Monday, 31 October 2011
Data breaches put the scare back in Halloween!
For most people outside the IT profession, the scariest thing they deal with on Halloween is a spooky costume or the newest episode of AMC’s ghastly drama “The Walking Dead.” For IT professionals, a data breach is far worse. With the frequency and cost of data breaches on the rise, it’s easy to see why the topic worries IT professionals. In its fifth annual survey the Ponemon Institute showed a significant spike in legal defense spending to address fears of successful class actions resulting from customer, consumer or employee data loss. In fact, the total cost per data breach incident now exceeds six million dollars.
If that’s not enough to chill IT and security professionals, another report commissioned by Websense surveyed 100 IT managers around the world about the latest threats to corporate security. The IT managers surveyed went on to say that data loss incidents put their jobs on the line, and that managing the stress of a company data breach is more taxing than divorce, managing personal debt, or a minor car accident.
There were 561 data breaches in 2010 and 589 data breaches to date this year. To avoid the stress of a data breach, IT professionals are employing robust security strategies to ease their worries.
We do our part to help Accellion’s customers and their business users protect data while sharing files with external and internal users.
As for the haunts of Halloween… there is nothing that can help the chills and thrills.
Three of NetVision's recently released feature upgrades that we know you'll love.
NetVision recently released version 7.2 of our product suite. Recently, we covered a few of the new features that were introduced, including the ability to find the real owner of files and folders, identify where permissions may differ from a share level folder, and track workstation logon activity. This time, we'll discuss three more enhancements and how they can add value in your environment.
1. Combined Permission and Activity Reporting
Access Rights Inspector provides calculated effective rights reporting across the file system essentially answering "Who has access to what?". One of the really powerful uses of this tool is to run a report showing to what a given user or group has access. As you drill down on a specific file or folder, you have access to effective rights as well as explicit rights assignments so that you know how those permissions are actually assigned. But until recently, if you wanted to review the recent activity on that file, you'd have to switch over to NVMonitor reporting and then adjust the scope of the report to that specific file.
That's a few more clicks of the mouse than we were comfortable with. So, with the release of 7.2, the Access Rights Inspector details pane provides file activity data from NVMonitor right there. No additional clicks required. It also tells you who uses the file most so you can quickly identify the potential owner or high-frequency user to answer any questions about that particular file.
2. Role Based Access to Reports
NetVision's reporting console provides access to reporting for the entire NetVision suite. Because there are numerous types of users who want access to NetVision reporting, it was a natural extension to provide role-based access to reports. A department manager should perhaps only have access to the reporting on the security groups and files that are relevant to their department. A finance auditor might only need access to the READ events on certain files and certain exceptions rather than ALL file activity.
Previously, these scenarios were handled with the built-in report scheduling and automated emailing of reports to users based on their need. But, role-based access to reports provides additional control so that report consumers can set their own report schedules and leverage the report parameters which make searching through data a breeze.
3. Automatically Linked Reports
One of NetVision's clear advantages is our separation of data from display. Our event information is normalized and stored in a relational database. Reporting, then, is extremely flexible in that the same set of data (e.g. group changes) can be viewed in numerous formats (e.g. a pie chart based on who did it, a bar chart based on type of change, a tabular view of chronological changes, etc.) Some NetVision users felt a bit overwhelmed by all the choices.
So, with the 7.2 release, NetVision introduced linked reports into our policy management console. As you are managing policies, there is an additional tab that enables you to select from a recommended report template list. Upon saving the policy, those reports are automatically created in the reporting console. The initial feedback is extremely positive. Linked reports save a few steps and make the process of selecting the best report template for you a lot easier.
by Matt Flynn
NetVision
Thursday, 27 October 2011
Go Mobile, Go Secure with Accellion
The latest Accellion Mobile App for iPhone and iPad with support for iOS 5 was introduced today. With this release, Accellion is leading the industry when it comes to enterprise mobile file sharing security features and control.
The Accellion Mobile App offers the industry’s first encrypted, protected container for mobile file sharing, including 128-bit AES data encryption for files locally saved on a mobile device. Those of you with iPhones and iPads now have a secure way to save files locally on your mobile device.
Let’s say you’re travelling on business. Momentarily distracted by thoughts of your upcoming presentation, you leave the iPad behind at the security line. If you have been using a consumer cloud storage app, your files can be easily accessible to the next person that picks up your iPad.
With Accellion, files downloaded and saved on to the device are automatically encrypted. If you don’t see your iPad again, at least other people won’t see your information. Oh, and your files are still safe, secure and available to you from your iPhone and laptop.
We’ve built a number of additional IT and security features geared for enterprise use into the Accellion Mobile App. Learn more.
The Accellion Mobile App is a free download and works in conjunction with Accellion Secure Collaboration and Accellion Managed File Transfer. Register for a free 30-day individual user trial of the Accellion Mobile App at: http://www.info.accellion.com/mobile-trial.html
Monitor. Communicate. Educate.
Last week, the US-based National Institute for Standards and Technology (NIST) issued new guidelines on monitoring information security across computer networks, devices and software. In the wake of a series of high profile data breaches, the recommendations reiterate the ongoing need for companies to take control of their IT security strategies and policies.
A key message in the guidelines is that an effective, continuously monitored information security programme helps organisations move from purely compliance-driven to data-driven risk management.
This is an important shift for many organisations; while no one can deny the ongoing, growing need to comply with increasingly complex regulations, there’s more to security than box checking. As the NIST points out, data-driven risk management gives organisations the information they need to “support risk response decisions, security status information and ongoing insight into security control effectiveness.”
On the face of it, it all sounds very complicated. Monitoring all risks while negotiating a path through compliance leaves a lot of organisations bound up in so much red tape that they simply opt for what looks to be the easiest route: lock, block and limit communications. As we’ve seen so many times before, this is a self-defeating approach that ultimately holds companies back.
We operate in a dynamic business environment, not a vacuum; companies need to be flexible and agile. This calls for equal measures of self knowledge and threat understanding – and effective monitoring can help get you there. Security should be about policy, not policing, and quality risk assessment drives quality policy, which in turn allows your organisation to communicate with confidence.
Monitor. Communicate. Educate. Security policy should drive technology, not the other way around.
Nick Peart.
Friday, 21 October 2011
The fine line between transparency and privacy
Public sector organisations have unique information security challenges. Trusted to legitimately gather and use citizens’ private information, they are also required to adhere to standards of openness and transparency in everything they do. It’s a tough line to walk, as the Scottish Council of Dumfries and Galloway recently discovered, when it accidentally published the personal details of almost 900 employees – in response to a Freedom of Information (FoI) request.
Among the data made public: names, dates of birth and salaries. All up on the council’s web site for over two months before people noticed and complained.
The difficulties of being both transparent and secure were underscored by the Information Commission’s Ken MacDonald, who said that “Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights.” MacDonald added that the council was now reviewing its procedures in light of the lessons learned and that appropriate checks to ensure that personal data is handled in compliance with the Data Protection Act were put in place.
On this occasion, the council avoided a financial penalty, but the incident serves to highlight the difficulties faced by public sector organisations in fulfilling their mandate to serve citizens while protecting their privacy. There’s an inherent risk in sharing information online that can only be mitigated by putting the right security procedures and controls in place – and enforcing them.
A key component of this is education and the creation of visible, flexible policies that take into account the real-world communications needs of any workforce while underlining why such policies are necessary. At a time when purse strings are tight, those charged with delivering public sector data security must increasingly look to solutions that enable them to unite technology with strong policy and people, striking a balance between compliance, risk and work requirements. Fortunately for public sector organisations and businesses alike, the guidelines are already out there. That’s half the battle – the really important thing is to ensure that they’re adhered to. By making security policies relevant to all users, organisations can support productivity and transparency while ensuring private data remains private.
Richard Turner
The Mobile Offensive! BYOD (Bring Your Own Device)
Mobile employees have been worrying IT managers for years. It all started with pagers, PDAs, and the first cellular phones. Now iPads, smartphones, and a slew of other Wi-Fi enabled mobile devices are on track to outnumber desktop computers. The local area network (LAN) that interconnects computers in a limited area such as a home, computer lab, or office building is fading fast. Most enterprise networks are moving to wireless as the primary way to connect. In the same way that video killed the radio star, Wi-Fi enabled devices and the BYOD trend are killing the LAN. Mobile devices that were restricted by IT managers are now considered indispensable for everyday operations.
Do you think the BYOD trend is not real, or a fad? According to ZDNET, about 75% of enterprises now have a “bring your own device” policy in place. That’s nearly three-quarters of companies surveyed—so yeah BYOD is for real.
A quarter of organizations give employees a whitelist of allowed devices, while almost half let employees bring in and use any device.
Bring Your Own Device? It’s real. Nearly three-quarters of companies allow employee-owned smartphones and/or tablets to be used at work, according to Aberdeen data (mix of late 2010 and 2011 surveys). A quarter give employees a whitelist of allowed devices, while almost half let employees bring in and use any device.
Here are four trends that motivate companies to try BYOD:
Employee gratification: device lust is no longer just for tech geeks. Employees love BYOD at work. Allowing BYOD can be a real motivational tool. Employees, particularly younger, on-the-move employees, see the brand of a laptop or smartphone as a lifestyle choice and an important part of who they are. Of course Apple is at the epicenter of this movement.
Tech developments: the days of compatibility problems and sharing issues from Mac to Windows are ancient history. A few anti-trust lawsuits got everyone’s attention and a solution was found. The compatibility problems were one thing. In the past the size, weight, and cost of computers made mobile computing an oxymoron. In 1983 BYOD would not have been possible. This 29-pound BASF 7000 computer would have been nearly impossible to bring to work. Today’s shiny mobile devices are easy to transport and don’t weigh a ton.
Telecommuting and mobile workers: some of the same technical developments listed above enable more and more workers to work from home, remotely, or on-the-go. Other technical developments like secure file transfer and secure collaboration allow external employees to be productive and secure.
Cost: back in the good old days a computer like the BASF 7000 would have hurt your back and strained your IT budget. At $2800 ($6000 in today’s dollars) this beast of burden cost an arm and a leg. Just think about that next time your fingers are deftly gliding across your lightweight tablet or smartphone. With the cost of laptops and tablets around $500, the cost factor, like the BASF 7000, is a thing of the past.
At Accellion we see the BYOD trend as a shift in the increasing demand for mobile access to file sharing. If you haven’t already tried out the Accellion mobile apps here is the link.
Information security: More investment than expense
Last week, The Guardian reported that the Metropolitan Police’s Central e-Crime Unit (PCeU) had saved the UK economy £140m in the previous six months by cutting illegal trade and online practices – including preventing data loss through cyber crime.
Although it’s heartening to see that the Met’s e-crime team is likely to exceed its targets for the year, figures like this leave me wondering why so many organisations view information security as a burden to the bottom line, an additional cost that must be absorbed under infrastructure spending. It’s time for this perception to change.
There’s more to information security than in-bound threat detection; it’s about the values and benefits beyond it, some of which aren’t always immediately obvious if all you’re looking at is bottom line cost. Consider the following:
Your organisation’s ability to comply with increasingly stringent data privacy legislation doesn’t only affect internal policy, but also has a knock-on effect on your ability to trade and partner with businesses in other jurisdictions.
Our recent WorkLifeWeb research revealed that a significant number of businesses felt security concerns were hindering their adoption of new, collaborative technologies. Social media opportunities are a poster child for this: Security fears mean an increased number of businesses are blocking staff use of these services, even as management says it plans to invest more on social media in the coming year. With the right software and policies in place, social media doesn’t have to be a workplace dilemma – you can give staff the kind of access they need without having to worry about security.
You’ve got policy, you’re just not enforcing it. The really surprising thing about many of the recent, high-profile data breaches hasn’t been the fines, it’s been the fact that many of the organisations in question actually had data protection policies in place – they simply failed to enforce them. A comprehensive data protection policy is only as good as your organisation’s willingness and capacity to ensure it’s adhered to. You spent time and money developing your policies, why aren’t you extracting the value from your investment?
It’s time to view information security as an investment rather than a cost. The technology’s there: encryption, Data Loss Prevention (DLP), email and web gateways, anti malware protection...educate yourself and your employees and you’ll soon get a clear view beyond the bottom line.
Nick Peart
Wednesday, 12 October 2011
Accellion Named a Finalist in Government Security News’ 2011 Homeland Security Awards Program
Accellion, Inc. today announced that Government Security News (GSN) magazine has named Accellion a finalist in the GSN 2011 Homeland Security Awards Program. Accellion Secure Collaboration has been chosen as a finalist in the Best Compliance/Vulnerability Assessment Solution category.
“Accellion is honored to be recognized by GSN for the second year in a row for our continued commitment to help government agencies share files and collaborate in a manner that is highly secure and compliant,” said Yorgen Edholm, president and CEO of Accellion. “Continued recognition from GSN validates our achievements in enabling IT departments to maintain the necessary visibility and control to demonstrate compliance while providing users a secure, easy way to collaborate.”
Demand for secure mobility solutions is making it increasingly difficult for organizations to control how information is shared. Never before has the need to equip users with a secure, easy way to share information been as important as it is today. Accellion provides government agencies and enterprises with the security and tracking features necessary to protect information and demonstrate compliance.
Accellion Secure Collaboration makes it easy for government employees and contractors to securely share information with internal and external partners while ensuring security and compliance. Accellion Secure Collaboration provides secure workspaces and file transfer capabilities. Secure workspaces allow teams to streamline workflow and keep projects moving forward. Users can review, comment, upload, and download files. Using Accellion Mobile Apps, file sharing and collaboration can be easily and securely extended to mobile devices and tablets. Accellion supports public, private or hybrid cloud and FIPS 140-2 certified deployments.
Winners of the 2011 Homeland Security Awards Program will be announced on November 14 at a gala Awards Dinner at the JW Marriott Hotel in downtown Washington D.C.
The GSN Homeland Security Awards Program
The awards programs were created by Government Security News (GSN) to salute dedicated officials and their agencies and departments at federal, state and local levels of government who have created effective and cost-efficient security programs. They were also created to salute the outstanding vendors of IT and Physical Security products who have introduced innovative technologies and products that protect our nation and its people 24/7.
About Accellion
The world's leading corporations and government enterprises rely on Accellion secure file sharing and collaboration solutions to secure their enterprise information and ensure compliance. Founded in 1999, Accellion, Inc. provides enterprise-class secure file sharing solutions that deliver the ease-of-use internal and external users need while giving the enterprise organization the protection it needs. Accessible to employees and external users from the Web, iPad, iPhone, Android and Blackberry mobile devices, Accellion secure file sharing solutions offer the widest choice of deployment options spanning virtual and public, private, or hybrid cloud environments. The company is headquartered in Palo Alto, California with offices in North America, Asia, and Europe.
Tuesday, 4 October 2011
Keeping on top of data discrepancies
In November this year, the European Commission (EC) will publish its new version of the Data Protection Directive, the legislation on which the Data Protection Act is based, and amongst the new measures will be instructions on data processing. The updated version will include a 'mandatory data breach disclosure' law for every organisation in the public and private sectors. Adoption of the law is expected by early 2013.
Currently, it is optional for private companies to report data breaches so it is fair to assume that there are many leaks which occur that we never get to read about in the papers. This will all change once this legislation is passed. All companies’ data discrepancies will then be open to public inspection and the impact of any kind of data breach can be felt not only on the bottom line but also at a brand and reputation level. However, there are a few simple measures you can take now to avoid any corporate embarrassment down the line.
Firstly, make sure employees understand IT policy; those that are responsible for data need regular clarification on what activities may put data security at risk as well as what is and what isn’t permitted by the business. This can be achieved through frequent communication and training. In addition, once you have formulated a policy make sure it’s enforced. In extreme circumstances, this may mean having to take disciplinary action if rules are transgressed, but if you’re too lenient then nobody will take the policy seriously.
Interestingly, this EC news comes out in a week where analysts are predicting an increasing appetite for cloud computing. Ovum is claiming that spend on cloud services is growing 29% year-on-year and that by 2015 it will have reached $66 billion. When you consider that the security of data is the number one concern about moving to the cloud, we have a curious dilemma for corporate UK. Businesses will not only be using services which potentially leave them more prone to data loss, but if the worst happens they will be legally obliged to tell the world about it.
Richard Turner
Accellion and MobileIron Announce Partnership
Most IT organizations have minimal visibility into what’s on an employee’s phone and how it’s being used, and even less control or insight into information being accessed and shared.
MobileIron and Accellion announced a partnership today to provide our customers with secure mobile device and content management. Together, MobileIron and Accellion help an IT organization to regain control over mobile devices and how employees collaborate and share information from them.
As part of the partnership, Accellion will be one of only seven applications chosen to participate in MobileIron’s AppConnect program. The goal of AppConnect is to secure MobileIron-developed apps as well as third-party apps on the App Store, Android Market and other mobile app services.
The benefit of the Accellion and MobileIron partnership was summed up by Jason Otani, Director, IT Infrastructure, Curtiss-Wright Corporation, a mutual customer:
Using Accellion Secure Collaboration’s native mobile apps, our teams really appreciate being able to securely collaborate on contracts and engineering plans with internal and external business partners. MobileIron’s ability to wipe the device clean remotely any time a device is lost or stolen adds another level of security protection against a possible data breach.
For the most up-to-date news and information about this partnership, follow us on Twitter, Facebook, and LinkedIn.
Security’s a boardroom issue
It’s not that long since responsibility for information security lay firmly at the door of the IT department. Not viewing it as a business critical issue, boardrooms were happy to take a watching brief; after all, they had a company to run.
Recent times and a changing threat landscape have driven a change in attitude, however. From privacy and compliance legislation to high profile data breaches, intellectual property protection and network security, it’s a lot easier to make the business case for IT security. As such, security has climbed up the business agenda for many organisations, moving from a ‘nice to have’ to an essential component of the day-to-day business.
There’s nothing like the threat of financial penalties, criminal proceedings or serious reputational damage to focus the business mind on the need for a high quality, unified security strategy. The current economic climate has, however, put some IT departments under significant pressure to run security programs on ever-tightening budgets. A survey released by PricewaterhouseCoopers this week found that only half of global respondents said they planned to increase their spend on security over the next year; in the UK, that figure’s 35 per cent. This despite the fact that 85 per cent of PwC’s respondents claimed to have experienced a security breach of some kind over the previous six months.
To maximise return on information security investment, it is vital that any programme has senior management buy-in. Security is no exception and, in order to retain priority status, needs to evolve alongside the changing technologies that have become pivotal in the workplace. But it’s a two-way street: just as security technologies and policies need to evolve, so too do the humans involved. Security should never be a silo-based activity; the key to gaining buy-in across all levels of the organisation is advocacy from the highest level.
Nick Peart