Just like IT systems are moving away from monolithic big-bang style releases to agile increments, so it seems is life in related areas. Business continuity, enterprise computing, information security, and the major business systems that are affected by them – notably supply chains – seemed to have less thunder and lightning in 2015, and more trending cloudiness (or was it cloudy trendiness?).
A big driving factor in the search for the perfect biometric security app is the wish to stop using current user ID and password access methods. The biometric body-part solutions typically have the advantage of being unique (unforgeable) and impossible for a user to forget, because of course his or her fingerprints, etc. are always to hand. Here’s a rundown of some of the contenders:
Revelations of government snooping and pressure on cloud providers to provide customer data to authorities have led to new developments in the way encryption is applied. The problem came about because the providers did the encryption of the data, but also held the encryption keys. That meant that customer data was protected from everyone else, except from the provider itself. Of course, the option for customers to encrypt their data before sending it to the cloud for storage has always existed, but makes it more difficult to use the data for cloud-based applications. A recent twist to the encryption saga is BYOE, also known as BYOK (Bring Your Own Key). How well does this answer concerns about data privacy in the cloud?
Data breaches, IT incidents or any other corporate disasters have an impact on a company’s standing. Reputation management is a matter of protecting that standing or of keeping damage to minimal levels. In some cases, a data breach may not need to be declared to the public. In other cases, when customer, medical or other personal data is compromised, a company has no choice but to advise consumers, patients and other individuals about the risks engendered. An interesting insight from MIT’s Sloan School of Management into how the public at large perceives enterprises and organisations suggests that trying to leverage feelings may be a bad move, when it comes to reputation management.
If you use a cloud service or let your employees access company systems from their own smartphones, you’ve probably already noticed how your IT security world has expanded. What used to be a tightly defined domain behind a firewall has morphed into something that now extends to the far confines of cyberspace. As a matter of principle, any business data that travels outside the company perimeter is automatically at greater risk, even if enterprises make great efforts to keep the risk delta as small as possible. However, the macro-style solution of a bigger firewall no longer works when you have to deal with the Internet at large. Micro-oriented approaches offer an alternative.
Have you ever looked at an IT security plan and wondered, “what’s wrong with this picture?” When words like “policy”, “procedure” and even “implementation” are prominent, but others like “user”, “training”, “performance” and “awareness” seem to be pushed into the background, there may be room for improvement. Unless your context is entirely “lights-out” and computer-driven (still rare even in this age), human beings will be an integral and fundamental factor in your IT security planning and management. And unless your context is completely on-premises without any connections to the cloud (increasingly rare), the days of the bolt-on, “bigger fence” are numbered.
Business continuity priorities don’t come much bigger than having a properly functioning supply chain. Whether an organisation is in the private or the public sector, supply chains have to work without interruption, profitably and to the satisfaction of end-customers. Over time, observations and experience have helped put together the following list of tips for BC management of this critical part of all companies. As we progress through 2016, here’s what to look out for.
Corporate policies on anything from safety to ethical sourcing are all about rules. Do this; don’t do that! Often created from the experience of everything that went wrong in the past, policies can soon turn into large, unwieldy documents. IT security also has its rules, some of them born of common sense, others of past problems. These rules, for checking attribution of user access rights, encrypting data volumes and similar precautions, can easily mount into the hundreds. Some cloud services vendors now make rules-based management services part of their offering to customers, but with a key advantage that sets them apart from those other chunky policy documents that managers must cope with.
Barrels of apples can go bad, both literally and figuratively, because of just one rotten apple. The rot spreads from one apple to another until the whole barrel is infected. Not so long ago (in 2014), experts from security company ESET discovered 25,000 servers infected with malware, some of these servers being grouped together in a network and infected together. The common factor was the installation of the Linux/Ebury malware, allowing login information to be harvested and communicated to the attackers who installed the malware. According to the experts, attackers needed to compromise just one server to then gain easy access to others in the same network. But was this one bad apple – or the whole lot?
System hacks, data breaches and information theft are frequently in the news, and will surely continue to feature strongly in 2016. However, recent crystal ball gazing by different actors and experts yielded an intriguing variety of predictions for the coming year. Broadly speaking, there are IT security trends we can expect, those we should suspect, and those that sound a little like cyber-fiction, but still sound just credible enough to be given at least a modicum of attention.
What do encryption and reputation have to do with each other? On the face of it, the link seems tenuous. However, if a data breach occurs, encryption could be the difference between intense corporate embarrassment and a corporate reputation that remains untarnished. Of course, we’re talking about more than standard encryption of data in transit with SSL. This must be complemented by encryption of data at rest. Organisations are then better protected all round. In some locations, there is no obligation even to inform consumers if only properly encrypted data has been breached. But is this a reasonable approach? And if so, why did at least one recent high-profile corporate victim fail to encrypt highly sensitive, compromised data?
Does this sound like a contradiction in terms? If your idea of cryptography is all about keeping confidential information hidden from prying eyes, then the idea of applying it to information that is then consumable by others may seem strange, to say the least. However, this is a major function of cryptography too. It makes it very difficult to change information without such a change being easily detected. Practical examples of application include secure transfer of funds: for example, you wouldn’t want anybody to add an extra zero at the end of that payment you just made. Business applications of cryptography in this sense can go much further too.
Embarrassing – or inevitable? How you view a failed security audit, whether in IT or at an overall organisational level, depends on whether you think security is a result or a process. There is a fundamental difference between the two points of view. In addition, current trends suggest that security is becoming less of an achievable state, and more of a continual improvement. Surveys confirm that many organisational executives consider that security breaches are no longer a question of “if”, but of “when”. In that case, a security audit should always “fail”. What counts is the reaction to such failure.