Does Your Business Have a Cloud Computing Usage Policy?

Many businesses have a Bring Your Own Device (BYOD) to Work policy, a risk management policy, and some businesses are even tech-savvy enough to have a social media policy. Some go one step further and introduce and review all these policies during onboarding for new employees. But while many businesses expect employees to collaborate on work in the same office or remotely, they are placing their data at risk if they don't have a cloud computing usage policy.

In simple terms, cloud computing is the process of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than using a local server or a personal computer.

According to Wikinvest, “Cloud computing allows consumers and businesses to use applications without installation and access their personal files at any computer with Internet access. This technology allows for much more efficient computing by centralizing data storage, processing, and bandwidth. A simple example of cloud computing is Yahoo email, Gmail, or Hotmail. All [the user needs] is an Internet connection [to] start sending emails. The server and email management software is all on the cloud (Internet) and is totally managed by the cloud service provider Yahoo, Google, etc. The consumer gets to use the software alone and enjoy the benefits. The analogy is, ‘If you need milk, would you buy a cow?’”

What should you consider as you create a cloud computing usage policy? Here are five key items:

[1] PERSONNEL
Which members of your team should access the documents stored in the cloud? If you grant universal access to the stored documents, you may be giving away the keys to your data. Think about your data as if it were in a vault: how much you spend on the vault is determined by how much your data is worth. Different roles have different needs for access; for example, some Vice Presidents may need more than IT managers, or vice versa. You are not obligated to provide the same level of access to all employees, and each person should get only the access their job requires. That principle is called "least privilege," and it should cover both who can read a document and who can share it outside the company.

[2] USAGE
How often do your employees add documents to the cloud? If your team uploads data daily or weekly, the cloud may be an important way for your team to interact and work. But if your team only touches the cloud once a month, reconsider whether it is really an efficiency tool for you. Is it worth the cost, and the added exposure of keeping data outside your own network?

[3] TRAINING
Have you decided on the parameters of using the cloud? For example, some types of documents should reside in the cloud and others should not. Do employees store Word documents, Excel spreadsheets, pie charts, PowerPoint presentations, photos, etc.? For your employees to understand the benefits of using the cloud and to be proactive in protecting your business' confidential data, they need training. Maybe you use a hybrid system where your confidential documents, such as intellectual property, are kept in-house and your other documents are kept in the cloud. Unfortunately, too many businesses allow their employees to store whatever they wish in the corporate cloud. This can become a sticky legal issue if an employee is found to be using it to store illegal material, other companies' intellectual property, or any type of data that could expose your company to a lawsuit. Establish rules that must be followed and let employees know that any deviation from the acceptable use policy will be grounds for termination. Have your attorney approve the document and make sure all employees read it and sign it.

Part of an employee's training is education on the use of public cloud sites. Train employees to understand that uploading corporate data to their personal public cloud accounts is unacceptable. And finally, you must establish a password policy that everyone must follow: at least 10 characters, comprised of uppercase, lowercase, numbers, and special characters, with biometrics or another second factor added where the platform supports it. Enforce this policy centrally through Active Directory (Group Policy or a fine-grained password policy) so that it is technically enforced rather than left up to individual users.

[4] TIMING
How necessary is it to keep your documents in the cloud, and do they remain there indefinitely? If it is a team project and the project is finished, does it really need to remain in the cloud? There should be a defined lifespan for data residing in the cloud. Maybe confidential docs should only reside there as long as they are being worked on, and non-confidential docs can remain indefinitely. But remember that the cloud is never permanent: providers get acquired, change their terms, or shut down, and the fees your company is charged can become exorbitant. Think about a guest in your home: that person stays for a limited amount of time (hopefully) and then leaves. The same rule should apply to the cloud: store your documents there, work on them, and then do what your cloud policy says to do, including confirming that the provider actually deletes what you remove.

[5] BACKUPS
Did you know that most cloud providers do not back up your data in a way you can restore from? They back up for their own continuity, but if you want to retrieve your data, especially from a long time ago, you may be out of luck, or you may be able to retrieve it only at considerable cost. If you need to recover deleted data, such as email purged long ago, you might find SaaS or PaaS providers like Salesforce.com, Google Apps, Microsoft Office 365, Amazon Web Services, etc., unable or unwilling to help; their retention windows are short and the responsibility for your own data is yours. Recently, a new use for "the cloud" has come about: cloud to cloud backup and recovery. It is automatic and saves all of your data from whatever PaaS or SaaS you are using. My mantra of "It is not if you lose your data, but when" has unfortunately rung true many times for many people. Using cloud to cloud backup and recovery might just make that saying obsolete, provided it is set up and managed correctly and you periodically test that a restore actually works.

Remember, clouds can burst, and you don’t want your data raining down somewhere it doesn’t belong.

Image Credit: Stuart Miles via FreeDigitalPhotos.net.

This post was brought to you by IBM for MSPs. Dedicated to providing valuable insight from industry thought leaders, PivotPoint offers expertise to help you develop, differentiate, and scale your business.


Don’t Forget Security When Developing Corporate Mobile Apps – Time for Another Look


About a year ago, I wrote a post about the importance of security when developing mobile device apps. As part of the post, I also discussed the importance of security when evaluating the “bring your own device” to work (BYOD) phenomenon and the growth of the Internet of Things (IoT). Today, a year later, it’s time for another look.

If you’re creating an app, are you using tools provided by a managed service provider (MSP) allowing multiple people in multiple places to work on it? Does the MSP charge by the seat for the tools to be used, or is it a group license? Today, businesses try to offer apps on both the Android and iOS platforms, so you need to make sure that tools for both platforms are available. Most importantly, before launch, test your app over a wide range of devices and employ as many testers as possible.

Now, how many businesses have apps specifically designed for their industry? Recent developments, especially in the healthcare sector, require customized apps to better serve the needs of their stakeholders, in their case, patients and medical care professionals. In addition, healthcare organizations are also finding that off-the-shelf apps don’t always meet their needs. A side benefit to creating a customized app is that a business can release it in the general marketplace and create another revenue stream.

As the BYOD phenomenon further evolves, businesses are finding that apps may not exist that work both for their organization’s devices and their employees’ devices. This propels businesses to develop apps to perform on a myriad of devices.

Of course, this leads us to the elephant in the room: users' privacy concerns. What permissions and personal information does your app request at install time and at runtime, and does it need all of them? In a regulated industry, be sure that the requirements of your regulatory environment are met before the app ships.

If you're putting your app into the open market, how is cost determined? Is user information guarded more carefully in the paid version (for example, data saved to the cloud) while some functionality is disabled in the free version? Take apps that track your health and well-being: does the paid version offer real-time health status while the free version provides only limited use? Whatever the tier, the data the app collects deserves the same protection.

If your business has created an app, how do you measure its success? By the number of downloads? By the number of reviews? By the number of in-app purchases? Or by some other metric? However, don’t ever forget that you have an obligation to your users to protect their confidential information – regardless of if they paid for the app or got it for free.

Lastly, consider this scenario. What if your app is compromised? What measures are in place to protect your users' information? Do you have a protocol in place to notify users of the breach? Do you have a procedure in place to pull the app, fix it, and re-release it? Don't enter the app market if these questions aren't answered first.

Image Credit: KROMKRATHOG via FreeDigitalPhotos.net.



The Managed Service Provider (MSP) Quandary: They’re Only as Good as You Allow Them to Be

When I hear of managed service providers (MSPs), I think of services in a compartmentalized box or a box of Legos. While that may be a simplistic view of what an MSP is, it actually fits because that's how companies tend to use them. They take the parts they want from the box and leave the ones they don't. And as an end-user chooses products or services from the box, the pieces are attached together to form an organization's total service solution. This process is used whether it is a small company or a Fortune 500 company.

After an organization’s needs have been met, and after the service level agreements (SLAs) have been signed by the appropriate departments within an organization, then the work begins. But, the relationship can become problematic even when the relationship begins under the best of circumstances. A business relationship can spiral out of control very quickly because the organization may not believe that the MSP is doing its job correctly, or even worse, the organization blocks the MSP from doing its job.

There’s an old saying in the tech industry: “Working with computers would be great if it weren’t for the clients.”

When a business is paying for services, you would think that it would listen to its hired service provider, but that is not always the case. This is especially true for recommendations that cost money above and beyond the price of the MSP contract. For example, through monitoring, it is determined that more cloud storage is needed, or that a system-critical server is about to fail. The organization says, "We don't need that right now." Translation: "We don't want to pay for that right now."

So the MSP team has issued the warning and laid out the evidence to support its findings, but the organization fails to act. So what happens when systems fail? You guessed it. The organization blames the MSP for not being adamant about the problem before the crisis erupted.

Or, the organization fails to listen to the MSP for no apparent reason. For example, a major organization receives a call from its MSP that monitors security. This MSP calls the security manager at the organization and tells the main contact that there’s a high probability of a major breach. Instead of taking immediate action, which might include checking the security infrastructure and searching for holes, the security manager ignores the warning. So what happens? A breach happens, and it causes millions and millions of dollars in damages.

But, let’s not forget. The MSP did the job that it was paid to do – a job that cost this organization a lot of money per year, and a major breach happened because the organization failed to act on intelligence that the MSP had provided. This error in judgment not only cost the organization money – but most likely, its reputation as well.

So before hiring an MSP, consider this. How much is its advice worth to you? Are you going to listen when the MSP gives advice, or will you listen ONLY when you want to? Granted, there are some MSPs that just want to take your money and provide lousy service, but for the most part, MSPs are honest. MSPs offer important services that your organization cannot handle due to manpower, space, equipment, or infrastructure issues such as the inability to manage disaster recovery, backup, and other infrastructure limitations.

The right MSP that’s the right fit for your business can help make your business run smoother and recovery much quicker.

Image Credit: Pakorn via FreeDigitalPhotos.net.



5 Must-Ask Questions Before Adding the Cloud to Your Infrastructure

In a previous post, I asked, "Is Your Business Ready for the Cloud?" Five key issues were detailed to assist midsize businesses before making the decision to move to the cloud.

But once your leadership and IT teams make the decision to move data to the cloud, your next step should be to sign a vendor agreement with your cloud provider. Don’t move forward without having your leadership and IT teams review the agreement in its entirety, and even better, include your legal team in the review process.

According to the IBM Center for Applied Insights:
“By 2016, cloud computing will matter more to business leaders than to those in IT. According to a recent study conducted by the IBM Center for Applied Insights, cloud’s importance to business users is expected to grow to 72 percent, exceeding its importance to IT users at a mere 58 percent.

While it may not generate the same breathless excitement it once did when the technology first emerged, “The Cloud” has undoubtedly become ubiquitous. As the technology matures and lingering security concerns dissipate, even the most conservative businesses have jumped on the cloud bandwagon. According to a study released in 2013 by the IBM Institute for Business Value, 64 percent of CIOs plan to invest in cloud over the next few years.

And as cloud technology continues to mature, how companies use cloud will also continue to evolve. What was once primarily used for cutting costs is growing into so much more. Today’s companies are increasingly looking to the cloud to not only improve efficiency, but also to innovate and create.”

What was once only for storage now includes the following technologies:

[1] SaaS = Software-as-a-Service: a finished application, such as an Office-like suite or email, run and maintained by the provider and used through a browser or client; you manage your accounts and data, the provider manages everything else.

[2] IaaS = Infrastructure-as-a-Service: a form of cloud computing that provides virtualized resources over the Internet. The definition includes such offerings as virtual server space, network connections, bandwidth, IP addresses, and load balancers; you are still responsible for securing the operating systems and applications you run on them.

[3] PaaS = Platform-as-a-Service: a managed computing platform (runtime, database, middleware) that lets you build and deploy web applications quickly without operating the underlying servers.

[4] DRaaS = Disaster-Recovery-as-a-Service: businesses that do not have the time or resources to manage a disaster recovery plan and regular testing can outsource this process.

As you review the cloud computing agreement and the service level agreement (SLA) that comes with it, make sure to ask these five critical questions and listen, really listen, to the responses:

[1] What happens if there is a data breach?

[2] What procedures are in place to mitigate a data breach?

[3] How quickly do you handle credential and access changes, for example, when an employee is hired, promoted, or fired? An account that survives a termination is an open door.

[4] Do the terms of the SLA reflect an understanding of compliance regulations when it comes to where data is physically stored? Depending on industry and regulation (healthcare, financial, etc.), data may have to remain within a particular state, country, or region, so ask in which data centers your data, and its backups, will reside.

[5] What security measures does the cloud vendor put in place to protect your data and its data centers? This means physical security as well as internal, electronic, and web-facing controls, and ask for the audit reports or certifications that back up the answer.

So, has your business moved to the cloud yet, and if yes, what was your best cloud story, good or bad? Since others can learn from your experiences, please chime in.

Image Credit: digitalart via FreeDigitalPhotos.net.



12 Timeless Password Tips for Improved Security


According to SplashData's annual list, the #1 and #2 most commonly used passwords are "123456" and "password," so creating strong passwords is one way users can be proactive in fighting security breaches. Since passwords are at the core of an overall security plan, here are my favorite password-related tips. When using a managed service provider, it's just as critical to follow these guidelines, because any time data travels to a third party, it can become more vulnerable.

PASSWORD TIP 1

Make sure your passwords are complex. Use lowercase and uppercase letters, numbers, spaces, and symbols. Make the password longer than eight characters; Microsoft recommends at least 14. Don't use common or uncommon dictionary words or real names, don't spell your name backwards, and don't use words with common spelling errors or repeated sequences of the same numbers or letters. Instead, create a phrase or sentence. If you are curious how strong your password is, check it out at How Secure Is My Password or use the Microsoft Password Checker. You can also learn how your password stacks up with the Password Strength Checker, which evaluates your mix of upper and lowercase letters, numbers, symbols, etc. One caveat: never type a password you actually use into a third-party checker; test one of the same length and structure instead.

PASSWORD TIP 2

Create a different password for each website you use or wherever you access your data. Don’t use the same password for Facebook, Twitter, LinkedIn, Google+/YouTube, Pinterest, Instagram, etc., because if someone gains access to one account, the hacker could then gain access to all of your social networking sites – contact information, photos, family member names, etc. Also, if you use passwords to access online banking, medical data, or other confidential information, create unique passwords to access each site.

PASSWORD TIP 3

If you don't want to remember your passwords because they are too long and complex (hopefully), or if you would like a site to generate passwords for you, check out LastPass. With LastPass, you only need to remember one master password to log onto the site. LastPass saves your log-ins and passwords for all sites that you visit: after you enter them the first time, they are saved and encrypted in LastPass. When you return to the website, LastPass enters your user name and password automatically, which reduces your exposure to keyloggers (software that records keystrokes when a user logs on to a specific website with the intent to steal information), though it cannot protect a machine that is already fully compromised. There is a free version as well as a premium version, and the download is available for Windows, Mac, and Linux. While there have been security breaches at LastPass, LastPass remains the leader in the web password manager space. Whatever manager you choose, the master password is the one that matters most, so make it a long passphrase and turn on two-factor authentication for the manager itself.

PASSWORD TIP 4

If you store important documents on your home computer with bank account information, tax information, and social security numbers, make sure to password-protect them, and check that the application actually encrypts the file rather than just hiding it behind a prompt. Better still, turn on full-disk encryption so that every file is covered. If your computer is ever stolen, this adds another layer of security to your information.

PASSWORD TIP 5

If you are asked security questions as an additional component of password creation, don’t use easy answers. For example, don’t use your birthday, spouse’s first name, mother’s maiden name, your car license plate, or city where you live. For many hackers and even those who know the right websites to search, these pieces of data can be easy to find.

PASSWORD TIP 6

Whenever you sign up on a new site or get assigned a new site to access, there is often a default password. Often, we are so busy that we forget to change the default password – not a good idea. Before you do anything on the site, go first to the settings area and create a new password.

PASSWORD TIP 7

Since most businesses require users to change their passwords every 90 days, changing your personal passwords several times a year is a good idea, and change any password immediately if you suspect it has been exposed in a breach.

PASSWORD TIP 8

Always be sure to log off of the site you're accessing, because bad guys can steal your session. Even if you close your browser, your session may still be active on the server and your cookies may still be on disk. Logging off from the site ends your session immediately. You should also clear your cookies, history, and cache regularly; you can do this manually or set your browser to delete them automatically when you close it.

PASSWORD TIP 9

Don’t give your IT Department a heart attack and write your passwords on a Post-It note attached to your monitor, under your keyboard, in a drawer, etc. While this sounds obvious, people think no one will notice or that the note will just be placed on the screen for a few moments. If you do this, you are handing your data to a thief on a silver platter – don’t do it.

PASSWORD TIP 10

Does your business have a password policy? If your business is progressive, you will read and sign harassment, privacy, BYOD, and social media policies. But due to the importance of passwords, make friends with your IT department. Go the extra mile: always change passwords when asked and always set up your password according to company policy. If corporate policy allows, set up a screensaver to activate after a short period of inactivity to protect anything on the screen.

PASSWORD TIP 11

Don't use your email address as a username (unless corporate policy dictates that you must), and don't make your password the same as your username. If you are accessing a business-owned account, access is terminated once you leave your position. And if you use a personal email address for a business account, once you leave, the business has no way to access or recover that account. Personal email addresses also tend to have weaker protections than a managed corporate account.

PASSWORD TIP 12

Don't ever click on the "remember password" option in your browser. Unlike passwords saved in LastPass behind a master password, browser-saved passwords are protected only by your operating system login, so anyone who gets hold of your unlocked device or profile can read them. To quote Dana Molina of SureTech, "If your device is ever stolen, you've just invited a thief into your home, removed their shoes, and given them a foot massage."

Do you have a tip to add to the list?

Image Credit:  digitalart via FreeDigitalPhotos.net.



Television’s Role in the Conversation about Cybersecurity


Have you noticed all the recent storylines about cybercrime on television? Several episodes of "The Good Wife" focus on technology issues ranging from hacked emails to online privacy to ransomware (a type of malware that restricts access to the computer system it infects, typically by encrypting files, and demands a ransom paid to the creator of the malware in order for the restriction to be removed). And of course, the latest version of the CSI franchise is titled "CSI: Cyber," in which every episode focuses on online crime.

This increased attention on cybercrime and resulting emphasis on cybersecurity are definitely a positive move in the right direction. The attention is much appreciated by the technology industry overall, but specifically by professionals in the infosecurity arena, who talk about cybersecurity awareness on a daily basis. This is because a large part of our jobs has become alerting leadership teams and Boards of Directors about the consequences of data breaches and the importance of implementing security awareness programs and business continuity programs.

With a spotlight shining on cybercrime, Twitter conversations and Facebook posts increase around these TV shows and actors. And with an increase in interest in these important matters, the result may be that your business may be just a little safer – thanks to television.

You never know when an employee will receive an email from an unknown source and, in a split second, decide NOT to open it because he or she doesn't recognize the sender. The employee recalls an episode from a TV show in which an entire company's email system was taken over and its customer database breached because of a malicious attachment in a single email. Your employee made a decision based on a TV show.

Of course, a possibility of so much cybercrime on TV may be that the bad guys get some ideas. What TV starts, sometimes, the bad guys will finish.

Image Credit: Digitalart via Freedigitalphotos.net


A Cheat Sheet to Translate InfoSecurity for Key Business Units

As a result of working with many different business units over the last decade, I've developed my ability to help companies by bridging the business and technology gap and aligning technology strategies with business objectives. Toward that end, I have devised the scenarios detailed below, which translate infosecurity concepts into language that team members can understand based on their specialty areas.

My goal is to initiate a dialogue between business unit managers so that we may work as a team to mitigate internal and external threats. The truth is, without awareness, buy-in, and participation by all business units, companies will not engage all employees in the company-wide objective of practicing infosecurity. Throughout this post, I talk about “IT departments,” but remember that this department encompasses a lot of different areas of expertise. The IT department of the old days no longer means simply fixing computers and setting up networks.

MARKETING & PUBLIC RELATIONS
Since this team is responsible for building brand equity, communicating competitive advantages, and interacting with members of the media, they speak a totally different language than those of us in the IT space. So, in order to train these folks to be smart computer users, I use this situation: You write a 20-page annual report, tweak all of the graphics, add all the financial data, and are ready to send the file to the printer. The IT department is called in to check the marketing files on the department's shared server because, at some point, someone in marketing pulled a graphic from an untrustworthy website at home and transferred it via a USB drive or BYOD device. Since that user did not have up-to-date malware protection on his or her own device, the file carried malware, and when the image was added to the document the malware came with it. Now, not only is the file corrupted, but files from other departments on the same share can be corrupted too. And, to add insult to injury, the entire project has to be redone.

SALES
This is the group of team members who live on the road and in the field. They need their tech tools to work 24/7/365. A major challenge is the use of BYOD in today’s business environment. So not only do employees have work product on their laptops or other devices, but they also have personal information too. Because these devices have multiple purposes, there’s a better chance that they will either be, A) stolen or B) infected. The more time that those products spend in the open, the greater the possibility of theft. The more they are used for personal pleasure, the less their malware signatures may be kept up to date, the less vigilant the user may be. People tend to drop their guard when it comes to personal devices.

Finally, every device, especially those containing confidential sales data, should be encrypted. While encryption may be better tolerated in a business environment rather than on a personal device, that is no excuse not to use it on personal devices used for business. People tend to want to whip out their devices for taking pictures or sending texts and they don’t want to deal with having to input a password before gaining access to a device. As a result, people may try to disable password-protection, which defeats the reason that a password was added to a device in the first place.

So, here is a situation that they can easily understand: You are driving to an important meeting with a prospective customer, and upon arrival at the meeting, you get a phone call from a customer with a question. Still in your car, you turn on your device to check the customer’s account. But wait. Instead of starting normally, it shows a blue screen of death or its equivalent. What happened? Perhaps, all of those social media games or apps that you have been playing on your device opened a door to a virus or malware. Of course, there are countless other possibilities, but for employees who work on the road, their systems need to be as clean as possible.

CUSTOMER SERVICE
This is the group of team members who answer phones and respond to emails, for the majority of companies. Their job is to provide solutions to customer complaints or issues. So, their computers, phones, and all other tech tools ranging from smartphones to mobile devices need to be in top-notch condition. Here’s a situation that these team members would prefer to avoid at all costs: A customer calls and complains about a certain product or product feature. Now, while you (the customer service rep) are on the phone with the customer, your system crashes, and you cannot access your product spec list, your email – in order to communicate with your customer, or your CRM system. After the IT department checked out your machine, some unpleasant information was discovered. Your browser indicated that you spent a large amount of time logging into Facebook and other social media sites several times during the day, and unfortunately, these unsanctioned activities welcomed a virus or two or three.

ACCOUNTING
These team members deal with all aspects of a company’s financials, so all of their software must be virus-free. Here is a scenario that members of this department have nightmares about: In the middle of payroll preparations, the entire system goes down. The IT department doesn’t have a quick fix. The toll-free customer service department for the software doesn’t have a quick fix. And, if a solution is not reached soon, payroll will not happen. Now, while this scenario may have nothing to do with a company’s network, the IT department must jump on the problem immediately and intervene as a liaison and partner with the software customer service department. Of course, in the background, if the IT department is doing their job correctly, and the business unit has been working with IT, which is just as important, there should be backups and a disaster recovery plan that will get department back up and running quickly. But priority one in this situation is for the finance group and the IT department to work together and understand one another.

HUMAN RESOURCES/PERSONNEL
Whatever name you give this department, it is responsible for all personnel activities ranging from hiring to firing to team building to holiday parties. One might think that the computers housed in this department would be kept under lock and key, since they hold all employee records. But often, that is not the case. Here is a situation that really happened not too long ago: An employee from HR left for the day without closing and locking his office door. Some consultants who worked in another department entered the HR office, unplugged the laptop, and walked out of the building with it. While this seems like a simple theft, a login password combined with full-disk encryption would have kept the data out of the thieves’ hands. Note that a password alone is not enough: without encryption, a thief can simply pull the drive and read it from another machine. This laptop had neither a password nor encryption. Identity theft followed for the hundreds of employees whose files and performance reviews were stored on that one machine.

PRODUCT DEVELOPMENT
Imagine you have a hot new product in the pipeline that might possibly be the next technology game changer, for example, the next iPod. All of your tech specs, design info, and manufacturing processes sit on a network that is not air-gapped. Someone in your department downloads a free game, which turns out to be a Trojan that creates a back door into your network, in other words, a way into your systems without proper authorization. One day, you come into the office and all of your data is corrupted, or, even worse nowadays, it has been posted on the Internet or stolen by a competitor or a nation state. No regular backups were made, and poof, two years of your life as well as the next “product of the year” go down the drain. This is corporate espionage at its worst, and it is the reason why no one should be allowed to download unauthorized software from the Internet onto any office computer, and why regular, tested backups are not optional. This is where the IT department needs to really shine by learning how to teach different business units about security awareness.

The bottom line is that we, as infosecurity professionals, must speak with other business units in their own languages. If we can achieve this, then employees in other business units will understand why security is important to them, how security relates to them, and how they will be affected when breaches happen. And once all business units work as a team, the business is better protected.

Image Credit: David Castillo Dominici via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own. To read more on this topic, visit IBM’s Midsize Insider. Dedicated to providing businesses with expertise, solutions and tools that are specific to small and midsized companies, the Midsize Business program provides businesses with the materials and knowledge they need to become engines of a smarter planet.

Posted in BYOD, Data Breach, Data Security, Management and Technology, Network Security, Tech Equipment

Cloud vs. Mobile: Can They Co-Exist?

IBM recently published an Infographic featuring the following statistics: “68% of top CISOs and security leaders see security in the cloud and data privacy as a critical business concern yet 76% are worried about the theft of mobile devices and the loss of sensitive corporate data.” Taken at face value, these numbers might suggest that cloud and mobile devices/mobile data cannot co-exist; what they actually show is that security leaders worry about both at once. Yet, for the small and medium business (SMB) market, cloud computing and mobile devices have become synonymous with doing business.

Many businesses that comprise the SMB market have adopted, integrated, and even welcomed mobile devices into their day-to-day operations. Often, this is because leadership teams believe that the cost of doing business will go down if employees provide their own mobile devices. There is no denying that business is easier when employees can access their spreadsheets and other documents from off-site and outside business hours on their smartphones and tablets.

Some businesses have gone the extra mile and created and implemented mobile device management (MDM) plans, covering which devices may connect, what encryption and passcode settings they must have, and how a device is remotely locked or wiped, together with continuity procedures for when something unforeseen happens. This means that the business is prepared if an employee’s device is lost or stolen, or if the worst-case scenario happens and someone either sells the data to a competitor or the network gets hacked through the device.

But is cloud computing a fit for every business? Certainly, it’s important to consider what industry your business is in and what compliance issues your industry must face. Some industries are more appropriate for capturing data in the cloud, and some are not. For instance, medical patient data is still a relatively new area within the infosecurity arena, and there are too many ramifications if a single practitioner, for example, a psychiatrist, places all of her data in the cloud via her smartphone and then loses that smartphone when it isn’t encrypted. This falls under the HIPAA regulations, which are becoming very strict; a lost device holding unencrypted patient data is a reportable breach, whereas properly encrypted data on a lost device generally is not. On the other hand, it may make sense for real estate firms to store data about their properties in the cloud so that other agents can access property info.

Above all, if your business is contemplating using the cloud, answer these questions first and make sure your entire leadership team understands the answers:
•    What is your strategy for storing data in the cloud?
•    What data will be stored in the cloud?
•    Who will have access to the data in the cloud?
•    How long will data be stored and accessible in the cloud?
•    Will the business provide mobile devices?
•    What security procedures are in place to protect the data stored and/or accessed on employee devices?
•    What are the ramifications if data is hacked?
•    What procedures are in place to rectify the situation if data is hacked?
•    What compliance regulations must you follow?

What other questions would you add to this list? Please chime in.

View IBM’s Infographic here:
http://www.ibm.com/smarterplanet/global/files/us__en_us__cia__ciso_infographic_cloudmobile_v3.pdf

Image Credit: iprostocks via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own.

Posted in BYOD, Cloud Computing, Data Security, Mobile Computing | 2 Comments

Is Privacy More Important to the Media, Businesses or Consumers?


There is no denying that businesses need to be more diligent in protecting their customers’ data, but with all the data breaches publicized in the mainstream media, who cares more about privacy? What do you think: businesses or consumers?

Despite the many data breaches, consumers continue to provide their Personally Identifiable Information (PII) to midsize businesses. At a minimum, this confidential information may include full name (first and last), home address, phone numbers, and email address. Depending on the business, requested information may also include Social Security number, date of birth, place of birth, gender, passport number, driver’s license number and state, vehicle registration plate, financial transactions, bank accounts, credit card numbers, criminal background, fingerprints, medical history, names of schools attended, and current or previous employers.

What is different about protecting PII compared to any other data and how should PII be protected? According to the “Guide to Protecting the Confidentiality of PII” published by the National Institute of Standards and Technology of the U.S. Department of Commerce:

“In many cases, protection of PII is similar to protection of other data and includes protecting the confidentiality, integrity, and availability of the information. Most security controls used for other types of data are also applicable to the protection of PII. For PII, there are several privacy specific safeguards, such as, anonymization, minimization of PII collection, and de-identification. In addition to protection requirements for PII, there are other requirements for the handling of PII. The Fair Information Practices provide best practice guidelines, such as, Purpose Specification, Use Limitation, Accountability, and Data Quality. Moreover, the factors for assigning a confidentiality impact level to PII are different than other types of data. Breaches to the confidentiality of PII harm both the organization and the individual. Harm to individuals should be factored in strongly because of the magnitude of the potential harm, such as identity theft, embarrassment, and denial of benefits.”
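The NIST guide quoted above names minimization, anonymization, and de-identification as the privacy-specific safeguards, but does not show what they look like in practice. The script below is an added example, not code from NIST SP 800-122 or from the original post, that applies three of those safeguards to a loyalty-program customer record before it is handed to an analytics team: fields the program does not need are dropped (minimization), direct identifiers are replaced with keyed HMAC tokens so records can still be linked without revealing who the customer is (pseudonymization), and date of birth and ZIP code are coarsened (generalization). The record layout, the allowed-field policy, the token key, and the sample record are all constructed for the example.

```python
"""De-identify a customer record before it leaves the system of record.

Added example (not from NIST SP 800-122 or the original post). Field names,
the allowed-field policy, the key and the sample record are all constructed.
"""
import hashlib
import hmac
from datetime import date

# Fields the (hypothetical) loyalty program actually needs for analysis.
# Everything else is dropped on the way out: minimization.
ALLOWED_FIELDS = {"customer_id", "email", "dob", "zip", "purchases"}

# Direct identifiers: replaced by a keyed token rather than removed, so an
# analyst can still link one customer's records together.
DIRECT_IDENTIFIERS = {"customer_id", "email"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    A plain SHA-256 of an email address is NOT a safe pseudonym: anyone can
    hash a guessed address and compare. With a secret key, only the holder of
    the key can confirm a guess or re-identify a record. The key must be kept
    out of the analytics environment that receives the output.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob_iso: str, today: date) -> str:
    """Replace an exact date of birth with a ten-year age band."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits of a five-digit ZIP, mask the rest.

    Simplification: real de-identification rules (e.g. HIPAA Safe Harbor) also
    require suppressing prefixes that cover very small populations.
    """
    return zip_code[:3] + "**"


def deidentify(record: dict, key: bytes, today: date) -> dict:
    """Apply minimization, pseudonymization and generalization to one record."""
    out = {}
    for field, value in record.items():
        if field not in ALLOWED_FIELDS:
            continue                                  # minimization: drop it
        if field in DIRECT_IDENTIFIERS:
            out[field] = pseudonymize(value, key)     # pseudonymization
        elif field == "dob":
            out[field] = generalize_dob(value, today)  # generalization
        elif field == "zip":
            out[field] = generalize_zip(value)         # generalization
        else:
            out[field] = value                        # needed as-is
    return out


# Constructed sample record; nothing here is real customer data.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": " Jane.Doe@Example.com ",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "dob": "1980-06-15",
    "zip": "90210",
    "purchases": ["milk", "bread"],
}

# Assumed key; in production load it from a secrets store, never hard-code it.
DEMO_KEY = b"replace-with-a-real-secret-key"

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, DEMO_KEY, date(2015, 1, 1)))
```

The token key is the crux of the design: whoever holds it can reverse the pseudonyms by hashing candidate identifiers, so it belongs with the system of record, not with the people receiving the de-identified copy.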

But, consider this, many – and some might argue too many – consumers willingly and without much thought to how their PII may be used and stored provide their PII to businesses. What happens every time someone visits a supermarket? Their rewards card gets scanned, and the store IMMEDIATELY knows who they are, where they live, what their phone number is, what their email address is, and most importantly, what they purchased. The same thing happens at gas stations, restaurants, and other brick and mortar venues – as well as online.

Does your business have a rewards or loyalty program? If yes, what PII do you request? Do you explain why you request specific PII? How do you communicate with consumers to let them know you value their privacy and data as much as they do? How often do you communicate with your consumers to update the information and update your review and/or purge of PII?

Answers to these and related questions should be a high priority and involve your entire leadership team. These discussions should not be delegated to the network admins of your IT department because when a breach happens, you, as a member of the leadership team, don’t want to be surprised. You will want to vividly recall all the protocols you put into place, the bullet points and/or press release drafts you wrote, and the key media people you want to reach out to.

Above all, you want your business to be proactive and transparent to consumers. Your decisions will allow your business to be in a better position to survive a breach.

Read More:

PII definition by Wikipedia:
http://en.wikipedia.org/wiki/Personally_identifiable_information

Guide to Protecting the Confidentiality of PII published by the NIST of U.S. Dept. of Commerce:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

“Why Big Companies All Have Loyalty Programs”
http://blog.fivestars.com/big-companies-loyalty-programs

“Survey Shows You Don’t Care About Privacy As Much As You Think You Do” by Joshua Steimle (@donloper)
http://www.forbes.com/sites/joshsteimle/2014/11/07/survey-shows-you-dont-care-about-privacy-as-much-as-you-think-you-do

Privacy Rights Clearinghouse – to learn about the latest data breaches:
http://www.privacyrights.org/data-breach

Image Credit: Supertrooper via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own.

Posted in Data Breach, Data Security, Management and Technology, Privacy Rights

What Can Your Business Learn about #Privacy from the UK Direct Marketing Association?

It seems as if a day doesn’t go by without the media reporting a major data breach. If you’re a member of the C-suite of a midsize business, you probably spend a good deal of time thinking about how to protect your data as well as your business reputation.

I recently read some surprising news from a British marketing group (1) and offer it as a lesson for all businesses – no matter where your corporate headquarters may be located and how many offices you may have. In August 2014, the UK Direct Marketing Association released a new privacy code of practice to address customer concerns about data privacy. The link for the entire code is provided below (2), but the code focuses on five key principles:

[1] Put your customer first
[2] Respect privacy
[3] Be honest and fair
[4] Be diligent with data
[5] Take responsibility

While we all receive too much direct mail, this attention to our privacy brings the discussion about customer data to the forefront. The outcomes should all be positive:

[1] Businesses will implement stricter protocols regarding data protection
[2] Businesses will implement faster incident response and recovery procedures
[3] Businesses will alert customers immediately upon learning of a breach, as opposed to having the media share the news
[4] Businesses will inform law enforcement agencies
[5] Businesses will call in third-party forensics teams to determine the scope of the breach and develop protocols to mitigate future breaches

If you suspect a breach or just want to keep current on the latest breaches, visit the list provided by the Privacy Rights Clearinghouse, whose tagline is “Empowering Consumers. Protecting Privacy.” (3)

Lastly, here’s something else I found surprising: if a member of the UK’s Direct Marketing Association breaks this new privacy code, the member will be expelled from the association. Don’t you think all businesses would spend more time and money protecting their customers’ data if there were more significant ramifications than just the equivalent of a slap on the wrist by the media? I welcome you to chime in.

(1) UK Marketing Trade Body Unveils New Code to Address Privacy Concerns:
https://privacyassociation.org/news/a/uk-marketing-trade-body-unveils-new-code-to-address-privacy-concerns/

(2) UK DMA Privacy Code:
http://www.dma.org.uk/uploads/Interactive-code-for-web_sept-11_54119ad59a64b.pdf

(3) Privacy Rights Clearinghouse:
http://www.privacyrights.org/data-breach/

Image Credit: Courtesy of Stuart Miles via FreeDigitalPhotos.net

This post was brought to you by IBM for Midsize Business and opinions are my own.

Posted in Data Breach, Data Security, Management and Technology, Privacy Rights