Wednesday, June 6, 2007

Back from the dead ... and more concerned than ever!

So this blogging is harder to keep up with than I expected. I can't believe it's June already. Let me catch you up quickly on the last month:
  • My company has gone through significant growth - our unique approach to security and risk assessments has really caught on and we're hiring people as quickly as we can find them. If you're a CISSP or have a similar background, please call me!
  • I have attended several regional trade shows and conferences over the past month. Some were security related, but most were not. As a result, I have spent a lot of time talking with people who are not "security experts".
  • I have also spent significant time speaking with IT directors and leaders in local and regional government bodies.

And after a month of talking and listening, listening and talking, here's what I see:

  • Everyone seems to accept that security issues are real and that they are at risk.
  • If you haven't been breached, the risk you're under is acceptable. I would be a rich man if only I had a dollar for every version of, "it won't happen to me" that I have heard.
  • The security threats - particularly in the area of social engineering - are becoming more prevelent and are attacking smaller and smaller organizations. I recently ran into the president of a company in rural Pennsylvania - Amish country - whose A/R person was deceived into giving away banking information. They are a 24 person company.

Folks - what's it going to take?!?! At some point, this is going to become irresponsible behavior to keep ignoring these issues. (In fact, California is currently considering forcing companies who have been breached to cover all costs for consumers and businesses who have to deal with their information being compromised)

This blog REALLY isn't intended to be a commercial for my company. But it drives me crazy that we have the resources and ability to help protect you, your company and your customers - but you won't let us. (obviously, I don't direct that to our customers - you guys I love!) :-)

I know this sounds like a rant - and it is - but it's also a plea. As a business owner, you have a responsibility to protect your customers. Do the right thing. Your I.T. people don't have the depth - trust me - they don't. It's not their fault - I'm sure they do a great job keeping the business running. But security is a full time job and they just don't have the time.

So bring in a professional organization. If you don't like me or Pervasive Solutions - no problem. I'll even recommend some others for you if you want. But find someone you can trust and have them help you. At a minimum, here are the things you should be doing every 9 - 12 months:

  • End-user security awareness training: help your employees understand the importance of security and the threats that they may face.
  • External network vulnerability assessment: find out what risks exist on your network
  • Network and server configuration assessment: help your I.T. team build security into your infrastructure instead of trying to bolt it on afterwards
  • Policy & procedure review: establish and review your security policies and procedures, both for your I.T. team and your company as a whole, to set expectations and protect the company from compliance and litigation risks

I know these may sound like a lot. But I assure you, they aren't. For only a few thousand dollars per year, you can cover 80% of your risk with just these four steps. Certainly, I would suggest that you eventually conduct complete, thorough security and compliance risk audits which will dig deep. But don't worry about that now. Just do the basics. If you do, you'll be ahead of your peers who are still burying their head in the sand.

It's like the old joke, "if we get chased by a bear, I don't have to outrun the bear - I just have to outrun you." Make your company a smaller target - sure, you'll still be a target - but there will be bigger targets all around you.

Saturday, April 21, 2007

Insurance Industry Apathy

So I attended and exhibited at I-Day this week. Buffalo, NY! Woo-hoo! Over 1,500 members of the insurance industry from upstate NY, northern Ohio and western Pennsylvania. And do you know what I came away with? The biggest lesson I learned was that the average insurance agent isn't the slightest bit concerned with the privacy and security of their clients' information. These were agents and brokers of MAJOR insurance companies - and they were neither aware of requirements like GLBA and breach notification laws, nor were they interested in learning about them.

As a consumer of both business and individual insurance policies of all sorts, I was mortified that there was such apathy concerning whether my personal information was safe.

I suppose it shouldn't be that surprising. Agents are sales people and they have one thing in mind. But they make most of their money from recurring revenue - policies that continue to renew without the agent lifting a finger. If that's the case, you would think (or at least, I would think) that the privacy of their clients' information would be important to them. Well, at least on that day, it wasn't as important to them as the bloody mary station down the hall.

During the event, I have to admit, I was more than a little annoyed by these people who seemed to care so little about their clients. But a day removed from it now, my frustration has moved from the individual agents to the companies and brokerages that they work for. It is the employer who has the responsibility to build this awareness and concern into their employees. Yes, I want my sales people spending their time selling. But there is no excuse for a large insurance company who doesn't regularly address security and compliance issues with their employees, brokers and agents.

So I petition all of you, whether you're Allstate, Farmers, Liberty Mutual, AIG, Progressive, State Farm, Nationwide, The Hartford or Geico - PLEASE take awareness more seriously. Your agents have NO IDEA what their responsibilities are. Shoot, they don't even know what threats are out there and what regulatory requirements apply to them. PLEASE help them to protect our data. PLEASE help them to CARE about protecting our data. And PLEASE do it soon. Because right now, they are prime targets for security breaches. After what I saw this week, if I was a social engineering criminal, your agents would be my first stop.


Friday, April 13, 2007

You've been breached!

My last post described the typical requirements of the various breach notification acts that your business is likely subject to, and some of the steps you should take to avoid a breach. But what if you've already had a breach? Perhaps you're reading this today and tomorrow you'll get a call from your IT director with some bad news. What are you going to do?

Your first reaction is probably to call your lawyer. And I certainly can't argue against that. However, I do want to caution you - legal council is important in these situations - but if they are allowed to drive your response to the breach, it will almost certainly be at the cost of customer relationships.

Your lawyers will be able to advise you on your responsibilities and liabilities. But they will likely advise you in ways meant to protect your company from any possible legal ramifications. They probably won't try to view the breach from your customers' eyes, with consideration for how you can best save those relationships.

If my company suffered a breach, my first call would be to the team at Identity Safeguards. Identity Safeguards was founded by John Davidson & Rick Kam. John experienced ID theft first hand some years ago. It was such a terrible experience that he decided to build a company that would be dedicated to helping individuals recover from such situations.

The company has evolved over the years and now spends most of their time helping companies and institutions deal with data breaches. They help your management team establish a comprehensive plan for assessing the breach, alerting your customers and helping the impacted individuals protect themselves. Their work is conducted from your customers' point of view - and as a result, they help you to tell your clients about the breach without losing their confidence in you. If you have had a breach, I strongly recommend that you contact them immediately.

Once you have a trusted advisor on your side who can help you address the breach without losing your customers, the rest of your work is relatively elementary. You'll need to take active steps to make sure that such a breach can't happen again. You'll need to be sure your responses are in compliance with all applicable legislation (this is really where your legal team can be helpful) and you'll need to engage the authorities to see if they can identify and prosecute the criminals (don't get your hopes up - less than 10% of these types of cases are ever prosecuted).

But saving those client relationships is absolutely job #1. And for that, hiring an expert like Identity Safeguards is worth every penny.


Friday, April 6, 2007

What you Need to Know about Breach Notification and Privacy Laws

Have you ever heard of California law SB 1386? Chances are good that if you do business in the United States, whether you have heard of it or not - and even if you're not in California - this law impacts you.

SB 1386 was a groundbreaking statute that first took effect July 1, 2003. You can find the actual bill here, but boiled down, it exists to protect the personal privacy information of all California residents. If your business has acquired such personal information (which includes SSN, driver's license number, account or credit card numbers, etc.), and you realize that at some point, you did not have complete control over that data, you must alert each individual in writing of the potential breach of their information.

The law also establishes provisions for civil suits by impacted residents, creating a basis for class action suits against your company should such a breach occur.

To date, well over 50 companies and institutions have been required to alert individuals of the risk of identity theft due to this law.

"So what?", you say, "I don't do business in California". Since SB 1386 took effect, 33 other states have approved similar legislation and several others are considering it - as is the Federal Government. The University of Georgia has put together some great resources, including a map of the states with approved legislation.

What are the REAL Impacts of Breach Notification Acts?
So chances are pretty good that at least one of these laws impacts your business. But what are the real impacts? Let's look at an example. A financial services firm with 3,000 clients obviously stores protected data. One day, they realize that a laptop with client records was stolen from the back seat of a car. The likely impacts of this event include:
  • Written notification to each client at a cost of approximately $3,000.
  • To try to maintain their clients' confidence, they elect to provide 1 year of credit reporting services for each of their clients (this is becoming the norm). At a cost of $50 per client, that will run them $150,000.
  • Depending on their state, they may be subject to fines reaching as high as $150,000.

So that creates the potential for over $300K of hard costs. But what about the soft costs? How many clients are going to leave because of this event? How many clients are going to file suit? If this company only lost $300K, it would be a miracle. In reality, an event like this could cripple a small company.

Now, what happens if you're a local or regional retailer? Do you know whether your systems record the credit card numbers that you take? Do they store them unencrypted? You might easily have 100,000 consumers' information. Can you imagine the cost should you be breached?

What Should You Do?
So clearly, the impacts of these laws are real and they are significant. The question then becomes, what do you need to do to protect your company?

For starters, you need to take data security seriously. This starts with security policies and procedures. For example, you probably have back-up tapes of servers and databases. What is your policy for handling and storage of those tapes? Is that policy followed by your IT organization? What about password management? Do you have employees that share passwords? Or do you have systems whose administrative password is left blank? These are common issues for SMBs but it is precisely these issues that could result in a breach of your data. Establishing a thorough set of information security policies and then training your team to follow them is a critical step in protecting your data and your company.

In addition, you do need to make sure your networks, servers, workstations, desktops, mobile devices, etc. are all protected from breach and inappropriate access. If you're a mid-size company with just a handful (or less) of IT people, you probably don't have the security expertise needed to evaluate and implement a sufficient level of security around your technology. Bringing on a consultant to help this process will be money well spent. However, be warned - if the consultant you hire works for a company that sells security appliances or other network devices, they may have an agenda when they walk in the door (to sell you expensive technology).

Ideally, you'll find a security consultancy that is vendor-neutral. Ask them if they resell hardware and whether the company receives any income from such sales. If they do, my advice is to keep looking. This is exactly why my company doesn't resell hardware at all. We want to be completely neutral and be able to advise our clients strictly based on what is in their best interest. I don't want this to be a commercial about Pervasive Solutions - I just want to underscore that if you bring in a hardware reseller to audit your security, don't be surprised when their recommendations come back with six figures worth of equipment that is "mandatory".

Admittedly, this is a really high-level glance at this subject. The implications of the various Breach Notification Acts and Privacy Laws vary by state. But in the end, the message is clear - if you have a breach, you must publicly disclose it. Regardless of the hows and the direct costs, that type of disclosure can have such a detrimental impact on customer confidence that you really need to do everything you can to protect yourself. Get serious about security NOW.

If you have questions or would like my help, please feel free to give me a call or shoot me an email. I look forward to hearing from you.


Sorry for the silence...

I can't believe it has been almost two weeks since my last post. I need to apologize to those of you who keep tabs on this blog. The last two weeks have been great for business, but it has kept me running nearly non-stop. Some highlights:
  • We have added clients in three more states bringing out total coverage to 21 states.
  • We have solidified designs for a new product/service offering that will significantly improve the security of SMBs at a very low cost to them. Stay tuned for more on that...
  • I have been selected to write a monthly column for Business Strategies magazine. My section will be titled, "Risk Management".
  • We were featured in the Rochester Democrat & Chronicle's business section. You can see the article here.

There are a few other highlights, but I think you get the gist. Anyway, no excuses. I do apologize and will work to ensure these hiatuses don't happen in the future.

Thank you for your patience.


Friday, March 23, 2007

Data Leakage: How can you prevent it?

Would it surprise you if I told you that far more than 50% of all security breaches stem from internal sources? It's true. At the end of the day, your employees pose far greater risks to your security than do any external risks.

If you are anything like most of the business owners I speak to, you're thinking, "Not MY employees. I can trust my team." Of course you can trust your team - to a point. But the fact of the matter is that security holes and breaches occur primarily due to lapses in good security practices by company employees.

Sometimes these are malicious acts, but most often, they are accidental. They come from the receptionist who leaves his password on a sticky-note under his mouse pad ... or the software engineer who leaves her laptop in the back of her unlocked car while she runs into the supermarket ... or the executive who emails files with sensitive information to her home email address so she can be productive over the weekend.

Now ask yourself again - could any of these situations happen to you?

"Data leakage" is the industry term that is used to describe these types of breaches. While you and your employees may not realize that you're doing anything dangerous, your company's and clients' data is exposed. As a business owner, you have a responsibility under law (and general ethical behavior) to adequately protect your sensitive data. So how can you prevent data leakage?

The most important aspect to preventing data leakage is training your employees regarding behaviors that could lead to leaks. Proper training will help employees to:
  • Understand how leaks occur
  • Internalize how those leaks create risk for the company, their clients and themselves
  • Accept responsibility for preventing leaks from their own behavior and helping other employees to avoid risky behavior as well
  • Alert appropriate management should they identify potential data leaks, whether malicious or accidental

This training is necessary for ALL employees - not just your IT team. Whether they work on the loading docks, in a cube or in the corner office, each of your employees can help protect the company from data leakage.

While training is the most important aspect of preventing data leakage, there are technology solutions that can help:

  • Email Controls. These solutions include limiting outgoing attachment sizes, lexicons that analyze outgoing email for confidential information and email encryption tools. The point is, most email traffic is inherently insecure. So the first step is to limit the sending of confidential data to a bare minimum, and second, to protect that data as it is sent.
  • Device Controls. Often times, malicious data leakage occurs when an employee downloads confidential data to an easily transportable device - like a USB key drive. Your IT administrators can regulate use of these devices to prevent such incidents from occurring.
  • Data Controls. Most importantly, your confidential data should only be accessible by employees who MUST have access to it - and then they should only have access to the specific data that they need. Too often, we discover databases and systems where people throughout the organization are given carte blanche permissions to access anything and everything. You should be regularly reviewing who has access to what resources and whether they still require such access.

Policies & Procedures
Finally, you need to establish a documented set of security policies and procedures. This should be a comprehensive collection of materials that establish the do's and don't's for how your employees treat confidential materials. Documenting these policies and making them available to your employees accomplishes several key goals:

  • You underscore to your employees how critical security issues are to the business and set a consistent expectation for employee behavior
  • You provide an easily accessible resource should an employee have a question - this is especially important following the awareness training described above
  • You create a document trail that protects you from some liability in the event that an incident occurs and provides a basis for employee discipline when necessary

Data leakage has injured many, many companies - from Fortune 500 enterprises to 5-person financial advisers and physician practices. It's not expensive to protect yourself - it just requires a commitment on your part, some hard work and, for many mid-size companies, the assistance of a knowledgeable advisor. If you feel your company may be at risk, send me an email and we can talk further about steps you can take to protect yourself.


Monday, March 19, 2007

Microsoft Exchange: In-house or hosted?

After my eDiscovery post, I received several emails asking questions about email archiving, email security and the eDiscovery requirements. However, the most intriguing of these questions was brought up by David Spark, a fellow blogger. David was interested in discussing the decision companies need to make regarding hosting their own Microsoft Exchange implementation or outsourcing it.

It's a great question. For many SMBs, their email system is an absolutely critical piece of their infrastructure. So, if it's that critical, it should stay inside, right? You should trust your own people to maintain it and make sure it is always available, right? Well, maybe not.

What do you need to make sure your Exchange environment supports your business needs and compliance requirements?
  1. It needs to be available.
  2. It needs to be secure.
  3. It needs to be redundant.
  4. It needs to be archived (to support eDiscovery requirements).

To reach these goals with a high degree of proficiency, it requires you to invest in hardware, software, backup and archiving systems and training for your team - not to mention the labor required to perform the maintenance, account changes, security, backups and troubleshooting.

On the other hand, if you outsource your Exchange, you look to your vendor to meet these requirements. But this should be their specialty. While in-hosting requires your team to be experts in something that is NOT your core business, outsourcing allows you to take advantage of your vendor's expertise - since this IS their business.

Moreover, when you in-source, you pay ALL of the costs associated with implementing and supporting the Exchange environment. When you outsource, the vendor is able to leverage the implementation and support costs across all of their clients, which should result in significant savings to you.

But these are vague arguments. Let's take a look at a specific example.

Exchange Hosting: A Total Cost Analysis

The following comparison is a real-world examination of the costs to implement and support a complete Microsoft Exchange environment for a 250-person health care organization.

In-house Exchange Hosting Costs (36 Month Analysis)

Server (HP LS385 Cluster - Dual Core) $14,700.00
Cluster pack software $140.00
24 X 7 service pack, on-site 4 hour $3,500.00

Backup software Upgrade $35,000.00
Backup software Install $14,000.00
Staff training for backup software $6,000.00

Windows 2003 Exchange Cluster edition $3,500.00
Windows 2003 Exchange CALs $18,750.00
Exchange upgrade, install, migration $8,000.00
Outlook upgrade licenses $37,500.00

Symantec Archive Evault $22,000.00
Archive server $9,700.00
Windows 2003 license $700.00
24 X 7 service pack, on-site 4 hour $1,200.00
Symantec Archive Evault install $3,000.00

Exchange training for network staff $6,000.00

.5 FTE for 3 years $120,000.00

Total $303,690.00

On the other hand, this same company was able to outsource their Exchange implementation, including archiving, email encryption (which wasn't even included in the above analysis), 24x7 support and greater redundancy than the above solution provides - all for less than $200,000!

While it's true that you have to be careful that you select the right vendor, you can take active steps to make a good choice. Your vendor should be able to guarantee specific up-time standards - at least 99.99%. Your vendor should be able to demonstrate significant security proficiency. And most importantly, your vendor MUST be able to give you at least five references who are using the same services you would be using. Make sure you speak with these references and ask them about their experiences with up-time and support issues.

So there it is. The numbers provided here scale pretty similarly, whether you are a larger or smaller organization. If you're an SMB and you're implementing Exchange internally - I strongly suggest that you consider looking into outsourcing.

This is admittedly a high-level analysis of this issue. I started this post by introducing you to David Spark. I'll finish it that way, too. Among his other act ivies, David is managing a Microsoft-sponsored wiki white paper on this very topic. Check it out:

If you have additional questions or thoughts, I'd love to hear them. Feel free to post comments or to email me at