Archives For spam

Shadow IT – It’s Everywhere

CIOs see Shadow IT  as another aggravation in the way of them doing their job.  

Shadow IT is much more serious than job aggravation. Like spam (something end users see as a waste of time), it’s more of a threat than an inconvenience.

Where there’s a threat, there’s an opportunity…an urgency to fix the emerging security holes.

What Is Shadow IT?

It’s Hillary using Gmail. It’s IT using back doors to manage their systems from home. It’s end users downloading unauthorized apps to get their jobs done faster. It’s the giant DEC VAX implementation I discovered at a large pharmaceutical manufacturer (one you would surely recognize if I were to name it) during an assessment years ago. No kidding, the IT department swore the entire company was IBM – little did they know, R&D had installed a global VAX network behind the scenes, and no one knew about it!

Here’s The Problem – And It’s Big

Sound Bites: According to a study published by Cisco Systems this year,…

  • 38% of business and 32% of IT workers use non-approved apps because IT approval processes are too slow.
  • 24% of those surveyed use non-approved SaaS apps because they are better than the approved alternative.
  • 18% of business and 14% of IT workers use these apps because the approved tools don’t perform needed functions.

In another study published by Second Watch, 93 percent of enterprise business units are using the cloud, while a substantial 61 percent of them are bypassing their IT departments and doing it themselves.

The two big issues named in both studies are cost and security. The cost represents about 20% of the IT budget, which is a big number, but security is the bigger issue. At least 30% of the study respondents were concerned with what this does to security. But think about it: who’s securing these applications if IT isn’t?

This is the perfect lead-in to an assessment. First, to discover where a company’s data is: many larger companies have no idea where their data is. Unstructured data is out of control as soon as Shadow IT enters the picture (reference Hillary’s email issues). Second, looking at end-node security is now more important than ever. You can be sure much of this computing is being done on personal devices, so how secure are they?

Please comment – where are you seeing new opportunities with Shadow IT, and how are your IT and CIO contacts reacting to this expanding problem?

© 2016, David Stelzl



What about Facebook?

December 15, 2009

I’m sure your customers are using Facebook, who isn’t?  So is this okay?  Facebook is like cloud computing and SaaS.  It’s an application like or like using Gmail.  So if you discover Facebook accounts during an assessment or in the selling process, don’t consider this to be justification for a security project.  However, there are some things you should be looking for as you work with clients that access Facebook.

The problem with Facebook: just about everyone uses it, and that means a lot of uneducated users. It also means that family members are spending time on systems owned by your clients. Expect company-provided laptops and home computers to be used for social networking, peer-to-peer networking, and accessing websites that are likely infected. So you’re not looking for Facebook accounts, but you are looking for systems that have been compromised by malware, and Facebook (along with any other social network program) increases the chances.

Yesterday’s report on Social Networking Scams is a great start in understanding why these programs open the door to attacks – it’s worth a quick skim.  Remember to pull out the sound bites – know these and you’ll not be challenged by arrogant IT administrators.

Immediate Justification

September 17, 2009

When your technical department comes back with an assessment, whether complimentary or paid, it should produce immediate opportunity! If someone from the outside has installed secret code on your client’s PC and is able to access that system surreptitiously, will your client see it as critical? Not if you simply tell them they have a virus or a port is open. The message must be translated into an impact statement – “People have access to your finances and are using your computer to send out Trojans that give hackers access to all of your systems, as well as your client’s systems (a liability for your client)!” This is urgent.

Understanding how spam works, and just how many computers are infected, will help you create a more powerful message.  Bursts of spam touting videos of Michael Jackson, IRS forms, and other hot news are used to propagate infections (bots).  Once infected, a system then becomes a relay, resending this infection to its contact lists.  Spam is not just annoying, it’s dangerous.  A recent post on my blog from ABC News claims 40% of all systems are infected. 

While systems may be protected by antivirus programs, bots are constantly changed to avoid detection (called polymorphic).  Tens of thousands of messages are sent at a time to infect systems while security vendors are working hard to catch up.  By the time they do, it’s too late.

In today’s USAToday, the author of an article on spam states that systems, once infected, often must be rebuilt in order to completely resolve the issue.

Change the way you message this to communicate high impact, urgency, and liability – this creates justification.  Read more in today’s USAToday: