Everyone from Walmart to my 10 year old nephew is using cloud computing.  Small and mid-sized businesses see it as a great way to use the types of services that were only available to large organizations in the past.  Large companies see it as a way to scale quickly and provide new services fast.  My business runs completely in the cloud.  Ten years ago this would have been impossible.

Businesses are taking advantage of filing sharing services from Onehub, DropBox, Egnyte, Box and others to share documents across PCs, Macs, smart phones and tablets.  Evernote is a great service for sharing meeting notes and documents with colleagues.  Numerous other services exist for collaborating with customers, business partners, development teams and anyone who needs access to information quickly and from any device.  The cloud has become a big virtual file cabinet for most of us.

Before you use any computing system you should decide how you will use it.  Will it store sensitive information about your business?  Will it house brochures and marketing collateral?  Will it contain credit card information or personal information about patients?  Whether the system is in the cloud or in your server room, you need to decide the sensitivity of information before determining how you should handle it.

If you store confidential information in a file cabinet or safe, you lock it.  The same applies to electronic files and documents.  You need to lock down anything sensitive or confidential so only those who have a need can access the information. This is logical, but is also time consuming. You could take a blanket approach and lock down every piece of information in your organization, but that might not be practical or feasible. It makes more sense to determine the sensitivity of something and then take appropriate measures to secure it.

Putting information into the cloud is no different from putting it anywhere else. Some people think the cloud is some magical place of unlimited computing and storage in the sky – I always thought it was. The cloud is really millions of servers in data centers all over the world with hard drives, CPUs, memory and software providing computing on demand through virtualization techniques. These are the same servers and software that sit inside your company’s private data center or server room.  Securing information in the cloud is really no different from securing it anywhere else.

The best way to secure and control your documents is to encrypt them with a persistent security policy.  Whether they are in your email system (local or cloud-based), an on-premise SharePoint server or a cloud-based file sharing service, you need to take the same care.  If you have a document sitting in SharePoint that should not be seen by anyone outside Finance, you better lock it down with a policy that limits its access to Finance.  When you move it to the cloud, the same security should apply.

The confidential nature of some information is time sensitive, such as earnings reports. Once you announce quarterly earnings, the information is public and no longer confidential. Other information is always confidential, like a social security number or Personal Health Information (PHI).  Once you decide the sensitivity of something, you can decide how to lock it down and where to put it.  Don’t assume your on-premise systems are safer than a cloud service or vice versa.  Cloud providers are in the business of keeping their systems running and keeping your information secure. That’s all they do. If they don’t, they will go out of business. Your IT department is charged with a lot of things and may not be expert at everything.  Security may be good, but IT has a lot of other things to worry about.  Just look at all the data breaches that are constantly in the news.

Assess your information, decide what is sensitive and lock it down with the appropriate level of access permissions.  Determine how long the information should stay confidential and apply policies that enforce that timeframe.  If a document gets into the wrong hands, you can revoke access rights to it and then no one can use it.  Whether you put your sensitive information in the cloud or not, lock it down. You’ll sleep better.

The world is moving at lightning speed today.  People used to talk about doing business at the speed of the Internet and it’s clear we are already there.  Change is the only constant, which has been attributed to Heraclitus, Isaac Asimov and others, is the only thing we can rely on.

Just look around at the world of business, academia and government.  Everyday new products, services and ideas are emerging.  Customer loyalties are shifting as frequently as the tides.  Companies that were thriving a few short years ago, may be gone or struggling today.

Look at what’s happened to book stores. Borders declared bankruptcy and a lot of the smaller ones have closed.  People are buying ebooks, listening to audio books or buying physical books from Amazon. When is the last time you went to a travel agent?  Most people go online to Expedia, Orbitz or Priceline to book travel. How about using a traditional stock broker?  We still use the post office, but email has replaced a lot of our correspondence – and more of it is in the cloud than ever before.

Software as a Service (SaaS) is growing because businesses need to change quickly.  They need to keep up with their customers.  Every week a new smart phone hits the market and more people are using them to find and make purchasing decisions.  The term office worker is becoming outdated, since most people don’t sit in a traditional office anymore.  Everyone is using mobile devices from laptops to smart phones and tablets for work and play.

Using traditional on-premise systems can’t keep up with the pace of business.  It used to take 18 – 24 months to rollout a new ERP or CRM system.  By the time you were done, the system was obsolete.  No one can take the time to do that anymore.  Business systems must be flexible and fast to implement.  They must be accessible from Android phones, iPhones and iPads.  They have to scale up and down quickly.  They have to accommodate people at all times of the day and everyday, since business is international and doesn’t sleep.

Today, one of the largest SaaS companies is going public.  Facebook has over 900 million users and many of us turn to it for our sales and marketing efforts.  Workday, an HR management company, is planning to go public this fall.  ExactTarget, an email marketing company, went public earlier this year.  In fact, most of the IPOs today are for SaaS companies.  That’s a lot of people using SaaS and expecting to have access all the time from anywhere on any device.

Organizations use Facebook, Google, LinkedIn, Pinterest, Twitter and other outlets to drive business.  They use Salesforce.com for CRM, Netsuite for ERP, DocuSign for electronic signatures and many other services for everything from invoicing to IT management.  All of these are SaaS companies and we use them because they are innovative, let us get up and running fast and provide us with the flexibility we need to meet our customers’ demands.  10 years ago only 3 of these businesses even existed – you get to figure out who.  Now many of the them are worth $1billion or more.

The consumerization of IT is blurring the lines between work and play.  People are demanding the same rich application experience at work that they have in their personal lives.  The old way of doing things is dying and SaaS is capturing more and more of all the businesses that will thrive in the future.

Are you thriving or stuck in a rut?

Photo credit worthyfm

Data breach headlines are almost becoming a cliché.  Not a week goes by when I don’t read about people stealing information from a company or someone losing a confidential document.  Just this week 435 credit card numbers and 1,175 social security numbers at the University of Maine and 1,007 online store transactions at the University of Arkansas computer store were compromised by hackers.  This may not be as large as the 280,000 social security numbers stolen from the Utah Department of Health in April 2012, but it’s a big deal to those people affected.

The cases above were deliberate acts, but sometimes a data breach is unintentional.  It could be as simple as an employee forgetting they had confidential documents on a USB flash drive and misplacing it.  Or maybe someone accidentally emailed an HR spreadsheet with employee’s personal information to a friend.  We all love email look ahead, but sometimes it can bite you.

This past week an internal memo from Kodak found its way into a newspaper.  The leaked memo was from Kodak co-President Philip Faraci talking about the company’s success at the Drupa print media fair in Germany. In the memo, Faraci said:

“Visitors are not just coming to see what we have to offer, they are coming to buy. By day two, we were at 30 percent of our Drupa sales goal — and by day four, we had reached more than 60 percent.”

The official response from Kodak says they do not release trade show financial performance.  A nice way of trying to cover up the fact that something internal became public.  Kodak is having enough problems without bad press dogging them.

This may not be a big deal for Kodak, but it’s definitely embarrassing.  On the other hand, this may cause them legal and financial trouble.  Kodak is a public company and as such must meet strict rules for financial disclosure.  Clearly this gives the general public an idea of internal financial information.  They may be violating laws or just showing they can’t keep track of internal information.  Not the best show of controls needed to comply with Sarbanes-Oxley and other legislation.

Most of us worry about hackers stealing our information, but you also need to worry about employees and contractors accidentally giving information to the wrong people.  The leaked Kodak memo is just one example of an insider deliberately or accidentally causing problems.  Either way, you still have the same consequences. 

How many people have access to very sensitive documents inside your organization?  You constantly hear about new product designs getting leaked onto the internet.  RIM’s devices have been leaked for months, but this may be a deliberate attempt to show the market its still viable.  But it may not and could cause a lot of problems.

Just prior to announcing its quarterly earnings in May 2011, 3 memos were leaked from HP’s CEO that painted a very bleak picture for the company.  The memos warned of upcoming cost-cutting measures that pointed to a rough few quarters ahead. As a result HPs stock lost $4 billion. That’s quite an oops.

And think about all the documents that are floating around on Dropbox, Apple iCloud, Box, Microsoft SkyDrive, Google GDrive and a hundred other file sharing services.  If one gets into the wrong hands, your business could have a lot of problems.

One way to solve this problem is to encrypt your documents with a persistent security policy that controls access to them.  Having the ability to dynamically change access permissions is critical in these cases.  If an organization realizes a document got into the wrong hands, a quick click of the mouse changes the policy on the fly.  Since the encrypted file checks the user’s access rights and permissions every time someone tries to open it, you can immediately prevent leaked information from going anywhere.  Sure I might have the document, but I can’t read anything inside.  That’s makes it useless.

Kodak may have been able to enjoy the success its having at Drupa this year calmly, but instead it needs to worry about bad press.  Whoever said all press is good press never had to deal with the fallout of a leaked document.

Photo credit roy costello

It’s 2012.  Do you know where your data is, who has access to it and what they are doing with it?

These are 3 fundamental questions that every organization should ask, because most people can’t answer all of them.  You know you have data in databases.  Most financial and customer data sits there and is hopefully protected by encryption.  If you aren’t sure, you better check.  But a lot of that data makes its way into spreadsheets, customer proposals, quotes, reports and numerous other documents.  Do you know where all of them are and who is accessing them?

Data breaches seem to be in the headlines almost every day.  Just do a Google search on “data breach” and you will get more than 29 million hits.  Do a search on News stories in the last month and you will get over 2400.  Here are a few interesting stats from 2011 according to the Verizon 2012 Data Breach Investigations Report.  The report reviewed 855 confirmed security breaches that affected 174 million compromised records in 36 countries.  This is the largest number of breaches ever reported.  In all likelihood there were probably more that went unreported or discovered.

Just this week the Florida Department of Children and Families notified 100,000 child care workers that their personal information may have been compromised.  It was stored online, but it wasn’t password protected, and low and behold, someone found it and stole it.  That’s like waving a sign in front of a bank vault and saying “Come in, please grab your free money”.

No one should store personally identifiable information (PII) online so that anyone can find it with a simple Google search.  Passwords are about the most basic form of security we have and at a minimum the information should be password protected.  Why was it online at all?  PII is sensitive and should be tucked away behind a lot of security.  This incident points to issues about data retention, basic security and a lack of training.

Organizations need to understand a few things about their data.

• The data they collect includes some form of PII or other sensitive information
• If a business collects data it will experience a data loss incident at some point
• Data security is everyone’s concern

Most organizations believe that collecting as much information about their customers is very important to their business.  They can do better marketing and they need customer information to process orders.  This is true to a point.  There is a key rule of thumb when it comes to collecting data.  You can’t lose it if you don’t have it.  This may sound overly simplistic, but think about it.  Do you really need a customer’s social security number to process an order or market to them?

When it comes to customer information, keep the data that provides you with a competitive advantage and get rid of the rest.  Keeping names, email addresses, industry and similar demographics is adequate for marketing.  A better approach is to aggregate data to find patterns, not worry about an individual.  Keeping aggregated data and discarding PII reduces your risk of a severe data breach.  That may not always be possible, especially if you are in the healthcare or financial services industries.  In those cases, you need to understand what you have and who has access to it.

This comes down to data classification and employee training.  Every organization needs to define sensitive and confidential data.  Where is it, how do you store it and who can access it?  If your business requires collecting a social security or national identification number, access to that should be limited.  You should keep it separate from other basic information, like name and address. 

Next you need to provide employees with privacy and data security training.  You should teach people about data collection processes, retention policies, safe handling and sharing of confidential and sensitive information.  This also includes the importance of unique strong passwords and safe computing practices.  And this is not a one time event, but an ongoing process.  Part of the training should be what to do in the event of a data breach.  Just like you teach people how to respond to a fire or burglary, they need to understand what to do if there is a data breach.

It’s very important to understand the information in your organization, where it is, how sensitive it is and who can access it.  Is it in the cloud, on people’s desktops, in your web server?  Many of the data breaches in the past year were caused by sloppy security, like default passwords or no passwords.  It’s true that IT is responsible for server and firewall security, but everyone in your organization is responsible for information they touch.  Using “password” as a password is still very common.  Teach employees how to identify sensitive information and how to handle it properly.

Look at what you are collecting on a regular basis.  If it’s PII and you need to keep it, make sure access is limited and the information is encrypted.  If you don’t need it, get rid of it.  Imagine the look on a criminal’s face if they get into your secured environment and find it’s empty.  It’s like opening a safe and finding nothing.  Now that’s good security.

Photo credit Arenamontanus

I just finished reading a book where the entire operations of a financial company are digital.  “The Fear Index” by Robert Harris is a thriller that combines the world of hedge funds with an algorithmic trading program that becomes autonomous.  The financial company uses no paper in its operations.  In fact no paper products or anything related to them are allowed in the offices.

There are no magazines or newspapers in the reception area.  It is company policy that as far as possible, no printed material or writing paper of any sort should pass the threshold.  They came up with a clever incentive to ensure this.  Each employee is required to pay a fine of 10 Swiss francs each time they were caught in possession of ink and wood pulp rather than silicon and plastic.  Violators would have their names posted on the company intranet.

It’s amazing how effective this was in changing behavior.  They also realized that they couldn’t control if their visitors carried paper, but it was very evident from the lack of paper in the office, that it was frowned upon.

The company had its rubric as a screensaver on every computer in its office.

THE COMPANY OF THE FUTURE WILL HAVE NO PAPER

THE COMPANY OF THE FUTURE WILL CARRY NO INVENTORY

THE COMPANY OF THE FUTURE WILL BE ENTIRELY DIGITAL

THE COMPANY OF THE FUTURE HAS ARRIVED

This might sound like a dystopian future or a dream, but I think many companies are there today or well on their way.

In 1999, Bill Gates wrote a book called Business @ the Speed of Thought where he discussed how a Digital Nervous System would integrate business processes with technology.  One of the things it preached was the paperless office and how the Internet and computers would effectively change the way everyone does business.

Let’s take a look at where we are in this brave new world.  According to IDC, manufacturers shipped about 1.5 billion mobile phones and 67 million tablets in 2011.  Tablet sales are expected to increase to 326 million by 2015 according to Gartner.  On April 24, 2012, Apple announced a 94% increase in earnings for the quarter with IPhone sales at 35.1 million units, up 88% from a year ago.  Apple sold 11.8 million iPads, up 151% from a year ago. 

After 244 years, Encyclopedia Britannica will cease production of its iconic multi-volume book sets and go all digital.  The Baltimore Ravens and the Tampa Bay Buccaneers moved their playbooks to Apple iPads last season and more NFL teams announced plans to do the same this year.  Alaska Airlines and American Airlines replaced their flight manuals with iPads.

I just have too look at my own life to realize that most business is done digitally.  I haven’t looked at a paper map in years.  I either use Google maps from my iPad or my laptop – sometime I use a GPS in the car.  I do all my bill paying electronically.  I purchase things online.  I read all my news online.  All my invoices are sent electronically and I get paid through bank transfers.  I use an electronic boarding on my phone when I fly.  The only reason I use paper is because someone else is still using it as part of a business process.  Even then, I scan the paper documents and put them into an electronic workflow to get rid of the paper.

My whole business runs electronically and most of it is in the cloud.  I use DocuSign to sign contracts and any document needing a signature.  I can take any electronic document and in minutes turn it into an electronic workflow.  I can sign it with my iPad, iPhone or laptop and complete the entire transaction in a few minutes.  I use Onehub to share presentations, reports, statements of work, videos and training materials with numerous customers and business partners.  I use Evernote to share interview notes and general strategy information.  I share business and personal information on Facebook, Google +, Flickr, Slideshare, YouTube, Pinterest, Twitter and LinkedIn.  No matter where I am I can access business information on any device.  It’s all digital and its in the cloud.

This past Sunday April 22, 2012 was Earth Day.  Thinking about ways to conserve our natural resources was one thing on my mind as I thought about this topic.  Eliminating paper from business is one way to save trees and water.  It also keeps toxic chemicals out of the air and ground water.  And it’s good for business.  No matter how you look at it, doing business digitally is faster and far more efficient than anything we have ever experienced.  The future is here and we are living it.

The autonomous program in “The Fear Index” gave a chilling but possibly realistic view of where things may be headed.  After it took over (you have to read the book for all the fun), it put up a new screensaver on all the computers.  The last two lines are:

THE COMPANY OF THE FUTURE WILL BE A DIGITAL ENTITY

THE COMPANY OF THE FUTURE WILL BE ALIVE

Photo credit Big Game Hunter

How often have you accidentally sent an email to the wrong person?  If you’re lucky, there are no consequences other than apologizing for sending someone the wrong information.  Unfortunately too often, there may be dire consequences.  If you sent confidential company information to your competitor, that could be a big problem.  You could be in legal and financial trouble.

Email is still the medium we use the most to communicate information to friends, coworkers, customers and business partners.  It’s available on any platform and it becomes a default filing cabinet for many of us.  Because of its ubiquity, a person with malicious intent can cause a lot of havoc by simply emailing sensitive information to themselves or a confederate.

Here are two interesting examples of sending information to the wrong person.  One was accidental and the other deliberate.

I use Verizon Wireless as my cellphone carrier.  I get an email from them every month reminding me to pay my bill.  In the email is my total balance due and a link to click if I want to pay it online.  It’s very convenient and I appreciate the service.  The email also contains the last 9 digits of my account number.  Imagine my surprise when I got an email from Verizon saying my monthly bill was $1810!

By examining the email shown below, I noticed there was no account number and there were 9 other recipients in the To: line.  At first I thought it was spam, but everything else looked legitimate, including the sender address.  I concluded that this was a mistake and the total balance due was the sum of all the customer’s bills.  I got my legitimate reminder later in the day.  Fortunately no account information was shown, but now I have the email addresses of 9 other Verizon Wireless customers.  This could be a perfect opportunity for a phishing scam.

A deliberate act of stealing information also occurred this week using email.  An employee from the South Carolina Department of Health and Human Services compiled medical information from about 228,000 people and sent it to his private email account.  He gathered this information into a spreadsheet over the last few months.  It contained Medicaid ID numbers, which are linked to Social Security numbers.  Other people had their names, addresses, phone numbers and birth dates stolen.

The agency estimates it will cost about $1 million to hire a firm that is contacting the affected patients and offering personal information protection.  A security review and upgrade will cost up to $500,000. The state could also face federal penalties for violating patient confidentiality laws with a maximum fine of $1.5 million.  This data breach could cost the state of South Carolina at least $3 million.  There are probably other costs that they haven’t yet thought of, so the true cost will be much higher.

In both cases, emails were sent to unauthorized people.  Imagine if Verizon and the South Carolina DHHS had a way to “kill” the attachments after they had been sent.  Persistent file-level security allows organizations to manage sensitive information after it has left the premises – either intentionally or unintentionally.  They could define a policy so that any document with specific information, like an account number or Medicaid ID, is encrypted and the document limited to certain people.  The policy can control who can open the file, what editing features are available, the time frame within which the file can be opened and the ability to revoke all access rights if the file was sent out in error.  That turns an oops into a non-event.

Inadvertently sending documents to the wrong person can be embarrassing or cause major financial and legal problems.  Malicious theft is even worse.  Look at simple tools to prevent these problems in the first place.  We all would love an undo switch and persistent document security gives you that.

Photo credit The Atlantic Wire

That almost sounds like the title to a bad movie, almost.  In reality it’s a real problem today, since most of the important information inside any business is digital information.  In the past, if you wanted to keep your secrets safe, you locked your filing cabinets or stored paper documents in a safe.  Today, information is all over the place and in many forms.  Someone leaving your company could walk out the door with the keys to the kingdom.

Much of our important information is either sitting in databases or documents.  These may be on premise or in the cloud.  Most of us think that if it’s in a database, we have it secured, but a lot of people run reports that export the data into regular spreadsheets or word processing documents.

But it’s not just what we think of as traditional documents.  It’s also in presentations, videos, photographs, image and audio files.  Just think about how damaging the tapes of conversations from the Nixon White House were during the Watergate scandal.  It’s also email messages in your inbox and on email servers.  Voicemails on your cellphone.  Or it could be source code to your software product.  

Granted that a lot of this information is pretty innocuous, but clearly your company’s livelihood exists in many documents.  Your customer lists, financial information, manufacturing processes, product designs and even software source code are all written down somewhere.  All of this information is very valuable to your competitors and in some cases could invite legal action.  Think back to Enron, Goldman Sachs and of course the theft of sensitive diplomatic information from the US government that wound up on WikiLeaks.     

Is it really that common to have a departing employee steal valuable information?  According to studies by the Ponemon Institute, 65% of people admitted to taking email lists, 45% admitted to taking non-financial business information, and 39% said they took customer information.

In a study by Symantec last year, two forensic psychologists examined corporate data theft trends from existing employees and other insiders. The research showed that in about half of intellectual property (IP) theft cases the employee stole trade secrets, followed by business information such as billing information or price lists.  Employees also took source code, proprietary software, customer information and business plans.  In 75% of cases the person had authorized access to the information they stole.  That makes it a lot harder to solve this problem by strengthening perimeter based security, like firewalls and intrusion detection systems.

Why do people do it?  In some cases a competitor will pay a lot of money for corporate secrets.  In many, it’s so the employee can have an advantage in their next job.

So what can you do to prevent theft of your important information?  As with anything complex, it’s a combination of people, process and technology.  I’ll start with people, since that’s the most difficult.  When you hire someone, you should let them know about your information policies.  What is the company’s and what is theirs.  This needs to be reasonable.  Many companies still say anything created on company time or with a company device belongs to the company.  In today’s world with work and personal time blurred so much, this needs to be reasonable and spelled out.

Another important point is that your company needs to show employees their value.  If an employee is engaged, feels part of a team, enjoys their work and feels that the company values them, there is less likelihood of data theft.  The Ponemon Institute survey I cited earlier said that 61% of people who took information had a negative view of their company, while only 26% had a positive view.  I feel like I am an important and valued part of a company, stealing from the company feels like stealing from myself.  If I am unhappy, it’s easy to justify stealing.

On the technology front, many organizations spend a lot of money on perimeter security.  Much of that is intended to keep out the bad guys.  That does nothing for the trusted insider.  Since most of the IP in a company is in documents, the best way to protect yourself is by encrypting the files with a persistent security policy that controls access to the file no matter where it is.  If you suspect sensitive information was taken, you can remove the access to that document.  This renders the information inside useless.  It doesn’t matter if it’s a Microsoft Word document or a jpg.

Stopping information theft by employees is not an easy problem to solve. Your first goal should be determining the value of your information.  Then you can decide who should access it and how to protect it.  Creating a company of trusted, loyal, engaged employees is part of the answer.  The other is putting in technology that controls access to the documents that houses that information.  This protects malicious and accidental leaks.

Two way trust goes a long way.  But an added layer of security is there, just in case.

Photo credit mac_filko

Ah, the poor password.  We love it.  We hate it.  It’s the most maligned thing in our daily lives.  Whether you are at work, home or on the road, you use multiple passwords a day.  It’s the most common way we have to provide secure access to computers and applications.

Because we have so many passwords and we have to remember them, most of us are still in the bad habit of creating ones that are easy to guess.  This happens for personal and business accounts.  It’s one of the reasons that important systems are hacked.

A case in point is the recent data breach at the Utah Department of Health where at least 780,000 people’s personal information was compromised.  According to IT officials investigating the matter, hackers got into the system because of a configuration error at the authentication layer of the server.  I think that’s corporate speak for someone was using a default admin password or one that was easy to guess.  If someone was guessing, the system should have locked out the account after a certain number of failed attempts.

Unfortunately this is more common that people realize.  When organizations deploy servers, applications, printers, routers and a variety of other devices, many of them have a default password.  It might be admin, default or sa.  It’s there to provide a starting point so a user can log into the system and configure it.  Many people don’t change the password or they create a new one that’s just as easy to guess.  Examples include password, someone’s name, 123456 and countless others.   

Another related issue is too many people have administrative credentials within organizations.  I remember working with a company years ago that had very strict rules for who had admin access and when they were to use it.  If a user needed administrative access to a system, that person had their own admin account.  It was against policy to share accounts.  The person would only log in with an administrative account to perform administrative functions.  Once finished, they had to log out.  They had a separate account for standard user tasks.

They also had a policy for two factor authentication for certain functions.  This relied on 2 users each having half of a password.  When needed, the two people had to be present and each would key in their half.  Today, there are many other two-factor authentication systems that don’t rely on 2 people, but require separate steps.  These are more efficient and secure.  Think about the voice print and retina scan system at the CIA in the first Mission Impossible movie with Tom Cruise.

The fatal flaw with the current password mechanisms is that we need something that isn’t obvious, but something that we can remember.  Some of the simplest ways to create a more complex password is to use upper and lower case alphanumeric characters plus a number or symbol.  Unfortunately those can be hard to remember.  It turns out that it’s more important to use a long password rather than a weird combination of characters.  Each additional character adds an exponential layer of complexity for a brute force dictionary attack.

That means that using “Pa$$worD” is much weaker than “IwishIhadamilliondollar$”.  If you are limited to a certain number of characters, make sure you pick the longest password you can.  Use a phrase you know, but add something random into it like a symbol or a few punctuation marks.  I also like adding spaces into passwords, because most people and hacking programs assume that a password is contiguous.  Unfortunately many online password systems won’t allow spaces or symbols.

Businesses at a minimum need to ensure the following:

1. Do not use default passwords
2. Only people who need to perform administrative tasks regularly should have admin accounts
3. After 5 or fewer failed login attempts, a system locks out the user
4. Change passwords every 90 days, at least
5. Do not allow simple passwords, such as the user name, “password”, etc.

Make sure you don’t use the same password for everything.  If a criminal gets one they can access a lot of systems.

Until the computer industry comes up with another authentication system as simple as the password, we are stuck with them.  Make sure you use a little common sense when choosing yours.  Because if someone has the keys to the castle, it’s very easy to bypass all the locks.

Photo credit marc falardeau

After you get married, you may want to change your last name.  Some people take their spouse’s last name and some combine last names with a hyphen; I even know some people who picked a completely different name.  Get ready for a tedious process that is still using paper and old fashioned shoe leather (walking around).

You’ll need to notify various government agencies, financial institutions and service companies of your name change.  Regardless of where you live, every country and state or province has similar procedures.  The same basics apply to all of them.

You can pay for a name-change kit or you can do it yourself.  Some places require you to file documents in-person, while others will let you change it over the phone, online or by letter.  Find out what the protocol is for each place on your list, as the rules and documents required may vary.  The common factor is that you will be completing a lot of forms and getting a lot of documentation.

The major concern with these processes is that most of them require paper documents.  This makes business processes slow, subject to errors and introduces security risks.  If you change your name, you have to travel from place to place with personal information, like social security numbers, on paper documents.  If you lose them or someone breaks into your car when you are grabbing lunch, you could be in bad shape.  You have a lot of personal information in those documents.  They would be a boon for identity theft.

Let’s take a look at what a typical person in the United States needs to do to change a name after getting married.

1. Get certified copies of your long-form marriage certificate.  This has your parents’ information and places of birth.
2. Get and complete Social Security form SS-5 to update your name; you can get this form online and complete it before going to the Social Security office.  You will need several original documents besides your marriage certificate proving your age, identity, and U.S. citizenship or lawful immigration status.
3. Take your completed SS-5 and documents to your local Social Security office.  You will have to stand in line to process your form.  Fortunately the Social Security Administration (SSA) will notify the Internal Revenue Service of the change once processed so you don’t have to worry about notifying them.
4. Go to your Department of Motor Vehicles (DMV) website and get the forms needed to update your driver’s license.  You can complete these before you go to the DMV.  If you are lucky, your change will coincide with your normal license renewal, but that’s probably asking too much.
5. Take your completed forms and go stand in line at the DMV.  Make sure you have your marriage license with you.  You should also bring a snack.  You might be there awhile.
6. Once you have your new SS card and driver’s license, you can change your name with everyone else.  Here are a few places to think about:

• Place of employment
• Banks
• Credit card companies
• Insurance companies (health, home, life, car to name a few)
• Doctors
• Utility companies (cable, phone, internet, gas, electric, cell phone)
• Alumni associations and club memberships
• Passport (this could be an article in itself)

Exhausted yet?  You don’t have to go in person to change your name at most of the places in number 6.  You can do many of these online or over the phone, but some still want documents.  And yes, many will ask you to fax a copy of something.  I can file my taxes and pay my bills online, so why can’t I change my name online?  Or at least use a simpler process. 

Signing documents with an electronic signature, like DocuSign, would make this faster and more secure.  You could do this all from the comfort of your home.  You could complete and sign the SS agency and DMV forms online.  The process is completely secure and lets you add documents, like your marriage certificate and driver’s license, to verify your identity.  You could scan them or take a picture of them with your phone.  A few clicks and the whole thing would be done.  It would also speed up the process on the other end.

You get a receipt in email with an audit trail and all signed documents to verify the transaction.  All of this conforms to the Uniform Electronic Transactions Act (UETA) and the Electronic Signatures in Global and National Commerce Act (ESIGN).  These laws cover the use of electronic records and signatures in governmental, interstate and foreign transactions and commerce.  There are similar laws in many other countries.

Using your computer, tablet or smart phone to change your name after you’re married would make your life a lot easier.  There’s also no chance that you could lose the documents with your personal information.  It’s time governments and other organizations stopped doing things the hard way. 

Using electronic signatures makes transactions faster and more secure.  That would be one less headache you have to worry about as you start your new married life.

The last few weeks have been very busy for hackers.  On April 8, 2012, a group claiming affiliation with Anonymous says it hacked emails of the Tunisian prime minister.  On March 30, 2012, hackers compromised about 25,000 social security numbers at the Utah Department of Health.

The biggest headlines were from the Global Payments data breach where information about 1.5 million credit cards were stolen.  The hackers got card numbers and Track 2 data, but not names, addresses or social security numbers.  Fortunately the Card Verification Value (CVV2) or Card Verification Code (CVC2) is not encoded in the magnetic strip where the Track 2 data is stored.  This card security code (CSC) is the three- or four-digit value printed on the card or signature strip.  When you conduct an online or phone transaction with your credit card that’s the code the merchants ask for.  That makes sure you have the physical card.

With breaches like this one a lot of us worry about identity theft and thieves using our credit cards to ring up thousands of dollars of charges.  It also makes you wonder about the security these companies use to store our information. 

In the past few months I had 3 erroneous charges against different credit cards.  The most recent one was a bit of a surprise, but not because it happened, but because of how I found out.

I get a lot of calls from 800 services that I assume are solicitations, but I answered this one.  It was from WalMart and they said they noticed a charge on my Discover card purchased through my walmart.com account; I had forgotten I even had a walmart.com account.  The woman on the phone said they noticed a large purchase and was checking with us because it was unusual.  The last purchase I made on walmart.com was in 2010 and the amounts were always under $100.  She gave me the transaction number, purchase amount and date.  I checked with my family and no one made any such purchase.

I immediately called Discover to notify them of the unauthorized charges.  I mentioned this was the second time in as many months that there were unauthorized charges on the card and the woman on the phone suggested we cancel the card.  I agreed.  She closed the account, issued new cards and removed the unauthorized charges.

My family is very careful about our credit cards and we only use legitimate online merchants.  Unfortunately, credit card fraud and identity theft are huge businesses and all of us are at potential risk.  When I hear about another breach at a credit card processing company, I wonder how safe I am.

I have written about this in the past, but I still don’t understand why businesses entrusted with personal and financial information don’t encrypt this data inside their databases.  Every modern database has this feature.  It’s not hard to implement, but many don’t do it.  If a business has to export the information out of the database for legitimate reasons, they need to encrypt it and restrict access.  Applying a persistent security policy to documents with sensitive information can provide this protection.

The continued hacks of emails and documents, like in the case of the Utah Department of Health, illustrate that organizations must take stronger measures to protect sensitive information.  There is continuing call for the US government to consolidate the numerous state data breach laws and regulations into a federal data breach law. This may help eliminate some of the conflicting rules out there, but also understand that this is a national (actually international) problem.  The EU has strict data privacy laws and are looking to strengthen them. 

Everyone must take these issues seriously.  Look at your own information and make sure you are encrypting anything that is confidential and sensitive.

Photo credit muffet