“Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving both internally and externally at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to seriously consider these numbers, so consider this tale as devine intervention (yes, that’s a play on Paul Shim Devine’s name). This is the saga of one man getting caught with his hand in the cookie jar. It’s actually a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization. It’s the story of a recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the two-cent version. Back in April 2010, “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents.” As for what they found, Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information, but really, how often is this happening?

“Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had, I’ve emailed spreadsheets or Word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

“I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
Alleged email written by Paul Shim Devine on Sept. 16, 2008.

Ok, that’s one way. Randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization is in terms of these kinds of policies?

“With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?

Did you kill the web?

Let’s check your alibi. Think of how you spent your morning. Normally, I’d share my morning with you here, what websites I’ve visited and what apps I’ve used, but my boss reads my blog posts, and if she knew how much time I spent on … well, let’s let Chris Anderson illustrate the point I’m trying to make:

“You wake up and check your email on your bedside iPad — that’s one app. During breakfast you browse Facebook, Twitter, and The New York Times — three more apps. On the way to the office, you listen to a podcast on your smartphone. Another app. At work, you scroll through RSS feeds in a reader and have Skype and IM conversations. More apps. At the end of the day, you come home, make dinner while listening to Pandora, play some games on Xbox Live, and watch a movie on Netflix’s streaming service. You’ve spent the day on the Internet — but not on the Web. And you are not alone.”

Chris Anderson and Michael Wolff, in an article on Wired.com titled “The Web Is Dead. Long Live the Internet”, present a compelling argument for the demise of the World Wide Web and how “simpler, sleeker services”, like apps, “are less about the searching and more about the getting.”

Peer to peer file transfers are among the suspects at the crime scene:

“The applications that account for more of the Internet’s traffic include peer-to-peer file transfers, email, company VPNs, the machine-to-machine communications of APIs, Skype calls, World of Warcraft and other online games, Xbox Live, iTunes, voice-over-IP phones, iChat, and Netflix movie streaming. Many of the newer Net applications are closed, often proprietary, networks.”

This is one of the most interesting articles I’ve read in a while. Give it a read, and feel free to share your thoughts and whether or not you’re placing any yellow crime scene tape over your PC.

People are non-consistent, incredibly stubborn and risk-prone when it comes to information technology. Bottom line: you can’t, nor should you, depend on them to accurately establish and mitigate risk according to your corporate standards and policies.

What an incredibly geeky statement to make…

But it’s absolutely true. The future set of technologies from Ipswitch will include capabilities that better allow IT departments to have visibility, management and control of the things that people do. As vision and strategy guide, it’s easy for me to make this statement, but trust me, our product manager and senior developers are looking at me through the crosshairs of their rifles and shotguns. That is because they understand people dynamically assign and mitigate risk, based on context that we just cannot re-create in current IT environments.

read more “Living at the Intersection of People and Technology”

Frank Kenney, VP of Global Strategy, Ipswitch

Frank Kenney, Ipswitch’s VP of Global Strategy, recently spoke in London at a press conference for InfoSecurity Europe, Europe’s leading information security event, which takes place on April 27-29, 2010.

Dan Raywood from SC Magazine UK attended this week’s press conference and his article can be seen below:

Problem with the professional consumer is leading to an information security headache
Dan Raywood  January 15, 2010

The culture of the professional consumer, or ‘prosumer’, is leading to increased problems within the workplace.

L. Frank Kenney, vice president global strategy at Ipswitch File Transfer, explained that a ‘prosumer’ is a consumer buyer who purchases an electronic device from personal funds but intends to use it primarily for business rather than consumer applications.

read more “Frank Kenney: Problem with the prosumer is leading to an information security headache”