<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
	xmlns:media="http://search.yahoo.com/mrss/"
>

<channel>
	<title>Mike Foster's IT Security and Best Practices Blog &#187; IT Security</title>
	<atom:link href="http://www.fosterinstitute.com/blog/tag/it-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.fosterinstitute.com/blog</link>
	<description></description>
	<lastBuildDate>Thu, 12 Jan 2012 04:00:36 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
	<copyright>2006-2007 </copyright>
	<managingEditor>mike@fosterinstitute.com (Mike Foster's IT Security and Best Practices Blog)</managingEditor>
	<webMaster>mike@fosterinstitute.com (Mike Foster's IT Security and Best Practices Blog)</webMaster>
	<image>
		<url>http://www.fosterinstitute.com/blog/wp-content/plugins/podpress/images/powered_by_podpress.jpg</url>
		<title>Mike Foster's IT Security and Best Practices Blog</title>
		<link>http://www.fosterinstitute.com/blog</link>
		<width>144</width>
		<height>144</height>
	</image>
	<itunes:subtitle></itunes:subtitle>
	<itunes:summary></itunes:summary>
	<itunes:keywords></itunes:keywords>
	<itunes:category text="Society &#38; Culture" />
	<itunes:author>Mike Foster's IT Security and Best Practices Blog</itunes:author>
	<itunes:owner>
		<itunes:name>Mike Foster's IT Security and Best Practices Blog</itunes:name>
		<itunes:email>mike@fosterinstitute.com</itunes:email>
	</itunes:owner>
	<itunes:block>no</itunes:block>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.fosterinstitute.com/blog/wp-content/plugins/podpress/images/powered_by_podpress_large.jpg" />
		<item>
		<title>Is video best for Security Awareness Training?</title>
		<link>http://www.fosterinstitute.com/blog/video-training/</link>
		<comments>http://www.fosterinstitute.com/blog/video-training/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 04:00:23 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[recommendations]]></category>
		<category><![CDATA[security awareness training]]></category>
		<category><![CDATA[Working with executives]]></category>
		<category><![CDATA[Working With IT People]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=1064</guid>
		<description><![CDATA[So you realize you need to require Security Awareness Training for everyone in your organization in order to help increase your IT security. What is the best way to deliver that training? Live training? Computer-based learning? Videos? Points to remember about instruction delivered over videos and/or the Internet: Provide 60 minutes maximum to help [...]]]></description>
			<content:encoded><![CDATA[<p>So you realize you need to require Security Awareness Training for everyone in your organization in order to help increase your IT security. What is the best way to deliver that training? Live training? Computer-based learning? Videos?<br />
<span id="more-1064"></span><br />
Points to remember about instruction delivered over videos and/or the Internet:</p>
<ul>
<li>Provide 60 minutes maximum to help avoid losing attention.</li>
<li>You can lose attendees&#8217; attention before the meeting even starts.</li>
<li>Attendees may choose to multi-task during the presentation anyway.</li>
<li>If you have a qualified presenter, then videotaping a live presentation is generally better than recording a web meeting. Viewers often feel the presenter’s recorded presentation is more interesting than a web meeting.</li>
<li>Experience with other organizations strongly suggests that your ROI will be better via a live presentation. Users &#8220;get it.&#8221;</li>
<li>If you do choose to present a web meeting and/or video recorded live presentation, I suggest you notify the remote attendees ahead of time that they will be required to fill out an answer form (basically a test) afterwards. This may encourage them to pay even more attention during the presentation.</li>
</ul>
<p>Next time I will focus on using a live presenter as the delivery method.</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/video-training/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Old-school anti-virus is no longer the best protection</title>
		<link>http://www.fosterinstitute.com/blog/anti-virus/</link>
		<comments>http://www.fosterinstitute.com/blog/anti-virus/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 04:00:11 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Keep viruses out of your network]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=1043</guid>
		<description><![CDATA[Anti-virus sounds like a great feature, right? But anti-virus can be ineffective in fighting newer threats. For years, anti-virus tools attempted to detect viruses by looking for known &#8220;signatures.&#8221; Think of the &#8220;signatures&#8221; as a thumbprint of a virus. The anti-virus tools look for those thumbprints and the anti-virus vendors constantly update &#8220;signature&#8221; files in [...]]]></description>
			<content:encoded><![CDATA[<p>Anti-virus sounds like a great feature, right? But anti-virus can be ineffective in fighting newer threats.<br />
<span id="more-1043"></span><br />
For years, anti-virus tools attempted to detect viruses by looking for known &#8220;signatures.&#8221; Think of the &#8220;signatures&#8221; as a thumbprint of a virus. The anti-virus tools look for those thumbprints and the anti-virus vendors constantly update &#8220;signature&#8221; files in an effort to keep up with the thumbprints of all new viruses.</p>
<p>These days, some viruses can &#8220;morph&#8221; at regular intervals&mdash;keeping their same dangerous functionality and avoiding the signature matching. An analogy would be someone being able to change their thumbprint one or more times each day.</p>
<p>Over the years anti-virus has evolved to include new ways to stop viruses. One way is to watch for dangerous behavior. The problem here is for the anti-virus tool to be able to discern if the dangerous behavior is being performed by a legitimate process or a virus.</p>
<p>Anti-virus vendors are constantly playing the &#8220;cat and mouse&#8221; game of keeping up with new virus strategies. This is one more reason to always stay current with the latest anti-virus offerings available.</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/anti-virus/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Cloud computing problems and concerns</title>
		<link>http://www.fosterinstitute.com/blog/cloud-computing-problems/</link>
		<comments>http://www.fosterinstitute.com/blog/cloud-computing-problems/#comments</comments>
		<pubDate>Thu, 15 Sep 2011 04:00:14 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[professionals]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=1019</guid>
		<description><![CDATA[Just how important is &#8220;moving to the cloud&#8221; for your organization? Executives who use Dropbox regularly were concerned to learn about a security event at Dropbox. You can read the details here: http://latimesblogs.latimes.com/technology/2011/06/dropbox.html As some of my consulting clients move towards the cloud, others are digging their heels in and refusing to turn loose of their [...]]]></description>
			<content:encoded><![CDATA[<p>Just how important is &#8220;moving to the cloud&#8221; for your organization?<br />
<span id="more-1019"></span><br />
Executives who use Dropbox regularly were concerned to learn about a security event at Dropbox. You can read the details here:<br /><a href="http://latimesblogs.latimes.com/technology/2011/06/dropbox.html" target="_blank">http://latimesblogs.latimes.com/technology/2011/06/dropbox.html</a></p>
<p>As some of my consulting clients move towards the cloud, others are digging their heels in and refusing to turn loose of their security. They do not want to trust the security of their private data to services, nor are they sure their data will be available when they need it.</p>
<p>Still, some very large organizations are moving to the cloud.</p>
<p>What are your feelings?  What applications do you use in the cloud?</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/cloud-computing-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is defense in depth that good?</title>
		<link>http://www.fosterinstitute.com/blog/defense-indepth/</link>
		<comments>http://www.fosterinstitute.com/blog/defense-indepth/#comments</comments>
		<pubDate>Thu, 21 Apr 2011 04:00:46 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[IT network security]]></category>
		<category><![CDATA[IT security procedures]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=940</guid>
		<description><![CDATA[Many IT departments tell their executives that having multiple firewalls, anti-virus protection, VPNs, etc. is all you need for security. How does a firewall help you if the attack comes from inside your perimeter? When analyzing your IT security, having several ways to stop cyber intruders from entering from the Internet does not protect you [...]]]></description>
			<content:encoded><![CDATA[<p>Many IT departments tell their executives that having multiple firewalls, anti-virus protection, VPNs, etc. is all you need for security. How does a firewall help you if the attack comes from inside your perimeter?<br />
<span id="more-940"></span><br />
When analyzing your IT security, having several ways to stop cyber intruders from entering from the Internet does not protect you at all from intruders using other ways (vectors) to access your most precious information.</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/defense-indepth/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Rogue WiFi access points can cost you a great deal of money</title>
		<link>http://www.fosterinstitute.com/blog/wifi-access-points/</link>
		<comments>http://www.fosterinstitute.com/blog/wifi-access-points/#comments</comments>
		<pubDate>Thu, 07 Apr 2011 04:00:11 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Working With IT People]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=918</guid>
		<description><![CDATA[During a recent IT and physical security audit, we found three wireless access points within a facility that were both: insecure, providing wide-open access to whoever wanted to attach, and unknown to the IT professionals at the facility. There are many problems with WiFi security. I’ve discovered access points that were set up by [...]]]></description>
			<content:encoded><![CDATA[<p>During a recent IT and physical security audit, we found three wireless access points within a facility that were both: </p>
<ol>
<li style="margin-top: 0; padding-top: 0;">Insecure, providing wide-open access to whoever wanted to attach, and</li>
<li style="margin-top: 0; padding-top: 0;">unknown to the IT professionals at the facility.</li>
</ol>
<p><span id="more-918"></span><br />
There are many problems with WiFi security.</p>
<p>I’ve discovered access points that were set up by a previous IT professional that new IT professionals had no idea existed.  Sometimes, when large new equipment is purchased, the installers set up WiFi access points without notifying your IT professionals. Once I even encountered a WiFi access point that an employee set up under their desk so they didn’t have to look at &#8220;that ugly blue Ethernet cable!&#8221;</p>
<p>Beware of unknown data leaks to the outside world.</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/wifi-access-points/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Should you block your employees from accessing social media?</title>
		<link>http://www.fosterinstitute.com/blog/block-employees/</link>
		<comments>http://www.fosterinstitute.com/blog/block-employees/#comments</comments>
		<pubDate>Thu, 30 Dec 2010 04:00:19 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[IT security procedures]]></category>
		<category><![CDATA[Managing Employees]]></category>
		<category><![CDATA[protect]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=781</guid>
		<description><![CDATA[In the past, I&#8217;ve been known to instruct companies to block all employees from social media. Times are changing. The fact is, Facebook is now the second most popular site on the Internet, second only to Google. We have to understand that some of our employees can actually be performing useful work using social media. [...]]]></description>
			<content:encoded><![CDATA[<p>In the past, I&#8217;ve been known to instruct companies to block all employees from social media. Times are changing.<br />
<span id="more-781"></span><br />
The fact is, Facebook is now the second most popular site on the Internet, second only to Google. We have to understand that some of our employees can actually be performing useful work using social media.</p>
<p>To me, one of the most shocking facts is that companies do not control their Internet access. There are wonderful web tools out there that will allow you to:</p>
<ul>
<li>Track who&#8217;s going to what sites</li>
<li>Log employee activity in case you ever need evidence in a lawsuit</li>
<li>Selectively block groups and/or individual users from accessing specific categories of sites</li>
</ul>
<p>I find that the main reason companies do not use these tools is that the blocking scenario makes executives choose between yes to allow or no to block. Deciding between yes and no is easy when you&#8217;re thinking about some categories of sites. But there will always be several sites that are difficult to come to agreement about.</p>
<p>In order to get over the hump, it is important to start blocking the sites that everyone can agree to block. And if you have final say at your company, then you can decide which sites you want to block. The point is, if you can&#8217;t decide on specific categories, you don&#8217;t have to block them right now. Simply setting up these tools increases your security. More and more websites are being infected with malware, and that can result in you and your users becoming infected through something known as a drive-by download. These tools will do their very best to protect you from drive-by downloads.</p>
<p>Contact your IT department today and ask them to enable Internet blocking, logging, and tracking.</p>
<p>Please post your comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/block-employees/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Is total IT security possible?</title>
		<link>http://www.fosterinstitute.com/blog/possible/</link>
		<comments>http://www.fosterinstitute.com/blog/possible/#comments</comments>
		<pubDate>Thu, 15 Jul 2010 04:00:31 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=553</guid>
		<description><![CDATA[A participant at one of my presentations this year requested I tell them how to achieve, verbatim, “Total protection from employees able to reach or steal client data from work or home.” Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an [...]]]></description>
			<content:encoded><![CDATA[<p>A participant at one of my presentations this year requested I tell them how to achieve, verbatim, “Total protection from employees able to reach or steal client data from work or home.”</p>
<p><span id="more-553"></span>Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.</p>
<p>The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.</p>
<p>If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:</p>
<ul>
<li>Save to a local drive</li>
<li>Print information</li>
<li>Copy and paste outside your protected space</li>
<li>Or otherwise retain any information</li>
</ul>
<p>However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.</p>
<p>For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.</p>
<p>There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.</p>
<p>In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.</p>
<p>To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention (DLP) tools available. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.</p>
<p>There are other strategies as well:</p>
<ul>
<li>Provide people with only the information they need to know. A good book full of these examples is <em>Blind Man&#8217;s Bluff: The Untold Story of American Submarine Espionage</em> by Sherry Sontag and Christopher Drew.</li>
<li>Rotate employees through specific duties so their time to do harm is limited.</li>
<li>Force employees to take mandatory vacations during which time illegal behaviors may be detected.</li>
<li>Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.</li>
</ul>
<p>While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.</p>
<p>Please post your comments on the blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/possible/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Is IT security stifling innovation?</title>
		<link>http://www.fosterinstitute.com/blog/innovation/</link>
		<comments>http://www.fosterinstitute.com/blog/innovation/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 04:00:02 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT network security]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[protect]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=549</guid>
		<description><![CDATA[Let’s face it—providing adequate IT security does indeed stifle innovation. How could anyone argue with that? IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is [...]]]></description>
			<content:encoded><![CDATA[<p>Let’s face it—providing adequate IT security does indeed stifle innovation. How could anyone argue with that?</p>
<p><span id="more-549"></span>IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”</p>
<p>To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity!  If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.</p>
<p>Granted, almost always, there will be some compromise. You may have to choose between being:</p>
<ul>
<li>90% secure and 100% productive, or</li>
<li>100% secure and 90% productive</li>
</ul>
<p>The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board, etc. for the organization. I generally lean to the first option in many cases.</p>
<p>Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.</p>
<p>I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.</p>
<p>On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.</p>
<p>Please post your comments on the blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/innovation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT security insurance</title>
		<link>http://www.fosterinstitute.com/blog/it-security-insurance/</link>
		<comments>http://www.fosterinstitute.com/blog/it-security-insurance/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=507</guid>
		<description><![CDATA[Do you carry insurance for IT security? Breaches can be costly. Insurance is just stepping up to meet this need. If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data. One of [...]]]></description>
			<content:encoded><![CDATA[<p>Do you carry insurance for IT security?  Breaches can be costly. Insurance is just stepping up to meet this need.</p>
<p><span id="more-507"></span>If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.</p>
<p>One of my clients explained that the costs can soar to $5 per person to locate and notify people you’ve done business with. That’s $5,000 for every 1000 people you’ve served!</p>
<p>Additionally, there may be fines levied against you. For example, in April 2010 the Financial Regulatory Authority fined the brokerage firm D.A. Davidson &amp; Co. in Montana $375,000 after a hacker broke into their servers.</p>
<p>More and more, my clients and audience members are asking about IT security insurance to augment their protection. There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know of an agency that does offer IT security insurance and can write coverage anywhere in the USA: Andy Burkart, CPCU, of Burkart-Heisdorf Insurance Agency. The phone number is 800-989-6174.</p>
<p>I am NOT an insurance professional, so I encourage you to post any information and comments on this blog.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/it-security-insurance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does bug spray stop viruses?</title>
		<link>http://www.fosterinstitute.com/blog/stop-viruses/</link>
		<comments>http://www.fosterinstitute.com/blog/stop-viruses/#comments</comments>
		<pubDate>Thu, 13 May 2010 04:00:45 +0000</pubDate>
		<dc:creator>Mike Foster</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[IT network safety]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[Managing IT Professionals]]></category>

		<guid isPermaLink="false">http://www.fosterinstitute.com/blog/?p=493</guid>
		<description><![CDATA[If someone told you household oil cures arthritis, or that butter heals burns, or installing anti-virus is all you need to be secure on your network, would you believe them? I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him [...]]]></description>
			<content:encoded><![CDATA[<p>If someone told you household oil cures arthritis, or that butter heals burns, or installing anti-virus is all you need to be secure on your network, would you believe them?</p>
<p><span id="more-493"></span>I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”</p>
<p>At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.</p>
<p>I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.&#8221; I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.</p>
<p>This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?</p>
<p>I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.</p>
<p>Executives, please make sure your IT department’s advisors are trustworthy as well!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.fosterinstitute.com/blog/stop-viruses/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

