Archive for September, 2011
Senator to businesses: Protect data or pay
As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough: Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.
Clearly, there’s a need for organizations to better secure confidential and private customer information. It seems that a week rarely passes without a new high-profile data breach in the news. In fact, 2011 is trending to be the worst-ever year for data breaches. And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.
The need to protect customer data is unanimously shared by honest people worldwide…. The issue is HOW to effectively govern and enforce the various data protection requirements and laws?
I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans”…. But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.
My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation: “The devil is in the details with these laws. We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Companies are already victims in these attacks, so why are we penalizing them after a breach? I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”
In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up. First order of business is to identify where confidential files and data live in your organization and ensure visibility of that info (after all, how can you protect what you don’t know about?). Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are being moved and consumed both internally and with business partners and across people, systems and various business applications.
Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.
Join us on September 29 at 1:00 p.m. ET for our latest webcast, Top Tips for Managing File Transfer & Application Integration.
More and more, organizations are beginning to realize that their old batch-file-and-script methods of file transfer and application integration don’t work. They’re unwieldy, primitive, difficult to manage, and often not 100% reliable – not to mention less scalable than the organization might wish. Don Jones, Principal Technologist at Concentrated Technology, and Andre Bakken, Director of Product Management at Ipswitch, will provide the top tips for managing file transfer and application integration in a more modern way. You’ll learn about the key failings in most organizations’ existing techniques, and look at the core capabilities you should be looking for as you move to improve your organization’s treatment of these critical tasks.
Register Now for the webcast!
What: Webcast – Top Tips for Managing File Transfer & Application Integration
When: September 29 at 1:00 p.m. ET
Who: Don Jones, Principal Technologist at Concentrated Technology and Andre Bakken, Director of Product Management at Ipswitch
It was a beautiful, warm day last Saturday, September 10th when 40 Ipswitch employees headed to the Bank of America Pavilion in Boston’s Seaport District to spend the day with almost 200 area children and families.
As a part of the 9/11 national day of service, we donned our Ipswitch iCare t-shirts to take part in a luncheon and day of fun organized by the Foundation To Be Named Later (FTBNL), a Red Sox affiliate, to support Room To Grow, a charity which helps infants in poverty. Other beneficiaries and invitees to the luncheon included the West End House Boys and Girls Club and Horizons for Homeless Children. Parents raising babies in poverty face many challenges including isolation and lack of resources, say organizers of the event. A special social gathering over lunch can provide meaningful social connections and much-needed respite.
The day began with setting up the arts and crafts tables, decorating the dining tables with fun baseball-inspired centerpieces, and assisting the six Boston-area restaurants who generously catered the event.
When the children and their families arrived, the fun really began! Ipswitchers mingled with the wonderful families, Theo and Paul Epstein (brothers and co-founders of FTBNL), and supporters of the charities. Balloon animals and temporary tattoos were the biggest hits, while the children also enjoyed face painting, coloring, bubbles, and decorating picture frames.
When lunch was served, it became clear that it would be a special treat for volunteers and invitees alike. Six Boston-area restaurants created some seriously delicious gourmet treats, including chicken tacos, macaroni & cheese, mini pastrami sandwiches, and sophisticated “PB&J” sandwiches with fig and blue cheese!
This was truly a special event in which Ipswitch was fortunate to participate. We each enjoyed meeting the inspirational families and children from Room to Grow, Horizons for Homeless Children, and the West End House Boys and Girls Club. A big thank you goes out to the Foundation to Be Named Later for organizing this luncheon!
To see more of the pictures from the event, check out our Facebook Album!
Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:
#5: Teach your staff about information security
Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!
What chance does the layman have? Establishing the groundwork for the dissemination and adherence to corporate policies around information security is a positive set of actions to better protect companies.
There needs to be a general awareness around information security and data and a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and outside services, like Gmail, which allows employees to ‘easily’ send large files. This combination can be the best deterrent to data breaches.
#6: Teach your staff about social engineering
The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding around social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists, and scammers aren’t the only ones that want access to
your personal information.
Employees who use shareware or free cloud service are exposing sensitive information and risking an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smart phone (at any hour) are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?
#13: Keep an eye on what information you are letting out into the public domain
In many cases, all information about major IT purchases and deployments by publically traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology or even portal technologies can give a hacker everything they need to exploit your system.
Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…
#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?
Stop everything you’re doing and walk from the front entrance of your office to the mailroom.
Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?
A simple, misplaced memory stick or an unsecured PC are potential recipes for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet opened with hundred dollar bills in plain view, you cannot keep your desktop, laptop, smart phone or a terminal unsecured.
All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.
