Years ago, conversations about keeping employees safe meant providing them with technical advice about the use of hard hats, goggles and other safety equipment, or training in safe lifting techniques, parking lot safety and sexual harassment policies.
“Today, physical safety ranks at the top of the list of required training in most companies as our workplaces become ever more dangerous,” says Laurie Bradley, president of ASG Renaissance and Blue Force Services.
Recent active shooter events in Colorado, Wisconsin and Alabama, for example, bring attention to the complexities of physical safety.
“This leads us to the question of whether or not we are doing all that is possible to mitigate unwanted physical intrusion into our workspace,” she says.
Smart Business spoke with Bradley about how a company can protect itself against physical threats.
How does a company establish a physical safety program?
Safety programs are not one size fits all. They need to be tailored to reflect the presumed risks of a business in a given industry. For example, banks and financial institutions need a different safety program than a car rental business. However, generically, the process is typically initiated by performing a risk assessment. This entails mapping the physical facility and identifying the areas and entry points that may need different rules of access.
As you map your facility, determine and highlight the exit and escape routes, and define areas that would be sensitive to catastrophes such as fires, floods, earthquakes, bombings and utility failure. Review your procedure for the identification of authorized personnel and critique the systems used to do so, such as key card readers, biometric devices and cameras, to determine the possible vulnerabilities.
Consider the environment around your business, local crime rates, the interior and exterior of your building, and the perimeter of your space where public access is permitted. Develop a checklist as you examine poorly lit areas, trash areas that may present arson opportunities, the condition of walls and fences, and what tools or supplies, left unattended, could be used to access the facility.
Who should be involved in the assessment?
Internal personnel, such as your security staff, may be utilized to determine and detail a current state report. Third-party security experts are often used to identify weaknesses or vulnerabilities in your operation and may be engaged to attempt to breach the security to illuminate risk areas.
Generally, annual third-party audits with corresponding training programs help ensure physical safety programs reflect the risks brought on because of current business and political environments. Security consultants can also make certain you are aware of the latest technology developments that may enhance physical security.
Companies wanting to launch and monitor a more robust program can access information through the Federal Emergency Management Agency. Additionally, the Private Sector Preparedness Council has select program standards leading to certification. The process provides a framework for businesses to assess whether they comply with voluntary preparedness standards. Many of the program’s components align with the Support Anti-Terrorism by Fostering Effective Technologies Act, which mitigates legal and liability concerns for users of anti-terrorist technologies and products.
Can we ever really be safe?
No system or security program can guarantee absolute safety. Consider that HVAC systems are not normally equipped with detection devices and can be easily accessed — a fast way to hinder a worksite would be through the air ventilation system. Preparedness is the best defense and mitigation tactic. Focus on removing the temptation to commit a crime and monitor, enforce, educate and train your staff in the procedures necessary to reduce the possibility of a physical threat.
What if a business doesn’t have a robust physical safety program already in place?
Begin the discussion on safety during general staff meetings to help raise awareness within your employee population. Walk your employees through situations and the best responses to them, such as what to do when gunshots are fired, who should call 911, what the alternate routes out of the office are, etc.
Establish a crisis management team to involve key business leaders in evaluating risk, designing and conducting on-site training, coordinating public communications, assuming command roles in an emergency and providing assistance post incident. Security programs need to be holistic and embedded in all operations of a company, not assigned to a security department.
Safety and security should begin in an employee onboarding process and carry through the lifecycle of employment as part of the corporate identity. When safety and security are closely aligned with your corporate identity, it removes some of the anxiety that can be associated with safety training. Your goal is to have informed, alert and confident employees who willingly participate in the program.
What liability might a company face for not having procedures to deal with a physical threat?
Following the Sept. 11 terrorist attacks, property managers, security firms and security and safety device manufacturers all faced lawsuits. However, there are no defining standards to evaluate disaster recovery and business continuity programs.
In a litigious environment, we create an economic disincentive to expand safety- and security-focused services. The SAFETY Act was passed to give some protection and guidelines to mitigate these concerns for providers of products or services that are used to detect, identify and defend against terrorism. Companies developing security programs should consider adopting products that follow these voluntary guidelines, demonstrating ‘best efforts’ to implement a safety program that represents ‘best in class’ as defined by the act.
Laurie Bradley is president of ASG Renaissance and Blue Force Services. Reach her at (248) 477-5321 or email@example.com.
Insights Staffing is brought to you by ASG Renaissance
The laws, technology and science regarding your business’s exposure to cyber liability are evolving rapidly. Privacy breach laws passed in other states may apply to your company if you’re a downstream service provider, or your business could fall under federal requirements for protecting personal identifiable information. And with stricter rules in place for consumer privacy, a breach could cost you and your company far more than damage to your reputation, says James Misselwitz, CPCU, vice president for ECBM.
“The average cost to notify a record holder of a breach is now $350,” says Misselwitz. “Part of the restoration costs can require continued monitoring and biennial privacy audits for as long as 20 years, in some cases.”
In the health care and financial services industries, the average breach costs more than $2.4 million, according to Net Diligence.
Smart Business spoke with Misselwitz about what steps employers can take to decrease exposure to cyber liability.
What is cyber liability?
Cyber liability exists because companies collect, store and share information about consumers. The Federal Trade Commission has been charged with safeguarding privacy for consumers. As a result, there is an emerging group of federal regulations in the form of laws such as the Gramm-Leach-Bliley Act, HITECH Act and Health Insurance Portability and Accountability Act, along with guidance from the Securities and Exchange Commission for publicly traded companies that forces disclosure on their 10-Q reports.
In addition, most states now have passed their own version of privacy breach laws; only Alabama, Kentucky, New Mexico and South Dakota do not have laws on the books. Of these, the biggest game changer came from Massachusetts, which requires all downstream service providers to comply with its law and have a signed contract addendum certifying that they meet the requirements for all customers.
What cyber liability exposure do employers often fail to consider?
It’s obvious the financial, health care and retail segments face exposure. But when you take a closer look at cyber liability regulations, they easily encompass law offices, accountants, nonprofits and any Internet storage provider. Think about the following when trying to determine your cyber liability exposure.
- Do you collect in your files the name, address, date of birth and Social Security number of your customers?
- Do you have more than 500 customers with this information on file?
If so, you need to urgently consider cyber protection.
What are the particular dangers for mid-sized businesses?
Mid-sized business owners need to take steps now to create self-awareness of their data. What data do you store? How many files do you have and what information is contained in those? Where and how is it stored? Do those files have backups and who has access to the data? What controls are in place? Is the data kept on portable devices? As employers go through these questions, they start to get an understanding of what data they have and whether they could be subject to a significant breach.
Employers may believe that if they don’t do business over the Internet, there’s nothing to worry about. However, cyber liability laws cover data, not the way that data is obtained.
How can employers safeguard their businesses and prioritize the protection they put in place?
You need an assessment process to recognize potential breaches. You also can seek expert help in establishing formal policies and procedures while ensuring that portable devices are not loaded with information that would trigger a breach if lost or stolen.
However, the first basic step should be encrypting the data. Encryption is cheap, readily available and usually easy to install. It also provides a great defense.
When prioritizing protection, use a knowledgeable broker and a detailed analysis of risk to review which insurance coverage is available and at what price as an integral part of your cyber liability business strategy. At that point, you’ll need to put in place testing, an audit and a timetable to re-evaluate your exposure. The laws, the technology and the science are changing too rapidly to just buy an insurance policy and leave it alone.
What risk drivers cause business owners to obtain cyber liability coverage?
Usually it takes an event, such as a missing laptop or a disgruntled employee, to get the owner to focus on what just happened and what could have just happened. At that point, they start to think about risks and how to transfer them to an underwriter. More important, they start to consider the steps they need to take to ensure that if this event happens again, they have eliminated or significantly reduced risk.
Cyber liability insurance is at approximately 15 percent of the market and growing. Larger health care providers, credit card companies, social network providers and banks have been the first big purchasers of the coverage.
What do employers need to know about their cyber liability coverage?
You need to understand the amount of limits; how much coverage is in first-party and third-party benefits; whether the legal expense is inside or outside the limits, and does that portion of the policy have limits; and whether your lawyers, accountants and crisis management teams are acceptable to the underwriter. If you are dealing with a knowledgeable broker, these will be part of the due diligence and product design.
Although some 16 million confidential records were exposed through more than 662 security breaches in 2010, according to the Identity Theft Resource Center, if you consider your liabilities carefully you could minimize your risk of joining that number.
James Misselwitz, CPCU, is a vice president for ECBM. Reach him at (888) 313-3226, ext. 1278, or firstname.lastname@example.org.
Insights Risk Management is brought to you by ECBM Insurance Brokers and Consultants
Smart Business spoke to Matt Yonchak of Hurricane Labs about protecting your personal information online.
One of the most common responses I get from your everyday user when I bring up the topic of securing your personal information is “Who cares about my e-mail address? It’s not like anybody is going to call me or stalk me or something.” I’ll ask them why the level of caring about their e-mail address is so low and again I’ll get a flippant response such as, “So what if I get spam? I just delete it anyway.”
We all understand that we need to keep our Social Security numbers and credit card numbers safe. We know not to give out the login credentials to our online banking site. These are common knowledge, but what about your e-mail address or the contact information that exists in your mobile phone? How closely do you guard that information? My guess is not as closely as you should.
The fact of the matter is that all aspects of your personally identifiable information (PII) are valuable to someone. Remember the Storm worm? Back in 2008, spam e-mail from Storm was analyzed and was found to be generating 3.5 million dollars of yearly revenue from pharmaceutical spam alone. Trust me, as throwaway as you feel your Gmail address is, someone wants it and is devising a way to get it. Like most illicit activity, it is money that is driving the theft of your information. You may not think about it but your personal information is valuable to someone out there.
How your information gets out
So how is your PII being gathered? Believe it or not you’re giving it away. Yup. You are willingly giving your information to spammers and sometimes worse. I’ve done it the same as you and didn’t think twice about it. Ever sign up for a perks card at your grocery store of choice and give them your e-mail address along with your name and address? I have. How about a loyalty card at your pharmacy? You get money off your prescriptions and save on everyday purchases, right? It makes sense because you’re affecting your personal bottom line positively, but let’s think for a second about how the pharmacy is offsetting that discount you’re receiving. Not only are they gaining a loyal customer who is less likely to shop around for better discounts, but they are also taking your information and correlating that with your shopping habits. Then they take that information and turn around and sell it to a marketing company so that they can construct more targeted marketing efforts for you. Buy a lot of protein bars? Check your e-mail more closely next time and you’ll probably notice that you have advertisements and spam for things like protein shakes and weight loss drugs. Your buying trends are valuable and how is it all correlated? Your e-mail address.
How’s your Facebook page these days? Ever get a friend request from someone you didn’t even know existed? That’s because they don’t; they’re a bot. A fake person created for the sole purpose of gathering the personal information from your profile. Pretty devious huh? Not really, you’ve probably seen that and chose to decline the request because a) you don’t know them and b) their name is Akdjrsk Smith (doesn’t seem like a real name to me either, you would think that they could be a little more clever with their name generator). While that attempt to steal your information is pretty overt there are more crafty ways that Facebook attempts to get a hold of your PII. Playing games on Facebook is a pretty good way to ensure that your e-mail address ends up on some spammers list. It has been well documented that games like Farmville, Mafia Wars, and that game where you have to keep your fish tank clean (never understood that one, seems like more of a chore than a way to have fun) are nothing more than information harvesting vehicles. This is just a reminder that while you may have friends on Facebook, Facebook is not your friend.
The other very common way to get a hold of your personal information is through your mobile phone. If you have a smart phone you’re vulnerable to attempts at gathering your PII. The easiest way to have this happen to you is for you not to pay attention to the permissions on the apps that you’re downloading. If you ever see a permission on an app that says “Read Contact Data” or “Read Calendar Data, Write Calendar Data”, I would suggest taking a good, hard look at what that app does and ask why it would need access to that information. Again we see games as an easy attack vector for the uninformed mobile user. Games often have so many permissions associated with them that people accept and install without adequately reviewing what the game is doing in the background. The easiest way to protect yourself is to make sure that you are smarter than your smart phone.
How your information is valuable
Now that we know how the information is being disseminated to those trying to profit from it, let’s examine how valuable it actually is. We’ve talked about how spammers are using your information, but how profitable is it? I did some research to see how I could acquire mass amounts of e-mail addresses and I found a site where I could purchase bulk e-mail addresses for marketing purposes. There I found that I can buy more than 50 million e-mail addresses for $3,499. I found other options as well. I can purchase business e-mails by state. For example, I can buy more than 2 million e-mail addresses for businesses located within the state of Ohio for only $499. For those of you within the state of Ohio, what do you want to bet that I will find e-mail addresses for people within your company? Five hundred dollars is a drop in the bucket compared with either a targeted marketing effort or, worse, an actual attempt to get sensitive information from within said company. Spam is big business. It wouldn’t exist if it didn’t work and, unfortunately, it does.
How about your identity as a whole? How much is your life worth to an identity thief? According to Symantec, the black market value of my life is $22.22. Personally I’m underwhelmed. I thought I would be worth more than that. What they’re taking into account is your age, sex and the amount of data you work with online (bank accounts, 401(k), credit cards, etc.). If that is all that I’m worth do you think it’s really that difficult to purchase that information? The higher the worth the more difficult it is to obtain the information. According to an article by ComputerWorld if I were a 60-year-old male who has more than $10,000 in my checking account, I would only be worth a whopping $32.29. Realizing that it is that cheap for someone to purchase your identity should make you think twice about how much and the method in which you access your financial information online.
OK, let's forget for one second my own personal net worth; how about my company? Can my PII be a liability to my place of employment? Your info can provide a useful attack vector into your business. If I’m a hacker and I want to get into a company, what is the most vulnerable attack vector? The employees, of course. If I know more about you I can construct a clever phishing attempt or I can just call you on the phone and say that I’m from HR and I need XYZ. If I can provide you with your SSN or employee ID, chances are that you are going to be more likely to talk to me and provide me with what I want — a way in. All it takes is one weak link and someone with malicious intent can exploit it to their advantage.
How do I stop it?
As with most issues, knowledge is power. The power the hacker needs to penetrate your defense or the power a user needs to repel such an attack. By knowing what you should be wary of you’ve increased the level of difficulty exponentially that a criminal has to deal with. Chances are if it is too difficult for the criminal then they will move on to an easier target. People are targets of opportunity. Remove the opportunity and the threat will sometimes pass you by. Know what social media is after — YOU. How do these sites stay in business? Ads and your PII. You are fueling social media. This is not to say that you shouldn’t use Twitter, Facebook or LinkedIn. Just use them wisely. The same applies for your mobile devices. Use them wisely. The biggest thing that you can do is to have a healthy level of paranoia about your personal information. Even the things that seem innocuous to you can be valuable to someone. What you really need isn’t software to protect your PII, what you really need is constant vigilance!
Matt Yonchak is a Sales Engineer at Hurricane Labs. Reach him at email@example.com.
If your company’s computers are still using the last generation of network technology, it might be time to consider an upgrade — especially if you are planning to virtualize any of your processes or data.
“The previous standard for most companies has been traditional T1 lines, which were not cost effective and had limited bandwidth,” says Carlos F. Olortegui, manager of the Enterprise Metro Ethernet Division with Comcast Business Services. “Metro Ethernet technology is more cost effective, reliable, robust and scalable, and it allows you to adjust bandwidth measurements with ease.”
Smart Business spoke with Olortegui about how this technology could benefit businesses and what kind of return companies should expect on their investment.
Why is Metro E technology important and how can it impact a business?
Today, everyone from small, medium to enterprise-level and multi-national corporations can use Metro E technology to improve their telecommunications.
For instance, a franchise using point of sale (POS) transactions and replicating that data could use the Metro E technology to have the option to measure and adjust its bandwidth as necessary.
One major benefit of Metro E is that the connectivity from the customer to the service provider is simplified. It’s just router to router. The main focus of Metro E is the Ethernet connectivity. It’s called Metro E because you are literally plugging in an Ethernet connection. The handoff from service provider to the customer is just an Ethernet plug — pure simplicity.
In the past, companies needed a lot of capital expenses and operating expenses for databases, hardware, larger UNIX servers, even your exchange servers for e-mail. Today, everyone uses e-mail, so the need for archiving and data warehousing is huge.
What is virtualization and how can it benefit businesses?
Virtualization is the process of contracting an amount of space on a large server that is housed by a provider and storing your data there. If you virtualize, you do not have to purchase all the computer hardware and manpower to handle your data and processes. You don’t have the large operating expense and headcount necessary to maintain the high-cost hardware and ensure uptime.
There are two scenarios in which companies can benefit from virtualization. First is disaster recovery. Second is by making a virtual version of your databases or e-mail, which are utilized on a daily basis — you have the ease of connectivity for the transport of all that information to a virtualization footprint via Metro Ethernet.
Here is where your ROI comes into play. You get a bigger bang for your business dollar and the products and services you sell. Other than payroll and real estate, the IT budget is the largest budget for most enterprise customers. If you can drop those operating and capital expenses, your ROI and profitability increase.
How can Metro E technology improve the virtualization process?
You need connectivity to that virtualization footprint. That’s where Metro E comes into play, because of its serviceability and the ability to have bandwidth on demand. Companies can consult 30-, 60- or 90-day bandwidth utilization reports. If you need more bandwidth, it’s just a turn of the dial.
Virtualization provides much more bandwidth than traditional T1 lines can. If you are virtualizing your back-office environment, it is critical that you have no downtime as these applications are considered ‘high availability.’ That is another advantage of Metro E — it is very stable.
How does the ability to adjust bandwidth impact businesses?
Let’s say you are a corporate entity that owns a chain of retail stores. You have peak seasons: different times of the year where you have huge mail distributions or promotions. Your business is very seasonal, so November and December are the peak sales months. There are a lot of promotions, and your website gets hit more at those times. With Metro E, you can adjust your bandwidth to be higher during those peak times, because you want to make sure people can access the website and that all their transactions are being replicated and archived correctly, hence making the customer experience a positive one.
When there is greater demand, the company simply notifies its provider, which increases the bandwidth. They can watch bandwidth utilization reports to see trends, so they can monitor their expenses. Business owners can see that they’re utilizing X amount at a certain time of the year and budget accordingly.
It also ties into virtualization, because one of the main components of virtualization is on-demand storage.
What kind of cost reduction or ROI can businesses expect from using this technology?
First, businesses can expect lower capital expenses from not having to purchase all that computer hardware or enterprise server hardware for their back office databases and e-mail. Second, less manpower is needed because you have that virtual environment, so you have the reduction of overhead payroll. Third is the stability of Ethernet technology. You don’t have to utilize T1 lines or ‘leased-lines,’ those clear-channel point-to-point lines, which are very high in cost because you have to have a certain type of hardware that resides at the customer’s site. With Metro E, you have a simplified device on the back end of the service provider, which is lower cost equipment because it is plug-and-play Ethernet. Together, those three components can reduce expenses 20 to 40 percent.
Carlos F. Olortegui is manager of the Enterprise Metro Ethernet Division with Comcast Business Services. Reach him at (305) 770-5941 or firstname.lastname@example.org.
It is — or at least it should be — a given that you are backing up your company’s critical data. However, as you may have already found out, conducting those backups can be a costly and time-consuming process.
According to EMC, Avamar was developed to solve the challenges associated with traditional backup. They state that EMC Avamar backup and recovery software, equipped with integrated global, client-side data deduplication technology, facilitates fast, daily full backups for VMware environments, remote offices, enterprise applications, LAN/NAS servers and desktops/laptops.
Smart Business spoke with Shawn McCullough of Ulmer & Berne LLP about Avamar, how it has helped his firm and what it can do for your business.
What challenges were you experiencing that led you to look for a next-generation backup solution?
For us, it was all about getting rid of tapes. Managing the tape library we had for backups was expensive and time-consuming. We were spending $5,000 to $10,000 every six months just to replace the tapes. Not only that, we don’t have a dedicated IT staff at all of our locations, so if anything went wrong at those locations, we’d have to spend the time and money to travel to those locations to address the problem. It just wasn’t feasible to do it that way anymore.
Besides protecting our data and cutting down on the cost of tapes, we wanted a backup solution that would protect our virtualization endeavors without putting a strain on the backup infrastructure. We also needed a solution that would allow us to utilize the backups from one central location. Another factor was the timing. As we all know, timing is critical. With multiple locations and data that’s constantly being moved around, we needed a consistent, reliable backup system. EMC Avamar addressed all those concerns and then some.
Another benefit that we didn’t even consider was deduplication. Why back something up if it’s already backed up and stored? This has reduced our backups and saved us a lot of time.
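The deduplication McCullough describes (not backing up a block that is already stored) can be seen in miniature with a content-addressed chunk store. The following is an added illustration, not Avamar's or EMC's code: it splits each backup into fixed-size chunks, keys them by SHA-256, keeps only chunks it has not seen before, and records a per-backup manifest so any backup can be restored. The sample data, host and backup names are constructed for the example.

```python
import hashlib

CHUNK_SIZE = 64  # bytes; chosen small for the demo, real products use far larger chunks


def chunk(data: bytes, size: int = CHUNK_SIZE):
    """Split data into fixed-size chunks (the last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


class DedupStore:
    """Content-addressed chunk store: each distinct chunk is written exactly once."""

    def __init__(self):
        self.chunks = {}        # SHA-256 hex digest -> chunk bytes
        self.manifests = {}     # backup name -> ordered list of digests
        self.bytes_received = 0  # logical bytes presented for backup
        self.bytes_stored = 0    # bytes actually written to the store

    def backup(self, name: str, data: bytes) -> dict:
        """Back up `data` under `name`; only previously unseen chunks are stored."""
        digests, new_chunks = [], 0
        for c in chunk(data):
            d = hashlib.sha256(c).hexdigest()
            if d not in self.chunks:          # the dedup decision: seen before?
                self.chunks[d] = c
                self.bytes_stored += len(c)
                new_chunks += 1
            digests.append(d)
        self.bytes_received += len(data)
        self.manifests[name] = digests
        return {"chunks": len(digests), "new_chunks": new_chunks}

    def restore(self, name: str) -> bytes:
        """Rebuild a backup by concatenating its chunks in manifest order."""
        return b"".join(self.chunks[d] for d in self.manifests[name])

    def dedup_ratio(self) -> float:
        """Logical bytes received per physical byte stored (higher is better)."""
        return self.bytes_received / self.bytes_stored if self.bytes_stored else 0.0


def demo():
    """Two daily 'full' backups of a repetitive file that changes slightly in place."""
    store = DedupStore()
    day1 = bytes(range(256)) * 8                 # constructed: 2048 highly repetitive bytes
    day2 = bytearray(day1)
    day2[1000:1004] = b"EDIT"                    # same-length edit inside one chunk
    day2 = bytes(day2)
    r1 = store.backup("monday-full", day1)
    r2 = store.backup("tuesday-full", day2)
    assert store.restore("tuesday-full") == day2   # restore is exact
    return r1, r2, store


if __name__ == "__main__":
    r1, r2, store = demo()
    print("monday:", r1, "tuesday:", r2)
    print(f"stored {store.bytes_stored} of {store.bytes_received} bytes, "
          f"dedup ratio {store.dedup_ratio():.1f}x")
```

Two points the toy makes visible: the second "full" backup costs only the one chunk that actually changed, which is why daily fulls become affordable, and fixed-size chunking only works this well for in-place edits. An insertion shifts every later chunk boundary, which is why production deduplication uses content-defined (variable-size) chunk boundaries instead.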
What were the factors that made the EMC Avamar solution the best choice?
This solution allows us to have a zero sum game — we can add more applications anytime we want without increasing space or bandwidth. It’s a very well rounded solution. Plus, it’s an instant solution. Before, if something went wrong, our backups were down for days. Now, there is no downtime. And, you can find exactly what you need almost instantaneously. Recovery is fast and amazing. A restore that used to take upwards of 18 hours can now be done in under two. Also, there is no need for client licenses to back up and restore.
What cost savings and ROI were you able to realize by implementing EMC Avamar?
We really didn’t realize just how much we were spending to maintain and store our tape library. That cost saving alone has made it all worthwhile. When you factor in the time we’re saving as well, the ROI is very strong.
How did the EMC Avamar solution reduce the cycles your IT staff was spending to perform backup or recovery tasks?
This was the biggest benefit for us. Before we were spending five to eight hours a week managing and troubleshooting our backups. Needless to say, it was incredibly time consuming. Now, we maybe touch it a couple hours a month!
What guidance would you give to other companies with similar backup concerns and challenges?
EMC Avamar can be a costly solution, but it’s definitely worth the investment. Don’t just look at the price — look at how much this solution will help you. It has amazing features that will save you a lot of money in the long run, more than offsetting the initial cost.
Shawn McCullough of Ulmer & Berne LLP can be reached at email@example.com.
For more information on Black Box Network Services, visit their website at www.blackbox.com.
Smart Business spoke to Bill Mathews of Hurricane Labs about what happens when the cloud fails, and how to not panic when it does.
I’ve written quite a bit on why I think business should cautiously embrace the cloud and see what happens. I promise it is not as terrible as a lot of folks are telling you but it does have its faults.
Many folks seem to think that I sing the cloud’s praises and speak nothing of its many faults. This is patently untrue. As anyone who knows me will tell you, I pretty much dislike almost everything and find fault in nearly everything — the cloud is no different. A lot of applications in the cloud have many, many issues. For instance Twitter, which runs in the “cloud,” has its own share of documented issues. From being over capacity (hello fail whale) to just simply being down, cloud failures do happen and it is not a nirvana. Gmail has developed quite a reputation (unfairly some would say) for being down. Here’s the challenge I have for you though: Measure your network and application uptime against theirs. Let me know the results.
One question I am asked: what do you do when the cloud breaks?
Lots of prayer if you’re into that sort of thing; then you really dig in. If it’s a software or infrastructure as a service you really have no choice but to wait; it’s not your code or your servers, so waiting it out is really the only option. I know that sounds terrible (and it is, believe me) but no one is more motivated to keep their systems up than these providers. Every minute they’re not up is a minute they’re not billing you, and they don’t want that. Economically speaking it’s in their best interest to keep their stuff running. This may sound like common sense but there are a lot of FUD-spreading folks out there basically claiming that Google and Amazon just throw things up there and put no thought into it. I’m not going to go so far as to say they put the stuff up there and never under-think anything, but chances are, if they’re putting something up for you to pay for, then they’re going to want to make sure it is available as much as possible. Availability is a big issue in the cloud, and it should be.
My advice is to measure their uptime (the amount of time a given system is available) with yours and see what the difference is. If yours is significantly higher than theirs, congratulations, you’re better than some of the biggest tech companies in the world (and you should be proud). But, if not, you should investigate it a little further. If you’re not measuring your uptime then we should have a separate conversation. The point is, don’t be dismissive. You might actually be able to increase your service and decrease your cost, and that sort of thing is truly rare.
What improvements would I like to see from these sorts of providers?
Logs, logs and more logs. Let me know what’s going on with my instance of the application — a little more truth in monitoring. If something is down, let me know so I can work around it. Don’t make me find out by hitting refresh and waiting until you time out. Every cloud provider should have both a truthful status dashboard and an emergency broadcast Twitter account (one that maybe sends to Facebook and Google+ too for good measure) for when there’s an outage. The guys over at 37signals do this very well with their Twitter account whenever their Basecamp or related services are down or have other issues. It wins with their customers because they’re being up front and honest about it. We’ll be launching a few cloud-based services very soon and, believe me, this sort of approach will be baked in.
My overall point isn’t to be a giant cheerleader for the cloud — it doesn’t need me to do that — but to get smart and good people to lay down their fears and try something new. A lot of these folks can bring a lot to the various realms of cloud security and can help make massive improvements. Instead of saying “No, no, no,” I’m just looking for an “Okay, let’s try it out and see what happens.” Is that too much to ask?
Bill Mathews is Lead Geek of Hurricane Labs, an IT security services firm founded in 2004. He has nearly 20 years of experience in IT, 13 of that in information security, and has been interested in security ever since C3P0 told R2D2 to never trust a strange computer. He can be reached at @billford or @hurricanelabs on Twitter, and other musings can be read on http://blog.hurricanelabs.com.
Smart Business spoke to Bill Mathews of Hurricane Labs about not letting an irrational fear of the new keep you from using cloud solutions for your IT dilemmas.
We have an expression at my company, “Everything in the cloud!” Basically it means, if you’re asking for infrastructure then have you considered the cloud? If not, why not? We tend to get very wrapped up in the security of things so we shy away from putting anything out of our control, but lately we’ve come out of our shell a bit and moved some things to the cloud that made some sense. This is the story of those decisions and their reasoning.
We host a download site for our customers, which is basically a large (approaching 105 GB at this writing) software repository that houses the software we need to do our jobs for our customers. While cost was definitely a factor — the site costs a few dollars a month to host — the biggest issue was speed. When we hosted the download site ourselves it was slow, especially overseas. Basically there was nothing we could do about that other than — you guessed it — everything the cloud! Now customers are able to download things fast with really little regard to their geographic location, and it’s been great.
Obviously our download site isn’t what you would call “confidential” or “private” information so it was a pretty easy decision to move it to the cloud and be happier campers. Of course, we took all the necessary security precautions. For instance publicly available links can be made to expire after a certain amount of time, which is great. An increase in customer happiness plus less infrastructure to purchase made the business owner in me very happy. Cloud: 1, Irrational Fear of the New: 0.
We need to be able to keep A LOT of log files around for various reasons. These can get very large very quickly; buying the infrastructure up front is expensive and it can be cumbersome to maintain. What should we do? That’s right, everything the cloud! This one was a little trickier because logs can contain very sensitive data, so we dug into our brains and came up with a pretty simple solution: encryption. Encryption is cheap and, if you do it right, it’s easy. I ended up writing a tool called “logsup” (Log Secure Upload) and basically it does exactly what it says. First we generate a private key (which stays on our site), compress the data, encrypt the data and then upload the encrypted data to our cloud storage. The cloud storage then implements the rest of our security. We never make the files “public” and we provide no other interface into it. Secondarily, logsup writes out a receipt for the log file so we can better keep track of what file is where. No system information or other identifying information is ever stored with the encrypted file. Really it’s a simple and novel solution to what, on the surface, appears to be a big problem.
This one hasn’t gone into production yet but it will soon. It should cut our storage costs significantly and actually increase the security of our long-term stored log files. This is another instance of a practical application of old principles to supposedly new technologies. Encrypt early, encrypt often, I always say. Cloud: 2, Irrational Fear of the New: 0.
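The logsup pipeline above (generate a key that never leaves the site, compress, encrypt, upload, and keep a local receipt that carries no identifying information in the stored object) can be sketched in code. What follows is an added example written for this page, not the author's logsup tool, whose source is not shown here. It assumes a symmetric AES-256-GCM key as the "private key" (the article does not name an algorithm), a gzip compression step, and a random object name so the stored file reveals neither host nor log type; the actual upload call to cloud storage is left out because it depends on the provider's SDK. Because GCM authenticates the ciphertext, a modified or wrong-key object is rejected on retrieval rather than silently decrypting to garbage.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"time"
)

// Receipt is the local record that maps a log file to its remote object.
// Only this receipt (which stays on-site) links the two; the uploaded blob
// carries no hostname, log name or other identifying metadata.
type Receipt struct {
	LocalName  string    `json:"local_name"`
	ObjectName string    `json:"object_name"` // random, says nothing about origin
	Size       int       `json:"size"`
	SHA256     string    `json:"sha256"` // hash of the encrypted blob, checked after download
	UploadedAt time.Time `json:"uploaded_at"`
}

// NewLogKey returns a fresh 256-bit AES key. Assumed design: it is generated
// and kept on-site; the cloud only ever sees ciphertext.
func NewLogKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// SealLog compresses, then encrypts with AES-GCM. Output is nonce || ciphertext
// (Seal appends the authentication tag), so tampering is detected on OpenLog.
func SealLog(key, plain []byte) ([]byte, error) {
	var zbuf bytes.Buffer
	zw := gzip.NewWriter(&zbuf)
	if _, err := zw.Write(plain); err != nil {
		return nil, err
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, zbuf.Bytes(), nil), nil
}

// OpenLog reverses SealLog: authenticate and decrypt, then decompress.
func OpenLog(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	z, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err // wrong key, or the stored object was modified
	}
	zr, err := gzip.NewReader(bytes.NewReader(z))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

// MakeReceipt builds the local receipt for an encrypted blob.
func MakeReceipt(localName string, blob []byte) (Receipt, error) {
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return Receipt{}, err
	}
	sum := sha256.Sum256(blob)
	return Receipt{LocalName: localName, ObjectName: hex.EncodeToString(id) + ".bin",
		Size: len(blob), SHA256: hex.EncodeToString(sum[:]), UploadedAt: time.Now().UTC()}, nil
}

func main() {
	// Constructed sample log lines; a real run would read a file from disk.
	sample := []byte("Jan 10 12:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.2\n" +
		"Jan 10 12:00:02 fw1 sshd[1234]: Accepted publickey for ops from 192.0.2.10\n")
	key, _ := NewLogKey()
	blob, _ := SealLog(key, sample)   // blob is what would be uploaded
	rcpt, _ := MakeReceipt("fw1-2011-01-10.log", blob)
	out, _ := json.MarshalIndent(rcpt, "", "  ")
	fmt.Println(string(out)) // the receipt stays on-site alongside the key
	back, err := OpenLog(key, blob)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, sample))
}
```

The receipt's SHA256 lets a retrieval job confirm the downloaded object is byte-for-byte what was uploaded before it even attempts decryption, and the random object name means a listing of the storage bucket tells an outsider nothing about which hosts or log types are kept there.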
The moral of these two stories is that new technologies do not have to be scary. We didn’t have a large learning curve to implement this stuff (all done on Amazon Web Services, by the way) and while it did require a small coding effort, it was just that, a small effort. New things can be scary but you should always be willing to give it a shot, with the appropriate amount of caution, of course. Security matters, performance matters; just make sure you’re worried about the right ones in the right order.
Will you be increasing the cloud’s score?
Bill Mathews is Lead Geek of Hurricane Labs, an IT security services firm founded in 2004. He has nearly 20 years of experience in IT, 13 of that in information security, and has been interested in security ever since C3P0 told R2D2 to never trust a strange computer. He is also not a cloud fanboy, but likes to apply new technology where it makes sense. He can be reached at @billford or @hurricanelabs on Twitter, and other musings can be read at http://blog.hurricanelabs.com.
For two hours, Tom Reilly sat with Secretary Janet Napolitano, head of the Department of Homeland Security, to discuss the importance of cyber security and how to protect citizens from cyber attack. Today, the threat of cyber attack is an issue that affects more than just big business and government entities, but everyone.
“You read every week about another breach in the industry, whether it’s enemy nation states attacking our power grid, it’s a bank undergoing cyber fraud, credit cards getting stolen or identities,” says Reilly, who is the former CEO of the $181.4 million security and compliance solutions company ArcSight LLC, which was acquired by technology giant HP in 2010. “It’s happening. Clearly the traditional approach to solving security has not worked.”
In light of more high-profile security breaches at companies such as Google and Sony, it is also a problem for which new solutions are plainly needed.
“I talk to a lot of customers who have been investing in security technology for 20 years, spending a lot of money, and yet they still don’t feel secure,” Reilly says.
With technology advancing and changing exponentially, it’s important for companies of all sizes to reevaluate the security measures that they are using to protect their most valuable information, data and possessions.
“What’s interesting is cyber criminals do not distinguish between company sizes,” Reilly says. “They don’t distinguish between industry and they don’t distinguish between countries or public and private sector. They go after the softest target.”
Smart Business spoke with Reilly about how the security landscape is changing for the next decade and what business leaders can do to defend their companies from imminent cyber threats.
For companies that don’t have a risk management strategy, what is the first step in creating one?
I think the first thing is to know, based on your business, what is critical to protect. So if you are a healthcare provider, it’s patient records. If you are a utility, it’s keeping up the power grid or protecting customer records. If you are a bank, it’s definitely protecting accounts from account takeover. So you need to identify what is critical to your business that you need to protect. Don’t just take a generic position of ‘let’s protect everything equally.’ Protect your crown jewels. Understand where that data, those systems reside and make sure that that data or those systems are well-protected, much more than the rest of your organization needs to be protected.
Which industries are at high risk for cyber crime?
The opportunity in cyber security is a global opportunity; it affects companies that are small right up to the largest and it touches many verticals. In every vertical, I can tell you what it is that they want to protect, whether it be intellectual property, it could be financials, it could be customer data, it could be health records or it could be services like the power grids that have to keep power up and phone companies that want to keep phones working.
What are the biggest cyber threats?
The most serious risk and the one that can have the most significant impact is one that is called ‘the insider threat.’ And the insider threat is not an attack from outside but it’s an employee in your organization who for one reason or another is a disgruntled employee. Yet you’ve trusted that employee with access to systems and sensitive data. The employee could be disgruntled because they are a poor performer and then they get fired. They could be compromised because somebody is bribing them externally for data, which we come across a lot. Or they could be getting blackmailed, which is also quite common. The insider threat is not only that they have access to the most sensitive information and they can do the most damage, but they are the hardest to detect.
The second area is the theft of intellectual property, and a lot of this is sponsored by enemy nation states who are trying to access intellectual property within companies that have leadership. By stealing intellectual property, you can gain a competitive advantage effectively. Intellectual property could be the designs of a new electric vehicle. It could be the designs of a new plant that’s being built. It could be the spreadsheets that rationalize a bid for a big mining project.
What can companies do to prepare employees for cyber risks?
Continual education is always needed. The reason it’s continual education is cyber criminals are always evolving. They are always introducing new techniques and new capabilities, and they are very, very patient. So they may take six months to a year targeting a specific company to penetrate that company’s network, to get code on there and to have basically sweeper agents that are monitoring what’s happening within a company.
When you start understanding some of these sophisticated things, you suddenly realize that you have to have continual training around what our security policies are, how you provision people to access systems, how you de-provision people when they leave the business. You have to have good rigor in enforcing those policies. You are only as secure as your weakest link. Unfortunately, now the weakest link is not technologies or computers, it’s employees often making inadvertent mistakes and bringing in malicious code into the environment.
How do risk management tools identify cyber security threats differently for businesses than other approaches?
It allows them to measure the amount of risk that they are taking or that they have in their IT environment. And once you can measure risk, you can invest money wisely to reduce or mitigate risk. So we’re changing the discussion from ‘Are you secure?’ to ‘What’s your risk posture?’ You can now look to a chief security officer and say, ‘What’s your risk posture? What’s your risk policy?’ and they can answer that concretely rather than ‘Are you secure?’ which is usually a yes or no. So risk deals with the gray.
What about security intelligence?
One of the assumptions you have to make to really effectively use security intelligence tools is you have to assume that you have been breached and that your network has malicious code or malicious users on it. Your job is to go discover them.
So if you assume that your perimeter has been breached and that either you have a malicious user inside or you have malicious code on your network and you say now I have to go find it, then that’s how you use security intelligence tools. You start listening and monitoring network activity. You start modeling how users use the system for the normal course of business, so that when anomalous use is occurring, it stands out.
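The approach Reilly describes, learning what "normal course of business" looks like per account and then letting anomalies stand out, can be shown with a small baseline-and-hunt routine. This is an added example for this page, not code from ArcSight or HP; it assumes a constructed, simplified key=value login record ("user=alice src=192.0.2.10 hour=9") rather than any real log format, and a baseline of usual hours and source addresses learned from a window the analyst believes to be clean. It deliberately surfaces three kinds of finding: activity outside an account's usual hours, a never-before-seen source, and an account with no baseline at all.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one authentication record: which account, from which source, at what hour.
type Event struct {
	User string
	Src  string
	Hour int
}

// Baseline is the per-account picture of "normal": hours and source
// addresses observed during a trusted learning window.
type Baseline struct {
	Hours map[string]map[int]bool
	Srcs  map[string]map[string]bool
}

// ParseEvent reads the constructed key=value format used in this example.
// A real deployment would parse the actual authentication log instead.
func ParseEvent(line string) (Event, error) {
	var e Event
	for _, f := range strings.Fields(line) {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return e, fmt.Errorf("bad field %q", f)
		}
		switch kv[0] {
		case "user":
			e.User = kv[1]
		case "src":
			e.Src = kv[1]
		case "hour":
			h, err := strconv.Atoi(kv[1])
			if err != nil || h < 0 || h > 23 {
				return e, fmt.Errorf("bad hour %q", kv[1])
			}
			e.Hour = h
		}
	}
	if e.User == "" || e.Src == "" {
		return e, fmt.Errorf("incomplete event %q", line)
	}
	return e, nil
}

// Learn builds the baseline from history assumed to be free of compromise.
func Learn(history []Event) Baseline {
	b := Baseline{Hours: map[string]map[int]bool{}, Srcs: map[string]map[string]bool{}}
	for _, e := range history {
		if b.Hours[e.User] == nil {
			b.Hours[e.User] = map[int]bool{}
			b.Srcs[e.User] = map[string]bool{}
		}
		b.Hours[e.User][e.Hour] = true
		b.Srcs[e.User][e.Src] = true
	}
	return b
}

// Deviations lists how an event departs from its account's baseline.
// An empty result means the event looks like business as usual.
func Deviations(b Baseline, e Event) []string {
	hours, known := b.Hours[e.User]
	if !known {
		return []string{"no baseline for account " + e.User}
	}
	var out []string
	if !hours[e.Hour] {
		out = append(out, fmt.Sprintf("%s active at hour %02d, outside usual hours", e.User, e.Hour))
	}
	if !b.Srcs[e.User][e.Src] {
		out = append(out, fmt.Sprintf("%s from never-before-seen source %s", e.User, e.Src))
	}
	return out
}

// Hunt scores raw lines against the baseline and returns only the ones that
// deviate (or cannot be parsed, which itself deserves a look).
func Hunt(b Baseline, lines []string) map[string][]string {
	findings := map[string][]string{}
	for _, l := range lines {
		e, err := ParseEvent(l)
		if err != nil {
			findings[l] = []string{"unparseable: " + err.Error()}
			continue
		}
		if d := Deviations(b, e); len(d) > 0 {
			findings[l] = d
		}
	}
	return findings
}

func main() {
	// Constructed learning window: alice and bob both work 08-17 from office addresses.
	var history []Event
	for h := 8; h <= 17; h++ {
		history = append(history, Event{"alice", "192.0.2.10", h}, Event{"alice", "192.0.2.11", h}, Event{"bob", "192.0.2.20", h})
	}
	b := Learn(history)
	today := []string{ // constructed sample lines for one day
		"user=alice src=192.0.2.10 hour=9",
		"user=bob src=192.0.2.20 hour=16",
		"user=alice src=198.51.100.7 hour=3",
		"user=carol src=192.0.2.10 hour=10",
	}
	for line, why := range Hunt(b, today) {
		fmt.Printf("%s\n    %s\n", line, strings.Join(why, "; "))
	}
}
```

Only the 3 a.m. login from an unfamiliar address and the account with no history are reported; the two ordinary logins produce nothing, which is the point of baselining: the analyst's attention goes to the residue, not to the whole log.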
How to reach: HP Enterprise Security, (888) 415-2778 or www.hpenterprisesecurity.com
Hackers don’t play favorites. Whether your business is big or small, if you have people’s personal information, someone may be trying to get it.
And if someone succeeds, are you prepared to deal with the consequences?
“Hackers are not selective,” says Todd Winter, a partner at SeibertKeck. “It doesn’t matter if you’re a retailer, bank, manufacturer, health care company, educational institution, insurance agency or a government entity; they don’t discriminate against who they are hacking.”
Smart Business spoke with Winter about how privacy and security liability insurance can protect your company if personal information is stolen.
What kinds of companies should be concerned about the loss of personal information?
Any company that retains this information should be concerned. And it’s not just companies that do business electronically. Companies that have paper files containing personal information are subject to breaches, as well.
Small business owners often think that their risk of a security breach is small and don’t believe that they will be targeted, but it can be faster and simpler for a hacker to access personal information from a small business than it would be to crack the system of a corporate giant with several layers of security.
A July article in the Wall Street Journal cites examples of small business owners who never thought they would be targeted but were crippled by cyber attacks. In one example, a Chicago area magazine shop owner found software on his cash registers that was sending credit card information to Russia. In another case, a Kansas car dealership found that a hacker had added nine employees to its payroll through its bank account and transferred $63,000 to them.
As a result of the risks, businesses of all sizes need to financially protect themselves against a claim. Lawsuits resulting from breaches can come from vendors, employees, business associates and other third parties. And it’s not just the company that is at risk; directors and officers have a duty to make sure that systems are in place to make sure a breach doesn’t happen, and, if it does, they could be held responsible as well.
How can privacy and security liability insurance help protect a company if a breach occurs?
Privacy and security liability insurance provides coverage for the theft or loss of personal information and for the alteration, corruption, destruction, deletion or damage of data assets. It also provides protection for security-related events and gives a company a layer of protection above and beyond its IT systems and internal management control.
Not having coverage can prove costly in the event of a breach, if a laptop containing personal information is stolen, or a company’s electronic backup of paper records is hacked.
The average cost of a data breach is $210 per lost customer record; if your company stores 20,000 customer records, that could mean a possible loss of $4.2 million. Business leaders need to consider whether that is a hit that their business can afford to take.
What should a business owner look for in privacy and security liability coverage?
If you buy privacy and security coverage, make sure you have protection within your policy for regulatory defense and penalties that could be imposed as a result of a breach at your company.
Also consider including crisis management and public relations coverage. If your company experiences a breach and personal information is accessed, that can create a big hit to your reputation. Once customers are aware of the breach, they may no longer feel comfortable turning over personal information to your business. Public relations coverage can help you repair your reputation and create a campaign to let the public know that you are still a good company to have as a business partner.
Some carriers may not provide certain types of coverages, so with the help of an outside adviser, identify those that have broader protections for your business. That would include crisis management, network business interruption insurance, cyber extortion and event management, all coming together under one policy.
What is the cost of privacy and security liability insurance?
It can be expensive because the coverage is still fairly new and carriers aren’t yet sure how much risk is out there. And when they don’t know what the potential risk could be, they typically charge more until they get more experience in writing the coverage. However, the coverage is well worth the premium, as the potential costs of a breach not covered could prove catastrophic for an organization.
What is a business’s responsibility if a breach occurs?
Because breaches previously sometimes went unreported, states have enacted laws requiring that if personal information has been breached, a business must promptly notify those who are potentially affected. That is where notification coverage comes into play, covering the cost of notifying those affected by the breach. This privacy breach response service can offer protection for as many as two million affected individuals.
What would you say to business owners who believe that they have strong IT departments and don’t need to worry about coverage?
Often businesses feel that their IT department has done an excellent job of providing protection, that because they’ve installed firewalls and done everything possible to protect the information, they are fully protected. Larger companies, especially, may feel like they don’t need the protection of an insurance policy because they have proper controls.
But no company is ever really fully protected, and if you don’t take steps to make sure you are covered, the results for your company could be catastrophic.
Todd Winter is a partner at SeibertKeck. Reach him at (330) 865-6572 or firstname.lastname@example.org.
As social media moves to the forefront of the information security industry, many bloggers and information systems analysts have been working around the clock to promote what should be understood about the problems social media may pose.
Smart Business spoke to Chris Crane, a project manager with Hurricane Labs, about the threats involved in using social media.
What are the inherent risks in using social media?
Social media in itself encompasses all major forms of communication and ways to provide information, and in an incredibly easy way. It is available for use by anyone, with extreme portability, and welcomed by all. This may not appear to be a problem to the random user who finds its ability to make and keep connections a very handy tool, but what is missed underneath the surface are the doorways to intrusion that it carries along with it.
Attacks such as the Zeus Trojan or the evolving Koobface can easily be manipulated and provided to others via social networking sites. Information provided ‘at will’ can be gathered and used for social engineering purposes. I do not promote myself to be someone who can socially engineer information, but even I have learned about aspects of people’s lives and their jobs (remote user accounts that just happen to form ironical humor) that should have never reached the pages of regularly used social networking sites.
How can users protect themselves?
Social media exploitation will continue to pose threats to the IT community, but when an evolutionary threat presents itself, knowing a good stance or having the right mindset from an individual user’s perspective is a good starting point. This should be a good base to implement a solid policy that can be watched and reacted to. From there, gather what information is needed to re-evaluate the policies that you want to enforce.
Here are some ideals that every user should be acquainted with to better secure themselves:
Self censorship. Know what it is that is being posted when it is posted. Be aware of any potential threats this information may cause to the user or to the user’s place of employment. This is in no way a means to destroy individuality. The user must be aware of the ease of access to anything that is posted via the Web. The information being spread, no matter the depth, can be used by anyone willing to spend the time gathering a personal database against the user or the company the user works for. For example, think of the security questions answered while setting up a personal e-mail account. Answering with the name of a favorite pet and then flooding a Facebook page with pictures and posts of ‘Socrates’ does not leave too much of a challenge to those interested. Especially if the personal e-mail address you answered that question for is listed as a means of contact on a blog/Facebook/etc.
This may be thought of as a long shot towards affecting a company, but how many times does one recycle personal passwords? How often is personal e-mail used in the workplace as a work-around when accomplishing a task involving sensitive material?
Trust. Create a personal social networking cloud and understand the threats they may offer. These are the people that will be reading all of the data that is provided by the user. Outside of the information that will be shared out, these are the people that will be providing the information coming in. Not everyone has malicious intent, but everyone is vulnerable to malicious attacks. Common attacks to social media are intended to spread easily and quickly, so that by the time it is noticed as a threat, a significant amount of damage has been done. This means understanding what is being offered as a link, what the intent of a message is, and what may be offered as something beneficial, but in turn is potentially harmful. Just because it comes from a picture of your mother doesn’t mean that it is necessarily her behind the wheel.
Become a super-user. Know what the application or site can offer. Know what can be done with the application or site to tailor it to provide what is intended. What social media offers is not something to be afraid of. Like all things, there needs to be a level of control, and these sites and applications provide the tools and configurations necessary to maintain a level of privacy. It is always a best practice to fully understand the capabilities of any application, website, or communications tool.
Training and understanding of the social media landscape should not be overlooked. It is something that will have to be dealt with as this landscape moves and reshapes itself. To quote a former instructor of mine, ‘They asked me what would be the No. 1 thing I would do to help secure their network. I told them: remove the users.’ As comical as that sounds, it holds truth. Hopefully educating everyone on social media security will allow for some ‘give’ to that statement.
Chris Crane is a project manager with Hurricane Labs. Reach him at (216) 923-1330, ext. 3.