Stephanie Jordan's blog

SEC Enforcement Actions Nearly Beat Record in 2012, Anticipated Higher Still in 2013

The Securities and Exchange Commission set a new annual record with its filing of 147 enforcement actions against investment advisors and investment companies this year. In his blog, Adam Bullock of Smarsh reports that “broker-dealers also saw the impact of SEC oversight more in 2012 than in 2011, with 134 enforcement actions (a 19 percent increase year-over-year). The SEC totaled 734 enforcement actions, one short of the record set in 2011.” The penalties resulting from the record-setting 735 enforcements last year came in at $2.8 billion.

It is not surprising that compliance professionals in the financial services industry are increasingly focused on establishing policies to mitigate risks. Included in those policies are best practices for electronic recordkeeping that encompasses not only email, but also other forms of messaging like social media.

If Bullock is correct in his assumption that the SEC will continue the trend toward more enforcement activity in 2013, then beginning the year with an exercise to prepare for an SEC examination might be time well spent.

According to Smarsh Founder and CEO, Steve Marsh, the company’s 2012 Electronic Communications Compliance Survey found that the top message types requested during SEC examinations were (in order) email, website pages (including RSS feeds, blogs, wikis), Bloomberg or Reuters messages, and instant messages (IMs).

One of the top concerns for compliance professionals is the growing use of smartphones and tablets. Mobile-specific communications, like text messaging, have the potential to fall outside the scope of current compliance practices. Of the compliance professionals that participated in the survey, 72 percent were concerned about new communication channels (including text messaging and social media) and 63 percent were concerned about new communication devices.

This year the SEC published guidelines for investment advisors that use social media that included Facebook, Twitter and LinkedIn. This recognition by the SEC that social media adoption is happening within the financial services industry signals a possible addition in typical message types during an exam in the future.

As Marsh says, “It is the content of the communication that determines its status as a business record, not the communication channel itself.”

Marsh’s Navigating the New Regulatory and Compliance Landscape: Electronic Recordkeeping offers a quick review of key SEC electronic recordkeeping requirements. The New Year might be a good time to establish an annual review of messaging compliance practices and policies. If the SEC does come to call, Bullock notes that firms should expect just five to 10 days’ advance notice.

BYOD Deluge, Get Ahead of Holiday Device Rush

Bring your own device (BYOD) has changed the IT landscape, and some companies are handling the new world better than others. This week I came across a November blog from Sheila Jordan, senior vice president of the Communication and Collaboration IT organization for Cisco, that shares how Cisco handles mobility.

With the love of devices only growing stronger and new models and products arriving in time for the holidays, Jordan (no relation) gives six steps in the Cisco policy and practices for managing the mobile devices that have permeated the workplace. A few gems stood out.

More Access. More Security.

“The more network access the user wants, the more security we apply to the device,” writes Jordan. She also says Cisco IT has the right to wipe a device if it is lost or stolen.

Create An App Center

Jordan says Cisco offers employees an easy way to access apps and services that can simplify business processes and increase productivity. “Consider creating your own app center where you can house a combination of your own and third-party applications. The corporate store will give employees easy access to Cisco-recommended applications–so they can submit business trip expenses from an airport, take a Jabber video call from the sidelines of a soccer game, or continue that WebEx meeting as they shift from one location to another.” Jordan is quick to point out that the corporate app store is not the only employee-accessible app repository and the intention is not to micromanage the employees.

Get Ahead of the Hype

Around the holidays, Jordan notes, many employees will receive “shiny new devices as gifts, so we proactively email instructions to ease the device-setup experience.” She says this allows Cisco to avoid overtaxing its global IT support team, which operates with a skeleton crew during the holiday break. Similarly, when a new device is about to make its debut, Jordan says Cisco sends communications to employees BEFORE the device is on the shelf. “Our IT team created a series of communications to share with employees as soon as the official announcement [for Apple iPhone 5] hit,” reveals Jordan. “The communication addressed common questions including how to order and provision new iPhone 5s. As a result, we were able to painlessly add 2,500 of them onto the corporate network within three weeks.”

Speaking of Apple’s iPhones, there appears to be a shift in mobile preferences happening. A recent trending report from Zscaler ThreatLabZ shows “current Android use at 45.23 percent and iOS at 49.6 percent (compared to 36.88 percent and 55.36 percent respectively in Q2), the gap between the two continued to narrow—decreasing by 76 percent this quarter over last. Accounting for that gap, Android use increased by 22 percent over Q2, and iOS decreased by 10 percent.”

Jordan’s full six steps blog, even with a few Cisco product plugs, is a quick, yet insightful read.

Account Takeovers Estimated in 100s of Thousands a Day

Users lose control of Facebook, email, Gmail, Yahoo!, Twitter and other online accounts frequently, agreed representatives from Microsoft, Twitter, Yahoo!, Responsys and Dropbox during a breakout session at the Online Trust Forum 2012 held earlier this month. While all the companies actively patrol for anomalies and conduct behavior analysis, breaches still happen, and while no one on the panel (nor among the who’s who in the audience) wanted to stake out a firm number, they agreed it was in the ballpark of hundreds of thousands each day. That number is plausible if you stop to recall this summer’s Yahoo! breach, where over 450,000 accounts were hacked in one go.

Ramses Martinez, director of security at Yahoo!, did not talk specifically about the breach, but spoke in general terms, noting that the impact of such a breach is really on the brand more than the infrastructure, and admitting that it can “indirectly affect revenue.”

The impact of account takeovers at Dropbox, notes Cory Louie, head of trust, safety and security for the company, is that customers’ expectations of being protected by Dropbox are not met. “You lose trust immediately. The blame comes on you as a service provider, whether you are responsible or not.”

Over at Twitter, Bob Lord, head of information security, explained that by the nature of Twitter, a Twitter name is a personal brand, and followers follow that brand. “When you lose control of the account, it is anguish to the people affected.” But Lord observes that while “many people act like they know security, their behavior online says otherwise.”

The group discussed how passwords are key to tighter security, but that users, even after much education and recommendations provided, are still re-using passwords, or have very weak passwords.

At the time of the Yahoo! break-in, the top password, representing 38%, was 123456. Here are the other top nine:

  • password = 18%
  • welcome = 1%
  • ninja = 0.08%
  • abc123 = 0.06%
  • 123456789 = 0.05%
  • 12345678 = 0.05%
  • sunshine = 0.05%
  • princess = 0.05%
  • qwerty = 0.04%

Lord made an interesting point: for Twitter and many other social media sites, an email address acts as an anchor of trust. When email users lose control of their email accounts, it can impact Twitter and other sites.

So what are people losing when accounts are hijacked? “There is not necessarily a financial impact,” says Martinez. “But the contacts in your network, the ecosystem, that is the concern.”

The entire panel agreed with Lord in that patrolling for break-ins is more art than science. Even the people who have their accounts hijacked usually have no idea anything has happened until their contacts start asking questions about the spam coming into their inbox from their trusted friend.

The bottom line: protect your email accounts. Use a password tool, or develop a password strategy that allows multiple passwords to be used rather than reusing the same one for many different sites, and change passwords often. In today’s messaging world, keep in mind that email is the anchor of trust and the doorway into many other channels, like Facebook, Twitter, Dropbox and LinkedIn.

iPhone 5 Eagerly Awaited Fuels More BYOD Fever

Apple pre-orders for its iPhone 5 topped two million in just 24 hours, more than double the previous record of one million held by iPhone 4S. During the product launch address last week, Philip Schiller, senior vice president Worldwide Marketing for Apple, reminded listeners that at the time of the original iPhone launch in 2007, Time Magazine called the product, “The phone that has changed phones forever.” Last week, at the company’s special event, Schiller introduced the iPhone 5 calling it, “The most beautiful product that we have ever made.”

The phone, made of glass and aluminum, is the lightest and thinnest smartphone to date and weighs just 112 grams. With a 326 pixels per inch (PPI) display and 44 percent more color saturation, it is, according to Schiller, “The world’s most advanced display.” Schiller walked through key features from its thinner, lighter design, Retina display, and performance and speed, to its camera, improved battery life and new iOS 6 platform.

The announcement that might be less enthusiastically received is the iPhone 5’s charging connector. Schiller explains that the current connector design was launched in 2003 and says, “So much has changed since then. It is time for the connector to evolve.” Schiller announced that the new connector is called “Lightning” and is “a connector for the next decade.” Schiller goes on to describe its all-digital, 8-signal design, that it has improved durability, that it is reversible, making it easier to use and is 80 percent smaller. This translates to accessory makers needing to alter product designs to accommodate the change. It also means users that already own connectors, speakers, and devices, will need to purchase adapter accessories from Apple to convert the old style connector devices to the new connector design or purchase all new speakers, clock radios and the like. If the reaction of the two million placing pre-orders on Friday in the opening 24-hour period is any indication, Apple iPhone enthusiasts don’t seem to mind.

One online company has tried to gauge the extent of iPhone fever by polling nearly 2,000 U.S. visitors to its CouponCodes4u site. Respondents were asked whether they could afford to purchase the latest Apple gadgets and whether or not they have gone into debt to do so. Eighty-one percent of respondents admitted that they could not afford to “keep up with the latest” Apple releases and have purchased gadgets on “credit”. More than half, 51 percent, of respondents said they had used a credit card or taken out a loan in the last three years so they could be amongst the first to buy the latest iPad and iPhone.

During the iPhone 5 event last week, Apple’s CEO, Tim Cook, took advantage of the gathering to comment on Apple’s other device darling, the iPad. According to Cook, from April to June 2012 figures show 68 percent of the worldwide tablet market share belongs to Apple. He further cited the usage statistic claiming 91 percent of all tablet web traffic. Cook also stated, 94 percent of Fortune 500 companies are testing or deploying the iPad and believes, “The enterprise is also investing in custom apps at a high rate.”

Cook told the audience that last quarter the company sold its 400 millionth iOS device (through June 2012), exclaiming, “No one could have predicted this.”

I doubt anyone predicted two million pre-orders on the first day of advanced sales, either.

iPhone 5 carries a suggested retail price of $199 (U.S.) for the 16GB model, $299 (U.S.) for the 32GB model and $399 (U.S.) for the 64GB model. While a shortage is now predicted, the device is scheduled to be available in the U.S., Australia, Canada, France, Germany, Hong Kong, Japan, Singapore and the U.K. on Friday, Sept. 21. iPhone 4S will now be available for just $99 (U.S.) and iPhone 4 will be available for free with a two-year contract from most carriers. iOS 6 software is available as of today as a free software update.

Email Holding Its Own Against Social Media for Marketers

With the recent broadening of messaging channels (social media, collaboration, text, etc.) it might be easy to believe the oft-made claim that “email is dead,” but a number of marketers said this month that email beats social media when you look at the stats.

While all believe social media has an important role, none think email is losing its place as the cornerstone of emarketing efforts. Message Systems, a provider of messaging technology solutions, conducted a survey during its annual user conference this month and found that 97 percent of respondents leverage email for marketing campaigns. The survey also found social media rising in popularity, with 70 percent of respondents indicating that they market through social networks. But regardless of its popularity, social media is outperformed by email marketing when it comes to driving sales and delivering return on investment (ROI).

“Despite recent reports that the return on investment with email marketing has been declining over the past few years, our survey found that email is thriving, and driving more revenue and conversions than any other channel,” observes George Schlossnagle, CEO of Message Systems. “In fact, nearly 70 percent of our customers reported that their email marketing returns have actually trended upwards in the past five years.”

The findings of Message System’s survey were echoed in Monetate’s E-commerce Quarterly Report published mid-month. This report claims that when it comes to ecommerce, email still rules.

The report authors said, “Although social media is referring traffic to online shopping sites 77 percent more than last year, few users actually buy anything. E-commerce sites may be rushing to fill the Internet with their social banter and engagement, but the real winners are those emails campaigns reminding us of sales, previewing new items, and offering free shipping. At a rate of 4.25 percent, email deals are converting people to sales eight times better than social and four times (4x) that of search.”

Experian CheetahMail’s Q2 email trends report, published this week, also shows email to be a solid channel for marketers.

“For Q2 2012, overall email volume increased 10 percent while open rates were slightly above the 2011 Q2 rates, as more than 55 percent of brands had statistically significant increases in open rates for Q2 2012,” summarizes Regina Gray, vice president of strategic services for Experian CheetahMail. “While click rates continued to show a year-over-year decline, there is some evidence that the rates are stabilizing. Email is still the most effective channel to connect with customers as we’ve seen a growing trend of brands utilizing social capabilities to acquire and engage consumers and fans across these new media channels.”

Social clearly does have a place, however. According to the Message System benchmark survey, “Social marketing is growing, especially for engaging customers. Although most customers prefer to be contacted via email, marketers are increasingly using social media to engage with customers and interact in a two-way dialogue—64 percent of respondents said they added social media in the past year to obtain greater engagement.”

Overall, nearly half—47 percent—of all survey respondents disclosed that their companies have adopted social media (Facebook, LinkedIn and Twitter specifically) as a channel for two-way customer dialogue, trailing only phone and email.

The email trends discussed by these vendors seem to fly in the face of an earlier study conducted by the Direct Marketing Association that found that email marketing had dropped by 25 percent and was likely to continue to decline.

Several Large, Frequently-Visited Sites Still Serving Malware

New discoveries were recently reported as a continuation of a March report on observed maliciousness in Alexa top-ranked domains. Barracuda Labs has intentionally been mimicking typical web browsing behavior to review the most popular websites as listed by Alexa Internet, Inc, which offers information about websites including top sites, Internet traffic stats and the like. I wrote about the initial report in Popular Web Sites Found to Host Malicious Content.

According to researcher Paul Royal, the Lab continued to look at some of the same items from the March study, but this time went further into the data to examine recurring maliciousness for a given domain, the use of ad networks as entry points to drive-by downloads, and the use of Java in exploited sites.

The latest observations validate the March findings. In this report, top sites served malicious content for 26 days per month, up from 23 days last report. The sites involved showed no geographic borders, with malicious content served across 13 countries this time and 18 last time. Also observed again was that the sites are not new: Over 97 percent of the affected sites were a year or more old, in both this report and the earlier one.

For this report period, 39 of the Alexa top 25,000 websites, when visited, served drive-by downloads for at least one day. Royal says this time the researchers examined how, beginning with a visit to a popular website, malicious content was served to the browser. “Given that almost all of the sites were long lived, we expected most instances of malicious content to arrive via the sites’ use of ad networks, which are a frequent target of criminals,” Royal explains. “However, to our surprise, malicious content originated from [ad servers in] only 18 (or 46.1 percent) of the 39 sites. The remainder were, in one form or another, the result of directly compromising the website.”

This latest report also examined the use of Java among browser-based exploits. Royal notes, “Of the 39 sites, 34 (or 87.1 percent) served malicious content (usually targeting multiple software components) that included one or more exploits for Java (e.g., CVE-2012-0507). This finding supports the widely held belief that Java is one of the most ubiquitous targets of drive-by download attacks.”

Disabling Java when it’s not needed is recommended by Barracuda Labs for this reason. Go to New Insights on Maliciousness in Top-ranked Domains for more on this study.

BYOD's Downside: Higher IT Costs, Data Security and Compliance Concerns

One of the most talked about trends in messaging today is BYOD (Bring Your Own Device), which began about the time iPhone mania really took hold. After 2007, when third-party developers were encouraged to develop apps for the iPhone, users started to abandon corporate-issued BlackBerrys in favor of their own phones and apps. Shortly thereafter, Android, iPad and a host of other devices with roots in consumer product design were streaming through corporate doors. The BYOD trend has put IT in a tough spot, and has captured the attention of vendors responding to the new need for mobile device management (MDM). Initially, we had on-premises MDM offerings from companies like Good Technology, Sybase and MobileIron. Now, with the rise of “the cloud,” we see MDM cloud services, which have lower price points and can leverage the managed services approach.

One such recent offering, announced last week, is from Azaleos Corporation, known for managed Exchange and managed SharePoint. The Azaleos Managed Mobile Device Management Service enables enterprises to centrally secure and control all leading mobile devices, including employee-owned smartphones and tablets. The Azaleos Managed MDM service is based on technology from market-leading MDM provider AirWatch and provides proactive 24x7 monitoring and management of company-issued and employee-owned mobile devices.

The need for MDM appears to be growing. A recent study conducted by Osterman Research revealed that full-time employee staff requirements to manage smartphones increased from a median of 2.9 per 1,000 mobile devices in 2011 to 3.6 today and is expected to reach 4.0 in 2013. The corresponding annual IT labor cost per user was $229 in 2011, $294 in 2012, and is projected to rise to $339 in 2013.

“Organizations that do not address MDM properly face a growing set of risks, including an inability to adequately secure and retain data on mobile devices, greater downtime, higher IT costs, regulatory compliance violations and reduced employee productivity,” believes Michael Osterman, president of Osterman Research.

A key area of BYOD concern to Osterman is content retention and management. In a recent research paper entitled Putting IT Back in Control of BYOD he wrote: “Smartphones and tablets contain a significant proportion of corporate data. Osterman Research has found that more than five percent of corporate data is stored just on users’ smartphones—we expect this figure to soar during the next 24 months as iPads and other tablets are employed in much larger numbers. Employee-owned and controlled devices make access to this data by corporate IT or compliance departments much more difficult, such as during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees’ personal property.”

At this point, the BYOD trend is so entrenched that trying to control what device employees may use is likely to fail, Osterman predicts. He believes that employees, if faced with such restrictions, will use their device of choice secretly. Another reason he does not advise trying to restrict users from making their own choices is productivity. “The vast majority of employees do not use their own devices or applications simply for the fun of it,” he says. “They are doing so to be more productive, and to bypass IT restrictions (e.g., email file-size limits) that prevent them from being effective in their work.”

The simplicity of cloud services, converging with the increased number of mobile device platforms coming into corporate environs, makes MDM increasingly of interest to IT. In an MDM survey, Osterman found that among organizations that have not yet deployed an MDM solution, 32 percent will deploy one in 2013 and an additional 24 percent plan to deploy one in 2014.

Social Media Policy Guidance for Financial Institutions Good for All

The highly regulated financial services industry has been given another set of social media guidelines. Most well known might be FINRA’s (Financial Industry Regulatory Authority) two notices (published January 2010 and August 2011) to try to assist with the use of social media within regulatory standards. More recently, the DFI (California Department of Financial Institutions) has offered guidance to financial institutions towards developing social media plans and policies, portions of which can be applied toward any industry.

The use of social media is a hot topic for all industries, with most embracing the channel as an important way to stay connected to customers. A short DFI survey published in the December issue of DFI’s Monthly Bulletin proved very revealing. The survey asked three questions:

  1. Do you have a social media plan?
  2. Do you have a social media policy? And
  3. Does someone look at public websites, e.g., Yelp, Twitter, Google search, etc., for reviews and postings on your financial institution?

The answers: 96 financial institutions or 28 percent responded “yes” to a social media plan and 245 financial institutions or 72 percent responded “no.” To having a social media policy, 140 institutions or 41 percent responded “yes” and 202 institutions or 59 percent responded “no.” As for reviewers, 133 institutions or 39 percent responded “yes,” 85 institutions or 25 percent responded “no” and 124 institutions or 36 percent responded “not applicable.”

With only 28 percent of the survey respondents saying, “we have a plan,” the February issue of the DFI’s Monthly Bulletin offered the following to be considered before embarking on social media activity:

  1. What does your financial institution expect to gain from using social media?
  2. How will the plans be implemented and over what period of time?
  3. Who are the “target” viewers?
  4. What types of bank activities/postings are planned?
  5. What types of social media do you plan on using and how do you plan to use them?
  6. How will the social media activities be managed and by whom – internal and/or external?
  7. Who will the social media staff report to within your financial institution?
  8. Who and how will these activities be reviewed/audited?

The DFI also recommends that a “financial institution should perform a risk assessment based on the complexity of your goals and objectives prior to implementation.” In addition the assessment should identify “all key risks (e.g., reputational, legal and operational) for which risk mitigation strategies should be developed and incorporated into the social media plan.”

Sounds like a good exercise for any industry, doesn’t it? But how many of us take that time before leaping into execution mode?

As a follow-up, the DFI offered another social media installment in its March Monthly Bulletin, this time aimed at the 59 percent of responders that did not have a social media policy.

The DFI recommended financial institutions address these key elements within a policy framework for social media:

  • Description of the approved Social Media Activities (e.g. Facebook, LinkedIn, Twitter, Yelp, etc.)
  • Establishment of responsibility for the social media program oversight.
  • Establishment of the appropriate reporting authority.
  • Designation of staff members authorized to manage and respond to social media inquiries and postings.
  • Specification of type of use for social media (business use only?)
  • Guidelines for personal use, if allowed.
  • Definition of permitted content (e.g., communications, product promotions or advertisement, customer education, etc.)
  • If advertising products and services, inclusion of applicable consumer protection laws and regulations requirements (e.g. FDIC insurance, Truth in Lending, etc.)
  • Employee training program.
  • Social media procedures to detail how activities are to be performed.
  • Description of reporting metrics to monitor the social media program’s goals and objectives.
  • Regular review and updates for the policy and procedures.

Again, this is a really good list to be included in anyone’s social media policy.

With so many social media platforms out there, it’s important for all businesses to establish a social media plan and a social media policy. Having them will prove more important as employee adoption (and perhaps abuses) grow.

Latest Password Breach Reminds Us to Update Passwords

Last week security researchers were buzzing with news and opinions about possible (and soon after confirmed) stolen LinkedIn passwords. Whenever security breaches such as this one happen—and in the online world in which we find ourselves, intrusions on our online privacy are not uncommon—it serves as a reminder that we need to proactively protect ourselves, as we would walking down a darkened street, by staying alert and taking steps to prevent negative situations.

A key social media site for professionals, LinkedIn’s network (as of March this year) has 161 million members in over 200 countries and territories. The news of the breach of over 6 million password hashes was caught not by LinkedIn, but by steadfast security experts vigilantly on patrol looking for activity such as this. Once it was called to LinkedIn’s attention, the company quickly sprang into action with blog notices, internal investigations into the compromised accounts and direct communication with those affected by the breach. The recommendations sent from LinkedIn to those breached account holders are good for all of us to hear again, as they are not new best practices. Their recommendations appear at the end of this post and are worth sharing with your users.

Others also had advice to share, like Cisco’s Seth Hanford, one of the first to report on the suspected breach. Hanford offered safety tips covering both things users should do and things they should not do, such as: do not input passwords into sites on the Internet offering to compute hashes or check for exposure, saying “Determining if your password hash was exposed is interesting, but giving your password away to strangers is never a good idea.” He also recommends that users not rely on common patterns in an effort to improve password security. As evidence, Hanford offered recent research (PDF) that suggests sets like possible day/month combinations (4 digits starting with “19″ or “20″, or combinations which can be interpreted as day/month values like 0501) are particularly weak.

Close to a year ago today, I wrote a piece, National Internet Safety (and Security?) Month, MAAWG, and Passwords, that passed along a theory of how to make a strong, memorable password. Seems like a good time to repeat that portion. Here is what I wrote after hearing a talk by Dr. Markus Jakobsson, principal scientist, consumer security with PayPal:

“A key point Dr. Jakobsson makes is that users should make passwords from what he calls “fastwords” that boil down a story into three words. These words on the surface seem very random, but to the user these select words are meaningful because they tell a tale, which aids in password recall success.

Another password memory recommendation, similar to Dr. Jakobsson’s advice of telling a story, is to come up with a password with which you can make clear associations or phrases. Traditionally, a strong password is one that contains both uppercase and lowercase letters, numbers and symbols. So the example would be if you have this password: Hmkw?Aba4g! A user could remember it by: How many kids won? A boy and 4 girls! These kinds of tricks make remembering passwords much easier, as Dr. Jakobsson points out people hate passwords, mostly because good passwords are hard to remember.”

An almost unanimously agreed upon password tip: don’t use the same password in multiple places. Even strong passwords are weakened through overuse and, if compromised, can open up even more information to thieves. One of the primary points given to the compromised LinkedIn members is that if the same password used on the social media site is being used elsewhere, change it right away.

While the damage of the breach is not fully certain at this point, one thing is known, damage has been done to LinkedIn’s reputation.

Password Recommendations from LinkedIn:

Here are some account security and privacy best practices that we recommend for our members:

Changing Your Password:

  • Never change your password by following a link in an email that you did not request, since those links might be compromised and redirect you to the wrong place.
  • You can change your password from the LinkedIn Settings <http://www.linkedin.com/settings> page.
  • If you don’t remember your password, you can get password help <http://help.linkedin.com/app/answers/global/id/1167/ft/eng> by clicking on the Forgot password? <http://www.linkedin.com/passwordReset?> link on the Sign in page.
  • In order for passwords to be effective, you should aim to update your online account passwords every few months or at least once a quarter. 

Creating a Strong Password:

  • Variety—Don’t use the same password on all the sites you visit. 
  • Don’t use a word from the dictionary.
  • Length—Select strong passwords that can’t easily be guessed with 10 or more characters.
  • Think of a meaningful phrase, song or quote and turn it into a complex password using the first letter of each word.
  • Complexity—Randomly add capital letters, punctuation or symbols.
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”).
  • Never give your password to others or write it down. 

A few other account security and privacy best practices to keep in mind are:

  • Sign out of your account after you use a publicly shared computer.
  • Manage your account information and privacy settings <http://help.linkedin.com/app/answers/global/id/66/ft/eng>  from the Profile and Account sections of your Settings <http://www.linkedin.com/settings> page.
  • Keep your antivirus software up to date.
  • Don’t put your email address, address or phone number in your profile’s Summary.
  • Only connect to people you know and trust.
  • Report any privacy issues to Customer Service <http://help.linkedin.com/app/ask/path/pi> .

Industry Coordinated Defense Needed to Battle Botnets

As legislators try to address cybersecurity threats through various bills, the White House yesterday promoted a voluntary set of principles developed by the Industry Botnet Group (IBG) to help reduce botnets. The White House event was held to discuss the risk botnets pose to Internet security.

In January, IBG was formed as a multi-industry organization to collaborate on and encourage efforts to reduce the effectiveness of botnets. Bots are malicious programs installed on a user’s system, usually without the user’s knowledge, that criminals use to steal personal identity information, send spam, launch attacks against Web sites and carry out other malicious activities.

“Bots are a serious concern for end-users, the economy and the nation,” Michael O’Reirdan, M3AAWG co-chairman for malware, recently stated. “Looking at the significant reduction in spam over the years, we know that cooperative industry action is effective against online abuse.” M3AAWG serves on the IBG steering committee.

The new principles are intended to significantly improve cooperation among network operators, vendors, trade associations and other nonprofits working against the malware. At today’s event, everyone in the Internet ecosystem was encouraged to implement the Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace. The principles include:

  • Share cyber responsibilities by employing reasonable technologies to thwart the effectiveness of botnets across all phases of the mitigation lifecycle: prevention, detection, notification, remediation, and recovery;
  • Coordinate across sectors in order to better analyze, prevent, and combat threats;
  • Confront the problem globally through cross-border collaboration;
  • Report lessons learned with partners in the Internet ecosystem;
  • Educate users by making information and resources available to them;
  • Preserve flexibility for responses by different entities to an ever-evolving threat environment;
  • Promote innovation to foster technological advances;
  • Respect privacy; and
  • Navigate the complex legal environment.

“It takes a global village, with all the suppliers involved, to fight bots,” believes O’Reirdan. “The only way to effectively protect consumers is for the operators, vendors and other participants serving the Internet ecosystem to recognize their shared responsibility in addressing the problem and then integrate the appropriate defenses into their daily business practices. The IBG principles encourage the industry to be assertive and acknowledge the problem, cooperate, coordinate and be flexible in their responses.”

While not a new approach to the botnet battle (other calls for collaboration and joint-industry efforts have been made), IBG’s public-private partnership strategy underscores the need for experts from a variety of disciplines to work together to address today’s increasingly complex cyber threats.
