Cyber-Attack — If you have not faced one yet, the odds are you will
Cyber-attacks are now an everyday event and it is only a matter of time before your company faces one if it has not already. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the best defenses in place are not immune. CIOs and CSOs need to accept these risks as fact and be prepared to respond quickly and effectively.
Managing cyber breaches starts before the breach occurs
- Perform a security data audit
- Conduct endpoint security analytics
- Determine the extent of exposure
- Understand the capability of the malware or attack
- Collect data for post event analysis
- Implement long term solution
- Adjust monitoring protocols
- Post Mortem Analysis
- Activate Incident Communication Plan (see https://www.e-janco.com/Incident-Communication-Plan-Policy.html)
- Document results and keep them up to date
CIO challenge – how to manage the social media risks
CIOs are faced with new social media risks. Analysts are predicting that by 2016 as many as 40 percent of all organizations will utilize social media as a customer service channel. With that in mind CIOs need to be aware that their organization’s reputation can quickly be damaged through the instant spread of bad news or a negative incident via social media.
It only takes one disgruntled customer to take to Twitter, YouTube or Facebook and the results can be costly. Even worse, damage can be done by a disgruntled employee with access to corporate social media accounts and a determination to discredit the company.
The issue faced by enterprises of all sizes is ensuring that the right message is being communicated in a consistent manner. The first step in achieving this objective is to have a uniform social network policy.
The Social Networking Policy Template is the right tool for this task. With it you can successfully manage and control your employees’ activities that relate to your enterprise.
Risk management rules apply
Traditional risk assessment rules apply to managing social media – identify, record and mitigate risk. So, while there is no doubt that social media will continue to be a risk, by implementing sound processes and procedures supported by an enterprise control platform risk managers should still be able to sleep soundly at night.
The processes to follow are:
Step one is to identify potential risks. In the case of social media these include:
- Employees sharing confidential information;
- Loss of control or ownership of the organization’s social media accounts;
- Careless posting by employees: accidental or deliberate;
- Employees defaming their employer on personal profiles;
- Failing to respond to negative posts or responding in an inappropriate manner;
- Failing to listen to the social web or the right conversations;
- Not sharing best practice;
- Being unaware of who is listening to which conversations and responding on behalf of the organization.
A lack of attention to detail in terms of knowing how usernames and passwords are being shared means that in the event of something going wrong no one is accountable or traceable for posting the offending content. The lack of an audit trail makes it difficult to identify who posted a damaging internal item and why. Likewise, is it clear who is responsible for replying to external negative comments and in what tone? Adding fuel to the flames can make matters worse, but if the source of that fuel cannot be identified, steps to call a halt and correct the situation will take precious time.
Document and manage
Document and manage potential social media risks in order to implement a control platform that works seamlessly across the entire organization.
Step three: mitigation
Mitigation is the third step when it comes to the control of social media risk. In the event of the worst happening social media channels should be kept open and readers kept informed as to what is being done to remedy the situation. Openness and clarity are essential. In the event of the crisis having been created internally, audit trails and validation will soon identify the source and allow the necessary actions to be taken. If the crisis was as a result of an external source, the right people required to respond will be alerted and the appropriate reaction documented.
The CIO role has changed: it is now part of the executive management team
The CIO role is now defined with a new skill set, and the individual is:
- Both visionary and pragmatic – It is not enough to plan for innovation; the CIO needs to be perceptive and realistic. As an insightful manager, a CIO promotes a broad technology agenda to help the business profit from leading-edge initiatives. At the same time, as a pragmatist, a CIO deals with the realities of the business. The pragmatist also facilitates the productivity of current IT solutions. The CIO focuses on minimizing cost and maximizing results; in addition, the CIO helps to increase the customer and product/service base of the enterprise.
- Focused on ROI improvement of IT – CIOs find new ways to help customers and the organization profit from how data is used while focusing on managing budgets and processes to eliminate or reduce costs.
- Able to inspire the enterprise and expand the business impact of IT – CIOs have proven expertise in both business and technical facets of their role. CIOs interact with the enterprise and its executive team as enterprise leaders and drive new business initiatives and shifts jointly with the other members of the executive team.
The role of the CIO is changing as more enterprises move towards a “Value Added” role for the Information Technology function. Those changes are depicted in the detailed job descriptions that have been created for all of the functions within IT — especially for the CIO. The table below depicts several of those changes.
Top 10 points of CIO focus in planning
10 points of CIO focus that need to be addressed in Disaster Recovery and Business Continuity Planning
- Business resiliency during and after the event – What is the capacity of your company to adapt to change after an unplanned business operations disruption? CIOs need to ensure that crisis management, incident response, business continuity, disaster recovery and pandemic planning are integrated into one set of processes and capabilities that work collectively. This in turn will allow the business to suffer minimal disruption in the event of an incident that affects the entire company, and to spring back more effectively from a disruption to its operations.
- Business continuity plan location – Where are the applications going to execute after an event occurs? CIOs need to plan for both a physical presence and a cloud operation.
- Emergency mass notification – Advancements in social media and communication modes now mean CIOs can reach employees by personal or work email, fax, SMS text, mobile and work or home land line. It is also now possible to store incident management plans, procedures and actions on a smartphone or tablet so users can access the latest information and plans.
- Accurate information – Delivery at precisely the right time, to the right people is more important than ever. Bad information degrades the reputation of whoever is delivering it and the company associated with the message deliverer.
- Workplace violence – Make your employees feel safer by having practice tests, conducting training and awareness sessions so that they can learn the best way to keep safe. It’s a sensitive and difficult topic to address but you will save lives in the long run; as well as empowering your employees rather than leaving them to feel like lost targets.
- Testing your business continuity or crisis management plans – It is one thing to say “Yes, I have a plan”. It’s another thing to say “We have tested the plan and it can support the recent growth of our company.”
- Enterprise mobility – The mobile application market is expected to grow by at least 30 percent in the coming year. The continuing shift in the traditional workforce means fewer people in the office and more that work from home. It also means that instant access to work related applications and data must be reliably available at anytime and anywhere.
- Social media use – Facebook has become the preferred way to share content, second only to email (for now). Use it to help you get in touch with people or to track what’s going on. It’s important to have a social media plan for incident management as you cannot stop the public talking about issues involving your organization: the key way to deal with this is to be prepared and to respond quickly.
- Planning for all risks is a best practice for business resiliency planning – New risks are added every year! The all risks approach encourages a generalized framework for responding to a wide variety of disasters regardless of cause and developing capacities and capabilities critical to preparedness.
- Integrated response and recovery – An integrated response means a well-coordinated and well-communicated response, with a team that trains together. Integrating response teams strengthens collaboration and capabilities, improving the efficiency and effectiveness of responses.
10 Best Practices in Managing Social Networks and Social Relationships
Social networks provide an opportunity to communicate electronically with both personal and business associates. Done properly they are a great new way to stay in touch or to market.
- Create relationships to connect in a consistent manner
- Minimize low value communications
- Group relationships to make it easier to track relationships
- Utilize multiple social networks to segregate relationships – utilize the right network for the relationship
- Ensure you have proper groupings
- Establish metrics to use in following relationships
- Assess the impact of a change before you make it
- Document changes
- Keep communication flowing via Email
- Validate relationships are working both ways
IT Management Suite
The IT Management Suite contains all of Janco’s products at a savings of over $2,500. Plus for a limited time (until 12/31/2013) you can save an additional 20% by entering the coupon code of Post201311.
- CIO IT Infrastructure Policy Bundle including electronic forms
- Disaster Recovery Template
- Security Manual Template
- Internet & IT Position Descriptions HandiGuide – including all Job Descriptions in MS Word
- IT Infrastructure, Strategy & Charter Template
- IT Salary Survey
- Functional Specification Template
- Safety Program Template
- IT Service Management Template
- Practical Guide IT Outsourcing
- Client Server Management HandiGuide
- Metrics for the Internet & IT HandiGuide
- Internet & PC Workstation Policies & Procedures HandiGuide
- Business & IT Impact Questionnaire
- Threat & Vulnerability Assessment Tool
Cyber war continues
Cyber war and security recent postings:
- CIOs worry more about cyber threats with mobile computing Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At the same time online criminals…
- Anatomy of a Chinese Cyber Attack Cyber Attack — How the Chinese do it… A Chinese cyber attack (a Stuxnet-style attack) frequently makes its first entry into a company’s secure network…
- Fraud is on the rise CIOs need to address fraud issues with better security For the last three years it has been reported that estimated fraud losses that are doubling…
- Cyber war breaks out – slows Internet Cyber war pushes need for more security The recent cyber war between Spamhaus and Cyberbunker, with a commercial Distributed Denial of Service (DDoS) attack, pushed the Internet…
- CIOs Worry More About Cyberthreats CIOs face more cyber threats Cyber threats are now a much greater concern with the expansion of the use of mobile devices and services. At…
Cyber attacks are more extensive as the criminal element moves in
Cyber attacks and threats to networks and enterprise data are not going away. Risk is always with us, but the focus on security has expanded from physical security to cyber security.
The type and sophistication of cyber attacks are shifting and so are the people launching the attacks.
Initially cyber attacks started out with individuals infecting computer networks with viruses, but now the criminal element is involved. In 2011 there was an increase in denial-of-service attacks by hacktivists, like Anonymous, and, more recently, foreign-based cyber criminals have targeted automated clearing house (ACH) transfers and used diversionary denial-of-service (DoS) to attempt account takeovers.
Over the past five years there have been some big changes. There are websites where you can buy the tools you need. In fact, users can purchase 100,000 fraudulent bank cards that are guaranteed to work.
The targets are not limited to the United States, online fraud attempts have jumped significantly in Europe and Asia as well.
Just as banks continue to be targets for criminals looking for big scores, the crooks are not deterred when some tighten their defenses. They just move on to other banks. And just as bank robbers of the past were reticent to give up techniques that worked, today’s thieves are reluctant to develop new tools.
The Zeus family of malware is still the gold standard, a trojan horse botnet that came to light in 2007.
IT Infrastructure is key to enterprise visibility
Visibility is essential to manage, analyze, and secure the complex system that is the IT infrastructure. Traditional approaches to network, application, and security management are breaking down in the face of trends including convergence, mobility, and consumerization of IT. With the growing volume of data, and with the mobility of users, devices, and applications, monitoring tools such as systems used for application performance management (APM), customer experience management (CEM), data loss prevention (DLP), deep packet inspection (DPI), intrusion detection systems (IDS), intrusion prevention systems (IPS), network performance management (NPM), network analysis, and packet capture devices, are struggling to provide accurate and timely analysis.
This is because, traditionally, tools attached directly to the production network through TAPs or through mirror/SPAN ports. However, proliferating tools wherever critical data exists in the infrastructure can be costly and leads to several challenges.
Worldwide, enterprises and public sector organizations leverage their IT Infrastructure in their remote locations and distributed processing centers, data centers and headquarters, or primary locations to:
- Gain pervasive and intelligent visibility for real-time insights
- Reduce expenses by simplifying operations and centralizing monitoring
- Eliminate contention among tools and IT departments for access to data
- Optimize tool performance for greater ROI
Web Design on 32% of sites has design flaws
Web design flaws were the focus of a recent Janco survey. There were 10 major design flaws that impact web sites when they are viewed on the smaller displays of smartphones and tablets.
Janco reviewed 1,045 major sites and found that 32% (335 out of 1,045) of them had at least one of these top 10 flaws.
- Look and feel is not consistent across devices – Pages were designed for a desktop and have not been adapted to meet the requirements of smartphones and tablets
- CSS style sheets lacking – Style and formatting information is contained within the body of the pages. For example, the font sizes may be good for a desktop, but without the proper use of CSS styles they are too small on smaller displays.
- Images are not scalable – Images are of a fixed size; as the device changes, the images do not scale in proportion to the page, resulting in pages that are difficult to view on the smaller screens of smartphones
- Pages have too much content and are too busy – Page content often is not focused and tries to cover too many “bases”
- Pages take too long to load – Pages have not been optimized to improve load times
- Text is too small – The text is too small and when the page is magnified on the smaller display the user has to scroll in order to view the page
- Layouts do not adjust according to the device the pages are viewed on – On multi-column pages, on smaller devices, the layout is not adjusted to show one column at a time.
- Images do not have alternative text – If images do not load quickly no alternate text displays.
- Adobe Flash is used and is non-functional on Apple devices – Apple’s Safari does not support Flash, so this content cannot be viewed on iPads and iPhones
- Menuing systems are not conducive to variable size devices – Long horizontal menus do not display well on smaller screens and vertical menus in multi-column pages do not work well.
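Five of the ten flaws above leave a visible trace in the page markup itself (styling inside the body, pixel-sized images, no viewport meta tag, images without alt text, Flash objects), so they can be caught by a static check before a page is published. The following is an added example, not part of the Janco survey or any tool of theirs; the sample pages and the flaw names are constructed for the demonstration.

```python
"""Static check for the mobile-rendering flaws that are visible in HTML markup.

Added example (not Janco's survey tooling). It flags five of the ten flaws
listed above that can be seen in the markup itself; the other five (load time,
page busyness, text size, menus, cross-device consistency) need a rendered page
and are out of scope here. The sample pages below are constructed.
"""
from html.parser import HTMLParser

FLASH_TYPES = {"application/x-shockwave-flash"}


class MobileFlawChecker(HTMLParser):
    """Counts markup-level findings while the parser walks the page."""

    def __init__(self):
        super().__init__()
        self.findings = {
            "inline_style": 0,      # CSS style sheets lacking: styling inside the body
            "fixed_size_image": 0,  # Images are not scalable: pixel width/height attributes
            "missing_alt": 0,       # Images do not have alternative text
            "flash": 0,             # Adobe Flash is used
        }
        self.has_viewport = False   # Layouts do not adjust: no viewport meta tag

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if "style" in a or tag == "font":
            self.findings["inline_style"] += 1
        if tag == "meta" and (a.get("name") or "").lower() == "viewport":
            self.has_viewport = True
        if tag == "img":
            # alt must be present; an empty alt is acceptable for decorative images
            if "alt" not in a:
                self.findings["missing_alt"] += 1
            # numeric width/height attributes pin the image to one size
            if (a.get("width") or "").isdigit() or (a.get("height") or "").isdigit():
                self.findings["fixed_size_image"] += 1
        if tag in ("object", "embed"):
            mime = (a.get("type") or "").lower()
            src = (a.get("src") or a.get("data") or "").lower()
            if mime in FLASH_TYPES or src.endswith(".swf"):
                self.findings["flash"] += 1


def check_page(html: str) -> dict:
    """Return a True/False verdict for each of the five checkable flaws."""
    parser = MobileFlawChecker()
    parser.feed(html)
    parser.close()
    return {
        "inline_style": parser.findings["inline_style"] > 0,
        "fixed_size_image": parser.findings["fixed_size_image"] > 0,
        "missing_alt": parser.findings["missing_alt"] > 0,
        "flash": parser.findings["flash"] > 0,
        "no_viewport": not parser.has_viewport,
    }


def flaw_count(html: str) -> int:
    """Number of the five checkable flaws present on the page."""
    return sum(check_page(html).values())


# Constructed sample pages: a desktop-era page and one that avoids these flaws.
DESKTOP_PAGE = """<html><head><title>Catalog</title></head>
<body style="font-size:10px">
<img src="hero.jpg" width="900" height="300">
<object type="application/x-shockwave-flash" data="banner.swf"></object>
</body></html>"""

RESPONSIVE_PAGE = """<html><head><title>Catalog</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="site.css"></head>
<body><img src="hero.jpg" alt="Product hero image" class="fluid"></body></html>"""

if __name__ == "__main__":
    for name, page in (("desktop", DESKTOP_PAGE), ("responsive", RESPONSIVE_PAGE)):
        print(name, flaw_count(page), check_page(page))
```

Run against the constructed pages, the desktop-era page trips all five checks and the responsive page none; in practice the checker would be run over each site's HTML as part of a publishing pipeline, with the remaining five flaws left to a rendered-page review.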
IT Infrastructure is key to CIOs leading enterprises in their management processes
CIOs and other members of the IT management team could be the reason their companies’ management processes may not be working. There are many recent changes in the business and operating environments that need to be addressed on an on-going basis:
- Expectations for governance oversight
- Globalization of markets and operations
- Changes and greater complexities of business
- Demands and complexities in laws, rules, regulations, and standards
- Expectations for competencies and accountabilities
- Use of, and reliance on, evolving technologies
- Expectations relating to preventing and detecting fraud
If the managers, the CIO and the IT management team demonstrate good behavior, everybody down the line will copy it. People need to operate by example: if the CIO does not follow the rules or address issues like those above, then that is viewed as acceptable behavior.
An effective management process starts with the right tone from the IT leadership team. Though the effectiveness of a management process is difficult to quantify, it can mean the difference between successful companies and struggling ones. Firms that sell products overseas, for example, are at a “competitive disadvantage” if they don’t have good management process control outcomes. It’s like fire prevention: you don’t know how many fires you’ve stopped.
A lack of good management processes leads to poor internal controls. This in turn presents opportunities for fraud, even among some of the most trustworthy employees.
For example, having good internal controls means segregating the bookkeeping and accounts-receivables duties. That means not having one person in charge of authorizing, posting and having final custody of live checks. Bad controls, for example, would be if the accounts-receivables clerk is responsible for all those things, which can be the case in small businesses.
Companies need to be particularly mindful of former employees, both within individual business units and across the company as a whole. When employees move departments, their access to sensitive data can increase. Equally important is an employee who changes positions within the company. Simply by keeping old passwords active, CIOs are enabling a good person to do bad things.
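The two control gaps in the paragraphs above (one person holding the authorizing, posting and check-custody duties, and access that survives a department change or a departure) are both checkable from an entitlement inventory. The following is an added example with constructed sample data, not Janco's tooling; the entitlement names, the employee record fields and the sample users are assumptions made for the demonstration.

```python
"""Access review for two internal-control gaps: segregation of duties in
accounts receivable, and entitlements that outlive a move or a departure.

Added example with constructed data (not Janco's tooling). Entitlement names
such as "ar:authorize" and the record fields are assumptions for the demo.
"""
from dataclasses import dataclass

# Duties that must not all sit with one person (segregation of duties).
AR_CONFLICT_SET = frozenset({"ar:authorize", "ar:post", "ar:check_custody"})


@dataclass(frozen=True)
class Employee:
    user: str
    department: str   # current department
    active: bool      # False once the person has left the company


@dataclass(frozen=True)
class Grant:
    user: str
    entitlement: str
    granted_in: str   # department the person was in when the grant was made


def sod_violations(grants):
    """Users who hold every duty in AR_CONFLICT_SET at the same time."""
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.entitlement)
    return sorted(user for user, ents in held.items() if AR_CONFLICT_SET <= ents)


def stale_grants(employees, grants):
    """Grants that outlived a departure or a department change, with the reason.

    Returns (user, entitlement, reason) tuples in the order the grants were seen;
    reason is "unknown_user" (no HR record), "leaver" or "mover".
    """
    by_user = {e.user: e for e in employees}
    findings = []
    for g in grants:
        emp = by_user.get(g.user)
        if emp is None:
            findings.append((g.user, g.entitlement, "unknown_user"))
        elif not emp.active:
            findings.append((g.user, g.entitlement, "leaver"))
        elif emp.department != g.granted_in:
            findings.append((g.user, g.entitlement, "mover"))
    return findings


# Constructed sample data: alice holds all three AR duties, bob moved from
# finance to sales but kept an AR grant, carol has left, dave has no HR record.
EMPLOYEES = [
    Employee("alice", "finance", True),
    Employee("bob", "sales", True),
    Employee("carol", "finance", False),
]
GRANTS = [
    Grant("alice", "ar:authorize", "finance"),
    Grant("alice", "ar:post", "finance"),
    Grant("alice", "ar:check_custody", "finance"),
    Grant("bob", "ar:post", "finance"),
    Grant("bob", "crm:read", "sales"),
    Grant("carol", "ar:authorize", "finance"),
    Grant("dave", "hr:read", "hr"),
]

if __name__ == "__main__":
    print("SoD violations:", sod_violations(GRANTS))
    for user, ent, reason in stale_grants(EMPLOYEES, GRANTS):
        print(f"stale: {user} still holds {ent} ({reason})")
```

The review compares each grant against the current HR record rather than trusting the grant itself, which is what makes the "mover" case visible: bob's access was legitimate when granted in finance and only became a finding when his department changed. Running this on every HR change event, not just periodically, is what closes the gap the paragraph describes.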
Critical Success Factor in Web Implementation is Personalization
Personalization is recognized as a Critical Success Factor (CSF) for both e-commerce and non-commerce sites. Companies with an online presence are learning that they need to take action to learn more about their customers in order to increase customer loyalty, gain new followers and outshine the competition. More than 60 percent of the companies surveyed are prioritizing investments over the next year that will enable a more personalized Web experience.
There are several benefits companies can realize by creating a more personalized website experience. Cited by 69 percent of survey respondents, improved website engagement is at the top of the list. When businesses employ website personalization techniques, the visit becomes a two-way interaction. Instead of solely clicking or pushing his or her way through the site, the user is enticed or pulled through the site via personalization, thus increasing website engagement.
The second benefit, according to 62 percent of survey respondents, is improved brand image. Visitors think highly of businesses that anticipate their needs and appeal to their individual interests. Finally, coming in third and fourth, 44 percent of respondents cite improved lead generation and decreased customer or website abandonment rates.
In order to provide a personalized Web experience and realize these benefits, companies need information about their visitors. Yet there are gaps identified when it comes to the information companies are currently able to collect. These gaps primarily exist around location, which inhibits the ability to offer visitors a personalized Web experience.
Happy employees make happy customers. Employee satisfaction and engagement are correlated to business outcomes.
Ponder for a moment the last person you hired. After you selected them, did they work out as intended? Or did they turn into somebody totally unlike what you thought when you interviewed them?
The most important aspect of any business is recruiting, selecting, and retaining top people. Research shows those organizations that spend more time recruiting high-caliber people earn 22% higher return to shareholders than their industry peers. However, most employers do a miserable job selecting people. Many companies rely on outdated and ineffective interviewing and hiring techniques. This critical responsibility sometimes gets the least emphasis.
Finding the right employees, providing them with the tools they need to do their jobs, keeping the good ones happy, and keeping them around is the job of the whole organization — even the CIO. Yet employees report significant dissatisfaction with the technology provided to them at work: the technology expectations gap. And that gap is more pronounced in Europe than elsewhere. With technology tools front and center in the minds of many employees, the CIO can play a critical role in steering the right course to attract and retain the company’s key assets — the workforce. That role requires close collaboration with HR to embed technology into the corporate culture, to enable and promote the use of technology across the organization, and to constantly evaluate the attitudes of the workforce in order to accommodate an ever-changing workforce.
Facebook is about to make a change to its privacy controls so that ANYTHING you have on their system is no longer yours. In essence they are saying WELCOME STALKERS. If there is ever an “alliance” with Google, nothing about you, your family, and your job will be private.
If you thought that the NSA data collection process was scary – this would even scare George Orwell.
Facebook is pulling the plug on a setting that allowed people to prevent others from finding them by name using the Facebook search bar, the company said. The setting was actually removed last year for people who weren’t using it, but it was left in place for those who were.
Not any longer. The setting will disappear for all users in the coming weeks, Facebook said. People still using the setting will see a notice on their homepage alerting them that it will soon be going away. Less than 10% of Facebook’s 1 billion-plus users were still using the setting, according to a Facebook spokeswoman.
Its disappearance means Facebook users will no longer have a way to prevent people from finding their Timeline on the site.
BYOD guidelines are just being defined, but one warning must rise above the din: never, ever, try to gain unauthorized access to an employee’s pri…
What is HIPAA
What is HIPAA and what does the FTC rule mean
Compliance Mandates – Security Manual Template Version 8.0 Released
Companies should also weigh the vulnerabilities associated with various cloud computing service and deployment models
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights…
Cloud Computing Service Level Agreement – Reaching agreement on the terms of service of a negotiated SLA for public cloud services can be a compli…
Security Issue Trends
PCI Compliance Security Issues
What’s needed for PCI compliance is a comprehensive, high-quality security policy. To that end Janco has a security policy template available for immediate download. Take a look at what’s included when ordering today from the company that’s helped thousands since 2009:
- Section I: Easy-to-understand, step-by-step process for achieving PCI compliance that’s been exclusively authored by payments experts with a focus specifically on merchants and service providers seeking clear and concise directions for PCI DSS certification.
- Section II: Detailed set of high-quality Policies and procedures developed specifically for PCI compliance as required by the PCI DSS standards themselves.
- Section III: Comprehensive PCI DSS information security manual as mandated by the PCI DSS standards for PCI compliance.
- Section IV: Certificate of compliance to be self-awarded upon meeting all requirements for PCI compliance.
- Section V: PCI security awareness training material for training all employees on important security issues, threats, concerns, and best practices.