The Business-Technology Weave


March 1, 2012  12:28 PM

Leveraging Knowledge Requires… Knowledge



Posted by: David Scott
best practice, business risk, data breach, data theft, IT knowledge, IT risk, IT security, IT training, IT Wars, security policy, the business-technology weave

Leaders must have the skill to recognize skills in others. 

 

The IT field, like any, is rife with people who talk a good game.  Some walk like they talk – some don’t.  The average candidate for your IT department will appear conversant in technical matters, they will profess a belief in quality of service principles, and of course they are brought on board with high expectations.  We know that many people fall short of these expectations – in all fields and areas of endeavor.  But in cases of flat-out bad IT hires, we have an enormous drain on resources.  In the IT department, a sub-optimal hire compounds across the organization in a very detrimental way, since IT supports virtually the entire organization and almost every effort within. 

 

We also know how much time and effort it takes to dismiss an employee.  Often an employee must be left within a performance arena in order for us to record and document poor performance.  For IT, this is a cruel irony and a ticklish game – trying to maintain security and solid support while leaving job duties in the hands of a poor performer.  The associated inefficiencies brought about by increased oversight, double-checking, and counseling are their own drain – in addition to the lack of results.  There is also the impact to staff morale.  For these reasons, you need an IT leadership that can smoke out the true candidates worthy of hire, investment, and promotion.  

 

These things make it imperative for your IT leader to understand something about most areas of IT technical endeavor.  This person does not need to have a deep background in all areas or even specific areas. This person just needs to have a solid understanding of the principles that guide areas, and a good familiarity with the higher-level best practices for managing each area.  Much of the vetting of personnel falls to the managers just under the top leadership.  Therefore, top leadership needs to qualify in making those managers the best possible investment that your organization can make, as those managers groom the rest of the department.

 

Image credit:  digitalart

December 13, 2011  9:53 AM

View EVERY Action through Security’s Prism



Posted by: David Scott
content, content handling, content security, data security, e-mail, e-mail mistake, e-mail security, reply, reply all

 

A British recruitment executive making over $300,000 a year is out of a job after hitting “Reply All” by mistake on an e-mail.

 

Gary Chaplin was a top executive at a “headhunting” firm (emphasis on “was”) when he received an e-mail from Manos Katsampoukas.  Katsampoukas had e-mailed, rather incredibly, 4,000 people a copy of his curriculum vitae (CV) in seeking a finance or marketing position.

 

Unfortunately, Mr. Chaplin was less than professional in his response, telling Mr. Katsampoukas to “Please f*** off – you are too stupid to get a job, even in banking.”  There were a few other choice words, but you get the idea.  That response is enough to get sacked, in my opinion, but the reply went back to all 4,000 people Katsampoukas e-mailed initially.  (Source:  The Sun, UK).  Oops.

 

Gone is Mr. Chaplin’s job of 5 years for Stark Brooks, which would seem to be a top destination for any recruiter.  They handle the needs of the largest firms, such as Heinz, Kellogg’s and Bentley, in recruiting and delivering top executive talent.

 

And that brings us to some sage advice that’s been profiled here in the past:  View every activity through a security prism.  Here specifically today, consider carefully what you’re saying in an e-mail, and be sure to read it through the recipient’s eyes before hitting Send.  Also, review the recipient list:  Are you accidentally invoking Reply All when you really only mean to send a Reply?  Are there folks you’re copying who might be better served with a BCC?

 

Beware of BCC too:  Sometimes people, particularly senior ones, view a BCC as something furtive on the part of the sender.  Be certain you’re using discretion for positive communications in service to the betterment of something.  Don’t junk up the inboxes of folks with BCCs that are relatively low-level beefs or petty issues.  Where possible, wait a day on some e-mails – if it still seems important next-day – send it then.

 

When in a professional setting, be professional and remain professional.  It’s hard some days (I know), but secure your job.

 

Security includes appropriate communications:  In securing your organization’s reputation, in securing your own personal business reputation, and in securing your very job.

 

View every activity through security’s prism.

 

NP:  I Hear You Knocking, Smiley Lewis, original Imperial 78rpm (on an Esoteric Sound Restoration turntable).


December 7, 2011  10:28 AM

Looming Liability: Non-Work Apps in the Workplace



Posted by: David Scott
business productivity, content management, data security, employee monitoring, employee training, enterprise security, IT productivity, IT training, non-work applications, Non-work apps, small-to-medium business security, SMB security, workplace security

 

Small-to-Medium Businesses (SMBs), and in many cases large enterprise environments, face a burgeoning challenge.  Namely, how to train, monitor, discipline and, in some cases, make allowance regarding employees’ use of non-work applications.

 

First, the plethora of temptations:  Gmail (and other free-mail); Facebook (and other social networking sites); instant chat agents/direct messaging; Dropbox and other fileshares; 3G cards, Flickr, Skype, Youtube, comment areas, unauthorized websites, smartphones, and on and on…

 

While these and other elements can have some measure of sanction in some organizations, there is also a “Wild West” situation in others, whereby unregulated use leads to unbridled time-wasting, and the opening of avenues of risk.

 

In fact, some employees labor to skirt all manner of domain policies, inhibit anti-virus/malware controls, and flout Acceptable Use policies where they exist.

 

As far as avenues of risk and temptation:  It’s only going to get worse, with ever-more extraneous endeavors available, and plenty of employees will inhabit non-productive, risky activities.

 

It’s important to set expectations right up front.  Policies for security and the acceptable use of systems should be published quarterly, and again upon significant update.  All new employees must be apprised of the organization’s position regarding non-work applications and areas.

 

In many cases, there will be outright bars to use of social networking or random surfing.  However, in many cases there will be official work accounts for Facebook, for example.  Here, it’s important to state whether there is allowance as well for personal Facebook time.  Be aware that employees have been documented as forgetting which social networking account they’re inhabiting, and have made inappropriate communications/postings regarding either work or personal matters to the wrong account.

 

No matter your organization’s mission, size, or tolerance of various non-work items:  State a policy for all areas of concern.  Educate employees so they know what they may and may not do.  Discipline those who break rules.

 

Don’t wait for the inadvertent, or even deliberate, exposure of sensitive company assets to the wrong forum.  Don’t wait for a debilitating decline in productivity.  Make certain that HR and IT address the “do”s and “don’t”s in your regular staff meetings, and that those departments are current and questing in the case of managing non-work apps and enablements.  Maintain policies with a forward eye.

 

JOTD:  Two horses and a dog are in a barn.  The older horse says to the younger horse, “Hey, tomorrow is my last race, and if I win, my owners are likely to put me to pasture and I’ll enjoy my last days in the sun.  However, if I lose, they may be unhappy enough to send me to the glue factory.  I think I can best all the other horses with the exception of you.  Will you let me win tomorrow?  It’s only one race, after all…”.

The younger horse thinks for a moment, and says, “Well, I don’t know.  I’ve won all my races thus far, and I have an unblemished record.  I don’t want to ruin that – plus, if I lose the race to an older horse like you, I may never recover my reputation.  No, I don’t think I can do it.”

Just then the dog, who has been listening in, speaks up and says to the younger horse, “Listen to yourself!  Your friend has asked you for one simple favor:  To lose to him tomorrow, in order to possibly save his life.  You only have to come in second for one race; you can still beat all the other horses.  How about it?”

The younger horse turns to the older horse and says, “Hey, look at that… a talking dog!”


December 5, 2011  8:26 AM

PC Magazine’s “The 25 Worst Passwords of 2011”



Posted by: David Scott
authentication, computer password, content security, data breach, data security, data theft, identity theft, online credentials, online security, password security, user ID, worst passwords, worst passwords of 2011

 

We’ve discussed password liabilities before:  Consider that many people use the same password (and often User ID) for multiple accounts.  This can include online bank credentials, work accounts, social networking sites, other critical sites such as ebay and PayPal…

 

A breaching entity can hack one account, gain credentials, and then spin them through all other associated user accounts they identify.

 

Of course, password liabilities also include easy-to-guess choices, which are subsequently hacked – either by manual human activity, or by password-breaking software that simply cycles random words/characters through authentication mechanisms.  This morning, while having my auto serviced, I tried “password” in trying to gain access to a couple of wireless networks in the vicinity – alas, no luck – but worth a try.  Consider:  About 5 years ago, Slovak hackers gained access to Slovakia’s National Security Bureau (NBU).  The NBU maintains a huge body of classified information, which is supposed to enjoy strong security.  However, the hack and breach weren’t particularly sophisticated:  The respective login ID and password were nbu/nbu123.

 

Might want to put a little thought into your organization’s passwords and their associated strength:  Set a minimum number of characters, and consider requiring some number of special characters (!@%, etc.).  Also, see the four basic requirements at the bottom of this article for maintaining a solid password security posture.

 

Here are PC Magazine’s worst passwords of 2011:

 

  1. password
  2. 123456
  3. 12345678
  4. qwerty
  5. abc123
  6. monkey
  7. 1234567
  8. letmein
  9. trustno1
 10. dragon
 11. baseball
 12. 111111
 13. iloveyou
 14. master
 15. sunshine
 16. ashley
 17. bailey
 18. passw0rd
 19. shadow
 20. 123123
 21. 654321
 22. superman
 23. qazwsx
 24. michael
 25. football

 

Finally, remember to employ four basic, yet critical, practices for maintaining secure passwords:

 

1) Use unique passwords for each account.
2) Change your passwords on a schedule.  How frequently is up to you, but anything from monthly to semi-annually is reasonable.
3) Don’t share your passwords.
4) Avoid common passwords.
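As an added example (not from the post), here is a small Python policy checker that applies the four practices above together with the earlier suggestion of a minimum length and required special characters: it flags entries on the PC Magazine list and trivial variants of them (the “passw0rd” style), catches user-ID-derived passwords like the nbu/nbu123 pair, and reports reuse across accounts. The threshold values, the account names and sample passwords, and the substitution table are my assumptions, not anything the post defines.

```python
import string

# The 25 entries from PC Magazine's 2011 list, as quoted in the post above.
WORST_PASSWORDS_2011 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
]

# Assumed table of common single-character substitutions; undoing them catches
# "P@ssw0rd"-style variants of a blocked word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lowercase, drop trailing digits/punctuation, then undo leet substitutions,
    so that 'Password1!' and 'passw0rd' both reduce to 'password'."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP)


def check_password(candidate, user_id, min_length=12, min_special=1,
                   blocklist=WORST_PASSWORDS_2011):
    """Return a list of policy failures (an empty list means the password passes).

    Checks: minimum length (assumed 12), required special characters (assumed 1),
    the worst-password blocklist including leet/suffix variants, and passwords
    that embed the user ID (the nbu/nbu123 case from the post)."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    special = sum(1 for c in candidate if c in string.punctuation)
    if special < min_special:
        failures.append(f"fewer than {min_special} special character(s)")
    # Block both the literal entries and their normalized forms; all-digit
    # entries normalize to "" and are deliberately left out of the variant set.
    blocked = {p.lower() for p in blocklist}
    blocked |= {n for n in (normalize(p) for p in blocklist) if n}
    norm = normalize(candidate)
    if candidate.lower() in blocked or (norm and norm in blocked):
        failures.append("matches a common password or a trivial variant of one")
    uid = user_id.lower()
    if uid and uid in candidate.lower():
        failures.append("contains the user ID")
    return failures


def find_reused(passwords_by_account):
    """Practice 1: group account names that share a password.  Input is a mapping
    such as a password-manager export; only groups of two or more are returned."""
    groups = {}
    for account, pw in passwords_by_account.items():
        groups.setdefault(pw, []).append(account)
    return [sorted(accts) for accts in groups.values() if len(accts) > 1]


if __name__ == "__main__":
    # Constructed sample inputs for a quick run.
    for pw, uid in [("nbu123", "nbu"), ("P@ssw0rd!", "alice"),
                    ("correct-horse-battery-staple", "alice")]:
        print(pw, "->", check_password(pw, uid) or "OK")
    print(find_reused({"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3",
                       "forum": "another-one-entirely"}))
```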

 

NP:  Hi Lili, Hi Lo, Bill Evans, jazz24.org


December 1, 2011  12:21 PM

Cyber Crime to Invade Public Cloud… and more…



Posted by: David Scott
cloud security, content management, cyber crime, data breach, data security, data theft, Hacker, hacking, hacktivism, hacktivist, IT governance, security policy

 

Well, I guess it already has.  But an interesting opinion was rendered recently regarding the United States’ position regarding cyber crime.  According to Trend Micro’s global CTO, Raimund Genes,  the US’ lax security standards are facilitating cyber crime in the public cloud.

 

Cloud adoption and loose standards regarding online banking show serious security flaws, according to Genes.  In fact, he states, “The US has no sense about data security, and I could be very brutal there.”

 

This isn’t particularly good news for those individuals and organizations who harbor their content, and even processing, in the cloud, by virtue of various solutions providers.  Often, these folks have no idea exactly where their information is – relying on the providers’ discretion and standards… and whether those standards comport with current and best practice can be anyone’s guess.

 

When security lags in one area, it often creates a lax situation in evolving and debuting areas.  For example, a looming vulnerability involves Near Field Communication (NFC) – a brief description of NFC and then an example:

 

NFC allows simple transactions and data exchanges between wireless devices in close proximity.  It will likely support regular use of smartphones for making payments.  Already many of the smartphones on the market contain NFC chips; the chips are capable of containing credit card information, and a simple wave of your phone near a retail cash register’s reader, for example, will be a fast and effective way of making payment.  No more digging for, and swiping of, a credit card.

However, Genes warns of this arena too:  The use of NFC by credit card companies, again in view of lax security standards and measures, is a “security disaster,” in his words.

 

As individuals and organizations grapple with rapidly changing IT issues, such as cloud computing and storage, and NFC communications, be certain to examine and qualify your providers and procedures.  Update security policies, and update your security checks.  Remember:  You must lead threats, in closing vulnerabilities, and in thwarting crime.

 

When hiring service providers and solutions partners, be certain they’re on the most responsible security edge possible.

 

NP:  Soul Burnin’, Red Garland, jazz24.org


November 22, 2011  12:01 PM

Cyber-terror, Hacktivism, etc.: New thoughts on security for the modern organization



Posted by: David Scott
acceptable use, content management, cyber security, cyber terrorism, data breach, data security, data theft, hack, hacking, hacktivism, hacktivists, Illinois water plant, security policy

 

The Washington Post is reporting that foreign hackers disabled a pump at an Illinois water plant last week, according to the preliminary state report.

 

If the source of the attack is confirmed as foreign, it will be the first known attack on a critical public (that is, societal) support:  That of water, power, communications, and other essentials such as policing.  

 

There have been many hacks and harmful incidents of varying scope in years past, of course.  However, those were squarely within the realm of information’s availability or integrity:  Incidents involving theft of content, destruction/corruption of it, or the interruption of access to it by harming websites and their availability.

 

But now, there are entirely new vulnerabilities faced by our government, and subsequently you and your organization.  Any org relies on the steady reliability of public infrastructures and enablements – and we’ve discussed those here in the past.  But what of more mundane, and perhaps likely, concerns for the average organization?

 

Threats are becoming more sophisticated, and in many cases eclipsing the status of security in even the most “sophisticated” environments (relatively speaking).  What your organization must do is to survey your entire “security bouquet” prior to something that is certain to happen:  Hacktivists, and just general miscreants, are going to shop for companies, agencies, and groups that they can “take down.”  It will be sport.  It will be an attempt to gain mention on the daily news cycle.

 

Why?  Because if people can do it, they generally will.

 

Begin with a review of your Acceptable Use policy:  Make certain people in your organization are not opening security vulnerabilities.  They shouldn’t be using work resources to spend time on nefarious sites, nor should they correspond with strangers – new “friends” – outside of any business context – using domain credentials, to include their simple work e-mail address.

 

They also shouldn’t be posting comments to non-work-related boards or articles with domain credentials – What is being done in the name of your domain? – that could bring the wrong kind of attention to your organization.  Further, when they are on legitimate sites, such as professional support forums, they should take care not to run afoul of Terms of Service elements, nor should they be argumentative or abusive:  There can be definite risk of recrimination from a forum member who decides to seek retribution by a “take-down” of some element of your domain.

 

Review all security policies, and establish a monthly or quarterly security refresher training.  All actions and activities should be viewed through security’s prism.  Make everyone in the organization a security officer.

 

NP:  Purple Passages, Deep Purple.


November 17, 2011  11:26 AM

Security Expert Eugene Kaspersky Warns of Cyber-Terror



Posted by: David Scott
acceptable use, CMS, content management, cyber crime, cyber espionage, cyber terror, cyber terrorism, cyberterror, data breach, data theft, Eugene Kaspersky, hacktivism, ID theft, Kaspersky, security breach, security policy

 

Today, any organization is dead without its technical supports.  Even an attack on content – information, business intelligence, data – can put business at risk. 

 

By “business,” we mean the doing of the doing – your “busy-ness” in furthering and delivering within your mission:  Whether you’re a for-profit private-sector endeavor; a non/not-for-profit org; a government agency; or sole-proprietor.  You have business that needs to be conducted on a daily, ongoing, basis.

 

Any business can go out of business if it loses any measure of its technical enablements, and/or corresponding content.  Lose it all, and it most definitely will go out of business.

 

And now comes word of cyber-terror.  What the heck does the local organization do about that??  Eugene Kaspersky is a Russian math genius who founded an internet security apparatus that has been characterized as having a global reach.  He’s a thought leader as regards emerging perils.  According to Sky News, Kaspersky believes “…we are close, very close, to cyber terrorism.  Perhaps already the criminals have sold their skills to the terrorists – and then… oh, God.”

 

That doesn’t sound too hopeful.  Further, Kaspersky, while attending the London Cyber Conference, told Sky that he believes cyber-terror to be the biggest threat to nations such as China and the U.S.

“There is already cyber espionage, cyber crime, hacktivism (whereby activists attack systems and content for political ends) – soon we will be facing cyber terrorism,” he said.

So – what’s the local organization to do?  There is a need to protect yourself.  With ever-more power and knowledge being available to individuals and small groups, imagine:  Imagine a disgruntled ex-employee wiping out your organization’s assets, for example.  But further:  Can the average organization make a contribution to the larger, surrounding, public security?

I propose a business/tech roundtable in given locales, that meet semi-annually, or perhaps quarterly in high-risk areas (Washington, DC, for example).  Here, business and technology folks, from all levels of diverse organizations, can brainstorm and share ideas of protection, prevention, and where necessary – recoveries.

It’s going to become a necessity:  Already, the Pentagon is on record stating that the U.S. reserves the right to retaliate with military force against any cyber attack.  In a 12-page report to Congress, made public, the Pentagon said:

“When warranted, we will respond to hostile attacks in cyberspace as we would to any other threat to our country.  We reserve the right to use all necessary means – diplomatic, informational, military and economic – to defend our nation, our allies, our partners and our interests.”

The vulnerability is large, being that the Defense Department alone operates more than 15,000 computer networks, with 7 million computers worldwide.

But, again, what of your locale?  What if simple everyday “hacktivists” decided to take down some service providers that were key to you?  It would be awfully uncomfortable to live without e-mail, your online presence, and the services of any other providers such as Cloud hosting, processing, storage, and communications.

It’s something worth thinking about… at least start to think about it –  and where effective, efficient, contributions by your org might be made.

NP:  Black Sabbath, We Sold Our Soul for Rock ‘n’ Roll, original vinyl LP.

 


November 16, 2011  12:45 PM

Help Propagate “The Business-Technology Weave” – and a bonus!



Posted by: David Scott
BTW, CMS, content management, cyber terror, cybersecurity, cyberterror, data security, futilitycloset.com, IT governance, the business-technology weave

“Human history becomes more and more a race between education and catastrophe.”

     — H.G. Wells

 

Dear Readers:  The Business-Technology Weave blog has 800+ readers at present.  I’d like to increase readership and thought I’d ask if you’d be willing to forward BTW’s URL (http://itknowledgeexchange.techtarget.com/business-technology/) to a few colleagues and friends.  They can also simply Google “The Business-Technology Weave.”

 

As thanks, I’d like to recommend one of the coolest sites I’ve stumbled upon in a long time:  FutilityCloset.com.  This site is a treasure trove of fun and interesting things. In their own words, “…a collection of entertaining curiosities in history, literature, mathematics, language, art, and philosophy. Each item is self-contained and written as concisely as possible…”.  Their database has almost 6,000 items.

 

Check out the video “Both Sides Now,” (scroll down to it) where a Bach piece is rendered as a Möbius strip. It’s just over 3 minutes – let it get to the 1:45 minute mark – here’s where it gets really interesting.

 

The Quotations page is fun too.  I’ve poked through Technology, and there are more than a dozen other sections.  There’s plenty of Archives too.

 

Have fun!  And… if you could blast out a recommendation for The Business-Technology Weave (only to those you’d feel would benefit, of course), I would much appreciate it – how about to 10 of your closest friends and associates?

 

Tomorrow:  Back to business with an article regarding a top security expert’s warning about cyber-terror.  To close, here’s a great quote I picked up from FutilityCloset:

 

“I have never thought much of the courage of a lion tamer. Inside the cage he is at least safe from other men. There is not much harm in a lion. He has no ideals, no religion, no politics, no chivalry, no gentility; in short, no reason for destroying anything that he does not want to eat.”

 

       — George Bernard Shaw

 


November 14, 2011  3:06 PM

Google Says Government Requests for User Data on the Rise



Posted by: David Scott
CMS, content management, content security, data security, google government requests, google report, Google Transparency Report, government request for data, government request for information, government request for user data, government requests for data, user content

 

Google releases a semi-annual report, The Google Transparency Report, which details requests by the government for private user data.  There can be effects to local organizations, too.

 

The U.S. Government made 5,950 requests on 11,057 user accounts, according to the most recent report:  Compared to last year’s corresponding report, that is an increase from 4,600 requests – or, a 29% increase.  Users should know that Google complied with 93% of these requests “wholly or partially.”

 

The government also makes requests to remove content:  There were 92 such requests involving 957 items.  Google complied with 63% of these requests.  For comparison:  The Canadian government made 50 requests involving 75 accounts; the Mexican government made 48 requests involving 73 accounts – of course, the populations of these countries, volume of content, and nature of the computing population, does not provide for a uniform comparison other than raw numbers.

 

Most of the requests involve a desire to take down info that is incorrect – at least in the government’s view – or offensive.  Some requests are for personal info that the government would like to use in criminal investigations.  As a matter of policy, Google complies with requests that comport with legalities, and its own Terms of Service.  You can see the reports here.

 

Companies should be on the lookout for what individual users are doing with company resources:  In some environments, there is a loose mix of “friending” while “businessing.”  Users hop between personal accounts (while utilizing company resources of equipment and time) and official business accounts.  There have been many instances of people posting negative items to an official company marketing Facebook account, for example, while believing they were yet in their personal Facebook account.

 

Mainly, organizations of all types need to make certain that employees are not engaged in illegal or questionable activities on work time, on work resources.  Organizations face their own regulatory burdens and adherence to business ethics, of course, but now here is a door whereby an employee in a conventional, personal, “user” status can bring potential harm to the org.

 

Update Acceptable Use policies and other relevant policies for the environment we’re in.

 

NP:  Led Zeppelin III, on original first-issue vinyl LP:  Thorens TD-125 turntable; Shure v15v xMR cartridge; Carver C-1 pre-amp; B&K ST-202 amp.  Peerless speakers.


October 31, 2011  12:28 PM

The Human-Technology Weave Revisited



Posted by: David Scott
future of business, future of technology, human-technology weave, integration of business and technology, man with phone in arm, new technology, nokia phone, Trevor Prideaux

 

Regular readers may recall this article from February.  It was a bit of whimsy… something a little different.

 

But now there’s an interesting story about a man with a smartphone dock in his arm.  Well, it’s a prosthetic arm – but this is an exciting application of imagination for sure.  And, some would say, it’s a start to a much more personal integration of technology to human beings.

 

The man in question is Trevor Prideaux and he was born without a left arm.  With his Nokia C7 comfortably and handily docked in his fiberglass/laminate forearm, he has the ready ability to text and call.  He’s had a prosthetic arm since he was three years old.  Trevor believes his phone-in-arm solution is the first time this has been done in the world.

 

You can see how it might be difficult for him to hold the phone with the prosthetic hand, and text with the other.  But with the phone securely in his forearm, he can text with ease.  Also, when he receives a call, he can put his forearm up to his ear, or undock the phone and hold it.

 

Technicians at The Exeter Mobility Centre in England built a prototype arm in 5 weeks’ time – they made a fiber cast of the phone, and then built a cradle into the limb.

 

Amazingly, when he contacted Apple to see if he could get a blank iPhone casing to test out his idea, Apple refused his request, according to the Daily Mail.  Folks at his local phone shop agreed to help him, and he was ultimately put in touch with Exeter.

 

In considering Trevor’s forward posture, consider this too:  As processing power is able to be put into smaller and smaller components, and as data densities increase – thus also occupying smaller spaces – there will come a point of diminishing return in the normal application of technology:  The ability to build devices that are too small to hold, too small to type on, and too small to keep track of. 

 

But that threshold is exactly what is leading to a Human-Technology Weave – the integration of circuits and content repositories that may tether directly to the body and brain.

 

And that is a whole ‘nother Weave.

 

NP:  Oh, Mother, I’m Wild!  Jack Kaufman, original Victor 78rpm record on a 1912 Red Mahogany Victrola.

