Tag: data loss

Posted on

Business Data Loss is a Growing Problem

The portable computer was the secret business weapon of yesterday and is today’s essential business tool. The processing power, portability, storage, and connectivity available with laptops, tablets and smartphones has created a seamless extension to the office. Business users can work with their applications and data from just about anywhere. While mobile devices are valuable when it comes to conducting business, they also pose additional security risks. Increased efficiency, mobility, and accessibility can also mean an increased potential for a data breach or business data loss.

The workforce of today is mobile enabled. Business users, owners and managers, accounting advisors and business consultants can access all the information and analytical capability they need to perform their jobs and make informed business decisions, capturing and collecting important information while keeping productivity at the highest levels no matter where they are.

“87% of businesses rely on their employees to use their personal mobile devices to access company apps”, according to a post by Perillon. Some studies have estimated that as much as 80% of the data a company has (like customer files, contracts, financial data, product specifications) might be stored on portable devices. This means that mobility comes with risk, which is why Mendelson Consulting and Noobeh cloud services utilize cloud-based platforms and services to keep data safe and secure.

According to business data loss statistics compiled by Businessdit.com, the two most common causes of data loss are hardware failure (40%) and human error (29%). Overall, malware causes 35% of all data loss, taking advantage of the 21% of files that businesses are not protecting at all.

The stats show that it takes approximately 206 days on average to even detect a data breach, the costs of downtime and losses average around $1,410 per minute for small businesses, and 22% of SMBs close after a ransomware attack.

Data loss or theft can create big business and legal problems, too. Customer or client privacy may be compromised, sensitive information may be exposed, and confidential plans may be made public if a business doesn’t take steps to secure mobile data.

“The average cost of a data breach in 2021 was $4.24 million. That’s a huge increase from the $3.86 million cost in 2020. And it’s only going to get more expensive in the future. Companies need to be prepared to deal with the fallout from a data breach, which can include everything from legal costs to damage to their reputation.”

Businessdit.com

There’s an old saying that there are only two types of businesses: those who have lost their data and those who will. Imagine the potential chaos, risk exposure, reputation damage and the expense of losing your valuable business data or having it exposed to unauthorized parties.

While computing mobility delivers a host of advantages to the business and the user, care must be taken to ensure security, privacy, and confidentiality of the business information and protecting against business data loss.

Increased exposure to liability is a reality for any mobile business, and the risk is only multiplied by the number of systems a company has in the field. Smart businesses reduce risk by deploying secure yet versatile platforms for their workers that allow data to be stored and protected in centralized environments rather than on individual computing devices.

Via the cloud, businesses of all kinds are reaping the benefits of new and innovative service delivery, achieving the freedom and functionality a mobile working model demands. Mendelson Consulting and Noobeh cloud services have the cloud solutions and managed IT services that provide the mobile capability businesses need, but with the additional protection, additional security, and ongoing management that the value of the data demands.

jm bunny feetMake sense?

J

Posted on

4 Rules of Thumb Regarding Passwords and Authentication

Many people believe passwords are dumb.  They store their credentials for easy login, or maybe even leave the password blank if the app allows. For IT managers, forcing users to come up with a strong, unique password is definitely not an easy task.  Resting on convenience over security, many people would prefer to use familiar names and dates or simple phrases they can remember.  Even when IT departments try to enforce best practices there is often a struggle between honoring those standards and influencing user behavior.

Relaxed password standards allow users to set passwords that may be as easy to guess as they are to remember, and very strict requirements for strong and complex passwords often results with users storing passwords in document files or on post-it notes on the monitor. Setting password standards and managing the policy implementation requires a balance between usability and security, but more often than not the balance skews toward simplicity. Yet passwords aren’t going away any time soon, even while biometrics and multi-factor authentication methods grow in prominence.

It is most likely that new technologies and standards will be combined with passwords to protect critical data. Using only a password to protect information may not be the ultimate in security, but it is important to recognize that passwords remain as a key element in any security model. For now, passwords should be as strong and unguessable as possible.  As technologies and standards rise up to meet the demands of users as well as enterprises, there are likely to be changes in how passwords are used. Here are 4 rules of thumb to consider regarding passwords and where authentication technologies are going.

1. Your face might be your password.

Biometrics won’t fully replace passwords right away, but the use of biometric data for authentication is growing rapidly. Face recognition, fingerprinting and voice identification are all being employed as authentication mechanisms and users are embracing the technology because it is easier to use than a remembered password.  Smartphones and PCs have sensors for reading fingerprints and cameras for seeing faces, and microphones for hearing your voice.  Many systems are also now able to use geodata with the biometric data (matching person to place), making it harder to compromise an identity while also being less disruptive to the user. While the technology isn’t foolproof, it represents a major step towards creating more secure systems without placing the responsibility strictly on the user.

2. Two pieces of ID are better than one.

The point of multi-factor authentication is that there are two different pieces of evidence a user must present in order to gain access. For example, a password may be the first piece of evidence presented, with a pass code sent to a mobile device as a second. Even as biometric authentication grows in prominence, industry participants recognize that no single method covers all the bases all the time. Multi-factor authentication is gaining in prominence as users become more familiar with the methods and the implementations become less intrusive. AI may also influence how these systems are applied. As user behavior and transaction parameters are “learned”, systems can identify activities that fall outside of normal routines and additionally prompt users for single-use pins or passwords sent to their mobile device.

3. Businesses should learn from past mistakes.

With news of hacking, ransomware and malware being daily fare, companies and their users are realizing that password security really is important and are stepping up their security efforts. The information is available to help prevent businesses from making the same mistakes that others have, offering worst case scenarios a’plenty to learn from.  Using default passwords and recycling passwords across work and personal accounts, using unsecured network connections, not encrypting files that contain password information and failing to patch or update systems and software are entirely preventable situations that put information at risk. Taking the reports seriously and identifying mistakes to avoid is highly useful in designing security for the business.

4. There’s a growing ecosystem for authentication.

With the number and type of systems requiring authentication – from industrial control systems to dating websites – there is a great and growing need to find highly secure methods of authentication that are actually usable for the user. Even in the world of blockchain there is a need for “identity assurance” and confirmation when documents or biometrics are captured via smartphone. Fast IDentity Online (FIDO) is a set of security specifications for strong multi-factor authentication, developed by the FIDO Alliance. The FIDO Alliance includes members such as Google, Aetna, Amazon, Microsoft, Bank of America and Samsung, and developed the spec as an initial basis for standardizing authentication across platforms and systems at the client and protocol layers.  

Technology is changing rapidly and solutions once reserved for government and large enterprise are now entering mainstream consumer use. You’ve probably already noticed that banking and other apps are employing the use of fingerprint and other biometric data with increased frequency as users demand easier access to applications and features from their smartphones and other mobile devices.

These technologies sometimes replace traditional password entry as the primary means of authentication or augment password use in some manner. Even MasterCard has announced a component in its payment card solutions that allows users of next-gen payment cards to register their fingerprint data on their credit card.

The push is to allow users to interact with their tasks without putting up barriers to access.

A combination of usability and enhanced protection, the new standards are developing to address not just system security but identity verification for various purposes. Corporate information must be secured and so must personal identity information; simply read the news to understand what can happen when digital identity information gets compromised.

Whether the data is business or personal, keeping hackers and bad actors away from it isn’t easy, so strengthening the most basic first layer of protection – the password – is the best place to start.

Make Sense?

J

Posted on

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Posted on

Small Business IT Governance: You really need it now

it-balancing-actBig changes are going on in the world of information technology and business.  Where social computing and  mobility are no longer purely consumer concerns, enterprise IT departments face a growing requirement to embrace user devices and access in environments which were once strictly and closely controlled.  Enterprise IT may be challenged when presented with user personal devices and demands for remote access to enterprise data, yet the governance of systems is generally well-defined and strictly performed.  In small business, however, the people, policy and process issues (collectively incorporated into “governance”) tend to be more organic, and the use of personal devices and open access is more frequently considered to be a normal part of the overall business IT profile.

It is a focus on defining controls and processes, and influencing the activities and attitudes of the people involved, which has become an essential requirement in small business.  Where management of information technology resources was not of great concern to the small business owner before, increased device and information mobility (removal of physical boundaries) and erosion of logical boundaries around personal and business computing have become a really big deal for everyone in business. Small businesses just don’t often have departments of people working on the problem.

Technology use in business has always come at a price, and as various influences continue to change how users interact with devices, applications and systems, business owners and IT managers will continue to face difficult choices between balancing security of information resources and providing a productivity-enhancing user experience.   Too many security barriers result in avoidance of security protocols, slow or immobile company computers result in users working on their own machines and portables, and restricting access for mobile users results in “shadow IT” implementations of mobile sync and other data access approaches.

Yet “shadow IT” tends to be the norm with many small businesses, where there are often fewer barriers to implementing solutions which address individual user issues or problems.  Lacking the resources or understanding to develop a strong plan for managing information systems and technology within the business, small business owners often consider the computer systems and computerized data to be tools to get jobs done rather than strategically valuable assets to be strictly controlled and protected.  These business owners are not recognizing the ever-increasing need to not simply secure business information, but to establish processes and rules which will govern how users and devices access and interact with the information and systems.

Enterprise IT departments have often viewed their small business counterparts (customers, suppliers, etc.) as potential points of vulnerability, an attitude which was once considered to be centered not on real assessments of the risk but more in terms of ego, level of sophistication, and hierarchy in the food chain.  In today’s world of real risk introduced by myriad technological and human elements in every link in the supply chain, enterprise IT conclusions regarding the risk potential of doing business with anyone – including small businesses – may not be entirely unfounded.  Whether it be commentary and information distributed by individuals via social media or malware or corruption introduced inadvertently (or not) via computerized interaction, there is the possibility of risk introduced with every system, person and process involved.  Enterprise to enterprise, these issues may be more often recognized and remediated; where the SMB is involved, not always so much.

This is a brave new world of computing, and there is truth in that even the smallest of businesses can “compete with the big guys” when the right mixture of technology and process is applied – for good or bad.  Technology enables businesses to be more productive, get more done with fewer resources and perform at higher levels. IT Governance in small business is no longer an optional area of focus, addressed only during infrequent discussions with the local contract IT guy when he comes in to defrag the hard drive on a slow computer.  Establishing the proper processes and controls to wrap around IT use in the business has become an imperative; a necessarily specific and considerate approach to how information technology is used within the business, who uses it, and what IT is composed of.

Just about every business, and most individuals, are connected in some manner via some type of network, representing a dramatic and dynamic change to the traditional composition of business IT and the landscape of vulnerabilities which threaten it.  The increased connectedness, capability and complexity of systems and networks requires a greater focus on overall IT governance – exercising authority and controls – as the impact (just like the information) can easily and unintentionally reach far beyond the boundaries of the individual business.

jmbunnyfeetMake Sense?

J

“People are nothing more than another operating system”, says Lance Spitzner, training director for the Securing The Human Program at SANS Institute.  “Computers store, process and transfer information, and people store, process and transfer information,”  How Hackers Fool Your Employees

Posted on

The Business Cloud: Hype versus Reality

The Business Cloud: Hype versus Reality

There is no doubt that cloud and mobile computing models are driving technology adoption as well as changing the landscape of how consumers and businesses purchase and use IT.  Accompanying any great shift – which in this case is fueled not simply by cloud technologies but by social computing – are the purveyors of propaganda and hype.  Cloud computing and social media won’t make you popular, is not always safe or free, and it doesn’t whiten your teeth. What it can do is help businesses increase agility, collect and use information better and reduce the cost of change. There are many benefits to be achieved with cloud computing models, yet many providers continue to play on the hype rather taking the more difficult road of communicating how their solution actually solves real business problems.

Gartner research tracks this type of activity, producing reports offering assessments of the “maturity, business benefit and future direction of over 1,900 technologies”.  In the Gartner 2011 Hype Cycle Special Report, entries were grouped into 76 different “Hype Cycles”, revealing the similar patterns of “over-enthusiasm, disillusionment, and eventual realism” that comes with every new technology or innovation.  Hoping to provide guidance business IT decision makers, the report intends to inform businesses about when they should consider adopting technologies or IT models in order maximize the value of the approach.

Yet the market is bursting with definitions for “cloud computing”, and services providers offer their wares with varying levels of service and capability.  It’s really difficult to compare one private cloud solution to another, as they are all seemingly offering the same value proposition described in the same language – and none of it really describing what the solution is, how the business takes the greatest advantage of it, and what disruption can be expected along the way. Layer on top of that confusion a big heap of expectation, and the belief that cloud computing technologies are somehow different from “real” on-premise systems in that they are not subject to the same potential for breakage, failure, or unexpected cost.

elastic-2

For example, even though Amazon may use the term “elastic”, cloud computing does not automatically create a stretchy and eternally-dynamic resource that can grow without end.   There are still limitations and costs associated with growth.

There is also a great deal of hype around applications and their performance in cloud environments.  When a piece of software is poorly designed and crashes frequently on a local computer or network, it is just as likely that the application will perform poorly in the cloud. It’s simply a reality of software that even great products that are designed to run exactly the way they are being run don’t have a guarantee that nothing will ever go wrong. With cloud computing models, however, there may be a service provider working in the background to manage the systems and keep things running.  You simply might not notice the failures and hiccups as much, but they are still there.

And not all cloud services mean everyone is sharing servers and infrastructure.  While the term cloud generally applies to multiple scaled systems, it doesn’t mean that everyone shares everything and benefits from tremendous levels of redundancy and fault tolerance. In most cases, a solution described as a “private” cloud means that the service has been customized for the unique needs of the organization, and that there are resources of certain types allocated exclusively to the use of that customer. On the other hand, a private cloud may mean that the system elements are all contained within the business infrastructure, providing “cloud” type of services but being delivered from company resources.  There are a wide variety of ways to describe these configurations and approaches, and quite a bit of inconsistency in use of terminology.

The best thing for a business owner to do now is to just ignore the term “cloud” and simply consider how the business might leverage resources from service providers to gain more IT capability at reduced costs, and how outsourcing certain technology needs allows a greater focus on internal innovation and improvement.  Centralized management, improved security, disaster recovery, and increased mobility are all benefits to be realized with the right business cloud implementation.  Just because it is to be an outsourced solution does not mean that the business organization should not still architect and understand the solution they will depend on.  If this level of participation and understanding is not in place, the solution is unlikely to deliver the resulting benefits expected and hoped for.

Outsourced IT service, remote access and server-based computing aren’t new concepts.  It still requires using common sense and reasoning when considering any change in business technology and the innovative application of IT in a business – this cannot be outsourced.  When it comes to cloud computing… to put it bluntly, just avoid the hype and stay away from unrealistic marketing and sales messaging.  If it sounds too good to be true… it probably is.  Technology hasn’t come that far.

Joanie Mann Bunny FeetMake Sense?

J

Posted on

Migrating Business Data to the Cloud

Migrating Business Data to the Cloud

When businesses elect to have their desktop applications hosted in the cloud with a hosting service provider, they are also electing to have their data hosted with the provider.  This point is not always obvious to non-technical users and those unfamiliar with the hosted application concept.  Many business owners have adopted an online or hosted application solution and then realized after-the-fact that their data was no longer present on their computer.  At least, no current data was present, and it was quite a surprise the day they wanted some information but could not get it because they were not connected to the Internet at the time.  An important thing to remember, and the essential factor in measuring risk associated with use of cloud services and hosted solutions, is that adopting online applications in almost any form means that the data associated with (and possibly even data remotely associated with) the application will also migrate to the cloud.

mobile cloud data

Migrating on-premises servers – and the applications and data residing on them – to the cloud makes sense for many businesses.  Particularly as network and internet threats increase in number and as system vulnerabilities are more frequently introduced with remote and mobile access technologies, cloud solutions can significantly assist a business in mitigating the risks of being connected.  Yet business owners and IT managers must be diligent in terms of understanding the measures their service providers take to protect and preserve as confidential the customer’s business data.  And it becomes more than essential that any and all tools or services implemented be part of a strictly controlled information management and data protection plan.

Where applications are simply interfaces and logic; the value for a business is in the data used by the applications – data containing information about the company, how and with whom it does business, and how it makes money.  It is critical that the business consider how and where users need access to applications and data, so that any cloud deployment does not wind up hindering productivity rather than facilitating it to a greater level.  It is when the user becomes disenfranchised, unable to perform their work due to lack of access to information or tools, that “shadow IT” deployments appear, and data sharing solutions are introduced outside of the governance of management or IT.

The vast number of offerings for hosting applications and managing business data in the cloud makes finding and implementing the right business solutions a complicated and often frustrating process.  Even large providers that specialize in delivering from a menu of business cloud solutions often forget that their target customers may not be particularly tech-savvy, and will fail to recognize the nuances in service delivery or protection that could make big differences to the business down the line – like in the case of a system failure or outage.

Among the keys to a successful cloud solution deployment, particularly when critical and frequently used applications and data are to be migrated off-premises, is a thorough understanding of how users currently work with the tools provided, ensuring that processes and utilization can be fully adapted to the new IT model.

As long as users are able to retain their productivity and efficiency, and when improvements in workflows and information access become additional benefits, the security and protection of the business data is more likely, as users will feel less compelled to find alternative and less secure means for making the business data available from the cloud.  You may want to migrate your business data to the cloud, but you don’t want your data to migrate further than you can reach.

Joanie Mann Bunny FeetMake Sense?

J