Tag: information management

Posted on

4 Rules of Thumb for Better Mobile Device Security

Security threats are everywhere, lurking in alley ways and around corners and even in your favorite coffee shop. Yet mobility is in demand, and people will use their smartphones and other mobile devices because it’s convenient, even if company policy suggests against it.

This is a big deal for IT and security professionals and CIOs, which is why it took a while for IT to recognize the need to address mobile device security rather than simply deny mobile device use. With data breaches, ransomware attacks, hacks and information leaks happening on an almost daily basis, businesses must find ways to protect their valuable applications and data from loss or misuse while at the same time enabling mobile device use.

The following 4 rules of thumb are not comprehensive but are four essential rules of thumb to help guide business owners in addressing mobility management and security within their organizations.

Rule 1: Make sure there are clear mobile device use policies and support them with ongoing administration and strict enforcement.

I can’t say enough about having good security and mobile device policies and keeping them modernized, relevant, and actually enforcing them. Too many businesses say they have a “security and use” policy in place, yet it is outdated and doesn’t reflect the actual tools or processes currently in use.  Even more frequently a business will develop a policy just to say it has one, but won’t actually train workers or enforce compliance.

Rule 2: Require and enforce strong passwords, manage access in real time, and force password changes with some frequency.

It is essential that all user access to applications or data be controlled at minimum by password-protected logins to the device and corporate resources coupled with periodic forced password changes. Users often prefer to not require passwords or other authentication for device access, but corporate policy should not only require them but also enforce their use.  Also, user access should be managed in real time, meaning that any aspect relating to access should be disabled or revoked immediately upon employee termination or reassignment. Too often these forgotten chores are relegated to after-the-fact IT administration, which allows users to access resources beyond their rightful boundaries.

Rule 3:  Do something to contain the applications and data on the device.

Whether the approach is with containers, cloud hosting, server-based computing or something else, it is really important to try to “contain” the applications and data accessed from the mobile device. Risk is created when users sync data directly to the device’s storage or install applications directly on the device to access corporate data. Password and other security measures prevent unauthorized access, but allowing applications, credentials or data to be stored directly on the mobile device allows those things to interact with other things on the device.  Containers, hosting and server-based computing models keep the applications and data within secured spaces, often not even storing essential items on the device but only accessing them via the device. This allows the business to provide users with the access and functionality they need to do their jobs, but also reduces the vulnerability of applications and information assets.

Rule 4: Keep device software up to date and download fewer apps.

Updating mobile device operating system versions and release levels is important to make sure the device has the most current security patches and threat protection.   Some mobile OSes even have capabilities which can help keep personal and work apps separated.  Limiting the number of apps users can download to their devices should also be considered. Users may randomly download and install applications to their devices with little regard for the quality or security of the app, and often accept terms of use without really reading them. Consumer apps from app stores may pose risks to data and the device, so IT should check regularly for problematic apps if the device is used to access the corporate network, applications or data.

Mobile and wireless are in demand

Just about every business has people who use their phones and tablets for some business use, and every one of those mobile devices and the apps running on them could open the door for a hacker, ransomware, data theft or compromise. While there are many benefits to be gained by enabling remote and mobile devices in the business workflow, unrestricted access only creates risk.

Keeping mobile devices secure for business use takes multiple approaches, as there is no single method or solution that works for every situation. Our 4 rules provide a basic foundation for business mobility management, offering a starting point for developing a more thorough and detailed plan.

Make sense?

J

Posted on

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

Payment Card Roll Call: “Not Present” fraud likely to increase as EMV takes hold

rollingballNo retailer wants to become the next Target (pun intended).  Payment card fraud costs businesses and consumers billions of dollars every year.  What’s even more frightening, many of the breaches in the news are the result of innocent participants inadvertently granting access to the bad guys.  The Target breach in 2013 exposed the data of 110 million payment cards.  Hackers got into the network using perfectly good credentials of the HVAC company.  Sometimes password security just isn’t enough, which might bring in to question the security of all those SaaS subscriptions and online shopping sites folks use these days.

EMV chip technology, the standard around the world which has just recently become a standard in the United States, has done a lot to stem the tide of credit card fraud in other countries.  As it was implemented in various countries, guess where it pushed the fraudsters?  Where the anti-fraud technology wasn’t, of course! The United States was among the laggards in requiring EMV chip technology for payment cards, opening the door for bad guys and turning the US into a veritable haven for credit card fraud, “accounting for nearly 50% of global fraud losses, according to the Nilson Report[1]”.

EMV chip (or chip and pin) technology will go a long way to prevent credit card fraud for businesses accepting payment cards… in-person and counterfeit card fraud, anyway. Online retail, on the other hand, not so much.  A chip on the card doesn’t really help when the transaction is completed with the card not present (CNP).  Some industry analysts suggest that CNP fraud losses will exceed $6 billion within the next few years, making e-commerce and online payment security a high stakes game for even the smallest of retailers.  As it gets more difficult to hack the payment system when the card is presented, bad guys will fall back in even greater numbers to the card-not-present model to find their victims.

Online retailers and service providers must take additional steps to secure their systems and protect customers and business partners, and face the challenge with the understanding that effort must be ongoing as new threats emerge. Tokenization is a prime method of layering the system with security, making the merchant system somewhat less of a worthy target by not storing the card data in the system.  Even if the system becomes compromised, the bad guys wouldn’t find customer payment card information.  There are numerous other steps a business can take to secure the CNP sales, including applying behavioral analytics which might identify rogue activities, or using 3D Secure to authenticate a cardholder’s identity at the time of purchase.   The point is that CNP fraud is likely to spike as EMV technology takes a firm hold in the US.

Card fraud is already escalating rapidly for ecommerce retailers and other card not present channels – it didn’t take EMV to start on that roll but it will surely give it a push.  Paperless payment systems, SaaS subscription services and online application service usage are increasing dramatically and there’s no chip to get in the way of these transactions.  Sellers of any and every service utilizing online payments need to now pay particular attention to system and information security.  The risk has always been there, and EMV chips and other shifts in pay card technology simply give it a push.

jmbunnyfeetMake Sense?

J

 

[1] Chipping away at Credit Card Fraud with EMV; Information Week Tech Digest powered by Dark Reading, Nov 2015; NilsonReport http://www.nilsonreport.com/publication_newsletter_archive_issue.php?issue=1071

Posted on

EMV and Retail – Your Trusted Advisor Should Be Advising You about This

EMV and Retail – Your Trusted Advisor Should Be Advising You about This

EMVChipCardThere is ‘big change a comin’ for retailers, merchants and any business that accepts credit cards for payments, and there are a great many businesses that are completely unprepared for it.  The change, what is being referred to as the “Payment Networks’ Liability Shift”, goes in to effect in October 2015 and places the burden of liability for fraud squarely on the shoulders of the merchants and card issuers who are not compliant with certain payment system security standards.  Accounting professionals and Trusted Advisors – here’s one of those things you should be helping your clients with.  Help them get informed, trained, and prepared.  Help them to understand the risk and decide on a course of action.  This is part of what makes a trusted advisor: they got your back.

The way things generally work in the US today, a fraudulent charge on a credit card is likely to end up being covered by the credit card company (the issuer). Starting in October, retailers are supposed to be able to accept payment cards with EMV chips (named for the founders of the standard: Europay, MasterCard and Visa), and must process those cards using the compliant technology that takes advantage of what the chip processing and security offers.  If these conditions aren’t met – like having a POS or payment terminal not capable of reading the EMV chip – the merchant is on the hook for the fraudulent transaction.  Given the volume of credit card and payments fraud in the country you’d think that most merchants would already be ready for this, but replacing all the POS and terminal equipment could be pretty costly.  It may take a bit of analysis to understand the real risk and compare that to the cost of compliance.  Certainly it makes sense to always be in compliance, but there are always factors which influence how quickly (or how completely) compliance may be met.

The liability shift is part of the influence being leveraged to get businesses to adopt newer and more secure models of electronic payment acceptance and processing.  It is simply the case that the magnetic strip on a credit card isn’t good enough any longer.  The new EMV Chip reading payment terminals require that the card be inserted and processed by the terminal rather than simply swiping the magstrip across a reader.  Over 40 years of using the magstrip approach has helped to earn the United States a top spot on the leaderboard for credit card and financial fraud, and we seem to be lagging behind in adoption and implementation of the EMV technology even though it has been shown to seriously curtail fraud even as payment card usage increases.  The EMV chip process, which encrypts information about the card so that even the local POS system doesn’t get access to it, is far more secure and is being widely adopted and used in Europe, Canada, Latin America and the Asia/Pacific regions.  Now the clock is ticking for US businesses to get ready to either update their systems or accept the liability for not doing so.

The shift in how payment cards are made and processed is simply one of many changes which will continue to occur as technology and human ingenuity continue to be applied in both good and not-so-good ways.  Recognizing that the pace of change is increasing, businesses must find ways to remain informed and prepare for those changes which will impact the business operation and sustainability.  This is among the essential roles the trusted advisor plays, and the current imperative simply underscores the growing need for such advisors by business large and small.

jmbunnyfeetMake Sense?

J

Posted on

Trusted Advisor is About the Work, Not the Title

Trusted Advisor is About the Work, Not the Title

Many accounting professionals believe they are THE trusted advisor the client comes to for advice and guidance on business financial matters.  Having fully bought into the messaging about the value of the accounting and tax work, these professionals are feeling pretty relaxed about their client engagements.  They believe the client will come to them with questions and provide the opportunity to deliver advice or work.  And each year  many clients return to get their taxes prepared or financial statements produced, and even new clients may appear.  But the work remains largely the same – financial statements and tax returns, and addressing additional needs only when the client brings it up, which isn’t all that frequently.

happy_clientOn the other hand, there are professionals who recognize that a proactive approach to helping clients results in better and richer client engagements and better-performing client businesses.  These professionals are truly the business advisors to the client – the trusted partners who understand the variety of conditions which impact business performance and care to make sure they are properly addressed.  This advisor not only reports but makes recommendations and provides guidance on certain situations or processes which are essential in the business model.  These professionals recognize that the bookkeeping and operational information collection is not simply a means to an end; these professionals understand that these foundational processes and the information they encompass are the important details which reflect the true performance of the business… details which no summary report can fully describe.

Having more direct participation in clients’ financial systems is a highly successful component of practice building, helping the firm to mine opportunities that may be hidden in current or new client engagements.  This does not mean that the accounting professional becomes part of client operations or workflows.  Rather, it suggests that the accounting professional understand these aspects of client operations and assist in the development of necessary controls and processes involving data collection or validation.  It may include the implementation of KPI and benchmarking solutions to help identify problems and map improvements, or it may involve the installation of a solution to improve the importing of orders and other transactions into the system, improving the efficiency in processing the information while at the same time reducing the potential for manual data input errors.

Regardless of the depth of direct involvement in client systems, professionals can more fully benefit from every client engagement by providing some level of training, consulting or supporting service in addition to compliance and reporting work.  Services may be aligned toward helping clients set up or support their own in-house bookkeeping and controllership responsibilities, or they may be more suited to providing real-time guidance and review of client business performance data. Either way, the quality of the financial information derived is generally far better and requires less work to adjust and report on.

The key is recognizing that the work involved – whether it is through training, regular process and data reviews, or more direct participation – is not intended to simply streamline reporting on outcomes.  The work the trusted advisor performs is intended to help the client save money and improve business and financial performance, and the practice is rewarded with higher value billable services and a much increased opportunity to engage the clientele in other efforts.

jmbunnyfeetMake Sense?

J

Posted on

Confusing Value Propositions: Cloud Platforms and Hosted Applications

it-balancing-actConfusing Value Propositions: Cloud Platforms and  Hosted Applications

When a service provider is in the business of selling computing resources – like bandwidth, processors and memory, and disk storage – it makes a lot of sense to also leverage the value of software products and systems which drive consumption of computing resources.  In short, they market and sell software that runs on the platform in order to get folks to buy the platform, no different from selling desktop and server software in order to sell the hardware to run it.  It’s just that these days the hardware and networking components are often referred to as the “platform” or maybe “the cloud”.

Let’s face it… cloud computing platforms are just no fun if there’s nothing to run on them, and a hard drive has little value when there isn’t anything stored on it.  Once there is something there – an application, data… something – then the part has actual value in terms of driving revenue.  This is the difficulty and the basis for confusing value propositions when it comes to offering and delivering services in the form of a hosting platform.  Once again: platforms are just no fun if there’s nothing to run on them.  Is the value is really about the applications, not the platform? Or is the value in the platform, because it’s necessary for running the applications?

The truth is that both are essential parts of the entire “solution”, and the value of how the solution is packaged and offered is purely up to the purchaser to determine in terms of applicability to the business.  When it comes to hosted application offerings for businesses, there isn’t a single one-size-fits-all approach that will work.  Sometimes people want to purchase from different vendors and put their own solutions together, and sometimes folks want turnkey delivery of whatever they need.  Even channel partners and value-added resellers are finding that, with diminishing margins and aggressive competition prevalent in the market, removing the time-consuming aspects of solution delivery becomes paramount to achieving some level of profitability on the work.

What this means is that providers are looking for ways to increase the overall value and usability of their solutions, and when it comes to platform services there are only two directions to look: automation to support self-service, and application software delivery to drive consumption and usage on the hosting platform.

So now we’re back to the applications again.  There’s no way to avoid them, but there’s no great way for platform companies to engage with them, either.  Working with business application software is sometimes complicated, often annoying, and can be exceptionally time-consuming and resource intensive. And there are few licensing models which make it really easy for hosts and ISVs (Independent Software Vendors) to work together.  Then, of course, there is the desire for exclusivity on one side or the other.

Software companies don’t generally want to select a single platform provider for their software for a very simple reason: they don’t want to limit their potential user base.  Now that Windows platform is available just about anywhere – on local computers, on mobile devices, from platform and infrastructure hosting providers – how does the ISV make a decision on a single delivery channel or model or provider?

Some lean towards working with hosting providers to create branded, point-deliveries of the application.  Too often, however, this approach removes the ability for customers to benefit from other applications or integrations, eliminating some of the value of the solution and certainly curtailing benefits for integrating partners of the ISV.

Host it themselves?  The last thing most software developers want is to be responsible for hosting and maintaining some other guys’ software products; they have enough to worry about with their own offerings.  If the solution is standalone, maybe this approach works.  But there are few solutions made for the desktop which don’t have some strange integration point with MS Office apps, Adobe reader, Internet browsers or other things prevalent on the user desktop.

There isn’t any proven or easy path for software developers, IT suppliers or small business customers looking to create mobility and managed subscription service around desktop and server applications, and there is likely never going to be a single story line that all will follow.  This is among the reasons for the popularity of the “hybrid” cloud approach and growing importance of managed application hosting and ISV-authorized delivery models.  Yet even key providers in those areas have a tough time really communicating what they do in a way that is meaningful to the buyer.  Are they selling a platform, applications, or both? Folks in the industry know the jargon and how to use it, and are often skilled at adjusting their language in order to obfuscate or confuse certain sticky issues regarding software licensing in the cloud and other similar aspects of hosting.  It’s no wonder that many customers remain confused as to what, exactly, they’re being asked to buy, and where the lines of flexibility and responsibility are drawn.

The applications justify the platform, and there are possibly multiple platform approaches to delivering the app. It is a confusing situation for business buyers of IT as well as for their resellers and suppliers, and the increasing number of options for how businesses approach purchasing and using information technology makes it unlikely that the process will become as simple as some suggest.

jmbunnyfeetMake Sense?

J

Posted on

State of the Union: The Irrelevance of Good Accounting?

State of the Union: The Irrelevance of Good Accounting?

financeI’m a little concerned, and any professional in accounting and finance who works with small businesses should be just a little concerned, too.  Why?  Because there is a belief out there that some nifty software and Internet Of Things (IoT) approach to finance will ultimately eliminate the need for a small business to work with skilled, trained accounting professionals.  Remember the marketing slogan introduced by Intuit with QuickBooks – the one that suggested that, “if you can write a check, you can do your own books”?  Most accountants will tell you that it is not true, and the ability to operate a product like QuickBooks does not magically turn poor accounting and bookkeeping information into good business data.  In fact, it most frequently enables bad information to turn into bad business decisions – quickly.

DIY bookkeeping solutions have been around for a while, so why the distress about it now? Up until this point, it hadn’t been so overtly stated to small business owners that having less-than-great accounting data is very much OK, and that the role accounting professionals play in small business finances is more of a burden than benefit.  Consider the statement made by President Obama in his recent State of the Union address:

“Let’s simplify the system and let a small business owner file based on her actual bank statement, instead of the number of accountants she can afford”

If I’m an accounting professional, I am pretty steamed up about that statement because I know how screwy business accounting data gets when the work is done by folks without the proper training.  Incorrect or improper accounting treatment can make a big difference when it comes to filing those taxes mentioned…. and not in a good way.  That transaction on the bank statement… Is it a cost of goods sold or a regular business expense? Is it an asset or supply item? Is it a reimbursement or revenue?  Is the payroll deduction before or after taxes?  Is that even a viable payroll deduction item?  These questions and more arise frequently in a small business, and the treatment for these items is improper as often as not.

There is a big value in what a trained accounting professional can offer a small business owner, and the value often translates to eliminating unnecessary tax burdens and the delivery of accurate reporting – both of which are really important when it comes to actually trying to grow a healthy and sustainable business.

Small businesses are often considered to be the fuel powering our economy.  Doesn’t it make sense for us all to recognize that smarter businesses are likely to be more successful, and that more successful small businesses means growth in the economy?  The importance of good fiscal and financial management and reporting – in business and in government – is not something to minimize, and suggesting that it takes no intervention or skill to do the job properly reflects poorly not only on the person saying it, but on the entire establishment.

jmbunnyfeetMake Sense?

J