August 19, 2011 2:21 PM
Posted by: Wendy Schuchart
Tags: network security policy, rogue employees, security risk
Picture this scenario: Employee A leaves the company to take another position. Your network security policy demands that you kill his IDs and passwords, right? What about if Employee B leaves the company in a way that isn’t entirely voluntary? You certainly kill his access, tout de suite, but do you do anything else?
If you said no, you might want to revisit your network security policy. Case in point: The U.S. subsidiary of Japanese pharma company Shionogi laid off some of its IT staff. One rogue employee fought back and took advantage of a lax exit procedure. He was able to basically shut down the company’s operations for a “number of days,” as well as systematically delete its VMware host systems from a free McDonald’s hot spot in New Jersey. The actions of the ousted employee (who in November will be sentenced to up to 10 years in federal prison) cost the company almost a million dollars of hard cost, not to mention the immeasurable compounding loss of productivity and corporate reputation.
What I’m most curious about is whether the rogue IT worker used his own account or a commonly known group admin account. My guess is that he used the latter, if only to hold onto some level of plausible deniability and because I’d have to believe that Shionogi had the common sense to at least delete the employee’s own accounts.
Most exit procedures deal with the corporate employee’s personal accounts, but if your IT department is like most, you likely have admin accounts with a well-known password shared by numerous users. I could probably still log into my old IT admin account at my previous employer if I wanted to, and I’d bet you $10 that the password is still — are you ready for this? — password. What’s worse, in a previous role supporting users at hundreds of manufacturers around the country, I often was able to show the users how to hack into their own network and locked-down systems, either with the default of password or with a systems password that someone somewhere had noted in our client accounts years ago but was still working.
Are you breaking into a cold sweat right now? You should be.
We’re often fantastic at barring the doors against outside attackers but, historically, large and midmarket companies drop the ball when it comes to protecting themselves from their own workforces. What’s your exit procedure? Is it standard network security policy for admin accounts and entire teams to change their passwords whenever there is a staff change, whether voluntarily or not? What would stop a rogue IT worker from taking vengeance on your company in the event of a job separation? The comments are dying to discuss the problems you’ve faced with exiting employees.
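The post's point is that offboarding usually covers the leaver's personal login but not the shared admin and service credentials that person also held. As an added example (not code from the post or from any company it mentions), here is a small Python inventory check that turns that policy into two concrete steps: at exit, list every shared credential the leaver has held so it can be rotated, and on a recurring audit, flag any shared credential that a former employee still knows. All account names, people and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SharedAccount:
    """A credential more than one person knows: group admin, root, service account."""
    name: str
    last_rotated: date
    known_by: set = field(default_factory=set)  # everyone handed the secret since it was last rotated


@dataclass
class Departure:
    person: str
    left_on: date
    voluntary: bool


def accounts_to_rotate_on_exit(person, accounts):
    """Offboarding step: every shared credential the leaver has held must be rotated,
    not just the leaver's own login."""
    return sorted(a.name for a in accounts if person in a.known_by)


def stale_shared_accounts(accounts, departures):
    """Audit step: find shared credentials that a former employee still knows.

    A credential is stale when someone who held it left on or after its last rotation.
    Returns (account, [departed holders], priority); any involuntary departure makes
    the finding 'urgent', otherwise it is 'routine'."""
    findings = []
    for acct in accounts:
        leavers = [d for d in departures
                   if d.person in acct.known_by and d.left_on >= acct.last_rotated]
        if leavers:
            priority = "urgent" if any(not d.voluntary for d in leavers) else "routine"
            findings.append((acct.name, sorted(d.person for d in leavers), priority))
    return findings


def rotate(acct, current_holders, on):
    """Record a rotation: the new secret is known only to the people handed it today."""
    acct.last_rotated = on
    acct.known_by = set(current_holders)
    return acct


# Constructed sample inventory (hypothetical accounts, people and dates).
ACCOUNTS = [
    SharedAccount("vmware-root", date(2010, 3, 1), {"alice", "bob", "carol"}),
    SharedAccount("backup-svc", date(2011, 8, 1), {"alice", "bob"}),
    SharedAccount("netops-admin", date(2011, 6, 15), {"dave"}),
]
DEPARTURES = [
    Departure("bob", date(2011, 7, 20), voluntary=False),   # laid off
    Departure("alice", date(2011, 5, 2), voluntary=True),   # resigned
]

if __name__ == "__main__":
    print("At bob's exit, rotate:", accounts_to_rotate_on_exit("bob", ACCOUNTS))
    for name, people, priority in stale_shared_accounts(ACCOUNTS, DEPARTURES):
        print(f"[{priority}] {name} still known by former staff: {', '.join(people)}")
```

With the sample data, backup-svc was rotated after both departures and so is clean, while vmware-root has not been rotated since 2010 and is still known to two former employees, one of whom was let go, so it is reported as urgent. The same check run on a real credential inventory is a cheap way to answer the question the post asks: whether a staff change actually triggered a rotation of every shared password that person knew.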
August 16, 2011 6:12 PM
Posted by: Wendy Schuchart
Tags: mobile workforce
It’s been a busy week in tech. Google’s acquisition of Motorola has everyone wondering how it will affect their mobile workforce. Here’s a tasting menu of the choicest bits around the Web, including Google’s acquisition of Motorola and how you’ll have to pry the smartphones from the cold dead hands of your mobile workforce.
• While smartphones continue to drive our mobile workforce, we’re becoming so accustomed to the convenience that a recent Pew study on smartphone use found almost a third of users had experienced difficulty living their lives in the past month when they didn’t have their smartphones handy.
• If you’ve been following the social experiment of Jonathan’s card, it’s a sad note that Starbucks has officially put its foot down after blogger Sam Odio transferred $625 of the community pot to his own card.
• The politics of employee salaries are often about a sense of fairness as well as compensation, but if you can’t afford to bump up the salary, an increase in personal autonomy can help keep your rock stars from jumping ship.
• When considering how to inject innovation into your teams, don’t underestimate the importance of fun. Wooga’s CEO feels that playing is a core human desire.
• What does Google’s acquisition of Motorola mean? Great news for an Android mobile workforce, but some wonder if this takeover might not force Microsoft to buy Nokia.
• Does your company use webinars? Bob Darabant uncovers tricks and tips for truly effective webinars, and it’s a lot more about your technique rather than technology.
• Your mobile workforce might be powered by iPhones and Androids but did you know that Wall Street runs on Linux?
August 12, 2011 3:50 PM
Posted by: Wendy Schuchart
Tags: IT budget
Ah, yes, these are the heady days of Q3, which means that it’s time to start working on your 2012 budget. Is your IT department feeling like a panhandler these days?
CIOs today are certainly no strangers to tough economic times and working up IT cost reduction strategies, but when the economy doesn’t seem to be getting any better, and as they wait out the possibility of a double-dip recession, CIOs are finding themselves at the end of their technological rope. Delayed buying decisions have left them with geriatric server, storage and networking infrastructure that is no longer nice to replace but necessary to replace. But with every pundit in the universe screaming about cloud computing — and when you’re working with a budget as dry as the Sahara after six years without rain — how do you justify new capital expenses to the business?
If we lift our heads above the noise, confusion and discomfort of economic austerity, IT infrastructure investment can be a good dollar-and-cents move you can easily justify to the business.
Cloud computing is often presented as a sort of panacea when it comes to IT cost reduction strategies and eliminating IT complexities. There are IT cost reduction strategies that involve moving to the cloud that will save on capital expenses and maybe even improve reliability and remote access. For midmarket companies, email infrastructure can be handed off to a cloud/Software as a Service provider. Lots of companies offer Microsoft Exchange, Lotus Notes or more generic Web-based mail and calendaring, and our old pal Google even offers Gmail as a service for businesses. These services often have highly redundant infrastructure to protect your data and offer better access for remote users and branch offices. They come bundled with security and spam filtering as well, further reducing infrastructure needs in the data center.
Life without spam — doesn’t that sound like a dream come true? I read recently that as much as half of any company’s bandwidth is consumed by spam. It’s like the gift that keeps on giving.
But as with most things, moving services to the cloud has its complexities. One argument against shipping off crucial IT services is whether we aren’t also eliminating the need for IT roles in the future. Of course, there are many IT functions that simply cannot be shipped off to the cloud. In-house applications, sensitive data and low-latency applications must stay in the company data center, as should the ownership of the technological advances developed by the company.
Don’t buy into the fear and panic, folks — we live in the most technologically advancing time in world history, and CIOs are at the wheel driving the change.
Even if you wouldn’t know it by looking at your 2012 IT budget.
August 9, 2011 5:13 PM
Posted by: Lmartinek
Tags: iPhone 5
I was with some friends last week when we landed on the topic of phones. The conversation began when one person said she was planning to buy a new phone within the next couple of weeks, but it wasn’t long before her brother interjected. He began adamantly telling her she should wait for the iPhone 5 and described why waiting a few months would be a better decision than buying a new phone now.
This conversation illustrates what more and more people are realizing — the iPhone is the best way to go. Recent studies show that 35% of consumers plan on buying the iPhone 5. If that isn’t enough to put fear into iPhone competitors, then maybe this will: Only 47% of Android users will buy another Android, with 42% switching to an iPhone; BlackBerry is speculated to lose 67% of users to the iPhone. Meanwhile, Apple has a 94% retention rate.
People are waiting and ready to switch to the iPhone 5, and some iPhone competitors may be showing their fear. Over in the U.K., Vodafone has dropped HTC’s Evo 3D from release. Although no official comment was made, it is widely speculated that they fear facing the iPhone 5. It makes you wonder what other companies are really thinking.
And all of this is occurring without an official release date. You can find plenty of speculation online, though, the most widely accepted being a September or October release date. Regardless, when the next iPhone does release, it will undoubtedly outsell any other brand with consumers. But what about businesses that have yet to dive in? Apple has been making strides to improve the iPhone in the business realm. When a newer model is released, people will be willing to accept the idea that the iPhone is ready for business use. And with the expected features in the iPhone 5, like improved security and the already large collection of business apps, you have to ask: How long before Apple dominates its competitors not only with consumers, but also with businesses?
August 8, 2011 8:16 PM
Posted by: Wendy Schuchart
Tags: CIO Careers and Staffing, data privacy, Risk management
Every week, we scour the wealth of information on the blog circuit and give you the finer talking points to help you score erudite points around the Twitter water cooler. Here’s the latest sampling from last week’s blog posts, including the latest from the Black Hat conference, lessons in personality and personal space, and why it might be a good time to give your hacker protection a checkup.
How is your hacker protection? Last week, the Black Hat 2011 conference in Las Vegas drew thousands of security professionals. Meanwhile, the hacker groups LulzSec and Anonymous broke into 70 law enforcement websites. Anonymous also hit Syria’s Ministry of Defense website. What a world, what a world.
Midmarket companies are dealing with significantly more IT risk, making safety measures crucial for the concerned CIO.
Forget about reviewing prospective job candidates’ résumés — ask to see a photo of their workspace instead.
We all know that the best communicators use nonverbal communication, including using body language and personal space to their advantage. Some think it’s part of the reason that women and men have different styles in the boardroom.
For all those CIOs who use Gmail either personally or professionally, your life just got a little better — Gmail now supports a preview pane. Aw, yeah.
Seth Godin looks at the Palm example as a lesson about when a company needs to make the giant leap — or fall flat on its face.
Watch Google Chrome get hacked in real time. Lest you think hacker protection is all about information security, think again. Between the text hacking of Subaru Outback cars, this 10-year-old hacker, and this guy who claims he can hack into insulin pumps and kill people long-distance, just who is going to rock us to sleep tonight?
August 4, 2011 11:17 PM
Posted by: Wendy Schuchart
Tags: security risk
Back in the ’90s and early 2000s, I had two acquaintances who called themselves “hackers.” Being a burgeoning geek girl myself, I kind of figured that they were affecting the moniker to be cool. Back then, the image of a hacker was different, more like the Robin Hoods of the Internet age. It was before we really knew how destructive those forces could be regarding the loss of identity information and the carnage inflicted across the globe by nefarious groups bent on destruction or collapsing infrastructures. Think only back to the Sony security breach or the nightmare with Epsilon data loss, and you know that the popular opinion is that hackers seem less like Robin Hood and more like Freddy Krueger.
Flash forward to today: One of those hackers has his own security firm and consults with companies on vulnerability testing and intrusion testing, highlighting their weaknesses and blind spots and helping them do network security audits.
In this capacity, for instance, he foiled a large corporate system by tricking one of the company’s own employees into holding a door open for him. Then he set up shop in an unused conference room, logged into the network and spent two days downloading gigabytes of proprietary and confidential data. No one ever even questioned him about what he was doing there.
When thinking about security and intrusion testing, you have to think like a bad guy. Law enforcement does it all the time, hiring criminal informants and infiltrating crime syndicates by going undercover (at least, this is what my years of watching Dexter and The Wire tell me). Speaking of crime shows, not all hackers are that altruistic. That other guy with whom I was acquainted? He’s currently incarcerated for terrorist-like activities.
Have you engaged in third-party vulnerability testing of your network defenses? What was the outcome? Is intrusion testing worthwhile? How frequently do you perform a network security audit? The comments are eager to hear about how you defend your company against the dark arts.
August 2, 2011 5:02 PM
Posted by: Scot Petersen
Tags: data backup
In my spare time I run a little PC service repair business, mostly for friends and family. It’s mostly cleaning computer viruses, installing wireless networks and sometimes building gaming systems.
No matter what the job is, however, I always end up lecturing the owners about security and data backup. I recently worked on a system that had years of digital photos on it, gigabytes worth, and none of them were backed up. The machine caught a virus and put all of those memories at risk.
Back up your data, encrypt your Wi-Fi, and keep your OS and security software updated. And here’s another tip about file sharing. This is the kind of common-sense stuff that every person who owns or operates technology, from servers to smartphones, should do. It rarely gets done.
Is it any wonder that we see the same security issues in the enterprise? As I’ve noted before, security is a major risk factor, and it should be everybody’s business. If you want to hear it from the experts, log on to our free online seminar next week, Enterprise Risk Management: Mitigation Strategies for Today’s Global Enterprise.
August 1, 2011 3:35 PM
Posted by: Wendy Schuchart
Tags: women in IT
Whatever happened to the lazy days of summer? Things are smoking around the blogosphere, thanks to the impending new iPhone 5 release, the U.S. debt ceiling compromise and the general malaise of the U.S. economy. We’ve scoured the headlines and are giving you an executive summary of what happened last week in 60 seconds or less:
• Did you ever wonder what your life would be like if you moved to the IT version of the Emerald City? Check out this infographic from Focus for the brutal truth on salaries versus cost of living in the Silicon Valley.
• We’ve wondered aloud why there aren’t more women in IT, but the tide may be turning, thanks in part to the social network revolution and the urgings of Google Vice President Marissa Mayer.
• While the news of the U.S. debt ceiling was everywhere last week, President Obama urged Twitter users to tweet to members of Congress to press them for a bipartisan compromise. White House communications director Dan Pfeiffer confirmed that emails and tweets did indeed influence the course of this weekend’s events.
• Is the government tracking our physical location via our Androids and iPhones? The possibility was discussed at a confirmation hearing in the Senate Select Committee on Intelligence last Tuesday. Forget RFID-proof wallets, it might be time for aluminum foil pants to be back in style.
• Hope you wrote that new iPhone 5 release date on your calendar in pencil rather than ink, as sources say that you’ll have to wait until October for the new iPhone 5 release rather than September, as was first rumored.
July 29, 2011 1:21 PM
Posted by: Wendy Schuchart
How are you feeling today? Lonely? Upset? Vaguely withdrawn from society? If so, quick — check your Twitter stream on your smartphone. Better now?
We’ve all heard BlackBerry jokingly referred to as a “CrackBerry,” but according to a recent study of 1,000 U.K. workers, 53% of technology users experience real psychological trauma when disconnected from the Internet, whether it’s checking email or their social media sites or just checking the news of the world. Research indicates that the feeling really is like getting a bit of an addictive fix.
This explains so much. I have many friends and acquaintances whose employers have a “locked down” Internet usage policy, preventing them from going to certain websites like Google+, Gmail, Facebook and YouTube. Those same people rarely have much good to say about their job. Let’s not fool ourselves: They’re still getting to those websites while at work; they’re just doing it much more creatively, either by finding proxy sites or by using their mobile devices. If a well-meaning executive thought that she could prevent productivity loss by Internet surfing, she’s completely mistaken, because people will do anything, even defy corporate policy, to get their Twitter fix. Instead of reducing the risk of losing data, the policy has guaranteed a loss of employee satisfaction and risks them heading over to Monster.com with their résumés in hand.
I’ve heard CIOs remark that a strict Internet usage policy is meant to prevent data theft or proprietary information being broadcast on social networks, but just as employees will find a way to get to their email, if they really wanted to take home proprietary information, they will. There’s always the ever-handy USB drive, not to mention the old-fashioned printer room, with its convenient fax machine.
So tell me, CIO Symmetry readers, do you block some portion of the Internet on the corporate network? If so, is it just obviously inappropriate sites, or do you also prevent employees from accessing their personal email or places where proprietary data could leave the building, places like Google Docs and Dropbox? If you are selective, which kinds of websites are considered safe? Wikipedia, for instance, allows users to upload content but has a huge benefit — is that kind of website prohibited? And is your Internet usage policy a point of contention? Can you explain your strategy behind this practice?
The comments are eager to hear your theories on the perfect Internet usage policy.