Tuesday, July 26, 2011
How Do You Get Your Software Product Found?
Anyone out there willing to share how they built a following for their software product? I am not interested in hearing about SEO or email blasts as I have already tried those routes with no success. I am really interested in hearing about more grassroots types of approaches.
If you have the time to share about your success, drop me an email at: fjonas@noonmarktech.com.
Thanks in advance.
Fred
Sunday, January 31, 2010
Data Breaches Are More Expensive And Serious Than Ever
Other key findings in the study:
- Organized crime is now going after corporate data.
- Data breaches are now being caused by malware.
- Increased use of mobile devices is leading to increasing data security issues.
- Third-party mistakes with outsourced data were involved in 42% of the breaches.
So, what should you be thinking about in your business to prevent data breaches?
- Make sure that all of your computers have anti-virus and anti-malware software installed and keep this software updated regularly with the latest virus/malware definitions.
- Make sure all of your laptops have encrypted hard drives.
- Create a policy about how you want your employees to handle sensitive company information and then train them on the policy. Do not allow sensitive information to be stored on mobile devices or on unencrypted laptops.
- Do not use email or FTP to share sensitive data. Use a secure file sharing system instead.
- Be very careful about outsourcing your sensitive data storage to third-party providers. Use reputable firms offering iron-clad service level agreements or store the data in-house under your complete control.
As always, feel free to contact me if you have any questions.
Tuesday, January 5, 2010
Cloud Computing: Are You Sick Of The Hype?
- Badly developed software applications will not be made better or more scalable by deploying them to the cloud.
- Applications with security holes will not be made more secure by deploying them to the cloud.
- Applications that contain your company's sensitive or proprietary data will not be safer in the cloud.
Just because the pundits say that everyone needs to embrace and move to the cloud does not mean that you have to. Keep control of your data. Lease dedicated or virtual servers from a reliable data center and make your own cloud! Stay focused on backing up and securing the servers, applications, and data that you control and you will be providing a better service to your company than if you jump on the Cloud Computing bandwagon.
As always, feel free to contact me if you have any questions.
Saturday, December 12, 2009
SQL Injection - Is Your Website Protected?
The SQL Injection attack is a frequent way that the bad guys try to get onto your website and steal information. To use this attack, the hacker adds additional SQL commands to a page request and the web server then tries to execute those commands within the back end database.
So, what should you do to protect your website against SQL Injection attacks? There are a number of simple steps that you can take:
- Make sure that your web developers are validating any input fields on the website. For example, on a Contact Us form, the fields that the website visitor fills out should be checked for script tags and other malicious code before the entries are passed to the database.
- Make sure that your web developers use stored procedures (or at least parameterized queries) for all SQL database code used on the website. This type of SQL code does not allow hackers to insert their own code into the database logic.
- Make sure that passwords are being stored encrypted in the database. In the NASA example, if the passwords had been stored encrypted, the effects from the researcher/hacker breaking into the site would have been minimized.
- Make sure that the account used by the website to access the database has the least privileges that it needs. For example, if the account only has the ability to run SQL stored procedures that you have created, the hacker will be hard-pressed to get more information out of the database than he should. Never allow an admin account to be used to connect your website to the database!
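To make the parameterized-query and least-privilege steps concrete, here is an added example (not code from the original post) using Python's built-in sqlite3 module. The table, sample rows, and function names are constructed for illustration, and SQLite's `query_only` setting stands in for a restricted database account.

```python
import sqlite3

def make_db():
    """Constructed sample data: a customer table behind a website lookup form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, notes TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "renewal due"), ("bob@example.com", "credit hold")],
    )
    conn.commit()
    return conn

def lookup_concatenated(conn, email):
    # Vulnerable pattern: the visitor's text is pasted into the SQL string,
    # so quotes in the input change the logic of the query.
    sql = "SELECT email, notes FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, email):
    # Hardened pattern: the value travels separately from the SQL text and
    # is only ever compared as data.
    sql = "SELECT email, notes FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def restrict_to_reads(conn):
    # Assumption: SQLite has no user accounts, so query_only stands in for
    # a database login that has been granted read access only.
    conn.execute("PRAGMA query_only = ON")

def write_is_blocked(conn):
    # Returns True when the connection refuses to modify data.
    try:
        conn.execute("INSERT INTO customers VALUES ('x@example.com', 'x')")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody@example.com' OR '1'='1"  # constructed form input
    print("concatenated :", lookup_concatenated(db, crafted))
    print("parameterized:", lookup_parameterized(db, crafted))
    restrict_to_reads(db)
    print("write blocked:", write_is_blocked(db))
```

The concatenated lookup returns every customer row for the crafted input, while the parameterized lookup treats the same text as a literal email address and returns nothing.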
As always, feel free to contact me if you have any questions.
Monday, November 30, 2009
To Host Or Not To Host, That Is The Question
As individuals, we are very used to "hosted" applications in our daily lives. Gmail, Facebook, and your online banking bill pay website are just three examples of applications that we use frequently. We need only a web browser to get at and make changes to our data. The provider of the service, e.g. Google in the case of Gmail, takes care of storing and securing our data and making sure that we can access the service over the web.
You need to think carefully when deciding to use a third party company to provide one or more of the IT services that you need to run your business. Remember, once you start using an outsourced company, your proprietary and sensitive company data is being stored out on the web somewhere and it is no longer under your direct control. Who has access to look at your data? Is it really getting backed up? When and if the data does get backed up, who at the backup site has access to it? If you decide to change providers, how will you get your data back?
So what should you be thinking about before deciding to outsource one or more of your key IT services?
- If you are storing files/data on the web, make sure that this data is going to be stored encrypted.
- Make sure that the backups of your data are going to a facility separate from the primary one.
- Reduce the risk of a single point of failure by splitting your IT service needs over multiple providers.
- Think about providing your own web-based services that you control! Today, you can lease virtual or dedicated servers inexpensively. Most of these servers come with packages of free software including email, help desk, web analytics, etc.
As always, feel free to contact me if you have any questions.
Wednesday, November 25, 2009
Focus On The Data In Data Security
All of the above technologies are good and necessary components of a sound data security plan. The problem is that most IT Admins and business owners have the wrong focus when thinking about IT security. They need to focus on protecting the data of their businesses in a more holistic manner. Viruses and malware certainly have the ability to steal sensitive data from your business, but your employees do too.
You can no longer protect your network and data like you could in the old days. With web-based email, secure web file sharing applications, SalesForce.com, etc., there really is no inside the network/outside the network boundary that you can protect anymore. Your company's data is everywhere: on laptops, cellphones, USB memory sticks, etc.
You can see why you have to keep the focus on your data. Your business data is your key competitive advantage. Keeping your data secure should be your number one IT security priority.
So, what should you be doing to protect your data?
- Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
- Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
- Encrypt the hard drives on all of your laptops (desktops too!) so that if any machine is stolen the data will not be able to be accessed.
- Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure email, secure web file sharing systems, etc. that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all.
- Monitor who is accessing the sensitive data to detect unauthorized usage.
- Train your employees on what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.
As always, feel free to contact me if you have any questions.
Tuesday, November 24, 2009
Data Security As A Process
- Finding and implementing good technology solutions to meet your security needs.
- Communicating with employees about what data needs to be kept secure.
- Training employees how to use your selected security technologies.
You need to do all three of these things to protect your data. Each one alone will not work. IT organizations tend to focus on finding technology solutions for data security issues because that is what they know and that is what they are comfortable with. Good technology is important but if you provide it and your employees do not use it, then these technical systems will obviously fail to do what they are designed to do.
You must communicate with and train your employees to use your selected security technologies. You have to get your employees to understand the importance of keeping data secure. You need them to be a part of the solution rather than being a part of the problem.
If your employees do not know that they are not supposed to copy confidential documents to an insecure USB drive, how can you blame them when they do? If you implement a web-based secure file sharing system but don't tell employees about it and don't show them how to use it, will you be surprised when they send sensitive files as unencrypted email attachments?
So what should you do to keep data secure in your business?
- Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
- Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
- Find the appropriate technology to provide access to the data while also protecting it e.g. HR applications, secure email, secure file sharing systems.
- Tell your employees what you are doing e.g. newsletters, weekly meetings, etc.
- Train your employees on the technologies that you use e.g. formal classroom training or informal one-on-one sessions.
- Repeat all of the above on an ongoing basis. As your business changes so do your data security needs!
As always, feel free to contact me if you have any questions.