Years ago, a New Yorker (?) cartoon depicted a widow and her deceased husband’s boss standing at the graveside of the newly departed. The boss turned to the now-deceased employee’s wife and asked, “I know this is an awkward time, but did he ever mention source code?”
Somewhat in that vein, I had an interesting discussion at MacWorld/iWorld with Allison Sheridan, who runs the NosillaCast Mac podcast, and then followed this up by attending her talk (the only talk I have attended at a conference with “death” in the title). Allison recounted the experience of Tim and Alice Verpoorten. Tim, the geek in the family, died and left his wife Alice (a non-geek) with a large amount of stuff – old Macs, routers, cables, diskettes and a variety of other material for which she had no use. Worse, Alice had no access to Tim’s email accounts, cloud-service passwords and the variety of other things that would have proven extremely useful after Tim’s demise. Long story short, Allison condensed the Verpoortens’ experience (as well as that of her and her husband, who helped dispose of this stuff) into four questions to which we should all pay heed:
- Who could access your passwords if something happened to you?
- What services should you continue if you were incapacitated or worse?
- How organized are your electronics?
- What could you document to protect your interests and give your family/friends a helping hand?
This raises an important issue – and a number of questions – for business and IT decision makers for those situations in which their employees leave (regardless of how they do so):
- Do these employees have corporate content stored away somewhere that is inaccessible to the company? Places like USB sticks, personal cloud storage accounts, home computers, personal smartphones and tablets, .PST files, etc.?
- What are the consequences of the company not being able to access this content – or not even knowing it exists?
- What steps are you, as a business or IT decision maker, taking today to ensure you know where your data is and that you have complete and unfettered access to it?
- Do you have a succession plan in place that defines who owns Twitter followers, Facebook posts and content that has been posted to social media?
- Have you consulted your legal counsel about your rights and obligations as an employer to ensure you have all of the data to which you’re legally entitled?
- Employees, are you operating in compliance with the law and corporate policy in the context of how and where you store company-owned data?
- Employers who hire people from other companies, do you know what these individuals are legally entitled – and not entitled – to bring with them? Are you sure you’re protected if these new employees use confidential or proprietary data from their previous employer?
These are the kinds of questions that organizations should address in order to protect against their key employees’ untimely demise or some other departure from the company. This is simply part of good information governance. Moreover, Allison’s experience is part of good life governance. We should all take steps to start pursuing both.
Filed under: Uncategorized
Robust and reliable authentication is the essential first line of security for any application or system. Make authentication too difficult and users won’t use your solution; make it too easy and bad guys will.
There are various flavors of authentication, from simple username/password solutions through multi-factor and risk-based authentication systems that provide very high levels of security. Here are a couple of noteworthy solutions – both of which have been available for quite some time – that should be on your short list if you’re trying to protect an application, a network or your data:
- TextPower offers an elegant solution called TextKey that provides an interesting twist on two-factor authentication. Many banks, cloud providers and others offer two-factor authentication that sends a code to your mobile phone and asks you to enter it after you’ve entered a username and password. While this scheme does provide an added layer of security, it’s still subject to man-in-the-middle or man-in-the-browser attacks and other hacking exploits. However, what TextKey does is reverse the process for using a mobile phone for authentication purposes: instead of receiving a code via mobile to enter into a browser, the secure application displays a code and asks the user to text it to the application. Because every mobile phone has a Unique Device Identifier (UDID), the mobile carrier will not send the SMS message if someone is trying to spoof the system because the sending mobile number (already stored in the application’s database) and the UDID must match. In short, authentication cannot take place simply because a bogus user cannot get their SMS through. TextKey also uses a number of other authentication criteria to provide very solid protection against hackers and others.
- Confident Technologies has developed an authentication solution that studies have proven to be quite secure despite its simplicity. Instead of a user entering a password, he or she will identify images within categories that have previously been memorized. For example, when setting up access to an application, a user will select three categories of images, such as planes, rockets and dogs. When he or she attempts to access a system, there will be a presentation of a grid of images from which the user will select the images that correspond to predetermined categories. The images will change each time access is attempted, but will always be consistent with their predetermined choices. The company also offers an image-based CAPTCHA system, far better than the text-based solutions that are widely deployed. Studies have shown that image-based authentication is easier to use than password-based systems and is more resistant to brute force attacks and dictionary attacks. In one study, users were asked to set up text-based passwords and image passwords. After 16 weeks, only 40% of users could remember the former, but 100% could remember the latter. When asked to change their passwords and images, 75% could remember their text-based passwords, but all of the subjects could remember the changed images. Add to this the fact that image-based systems are also more resistant to keystroke loggers, a serious problem for many.
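The reversed SMS flow described for TextKey above, modelled server-side as an added example (this is not TextPower's code and makes no claim about how TextKey is implemented). The user has already passed the password step; the server displays a one-time code and waits for an inbound SMS from the phone number enrolled for that account. The carrier-side device check the post describes is outside this model: the webhook only sees the sender number the carrier delivered. Names such as `ReverseSmsVerifier`, the code length, the TTL and the attempt limit are assumptions.

```python
"""Server-side model of a "reverse" SMS second factor.

Added example, not TextPower's code. Login succeeds only when an inbound
SMS arrives from the enrolled number, carries the pending code, before the
code expires, and the code has not already been used or exhausted.
"""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumption: how long a displayed code stays valid
MAX_ATTEMPTS = 3         # assumption: wrong texts allowed before the code is dropped
# No 0/O or 1/I, so a code read off a screen is hard to mistype.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts: int = 0


class ReverseSmsVerifier:
    def __init__(self, enrolled_numbers: dict[str, str], clock=time.time):
        # username -> enrolled phone number (constructed sample data lives in the caller)
        self.enrolled = enrolled_numbers
        self.by_number = {n: u for u, n in enrolled_numbers.items()}
        self.clock = clock  # injectable so expiry can be tested deterministically
        self.pending: dict[str, Challenge] = {}

    def start(self, username: str) -> str:
        """Issue the code the login page displays; replaces any earlier pending code."""
        if username not in self.enrolled:
            raise KeyError(f"no enrolled phone number for {username!r}")
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
        self.pending[username] = Challenge(code, self.clock() + CODE_TTL_SECONDS)
        return code

    def inbound_sms(self, from_number: str, body: str) -> str | None:
        """Webhook for a received SMS; returns the authenticated username or None.

        Lookup is keyed on the sender number, so a correct code texted from
        an unenrolled phone matches nothing. Expired, exhausted and used
        challenges are deleted rather than left around for retries.
        """
        username = self.by_number.get(from_number)
        if username is None:
            return None
        ch = self.pending.get(username)
        if ch is None:
            return None
        if self.clock() > ch.expires_at:
            del self.pending[username]
            return None
        ch.attempts += 1
        if hmac.compare_digest(ch.code, body.strip().upper()):
            del self.pending[username]  # single use: a replayed text finds no challenge
            return username
        if ch.attempts >= MAX_ATTEMPTS:
            del self.pending[username]
        return None
```

The binding that matters for the defender is that the challenge is looked up by the sender number, never by the code alone: a code that leaks through the browser is useless without the enrolled phone, and the short TTL and attempt cap bound how long a leaked code is worth anything.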
Authentication is a necessary evil, but there are solutions that can offer greater security while not making life more difficult for users.
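The category-based image scheme described in the second bullet, modelled as an added example (not Confident Technologies' code, and no claim about their implementation). The user memorises categories at enrollment; each login draws a fresh grid with one image from every secret category plus decoys, and the user must pick exactly the secret-category images. The image pool, the grid size and the class name are constructed assumptions.

```python
"""Model of category-based image authentication.

Added example, not Confident Technologies' code. Because the concrete
images differ on every login, a keystroke or click log of one successful
attempt captures positions for that grid only, not the reusable secret.
"""
from __future__ import annotations

import secrets

GRID_SIZE = 9  # assumption: 3x3 grid

# Constructed pool: category -> image ids (stand-ins for real picture files).
IMAGE_POOL = {
    "planes": ["plane_01", "plane_02", "plane_03"],
    "rockets": ["rocket_01", "rocket_02", "rocket_03"],
    "dogs": ["dog_01", "dog_02", "dog_03"],
    "cats": ["cat_01", "cat_02", "cat_03"],
    "cars": ["car_01", "car_02", "car_03"],
    "boats": ["boat_01", "boat_02", "boat_03"],
    "flowers": ["flower_01", "flower_02", "flower_03"],
    "clocks": ["clock_01", "clock_02", "clock_03"],
}


class ImageCategoryAuth:
    def __init__(self, pool: dict[str, list[str]],
                 secret_categories: dict[str, frozenset[str]]):
        self.pool = pool
        self.category_of = {img: cat for cat, imgs in pool.items() for img in imgs}
        self.secrets = secret_categories           # username -> memorised categories
        self.pending: dict[str, list[str]] = {}    # username -> grid currently shown
        self.rng = secrets.SystemRandom()          # CSPRNG, not random.Random

    def new_grid(self, username: str) -> list[str]:
        """Build the grid to show: one image per secret category, the rest decoys."""
        secret = self.secrets[username]
        decoy_cats = [c for c in self.pool if c not in secret]
        chosen: set[str] = set()
        for cat in secret:
            chosen.add(self.rng.choice(self.pool[cat]))
        # Decoys come only from non-secret categories, so the expected answer
        # is exactly one image per secret category. The pool must hold enough
        # decoy images to fill the grid or this loop would not terminate.
        while len(chosen) < GRID_SIZE:
            cat = self.rng.choice(decoy_cats)
            chosen.add(self.rng.choice(self.pool[cat]))
        grid = list(chosen)
        self.rng.shuffle(grid)
        self.pending[username] = grid
        return grid

    def verify(self, username: str, selected: list[str]) -> bool:
        """Accept only the exact set of secret-category images in the last grid shown."""
        grid = self.pending.pop(username, None)  # a grid answers at most once
        if grid is None:
            return False
        secret = self.secrets[username]
        expected = {img for img in grid if self.category_of[img] in secret}
        return set(selected) == expected  # also rejects picks outside the grid
```

One caveat a practitioner should keep in mind: with 9 images and 3 secret categories a blind guess succeeds with probability 1/C(9,3) = 1/84 per attempt, so the scheme's strength rests on memorability and per-login variation, not on keyspace size, and a lockout after a handful of failed grids is essential.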
Filed under: Uncategorized | Tags: content, discovery, email, Microsoft, PST, storage
Email contains a wealth of critical business information. The importance of email to the typical information worker, and his or her resulting use of email to create and manage a large proportion of business content, means that using and migrating email must be risk-free and non-intrusive to users.
Osterman Research surveys of end users have repeatedly found that the typical corporate email user spends approximately 150 minutes per day working within their email client – sending or receiving email messages, searching for content, managing contacts, managing tasks, using email as the default information filing system, etc. Moreover, email remains the primary file transport system in most organizations, used to convey important business documents like purchase orders, contracts, proposals and the like – as such, it often becomes a key repository of this content, as well.
As a result, email is the most important single source of business content in most organizations.
In Exchange environments, .PST files are commonly employed by end users for a variety of reasons: to store email locally so that mailbox-size quotas are not exceeded, to allow messages to be easily transportable between mail systems, for purposes of email backup, or because users want to maintain a personal archive of corporate information. Microsoft effectively encouraged the use of .PST files by increasing the maximum size of these files tenfold to 20 gigabytes beginning with Outlook 2003.
Because .PST files are used extensively in Exchange environments, they are a significant repository of corporate content and house much of the critical business information to which organizations must have access.
A recent survey we conducted found that 36% of users in the organizations surveyed store email locally in .PST files. Further, we found that the median size of a .PST file in these organizations is 1.3 gigabytes, the equivalent of more than 100,000 email messages. However, some users maintain much larger .PST files – one large professional services firm, for example, maintains more than 4.5 GB of .PST content per user.
Although good .PST management is essential, many organizations are not following best practices in two key areas.
- First, our research found that users store .PST files in a number of disparate locations, including their desktop machines, laptops, local file servers and cloud-based storage systems, among other locations.
- Second, our research found that only 29% of organizations back up local .PST files to a central location, despite 65% or more storing .PST files on laptops or desktops.
The immediate consequence of this highly distributed storage of .PST files is that the business content contained in these files is not accessible to those that need it, such as legal counsel, senior managers, compliance officers or information auditors – or, in many cases, to the individuals who created this information.
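Knowing where .PST files are is the first step toward the two practices above. The following inventory script is an added example (not from the post or Osterman Research) that walks a set of roots, records every .PST file with its size, and flags those outside the centrally backed-up path. A file counts as a PST if its name ends in .pst or if it begins with the Outlook PST header magic `!BDN`, so an archive renamed to something innocuous is still found. The sample tree is constructed by `make_sample_tree()`; the paths and sizes are invented for the demo.

```python
"""Inventory .pst files under the locations users keep them and flag those
outside the centrally backed-up store.

Added example, not from the post or Osterman Research.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

PST_MAGIC = b"!BDN"  # first four bytes of an Outlook .pst file


@dataclass
class PstRecord:
    path: Path
    size_bytes: int
    has_magic: bool
    backed_up: bool


def _under(path: Path, root: Path) -> bool:
    return path == root or root in path.parents


def find_pst_files(roots: list[Path], backed_up_roots: list[Path]) -> list[PstRecord]:
    """Walk roots and return PST records, largest first.

    Reads the first four bytes of every file so renamed archives are caught;
    on a large file server you would restrict that to plausible candidates.
    """
    backed = [Path(r).resolve() for r in backed_up_roots]
    found: list[PstRecord] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath, name).resolve()
                try:
                    with open(p, "rb") as fh:
                        has_magic = fh.read(4) == PST_MAGIC
                except OSError:
                    continue  # unreadable: skip rather than abort the sweep
                if not (has_magic or name.lower().endswith(".pst")):
                    continue
                found.append(PstRecord(p, p.stat().st_size, has_magic,
                                       any(_under(p, b) for b in backed)))
    return sorted(found, key=lambda r: r.size_bytes, reverse=True)


def summarize(records: list[PstRecord]) -> dict[str, int]:
    unbacked = [r for r in records if not r.backed_up]
    return {
        "count": len(records),
        "total_bytes": sum(r.size_bytes for r in records),
        "unbacked_count": len(unbacked),
        "unbacked_bytes": sum(r.size_bytes for r in unbacked),
        "renamed_count": sum(1 for r in records
                             if r.has_magic and r.path.suffix.lower() != ".pst"),
    }


def make_sample_tree(base: Path) -> None:
    """Constructed sample: one archive in the central store, three on a laptop."""
    (base / "central").mkdir()
    (base / "laptop" / "sub").mkdir(parents=True)
    (base / "central" / "archive.pst").write_bytes(PST_MAGIC + b"\0" * 1000)
    (base / "laptop" / "Old Mail.PST").write_bytes(PST_MAGIC + b"\0" * 2000)
    (base / "laptop" / "sub" / "report.dat").write_bytes(PST_MAGIC + b"\0" * 300)  # renamed PST
    (base / "laptop" / "empty.pst").write_bytes(b"")  # .pst by name only
    (base / "laptop" / "notes.txt").write_bytes(b"not a pst")


def demo() -> dict[str, int]:
    """Build the constructed tree in a temp dir, print the inventory, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        make_sample_tree(base)
        records = find_pst_files([base], [base / "central"])
        for r in records:
            flag = "" if r.backed_up else "  <-- not backed up"
            print(f"{r.size_bytes:>8} {r.path}{flag}")
        return summarize(records)


if __name__ == "__main__":
    print(demo())
```

Run against real roots (user profile directories, shared drives, laptop backups) with the central archive path as the backed-up root, and the `unbacked_bytes` figure is the amount of business content that would be lost or unreachable if that hardware disappeared.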
For more information on our .PST research, please feel free to download a just-published white paper on the topic here.
Filed under: Uncategorized | Tags: analytics, big data, discovery, email, intelligence, investigations, messaging
Because email is used so extensively for purposes of communication, collaboration and content management by information workers and the organizations that employ them, it represents the primary source about how information flows within a company, and between companies and their business partners. For example, email data stores contain:
- Data on what information workers are doing during working hours. This information includes data on emails sent and received, to whom and from whom they are sent and received, files sent and received, how employees responded or did not respond to various communications, the tasks they assign to themselves or to others, the appointments they set, where they will be at specific times, requests that they make of others, etc. Moreover, because social media, real-time communications, voicemail and other content types are often integrated with email, email archives often contain a wealth of information on other modes of communication used by employees.
- Information about how they collaborate with fellow employees, customers, business partners and others.
- Information about how employees support internal workflows and key business processes across the organization.
- Information on when employees work.
- Information on how employees work, such as sharing content with others or sending content to their personal accounts.
- Information about whether or not employees are complying with corporate policies, such as appropriate use or data leakage policies.
Clearly, email contains the primary source of information about content flows within an organization. Because decision makers rarely have the tools available to extract meaningful data from this rich content source, they lack much of the insight into their organizations that would help them to ask better questions, make better decisions about how to manage their companies, respond more effectively to customers, or satisfy their compliance obligations – just a few examples of how this information might be used. In short, decision makers need three fundamental capabilities:
- Insight about what is being said and transmitted via email; who is generating, receiving and responding to this information and content; and where this information is being sent and from whom it is being received.
- The ability to prioritize investigations based on these content flows.
- The ability to perform triage on email content at the beginning of an investigation in order to minimize the effort and intrusiveness required to complete it fully.
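The kind of flow analysis described above, and the triage capability in the last two bullets, as an added example (not from the post or any product). It works on message metadata only: sender, recipients, timestamp and attachment names, never bodies, which matches the distinction between understanding flows and reading people's mail. It counts external sends, sends to personal webmail, after-hours sends and attachments leaving the company, then ranks senders so an investigation knows where to start. The log lines are constructed, and the domain lists, business hours and scoring weights are assumptions to be tuned per organization.

```python
"""Triage of mail-flow metadata: who sends what, where, and when.

Added example, not from the post or any product. Metadata only; no bodies.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

CORPORATE_DOMAIN = "example.com"                                # assumption
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}    # illustrative list
BUSINESS_HOURS = range(8, 19)                                   # 08:00-18:59, Mon-Fri

SAMPLE_LOG = [  # constructed message metadata; 2013-06-03 is a Monday
    {"ts": "2013-06-03T09:12:00", "from": "alice@example.com",
     "to": ["bob@example.com"], "attachments": []},
    {"ts": "2013-06-03T14:05:00", "from": "bob@example.com",
     "to": ["orders@supplier.example.net"], "attachments": ["po_1187.pdf"]},
    {"ts": "2013-06-03T22:40:00", "from": "carol@example.com",
     "to": ["carol.home@gmail.com"], "attachments": ["q2_forecast.xlsx"]},
    {"ts": "2013-06-04T08:30:00", "from": "carol@example.com",
     "to": ["bob@example.com", "alice@example.com"], "attachments": []},
    {"ts": "2013-06-08T10:00:00", "from": "alice@example.com",
     "to": ["dave@example.com"], "attachments": ["minutes.docx"]},
]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def new_stats() -> dict[str, int]:
    return {"sent": 0, "external": 0, "personal_webmail": 0,
            "after_hours": 0, "attachments_out": 0}


def collect(messages, corp_domain: str = CORPORATE_DOMAIN) -> dict[str, dict[str, int]]:
    """Per-sender counters answering the who/where/when questions in the post."""
    stats = defaultdict(new_stats)
    for m in messages:
        s = stats[m["from"]]
        s["sent"] += 1
        ts = datetime.fromisoformat(m["ts"])
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            s["after_hours"] += 1
        external = [r for r in m["to"] if domain_of(r) != corp_domain]
        if external:
            s["external"] += 1
            s["attachments_out"] += len(m["attachments"])   # files leaving the company
            if any(domain_of(r) in PERSONAL_WEBMAIL for r in external):
                s["personal_webmail"] += 1                   # content to personal accounts
    return dict(stats)


def priority(s: dict[str, int]) -> int:
    """Higher means look here first; the weights are assumptions, not a standard."""
    return (3 * s["personal_webmail"] + 2 * s["attachments_out"]
            + s["external"] + s["after_hours"])


def triage(messages) -> list[tuple[str, int]]:
    """Senders ranked by priority: the order in which an investigation would start."""
    stats = collect(messages)
    return sorted(((u, priority(s)) for u, s in stats.items()),
                  key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for user, score in triage(SAMPLE_LOG):
        print(f"{score:>3}  {user}")
```

On the constructed log the sender who forwarded a spreadsheet to a personal webmail account late at night ranks first, the one who sent a purchase order to a supplier second, and the internal-only sender last; that ordering is the triage the post calls for, and the raw counters behind it are what a reviewer would examine before reading any message content.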
It is important to note that by “investigations”, we are not referring to the invasion of individuals’ privacy, nor are we talking about monitoring user behavior for the purpose of unreasonable or excessive control. While some may be sensitive to a misapplied notion of monitoring or investigating corporate email, particularly in light of the early June 2013 revelations about US government activities focused on widespread information gathering from email and other sources, what we are discussing here is much more about understanding how information flows through an organization’s email system and how decision makers can use this insight and intelligence more effectively to meet their legal, regulatory and best practice obligations. The goal of improving insight through the appropriate application of Messaging Intelligence is to enable better decision-making and to understand the context about the activity of the organization without invading privacy.
We have written a white paper that provides more detail on this topic – you can download it here.