Corporate IT, in my opinion, is at crossroads. They can proactively adopt cloud-based services in the organization or wait for the early adopters to provide feedback to the rest of the world. The only problem with the latter option is that, unlike your traditional enterprise software with high start-up costs and infrastructural needs, these cloud services are built “to-go” and are ready to be used off-the-shelf services. In other words, the employees can use their credit cards and start using these products in their teams without the knowledge of their IT counterparts. You do not want your employees to use services and technologies without any structured processes. BYOD (Bring Your Own Device) is not the primary concern anymore, its BYOS (Bring Your Own Service). And no, BYOS is not a made-up acronym…

In fact, cloud computing is a great option as firms don’t have to make a big initial investment on these products. SMBs (Small and Medium Size Businesses) can now afford real-time collaboration, increased availability, easier backups and larger cloud storage at an affordable cost. They also can cut down on their internal IT staff’s effort and time in maintaining their in-house applications, hence giving the ability for their IT teams to focus on strategic initiatives. However, it is important to recognize that the above advantages do have a risk price tag associated. Cloud solutions pose a whole new gamut of risks, some of which are new to SMBs and I will discuss some of these below.

Availability

As your company moves into the cloud, you are increasingly dependent on the consistency of your service provider and your ISP provider. Before you move/choose a cloud service, ask yourself this question: “Can my team function if the service is unavailable for 30 minutes? Would this downtime be more of an inconvenience or would this affect productivity drastically?” Remember, collaboration does not mean much if your efficiency and productivity do not increase.

Software Change Management

With on-premise solutions, you have control over when/how/if you would like to change your application. This is not the case with cloud solutions. (oh btw did you see : Googlighting). For example, you might lose some of the functionality that you have been using for some time.

Although you cannot control the changes coming into the system, you can definitely make it much easier on your end-users by making sure they are aware of the change(s) in advance and providing necessary training materials. IT departments have to adopt and redesign their Change Management processes. This aspect might probably not be a deal breaker, but it surely is something to think about and plan ahead. Also, while choosing your vendor, look at their methodology on change management and how they bring in changes into the system. For example, when Google changed its Mail interface, it gave an option to the end user to revert back to the old look temporarily for about 6 months. This made it easy for the end users to get accustomed to the new interface without disrupting their daily business.

Security

Industry experts tell us that the data stored in the cloud is as secure as the data secured in your hard disk (of course, the assumption here is that we have not chosen a run-of-the-mill service provider). With most vendors, your data is encrypted during transfer as well as in the servers housed. Companies such as Google and Amazon are better equipped to deal with hackers than SMB IT owners. One might argue that SMB’s are usually not targeted by hackers and the probability that their vulnerabilities are exploited is very low with in-house solutions.

But the real question is this:

• What is the nature of data that you plan to move to the cloud?
• Is the data subjected to any Federal/State Laws?
• Is this data subjected to any industry specific laws (HIPAA, SOX etc )
• Does the Service Provider have SAS70/SSAE/SOC2 Certification?

It’s just not about hacking. Remember this incident? …of course don’t forget incidents like this.

Business Continuity

Many cloud solution providers are start-up companies with just a few employees. So before you take the leap of faith, have a Plan B ready and prepare for contingencies.

Recently, Mega Upload business users were shocked to see that their data was lost forever. After FBI closed down the Mega Upload website, there were a few business users disappointed with the fact that they lost access to their files and did not have any backup either.

This is probably one key differentiating factor between enterprise application and the currently available cloud services. Many of the current cloud solutions were initially targeted toward individual customers and then made “Enterprise Ready”. Hence concepts such as business continuity, single sign-on, password management, access control, user provisioning, active directory integration are not built into the system initially.

Which brings me to…

Integration

With any new application, you will have to think of integration (or lack thereof) and determine if/how you would integrate the product with existing portfolio of application. For instance, Google Apps Email does not integrate with Microsoft Office products, and hence, you might not be able to send a word document to email from within the document (You cannot use File –> Save as). I am not sure if many of these file hosting services offer Active Directory integration (unless you use Open ID). These are real limitations and reasons why business users are reluctant to move to the cloud.

However, there are some companies who have started taking note of enterprise needs. For instance, one of our vendors provides a hybrid file hosting platform where the files reside in the cloud but will be synchronized to a Network Attached Storage at our premise. This way, we have a copy of all our files. There are some vendors who provide private key encryption option to allure the enterprise users to the cloud.

In summary, cloud services are a very good and sound concept as long as…

You know exactly what you want from these services,
You understand their limitations.
You plan for contingencies.
You remember that you own the data even if it does not reside in your environment.

Photo Credits

By Luke Stock and Jarrett Crusor

In the wake of one of the worst economic downturns the world has seen in decades, companies are looking for ways to do more with less. Whether identifying cost reduction opportunities or launching initiatives to generate incremental revenue, companies are turning to technology and their own data to increase the speed and accuracy of making critical business decisions. This demand has brought advanced analytical techniques like predictive analytics to center stage, which aims to identify patterns and relationships using statistical methods to arrive at the optimal decision based on all factors and inputs considered in the model. For over a decade the insurance, retail, and travel industries have instituted these techniques to predict consumer behavior and now many other industries are attempting to reach the maturity to take advantage of the additional revenue living within their data.

The basic objectives and benefits of predictive analytics may be rather clear; however, the challenges are typically common across companies and industries alike. First, it is important that an organization’s enterprise data be profiled to evaluate the quality and cleanliness. Having accurate, consistent, and complete data reduces than likelihood of skewed or erroneous results and promotes a culture that treats data as a vital asset rather than dismissing it for managerial “gut instinct.” Second, it is strongly encouraged to perform a readiness assessment to help determine an organization’s ability to effectively implement predictive analytics and mitigate the risk of failure. As a part of this assessment management needs to also determine the accuracy of their current decision-making process and identify what the “target” effectiveness is for a predictive model. It should also be understood that this target should be realistic as no model will ever be 100% accurate. There will always be something new to incorporate into the model; some new variable that predicts outcomes and drives results. As new real-life conditions in the data are discovered, the model too will need to be updated to stay as current and accurate as possible.

So what are some examples of how predictive analytics is being used? Let’s explore two scenarios:

1. Containing Transportation Delivery Costs without Sacrificing Customer
Satisfaction

Transporting goods to customers is a critical component for nearly all retail and consumer-based businesses. With the many transportation carrier options to choose from, making an informed decision can be difficult and costly depending on what you ship, where you ship to, and who handles the freight. A potential solution could involve relating the value of the goods being shipped to transportation vendor costs, quality of service, and on-time delivery metrics. By building a model around these inputs, a predictive model could determine the optimal shipping method which would be the most cost effective based on distance, a carrier’s price points, estimated time to destination, and likelihood of goods making it to where they need to be on-time. This model would render the decision making process less of a guessing game while also achieving the benefits of containing costs without sacrificing customer satisfaction. This is truly a case where the data can drive profit directly to the bottom line.

2. Generating Incremental Revenue by Knowing your Customer

It’s no secret that companies who understand the behaviors and buying habits of their customer tend to sell more. Let’s pretend you are in the process of planning your annual spring break trip to your favorite warm climate destination. Over the past few years you become fond of using a specific travel planning site because they provide you with the best deals. As you go through your decision-making process, the travel site is also making decisions that connect you with other customers in real-time. Using information such as your age, gender, household income, and home address, this company develops a model of you that builds a relationship between your buying habits and others like you. Using this relationship a prediction is made for the best flights and hotels within a reasonable cost range of what others like you have agreed to pay. As the site continues to gather more information, the accuracy of the model also increases. This leads to increased sales of their airline and hotel partners. In the end, you as the customer become more loyal to the site and are less likely to look elsewhere for planning your next vacation. Who knows, you might also spread the word around to your friends.

These examples show the benefits of creating a successful predictive model, but realizing these benefits does not happen overnight. Building a predictive analytics program is a journey that provides many learning experiences along the way. The companies that capitalize on these opportunities the quickest are those who treat their data as an asset. In other words, companies that understand opportunities truly exist to monetize their data such as Google and Facebook, understand their data needs to be properly collected, organized, and protected. After all, Facebook’s impending $75 – $100 billion IPO is not based on selling a physical product, it’s because of the vast amount of data they maintain and what they can do with it.(1)

References

1. Bloomberg. “Facebook Insiders Push $100 Billion Value.” Bloomberg, 2012. Web. 23 February 2012.

Photo Credits

This is a scenario of events has been dramatized for effect. This illustrates how compliance can be such a strong emotional driver that it can stand in the way of actual progress; especially from an Information Security professional’s perspective, it can be very frustrating.

By way of background, this example company’s previous information security policies were extremely high-level and had no additional guidance or support. As a result, they were not an effective governance measure; after all, we’ve all seen those cookie-cutter policies downloaded off the Internet. Updating these policies and developing prescriptive standards seemed like a logical first step to better govern information security in this organization. After all, if there isn’t guidance published, how is anyone supposed to know what they are supposed to do?

This company is also in a highly regulated industry in which internal and external information must meet a strict set of information security controls. The organization had never undergone a detailed audit of their policies and implementation, so there has been no implication for failing to meet an internal or external guideline.

Fear does strange things to people. Have you ever had the feeling that there was someone lurking outside your window…but it turned out to be a shadow of a tree limb? Did you creep around the house, grab a baseball bat, or peep out around the curtain? What I’m talking about here is what I’m going to term “Regulatory Fear” or “RF” for short. RF is good in many ways because it forces us to meet a minimum standard. But in our case, it has contributed to a significant setback in moving the organization’s security posture forward.

The following is not a single conversation, but it describes the types of discussions that a fictional team has been…umm…enduring…

InfoSec: We are undergoing a project to update our existing policies and create some more detailed guidance for the entire organization. This will help us to enforce specific security behaviors and provide guidance to disparate portions of the company so we can improve our overall security posture.

Leadership: Improve? That sounds terrific. When do you think we can push this out?

InfoSec: We will be working with the subject matter experts to develop the details in accordance to the ISO 27001, 27002 (et. al.) standards. We estimate the standards will be ready to publish in a few months.

Leadership: It sounds like you have a good plan! Let’s get started right away.

InfoSec: We will plan to roll these out as a batch so we can identify any potential gaps and work toward remediation.

Leadership: Ah, the “Big Bang Theory.” Yes, that will help push things along. Do we expect to have any gaps between the new standards and our current operations?

InfoSec: Yep. Since we are trying to add better guidance and raise the maturity bar, we expect a number of gaps to come forward, especially from the groups that aren’t currently integrated into our common processes. This is an opportunity to enforce standards and push the disparate teams into our centralized processes, so we want to take full advantage of it. This will all be managed through the IT Risk Management team, and remediation will be tracked using their tool, so we can continue to monitor and report progress.

Leadership: Sounds like you have a great plan. We’ll push these through a few levels of review when they are complete, so they meet the needs of Compliance, Legal, IT, and others. Let us know if you need any support from the executive team.

InfoSec: Thank you. We certainly will.

Now at this point, our InfoSec team should have had alarms going off, but why? Despite the obvious support from the executive team and desire to proceed with the plan, organizational change is not something that happens overnight. For the sake of argument, let’s say the organization is not very mature in information security and it is assumed that there are some gaps that currently exist but are not captured or reported (remember, we’re taking baby steps…). Our originally rollout strategy (version 1) was to publish these standards and take 90 days to complete gap assessments to identify the top remediation priorities. We’d use our IT Risk management team to help manage and track these gaps, so we could close them and actively show progress toward our goal.

Fast forward in time…

Over the 6 month period, the teams met with stakeholders and developed standards that were ISO-based and included input from the stakeholder for their current processes. All standards were reviewed by the stakeholders, Compliance, Legal, and a whole steering committee of decision-makers and were approved. At the time of publishing, we reviewed the rollout strategy (version 1 again) with the executives, and the team got nervous.

Leadership: Can you explain this gap assessment process? Why are we intentionally identifying gaps?

InfoSec (after blinking several times): Well, since the organization still has a ways to go to meet the foundational security components in our standards, we need to identify where we need to put remediation, so we are proactively building our program.

Leadership: Why would we publish standards that we’re not compliant with?

InfoSec: Excuse us for a minute…..#$%@! OK, we’re better now. If we don’t publish new standards – higher standards that actually raise the maturity and overall security of the organization – then we can’t push the organization to improve.

Leadership: But if we publish standards, then we’re going to be held accountable to them, and you just said we are going to have gaps. We don’t want our external auditors to be holding us to a standard that we aren’t compliant to and risk fines and additional oversight.

OK, ok… I could go on and on for volumes but I think you get the point… Now, this scenario is obviously exaggerated, but I think it warrants some discussion.

Have you seen anything similar? Have you been in this position and completed a gap assessment? What has been your experience with external or internal auditors in this scenario? We’re anxious to hear your war stories!

How have you raised the capabilities and/or maturity of an organization without sending up the emergency flares of instant non-compliance?

Photo Credits

Passwords

Passwords are the first line of defense against cyber criminals. It’s important to pick strong passwords that are different for each of your important accounts and to change them regularly. Here are some ideas to help create strong passwords.

1. Use a unique password for all your important accounts.

Use unique passwords for your accounts, especially important accounts like email and online banking. You are likely to have dozens of accounts across the web, and you cannot guarantee the security of all of them. Criminals target sites that lack strong security, in order to harvest usernames and passwords that they test against other popular sites. When you use the same password across the web, a cyber criminal can learn the password from a less secure site and then use that password to compromise your important accounts.

2. Use a long password

The longer your password is, the harder it is to guess. There are almost one quintillion possible 10-character passwords (that’s 4,000 times as many possibilities as if your password only has eight characters) … and that’s if you only use numbers and letters.

3. Use a password with a mix of letters, numbers, and symbols

Using numbers, symbols and mixed-case letters in your password increases the difficulty of guessing or cracking your password. For example, there are more than 6 quadrillion possible variations for an eight-character password with numbers, symbols, and mixed-case letters – 30,000 times more variations than an eight-character password with only lowercase letters.

4. Make sure your password recovery options are up-to-date and secure

Make sure your recovery email address is up to date so that you can receive emails in case you need to reset your password. Sometimes you can also add a phone number to receive password reset codes via text message. Additionally, many websites (including Google Accounts) will ask you to choose a question to verify your identity if you ever forget your password. If you’re able to create your own question, try to come up with a question that has an answer only you would know. Try to find a way to make your answer unique – you can do this by using some of the tips above – so that even if someone guesses the answer, they won’t know how to enter it properly.

5. Keep your password reminders in a secret place that isn’t easily visible

Don’t leave notes with your passwords in plain sight, on your computer or desk. If you do decide to save your passwords in a file on your computer, create a unique name for the file so people don’t know what’s inside. Avoid giving the file an obvious name, such as “my passwords.” If you have a difficult time remembering multiple passwords, a trusted password manager may be a good solution. Spend a few minutes checking out the reviews and reputations of these services.

6. Add an extra layer of security to your Google Account

When you leave your house you feel a bit safer knowing the door’s locked. But imagine how much safer you’d feel if the door was guarded too? The same goes for the information in your Google Accounts. By switching on 2-step verification you’ll have not one, but two security measures to help prevent someone from breaking in.

Once you’ve created a password for your Google Account, you can add an extra layer of security by enabling 2-step verification. 2-step verification requires you to have access to your phone, as well as your username and password, when you sign in. This means that if someone steals or guesses your password, the potential hijacker still can’t sign in to your account because they don’t have your phone. Now you can protect yourself with something you know (your password) and something you have (your phone).

Social Riskology started life as an opportunity to educate students about the potential personal risks associated with social media and social networking. To make the learning experience tangible, this dedicated social media site was created in order to show some of the potential dangers of disclosing personal information on social media sites. Our objective is to provide a hands-on experience for users to explore the potential implications of personal data that is available on social media and enable users to think about the risks of sharing their information online.

While it would have been an interesting exercise to create some fake people on popular sites such as Facebook and Twitter, Social Riskology allows for a tailored, scenario-based site that is designed to keep users (and us) from overexposing ourselves. In other words, Social Riskology is a safe place to educate others on the dangers of social networking.

The document below contains a nice point of view highlighting the risks of social media and how you can shape your personal brand through social media. It contains examples and guidance on how to build your personal brand and not fall victim to some of the risks. We update this document periodically so be sure to visit the website and download the latest and greatest!

Download

As with many scientific advancements, when the rate of change is rapid, important questions go unanswered.

Over the past few years, how many times have you heard that social networks can be ‘risky’? How often do parents tell their children to be ‘careful’, not knowing what ‘careful’ really means?

With SocialRiskology.com we have developed an interactive, consequence free environment for young people, old people, and social networking pros to come together in a discussion of social networking and the consequences of our online behavior. Using SocialRiskology.com as a platform, discover what it means to have high risk online social behavior and what it means when people say the ‘internet never forgets’. Leverage and explore our fictitious scenarios, thought leadership and the discussion designed to illicit response. We hope you can’t relate but know that many of you will.

Check out the learning tools:

• The Scavenger Hunt: Our scavenger hunt has to flavors: “personal” and “professional.”  The personal scavenger hunt has been constructed to show the risk of use social networks in our personal lives.  Interactions with friends, family, acquaintances, loved ones and non-professional relationships can have a tremendous impact on our lives.  We explore these risks but showing examples of inappropriate actions in a variety of forms.  The professional scavenger hunt is intended to show the potential impact of social networking on our careers and jobs.  Interactions with colleagues, customers, bosses, and vendors can have dire consequences unless we truly think about “what could go wrong” when we hit the “post” button.
• Social Media Risks: Social media risks are everywhere. We have classified these risks into personal and professional “use cases.” Personal risks typically cover interactions with friends, family and peers. They often begin as harmless interactions but can have real, dangerous impacts on our lives. Professional risks cover those consequences that impact your livelihood, your career or your professional reputation. Each risk has been described as “what could go wrong” and we have listed the individual behaviors or actions that led to that risk. This is, by no means, an exhaustive list; however, we will update it over time (especially as we receive suggestions)!
• Social Media Resources: Most of us go to great lengths to protect our personal credit – credit cards, bank account numbers, credit reports, etc. We only allow others to access this information on a “need-to-know” basis, so we naturally are reducing our risk of someone disclosing our financial data. Social media should be thought of in a similar context – except on a much more personal level. Only share the information you intend to share with the audience with whom you want to share it. Just because you can share a piece of information does not mean you should.

Join us in shedding light on the risks inherent to social networking.

The first step in establishing the social media strategy of a company is to determine whether or not it is advantageous for the organization to build its social media presence. There are many factors the organization must consider such as types, benefits, risks, and the associated training related to engaging in social media. The organization must assess the various forms of social media before deciding the strategy to best enable the organization in sharing its message. Even if an organization opts not to actively pursue a social media presence, the organization should still track the use of its brands on-line. Unauthorized misrepresentation of a brand could damage even the most pristine reputation. United’s stock dipped 10% when a musician uploaded a video on-line about his broken guitar after United neglected to respond to his refund claim. Investing in brand monitoring software assists companies in monitoring on-line discussions about the use of their brand so they have the ability to rebut as necessary.

Social networking websites such as Facebook and LinkedIn help people connect and build relationships. Audio websites such as iTunes or Rhapsody allow consumers to download songs or buy full length CDs on-line. Organizations now use video websites such as Vimeo and YouTube to advertise and promote their message. Rather than wait for a customer to see a commercial on TV, organizations create buzz around their videos luring consumers to search out their promotional content (e.g. YouTube, Hulu, Google Video, etc.). Old Spice connected to a whole new generation of customers after it successfully launched its ‘The Man your Man could smell like’ campaign attracting 19 million views on-line. Microblogging, another form of on-line expression through sites like Twitter messages reach hundreds or thousands of people in an instant[1]. The importance of information mobility has given rise to the boom in laptops, tablets, and smart phones. Use of mobile devices includes synchronized video conferencing for business as well as downloading entertainment and news applications. HBO Go allows users to watch HBO shows anywhere, IHeartRadio increases the audience of local radio stations, and CNN’s application for Blackberry, iPhone, and Android keeps people informed of breaking news. Establishing a presence on-line in one space over another may depend on the characteristics of an organization’s industry, the image the organization is interested in portraying and its customer base.

When an organization understands what media channels are available it needs to determine if the costs outweigh the benefits of investing in social media. There are many benefits in today’s world to taking advantage of on-line marketing. There is an entire generation that receives almost all of their information, including news and advertising, through on-line channels. Television recording makes it possible for people to fast forward through commercials. Newspapers and the United States Post Office are struggling to stay relevant in a world where anyone can read breaking news or obtain email documents in seconds.

Actively engaging in social media has its risks. Risks include unknowledgeable workforces that do not understand the implications of their on-line communication or organizations accidently releasing confidential corporate information.

Organizations willing to accept the risks associated with on-line communication must align their internal and external communication strategies. Many organizations have tried to boost productivity by limiting the types of external sites to which employees have access. Access restrictions create a dilemma for a company that has decided to add social media to its marketing strategy. The organization is sending the message externally that it embraces social media but communicating the opposite internally to its employees. Lifting access restrictions allows employees to align themselves with the social media strategy of the firm and explore the ways the organization promotes the brand. Before a company grants employees access to social media, it must take the appropriate steps to train its employees on best practices and acceptable use policies. The organization must create comprehensive social media standards and policies that align with the organization’s overall governance framework and communications strategy.

As with other forms of communication, organizations need to gauge how much information they are willing to share with the public. Companies also need to decide how much information they want to collect about their customers through the use of social media. Companies have the ability to collect mass quantities of information about every customer but the information may be irrelevant, a waste of resources, or viewed as an invasion of privacy by customers.

Organizations should not feel pressure to engage in all forms of social media. Through analysis and preparation, companies can tailor successful social media strategies to ultimately support the organization’s operational objectives.

Citations
[1] Brake, D., & Safko Lon (2009) The Social Media Bible: Tactics, Tools & Strategies for Business Success.

Employee Related Risks

Companies must train employees about appropriate communication practices and behavior expectations around the use of social media. Comprehensive policies and standards define these acceptable communication practices and help guide employees to make informed decisions. Below are several key examples:

• Employees should not post confidential company information. Once a person posts information online it can never be undone. Also, employees should be isolated social media websites when working with confidential company information. The accidental exposure of confidential information could give a competitor an advantage over the organization or breach a service contract. Tri-Medical Healthcare Centre fired five employees after they violated HIPAA regulation by discussing patient information on Facebook.
• Employees must be aware of all relevant regulations related to their industry and job function. The Federal Trade Commission (FTC) protects consumers from deceptive practices, which is why an employee must identify that they are employed by their company when discussing their employer via social media. Employers are responsible for their employees’ actions and must therefore implement controls to monitor and protect themselves from employee behavior.
• Employees must qualify any statements they make via social media as their own and not that of their employer. Employees should reflect on the impact of their statements. Inappropriate remarks can damage an organization’s reputation and lead to termination of the employee.
• Employees must not use social media to harass or bully a fellow employee. Companies do not tolerate bullying and bullying exposes the organization to lawsuits related to hostile work environments. Many companies are now extending their code of conduct to their employees’ actions online.

Organizational Management of Risks

Social media related risks exist, whether or not an organization chooses to engage in online marketing. The risk is greater if an organization is not tracking its brand’s presence within social media. Consumers love to share their opinion about a person or company. If the company is not tracking the mention of its brand and employees then it cannot respond to the positive or negative comments about the company on the internet.

An organization must understand that online communication can reach people around the entire world and one mistake can damage a brand and have a financial impact. This could happen through an accidental click of a mouse or through a disgruntled employee. The head of a company could be recorded saying something inappropriate and the video could be uploaded and sent to hundreds of people in minutes. Brands can be damaged through rumors of inappropriate actions. Public figures’ (such as politicians and celebrities) reputations are damaged when rumors surface affecting their image and so are the reputations of the companies with which they are affiliated.

Companies proactively managing social media should also be prepared for the potential of social media related incidents. Organizations must incorporate monitoring of communications into the organizations’ overall incident monitoring program. Organizations must establish a defined response plan for the business involving the teaming of HR, Legal, Communications, and Information Security departments that also includes a process for treating social media related incidents.

Organizations that engage in social media and effectively manage risks benefit from expanding the brand’s presence and protecting their reputation.