Wednesday, June 6, 2007

Back from the dead ... and more concerned than ever!

So this blogging is harder to keep up with than I expected. I can't believe it's June already. Let me catch you up quickly on the last month:
  • My company has gone through significant growth - our unique approach to security and risk assessments has really caught on and we're hiring people as quickly as we can find them. If you're a CISSP or have a similar background, please call me!
  • I have attended several regional trade shows and conferences over the past month. Some were security related, but most were not. As a result, I have spent a lot of time talking with people who are not "security experts".
  • I have also spent significant time speaking with IT directors and leaders in local and regional government bodies.

And after a month of talking and listening, listening and talking, here's what I see:

  • Everyone seems to accept that security issues are real and that they are at risk.
  • If you haven't been breached yet, people assume the risk they're under is acceptable. I would be a rich man if only I had a dollar for every version of "it won't happen to me" that I have heard.
  • The security threats - particularly in the area of social engineering - are becoming more prevalent and are attacking smaller and smaller organizations. I recently ran into the president of a company in rural Pennsylvania - Amish country - whose A/R person was deceived into giving away banking information. They are a 24 person company.

Folks - what's it going to take?!?! At some point, continuing to ignore these issues is going to become irresponsible behavior. (In fact, California is currently considering forcing companies that have been breached to cover all costs for the consumers and businesses who have to deal with their information being compromised.)

This blog REALLY isn't intended to be a commercial for my company. But it drives me crazy that we have the resources and ability to help protect you, your company and your customers - but you won't let us. (obviously, I don't direct that to our customers - you guys I love!) :-)

I know this sounds like a rant - and it is - but it's also a plea. As a business owner, you have a responsibility to protect your customers. Do the right thing. Your I.T. people don't have the depth - trust me - they don't. It's not their fault - I'm sure they do a great job keeping the business running. But security is a full time job and they just don't have the time.

So bring in a professional organization. If you don't like me or Pervasive Solutions - no problem. I'll even recommend some others for you if you want. But find someone you can trust and have them help you. At a minimum, here are the things you should be doing every 9 - 12 months:

  • End-user security awareness training: help your employees understand the importance of security and the threats that they may face.
  • External network vulnerability assessment: find out what risks exist on your network
  • Network and server configuration assessment: help your I.T. team build security into your infrastructure instead of trying to bolt it on afterwards
  • Policy & procedure review: establish and review your security policies and procedures, both for your I.T. team and your company as a whole, to set expectations and protect the company from compliance and litigation risks

I know these may sound like a lot. But I assure you, they aren't. For only a few thousand dollars per year, you can cover 80% of your risk with just these four steps. Certainly, I would suggest that you eventually conduct complete, thorough security and compliance risk audits which will dig deep. But don't worry about that now. Just do the basics. If you do, you'll be ahead of your peers who are still burying their head in the sand.

It's like the old joke, "if we get chased by a bear, I don't have to outrun the bear - I just have to outrun you." Make your company a smaller target - sure, you'll still be a target - but there will be bigger targets all around you.

Saturday, April 21, 2007

Insurance Industry Apathy

So I attended and exhibited at I-Day this week. Buffalo, NY! Woo-hoo! Over 1,500 members of the insurance industry from upstate NY, northern Ohio and western Pennsylvania. And do you know what I came away with? The biggest lesson I learned was that the average insurance agent isn't the slightest bit concerned with the privacy and security of their clients' information. These were agents and brokers of MAJOR insurance companies - and they were neither aware of requirements like GLBA and breach notification laws, nor were they interested in learning about them.

As a consumer of both business and individual insurance policies of all sorts, I was mortified that there was such apathy concerning whether my personal information was safe.

I suppose it shouldn't be that surprising. Agents are sales people and they have one thing in mind. But they make most of their money from recurring revenue - policies that continue to renew without the agent lifting a finger. If that's the case, you would think (or at least, I would think) that the privacy of their clients' information would be important to them. Well, at least on that day, it wasn't as important to them as the bloody mary station down the hall.

During the event, I have to admit, I was more than a little annoyed by these people who seemed to care so little about their clients. But a day removed from it now, my frustration has moved from the individual agents to the companies and brokerages that they work for. It is the employer who has the responsibility to build this awareness and concern into their employees. Yes, I want my sales people spending their time selling. But there is no excuse for a large insurance company who doesn't regularly address security and compliance issues with their employees, brokers and agents.

So I petition all of you, whether you're Allstate, Farmers, Liberty Mutual, AIG, Progressive, State Farm, Nationwide, The Hartford or Geico - PLEASE take awareness more seriously. Your agents have NO IDEA what their responsibilities are. Shoot, they don't even know what threats are out there and what regulatory requirements apply to them. PLEASE help them to protect our data. PLEASE help them to CARE about protecting our data. And PLEASE do it soon. Because right now, they are prime targets for security breaches. After what I saw this week, if I was a social engineering criminal, your agents would be my first stop.


Friday, April 13, 2007

You've been breached!

My last post described the typical requirements of the various breach notification acts that your business is likely subject to, and some of the steps you should take to avoid a breach. But what if you've already had a breach? Perhaps you're reading this today and tomorrow you'll get a call from your IT director with some bad news. What are you going to do?

Your first reaction is probably to call your lawyer. And I certainly can't argue against that. However, I do want to caution you - legal counsel is important in these situations - but if they are allowed to drive your response to the breach, it will almost certainly be at the cost of customer relationships.

Your lawyers will be able to advise you on your responsibilities and liabilities. But they will likely advise you in ways meant to protect your company from any possible legal ramifications. They probably won't try to view the breach from your customers' eyes, with consideration for how you can best save those relationships.

If my company suffered a breach, my first call would be to the team at Identity Safeguards. Identity Safeguards was founded by John Davidson & Rick Kam. John experienced ID theft first hand some years ago. It was such a terrible experience that he decided to build a company that would be dedicated to helping individuals recover from such situations.

The company has evolved over the years and now spends most of their time helping companies and institutions deal with data breaches. They help your management team establish a comprehensive plan for assessing the breach, alerting your customers and helping the impacted individuals protect themselves. Their work is conducted from your customers' point of view - and as a result, they help you to tell your clients about the breach without losing their confidence in you. If you have had a breach, I strongly recommend that you contact them immediately.

Once you have a trusted advisor on your side who can help you address the breach without losing your customers, the rest of your work is relatively elementary. You'll need to take active steps to make sure that such a breach can't happen again. You'll need to be sure your responses are in compliance with all applicable legislation (this is really where your legal team can be helpful) and you'll need to engage the authorities to see if they can identify and prosecute the criminals (don't get your hopes up - less than 10% of these types of cases are ever prosecuted).

But saving those client relationships is absolutely job #1. And for that, hiring an expert like Identity Safeguards is worth every penny.


Friday, April 6, 2007

What you Need to Know about Breach Notification and Privacy Laws

Have you ever heard of California law SB 1386? Chances are good that if you do business in the United States, whether you have heard of it or not - and even if you're not in California - this law impacts you.

SB 1386 was a groundbreaking statute that first took effect July 1, 2003. You can find the actual bill here, but boiled down, it exists to protect the personal privacy information of all California residents. If your business has acquired such personal information (which includes SSN, driver's license number, account or credit card numbers, etc.), and you realize that at some point, you did not have complete control over that data, you must alert each individual in writing of the potential breach of their information.

The law also establishes provisions for civil suits by impacted residents, creating a basis for class action suits against your company should such a breach occur.

To date, well over 50 companies and institutions have been required to alert individuals of the risk of identity theft due to this law.

"So what?", you say, "I don't do business in California". Since SB 1386 took effect, 33 other states have approved similar legislation and several others are considering it - as is the Federal Government. The University of Georgia has put together some great resources, including a map of the states with approved legislation.

What are the REAL Impacts of Breach Notification Acts?
So chances are pretty good that at least one of these laws impacts your business. But what are the real impacts? Let's look at an example. A financial services firm with 3,000 clients obviously stores protected data. One day, they realize that a laptop with client records was stolen from the back seat of a car. The likely impacts of this event include:
  • Written notification to each client at a cost of approximately $3,000.
  • To try to maintain their clients' confidence, they elect to provide 1 year of credit reporting services for each of their clients (this is becoming the norm). At a cost of $50 per client, that will run them $150,000.
  • Depending on their state, they may be subject to fines reaching as high as $150,000.

So that creates the potential for over $300K of hard costs. But what about the soft costs? How many clients are going to leave because of this event? How many clients are going to file suit? If this company only lost $300K, it would be a miracle. In reality, an event like this could cripple a small company.

Now, what happens if you're a local or regional retailer? Do you know whether your systems record the credit card numbers that you take? Do they store them unencrypted? You might easily have 100,000 consumers' information. Can you imagine the cost should you be breached?

What Should You Do?
So clearly, the impacts of these laws are real and they are significant. The question then becomes, what do you need to do to protect your company?

For starters, you need to take data security seriously. This starts with security policies and procedures. For example, you probably have back-up tapes of servers and databases. What is your policy for handling and storage of those tapes? Is that policy followed by your IT organization? What about password management? Do you have employees that share passwords? Or do you have systems whose administrative password is left blank? These are common issues for SMBs but it is precisely these issues that could result in a breach of your data. Establishing a thorough set of information security policies and then training your team to follow them is a critical step in protecting your data and your company.

In addition, you do need to make sure your networks, servers, workstations, desktops, mobile devices, etc. are all protected from breach and inappropriate access. If you're a mid-size company with just a handful (or fewer) of IT people, you probably don't have the security expertise needed to evaluate and implement a sufficient level of security around your technology. Bringing on a consultant to help with this process will be money well spent. However, be warned - if the consultant you hire works for a company that sells security appliances or other network devices, they may have an agenda when they walk in the door (to sell you expensive technology).

Ideally, you'll find a security consultancy that is vendor-neutral. Ask them if they resell hardware and whether the company receives any income from such sales. If they do, my advice is to keep looking. This is exactly why my company doesn't resell hardware at all. We want to be completely neutral and be able to advise our clients strictly based on what is in their best interest. I don't want this to be a commercial about Pervasive Solutions - I just want to underscore that if you bring in a hardware reseller to audit your security, don't be surprised when their recommendations come back with six figures worth of equipment that is "mandatory".

Admittedly, this is a really high-level glance at this subject. The implications of the various Breach Notification Acts and Privacy Laws vary by state. But in the end, the message is clear - if you have a breach, you must publicly disclose it. Regardless of the hows and the direct costs, that type of disclosure can have such a detrimental impact on customer confidence that you really need to do everything you can to protect yourself. Get serious about security NOW.

If you have questions or would like my help, please feel free to give me a call or shoot me an email. I look forward to hearing from you.


Sorry for the silence...

I can't believe it has been almost two weeks since my last post. I need to apologize to those of you who keep tabs on this blog. The last two weeks have been great for business, but it has kept me running nearly non-stop. Some highlights:
  • We have added clients in three more states, bringing our total coverage to 21 states.
  • We have solidified designs for a new product/service offering that will significantly improve the security of SMBs at a very low cost to them. Stay tuned for more on that...
  • I have been selected to write a monthly column for Business Strategies magazine. My section will be titled, "Risk Management".
  • We were featured in the Rochester Democrat & Chronicle's business section. You can see the article here.

There are a few other highlights, but I think you get the gist. Anyway, no excuses. I do apologize and will work to ensure these hiatuses don't happen in the future.

Thank you for your patience.


Friday, March 23, 2007

Data Leakage: How can you prevent it?

Would it surprise you if I told you that far more than 50% of all security breaches stem from internal sources? It's true. At the end of the day, your employees pose far greater risks to your security than do any external risks.

If you are anything like most of the business owners I speak to, you're thinking, "Not MY employees. I can trust my team." Of course you can trust your team - to a point. But the fact of the matter is that security holes and breaches occur primarily due to lapses in good security practices by company employees.

Sometimes these are malicious acts, but most often, they are accidental. They come from the receptionist who leaves his password on a sticky-note under his mouse pad ... or the software engineer who leaves her laptop in the back of her unlocked car while she runs into the supermarket ... or the executive who emails files with sensitive information to her home email address so she can be productive over the weekend.

Now ask yourself again - could any of these situations happen to you?

"Data leakage" is the industry term that is used to describe these types of breaches. While you and your employees may not realize that you're doing anything dangerous, your company's and clients' data is exposed. As a business owner, you have a responsibility under law (and general ethical behavior) to adequately protect your sensitive data. So how can you prevent data leakage?

The most important aspect to preventing data leakage is training your employees regarding behaviors that could lead to leaks. Proper training will help employees to:
  • Understand how leaks occur
  • Internalize how those leaks create risk for the company, their clients and themselves
  • Accept responsibility for preventing leaks from their own behavior and helping other employees to avoid risky behavior as well
  • Alert appropriate management should they identify potential data leaks, whether malicious or accidental

This training is necessary for ALL employees - not just your IT team. Whether they work on the loading docks, in a cube or in the corner office, each of your employees can help protect the company from data leakage.

While training is the most important aspect of preventing data leakage, there are technology solutions that can help:

  • Email Controls. These solutions include limiting outgoing attachment sizes, lexicons that analyze outgoing email for confidential information and email encryption tools. The point is, most email traffic is inherently insecure. So the first step is to limit the sending of confidential data to a bare minimum, and second, to protect that data as it is sent.
  • Device Controls. Often times, malicious data leakage occurs when an employee downloads confidential data to an easily transportable device - like a USB key drive. Your IT administrators can regulate use of these devices to prevent such incidents from occurring.
  • Data Controls. Most importantly, your confidential data should only be accessible by employees who MUST have access to it - and then they should only have access to the specific data that they need. Too often, we discover databases and systems where people throughout the organization are given carte blanche permissions to access anything and everything. You should be regularly reviewing who has access to what resources and whether they still require such access.
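As an added illustration of the "Email Controls" bullet above (this is example code written for this post, not a product of Pervasive Solutions or any vendor), here is a small outbound-mail lexicon check that flags the SB 1386 data elements named later on this blog: SSN-formatted values, Luhn-valid card or account numbers, confidential-data keywords, and over-sized attachments. The message structure, the 5 MB attachment cap, the internal domain and the sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed example of an outbound e-mail lexicon check. Thresholds,
# patterns and the message shape are illustrative assumptions, not any
# vendor's product or the blog author's tooling.

MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024  # assumed policy: 5 MB outbound cap

# SSN in the common NNN-NN-NNNN form, excluding area/group/serial values
# that are never issued; the regex only narrows candidates.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs with optional space/hyphen separators; a Luhn checksum
# then confirms that a run is plausibly a card or account number.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
KEYWORD_RE = re.compile(
    r"\b(ssn|social security|account number|acct #|routing number)\b", re.I
)


def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Attachment:
    name: str
    size: int  # bytes


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def scan_message(msg: OutboundMessage, internal_domain: str = "example.com") -> list:
    """Return a list of policy findings; an empty list means the mail may go out."""
    findings = []
    external = [r for r in msg.recipients
                if not r.lower().endswith("@" + internal_domain)]
    if not external:
        return findings  # purely internal mail is outside the outbound lexicon
    text = msg.subject + "\n" + msg.body
    ssns = SSN_RE.findall(text)
    if ssns:
        findings.append(f"{len(ssns)} SSN-formatted value(s) in outbound mail")
    cards = [re.sub(r"[ -]", "", m) for m in CARD_RE.findall(text)]
    cards = [c for c in cards if luhn_ok(c)]
    if cards:
        findings.append(f"{len(cards)} Luhn-valid card/account number(s) in outbound mail")
    if KEYWORD_RE.search(text):
        findings.append("confidential-data keyword present")
    for a in msg.attachments:
        if a.size > MAX_ATTACHMENT_BYTES:
            findings.append(f"attachment {a.name} exceeds size limit ({a.size} bytes)")
    return findings


# Constructed sample: an employee mailing client identifiers to a home address.
SAMPLE = OutboundMessage(
    sender="advisor@example.com",
    recipients=["me@home-mail.invalid"],
    subject="weekend work",
    body="Per your request, SSN 123-45-6789 and card 4111 1111 1111 1111.",
    attachments=[Attachment("clients.xls", 6 * 1024 * 1024)],
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print("BLOCK:", finding)
```

A real deployment would quarantine the message for review rather than silently drop it, so that a legitimate encrypted send can still be approved.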

Policies & Procedures
Finally, you need to establish a documented set of security policies and procedures. This should be a comprehensive collection of materials that establish the do's and don'ts for how your employees treat confidential materials. Documenting these policies and making them available to your employees accomplishes several key goals:

  • You underscore to your employees how critical security issues are to the business and set a consistent expectation for employee behavior
  • You provide an easily accessible resource should an employee have a question - this is especially important following the awareness training described above
  • You create a document trail that protects you from some liability in the event that an incident occurs and provides a basis for employee discipline when necessary

Data leakage has injured many, many companies - from Fortune 500 enterprises to 5-person financial advisers and physician practices. It's not expensive to protect yourself - it just requires a commitment on your part, some hard work and, for many mid-size companies, the assistance of a knowledgeable advisor. If you feel your company may be at risk, send me an email and we can talk further about steps you can take to protect yourself.


Monday, March 19, 2007

Microsoft Exchange: In-house or hosted?

After my eDiscovery post, I received several emails asking questions about email archiving, email security and the eDiscovery requirements. However, the most intriguing of these questions was brought up by David Spark, a fellow blogger. David was interested in discussing the decision companies need to make regarding hosting their own Microsoft Exchange implementation or outsourcing it.

It's a great question. For many SMBs, their email system is an absolutely critical piece of their infrastructure. So, if it's that critical, it should stay inside, right? You should trust your own people to maintain it and make sure it is always available, right? Well, maybe not.

What do you need to make sure your Exchange environment supports your business needs and compliance requirements?
  1. It needs to be available.
  2. It needs to be secure.
  3. It needs to be redundant.
  4. It needs to be archived (to support eDiscovery requirements).

Reaching these goals with a high degree of proficiency requires you to invest in hardware, software, backup and archiving systems and training for your team - not to mention the labor required to perform the maintenance, account changes, security, backups and troubleshooting.

On the other hand, if you outsource your Exchange, you look to your vendor to meet these requirements. But this should be their specialty. While hosting in-house requires your team to be experts in something that is NOT your core business, outsourcing allows you to take advantage of your vendor's expertise - since this IS their business.

Moreover, when you in-source, you pay ALL of the costs associated with implementing and supporting the Exchange environment. When you outsource, the vendor is able to leverage the implementation and support costs across all of their clients, which should result in significant savings to you.

But these are vague arguments. Let's take a look at a specific example.

Exchange Hosting: A Total Cost Analysis

The following comparison is a real-world examination of the costs to implement and support a complete Microsoft Exchange environment for a 250-person health care organization.

In-house Exchange Hosting Costs (36 Month Analysis)

Server (HP LS385 Cluster - Dual Core) $14,700.00
Cluster pack software $140.00
24 X 7 service pack, on-site 4 hour $3,500.00

Backup software Upgrade $35,000.00
Backup software Install $14,000.00
Staff training for backup software $6,000.00

Windows 2003 Exchange Cluster edition $3,500.00
Windows 2003 Exchange CALs $18,750.00
Exchange upgrade, install, migration $8,000.00
Outlook upgrade licenses $37,500.00

Symantec Archive Evault $22,000.00
Archive server $9,700.00
Windows 2003 license $700.00
24 X 7 service pack, on-site 4 hour $1,200.00
Symantec Archive Evault install $3,000.00

Exchange training for network staff $6,000.00

.5 FTE for 3 years $120,000.00

Total $303,690.00

On the other hand, this same company was able to outsource their Exchange implementation, including archiving, email encryption (which wasn't even included in the above analysis), 24x7 support and greater redundancy than the above solution provides - all for less than $200,000!

While it's true that you have to be careful that you select the right vendor, you can take active steps to make a good choice. Your vendor should be able to guarantee specific up-time standards - at least 99.99%. Your vendor should be able to demonstrate significant security proficiency. And most importantly, your vendor MUST be able to give you at least five references who are using the same services you would be using. Make sure you speak with these references and ask them about their experiences with up-time and support issues.

So there it is. The numbers provided here scale pretty similarly, whether you are a larger or smaller organization. If you're an SMB and you're implementing Exchange internally - I strongly suggest that you consider looking into outsourcing.

This is admittedly a high-level analysis of this issue. I started this post by introducing you to David Spark. I'll finish it that way, too. Among his other activities, David is managing a Microsoft-sponsored wiki white paper on this very topic. Check it out:

If you have additional questions or thoughts, I'd love to hear them. Feel free to post comments or to email me at


Friday, March 16, 2007

Why your data is more likely to be stolen than your car

If you decided to shed your morals and take up a life of crime, how would you do it? Would you rob banks? Would you steal cars? If you're a reasonably intelligent crook, you're going to carefully consider all of the risk vs. reward data that you can find. If you are a computer-literate crook, I'll give you one guess where you'll find the greatest reward and the lowest risk of being caught.


It's just a fact. Last night, I attended a lecture given by George Kurtz, co-author of the book Hacking Exposed and currently SVP at McAfee, Inc. According to George, McAfee and the hundreds of researchers they employ, cybercrime is now a $105 BILLION industry. And it makes absolute sense. The criminals have become so technically innovative in the way they launch attacks that it becomes nearly impossible to track them down and arrest them.

Countries like Russia, China, India and many others with lax industrial espionage and intellectual property laws also have large numbers of impoverished people. With little law enforcement, access to the world's networks via the internet, and a glut of how-to information freely available, organized crime is training cyber-criminals by the hundreds and making millions and millions of dollars every month.

When you combine high reward, low risk and abundant opportunity, you get a form of crime that is far safer, and more profitable, than traditional crime.

Why does this matter to you? Are you thinking, "OK, but I'm just a nobody" or "My 200 person company isn't big enough to attack" or "With all the computers on the web, what is the likelihood they're going to find me?" If you are, consider this:

Gartner research indicates that between 2007 and 2010, mid-market American companies will become the primary targets of a large percentage of cybercrime.

Again, the reasons are simple:

  1. Most network attacks are not targeted attacks against a particular business. Rather, they operate like a fishing net, thrown into the ocean to see what it catches.
  2. Enterprise-level organizations, generally, have spent the last several years improving their security infrastructure so that they don't get caught in these nets.
  3. The SMB sector lacks the resources and expertise to defend themselves. You may have an IT team, but unless you have at least one resource dedicated to security, I will guarantee you that your IT team is not adequately protecting you. They're just too overloaded and don't have the depth of security knowledge.
  4. Here's the clincher: The crooks know all these things. So if you're a crook and you know it will take you a lifetime to penetrate a Fortune 500 network, but you can breach 100 SMBs every WEEK, where is the quickest return on your investment?

That's why you should be concerned. Security threats are real. And if you aren't a target today, you'll be one soon. You need to be prepared.

One quick story - among other things, my company performs security assessments. In one such assessment at a mid-size hospital, our ethical hacking team was able to penetrate the network and access actual patient care devices in the infant ICU. These devices were keeping babies alive. And yet, our team COULD have crashed those machines with one keystroke. Had that been a real hacker ... as a father of three, I don't want to think about it.

Security is about more than protecting data. No matter what business you're in, you have information and systems whose breach could materially impact the lives and livelihoods of you, your employees and your clients. I encourage you to make certain you're doing everything you can to protect them.


Thursday, March 15, 2007

A quick word of caution regarding photocopiers...

Just in time for tax season, Sharp is preparing to notify the public that use of their digital copiers may pose ID theft risks. That's right - simply making copies can result in someone copying YOU. If you're copying documents that contain personal and private information, you could be at risk.

This concern stems from the technology used within almost all digital copiers. One of the great features of these machines in an office setting is their ability to store document images for future re-prints. However, that storage comes at a price. Those images are stored in an internal hard drive in the copier, unencrypted, often for long periods of time. These machines are also often connected to the network in a retail setting.

Usually retail store networks are protected by a simple firewall - a device that a good hacker can compromise in under 15 minutes. Once inside, if the hacker can gain access to the copier, they can read any of the images stored in the machine. This is particularly concerning since a large percentage of American taxpayers use public copiers to create duplicates of their tax filings.

There is hope. Most copier manufacturers, including Sharp, are now including security packages as either standard or optional features with their machines. However, machines that have been in the marketplace for at least 12 - 24 months are very likely to be susceptible to this type of attack.

So my advice to you is to be careful and if at all possible, use your home scanner and printer to make copies of your tax returns. Or do what I do and file electronically. It's faster and safer.


Monday, March 12, 2007

How does eDiscovery impact your company?

We've been hearing a lot about the new eDiscovery rules lately. And as with any new legal standards, a lot of what we hear is conjecture, rumor or exaggeration. So I wanted to take a few minutes to help you understand what this new rule set is and how it impacts your company. Before that though, I want to recognize a friend who helped me understand eDiscovery and is available to help you, too. Her name is Susan Ippoliti and she is the President of Solutions in Litigation, LLC. I encourage you to visit her website for more information on her services.

What is eDiscovery?
To begin with, eDiscovery is NOT a law. It is in no way a piece of legislation that has been approved at any level of government. Rather, what is commonly known as eDiscovery is actually a set of changes to the Federal Rules of Civil Procedure. The FRCP is essentially the chapter and verse of how a legal proceeding is conducted. You might consider the FRCP to be a "judges' bible". These particular updates specifically address the treatment of electronic data and documents in the period leading up to a lawsuit.

Simplified, the eDiscovery rules require all organizations (including governmental bodies) to immediately place a "litigation hold" on all document retention/destruction policies once the company has established a "reasonable anticipation of litigation". More simplified, eDiscovery tells you to stop destroying electronic records of any kind if you even THINK you might get sued. This point should be clearly understood: if you have a reasonable belief that your organization may become involved in a lawsuit, you are obligated to prevent the destruction of any electronic data from that moment forward.

For example, if you have a significant contract dispute with a vendor and it reaches a point where you feel it is possible that the vendor may file suit for payment, you must immediately cease the deletion of any electronic documents, data and email within your company. (Note that it is NOT ONLY once a suit has been filed - but AS SOON AS a reasonable person might anticipate a lawsuit) Further, all such electronic information must be made easily available to opposing attorneys for the purposes of discovery.

What happens if I don't comply with eDiscovery requirements?
The new rule set does not establish penalties for non-compliance with eDiscovery requirements. While this may initially sound like good news, it's not. The rules leave it up to the presiding judge to impose penalties for non-compliance. Here are four examples of actual penalties imposed so far:
  • Court ordered Nartron Corporation to pay $2.5 million and awarded General Motors Corporation attorney fees, costs and expert witness fees for failure to produce a database in response to General Motors’ discovery request.
  • Philip Morris deleted emails from the company system on a monthly basis for nearly 2½ years in violation of a Court Order and an internal document retention policy. The Court imposed a monetary sanction of nearly $3 million and fined individual corporate officers and managers $250,000 for violating the corporate policy.
  • UBS Warburg failed to retain and preserve emails relevant to the litigation. After an adverse inference, a jury awarded Laura Zubulake $29 million.
  • Morgan Stanley destroyed emails despite 1997 federal regulation and repeated court orders. The jury awarded the adversary $1.45 BILLION in damages.

The courts are clearly very serious about these requirements. And as evidenced above, the corporate veil does not prevent judges from imposing penalties on individuals. Therefore, it behooves every company and executive, no matter how large or small your enterprise, to be prepared.

What do you need to do?
To adequately protect yourselves and your organization, I would recommend the following steps at the very least:

  1. Document your document retention/destruction policy and see that it is followed.
  2. Document your procedure for halting your document retention/destruction policy should you identify a reasonable anticipation of litigation.
  3. Educate your employees and test the policies and procedures created in #1 and #2.
  4. Implement an email archiving process (see below).

In addition, I would strongly recommend consulting your attorney. While I believe this is useful info, it by no means should take the place of professional legal advice.

Why email archiving?
The challenge with email is that it can be deleted far too easily - even by accident. While it takes some conscious effort to delete data in a database or a contract off of a network drive, it is entirely possible that an employee may accidentally double-click the delete button - thereby deleting two emails instead of one. If that second email was of a material nature, you could be in hot water.

Email archiving, when done properly, captures every email as it is sent or received from each user in your organization. The archive is read-only and cannot be edited. Therefore, should you need to comply with a discovery request, you have one place to go for all email that your organization has sent or received - and you can easily demonstrate that email has neither been edited nor deleted.

Email archives can be expensive and can require continuous investment to maintain and expand as your email stores get larger. However, you can outsource this function - further protecting you because a third-party now has responsibility for your email archive. In fact, many of our clients are choosing to outsource their entire email function, saving them the cost of hardware, software, maintenance, updates and offering improved performance and reliability. Here is more information about email outsourcing and email archiving options.
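The property that makes an archive useful in discovery is the one described above: you can show that nothing in it has been edited or deleted. Here is an added example (not code from this post or from any archiving product) of the simplest mechanism that delivers that property: every archived message is stored read-only and its SHA-256 hash is chained to the hash of the message before it, so altering or removing any message breaks the chain. The directory layout, function names and the two sample messages are all constructed for the example.

```shell
# Added example, not code from the original post or from any archiving
# product: a minimal append-only mail archive whose entries are chained with
# SHA-256, so that a later edit or deletion of any archived message can be
# proven rather than merely asserted. The directory layout, function names
# and the sample messages used at the bottom are all constructed.

# archive_init <dir>: create the message store and an empty chain log.
archive_init() {
  mkdir -p "$1/msgs"
  : > "$1/chain.log"      # one line per message: "<seq> <sha256>"
}

# entry_hash <prev-hash> <message-file>: sha256(prev_hash || message bytes).
# Each entry's hash covers the previous one, so the chain links every message.
entry_hash() {
  printf '%s' "$1" | cat - "$2" | sha256sum | awk '{print $1}'
}

# archive_append <dir> <message-text>: store the message as msgs/<seq>.eml,
# make the file read-only, and record its chained hash.
archive_append() {
  dir="$1"; msg="$2"
  seq=$(( $(wc -l < "$dir/chain.log") + 1 ))
  prev=$(tail -n 1 "$dir/chain.log" | awk '{print $2}')   # empty for entry 1
  printf '%s' "$msg" > "$dir/msgs/$seq.eml"
  chmod 0444 "$dir/msgs/$seq.eml"
  printf '%s %s\n' "$seq" "$(entry_hash "$prev" "$dir/msgs/$seq.eml")" >> "$dir/chain.log"
}

# archive_verify <dir>: recompute the whole chain. Returns 0 when every
# message is present and unchanged, 1 (with a reason on stderr) otherwise.
archive_verify() {
  dir="$1"; prev=""
  while read -r seq hash; do
    if [ ! -f "$dir/msgs/$seq.eml" ]; then
      echo "message $seq is missing from the archive" >&2
      return 1
    fi
    if [ "$(entry_hash "$prev" "$dir/msgs/$seq.eml")" != "$hash" ]; then
      echo "message $seq has been altered" >&2
      return 1
    fi
    prev="$hash"
  done < "$dir/chain.log"
  return 0
}

# archive_head <dir>: the latest chain hash. A copy of this value kept off
# the system (for instance by a third party) is what stops someone from
# quietly truncating the archive and rewriting chain.log to match.
archive_head() {
  tail -n 1 "$1/chain.log" | awk '{print $2}'
}

# Constructed usage: two messages, then an integrity check.
demo_dir=$(mktemp -d)
archive_init "$demo_dir"
archive_append "$demo_dir" "From: ap@example.com
Subject: invoice 4471
Please confirm payment terms."
archive_append "$demo_dir" "From: vendor@example.com
Subject: Re: invoice 4471
Terms are net 30 as agreed."
archive_verify "$demo_dir" && echo "archive intact, head $(archive_head "$demo_dir")"
```

Two design points matter in practice. First, the chain only proves that nothing was changed between two points in time; to prove nothing was removed from the end, the current head hash has to be recorded somewhere the archive's operator cannot rewrite, which is one concrete reason the outsourcing option above strengthens your position. Second, the read-only file mode is a convenience, not a control: a real archive enforces write-once storage at the system level, and the hash chain is what lets you demonstrate that enforcement worked.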

I hope this has been helpful. If you have questions, please post them and I'll address them shortly.


Saturday, March 10, 2007

A scary story...

I don't have much time tonight, but I received an email yesterday that I just couldn't believe. The email was from a friend of mine who has a client that is a small technology company. This company recently decided to invest in a VOIP phone system. So they went out and looked for local providers of such systems, selected a vendor and conducted the implementation.

Pretty normal, right? People do this all the time, right? Well, when the vendor left, this company discovered that their brand new IPT server is actually sitting OUTSIDE the firewall! So they called up the vendor and asked, "Is this right?" And here are the responses they received from various vendor employees:

1) that's the way it works,

2) we have to be able to get to it to administer it,

3) malicious people are not likely to find it because there are so many systems out there on the internet

4) if someone trashes the application, it's easy for us to just install a new copy over the internet.

After the last argument, the client just threw up their hands. The vendor will neither correct the problem nor allow the system to be returned.

This blog is intended for small and medium business leaders, not IT folks. So let me explain why this is such an egregious problem (aside from the absolutely terrible customer service on the part of the vendor).

Whenever any device sits outside the firewall/perimeter network defense, it's about as vulnerable to a security breach as if you were to leave a backpack overflowing with cash sitting in the middle of the softball fields in Central Park. In this case, by leaving their phone server vulnerable like this, hackers will likely find it inside of two weeks. Once they find it, any of the following is possible:

1) The server may be used to host pornography or illegal multimedia content

2) The server may be used to launch attacks against other networks

3) They may just put a listening device on the box and steal all incoming and outgoing traffic from the server, looking to catch privacy or financial information that could be used for additional crimes.

4) The best case is probably that they crash the machine and leave this small business phoneless for at least a couple days.

This careless disregard for security by a vendor is rare but certainly not unheard of. So if you don't have a strong IT team that understands at least the basics about security, make absolutely certain that your vendor does. Ask the vendor which certifications their service staff maintain (specifically, make sure they have at least one CISSP). And above all, verify that everything they deploy is behind your firewall.
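For the IT folks reading along: one way to see for yourself whether a phone server is being "found" is to look at who is failing to register against it. The script below is an added example, not code from this post or from any phone-system vendor. It summarises failed SIP registration attempts per source address and separates addresses outside your LAN from your own handsets. The post does not name the product involved, so the log lines are constructed here in the style of an Asterisk chan_sip notice (an assumption about format, not a claim about the client's system), using documentation address ranges; your server's log format will differ.

```shell
# Added example, not code from the original post or from any phone-system
# vendor: summarise failed SIP registration attempts per source address so
# that an exposed server's "visitors" become visible in the logs. The log
# lines are constructed in the style of an Asterisk chan_sip notice; the
# product in the post is not named, so the real format is an assumption.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2007-03-10 21:13:02] NOTICE[2891] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2007-03-10 21:13:03] NOTICE[2891] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found
[2007-03-10 21:13:03] NOTICE[2891] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found
[2007-03-10 21:13:04] NOTICE[2891] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found
[2007-03-10 21:14:10] NOTICE[2891] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '192.0.2.55:5060' - Wrong password
[2007-03-10 21:15:00] VERBOSE[2891] chan_sip.c: Registered SIP '201' at 192.0.2.56:5060
[2007-03-10 21:16:41] NOTICE[2891] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.77:5062' - Wrong password
[2007-03-10 21:16:42] NOTICE[2891] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.77:5062' - Wrong password
[2007-03-10 21:16:43] NOTICE[2891] chan_sip.c: Registration from '"admin" <sip:admin@192.0.2.10>' failed for '203.0.113.77:5062' - Wrong password
EOF

# failed_sources <logfile>: one line per source address, "<address> <count>",
# counting only lines that report a failed registration.
failed_sources() {
  grep 'Registration from' "$1" | grep 'failed for' \
    | sed -n 's/.*failed for .\([0-9][0-9.]*\):[0-9]*.*/\1/p' \
    | sort | uniq -c | awk '{print $2, $1}'
}

# noisy_sources <logfile> <threshold>: addresses with at least <threshold>
# failures, i.e. the ones worth blocking at the firewall or raising with
# the vendor.
noisy_sources() {
  failed_sources "$1" | awk -v t="$2" '$2 >= t {print $1}'
}

# external_sources <logfile> <lan-prefix>: failed attempts from anywhere
# other than your own address range. Behind a firewall this list should be
# empty; for a server sitting outside it, this is where the visitors show up.
external_sources() {
  failed_sources "$1" | awk -v p="$2" 'index($1, p) != 1 {print $1, $2}'
}

echo "sources with 3 or more failures:"
noisy_sources "$SAMPLE_LOG" 3
echo "failures from outside 192.0.2.0/24:"
external_sources "$SAMPLE_LOG" 192.0.2.
```

In the constructed sample the one internal failure (a handset with a mistyped password) is filtered out by the LAN prefix, and the two outside addresses are what you would take to the vendor as evidence that the server is reachable from the internet and needs to move behind the firewall.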

Have a good night!


Thursday, March 8, 2007

Welcome to Security & Compliance for the SMB...

Thanks for stopping by! This blog will be the home for advice, commentary and discussion regarding the information security and compliance landscape as it pertains to America's small and medium size businesses. I intend to discuss a wide variety of topics and hope that you will also contribute to the discussion.

Before we get started, a little about me...

I am a partner in the firm, Pervasive Solutions, LLC. Located in Rochester, NY, Pervasive Solutions provides information security and compliance services and solutions to the SMB world - particularly in the Healthcare, Banking/Financial Services, Legal and Government/Non-Profit industries. We are passionate about protecting our customers from the increasing threats that SMBs face and helping them find reasonable solutions to the mountain of legislation and regulation that seems to continue to proliferate.

Prior to joining Pervasive Solutions, I led several other organizations including a 300-person e-learning company and the strategic consulting division of an $800M publicly-traded enterprise. I also started a software company in 1999, but it wasn't exactly successful. :)

Over the last twelve years, my clients have included the largest of the large and the smallest of the small. But in the last few years, I continued to notice that while large companies were investing in protecting their businesses, systems and data, their smaller counterparts seemed oblivious to the very real threats to their businesses. As I would speak with these business leaders, it was clear - they ALWAYS fell into one of two camps:
  1. They didn't know that they needed protection and didn't understand the regulatory requirements facing them OR
  2. They didn't believe they were big enough to be a victim

Unfortunately, I also ran into business owner after business owner that had been burned by employee theft, data leakage and other such problems. Some lost their business. Some survived but experienced significant pain.

And thus, I jumped into security and compliance with two feet - my ultimate goal being to educate and protect as many small businesses as I can. I am a firm believer that the future of America is dependent upon a strong, innovative, growth-enabled SMB environment. But if they are going to succeed, they need to be protected and compliant. I hope this blog will help.