Online Security, a global provider of computer forensics and information technology risk mitigation since 1997


Keep Your Enterprise's Private Data Secure While Collaborating Online


Posted: Jul 06 2004
By Cathy Planchard, Director of Marketing Communications, VIACK Corporation

True story: A San Francisco bank distributed, by accident, the e-mail addresses of 3,300 customers along with a message warning them that its online service would be down for maintenance for part of the weekend. The bank received hundreds of customer complaints and had to spend a great deal of time and effort e-mailing apologies to every customer whose address had been revealed. It is an unfortunate example of how e-mail and similar Internet-application mishaps can do lasting damage to customer relations and cost thousands of dollars in time and cleanup, all for want of adequate security controls.

While the very nature of the Internet has made collaborative communications fast and easy, it has also exposed personal and private data to opportunistic hackers, white-collar criminals, and careless or disgruntled employees. Any of them can cost your organization substantial money and great embarrassment. Security defenses such as encryption, firewalls, and authentication are increasingly being put in place to protect data and make online communication safer than ever. These measures are not foolproof, however, especially on complex business networks.


Internet Application Security Issues

The two most vulnerable areas of online business communication in today's open Internet environment are also the best known and most widely used: e-mail and instant messaging. Both are effective, easy, paperless ways to communicate, but companies need to understand the security risks of relying on them for all online communication, especially when the information involved should be seen by certain eyes only.

Take this scenario: Tom in the human resources department scrambles to make a 5 p.m. deadline for an early-morning audit. He sighs in relief as he hits his last keystroke: Send. In his haste, however, he has addressed the message to the global address list and sent sensitive internal information to the entire staff. Thousands of unauthorized viewers can now see not only the company's staff billing but everyone's salary. Fiction? Hardly. It is a prime example of what happens when a company has not prepared for e-mail errors.

E-mail is not only the most widely used technology but also the most commonly overlooked threat. Typing the wrong address or forwarding information to the wrong person, commonly called pilot error, is the main source of internal security mishaps and can have serious consequences. Unfortunately, pilot error is all too common and is starting to hurt businesses where it hurts most: in the wallet.

Beyond pilot error, the other security issue most often raised about e-mail and instant messaging is hacking. An attacker with the right tools and access can read messages that travel or sit in clear text, and with them sensitive or insider information: financials, human resources records, company strategy, even proprietary client information.

Some people have resorted to disclaimers at the bottom of e-mails asking recipients to disregard the message if it was not intended for them, or reminding senders and receivers that Internet mail is not guaranteed to be secure or private. Some companies believe this simple disclaimer removes their liability. Not true! If a user inadvertently sends an e-mail to the wrong person, or a message is intercepted, the disclaimer provides no legal recourse. By the very act of adding it, companies admit that e-mail is not a secure environment, yet a majority of businesses continue to put sensitive information in e-mail anyway.

Why are e-mail and IM so insecure? Many of today's most popular e-mail and IM services were not built for the handling of sensitive information that businesses require. They often do nothing to protect what is sent, transmitting and storing it in clear text that anyone on the path, or anyone with access to the server, can read. As a result, many companies have begun to ban instant messaging rather than regulate its use; most admit, however, that unsanctioned use of these services is virtually unstoppable.

Could It Happen to You? History Shows It Can, and the Government Is Taking Notice

To put the Internet security problem in perspective, the Computer Security Institute (CSI), a San Francisco-based association of information security professionals, recently found that 75 percent of survey respondents acknowledged financial losses due to computer security breaches. CSI's 8th annual "Computer Crime and Security Survey," co-sponsored in 2003 by the Federal Bureau of Investigation, put the total reported losses among surveyed companies at nearly $202 million. So yes, it could definitely happen to you.

Partly in response to such losses, and to lawsuits from citizens whose data had been compromised, the state of California passed a privacy law whose reach extends far beyond its borders. The law (SB 1386), which took effect July 1, 2003, requires businesses maintaining personal data on California residents to notify any resident whose "unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." Good news for consumers, but the consequences for a business that has to issue such a notice could be great: consumer lawsuits, government fines, and above all a loss of consumer and investor confidence. Note the word "unencrypted": data that was encrypted when it was taken falls outside the notification requirement, which is one very practical reason to encrypt stored personal data.

A similar bill proposed by U.S. Senator Dianne Feinstein (D-Calif.), the Notification of Risk to Personal Data Act, is now before Congress, along with more than 75 other security and privacy bills. According to Michael Rasmussen, a Forrester analyst and vice president of the Information Systems Security Association (ISSA), most of these bills would require private-sector companies to manage security by protecting their customers' data while complying with government rules for sharing information. (CSO Magazine, December 2003)


So What Can You Do?

E-mail and instant messaging are undoubtedly convenient and fast, but companies need a communications solution with this same efficiency that does not compromise security. E-meetings can be a solution. They help business professionals become more productive by focusing on everyday business processes and by reducing costly, time-consuming travel, and the best ones do it with security at the forefront of the solution.

For example, VIACK’s VIA3 E-meeting Service provides telephone-like audio, live video, joint document editing, free instant messaging, and whiteboarding—all with security built from the ground up using the highest levels of encryption allowed by law—not as a quick fix or several security software solutions patched together.

But how do you find the right e-meeting solution for your company, one that keeps your data protected and your organization clear of the laws described above? Do your homework. Most vendors state that they are secure, but collaboration products have often had security added later, as an afterthought or as an expensive option. Security bolted on after the fact tends to cost performance and scalability, which is one reason vendors defer it.

Unfortunately, some online meeting vendors will never offer complete security, because building it into their applications would mean rebuilding their entire solutions. Re-architecting would cost them an exorbitant amount of development time and money, and too much momentum in the market. In the meantime, users should be diligent about asking the right questions, especially if the information and communications in the collaborative application must remain private and confidential among authorized recipients. This list should help in your quest for a secure e-meeting solution:


Question: Are all meeting components encrypted with AES?
Reason for asking: AES, the Advanced Encryption Standard, is the symmetric cipher approved by NIST as FIPS 197 in 2001 and is widely used to protect confidential online transactions in banking and finance. If your documents, instant-messaging text, audio and video are not encrypted at all times, in transmission and in storage, that information is exposed.

Question: Is data (including text, files, audio and video) decrypted at any point as it travels from one computer to another?
Reason for asking: Some collaboration applications route data through servers where it is decrypted and then re-encrypted before being sent on to the recipient. Every such server, and everyone who administers or compromises it, sees the plaintext. For true end-to-end security, data should never be in decrypted form until it reaches the intended recipient's computer.

Question: How does the system protect against unauthorized or fraudulent use? How are users authenticated (verified to be who they say they are) when they join a meeting?
Reason for asking: Conference calls on 1-800 numbers are vulnerable to unauthorized use through widely shared pass codes. Many vendors also display passwords in plain text, or expose a list of meetings to anyone who types in the right URL. Seeing and hearing participants on video is a useful sanity check when a voice is unfamiliar, but it supplements, rather than replaces, authentication of the account that joined.

Question: Does your security architecture go beyond SSL to protect data before, during and after transmission?
Reason for asking: SSL (and its successor, TLS) encrypts the connection between a client and the vendor's server, and can itself use AES as the cipher; it does nothing for data once that server has decrypted it, or for data at rest. Some systems stop at SSL because they have not worked out how to encrypt the content itself without a performance hit, a common consequence of adding security after the original product was built. Ask whether content is also encrypted end to end and in storage, not only on the wire.

Question: How are users' passwords protected? Do passwords ever exist in decrypted form? Does a system administrator have access to user passwords?
Reason for asking: A password should never be recoverable by anyone but the user. Some systems send the password in clear text (human readable) inside an SSL connection: the "pipe" is protected in transit, but the password arrives in the clear at the server and is only as safe as that server and everyone with access to it. Storage is the other half: passwords stored in clear text, or "encrypted" with a key the server holds, can be read by anyone who reaches the database (an IT administrator, or a disgruntled employee who gains access). The accepted practice is to store only a salted, iterated hash of each password, from which the password itself cannot be recovered, and to verify logins by recomputing the hash.
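The two password-storage designs contrasted in the last question, as an added example; this is not VIACK's code and is not part of the original article. It uses only the Python standard library. The server key, the sample password and the record format are assumptions made for illustration; the XOR scheme stands in for any design in which the server can decrypt passwords, while the hardened version stores a salted PBKDF2-HMAC-SHA256 hash (600,000 iterations, the OWASP recommendation as of 2023) and compares in constant time.

```python
"""Recoverable "encrypted" passwords versus salted, iterated hashes.

Added example, not VIACK code. Models what a reader of the password
database (an IT admin, or an intruder who reaches it) can recover under
each design. SERVER_KEY, the sample password and the record format are
assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# --- Design 1: reversible "encryption" -------------------------------------
# Any reversible scheme lets whoever holds the key read every password back.
# The cipher is irrelevant; key custody is what matters. XOR stands in here
# for the whole class (AES in a reversible mode behaves the same way).
SERVER_KEY = b"assumed-server-side-master-key"  # sits beside the database


def xor_with_server_key(data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation under a fixed key."""
    return bytes(b ^ SERVER_KEY[i % len(SERVER_KEY)] for i, b in enumerate(data))


def store_reversible(password: str) -> bytes:
    return xor_with_server_key(password.encode())


def admin_reads_back(record: bytes) -> str:
    """Anyone with database access and the server key recovers the password."""
    return xor_with_server_key(record).decode()


def reversible_records_collide(password: str) -> bool:
    """Two users with the same password get identical records: a dump
    reveals who shares a password before a single guess is made."""
    return store_reversible(password) == store_reversible(password)


# --- Design 2: salted, iterated hash ---------------------------------------
# Nothing stored can be turned back into the password; a login is verified
# by repeating the derivation and comparing digests.
ITERATIONS = 600_000  # OWASP (2023) figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = secrets.token_bytes(SALT_BYTES)  # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # malformed or foreign record: refuse rather than guess
    _, iters, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time compare: a plain == would leak the match length via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, target_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker cost than current policy.
    Call after a successful login and re-hash with the password just verified."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < target_iterations


def hashed_records_collide(password: str, iterations: int = ITERATIONS) -> bool:
    """Random salts make two records for the same password unrelated."""
    return hash_password(password, iterations) == hash_password(password, iterations)


if __name__ == "__main__":
    pw = "Winter2004!"  # constructed sample password
    print("design 1, admin reads back:", admin_reads_back(store_reversible(pw)))
    rec = hash_password(pw)
    print("design 2, admin sees only:", rec)
    print("login ok:", verify_password(pw, rec), "| wrong case:", verify_password(pw.lower(), rec))
```

The iteration count is the knob that keeps a stolen database expensive to attack offline; `needs_rehash` is how a deployment raises it over time without ever holding the plaintext passwords.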


More Preventive Measures

Asking the above questions should help you find the e-meeting solution that will provide the layers of security your organization demands. But remember the following preventive measures in all of your communications and you’ll be much more likely to keep your private data secure:

  • Stop transmitting sensitive data electronically without full encryption using a standard such as AES.
  • Secure more than just the perimeter of your organization. Perimeter security is important; however, since by a commonly cited estimate more than 80 percent of security breaches come from insiders, making data unintelligible at the file and data level is critical to keeping your confidential information and communications out of the wrong hands.
  • Remember that the safest way to conduct e-meetings is through software installed on the desktop rather than through a browser interface: an installed client can hold keys locally and encrypt content end to end, whereas a browser-based meeting generally depends on the vendor's server handling the content. If e-meetings will involve any non-public material, a browser-based meeting may not be the safest choice.
  • Both audio and video should be part of the e-meeting environment so that attendees can be identified by voice and face. Without such personal "identifiers," an uninvited participant can sit in on a confidential meeting unnoticed.
  • Even if you already use a secure e-meeting tool, the best safeguard to protect the valuable assets of your company, including your customers’ private data, is to create a companywide security and privacy policy and continually educate your employees on this policy. Rules to consider should include:

    1. Change passwords frequently—do not use services where passwords can be easily obtained and abused.
    2. Only allow employees to participate in e-meetings and have access to documents if they absolutely have a right or a need to know the information. For example, a human resource manager and her team might need to discuss personnel data in a meeting, but the CEO would most likely not have the need to know this information.
    3. If you’re going to send confidential information online, be certain it’s encrypted.
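The end-to-end question in the checklist above (is data ever decrypted between sender and recipient?), the SSL question, and rule 3 all come down to one design decision: who holds the key. The following added example, which is not VIACK's code and is not from the original article, models a meeting relay in both configurations and records what the server could read in each. The Python standard library has no AES, so an encrypt-then-MAC construction built from HMAC-SHA256 stands in for AES-GCM; the pre-shared keys (key distribution, the hard part in practice, is assumed), the relay class and the sample message are assumptions for illustration.

```python
"""Hop-by-hop versus end-to-end encryption through a meeting relay.

Added example, not VIACK code. MeetingRelay is a model, the keys are
pre-shared by assumption, and the cipher is a stand-in for AES-GCM: a
keystream of HMAC-SHA256 blocks XORed with the plaintext, then a MAC over
nonce and ciphertext. The comparison is about key custody, not the cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_BYTES = 16
TAG_BYTES = 32  # SHA-256 output


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one shared key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with a fresh random nonce per message."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_BYTES)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant time), then decrypt; reject anything else."""
    if len(blob) < NONCE_BYTES + TAG_BYTES:
        raise ValueError("truncated message")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_BYTES], blob[NONCE_BYTES:-TAG_BYTES], blob[-TAG_BYTES:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class MeetingRelay:
    """The vendor's server between two participants. Records whatever it could read."""

    def __init__(self, server_key: bytes | None = None):
        self.server_key = server_key  # None: the server holds no content key at all
        self.plaintext_seen = []      # what an admin, a log, or an intruder here would see

    def forward(self, blob: bytes, recipient_key: bytes | None = None) -> bytes:
        if self.server_key is None:
            return blob  # end-to-end: opaque bytes pass straight through
        # Hop-by-hop ("SSL to the server" style): decrypt, then re-encrypt for the next hop.
        message = open_sealed(self.server_key, blob)
        self.plaintext_seen.append(message)
        return seal(recipient_key, message)


def hop_by_hop(message: bytes) -> tuple[bytes, list[bytes]]:
    sender_server_key = secrets.token_bytes(32)     # assumed: sender <-> server
    server_recipient_key = secrets.token_bytes(32)  # assumed: server <-> recipient
    relay = MeetingRelay(sender_server_key)
    delivered = relay.forward(seal(sender_server_key, message), server_recipient_key)
    return open_sealed(server_recipient_key, delivered), relay.plaintext_seen


def end_to_end(message: bytes) -> tuple[bytes, list[bytes]]:
    participants_key = secrets.token_bytes(32)  # assumed: shared by sender and recipient only
    relay = MeetingRelay()
    delivered = relay.forward(seal(participants_key, message))
    return open_sealed(participants_key, delivered), relay.plaintext_seen


def relay_tamper_detected(message: bytes) -> bool:
    """End to end, a relay that alters even one byte cannot forge a valid tag."""
    key = secrets.token_bytes(32)
    blob = bytearray(seal(key, message))
    blob[NONCE_BYTES] ^= 0x01  # corrupt the first ciphertext byte in transit
    try:
        open_sealed(key, bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    note = b"Q3 salary review: see attached spreadsheet"  # constructed sample
    got, seen = hop_by_hop(note)
    print("hop-by-hop: delivered", got == note, "| server read:", seen)
    got, seen = end_to_end(note)
    print("end-to-end: delivered", got == note, "| server read:", seen)
    print("tampering by relay detected:", relay_tamper_detected(note))
```

Both configurations deliver the message intact; the difference is entirely in `plaintext_seen`. The hop-by-hop relay is the architecture you get when "security" means an SSL connection to the vendor, and it is exactly the server whose administrators, logs and intruders the checklist asks about.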



By reducing user error, protecting data at every possible point of access, and implementing a companywide security policy, you can ensure that you are proactively doing your part to keep your data private and confidential while communicating online.


Cathy Planchard, Director of Marketing Communications
Cathy Planchard is director of marketing communications at VIACK Corporation, a leading authority on private, online business meetings and communications. VIACK's flagship product, VIA3 E-meeting Service, includes voice and video over Internet protocol (VoIP), joint document editing of Word, PowerPoint and Excel documents, whiteboarding, and instant messaging, with every component of the meeting fully encrypted using Advanced Encryption Standard protocols.
At VIACK, Cathy oversees outbound marketing and communications vehicles for the company, including corporate communications, public affairs, lead generation activities, promotions and events. Prior to joining VIACK, Cathy was the marketing manager for Motorola Computer Group, where she directed the marketing communications efforts for its telecom offerings. During that time, she oversaw the group's most successful product launch to date, receiving three industry recognition awards and significant national and international press coverage. Before that, she held a variety of marketing roles in high-tech start-ups, including WAVO and StarCite. Before transitioning to the high-tech arena, she held senior-level communications and brand management positions for the parent companies of Hilton Gaming Corporation, Doubletree Hotels and Promus Hotel Corporation. She holds an MBA from the University of Nevada Las Vegas, as well as a B.S. in marketing and a B.A. in communications.
14811 N. Kierland Blvd., Suite 100
Scottsdale, AZ 85254
Tel: 480.735.5900 or 1.866.265.8060
Fax: 480.735.5901
