We’ve got some fresh stats and trends to share from data that we collected at the recent RSA Security Conference.  Many thanks to the “statistically significant” number of people that took the time to fill out our survey questionnaire.

Our survey results highlight some major security and compliance concerns for businesses – information security, visibility and policy enforcement remain a major problem in 2011.  Here are a few key data points:

  • 65% have no visibility into files and data leaving their organization
  • >80% use easily lost or stolen portable devices like USB drives and smartphones to move and backup confidential work files
  • >75% send classified documents as email attachments – including payroll, customer data and financial information
  • >25% have purposely used a personal email account (like Yahoo, Hotmail or Gmail) instead of their work account as a way to hide their file transfer activity
  • 55% said their companies provide – but do not enforce – policies and tools around sharing sensitive information

The fact that so many companies admittedly lack visibility into the files and documents that are moving around and leaving their organization is pretty scary.  How can an organization protect information that it doesn’t even know exists?  Clearly, increased focus is needed on first identifying sensitive data and then protecting it – these critical information security components should be carefully baked into an organization’s security, governance and compliance initiatives.

Lastly, I’d like to vent on the last data point for a minute.  Policy creation simply isn’t enough…. the enforcement of that policy is the critical step.  Writing down a policy but not enforcing it is just as risky as not having documented the policy in the first place. Creating the policy is a good start, but please please please don’t stop there.

This week’s NASDAQ data breach has raised serious questions about the security of the US stock exchange and clearinghouses – not to mention further shaken an already fragile investor confidence.

My head is spinning just contemplating the possible ramifications if this network breach had resulted in the theft of non-public inside information that could be used illegally to gain a stock trading advantage!

Ipswitch’s Frank Kenney shares some additional thoughts on this week’s NASDAQ breach, including why it’s so critical that your software/service providers be held accountable for the security and privacy of your files and data.   The confidentiality of your information may very well depend on it.

Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh, and there was also notification of a few data breaches; most notably McDonalds, University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two-dollar-a-gallon gas prices.

Lately, we are seeing more companies and institutions admitting to data breaches. Passwords get hacked and ATM cards, identities and cell phones are stolen all the time. Expect to hear about more breaches as companies move ahead of legislation that forces them to admit security breaches, and expect the media to pick up on the stories and run wild with them. What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.

For example:

  • the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
  • the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
  • the Gawker breach was about outdated encryption mechanisms and a rogue organization purposely trying to embarrass that community.

Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.

The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.

This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!

More than any other question, customers and prospects are asking me: What is the Ipswitch Cloud story? What are you going to do in the Cloud?

The Cloud has been the topic of discussion in many Product Management and Research & Development meetings and strategy sessions here at Ipswitch. While we may not have all the details sorted out, I want to provide you with my initial thoughts, and I’d like to encourage you to provide feedback.

Ipswitch looks at the Cloud as having multiple personae. That is to say, it represents various “things” to us.

In one sense, it’s a destination. When I use a Cloud-based service, my destination is the Cloud and there are attributes about this destination that are pre-configurable, predictable, and static, as far as connectivity goes. The notion of a set of Cloud Streams offered by Ipswitch is a real possibility. With over 10 million active users, we could offer pre-configured, governed connections to common Cloud-based SaaS providers like Salesforce.com or Office 365.

In another sense, the Cloud represents a way to broker information to some other endpoint that may be cloud-based or on-premise. Our Sendable offering is just that. We broker the interactions between people and systems. Brokering includes adding layers of visibility, management, and enforcement. In this case, it’s important to offer multiple ways of connecting and multiple ways of provisioning, from ad-hoc to more formalized adapters and interfaces.

Finally, we look at the Cloud as being half of any domain-to-domain exchange of information, whether it’s people-to-people, system-to-system, application-to-application, or business-to-business. Companies of any size need to seriously consider a hybrid approach to MFT, B2B, and EAI overall.

In my last three blog posts on the Ziff Davis MFT survey, we dove into security and compliance, highlighted other notable strengths such as speed, reliability, scalability and up-time, and looked at some perceived deployment challenges.

Today, let’s look at the business benefits of an MFT solution and how they impact an organization’s bottom line.

The survey did a nice job uncovering some supporting business processes which respondents claim were positively impacted by their MFT solution.  These include:  communications with remote office and remote workers, collaborating with external business partners, vendors and suppliers, distribution and fulfillment, compliance management and customer service.

Here’s a nice summary:  “Note how these improvements address the bottom line for an organization directly by improving efficiency, security, and customer outreach all at the same time.”  That’s quite an impressive trifecta!

I’ll conclude this 4-part blog series with a couple of closing thoughts:

  • I wholeheartedly agree with MFT solutions wearing the “unsung security and compliance solution” label. And that growing perception will spread as more and more organizations look at refining, automating, optimizing and securing their file transfer policies, processes and workflows.
  • It all comes down to visibility, management and enforcement.  Organizations need visibility into data interactions, including files, events, people, policies and processes.  They also need to be able to manage and automate internal and external data transfers and interactions.  And of course, organizations must be able to easily create and enforce administrator-defined policies and rules, including (but certainly not limited to) security.


“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article, gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
– Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

“Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
– Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving both internally and externally at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to seriously consider these numbers, so consider this tale as devine intervention (yes, that’s a play on Paul Shim Devine’s name). This is the saga of one man getting caught with his hand in the cookie jar. It’s actually a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization. It’s the story of a recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the 2 cent version. Back in April 2010 “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents,” and as for what they found Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information, but really, how often is this happening?

“Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had I’ve emailed spreadsheets or word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

“I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
– Alleged email written by Paul Shim Devine on Sept. 16, 2008.

OK, that’s one way: randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization is in terms of these kinds of policies?

“With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?

“Of the 385 organizations hit with data breaches so far this year, 113 were in health care.”
– The Identity Theft Resource Center (ITRC).

Are Dr. Howard, Dr. Fine and Dr. Howard in charge of the health care industry’s data security? You’ll most likely need 113 aspirin after reading this article on eWeek.com by Brian T. Horowitz.

In it, Horowitz quotes Jay Foley, executive director of the ITRC, who says that when it comes to data breaches, “hospitals are vulnerable to insider data breaches with the multitude of doctors, nurses, lab technicians, janitors and food service personnel circulating throughout the facility.”

The article also quotes Ipswitch’s very own Frank Kenney, VP of global strategy, who confirms the ITRC’s diagnosis. Frank notes that “health care facilities are not complying with HIPAA (Health Insurance Portability and Accountability Act) and regional government regulations on data privacy.”

As usual, Frank has a way of breaking the issue down to its most honest and simplest point, and he states that “even signing your name in at the front desk in a doctor’s office for all to see is a breach of HIPAA regulations.”

It’s an interesting read that may have you reaching for the Anacin.

I just finished reading a great article in Network Computing titled “Managed File Transfer Asserts Data Governance In Transit”.  Author Neil Roiter hit the nail right on the head by calling out the importance of visibility and governance over person-to-person file transfers.  And if you don’t believe us, just ask any eDiscovery judge!

Sure, organizations absolutely positively must carefully consider how to transfer staggering volumes of data between systems and servers, both inside and outside the organization – all with management, policy enforcement and visibility capabilities.

That being said, individual employees are sending files to other people too… And unless IT provides them with an easy-to-use process to accomplish this, they will find their own ways, such as personal email accounts, USB drives, online file sharing services, etc.

Increased focus on data security, governance, regulatory compliance and eDiscovery has really put pressure on IT to not only have complete visibility into the processes involved in data transfer, but ALSO THE PEOPLE.  Frank Kenney sums it up well in the article:

“MFT can bring (person-to-person) file transfer under the corporate governance umbrella. We can give people ad hoc technology and enforce the use of those technologies. We make capabilities dead easy to use and enterprises have the right policies in place about how to use them. MFT products provide visibility and validation through dashboards, reporting, real-time updates on data transfer and audit trails.”

Some day, an eDiscovery judge may ask you to provide an audit trail with proof of chain-of-custody for a particular file that has bounced around your company and between people.  Here are just a few questions you’ll need to be able to answer: Who sent what? When? Where? To whom? Was it encrypted? And did it get there?

What will your answer be?
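The audit-trail questions above, worked as an added example that is not Ipswitch code: a small hash-chained transfer log in which every record stores the who, what, when, where, to-whom, encrypted and delivered facts and is linked to its predecessor, so one file’s chain of custody can be replayed and any later edit to the log is detectable. The addresses, timestamps and file contents are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64
# Constructed sample file; the hash, not the name, identifies "what" was sent.
PAYROLL_SHA = hashlib.sha256(b"constructed payroll Q3 spreadsheet").hexdigest()

@dataclass
class TransferEvent:
    event_id: int
    timestamp: str      # when (ISO-8601, UTC)
    sender: str         # who
    recipient: str      # to whom
    file_sha256: str    # what
    channel: str        # where: "mft", "email", "usb", ...
    encrypted: bool     # was it encrypted?
    delivered: bool     # did it get there? (far-end receipt confirmed)
    prev_hash: str = GENESIS
    record_hash: str = ""

def _digest(ev: TransferEvent) -> str:
    """Hash every field except record_hash itself, in canonical JSON form."""
    body = {k: v for k, v in asdict(ev).items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self) -> None:
        self.events: List[TransferEvent] = []

    def record(self, **fields) -> TransferEvent:
        """Append an event linked to the previous record's hash."""
        prev = self.events[-1].record_hash if self.events else GENESIS
        ev = TransferEvent(event_id=len(self.events) + 1, prev_hash=prev, **fields)
        ev.record_hash = _digest(ev)
        self.events.append(ev)
        return ev

    def verify(self) -> Optional[int]:
        """Return the id of the first edited or unlinked record, None if intact."""
        prev = GENESIS
        for ev in self.events:
            if ev.prev_hash != prev or ev.record_hash != _digest(ev):
                return ev.event_id
            prev = ev.record_hash
        return None

    def chain_of_custody(self, file_sha256: str) -> List[dict]:
        """Every hop of one file, in order: the answers an eDiscovery request needs."""
        return [{"when": e.timestamp, "who": e.sender, "to_whom": e.recipient,
                 "where": e.channel, "encrypted": e.encrypted, "delivered": e.delivered}
                for e in self.events if e.file_sha256 == file_sha256]

def build_sample_trail() -> AuditTrail:
    """Constructed events: the payroll file goes out by MFT, then by plain email."""
    t = AuditTrail()
    t.record(timestamp="2011-03-01T09:12:00Z", sender="alice@corp.example",
             recipient="bob@corp.example", file_sha256=PAYROLL_SHA,
             channel="mft", encrypted=True, delivered=True)
    t.record(timestamp="2011-03-01T17:40:00Z", sender="bob@corp.example",
             recipient="bob.home@webmail.example", file_sha256=PAYROLL_SHA,
             channel="email", encrypted=False, delivered=True)
    return t
```

The second hop is exactly the unencrypted personal-email transfer the survey numbers describe; `chain_of_custody` surfaces it, and `verify` shows that quietly editing that record afterwards breaks the chain.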

It’s great to have a line that’s far above the rest. It’s great to see that in the Magic Quadrant, it’s great to see that in a Wave, it’s great to see that in any industry report. But what does it all mean? As a technology provider, I understand that corporate executives like dashboards, spreadsheets, charts and graphs. These are the tools that many of them use to run their businesses day-to-day. But what does it mean to see a spike in the line, or what does it mean to see a drop in the line? The key to any reporting capability is to have solid analysis and analytics. For instance, a marketing executive needs to know why there are dramatic spikes in news reference volume from some vendors and not others. That same executive would also want to consider why search trends don’t follow news volume.

Continued in “Looking Deeper Into The Data: Analysis and Analytics”.

With all the news around the Apple iPad, I was determined that I would not buy one until the second generation became available. With the second generation, prices will undoubtedly come down and I’ll get more functionality than what’s available in the first generation. I learned my lesson with the first iPhone and the first iPod.

As I sat around on Sunday feeling very smug, I looked over at my five-year-old son who was playing with his iPod Touch. It hit me that not only do I have to base the decision of when to buy an iPad on my technology geekness, I have to base it on my son’s needs and desires. Simply put, the iPad, and similar gadgets, were not built for my generation…but built for my son’s.

With more and more digital natives entering the workplace and procuring executive positions in companies all over the world, the traditional methodologies, mechanisms, and technologies for dealing with risk will have to change. The reason for this is simple: digital natives place a different level of risk on personal and enterprise intellectual property and information. In a world where everyone can be found on Facebook and the intimate details of every company can be found via blog sites, forum discussions, and on a company’s website itself, determining how much risk should be assigned to any individual piece of information is changing and in fact becoming more dynamic.

Let’s expand this thought. What do we need to do to ensure that our technology is being built for use by “Generation I” (ones who always had iPods) and digital natives? If issues around security and trust dramatically change, as we see them already, what does the future WS_FTP client and WS_FTP server look like? What are the expectations that our future customers will have for this technology? Is it just a new experience, e.g. GUI change? Or do we assume that many of the basics around security and management are taken care of? What does it mean for portability and mobility? Should a user be able to carry around their WS_FTP license for use on any machine? This begs an answer to the question: are Google, Apple and Microsoft my real competitors, or are they just enabling the underlying infrastructure that will be and should be commoditized?

These are real questions that need real answers…and we need to have those answers very soon. As we embark on delivering technology and services that are aligned with our next-generation architecture, issues such as what to do about “Generation I” and digital natives must be addressed.

Just a few thoughts…

I was reading an article about budgeting for a data breach and it got me thinking.

A breach is only as damaging as the publicity and awareness around it. I just found out that the lock on my back door has been broken for the last year and a half. What a breach! Fortunately no one knew. Now I have it repaired, yet I still will not tell many that the incident happened in the first place. I would hate for people to start checking that back door, or the front door, or any other door to establish my risk tolerance.