Keeping Data Secure In Your Business

How Do You Get Your Software Product Found?

2011-07-26T15:18:00.003-04:00

Here are Noonmark, we have been producing excellent quality software products for the past 10 years. Originally, we were able to afford advertising on Google at maybe 5 or 10 cents per click. Now, for most of the keywords that would be used by people searching for our products, we would need to pay $2 - $10 per click! For a small company like ours, that is obviously not going to be possible because it might take 10 to 100 clicks before we even get an actual response (email, phone call) to our website.

Anyone out there willing to share how they built a following for their software product? I am not interested in hearing about SEO or email blasts as I have already tried those routes with no success. I am really interested in hearing about more grass roots types of approaches.

If you have the time to share about your success, drop me an email at: fjonas@noonmarktech.com.

Thanks in advance.

Fred

Data Breaches Are More Expensive And Serious Than Ever

2010-01-31T08:56:00.003-05:00

The Ponemon Institute has released its annual study of data breaches at US companies entitled the “U.S. Cost of a Data Breach". According to the study, the average cost of a data breach increased almost 2 percent, from $6.65 million per organization in 2008 to $6.75 million in 2009.

Other key findings in the study:

Organized crime is now going after corporate data.
Data breaches are now being caused by malware.
Increased use of mobile devices is leading to increasing data security issues.
Third-party mistakes with outsourced data were involved in 42% of the breaches.

So, what should you be thinking about in your business to prevent data breaches?

Make sure that all of your computers have anti-virus and anti-malware software installed and keep this software updated regularly with the latest virus/malware definitions.
Make sure all of your laptops have encrypted hard drives.
Create a policy about how you want your employees to handle sensitive company information and then train them on the policy. Do not allow sensitive information to be stored on mobile devices or on unencrypted laptops.
Do not use email or ftp to share sensitive data. Use a secure file sharing system instead.
Be very careful about outsourcing your sensitive data storage to third-party providers. Use reputable firms offering iron-clad service level agreements or store the data in-house under your complete control.

As always, feel free to contact me if you have any questions.

Cloud Computing: Are You Sick Of The Hype?

2010-01-05T16:52:00.002-05:00

Almost every tech email that I get on a daily basis contains an article about Cloud Computing. I realize that the IT pundits have a job to do and that hyping technology is a big part of that job but enough is enough! Give it a rest! Cloud Computing is not the cure for all the world's ills. It's not even the cure for most of the IT world's ills.

Badly developed software applications will not be made better or more scalable by deploying them to the cloud.
Applications with security holes will not be made more secure by deploying them to the cloud.
Applications that contain your company's sensitive or proprietary data will not be safer in the cloud.

Just because the pundits say that everyone needs to embrace and move to the cloud does not mean that you have to. Keep control of your data. Lease dedicated or virtual servers from a reliable data center and make your own cloud! Stay focused on backing up and securing the servers, applications, and data that you control and you will be providing a better service to your company then if you jump on the Cloud Computing bandwagon.

As always, feel free to contact me if you have any questions.

SQL Injection - Is Your Website Protected?

2009-12-12T08:27:00.005-05:00

Two websites for NASA's Instrument Systems and Technology Division and Software Engineering Division were recently broken into by a researcher using a SQL Injection attack. The researcher was able to get the credentials of about 25 administrator accounts which he then could have used to add web pages containing phishing scams and other bad content to the web site.

The SQL Injection attack is a frequent way that the bad guys try to get onto your website and steal information. To use this attack, the hacker adds additional SQL commands to a page request and the web server then tries to execute those commands within the back end database.

So, what should you do to protect your website against SQL Injection attacks? There are a number of simple steps that you can take:

Make sure that your web developers are validating any input fields on the website. For example, on a Contact Us form, the fields that the website visitor fills out should be checked for script tags and other malicious code before the entries are passed to the database.
Make sure that your web developers use stored procedures (or at least parameterized queries) for all SQL database code used on the website. This type of SQL code does not allow hackers to insert their own code into the database logic.
Make sure that passwords are being stored encrypted in the database. In the NASA example, if the passwords had been stored encrypted, the effects from the researcher/hacker breaking into the site would have been minimized.
Make sure that the account used by the website to access the database has the least privileges that it needs. For example, if the account only has the ability to run SQL stored procedures that you have created, the hacker will be hard pressed to get more information out of the database then he should. Never allow an admin account to be used to connect your website to the database!

As always, feel free to contact me if you have any questions.

To Host Or Not To Host, That Is The Question

2009-11-30T06:59:00.003-05:00

Most companies today outsource one or more of their IT functions to a third party provider. For example, a business may pay another company to run its Microsoft Exchange or web-based email system. In this example, the email system is "hosted" on one or more servers located at the data center of the provider.

As individuals, we are very used to "hosted" applications in our daily lives. Gmail, Facebook, and your online banking bill pay website are just three examples of applications that we use frequently. We need only a web browser to get at and make changes to our data. The provider of the service, e.g. Google in the case of Gmail, takes care of storing and securing our data and making sure that we can access service over the web.

You need to think carefully when deciding to use a third party company to provide one or more of the IT services that you need to run your business. Remember, once you start using an outsourced company, your proprietary and sensitive company data is being stored out on the web somewhere and it is no longer under your direct control. Who has access to look at your data? Is it really getting backed up? When and if the data does get backed up, who at the backup site has access to it? If you decide to change providers, how will you get your data back?

So what should you be thinking about before deciding to outsource one or more of your key IT services?

If you are storing files/data on the web, make sure that this data is going to be stored encrypted.
Make sure that the backups of your data are going to a facility separate from the primary one.
Reduce the risk of a single point of failure by splitting your IT service needs over multiple providers.
Think about providing your own web-based services that you control! Today, you can lease virtual or dedicated servers inexpensively. Most of these servers come with packages of free software including email, help desk, web analytics, etc.

As always, feel free to contact me if you have any questions.

Focus On The Data In Data Security

2009-11-25T09:46:00.003-05:00

Generally, when IT Admins and business owners think about IT security, they focus on protecting their networks and computers. They protect these devices with anti-virus programs, anti-malware applications, and firewalls. They run anti-spam programs to protect their email servers. Those companies that have more money to spend will implement network access control systems to prevent unauthorized machines from getting on the network, etc.

All of the above technologies are good and necessary components of a sound data security plan. The problem is that most IT Admins and business owners have the wrong focus when thinking about IT security. They need to focus on protecting the data of their businesses in a more holistic manner. Viruses and malware certainly have the ability to steal sensitive data from your business, but your employees do too.

You can no longer protect your network and data like you could in the old days. With web-based email, secure web file sharing applications, SalesForce.com, etc., there really is no inside the network/outside the network boundary that you can protect anymore. Your company's data is everywhere: on laptops, cellphones, USB memory sticks, etc.

You can see why you have to keep the focus your data. Your business data is your key competitive advantage. Keeping your data secure should be your number IT security priority.

So, what should you be doing to protect your data?

Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
Encrypt the hard drives on all of your laptops (desktops too!) so that if any machine is stolen the data will not be able to be accessed.
Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure email, secure web file sharing systems, etc. that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all.
Monitor who is accessing the sensitive data to detect unauthorized usage.
Train your employees what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.

As always, feel free to contact me if you have any questions.

Data Security As A Process

2009-11-24T07:28:00.003-05:00

Keeping data secure in your business involves three key elements:

Finding and implementing good technology solutions to meet your security needs.
Communicating with employees about what data needs to be kept secure.
Training employees how to use your selected security technologies.

You need to do all three of these things to protect your data. Each one alone will not work. IT organizations tend to focus on finding technology solutions for data security issues because that is what they know and that is what they are comfortable with. Good technology is important but if you provide it and your employees do not use it, then these technical systems will obviously fail to do what they are designed to do.

You must communicate with and train your employees to use your selected security technologies. You have to get your employees to understand the importance of keeping data secure. You need them to be a part of the solution rather than being a part of the problem.

If your employees do not know that they are not supposed to copy confidential documents to an insecure USB drive, how can you blame them when they do? If you implement a web-based secure file sharing system but don't tell employees about it and don't show them how to use it, will you be surprised when they send sensitive files as unencrypted email attachments?

So what should you do to keep data secure in your business?

Identify the data that you need to protect e.g. confidential files, sales proposals, customer information, employee information.
Determine who needs to have access to this sensitive information e.g. HR personnel for employee records, sales staff for sales proposals, etc.
Find the appropriate technology to provide access to the data while also protecting it e.g. HR applications, secure email, secure file sharing systems.
Tell your employees what you are doing e.g. newsletters, weekly meetings, etc.
Train your employees on the technologies that you use e.g formal classroom training or informal one on one sessions.
Repeat all of the above on an ongoing basis. As your business changes so do your data security needs!

As always, feel free to contact me if you have any questions.

Cloud Computing: Is Your Data Really Safe?

2009-11-23T07:05:00.004-05:00

You may have been hearing about Cloud Computing. Apparently, it is the next big thing according to IT industry pundits. The basic idea is that your business can pay for computing power and storage by the minute or hour by using the processors and hard drives of machines out on the Internet.

But wait! Aren't you already doing this by using Gmail, Salesforce.com, web-based email, online file sharing services, etc. Yes, of course you are. Also, if you have your website hosted by a third-party provider or you are leasing a dedicated or virtual server from a server hosting company, you are already using cloud computing.

So, it turns out that the average business is already using cloud computing. The newest cloud technologies that you may hear about are merely an extension of what you are already doing. IT marketers and industry research companies always need to be hyping the next big thing so that is why you will be hearing about the cloud in a big way for the foreseeable future.

Two important questions about cloud computing:

How secure is your data out on the web? Can some random server administrator read your sensitive files?
How will your business survive a brief or an extended outage of a web-based service that you are using?

Businesses tend to be very complacent when it comes to web-based services. For most people, once they see on a website that the company offering the service has a data center that is secure and that offers 99.999% uptime, they feel like everything is going to be okay, their eyes glaze over, and they do not want to think about data security/service availability anymore.

Unfortunately, we hear about major data losses and service outages all the time in the news like the recent one involving T-Mobile Sidekick where thousands of people were not able to access their data for extended periods of time.

So, what should you be thinking about in terms of data security/availability when it comes to using web/cloud based services?

Forget the claims of 99.999% uptime. Think about how your business would be affected by a service outage of 1 hour or 1 day or 1 month. Then, create a plan to handle this situation.
If you are storing files/data on the web, make sure that this data is stored encrypted.
Don't put all your eggs in one basket. Think about splitting your data storage over multiple providers. Or get your own dedicated or virtual server and provide your own web-based service that you control!

As always, feel free to contact me if you have any questions.

Massachusetts Personal Information Protection Regulation

2009-11-20T07:34:00.003-05:00

The Massachusetts requirement regarding the "standards to be met by persons who own or license personal information about a resident of the Commonwealth of Massachusetts must be met by businesses and organizations starting on 3/1/2010.

In summary, the regulation, 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth, defines the minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records.

The point of the regulation is to prevent identity theft. If your business stores any records for Massachusetts residents that contain the first name and last name or first initial and last name plus any of the following:

Social Security Number
Driver's License or State-Issued Identification Card Number
Financial Account Number
Credit or Debit Card Number

then you are subject to the regulation regardless of whether your business is located in Massachusetts or not.

So what do you need to do to comply with the regulation?

Identify where the Personally Identifiable Information (PII) is stored e.g. paper files, computers, laptops, external hard drives, etc.
Identify how the PII is at risk e.g. internal or external theft, hacking, etc.
Document in a Written Information Security Plan (WISP) how you will protect the PII
Carry out the WISP e.g. train your employees about how to handle sensitive data, encrypt your hard drives, use a secure online file sharing system instead of email for getting PII to customers, etc.

Another Stolen Laptop, Another Business In Trouble

2009-11-19T09:11:00.004-05:00

This past summer, Blue Cross/Blue Shield in Connecticut had a laptop stolen. On the laptop was highly confidential information, including tax identification and Social Security numbers for 800,000 healthcare providers nationwide.

Now the company is being investigated by Connecticut Attorney General Richard Blumenthal. "We are vigorously investigating this appalling data loss, needlessly exposing more than 18,000 Connecticut doctors and professionals to devastating identity theft," Blumenthal said in a statement. "Failing to promptly notify providers of the breach is inexcusable -- and a possible violation of state law. Waiting two months left providers severely at risk -- needlessly and irresponsibly exposing them to financial mayhem."

You can guess what the outcome of the investigation will be: fines, statements of apology, agreements to make changes in the way information is kept secure, etc.

Blue Cross/Blue Shield will survive because it is a large company. Your business, on the other hand, might not survive such an incident. Can you afford the legal fees necessary to defend your company against a lawsuit? Your insurance will not cover theses expenses if it can be demonstrated by your insurer that you are not protecting your sensitive data in the industry standard manner. More importantly, what will your customers think when they hear about your loss of sensitive data? They will probably drop your business like a rock.

Laptops, cell phones, Blackberrys, IPhones, etc. are constantly being stolen. It is a fact of life. So, what should you do to protect your sensitive company data?

Encrypt the hard drives on all of your laptops (desktops too!) so that if any machine is stolen the data will not be able to be accessed.
Minimize the sensitive data that is stored on non-secure devices in the first place by giving employees access to secure online systems that store the sensitive data. If you do this your employees will not have to store any sensitive data on their own devices at all. And you will be able to monitor who is accessing the sensitive data to detect unauthorized usage.
Train your employees what to do with the sensitive data. Technology alone can never prevent data from being stolen. You need your employees to use the technology that you give to them appropriately to prevent data loss.

Cyber Crime And Your Business

2009-11-18T08:22:00.003-05:00

Yesterday the Government Accountability Office (GAO) released a new report that took a critical look at US federal information system security. The GAO report outlined the groups and individuals that it considers to be key threats to our nation's information systems:

Foreign Nations
Criminal Groups
Hackers
Hacktivists (politically motivated hackers)
Disgruntled Insiders
Terrorists

So what impact do the GAO report findings have on data security in your business? Most businesses do not have to worry about Foreign Nations, Hackers, Hacktivists (unless the business is a political organization), and Terrorists.

Criminal Groups are a legitimate concern for any size business. Almost every business has some exposure to the Internet. Your website, particularly if you sell goods or services over the Internet, and your use of email are the common ways that Criminal Groups can attack you. Cyber criminals are looking for credit card and bank information, Social Security numbers, etc. to steal online.

Disgruntled Insiders, both employees and contractors, are also a definite legitimate concern for any business. These individuals frequently have extensive access to the software systems (financial, payroll, human resources) where your key data is stored. These people can easily steal from you and cover their tracks.

Actions should you take to counter these threats:

Figure out whether your website is exposing any sensitive information e.g. do you have a "private area" of the website that you use to share information with others? Is this part of the website really secure? Strengthen the security of this private area or replace it with an online secure web file sharing system.
Do not use email to send and receive sensitive data or files. Email is not secure. Install secure file sharing software or use an online secure file sharing system to protect this data.
Set up your internal computer systems to keep track of all user actions in a log. Review these logs regularly to detect and stop data information theft.
Reduce the access levels of your employees and contractors on your internal computer systems to the level that they really need to do their jobs. An employee rarely needs to be set up as a System Administrator to do his/her job.
Encrypt your stored files to prevent employees and contractors from having access to information that they should not be able to see. Laptops need to have full-disk encryption because they are frequently stolen.

Plan For Data Security Now, Rather Than Cleaning Up The Mess Later

2009-02-04T17:28:00.005-05:00

Earlier this year, the Veterans Affairs Department agreed to pay $20 million to settle a class action lawsuit over the 2006 loss of a laptop containing records with personal information of up to 26.5 million veterans and active duty personnel.

Your business may not be nearly as big as the Veterans Affairs Department but what happened to them can happen to you. How many laptops do you have in your company? What sensitive customer data is, right at this moment, on those laptops? Do the laptops have encrypted hard drives? Do all the laptops at least require a user to login to gain access to the system?

You should be thinking about the issue of sensitive data on laptops as well as on PCs, CD's, and flash memory drives. Here's how to get started:

Determine what sensitive data you have in your company. Where are the customer records kept? Where are the contract documents, software code, sales spreadsheets, etc. stored?
Determine which employees really need to have access to the various data sources.
If the above data is stored in multiple places, maybe now is the time to think about consolidating some of those locations and putting all of the data into one or a small number of easily secured and accessible online systems.
Make sure that all laptops are, at a minimum, protected by an user name/password combination.
Look into making sure that all laptops have full disk encryption. Flash drives can be encrypted as well.
Inform your employees, contractors, and partners of your data security policies and train them in how to handle sensitive data properly. If the people associated with your business do not know what your expectations are regarding sensitive data, they will not use the technology that you give them correctly. Training and sharing of expectations are key in the ongoing process of securing your company's data.

If you think about securing your data before it gets lost or stolen, you can avoid the kind of financial loss that the Veterans Affairs Department is currently facing. Even more importantly, you will be protecting the good reputation of your business.

Data Loss Prevention 101

2009-01-30T09:51:00.007-05:00

Introduction

You should be thinking about protecting your company against the loss or theft of customer data and intellectual property. If your business has sensitive data lost or stolen, you could be subject to fines, lawsuits, and, maybe most importantly, a severely damaged reputation. To help prevent these dire situations from occurring, you need to create and implement a data loss prevention plan.

What Data Needs To Be Protected?

Personally identifiable customer data (names, addresses, credit card and social security numbers, banking information, etc.).

The intellectual property of your business (proprietary plans, software code, sales spreadsheets, etc.).

Where Does The Data Need To Be Protected?

Data in motion (emails, ftp and web traffic - all data going into and out of your network and off-site computers).

Data at rest (on your file servers, pcs, laptops, and pdas and in your SQL Server, Oracle, DB2, and MySQL databases).

Data in use (being copied to CDs, DVDs, and Memory Sticks).

The Data Loss Prevention Plan

Start by identifying the data at your business that needs to be protected.
Determine where the data that needs to be protected is located. You should think about centralizing the location of sensitive data for ease of protection.
Determine which employees need to have access to the protected data. Some employees may not need to have any access, some may need selective access, and others may need full access.
Determine what regulatory requirements your business must meet in regards to sensitive data.
Discuss the need to protect sensitive data with your employees. Explain to them the importance of keeping data protected. Train employees how to keep data safe.
Assign someone to be responsible for continuing to think about data loss prevention at your company.

Only after you have completed the above steps should you start to think about the specific technical systems that you will use to prevent data loss. There are many different kinds of systems available to prevent the loss of data in motion, data at rest, and data in use. Some systems can help to prevent all three types of data loss and others may be specialized in preventing only one of the three.

No single system can truly prevent all data loss. You will need to employ a combination of easy to use systems plus employee training to protect your business from data loss on an ongoing basis. The most important aspect of any Data Loss Prevention plan is to keep the focus on the data that needs to be protected rather than on the systems that you use to do the protecting.