Archive for Security
by Celine Roque
It’s well known that many employees have taken their social networking addiction to their offices. While loss in productivity is the biggest concern resulting from this trend, IT departments are quickly realizing that security is also an important issue.
Sophos conducted an online poll among system administrators last February, with 709 respondents from various companies. Asked whether they thought that employees’ activity on social networking sites endangers corporate security, two-thirds (66%) of them agreed this is a serious threat. With good reason, as popular sites like Facebook, MySpace, LinkedIn and Twitter seem to be the new favorite target for hackers. A third of the respondents said they have been spammed on social networking sites, while 21% have been the victim of targeted phishing or malware attacks.
Basically, it’s the same tricks, different media. According to the report, “A typical method of attack is for hackers to compromise accounts by stealing usernames and passwords – often using phishing or spyware – and then, use this profile to send spam or malicious links to the victims’ online friends and colleagues.”
Despite the dangers, Sophos doesn’t believe in imposing total lockdowns (that is, banning all access). They argue that whatever barriers you install, employees will find a way to open up holes, compromising security all the more. Instead, Sophos is recommending the following strategies:
- Educate your workforce about online risks – make sure all employees are aware of the impact that their actions could have on the corporate network
- Consider filtering access to certain social networking sites at specific times – this can be easily set by user groups or time periods for example
- Check the information that your organisation and staff share online – if sensitive business data is being shared, evaluate the situation and act as appropriate
- Review your Web 2.0 security settings regularly – users should only be sharing work-related information with trusted parties
- Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content
It’s interesting to note that in the survey, 7% of system administrators who limit access to social networking sites admitted to doing so without knowing why. Just following orders? Then that’s a glaring communications breakdown. How will employees understand and cooperate with policies when even the enforcers aren’t sure why they’re doing what they’re doing?
The full report can be accessed here.
by Celine Roque
Once again, when it comes to office Internet access, employees prove the old saying that “where there’s a will, there’s a way.” Even with expensive enterprise security features in place, office workers inevitably circumvent them using proxies, encrypted tunnels, and remote desktop access applications. This is according to Palo Alto Networks’ research covering nearly 900,000 users on 60 large corporate networks.
Peer-to-peer programs were detected on 92% of these networks (BitTorrent and Gnutella being the most common among them). Browser-based file-sharing and cloud-storage tools (like MegaUpload and YouSendIt) were also seen on 76% of the networks observed. Various web apps are also in use, and while they are helpful to those who need to do off-site work, Palo Alto Networks says they are questionable in terms of security compliance and therefore pose a risk.
Another negative effect of these unwanted applications is that they gobble up a huge amount of bandwidth. The report found that 51% of the bandwidth being consumed by companies was due to 28% of the apps used, a majority of them consumer-oriented (media, social networking, P2P and browser-based file sharing, web-browsing and toolbars).
Today’s applications were designed to be highly accessible, and so they navigate corporate firewalls easily (or at least can, with a little help from office techies). It’s difficult to block them permanently when users quickly adapt to barriers. Palo Alto Networks recommends filtering traffic by application type, content and user, as opposed to the traditional way of blocking ports, protocols and IP addresses. This strategy may be more effective, but perhaps it will only be a matter of time before it gets cracked as well.
An alternative would be to understand the reasons behind the popularity of these rogue apps. Needs drive demand. Some of them may have legitimate business uses, such as cloud storage tools. In this case, companies may opt to provide their employees with a suitable substitute that complies with the company’s security standards. They might also want to work with the developers of popular apps to ensure compliance, and perhaps do some tweaking of their own networks. Completely eliminating insecure activities on corporate networks may be a tall order, but minimizing them is definitely not impossible.
by Celine Roque
Policing employees to ensure network security is tough enough for IT, but when the risk is way up on top, it compounds the whole situation. Company executives usually hold the most sensitive data in an organization, and according to an article on New Scientist, they are also the most vulnerable to threats. One of the reasons for this is that it’s difficult to get them to adhere to IT policies, such as the prohibition of unauthorized software. As Pentagon expert Glenn Zimmerman put it, “But woe betide the lowly IT director that would inconvenience the CEO with such restrictions.”
Yael Shahar, a cyberwar analyst from Israel, suggested that IT personnel should hack these executives’ computers from within the network, if only to prove a point (desperate times call for desperate measures?). While this may, in theory, open the bosses’ eyes to how vulnerable their systems are, I highly doubt there are many would-be “white hat hackers” who would risk their jobs in this fashion, given the state of the economy. Although, with prior notice and other arrangements, it may actually work. In the end, an IT department’s best friend is an enlightened management.
As we’ve seen many times in the past, trouble arises when people in power think they’re above the law – or, in this case, their own company policies. One comment said it best: “I doubt seriously that there will ever be a technological solution to a sociological problem. The problem is with people, not their tools.”
by Celine Roque
A recent survey conducted by the Ponemon Institute [found via DataTheft.org] had some startling information about data loss during times when businesses are downsizing:
According to our findings, 59% of employees who leave or are asked to leave are stealing company data. Moreover, 79% of these respondents admit that their former employer did not permit them to leave with company data.
Source: “Data Loss Risks During Downsizing” by Ponemon Institute LLC, February 23, 2009
The respondents were chosen among employees who were fired, laid off, or who left their jobs voluntarily. Since we’re seeing more layoffs across several industries each month, it’s no surprise that many employees who were let go are feeling vindictive.
But what seemed more alarming to me was that 67% of those who stole corporate data from former employers used the stolen data to leverage their new jobs. While it’s natural to feel angry and vengeful towards an employer when you’re let go during tough economic times, acting on those feelings is another matter.
Obviously, this is bad news for companies as data theft might lead to security risks as well as loss of revenue. More importantly, the clients of these companies are threatened as well, since most of the stolen data includes email lists, customer information, contact lists, and other business information.
It is evident that security policies, non-disclosure agreements, and other contracts referencing data security are ineffective when it comes to preventing data theft. The study recommends several solutions to this problem, including auditing an employee’s electronic and paper documents as part of their exit interview, as well as monitoring the employee’s access to the corporate network before they leave.
Does your business prevent data theft? How worried are you about disgruntled employees stealing company data?
by Celine Roque
A recent study commissioned by Fiberlink Communications showed the usual results that most studies on telecommuting tend to show – increased productivity, transportation costs lowered, and better work-life balance for employees. But one aspect of the study caught my eye in particular:
Remote workers admit to risky online behavior and insecure data practices with 24 percent altering security settings and 23 percent delaying security updates on devices. Even more, 43 percent, have downloaded personal photos and videos and 31 percent cop to downloading software for personal use. About one quarter, 25 percent, admit to clicking on blacklisted or banned Web sites on company devices.
Source: “Employees Like Mobility Despite Extra Work Hours” by Judy Mottl, InternetNews.com
While the remote workers who commit these mistakes are the minority, over 20% for each offense is still an alarming figure, considering that almost every remote worker has sensitive business data on their devices. It may be easy to point one’s finger at the naughty telecommuter, but studies also show that the businesses themselves are lacking in providing adequate privacy and security measures.
In a survey conducted by the Center for Democracy and Technology, it was concluded that “many organizations today are not effectively managing the risks to personal information presented by the telecommuting workforce.” The results showed that only half of the 73 organizations surveyed developed telecommuting guidelines for their employees. If such a big percentage of organizations don’t have these guidelines, then it’s no surprise that these security leaks occur.
In the end, we can’t solely blame either the employer or the employee for poor security risk management. The truth is, without firm security policies that are discussed between employer and telecommuter, the latter wouldn’t know what the boundaries are. As for the telecommuters themselves, it’s about following company policy even if no one appears to be watching.
by Jim Ware
(This is a cross-post from the Future of Work blog.)
One of the real downsides of this “Age of Mobility” is the risk of losing your laptop – or, more likely, having it stolen from a coffee shop or even an office. It’s especially a problem as these devices get smaller and smaller, and we become more and more dependent on them.
Well, today’s [July 31] San Francisco Chronicle included a short note about a new, free software package that you can install on your laptop to help you find it when it’s gone missing (“One Way to Keep Track of your Lost Laptop”).
I guess it works sort of like LoJack for cars – it reports the laptop’s Internet Protocol address and other locational information. And if your laptop is a Mac the software (called Adeona, after the Greek goddess who protected travelers and children and ensured their safe return) will even take a picture of the person using it. Makes that little built-in webcam really useful!
Anyway, I just downloaded the software and installed it on my MacBook. It’s a small package, doesn’t take up much room on the hard disk and seems like a great idea. Of course, it’s one of those things I hope I never have to use.
I believe there are also plans to develop similar kinds of security products for smaller mobile devices like cell phones and PDAs too.
Seems like an essential component of the future of work to me.
by Bill Ives
I wrote about WorkLight entering the enterprise Facebook market with their Workbook application on the Fast Forward blog. Last week I spoke with David Lavenda, their Vice President, Marketing and Product Strategy, about the range of products they offer. David said the company was founded by two executives from Amdocs (NYSE:DOX) and other hi-tech companies, who saw the well-documented trend of employees bringing consumer web products into work. This has caused concern among IT folks, and one of their main concerns is security. Many employees, especially the younger ones, are used to the advanced features, transparency and networking enhancements found on the new web. In many cases, they are bringing these tools in whether or not IT sanctions them. WorkLight rightly saw a market here and started the company in 2006. The company’s flagship product, WorkLight for the Enterprise, is a secure and scalable server-based product that provides protected access to enterprise data and expertise through consumer web interfaces. They started with RSS feeds, then moved to Ajax and gadgets, and now have their Facebook application.
Their tools allow for a secure connection between almost any Web 2.0 front end, such as Facebook, and back end enterprise applications. The web tools include iGoogle home pages, MS Live, Netvibes, Yahoo widgets, and others. They also offer gadgets for more traditional enterprise web tools such as Sharepoint, but their main focus is supporting secure connections with consumer web tools. This allows employees to get enterprise information anywhere with a consumer tool they are comfortable with. In addition, WorkLight partners with organizations, such as retail banks, to allow them to offer their customers the secure use of consumer web interfaces to their personal financial data. These customers can bypass the bank portal and just use RSS feeds and consumer web gadgets to get updates to their personal data. Needless to say, the security concerns here are quite intense and the expectations are high, so this is a great demonstration of web security.
The most popular interface they support appears to be Facebook. They found that some of their customers tried to build their own social networking tool using Sharepoint or Lotus Connections, found this difficult, and struggled with adoption. The existing popularity and familiarity of Facebook made adoption much easier once security was added through Workbook. The trend is to sell to business users within the enterprise who find it hard to access information, and to online marketing people at banks for their customer-facing tools.
One of their clients is a bank with over 60,000 employees working in locations across the world. The bank wanted to leverage employee expertise and encourage internal interactions, without compromising security and regulatory requirements. Through WorkBook, employees now connect with colleagues from other departments and locations, locate people with certain knowledge or common interest area, ask questions and get answers, create and join discussion groups, etc. The platform integrates with enterprise applications, e.g. to share and bookmark documents from the company’s document management system.
In another case, their client provides support and services to telecommunications operators around the world. These personnel must continuously report hours worked in order to properly bill customers. Managers need to have an up-to-date view of the hours spent on specific projects and customers. They also need to be aware of missing and invalid time reporting. The WorkLight server, which resides in the company’s data center, is integrated with the ERP system. This makes the time reporting capabilities available to employees through desktop and web-based gadgets that enable easy reporting of work hours. These Ajax-based mini-applications reside on the employee’s desktop as part of Windows Vista, Apple Sidebar or Yahoo widgets. Alternatively, they are securely integrated into the employee’s personal home page in iGoogle, Microsoft Live or Netvibes. Employees can also define RSS feeds, such as: “My approved time reports”, “My employees’ missing reports” or “New reports for project X”. It is great to see examples like these two cases, as they help to validate the promise of Enterprise 2.0 and provide additional implementation ideas.
WorkLight plans to continue to support the latest consumer web tools. They will let tool makers such as Google provide the innovation and develop the audience. Then they offer the security to take the new tools safely behind the firewall.