Compliance

The Element of Trust in Cloud Messaging

Michael Osterman — Wed, 09 Jan 2013 10:09:37 +0000

The traditional model of deploying email, security, archiving, backup and related solutions using on-premise servers and software (or appliances) requires a certain amount of trust—trust in the technology offered by the hardware and software vendors, trust in the quality of the ways these technologies have been implemented, trust in the responsiveness of their support when things go wrong, trust in the patches and upgrades that are offered, and so forth.

However, for those charged with managing these capabilities in the cloud, an almost quantum leap increase in the level of trust is required of the providers offering these services for the simple reason that data is now in the hands of a distant third party. Not only must decision makers place trust in the quality of the hardware and software deployed in the cloud providers’ data centers, the ways their technologies have been implemented, the responsiveness of support staff, etc., but now trust must be placed in several other attributes of the provider(s). These include the quality of the technical team managing the cloud data center, the quality of the management team that runs the business, the overall financial health of the cloud provider’s business, their integrity in managing sensitive and confidential customer data, and their responsiveness in migrating data back to their customers for any reason.

Fundamentally, this creates four primary responsibilities—two for prospective customers of cloud providers and two for the providers themselves:

Customers must carefully define the service levels, migration strategy, archiving strategy, messaging policies and every aspect of their communication and collaboration capabilities that might move to the cloud. Many organizations have not yet established detailed and thorough messaging policies, for example, and so are simply not ready to migrate capabilities to the cloud.
Due diligence is extraordinarily important in selecting cloud providers because of the high stakes involved. Cloud vendors must be vetted on a number of parameters, including their business model, financial health, uptime, backup strategies, and redundancy. While due diligence is important when selecting on-premise solutions, an order of magnitude more care must be applied when vetting cloud providers.
Cloud providers must implement a range of technologies and best practices to ensure that customer data is maintained securely, it can be migrated from and back to customers with a minimum of time or pain, and they must be sufficiently capitalized to ensure that the business keeps running even in difficult economic times.
Finally, cloud providers must offer a level of transparency into their operations that will satisfy decision makers charged with evaluating them.

It’s important to note that I’m not arguing against the use of small and/or startup cloud providers. Many of them have solid business models, provide excellent service and have a good record of uptime. Large does not necessarily imply that superior service will be offered, nor does small necessarily imply the opposite.

The bottom line is trust: successful use of the cloud to run critical business operations demands it.

Improve Employee Awareness, Training in 2013

Stephanie Jordan — Thu, 20 Dec 2012 10:38:24 +0000

In a new research report by Ira Winkler and Samantha Manke from Internet Security Advisors Group (ISAG), Fortune 500 information security officers discuss employee education challenges and share practical advice about how to improve employee awareness and education programs. The intent of the report is to help information security departments build effective security awareness and training programs with practical insights on how creative and interactive training methods can be used to increase participation and improve employee behavior modification rates.

One of the author’s recommendations in Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison is to consider re-structuring the typical one-year security awareness plan. The approach of such plans that attempt to cover one topic a month is ineffective says Winkler and Manke because it “does not allow for feedback or account for ongoing events”. Instead, they found programs that had 90-day implementations and that conducted reevaluation of the program and its goals every 90-days to be the most effective. “The most successful program focuses on three topics simultaneously that are reinforced regularly throughout the 90 days. Every 90 days, the program is reevaluated to determine what topics need to be addressed moving forward.”

Other areas where the Fortune 500 companies are using new approaches to security awareness training that are covered in the new ISAG report include:

How to obtain C-level support and budget for training programs
Which departments are critical partners for program success
How to use metrics to demonstrate positive results
How to creatively disseminate materials to improve engagement
What types of training materials and tools are most effective

For more, download a free copy of Habits of Highly Successful Security Awareness Programs: A Cross-Company Comparison from the sponsor of the report, Wombat Security Technologies.

More on how to do a 90-day plan can be found by directly contacting Winkler and Manke via whitepaper [at] isag [dot] com

SEC Enforcement Actions Nearly Beat Record in 2012, Anticipated Higher Still in 2013

Stephanie Jordan — Thu, 20 Dec 2012 10:29:36 +0000

The Securities and Exchange Commission set a new annual record with its filing of 147 enforcement actions against investment advisors and investment companies this year. In his blog, Adam Bullock of Smarsh reports that “broker-dealers also saw the impact of SEC oversight more in 2012 than in 2011, with 134 enforcement actions (a 19 percent increase year-over-year). The SEC totaled 734 enforcement actions, one short of the record set in 2011.” The penalties resulting from the record-setting 735 enforcements last year came in at $2.8 billion.

It is not surprising that compliance professionals in the financial services industry are increasingly focused on establishing policies to mitigate risks. Included in those policies are best practices for electronic recordkeeping that encompasses not only email, but also other forms of messaging like social media.

If Bullock is correct in his assumption that the SEC will continue the trend toward more enforcement activities in 2013, then beginning the year off with an exercise to prepare for a SEC examination might be time well spent.

According to Smarsh Founder and CEO, Steve Marsh, the company’s 2012 Electronic Communications Compliance Survey found that the top message types requested during SEC examinations were (in order) email, website pages (including RSS feeds, blogs, wikis),Bloomberg or Reuters messages, and instant messages (IMs).

One of the top concerns for compliance professionals is the growing use of smartphones and tablets. Mobile-specific communications, like text messaging, has potential to be outside the scope of current compliance practices. Of the compliance professionals that participated in the survey, 72 percent were concerned about new communication channels (including text messaging and social media) and 63 percent were concerned about new communication devices.

This year the SEC published guidelines for investment advisors that use social media that included Facebook, Twitter and LinkedIn. This recognition by the SEC that social media adoption is happening within the financial services industry signals a possible addition in typical message types during an exam in the future.

As Marsh says, “It is the content of the communication that determines its status as a business record, not the communication channel itself.”

Marsh’s Navigating the New Regulatory and Compliance Landscape: Electronic Recordkeeping offers a quick review of key SEC electronic recordkeeping requirements. The New Year might be good time to establish an annual review of messaging compliance practices and policies. If the SEC does come to call, Bullock notes that firms should expect just five to 10 days advance notice.

Financial Services and Other Industries Turn to Managed File Transfer and Email Attachment Management to Meet Compliance Regulations

Stephanie Jordan — Wed, 19 Dec 2012 17:34:57 +0000

Managed File Transfer (MFT) continues to gain favor over basic email attachment or simple FTP practices for many companies that must comply with regulations that require a certain level of security and confidentiality. Organizations that have policy requirements for messaging encryption, tracking, and secure sending have found products tailored to specific industry needs, such as financial services, healthcare, legal and government.

Last week Red Earth Software, developer of email management software, released Policy Patrol MFT, a new Managed File Transfer solution that helps companies ensure that large files are delivered instantly and confidential files are delivered securely. Through its integration with Exchange Server, Policy Patrol MFT allows companies to set central email policies and automatically direct certain email attachments via Managed File Transfer without requiring user intervention.

The company says that while many Managed File Transfer solutions require the sender to make the conscious decision to send a file via Managed File Transfer, its Policy Patrol MFT applies Managed File Transfer according to company policies without requiring users to change the way they work. Since Policy Patrol MFT operates at the Exchange Server level, email attachments can automatically be uploaded and delivered through Managed File Transfer without the need for any user intervention and without having to install client software.

Before You Develop That App, Make Sure It's FTC Compliant

Stephanie Jordan — Wed, 19 Dec 2012 17:19:40 +0000

Today there is an app for just about anything and everything. In recognition of this trend, this fall, the Federal Trade Commission (FTC) produced guidelines to assist developers of mobile apps to be in compliance. According to a the most recent edition of Socially Aware, the journal of social media and legal issues produced by Morrison & Foerster, this is just a signal of more to come.

The FTC guide briefly outlines best practices that developers need to adhere to in order to remain in compliance with “truth-in-advertising, privacy, and data security principles.” Says the Socially Aware authors, “The guide, called Marketing Your Mobile App: Get it Right from the Start, explains general consumer protection principles, and applies them to the context of mobile applications. Although the title of the guide suggests that the advice is primarily about marketing the apps, the FTC also gives advice about the design and implementation of apps.”

Essentially, the FTC wants app developers to be aware that mobile apps are included in its policing, under Section 5 authority, against unfair or deceptive acts or practices.

According to the guidelines on the FTC site, apps must:

Tell the Truth About What Your App Can Do. “Whether it’s what you say on a website, in an app store, or within the app itself, you have to tell the truth,” the publication advises.
Disclose Key Information Clearly and Conspicuously. “If you need to disclose information to make what you say accurate, your disclosures have to be clear and conspicuous.”
Build Privacy Considerations in From the Start. Incorporate privacy protections into your practices, limit the information you collect, securely store what you hold on to, and safely dispose of what you no longer need. “For any collection or sharing of information that’s not apparent, get users’ express agreement. That way your customers aren’t unwittingly disclosing information they didn’t mean to share.”
Offer Choices that are Easy to Find and Easy to Use. “Make it easy for people to find the tools you offer, design them so they’re simple to use, and follow through by honoring the choices users have made.”
Honor Your Privacy Promises. “Chances are you make assurances to users about the security standards you apply or what you do with their personal information. App developers—like all other marketers—have to live up to those promises.”
Protect Kids’ Privacy. “If your app is designed for children or if you know that you are collecting personal information from kids, you may have additional requirements under the Children’s Online Privacy Protection Act.”
Collect Sensitive Information Only with Consent. Even when you’re not dealing with kids’ information, it’s important to get users’ affirmative OK before you collect any sensitive data from them, like medical, financial, or precise geolocation information.
Keep User Data Secure. Statutes like the Graham-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act may require you to provide reasonable security for sensitive information. The FTC has free resources to help you develop a security plan appropriate for your business. One place to start: Protecting Personal Information: A Guide for Business.

Morrison & Foerster believe that the publishing of the guidelines signals that more enforcement actions should be expected in the near future, citing that in August 2011, the FTC reached a settlement with W3 Innovations, LLC, for alleged violations of the COPPA rule in its apps directed at children.

The entire Morrison & Foerster article can be found here [PDF].

Verizon Asserts First Amendment Right to Edit the Internet

Stephanie Jordan — Thu, 29 Nov 2012 17:17:33 +0000

A lawsuit brought by Verizon and MetroPCS is challenging the Open Internet Rules issued by the FCC in December 2010 to enforce the principle of Internet neutrality. The companies argue that they have a First Amendment right to exercise “editorial discretion” over the content they transmit; a right they argue renders unconstitutional the FCC’s requirement that they not block or interfere with their customers’ access to lawful Internet content.

“Internet providers are claiming they have a First Amendment right that trumps their users’ free speech rights,” says Center for Democracy & Technology (CDT) Senior Policy Analyst Andrew McDiarmid. “If they’re successful, they get the power to decide what all of us get to say, see, and hear online. That would undermine the key feature of the Internet—the ability of users and services at the edges of the network to communicate and innovate without having to seek permission from gatekeepers.”

CDT, working with Yale Law School’s Information Society Project and joined by over a dozen law professors expert in the First Amendment, telecommunications and Internet law, filed a friend-of-the-court https://www.cdt.org/brief/amicus-brief-cdt-legal-scholars-matter-verizon… “>brief on November 15 in the case of Verizon v. FCC. Oral argument in the case has not yet been scheduled, but is likely to be in early to mid-2013; briefing is scheduled to conclude in January.

Using the Intelligence Locked away in Email

Michael Osterman — Wed, 28 Nov 2012 17:29:59 +0000

For most organizations, the largest single source of information about what’s going on in their business is the collection of user mailboxes and email archives distributed across the company. These data stores contain information about who communicates with whom, what employees say, the files they’re sending, how they spend their time, etc. This rich source of content can provide valuable business intelligence to decision makers, but few extract even a fraction of the valuable content contained therein.

To address this problem, Dell Quest announced MessageStats Business Insights, a feature of the new release of its MessageStats offering. Business Insights provides a number of useful features, including the ability to identify email and social media usage trends by individual users, whether or not sensitive content is being distributed outside of the organization in violation of corporate policies, how email volumes are changing over time, how email is being used as a file transport system, whether or not employees or others are sending harassing or offensive messages, etc. You can find more information about MessageStats here.

Although MessageStats and other tools that offer a deep dive into the business intelligence contained in email systems are extremely valuable, they require a change in the way that many think about email. For example, an Osterman Research survey found that there is wide variability in the way that senior managers view email content. Our research found that 18% of senior managers consider email content to be transitory and that there is no need to retain it, while another 46% believe that while email records are important, they are the responsibility of employees—not IT—to manage properly. Only 35% believe that records in email are important AND should be managed by IT according to corporate policies.

We recommend two things: first focus on email as the incredibly valuable source of business intelligence that it is. Don’t purge email stores without archiving the business content from them, don’t treat email as just a transitory source of information, and manage email according to a set of detailed and thorough corporate policies. Second, implement tools that will give managers proper insight into what is happening in email and how it impacts their business.

Electronic Communication Can Get Your Company in Trouble, but Organizations Are Not Doing Enough to Protect Themselves

Michael Osterman — Thu, 01 Nov 2012 18:26:54 +0000

A woman’s boss overheard that she had purchased a new dress and decided to send her an email late at night telling her “I’m sure you’ll look amazing in it.” After a half-hearted apology for sending her the email, he then sent her an instant message that she felt was “completely inappropriate.”

Two women were fired from PNC Bank for forwarding an email of Hillary Clinton’s head superimposed on a pornographic image. These women then sued PNC for wrongful termination, claiming that PNC had not previously enforced its policies prohibiting such behavior.

A trial lawyer for the Securities and Exchange Commission (SEC) was fired for sending three emails expressing his political views, demeaning support staff, and for mailing a confidential report in violation of SEC policies. The case went to arbitration.

A 17-year-old high school student allegedly received highly inappropriate emails and text messages from a now former Crown Point Community School Corporation employee and filed an 11-claim lawsuit in response.

A collection of a few tweets I found as I’m writing this include:

“(important meeting tomorrow morning but it’s alright my boss is also drunk right now)”
“Sometimes I think my boss is drunk. Not always. Just when he’s drunk.”
“I swear I am going to sock my boss one of these days!! He’s such an idiot!!!! Incompetent!! How he is my boss, I don’t know!!!”
“My customer is like… Stupid or something”

The Carson Medlin Company was censured and fined $20,000 by FINRA for, among other things, it “.…failed to retain all business-related electronic communications…”.

A court found that Samsung, in its recent litigation with Apple, had a duty to impose a legal hold on relevant email beginning in August 2010. However, Samsung did not disable its email system’s auto-delete capability and so was not able to produce relevant email that Apple had requested, resulting in an adverse inference instruction to the jury in the case.

However, most organizations have not addressed the issue adequately according to a study that we published in August:

While 99% of mid-sized and large organizations have an email policy, only 38% report that it is a detailed and thorough policy—61% report that their email policy is basic and covers only general use of email.
Only 34% have a detailed and thorough policy covering use of employer-supplied smartphones.
Only 33% have a detailed and thorough policy covering use of the Web.
Only 31% have a detailed and thorough policy covering use of personally owned smartphones.
Only 21% have a detailed and thorough policy covering use of Facebook.
Only 17% have a detailed and thorough policy covering use of Twitter.

The message here is that organizations are vulnerable to a variety of negative consequences arising from inappropriate or malicious use of electronic communication, but relatively few are taking the proactive steps necessary to prevent or minimize these risks.

Should Twitter Be Considered a Common Carrier?

Michael Osterman — Wed, 17 Oct 2012 19:38:24 +0000

The concept of a “common carrier” is one that has been applied to transport companies for centuries—the first such case on record in English common law dates back to 1348—although in more recent times the concept has been applied to telephone companies, Internet service providers and others that transport electronic content, not just physical goods.

Should this concept apply to Twitter, Facebook and other social media companies that provide transport of information? In other words, should social media companies simply transport all content sent by their users without applying any sort of filtering to this content to prevent transport of things it determines to be offensive, illegal or otherwise not in their best interests?

At issue here is the significant number of tweets from a small handful of Twitter account holders that contain inflammatory content or direct threats against others. As just a few recent examples, there have been a large number of anti-Semitic posts from French-speaking twitter users, Mitt Romney has received a significant number of death threats via Twitter, and numerous athletes have received death threats after making mistakes in big games, not to mention the enormous problem with cyberbullying that victimizes large numbers of young people.

The technology or practice of censoring tweets is not the issue: Twitter can and does censor content already on a country-by-country basis. The much bigger issue is should Twitter filter its content to prevent this type of content from being transported on its network? A common carrier generally cannot do so unless the service is being used for an illegal purpose [Movietime Inc v. NY Telephone Co., 277 App Div 1057, 101 NY Supp.2d 71 (2d Dept 1950)]. However, a common carrier must be certain of the illegal activity and have evidence that its services are being used for illegal purposes [Nadel v NY Tel., 170 NYS2d 95 (1957)] before it is permitted to deny access to its network.

Your thoughts?

A Useful Solution for Document Collaboration

Michael Osterman — Wed, 17 Oct 2012 07:26:28 +0000

One of the fundamental tasks for an information worker is creating and revising documents based on the feedback of multiple users. In my own case, I am frequently working on documents with multiple reviewers, such as white papers that are sent to several clients for feedback. We normally go through several review cycles on the typical document, sending each draft via email, with the need to incorporate feedback—sometimes on the same sentences or paragraphs—from several different people. While there are some useful tools available in Microsoft Word to facilitate the review process, the tools are fairly basic and lots of work is required to ensure that all of the feedback we receive is accurately integrated into each new draft.

I recently was briefed by PleaseTech, a UK-based firm that focuses on solutions specifically designed to address these types of problems. The company offers two products:

PleaseReview is a document review tool that manages the process of reconciling multiple reviewers’ changes, comments and annotations. The solution enables multiple reviewers to work on the same documents simultaneously, both online and offline, using a browser-based interface.
PleaseAuthor is a component-based authoring tool that enables the creation of documents using pre-authored blocks of content.

PleaseReview offers a number of useful features, such as confidential review, in which each reviewers’ comments and changes are not available to other reviewers; and the ability to limit particular users’ edits to specific “zones” within a document. Because the review process tracks changes in a database and not in the native document application (Word, PDF, etc.), an independent audit trail can be established for all changes to a document. This is particularly important in compliance-focused environments.

The fundamental benefits of tools like those offered by PleaseTech are time and cost savings for those who create and review documents—PleaseTech claims that the use of its tools can reduce review cycles by up to 65%, and that it can deliver savings of 35% in the cost of producing documents. Moreover, the ability to create, review and publish documents more quickly can provide a number of less tangible benefits, such as faster delivery of proposals, an enhanced ability to comply with specific legal requirements, eliminating at least some of the disconnect that can occur when collaborators are separated by geography, better version control, and less reliance on emailing documents to collaborators.

Forget Paris—There Is Now Teeth in Reverse Domain Name Hijacking Claims

Stephanie Jordan — Thu, 11 Oct 2012 01:41:18 +0000

Brands used to bully owners of domain names that the brands did not like, without any real legal basis. A new reverse domain name hijacking (“RDNH”) case may prevent this bullying from happening again and cause brands to think twice before initiating suspect legal claims creating a seismic shift in the bargaining powers between domain name owners and trademark owners.

Trademark owners, brands and celebrities often file Uniform Domain Name Resolution (“UDRP”) complaints knowing they have nothing to lose, other than the cost of the filing, to force domain name holders to give up domain names without real legal justification—the definition of RDNH. Because of a recent ruling against the City of Paris, the domain owner can now bite back and recover up to $100,000 in fines, plus actual damages and attorneys’ fees.

RDNH occurs when a trademark owner files legally deficient arbitration complaints or lawsuits against a domain name’s lawful owner to try and scare them into turning over the domain name. If the first threatening letter from the brand’s lawyer did not work, the brand could easily file a UDRP complaint. The UDRP is an arbitration process where the rights to the domain name are decided based only on the papers submitted by the parties. Brands had no risk because no damages could be awarded through a UDRP arbitration for either side. Yes, the arbitrator could rule a trademark owner overreached and engaged in RDNH, but the result was akin to merely having to write your name on the board back in elementary school.

Even if litigation got filed in the U.S. under the Anti-Cybersquatting Consumer Protection Act, and the judge found there was RDNH, the court would only award actual damages and attorneys’ fees. In most cases, the actual damages were small because, while the case was pending, the domain name could still be used, there would just be a lock to prevent its transfer. So what domain name owner would pay thousands of dollars to defend a case just to hope for an award that would result in the payment of his fees and whatever little actual damages he suffered? It was usually easier to transfer the domain to the better-funded brand and move on.

Meanwhile, the trademark owner could seek its actual damages, attorneys’ fees, but also ask the court to grant it a statutory award ranging from $750 to $100,000 if he won. The theory is that the brand name may not suffer much actual damage when a domain name owner takes advantage of a common misspelling or other abuse, so the statutory penalties are in place to deter cybersquatting. As a result, not only did the economics lean in favor of the trademark owner, but all the risk was placed on the owner of the challenged domain name with little upside. Of course, many domain name holders would rather settle than fight that uphill battle—until the City of Paris went too far and the court said enough.

A federal judge in Houston, for the first time, allowed the domain name holder to receive the same statutory damages previously only available to the trademark owners in a RDNH case. The court found the same policy that supported statutory damages applied to victims of RDNH. Along with attorneys’ fees and the maximum statutory award of $100,000, the judge ordered the City of Paris, France to transfer the rights to the domain name parvi.org to a California man. Without the statutory award, the victorious domain name holder would have only received his attorneys’ fees, which would not have been a wise economic gamble.

It all started when Jeffrey Walter registered “parvi.org” as a conjugated form of the Latin word parvus, meaning small, which appealed to Mr. Walter who was providing a software “kernel”, or small core of programming at the heart of a computer operating system. A few years later, the City of Paris filed a UDRP complaint because Paris obtained a French trademark for PARVI for services related to its Wi-Fi services.

The effort was part of an all out war by the City of Paris over domain names held by U.S. citizens such as WifiParis.com, Wifi-Paris.com, paris.com and paris.tv. The fight for parvi.org was the only one where the City of Paris was successful at the UDRP level—at least at first. By filing the complaint, as with all UDRP filers, the City of Paris agreed to be subject to a court action in the jurisdiction of the registrar. In this case, Mr. Walter registered his domain name with GKG.net of Bryan, Texas. Despite agreeing to be subject to jurisdiction in Texas, the City of Paris refused to appear and defaulted.

At the hearing, Mr. Walter’s team put on evidence of Paris’s abusive efforts to take away domain names from U.S. citizens. For years, Paris has been sending threatening cease and desist letters to holders of domain names containing the word “paris” hoping the underfunded individuals would capitulate. Despite the registration of French trademarks, the City of Paris would have no rights to many of those names under U.S. law. Before formal arbitrations were filed, a couple of domain name holders preemptively sued in U.S. courts, but the City of Paris would claim immunity and nothing of lasting precedent would come from those suits. Much like bullies, when truly confronted and forced to defend themselves under U.S. law, the City of Paris refused to show up and defaulted.

The case has garnered attention because of the international intrigue associated with a federal court in Texas claiming the City of Paris, France, behaved improperly. The court faulted Paris for taking advantage of immunity defenses when challenged by U.S. domain name holders and then ignoring its agreement to resolve disputes in the jurisdiction of the registrar.

More important than the novelty of a penalty against the City of Lights, this ruling may provide the precedent for other domain name holders to fight back under the Anti-Cybersquatting Consumer Protection Act. If the domain name holders can prove the trademark owners acted in bad faith under the circumstances of their own case, they, too may put some teeth into a RDNH claim. Until now, it was nothing more than a growl.

About Travis Crabtree:
Travis Crabtree is a lawyer with the law firm of Looper Reed of McGraw, P.C. who worked on the team representing the Mr. Walter in Cause No. 09-3939; Walter v. The City of Paris, In the Southern District of Texas. Mr. Crabtree focuses his practice on internet and marketing law, and you can read about this case and other legal issues dealing with emerging media and the internet on his blog www.emedialaw.com.

Under Attack - The Future of Online Trust

Stephanie Jordan — Mon, 17 Sep 2012 18:54:33 +0000

As businesses look to implement innovative new cloud services and support multiple platforms and devices, they are faced with the daunting task of maintaining security, data, privacy and the identities of the users and customers they support. Unfortunately, data loss incidents, misguided privacy policies, grievous data collection practices and ineffective planning and communication responses are becoming commonplace. We are at risk of becoming causalities in what is shaping up to be a never-ending war against cybercriminals, politically-charged hactivsts, data thieves and data saboteurs. Online trust and user confidence are becoming daily casualties. To help address these threats and protect the online ecosystem, the Online Trust Alliance is hosting its annual educational Forum in San Jose, October 1–4.

As recent experiences by Zappos and others have recently proven, trust is an asset which takes a long time to build, but a millisecond to lose. The level of trust or distrust impacts business and government efficiency, effectiveness and relevancy to those they serve. All too often efforts to enhance and protect trust are an afterthought or a short-lived initiative.

New levels of sophisticated spear phishing and whaling fueled by resilient botnets, social networking abuse and malicious advertising, are putting every business at risk. The impact is both direct and indirect. Employees of cloud service providers and critical infrastructure are increasingly being targeted, diverting resources which could be used to innovate or serve customers.

With this onslaught of threats it is imperative for both the private and public sectors to renew a commitment to implementing a security- and privacy-by-design discipline. While there is no silver bullet or absolute guarantee of protection, the following simple steps can reduce the risk of security issues by upwards of 80 percent:

Implement comprehensive email authentication with BOTH SPF and DKIM for all domains and subdomains; incorporate authentication checks into all inbound email.
Upgrade all users to the most current browsers, with integrated protection from phishing and drive-by downloads. Consider activating privacy controls and tracking controls from unknown third-party sites.
Support and publish a DMARC record (Domain-based Message Authentication, Reporting & Conformance), providing ISPs and receiving networks enhanced ability to block spoofed email.
Review and test your server’s SSL implementation. Site scores less than 80 require immediate attention.
Revisit your data collection, retention polices and data encryption methods. The less data retained, the less data can be lost. As observed with the recent breach by Yahoo! Mail, data encryption has evolved significantly and practices deployed just a few years ago are proving to be ineffective today. Data in-use, in-transit and archived should all be encrypted.
Continually test all client applications for known vulnerabilities. Consider such tools such as Secunia’s PSI (Personal Software Inspector).
Upgrade your site to Always-On SSL, (AOSSL). AOSSL is a best practice to secure sensitive data, especially for users of public Wi-Fi hot spots. Criminals can snoop or “sidejack” cookies and data packets from unsuspecting users. Sidejacking allows hackers to intercept cookies (typically used to retain user-specific information such as username, password and session data) when they are transmitted without the protection of SSL encryption.
Data Loss Incident Planning—Develop tests and refresh data incident response plans. It is incumbent for all businesses to have a plan in place. Not only will this help minimize the impact from a breach, having a plan in place with an effective communications and remediation strategy in place will protect the trust and confidence of your users.
Revalidate user access controls for both internal and external systems and services. Access should be limited and contained for business purposes based on employees’ roles. Ensure processes are in place to revoke user privileges with vendors and service providers upon termination and/or job change.

To learn best practices to implementing these and other best practices, attend the upcoming OTA Online Trust Forum in San Jose Oct 1-4. Over 50 speakers, 25 sessions and compelling full-day trainings on email authentication/DMARC, Mobile Security & Privacy or botnets. Save 25 percent by registering by September 20 with code mnews25.

About Craig Spiezle
Craig Spiezle is the executive director and president of the Online Trust Alliance, and is recognized as an advocate for consumer trust, brand protection and the need for innovation. Spiezle serves on the Board of the Identity Theft Council, and is an active member of AWPG, IAPP and InfraGard. He will be chairing the Seventh Annual Online Trust Forum this fall, Oct. 1-4, 2012, in San Jose. For more information visit: https://otalliance.org/forum.html. To reach Craig Spiezle directly, contact him at craigs [at] otalliance [dot] org .

League Formed to Defend the Open Internet

Stephanie Jordan — Tue, 31 Jul 2012 04:31:37 +0000

A loose coalition of Internet companies, advocacy groups and individuals that helped defeat SOPA/PIPA have launched the Internet Defense League (IDL). The group is looking to enlist millions of people around a shared set of values, namely “defending an open and innovative Internet and making it better.”

According to Brock Meeks of the Center for Democracy & Technology (CDT), the new movement, of which CDT is a member, is still defining itself and is cultivating relationships. The IDL founders want to take the tactics that defeated SOPA and PIPA and create a permanent force. The IDL website describes it this way, “Think of it like the Internet’s Emergency Broadcast System, or its bat signal!”

The IDL movement is described as being in “beta mode,” but it appears to have some big names behind it like Mozilla, WordPress, EFF, Fight for the Future, among many others. Of the current stage of development, Meeks says “New relationships will be formed, strategies will be tightened, new muscles flexed and the adrenaline of advocacy will be channeled into a skill set that’s ready and willing to step up and defend the Internet, whenever that call goes out.”

The goal of IDL is to essentially become a center for mobilization against perceived threats to Internet freedoms. Members will be alerted to situations and given action recommendations, but members can pick and choose which of those recommendations to adhere to. Learn more about becoming a member of IDL by visiting its website.

The Politics of Security

Michael Osterman — Thu, 26 Jul 2012 19:34:34 +0000

I spent some time at Black Hat this week and was both impressed and scared by the tenor of the discussions around security—or the lack of it—in our national infrastructure, our computer systems, and even our smartphones. For example, Trustwave SpiderLabs has published some disturbing statistics: 84% of organizations that have been hacked or victimized by malware were not able to detect the breach themselves, the average attack goes on for 173.5 days—nearly six months—inside a victim’s IT environment before being detected, and 89% of breach investigations focus on customer records.

Why is security so poor despite the tens of billions that have been spent on it over the past couple of decades? Other than the obvious answer of the bad guys getting smarter, another explanation that explains at least part of the problem is the lack of proactivity with regard to security inside many organizations. The founder of a leading security company with whom I spoke at the conference (I’m not sure he’d want me to use his name) attributes it to a combination of politics, passing the buck and incompetence in many organizations. In government organizations, the lack of accountability and repercussions (you can’t sue the government) is an additional factor.

For example, the CISO will often view security as painfully and unnecessarily impacting his or her budget and so won’t take the necessary steps to combat the problem. The CFO who could approve the necessary budget often does not understand the issues or risks involved. Many in IT believe that being proactive about security is “above their pay grade,” and so they don’t work to improve security. For those in IT that do understand the problem and are willing to do the work necessary to apply patches to improve security, senior management will sometimes call them on the carpet for the increased downtime that results from the increased number of security patches.

As much as organizations may not be proactive about security, they certainly are reactive—for at least six to 12 weeks—following a major data breach. Wallets are opened immediately following the breach or other security intrusion and spending to remediate the problem abounds. However, after the shock of the breach has worn off, the status quo reemerges until the next major security problem. The individual with whom I spoke has seen organizations breached up to five times in a year because of this cycle of no proactivity followed by temporarily intense reactivity.

One of the keys to solving the security problem is to fight the natural human tendency to address problems only after they have occurred. But is overcoming human nature in the quest to protect our infrastructure and our data assets even possible? I’d appreciate hearing your thoughts about this.

BYOD's Downside: Higher IT Costs, Data Security and Compliance Concerns

Stephanie Jordan — Mon, 23 Jul 2012 21:32:54 +0000

One of the most talked about trends in messaging today is BYOD (Bring Your Own Device), which began about the time iPhone mania really took hold. After 2007, when third-party developers were encouraged to develop apps for the iPhone, users started to abandon corporate issued BlackBerrys in favor of their own phones and apps. Shortly thereafter, Android, iPad and a host of other devices with roots in consumer product design were streaming through corporate doors. The BYOD trend has put IT in a tough spot, and has captured the attention of vendors responding to the new need for mobile device management (MDM). Initially, we had on premises MDM offerings from companies like Good Technology, Sybase and MobileIron. Now, with the rise of “the cloud,” we see MDM cloud services, which have lower price points and can leverage the managed services approach.

One such recent offering, announced last week, is from Azaleos Corporation, known for managed Exchange and managed SharePoint. The Azaleos Managed Mobile Device Management Service enables enterprises to centrally secure and control all leading mobile devices, including employee owned smartphones and tablets. The Azaleos Managed MDM service is based on technology from market leading MDM provider AirWatch and provides proactive 24x7 monitoring and management of company-issued and employee-owned mobile devices.

The need for MDM appears to be growing. A recent study conducted by Osterman Research revealed that full-time employee staff requirements to manage smartphones increased from a median of 2.9 per 1,000 mobile devices in 2011 to 3.6 today and is expected to reach 4.0 in 2013. The corresponding annual IT labor cost per user was $229 in 2011, $294 in 2012, and is projected to rise to $339 in 2013.

“Organizations that do not address MDM properly face a growing set of risks, including an inability to adequately secure and retain data on mobile devices, greater downtime, higher IT costs, regulatory compliance violations and reduced employee productivity,” believes Michael Osterman, president of Osterman Research.

A key area of BYOD concern to Osterman is content retention and management. In a recent research paper entitled Putting IT Back in Control of BYOD he wrote: “Smartphones and tablets contain a significant proportion of corporate data. Osterman Research has found that more than five percent of corporate data is stored just on users’ smartphones—we expect this figure to soar during the next 24 months as iPads and other tablets are employed in much larger numbers. Employee-owned and controlled devices make access to this data by corporate IT or compliance departments much more difficult, such as during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees’ personal property.”

At this point, the BYOD trend is so entrenched that trying to control what device employees may use is likely to fail, Osterman predicts. He believes that employees, if faced with such restrictions, will use their device of choice secretly. Another reason he does not advise trying to restrict users from making their own choices is productivity. “The vast majority of employees do not use their own devices or applications simply for the fun of it,” he says. “They are doing so to be more productive, and to bypass IT restrictions (e.g., email file-size limits) that prevent them from being effective in their work.”

The simplicity of the cloud services converging with the increased number of mobile device platforms coming into corporate environs makes MDM increasing of interest to IT. In a MDM survey, Osterman found among organizations that have not yet deployed an MDM solution, 32 percent will deploy one in 2013 and an additional 24 percent plan to deploy one in 2014.