Oh Oh – Facebook Suffers Breach

How does the biggest social networking site suffer a data breach?

Breaches are so mundane, and I expect better from facebook:  I mean, I rely on banks, universities, government agencies, restaurants, etc.…  for breach of data.  (Cheesecake Factory, anyone?!?  Gosh, how’d you like to be on the same level of security as the Cheescake Factory?). 

Once again, I refer you to the Privacy Rights Clearinghouse’s Chronology of Data Breaches for a little perspective.

But facebook?  C’mon.  You do almost nothing but handle personal details of people.  You don’t have much additional challenge – it’s not like you’re balancing our bank accounts, handling sophisticated things like mortgages or something.  For that matter, you don’t even have to serve cheesecake.  It’s all about sending “winks,” or “pokes,” saying “hello” and slamming teachers, or something like that (so they tell me). 

I just noticed something else:  facebook is not FaceBook.  It’s all lower case.  Hmmm.  Anyway, just so you know it’s not me that’s driving literacy and solid writing skills down.  And – in the interest of full disclosure – I do have a facebook account.

But you know, I can empathize with facebook:  Good help is hard to find.  Maybe they just don’t have the staff, with the right chops, to keep things secure in a world of “hacktivists” and other ne’er-do-wells. 

Which gets me to thinking:  I experienced something at Starbucks the other day that was quite surprising.  Very surprising.  It was what I consider to be a total breach of common sense, sound business practice, and security. 

I’ll have a three-part series beginning with my next post, along with a nice letter I sent to their corporate headquarters (After all, Starbucks says right there on their corporate website:  “We want to hear from you”).

Until then – stay safe.

October 18^th:  On this day in 1892, the first commercial long-distance phone line opened, Chicago to New York (and that, my friends, was a milestone in the business-technology weave).

Education and Qualification in the Weave – Pt. II

Education and Qualification in the Weave

Way back in my youth, I was enamored of qualification by way of “rubber meets the road” experience.  I was a lack-luster student and formal education was a bit of a challenge for me, so I was convinced that formal education didn’t need to be too heavily weighted in establishing a nice foundation of knowledge, paired with experience.

At one point, someone told me that I was “anti-education.”  No so… not even then.  I waz educated gooder than most any body around me.  (Ok, that was a little obvious, but if I made just one person laugh today, it was worth it).

However, many miles down the road, well-educated and well-qualified (I hope), I am now starting to notice something around me:  A difficulty in finding talented, educated, qualified, IT folks.  People possessing good judgment paired with sound skills.  I can’t afford to be picky regarding the ratio of education vis-à-vis actual experience:  Just send me someone who can do the job.

A campus of a major university where I’ve been doing some IT consulting doesn’t even have an IT program.  That’s very disappointing. 

And now, an Obama administration official has gone on record as saying that unemployment is exacerbated by people’s lack of education and skills.  My own political leanings might normally have me countering someone like this person:  However, I think she has a point.  In my local surroundings, I’m hearing innumerable business leaders lament the dismal talent pool.  I don’t have a formal survey or empirical figures, but it’s not their imagination, nor mine.  Things are changing, and not for the better.

How do you feel about it?  What are the challenges for you in an increasingly technical environment – for both business and IT?

I have a few ideas for improvement which I’ll share over the next few days…

Exponential Threats to Security

Well here’s a twist to security.  It seems a law firm, specifically ACS: Law, was targeting certain owners of internet accounts.  These accounts were alleged to have accessed and downloaded music and videos that are copyrighted.  ACS:Law sought compensation from the owners for remuneration to clients, with ACS:Law keeping up to a third of the payments.

But ACS:Law has its own problems now…

Some of the folks targeted claimed to be innocent – and indeed, it is possible for nefarious online entities to hijack any of our IP addresses.  Thus, it can look like a hijacked party is the perpetrator of illegal file sharing, when indeed they are not.

But it seems “hacktivists,” unhappy with ACS:Law’s activity, have attacked their servers, first creating a denial-of-service situation, and subsequently exposing over 13,000 records containing sensitive personal information of the folks targeted; names, addresses, internet activity (yikes), and – in cases where people paid up, bank details.

Bank details.

ACS:Law now faces its own huge fine.  And of course, if it is found that they targeted innocent users indiscriminately, that is going to present huge problems of credibility and common business sense.

The lesson?  Whether you’re a company mounting action against others (or on behalf of others, for that matter) – or you’re an individual traipsing across the ‘net, enjoying your day – be very careful in what you do, how you do it, and in the actions you take.

Stay safe out there…

October 8^th:  On this day in 1860, the telegraph line between Los Angeles and San Francisco opened.

Budget Cuts Impacting Cybersecurity

It’s being reported that state budgets, increasingly in the red, are impacting cybersecurity – and not in a good way, as you may have suspected.

A NASCIO/Deloitte survey finds that many Chief Information Security Officers are reporting increased reliance on outsourced services – with a resultant difficulty in securing state data environments and associated content, including personal information. 

However, the problem is not funding alone:  Some of this risk is being engendered by an associated lack of control as experienced by these CISOs:  A lack of “visibility and authority to effectively drive security down to the individual agency level” according to Deloitte.

There is something that CISOs can do, in the absence of their ability or direct authority in leveraging security – we’ll get to that.  But first, in my own fact-finding and consulting, I’ve discovered something rather interesting:  Most organizations’ Acceptable Use policies have a security hole (You may wish to visit, or revisit, “Check Your Acceptable Use Policy:  Is this missing?”.  They do not make mention of social networking liabilities; after all, many people avail themselves of social networking from organizational resources (workstations, connectivity, company time, etc.).  It is definitely inappropriate and counter to any AU policy to make damaging remarks on company time, but personnel should understand that doing that at any time is counter to their good standing – work problems and conflicts have sanctioned channels for disposition:  supervisory, supervisory chain, and Human Resources.  ALSO:  Ensure personnel understand to not post aggregious material elsewhere:  Comments to blogs, news articles, professional sites such as LinkedIn, Monster, and entertainment areas such as YouTube, and so on.  It’s a Wild (Cyber) World out there – move abreast of and ahead of potentials.

Further, there is no “Watch what you do in the name of our domain” type of warning in any of these policies I’ve looked at.  In other words, don’t post internal proprietary information, inflammatory opinions, rants, etc., under the aegis of JohnQPublic@OurCompanyName.com.”  (Check “Social Networking and the Blended Environment:  What is Being Done in the Name of Your Domain?”).

There is an alarming number of policies that don’t even address data’s portability, with associated best practices for securing that data against loss:  portable drives, flash drives, CDs, laptops – even the carrying of official data on personal phones, etc!

Perhaps the biggest liability:  Absense of a User Agreement form at the end of these policies.  The form should indicate that personnel  a) understand the policy,  b) agree to adhere to the policy, and  c) are willing to sign their name, indicating understanding and intention of complying.  As importantly, this forces an opportunity to ask questions so as to be fully informed and qualified to at least know how to adhere to policy:  Expectations and requirements are fully understood by a fully educated and informed employee, contractor, outside solutions partner, value-added remarketer, etc. 

Back to those CISOs that are feeling vulnerable and what they can do:  They should get the ear of their governance.  Establish a protocol:  Everyone should read and sign an AU policy, and any other cautionary/controlling policies as appropriate, in ensuring a united security front.  A regularized schedule of training should also be considered, for necessary updates to security awareness and practices.

One area that many organizations may wish to check today:  Call your insurer.  Data breaches are estimated to cost many organizations between $100 and $180 per record.  Ask about protections should your organization suffer a data breach, with resultant lawsuits and loss to the business.  Make sure you understand your organization’s obligation under relevant policies so as to be qualified for reimbursement should you ever file a claim.  Recognize too; money that you consider spending on an insurance plan might be better directed toward security itself.  Today’s organizations must qualify themselves for evolving practices and discussions.

But first priority, and as stated before:  Most organizations enjoy security as a matter of luck;   everyone must be a mini-security officer these days.  Evaluate every action and activity through security’s prism. 

Stay secure!

September 30^th:  On this day in 1960, The Flintstones premiers.  It is the first prime-time animation show.

Customer Service and Associated Quality = IT Success

Best IT success rests on what IT can deliver to customers.  Customers can be internal; those allied people and business elements relying on technical enablements and supports – and customers can be those who purchase and rely on whatever business delivers to the outside:  Products, goods, and services. 

In the case of the latter, IT generally has more of a tangential role – granting and constantly improving business’ tools and opportunities for the doing of business, be it production and manufacturing, marketing, advertising, communicating, researching, educating… and so on.

When delivering enablement in service to business aims, the higher the quality and reliability of tools and services, the better the standing of the IT department and its associated personnel within their business berth.

As importantly, by bringing consistency and quality, IT can build a stock of good will “capital” in terms of credibility and sincerity.  When a particularly hard project comes along, or something unforeseen happens such as the absence of critical key personnel, or perhaps an extreme crimp of budget that impacts go-live dates or scale of solution, the organization knows full well IT’s commitment to quality, speed-of-deliveries, accuracy of solutions, and sincere good will and good faith commitment to delivering excellence.

An important concept to remember:  When vetting any suspect effort, ask the simple question:  “How does this move business forward?”  All activity in service to business, whether direct or tangential, must serve business and move it forward.  The question is an effective puncture to suspect activity or conversation and in any specific moment, helps to refocus all involved, leading them back to the business of doing business.

September 29^th:  On this day in 1951, CBS broadcasts the first American football game in color – between the University of California and the University of Pennsylvania, at Philadelphia.

U.S. Education: Technology Lag?

I happened to catch Dr. Eric Haseltine, Ph.D., on television the other day.  He’s formally trained as a neuroscientist, but was presented as a CTO – a position he held recently.  You can examine his bio under this link to his article, “Why our economy is on the brink of going down the tubes…forever.”  That’s a pretty dire title, but there is some very real danger - the article relates to the topic he discussed in his TV appearance, and to my concerns here.

While he covers a few different issues – all of interest to me – today I’m concerned with his assertion that only 1/5^th the number of American students are entering the fields of science, math, engineering and technology, as in decades past. 

Dr. Haseltine calls this a “Silent Sputnik” moment.  He quotes Harvard Business School Professor, John Kao.  Professor Kao, author of Innovation Nation:  How America is Losing Its Innovative Edge, Why It Matters and How We Can Get it Back, says “Fifty years ago the Soviet satellite Sputnik burst the nation’s bubble of complacency and challenged America’s sense of global leadership.  But we rose to the challenge with massive funding for education, revamped school curricula in science and math, created NASA and put a man on the moon.”  [Emphasis added – DS].  Thus, the Space Race.

Today, both men are concerned that we are facing a Brain Race.  However, there appears to be no American training for this race on the horizon.  They make the point that American science, technology and math education has been in steep decline over the course of decades – with careers in business, law and media taking priority over high tech jobs.  Beyond that…

I frequently make the point that it’s not only the reduced numbers going into these disciplines that is dismaying:  Individuals inhabiting technical education programs and career fields comprise a troubling population.   They are the product of sliding standards and social promotions.  There seems to be a “rounding of corners” regarding empirical measures for qualifications, and in-turn what any specific individual can actually deliver – for fields that are themselves highly empirical.  This lack of quality impacts the sustaining of systems and a simple ability to keep environments “whole” and reliable.  Now consider that nothing is static:  We’ve got to mount and sustain progressions and competitiveness – something quite impossible absent the creation of “better brains.”

Meanwhile China, India, and others are becoming much more “tech savvy.”  China measures very favorably against the U.S. and Europe regarding patents and technical publications.  No wonder:  According to the Paris-based Organization for Economic Cooperation and Development, American teens trail their peers in 23 countries as concerns math, and behind 16 countries in science  (“U.S. Teens Trail Peers Around World on Math-Science Test,” Washington Post, Maria Glod).

I’ve noticed a slide in quality of personnel even in Fortune 500 environments.  What alarms me in those regards is that these companies, presumably, can attract the best candidates and workers, due to supremacy of salaries and benefits and, I would hope,the attraction of  interesting and fulfilling work. 

I would be interested in what you are experiencing:  Is it becoming more difficult to staff your departments?  Do you have to solicit outside expertise more often?  Are you providing training to staff for knowledge that used to be considered basic “upon arrival” stuff – basic training that is now pushing back the critical “progression training” for new systems, evolving disciplines,  and ever-more sophisticated environments?   

______________

September 25^th:  On this day in 1934, Lou Gehrig played in his 1500th consecutive game.

BEWARE: Errors Can Be Efficient Too

Being efficient, reducing cost, leveraging effort, doing more with less… ever faster -  this is all a part of intelligent business design, and properly sized and executed technology design.  In fact, it is an all-important concept within the proper weave of business and technology.  Things must be mutually reinforcing, mutually enabling, mutually protected, and must thrust the business of doing things forward.

But what of an efficiency of errors?  Oh, that happens too.

What of the IT department that images a PC for propagation to dozens, or hundreds, of PCs… but that original image contains a significant error?  Now that error manifests across entire domains, environments…  quite efficient…  and quick.

What of the higher corporate headquarters I heard about recently:  They created a budget template for dissemination to all branches and subordinate business offices and units.  It was to bring uniformity and wholeness to the budget process and rollup.  Control.  Efficiency.  Completeness.  Except – oh oh:  Some critical elements were left out of the template.  And, more than a few “local” budget wrinkles were not accommodated in this glorious “uniformity.”  A blizzard of notes,  requests for special accommodations, and exceptions to policy came back, making the original budget process look like a walk in the park.

Quickness and efficiency here did not serve the realization and finalization of the budget; quickness and efficiency served error and its spawn of negative impacts to the process.

Keep a concept firmly in mind when planning anything; when creating new processes; when writing associated instruction sets:

Errors frequently have efficiencies.  Take action with care.

September 21^st:  On this day in 1957 “Perry Mason,” with Raymond Burr, premiers on CBS-TV.

IT Horror Stories

I was perusing a genre online that I hadn’t really thought to peruse prior to this:  IT Horror Stories.

I was employing Google and my imagination (a dangerous combo for sure) – in scaring up topics for The Business-Technology Weave.  A recent conversation about a very bad Biz-IT outcome led me to wonder about other horror stories.  There’s some goodies out there, and you can Google and read any number of them for yourself.  (Although for some and maybe most of us… enough real-world horror might make an online revisit masochistic).

But I got to thinking about a certain horror story that I’ve not yet seen chronicled; or perhaps I just didn’t stumble on this particular IT horror twist:  an increasing difficulty in holding people accountable – even in a demanding field like IT.

A Fortune 100 environment had a new IT director, who promptly surveyed his new domain:  Staff, enterprise, related assets, areas of liability and lag, state of content and backups… Whoa!  No backups had been done for three months!  But, that’s not the real horror of the story. 

The person responsible, “Franklin,” the Network Manager merely said that the drive had failed, and he had been “unable to get it working.”  (Names have been changed).  What’s a new IT director to do?  He made his governance aware of what had happened – and they were sufficiently shaken.  HR was also apprised at this general lack of ethics, and specific, stunning, lack of routine IT practice.  However, no one in IT’s governance wanted to impose dismissal or any penalty regarding this negligence.  They did indicate that this was “Strike 2” against this individual.  Three strikes and you’re out.

Fast forward a year:  Franklin has been stumbling along this whole time.  A phonecall comes in to the Director on a Friday afternoon – it’s “Susan” (names have been changed), a senior executive with the firm: 

“My laptop won’t boot; I need it for working at home this weekend.”  The Director assures Susan that Franklin (who assists the HelpDesk) will be right down to fix the problem.  The Director sends him down, telling him to fix the person’s problem for critical weekend work from home.  Toward the end of the day, prior to leaving, the Director asks Franklin if everything went okay with Susan’s laptop.

Franklin:  “Yes, everything is ok.”

Everyone departs for the weekend. 

On Monday, the Director has a nasty phonecall on his voicemail:  It’s Susan, quite irate, complaining that the laptop wouldn’t boot at home, and that she’d had to drive to the office several times during the weekend.  The long and short of it?  To his utter amazement, when the Director asked Franklin about the status of the laptop Friday afternoon – instead of hearing “Gosh, it was working when I finished with it…” or some such variant, what he heard was this:

“I wasn’t able to get it working; I’m not very proud of myself right now.”

Huh?  No amount of querying as to why Franklin hadn’t asked for assistance, or turned the problem over to another HD person, or the Director himself, yielded a response beyond “I’m not proud of myself right now.”

The real horror to this story hasn’t been divulged yet:  When the Director, his governance, and HR all uniformly agreed that this was “strike 3,” when the incident was all written, and when the meeting for dismissal was scheduled – a call came from the organization’s higher headquarters in New York, putting the brakes on the dismissal.  That’s the horror.

Higher headquarters’ explanation was that there had been too many lawsuits regarding dismissals, and that all such actions were “on hold” – including several at headquarters.  Meantime, IT had to carry a worthless employee. 

It’s one thing to lack skills – it’s quite another to lie and deceive about statuses and fixes – and customer service, and critical support to business.

Guard your environment:  Get rid of hapless people.  You do them no favor in carrying them, you do business no favor in carrying them, and they can damage reputations:  Yours, and your place of employment’s.

September 20^th:  On this day in 1519, Magellan begins the 1^st successful circumnavigation of  the world.  I’ll take their word for it…   :^ )

Business-Technology Convergence vs. a Business-Technology Weave

Ah, it’s so gratifying when thought leaders catch up to something you’ve known and espoused for 5 or more years.

There’s a very interesting, and quite good, article that I stumbled upon:  Living Up to Technology’s Promise.

The article is well worth reading and I enjoyed it.  However, I do take some issue with the idea of their “business-technology convergence” concept.  Business and technology have not converged – they have become interwoven:  There is a weave of business and technology. 

You may well ask:  Convergence…. Weave – what’s the difference?  The difference is both subtle and stark.  Convergence is a uniting and joining, but there’s an implication that if a convergence never happened, or if there was a disengagement, either side would survive – at worst, there’d be a missed opportunity for efficiencies and advance of mutual interests.

However, kick out a business’ technical enablements, and it might sustain 5% productivity – if you’re lucky.  (Note:  I’m speaking  of the kind of businesses that the article targets).  Therefore, there is a mutual survival at stake here:  Business and technology are woven together – and the sooner any business and allied technology element(s) understand this interwoven relationship, the better.

But the “convergence” article excited me.  I’ve read very little elsewhere that approaches an understanding regarding the  modern – and accelerating evolution of – empowerments and vulnerabilities in the business-technology relationship. 

Today I’d like to say:  Don’t converge:  Weave.  As but one recent example from this blog:  Security is every person’s business in the organization.  Every person is a stakeholder and must be a mini-security officer.  That is, they must view every action and activity through security’s prism.  Technology – the IT  department – must emplace the technical protections – and lead business; bringing awareness, updates, and education regarding proper activity, to the table.  That is weaving business’ awareness,  ownership, and appropriate doing, into technical and related business security.

Recognize that The BTW does not attempt to make Business and IT one unit, nor does it attempt to overlap discreet duties, talents, and highly specified jobs beyond a point of diminishing returns.  Rather, it weaves the common organizational appreciations for the main levers and liabilities, so that everyone brings the proper use, awareness and activity to the shared stakeholder elements. 

That is a weave, and that is how you will thwart threats to today’s example – security:  unauthorized access; data breach and theft; ID theft; exposures, impacts to business reputation, impacts to trust, and so on. 

If there’s enough interest in this subtle yet powerful difference between convergence and the Weave, we can examine it against other areas in the coming days; Budget comes immediately to mind.

September 15^th:  On this day in 1904 Wilbur Wright makes his 1^st airplane flight.