Let’s see—the only way I can think of is to never share any client data with your employees—ever. Even without computers, if an employee is privy to client data, they may “steal” that and use it for other purposes.

The goal is to protect private client data—and you may choose to never enter that into a computer system your employees can access—or never enter it into a computer at all.

If your employees do want to access client data, and you just do not want the employees to be able to easily take large amounts of information, the challenges increase dramatically. Even so, the possibilities are closer than you may realize. Thanks to application delivery and virtualization technologies, you can allow employees to work from home, or the office, without having information stay resident on their computer. You can also restrict them from being able to:

• Save to a local drive
• Print information
• Copy and paste outside your protected space
• Or otherwise retain any information

However, there is little to stop an e-savvy employee from using a digital camera to take a screenshot, or using a yellow sticky note to write down someone’s credit card information or social security number. At least these kinds of activities take “time,” so you are restricting the speed of stealing data.

For what technology cannot solve, your corporate legal advisors can step in. They can help you with non-disclosure agreements, acceptable usage policies, and other agreements for your workers to sign. The key point here is that these do not necessarily prevent the theft, but they do provide you some recourse if the employee is ever caught.

There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know someone who does offer IT security insurance.

In some organizations, prevention is crucial. Once the data gets out, the organization may be damaged beyond repair.

To prevent an employee from e-mailing themselves a client list, there are Data Loss Prevention DLP tools available in the world. They watch for suspicious behavior and can quarantine such messages before sending them out. That delay gives the responsible person in your organization the opportunity to stop the data before it leaves.

There are other strategies as well:

• Provide people with only the information they need to know. A good book full of these examples is Blind Man’s Bluff: The Untold Story of American Submarine Espionage by Sherry Sontag and Christopher Drew.
• Rotate employees through specific duties so their time to do harm is limited.
• Force employees to take mandatory vacations during which time illegal behaviors may be detected.
• Have a separation of duties such that it would be difficult for one employee to commit fraud all by themselves.

While “total protection” may result in your employees not being able to function, there are strategies that can provide you with both productivity and security.

Please post your comments on the blog.

IT security is frustrating and gets in the way of productivity. IT security can be expensive—but less now thanks to all of the competition in the marketplace for IT security products and services. Heck—lots of IT security is built into the Microsoft Server operating systems—and even Windows 7 for that matter. One just has to “turn it on.”

To me, the key concept relating IT security and productivity is to get away from the “either, or” way of thinking. In other words, you CAN have BOTH security and productivity! If you feel you have to give up productivity to be secure, I feel confident there is a solution that will let you have lots of both.

Granted, almost always, there will be some compromise. You may have to choose between being:

• 90% secure and 100% productive, or
• 100% secure and 90% productive

The choice is up to whoever will be held responsible for a data breach—probably the owner, CEO, board etc for the organization. I generally lean to the first option in many cases.

Key point: This decision is NOT and I repeat NOT up to IT. I feel it is IT’s responsibility to alert executives to any such trade-offs so that the executives can make an informed decision since they have to live with the consequences of their choices.

I wonder just how much money in the purchase price of a new car has to do with the door locks and the key used to start the car? How much added frustration do we experience in our lifetimes due to having to lock, unlock, and start our cars with a key throughout our lives? Yet, our vehicles are productive and secure without having major conflicts between those two attributes.

On a tangent: If users could “see” someone stealing their data or borrowing their computer the way they could see someone borrowing their car, users would be more attentive to IT security.

Please post your comments on the blog.

If you suffer a data breach or lose a laptop, you may be required to send out letters notifying everyone who has ever done business with you of the possible loss of data.

One of my clients explained that the costs can soar to $5 per person to locate and notify people you’ve done business with. That’s $5,000 for every 1000 people you’ve served!

Additionally, there may be fines levied against you. For example,  in April 2010 the Financial Regulatory Authority fined the brokerage firm D.A. Davidson & Co. in Montana $375,000 after a hacker broke into their servers.

More and more, my clients and audience members are asking about IT security insurance to augment your protection. There is even IT data security insurance. If your insurance provider does not offer this service, or if you want to shop around, I know of an agency that does offer IT security insurance and can write coverage anywhere in the USA: Andy Burkart, CPCU, of Burkart-Heisdorf Insurance Agency. The phone number is 800-989-6174.

I am NOT an insurance professional, so I encourage you to post any information and comments on this blog.

I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”

At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes he was protected.  Several of his “IT advisors” told him anti-virus was all he needed.

I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.” I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.

This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?

I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.

Executives please make sure your IT department’s advisors are trustworthy as well!

These days, most organizations already own everything they need to increase their security dramatically higher than it is today. Microsoft servers include tools like event logs, Group Policy Objects, file permissions, user rights, patch management, disk encryption, authentication, certificates, IP Security, and other tools that, while they can be enhanced by add-on products, already have a huge amount of untapped potential in what your company has already invested in. You have already spent the money; please use what you have!

For expenses like corporate anti-virus, until the criminal hackers decide to use their skills for good rather than evil, this is something you budget for. Look at the ROI. Almost any company can justify a solid backup program, if not a full disaster recovery plan when you perform a risk assessment and calculate the amount you can lose without a backup. If you are investing more than $100 per year per user on IT security, perhaps you can reduce your spending and still be well protected. As one of my clients in Houston recently told me, “We don’t want to be as secure as the Pentagon.” Well said.

Additionally, I find many of my clients are moving to thin client technology and investing in virtualization. These moves do often take an initial investment, however the total cost of ownership over the next three years will sometimes be dramatically less than staying with the existing infrastructure. Even if the total cost of ownership will stay the same, there are often huge increases in security and user productivity. And, amazingly, often the transition to the new infrastructure can happen gradually over a few years to reduce the yearly investment and start realizing the ROI right away where the technology will have the most benefit—such as for remote users. Thin client computing and virtualization are addressed elsewhere in this blog. Please add your comments.

The problem with data breaches is that sometimes, after the breach, it is too late to save the company. Remember the company Fly Clear? I have earned, and spent, more than 6 Million Miles in my frequent flyer account at a major airline. Fly Clear allowed me to bypass the lines at airport security and added a huge amount of quality time back to my family. Then, Fly Clear lost a laptop at a Northern California airport, and I got a letter about the possible breach. In the letter, the CEO said he didn’t know why they were not encrypting all the hard drives at the company to protect client data, but they would from then on. Yeah, from then on until his company closed its doors. Who wanted to give all their private security information to a company that loses it? Fly Clear did close their doors—less than a year later. This closing, and others like it, is so sad because it was likely preventable.

The Fly Clear CEO seemed angry at his IT department for not telling him ahead of time about the importance of full disk encryption—a common feeling among executives who are angry at IT after a breach. Full disk encryption is just one of the many strategies companies can use to protect themselves.

It amazes me how few CEO’s and other executives have ever learned about full disk encryption—and sometimes their IT professionals have not heard of it either. I find that understandable since IT has so many specializations and, just like cardiologists do not necessarily know all about neurology, a company may not have an IT security professional on staff to make security recommendations. Come to think of it, my consulting business revolves around being that outsourced IT security specialist for companies.

For 2010, I encourage you to have some conversations with IT professionals, qualified in IT security, about the status of your IT security and what you can do to increase it.

Before I could catch them, these words spewed out of my mouth: “We need more government regulation of businesses.”  I immediately stopped, appalled at what I had just said, and stood there in disbelief.

The fact is, due to a number of problems in organizations, IT security too often gets pushed to the back burner. Next week’s blog entry will deal with those reasons. Do we need more laws to force companies to be secure? For the responsible companies I work with, I say “No! Enough regulation already!” I know they are taking steps to be more secure. But for those companies that send the rest of us letters notifying us of breaches, I think we all would have been happy if some regulation forced them to be more careful with private information. PCI-DSS standards for companies that accept payment cards is still a regulation—except in Nevada where it is now a law. Minnesota also has laws around the core requirements of PCI-DSS.

I used to be totally against some government regulations, but as I see some organizations being careless with your private data, I wonder if a little regulation might go a long way? Please respond with your comments on this blog.

That sounds like a good way to sum up things like “help protect the company from lawsuits, adhere to regulations, provide job security for employees, and protect our customer’s best interests.” Lots of people sleep better at night.

Think about it, look in the news at the latest breaches, and make sure to get secure ASAP!

The topic of employees working securely from a remote location comes up in almost every IT audit I do with companies. There are many methods for employees to work remotely, and with the potential threat of the Swine Flu looming, now is an important time to be sure your employees can work remotely.

The problem with allowing employees to connect through the VPN to your network from their home computer is that the computer could contain viruses and other malware. One solution many organizations are moving to is Citrix Xen to deploy applications to the home computers in a more secure fashion.

The crucial thing to remember for now is that whether or not the Swine Flu does kill a lot of people, the psychological reaction itself could cause major problems for your business if your employees refuse to come in to the office to work. For other non-IT related tips, check out  http://www.cdc.gov/h1n1flu/