
May 28, 2014

Avoiding the Risks of Poor Password Practices

The latest in a long line of security breaches hit eBay last week. On May 21st the company announced that, two months ago, hackers broke into its systems and stole the customer names, passwords, email and physical addresses, phone numbers, and birth dates associated with “a large number of accounts.” eBay is recommending that customers change their passwords immediately.


The good news is that eBay’s password data was encrypted using techniques that should be difficult for the hackers to crack. The bad news is that many users have the same password for multiple accounts. If hackers were somehow able to access a user’s eBay password — or any other password for that matter — many of that user’s accounts would be at risk.


Despite ever-more-sophisticated security threats, the humble password remains a first line of defense for your systems and network. It is absolutely essential to establish strict password policies and ensure that everyone in your organization follows password best practices.

May 22, 2014

Poor Security Habits Put Your Business at Risk

As reliance on centralized offices shifts to distributed business models and remote and mobile workforces, the lines between work life and personal life are blurring. The proliferation of devices such as smartphones and tablets, along with collaboration tools, video and social media, is driving this operational shift, enabling employees to become far more mobile than previously possible. Unfortunately, this also allows employees to engage in behaviors that can place company networks and data at risk.

May 13, 2014

Encryption Protects Sensitive Data

More and more organizations are using the public cloud to store data despite lingering concerns about security. Yet a study by U.K. security firm Thales found that these organizations are not taking basic steps to protect that information. Specifically, more than half of survey respondents admitted that they are not encrypting data in the cloud.


That’s unfortunate because data encryption is a nearly foolproof way to prevent a data breach. Encryption effectively “scrambles” data, which cannot be read without access to the correct encryption key. As a result, encryption can dramatically reduce, if not eliminate, the risk of a costly and embarrassing security breach.


The increasing use of cloud storage is just one of many reasons why organizations need to encrypt data. Encryption is designed to protect so-called “data at rest,” whether it’s stored on in-house systems, portable media such as thumb drives, or mobile devices. Encryption is also used to protect “data in motion” as it is transmitted across networks, sent via email and moved to the cloud.

May 5, 2014

Why You Still Need Rules around Thumb Drives

In January, the University of Texas MD Anderson Cancer Center notified more than 3,500 patients that their confidential information may have been compromised because a researcher’s thumb drive had been lost.

In December, the loss of an unencrypted thumb drive led a New England dermatology practice to pay a $150,000 fine under HIPAA.

Last October a thumb drive was stolen, putting the names, birthdates, phone numbers and health information of hundreds of Denver elementary school students at risk.

While much has been written about the risks of data loss associated with cloud computing and mobile devices, the humble thumb drive has largely been forgotten. But these portable storage devices — small enough to attach to a key chain — are capable of storing scores or even hundreds of gigabytes of data. That makes them potential security nightmares.

What’s the Risk?

There’s no question that thumb drives offer a convenient way for users to keep a copy of critical files handy. Just slip the device into a USB port, drag and drop files, and then pocket the device again. What could be easier? The tradeoff for that convenience is security.

Viruses: Users could bring in infected documents from home, or take home a business document to an infected PC, update it, and return it to a corporate file server. Network administrators typically combat viruses by installing antivirus software on email servers and restricting Internet sites with firewall settings, but the use of USB flash drives can bypass these safeguards entirely.

Inappropriate and malicious files: Users could bring in unauthorized software, MP3 files, video clips, pornography and other inappropriate files that affect productivity and violate corporate policies. Even worse is the prospect of spyware or keystroke loggers that could enable someone to capture passwords or other sensitive information.

Data theft: These devices greatly increase the risk of data theft and corporate espionage. A disgruntled employee or contractor could copy client lists, sales forecasts or research data in just a few minutes.

Data loss: Thumb drives open the door for data to fall into the wrong hands. Most of these devices have few or no security features. Anyone who finds a lost device may be able to access all the data on it. In addition, these devices can be quickly stolen from a desk, or “borrowed” and later returned to the office once the data has been copied.

What You Should Do

Thumb drives are extremely difficult for network and storage administrators to manage. Short of disabling all of the USB ports in an environment, they are nearly impossible to defend against.

However, it would be a mistake for organizations to attempt to forbid the use of the devices. To do so — or to create a burdensome set of rules — will simply drive their use underground and remove any control the business may hope to have over them. Ultimately, these devices cannot be locked out, so they must be accommodated and managed.

To deal with the potential problems personal storage devices create, organizations should develop guidelines and rules for their use. This should include educating users about the risks these devices can present, and establishing policies for taking data out of the office, or bringing files in from home. Encryption should also be used to protect sensitive information, particularly in regulated industries such as healthcare and financial services.

May 1, 2014

What You Should Really Expect from a Cloud SLA

The cost of data center downtime is on the rise. A recent study of data centers based in the United States found that unplanned downtime costs approximately $7,900 per minute, a 41 percent increase from the 2010 survey.

But your organization relies heavily on the cloud. It’s your cloud service provider’s job to worry about your IT infrastructure, and the service level agreement (SLA) guarantees 99.95 percent uptime. That means you only have to worry about a small fraction of a percent of downtime, right?

Not really.

While cloud SLAs typically include some type of “uptime guarantee,” some downtime is virtually inevitable. All the major cloud providers have had incidents of unplanned downtime. The SLA simply spells out how the cloud service provider will compensate you for downtime, which typically involves some kind of credit on your monthly bill.

However, keeping your data center onsite doesn’t make you immune to outages. On the contrary, onsite IT resources are probably more likely to experience downtime than cloud services. Few small to midsize businesses have the budget or IT skills to set up a fault-tolerant environment with the redundancy and failover capabilities necessary for high availability.

Cloud computing shifts this responsibility to the service provider, which is likely to have more sophisticated, enterprise-class technology, better management tools and a larger IT staff. Around-the-clock monitoring of your cloud services minimizes the impact of an outage.

Still, it is important to understand that you are trading one set of risks for another. For example, we recommend that our cloud customers maintain a redundant Internet connection to ensure business continuity in the event of a telco service disruption.

Some customers look at cloud SLAs and think there will be no downtime, which creates the wrong expectations. We view the cloud SLA as a way to ensure clarity and transparency with our customers.

The Cloud Standards Customer Council offers the “Practical Guide to Service Level Agreements,” which is designed to help organizations develop cloud SLAs that satisfy their business needs. We encourage anyone considering cloud services to read this document.

A cloud SLA should be developed cooperatively and document expectations, define responsibilities, eliminate confusion and protect your interests. It should include very specific parameters and protocols for availability, performance levels, security, storage and backup, troubleshooting, updating of cloud services, managing disputes and how cloud services can be seamlessly shifted to a new provider. It can also include guidelines for maintaining regulatory compliance, particularly in the medical, financial and retail industries.

ICG’s IT-as-a-Service offering enables you to leverage the cloud to improve how you do business. Unlike the large, impersonal providers, ICG is a local partner that will work with you to develop a customized cloud strategy and SLA that meet your specific business requirements.