Osterman Research Blog

What Happens When You Leave (Either Your Company or Earth)?
March 28, 2014, 10:11 pm
Filed under: Uncategorized

Years ago, a New Yorker (?) cartoon depicted a widow and her deceased husband’s boss standing at the graveside of the newly departed. The boss turned to the now-deceased employee’s wife and asked, “I know this is an awkward time, but did he ever mention source code?”

Somewhat in that vein, I had an interesting discussion at MacWorld/iWorld with Allison Sheridan, who runs the NosillaCast Mac podcast, and then followed this up by attending her talk (the only talk I have attended at a conference with “death” in the title). Allison recounted the experience of Tim and Alice Verpoorten. Tim, the geek in the family, died and left his wife Alice (a non-geek) with a large amount of stuff – old Macs, routers, cables, diskettes and a variety of other material for which she had no use. Worse, Alice had no access to Tim’s email accounts, cloud-service passwords and the variety of other things that would have proven extremely useful after Tim’s demise. Long story short, Allison condensed the Verpoortens’ experience (as well as that of her and her husband, who helped dispose of this stuff) into four questions that we should all heed:

  • Who could access your passwords if something happened to you?
  • What services should you continue if you were incapacitated or worse?
  • How organized are your electronics?
  • What could you document to protect your interests and give your family/friends a helping hand?

This raises an important issue – and a number of questions – for business and IT decision makers for those situations in which their employees leave (regardless of how they do so):

  • Do these employees have corporate content stored away somewhere that is inaccessible to the company? Places like USB sticks, personal cloud storage accounts, home computers, personal smartphones and tablets, .PST files, etc.?
  • What are the consequences of the company not being able to access this content – or not even knowing it exists?
  • What steps are you, as a business or IT decision maker, taking today to ensure you know where your data is and that you have complete and unfettered access to it?
  • Do you have a succession plan in place that defines who owns Twitter followers, Facebook posts and content that has been posted to social media?
  • Have you consulted your legal counsel about your rights and obligations as an employer to ensure you have all of the data to which you’re legally entitled?
  • Employees, are you operating in compliance with the law and corporate policy in the context of how and where you store company-owned data?
  • Employers who hire people from other companies, do you know what these individuals are legally entitled – and not entitled – to bring with them? Are you sure you’re protected if these new employees use confidential or proprietary data from their previous employer?

These are the kinds of questions that organizations should address in order to protect against their key employees’ untimely demise or some other departure from the company. This is simply part of good information governance. Moreover, Allison’s experience is part of good life governance. We should all take steps to start pursuing both.

Should You Archive Social Media Content?
March 21, 2014, 10:46 am
Filed under: Uncategorized

Many organizations are not aware of their regulatory obligations to retain social media content, and this lack of awareness can result in serious problems. While the focus of social media management and control today is skewed heavily toward financial services, it is expanding into other heavily regulated industries as well.

Archiving is an essential component of social media control and management for the simple reason that, from a legal or regulatory perspective, electronic content in a Facebook post or tweet is fundamentally no different than email or other electronic content. For example:

  • In Armstrong v. Shirvell, the defendant requested “[a] complete copy of all communications between you and the following individuals… whether it be on Facebook, in a blog, via e-mail, text message, voicemail, letter, facsimile, or anywhere else…”
  • In Calvert v. Red Robin International, Inc., the plaintiff was ordered by the court to “bring all materials, electronic or otherwise, including e-mails, Facebook messages, and any other communications he has had with putative class members in this action”.
  • FINRA Regulatory Notice 10-06 states that “Every firm that intends to communicate, or permit its associated persons to communicate, through social media sites must first ensure that it can retain records of those communications as required by Rules 17a-3 and 17a-4 under the Securities Exchange Act of 1934 and NASD Rule 3110.”
  • In addition to Notice 10-06, there are a number of other financial services-focused regulatory obligations, including FINRA Notice 11-39, NASD 2310 and FINRA Rule 2210(c)(6). In addition, the SEC offered advice in a January 2012 National Examination Risk Alert about how investment advisers should use social media.
  • In early 2014, the US Food and Drug Administration issued guidelines for the use of social media in advertising and marketing by pharmaceutical companies. These guidelines focus on a wide range of social media, including blogs, social networks, live podcasts and other platforms.
  • The Government of Queensland (Australia) has published its opinion that “Public authorities that embrace social media must manage the content created in accordance with the recordkeeping requirements of the Public Records Act 2002, Information Standard 40: Recordkeeping and Information Standard 31: Retention and Disposal of Public Records.”

Although relatively few organizations archive corporate-sponsored social media content like Facebook posts or tweets, and even fewer archive employees’ personal social media posts, there are some use cases to consider, as in the following examples:

  • If an employee is terminated for an offensive post he or she made on a non-work-related social media page, the employer must be prepared to defend its actions. A case in point is that of Lindsey Stone, who was terminated because of a photo she posted on Facebook mocking the Tomb of the Unknown Soldier at Arlington National Cemetery. An archive of the social media content used to make a termination decision – if it can be produced in context and authenticated – may prove valuable in helping an organization justify its decision if that decision is ever challenged in a legal action.
  • A 2012 survey by CareerBuilder found that almost 40% of hiring managers use prospective employees’ social media posts to evaluate them, and many reject applicants based on their discovery of objectionable content in those posts. However, Title VII of the Civil Rights Act of 1964 prohibits employers from discriminating against prospective employees based on their race, color, religion, sex, pregnancy or national origin. If a hiring manager evaluates prospects’ social media posts that might include references to their national origin or their participation in a gender-based organization, how will he or she prove that this “off-limits” information was not taken into account if the employer is accused of failing to hire someone because of this information? If the organization has a process that a) has someone outside of the HR department cull information from the social media stream that cannot legally be evaluated, b) presents only this data to HR, and then c) archives this content, it will be better able to defend itself against charges of illegal hiring practices because it can demonstrate, through its archived content, that HR managers evaluated only legally relevant information. Archiving probably will not insulate the organization completely from charges of illegal hiring practices, but it will allow it to present evidence that it is complying with the law.

The bottom line is that even if an organization does not have a specific regulatory or other obligation to retain social media content today, it should seriously consider doing so as a means of protecting the organization and managing the risk it faces from the growing use of social media, both official and unofficial.

Smarter Authentication
March 13, 2014, 1:50 am
Filed under: Uncategorized

Robust and reliable authentication is the essential first line of security for any application or system. Make authentication too difficult and users won’t use your solution; make it too easy and bad guys will.

There are various flavors of authentication, from simple username/password solutions through multi-factor and risk-based authentication systems that provide very high levels of security. Here are a couple of noteworthy solutions – both of which have been available for quite some time – that should be on your short list if you’re trying to protect an application, a network or your data:

  • TextPower offers an elegant solution called TextKey that provides an interesting twist on two-factor authentication. Many banks, cloud providers and others offer two-factor authentication that sends a code to your mobile phone and asks you to enter it after you’ve entered a username and password. While this scheme does provide an added layer of security, it’s still subject to man-in-the-middle or man-in-the-browser attacks and other hacking exploits. However, what TextKey does is reverse the process for using a mobile phone for authentication purposes: instead of receiving a code via mobile to enter into a browser, the secure application displays a code and asks the user to text it to the application. Because every mobile phone has a Unique Device Identifier (UDID), the mobile carrier will not send the SMS message if someone is trying to spoof the system because the sending mobile number (already stored in the application’s database) and the UDID must match. In short, authentication cannot take place simply because a bogus user cannot get their SMS through. TextKey also uses a number of other authentication criteria to provide very solid protection against hackers and others.
  • Confident Technologies has developed an authentication solution that studies have proven to be quite secure despite its simplicity. Instead of entering a password, the user identifies images belonging to categories he or she memorized earlier. For example, when setting up access to an application, a user selects three categories of images, such as planes, rockets and dogs. When he or she attempts to access a system, a grid of images is presented, and the user selects the images that correspond to the predetermined categories. The images change each time access is attempted, but always remain consistent with the user’s predetermined choices. The company also offers an image-based CAPTCHA system, far better than the text-based solutions that are widely deployed. Studies have shown that image-based authentication is easier to use than password-based systems and is more resistant to brute force attacks and dictionary attacks. In one study, users were asked to set up text-based passwords and image passwords. After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Add to this the fact that image-based systems are also more resistant to keystroke loggers, a serious problem for many.
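The TextKey flow just described, as an added server-side illustration (this is not TextPower’s code): the application shows a code, the user texts it back from the enrolled number, and the gateway-facing handler accepts the login only when the originating number, the code, its age and its single use all check out. The enrolled number, the 120-second lifetime and the three-bad-codes limit are assumed values; the carrier-side number/device check the post describes happens upstream of this code.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed lifetime of a displayed code
MAX_BAD_CODES = 3        # assumed limit before a challenge is discarded


@dataclass
class Challenge:
    code: str
    issued_at: float
    bad_codes: int = 0


class ReverseSmsVerifier:
    """Server side of the 'text the code to us' factor described above."""

    def __init__(self, enrolled_numbers, now=time.time):
        # enrolled_numbers: username -> mobile number stored at enrolment, i.e. the
        # "sending mobile number already stored in the application's database".
        self._number_of = dict(enrolled_numbers)
        self._user_of = {num: user for user, num in self._number_of.items()}
        self._pending = {}        # username -> Challenge currently on screen
        self._completed = set()   # usernames whose SMS has been accepted
        self._now = now           # injectable clock so expiry can be tested

    def issue_challenge(self, username):
        """Step 1: after the password check, mint the code the page displays."""
        if username not in self._number_of:
            raise KeyError(f"{username!r} has no enrolled mobile number")
        code = f"{secrets.randbelow(10**6):06d}"   # six digits from a CSPRNG
        self._pending[username] = Challenge(code, self._now())
        return code

    def handle_inbound_sms(self, sender_number, body):
        """Step 2: called by the SMS gateway for each message it delivers.

        The account is identified by the *originating* number, not by anything
        typed into the browser; the carrier-side number/device check the post
        mentions is assumed to have happened before the message reaches us.
        """
        username = self._user_of.get(sender_number)
        if username is None:
            return "REJECT:unknown-sender"
        chal = self._pending.get(username)
        if chal is None:
            return "REJECT:no-challenge"
        if self._now() - chal.issued_at > CODE_TTL_SECONDS:
            del self._pending[username]
            return "REJECT:expired"
        if not hmac.compare_digest(chal.code.encode(), body.strip().encode()):
            chal.bad_codes += 1
            if chal.bad_codes >= MAX_BAD_CODES:
                del self._pending[username]    # stop guessing against one code
            return "REJECT:bad-code"
        del self._pending[username]            # every code is single-use
        self._completed.add(username)
        return f"OK:{username}"

    def login_completed(self, username):
        """Step 3: the browser polls this until the SMS has been accepted."""
        if username in self._completed:
            self._completed.discard(username)  # consume the completion once
            return True
        return False


if __name__ == "__main__":
    # Constructed walk-through: one enrolled user and a fixed clock.
    clock = [1_000.0]
    v = ReverseSmsVerifier({"alice": "+15550001111"}, now=lambda: clock[0])
    shown = v.issue_challenge("alice")
    print("page shows:", shown)
    print(v.handle_inbound_sms("+15559990000", shown))   # REJECT:unknown-sender
    print(v.handle_inbound_sms("+15550001111", shown))   # OK:alice
    print(v.login_completed("alice"))                    # True
```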

Authentication is a necessary evil, but there are solutions that can offer greater security while not making life more difficult for users.
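Picking up the Confident Technologies image-category scheme from the list above, an added illustration (not the company’s code) of one login round: the server builds a grid of 12 images containing exactly one image per enrolled category plus decoys from other categories, keeps the answer server-side for a single attempt, and checks the selection. The image pool, the grid size and the one-image-per-category layout are assumptions.

```python
import math
import secrets

# Constructed image pool: image id -> category.  A real deployment has a large,
# regularly refreshed pool; a few categories suffice to show the mechanism.
IMAGE_POOL = {
    "img-001": "plane", "img-002": "plane", "img-003": "plane",
    "img-010": "rocket", "img-011": "rocket", "img-012": "rocket",
    "img-020": "dog", "img-021": "dog", "img-022": "dog",
    "img-030": "cat", "img-031": "cat",
    "img-040": "car", "img-041": "car", "img-042": "car",
    "img-050": "boat", "img-051": "boat",
    "img-060": "tree", "img-061": "tree", "img-062": "tree",
}
GRID_SIZE = 12
_rng = secrets.SystemRandom()   # CSPRNG so grids are not predictable


def build_challenge(enrolled_categories, pool=IMAGE_POOL, size=GRID_SIZE):
    """Return (grid, answer) for one login attempt.

    Assumption: exactly one image from each enrolled category is placed in the
    grid and every other cell is a decoy from a category the user did not
    enrol, so the correct answer is unambiguous and differs on every attempt.
    """
    by_category = {}
    for image, category in pool.items():
        by_category.setdefault(category, []).append(image)
    targets = [_rng.choice(by_category[c]) for c in enrolled_categories]
    decoy_pool = [img for img, cat in pool.items() if cat not in enrolled_categories]
    grid = targets + _rng.sample(decoy_pool, size - len(targets))
    _rng.shuffle(grid)
    return grid, frozenset(targets)


def guess_space(size=GRID_SIZE, picks=3):
    """Number of distinct selections a guesser must cover for one grid."""
    return math.comb(size, picks)


class ImageAuthServer:
    """Issues one grid per attempt and checks the submitted selection."""

    def __init__(self, enrolled):
        self._enrolled = dict(enrolled)   # username -> list of category names
        self._rounds = {}                 # round id -> (username, answer)

    def start_round(self, username):
        grid, answer = build_challenge(self._enrolled[username])
        round_id = secrets.token_hex(8)
        self._rounds[round_id] = (username, answer)
        return round_id, grid              # only the grid goes to the client

    def finish_round(self, round_id, selected):
        entry = self._rounds.pop(round_id, None)   # one attempt per grid
        if entry is None:
            return False
        _username, answer = entry
        return frozenset(selected) == answer


if __name__ == "__main__":
    server = ImageAuthServer({"alice": ["plane", "rocket", "dog"]})
    rid, grid = server.start_round("alice")
    print("grid:", grid, "| selections per grid:", guess_space())
    picks = [img for img in grid if IMAGE_POOL[img] in ("plane", "rocket", "dog")]
    print("accepted:", server.finish_round(rid, picks))   # True
```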

The Need for Better .PST Management
February 27, 2014, 5:06 pm
Filed under: Uncategorized

Email contains a wealth of critical business information. The importance of email to the typical information worker and his or her resulting use of email to create and manage a large proportion of business content means that using and migrating email must be risk-free and non-intrusive to users.

Osterman Research surveys of end users have repeatedly found that the typical corporate email user spends approximately 150 minutes per day working within their email client – sending or receiving email messages, searching for content, managing contacts, managing tasks, using email as the default information filing system, etc. Moreover, email remains the primary file transport system in most organizations, used to convey important business documents like purchase orders, contracts, proposals and the like – as such, it often becomes a key repository of this content, as well.

As a result, email is the most important single source of business content in most organizations.

In Exchange environments, .PST files are commonly employed by end users for a variety of reasons: to store email locally so that mailbox-size quotas are not exceeded, to allow messages to be easily transportable between mail systems, for purposes of email backup, or because users want to maintain a personal archive of corporate information. Microsoft effectively encouraged the use of .PST files by increasing the maximum size of these files tenfold to 20 gigabytes beginning with Outlook 2003.

Because .PST files are used extensively in Exchange environments, they are a significant repository of corporate content and house much of the critical business information to which organizations must have access.

A recent survey we conducted found that 36% of users in the organizations surveyed store email locally in .PST files. Further, we found that the median size of a .PST file in these organizations is 1.3 gigabytes, the equivalent of more than 100,000 email messages. However, some users maintain much larger .PST files – one large professional services firm, for example, maintains more than 4.5 GB of .PST content per user.

Although good .PST management is essential, many organizations are not following best practices in two key areas.

  • First, our research found that users store .PST files in a number of disparate locations, including their desktop machines, laptops, local file servers and cloud-based storage systems, among other locations.
  • Second, our research found that only 29% of organizations back up local .PST files to a central location, despite 65% or more storing .PST files on laptops or desktops.

The immediate consequence of this highly distributed storage of .PST files is that the business content contained in these files is not accessible to those who need it, such as legal counsel, senior managers, compliance officers or information auditors – or, in many cases, to the individuals who created this information.

For more information on our .PST research, please feel free to download a just-published white paper on the topic here.

You Should Monitor and Archive Social Media
February 6, 2014, 5:51 pm
Filed under: Uncategorized

Some gems of less-than-thoughtful expression gathered from Twitter this morning:

  • “Women lie so effortlessly…. My secretary just lied to a client about my availability so convincingly haha ah ya”.
  • “I am going to kill the next person I see.”
  • “My boss is stupid haha”.
  • “I want to kill my client. I just want to strangle him.”
  • “I would love to be raped by a woman.”
  • “a little reminder as to why we steal microsofts software…”.
  • “I came to subtle realization that white people are crazy and black people are stupid lol”
  • “It’s time to pass ENDA. I want to be fired because I insulted my boss on Facebook and stole from the company, not because I’m gay.”
  • “My boss is so stupid sometimes.  But I suppose if he was any smarter, I wouldn’t have a job.”

And another post from a now former “friend” on Facebook last night: “Is Justin Bieber the reason God still allows abortion? As a parent, I suggest they melt him and use the oil to grease the wheels of 100 coal cars in a Chicago train station!”

If you’re a decision maker for your company, ask yourself four questions:

  1. Is this the kind of material you would like your employees to be posting on social media, particularly when their social media presence is linked to your company in the minds of clients, prospects and others familiar with your business or brand?
  2. Are you absolutely certain that this kind of stuff is not being posted on social media via your company’s network?
  3. Do you have a formalized method for monitoring the content that your employees post to social media using your company’s network?
  4. Do you have an archive of every social media post that has traversed your corporate network over the past several years, as well as its context?

If you answered “No” to each question, you have a serious liability that you must address. A client could see an offensive post and cancel an order or simply not do business with your company in the future. An employee being sexually or racially harassed via Twitter could sue your company for millions of dollars. A single tweet could prompt an investigation from The Software Alliance or some other organization that investigates illegal use of software.

I strongly recommend implementing a social media monitoring solution that will actively monitor any social media content for offensive content, as well as an archiving solution that will capture social media posts sent via the corporate network. The monitoring solution is essential in order to make management aware of what is being sent on social media so that they can take corrective action and prevent this content from being sent, or at least discipline employees to ensure that it does not continue. The archiving solution is essential in order to preserve this content – and its context – in the event it is required for legal or regulatory reasons.

While these solutions won’t prevent employees from posting offensive content using non-company networks, you must do what you can to protect content that is sent over the facilities you control.

The bottom line: failure to manage social media content can be deadly to your business.

IBM Mail Next
January 29, 2014, 7:52 pm
Filed under: Uncategorized

At Connect 2014 (formerly Lotusphere) on Monday, IBM unveiled the next generation of its combination of email and social communications that it has dubbed “Mail Next”. Depending on the way you look at it, this is either the next generation of email that integrates with social business capabilities, or it’s social business that more tightly integrates with email. I view it as more of the former – a realization that email is central to the way that people work, but with some interesting social capabilities, task management and other functions integrated into the interface.

Although I have not had a chance to play with Mail Next because it has not yet been released, I like the concept and direction that it represents.

The fundamental goal of Mail Next is to bring together various email and social functions into a cohesive interface, thereby minimizing information overload by presenting what is most important to the user. Toward this end, and in keeping with a key IBM theme of the “Internet of People”, the interface includes a row of people icons across the top – the individuals that Mail Next thinks are most important to you based on your communication with them. Clicking on these icons reveals additional information, including a basic social graph of these individuals, your interactions with them and other relevant information.

My Kiwi-collaboration-expert-and-much-smarter-than-me colleague Michael Sampson and I were discussing Mail Next on Monday evening. His take, which you can (and should) read here, is that Mail Next, instead of using people icons, would be more useful if it provided icons that represented conversations. I partially agree. While having conversation icons across the top would be useful, the people-centric nature of social gives credence to IBM’s decision to focus on personal relationships in the context of Mail Next. That said, I would like to see Mail Next v2.0 (v1.1?) offer the ability to define these icons as people or conversations or projects or deadlines or whatever else is important to me, since many of us would find it useful to have any or all of these front and center in our primary communications and collaboration tool.

IBM has focused heavily on social for many years – last year the company introduced Notes/Domino Social Edition, the initial attempt at doing what Mail Next does in a more refined and useful way. I believe last year’s and this year’s introductions represent, to some extent, IBM’s move to refocus on email given its central importance for most information workers, its ubiquity and its utility. That’s not to say that IBM had abandoned email in favor of social, but this is more of a subtle shift in emphasis back toward email while not minimizing the importance of social. This opinion was corroborated by one of IBM’s most important Notes/Domino customers (who shall remain nameless only because I have not asked his permission to identify him).

To be sure, Mail Next is an important step forward in improving the management of email, conversations and social content, but I see it as more of a waypoint toward where IBM will take communications in the future. I would like – and expect – to see greater integration of IBM’s social analytics capabilities in Mail Next and more use of predictive analytics to tell me who should be involved in conversations or projects instead of who is a part of them.

In short, Mail Next represents an important step forward for both minimizing information overload by focusing first on what’s most important, and also because it integrates IBM’s social technologies with email in a very elegant way. It’s a nice offering that should be evaluated seriously by any IT decision maker that needs to help employees become more productive.

The Need for Messaging Intelligence
January 24, 2014, 11:32 am
Filed under: Uncategorized

Because email is used so extensively for communication, collaboration and content management by information workers and the organizations that employ them, it is the primary source of information about how information flows within a company, and between companies and their business partners. For example, email data stores contain:

  • Data on what information workers are doing during working hours. This information includes data on emails sent and received, to whom and from whom they are sent and received, files sent and received, how employees responded or did not respond to various communications, the tasks they assign to themselves or to others, the appointments they set, where they will be at specific times, requests that they make of others, etc. Moreover, because social media, real time communications, voicemail and other content types are often integrated with email, email archives often contain a wealth of information on other modes of communications used by employees.
  • Information about how they collaborate with fellow employees, customers, business partners and others.
  • Information about how employees support internal workflows and key business processes across the organization.
  • Information on when employees work.
  • Information on how employees work, such as sharing content with others or sending content to their personal accounts.
  • Information about whether or not employees are complying with corporate policies, such as appropriate use or data leakage policies.

Clearly, email is the primary source of information about content flows within an organization. Because decision makers rarely have the tools available to extract meaningful data from this rich content source, they lack much of the insight into their organizations that would help them to ask better questions, make better decisions about how to manage their companies, respond more effectively to customers, or satisfy their compliance obligations – just a few examples of how this information might be used. In short, decision makers need three fundamental capabilities:

  • Insight about what is being said and transmitted via email; who is generating, receiving and responding to this information and content; and where this information is being sent and from whom it is being received.
  • The ability to prioritize investigations based on these content flows.
  • The ability to perform triage on email content at the beginning of an investigation in order to minimize the effort and intrusiveness required to complete it.

It is important to note that by “investigations”, we are not referring to the invasion of individuals’ privacy, nor are we talking about monitoring user behavior for the purpose of unreasonable or excessive control. While some may be sensitive to a misapplied notion of monitoring or investigating corporate email, particularly in light of the early June 2013 revelations about US government activities focused on widespread information gathering from email and other sources, what we are discussing here is much more about understanding how information flows through an organization’s email system and how decision makers can use this insight and intelligence more effectively to meet their legal, regulatory and best practice obligations. The goal of improving insight through the appropriate application of Messaging Intelligence is to enable better decision-making and to understand the context about the activity of the organization without invading privacy.
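An added illustration of the three capabilities listed above (not code from the white paper): a handful of constructed mail envelope records are turned into a domain-to-domain flow summary, a list of content sent to personal webmail accounts, a list of off-hours sends, and a triage ranking that tells an investigator where to start without opening message bodies. The corporate domain, the personal-domain list and the working hours are assumed values.

```python
from collections import Counter, defaultdict
from datetime import datetime

CORP_DOMAIN = "example.com"                              # assumed corporate domain
PERSONAL_DOMAINS = {"gmail.example", "outlook.example"}  # constructed webmail list
WORK_HOURS = range(8, 18)                                # 08:00-17:59 is working time

# Constructed envelope records: (sent_at ISO-8601, sender, recipients, has_attachment).
# Only metadata is used; no message bodies are read.
MESSAGES = [
    ("2014-01-20T09:12:00", "alice@example.com", ["bob@example.com"], False),
    ("2014-01-20T09:40:00", "alice@example.com", ["carol@partner.example"], True),
    ("2014-01-20T23:05:00", "bob@example.com", ["bob.home@gmail.example"], True),
    ("2014-01-21T10:15:00", "carol@partner.example", ["alice@example.com"], False),
    ("2014-01-21T12:30:00", "bob@example.com", ["alice@example.com", "dave@example.com"], False),
    ("2014-01-22T22:50:00", "dave@example.com", ["dave@outlook.example"], False),
]


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def flow_summary(messages):
    """Insight: who sends to whom, counted per (sender domain, recipient domain)."""
    flows = Counter()
    for _sent_at, sender, recipients, _attached in messages:
        for rcpt in recipients:
            flows[(domain(sender), domain(rcpt))] += 1
    return flows


def personal_account_transfers(messages):
    """Policy signal: corporate senders mailing content to personal webmail accounts."""
    hits = []
    for sent_at, sender, recipients, attached in messages:
        if domain(sender) != CORP_DOMAIN:
            continue
        for rcpt in recipients:
            if domain(rcpt) in PERSONAL_DOMAINS:
                hits.append((sent_at, sender, rcpt, attached))
    return hits


def off_hours_sends(messages):
    """Timing signal: corporate senders active outside WORK_HOURS."""
    return [(sent_at, sender) for sent_at, sender, _r, _a in messages
            if domain(sender) == CORP_DOMAIN
            and datetime.fromisoformat(sent_at).hour not in WORK_HOURS]


def triage(messages):
    """Prioritise: rank corporate users by signal weight so an investigation
    starts with the strongest leads and touches as few mailboxes as possible."""
    score = defaultdict(int)
    for _sent_at, sender, _rcpt, attached in personal_account_transfers(messages):
        score[sender] += 2 if attached else 1   # an attachment is content leaving
    for _sent_at, sender in off_hours_sends(messages):
        score[sender] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for pair, n in sorted(flow_summary(MESSAGES).items()):
        print(f"{pair[0]:>16} -> {pair[1]:<16} {n}")
    print("to personal accounts:", personal_account_transfers(MESSAGES))
    print("triage order:", triage(MESSAGES))   # bob first, then dave
```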

We have written a white paper that provides more detail on this topic – you can download it here.

