Secure Value by Keeping an Eye on RedFlags ... some small businesses may be exempt!

Image via Wikipedia

Trying to manage the incoming waves of regulations is bad enough ... but keeping track of what is on and what is not on anymore is a tough job when you really just want to run and grow your business!

Short one this week.  You want to keep an eye on this news.  According to an article in SCmagazine.com there is a bill working its way through Congress that may exempt some small business from the RedFlags rules.

Related articles by Zemanta

• U.S. House Says Most Dental Offices Are Exempt From Red-Flag Rules (implantblog.wordpress.com)

Do Business in Nevada? Secure Value by Complying with New Security Act

Image via Wikipedia

Does your company transmit, process or store payment card data about any individual who lives in the State of Nevada?

If so you need to be aware of the new Security of Personal Information Act passed into law in Nevada.  In a nutshell, data collectors or merchants who collect card data to do business will be required to be compliant with PCI DSS in order to legally conduct business in Nevada.

I'm not going to spend time writing something up if I find something insightful already available.  Read the write up on the Nevada Security of Personal Information Act at InfoSecCompliance.

Secure Value by Understanding Common Threats

Image by zenonline via Flickr

Understand the common threats to your business and think about how to prevent them, detect them and respond to them before they occur

Threat models are commonly used in information security analysis to illustrate the potential for risks to impact an organization. The threat model is used to describe the characteristics of a given threat and the harm it could to do a vulnerable system. 

 If we do a project where we identify threats scenarios we’ll go into detail.  At a simple level we’ll identify the pieces of the threat scenarios including the actor (WHO), the action (HOW), the motivation (WHY), the vulnerability exploited (think WEAKNESS) and the potential impact (think DAMAGE). 

We do not address the probability of these events occurring which in most cases is impossible to predict accurately.

Over your morning coffee run through these common scenarios and ask yourself if you how they would impact you:

 A trusted employee decides to:

 ·         Download unauthorized software from the Internet which contains a Trojan horse or other malicious software. 

·         Disable antivirus scanning prior to the download of an emailed MS Office document.

·         Transfer information from a third-party computer to their work computer bringing in a virus or other malicious software into the company. 

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

A disgruntled employee decides to retaliate against your company:

 ·         With knowledge of the backup tape courier routine the tape drop off is intercepted and the information contained on the tapes are used to attack your company’s reputation or are used for material gain.

·         With any number of portable memory devices data is copied from the network and is stolen undetected.

 A former employee decides to retaliate against your company:

 ·         With a haphazard termination process the former employee uses his/her still active network access and credentials to damage or steal information from an outside location.

·         With a haphazard termination process the former employee gains access to a company facility and uses his/her still active network credentials to damage or steal information from an outside location.

An authorized visitor or an unauthorized visitor or intruder penetrates one of your company’s facilities and:

 ·         Unchallenged as they walk the floors of the facility they exploit targets of opportunity such as unlocked, unattended systems, backup tapes set unsecured waiting for courier pickup, etc.

 A third party caretaker of your company information has a security incident.  While that incident may not impact your company network, your company has no controls to prevent that incident from impacting your company at a business level.

Related articles by Zemanta

• Security Controls and Principles (deurainfosec.com)

Secure Value by Planning Ahead for Bad Things

Bad Things DO Happen ... Or We All Die Sometime ...

Securing your business value isn't just about keeping the hackers out.  It is also about managing other kinds of risks including the very real prospect, given that we all die sometime, that a senior resource might die.  Without thoughtful planning the business might die, too.  My business, Jacadis, recently committed to Sequent, a Professional Employers Organization (PEO), to help us manage our human resources risk.  Part of their services include succession planning.  What follows is an excellent write up by Pat Carpenter, CLU, CHFC of Sequent's Retirement & Benefits Group.

Do you expect your business to die when you do?

Do you expect your business to die when you do?  If your goal is for your business to thrive, how do you intend to harvest the investment you’ve made? If you want your business to provide a continuous income stream after you’re ready to move on, think out and plan the transfer of ownership. Whether the business is sold to a partner, a competitor, a group of employees or to family member(s), there are four elements necessary for a smooth transition. These four elements include:

• A business that has value independent of the founder
• A realistic market valuation of the business
• Willing buyers, and
• An agreement that compels the sale and the purchase at the agreed-upon amount

As your business has grown, you have developed products and services that your clients need. Vendors count on you for part of their business growth. Your management team helps determine, and employees execute, the business plan.  As the business’s life cycle matures, your role has evolved from technician to visionary.  Clients, vendors and employees have deepening relationships. You can move on now.

Setting a realistic market price for the business should be determined by a CPA certified in valuation. He or she will analyze the books, economic conditions, market segment and growth potential. There will be questions about anticipated revenue, and new niche markets. The CPA will select which valuation method is most appropriate for your business and set a purchase price and a formula for determining any future purchase fluctuations.

Evaluating a potential buyer is the next logical step in your succession plan. Often, key employees or family members will have already indicated interest in purchasing the business. Do they have all the skills, vision and drive necessary to be successful? To thrive in a competitive marketplace takes more than being a good technician. In addition to figuring out ‘How much?’ and ‘Who?, you might want to invest in training for any deficient skill areas.

The agreements that compel the sale usually take two forms.

The first option is an employment agreement that defines the conditions under which stock, or phantom stock, is transferred to the successor owners. This provides the current owner “golden handcuffs” and the key employees an incentive. Usually the transfer is contingent on reaching certain productivity goals.

The second option is the Buy-Sell document. This describes the transfer of stock upon the death, disability or retirement of the owner. It delivers assets to the owner’s family while removing them from the business. These documents should be prepared by attorneys who specialize in closely held corporations.

In addition, both agreements need to be funded in order to complete the final transfer. This is usually accomplished by purchasing life insurance and disability insurance on the owner, payable to the business or the successor owners. Insurance provides the funds to purchase the stock. In this way, non-participating family members are gracefully moved away from day-to-day operations and dividend expectations.

Good planning pays off for everyone:  your clients, your employees, your family, vendors and creditors. They all want to work with a company that will thrive, even through a key transition. With proper tax planning, the business will provide an annuity for the owner for the next five to ten years. Your investment in the succession planning process could pay dividends for years to come.

Patricia Carpenter, CLU, CHFC

Vice President, Business Development

Pat Carpenter has more than thirty years’ experience working for and with emerging businesses. A veteran of three start-ups, she has spent more than thirty years of her career working in the life and health insurance industries as a field underwriter, group representative, broker and consultant. Pat has worked closely with business owners to create custom-tailored succession plans and wealth accumulation programs. She has analyzed financial strategies, plan designs, and employee incentives. In addition, she has educated people from line workers to Board members about how to optimize their employee benefits. Pat has earned the Chartered Life Underwriter and Chartered Financial Consultant designations from the American College.

Related articles by Zemanta

• Why Entrepreneurs Sabotage the Succession Process (blogs.harvardbusiness.org)

Secure Value by using Strong Passwords

Image by Bohman via Flickr

Other more complex security and privacy protections don't work if you are not using passwords correctly ... they are your key to security!

I have read more than my fair share of "how to protect yourself in social media" type articles lately (see a good one with links to other good ones at http://www.nateriggs.com/2009/10/how-to-protect-yourself-from-the-social-web/ ) from none security professionals.  These posts discuss protecting your location, creating a family password (like the you say Thunder then I say Flash challenge response) and other very commonsensical kinds of actions to protect your online self.  Most of them forget the basic fundamental password.

So without any more preamble.  Use strong passwords.  They work.  And when you don't use them you can be attacked (See a story on Twitter's corporate accounts being hacked all becwith a loss of tremendous confidential data all because of poor password use).

Use passwords that are at least eight characters long and include a mix of at least 3 of the following character types:  uppercase letters, lowercase letters, numbers and special characters.  (WHY?: Following this practice means that guessing your password means working through more choices making guessing both practically and mathematically  more difficult.)

But doing that makes it harder to remember, too, right?  And most people don't use good strong passwords because they are hard to remember and so because of convenience (or laziness) prefer to type "1234" or "GOBUCKS!".  What to do?

Be thoughtful about how you use and mix these characters (##Pa$$W0rd!! is easier to remember than d$a#aabe and because it is longer mathematically harder to guess):

• Substitute numbers for letters and vice versa (0 instead of O, 4 instead of A, 1 instead of L, 3 instead of E, $ instead of S and so on).
• Substitute words for numbers (one for 1, two for 2, and son on).
• Use capitalization haphazardly (passWord is stronger than password or PASSWORD).
• Use special characters in front of (##password), to end (password$$) or to punctuate or separate words (password!! or pass#word).

Have some fun.  Use these combinations to create words of phrases that are easier to remember:

• ##LuckyDuck$!!
• $$Give8100dPlayRug8y

And then use your passwords like you do your house, car and office keys:

• Never communicate them over the phone, in an email or over IM (or twitter for that matter!).
• Log off (lock the door) when you are done with a site or stepping away from your computer.
• Change your password if you suspect suspicious behavior (it is good to be a little paranoid, no?).
• Do not allow your Internet browser to save your password (if you lose control of your laptop, netbook or PDA whoever gains controls has control of your entire digital world).
• Do not share your passwords with anyone.
• Don't use password hint functions (where you select a challenge like mother's maiden name and you provide an answer) or if you are forced to don't use real data (select mother's maiden name and you provide an unrelated answer like Guinness, but honestly you are liable to fake yourself out on that one so tread lightly).

If you still have trouble remembering you have 2 choices:

• Don't be shy about hitting the "forgot password" button. (It is more secure to have a password reset sent to your email address than it is to use a simple, easy to use password).
• Use a password manager like KeePass Password Safe which is a "free, open source, light-weight and easy-to-use password manager".

This sounds so simple.  Yet, it is such a serious topic.  It isn't the only line of defense, but it is an important one and because of human nature (entering passwords does feel like such a waste of our time) an underused line of defense. 

As an executive and online citizen, don't be a victim because you didn't want to invest a small amount of time to do something simple and highly effective.  As a business owner, make sure you have policies in place to expect the proper use of passwords by all of your employees across all of your systems and applications. 

Related articles by Zemanta

• Stolen Hotmail data reveals widespread use of weak passwords (infoworld.com)
• Gmail Blog - Choosing A Smart Password (lockergnome.com)
• More On the E-Mail Hijackings (pindebit.blogspot.com)
• The art of creating strong passwords (macworld.com)
• Hackers are Everywhere (myventurepad.com)

Secure Value by Planning Now for H1N1 to Hit Your Business

Image via Wikipedia

I have to confess I have had that same "it can't happen to me" attitude about the H1N1 pandemic.  I've scoffed at the sterilizers my wife Jodi put around the house, at being taught how to cough and at all of the concerns people have. 

But I've learned that if you think "It can't happen" it just might.

I've alluded to the fact that I coach football.  I run the defense for the Patriots, a team of 16 fantastic 9 and 10 year old boys, just learning the tackle game.  Tuesday night we were down to 9 kids.  About two weeks ago, one of our players was diagnosed with H1Ni and we lost his services for a game.  The abscenes steam rolled since then. Tuesday night we had 9 boys at practice with the other 6 at home sick.  Not all of them had H1N1, but the resulting impact got me to thinking.  What if 50% of our company was out sick or quaranteened because of fever?

Great question.  And this week we have begun to plan for it.  Over the next week or so our management team is going to ask soem questions:

• How bad could it get?
• Can we function in that environment?
• Can we service clients? Generate revenues? Shift risks?
• Depend on our critical service providers?
• Are there any effective prevention measures we can implement at a company level? Require of our employees?

As we go I'll through my thoughts and findings up here to help you along .. because as I have found out it can happen to anyone.

Some links of interest I've already discovered (and which I'll update as I find new ones):

• Flu.gov which has lots of information for businesses and indiviauals
• Center for Disease Control

Related articles by Zemanta

• How is the flu transmitted? (fitnesstipsforlife.com)
• Areas Hit Hard by Swine Flu in Spring See Little Now (nytimes.com)
• Swine Flu (H1N1): It's Popping up Everywhere (chilmarkresearch.com)
• A Look Inside the CDC's Battle Against the Swine Flu (abcnews.go.com)
• Your resource for tracking the swine flu (news.cnet.com)
• Small Businesses Prepare for a Hit from the H1N1 Flu (time.com)

Business working with health care records? -- Secure Value by complying with HIPAA Breach Notice

Effective September 23, 2009

Just in case you forgot to put this on your calendar OR because it slipped your attention as you were trying to run and grow your business.  By way of HIPAA Breach Notice 74 Fed. Reg. 42740: "Any privacy breaches or security issues that are exposed on or after September 23, 2009 must be recorded and individuals notified.  This rule applies to group health plans and many other HIPAA-covered entities, and will be strictly enforced by HHS"

If you work with health care records of any type or provide services to entities that do, you need to understand what this means for your business.

 

Related articles by Zemanta

• Five Steps to HITECH Preparedness (computerworld.com)
• New HealthCare Data Breach Program Begins September 23rd (ducknetweb.blogspot.com)

Secure Value with a Social Media Plan

Yesterday, I presented my first pass on Securing Social Media: Protecting Yourself, Your Company, Your Customer.  Over the next few days I'll be posting some lessons learned and other odds and ends from the presentation.

One of the points I made was that your company efforts with social media, to be successful and to be secure, need to be managed from a formal action plan.  The security part of that plan is going to include some thought on policy and the procedures and safegaurds needed to support the policy.  But the policy needs to be business driven which requies a social media action plan or a business plan for the use of social media in your company.

Four firms that I've had contact with who have taught me some valued lessons on the use of social media certainly can help you with that action plan.  I would recommend as you are thinking about how to innovate with social media to contact:

• Nate Riggs, huber+co interactive
• Billy Fischer, Oxiem Marketing Technology
• Brenda Stier-Anstine, Marketing Works
• Kate Brodock, OtherSide Group

Secure Value by Protecting Yourself, Your Company, Your Customer

Image by david.nikonvscanon via Flickr

Understanding the Security Risks With Social Media for Business

We have taken the plunge as a firm and use Twitter, LinkedIn and Facebook to promote our personal brands, market our business and build community with customers and prospects.

While we've embraced the 2.0 world, we've done so with eyes wide open. As we use the technology to create benefits we also acknowlledge we create risks that must be identified, addressed and managed.

Most professionals, most firms using these new technologies are not "professional paranoids" like we us. 

If you are using Social Media and have concerns about the risks ... or if you have balked at adopting the technology because of your fears of those risks ... please join me for:

Understanding the Security Risks With Social Media for Business
September 21st, 2009
11:00 am — 1:00 pm

Register to join us.  We will discuss:

• Privacy issues related to social media use
  • For yourself 
  • For your company 
  • For your customers 
• Tactics to maintain privacy
• Techniques to maintain security

You will certainly get a chance to network with other busy professionals.

Related articles by Zemanta

• Are you a trust agent? Do you need to be? (myventurepad.com)
• Seek Quality not Quantity in Your Social Network (myventurepad.com)
• ONLINE: Social networking sites weather attack - Business - The ... (jonggunlee.tistory.com)
• Employees, Privacy and Engagement (myventurepad.com)
• Nearly half of employers look up job candidates on social networks...but your tweets are probably safe (socialmediatoday.com)

Secure Value by Testing Web Applications -- Lunch & Learn Announcement

Jacadis presenting lunch & learn on web application security with Platform Lab in Columbus

I wanted highlight an upcoming lunch and learn reviewing web application security that might be of benefit to you if your business develops and deploys web applications. The event is free and lunch will be provided. Please register below, and send this on to individuals in your organization who would benefit.

 

Jacadis, the company I work for, is putting the lunch and learn on with its non-profit partner the Platform Lab, part of Tech Columbus.

 

Presenter: Simon Herring, CISSP – Founder and CTO Jacadis, LLC.

Cost: Free

When: September 16th, 2009 11:00 am — 1:00 pm - Lunch will be provided

Location: Platform Lab/TechColumbus 1275 Kinnear Rd Columbus,OH 43212

 

 

Register here: http://www.surveymonkey.com/s.aspx?sm=nkZ9YHJyBqezQYQM5xDMmQ_3d_3d

 

Cyber thieves use automated scanners to find web security holes… Why don’t you?

 

Thousands of web applications have been developed by companies of every size and industry to support business growth, extend customer interactivity, and lower service delivery costs.  But how deliberate are you in evaluating the security of web applications throughout the application’s lifecycle, from inception to retirement? 

 

Consider the following:

• Many web vulnerabilities exist due to limited knowledge of secure coding principles.  Catching these weaknesses before “go-live” can decreases costs related to post-deployment patching and the risks associate with a security break-in.

• The sophistication of web hackers and data thieves continues to increase.  Just scanning during the development cycle assumes no new web application exploit techniques will be developed and shared in the Black Hat community. The “10 foot wall” you created last Fall won’t be able to withstand the “11 foot ladder” that cyber thieves throw-up this Summer.

• In addition to being an established best practice for protecting general web servers, routine web application scanning can help you comply with federal, state, and industry regulations.  With little marketing effort, you can also build security into your brand and show your existing or potential clients that protecting sensitive data is important.  

The tools and processes are available to prevent the deployment of poorly coded and insecure web applications.  Perhaps you know the risks, but you don’t know how to manage them, or where to begin.  To answer these questions, we are hosting “Securing Web Applications using Acunetix WVS” to demonstrate how Acunetix Web Vulnerability Scanner (WVS) is an effective tool to add to your security routine. 

 

In this edJACADIS seminar, we will:

• Examine the components of a successful web application development process

• Discuss the role of web application vulnerability scanning in the overall security process

• Explore how Acunetix Web Vulnerability Scanner (WVS) can be used by developers and security analysts alike, to perform automated or manual web vulnerability testing.