IncTechnology.com > Managing Customer Data

No Downturn for Privacy Practices

Michelle V. Rafter — 2009-07-30T12:18:09-05:00

The recession has pummeled small businesses’ IT budgets, but that’s no excuse to slack off on electronic privacy and data protection safeguards.

In fact, hard times make keeping an electronic eye on privacy and IT security critical as economic factors are contributing to more frequent data breaches from outsiders and information theft from just laid-off employees and other company insiders, according to attorney Charles Kennedy, a privacy and data protection expert.

In 2008, reports of data breaches at U.S. companies jumped 47 percent to 656, according to the Identity Theft Resource Center, a San Diego nonprofit.

Reports of laid-off employees taking company information with them are also on the rise says Kennedy, with the Washington D.C. office of Morrison Foerster. Over half of 945 laid-off workers responding to a recent poll by Ponemon Institute, a Traverse City, Mich., privacy researcher, admitted taking company data when they quit because they felt entitled to it, thought it would help in their new job or didn’t realize it was stealing.

With breaches on the rise, small businesses simply can’t use the bad economy to rationalize trimming their electronic data protection program budgets, Kennedy says.

Another reason companies can’t let down their guard: state and federal regulators continue to pass stringent electronic data protection rules. One of the latest is the Federal Trade Commission’s Red Flags Rule, which takes effect Aug. 1 and requires financial institutions, health care providers and loan processors to create identity theft prevention programs. The Obama Administration’s economic stimulus bill included a stepped up health-care records security breach notification requirement that takes effect in February 2010. In addition, states such as Massachusetts and Nevada have passed laws requiring companies to use encryption and put in other controls over consumers’ personal information.

Regulations aside, following stringent privacy and security protocols is good for business. “If you have good privacy practices you can make it a feature of your advertising,” if you don’t exaggerate claims, Kennedy says. “When the other guy has a breach and you don’t, that’s good for you. Security is an edge you can’t afford to ignore.”

Doing the same or more with less

Still, no one expects small businesses to spend half their revenue on the latest firewalls and other data protections. Companies have to maximize whatever manpower and financial resources they’ve got. Kennedy and Alex Puertas, a program development manager at Iron Mountain, the data storage and protection vendor, recommend the following:

Squeeze every penny from existing privacy protections. If you’ve already purchased encryption, intrusion protection and other security technologies, make sure you’re using everything you’ve paid for. “Some data breaches occur because companies didn’t do things they should, like update passwords and firewalls. They’d already paid for them, they just didn’t use them,” Kennedy says.
Eliminate redundancies and shift resources. Cut costs by eliminating some of the overlapping functions in the security technologies you use. Likewise, reallocate funds from less critical IT and compliance programs to privacy and security, Kennedy says.
Create written policies and make sure employees know what they are. Written policies can stop problems from happening in the first place and the more trouble you avoid, the less money you have to spend mopping up after the fact. Policies should cover electronic records management - what data is saved, who saves it, how often, and by what method. Policies should also cover employees’ use of portable electronics, updates on new regulations and what to do to limit employees’ access to sensitive data if there’s a layoff.
Lean on outside contractors. Small businesses might not have the financial resources to maintain an in-house chief privacy officer or compliance department. If that’s the case, make sure you’re working with lawyers, CPAs, or other consultants who can provide you with reliable guidance and technology on privacy and security matters. “I deal with small, medium and big companies and I don’t know of any that can handle all phases of this alone,” Kennedy says.
Pick an insider as your privacy policy point person. Even if you use a third party to run privacy programs, choose a company insider as a liaison to ensure policies are being followed. That person should also head up formal audits every year or two so programs can be altered to adhere to new laws or industry regulations.
Tap into industry groups for cheap assistance. Trade associations are great resources for timely information on privacy regulations. In some cases, you don’t even need to be a member to take advantage of reference material that’s available for free on a group’s Website, Kennedy says.

SIDEBAR: Electronic Privacy and Security Policies Resources

Here are additional resources for creating and electronic privacy and IT security practices:

Fighting Fraud with the Red Flags Rule: A How-To Guide for Business -- A 17-page guide from the FTC on its new identity theft prevention requirements that includes step-by-step instructions businesses can use to create their own programs.

The Identity Theft Resource Center -- Theft prevention information for businesses and consumers, plus updates and statistics on data breaches at U.S. companies.

HIPAA health-care records data breach notification -- Health and Human Services Department document spelling out details of health-care privacy protections included in the economic stimulus bill that take effect in 2010.

Iron Mountain Knowledge Center -- Free white papers, webcasts, and other materials on electronic privacy protection and security issues.

2009 Tech Security Forecast

Michelle V. Rafter — 2008-12-18T20:00:24-05:00

Great, you may be thinking, now that it’s 2009 I’ll be getting a smart phone to use for work.

Just great, your IT manager may be thinking, now that it’s 2009 they’ll be getting smart phones to use for work.

IT experts predict a substantial uptick this year in the number of small businesses using smart phones -- as well as flash drives, social networks, and faster Internet connections. While that might make employees more productive, it also increases the security risks a small business faces.

Last year saw the start of a new wave of cyber crime that put spam on smart phones, phishing and virus attacks on Facebook, and even malware on flash drives, according to IT security experts. Those threats will only increase this year, says Derek Manky, a cyber-security project manager at Fortinet, a manufacturer of intrusion protection systems and other IT security equipment.

Small businesses are at greater risk because chances are they have fewer IT staff and don’t take as many precautions to avoid threats, says Brett Scudder, an IT security consultant and proprietor of IT Security Suite Network in New York City. “We’re seeing a lot more work coming from” small businesses, Scudder says.

IT security trends in 2009

According to Manky, Scudder and other computer security experts, here are trends to watch in 2009:

3G phones -- Web-enabled smart phones and the 3G networks they run on will become the newest playground for cyber criminals, who started launching worm attacks on cell networks last year. “2009 won’t necessarily open the flood gates, but it is an indication that this will be a significant trend and will overflow in 2010,” Manky says

Social networks and online games -- More worms and viruses circulating on Facebook and other social networks as well as on online games will jump to company networks as employees use laptops or home PCs for work and pleasure without having proper security measures in place.

USB storage devices -- As use of flash drives and USB memory cards grows, so will the appearance of worms and malware that hop on for the ride, and then infect inadequately protected company networks.

Databases -- Cyber criminals will continue breaking into networks to launch botnets, but also to go after specific information stored in databases there, including Social Security and credit card numbers and bank account information -- data they can sell on the Internet black market.

Faster Internet connections -- As 10 gigabyte Ethernet connections go from luxury item to commonplace network pipe, companies’ existing security measures will have trouble keeping up with the increase in volume, making networks more vulnerable to attack. “The shear volume of traffic will make it difficult to identify what’s good traffic and what’s malicious,” says Anthony James, senior vice president with Fortinet, the IT security hardware company.

The economy -- Due to the recession, IT departments will be asked to maintain current service levels with the same or less money. As a result, interest should pick up in integrated security hardware and software that performs several functions, such as combination intrusion protection systems and firewalls.

SIDEBAR: Protect Your Small Business from Threats

In light of many potential threats, what can a small business do?

Create and maintain strong IT security policies. Update written policies with information on newer technologies such as smart phones and flash drives so employees know what they can and can’t do. Include rules covering how employees can log onto company networks, for example, either from an official company machine or one that’s passed certain security requirements.

Restrict access. Block employees’ ability to log onto high-risk types of websites or domains, such as peer-to-peer networks, where the risk of picking up viruses or malware is greater.

Patch early and often. Regularly install patches and updates from Microsoft, anti-virus, firewall, and other security vendors for desktop machines, laptops, and servers.

Educate employees. Having policies isn’t enough. Companies need to use every means possible to inform employees about them, including listing them in employee handbooks, newsletters, e-mail bulletins and on a company’s website, wiki, or blog.

Free Tips to Protect Data on the Go

Marc Saltzman — 2008-11-26T16:48:22-05:00

It's a word every small business IT manager wants to hear: free. But does this popular F-word -- especially given today's ailing economy -- also apply to computer security, too?

While there are a number of paid products and services designed to protect data while employees are on the go, there are also solutions and tips to guarding your sensitive business data -- and in some cases, customer information, too -- that won't cost you anything to implement.

"There are thousands of cases of security breaches on laptops that have hurt the owners of those laptops and compromised the privacy of customers, citizens, and others," explains David Daoud, an analyst with IDC's personal computing for PC trackers and green IT programs. Examples include the recent announcement from the North Carolina Department of Health and Human Services about a laptop security breach involving an estimated 85,000 citizens.

"Travelling can be an important source of theft and the consequences can be devastating from a legal and personal standpoint," adds Daoud, whose offices are based in Framingham, Mass.

If budgets are tight, the following are some free ways to help protect your data.

Encryption
The most obvious way to deal with laptop security is using existing encryption technologies and passwords, says Daoud. "BIOS-level passwords help in that they add more security at the operating system level," along with setting up a password to launch Windows, too, he says. "For added security, you could use password protection at the folder or directory level."

Many mobile executives use Windows Vista's built-in BitLocker encryption technology that can protect the data on the laptop should it fall into the wrong hands. Available in Windows Vista Enterprise and Windows Vista Ultimate, this data protection tool encrypts the entire Windows operating system volume on the hard disk (including user files and system files) so that the data is inaccessible unless the user provides the right password or biometric identification.

Others prefer free third-party encryption options, such as PKWare's SecureZip or TrueCrypt's software.

Biometrics

Many laptops now -- from the likes of HP, Lenovo, Sony, and Dell -- offer an integrated fingerprint reader, so only the user can access files. Usually this finger scanner is located near the keyboard or just underneath the laptop's LCD screen.

Daoud says common sense also comes into play. "These biometrics security features are efficient on a certain level, but savvy hackers can certainly find ways to break into the system if they really need to," he says. "So during travel make sure you keep your laptop with you all the time."

Another tip is to avoid unfamiliar Wi-Fi networks -- even if they seem tempting because they're unlocked -- because these could be rogue connections by malicious types out to steal your data. On a related note, wherever possible, users should log into their company's secured network to send messages or files rather than relying on free Web-based e-mail programs. Try to avoid using a public PC, such as at an airport lounge, but if you must, be sure to delete Internet history, cookies and clear cache before you're done.

Virtual desktops

Some business owners prefer their employees not carry around any company files with them. Instead, mobile workers must log into the company's secure network "in the cloud" and access files remotely. This technology is sometimes referred to as a “thin client” or “virtual desktop” solution.

"The hosted virtual desktop concept is good for data security, in that data is not attached to a hard drive. The industry is still relatively immature, however, and users should balance the need for data security with other needs such as information accessibility," advises Adam Hils, an Atlanta-based principal research analyst with Gartner's security, privacy, and risk division. "It is true that users should limit the information on their laptops to what they need for the trip."

Daoud agrees: “The best advice is to have some centralized storage system at home or in the office where all the critical data is stored and secured… that can be securely accessed via Web browsers when someone needs to access the data.”

Back-up
Finally, there are free ways to back-up important data, in case a laptop is stolen, lost, or damaged. For example, Microsoft offers up to 5 gigabytes (GB) of free storage per month with its Windows Live SkyDrive service. Not only is this password-protected online file storage solution easy to use but you can access your files from any Internet-connected computer in the world, which can prove very handy while traveling.

"And because remote laptops are outside the protection of the corporate firewall, every laptop should also have a personal firewall installed," adds Hils. "These are available with Windows, and with most anti-virus products, for free."

Secure Your PCs for Free

Marc Saltzman — 2008-10-28T15:26:40-05:00

Given the state of the economy, many small and mid-sized businesses and small office, home office (SOHO) workers might be tempted to trim essential services, such as anti-virus and anti-spyware protection, firewall, spam detection, and offsite back-up.

The question isn’t whether or not you can afford security software -- rather, it’s can you afford not to? Don’t fret, there is an alternative.

Free software exists

Rather than putting your company’s data at risk by not doing anything at all, consider a handful of downloadable tools that offer protection for your PC, without costing your company a dime.

“Free is the best four-letter word in the English language" for small and mid-sized businesses, says Steve Hilton, vice president for small and mid-sized business and enterprise research at the Boston, Mass.-based Yankee Group. “Try out free solutions and talk with someone who's already used the product to avoid any gotchas.”

What “gotchas,” you ask? Hilton says free software is free for a reason. “The vendor might support the free product, hoping you’ll upgrade to the pay-version, or some vendors rely on ad-sponsored revenues to support free products.” But in some cases the software might conflict with your operating systems or applications on your PC, adds Hilton. “Therefore, the best idea is to work with your tech advisor or IT department to make sure you won't have any unfortunate surprises, because free software often doesn't come with vendor-provided tech support.”

Not everyone believes these free options are a good idea for your business. “While most of these tools, such as free anti-malware, are very good for consumers I don’t think they are a good idea" for businesses, says Peter Firstbrook, research director for information, security and privacy at Gartner, a Stamford, Conn.- headquartered technology market research firm. “They key requirement for business is centralized management and reporting and that is absent from these tools,” explains Firstbrook, and “in some solutions commercial use is specifically prohibited by the license agreement.”

Recommended freebies

Anti-virus software is important to safeguard your PC from the latest threats out there in cyberspace, which usually make their way into your e-mail inbox. Without anti-virus detection, all it takes is for you or an employee to click on an attachment, such as an .exe file, causing an immediate infection and perhaps propagating itself through your contacts list (and yes, your clients and customers will just love that). On a related note, spyware refers to other “malware” (malicious software) that can do everything from slow down your PC and spy on your Internet surfing behavior to causing inappropriate pop-up ads and hijacking your browser’s home page or toolbar.

Some of the anti-virus software programs experts recommend include the award-winning AVG Free and Avast!, while competent anti-spyware tools include Windows Defender and Ad-Aware 2008 Free.

On a related note, make sure you have a powerful firewall and intrusion detection to protect your PC from predators, such as Personal Firewall by Sunbelt or Comodo Firewall.

Online storage

Backing up important files is critical -- but saving them to a local external hard drive, USB thumb-stick, or recordable DVD means they’re still vulnerable to theft, fire, or flood. It’s no wonder, then, why many companies prefer to upload data to a secure offsite location. An added advantage to these online back-up and storage solutions is the ability to access those files anywhere in the world you’ve got an Internet connection.

While some services let you back a couple of gigabytes for free, such as MozyHome, Microsoft gives you up to 5GB of free storage per month with its Windows Live SkyDrive. All that’s required to use this password-protected virtual drive is a Windows Live I.D. (a Hotmail e-mail address will do). And if you need to send large files to someone -- such as sending a huge PDF to a coworker or client -- you can set up a separate folder on Windows Live SkyDrive only for shared files.

Spam protection

Spam, or unsolicited junk mail, isn’t just a productivity drain as you and your employees can spend hours deleting these unwanted messages per week, but often they contain viruses, spyware, or phishing attempts that try to lure you to authentic-looking websites to steal your identity for financial gain.

If you use Microsoft Outlook, however, a free plug-in program called SPAMfighter dramatically reduces the amount of junk mail you get by segregating suspicious messages and dropping it into a folder. It catches quite a bit (with few “false positives,” meaning it thinks mail is spam when it’s not) and doesn’t slow down your PC.

A word of warning: while free, SPAMfighter adds a “signature” to the end of your outgoing e-mails that is meant to spread the word about the software (and no, you can’t remove it), plus the company hopes you’ll upgrade to the paid version with additional bells and whistles.

Would Your Network Survive a Targeted Attack?

Minda Zetlin — 2008-07-28T16:51:25-05:00

A small company selling products from its website had bare-bones security in place. Its executives had figured its small size would put it beneath the radar of hackers and other cyber-criminals. After all, cyber attacks are usually aimed at large organizations such as the U.S. Commerce Department or Circuit City, or in one stunning case, the entire nation of Lithuania. Why would anyone bother to attack a tiny company with only a couple of servers and a handful of employees?

Someone did, though. A hacker managed to crack this company's not-very-elaborate security system, gain access to its network, and obtain credit card information for its customers. Not only that, the hacker left a root kit that continued to collect new credit card numbers as they came in. (Root kits are rogue software designed to give unauthorized outsiders administrator-level access to a system.) It took not only a new security setup, but completely wiping and reinstalling the company's computers to resolve the problem.

"The common belief is, 'I have nothing of value, so no one will bother me,'" says Dirk Morris, CTO and founder of Untangle, an open-source network gateway company that helped the small e-tailer rid itself of the hacker. "But we keep running into small businesses that are getting hacked and having their machines taken over." Smaller companies tend to have smaller security budgets and weaker security in general than larger ones, he explains, and that makes them attractive.

Organized crime may be involved

"We view targeted attacks in the same category as zero-day attacks," notes Adam Hils, primary research analyst specializing in small and mid-sized businesses for Gartner. "It's essentially the same problem as with zero-day attacks: they will never show up on any virus definition list." (For more on zero-day attacks, see previous article.) Hils adds that as hackers become more sophisticated, targeted attacks are "trickling down" to smaller and smaller companies.

To make matters worse, Morris says, organized crime is beginning to take advantage of security vulnerabilities, coordinating and managing cyber-attacks—and tracking which campaigns are most effective. This has led to an increased focus on hacking small businesses, because the success rate there has been higher.

For instance, he says, some attack campaigns target small businesses specifically by masquerading as e-mails from the Better Business Bureau, notifying the company of a complaint against it with a link to click for more details. "You click it, and it's malware."

What's the best defense against these kinds of attacks? There's an old joke about two campers being chased by a bear: one camper notes he need only outrun the other camper to reach safety. In the same way, you may not need the tightest security possible to preserve against targeted attacks -- as long as your security is as strong or stronger as that of other small companies. Having anti-virus, anti-spyware, anti-spam, and a firewall all up to date can go a long way toward providing the necessary protection.

"Hackers look for the weakest defenses, so if you have credit card numbers, you'd better have better security than the next guy," Morris says. The same goes if your servers contain personal information on customers, valuable patents, insider financial information, or anything else valuable enough to be worth stealing.

Targeting a single computer

Some attacks aim very small. "Things like botnets target individuals, rather than companies," Hils says. In a botnet attack, one or more of your users' computers becomes a "zombie," sending out virus-carrying spam or otherwise doing the hacker's bidding, usually without the user being aware of it.

That's what happened to furniture maker Summer Hill, Ltd. "This is a small company, with 35 employees," Morris says. "They started catching tons of spam, and a large number of attacks. It was all coming from one machine inside the network." It turned out a botnet program had overcome the security on that one computer, and taken it over.

The best way of coping with botnet attacks, Morris says, is careful monitoring of network activity since an unexpected increase in little-used applications may be the first indication that something is awry. In this case, the user's computer was using internet relay chat (IRC) to a surprising degree. "I doubted that the person using the computer even knew what that was," Morris says. Sure enough, the zombie computer was using IRC to send out spam -- and scan the entire Internet in search of other vulnerable machines.

Tech Talk: Fashion Designer Upgrades Firewall

Elizabeth Wasserman — 2008-07-25T10:55:38-05:00

Nanette Lepore, a New York-based fashion designer high end clientele, rapidly expanded to 10 boutiques in the United States, and one each in London and Tokyo. While the designer's fashions were making a splash, network specialist Jose Cruz tells IncTechnology.com that the firm upgraded its firewall and network security in the wake of a hacker attack.

Elizabeth Wasserman: How does a fashion house use IT?

Jose Cruz: Until recently, we didn't have much of an IT presence. When they brought me in, the company was growing pretty fast. The one thing that they seemed to overlook as the company was growing fast was their IT needs. My objective was to get them on a corporate e-mail system, lock down the network so it was not open to the world, and to implement security standards so that their intellectual data would be their intellectual data alone.

Wasserman: Last year, you found out that hackers had compromised some of your customers' credit and debit cards. What happened?

Cruz: I got that call on a weekend. It was a frantic call from our store manager in our Las Vegas location. The FBI showed up and questioned what was going on. They said purchases had been made on credit cards belonging to our clients. We found out our point of sale systems had been compromised. These were in place long before I came on board. It was dated equipment and not up to the task. This was very disturbing to me as I had been auditing the main infrastructure in New York and hadn't yet had time to see how the other locations operated.

Wasserman: What did you do?

Cruz: As soon as I got that call, I called up my support providers at Webistix. I've relied on them at times to tackle some situations I've never encountered before. This was something new for me. Webistix suggested that we get some SonicWALL firewalls in place. These are PCI compliant – they're certified by the credit card bureau that puts standards in place for retailers. We got the SonicWALL TZ 180 in place. I immediately flew to Las Vegas and pulled the router offline. It looked as if someone had actually gone in and tampered with the firmware settings on it and pre-programmed it with a set of IP addresses unknown to us which meant it shouldn’t have been working but it was still allowing internet traffic to pass through or possibly piggy-back off of equipment that was capturing information. The FBI confiscated the equipment and we had to replace it all. We decided to harden everything through intrusion prevention, anti-virus prevention, and anti-spyware. We are now in a far better place than we used to be.

Wasserman: Is it true that you had to shut down stores that weekend?

Cruz: We shut the Vegas store immediately. It's right there in the Caesar's Palace mall and weekends are very busy. We also shut the two locations in Los Angeles. The location at Robertson in LA and the New York Broome Street location get extreme amounts of foot traffic coming in so we asked them to push off credit card transactions for the weekend, which of course affect business since almost all transactions are done credit card. We lost over a million dollars in business that weekend. The fear alone made Nanette consider closing stores in other areas around the U.S. over the weekend because they had the same legacy equipment. It was legacy equipment in place before I came on and before the company took experience a major growth spurt. When you think about what is going on, some of bigger retail chains have been affected in the same way on a grander scale, with thousands of their clientele level-three credit card information compromised. We're just a small pea in a pod compared to those retailers for now. But, still, in a company in a growth mode, it's scary to consider. If we were marching forward with technology in play that was dated and not up to the task, it could have been worse and we might have had more stores breached.

Wasserman: Have you had any intrusions since?

Cruz: No, we haven't seen any intrusions since we installed the firewall. A lot of viruses have been blocked. A lot of spam bots have been blocked. I can now pull up this information with our global management system and monitor all our remote locations and get real-time feedback on the status of all our locations. We not only hardened our firewalls and locked down our systems and network but we also implemented security and group policies on our systems for our staff. This way, users are forced to log in before they can use any of our machines. And, depending up the group structure, they only have rights to do certain things on certain machines.

Is Security Software Choking Your System?

Bill Pfleging — 2008-06-25T09:56:29-05:00

Are your desktop systems feeling sluggish? There might be more than slow hardware or spyware at fault -- it may just be your security software.

“Generally, users will experience a twenty percent decrease in performance, just from having Norton or McAfee Antivirus installed on their desktops," says Perri Naccarato, owner of The Computer Guys, a computer service and repair shop in Saugerties, N.Y. “And that's not taking into account any other security software you may also be running.”

Naccarato believes that for all but the smallest businesses, it makes more sense to take a unified threat management (UTM) approach, placing the security on the network, and off the individual desktops. The constantly increasing need for more and better security on all workstations is a problem in any company. The trick is how can you keep a computer safe from intrusion without loading the system down to the point of non-functionality?

What a UTM solution is

UTM solutions are primarily hardware gateways, routers with hardened operating systems that contain centrally maintained firewall, anti-virus, anti-spyware, and anti-spam functions, as well as assorted other monitoring and blocking capabilities for the highest levels of security. This relieves the need for each workstation to provide these services, thereby freeing their resources so they can better do the work needed.

According to Jon Kuhn, director of product management at SonicWALL, Inc., a secure network infrastructure company based in Sunnyvale, Calif., the security problems don't come just from outside threats, but maintaining control over just what your employees are doing as well. The rapid growth of innovations that provide services through the Internet, and the accompanying increase in network traffic, can pose real problems for IT to manage.

“The Web 2.0 approach makes for a loss of control,” says Kuhn. “Internet applications like Google Documents, Scribd, and Zoho are quite useful, but a potential security problem for IT.”

UTM solutions also allow IT to control all incoming and outgoing data. This gives IT one place to manage all maintenance, and gives far more control over what Internet sites workers can access, and what they can't. Plus, not only can you control threats of intrusion, but with some of the more sophisticated UTM solutions being offered now, you can control the content itself sent out by employees, safeguarding confidential content, like medical or legal documents, from accidental release or insider espionage.

“It's so important for admins to have access to tools to control and monitor all throughput,” says Kuhn. “The UTM solution protects your bandwidth and secures all your sensitive data.”

Prices have come down

UTM systems used to be more costly, too high for small and mid-sized businesses to handle. But Moore's Law continues to apply across the tech spectrum, bringing everything within reach, and now even the smallest company can protect its network investment.

“If you have just 10 employees or more, then investing in security hardware becomes cost effective," Naccarato says. "Those aren't cheap items for small businesses, but take into account all the money spent on multiple licenses for security software installed at each desktop, as well as all the man-hours reclaimed that used to be spent updating and patching individual computer boxes, and it suddenly looks like a bargain.”

Though UTM devices and network-based software provide great protection for in-house desktops, they obviously can't protect users' laptops while they're off the network, using a home Internet connection or surfing the Web from a café, airport, or hotel room. But they can use UTM to free up processing power by simply plugging it into a USB port.

The Yoggie Pico, an award-winning miniature personal security server that resembles a USB flash memory, provides the mobile worker with security software solutions that include a firewall, VPN, IDS/IPS, anti-virus, anti-spam, and more. The little thumb-sized unit contains a 520 MHz Intel Processor running a hardened Linux-based OS. All data coming in and going out is seamlessly passed through the unit, keeping your data safe. And at under $200, it's affordable for every business -- even if you're the entire company.

“My customers are usually amazed at how much faster their system runs when I take all the security software off the desktop,” says Naccarato. “It can make the difference between a slow, frustrating working experience and a smooth, responsive one.”

SIDEBAR: Some Companies Offering UTM Services and Products

Fortinet is a provider of Unified Threat Management (UTM) security systems that enable secure business communications and deliver excellent security. Their security systems and subscription services protect more than 20,000 customers worldwide -- including telecommunications carriers, service providers and enterprises of all sizes.
IBM Internet Security Systems (ISS) offers a large portfolio of IT security products and services for organizations of all sizes. Their UTM solutions protect against a wide variety of attacks and Internet nuisances, and provide data security solutions to safeguard valuable information.
3Com Unified Security Platforms offer threat protection for organizations of all sizes, as well as those with multiple sites, branch offices or numerous teleworkers, including services like virtual private network (VPN), packet inspection firewall, application bandwidth management, and IP multicast routing support.
Astaro Security Gateway provides protection for networks, Web access and e-mail traffic, and offer a complete range of hardware appliances.
Cisco Systems provides security products that combine firewall, virtual private networking (VPN), and intrusion prevention system (IPS) technologies, and incorporate content inspection and control over applications like e-mail, Web access, instant messaging, and others.
The SonicWALL network security appliances provide UTM security services with deep packet inspection to provide small, mid-size and enterprise-class organizations excellent protection. SonicWALL appliances integrate automated and dynamic security capabilities for protection and performance.
ZyXEL solutions offer networking features such as quality of service (QoS), network security, and network management. Serving both corporate and home users, the companies UTM Series combine firewall, content filtering, anti-virus, anti-spam, and intrusion detection and prevention. It also supports virtual private network, load balancing, and bandwidth management features.
Yoggie’s range of USB key-sized and ExpressCard-sized security mini-computers connect to any PC or laptop at home, in the office or on the road, blocking Internet threats outside the host computer and boosting computer performance by off-loading installed security software.

Can Outsourcing Better Protect Customer Data?

Mary O. Foley — 2008-06-25T09:47:24-05:00

“Is it inherently insecure to let someone else handle your own security?” mused an October 2007 report by Forrester Research.

Not if a reputable firm can do the job better and for fewer greenbacks than you can, experts say.

In today’s marketplace, your company must meet a dizzying number of compliance regulations, with acronyms to match, if you store your customers’ personal or financial information. Everything from the Payment Card Industry Data Security Standard (PCI DSS) to the Gramm-Leach-Bliley Act (GLBA) to Health Insurance Portability and Accountability Act (HIPAA) requirements. High-profile cases of laptops containing such data being stolen have added to the angst.

Meanwhile, many smaller businesses just don’t have the manpower to handle these added security concerns. “You might have someone on-site who can put in a firewall or a VPN [virtual private network] gateway, and then forgets about it,” warns Guy Fardone, chief operating officer and general manager with Wayne, Pa.-based Evolve IP, a managed security and compliance services firm. “So no one is looking at it, and no one is updating it…they never inspect it.” As a result, there is no threat detection and the system is at risk, he says.

Does this sound familiar?

Providers come in several flavors

If it does, hiring a managed security services provider (MSSP) may be the solution. They can step in and install and manage firewalls, VPNs, vulnerability management, Web filtering and anti-spam, security intelligence services, and wireless and mobile functions. According to the Forrester report, there are several types of these providers, including:

Managed services specialists, such as Evolve IP, SecureWorks, and Solutionary;
Security product or service vendors, including VeriSign, McAfee, MessageLabs, and Google’s Postini, which offer either security services or products;
Telcos and managed services providers, such as Verizon Business, AT&T, and Sprint now offer some of these services.

Which type of MSSP should you choose? That, experts say, depends on how extensive your needs are. For example, do you need consulting, hardware, and services, or only some of these? Telcos do not provide compliance consulting, “but if requirement number one for PCI [compliance] is that you need a firewall, you can get one through a telco,” notes Doug Barbin, director of product management with Mountain View, Calif.-based VeriSign. VeriSign, which offers a full range of MSS products and services to enterprise customers, currently services the small business market only through telco partners such as AT&T, Barbin says. Other service vendors may cover specific security needs (for example, MessageLabs offers email protection and archiving services) but not a full range of service.

A so-called pure-play MSSP, such as SecureWorks or Evolve IP, can provide a wide range security and compliance systems and consulting, notes Evolve IP’s Fardone. The cost can start at $100/month for a managed firewall and run over $1,000/month for a threat detection service, but is still “cheaper than hiring someone,” he says.

Choose wisely and get everything in writing

The next big question: whom to choose? “Like choosing a doctor, the customer’s lack of specified knowledge in the field makes trust an essential issue,” the Forrester report notes. Many companies tend to rely on word of mouth.

Whomever you choose, make sure the service-level agreement (SLA) you draw up with the company is crystal clear and is done with legal help. This IncTechnology article on avoiding security pitfalls with subcontractors can help. Experts recommend that the SLA includes enforcement rights, consequences, and a policy about how sensitive data will be destroyed after use.

After all, a good security agreement with the correct firm can save you time, money -- and your bottom line.

Tech Talk: E-mail Storage Sails for Boat Supplier

Elizabeth Wasserman — 2008-06-19T08:59:05-05:00

Quantum Marine Engineering, of Fort Lauderdale, Fla., custom makes boat stabilizers, thrusters and other hydraulic equipment for yachts all over the world. Staff members rely on e-mail to communicate with customers. IT Director Michael Bartlett tells IncTechnology.com how e-mail archiving helped the company manage mailboxes and facilitated e-mail retrieval on demand.

Elizabeth Wasserman: How does your business use information technology?

Michael Bartlett: The single technology that the owners of Quantum have decided and maintained as critical to our business is e-mail. Our market is worldwide. We build custom equipment that is essentially for boat builders. A lot of communication is from the sales side and engineering side, between our engineers and ship builders, and between our engineering staff and captains and those on board. These often have to do with specifications on board, changes in specifications back and forth and, because sales are worldwide and we're driven by e-mail, keeping records of who said what to whom and when is critical for us.

Wasserman: So what problems did you encounter?

Bartlett: Everybody wants to grow their mailboxes without restraint. They want to keep all of their inbound and outbound e-mail as a record. Because technical specifications are spent back and forth and projects stretch of several years, sometimes staff changes and then you have a point of dispute with the customer. The original specification was half inch. At some point, it changed to three-quarters of an inch. And we have to know who changed what and when. Some mailboxes grew to 2 gigs. At that point, we started have problem with our Exchange performance and the individual users' performance -- especially if they were mobile users.

Wasserman: Why did you decide on an archiving solution?

Bartlett: To have a permanent record that is separate from the Exchange server. We decided to use the GFI MailArchiver. This way, the e-mail is not deleted, it can't be manipulated, and we can search it and track things down. A huge reason is to keep the size of the individual Exchange mailboxes down. We have a default limit of 250 megs for individual e-mail boxes. Once people understand we have a separate archive of all e-mails, they realize they don't have to save everything. It keeps the database smaller and it has improved the Exchange system performance.

Wasserman: How has this helped your business?

Bartlett: The system we're using is searchable. Our administrators can search the whole database. Each department head has the ability to search through their department e-mails. We had a moment already when the owners realized that this was a good move. We had one of those situations where a product arrived at a shipyard and the specifications were not right. We had to find the e-mail where the specifications were changed. The engineers on both ends had made changes. I was able to find this e-mail in five minutes. That proved the worth of the system in everyone's eyes.

Tech Talk: Firm Uses Backup for Accountability

Elizabeth Wasserman — 2008-06-19T08:53:32-05:00

VAALCO is a Houston-based energy company that explores, develops and produces crude oil and natural gas. It's a small, but publicly-traded company with 20 employees in Texas and more worldwide. Robert Walston, IT supervisor of VAALCO, says that moving to an online backup service helped the firm comply with regulations regarding accountability of financial data and allay disaster recovery concerns

Elizabeth Wasserman: What type of data do you keep?

Robert Walston: The critical data is the financial data. And recently, in the last year or two, we implemented Microsoft Exchange server so we have all of our e-mail data also that would be critical.

Wasserman: Why did you look for a new backup solution?

Walston: We are a public company and we were introduced to the Sarbanes Oxley requirements. Even though we're a pretty small company, our market cap is big enough to make us have to abide by the same regulations the large corporations. In late 2005, we were basically backing up everything to tape drives. I was hand carrying them to my house at the time. Once we were introduced to the Sarbanes Oxley regulations, we knew that wasn't going to cut it. It didn't meet the standards for accountability and so we had to come up with a solution pretty quickly. That's when we started looking into an offsite, online type of backup. We went with Netmass, based out of Dallas, with Asigra software.

Wasserman: How does it work?

Walston: We downloaded a client and it backs up our computers over the Internet. It's all encrypted, so it meets the securities standards and accountability standards we need. Basically, each night a couple times a week, we rotate between the accounting/purchasing and Exchange server. It's really easy to set up. Every night at a certain time, it backs up our servers.

Wasserman: You're based in Houston, which was hit pretty hard during Hurricane Rita. Does this give you peace of mind during hurricane season?

Walston: The main concern was with our auditors at the time. They didn't know where I lived and whether I lived in a flood plain. I, myself, wasn't concerned. Our offices are located on the third floor of a three-story building. Having said that, it does provide peace of mind. That's for sure. If something were to happen, a disaster in our building itself, we would be able to get these backups from a remote location and restore then in a matter of hours if we had the right hardware.