A Game Plan for Protecting Stored Data

An effective data security policy is critical now more than ever, as data is increasingly stored in a variety of devices. But even though IT decision-makers put stringent security strategies in place to patch operating systems, secure the perimeters of the network and protect data, breaches are everyday news. The potential harm involved, in terms of negative press and financial losses, when companies lose laptops, backup tapes and other devices containing private information can be staggering.

To prevent theft of sensitive assets, it’s critical to follow security best practices and adhere to a set data security policy. Here’s what to consider when creating one for your company.

Use the Right Technologies
As the Yankee Group has observed, storage networks are becoming more complex and have matured to the point of requiring additional perimeter and internal security services to ensure data integrity. In addition to encryption, IT decision-makers should consider implementing the following:

  • Access controls. Corporations must institute data security policies regarding who can access databases. Monitoring software is also key -- it helps track who has accessed data.
  • Filtering software. Tools from various vendors help you watch the way content is accessed -- via email, instant message and file transfer protocol (FTP), for example -- and inspect the content for policy violations. Some tools block or quarantine violations, and others offer the ability to block outbound email.

Put a Strategy in Place
To protect corporate data, your strategy should focus on physical access controls, data network transport protection, host defenses, and system and application authorization, says Rich Mogull, director of research for the Gartner Group.

In addition, you should perform regular audits of your security practices. You should also establish a specific policy for protecting data, data management, backup and audit frequency. It is important too to consider internal access to corporate data: Gartner estimates that 70 percent of security incidents that cause loss involve insiders.

Determine How the Data Should Be Protected 
Extremely sensitive data, such as confidential customer information and credit card numbers, should be encrypted before being designated for storage. Not all data must be encrypted, however, according to Mogull. “Use encryption to protect only data that moves physically or electronically, or to enforce segregation of duties for administrators -- for example, encrypting credit card numbers in a database to prevent database administrators from seeing them," he says.

Ensure Compliance
Companies in certain industries, such as health care, must ensure that their data backup, storage and recovery policies comply with government regulations. The Gramm-Leach-Billey Act and the Health Insurance Portability and Accountability Act (HIPAA) require more stringent corporate governance and controls. The Sarbanes-Oxley Act requires corporations to be financially accountable; it doesn't specify the amount of time specific data should be stored or how, but because it does require integrity of data, it motivates IT executives to determine their own policies and be more vigilant about backing up and storing corporate information.

Is NFC Technology the Next Big Thing for Business?

IT professionals, get ready for yet another acronym you’ll need to learn, implement and secure: NFC.

Near-field communication, while not new, is becoming a hot buzzword among tech-savvy consumers and businesses alike. This short-range wireless radio technology can turn a smartphone into a digital wallet, but that’s just one of many potential uses.

Some industry experts predict NFC will be the next big thing. And if it is, you might be the one who has to ensure your company is securely integrating the technology.

What Exactly Is NFC?

Here’s a scenario in the not-too-distant future: A customer walks into your store and swipes his smartphone near the cash register’s terminal to complete a transaction. Then, on a nearby bus shelter, he swipes his smartphone against a movie poster to download the trailer to the upcoming film. Later, he sees a friend on the street, and she tells him about her new job. The two swipe smartphones to exchange up-to-date contact info.

This is the promise of NFC, and with major smartphone platforms like BlackBerry, Android and iPhone onboard, it could soon be a quick and convenient way for your customers to buy goods and services. Note: Apple hasn’t officially confirmed iPhone 5 will have NFCs, but analysts say it’s more than likely.

When Will NFC Go Mainstream?

Many experts agree that NFC is an exciting alternative to QR codes, but a few obstacles must be overcome before the technology can be deployed by the mainstream.

“NFC is the one Holy Grail-like technology most likely to make the long-held promise of the electronic wallet a reality,” says Carmi Levy an independent technology analyst based in London, Ontario. “Companies in all sectors, including retailers, financial services organizations and mobile carriers, are all salivating at the prospect of NFC-enabled smartphones that make paying for something as quick and easy as sending a text message.”

Tim Bajarin, president of the Creative Strategies Inc. tech consultancy in Campbell, Calif., agrees that NFC has a lot of positive buzz -- especially among businesses. “There are a lot of uses for NFC -- from getting you into doors at the office, which has been around for many years, to commerce, where things really get interesting.”

NFC Brings New Security Concerns

As with all new forms of wireless connectivity, security is NFC’s Achilles’ heel, says Levy.

“Any time vendors add new ways to seamlessly move data on and off of a mobile device, it’s only a matter of time before hackers and criminals figure out a way to exploit that new capability,” he cautions. “The fact that NFC will be a staple of the next generation of smartphones makes it an even more likely security target.”

NFC’s saving grace might be its relatively short range. The technology works within about 8 inches, so it will be more difficult for criminals to position attacks, explains Levy.

Security isn’t the only challenge that has prevented NFC’s rapid adoption so far. Levy and Bajarin both make mention that the technology lacks a unified standard.

Integrating NFC

If your business works in retail, you certainly don’t want to be behind the curve when it comes to NFC. Now is the time to educate yourself about potential options. It’s smart to talk to your existing transaction terminal vendor, advises Bajarin.

“I’d start by asking your existing credit or debit terminal vendor if they support NFC, and if so, what standards are they backing and what banks are they working with,” says Bajarin.

But even if your business isn’t a retail operation, you’ll have to think about NFC. Because NFC doesn’t require a PIN code, you’ll need to educate employees about the need to immediately freeze financial accounts if a smartphone is lost or stolen. And you’ll need to have a game plan to remotely wipe devices in the case of vulnerable data.

And as with most emerging technologies, you’re better off planning while NFC is the next big thing, rather than scrambling when demand hits.

Like this article? Connect with us @ITinsiderOnline

Photo Credit: @iStockphoto.com/lenta

Are Free Public Wi-Fi Networks Safe?

You already have plenty on your plate, whether you are implementing and maintaining technology, helping to resolve technical issues or ensuring your company’s data is safe and secure. Now, you can add the proliferation of rogue free public Wi-Fi networks to that list.

Free Wi-Fi connections can be tempting for traveling employees. And hey, you can’t blame them, as one less item on an expense report can make them look better -- especially if your company is tightening its belt. But talking to them about the risks can help protect them -- and you.

How Rogue Free Public Wi-Fi Works
Tech-savvy thieves are taking advantage of users’ thirst for constant connectivity. “The basic idea is someone in vicinity has created a ‘free Wi-Fi network’ that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too,” says Tim Bajarin, president of Creative Strategies, a tech consultancy in Campbell, Calif.

“These ‘rogue’ networks are really individuals who have software to hack into your systems -- and because the majority of people’s laptops are not protected, they’re a lot more susceptible than they think.”

In fact, New York-based independent security consultant Dino A. Dai Zovi says he and a colleague, Shane Macaulay, authored a tool called KARMA to demonstrate the risk of unprotected wireless networks. “KARMA acts as a promiscuous access point that masquerades itself as a wireless network,” explains Dai Zovi. “It makes the victim connect to our rogue wireless network automatically.”

Rogue operators will often craft network names similar to the name of the hotel or the coffee shop where your end user is attempting to connect. One careless click and your data is exposed.

Scary stuff. So, what to do?

Tips for Safer Surfing on Free Public Wi-Fi
You’ve got your work cut out for you, and it starts with employee awareness, say the experts. Consider these steps:

  • Avoid free public Wi-Fi. Caution employees to steer clear of freebies. “When I go to hotel, I make sure they have a wired [Ethernet] connection,” says Bajarin. “And if I want to go wireless on my laptop or other devices in my hotel room, I bring an Airport Express with me,” he adds, referring to Apple’s compact wireless router.
  • Be efficient. If you or your end users can’t avoid a free public Wi-Fi network, “get on, get what you need and get off -- and don’t do any financial things until you’re back at home," cautions Bajarin.
  • Use VPN. Only use free public Wi-Fi if you have VPN (Virtual Private Network) access, says Dai Zovi. “Otherwise, everything you do can be easily monitored by anyone nearby.” Citing recent Firesheep attacks, Zovi says that even password-based networks can be attacked by malicious types. Firesheep is an extension for the Firefox browser that can grab your login credentials for sites such as Facebook and Twitter.
  • Give employees your own connection. Another option for mobile workers is to use WAN-enabled laptops, USB sticks with cellular connectivity or to create a mobile hotspot through a smartphone or tablet.
  • Use security software. Make sure all security software is updated regularly, enable firewalls and give employees a means to encrypt sensitive data.

Only through education, secured connections and some common sense can your employees keep personal and professional data safe from cyber-snoopers, waiting to attack through a free public Wi-Fi.

Like this article? Connect with us @ITinsiderOnline

Photo Credit: @iStockphoto.com/gulfix

Protect Your Company’s Bank Account

Here's a sobering thought for anyone who has a small business account: If your account gets hacked and thieves break in, you're not going to get your money back.

Unlike consumers, small businesses are on their own. The FDIC does not insure small business bank accounts for cybertheft (although it does insure them for other types of theft up to $100,000).

That's particularly bad news because cybertheft is on the rise. Tom Kellerman, vice president of security awareness for ethical hacking firm Core Security, says falsified wire transfers -- the primary type of small business account hacking -- is up 500 percent in the last two years.

The good news is there are some things you the IT decision-maker can do to lower the odds of a break-in. In particular: 

  • Limit the use of wireless. Kellerman says that wireless is a "very easy access point" for hackers. Best not to use wireless at all, but if you need to, use equipment adhering to the 802.11.i IEEE standard.
  • Move away from passwords. Even the best passwords aren't as secure as alternatives like tokens or biometrics. Tokens, which are physical objects like smart cards, are best paired with passwords to prevent fraud. Biometrics, using a fingerprint or voice, are unique to a particular user. (But of course, if you have a Trojan already lodged in your PC, such protection won't offer any help.)
  • Segregate your company’s banking data. Severely limit Web browsing on the PC that connects to your company’s bank account. Anton Chuvakin, principal of Security Warrior Consulting, takes this a step further and suggests that you have one PC on hand that just connects to your bank account and does nothing else. It’s worth it: The price of one PC (under $500) can completely protect your company from having its account hacked.

If Nothing Else, Be Smart
Security analysts say the best thing you can do is educate yourself and any other employees who might access the account on the dangers of phishing scams and Trojans. Since a Trojan causes mischief by lodging itself on your computer, the goal is to not allow that in the first place. So remind users to be extremely cautious about opening any suspicious email, particularly if it's sent over a social network.

Kellerman says that even fairly sophisticated users can be taken in by so-called “spear phishing” attacks, which mimic websites or email addresses of people with whom you do business. So a good way to minimize the risks of such attacks is to limit the amount of people and PCs allowed to access banking information. IT’s rep is on the line if data is stolen, so take control of access points. Says Kellerman: “There’s no point in administration privileges if you’re going to have it for a bunch of devices.”

Like this article? Connect with us @ITinsiderOnline