Blog

Please Steal This Password
Data security

If you read the title of this post and think I’m crazy, you’re probably right.  On the other hand, most people seem to be saying this by their actions.  How many times have you been in an office and seen passwords attached to monitors on sticky notes?  How about people who use the password “password”?

We’ve all read stories about using strong passwords and how easy it is to guess people’s passwords.  The fatal flaw in the system is that we need something that isn’t obvious, but something that we can remember.  One of the simplest methods of creating a more complex password is to use upper- and lower-case alphanumerics plus a symbol.

There is a great site that can help you understand this.  Go to http://howsecureismypassword.net/ and type in combinations of letters, numbers and symbols to see what it tells you.  This is not a foolproof method of choosing a password, but it will give you a good idea of what is secure and what’s not. 

The Case of the Killer Fax
Data security

I was recently discussing the 2004 revelation that Canadian Imperial Bank of Commerce (CIBC) had been faxing confidential information about hundreds of its customers to a scrap yard operator in West Virginia for more than three years.  The problem was eventually traced to an error in the instruction documents that had been distributed to branch offices and individuals.  The slight chance that an incorrect phone number just happened to be another fax machine cost CIBC millions in legal costs and damage to their brand.

It’s hard to know how often confidential files continue to be sent to incorrect destinations or unsecure areas.  The individual that I was speaking with mentioned that he was recently working in one of their regional offices.  When he went to the copier to pick up his work he found payroll information that had been mistakenly faxed to their public fax machine from a local law firm!  The nature of analog and digital fax technology lends itself to human error; errors that can have a devastating impact on a company’s image.

Government poised to profit from data leaks
Data security

I just returned from a business trip to Miami, Florida. When I arrived I noticed there was an unusually high number of speed traps around the city. I was speaking with one of our clients who lives in the Miami area and she mentioned that the local and state police were no longer giving anyone the usual 9 MPH buffer before they would give you a ticket. She went on to explain that there was a recent news article that focused on how the government was clamping down on everything so they can generate more revenue from existing and new laws.

So I immediately began to think about the new Data Breach laws that are now going into effect throughout the United States. Florida enacted their Data Breach notification law in 2009.

Cloud Security is not an Oxymoron
Data security Secure collaboration

A few interesting news items made me think about security and cloud computing.  There are many naysayers who state “I would never put anything important in the cloud.  It’s not secure.”  Yet they have no problem putting important, mission-critical data in on-premise systems, which as we see from the constant data breach headlines are not very secure.  There are a number of governments who have major cloud initiatives and somehow think it’s secure enough for them.

In his presentation this week at the RSA Conference in San Francisco, Amazon Web Services (AWS) evangelist Steve Riley asked what people would think of an encryption service in the cloud.  This managed encryption service, which he called Simple Encryption Service, would encrypt all data going into or out of Amazon’s cloud.  Riley was proposing a standard of encryption that would make it easier to securely move data around the Internet and between clouds.

The challenge of protecting copyright materials
Data security

Organizations that purchase copyrighted material are legally bound to protect the content from unauthorized use. When purchased in a physical format, libraries take precautions to ensure that copiers are not used to illegally reproduce content. When content is purchased in a digital form the ability to make one unauthorized copy could mean there are thousands of unauthorized copies. This exposes organizations to significant liability if the content owners determine that there was a violation of the copyright.

Higher education at risk by security problems
Data breach Data security

Another day, another data breach at a university.  Eastern Washington University discovered this week that more than 130,000 current and former students may have had their personal information stolen by a hacker sometime in the past year.  This is just the latest in a string of universities that were attacked.  The scary thing is that the universities are not sure when the breach happened.  
   
Officials think that people are targeting research universities because there is a lot of sensitive, hence profitable, information available.  Are these related, are they insiders, are they coordinated?  No one knows or would talk if they knew.  If this continues, higher education and students could be severely compromised.  

Clouds, Security and the End of the Naughties
Data security

A few days ago I heard someone refer to the years 2000 – 2009 as “The Noughties”, derived from the English word nought which means zero.  I prefer calling this last decade the naughties because of both improper and mischievous behavior I have seen in the business world.  The improper behavior has resulted in scandals and security breaches.  I view the mischievous behavior as something positive.  People who are mischievous have a twinkle in their eye and dare to take on conventional wisdom.  A lot of the progress in human history came from someone who thought differently and wanted to shake things up.
  
Two of the biggest items to illustrate both sides of naughty in the last 10 years are the emergence of cloud computing and the abuse of information security.  The former will become the way of the world for computing and information access.  The latter has become a continuous scourge of scandals and security problems.

Do you know where your important content lives?
Data security

The answer is everywhere you can imagine.  Most organizations think their important data is only in word processing documents, spreadsheets, presentations or databases.  What about a concept sketch for your new product?  What about training videos?  How about information shared by teams in an internal wiki or blog?
  
There is just as much important information in those as in a traditional word processing document or spreadsheet.  Whether you are an insurance company that has photographs from an accident scene or an attorney who has a video deposition, the contents of these files are critical to your business.  And they also may be private and confidential.  If a private picture made its way onto Flickr or Facebook, it might cause monetary and legal problems for you.  Social networking programs are fantastic for engaging customers, employees and partners, but can wreak havoc if the wrong thing gets up there.

Pandora’s Box
Data security

I just finished reading a book called Pandora’s Star.  In the book an envelope is placed around a star system, presumably to keep someone or something inside.  When the envelope is removed, humans discover that the beings inside (the Primes) are very hostile and want to destroy anyone and anything that is not their species.  The humans want to coexist with these beings, but the Primes are single minded and want to destroy everything.

Security Whack-a-Mole
Data security

Everyone has played whack-a-mole at some time in their lives.  If you haven’t played it in an arcade or at an amusement park, I’m sure you played it online.  It’s a great way to get out your frustrations.  Unfortunately it can also be a metaphor for certain things in business.
  
One of the challenges of data and document security is that you are dealing with people, process and technology.  They all pop up just like in whack-a-mole.  With all the data breaches today, most organizations are focusing on the breakdown in their technology.  You also need to think about security policies for employees, vendors, contractors, visitors, etc.  What are the legal and financial processes you must follow if you have a breach?  What are the risks to your business, its officers and your customers?