Security not included: real lessons you should know about before you hire your next IT service provider

By Terry Cutler

A recent vulnerability audit and simulated hacking scenario on a website belonging to a small non-profit uncovered 25 possible vulnerabilities, and according to the director and his board of directors such a problem should never have occurred.

“When we created the site two years ago we assumed that our web developer would consider security of the site as a normal consideration,” said the director, who asked to remain anonymous for security reasons. “Actually, we are a small association with a small budget and a small website. Who would think that anyone would want our information?”

It is a prevailing attitude, one that has implications on the bottom line.

As the head of an association or business, you expect your outsourced IT group or web developer to be handling security, but are they really? The answer to that is a resounding no. Website creators or managed service providers are not in the business of testing or coding your website to security best practices.

It is assumed that they are.

Not long ago, I ran a 45-minute rapid audit for the website of a Door and Frames supply manufacturer and discovered a vulnerability that allowed an attacker to modify the website so that it would deliver an infected PDF file to every site visitor. Breaking it down, any visitor who didn’t have an updated Adobe Reader could be compromised. After contacting the web master I learned he didn’t feel the need to fix it or insert any protection.

“If I’m paying my outsourced IT group several hundreds of dollars a month, I assume they’re taking care of my security as well since it falls under IT. No one will hack my site because there’s nothing valuable on it,” said the owner of Doors and Frames.

The common theme in the industry is that providers have adopted a “sweep the incident under the rug” attitude as a best practise without advising the client. The hope is that it will go away. That assessment may be too harsh. Most developers are still making the transition from basic web development to development with security built in.

In the interim, directors and owners are caught staring like a “deer in headlights”.

Small businesses are the perfect victims for the unscrupulous, and this is directly linked to a small, and sometimes non-existent, security budget. The unscrupulous are not after your information; they want to use your systems as the middle man to break into others, more likely the systems of mega-companies with more to lose.

In other words, they are using your network to frame you.

The big problem for the unwilling and unknowing middle man is that when a security forensic team shows up and uncovers what happened, law enforcement will be paying you a visit, since it was your system, or someone you employ, that will be believed to have committed the crime.

Many small businesses are simply not aware of how vulnerable their sites are to hackers. While developers in the past were not trained to build in security, their roles are changing. More certified training is being offered, which lays the basic foundation required by all developers to produce applications with greater stability, posing less security risk to the end-user.


TANSTAAFL – “free” email accounts – oh really??

Going back in time for this one – prompted by a recent article in the Vancouver Sun and other places about a pending class-action suit (at least the plaintiff is asking for class-action status) regarding the “mining” of information from emails sent to and from so-called “free” email accounts.

So let’s get off the privacy bit for a minute – how many people REALLY believe that these accounts are made available out of the goodness of the hearts (if any) of these corporations?? Same goes for E-Post by the way!

Remember – There Ain’t No Such Thing As A Free Lunch

Browsers, search engines and all of the other so-called “free-ware” comes with the price that we leave footprints in the sand – crumbs on the forest floor (a la Hansel and Gretel) or whatever. Those bits of information are pure gold to these companies.

They indicate our taste in everything from food to entertainment to clothes to our political beliefs to where we bank to what we read and watch to the news we choose to believe to the x-rated websites we view – if you use an internet connection to do ANYTHING there is a trail to and from you to everywhere you go – and back. I hope no-one is really under any illusions to the contrary – and parents need to be VERY aware of their children’s usage. BTW, this also applies to texting on cell-phones, iPhones etc. – if it is electronic, there is a trace – just keep that in mind all the time.

All of these corporations sell the information they glean from our wanderings to other businesses so they can target us with their advertising and also help (at least in theory) in designing and creating new products and services.

So what can you do about it – short answer, virtually nothing! There are some commercially available software packages that promise browsing anonymity – but just think about that for a minute – too good to be true?? YES. Nothing can screen you or your on-line presence from someone or some entity that is determined to find out what we are doing in the world of floating electrons.

Another issue is wi-fi security. Unfortunately, many people with wireless/wi-fi connections in their homes leave their networks completely unprotected – no security – or use simple passwords like password, admin, administrator, etc. – believe it or not. As a fun exercise, take your wireless/wi-fi enabled laptop or notebook with you in your car. Drive around with your wireless/wi-fi radar enabled, and you will see lots of SECURED access points but also a high number of UNSECURED ones. Internet cafes are wonderful and convenient, but remember, you are in a public place using a public connection.

So how is this all about TANSTAAFL? Part of the cost we pay, although not in terms of absolute cash, is giving up some measure of privacy. You need to determine the value and worth of your privacy!

The Importance of Structured Data

The annual conference of XBRL US is winding up today in Austin, Texas. Many of the attendees at this conference are representatives of the public companies who must report their financial statements in XBRL (eXtensible Business Reporting Language) format to the Securities and Exchange Commission (SEC). XBRL is a form of structured data, which means it contains tags that provide information about the data, such as the standards followed in preparing it.

In the modern world of stock trading, structured data is important because it can be consumed by machines, or perhaps more accurately, by software. That means the data can be processed more quickly and in many ways speed has become incredibly important.

Traditionally, data aggregators and other intermediaries in the financial reporting process have taken the company data and re-formatted it in a form for their own purposes and passed it along to their clients – in effect structuring it themselves. But this is done in many different ways, and the process of structuring the data takes time and its usage is limited because only they know what they did to the data. XBRL is based on globally accepted standards, which means that once structured, it is more readily consumable – and therefore faster to process.
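To make concrete what “structured” and “machine-consumable” mean in the paragraphs above, here is an added example (not code from the page, from XBRL US or from the SEC) that reads a small, constructed XBRL-style instance document. The `xbrli` and `iso4217` namespace URIs are the real XBRL 2.1 ones; the `us-gaap` namespace URI, the CIK identifier and every figure are placeholders. Because each fact carries its concept name and references a shared, standard context and unit, software can check the document’s internal consistency and derive figures the filer never tagged, with no knowledge of how any particular aggregator laid out its tables.

```python
"""Read tagged facts from a small XBRL-style instance document.

Added example, not code from the page, from XBRL US or from the SEC.
The instance document is constructed: the xbrli and iso4217 namespaces
are the real XBRL 2.1 URIs, but the us-gaap namespace URI, the CIK
identifier and all figures are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "xbrli": "http://www.xbrl.org/2003/instance",         # real XBRL instance namespace
    "iso4217": "http://www.xbrl.org/2003/iso4217",        # real currency-unit namespace
    "us-gaap": "http://example.com/placeholder/us-gaap",  # placeholder, not the real taxonomy URI
}

# Constructed two-period balance-sheet excerpt. Contexts (who/when) and
# units are declared once and referenced by every fact.
SAMPLE_INSTANCE = f"""\
<xbrli:xbrl xmlns:xbrli="{NS['xbrli']}" xmlns:iso4217="{NS['iso4217']}"
            xmlns:us-gaap="{NS['us-gaap']}">
  <xbrli:context id="FY2011">
    <xbrli:entity>
      <xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2011-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:context id="FY2010">
    <xbrli:entity>
      <xbrli:identifier scheme="http://www.sec.gov/CIK">0000000000</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2010-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="USD"><xbrli:measure>iso4217:USD</xbrli:measure></xbrli:unit>
  <us-gaap:Assets contextRef="FY2011" unitRef="USD" decimals="-3">1250000</us-gaap:Assets>
  <us-gaap:Assets contextRef="FY2010" unitRef="USD" decimals="-3">1100000</us-gaap:Assets>
  <us-gaap:Liabilities contextRef="FY2011" unitRef="USD" decimals="-3">700000</us-gaap:Liabilities>
  <us-gaap:Liabilities contextRef="FY2010" unitRef="USD" decimals="-3">650000</us-gaap:Liabilities>
</xbrli:xbrl>
"""


def parse_instance(xml_text):
    """Split an instance document into its contexts, units and facts.

    For filings fetched from an untrusted source, parse with defusedxml
    instead of xml.etree to block XML entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    xbrli_prefix = "{" + NS["xbrli"] + "}"

    contexts = {}
    for ctx in root.findall("xbrli:context", NS):
        period = ctx.find("xbrli:period", NS)
        instant = period.find("xbrli:instant", NS)
        if instant is not None:                    # point in time (balance sheet)
            contexts[ctx.get("id")] = instant.text
        else:                                      # duration (income statement)
            start = period.find("xbrli:startDate", NS).text
            end = period.find("xbrli:endDate", NS).text
            contexts[ctx.get("id")] = f"{start}/{end}"

    units = {u.get("id"): u.find("xbrli:measure", NS).text
             for u in root.findall("xbrli:unit", NS)}

    facts = []
    for el in root:
        if el.tag.startswith(xbrli_prefix):        # a context or unit, not a fact
            continue
        dec = el.get("decimals")
        facts.append({
            "concept": el.tag.rpartition("}")[2],  # local name, e.g. Assets
            "contextRef": el.get("contextRef"),
            "unitRef": el.get("unitRef"),
            "decimals": None if dec in (None, "INF") else int(dec),
            "value": int(el.text),
        })
    return {"contexts": contexts, "units": units, "facts": facts}


def reference_errors(instance):
    """Integrity check the standard makes possible: every fact must point at
    a declared context and unit. Returns one message per dangling reference."""
    errors = []
    for f in instance["facts"]:
        if f["contextRef"] not in instance["contexts"]:
            errors.append(f"{f['concept']}: unknown contextRef {f['contextRef']}")
        if f["unitRef"] not in instance["units"]:
            errors.append(f"{f['concept']}: unknown unitRef {f['unitRef']}")
    return errors


def equity_by_period(instance):
    """Derive a figure the filer never tagged (Assets - Liabilities) per period.
    Works across filers because concept names and contexts are standardized
    rather than invented by each aggregator."""
    by_period = {}
    for f in instance["facts"]:
        period = instance["contexts"].get(f["contextRef"])
        if period is not None:
            by_period.setdefault(period, {})[f["concept"]] = f["value"]
    return {p: v["Assets"] - v["Liabilities"]
            for p, v in by_period.items()
            if "Assets" in v and "Liabilities" in v}


if __name__ == "__main__":
    inst = parse_instance(SAMPLE_INSTANCE)
    print(reference_errors(inst))   # []
    print(equity_by_period(inst))   # {'2011-12-31': 550000, '2010-12-31': 450000}
```

The point of `reference_errors` is that a tagged document can be checked mechanically before anyone trusts its numbers; a fact whose `contextRef` names a period that was never declared is caught immediately, something a reformatted spreadsheet from an intermediary offers no way to do.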

At present, the SEC requirements for structured data are mostly related to the financial statements. There are early indications, however, that they may be interested in looking at expanding the requirements to include other financial data, such as the MD&A, Proxy Information and Earnings Releases. There is a demand for this information. Eventually the structured data will be available for non-financial information as well.

In a study recently carried out by Columbia University, not yet published, in which they surveyed a large number of analysts and other users of data, it was found that 87% of them make use of non-financial data. That would be data pertaining to, for example, government productivity reports or sustainability information.

Because it is well known that such information is widely used in making investment decisions, an emerging trend in financial reporting is towards the idea of Integrated Reporting, in which companies actually integrate their financial information, such as financials and the MD&A, with their non-financial information, such as sustainability information, in a single “integrated” report. Ultimately, structured data will be available for integrated reports, which will mean faster, better and more comprehensive information for investors. Since it will be processed by computers, inequities that currently exist in the distribution of information to investors will be substantially reduced, making a more level playing field for everyone.


When Internet security takes a back seat

By Terry Cutler

Why is it that those in charge of protecting the company’s security network, that database of sensitive customer data – bank cards, credit cards, bank accounts and personal information – don’t seem to spend the money to protect it? This is a question that is baffling to those in the data protection business, and may be more baffling in the years ahead.

CEOs and Chief Security Officers (CSOs) do not always see eye-to-eye on this problem. The CEO is budgeting the overall books, while the CSO is focused on his task, and can only submit for his budget. This is understandable. However, a recent survey released by Core Security highlights and demonstrates this separation in views of the security stance of the same company, a stance that has the potential to drop a company in a “click”.

Staggering is the first word that comes to mind after a quick read of this benchmark. Only 15 percent of CEOs said they were very concerned about an attack on their network, and didn’t think their systems were under attack or even compromised. There is a large gap between CEO and CSO thinking.

Sixty percent of CSOs reported being very concerned about attacks and reported their systems were already penetrated. Yet with all the breach threats filling the news, and the dollars lost rising with each attack, or even a threat, the report unearthed that 36 percent of CEOs don’t deem it necessary to get a security briefing from members of their own security team. It is inevitable. With large customer databases becoming the norm at big companies, the norm for hackers is to go after the company. Decide this at the board level, or decide how to fix it later, at a cost of reputation, customers and millions.

It isn’t fashionable to call Internet security unimportant, yet CEOs continue to scoff at funnelling money in that direction. This is risk management of the grandest form. One breach can cost millions. As I have written in previous blogs, that extra money may go to training that one employee not to “click”, or maybe not?

It’s the CEO’s call.

When the complacent CEO gets hacked

By Terry Cutler

When that home phone rings at a time of morning when sleep has moved into deep R.E.M., and the text messages start appearing, it can only mean one thing to a CEO: there is a problem with the company’s security net. This could cost millions.

From best-case scenario to worst, you go over it in your head. Best case? The security team caught a small breach. It isn’t enough to be overly alarmed, but it does warrant a phone call. Worst? Your monitoring system has spotted what security is calling “highly” suspicious activity over the company network. They are addressing the problem.

When the phone is answered you are told it is the latter, and the situation is expected to get worse.

This could mean even bigger money problems. Nasdaq, Sony, Citibank: their hacks cost millions. Citibank’s hack attack in June of 2011 exposed personal information about some 200,000 customers. Since 2005, some 533 million personal records have been exposed, according to the Privacy Clearing House. Sony’s 2011 PlayStation hack is now reported to have put the personal data of up to 70 million people in jeopardy. Sony’s cleanup was estimated at 2 billion dollars.

In the meantime, the overnight customer service representative is reporting more than the usual complaints of unauthorized debits to customers’ credit cards and bank accounts, and your customer service department is overloaded with irate customers.

Your next move? Admit it: you’ve been hacked.

Three credit card companies are on hold. Enough, you say. You’ve known all along, and you are on your way to work, the longest drive of your life. The year 2011 has been called the year of the hack, or at least more companies are admitting their security had been breached. Time to minimize the damage. On the drive to the office, you order company representatives to post a notification letter on the website, explaining the situation and assuring customers that the company is working on the problem. Offer credit-rebuilding services, flag unauthorized use of credit cards, and offer free stuff.

As CEO, you are aware of the value of reassuring customers and keeping them as valued customers. It’s the company’s bread and butter. A company’s reputation is founded on how customers are treated, and including them in the problem through notifications will help maintain the established reputation. Your head security consultant meets you at the door. He informs you that the hack is not as bad as first thought. In fact, only a few files were lifted, but the network was breached, and the consultant reminds you that security is not a reactive game, but one with a proactive approach.

What he is saying is budget more money for security – it’s better that way. Or pay the price of a large-scale hack!

The decision is clear, or is it?

Next week: why companies don’t budget for an eventual hack

Follow me on Twitter: @terrypcutler


Why the Cloud Will Change Our Lives

We are on the cusp of yet another internet based revolution. This time, it’s the cloud – that term we see used so often to denote the ability to process and store data over the internet.

There are several versions of cloud computing, including Software as a Service (SaaS) and Infrastructure as a Service (IaaS) among others. The idea is that instead of buying computer equipment or solutions, you rent them over the internet.

For almost ten years now, companies have been jumping onto this bandwagon, most notably in the past few years. The cloud enables them to do more than they ever thought possible, simply because they don’t need to invest in the infrastructure that would be required if they did everything themselves. Instead of spending millions on new IT systems, purchasing and implementation, they just rent the systems and work with the providers to get what they want.

There are several cloud providers, including Amazon and Google. Amazon’s AWS system is widely used by business. It employs some 450,000 high-end servers; Google employs approximately double that. The computing power thus represented is mind-boggling.

Mostly, companies have been using such services to provide them with the computing power they need in peak seasons, or to install major new applications, like ERP and CRM, without enduring the costly implementation process that caused so many problems a decade ago.

But there is another aspect of these immensely powerful systems that is only beginning to be felt. That’s the ability to do High Performance Computing, or what used to be called Massive Scale Computing. That is what one start-up company, Climate Corporation, is doing: it serves the crop insurance industry by performing simulations of the weather for the next two years in more than one million locations in the US.

In one way or another, huge amounts of data are available on the internet. The massive scale computer systems are out there in the cloud too. The more we put the two together, the more we can move into a new realm where no job is too large, where virtually anything is possible.

Data is becoming at one time both the most valuable resource in the world and the cheapest. Massive computer systems, and particularly the people to run them, are not cheap. But the cloud removes these barriers and enables us to access and analyze data to an extent we never even dreamed of a few years ago. With the “big data” phenomenon, companies are starting to realize this by, for example, mining social media for customer information. But they have only just scratched the surface.

If you want to prepare a comparative analysis of the performance of all public companies for the past ten years on your laptop at home, nothing to it. The data and the infrastructure are there, just waiting to be pulled together.

Massive scaling in the cloud. It’ll change everything. Again.


Companies guarantee our phones are secure? Really?

By Terry Cutler

Just how fast is technology moving? At lightning speed, say security specialists, and when it comes to online security it’s moving too fast. We cannot keep up. The example is our growing use of mobile devices. In today’s world of business the Smartphone is fast becoming the gateway to sales, customer communication and operations. These mobile devices also double as the tool for personal banking, social media and emails.

According to several reports, there are now 5.9 billion mobile-phone subscribers across the world. Returning to the Ponemon Institute study I referred to in my last blog, six out of every 10 cyber-security breaches can be linked to our mobile devices. Mobile device intrusions have increased by 155 percent. The speed at which mobile breaches are occurring, according to the study, has increased 3,325 percent over a seven-month period in 2011.

How does one control how corporate Smartphones are used? Let’s start by knowing what applications the users are installing and running.

But our phones are secure, right?

Why would such reputable companies develop and mass-market unsafe products? The product itself may be somewhat safe, but the apps and other add-on products that are for sale are outside the control of the device manufacturer.

The Android Market, BlackBerry App World and Apple’s App Store, run by three reputable, leading companies, all present themselves as safe, but outside, or third-party, products may carry malware that could wreak havoc on a Smartphone.

Consider that almost one third of the applications available from the Android Market or Apple App Store require access to users’ location data, according to the App Genome Project, an effort intended to help keep mobile phone users secure.

Briefly, the App Genome Project (AGP) is an ongoing project that has scanned nearly 300,000 free applications, and mapped out nearly 100,000 applications available in both Android Market and the App Store.

The list of apps available seems endless. The project reported that the number of apps available on the Android Market increased by a whopping 127 percent since August 2010, while the Apple App Store grew at a rate of 44 percent. It is interesting to note the numbers for one reason: if the growth rate continues at the same pace, the Android Market will have more apps than the Apple App Store by Christmas of 2012, the project estimates.

Next week: “Mr. CEO you’ve been hacked! Now What?”

What should every CEO know?

By Terry Cutler

Security was once equal to a magnetic swipe of a plastic card along with a friendly wave to the neatly dressed and overworked security guard. In some companies “loose lips sink ships” meant don’t talk business outside the office. In some cases, employee movement was tracked at every company door by logging the employee’s magnetic card.

That was security.

These days, security means Internet and Smartphone security, and it is a whole new ball game with billions at risk. “Loose lips sink ships” now applies to employees’ social networking, not talking online with strangers, and recognizing a phishing attempt.

But what do employees understand about spyware, Trojans (other than what they read in the media), phishing attacks, spamming and hacking techniques? Company CEOs are dealing with this and are offering in-house training to raise the security awareness of their employees. The premise is that knowledgeable workers who have acquired security training will develop a vigorous defense against outside intrusions.

This is what today’s CEO needs to know: both the threat to his security and his weapon against that threat are the employees.

These employees bring greater value to the workplace, and can be extraordinarily productive and efficient, adding value to the company by helping build one that has few or no security breaches.

It isn’t as complicated as some are led to believe. Do employees need to be certified ethical hackers? No, but employees can learn to determine whether an email is legit or not, and to recognize a phishing attack.

Yes, companies can even go further by providing high-level security training that could lead to security certification; the cost has to be weighed against the number of employees leaving the company. High-level training can be a large expense, yet the return in security could reap rewards.

So there is no question that today’s business is based on, or moving towards, online operations. In the last three years the drive to protect customer data has been gathering the same speed, and while CEOs have the entire security system to lose sleep over, employee training in security should not be overlooked.

Next week, the myth that companies can guarantee Smartphone security

Why Social Media is an Investment Game-changer

Social media is changing the world, that’s no secret. Twitter, Facebook, LinkedIn, YouTube and others all attract more users every day and the range of uses continues to grow – from forcing change in governments to just keeping in touch with friends and family.

A key aspect of social media is that it is essentially interactive, allowing for fast communication with stakeholders and for feedback from them.

While many companies have been slow to use social media for conveying investor information, this is changing. Twitter is now commonly used for releasing quarterly earnings reports and for making important announcements. Numerous companies have Facebook pages, which extend beyond investor information but often do include it as well. And the interaction on Facebook between the company and its stakeholders can be revealing and sometimes even act as a forerunner of significant stock price changes.

Many companies are also using LinkedIn, a social media site that tends to cater more to professionals and business people. They use SlideShare for sharing key presentations, YouTube for sharing videos of annual meetings and executive presentations, and StockTwits to channel important investor information to stakeholders and numerous stock outlets for financial news.

What this means is that investors have a variety of new information sources, which can be received on a very timely basis and which can be very revealing about a company. It’s an interactive medium where you can see the responses and complaints of customers and observe how the company is handling them. It’s a medium that levels the playing field. A medium that is showing signs of becoming a major force in Investor Relations.

A less obvious result of the growing use of social media is the vast amount of information that becomes available online about a company and its customers, investors and other stakeholders. This information is tremendously valuable to the companies themselves.

The difficulty, however, is the sheer volume of that information. This is where the concept of Big Data comes in – a concept that has been receiving extensive attention in the world of corporate information systems. Companies are mining the data becoming available through social media and analyzing it for purposes of evaluating their strategies in dealing with stakeholders – from customers to green advocates. There has been a huge emphasis in many companies on installing new “Big Data” tools that can be used to feed the data into their Business Intelligence and Customer Relationship Management systems.

So social media represents not only a new means for stakeholders to interact with a company, it also provides a vast array of information that is being used to help shape future strategy and policy. That’s true interaction and something that is changing the way both the stakeholders and the companies behave – a true game-changer.

Why the Web is Good for Investors

By Gerald Trites, FCA

The Web has become a prime source of information for investors in making serious investment decisions. In particular, the Investor Relations sections of corporate websites contain much of the information needed to make a decision to invest, to hold or to sell.

At one time, printed annual reports were the primary source of information for investors, analysts and other intermediaries. But now, although they are still being used, they have been replaced by the Web. The reason is that the annual (and interim) reports are always included in the websites, but there is a lot more information there than ever before, which amplifies and complements the formal reports. And the information is a lot more accessible, usable and varied.

But now investors have a quandary. With all this rich information to work with, how do they avoid getting lost in all that detail? What should they look for? What is the most important information? And how do they use it?

The most obvious information is usually heavily reported in the press. This includes net earnings, earnings per share, dividends paid and the dividend yield. But that’s only the tip of the iceberg. What you really want to know is how sustainable these earnings are, and whether they are heading up or down in future periods. These are broad issues, and involve tying together a range of information in making decisions.

Companies have been working hard to improve their IR websites to help investors deal with these challenges. They try to make their sites friendly, informative and easy to navigate. Many have also been innovative in presenting information to investors in new ways. For example, the Data Tool on the site of Potash Corporation, one of the leaders in financial reporting, represents a recognition that investors want to have data they can download and analyze on their own terms. Other leading companies like Agnico-Eagle are doing the same.

Most companies have at the beginning of their IR section a series of key performance indicators. Often these indicators are unique to their industry and can help to provide a roadmap for the investor’s investigation. Sections like the CEO’s Report often speak to significant changes in these indicators. Of course, the financial statements are crucial and deserve a thorough reading. Many of the companies provide them in HTML format. The advantage of this, as opposed to the provision of PDF versions, is that individual items can be linked to the relevant notes to the financial statements and to the MD&A, which provide more explanation of the changes in the numbers and, in the case of the MD&A, more forward-looking information to help in making judgments about the future. And most of the websites include the proceedings of analyst conference calls, which often provide timely and relevant information about recent results and plans for the future.

Drilling down is a fundamental characteristic of the Web and drilling down from the key indicators to the detailed information that helps to explain them is a logical and effective means of investment analysis.