Sunday, January 31, 2010

Data Breaches Are More Expensive And Serious Than Ever

The Ponemon Institute has released its annual study of data breaches at US companies, entitled "U.S. Cost of a Data Breach". According to the study, the average cost of a data breach increased almost 2 percent, from $6.65 million per organization in 2008 to $6.75 million in 2009.

Other key findings in the study:
  • Organized crime is now going after corporate data.
  • Data breaches are now being caused by malware.
  • Increased use of mobile devices is leading to increasing data security issues.
  • Third-party mistakes with outsourced data were involved in 42% of the breaches.

So, what should you be thinking about in your business to prevent data breaches?

  • Make sure that all of your computers have anti-virus and anti-malware software installed and keep this software updated regularly with the latest virus/malware definitions.
  • Make sure all of your laptops have encrypted hard drives.
  • Create a policy about how you want your employees to handle sensitive company information and then train them on the policy. Do not allow sensitive information to be stored on mobile devices or on unencrypted laptops.
  • Do not use email or FTP to share sensitive data. Use a secure file sharing system instead.
  • Be very careful about outsourcing your sensitive data storage to third-party providers. Use reputable firms offering iron-clad service level agreements or store the data in-house under your complete control.

As always, feel free to contact me if you have any questions.

Tuesday, January 5, 2010

Cloud Computing: Are You Sick Of The Hype?

Almost every tech email that I get on a daily basis contains an article about Cloud Computing. I realize that the IT pundits have a job to do and that hyping technology is a big part of that job but enough is enough! Give it a rest! Cloud Computing is not the cure for all the world's ills. It's not even the cure for most of the IT world's ills.
  • Badly developed software applications will not be made better or more scalable by deploying them to the cloud.
  • Applications with security holes will not be made more secure by deploying them to the cloud.
  • Applications that contain your company's sensitive or proprietary data will not be safer in the cloud.

Just because the pundits say that everyone needs to embrace and move to the cloud does not mean that you have to. Keep control of your data. Lease dedicated or virtual servers from a reliable data center and make your own cloud! Stay focused on backing up and securing the servers, applications, and data that you control and you will be providing a better service to your company than if you jump on the Cloud Computing bandwagon.

As always, feel free to contact me if you have any questions.

Saturday, December 12, 2009

SQL Injection - Is Your Website Protected?

Two websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were recently broken into by a researcher using a SQL Injection attack. The researcher was able to get the credentials of about 25 administrator accounts which he then could have used to add web pages containing phishing scams and other bad content to the web site.

The SQL Injection attack is a frequent way that the bad guys try to get onto your website and steal information. To use this attack, the hacker adds additional SQL commands to a page request, and the web server then tries to execute those commands within the back end database.

So, what should you do to protect your website against SQL Injection attacks? There are a number of simple steps that you can take:
  1. Make sure that your web developers are validating any input fields on the website. For example, on a Contact Us form, the fields that the website visitor fills out should be checked for script tags and other malicious code before the entries are passed to the database.
  2. Make sure that your web developers use stored procedures (or at least parameterized queries) for all SQL database code used on the website. This type of SQL code does not allow hackers to insert their own code into the database logic.
  3. Make sure that passwords are being stored encrypted in the database. In the NASA example, if the passwords had been stored encrypted, the effects from the researcher/hacker breaking into the site would have been minimized.
  4. Make sure that the account used by the website to access the database has the least privileges that it needs. For example, if the account only has the ability to run SQL stored procedures that you have created, the hacker will be hard pressed to get more information out of the database than he should. Never allow an admin account to be used to connect your website to the database!
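To make steps 1 and 2 concrete, here is an added example (not from the original post) in Python with SQLite: a lookup built by pasting the form field into the SQL string, beside the same lookup written as a parameterized query, plus an allowlist check for the field before it reaches the database. The table, column and sample names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's admin table.
# The hash values are placeholders, not real hashes.
SAMPLE_ADMINS = [("alice", "<placeholder-hash-1>"), ("bob", "<placeholder-hash-2>")]


def make_db():
    """Build an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", SAMPLE_ADMINS)
    return conn


def find_admin_vulnerable(conn, username):
    """Step 2 done wrong: the visitor's text becomes part of the SQL statement,
    so a value containing a quote changes what the database executes."""
    sql = "SELECT username FROM admins WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_admin_parameterized(conn, username):
    """Step 2 done right: the '?' placeholder sends the value separately from
    the SQL text, so it is only ever compared as data, never run as SQL."""
    sql = "SELECT username FROM admins WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Step 1: allowlist validation of a form field before any query is built.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_valid_username(value):
    """Accept only short names made of letters, digits and . _ - ."""
    return bool(USERNAME_RE.fullmatch(value))


if __name__ == "__main__":
    db = make_db()
    # A quote-bearing value of the kind a tester uses to check the fix.
    crafted = "x' OR '1'='1"
    print(find_admin_vulnerable(db, crafted))     # both admins leak out
    print(find_admin_parameterized(db, crafted))  # [] : treated as a literal name
    print(is_valid_username(crafted))             # False: rejected before any query
```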

As always, feel free to contact me if you have any questions.

Monday, November 30, 2009

To Host Or Not To Host, That Is The Question

Most companies today outsource one or more of their IT functions to a third party provider. For example, a business may pay another company to run its Microsoft Exchange or web-based email system. In this example, the email system is "hosted" on one or more servers located at the data center of the provider.

As individuals, we are very used to "hosted" applications in our daily lives. Gmail, Facebook, and your online banking bill pay website are just three examples of applications that we use frequently. We need only a web browser to get at and make changes to our data. The provider of the service, e.g. Google in the case of Gmail, takes care of storing and securing our data and making sure that we can access the service over the web.

You need to think carefully when deciding to use a third party company to provide one or more of the IT services that you need to run your business. Remember, once you start using an outsourced company, your proprietary and sensitive company data is being stored out on the web somewhere and it is no longer under your direct control. Who has access to look at your data? Is it really getting backed up? When and if the data does get backed up, who at the backup site has access to it? If you decide to change providers, how will you get your data back?

So what should you be thinking about before deciding to outsource one or more of your key IT services?
  1. If you are storing files/data on the web, make sure that this data is going to be stored encrypted.
  2. Make sure that the backups of your data are going to a facility separate from the primary one.
  3. Reduce the risk of a single point of failure by splitting your IT service needs over multiple providers.
  4. Think about providing your own web-based services that you control! Today, you can lease virtual or dedicated servers inexpensively. Most of these servers come with packages of free software including email, help desk, web analytics, etc.

As always, feel free to contact me if you have any questions.

Wednesday, November 25, 2009

Focus On The Data In Data Security

Generally, when IT Admins and business owners think about IT security, they focus on protecting their networks and computers. They protect these devices with anti-virus programs, anti-malware applications, and firewalls. They run anti-spam programs to protect their email servers. Those companies that have more money to spend will implement network access control systems to prevent unauthorized machines from getting on the network, etc.

All of the above technologies are good and necessary components of a sound data security plan. The problem is that most IT Admins and business owners have the wrong focus when thinking about IT security. They need to focus on protecting the data of their businesses in a more holistic manner. Viruses and malware certainly have the ability to steal sensitive data from your business, but your employees do too.

You can no longer protect your network and data like you could in the old days. With web-based email, secure web file sharing applications, SalesForce.com, etc., there really is no inside the network/outside the network boundary that you can protect anymore. Your company's data is everywhere: on laptops, cellphones, USB memory sticks, etc.

You can see why you have to keep the focus on your data. Your business data is your key competitive advantage. Keeping your data secure should be your number one IT security priority.

So, what should you be doing to protect your data?

  1. Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
  2. Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
  3. Encrypt the hard drives on all of your laptops (desktops too!) so that if any machine is stolen the data cannot be accessed.
  4. Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure email, secure web file sharing systems, etc. that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all.
  5. Monitor who is accessing the sensitive data to detect unauthorized usage.
  6. Train your employees what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.

As always, feel free to contact me if you have any questions.
Tuesday, November 24, 2009

Data Security As A Process

Keeping data secure in your business involves three key elements:
  1. Finding and implementing good technology solutions to meet your security needs.
  2. Communicating with employees about what data needs to be kept secure.
  3. Training employees how to use your selected security technologies.

You need to do all three of these things to protect your data. Each one alone will not work. IT organizations tend to focus on finding technology solutions for data security issues because that is what they know and that is what they are comfortable with. Good technology is important but if you provide it and your employees do not use it, then these technical systems will obviously fail to do what they are designed to do.

You must communicate with and train your employees to use your selected security technologies. You have to get your employees to understand the importance of keeping data secure. You need them to be a part of the solution rather than being a part of the problem.

If your employees do not know that they are not supposed to copy confidential documents to an insecure USB drive, how can you blame them when they do? If you implement a web-based secure file sharing system but don't tell employees about it and don't show them how to use it, will you be surprised when they send sensitive files as unencrypted email attachments?

So what should you do to keep data secure in your business?

  1. Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
  2. Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
  3. Find the appropriate technology to provide access to the data while also protecting it e.g. HR applications, secure email, secure file sharing systems.
  4. Tell your employees what you are doing e.g. newsletters, weekly meetings, etc.
  5. Train your employees on the technologies that you use e.g. formal classroom training or informal one on one sessions.
  6. Repeat all of the above on an ongoing basis. As your business changes so do your data security needs!

As always, feel free to contact me if you have any questions.

Monday, November 23, 2009

Cloud Computing: Is Your Data Really Safe?

You may have been hearing about Cloud Computing. Apparently, it is the next big thing according to IT industry pundits. The basic idea is that your business can pay for computing power and storage by the minute or hour by using the processors and hard drives of machines out on the Internet.

But wait! Aren't you already doing this by using Gmail, Salesforce.com, web-based email, online file sharing services, etc.? Yes, of course you are. Also, if you have your website hosted by a third-party provider or you are leasing a dedicated or virtual server from a server hosting company, you are already using cloud computing.

So, it turns out that the average business is already using cloud computing. The newest cloud technologies that you may hear about are merely an extension of what you are already doing. IT marketers and industry research companies always need to be hyping the next big thing so that is why you will be hearing about the cloud in a big way for the foreseeable future.

Two important questions about cloud computing:
  1. How secure is your data out on the web? Can some random server administrator read your sensitive files?
  2. How will your business survive a brief or an extended outage of a web-based service that you are using?

Businesses tend to be very complacent when it comes to web-based services. For most people, once they see on a website that the company offering the service has a data center that is secure and that offers 99.999% uptime, they feel like everything is going to be okay, their eyes glaze over, and they do not want to think about data security/service availability anymore.

Unfortunately, we hear about major data losses and service outages all the time in the news, like the recent one involving T-Mobile Sidekick, where thousands of people were not able to access their data for extended periods of time.

So, what should you be thinking about in terms of data security/availability when it comes to using web/cloud based services?
  1. Forget the claims of 99.999% uptime. Think about how your business would be affected by a service outage of 1 hour or 1 day or 1 month. Then, create a plan to handle this situation.
  2. If you are storing files/data on the web, make sure that this data is stored encrypted.
  3. Don't put all your eggs in one basket. Think about splitting your data storage over multiple providers. Or get your own dedicated or virtual server and provide your own web-based service that you control!

As always, feel free to contact me if you have any questions.