Business leaders with whom I speak are nervous about security. The recent report that the White House was breached by Chinese hackers doesn’t help their nerves. After all, the breach was characterized as a break into one of our most sensitive networks. The network is used by the White House Military Office for nuclear commands – this according to defense officials.
Many business folks think: “If they can hack the White House, for Gosh sake, they can break us too.”
Not necessarily (and I’ll resist the temptation to evaluate government “efficiency”). You see, this break was characterized as a “spear phishing attack.” Spear phishing relies less on sophisticated technical hacking than on simply fooling e-mail recipients into divulging confidential information, including login credentials.
Officials characterize these types of attacks as “not infrequent” – thus you would think that staffers and officials would exercise extreme caution before divulging sensitive information. And yet, we know that human error and misjudgments are the larger part of breaches and loss. But what of you – and allied business?
Reinforce caution with all employees in their use of electronic enablements: in-house systems; communications systems such as e-mail; social networks; information disseminated on blogs; live chat windows, and so forth. Ensure that all outside parties – vendors, visitors, solutions partners, associates, etc. – understand your security posture and policy.
Keep training efforts regularized and up-to-date.
If the White House is listening: Please fix this fast. A former intelligence official who is familiar with the breached office says, “This is the most sensitive office in the U.S. government. A compromise there would cause grave strategic damage to the United States.”
Now Playing: Grateful Dead, Terrapin Station – vinyl, Nautilus SuperDisc. Carver C1; Carver M-500t; Thorens TD-125, Shure v15v xMR.
A business system recently came to my attention that had a number of ambiguous paths and choices – it was difficult to know what to click in order to proceed. The system is a core, mission-critical, business system at a “big box” retailer.
As to the ambiguities, consider this: When ordering a major product for a customer (in terms of size and cost), a model number is entered – after calling up an existing customer record or creating a new one. Once the product is added as a line to the order, the user is confronted with two buttons: “Order Product” at center-bottom of screen, and “Continue” at bottom-right. Hmmm…
Now, after undergoing a modicum of training, and with some acclimation to the system, a user knows to click “Continue” in order to complete the order, and knows to click “Order Product” to add another line item (another specific product) to the order. However, for new employees, the system can be cumbersome and arcane. Here, it would be an easy enough job for any business analyst to view the system through the user’s eyes: The “Order Product” button can just as easily be labeled “Add Another Item” or “Add Another Product.” Once all products are added, it is quite intuitive to click the “Continue” button to move the order along to completion. Much easier on the users, and easy-to-understand screens match training far better.
Another area of the system has a template for fill-in of very complex products. One example: carpeting. Here, specifications (and fields) include Type (loop, pattern, texture, twist), Color, Brand, Fiber, and other qualifiers. However, a system anomaly exists here: The more comprehensively you fill in the template, the more likely you are to receive a system error! In fact, it’s best to fill in one field, and to proceed through a more cumbersome (and, under usual circumstances, more inefficient) path to ultimate resolution of ordering carpet.
I see breakages and ambiguities like this all the time in the course of my consultations. I hear complaints from business people quite frequently. Here, IT needs to build applications and associated designs while imagining the business-class user’s negotiation of the system – to a business end. It’s really not that difficult.
To business folks: When participating as a stakeholder, and partnering with an IT counterpart, listen to what you’re saying through their ears, and be aware of what may be ambiguous to them. Smash ambiguity – be specific in how systems are to work, how systems are to look.
To IT folks: Design and exercise beta versions from business’ perspective, and watch for ambiguous and broken paths and procedures.
It’s easy to do with a little practice – and well worth it.
Now Playing: John Lee Hooker, Endless Boogie, original (commercial) open-reel tape, 3 ¾ IPS.
A social network user suffered a federal criminal prosecution in 2008 for violating the site’s terms of service. However, this prosecution was grounded in the assumption that a private company’s terms and conditions enjoyed a standing within, and were incorporated into, the federal criminal code (the assumption was made absent any formal ascertaining of that standing for terms/conditions of service/use by any proper oversight authority – a relevant court).
The court, in this case where the prosecution was attempted, held that this interpretation could not withstand Constitutional challenge, and entered a judgment of acquittal. Further, the highest federal legal authority (short of the Supreme Court), the U.S. Justice Department, now holds that these sorts of prosecutions will not be attempted.
Commercial sites collect and analyze data about their customers for purpose of marketing, service, and sales. Mere visitors also may have data collected regarding them. Recognize that the sites must disclose types of data, and the purpose for its collection and associated use. On the federal level, the Federal Trade Commission (FTC) will pursue violators of consumer privacy rights, or ones that mislead consumers by stating uses of data and associated protections that are not true reflections of use and security. At the state level, attorneys general make these enforcements of consumer protection laws.
What of children? They are consumers of web services too – just by virtue of “surfing” the web. The Children’s Online Privacy Protection Act (COPPA) provides an extra measure of protection for them. When a website is “directed to children,” or whose operator knows that the site is collecting information from children, it must not do so without parental consent. There is no formal definition of “directed to children” by rule or statute; the enforcer of COPPA, the FTC, has been seen to interpret this as meaning “directed primarily to children.”
Now Playing: Brubeck, Time Out.
It may surprise some readers that the Federalist Papers were written anonymously; published and signed as “PUBLIUS.” James Madison, John Jay, and Alexander Hamilton (maybe others) utilized this pseudonym in the production of 85 essays supporting ratification of the U.S. Constitution.
More recently, the State of Ohio and its legislature attempted to ban anonymous political literature. The law was struck down by the U.S. Supreme Court, which stated: “The right to remain anonymous may be abused when it shields fraudulent conduct. But… in general, our society accords greater weight to the value of free speech than to the dangers of its misuse.”
That’s an important recognition and right. But recognize this too: There is no right to express one’s views anonymously online.
At the same time, a certain de facto anonymity can exist and is quite common. Many forums, blogs, news articles, etc., allow login and submission for anonymous posting. One can also submit pseudonymously through simple account/free-mail creation. Yet, a practical means of identification does still exist. For example, an entity can contact a forum’s host, checking the IP address of a user; the ISP can then be contacted, and various logs can at least narrow the search considerably. This can be employed upon discovery of violation of intellectual property rights, defamatory comments, criminal activity, and so on.
Fortunately, there are State and Federal laws that help to discourage invasions of privacy online. The Electronic Communications Privacy Act (ECPA) prohibits access to any computer absent proper authorization. The Computer Fraud and Abuse Act (CFAA) makes it illegal to access any “protected computer without authorization, or exceeding authorized access.” Then there is the CAN-SPAM Act. This law requires all unsolicited commercial e-mail to provide an ability to opt-out.
Fortunately, most states now have data breach notification laws. Companies that harbor the private information of individuals must notify them in the event of any breach of privacy.
We’ll continue in the coming days…
Now Playing: Josh White sings Ballads – Blues; original 1957 pressing of this LP on Elektra. Carver C-1; Carver M-500t; Thorens TD-125 w/ Shure v15v xMR. Peerless in Jensen cabs.
It’s rather interesting to monitor what’s happening in the UK right now. Data protection legislation is moving forward. And… business there supports data protection legislation.
A survey of 1200 businesses indicates that those businesses are concerned about the strength of laws: Nearly 50% feel that laws are weak and require revision, and 87% believe that organizations should be required to divulge breaches of sensitive content where information about the public is involved. [Source: Sophos].
Here in the U.S., I rather doubt business is keen on more legislative oversight. Generally speaking, I’m wary of new legislation – new laws must be thoroughly reviewed so as to guard against unintended – and negative – consequences, particularly where business is concerned. In today’s economy, we don’t want to impinge businesses’ opportunities for hearty conduct and growth.
However, I do like the breach notification idea. It serves a couple purposes that come readily to mind:
– Stakeholders (the public, customers, allied agencies…) are entitled to know about breaches that affect them, or ones that just have the potential to affect the general well-being of the business.
– Also, healthy exposure, and just the potential for it, helps to motivate businesses to keep their ongoing security measures current.
Particularly for small/medium business, and smaller government agencies such as those at county/municipality level: Do you have in-house security professionals who cast the horizon for new threats, with attendant posture of proactivity? And (or), do you have strong security partners in the form of vendors and allied security products?
How do readers here feel about it? Would you welcome new legislation? Are you confident regarding security in your organization?
The Washington Post recently reported that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.
If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support: That of water, power, communications, and other essentials such as policing.
There have been many hacks and harming incidents of various scope and harm in years past, of course. However, those were squarely within the realm of information’s availability or wellness: Incidents involving theft of content, destruction/corruption of it, or the interruption of availability to it by harming websites and their availability.
But now, there are entirely new vulnerabilities faced by our government, and consequently by you and your organization. Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past. But what of more mundane, and perhaps more likely, concerns for the average organization?
Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking). What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen: Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.” It will be sport. It will be an attempt to gain mention on the daily news cycle.
Why? Because if people can do it, they generally will.
Begin with a review of your Acceptable Use Policy (AUP): Make certain people in your organization are not opening security vulnerabilities. Then review your Mobile Policy. Folks shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address. If your org has a Bring Your Own Device (BYOD) Policy, ensure that it is updated to support the AUP, the MP, and all other security policies and documentation sets.
They also shouldn’t be posting comments to boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization. Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive: There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.
Review all security policies, and establish a monthly or quarterly security refresher training. All actions and activities should be viewed through security’s prism.
Make everyone in the organization a virtual security officer.
Whether we wish it or not, our lives are becoming ever more open, and the most intimate details of our personal lives are being made available in a very public way. Apps capture and compile information about our likes and dislikes, our shopping habits, where we go and how, etc.
If you use social networking, such as the seemingly ubiquitous Facebook, it’s not just what you choose to share – it’s also what your friends post and discuss about you. Even if you eschew social networking, we’re on store cams – smartcams – which increasingly include facial recognition. Even our property is not immune from a privacy intrusion of sorts: Entities such as Google are photographing that, from cars and satellites no less.
Imagine this: You’re walking through town, a smartphone at your waist – facing front. It scans, captures and processes the faces streaming past you. You not only capture who they are, their names, but where they live, and work. You can know their interests, their professional associates and friends, as well as their educational and any criminal background.
Consider this: It is thought that most under-30 police officers have Facebook pages. Does this inhibit undercover police work? What of the future?
In the coming days, we’ll explore areas where a certain anonymity may be granted (and therefore an expectation of online privacy), and conditions whereby anonymity may be broken. That is undergoing a bit of research on my part, and we’ll pick this “thread” back up in the coming days…
[Note: These are my present understandings regarding specific areas of internet law; you will want to vet this material to your own satisfaction, and will also need to monitor this ever-changing environment. – DS]
Many readers here will be aware of the internet’s beginnings: From research and development in the early ‘60s by the Advanced Research Projects Agency, yielding the ARPAnet, on through the Department of Defense’s work, giving rise to the DARPAnet, we eventually arrived at today’s Internet.
By 1991, a limited internet was operating beyond governmental development and serving an academic user base, and that infrastructure evolved into the large, widespread commercial use we see today.
In examining the period comprising the early 1990s onward and the Internet’s associated use, we can realize that Internet law has had a generation to develop. Of particular interest to both individual users and business are National and International laws regulating the Internet’s use – here we’ll concentrate on two things: 1) Online contracts and 2) Privacy.
Changing Terms: An important principle to understand:
Hardcopy Contracts, Purchase Orders, Requests for Proposals (RFPs), etc.
Be aware of an emerging trend and practice: Increasingly, organizations are issuing hard-copy form contracts and other similar documentation that do not have all terms and conditions printed on them. Instead, they incorporate these by reference to the organization’s website. The date of the hardcopy item, with associated signatures, determines which version of the posted terms and conditions applies. Watch for this situation to supplant “fine print,” comprehensive, contracts and documents. Hardcopy forms don’t have to be changed as often when “offloading” the details to a web reference.
This sort of “Hybrid” documentation has been challenged on the grounds that specific terms and conditions are not sufficiently conspicuous. However, courts have already upheld the validity of these incorporations by reference; there only need be a clearly identified website in the document, and that website indicated as harboring the proper provisions.
Next Up: Online Privacy.
According to security firm Rapid7, approximately 94 million personal files of Americans have been exposed by government agencies since 2009 – those that we know about, that is.
There are likely even more, given the fact that many states do not require agencies to report breaches.
As to the Feds: According to a recent Government Accountability Office (GAO) report, 18 of 24 surveyed Federal agencies had poor security controls, deemed not of sufficient standards for securing our personal information.
Private business has nothing to brag about either. Breaches were up 58% in 2011 over 2010, and 2012 will beat last year.
None of this surprises me: From a recent visit, I know for certain that a certain high-profile Fortune 100 firm simply does not enforce their policy requiring all users to log out of computer systems at end-of-day, or during extended absences from their desks/work areas. It’s rather extraordinary: People who are gone for the day remain logged in throughout the office, with a variety of proprietary, confidential, client, and personal information displayed. So much for systems that employ individual and group securities, and associated access/enablements. (Lest anyone wonder why automatic logouts are not employed, I wonder too).
IdentityForce™ estimates that 86% of data breaches are not IT-related (that is, due to faults within IT systems, processes, or protections), but rather are due to lapses in policy and training.
It has always been my view that matters of human error, and simple lack of care, are the better part of so-called “breaches” – and in those instances are better described as data exposures. Regardless, organizations seem to be at increasing risk, rather than decreasing, for allowing sensitive data to reach the wrong parties.
Is your organization at risk? It’s time for a survey – even if you feel you’re fairly tight. Survey your environment, and you can pretty much figure that your Acceptable Use, Security, and Disaster Recovery plans, policies and postures are due for modernization and updating.
Then train your personnel for appropriate behaviors and contingencies… essentially, today, everyone should be a virtual security officer…
Keep this important BTW tenet in mind: In the realm of risk, unmanaged possibilities become probabilities.
From Part I, our goal for the course of best business-IT outcomes is to gain the ready-agreement by both sides for fully sanctioned progressions, for delivery of best solutions, within best business and IT practices. And, all of this must be done in service to best ROI, TCO and TtV considerations. In getting to a best business-IT environment, an ability to sell will be key. In achieving this, we can use the Engage; Qualify; Overcome; and Close model. But first –
Most folks here are well-familiar with the concepts and related goals of best Returns-on-Investments (we want to maximize our returns: profits, efficiencies, reinvestments, etc.) and Total Cost of Overhead (we want to drive those costs down as much as possible). But what of TtV – Time to Value?
In the matter of TtV, we want to serve the present as efficiently as possible through the delivery of timely projects, with on-target solutions, that serve business, as well as IT goals. Too, we want to plan our future effectively, with upcoming deliveries happening on-time – in fact, if we can get solving and serving things into place even faster than anticipated, so much the better.
However, a qualifier here is that we do things efficiently, and as rapidly as possible, within all legal, ethical, and safety considerations, at all times. We also don’t want to stress people and projects in service to timelines and pressures that are unrealistic, or just too aggressive. Given those cautions, TtV is very important, and should always be “collapsed” to the shortest time possible, with associated prudence.
So – business needs deliveries from IT; short and long-term: Technical systems and enablements that grant effective conduct of business.
IT needs exposures from business stakeholders in order to deliver enabling things: What does business want/need? When? How will we (IT) deliver that? (What budget are we allowed? Who from business is available to engage?)
For both business and IT: How do we negotiate changes? How do we lobby for more resources? How do we adjust budgets (either up or down)? How do we lobby for time? We “sell” – and get the other party to “buy.”
Everything ultimately involves a sale.
So – how to sell? There are four basic steps:
1) Engage: Engagement in a business environment is formally achieved through meetings, both ad hoc and scheduled (such as the regular meetings that serve a project’s general management, or weekly status meetings, for example). There are also many one-on-one meetings, whereby a business stakeholder or IT person simply schedules a meeting, or “drops by” to discuss an issue or initiative. Engaging in a direct sense is not particularly challenging for readers here, but quality of engagement can be. Remember to engage with positivity, from an informed and ready posture, and bring solid contributions for the advancement of the organization’s initiatives and business.
2) Qualify: When either business or IT engages, for purpose of advancing an idea or specific initiative, one side must qualify the other (in order to “sell” the other side on cooperation, in service to the goal). Is the other side (party, group, individual, department, etc.) informed, or do we need to set fundamental understandings first? Are they qualified to hear and digest what I want to present (and sell)? If I’m asking them to make changes, to spec something up, to hold something back in prioritizing something else… are they able to do that? Do they have decision authority, or will they have to seek approval up the line? Qualify that. Will they need additional budget? Qualify that. Can they ramp up – do they have the people, knowledge, and time to do it? Qualify that. Will they need to lobby their management chain for additional budget, or do they have power and sanctioning authority within their group to direct dollars to the considerations under discussion? Qualify that. Qualify, and thus know.
3) Overcome: Whether it’s business or IT speaking within their respective discipline (one IT group to another, for example), or across to the other (business stakeholders delivering requirements to IT, as another example) – the “buying” party (hopefully) may have objections. “We can’t fund Initiative X this Quarter, because we have Initiative Y underway, and we’re experiencing cost overruns.” Here, assuming a meritorious case for progressing, overcoming the objection may involve something like this – IT: “Well, we have an extreme security vulnerability here; we need your department’s engagement in sewing this situation shut. Can we lobby for more budget this Quarter? We’ll help you to make the case with senior management.” A business department might respond: “Sure; let’s get all of the reasoning and documentation together; we’ll juggle priorities and get the necessary resources – obviously this is important.”
4) Close: Cement the agreements – the “buying” of the “sell” – by documenting all agreements and necessary actions. Make assignments, and agree to deliveries, standards, and dates.
Go into any business or IT discussion with a solid understanding of the process above. Have ready answers in service to the model.
Remember: to engage with positivity, for positive pursuits and positive results. Qualify the other side as being best positioned to receive your “pitch” upon that engagement. Be prepared to face objections, so that you can cite your case in overcoming those objections, for purpose of getting on the necessary path for progression to the goal(s).
Close the sale by securing and documenting all agreements, responsibilities, standards and deliveries.