Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.

The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.

If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:

• Save to a local drive
• Print information
• Copy and paste outside your protected space
• Or otherwise retain any information

However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.

For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.

There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.

In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.

To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention DLP tools available in the world. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.

There are other strategies as well:

• Provide people with only the information they need to know. A good book full of these examples is Blind Man’s Bluff: The Untold Story of American Submarine Espionage by Sherry Sontag and Christopher Drew.
• Rotate employees through specific duties so their time to do harm is limited.
• Force employees to take mandatory vacations during which time illegal behaviors may be detected.
• Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.

While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.

Please post your comments on the blog.

IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”

To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity! If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.

Granted, almost always, there will be some compromise. You may have to choose between being:

• 90% secure and 100% productive, or
• 100% secure and 90% productive

The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board etc for the organization. I generally lean to the first option in many cases.

Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.

I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.

On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.

Please post your comments on the blog.

If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.

One of my clients explained that the costs can soar to $5 per person to locate and notify people you’ve done business with. That’s $5,000 for every 1000 people you’ve served!

Additionally, there may be fines levied against you. For example,  in April 2010 the Financial Regulatory Authority fined the brokerage firm D.A. Davidson & Co. in Montana $375,000 after a hacker broke into their servers.

More and more, my clients and audience members are asking about IT security insurance to augment your protection. There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know of an agency that does offer IT security insurance and can write coverage anywhere in the USA: Andy Burkart, CPCU, of Burkart-Heisdorf Insurance Agency. The phone number is 800-989-6174.

I am NOT an insurance professional, so I encourage you to post any information and comments on this blog.

This is a concern for identity theft and also a source for other private information falling into the wrong hands. Organizations that fall under HIPAA compliance, Gramm-Leach-Bliley Act, PCI-DSS, and other regulations are sometimes more sure of the risk.

Earlier this month while I was performing an audit on a client’s network, he explained that he refuses to allow his staff to “outsource” making copies even to their CPA firm. He does this in order to “isolate” the area he needs to protect. He has a strict policy that documents can only be copied using copy machines in their office.

One of my readers is in contact with an organization that processes used copiers and they make sure to erase the hard drives before the copiers go to new owners.

If any of you are specifically seeking a copy machine security specialist, the CBS video interviews John Juntunen and it appears his web site is www.copiersecurity.com. The phone number on the web site is 530-672-9300 if you want to explore his services. The web site shows they offer a service that will remove your copier’s hard drive, destroy the drive, and replace the destroyed drive with a new drive formatted for use with that copier. They also offer anti-tampering kits to help you monitor your copiers to at least know if someone has accessed the data on the hard drives.

One point he made in the interview is how many companies do not seem to care about security until they have a breach—and then it is too late. I’ve felt the same frustration in the past. Security, be it in your computers, servers, or copy machines, is an important issue!

Please post any of your experiences or additional ideas about copy machine security here on this blog.

Some IT professionals tell me that their “boss” came down and said, “Give company such and such access into our network to access our data files so they can provide such and such service.” If the IT professional was brave enough to object to the “order,” they often got shot down.

If your IT professional knows anything about security, they get some pretty sweaty palms when opening up access to other companies. Their nights of restful sleep are probably over at that point too. And so should the executives be terrified!

Please do NOT open up your network for access by third party companies. I run into this at four or five companies a month and it has to stop!  Do you realize that:

• If the other company catches a virus, you probably will too?
• If an employee at the other company wants to steal your data, destroy your information, and even store illegal information at your office, they can?
• If you have a security problem, the other company may come after you for damages you cause on their network?

Indeed, it is feasible to outsource some of your services and functions into the “cloud.” More and more organizations are doing this.

The important part is to connect to the other entity in a responsible way! Allowing them unfettered access into your network is often a reckless choice.

I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”

At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.

I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.” I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.

This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?

I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.

Executives please make sure your IT department’s advisors are trustworthy as well!

A strategy that keeps gaining ground is the concept of “white listing” applications. In plain English, this means your computers have a list of programs that are on the “approved” list to run, such as Word, Firefox, Acrobat, Excel, etc.

Then, any other program cannot run. Period. That means virus 1, virus 2, virus 999, etc. is not allowed to run. This solves the whole problem of needing anti-virus. In theory, even if a virus does come into your network through e-mail, web site drive by download, or Ernie in shipping carrying in an infected memory stick, it doesn’t matter. The virus cannot run anyway!

The challenge lies in your IT department being able to keep an organized white list of “approved” programs. When an update to a program arrives, the new update has to be listed too or it will not run.

Many providers are offering solutions including Bit9 Parity and Lumension Application Control and there are constant advancements in making administration even easier.

Yes, some day anti-virus may be old news and never used again.

The primary reason we perform vulnerability assessments as parts of security assessments is to generate an inventory of all the computers currently alive on the network and a list of vulnerabilities those computers have.

The challenge is that the human brain loves a “list of what’s wrong.”  Most of the IT professionals at organizations go immediately to work solving the identified problems thereby “killing alligators.”

We always implore executives and IT professionals alike to focus on “draining the swamp” in addition to, and sometimes instead of, “killing alligators.”

In our ongoing effort to help IT professionals and organizations focus on strategic, as well as tactical, plans to take IT to the next level, I sometimes feel like a dentist who hands out new toothbrushes as well as a gift certificate to the local candy store in the same visit.

Vulnerability assessments are wonderful—just remember to focus on the one or two strategic changes that can fix one hundred or more tactical issues.

You can watch the short video on this story. Keep in mind that more and more social media tools are offering a service, sometimes turned on by default without your knowledge, to broadcast your GPS position.

Choose your friends online wisely. Watch two videos that demonstrate this principle:

• Facebook Identity Theft: Office Romance Goes Wrong When Facebook Profile is Hacked
• Car Wreck Car Crash and Social Internet Safety

For suggestions on how to be safe online using social media, visit www.learntobesafeonline.com

Without getting into the technical details, robust virtualization technology exists today that allows your operating systems and applications to be easily portable from one computer to the next, and even delivered to a machine quickly through the Internet.

This means that if a disaster strikes your main office—even a power failure that exceeds the capabilities of your standby power generator—your servers can basically migrate themselves to servers operating in one of your other offices or a safe data center of your choosing.  Keeping this in plain English: your users will still be able to get their work done as if nothing happened.

In the past, this kind of protection was very expensive, and now the prices are spiraling down. Some of the technologies you put in to save money on servers today, like server virtualization, come with this DRP advantage as a “side benefit” if you use it.  As you add technology to support remote users or simplify the IT management in your organization, like Terminal Services or Citrix Xen, also add the possibility for robust DRP.

As you upgrade your systems—be sure to get advice from a qualified professional about getting your Disaster Recovery Plan in order!