<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Mike Foster's IT Security and Best Practices Blog &#187; computer security</title>
	<atom:link href="http://www.fosterinstitute.com/blog/tag/computer-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.fosterinstitute.com/blog</link>
	<description></description>
	<lastBuildDate>Thu, 29 Jul 2010 04:00:25 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<!-- podcast_generator="podPress/8.8" - maintenance_release="8.8.4" -->
		<copyright> </copyright>
		<managingEditor> ()</managingEditor>
		<webMaster> ()</webMaster>
		<category></category>
		<itunes:keywords></itunes:keywords>
		<itunes:subtitle></itunes:subtitle>
		<itunes:summary></itunes:summary>
		<itunes:author></itunes:author>
		<itunes:category text="Society &amp; Culture"/>
		<itunes:owner>
			<itunes:name></itunes:name>
			<itunes:email></itunes:email>
		</itunes:owner>
		<itunes:block>No</itunes:block>
		<itunes:explicit></itunes:explicit>
		<itunes:image href="http://www.fosterinstitute.com/blog/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<image>
			<url></url>
			<title>Mike Foster's IT Security and Best Practices Blog</title>
			<link>http://www.fosterinstitute.com/blog</link>
			<width>144</width>
			<height>144</height>
		</image>
		<item>
		<title>Is IT security stifling innovation?</title>
		<link>http://www.fosterinstitute.com/blog/innovation/</link>
		<comments>http://www.fosterinstitute.com/blog/innovation/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 04:00:02 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT network security]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[protect]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=549</guid>
		<description><![CDATA[Let’s face it—Providing adequate IT security needs does indeed stifle innovation. How could anyone argue with that?
IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built [...]]]></description>
			<content:encoded><![CDATA[<p>Let’s face it—Providing adequate IT security needs does indeed stifle innovation. How could anyone argue with that?</p>
<p><span id="more-549"></span>IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”</p>
<p>To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity!  If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.</p>
<p>Granted, almost always, there will be some compromise. You may have to choose between being:</p>
<ul>
<li>90% secure and 100% productive, or</li>
<li>100% secure and 90% productive</li>
</ul>
<p>The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board, etc. for the organization. I generally lean to the first option in many cases.</p>
<p>Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.</p>
<p>I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.</p>
<p>On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.</p>
<p>Please post your comments on the blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/innovation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT security insurance</title>
		<link>http://www.fosterinstitute.com/blog/it-security-insurance/</link>
		<comments>http://www.fosterinstitute.com/blog/it-security-insurance/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=507</guid>
		<description><![CDATA[Do you carry insurance for IT security?  Breaches can be costly. Insurance is just stepping up to meet this need.
If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.
One of my [...]]]></description>
			<content:encoded><![CDATA[<p>Do you carry insurance for IT security?  Breaches can be costly. Insurance is just stepping up to meet this need.</p>
<p><span id="more-507"></span>If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.</p>
<p>One of my clients explained that the costs can soar to $5 per person to locate and notify people you’ve done business with. That’s $5,000 for every 1000 people you’ve served!</p>
<p>Additionally, there may be fines levied against you. For example,  in April 2010 the Financial Regulatory Authority fined the brokerage firm D.A. Davidson &amp; Co. in Montana $375,000 after a hacker broke into their servers.</p>
<p>More and more, my clients and audience members are asking about IT security insurance to augment your protection. There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know of an agency that does offer IT security insurance and can write coverage anywhere in the USA: Andy Burkart, CPCU, of Burkart-Heisdorf Insurance Agency. The phone number is 800-989-6174.</p>
<p>I am NOT an insurance professional, so I encourage you to post any information and comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/it-security-insurance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Copy machines store copies of your documents</title>
		<link>http://www.fosterinstitute.com/blog/copy-machines/</link>
		<comments>http://www.fosterinstitute.com/blog/copy-machines/#comments</comments>
		<pubDate>Thu, 27 May 2010 04:00:48 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT security procedures]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[secure]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=505</guid>
		<description><![CDATA[When CBS ran the 5-minute video about how your copy machines hold copies of all the documents copied on their internal hard drives, many of you started asking questions.

As mentioned in the story, if you ever sell your copy machine or its lease expires, the hard drive in the device may contain very [...]]]></description>
			<content:encoded><![CDATA[<p>When CBS ran the <a href="http://www.cbsnews.com/8301-31727_162-20002884-10391695.html" target="_blank">5-minute video</a> about how your copy machines hold copies of all the documents copied on their internal hard drives, many of you started asking questions.<br />
<span id="more-505"></span><br />
As mentioned in the story, if you ever sell your copy machine or its lease expires, the hard drive in the device may contain very private information. Thank you so much to all of you who sent information about the video—that kind of “heads up” is always appreciated.</p>
<p>This is a concern for identity theft and also a source for other private information falling into the wrong hands. Organizations that fall under HIPAA compliance, Gramm-Leach-Bliley Act, PCI-DSS, and other regulations are sometimes more sure of the risk.</p>
<p>Earlier this month while I was performing an audit on a client&#8217;s network, he explained that he refuses to allow his staff to “outsource” making copies even to their CPA firm. He does this in order to “isolate” the area he needs to protect. He has a strict policy that documents can only be copied using copy machines in their office.</p>
<p>One of my readers is in contact with an organization that processes used copiers and they make sure to erase the hard drives before the copiers go to new owners.</p>
<p>If any of you are specifically seeking a copy machine security specialist, the CBS video interviews John Juntunen and it appears his web site is <a href="http://www.copiersecurity.com" target="_blank">www.copiersecurity.com</a>. The phone number on the web site is 530-672-9300 if you want to explore his services. The web site shows they offer a service that will remove your copier’s hard drive, destroy the drive, and replace the destroyed drive with a new drive formatted for use with that copier. They also offer anti-tampering kits to help you monitor your copiers to at least know if someone has accessed the data on the hard drives.</p>
<p>One point he made in the interview is how many companies do not seem to care about security until they have a breach—and then it is too late. I’ve felt the same frustration in the past. Security, be it in your computers, servers, or copy machines, is an important issue!</p>
<p>Please post any of your experiences or additional ideas about copy machine security here on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/copy-machines/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Does bug spray stop viruses?</title>
		<link>http://www.fosterinstitute.com/blog/stop-viruses/</link>
		<comments>http://www.fosterinstitute.com/blog/stop-viruses/#comments</comments>
		<pubDate>Thu, 13 May 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT network safety]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[Managing IT Professionals]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=493</guid>
		<description><![CDATA[If someone told you household oil cures arthritis, or that butter heals burns, or installing anti-virus is all you need to be secure on your network, would you believe them?
I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to [...]]]></description>
			<content:encoded><![CDATA[<p>If someone told you household oil cures arthritis, or that butter heals burns, or installing anti-virus is all you need to be secure on your network, would you believe them?</p>
<p><span id="more-493"></span>I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”</p>
<p>At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.</p>
<p>I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.&#8221; I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.</p>
<p>This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?</p>
<p>I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.</p>
<p>Executives, please make sure your IT department’s advisors are trustworthy as well!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/stop-viruses/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Executives – avoid big danger of online banking</title>
		<link>http://www.fosterinstitute.com/blog/banking/</link>
		<comments>http://www.fosterinstitute.com/blog/banking/#comments</comments>
		<pubDate>Thu, 06 May 2010 04:00:24 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[recommendations]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=487</guid>
		<description><![CDATA[Many executives use online banking for their personal accounts at home. Here is a simple step to potentially save you tons of money and a huge headache—NEVER perform online banking from any computer that is also used by your spouse or kids. Ever.
Spouses and children tend to engage in online behavior that can lead to [...]]]></description>
			<content:encoded><![CDATA[<p>Many executives use online banking for their personal accounts at home. Here is a simple step to potentially save you tons of money and a huge headache—NEVER perform online banking from any computer that is also used by your spouse or kids. Ever.</p>
<p><span id="more-487"></span>Spouses and children tend to engage in online behavior that can lead to infections on your home computer. They visit many web sites, participate in instant messaging and social media, and may even share files with “friends.” Spouses and children may sometimes ignore important system messages and also sometimes “fall for” bogus system messages designed to allow a virus, worm, or Trojan to infect your computer.</p>
<p>Then, when you sit down to do your online banking, your account may be compromised.</p>
<p>Maybe now is a good time to treat yourself, or your family, to a separate computer. Here are 7 quick tips to perform on any new computer to help keep it safe: <a href="http://www.fosterinstitute.com/blog/7-quick-tips/">http://www.fosterinstitute.com/blog/7-quick-tips/</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/banking/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is anti-virus obsolete?</title>
		<link>http://www.fosterinstitute.com/blog/obsolete/</link>
		<comments>http://www.fosterinstitute.com/blog/obsolete/#comments</comments>
		<pubDate>Thu, 29 Apr 2010 04:00:24 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Keep viruses off your servers]]></category>
		<category><![CDATA[Keep viruses out of your network]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[Stopping Network Viruses]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=483</guid>
		<description><![CDATA[The problem with anti-virus programs these days is that so many viruses come out every hour that anti-virus programs can hardly keep their list of virus signatures up to date. If your anti-virus program doesn’t know a virus is “bad” until hours after the virus arrived, you are still infected and it may be too [...]]]></description>
			<content:encoded><![CDATA[<p>The problem with anti-virus programs these days is that so many viruses come out every hour that anti-virus programs can hardly keep their list of virus signatures up to date. If your anti-virus program doesn’t know a virus is “bad” until hours after the virus arrived, you are still infected and it may be too late.</p>
<p><span id="more-483"></span>A strategy that keeps gaining ground is the concept of “white listing” applications. In plain English, this means your computers have a list of programs that are on the “approved” list to run, such as Word, Firefox, Acrobat, Excel, etc.</p>
<p>Then, no other program can run. Period. That means virus 1, virus 2, virus 999, etc. is not allowed to run. This solves the whole problem of needing anti-virus. In theory, even if a virus does come into your network through e-mail, a web site drive-by download, or Ernie in shipping carrying in an infected memory stick, it doesn’t matter. The virus cannot run anyway!</p>
<p>The challenge lies in your IT department being able to keep an organized white list of “approved” programs. When an update to a program arrives, the new update has to be listed too or it will not run.</p>
<p>Many providers are offering solutions including Bit9 Parity and Lumension Application Control and there are constant advancements in making administration even easier.</p>
<p>Yes, some day anti-virus may be old news and never used again.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/obsolete/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is IT security pushed to the back burner?</title>
		<link>http://www.fosterinstitute.com/blog/back-burner/</link>
		<comments>http://www.fosterinstitute.com/blog/back-burner/#comments</comments>
		<pubDate>Thu, 11 Feb 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[professionals]]></category>
		<category><![CDATA[Working With IT People]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=415</guid>
		<description><![CDATA[Due to a number of problems in organizations, IT security too often gets pushed to the back burner. After a breach happens, IT often blames management, and management often blames IT. A wise friend told me many times, &#8220;It is not about fixing the blame; it is about fixing the problem.&#8221;
The problem with data breaches [...]]]></description>
			<content:encoded><![CDATA[<div style="line-height: 18px;"><p>Due to a number of problems in organizations, IT security too often gets pushed to the back burner. After a breach happens, IT often blames management, and management often blames IT. A wise friend told me many times, &#8220;It is not about fixing the blame; it is about fixing the problem.&#8221;</p>
<p><span id="more-415"></span>The problem with data breaches is that sometimes, after the breach, it is too late to save the company. Remember the company Fly Clear? I have earned, and spent, more than 6 Million Miles in my frequent flyer account at a major airline. Fly Clear allowed me to bypass the lines at airport security and added a huge amount of quality time back to my family. Then, Fly Clear lost a laptop at a Northern California airport, and I got a letter about the possible breach. In the letter, the CEO said he didn&#8217;t know why they were not encrypting all the hard drives at the company to protect client data, but they would from then on. Yeah, from then on until his company closed its doors. Who wanted to give all their private security information to a company that loses it? Fly Clear did close their doors—less than a year later. This closing, and others like it, is so sad because it was likely preventable.</p>
<p>The Fly Clear CEO seemed angry at his IT department for not telling him ahead of time about the importance of full disk encryption—a common feeling among executives who are angry at IT after a breach. Full disk encryption is just one of the many strategies companies can use to protect themselves.</p>
<p>It amazes me how few CEOs and other executives have ever learned about full disk encryption—and sometimes their IT professionals have not heard of it either. I find that understandable since IT has so many specializations and, just like cardiologists do not necessarily know all about neurology, a company may not have an IT security professional on staff to make security recommendations. Come to think of it, my consulting business revolves around being that outsourced IT security specialist for companies.</p>
<p>For 2010, I encourage you to have some conversations with IT professionals, qualified in IT security, about the status of your IT security and what you can do to increase it.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/back-burner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Do we need more government regulation?</title>
		<link>http://www.fosterinstitute.com/blog/regulation/</link>
		<comments>http://www.fosterinstitute.com/blog/regulation/#comments</comments>
		<pubDate>Thu, 04 Feb 2010 04:00:29 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[network security]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=410</guid>
		<description><![CDATA[I was giving a presentation in 2009, and a CEO of a successful corporation talked about how he received one of those letters saying, &#8220;Your data may have been obtained by hackers due to a data breach.&#8221; He asked, &#8220;What can we do to get the other businesses in the world to keep our data [...]]]></description>
			<content:encoded><![CDATA[<div style="line-height: 18px;"><p>I was giving a presentation in 2009, and a CEO of a successful corporation talked about how he received one of those letters saying, &#8220;Your data may have been obtained by hackers due to a data breach.&#8221; He asked, &#8220;What can we do to get the other businesses in the world to keep our data safe?&#8221;</p>
<p><span id="more-410"></span>Before I could catch them, these words spewed out of my mouth: &#8220;We need more government regulation of businesses.&#8221;  I immediately stopped, appalled at what I had just said, and stood there in disbelief.</p>
<p>The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week&#8217;s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say &#8220;No! Enough regulation already!&#8221; I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation forced them to be more careful with private information. The PCI-DSS standard for companies that accept payment cards is still a regulation—except in Nevada where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.</p>
<p>I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way? Please respond with your comments on this blog.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/regulation/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Online safety not a priority for families?</title>
		<link>http://www.fosterinstitute.com/blog/online-safety/</link>
		<comments>http://www.fosterinstitute.com/blog/online-safety/#comments</comments>
		<pubDate>Thu, 28 Jan 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[secure]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=397</guid>
		<description><![CDATA[I&#8217;m having a revelation in my career—home users care more about other issues than they care about IT security. Can this be true?
Businesses focus on IT security, especially after they experience a breach.
Consumers also bombard me with questions after my presentations saying they want their home and family to be secure.
I built a not-for-profit web [...]]]></description>
			<content:encoded><![CDATA[<div style="line-height: 18px;"><p>I&#8217;m having a revelation in my career—home users care more about other issues than they care about IT security. Can this be true?</p>
<p><span id="more-397"></span>Businesses focus on IT security, especially after they experience a breach.</p>
<p>Consumers also bombard me with questions after my presentations saying they want their home and family to be secure.</p>
<p>I built a not-for-profit web site (<a href="http://www.learntobesafeonline.com" target="_blank">www.LearnToBeSafeOnline.com</a>) with short instructional videos to help consumers be safe online. To date, only 500 visitors in 3 months have viewed videos on the site.</p>
<p>Maybe there is less traffic because the site does not answer their needs, the videos are confusing or boring, or is it just that our demanding lives in 2010 push IT security way down the list below other more pressing matters at home?</p>
<p>In my own family, we focus on school, homework, after school events, doctor appointments, the pets, and pretty much everything else we feel will provide the best possible upbringing for the family. And, yes, that includes weekly dates for my wife and me away from the kids.</p>
<p>IT security is a big priority at our household, although it is largely &#8220;hands off&#8221; since the processes are automated and the systems take care of themselves. Maybe that is the disconnect—many families don’t know where to start, fear they will be confused, so they decide, consciously or unconsciously, to deal with computer security &#8220;first thing tomorrow&#8221; and focus on more pressing issues instead.</p>
<p>If nothing else, I sleep better at night being able to send people to <a href="http://www.LearnToBeSafeOnline.com" target="_blank">www.LearnToBeSafeOnline.com</a> when they ask questions like, &#8220;How do I stay safe on Facebook?&#8221; or &#8220;How do I make my WiFi wireless networking secure at home?&#8221; I&#8217;m also happy to give you a place to send people who ask you the same questions.</p>
<p>If you want to, please respond on this blog with your ideas on how we can help consumers realize the importance of IT security before they experience a problem of some kind.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/online-safety/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Banks suggest you dedicate one PC for online banking</title>
		<link>http://www.fosterinstitute.com/blog/online-banking/</link>
		<comments>http://www.fosterinstitute.com/blog/online-banking/#comments</comments>
		<pubDate>Thu, 21 Jan 2010 04:00:54 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Save time]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[professionals]]></category>
		<category><![CDATA[recommendations]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=391</guid>
		<description><![CDATA[USA Today reports that the American Bankers Association (ABA) recommends small and mid-sized businesses dedicate a computer to use only for online banking, and avoid using any other computers for online banking.  While this may sound good, it can create headaches in practice.
The theory is that, if the &#8220;online banking only&#8221; computer is only [...]]]></description>
			<content:encoded><![CDATA[<div style="line-height: 18px;"><p>USA Today reports that the American Bankers Association (ABA) recommends small and mid-sized businesses dedicate a computer to use only for online banking, and avoid using any other computers for online banking.  While this may sound good, it can create headaches in practice.</p>
<p><span id="more-391"></span>The theory is that, if the &#8220;online banking only&#8221; computer is only used for online banking and nothing else, the computer is less likely to be infected with viruses, key loggers, and other malicious software.</p>
<p>Having two computers comes at a huge cost to convenience for the people in your office who need to perform online banking. That means they need to have two computers at their desk. They could use a KVM switch to share the same keyboard, monitor, and mouse and switch back and forth between the computers.</p>
<p>Your IT professional might be willing to set up a virtual machine on the regular machine to use for online banking, but IT will still need to keep that virtual machine current with patches and protected with anti-virus. The end-user may become confused using the virtual machine and reject the idea completely.</p>
<p>Controls would probably need to be put in place to limit access to banking web sites to the single machine so no employees ever &#8220;cheat&#8221; and use their own workstation to access online banking.</p>
<p>On a positive note, an inexpensive computer would be more than enough to handle the online banking, and there are tools like Microsoft&#8217;s Steady State and Deep Freeze (<a href="http://www.faronics.com/html/deepfreeze.asp" target="_blank">http://www.faronics.com/html/deepfreeze.asp</a>) that can help lock the machine down to a single purpose and help protect from infections.</p>
<p>Do you dedicate a single computer for your online banking tasks? What is your response to the ABA&#8217;s advice? Please add your comments to the blog.</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/online-banking/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
