Friday, August 21, 2009

Trust, but Insure, pt 2: Firewalls won't stop an employee with access

As I preached in a prior post (Trust, but Insure), employees have weaknesses. In today's economy, an otherwise angelic employee may be easily influenced by a bribe in exchange for network access.

Below is a great blog entry from Dave Stelzl, The Profit Program, who writes about the potential catastrophes of information theft. Companies should consider Network Security Liability to protect themselves from liability claims that will arise from the release of confidential information.

Insider Threat makes the perimeter useless
Posted: 20 Aug 2009 07:50 AM PDT

Wells Fargo in the news for bank fraud? This article came from a recent workshop attendee at Heit in Colorado, a company that specializes in bank security. It’s actually a common thing for insiders to take advantage of systems they know, for personal gain. Organized crime syndicates sometimes employ someone inside a bank with the title money mule – someone who helps them gain access to systems inside the bank. In the linked article below, there is no mention of organized crime. Instead, the article reports an insider charged with gaining access to bank accounts and using the money and credentials to create credit cards, debit cards, and pay down their personal debt. It looks like they have at least 35 years imprisonment coming; maybe more.

The sales tip – insider threat is real. Firewalls, VPNs, and a bulletproof perimeter (which is never the case) won’t protect companies from this threat. Let’s face it, there is no perimeter in today’s borderless network world.

http://sacramento.bizjournals.com/sacramento/stories/2009/08/10/daily81.html?ed=2009-08-14&ana=e_du_pub

Thursday, August 13, 2009

Landscapers: We'll Insure Everything but the Plants

I insure several local landscaping companies, and I always talk to them about Installation Floaters. These policies cover materials that are transported to and installed at the jobsite.

On larger jobs, some of these materials are stored at the site for a day or two, waiting for their chance to be permanently installed. During that time, the materials may be stolen, vandalized or just blown away by one of our hazy day windstorms. When this happens, the landscaper is responsible for replacing this material. Installation Floaters will cover this material cost.

BUT, I recently discovered an Installation Floater with the following caveat:

The following types of property are not covered:
Trees, shrubs, and plants - "We" do not cover trees, shrubs, plants or lawns.

If you store a significant amount of plant material at a jobsite, your Installation Floater may not cover it. Check your policy exclusions to make sure your plant material will be replaced if it's ever "gone with the wind."

Thursday, August 6, 2009

Employers: Protect Yourselves Against Information Theft

Has your business been the victim of an inside job?

This is a great article from HartfordHelp, a site designed for Hartford policyholders and partners. The site is a treasure-trove of information for employers to arm themselves against claims of wrongful termination, harassment, discrimination, employee theft, etc. Knowledge is power! http://www.hartfordhelp.com.

When Computer Network Employees Go Bad

A terminated employee of a not-for-profit organization pleaded guilty to unauthorized access to her former employer's computer network. She now faces a two-year prison term and will have to pay $94,222 in restitution to the employer. "Houston Computer Administrator Sentenced to Two Years in Prison for Hacking Former Employer's Computer Network," www.usdoj.gov (July 15, 2009).

The evening following her termination and the next day, the former director of information technology illegally accessed the not-for-profit's computer network via a remote connection in her home. She then deleted important database records, including accounting invoice files, database and accounting software applications, and various back-up files. In an attempt to conceal her sabotage, she also disabled the computer logging functions on several employer servers and erased the computer logs that recorded her remote access.

Commentary and Checklist
A surprising aspect to this story is that many employees that destroy data have no clue that they are committing a crime. To some, it is just a cruel prank to get back at their employers. Employers should make their employees aware that data destruction is a crime. In this example alone, the network employee that went bad has nearly $100,000 to pay in restitution and is looking at two years in a federal prison.

The ironic aspect of this story is that the person who was in charge of data protection used her knowledge to damage her employer. Too many employers, especially smaller employers, do not take data protection seriously enough and therefore are more vulnerable to attack.

Protecting your data from theft, destruction or corruption by an employee is akin to protecting your finances from embezzlement. Employers must set up safeguards, including having more than one person in charge of data security.

In this case, the person in charge of data security had given herself the ability to access the employer’s system remotely. Had another person had access to oversee the data’s protection at the time of termination, he or she could have dismantled the remote entry at the same time that he or she denied her other access points.

Moreover, organizations should make it an employee offense to develop remote entry access without authorization. The organization should approve all access points.

To that point, employers should establish and enforce a policy on computer usage and data management. This Site offers a model policy on Computer, Internet and Network Usage. To see if you have access to this policy, log on and go to Knowledge Vault and then Model Policies. [for access, go to HartfordHelp and register to obtain a login id and password]

Consider these steps to get your message across that your data is not to be stolen or sabotaged:
  • Establish a clear and concise policy that employer data is valuable.
  • Define what is appropriate use and transfer of employer data, and provide examples of what is improper use of employer data.
  • Explain that data thieves will go to extraordinary measures to capture sensitive data.
  • List possible outcomes to an employee that steals or sabotages data including, but not limited to, termination and possible criminal prosecution.
  • As part of employee orientation, make certain that employees acknowledge your data protection policy.
  • Develop a procedure that locks down your data when an employee is terminated.
  • Consider banning personal memory transfer devices such as a USB memory stick.
  • Consider limiting the sensitive information that employees can store on laptops.
  • Consider regulating the information that employees can have access to from home and other remote entry places of origin.

This informational piece is part of "The Loss Prevention Journal" published on July 29, 2009.

Sunday, August 2, 2009

MAREMA Monthly Meeting - August 19, 2009

***** *August is Members Bring a Guest Free Month* *****

Bring a colleague to the August meeting and your non-member guest will get in free.

This month, we have an opportunity to learn how our clients can benefit from Commercial Auctions. Our Guest Speaker this month is Jeff Stein, Vice President, Tranzon Fox. Jeff, a former MAREMA member, will speak on “Opportunities in Commercial Auctions”. If you have a listing that is currently on the market, the auction route may be a good alternative. Tranzon Fox has accelerated marketing expertise and experience that can help commercial property owners expose their property to the market in an intensive marketing effort that will bring more activity and interest to the property than conventional sales methods. Jeff brings experience and expertise in the following types of commercial properties: Office Buildings, Retail and Restaurant Properties, Hospitality and Lodging, Warehouse and Industrial, Convenience Stores and Service Stations, Commercial Development Land, and special uses such as Medical, Bank Branches, Retirement, Skating Rinks, etc. Don't miss out on learning more about how auctions can help you and your clients sell properties.

*Bio - Jeff Stein*:

Jeff concentrates primarily on Real Estate auctions and has represented a wide variety of real estate clients from banks and corporations to private owners. He has been an active real estate broker since 1985 and has sold over $200 million in property throughout the Mid-Atlantic region. Jeff is a graduate of the University of Virginia with a degree in Economics. He is a licensed real estate broker in Virginia, Maryland, the District of Columbia, North Carolina, South Carolina and West Virginia. Jeff is the Sales Manager of the Washington-Baltimore Region and is Principal Broker for Tranzon’s Virginia, Maryland, D.C. and West Virginia operations.

Jeff Stein
Vice President, Tranzon Fox
jstein@tranzon.com
3819 Plaza Drive
Fairfax, VA 22030
Tel.: (703) 539-8111
Fax: (703) 539-8633
Cell: (703) 626-7407

Bring your Package Presentations, Quick Pitches (Haves and Wants), and Cash for the Cash Board and let us hear what you have and/or your Client needs. Forms are available on the MAREMA Web site at http://marema.com/

New to commercial real estate or want to break into the commercial real estate field? Ask about the new MAREMA Intern Program. Networking starts at 9:00 a.m. with the meeting starting at 9:30 a.m. Lunch is served immediately following our guest speaker. Join us this month at the Westpark Hotel in Tysons Corner on August 19, 2009.

Please RSVP at http://marema.com/rsvpmeeting.html as seats are limited. Also, don't forget to RSVP for attending the MAREMA Annual Meeting this year. Join us this year at the Hilton Springfield. Get all the details at http://marema.com/ameeting.html

Looking forward to seeing you there and bring a colleague!!!

Thank you for your support to the MAREMA membership.