We are living in a world where we are forced to constantly think about the security of our personal information—when we bank online, at the gas station when we swipe our credit cards, and even as we submit personal information to the federal and state government. Malicious attacks demonstrate every day that our digital data isn’t as safe as we would like it to be, which is why it’s no surprise that organizations everywhere are dealing with increasing government and industry regulations, and customer and employee scrutiny.
BusinessWeek’s Corporate Executive Board discussed personal data security in a recent article: In addition to high-profile cases that invite this attention, “companies face the challenge of managing a greater volume of sensitive information, created by increasing digitization of employee, health, financial, and other personal data.”
BW’s Corporate Executive Board provides four key steps for mitigating the risk of breaches:
1. Understand the laws, requirements and standards for any data your company collects.
2. Educate and convince your functional partners to comply with the same standards as your organization.
3. Plan to fail—that is, have a backup plan in place in case you do suffer breaches.
4. Don’t take vendor compliance for granted.
While these are all important, valid suggestions, one extremely important step is missing: giving employees access to tools they need (and can use easily) to secure the data they touch, whether it is moving within or outside the organization or at rest on a desktop, a shared server, or elsewhere.
It’s my pleasure and honor to be presenting this coming Friday, April 9th, alongside Congressman Mike McCaul of Texas at the Austin Technology Council Leadership Series meeting on cybersecurity.
My presentation will explore ways in which we can better protect trade secrets, personal information and our country from cyber thieves and terrorists. I plan to address the growing frequency and complexity of today’s cyber threats—those faced by both governments and enterprises worldwide. Exploring current events, including the recent Google-China conflict, I hope, will emphasize for the audience the real and present danger that state-sponsored cyber warfare poses to private industry and our national security.
Google announced earlier this week that it had stopped censoring the company’s search services—Google Search, Google News, and Google Images—in China. Users visiting Google.cn are now being redirected to Hong Kong (Google.com.hk), where Google is offering uncensored search in simplified Chinese, specifically designed for users in mainland China.
With its decision to discontinue its search services in China, Google made a policy decision NOT to play by host country rules, which demanded self-censorship from Google. As I explained when China’s cyberattacks first came to light early this year, companies must understand the risk management aspects of conducting business in countries where rights to free speech (and other human rights) differ materially from those in the primary country of business. In the case of Google’s ongoing relationship with China, the risks of playing along outweighed the reward of sustaining business. Google, not surprisingly, revised its policy.
Last week’s RSA 2010 Conference highlighted a host of exciting and innovative technologies within the infosec community. While cutting-edge technology and thought leadership (like much of what was unveiled at RSA) plays a significant role in ensuring the security of your organization’s data, applications, and systems, it’s by no means the most important element. Rather, it’s how your existing IT projects, process, policy, and products are implemented that can make the difference between an effective IT department and one that’s vulnerable to data loss, breaches, and other threats.
To help you avoid common pitfalls within your organization, we’ve outlined our thoughts on today’s most common IT project mistakes and risks:
As the excitement around RSA 2010 has calmed down a bit, I thought I’d take a minute to share a few pictures and highlights from the Exhibitor Hall to capture GlobalSCAPE’s team in action over the past week.
We were extremely impressed by the products and insight shared during the event. In his discussion with BankInfoSecurity.com’s Nick Burke, Jim Morris, perhaps, captured best the ongoing discussion at RSA about the delicate balance that government, as the policy makers, and vendors, as the solution providers, must strike if we’re truly going to improve our national security posture.
We were also happy to see GlobalSCAPE’s U.S. Army deployment get some play in Government Computer News’ coverage of the RSA event. Our secure information exchange solutions have been baked into the Army logistics technology for many years now. It’s just one example of how we’re working with Government to help reinforce policy with solutions.
Now for the fun stuff… our staff in the booth!
GlobalSCAPE salesmen Chris Thacker and Nick Flores pause for a photo op
CEO Jim Morris and COO Craig Robinson chatting with an attendee
Chris Thacker, Lisa Kelaita and Todd Doerr smiling in the GlobalSCAPE booth
CEO Jim Morris explains how total path security solutions, in particular MFT and application whitelisting technology, can help you more effectively mitigate the risk of data loss or breaches.
Cyberspace defense has largely been a measure/countermeasure/counter-countermeasure game. The good guys build a fence and, in short order, the bad guys climb over it. The good guys build the fence taller and the bad guys figure a way over it again. I would not be the first to compare this reactive security approach to the famous “whack-a-mole” game, but I thought it would be a fun way to demonstrate the point.
A decade ago, it could be argued that the “mole” poked its head up sluggishly enough that you actually stood a reasonable chance of bashing the little bugger on the head. Today’s threats, however, look more like the Caddyshack gopher, and traditional, reactive security solutions look about as capable as Bill Murray.
In a recent interview with CNET, Bob Russo, general manager of the PCI Security Standards Council noted, “Becoming compliant with the standard is pretty much a snapshot in time. An assessment company would come in and go through all those requirements and check that this stuff is in place. If everything is in place they issue a report on compliance. It is then your responsibility as a merchant to maintain that compliance.”
Russo’s point about continuous versus point-in-time compliance is interesting on many levels. As a respectable business or IT leader, you can’t argue with the fact that companies must not only meet government and industry standards at a single point in time, but that they must also update processes, tools and systems to maintain their compliance as regulations shift and change. In order to ensure information security (that you’ve mitigated risk to an acceptable level), you must treat the policies, processes and tools that you use to protect sensitive data as an evolving, imperfect set of entities.
However, it’s somewhat of a cop-out by Russo and the council to imply that because companies are not completely in compliance all the time, their information and systems are any more vulnerable than those who might be in complete compliance all of the time. To take it one step further, he also seems to be saying that a company’s lack of compliance explains why a breach occurred. Might it be possible that the standards really only provide a false sense of security for consumers?
Ad hoc file transfer isn’t the only MFT trend to watch for this year. In today’s world of tight IT budgets, reduced workforces, and security mandates, it’s only natural for us to expect that companies will turn to MFT solution providers who offer intelligent file-centric automation capabilities.
Today’s automation differs from the automated functionality available in the past. We’re no longer talking about just moving files from point A to point B, and it’s not enough to rely on homegrown solutions (like custom scripts) built years ago. We’re talking about seamlessly moving files into back-end systems while providing full audit tracking, robust monitoring capabilities, and the ability to react to anomalies by triggering alerts.
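As an added illustration of the file-centric automation described above (example code written for this page, not GlobalSCAPE’s product or the author’s), here is a Python ingest step that verifies each inbound file against the sender’s checksum and an acceptance policy, writes a JSON-lines audit entry, and quarantines and flags anomalies instead of passing them to the back-end system. The policy values, folder names and sample files are constructed assumptions.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone

# Constructed ingest policy for a hypothetical partner feed: the file types the
# back-end system accepts and the largest file we expect from that partner.
POLICY = {"allowed_suffixes": {".csv", ".xml"}, "max_bytes": 5_000_000}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def check_anomalies(path, expected_sha256, policy=POLICY):
    """Return the anomalies found; an empty list means the file may be ingested."""
    problems = []
    if os.path.splitext(path)[1].lower() not in policy["allowed_suffixes"]:
        problems.append("unexpected file type")
    if os.path.getsize(path) > policy["max_bytes"]:
        problems.append("file larger than expected")
    if sha256_of(path) != expected_sha256:  # manifest hash supplied by the sender
        problems.append("checksum mismatch")
    return problems

def ingest(path, expected_sha256, root, audit_log):
    """Deliver a file to the back-end inbound folder or quarantine it; audit either way."""
    problems = check_anomalies(path, expected_sha256)
    entry = {"time": datetime.now(timezone.utc).isoformat(), "file": os.path.basename(path),
             "size": os.path.getsize(path), "sha256": sha256_of(path),
             "status": "QUARANTINED" if problems else "DELIVERED"}
    if problems:
        entry["alert"] = problems  # an alerting hook (mail, SIEM) would fire on this entry
    dest = os.path.join(root, "quarantine" if problems else "inbound", entry["file"])
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(path, dest)
    with open(audit_log, "a", encoding="utf-8") as log:  # append-only JSON-lines audit trail
        log.write(json.dumps(entry) + "\n")
    return entry

def demo():
    """Constructed run: one clean CSV and one unexpected executable in the drop folder."""
    root = tempfile.mkdtemp()
    good, bad, log = (os.path.join(root, n) for n in ("orders.csv", "report.exe", "audit.jsonl"))
    with open(good, "w") as f:
        f.write("id,amount\n1,10.00\n")
    with open(bad, "wb") as f:
        f.write(b"MZ constructed stub, not a real executable")
    r1 = ingest(good, sha256_of(good), root, log)
    r2 = ingest(bad, "0" * 64, root, log)  # sender's manifest hash does not match
    with open(log, encoding="utf-8") as f:
        audited = sum(1 for _ in f)
    return {"good": r1["status"], "bad": r2["status"], "alerts": sorted(r2["alert"]), "audited": audited}
```

Both outcomes land in the audit trail, so the monitoring side sees the quarantined file and its reasons rather than a silent drop.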
Information exchange, by definition, involves endpoints (analogous to a transmitter and a receiver in a communication system) and at least one transfer medium (analogous to a communications channel). Because information is at risk while at rest on the endpoints and during transfer between endpoints, there is an increasing market need for what we refer to at GlobalSCAPE as “total path security.” Total path security protects information from its creation on an endpoint through delivery and retention on a receiving endpoint.
From our perspective, endpoint information security is a natural extension to managed file transfer (MFT). MFT provides the secure channel. Endpoint security measures protect the sending and receiving information systems, as well as the servers that participate in the information exchange. Without both MFT and endpoint security, a business can’t expect to maintain ‘acceptable’ levels of security. There’s little merit in going through all the trouble of securing the transfer if the information comes from an unsecured source or is going to land in an insecure place.