Internet of Things image

How the Internet of Things Is Changing Cybersecurity

/in /by

Over the next few years, companies will be connecting billions of unconventional devices to the Internet. Find out how this wave of web-connected devices will affect the security of your business’s data.

The Internet has radically changed society over the last few decades. It will continue to shake things up in the years to come as consumers are starting to connect thermostats, lights, refrigerators, and other unconventional devices to the web. This phenomenon is known as the Internet of Things (IoT).

The IoT is not limited to consumer devices. Companies are also beginning to connect devices such as security cameras and heating, ventilation, and air conditioning (HVAC) systems. Gartner predicts that 26 billion devices will be online by 2020.

Some devices have IoT technology built into them, whereas other devices have the technology added to them. Either way, the IoT technology collects data about the devices and sends it to applications by means of the Internet. People often use the applications to not only monitor devices but also control them.

Using IoT devices has its advantages, but it also exposes companies to security risks. Hackers are already beginning to exploit IoT devices.

The Advantages

Both business owners and home owners can benefit from IoT technology. They can control IoT devices from just about anywhere using their smartphone or tablet. They can lock doors, turn off lights, check appliances, dial down the thermostat, and monitor areas when no one is around.

Business owners can also benefit from outfitting crucial equipment and systems with IoT technology. The data returned from them is priceless. It can give business owners early warnings about problems before they turn into costly mechanical and system failures. The data can also help business owners make better decisions about equipment and energy usage.

The Security Issues

Using IoT devices can expose companies to security problems. IoT-ready devices often have security vulnerabilities such as default passwords that are easy to crack and firmware updates that are easy to spoof. Plus, unauthorized users can often bypass the security measures in the devices’ web applications.

Just as troublesome is that many users do not realize they need to protect their IoT devices. After all, when the average person thinks of cybersecurity, they are usually picturing computers, not web-connected refrigerators. As a result, they do not use anti-malware programs and network security tools to protect their IoT devices. These insecure devices can put a company at risk since they are usually connected to the network that hosts the company’s critical data and applications.

To protect your IoT devices and your network, you need to make sure that:

  • Each IoT endpoint in your network is a legitimate device and not one being run by a hacker
  • The data being sent over the Internet is not being spied on, changed, or stolen
  • Personal and sensitive data remains hidden from prying eyes, even if those eyes belong to authorized users

In short, you must authenticate your IoT devices, ensure data integrity, and set users’ permission levels in way that preserves confidentiality. The massive scope of the IoT phenomenon makes managing these issues especially challenging.

How Bad Actors Exploit IoT Devices

As the number of IoT devices increases in a network, so does the likelihood that a hacker will be able to find one with weak security. After taking over one IoT device, the hacker can access the rest of the network. At that point, the hacker is free to steal information or install malware.

Hackers can also use IoT devices as part of a botnet. A botnet consists of a large number of computers and other devices under a hacker’s control. Hackers use botnets to send large amounts of spam and malware. The cybersecurity firm ProofPoint discovered one of these attacks in January 2014. The botnet included more than 100,000 devices, including routers, televisions, multimedia centers, and at least one refrigerator. Over a two-week period, the hacker used the devices to send 750,000 malicious emails to companies and individuals around the world.

Hackers can also use botnets to bombard networks and websites with service requests or messages. When the network or website can no longer cope with the onslaught, it shuts down.

Much more troubling is the fact that hackers are starting to use IoT devices to inflict physical damage. For example, in December 2014, German officials revealed that a steel manufacturing plant had fallen prey to hackers. After breaking into the plant’s network, the hackers disabled the controls on one of the blast furnaces. Due to the attack, the furnace was unable to shut off and caused massive damage to the facility.

In the government and in industry, there is much hand-wringing and concern for organizations that provide Critical Infrastructure, such as power-generation plants and water utilities, since much of the equipment used to control the pumps, motors and other key devices was designed decades ago prior to the Internet age, with little or no security. Many of these devices were subsequently “plugged in” to the Internet and are now susceptible to attack.

Cybersecurity experts are also concerned about the possibility of hackers taking control of Internet-connected cars. After hacking into a car’s system, the attackers could steal it. Worse yet, they could hijack a car while the owner is driving it, as demonstrated by a cybersecurity expert in a “60 Minutes” news report.

It’s not just hackers – last year researchers demonstrated how they gained access to a Nest “smart” house thermostat. This thermostat is designed to “watch” movement patterns in a house to see when it is occupied and to heat/cool it at the right times. So a bad actor could use this data to determine the best time to burglarize the house.

The Future of Cybersecurity

No one doubts the value of IoT devices. There are questions, however, about the ways in which companies can safely implement them. To answer these questions, companies should look to their trusted IT partners. These experts can offer guidance about the best ways to safely capitalize on the opportunities offered by the IoT phenomenon.

How to Create a More Effective Data Center

/in , , /by

IT managers are constantly on the lookout for more efficient — and effective — ways to run their data centers. You can try different tools and setups to help things run more smoothly, but at the end of the day, sometimes you just need to let go and automate.

System administrators who do everything manually are wasting their time — and yours. Tasks that are performed repeatedly can, and should be, automated. Doing so can save you money and prevent mistakes due to human error.

To create a better data center, consider automating the following system administrator tasks:

Security Sweeps

You probably know that you should be performing regular, automated security sweeps on your network. These sweeps will expose and fix any wire-borne vulnerabilities in your system; their frequency and intensity will depend on the complexity of your network. Automated security sweeps enable you to set up scheduled scans, send the output to a database, extract a post-scan report from the database, and create an HTML version of the report for online viewing. Nmap is a free network security scanner designed to scan large networks and report vulnerabilities.

Disk Usage Scans

System admins must always watch out for disk space gluttons — users who go beyond their allotted disk space. You can conduct scans, or regular audits of disk space usage by user. Offenders will receive a warning before personal contact from a system admin is necessary. Remedies include temporary account suspension, removal of files, or an extension of the user’s space quota. Perform these automated scans about once per week to keep users apprised of their disk use.

Performance Monitoring

Monitor performance by taking an occasional “snapshot” for a single point-in-time glance at your system’s performance. However, this peek is only a glimpse into the entire performance picture. For something with more depth and breadth that will show trends and predictive peaks and valleys, set up a monitoring system with Orca. This tool compiles performance data from disparate sources and creates performance graphs that are easy to read. Its automated system gathers data, performs calculations, and generates and displays graphs.

High-Level Administration

Save time and effort by performing housekeeping duties, service restarts, and maintenance notices through automation. You can set up scripts to fire during low-use hours to clear temporary file dumps, restart your favorite services, and send out any maintenance or downtime notices through email. Automating these duties will take some of the pressure off of you to remember which day certain tasks need to be done — no need to keep a calendar; just let the system handle it for you.

Do Not Assume Your Business is Too Small to Attract Cybercriminals

/in , /by

Many small businesses have a false sense of security when it comes to cybercrime. More than 75% of U.S. small businesses believe they are safe from it, even though 83% of them do not have formal cyber security plans, according to a study conducted by the National Cyber Security Alliance and Symantec.

Why Is There a False Sense of Security?

Many small businesses assume their size will keep them safe from cybercrime. They often believe that cybercriminals will only go after large companies because those companies have more money, email addresses, credit card numbers, and trade secrets to steal.

However, large companies also have more security experts and IT administrators to guard their assets. Many small businesses do not even have an IT administrator. A third of all small businesses rely on a nontechnical employee to manage their IT systems, according to an AMI-Partners study commissioned by Microsoft.

In reality, cybercriminals often target small businesses because they usually do not have the expertise or resources to fend them off. In 2014, more than a third of all reported targeted attacks were against small businesses, according to Symantec’s 2015 Internet Security Threat Report.

How to Protect Your Small Business from Cybercriminals

There are many measures you can take to help protect your business from cyberattacks. Some of them are fairly easy to put in place, even without the help of an IT administrator. Others measures are more involved. For these measures, you might want to get help from an outside security expert if your business does not have the necessary expertise.

Use security software and a firewall: In 2014, cybercriminals created 317 million pieces of new malware, almost 1 million per day, according to the 2015 Internet Security Threat Report. So, one of the first measures to take is to make sure you have software that detects malware, viruses, and spyware. This security software needs to be updated often. You will also want to make sure you have an operational firewall.

Create and enforce a password policy: A simple measure that can help keep cybercriminals at bay is to create a password policy. You can use this policy to make sure that employees use strong passwords and change them regularly. You can also use it to make sure that different system accounts have different passwords. To make the password policy effective, you need to enforce it.

Provide security training: Employees will not be able to use strong passwords if they do not know how to create them. This is where security training comes in handy. Besides teaching employees how to create a strong password, you can educate them about security threats, such as how attackers use phishing emails that contain malware to infiltrate companies. You can then tell employees about the best ways to thwart attacks. In the case of phishing, you can tell them to verify links in emails before clicking them and not open email attachments that look suspicious.

Dedicate a computer for online banking: If you conduct financial transactions over the Internet, the FBI, American Bankers Association, and Federal Reserve all recommend that you dedicate a computer for this purpose. You should not use this computer for any other online activities that might expose it to vulnerabilities. For example, you should not use it for emailing and surfing the web.

Use two-factor authentication: Using two-factor authentication during logins adds an additional layer of security. With two-factor authentication, employees need to verify their identity with something they have and with something they know. For instance, you might have them swipe a card through a reader and enter a security code. If you have remote employees, you might have them enter a randomly generated number from an electronic token card and enter a password.

Encrypt and back up your data: You can use encryption to protect your data when it is being transmitted over the Internet and when it is sitting in a database or file server. Encryption protocols such as Secure Sockets Layer, or SSL, enable you to protect your data as it is being transmitted over the Internet. Disk drives and databases usually include encryption technology that lets you encrypt data while it is at rest.

Encryption helps stop hackers from stealing sensitive data. It can also help prevent a ransomware attack. Ransomware is a type of malware that cybercriminals use to extort money from victims. They often use it to encrypt data and then demand a ransom to get the password needed for decryption.

There are other types of ransomware attacks. Cybercriminals sometimes use ransomware to lock a computer system and then demand a ransom to unlock it. The best way to defend against all types of ransomware is to regularly back up your data. That way, you can refuse to give in to the cybercriminals’ demands, knowing that you will be able to restore your systems and data if they cause harm.

Be Prepared for an Attack

The measures discussed here are only some of the ones you can take to fend off cybercriminals. Despite your best efforts, though, your small business might still fall victim to an attack. For this reason, you should create a contingency plan covering how to deal with an attack. You also might consider getting an insurance policy that protects you against any losses that you might incur from a cyberattack.

Free consultation

Six IT Services to Outsource

/in , /by

With the economic climate in the US and Europe still uncertain, many small and medium organizations are looking at outsourcing business services now more than ever. Those organizations that have already outsourced parts of their IT operations are looking to outsource more, and those that haven’t are looking to start. One thing that stops or slows down businesses looking to outsource is simply not knowing where to begin. Here are six places you can start:

  • SaaS: Software as a Service allows you to only pay for the software you use and only while you’re using it. This also has the benefit of cutting management and IT infrastructure needed to support a large collection of software across your computers. A report from 2008 suggest that even in the early stages of SaaS, organizations could expect to save over 50% in some instances, and occasionally more.
  • Managed Hosting: Off-site managed hosting will allow you to make drastic cuts to your in-house IT budget, as well as seriously reduce overhead from having your hosting infrastructure in your office or at a rented space. Managed hosting is one of the oldest, and most well understood, form of IT outsourcing, so there are significantly less risks than with almost any other plan.
  • Data Center: Data centers make the most sense for organizations that either generate or process large amounts of data, or for organizations that don’t have the local facilities to support a data center. Besides saving money on storage and processing, data centers also offer increased security, with redundant backups, redundant power & Internet, high-level encryption, and other protective measures. The added security often makes this a worthwhile investment even when cost-cutting is minimal.
  • Asset Management: In asset management outsourcing, an outsourcing agency takes over the management and support for IT assets like servers, computers and workstations, phones, and other office equipment. While the levels of support provided vary from provider to provider, this is a great way to offload many of the costs involved with running a large office organization.
  • Product Service/Customer Support: If you are in the business of selling technology, one less-often considered form of technology outsourcing is outsourcing your service and support divisions. Toshiba has had great success with outsourcing their service and repair divisions to UPS supply chain solutions in 2004, and HP has been doing it even longer. Likewise, tech support service and call centers can easily be outsourced, increasing margins on products and cutting infrastructure costs dramatically.
  • IT Strategy: Organizations can outsource their IT strategy to a firm that has the breadth of experience, domain/industry knowledge and diverse IT industry knowledge that is nearly impossible to duplicate cost-effectively in-house. Strategic advice can incorporate growth and capacity planning, addressing TCO and ROI, as well as risk management.
Business man on mobile phone

Oh, the Risks of Public Wi-Fi

/in , /by

As technology goes more and more mobile, working remotely from public Wi-Fi locations is going to be a bigger and bigger part of doing business. Whether it’s your sales team using airport Wi-Fi while waiting for a flight, or your creative employees knocking out some work at a Starbucks over lunch, the risks of public Wi-Fi are going to have to become a consideration for companies. Unfortunately, most employees (and many employers) don’t know just how dangerous using public Wi-Fi networks can actually be.

Whenever you connect to a public Wi-Fi network, any information you send or receive can be easily snatched from the air and inspected. In fact, this very issue was highlighted just a short while ago when a plugin called Firesheep made it trivial for anyone on a public Wi-Fi network to hijack the social network and other accounts of people sharing that network. While the major social networks quickly fixed the vulnerabilities that allowed this behavior, not all sites did. This is not to mention any capabilities the Federal Government (read: NSA) has to do this.

To Allow or Not to Allow?

Protecting your business data from being exposed on public networks is critical, and should not be taken lightly. The simplest and most secure way to prevent proprietary data from leaking into public access is to simply not use public Wi-Fi spots for any kind of official business. In fact, for the most security, it might be a good idea to not connect any company mobile devices to any public Wi-Fi networks at all.

Solutions

Another solution is to use a 4G internet dongle. These devices plug in to your laptop and function as cellular modems to connect you to the internet the same way that your cell phone connects. This not only lets you bypass the dangers of public Wi-Fi, but also allows your employees to work online from anywhere where they can get a cell signal. The downside is that if there is no cell reception, there is no internet, and poor cell reception could lead to the connection being agonizingly slow. It’s also fairly pricey, with many providers charging large fees for very limited data. One alternative here is to tether an existing 4G phone that already has a data plan.

The last solution is to use a VPN, or virtual private network, to tunnel through the public Wi-Fi access and do all business-related work under full encryption. A VPN, in this case, involves creating a secure connection within the unsecured public connection, and connecting directly to a work server which you then use to access the broader internet. This keeps the data you send secure between your laptop and the final destination. VPNs are relatively easy and inexpensive to install and deploy.

Hybrid solutions are out there as well. We have deployed software for organizations that enables employee computers to access public WiFi but only in conjunction with a VPN, so users can enjoy the convenience but reduce their risk.

Rising costs image

What Organizations Need to Know About the Looming Internet Taxes

/in /by

The new Marketplace Fairness Act, or “Internet Tax” will require online retailers to collect sales taxes for the states where they ship goods, not just the ones where the seller has a presence. If you are a non-tax exempt organization that purchases or ships any of your products online, these new taxes will affect you.

This article will cover the basics of the Marketplace Fairness Act, so you can understand how it may impact your bottom line.

Currently, both consumer-level and B2B online shoppers have enjoyed purchasing products online mostly sales tax-free. Older laws required stores to collect sales tax only on goods shipped to states where they have a physical presence, such as a distribution center or a physical store. For example, if you purchased office supplies and software from Office Depot online, you would likely pay sales tax on your purchase. If, on the other hand, you made this purchase on Amazon, you might get off scot-free, when it comes to sales tax.

Complication has been the main reason for not requiring these sales taxes; deciphering all of the various sales tax laws for all 45 states that have sales tax was just too much of a burden for businesses.

Back in 1992, the Supreme Court addressed the issue, but Internet commerce was non-existent in those days. According to online sales tax advocates, current technology makes it simpler to collect sales taxes from various states. The so-called Marketplace Fairness Act urges state governments to provide companies with free software for calculating taxes and to establish one state entity to receive the payments.

Interestingly enough, consumer and business purchases from out-of-state are already likely subject to something your state calls “Use Tax.” Surprisingly, many consumers and businesses know little about this tax. Buyers are supposed to track their out-of–state purchases and pay sales tax when they file their tax return. However, many buyers are not even aware of — or ignore — these requirements, and they are difficult to enforce.

Supporters of the Internet Tax include big box retailers like Target, a mix of Democrats and Republicans, President Obama, the National Retail Federation, and even Amazon. While Amazon — as you might guess — was against the new tax for a while, the e-commerce powerhouse has changed its mind as its interest shifts into expanding its physical operations into more states. Apparently, Amazon realized the benefits of providing faster and same-day delivery from increased distribution centers outweighs the risk of requiring customers to pay sales tax.

Opponents include conservatives and anti-tax activists who claim the law will hurt small online businesses. However, one very big online business is leading the charge against the tax. eBay wants the law to exempt any business with fewer than 50 employees, or that make less than $10 million a year on out-of-state sales, to protect its numerous sellers.

No matter which side you’re on, it’s hard to deny the numbers. According to the U.S. Department of Commerce, there were $225.5 billion in online sales in 2012. And, thanks to the current sales tax-free status, states lost a combined $23 billion in uncollected sales tax revenue.

If you live in one of the five states with no statewide sales tax (Alaska, Delaware, Montana, New Hampshire, and Oregon), you’ll get off easy on this one, too. People in these states won’t be charged on goods they have shipped to their home state. However, businesses won’t fare so well  They will have to collect sales taxes for items shipped to other places where there are sales taxes — in other words, most of the country.

In states with sales tax, businesses and individual consumers will have to pay the same amount of sales tax as they would buying a product in person at a brick-and-mortar store. You can use this [tool][https://taxcloud.net/find-a-rate/] to see how much something will cost under the new law by choosing a location and tax category.

The Marketplace Fairness Act is currently pending in the House, and the earliest it could go into effect is October 1, 2013.

iPhone 5

How to Extend the Life of Your iPhone

/in , /by

Your iPhone is your connection to the world, your organization tool, and your technological toy. It’s also expensive. The only thing worse than the cost of constantly upgrading your iPhone to the latest version, is the cost of having to replace your current one due to damage.

To keep this wondrous gadget in top form, and to give it the longest life possible, follow these simple tips.

Wrap your iPhone in armor to protect it physically.

In the consumer tech world, iPhone armor equals a high-quality case and a protective film. A durable plastic shell, like those made by OttorBox, will save your phone from an unfortunate drop, or even the constant abuse it receives at the bottom of your briefcase, handbag, or even the bottom of your pocket. Tons of options exist in a number of styles, but no matter what you choose, make sure it’s designed to withstand accidents and not just look pretty.

A screen protector, like Zagg’s Invisible Shield, will save your screen from keys, loose pens, and any other objects that threaten to harm your iPhone screen.

Give your battery a break every now and then.

Preserve your battery by reducing the strain some of your iPhone’s conveniences cause. Features like push email, maximum screen brightness, and Bluetooth connectivity shorten the life of your phone’s battery, and you can probably live without them. Turn these features off, at least some of the time.

If your screen is broken, why not fix it?

Whether you crack your screen, or smash it into little bits, the appearance of a damaged iPhone screen can be jarring. You might have the urge to run to the Apple store and replace the entire thing.

However bad it looks, a broken screen can be replaced for as low as $70 – much, much cheaper than replacing your entire phone. If your iPhone gets cracks or scratches, simply give it a facelift with a new screen. Just don’t expect Apple to do this for you; the company will only swap out entire phones. You’ll have to do some searches in your area to find a reliable vendor who can do this for you.

Help your iPhone beat the heat.

If your iPhone feels hot to the touch, treat it like it has a fever, and put it to bed. In other words, turn it off to give it some time to “rest” and to cool down. Overheating spells trouble for the phone and your battery.

Protect your iPhone in case it is lost or stolen.

A lost iPhone is just as detrimental as a broken one. Apple’s app, Find My iPhone, can help you recover your investment. The app is free and pinpoints the location of your device with GPS if it’s lost – or stolen.

And, if someone steals your iPhone, using the pass code lock will ensure only you have access to your information.

Keep it synced.

If your phone does meet with an untimely demise, be sure your data doesn’t die with it. Sync your phone with iTunes often to save you tons of time when you replace your phone and don’t want to miss a beat.

Secure computing image

Insider Threat Risks to Your Organization

/in , /by

Business owners and IT managers are well aware of the threats posted by hackers and cybercriminals to their networks, and most are taking steps to secure their organizations and to ward off these outside threats. However, sometimes the biggest threat to your company comes from within the walls of your office.

A recent study funded by the U.S. Department of Homeland Security, the U.S. Secret Service, and the CERT Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute found that malicious insiders within the financial industry often get away with fraud for nearly 32 months before they are detected.

At a February presentation at RSA Conference 2013, Dawn Cappelli of the CERT Insider Threat Center presented several instances in which current and former employees damaged companies by planting malware, stealing corporate data, or colluding with outsiders to commit fraud. In fact, the center has tracked 800 insider threat cases since 2001.

Types of Insider Threats to Watch Out For

According to Cappelli, certain employees often are involved in a range of scenarios:

Cases involving intellectual property theft, such as business plans or source code, often involve a former employee who worked on the project. Often, these culprits save company information on a USB drive and are never caught.

In cases of sabotage, highly technical employees, such as system administrators who become disgruntled after being fired, often set up an attack before leaving the company.

Fraud cases typically involve lower-level support employees, such as help desk personnel, who conspire with outsiders.

Threats from untrained users or users that are not following procedures are also very real.

Potential Sources of Insider Threats

Companies that use file services like Dropbox and virtual machines should be careful, as employees can use these to exfiltrate information. One case Cappelli presented involved a product development manager who had access to clients’ trade secrets. He had access to information on two clients in the semiconductor industry and downloaded 80 documents before leaving the company and taking a job with one of these semiconductor clients. His new employer turned him over to authorities after learning about the breach, including the fact that 18 of the documents belonged to a close competitor. To protect your company from this type of threat, ensure that business partners protect information, audit their controls, and build it into contracts.

Another source of potential insider fraud is shared computers. Cappelli spoke of an instance at a university, where two students loaded malware onto publicly accessible computers so they could steal credentials and spy on student records.

In another situation at a hospital, a disgruntled security guard, who had a background in system administration, installed malware on systems. He was caught when he posted a video of his work, and another hacker reported him to the FBI.

Yet another instance involved a network engineer at a retail company who knew he was going to be fired. He created a VPN token for a fake employee before leaving the company, and then called the company’s help desk pretending to be a new employee requesting a credential activation. After lying low for a few months, the former employee deleted corporate email accounts and virtual machines, creating a major headache for the company. To protect virtual machines, companies can scan memory files and tie virtual environments into existing security systems.

Insider Threat Warning Signs

While these examples of rogue employees wreaking havoc on companies might be scary, they serve as a reminder that threats need not come from outside a business.

In a recent Tech Republic article, writer Tom Olzak shares a list of possible signs that an employee is about to go rogue, possibly creating a security risk for your company. His list includes the following:

  • Attempts to circumvent security controls
  • Unexplained, repeated absences on Monday or Friday
  • Pattern of disregard for rule
  • Long-term anger about being passed over for a promotion
  • Pattern of lying and deception of peers or managers
  • Frustration with management for not listening to what the employee considers grave concerns about security or business processes

Watch out for these signs that someone may become a threat, and communicate with that employee immediately to attempt to remedy the situation before it spirals out of control. Since employees often hide malicious behaviors from managers, training all employees to watch out for signs of discontent can help with prevention. Providing a way for employees to anonymously report peers can help them look out for your company without fear of being labeled a tattletale.

The “Accidental” Threat

While the threat of an insider intentionally compromising security to get what he or she needs is very real. industry statistics indicate that more than 52 percent of insider incidents are accidental or inadvertent. How do you guard against these? A multi-dimensional security approach is required that encompasses:

  • Education  — educate your users about the risks of phishing attacks, social engineering attacks, and high risk behaviors such as downloading and installing unauthorized or illegal software, or sharing passwords.
  • Security Tools — many organizations invest in tools that can monitor in a “trust but verify” manner; reminder emails and popups give users a chance to think twice about an action that may put the organization at risk
  • Policies/Procedures — ensure that your policies and procedures are not just in place for reference, but are actually followed. Audit them periodically to verify compliance. If users are circumventing them, establish user task forces to optimize and improve them. This will also result in more user buy-in.

Parting Thoughts

Protecting against insider threats, malicious or inadvertent, can be the difference in success vs. failure for organizations with key legal considerations or intellectual property to protect. Developing the right approach to managing risk is more than just good business, it is a necessity.  Owners and IT managers of organizations should identify their largest insider risks and develop “right-sized” approaches to mitigating them.

While the threat of an insider intentionally compromising security to get what he or she needs is very real. industry statistics indicate that more than 52 percent of insider incidents are accidental or inadvertent. How do you guard against these? A multi-dimensional security approach is required that encompasses:

Cloud storage icon

4 Tips for Backing Up Your Data in the Cloud

/in , /by

Every IT manager knows that backing up data is essential to protecting a company’s most valuable commodity. Backing up your data off-site is easier than ever, but you need to examine your needs in depth before choosing this important service.

As you examine your options, consider these four ways to backup your data in the cloud.

1. Consider how you will restore data

When you back up a system and all of its storage, you are protecting everything on that OS instance. This is useful if you find yourself needing to restore an entire environment using bare metal recovery scenarios. However, if you just want to protect a service, such as a database like Microsoft Exchange, you may want to restore only a specific mailbox. The point is to consider what you might want to restore, and then make a backup decision that will facilitate your goals.

Also keep in mind that Internet connectivity from the data source to the backup location plays a key role when it’s time to recover. If you have hundreds of gigabytes or more to restore, restoring from the Internet could take many more hours than you can afford. Consider local backup as a first line of defense. See item three!

2. Understand that hypervisor level backup may not be enough

Virtualization offers numerous capabilities, including the ability to perform backups at the hypervisor level of the virtual machines (VMs). However, this type of backup limits your restore to a VM-only level or to files within the VM. Consider running backup agents within the VM OS, rather just on the virtualization host, for the best restoration options, or use a tool that leverages both OS-level and VM-level backup.

3. View local protection as a first line of defense

Using the public cloud offers unlimited server and storage resources, and cloud storage is flexible and scalable. However, while the public cloud is a valuable step in securing your data, consider on-premise backup as your first line of defense for greater peace of mind. Using resources local to the systems and data often yields the best performance.

4. View cloud protection as a second line of defense

In the event of a disaster, cloud-based backup protection can literally save your company. So, if local protection is your first line of defense, then cloud protection should be a necessary second. Prioritize the servers and data that need offsite disaster recovery protection by identifying key business processes that are critical to your company’s day-to-day operations, and don’t forget to include the dependencies of those services, such as databases and middleware.

Software license audit feature img

How to Prepare for a Software License Audit

/in /by

It’s an interesting time for software audit licensing, and companies are, all too often, finding themselves in the storm of an audit. Perhaps it is due to the fact that licensing use rights are being applied to increasingly complex IT environments that have changed beyond the terms of their former software agreements. Or, maybe it is because revenue for new software licenses is down, forcing vendors to focus more on licensing audits to recover some of the lost income.

Whatever the reason, IT organizations need to be diligent if they are audited. And, taking some simple steps to avoid an audit in the first place wouldn’t hurt, either.

Staying Compliant with Software Licensing

The best way to handle a license audit is to stay out of trouble in the first place. While sometimes easier said than done, you can take a few steps to stay in the clear.

  • Maintain robust software asset management (SAM) processes.
  • Make software licensing a core part of change management.
  • Consider how normal IT actions, like upgrading servers, will affect your software licenses and address any issues at the time actions are taken.
  • Don’t just rely on spreadsheets for compliance management — look into how an automated solution might help you stay on top of things better.
  • If you discover a licensing issue, admit to it. It can be advantageous to pursue proactive remediation to possibly avoid punitive costs and other consequences of an audit.
  • Don’t look the other way if there are unlicensed copies of software being used in your organization. Ensure that your written policies and procedures are consistent with your actual policies and procedures, and make sure your employees, consultants, and vendors understand the rules.

Preparing for the Software License Audit

If, despite your best efforts to remain compliant, you find yourself being audited, take these steps to make the process go as smoothly as possible.

  1. Contact the vendor to find out the scope of the audit because audit procedures vary by provider.
  2. Begin an internal audit so you can learn more about the problem and discover any additional shortfalls.
  3. Get all your ducks in a row: Make sure all communications between your team and the vendor are appropriate, and ensure that the process includes an opportunity to review findings prior to settlement. Also, validate that the auditor has included all licenses to which you are entitled.
  4. Along that same vein, make sure your company clearly understands the audit rights by reviewing the provider agreement. Within reason, push back against anything you do not believe is mandated.
  5. If the audit proceeds, manage the process with a proactive mindset. Do not sit back and wait for instructions — find out what you need to do, and just dive in.
  6. Approach settlement talks as a negotiation. Don’t just accept the initial settlement demand as carved in stone. If your company’s non-compliance was inadvertent, or otherwise reasonable, consider a counter-offer based on achieving and maintaining future compliance instead of back-dated compensation, retributory list pricing, and other punitive actions.
  7. If you know you will have to pay punitive costs, have in mind a dollar value settlement before going into talks. The cost will vary based upon the provider and the situation, but a reasonable target settlement amount is the estimated supplementary costs had your company remained in compliance. Expect to pay something, but use any leverage as a customer (current and future) that you might have to come to an agreement.

Whatever you do, don’t be passive and simply accept the audit terms, process, and results. Admit whatever fault may be yours, but stand your ground when it comes time to work with auditors and, especially, when it comes time to work out a settlement agreement.