, radios, and electronic games. TVs and computer monitors cannot be thrown into landfills due to their lead content. In 2008, there were 4.6 billion pounds of e-waste in the United States, but less than 900 million pounds (19%) of that waste was recycled.

There are places where you can drop off your equipment. Goodwill is one option and offers e-waste drop-off sites throughout North America. Another option is All Green Electronics Recycling, which is based in Southern California and has locations throughout the United States. All Green picks up electronics from homes and offices and also recycles the e-waste. All Green’s competitive advantage is that it offers data destruction options ranging from low-cost data wipes to the certifications required by the U.S. Government and military.

But before you say goodbye to your equipment, here are five quick security wipe reminders:

[1] For hard drives in desktop computers, laptops, or tablets: remove the hard drives and use a screwdriver, pliers, and hammer to take them apart and break the disks inside the case – that’s the only way to completely destroy the data. For external hard drives, destroy them or use military-grade wiping software – but a truly dead hard drive is one that has been taken apart.

[2] For cell phones: break the inside chips.

[3] For smartphones: use the security wipe features already built into the phones. See your product guide for details. There are also apps available for this purpose for iOS, Android, and BlackBerry.

[4] For copy and fax machines: remove the flash memory and destroy it.

[5] For all other equipment: check the manufacturers’ websites to find out the recommended ways to purge the memory.

Security is a serious business whether you’re a tech professional, a midsize business, or a tech enthusiast. Since you don’t want any of your data ending up in the wrong hands, do whatever you can to protect yourself. Don’t let the holidays bring you an unwanted gift: your data in the wrong hands, or a case of identity theft.


Image Credit: digitalart via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.


Don’t Forget Security When Developing Corporate Mobile Apps

With the rise in mobile device usage, bring your own device (BYOD) programs, and the Internet of Things (IoT), combined with the decline of personal computers, many corporate leaders believe that their businesses should develop a mobile application, or in tech lingo, an app.

An Appcelerator survey of enterprise leaders released in January 2013 reported that 73% of enterprises built fewer than five applications, and 39% built none or just one. (1) (2)

But does your business really need an app to be competitive, or do you simply want to be able to SAY you have one? Will an app fill a critical hole for your business, or will it add to the IT department’s list of items to regularly maintain and upgrade? Will an app reduce downtime for employees, provide a tool for customers to better interact with your business, or create an opportunity for innovation? Above all, what would be the security implications of a corporate mobile app?

The midsize market is blanketed by apps that allow industries to be more robust. For example, the real estate industry, the healthcare industry, and the entertainment industry are just a few of the many industries that use mobile apps to be more competitive and offer innovative ways for their customers to access their products or services.

But how does security fit in? For purposes of this discussion, let’s assume that you’ve done your due diligence and research and developed an app for your business. Now, when someone downloads your app, what type of information are you gathering about that customer? Once the app is installed, will it require access to any of the following: customer name and phone data, Wi-Fi data, location, call history, calendar, contacts, and browsing history? Your business will need a convincing explanation as to why you need any or all of these types of customer data. Since each of these touch points can be manipulated, what will you use the data for?

Then there is the question of your application’s code integrity (the code used to build your app). Although this may not be a concern to the end user, do you have adequate change management in place to ensure code consistency and integrity? Since Android has become the biggest playground for hackers, your app must be as bullet-proof as possible before hitting the “market,” whether internal or external. Your code must be checked on a regular basis and updated to fix flaws.

If developing apps is not your core competency, continuously monitoring your app may not be your first priority. However, this may come back to bite you if the app is compromised and your customers’ data ends up on the black market for anyone to buy. And if the data is your internal corporate data, intellectual property or confidential information may wind up in the wrong hands.

So before you decide to write your first line of code, be sure you have the proper internal change management process in place to fix bugs and keep up with the latest vulnerabilities. Alternatively, you can bypass the creation of a corporate mobile app for the short term. Without proper policies and procedures, that wonderful idea you have for a corporate mobile app might just bankrupt your business.

_____________________

Image Credit: KROMKRATHOG via FreeDigitalPhotos.net

(1) Statistics from the article “Why Your Enterprise Must Rethink Mobile App Development”:
http://www.wired.com/2013/02/why-your-enterprise-must-rethink-mobile-app-development

(2) Appcelerator app showcase:
http://www.appcelerator.com/customers/app-showcase

Here are some resources to check out before creating an app.

http://www.udemy.com/blog/making-an-app

http://experts.allbusiness.com/12-step-guide-to-building-your-first-mobile-app/11193

http://www.forbes.com/sites/allbusiness/2013/11/14/how-to-build-your-first-mobile-app-in-12-steps-part-2


Privacy, Security and Voice Search: Does Your Company Know What It’s Getting Into?


These days, everyone is using the voice search function across all platforms on all devices. Look no further than an iPhone, an Android phone, or a Windows tablet, and you’ll see most people speaking their questions instead of typing them. Without a doubt, it’s much easier to speak a request or question than to type it on a small keyboard. But do you know why your device keeps getting more accurate?

The reason is that all of your voice commands are stored on servers owned by Microsoft, Apple, or Google. As you speak, those servers are accessed and an algorithm matches your voice against words you have previously spoken. Everything from dialect to intonation is used to match words and recall them. Everything you have ever said with voice search is stored on those servers – and a transcript of all questions and answers is also kept on your device.

It was recently revealed that Apple keeps Siri data for two years. Here is an excerpt from the story as told by Apple’s spokesperson Trudy Muller to Wired.com’s Robert McMillan: “Apple generates random numbers to represent the user and it associates the voice files with that number. This number — not your Apple user ID or email address — represents you as far as Siri’s back-end voice analysis system is concerned…Once the voice recording is six months old, Apple “disassociates” your user number from the clip, deleting the number from the voice file. But it keeps these disassociated files for up to 18 more months for testing and product improvement purposes.”

Laws governing the right to privacy in this arena are still uncertain. This is another example of technology advancing faster than legislation can be written and passed. Voice prints based on voice patterns (similar to fingerprints) can be matched and files can be collected regardless of how voice files are associated with users. Computing power has advanced significantly, to the point where this type of data crunching is feasible.

Now why should companies care? The answer depends on the data that you’re trying to keep safe from prying eyes, including the government’s. What if you’re a law firm, an accounting firm, or some other form of financial services firm? Your confidential client data could be at risk from prying eyes. Since questions and answers are stored on your mobile devices as well as on the vendors’ servers, anyone who gets their hands on your devices can see what you’ve been asking and the answers you’ve been receiving. By the same token, the information on those servers could be obtained by law enforcement – either by accident or intentionally – possibly bypassing attorney-client privilege, or eventually by hacking.

On one hand, you may have nefarious individuals stealing your devices and discovering partial transcripts of questions you’ve asked, such as directions to a specific location – which might be the site of a regular client meeting. On the other hand, your data could be at risk by way of the servers, which could be searched or even hacked, and your information could be compromised that way.

Where does BYOD fit when it comes to voice search? Consider the increasing use of personal devices for and at work; once you add all the voice activity into the equation, your management team may think twice about the viability of BYOD. If employees ask questions that relate in some way to their work product, confidential data can easily be saved on servers where it should not be stored.

When it comes to technology, every time something good is developed, someone evil tries to penetrate it, whether in the form of a hacker or through an abuse of power. All data is at risk in one way or another, but where voice search is concerned, remember what your parents told you: think before you speak.

Image Credit: Courtesy of stockimages via FreeDigitalPhotos.net


Is Your Business Ready for the Cloud?

Cloud Computing Cartoon by Ted Goff

These days, wherever you go, there’s always someone extolling the virtues of cloud computing. How often has someone at your monthly C-suite meeting said, “Cloud computing is the answer to XYZ”? But then the conversation takes an unintended turn, and the focus never returns to defining either the question or the answer.

According to Wikipedia, cloud computing is “the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).”

Is your business ready to move to the cloud? Has your leadership team discussed all the benefits and ramifications of moving data to the cloud? How should your IT department get involved with managing your data in the cloud?

The integration of cloud computing as a one-stop solution (or, in modern-day tech-speak, software as a service, platform as a service, infrastructure as a service, and so on) needs clearly defined objectives and a plan of execution in order for your business to benefit from the cloud.

Before moving to the cloud, there are five important issues you must consider:

PRODUCTIVITY:
How will cloud computing help your employees improve their productivity? Will you move email access to the cloud? Will you move data to the cloud so that employees can access their documents and work from various locations simultaneously?

COST:
Is moving data to the cloud a cost-effective option for your business? If you have separate budgets for software and hardware, do you have a line item for cloud computing? Prices change depending upon the type of cloud required and on your specific needs, which depend on your industry and data. With some cloud services, such as Infrastructure as a Service, you need to purchase more bandwidth than you currently need in order to allow for growth and/or heavy-use periods. Quality products have costs attached, and you need to understand the differences among the available options.

EASE OF USE and SECURITY:
Will all of your employees require access to the cloud? Also consider off-site employees. It’s a wonderful concept for employees to have access to their work product from anywhere, but what will happen if a virus or a hack strikes and you experience catastrophic data loss? Do you have a disaster recovery plan? You need to know how your cloud provider will handle backups, or whether your company will be responsible for them. For critical infrastructure or data, it might be wiser to keep the hardware or data in-house. As it gets easier to hack into networks, cloud hacks will only get easier too. Given that the “cloud” is really nothing more than your data on someone else’s servers, albeit with better security (hopefully), you don’t have full control of your data. Finally, strict password policies should be in place for everyone. Keep in mind that it is going to be much easier to hack through your cloud data or infrastructure if it is located centrally as opposed to being spread out over many systems. And on the topic of security, what would happen if your data were breached in the cloud? Would you have a backup somewhere else that is easily accessible?

COMPLIANCE:
If your business must adhere to legal and other compliance regulations (such as the PCI Data Security Standard, Sarbanes-Oxley (SOX), and HIPAA), you may not legally be able to store data in the cloud. And if you are allowed to store data in the cloud, you may only be able to store it within state lines, so when you consider cloud vendors, add a clause to your SLA (Service Level Agreement) stating that your data must be kept in data centers within state lines. Check with your legal department before moving forward with any decisions about cloud computing.

OUTAGE:
You may recall a big story in the news back in October 2012. Amazon Web Services, a cloud computing provider, went down in the southeastern part of the United States, and as a result, users who had stored their data with the company were unable to access their files. If something like this were to happen to your business, how long could you afford to “be down”? Do you have a business continuity plan in place? What alternative would you have for accessing your data and communicating with customers and/or prospective customers?

According to a recent study conducted by the IBM Center for Applied Insights, cloud’s importance to business users is expected to grow to 72%, exceeding its importance to IT users at a mere 58%.

Now you’re ready to answer this question: is your business ready to move to the cloud?

__________________

To learn more about IaaS, PaaS, and SaaS:
http://en.wikipedia.org/wiki/Cloud_computing

Check out these cloud computing Pins on Pinterest:
http://www.pinterest.com/tips4tech/cloud-computing/

A comprehensive list of cloud computing providers:
http://en.wikipedia.org/wiki/Category:Cloud_computing_providers


Image Credit: Thanks to Ted Goff for use of his cartoon with this post. Check out Ted’s work at http://www.tedgoff.com.
