From our latest CIO Matters column on Marissa Mayer’s new role at Yaoo: “Being a female CEO at all is kind of like being a zebra in a rodeo, but being a woman in technology leadership is like being a unicorn.”

The Cybersecurity Bill is alive and well in Congress. New regulations proposed will promise tougher protection of privacy and also authorizes the Department of Homeland Security to set “mandatory standards for critical infrastructure.”

Get your tinfoil hats out: WiFi can be used to detect human presence in a room, even if that person isn’t carrying a WiFi device. Can you say “creepy”?

Note to businesses and politicians: Don’t buy your Twitter followers. People will and do notice.

“When I was your age, portable computers weighed 55 pounds and cost more than a car! You didn’t put them on your lap unless you wanted a broken femur.”

Oh Microsoft. Thanks for making women in technology feel even more objectified.

The majority of U.S. mobile users now own smartphones, according to Nielsen Wire, and of them, the most popular mobile operating system is the Android.

Happy birthday to SMS technology, which turned 20 this week. Seems like only yesterday we were writing out “you are” instead of “ur”.

John Herrman is terrified of Samsung’s latest Android news for several reasons, one of which is that it’s a little overinvested in its mobile users.

If you find typing on the slick iPad 2 keyboard annoying, you’re not alone. Check out this technique for speeding up text editing on the iPad’s native keyboard (via Subtraction).

Infamous torrent site The Pirate Bay has officially scolded the hacker group Anonymous for cyberattacks on its behalf. That’s saying something when a very sketchy torrent site takes the high road.

The latest Android news that you can’t afford to miss: IRCbot malware has joined the party and is targeting the most popular mobile device. How’s your mobile device security policy looking these days?

The tiny memory sticks did not contain malicious material — only tips and information on health IT — but practically everyone had a story to tell of how they had been burned in the past by the innocuous-looking swag.

One CIO of a midsized pharmaceutical company told me that he had just gone through a memory stick nightmare the day before. A USB stick he had been expecting from one of his vendors arrived in the mail and no one thought twice about using it. “You’re supposed to trust these people,” he said.

Turns out, the stick was infected. The infection (he declined to share exactly what it was) soon spread through part of his company’s network and cost four hours of cleanup time that day.

“I will never trust these things again,” the CIO said, “especially the ones you get at conferences, because you really have no idea where it’s been or what’s on it.”

Another suspicious passerby told me that he had recently completed some internal security training in his company and was told simply not to use them, period.

While the concern isn’t new (the risks of USB storage devices have been highlighted for a while), I have to admit I was surprised by the number of people who had something to say about it. Of the 25 or so people I interacted with firsthand on this topic, I would say at least 20 of them questioned the security of the small handout.

More surprisingly, however, was the number of the people who had a horror story (or knew of someone who did) and still took the drive. In fact, I only saw one person refuse it.

Companies that do not have a mobile payment solution will be attracted to this appealing offer. Using an iPhone, iPad or even an Android device, credit cards can be swiped and signed off on anytime, anywhere. But there is always a tradeoff, right?

Square is PCI Level 1 compliant and, like all companies that handle credit card processing, must go through an audit every six months. However, a security breach could kill an SMB, so smaller companies that have more to lose with every transaction should proceed with caution.

It’s happened already: Last month, Blippy, a social networking site that allows users to post their purchases online, suffered a serious security issue when some users’ credit card numbers surfaced in Google’s cache results. According to a post on the Blippy Blog, due to a technical oversight, “some raw transaction data appeared within the HTML code on some Blippy pages for about half a day.”

Of course, there is always a risk — brick-and-mortar credit card transactions also have their security issues. But it’s up to IT to push back and weigh the pros and cons when excited users are ready to jump in on the hot new trend.

What do you think? Is Square a breakthrough for your business (think: the ability to close a deal at a local conference or meet and greet), or will you be treading lightly when it comes to the startup — at least for the time being?

This type of data loss is pretty common, no matter how serious you are about security. Just ask Apple.

Apple Inc.’s next-generation iPhone prototype was reportedly left behind at a bar last month by an Apple software engineer and just recently returned to the company (after a revealing stay with Gizmodo), providing an unprecedented first look at the newest version well before the expected launch date.

A few weeks ago, I interviewed Larry Ponemon, founder and chairman of the Ponemon Institute LLC, a privacy and information management research center, for a story I was writing about data recovery. One of the points Ponemon stressed was paying attention to the chain of custody — the journey your data takes whenever it leaves the organization — because it’s not as closely watched as we may think.

Ponemon said he knows of one company that sent a senior executive’s laptop out for data recovery services and never got it back. “It was lost in the cab on the way back,” he said. “No one questioned the chain of custody.”

So maybe we can’t prevent human error when it comes to lost devices, but we should keep our eyes wide open to the possibility. Keep close track of your company’s devices and mitigate the risks of data loss via encryption.

This week, I wrote a story for SearchCIO-Midmarket.com on the importance of performing vendor risk assessments on your data recovery service providers — something not many organizations regularly do today. According to Paul Reymann, CEO of security consulting firm Reymann Group Inc., the importance of vetting third-party data recovery providers is just not on the radar screen of many organizations.

While it’s crucial to know how secure your data recovery providers are, it’s equally important to have this security information for all of your (IT and non-IT) vendors and service providers. When it comes to protecting sensitive data, all outsiders are potential threats.

“Everyone that has access to your data, the network, the facilities and your devices poses a threat,” Reymann said. “I’m talking about the janitor, the painters you hire during your renovations, the dumpster removal company — everyone — and not just the ones that you’re directly outsourcing your data to.”

I started wondering how many small to midsized companies actually assess vendors, even those not related to IT, in regards to overall security. As I mentioned in my story, a recent survey showed that of the 636 IT security and IT support professionals surveyed, when asked if data security was a major criterion for selecting a data recovery provider, only 20% said that it was currently part of the process. And that’s data recovery providers! What about those providers that you aren’t handing over your data to — what do you know about them?

According to Reymann, you’re better safe than sorry, especially when you consider what you’re risking by not properly vetting service providers.

“If you have a data breach, [organizations] are vulnerable to class action lawsuits and lost customers,” Reymann said. “And when that happens, smaller companies will not survive.”

Although this new generation of smartphones seems to be a tech geek’s dream, IT might actually be most resistant to new technology when it will impact the business. IT has to decide early on if it’s going to support yet another new smartphone. The BlackBerry was once the standard, and RIM paid a lot of extra attention to enterprise IT support capabilities. IT spent a lot of time getting applications to work on BlackBerry, only to be faced with the iPhone a few years down the road.

The executives (interestingly not the Gen Xers) were the big iPhone purchasers. The C-level brought these new devices in as primary work phones and expected IT support. And since IT is ultimately there to support the users, if the decision makers want Exchange on their iPhones, well, they’re going to get it. IT would have to manage iPhone support costs and risk exposure while working around hardware and OS limitations.

The problem is, IT then has to worry about a new set of security policies (last year Apple’s iPhone and Google’s Android OS both had exposed flaws). Are there remote wipe capabilities? Is there encryption available? Further, the apps the sales team needs to use — for example, Salesforce.com, CRM, etc. — have to work on these new devices.

Although Verizon is offering some Exchange support for an additional fee ($15), recent reports state this will just be a software feature and won’t actually be in the same league as corporate network integration.

Do you really want to manage four sets of the same application (one for each potential device) and four different security policies, five times over?

You have to decide where to draw the line on device support – balancing user needs with business realities.

And what better time to raise awareness than on the heels of the Gmail/Hotmail/email phishing scam that compromised thousands of accounts. On Oct. 6, news broke that at least 10,000 Hotmail addresses and passwords had been leaked online. The next day, it was revealed that 20,000 addresses and passwords for email accounts from Hotmail, Gmail, Yahoo, AOL, Gmail, EarthLink and Comcast had also shown up on the Web.

Just barely into October, the news reinforces the theme of this year’s security awareness month, “Our Shared Responsibility,” in showing that we have to promote cybersecurity education and best practices to all users – down to the weakest links. Everyone on your network needs to understand the risks (and be aware of any warning signs) when online.

The need for that education was made clear by a statistical analysis of the 10,000 leaked Hotmail accounts, which showed that the top two most commonly used passwords were 123456 and 123456789.

With that in mind, here are some resources to guide you in continued online safety and security in your organization:

Small to medium-sized businesses are prime targets for cybercriminals because they often don’t have the resources to update their security programs. The National Cyber Security Alliance has some information on risk assessment and security plan implementation for SMBs to protect their brands, their customers and their employees.

Our recently published “10 must-have steps for an effective SMB information security program” highlights security information for small businesses from a soon-to-be-finalized guide from the National Institute of Standards and Technology. The guide includes information on steps to an effective information security program and common trouble spots to be cautious of, such as:

• Opening email attachments from unknown senders and responding to emails asking for sensitive information.
• Clicking on Web links in emails and instant messages.
• Clicking OK on pop-up windows and other hacker tricks.

The California Office of Information Security and Privacy Protection provides information and recommendations on data security – from online privacy tips (resources on bugs, hackers and more) to information protection practices for businesses.

Does the Red Flags Rule apply to your business? The Federal Trade Commission has provided some information on the fraud protection rule for businesses, including a how-to guide and a DIY template to help you identify red flags in advance and avoid data breaches.

Capital One and the National Cyber Security Alliance have come up with a top five list of cybersecurity tips for SMBs. Risk assessments and employee education were among the suggestions.

The National Association of State Chief Information Officers (NASCIO) has partnered with the Department of Homeland Security’s National Cybersecurity Division, the Multi-State Information Sharing and Analysis Center, and the National Cyber Security Alliance to promote cybersecurity awareness. Each organization has provided extensive awareness tools and resources, a list of which can be found on the NASCIO cyber security awareness page.

Good online security should be practiced 365 days a year – but take advantage of the added awareness this month to get your employees up to speed.

But the malware that surreptitiously burrowed into Heartland Payments Systems Inc. months ago and was just now discovered to have stolen a massive amount of credit and debit card data?

“I don’t think that would happen at an SMB,” says Rick Caccia, a VP of product marketing at security vendor ArcSight Inc. SMBs see their share of “smash and grab” attacks, where some malware breaks through a firewall and steals a bunch of information or infects a bunch of computers. “It’s a big pain for awhile, but then you clean up afterwards.”

But the type of “low and slow” attack perpetrated on Heartland, where intruders plant a bit of malware that quietly collects information, wakes up and spits back credit card numbers to some domain, is not a top risk item for SMBs, contends Caccia, who ran the email and security products for SMBs and large companies at Symantec prior to joining ArcSight.

Never say never, says Caccia, but size matters in data breaches. “That’s a kind of attack you wouldn’t put in a law firm. You’re going to get like, 50 credit card numbers.” Where’s the criminal return on investment? In contrast, Heartland processes more than 100 million credit card transactions per month.
But there is a “low and slow” attack that SMBs do need to worry about, he says.

“The [Heartland] attack is similar to these botnet infections where users go to a bad website and pick up a new bot.” Like the low-and-slow attacks, the bots are hard to catch, says Caccia.

“They just don’t send much traffic, so the antivirus vendors can’t create signatures for them. They sort of lay there quietly, wake up and spit out some spam,” he said.

The data breaches most likely to affect SMBs, he contends, bubble up from within, from malicious or ignorant users accessing data they shouldn’t.

“Despite the flash, I am not sure all these credit card harvesting [schemes] are actually something they have to worry about,” Caccia says.

Do you agree that you don’t have to worry about the Heartland-type data breach? Do you go after bots — and if so, how is it part of your SMB security strategy?