Tag Archives: Cisco

Small business data security

Here are 7 steps to protecting your small business's data and intellectual property in 2011, in the era of the Obama presidency and rising government regulation.

Some of these steps are about not drinking the consultants' Kool-Aid (like Step #1 – Do not be tempted into an expensive business process mapping project) and others are about adopting best practices that work for big business (like Step #5 – Monitor your business partners).

Most of all, the 7 steps are about thinking through the threats and potential damage.

Step #1 – Do not be tempted into an expensive business process mapping exercise
Many consultants tell businesses that they must perform a detailed business process analysis and build data flow diagrams of their data and business processes. This is expensive to execute, extremely difficult to maintain, and can soak up a large quantity of billable hours. That is why they tell you to map data flows. The added value of knowing every data flow between your business, your suppliers and your customers is arguable. Just skip it. What you do need, and can write down in an afternoon, is a short list of which files and systems hold your valuable data and whether any of them hold customer card data; that list is what the rest of the steps work from.

Step #2 – Do not punch a compliance check list
There is no point in taking a non-value-added process and spending money on it just because the government tells you to. My maternal grandmother, who spoke fluent Yiddish, would yell "grosse augen" (literally "big eyes") at us when we piled too much food on our plates. Yes, US publicly traded companies are subject to multiple regulations. Yes, retailers that store and process cardholder data and PII (personally identifiable information) have to deal with PCI DSS 2.0, California state privacy law, etc. But looking at all the corporate governance and compliance violations, it is clear that government regulation has not made America more competitive nor better managed. It is more important for you to think about how much your business assets are worth and how you might get attacked than to punch a compliance check list.

Step #3 – Protecting your intellectual property doesn't have to be expensive
If you have intellectual property, for example proprietary mechanical designs in AutoCAD of machines that you build and maintain, schedule a 1 hour meeting with your accountant and discuss how much the designs are worth to the business in dollars. In general, the value of any digital, reputational, physical or operational asset to your business can be established fairly quickly in dollar terms by you and your accountant, in terms of replacement cost, impact on sales and operational costs. If you store any of those designs on computers, you can get free open-source disk encryption software for Windows 7/Vista/XP, Mac OS X, and Linux. That way if there is a break-in and the computer is stolen, or if you lose your notebook on an airport conveyor belt, the data will be worthless to the thief. Two caveats: disk encryption only protects the data while the machine is powered off or the encrypted volume is locked, so set notebooks to lock when idle, and the protection is only as strong as the passphrase, so pick a long one and don't write it on the notebook.

Step #4 – Do not store personally identifiable information or credit cards
I know it's convenient to have the names, phone numbers and credit card numbers of customers, but the absolutely worst thing you can do is to store that data. Visa has it right. Don't store credit card numbers or magnetic stripe data. It will not help you sell more anyway; you can use PayPal online or simply ask for the credit card at the cash register. If you need something on file for refunds or chargebacks, keep the last four digits and the processor's transaction reference, never the full card number, the stripe (track) data or the security code on the back. Get on Facebook and tell your customers how secure you are because you don't store their personal data.
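As an added check (example code written for this post, not something from Visa or the original article): if you are not sure whether card numbers have crept into your order logs or spreadsheets, a few lines of Python will find them and show what a storable record looks like. The sample lines and their layout are constructed; the card numbers in them are the standard Visa and Mastercard test numbers, and the only real thing about them is the Luhn check digit that every card number passes.

```python
import re

# Constructed order-log lines of the kind a small shop keeps in a spreadsheet;
# the card numbers are the standard Visa and Mastercard test numbers, not real accounts.
SAMPLE_LINES = [
    "2011-03-02,Jane Doe,+1-555-0134,order 1042,4111111111111111,exp 04/13",
    "2011-03-02,John Roe,+1-555-0177,order 1043,paid via PayPal",
    "2011-03-03,Acme Ltd,invoice 77812345678,net 30",
    "2011-03-03,Sam Poe,+1-555-0199,order 1044,5500 0000 0000 0004,cvv 123",
    "2011-03-04,track %B4111111111111111^DOE/JANE^1304101?",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not inside a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 data as a magstripe reader writes it: %B<PAN>^NAME^<expiry, service code, ...>?
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?")
# Card security code noted next to an order
CVV_RE = re.compile(r"\bcvv\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check digit test; every real card number passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Luhn-valid card numbers in text, returned as plain digit strings."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def scan_lines(lines):
    """(line number, finding) for every line holding data a merchant should not be storing."""
    findings = []
    for n, line in enumerate(lines, 1):
        if TRACK_RE.search(line):
            findings.append((n, "track data"))
        if CVV_RE.search(line):
            findings.append((n, "cvv"))
        for pan in find_pans(line):
            findings.append((n, "pan ending " + pan[-4:]))
    return findings


def redact_line(line):
    """What may stay on file: track data and CVV removed, each card number masked to its last four."""
    line = TRACK_RE.sub("[track data removed]", line)
    line = CVV_RE.sub("cvv [removed]", line)

    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()  # not a card number (invoice, phone), leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_RE.sub(mask, line)


if __name__ == "__main__":
    for n, what in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {what}")
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Run it over an export of whatever you keep customer records in. Anything it reports as track data or CVV has no business being on disk at all; a masked number plus the processor's reference is enough to look up a refund.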

Step #5 – Don't be afraid of your own employees, but do monitor your business partners
Despite the hype about trusted insiders, most data loss is through business partners. Write a non-disclosure agreement with each business partner and trust them, but audit their compliance at least once a year with a face-to-face interview.

Step #6 – Do annual security awareness training but keep it short and sweet
Awareness is great, but as Andy Grove said, "A little fear in the workplace is not necessarily a bad thing". Have your employees and contractors read, understand and sign a 1 page information security procedure.

Step #7 – Don't automatically buy whatever your IT consultant is selling
By now you are getting into a security mindset: thinking about asset value, attacks and cost-effective security countermeasures like encryption. Download the free risk assessment software and get a feel for your value at risk. After you have done some practical threat analysis of your business risk exposure you will be in an excellent position to talk with your IT consultant. While most companies don't like to talk about data theft issues, we have found it invaluable to talk to colleagues in your market and get a sense of what they have done and how well the controls perform.
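Here is a toy version of the kind of value-at-risk model that exercise produces, written for this post as an added example; it is not the risk assessment software mentioned above, and every dollar figure, probability and mitigation fraction in it is a constructed assumption for a hypothetical machine builder. It scores each countermeasure by how much expected annual loss it removes per dollar spent, then builds a plan within a budget, adding a control only if it removes more risk than it costs.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset: str                 # the asset it damages (key into the asset table)
    annual_probability: float  # estimated chance of at least one occurrence per year
    damage_fraction: float     # share of the asset's dollar value lost per occurrence


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    mitigates: dict            # threat name -> fraction of that threat's loss it removes


# Constructed figures for a hypothetical machine builder; replace them with the
# numbers from your own accountant meeting.
ASSETS = {
    "AutoCAD designs": 400_000.0,
    "customer list": 150_000.0,
    "web shop uptime": 250_000.0,
}

THREATS = [
    Threat("stolen notebook with designs", "AutoCAD designs", 0.20, 0.50),
    Threat("former employee takes customer list", "customer list", 0.10, 0.60),
    Threat("partner leaks designs", "AutoCAD designs", 0.15, 0.30),
    Threat("DDoS on web shop", "web shop uptime", 0.30, 0.05),
]

COUNTERMEASURES = [
    Countermeasure("full disk encryption on notebooks", 500.0,
                   {"stolen notebook with designs": 0.9}),
    Countermeasure("partner NDA plus annual audit", 2_000.0,
                   {"partner leaks designs": 0.5}),
    Countermeasure("one-page security procedure, signed annually", 300.0,
                   {"former employee takes customer list": 0.3,
                    "partner leaks designs": 0.1}),
    Countermeasure("business process mapping project", 40_000.0,
                   {"partner leaks designs": 0.2,
                    "former employee takes customer list": 0.2}),
]


def value_at_risk(threats, assets, chosen=()):
    """Expected annual loss across all threats, after the chosen countermeasures."""
    total = 0.0
    for t in threats:
        loss = assets[t.asset] * t.damage_fraction * t.annual_probability
        remaining = 1.0
        for c in chosen:  # independent mitigations combine multiplicatively
            remaining *= 1.0 - c.mitigates.get(t.name, 0.0)
        total += loss * remaining
    return total


def rank_countermeasures(threats, assets, countermeasures):
    """Each countermeasure on its own: (name, cost, risk reduction, reduction per dollar)."""
    base = value_at_risk(threats, assets)
    rows = []
    for c in countermeasures:
        reduction = base - value_at_risk(threats, assets, [c])
        rows.append((c.name, c.annual_cost, reduction, reduction / c.annual_cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def choose_within_budget(threats, assets, countermeasures, budget):
    """Greedy plan: keep adding the control with the best reduction per dollar, counting
    only the risk it still removes given what is already chosen, and only if it
    removes more risk than it costs."""
    chosen, left, candidates = [], budget, list(countermeasures)
    while candidates:
        current = value_at_risk(threats, assets, chosen)
        best, best_ratio = None, 0.0
        for c in candidates:
            if c.annual_cost > left:
                continue
            reduction = current - value_at_risk(threats, assets, chosen + [c])
            if reduction > c.annual_cost and reduction / c.annual_cost > best_ratio:
                best, best_ratio = c, reduction / c.annual_cost
        if best is None:
            break
        chosen.append(best)
        left -= best.annual_cost
        candidates.remove(best)
    return chosen


if __name__ == "__main__":
    print(f"value at risk, no controls: ${value_at_risk(THREATS, ASSETS):,.0f}")
    for name, cost, reduction, ratio in rank_countermeasures(THREATS, ASSETS, COUNTERMEASURES):
        print(f"{name:45s} cost ${cost:>8,.0f}  removes ${reduction:>8,.0f}  {ratio:6.1f} per $")
    plan = choose_within_budget(THREATS, ASSETS, COUNTERMEASURES, 5_000.0)
    print("plan for $5,000:", [c.name for c in plan])
    print(f"value at risk after plan: ${value_at_risk(THREATS, ASSETS, plan):,.0f}")
```

With these made-up numbers the cheap controls from Steps #3, #5 and #6 come out on top, and the process mapping project from Step #1 never gets picked even with an unlimited budget, because the risk it removes is a fraction of its price. The numbers are yours to argue about; the point of the exercise is that you argue about them before the consultant arrives.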

Tell your friends and colleagues about us. Thanks!
Share this

Is your DLP project a failure?

Are we in the same valley of death that held  content management applications in the 90s?  Where companies spent 6-7 figures on content management from companies like Vignette and over 50% of the projects never got off the ground?

Tell me what you think in this LinkedIn poll – DLP success or failure


Data loss prevention from inside out

I love how this Cisco video clip on Blip TV starts with examples of DDoS attacks, then uses shots of incoming content filtering, and then dramatizes the point with a cop not allowing a visitor into the booth. What is going on here? Cisco didn't have the budget for an editor who knows the difference between inbound and outbound traffic? (Funny stuff around 1 minute 35 seconds.) Data loss prevention is about what leaves the network, not what comes in.


Is data loss prevention possible?

I recently saw an article on Computerweekly that asks – “Is data loss prevention possible?”

I think that a more relevant question is “Is information protection possible?”

The author correctly identifies that it is easier to access data (and leak it) than to modify or delete it. However, the notion that data is out of control in the corporate world is an over-reaction and does a disservice to most businesses.

Data is out of control in the corporate world…I think… the only way that we can have influence on the likelihood of (data loss) occurring is through a couple of fundamental controls, namely

1. Reduce and limit access to data

2. Control the “copyability” of data

Companies already manage access and control “copyability”. This is not new, nor is it effective against the threat of a major data loss event.

Organizations from SMEs up to the Global 2000 run Microsoft networks based on Active Directory with planned (not always well executed) group policies and permissions management. Controlling access and copyability in the service of business objectives is precisely what these systems are for.

If you need finer-grained copy protection, there are dozens of endpoint security products, from Check Point, McAfee and Symantec to ControlGuard.

If you need finer-grained rights management, there are products like Microsoft DRM and Oracle IRM. Personally, I don't think that DRM is effective for enterprise information protection. DRM changes the user experience and depends on user behavior, it can be broken or bypassed, and because of those constraints DRM systems are difficult to deploy on a large scale.

However, permissions and rights access management, and lately removable device management, have not prevented major data loss events like Heartland or Hannaford. The reason is that once rights are granted, the user is trusted and can move the data anywhere he or she wants. Those two breaches are also a reminder that user permissions are not the whole story: in both cases malware on the payment network captured card data in transit, and no authorized user exported anything.

We need information protection,  not copy protection; and in a way and at a cost that is a good fit for the business.

Information protection is possible by taking a value-based approach that integrates with the business operation. Analyze your business requirements and threat scenarios, and only then consider data loss prevention solutions like enterprise information protection from Verdasys, agent DLP from McAfee or a gateway DLP solution from Fidelis Security.


Data loss prevention for SME

Is an SME like the old German saying, "Kleine Kinder kleine Sorgen, große Kinder große Sorgen" ("small children, small problems; big children, big problems")?

I wanted to call this post "The need to understand the operational risk of information security", but I realised that op risk is a concept used by big banks, and that an SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet a small payment processor or customer service outsourcing provider can be destroyed by a single data loss event.

The impact of a data loss event on an SME can be proportionally much greater than on a large, globally dispersed organization. An SME has all its eggs in one basket, even when it outsources manufacturing to the Far East and provides sales and support over the Internet from offices in New York, Tel Aviv and Mumbai.

A typical SME buys network access from the ISP and installs standard network security in the office: a SOHO firewall (Check Point or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.

The problem with firewall/anti-virus/anti-spam is that they are defensive measures keyed to known signatures and to traffic coming in, rather than proactive measures against the next attack, which may well be launched from inside the network.



Ex-Intel worker charged with $1B data theft

Big-time data theft event, this time by an employee leaving Intel to go to work for AMD. A Worcester, Mass. man has been charged with stealing trade secrets worth more than $1 billion.

Biswamohan Pani, 33, was indicted for allegedly stealing trade secrets from Intel’s Hudson, Mass. facility and downloading confidential documents from Intel offices in California.

According to the indictment, Pani gave notice to leave Intel and told his superiors he was using up about a week of vacation while looking for a job at a hedge fund.

In reality, according to the indictment, he had taken a job at Intel rival AMD and, while using up vacation time at Intel, was downloading documents marked by Intel as confidential. Without going into the entire discussion of Intel’s management of intellectual property, there are some interesting  questions:

Why was an employee who had announced he was leaving, and was running down vacation at home, even allowed access to Intel file servers?

How did Intel discover that confidential documents were being downloaded? Does Intel use data loss prevention technology? Were they tipped off by another employee? Or did the investigation start once Intel discovered that the employee was going to work for a competitor, at which point they started checking download logs?

Full article on the Sacramento Business Journal
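To make the last question concrete, here is what "checking download logs" can look like, as an added example written for this post with a constructed file-server access log and a constructed HR notice date; none of it is Intel's data or Intel's method, and the log format is an assumption. On the sample data it answers both questions above: which accesses happened after notice was given, and which day's volume stands out against the user's own baseline.

```python
from collections import defaultdict
from datetime import date

# Constructed file-server access log: "date user path bytes" per line. Not Intel's data.
RAW_LOG = """
2008-05-20 bpani /proj/arch/roadmap.pdf 2000000
2008-05-21 bpani /proj/arch/spec_v2.doc 900000
2008-05-22 alice /proj/arch/spec_v2.doc 900000
2008-05-23 bpani /proj/arch/review.ppt 1500000
2008-05-27 alice /proj/test/plan.doc 300000
2008-05-28 bpani /proj/arch/spec_v2.doc 900000
2008-06-02 bpani /proj/arch/roadmap.pdf 2000000
2008-06-02 bpani /proj/arch/spec_v3.doc 1100000
2008-06-02 bpani /proj/process/yield.xls 4000000
2008-06-02 bpani /proj/process/flow.pdf 8000000
2008-06-03 alice /proj/test/plan.doc 300000
"""

# Constructed HR feed: user -> the day they gave notice.
NOTICE_GIVEN = {"bpani": date(2008, 5, 30)}


def parse_log(text):
    """(day, user, path, size) records from the space-separated format above."""
    records = []
    for line in text.strip().splitlines():
        day, user, path, size = line.split()
        records.append((date.fromisoformat(day), user, path, int(size)))
    return records


def accesses_after_notice(records, notice_given):
    """Every access by a user on or after the day they gave notice: access that should
    have been revoked, or at least reviewed, the moment HR learned of the departure."""
    return [(day, user, path) for day, user, path, _ in records
            if user in notice_given and day >= notice_given[user]]


def bulk_download_days(records, factor=4.0, min_history=3):
    """Days on which a user moved more than `factor` times their usual daily volume.
    The baseline is the mean of the user's other days, so a spike cannot hide itself."""
    per_day = defaultdict(int)
    for day, user, _, size in records:
        per_day[(user, day)] += size
    by_user = defaultdict(dict)
    for (user, day), total in per_day.items():
        by_user[user][day] = total
    flagged = []
    for user, days in by_user.items():
        if len(days) < min_history:
            continue  # not enough history to call anything unusual
        for day, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != day]
            baseline = sum(others) / len(others)
            if total > factor * baseline:
                flagged.append((user, day, total))
    return flagged


if __name__ == "__main__":
    log = parse_log(RAW_LOG)
    for day, user, path in accesses_after_notice(log, NOTICE_GIVEN):
        print(f"after notice: {day} {user} {path}")
    for user, day, total in bulk_download_days(log):
        print(f"bulk day: {user} {day} {total:,} bytes")
```

Both checks depend on two things that are easy to take for granted: that the file server logs reads at all, and that the notice date reaches whoever runs the server. The first check is really an argument for revoking access on the day notice is given rather than looking for the downloads afterwards.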


Industry indicators

Are test equipment sales a bellwether of telecommunications and technology industry prospects?

I have been looking for macro indicators of what will happen in the telecommunications industry. We specialize in data security for telecommunications. Data security is a big issue for companies in flux: firing employees, turning more to outside contractors and merging operations. The question is whether or not data security is getting slashed out of 2009 budgets.

One macro indicator is the sales forecasts of technology vendors to the telecom industry. Cisco, which is regarded as being very good at forecasting, predicts a sales drop of 10 percent in the next quarter. However, the supply chain doesn't stop with telecom equipment and network security manufacturers like Cisco, Nortel, HP, Juniper, IBM, Alcatel and Nokia. These vendors need test equipment to test their products on telco and corporate networks.

Amid the telecom industry storm of warnings and worries, test equipment vendor Spirent Communications plc (NYSE: SPM; London: SPT) believes it is on target for 2008 and capable of maintaining a similar level of sales during 2009.

The crash of Lehman Brothers in September 2008 caused widespread financial woes for companies of all shapes and sizes, and also caused a blip for Spirent. But Spirent sales bounced back in October. Telco equipment firms continue to spend in areas that are core to their strategies: wireless, carrier Ethernet, data center developments, and the automation of lab-based testing processes. "Customers are aiming for better utilization of their resources," says the Spirent CEO.

Since customers need better utilization of their resources, that means that we need to show how our data security solutions will not only help protect telecom digital assets but also reduce the cost of ownership and do the job with less head-count.

I suppose I didn’t really need Spirent for that insight.

See the full article on Light Reading


The credit crunch, Cisco and Nortel

I was talking with my friend Gennady Weizman yesterday about medium term (as in the next 6-18 months) impact of the current financial markets crisis on the tech market.   Most of our business is in the telecom industry – so I have an interest in whether our clients will have money to spend.

It appears to me that there is a significant difference in the threat surface for the telecom business today compared with 8 years ago when the dot-com bubble burst. Back in 2000, the telecom service providers and their technology suppliers were living off the bubble: overpriced products and services and an over-supply of fiber and network infrastructure. It took the telecom industry 7 years to recover, but today the industry is healthy with multiple growth drivers in VOD, IPTV, broadband, triple-play, VoIP, HDTV, 3G cellular, WiMAX and mobile data.

Cisco is my personal indicator – if their orders (many from telecom service providers) drop then it’s a sign that the consumer credit crisis is trickling back up the supply chain to the equipment vendors.

Cisco shares declined in Nasdaq trading after John Chambers forecast the first revenue drop in five years because of the financial crisis. Sales may fall as much as 10 percent in the second quarter, which ends in January.

The business took a hit  with the credit crunch, driving October 2008 orders for Cisco products down 9 percent. Chambers said that his comfort level with the forecast was the lowest since the dot-com bubble burst in 2000. Cisco plans to save $1 billion in costs over the next three quarters by freezing hiring, business travel and relocation expenses.

Chambers is usually an optimistic fellow – so should we be worried?

