Vote for me in
IT Security Blogs
Time To Get Personal?
Gartner has now recommended that employees buy their own laptops. There is nothing new in the concept, otherwise known as consumerisation. The idea is simple, employees buy and use their own hardware for work. In the US, it was the iPhone which has driven the move to consumerisation, lots of people rushed out to buy one and then asked their IT departments to support them. Here in lies one of the issues - support. The other one being licensing.
From a licensing perspective, who owns the software? Is it the company or the individual, what happens when they leave? From a support perspective what happens when a machine goes wrong? If there is a standard build, with a standard machine, then it is simple to fix or just to deliver a replacement. If it is down to the employee to get it fixed, do they do that on their own time? What happens if they don’t - laptops are an essential business tool if not available then productivity can drop to zero! What happens with backup? Who is responsible for doing it and how is it done? What about data loss prevention? If the machine has company information on it, what happens to it when the employee leaves?
There have been a number of successful schemes, but it is still early days. Before rushing in to save costs companies need to work through the issues and ensure that their corporate policies cover all eventualities.
Symantec Vision Conference - Day 3
The big wrap-up today. However, before that some great sessions on topics like using software to reduce power consumption, a big part of green IT and the Veritas Virtual Infrastructure. Some repeated sessions - due to popular demand and a last chance to wander around the partner / exhibit hall.
Mark Bregman closed the conference with a look at trends for the future: consumerization of IT, the boundaryless enterprise and yet more green IT. More on those topics in the coming months.
The final wrapup was with the Mythbusters, Adam Savage and Jamie Hyneman from the Discovery Channel - which made for a great close. All-in-all it was a good conference, as I had hoped there was time to meet old friends and make some new ones. Several people liked the fact that they could download sessions they had missed onto their iPods, and one customer was frantically trying to fill his iPod up before heading back home to Australia. Until next year… I hope you all had a safe journey home.
24 Percent
A civil servant has been suspended for leaving top secret documents on a train. A recent survey showed that 24% of data loss was through paper records, so perhaps this should come as no surprise. As I think back through the past decade or more there has always been one or two occasions each year where records were found, in a skip or beside the road, and before now it was reported and that was that. However today, as we all know, data loss is taken much more seriously.
Electronic data is easily transported, readily copied and therefore simple to use. You can also get a lot of information in a very small space… losing the details on 20 million people in paper form would require a sizeable truck!
We now protect electronic information, either by encryption (if you have a laptop or mobile device) or by content analysis and classification - preventing emails being sent to the wrong people or data being copied unencrypted onto CD ROMs etc. But what to do about paper records? We are back to people and processes. Awareness that paper can be just as damaging as electronic records needs to happen and the processes whereby records are printed out need to be re-examined - especially to ensure the appropriate destruction, eg shredding. In the same way that we are questioning the need for people to have copies of sensitive or confidential electronic information on their laptops, companies should also look at why they need to take bundles of papers home… this would be one case where an electronic version could be more secure.
Just One Cotton Picking Moment
Cotton Traders revealed that their website had been hacked and details of 38,000 transactions had been stolen. They have now worked with experts to fix the problem. OK, so this is ‘yet another’ case of data loss - however, for me I find it interesting that the size of the target organization is relatively small and yet it is obviously still worth the criminals attacking it. Is this because smaller organizations do not necessarily have the security expertise to secure their environments, or because their website was unpatched and therefore open to a well known attack? We don’t know, all we know was that they were attacked and they have now fixed the problem.
Smaller companies seem to think that they will not be a target for an attack… “It won’t happen to me, I’m too small to be on the radar” - this just goes to prove that this is not the case. Hopefully other smaller companies will now sit up and take notice of the potential threats and associated consequences and look how they can prevent it from happening to them.
Symantec Vision Conference - Day 2
Time flies by when you are having fun - and when you are learning a lot. The second day has been packed with information including the sessions that everyone wants to go to… what’s coming out in the next release!
There was a great round-table with customers discussing Enterprise Vault - it’s a pity that there were not more engineers there to hear what they had to say. While there were a few niggles, the feedback was really positive, so often engineers only hear about the problems. If there is one thing that customers do really well, it’s sell the product to other customers! There is nothing like hearing from someone who has implemented 150,000 seats to inspire confidence. Thanks to you all.
The day finished up with the Customer Appreciation Party where Jim Belushi played some great songs - he certainly knows how to get an audience going.
Symantec Vision Conference - Day 1
Today was the first big day of Vision 2008. Thousands of people packed into the hall to hear the opening keynote from the Symantec Chairman and CEO, John Thompson. Run in a chat show and hosted by Steve Trilling, it was quite a spectacle (even if I say so myself).
The message was simple, information is exploding - doubling every two years in most organizations and soon it is estimated that there will be as many pieces of information as there are grains of sand. John went through our larger acquisitions since last year and how they fitted into the big picture. Including Vontu for data loss prevention, Altiris for endpoint management and AppStream for virtualization. He also talked about new product releases and awarded prizes to our most visionary customers.
Parallel sessions then took over with streams covering all aspects of the Symantec portfolio. The ones I went to were packed and people were happy with what they were hearing - which is great. We seem to be back on track of giving the right level of marketing and technical content which is good.
I hosted a table at the analyst lunch on Data Loss Prevention and there was a great deal of buzz around the topic and where it was going. It’s always good to hear the various thoughts and ideas from competing analysts. People generally felt that we were just at the start of understanding all the issues associated with confidential information and how it need to be handled. Technology and the way we use it is moving so quickly, consumerization of IT as well as the boundaryless enterprise all make the problem more complex - but they bring benefits so data loss solutions need to keep pace!
The partner expo hall was packed, I haven’t seen it so busy in the last couple of years, so it was great to see it back in all its glory. Of course for me it gave the opportunity to meet up with old friends and colleagues who have moved to different companies as well as take part in some great discussions with customers, especially around the new technology announcements.
If you weren’t there… then you can still catch some of the highlights from the website.
What’s The Buzz, Tell Me What’s A Happening…
Symantec’s Vision conference starts today in Las Vegas. Even the airport is excited by it… with long banners in the luggage reclaim hall!
For customers, today is tutorial and certification courses. For me, it is partners, customers and the Dell party this evening!
Where’s The Boundary?
A man has been accused of stealing clients using LinkedIn. In this instance, the person involved is a recruiter and he allegedly ‘linked’ to clients while working at one company and then left to start a rival firm - with his contacts from LinkedIn.
Is this data theft? Or is this something that people used to do all the time but because it wasn’t on the ‘web’ people couldn’t find out about it? I think it is the latter. We all create contacts while at work, and some are more organized than others and file them, others, like myself, have a large pile of business cards with notes on them. I guess that if you are a recruiter, you too would have a large pile of business cards - and if you invite people on LinkedIn, well, isn’t that also something we all do?
Should companies look at banning LinkedIn, in the same way as they did with FaceBook? Only to find it wasn’t practical, people would spend more time finding a way around the system, than they would using it - so we have seen a reverse of this trend. So, no, it shouldn’t be banned. Should it be subject to (yet another social networking) policy? Something that defines the boundary between work and not-work. Perhaps… but I would think that people would just add the contacts while at home. I don’t think you can be banned from doing that after all it’s what LinkedIn is all about - keeping up with friends and colleagues in a business context. Maybe companies need to create their own ‘company’ LinkedIn accounts - so that, if nothing else, they have a copy of the information as well.
The way to look at this is that when someone new joins your company, they bring with them their contacts - rather than when they leave, they take them away.
What The FAX…
Bad process strikes again. A businessman was convicted and jailed for fraud after one of his employees accidentally sent a FAX to the wrong person resulting in some unfortunate data-loss! While sending email to the wrong person is commonplace, sending a FAX to the wrong person is seldom reported. However, it does show that data can be lost in a variety of ways and the risks and consequences can be quite dire.
Businesses need to start thinking out-of-the-box when looking at processes in order to catch all the different ways in which data can accidentally (or otherwise) be lost, leaked or breached. FAX machines, printers, photo-copiers all pose a risk as they tend to take a copy of the data before processing it. So, if someone walks out with the physical device they could retrieve the data. New(er) copiers now encrypt the data to disk making it harder to walk out with the disk and recreating the data… is this true of the devices in your organization?
That Advert Recognised Me
There is some new technology being developed that recognises faces so that adverts can be targeted at you as you walk down the street. All very Sci Fi. However, I wonder what will happen to that data afterwards… and more to the point, where did they get my image in the first place? Did I give permission? Did someone ’sell’ it to them, in the same way that mailing lists get bought and sold? Of course, it is not just face recognition that can do this, RFID can also be used to target advertising. RFID tags are increasingly being put into the things we buy - not by the manufacturers but by the retailers. They can help in tasks such as inventory control, but they can also be used for other purposes… if I know you have a pair of brand X jeans on, then perhaps you would like another pair, or something similar. At this point, they don’t necessarily know you are you, but what if they did, what if the RFID tag was matched to your credit card when at the check-out… then when you next come into the store they can greet you by name and ask how the jeans are.
(At the time RFID first came out, there was a great cartoon with a mugger scanning people to work out which one was worth mugging… sounds a little silly, but then so did adverts based on your face…)
Just because technology exists doesn’t mean we have to use it… there is no doubt that face recognition software can help prevent crime and improve security and access control. However when it comes to tracking me just to sell me more stuff - just say ‘no’.
-
Subscribe
-
Podcasts
-
Symantec Security Response Weblog
-
Links, downloads and other resources
Symantec UK
Symantec Podcast Directory
Symantec Security Response
