Somebody fell asleep at the switch — or server, as it were — allowing hackers in Eastern Europe to slip right into the state’s Medicaid database. They slipped out with hundreds of thousands of birthdates, names, addresses and social security numbers, among other useful tidbits. It’s believed that, by exploiting an unchanged default password on the user-authentication layer of the system, they were able to bypass multiple layers of security controls. Yes, a default password cost at least one person his job, more than half a million people their privacy and millions in taxpayer dollars to clean up the mess.
Herbert said he sought the CIO’s resignation because Fletcher lacked “oversight and leadership.” Ouch. Maybe this wouldn’t sound so bad if, as several accounts suggest, Fletcher weren’t so good. Since he was named the state’s CIO in 2005, Utah has emerged as a leader in government tech and innovation, and Fletcher has been credited with leading the state to successful enterprise-wide IT consolidation and centralization. He’s a past president of the National Association of State Chief Information Officers and a past recipient of Government Technology’s “Top 25 Doers, Dreamers and Drivers” award. But now a default password overshadows all of that.
Fletcher told Government Technology that the incident was preventable and is an example of why more funding is needed to protect government IT systems. In just the past four months, he said, cyberattacks on the state’s technology system have spiked 600%. But Fletcher also bemoaned the fact that this would overshadow all of the good work done by his department — the cost savings, the consolidation, the presence of more than 1,000 online services for residents.
Whether Fletcher is personally at fault is still under investigation, but he certainly has taken the fall. One would hope security protocols at least existed — if not, the blame surely lies at his feet. If they were in place and employees simply didn’t follow them — well, the blame still falls on Fletcher. In the end, he is the leader in this scenario, and unless it can be proved his team members maliciously left the server vulnerable, it’s his job to make sure they do theirs.
Certainly, this is an extreme example of what can go wrong when security protocols are not adhered to (or are possibly nonexistent), but nonetheless one worthy of every CIO’s attention. Handling security and compliance is a balancing act and a team effort. Stories like this one are sobering reminders that, while it isn’t easy, steadfast attention to managing information risk has value beyond measure.
• From the “don’t tell your teenager” file, sometimes a GPA ain’t nothin’ but a number. There’s book smart, there’s street smart and there’s Steve Jobs smart.
• How well do you know your colleagues in marketing? If you haven’t taken the time to get to know them, you’re going to want to, because, well, it just makes good business sense for everyone. (And Gartner predicts that in five years, your CMO will be spending more on IT than you do.)
• In Forbes, Erica Dhawan, writer, speaker, leadership consultant and Wharton grad, asserts that business schools don’t prepare women for leadership roles. Do you think the same is true in IT?
• Up in the sky, it’s a bird! It’s a plane! It’s – Oracle CEO Larry Ellison trying to buy the cloud?
• Is there room for one more in the C-suite? Pondering the creation of the Chief Collaboration Officer role.
• The storm clouds are gathering. According to Michael Chertoff, former secretary of homeland security, Europe and the U.S. are on the verge of a global-scale clash on privacy laws.
Facebook, the social network credited with the collaborative oomph needed to galvanize dissent, is one of the most popular cloud computing services, with more than a half billion users worldwide. Will it someday become the engine for a smarter planet, used to distribute food, water and other vital resources equitably?
As Facebook has shown, cloud computing makes the world an even smaller place. Yet global cooperation could be hamstrung by unnecessary regulations regarding data location, according to the cloud computing vendors who flocked to Washington, D.C., this week for a meeting of the Congressional Internet Caucus. In Canada, for example, the government has already forbidden Canadian citizens’ personal information to be taken out of the country.
Dan Burton, executive vice president of global public policy for Salesforce.com, a provider of cloud services for customer relationship management, urged lawmakers not to enact such hurdles to cloud adoption by U.S. companies, saying that if they do, they will forestall momentum in the cloud computing market, which is led by such U.S.-based companies as Amazon.com, Google, IBM and Hewlett-Packard.
Burton said the existing Safe Harbor certification program for data security seems to be doing the trick for vendors, as well as for users of cloud computing services, by following data protection principles established by the European Union. At the very least, the Obama administration is backing a new Commercial Privacy Bill of Rights, which would give consumers more control over their personal data and how it is collected and shared among third parties.
Perhaps today’s science fiction writers can take it from here, and craft stories about how various governments came together by 2015 to establish common laws surrounding cloud commerce, and how that eventually led to a single global government with the United Nations as its council. These stories would go on to describe a consolidated and green global data center infrastructure; better resource allocation; development of solar, wind and geothermal energy; space exploration — and peace.
Back on Earth, cloud computing is moving at such a rapid pace that everyone in the enterprise is being forced to catch up with the mobile technologies that are transforming the workweek into a more flexible, integrated, 24/7 lifestyle.
Stamford, Conn., consultancy Gartner Inc. expects the market for cloud-based infrastructure services alone to nearly triple in the next three years, from the current $3.7 billion to $10.5 billion in 2014. That doesn’t count the Software as a Service market, which is becoming a mainstream part of enterprise IT architecture, according to Julie Smith David, a professor at Arizona State University and a co-author of a report about integrating SaaS with legacy systems that was commissioned by the Society for Information Management’s Advanced Practices Council.
Look for a SaaS reality check on SearchCIO.com next week.
You’re probably well aware of the benefits of social media in the workplace. They can function as excellent recruiting tools for HR, serve as user-friendly collaboration platforms for staff and boost a company’s customer outreach (McDonald’s, for instance, hired its first social-media chief this week).
But CIOs must also consider social media’s pitfalls, especially if they haven’t drafted social media policies to guide their staff. According to Senior News Writer Linda Tucci, IT consulting firm Burton Group Inc. pointed to these risks associated with compromised social media accounts in the workplace:
Meanwhile, over on our sister site, News Writer Jessica Scarpati zeroed in on compliance concerns. According to the survey “Usage Trends, End User Attitudes and IT Impact” from FaceTime Communications Inc., a unified communications security and compliance vendor, when asked if they could reproduce social network communications if required by an attorney, 65% of IT managers said they could not.
And although 77% of enterprises said they archive emails, only a fraction (19%) logs communications via social networks; 13% reported archiving tweets, the survey found.
The story also cites several good examples of social media gone wild in the workplace, as well as the fallout. Perhaps most shocking? Two nurses were fired from a Wisconsin hospital last year following allegations they had taken pictures of a patient’s X-ray — which showed an object lodged in his rectum — with their cell phone cameras. One nurse was accused of posting the photo to her personal Facebook page (she later deleted it).
Now, tell me whether you’ve seen the phrase “lodged in his rectum” in any other IT story you’ve read this week. (Actually, please don’t tell me, as I’m not sure I’d want to know the details.)
Do you have your own social media horror story to share? Or has your company established social media policies to clamp down on security and compliance concerns?
OK, now somebody please explain this to me, because I am so unimpressed. I’ve been able to chat through Gmail for years, so how is this much different? I guess the fact that you can hold a multi-person chat is cool, as is the ability to embed videos and photos directly into the chat stream (when it works). But I don’t see anything revolutionary in here. Moreover, I find it cluttered and confusing to navigate, whereas Google is usually so intuitive. (Also, a friend and I each experienced an unwanted person from our past popping up on our contact list – come on, Google, you’re supposed to be smarter than that!)
My experience has made me question Google’s long-term strategy with regard to enterprise collaboration and Google Wave. Google likes to be the standard by which other Software as a Service applications judge themselves. More and more, Google is trying to market its services, like Gmail, to enterprise organizations. From all of the hype surrounding it, I had the impression that Google Wave would make me feel like my colleague in the Midwest is sitting at the next desk over. Alas, it hasn’t, and I can’t see Google Wave, in its present iteration anyway, taking on any kind of foothold in the enterprise.
Moreover, would enterprise audiences want so much pertinent communication taking place on a platform that they do not oversee? In a new and somewhat untested Web 2.0 environment, security and privacy issues are likely to emerge, and I would anticipate compliance headaches aplenty for CIOs who have employees communicating on this platform about work-related matters.
Despite the rocky start to our relationship, I’m trying to give Google Wave a second shot, and envision ways it could carry an enterprise forward. Have you tried using Google Wave in the workplace yet? What’s your experience been? Can you see a CIO sanctioning its use as an enterprise collaboration platform in the distributed workforce?
Yes, the original legislation set such a high benchmark that it would place an enormous burden on businesses to comply: encrypting all personally identifiable information, designating one person to oversee a company’s privacy program (a big burden for smaller businesses where there’s not even one person dedicated to security). So I understand the hue and cry about legislators not getting the implications of what they are putting in place because they don’t understand the technology, or IT, or the economics of risk management for the business world. That is all true.
But what is also true is that data protection is changing, and needs to change, in the U.S. Even as the Massachusetts law would defer to federal law in many places, the fact is we don’t yet have a tough federal law on the order of what is commonplace in some other parts of the world. Americans, as capitalists, often roll their eyes at many European conventions (think: six-week vacations, nationalized health care, controls on greenhouse gas emissions) but in fact the U.S. could end up emulating some EU practices because they work. Privacy and data protection should be no different.
As a resident of Massachusetts, I’m disappointed that my state might not end up with the toughest data protection law in the nation. But I hope the feds will soon pick up the ball and take care of that for us. Unlike legislation like SOX, where the sins of the few brought the burden to the many, a federal data protection act would be one for all of us. With nothing less than the integrity of our identities at stake, creating such electronic border controls should involve federal funding just as any aspect of national security does. And on the global stage in the electronic age, this is indeed a national security issue.
Yes, many states have data protection laws on the books now. But that doesn’t satisfy the Europeans, who view our data protection as weak without a federal law. Now’s the time for the feds to step in and give us a united stand.