Safeguard company data on employee phones

Standard

The following was originally published on May 29, 2016 on Seacoastonline.com.

Everyone has a mobile device, be it a smartphone or tablet. One of the key questions
most business owners and managers have is whether the company should provide these tools to employees who need them or if they should allow the employee to use their own devicesafeguard, often referred to as “Bring Your Own Device.”

Whether a company should provide a smartphone and/or tablet to an employee or allow them to use their own may be driven by a number of factors. Among these factors are cost, standardization, position with the company, department and job role, just to name a few. Regardless of the decision, whether company-wide, department-wide or employee by employee, one thing you have to be sure you have in place is an appropriate mobile device policy the employee signs.

If you allow one or the other, it’s a bit easier in that you only need one policy document. If not, you will need to have one policy document for company provided mobile devices and one document for employee owned devices that are allowed to connect to company resources.

A mobile device policy document should address several critical aspects of employees’ use of these devices. These include statements related to mandatory compliance with the policy, enforcement and changes to the policy, standard definitions so there will be no confusion about what the policy refers to, supported devices, permitted and restricted uses, approved company applications, privacy and monitoring, erasure and preservation of data, sharing of devices and reporting of lost or stolen devices. Also to be included should be costs, usage, security and confidentiality as well as personal use and personal data on the same device as company data.

The policy should identify the device or devices assigned to the individual and be signed by that individual. Included in this policy of a companion policy document should be a clear statement about texting while driving, mobile device use while driving and adherence to any state laws where the employee or operating related to mobile devices. More and more states are adopting these laws. In fact, New Hampshire has one of the toughest hands-free laws in the nation. Be sure you understand it clearly.

A consideration specific to employee-owned devices is how to appropriately secure any company data on the mobile device. Any mobile device connected to company resources should be governed by mobile device management software that allows you to control what devices connect to company data as well as remotely wiping those devices in the event of loss, theft or termination of employment, regardless of the cause. The only issue with this specific approach is that any personal apps and data on the mobile device will be lost if it is wiped. Therefore, you need to be sure your mobile device policy makes it clear the employee is responsible for backing up their personal apps and data on the device as it could be lost.

Better technology is also available to help with this. Mobile device management tools exist that allow you to specify not only which devices are allowed to connect to company resources, but more importantly, what apps and data are company apps and data. This allows a mobile device to be selectively wiped, only erasing apps and data that belong to the company, leaving the personal apps and data intact. This type of technology presents a much more effective way to manage these devices while being certain company policies and data are properly safeguarded.

If you have employees using mobile devices, even if just to access email, be sure you have these things in place. If you have not been audited for these requirements yet, it’s only a matter of time, so be proactive and get these policies and technologies in place to protect your business.

 

Email archiving important for your business

Standard

The following was originally published on May 15, 2016 on Seacoastonline.com.

email-archivingIn today’s world, email has become one of, it not the most important and relied upon communication mediums in business. In addition to being a communication platform, it has also become an unintended digital file cabinet for many people.

How many folders do you have in your mailbox? Just the default of Inbox, Deleted Items, Drafts, Outbox and Sent Items? I doubt it. I have seen some statistics that suggest average mailboxes contain dozens of folders beyond the defaults and upwards of 25,000 individual messages.

While mail servers have matured over the years to support this exponentially growing use of email as a file storage medium, as well as to support the increasing use of electronic mail for near real-time communication, there are still limitations. There are numerous considerations to take in to account when using email to both communicate and store information for future reference.

While most mail systems will support extremely large mailboxes, some to the tune of tens of gigabytes and hundreds of thousands of items, the computer you are working on could cause performance issues, even though you have not theoretically reached the limits of your mail system. An example of this would be a large mailbox, say in the area of 100,000 mail items and 20 gigabytes in size. With most mail systems, the mail is stored both on your server as well as a local cache, that is a copy of what’s on the server that is actually stored in a single file on your computer’s hard drive.

With a large mailbox, this generates a lot of read and write requests to the data and may put a heavy load on your computers resources. The nature of this activity benefits from newer, faster hard drives like solid state drives, as opposed to the traditional mechanical drive. Random access memory, RAM, also helps in this case. A computer that has worked quite well for years may seem to be underperforming when dealing with a very large mailbox. You may see your email be slow to work through, your email application periodically pauses, search not function reliably and other symptoms. It can be a very frustrating experience.

Email archiving is a solution to many of these issues and more. Email archiving is often misunderstood, as many email applications have an archiving feature, yet that’s not the same as archiving in the context of this article. Email archiving within an email application simply involves copying messages based on a range of criteria from the original mailbox to an archive copy and then removing those messages from the archive copy. While this makes the original mailbox itself smaller and easier to work with, it simply transfers a given number and size of email from the mailbox to this archive, which is also sitting on the local computer hard drive. Thus performance impacts may still be in play as these archives continue to grow just as the mailbox itself has been.

True business class email archiving involves setting retention rules on the mailboxes to automatically clean out email messages over a certain age, say anything 18 months old and older. These messages are automatically captured into an online archive that is outside of and separate from the mail server and your mail application. This keeps the size of your mailbox within established best practices limits while ensuring you are able to search and find historical email reliably and efficiently.

What’s unique with archiving like this is that your current mail is also available in the archive as soon as it is received or sent. While you may still use your mail application to manage and search for messages within the time limits that are enforced, in this example 18 months, you would also be able to rely one hundred percent on your email archive to search or any mail message. Another unique element of email archiving is that you are able to search for messages by conversation or topic. This allows you to bundle up all mail messages related to a particular topic and recover them a single file. This can be very valuable when dealing with contact negotiations, legal issues and more.

With email being so heavily relied on, problems can’t be prevented all the time, but as companies grow and email usage increases, archiving is an excellent protocol to insert to help manage your growth while ensuring people can do their work efficiently

Using USBs a real security risk

Standard
usbTechnology columnist MJ Shoer says the Mass Storage function of USB devices poses a significant security risk.

The following was originally published on May 1, 2016 on Seacoastline.com.

We all love our USB ports and devices. USB stands for Universal Serial Bus and this compact connector has replaced several legacy ports that used to be commonplace on all computers. Such includes PS/2 keyboard and mouse connectors, serial ports, parallel ports (mostly used with printers), even audio ports and more. The utility and small form factor of USB has revolutionized computers, specifically all the various peripherals that we plug in to these ports.

USB has also given rise to all manner of external devices, including web cams, security keys and in the case of my focus for this article, hard drives. What is known as the USB Mass Storage service allows us to plug in hard drives and USB flash memory to easily transfer data to and from our computers.

From a security perspective USB Mass Storage is a significant security risk. The plethora of USB drives, sometimes called flash drives, thumb drives, USB sticks, etc., make these handy devices an excellent Trojan horse for hackers to exploit.

Over the last year, exploits have been discovered and in some cases fixed, that allow hackers to hide malicious software code on a USB drive so that when it is plugged in to a computer, the code activates and installs itself on the computer with no awareness of the person plugging it in to their computer. The malware then spreads across connected computers and allows the hackers to access your data or use your computers to help them attack their ultimate target.

Recent studies by the University of Illinois and CompTIA, the Computing Technology Industry Association, confirm the clear and present danger that USB sticks pose to businesses and individual computer users. In both studies, researchers left 200 to 300 USB sticks around the University of Illinois campus in Urbana-Champaign as well as in major cities around the country. More than half of the USB sticks found were plugged in to computers. Some on secure corporate networks. The sticks were setup with fake malware that would “phone home” to let the researchers know the stick had been found and connected. The “infection” took hold almost immediately after the stick was plugged in. In as little as six minutes, the infected stick contacted the researcher’s server to confirm it was online. The percentages rise when the USB sticks have a well-known logo on them.

Beyond just plugging in the USB stick, the real worry was that most people who plugged them in also opened files on the sticks. Just as unsuspecting people open email attachments that infect their computers, people will also open files on found USB sticks. It’s critical to protect yourself against falling victim to these threats.

In the case of e-mail attachments, education is the best defense. The same is true with USB sticks, but you may also want to consider using technology to help protect your computer. Start with education. The CompTIA study points out that 45 percent of corporate computer users report they receive no form of education relating to cybersecurity. There are numerous excellent resources available to train your staff to be safe cyber citizens.

For the threat posed by USB sticks, at least in a business environment, give serious consideration to disabling the Mass Storage service on the USB ports. This will not impact other uses of the USB ports, but will prevent USB drives of any kind from functioning. When a user plugs a USB drive into the USB port, no data will flow to or from it. However, keyboard, mice, webcams, printers and more will all function normally.

This is a security best practice and something you should seriously consider implementing on your corporate computer network. With the proper tools, you will be able to easily enable and disable USB functionality on a user-by-user basis, so when there is a legitimate requirement to plug in and work with a USB drive, you will be able to do so. If you work with an IT partner, they will be able to help you put this in place. It’s a smart thing to do, especially considering the risk that has been validated by multiple studies.

%d bloggers like this: