Why You Need a Security Consultant — and What to Look For

Security Consultant – For years now, security experts have warned small businesses: You are a target for cybercriminals. While the news media focuses on the major security breaches affecting millions of individuals, what’s often overlooked is that smaller businesses are not only victims of hacking more often, but that they are also often a key piece of the puzzle when investigating larger breaches.

In short, the simple fact is that small businesses are at risk for cyber-attacks, and even if you think you are too small to be of any interest to hackers, you might want to think again.

The problem for many small and micro businesses is that they simply do not have the resources to fully protect their business and their data. While it would be great to hire a full-time, dedicated cybersecurity professional (or even an IT person, in many cases) most smaller companies don’t have the money in the budget to do so.

As a result, they piecemeal security solutions together: They secure their Wi-Fi, use antivirus software, set up firewalls, etc. These are all important steps, but while they may be enough for the average home network, they represent only the beginning of the protection necessary for business.

Since most entrepreneurs aren’t well versed in the latest cyber-protection methods — and don’t necessarily have the time to learn — there is a growing number of security consultants who specialize in small businesses and in designing security protocols to protect their valuable data. For a fraction of the cost of hiring a full-time employee, businesses can implement the security measures they need to keep their data safe, remain in compliance with industry security regulations, and stay ahead of emerging threats.

What Will a Security Consultant Do?

If you cannot bring a dedicated security professional onto your staff, a security consultant is the next best thing. However, it’s important to understand a few key considerations before you sign a contract.

First, it’s very important that you hire an independent consultant. Many security companies, particularly security software vendors, will offer consulting services for “free.” However, these consultants are typically employees of that software company, and the recommended solutions for your security issues are likely to be limited to the products and services offered by that company.

That’s not to say the advice isn’t relevant and valid, but you want to make sure that you are receiving the unbiased evaluations and recommendations to ensure that all of your bases are covered and that you aren’t purchasing products and services that you don’t necessarily need.

It’s also important to understand what a consultant will do for you. In most cases, the consultant will conduct a thorough risk assessment and evaluate your current security set-up to identify potential problems, and identify solutions to minimize risk. From here, consultants will either do the work themselves (or through their team) or recommend qualified vendors to implement security solutions for you.

Most security consultants work on a project basis. Some offer ongoing service and support, but most will leave the ongoing implementation up to you. These are points that you will work out in the contract, but understand that usually, your consultant is there to assist with a specific project and not to fill the role of a staff IT security professional.

What to Look for in a Consultant

Finding the right consultant involves more than just choosing someone who works independently of a specific company. Ask a few important questions, including:

What is your background? Choose a consultant with an advanced educational background, ideally with a degree in information security and experience within your industry. Some consultants have even earned the Chartered Security Professional (CYSP) designation, indicating a high level of knowledge and experience within the realm of cybersecurity.

Do you have experience within our industry? Different industries have different needs in terms of security. If you are bound by regulations such as HIPAA or PCI, does the consultant have the knowledge and experience required to incorporate those regulations into your security plan?

Who will perform the necessary work? If you are working with a consultant who will implement your security upgrades, be sure to determine who will be actually doing the work. In some cases, the experienced principal of the firm conducts the analysis and makes recommendations, and then sends less-experienced individuals to conduct the work. Know who you will be working with and their qualifications from the start.

Of course, cost is always a factor, but as with anything, the least expensive option is not always the best option. Keep in mind that you will be trusting this person (or team) with your most valuable and sensitive data, and select a consultant who has both the technical and the project management skills necessary to ensure your business is fully protected.

IT Job Market Forecast

Janco has just released its IT job market forecast and it does not look good. The forecast for 2016 is that 100,800 new IT jobs will be created. That is 12% lower than the number of jobs that were created in 2015 and 2014. In addition, a number of industry analysts are forecasting that a new recession is around the corner. That was magnified by the testimony of the Fed Chairman before Congress. The Chairman said, “… we (Fed) will not raise interest rates in the near term as we are seeing signs of a recession occurring overseas.”

When Janco analyzed the recent employment data provided by the BLS, they found that 5,300 new IT jobs were created in January 2016 versus 15,900 last year at the same time. The CEO of Janco said, “The BLS did reclassify some jobs from the Telecommunication category to the Computer System Design and Related Services, but that was a push and in aggregate the result was that fewer new IT jobs were created. In support of this, our interviews of 47 CIOs in the last few weeks have them being much more pessimistic than they have been as a group in some time.”

H-1B visa program costs IT Pros jobs

H-1B visa program does not help US Nationals — costs jobs and limits development of IT professionals

H-1B visa program — We have just completed a review of the H-1B visa program, covering both the application process and approved visas. It is clear from the data that foreign corporations are utilizing the program to undercut the salaries paid to IT professionals. In the process, corporations are reducing their costs and eliminating jobs that should belong to US nationals.

In some cases the jobs remain in the US, but the positions are filled by foreign nationals. Specifically, offshore outsourcing companies continued to make up the majority of the top H-1B visa applications according to new government data. These offshore firms have been adding employees by the thousands as their revenues increase. Infosys (India based) led the list in 2014 with 23,759 visa applications with a median salary for those positions of $72,254, edging out Tata (India based), which had 14,098 visa requests with a median salary for those positions of $66,600.

Both of those salaries were well below the median salary ($81,583 in 2014) for IT positions. The overall median salary for the top 30 enterprises that filed for H-1B visas was $77,027.

[Figure: H-1B Visa Program – Top 30 applications by company]

The impacts of the H-1B program as it is implemented today are:

  1. Overall costs of IT are being reduced as lower salaries are paid.
  2. Companies are encouraged to hire offshore IT Pros at wages that are lower than those paid to US nationals.
  3. Entry level positions are being eliminated which would provide the experience to US nationals so they could proceed in the IT career path.
  4. Dependence on foreign based companies will limit the flexibility of US corporations to change their infrastructure as technology advances.
  5. Risks due to a changing international political climate.  For example, when the “Arab spring” took effect in Egypt, companies that were depending on those “off-shored” operations had few alternatives they could use as data centers were closed.  Costs and risks to move the operations chewed up most if not all of the savings that were projected.

Size Doesn’t Matter: Every Business Needs Security

Of the hundreds of data breaches that occurred in 2015, most people can only name those that targeted major corporations: BlueCross BlueShield, Experian, Ashley Madison, etc. However, just because these massive thefts were the only ones to make the news doesn’t mean smaller businesses are safe from cyberattacks; in fact, oftentimes they are even more vulnerable to digital disasters.

A majority of small businesses are woefully under-protected against cyber-threats, but erroneous feelings of invincibility are preventing businesses from correcting their cybersecurity mistakes. Learning why security is important for every business ― no matter how small ― will help companies stay alive in this dangerous digital climate.

The Temptation of Small Businesses

A common belief among new entrepreneurs is: “My business isn’t as profitable as larger companies, so hackers wouldn’t gain much by targeting me.” However, small businesses actually tend to be most criminals’ bread and butter.

In reality, the size of a business isn’t what attracts a hacker ― it is the type of data the business collects. Cybercriminals make money from mining and selling personal data, such as health information, financial information, or contact information. Digital thieves build automated viruses and malware capable of locating and stealing this data, so hackers make few conscious decisions regarding the size of business they target. Usually, larger enterprises have the resources to protect their digital cache while smaller companies make more digital mistakes, such as:

  • Lacking a dedicated IT specialist on staff
  • Lacking employee training for digital security
  • Failing to update security programs
  • Failing to secure endpoints, especially mobile devices

No matter how little revenue a startup makes in a year, its data is usually low-hanging fruit for cybercriminals to pluck and enjoy, causing untold ruin for the business and its customers.

The Essential Defenses

Fortunately, digital security isn’t difficult to enact quickly. In fact, many experts have compiled lists of basic defenses every business should have to be effectively secure. Essentially, a business can avoid harmful attacks with antivirus software, anti-spam software, and anti-phishing software, which are usually bundled together in a neat security suite. Thousands of security software providers exist, but businesses would do well to trust industry leaders, like Trend Micro.

However, before any business begins downloading programs and hiring system administrators, it is crucial to have strong security policies in place. Software is only as powerful as the people using it, which means employees must be trusted to uphold security measures, like using strong passwords and keeping those passwords secret. The security policies should explain punitive measures for those employees who skirt the rules, as they put the entire enterprise at risk.

Additional Technologies for Added Protection

In addition to basic protection, businesses can adopt a number of supplementary technologies to keep their data safe. Many of these target specific security risks incurred by alternative business practices.

For example, businesses that employ a number of employees who use networks remotely might be interested in using a virtual private network (VPN), which is a device that allows users to connect through browsers, encrypting any and all network traffic. Usually, VPNs require a username and password, but some businesses take security a step farther with a token that randomly generates passwords, like the RSA SecurID.

Additionally, businesses could complete full-disk encryption on all of their devices. This process translates all data stored on the machine into incomprehensible characters which can only be read with the proper password. Once again, users can use a security token, or businesses might prefer to use biometrics such as fingerprint scans or voice recognition, which is in the early stages of use.

Common Security Mistakes

Some small business owners might believe they are protected ― after all, some pay big bucks for fancy security systems which are installed on every company-owned device. However, even small businesses with a satisfactory security budget are susceptible to cybercrime, all because of human error. Before any business believes itself secure, it should ensure it isn’t engaging in these major security mistakes:

  • Relying on the cloud. It is acceptable to store some data on the cloud, but businesses must have complete faith in their cloud-provider’s security first.
  • Ignoring smart devices. Nearly every piece of tech in the modern office can connect to Wi-Fi, which means hackers potentially have several unprotected entry points. Businesses must research everything, from office phones to printers, to be secure.
  • Forgetting to dispose of data. When tech gets old, many businesses sell, donate, or throw it away without doing a proper memory sweep. Criminals can find everything from passwords to actual information on unwanted devices.

Top 10 Worst Passwords

Users have continued to use the same worst passwords to access secure systems for several years

Top 10 worst passwords – Passwords are the first line of defense in securing systems, yet users continue to circumvent that basic security by using the same easily hacked passwords.

Below is a list of the historic top 10 worst passwords that Janco has found users continue to use. As you can see, the same ones appear year after year.

Rank   2016         2015         2014         2013         2012
#1     123456       123456       123456       password     password
#2     password     password     password     123456       123456
#3     12345678     12345        12345678     12345678     12345678
#4     qwerty       12345678     qwerty       abc123       qwerty
#5     12345        qwerty       abc123       qwerty       abc123
#6     123456789    1234567890   123456789    monkey       monkey
#7     football     1234         111111       letmein      1234567
#8     1234         baseball     1234567      dragon       letmein
#9     1234567      dragon       iloveyou     111111       trustno1
#10    baseball     football     adobe123     baseball     dragon

To counter this, here are 5 easy rules that can be implemented in your password routines. These will minimize the risk that your users will use these easily hacked weak passwords.

  1. Include in the list of unacceptable passwords the ones listed above.
  2. Move towards biometric passwords or two-step authentication for access to systems.
  3. Do not allow users to use a previous password when a password reset is done.
  4. Do not allow the same password to be used by multiple users in the organization.
  5. Once an employee leaves, see that his/her password is eliminated and that all of the passwords in that “area” are changed in a timely manner.
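As an added example (not code from Janco or the original post), rules 1, 3, 4 and 5 above can be enforced at password-change time with a small policy class. The banned list is built from the table above; the PBKDF2 parameters, history depth and user names are assumptions.

```python
from __future__ import annotations

import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Built from the historic top-10 table above. A real deployment would load a
# far larger breached-password list, but the mechanism is the same.
BANNED_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "1234567890", "football", "1234", "baseball", "1234567", "dragon",
    "abc123", "monkey", "letmein", "111111", "iloveyou", "adobe123",
    "trustno1",
}

PBKDF2_ROUNDS = 100_000  # assumption: tune to your hardware
HISTORY_DEPTH = 5        # assumption: how many old passwords are remembered


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so stored credentials are not trivially recoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class UserRecord:
    salt: bytes
    current: bytes
    history: list[bytes] = field(default_factory=list)  # previous hashes, newest last


class PasswordPolicy:
    def __init__(self) -> None:
        self.users: dict[str, UserRecord] = {}

    def _matches(self, password: str, record: UserRecord, digest: bytes) -> bool:
        return secrets.compare_digest(hash_password(password, record.salt), digest)

    def check(self, username: str, candidate: str) -> list[str]:
        """Return the list of policy violations; an empty list means acceptable."""
        problems = []
        # Rule 1: banned list, compared case-insensitively so "Password" does not slip through.
        if candidate.lower() in BANNED_PASSWORDS:
            problems.append("password is on the banned list")
        record = self.users.get(username)
        if record is not None:
            # Rule 3: neither the current password nor any remembered one may be reused.
            for old in [record.current, *record.history]:
                if self._matches(candidate, record, old):
                    problems.append("password was used previously")
                    break
        # Rule 4: no two accounts may share a password. Every user has their own salt,
        # so the only way to test this is to re-derive the candidate under each other
        # user's salt: O(users) PBKDF2 runs, acceptable for a small business directory.
        for other, rec in self.users.items():
            if other != username and self._matches(candidate, rec, rec.current):
                problems.append("password is already in use by another account")
                break
        return problems

    def set_password(self, username: str, candidate: str) -> bool:
        """Apply the policy; returns True if the password was stored."""
        if self.check(username, candidate):
            return False
        record = self.users.get(username)
        if record is None:
            salt = os.urandom(16)
            self.users[username] = UserRecord(salt, hash_password(candidate, salt))
        else:
            record.history = (record.history + [record.current])[-HISTORY_DEPTH:]
            record.current = hash_password(candidate, record.salt)
        return True

    def remove_user(self, username: str) -> None:
        """Rule 5: a departing employee's credential is removed outright."""
        self.users.pop(username, None)


def demo() -> dict[str, bool]:
    """Walk through the rules with constructed users 'alice' and 'bob'."""
    policy = PasswordPolicy()
    results = {}
    results["alice_banned"] = policy.set_password("alice", "123456")
    results["alice_ok"] = policy.set_password("alice", "correct horse battery staple")
    results["bob_dup"] = policy.set_password("bob", "correct horse battery staple")
    results["bob_ok"] = policy.set_password("bob", "Tr0ub4dor&3 is not enough")
    results["alice_reuse"] = policy.set_password("alice", "correct horse battery staple")
    results["alice_change"] = policy.set_password("alice", "new passphrase for 2016")
    results["alice_history"] = policy.set_password("alice", "correct horse battery staple")
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Rule 2 (two-step authentication) is a property of the login flow rather than of password selection, so it is outside this check.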

Unemployment Data Accuracy – Fact or Fiction

BLS adjustments reported that they overstated the Labor Force Participation Rate (LFPR) – for 2000–2010 the LFPR was overstated by 2.8%

Unemployment Data Accuracy – The BLS publishes a massive universe of data on the state of the US labor market. Recently they reported that they have not captured the Labor Force Participation Rate correctly for the past 20 years. They said they had overstated the percentage.

The BLS statement was:

The labor force participation rate that BLS projected for 2006 was 67.6 percent, but the actual rate was more than a percentage point lower, at 66.2 percent. Similarly, the projected rate for 2008 was 67.6 percent, but the actual rate was 66.0 percent. Finally, for 2010, the projected rate (67.5 percent) was nearly 3 percentage points higher than the actual rate (64.7 percent), which was much lower than expected because of the recession of 2007–09.

That adjustment means that almost 2,000,000 additional people were not in the labor force. At the same time the BLS gave no indication that they have changed the methodology they used to generate that percentage. Nor did they say they would go back and adjust the historical percentages that they had previously published.

A real question that has yet to be answered is the quality of the general unemployment percentages that were calculated in those periods. Were they correct?

2016 IT Salary Survey Released

Janco has just released its 2016 IT Salary Survey. The major findings of the survey are:

  • In 2015 the IT job market grew by 125,700 versus 129,400 in 2014 and 74,900 and 62,500 in 2013 and 2012 respectively according to the Bureau of Labor Statistics (BLS).
    • Technology centers like San Francisco (Bay Area), Chicago, Atlanta, District of Columbia, New York and Washington State continue to lead the way in new IT job creation.
  • IT compensation for all IT Professionals has increased by 1.39% in the last 12 months.
    • Between January 2015 and January 2016 the total mean compensation for all IT Professionals has increased from $81,583 to $82,483.
    • In large enterprises, the median compensation has risen 1.48% from $83,872 to $85,110.
    • In mid-sized enterprises, the mean total compensation for all positions has increased by 1.29% from $78,838 to $79,856.
    • In general, staff level IT positions have not seen much pay fluctuation over the past eight years.
  • CIO compensation across all organizations has shown another increase. The mean compensation for CIOs in large enterprises is now $189,672 (up 2.33%) and $174,124 (up 1.21%) in mid-sized enterprises.
    • Median CIO tenure remains at 4 years and 4 months.
  • Positions in highest demand are all associated with security, training, large data center management, distributed/mobile system project management, quality control, BYOD implementation, capacity planning and service level improvement.
  • Over the long term IT executives have fared better in large companies than mid-sized companies.
    • IT executive salaries have recovered all of the losses sustained in the recession and in some cases exceeded prior highs.
  • On shore outsourcing has peaked and companies are looking to bring IT operations back into their direct control and reduce operating costs.
    • A number of enterprises are moving help desks and data center operations in-house, which has resulted in an increased demand for data center managers.
  • Mandated requirements for records management systems and electronic medical records have increased the demand for quality control staff and custodians (librarians) of mechanized records.
  • Companies are continuing to refine the benefits provided to full time IT professionals. Though benefits such as health care are available to 80%, IT professionals are now paying a greater portion of that cost.

Security breach cost $3.8 million

Security breach cost averages $3.8 million

Security breach cost – Cybersecurity threats are on the rise. In 2015 the average cost of a data breach was $3.79 million, and that figure is expected to grow to close to $5 million by the end of this year.

Areas of concern are:

  • Cloud services – the danger that users adopting them are bypassing security protocols and systems in the process
  • Ransomware – Kits for this software are now readily available. The attack encrypts important files, rendering data inaccessible until you pay the ransom.
  • Spear phishing – Phishing attacks are growing more sophisticated all the time, as official-looking messages and websites, or communications that apparently come from trusted sources, are employed to gain access to your systems.
  • Known vulnerabilities – Once these are published, everyone is exposed
  • Internet of Things – As connectivity spreads into every corner of our lives and businesses, it becomes more and more challenging to maintain a clear view of entry points and data flow.

The top 10 drivers of security shortcomings include:

  1. Insufficient funding for security
  2. Lack of commitment by senior executive management
  3. Lack of leadership in the security arena by the CIO
  4. Belief that the organization will not be targeted
  5. Lack of internal resources who are “security” experts
  6. Lack of an effective IT security strategy
  7. Lack of an action plan on how to implement a solution before an event
  8. Infrastructure for IT that does not easily lend itself to security implementation including complex and disjointed applications and data
  9. No central focus within the enterprise that concentrates on security
  10. Lack of a good termination policy for employees and contractors

25 CIOs make over $1,000,000 annually

In a review of public records Janco has found that 25 CIOs make over $1,000,000 and the top paid CIO made $7.75 million (Adriana Karaboutis – Biogen). Most of the compensation for these CIOs comes in the form of company stock and stock options. The highest base compensation was $763,000 for Rob Carter at FedEx.

Top 10 predictions

Top 10 Predictions for technology – As we are about to enter a new year, Janco Associates is making its top 10 predictions for the new year. All of these will impact IT spending and the IT job market.

  1. Successful enterprises will understand how technology impacts the business cycle
  2. Remote and mobile-only users will drive next generation applications
  3. Multimedia applications will drive the next wave of productivity
  4. Cloud processing, network systems and data communications analysts will have the greatest demand
  5. E-commerce applications will drive up the value of security expertise
  6. Big data will continue to expand
  7. Internet of Things will expand at a rate that will require more dedicated resources
  8. Consulting and contractor demand will rise
  9. Social networking will be in a state of flux
  10. Cyber warfare, both political and economic, will be on the rise

A full description of each of these predictions can be found at http://goo.gl/3BcyRF

Job Market tightens

Job Market tightens – Even with the national unemployment data showing positive improvements, the job market is tightening. In a review of the just released October unemployment data by state, Janco has found two interesting items.

The first is that the number of states with unemployment levels of 6% and greater has increased to 8 states in October versus 6 states in September.  No states fell from the list and Alaska and Oregon were added.

[Figure: October High Unemployment States – Job Market Tightens]

The second is that the number of states at full employment levels in October fell to 11 versus 17 in September. Indiana, Kansas, Idaho, Maine, Wisconsin, Wyoming, Montana, and South Dakota fell from the full employment state list and no states were added. Plus, this data has not been adjusted for the lowest labor market participation rate in almost 40 years.

[Figure: States with full employment levels]
[Figure: National Labor Participation Rate lowest in over 38 years]

Cost of business interruption

Cost of business interruption – Calculating the impact and cost to an enterprise of a disruption of service is difficult. It is a necessary planning step that needs to be re-visited on an annual basis. Some of the factors that need to be considered are:

  • How will your clients, customers, and users react to a disruption? Will they react in a way that will be more or less disruptive to the business and its operation?
  • Will the disruption have an impact on other activities? For example, your sales force may still be able to make sales calls but the distribution arm of the company may be at a standstill.
  • How will the event impact the overall reputation of the enterprise? Will there be adverse media or social networking publicity?
  • Once the event is over, how quickly will your company be able to catch up and get back to business as normal?
  • How much revenue will your company lose during the outage?
  • Will there be any contractual or legal penalties that will be imposed and how extensive will they be?
  • If the event impacts items that will need to be repaired or replaced, will the repair parts, maintenance staff, and replacement equipment be available?  At what cost?
  • If you activate other services, overtime, or incur other expenses what will the cost of that be?

To address those issues we have found that a spreadsheet like the one below will help to summarize the information that you will collect and present.

IT Job Market Growth Slows

IT job market – We have just reviewed the latest BLS data. Plus we have interviewed almost 100 CIOs. We find that rapid growth is not something that is going to happen soon. On the plus side, 2015 is still better than 2014 with 31,200 more new jobs year to date.

[Figure: IT job market growth trend – moving average of IT job market is trending down]

Since November of 2014 the number of new IT jobs, though positive, has continued on a downward trajectory. At the same time there is a great deal of uncertainty due to the current political climate, international unrest and the general economic situation.

[Figure: Historic and forecast IT job market growth]

IT Job Family Classification

Over the past three decades Janco Associates and its principals have created a set of over 270 IT job descriptions (http://www.e-janco.com/IT_Job_Descriptions.htm) that are viewed by many as the industry standard. As a natural extension of that offering, Janco has documented its IT job classification system.

Both for an individual’s personal career planning and for an enterprise’s staffing, promotion and compensation, it is important to have benchmarks for the levels that individuals are at. To that end, one of the best objective ways to meet this goal is to have formal job descriptions and clear paths for promotion and compensation.

10 step security implementation

10 step security implementation process:

  1. Make security an executive directive – The driver for security needs to be the CEO and/or the Board of Directors
  2. Implement clear security guidelines – Have a published security manual with specific policies, procedures, and statements of what will occur if someone does not follow the rules.
  3. Provide specifics for security compliance – Do not use statements like “in general” without having specific examples of what the individual needs to do.
  4. Enforce that everyone follows the rules – If ID badges are required then everyone, including the CIO and CEO, needs to use one.
  5. Provide a formal training program – All new employees should go through this program as soon as they are hired and all existing employees need to have “at least” an annual review of the security guidelines and rules
  6. Communicate Security – On an on-going basis communicate what security best practices all employees and associates need to follow.
  7. Monitor security compliance – Validate that security rules and guidelines are being followed and make individuals and managers accountable for breaches.
  8. Establish security compliance metrics – Identify metrics that are meaningful to validate that compliance is occurring. Have metrics which show violations to the security guidelines as well as the total breadth and depth of the security process
  9. Provide security compliance feedback – At least monthly, provide a general report that shows the status of the security program.
  10. Audit security with a third party – On an annual basis have a third party audit the security program and validate:
    • The program is in place and functional
    • The program is being followed
    • All of the right things are included

10 step BYOD

10 step BYOD – or how to implement BYOD successfully. We have created a policy that can be used to successfully implement BYOD. The 10 step BYOD includes the following tasks:

  1. Define Your BYOD Objectives and Get Executive Buy-in
  2. Define Your Mobile App Strategy
  3. Identify a Pilot
  4. Decide Which Devices You Want to Allow
  5. Negotiate Mobile Service Rates With Carriers
  6. Define Your End-user Help Desk Model
  7. Identify Eligible BYOD Users
  8. Implement an Acceptable Use Policy
  9. Distribute and Train Users in Policy
  10. Monitor Program Usage

The BYOD Policy Template includes two (2) electronic forms: 1) BYOD Access and Use Agreement and 2) Mobile Device Security and Compliance Checklist.

BYOD includes consumer smartphones and tablets, which are making their way into your organization. Going mobile makes employees happier and more productive, but it’s also risky. How can you say ‘yes’ to a BYOD choice and still safeguard your corporate data, shield your network from mobile threats, and maintain policy compliance?

With the advent of Bring-Your-Own-Device – BYOD and the ever increasing mandated requirements for record retention and security, CIOs are challenged to manage in a complex and changing environment.
