Friday, March 23, 2007

Data Leakage: How can you prevent it?

Would it surprise you if I told you that far more than 50% of all security breaches stem from internal sources? It's true. At the end of the day, your employees pose far greater risks to your security than do any external risks.

If you are anything like most of the business owners I speak to, you're thinking, "Not MY employees. I can trust my team." Of course you can trust your team - to a point. But the fact of the matter is that security holes and breaches occur primarily due to lapses in good security practices by company employees.

Sometimes these are malicious acts, but most often, they are accidental. They come from the receptionist who leaves his password on a sticky-note under his mouse pad ... or the software engineer who leaves her laptop in the back of her unlocked car while she runs into the supermarket ... or the executive who emails files with sensitive information to her home email address so she can be productive over the weekend.

Now ask yourself again - could any of these situations happen to you?

"Data leakage" is the industry term that is used to describe these types of breaches. While you and your employees may not realize that you're doing anything dangerous, your company's and clients' data is exposed. As a business owner, you have a responsibility under law (and general ethical behavior) to adequately protect your sensitive data. So how can you prevent data leakage?

The most important aspect to preventing data leakage is training your employees regarding behaviors that could lead to leaks. Proper training will help employees to:
  • Understand how leaks occur
  • Internalize how those leaks create risk for the company, their clients and themselves
  • Accept responsibility for preventing leaks from their own behavior and helping other employees to avoid risky behavior as well
  • Alert appropriate management should they identify potential data leaks, whether malicious or accidental

This training is necessary for ALL employees - not just your IT team. Whether they work on the loading docks, in a cube or in the corner office, each of your employees can help protect the company from data leakage.

While training is the most important aspect of preventing data leakage, there are technology solutions that can help:

  • Email Controls. These solutions include limiting outgoing attachment sizes, lexicons that analyze outgoing email for confidential information and email encryption tools. The point is, most email traffic is inherently insecure. So the first step is to limit the sending of confidential data to a bare minimum, and second, to protect that data as it is sent.
  • Device Controls. Oftentimes, malicious data leakage occurs when an employee downloads confidential data to an easily transportable device - like a USB key drive. Your IT administrators can regulate use of these devices to prevent such incidents from occurring.
  • Data Controls. Most importantly, your confidential data should only be accessible by employees who MUST have access to it - and then they should only have access to the specific data that they need. Too often, we discover databases and systems where people throughout the organization are given carte blanche permissions to access anything and everything. You should be regularly reviewing who has access to what resources and whether they still require such access.
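To make the Email Controls bullet concrete, here is a small outbound-mail policy check in Python. It is an added illustration, not code from the original post or from any product the post mentions; the company domain, attachment cap, lexicon terms and sample messages are all constructed for the example. It applies the two steps the post describes: limit what leaves (block oversized attachments and raw identifiers such as SSNs or card numbers) and protect what must leave (route messages that hit the confidential-terms lexicon through encryption).

```python
import re
from dataclasses import dataclass

# Constructed policy values for this illustration; a real deployment tunes them.
COMPANY_DOMAIN = "example-smb.invalid"            # hypothetical internal domain
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024           # 10 MiB outbound cap
LEXICON = ("confidential", "patient", "social security", "account number")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


@dataclass
class Finding:
    rule: str     # which control fired
    detail: str   # masked evidence, safe to write to a log


def mask(value: str) -> str:
    """Keep only the last four characters so the log itself does not leak data."""
    return "*" * (len(value) - 4) + value[-4:]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Lexicon and identifier checks over subject plus body."""
    findings = []
    lower = text.lower()
    findings += [Finding("lexicon", term) for term in LEXICON if term in lower]
    findings += [Finding("ssn", mask(m.group())) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", mask(digits)))
    return findings


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + COMPANY_DOMAIN)


def check_outbound(message: dict) -> tuple[str, list[Finding]]:
    """Return (decision, findings); decision is 'allow', 'encrypt' or 'block'.

    Mail that stays inside the company domain is not inspected. For external
    recipients, oversized attachments and raw identifiers are blocked (limit
    what leaves) and lexicon hits are routed through encryption (protect what
    must leave).
    """
    if not any(is_external(r) for r in message["to"]):
        return "allow", []
    findings = [Finding("attachment-size", name)
                for name, size in message.get("attachments", [])
                if size > MAX_ATTACHMENT_BYTES]
    findings += scan_text(message.get("subject", "") + "\n" + message.get("body", ""))
    rules = {f.rule for f in findings}
    if rules & {"attachment-size", "ssn", "card"}:
        return "block", findings
    if "lexicon" in rules:
        return "encrypt", findings
    return "allow", findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "internal": {"to": ["nurse@example-smb.invalid"], "subject": "patient list",
                 "body": "SSN 123-45-6789 attached", "attachments": []},
    "weekend": {"to": ["me@home-mail.invalid"], "subject": "Confidential Q1 plan",
                "body": "Working on this over the weekend.", "attachments": [("plan.doc", 400_000)]},
    "ssn": {"to": ["agent@insurer.invalid"], "subject": "claim",
            "body": "Member SSN is 123-45-6789, card 4111 1111 1111 1111", "attachments": []},
    "bulk": {"to": ["vendor@partner.invalid"], "subject": "db export",
             "body": "see attached", "attachments": [("customers.bak", 250_000_000)]},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        decision, found = check_outbound(msg)
        print(f"{name:9s} -> {decision:8s} {[(f.rule, f.detail) for f in found]}")
```

The "weekend" sample is the executive-emailing-files-home case from the post: it is not blocked, but it leaves encrypted, and the lexicon hit is logged without the content itself.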

Policies & Procedures
Finally, you need to establish a documented set of security policies and procedures. This should be a comprehensive collection of materials that establish the dos and don'ts for how your employees treat confidential materials. Documenting these policies and making them available to your employees accomplishes several key goals:

  • You underscore to your employees how critical security issues are to the business and set a consistent expectation for employee behavior
  • You provide an easily accessible resource should an employee have a question - this is especially important following the awareness training described above
  • You create a document trail that protects you from some liability in the event that an incident occurs and provides a basis for employee discipline when necessary

Data leakage has injured many, many companies - from Fortune 500 enterprises to 5-person financial advisers and physician practices. It's not expensive to protect yourself - it just requires a commitment on your part, some hard work and, for many mid-size companies, the assistance of a knowledgeable advisor. If you feel your company may be at risk, send me an email and we can talk further about steps you can take to protect yourself.


Monday, March 19, 2007

Microsoft Exchange: In-house or hosted?

After my eDiscovery post, I received several emails asking questions about email archiving, email security and the eDiscovery requirements. However, the most intriguing of these questions was brought up by David Spark, a fellow blogger. David was interested in discussing the decision companies need to make regarding hosting their own Microsoft Exchange implementation or outsourcing it.

It's a great question. For many SMBs, their email system is an absolutely critical piece of their infrastructure. So, if it's that critical, it should stay inside, right? You should trust your own people to maintain it and make sure it is always available, right? Well, maybe not.

What do you need to make sure your Exchange environment supports your business needs and compliance requirements?
  1. It needs to be available.
  2. It needs to be secure.
  3. It needs to be redundant.
  4. It needs to be archived (to support eDiscovery requirements).

Reaching these goals with a high degree of proficiency requires you to invest in hardware, software, backup and archiving systems and training for your team - not to mention the labor required to perform the maintenance, account changes, security, backups and troubleshooting.

On the other hand, if you outsource your Exchange, you look to your vendor to meet these requirements. But this should be their specialty. While hosting in-house requires your team to be experts in something that is NOT your core business, outsourcing allows you to take advantage of your vendor's expertise - since this IS their business.

Moreover, when you in-source, you pay ALL of the costs associated with implementing and supporting the Exchange environment. When you outsource, the vendor is able to leverage the implementation and support costs across all of their clients, which should result in significant savings to you.

But these are vague arguments. Let's take a look at a specific example.

Exchange Hosting: A Total Cost Analysis

The following comparison is a real-world examination of the costs to implement and support a complete Microsoft Exchange environment for a 250-person health care organization.

In-house Exchange Hosting Costs (36 Month Analysis)

Server (HP LS385 Cluster - Dual Core) $14,700.00
Cluster pack software $140.00
24 X 7 service pack, on-site 4 hour $3,500.00

Backup software Upgrade $35,000.00
Backup software Install $14,000.00
Staff training for backup software $6,000.00

Windows 2003 Exchange Cluster edition $3,500.00
Windows 2003 Exchange CALs $18,750.00
Exchange upgrade, install, migration $8,000.00
Outlook upgrade licenses $37,500.00

Symantec Archive Evault $22,000.00
Archive server $9,700.00
Windows 2003 license $700.00
24 X 7 service pack, on-site 4 hour $1,200.00
Symantec Archive Evault install $3,000.00

Exchange training for network staff $6,000.00

0.5 FTE for 3 years $120,000.00

Total $303,690.00

On the other hand, this same company was able to outsource their Exchange implementation, including archiving, email encryption (which wasn't even included in the above analysis), 24x7 support and greater redundancy than the above solution provides - all for less than $200,000!

While it's true that you have to be careful that you select the right vendor, you can take active steps to make a good choice. Your vendor should be able to guarantee specific up-time standards - at least 99.99%. Your vendor should be able to demonstrate significant security proficiency. And most importantly, your vendor MUST be able to give you at least five references who are using the same services you would be using. Make sure you speak with these references and ask them about their experiences with up-time and support issues.

So there it is. The numbers provided here scale pretty similarly, whether you are a larger or smaller organization. If you're an SMB and you're implementing Exchange internally - I strongly suggest that you consider looking into outsourcing.

This is admittedly a high-level analysis of this issue. I started this post by introducing you to David Spark. I'll finish it that way, too. Among his other activities, David is managing a Microsoft-sponsored wiki white paper on this very topic. Check it out:

If you have additional questions or thoughts, I'd love to hear them. Feel free to post comments or to email me at


Friday, March 16, 2007

Why your data is more likely to be stolen than your car

If you decided to shed your morals and take up a life of crime, how would you do it? Would you rob banks? Would you steal cars? If you're a reasonably intelligent crook, you're going to carefully consider all of the risk vs. reward data that you can find. If you are a computer-literate crook, I'll give you one guess where you'll find the greatest reward and the lowest risk of being caught.


It's just a fact. Last night, I attended a lecture given by George Kurtz, co-author of the book, Hacking Exposed, and currently SVP at McAfee, Inc. According to George, McAfee and the hundreds of researchers they employ, cybercrime is now a $105 BILLION industry. And it makes absolute sense. The criminals have become so technically innovative in the way they launch attacks that it becomes nearly impossible to track them down and arrest them.

Countries like Russia, China, India and many others with lax industrial espionage and intellectual property laws also have large numbers of impoverished people. With little law enforcement, access to the world's networks via the internet, and a glut of how-to information freely available, organized crime is training cyber-criminals by the hundreds and making millions and millions of dollars every month.

When you combine high reward, low risk and abundant opportunity, you get a form of crime that is far safer, and more profitable, than traditional crime.

Why does this matter to you? Are you thinking, "OK, but I'm just a nobody" or "My 200 person company isn't big enough to attack" or "With all the computers on the web, what is the likelihood they're going to find me?" If you are, consider this:

Gartner research indicates that between 2007 and 2010, mid-market American companies will become the primary targets of a large percentage of cybercrime.

Again, the reasons are simple:

  1. Most network attacks are not targeted attacks against a particular business. Rather, they operate like a fishing net, thrown into the ocean to see what it catches.
  2. Enterprise-level organizations, generally, have spent the last several years improving their security infrastructure so that they don't get caught in these nets.
  3. The SMB sector lacks the resources and expertise to defend themselves. You may have an IT team, but unless you have at least one resource dedicated to security, I will guarantee you that your IT team is not adequately protecting you. They're just too overloaded and don't have the depth of security knowledge.
  4. Here's the clincher: The crooks know all these things. So if you're a crook and you know it will take you a lifetime to penetrate a Fortune 500 network, but you can breach 100 SMBs every WEEK, where is the quickest return on your investment?

That's why you should be concerned. Security threats are real. And if you aren't a target today, you'll be one soon. You need to be prepared.

One quick story - among other things, my company performs security assessments. In one such assessment at a mid-size hospital, our ethical hacking team was able to penetrate the network and access actual patient care devices in the infant ICU. These devices were keeping babies alive. And yet, our team COULD have crashed those machines with one keystroke. Had that been a real hacker ... as a father of three, I don't want to think about it.

Security is about more than protecting data. No matter what business you're in, you have information and systems whose breach could materially impact the lives and livelihoods of you, your employees and your clients. I encourage you to make certain you're doing everything you can to protect them.


Thursday, March 15, 2007

A quick word of caution regarding photocopiers...

Just in time for tax season, Sharp is preparing to notify the public that use of their digital copiers may pose ID theft risks. That's right - simply making copies can result in someone copying YOU. If you're copying documents that contain personal and private information, you could be at risk.

This concern stems from the technology used within almost all digital copiers. One of the great features of these machines in an office setting is their ability to store document images for future re-prints. However, that storage comes at a price. Those images are stored in an internal hard drive in the copier, unencrypted, often for long periods of time. These machines are also often connected to the network in a retail setting.

Usually retail store networks are protected by a simple firewall - a device that a good hacker can compromise in under 15 minutes. Once inside, if the hacker can gain access to the copier, they can read any of the images stored in the machine. This is particularly concerning since a large percentage of American taxpayers use public copiers to create duplicates of their tax filings.

There is hope. Most copier manufacturers, including Sharp, are now including security packages as either standard or optional features with their machines. However, the machines that have been in the marketplace for at least 12 - 24 months are very likely to be susceptible to this type of attack.

So my advice to you is to be careful and if at all possible, use your home scanner and printer to make copies of your tax returns. Or do what I do and file electronically. It's faster and safer.


Monday, March 12, 2007

How does eDiscovery impact your company?

We've been hearing a lot about the new eDiscovery rules lately. And as with any new legal standards, a lot of what we hear is conjecture, rumor or exaggeration. So I wanted to take a few minutes to help you understand what this new rule set is and how it impacts your company. Before that though, I want to recognize a friend who helped me understand eDiscovery and is available to help you, too. Her name is Susan Ippoliti and she is the President of Solutions in Litigation, LLC. I encourage you to visit her website for more information on her services.

What is eDiscovery?
To begin with, eDiscovery is NOT a law. It is in no way a piece of legislation that has been approved at any level of government. Rather, what is commonly known as eDiscovery is actually a set of changes to the Federal Rules of Civil Procedure. The FRCP is essentially the chapter and verse of how a legal proceeding is conducted. You might consider the FRCP to be a "judges' bible". These particular updates specifically address the treatment of electronic data and documents in the period leading up to a lawsuit.

Simplified, the eDiscovery rules require all organizations (including governmental bodies) to immediately place a "litigation hold" on all document retention/destruction policies once the company has established a "reasonable anticipation of litigation". More simplified, eDiscovery tells you to stop destroying electronic records of any kind if you even THINK you might get sued. This point should be clearly understood: if you have a reasonable belief that your organization may become involved in a lawsuit, you are obligated to prevent the destruction of any electronic data from that moment forward.

For example, if you have a significant contract dispute with a vendor and it reaches a point where you feel it is possible that the vendor may file suit for payment, you must immediately cease the deletion of any electronic documents, data and email within your company. (Note that it is NOT ONLY once a suit has been filed - but AS SOON AS a reasonable person might anticipate a lawsuit.) Further, all such electronic information must be made easily available to opposing attorneys for the purposes of discovery.

What happens if I don't comply with eDiscovery requirements?
The new rule set does not establish penalties for non-compliance with eDiscovery requirements. While this may initially sound like good news, it's not. The rules leave it up to the presiding judge to impose penalties for non-compliance. Here are four examples of actual penalties imposed so far:
  • Court ordered Nartron Corporation to pay $2.5 million and awarded General Motors Corporation attorney fees, costs and expert witness fees for failure to produce a database in response to General Motors’ discovery request.
  • Philip Morris deleted emails from the company system on a monthly basis for nearly 2½ years in violation of a Court Order and an internal document retention policy. The Court imposed a monetary sanction of nearly $3 million and fined individual corporate officers and managers $250,000 for violating the corporate policy.
  • UBS Warburg failed to retain and preserve emails relevant to the litigation. After an adverse inference, a jury awarded Laura Zubulake $29 million.
  • Morgan Stanley destroyed emails despite 1997 federal regulation and repeated court orders. The jury awarded the adversary $1.45 BILLION in damages.

The courts are clearly very serious about these requirements. And as evidenced above, the veil of liability does not restrict judges from imposing penalties on individuals. Therefore, it behooves every company and executive, no matter how large or small your enterprise, to be prepared.

What do you need to do?
To adequately protect yourselves and your organization, I would recommend the following steps at the very least:

  1. Document your document retention/destruction policy and see that it is followed.
  2. Document your procedure for halting your document retention/destruction policy should you identify a reasonable anticipation of litigation.
  3. Educate your employees and test the policies and procedures created in #1 and #2.
  4. Implement an email archiving process (see below).

In addition, I would strongly recommend consulting your attorney. While I believe this is useful info, it by no means should take the place of professional legal advice.

Why email archiving?
The challenge with email is that it can be deleted far too easily - even by accident. While it takes some conscious effort to delete data in a database or a contract off of a network drive, it is entirely possible that an employee may accidentally double-click the delete button - thereby deleting two emails instead of one. If that second email was of a material nature, you could be in hot water.

Email archiving, when done properly, captures every email as it is sent or received from each user in your organization. The archive is read-only and cannot be edited. Therefore, should you need to comply with a discovery request, you have one place to go for all email that your organization has sent or received - and you can easily demonstrate that email has neither been edited nor deleted.

Email archives can be expensive and can require continuous investment to maintain and expand as your email stores get larger. However, you can outsource this function - further protecting you because a third-party now has responsibility for your email archive. In fact, many of our clients are choosing to outsource their entire email function, saving them the cost of hardware, software, maintenance, updates and offering improved performance and reliability. Here is more information about email outsourcing and email archiving options.

I hope this has been helpful. If you have questions, please post them and I'll address them shortly.


Saturday, March 10, 2007

A scary story...

I don't have much time tonight, but I received an email yesterday that I just couldn't believe. The email was from a friend of mine who has a client that is a small technology company. This company recently decided to invest in a VOIP phone system. So they went out and looked for local providers of such systems, selected a vendor and conducted the implementation.

Pretty normal, right? People do this all the time, right? Well, when the vendor left, this company discovered that their brand new IPT server is actually sitting OUTSIDE the firewall! So they called up the vendor and asked, "Is this right?" And here are the responses they received from various vendor employees:

1) that's the way it works,

2) we have to be able to get to it to administer it,

3) malicious people are not likely to find it because there are so many systems out there on the internet

4) if someone trashes the application, it's easy for us to just install a new copy over the internet.

After the last argument, the client has just thrown up their hands. The vendor will neither correct the problem nor will they allow the system to be returned.

This blog is intended for small and medium business leaders, not IT folks. So let me explain why this is such an egregious problem (aside from the absolutely terrible customer service on the part of the vendor).

Whenever any device sits outside the firewall/perimeter network defense, it's about as vulnerable to a security breach as if you were to leave a backpack overflowing with cash sitting in the middle of the softball fields in Central Park. In this case, by leaving their phone server vulnerable like this, hackers will likely find it inside of two weeks. Once they find it, any of the following is possible:

1) The server may be used to host pornography or illegal multimedia content

2) The server may be used to launch attacks against other networks

3) They may just put a listening device on the box and steal all ingoing and outgoing traffic from the server, looking to catch privacy or financial information that could be used for additional crimes.

4) The best case is probably that they crash the machine and leave this small business phoneless for at least a couple days.

This careless disregard for security by a vendor is rare but certainly not unheard of. So if you don't have a strong IT team that understands at least the basics about security, make absolutely certain that your vendor does. Ask the vendor which certifications their service staff maintain (specifically, make sure they have at least one CISSP). And above all, verify that everything they deploy is behind your firewall.

Have a good night!


Thursday, March 8, 2007

Welcome to Security & Compliance for the SMB...

Thanks for stopping by! This blog will be the home for advice, commentary and discussion regarding the information security and compliance landscape as it pertains to America's small and medium size businesses. I intend to discuss a wide variety of topics and hope that you will also contribute to the discussion.

Before we get started, a little about me...

I am a partner in the firm, Pervasive Solutions, LLC. Located in Rochester, NY, Pervasive Solutions provides information security and compliance services and solutions to the SMB world - particularly in the Healthcare, Banking/Financial Services, Legal and Government/Non-Profit industries. We are passionate about protecting our customers from the increasing threats that SMBs face and helping them find reasonable solutions to the mountain of legislation and regulation that seems to continue to proliferate.

Prior to joining Pervasive Solutions, I led several other organizations including a 300-person e-learning company and the strategic consulting division of an $800M publicly-traded enterprise. I also started a software company in 1999, but it wasn't exactly successful. :)

Over the last twelve years, my clients have included the largest of the large and the smallest of the small. But in the last few years, I continued to notice that while large companies were investing in protecting their businesses, systems and data, their smaller counterparts seemed oblivious to the very real threats to their businesses. As I would speak with these business leaders, it was clear - they ALWAYS fell into one of two camps:
  1. They didn't know that they needed protection and didn't understand the regulatory requirements facing them OR
  2. They didn't believe they were big enough to be a victim

Unfortunately, I also ran into business owner after business owner that had been burned by employee theft, data leakage and other such problems. Some lost their business. Some survived but experienced significant pain.

And thus, I jumped into security and compliance with two feet - my ultimate goal being to educate and protect as many small businesses as I can. I am a firm believer that the future of America is dependent upon a strong, innovative, growth-enabled SMB environment. But if they are going to succeed, they need to be protected and compliant. I hope this blog will help.