The following excerpt from an article titled “Cyber-Legislation Bill Approved by House, Senate Prepares Its Own” by Fahmida Y. Rashid says a lot about the need for every organization to ensure that it is protecting its most important asset, its information: “The U.S. Director of National Intelligence James Clapper urged the U.S. House of Representatives and the Senate to pass legislation to increase cyber-security in both the public and private sectors during a hearing of the House Select Intelligence Committee on worldwide threats on Feb. 2. Clapper discussed intrusions on public systems that control major defense weapon systems, electrical grids and banking infrastructure. The U.S. economy is losing upwards of $300 billion per year because of rampant cyber-espionage, Clapper said.”
What this says is that those that provide any type of product, service or solution that touches important data need to have a strategy and a plan to support their customers in this endeavor. Understand that the $300 billion discussed is only regarding cyber-espionage – not day-to-day hacking or employee or partner breaches that occur on a regular basis.
The most interesting thing is that this is the proverbial elephant in the room that people are reluctant to talk about. When you ask many people what their organization’s data governance plan is, the majority will tell you that they don’t know if they even have one. Also, when I speak to many providers of printers, copiers, scanners, faxes, MFPs and managed print services, the majority of them do not note data security as either a priority risk issue or a business opportunity.
Current legislation and compliance vary from state to state, country to country and by industry. However, the U.S. Federal Government is going to continue to push additional requirements down the line, which will have significant impact on states as well as any organization that deals with government agencies or even nongovernmental but sensitive consumer or corporate data.
The article goes on to say that “as much as 85 percent of the country’s critical infrastructure is controlled by the private sector.” So the question is, are you offering security as a part of your business solutions? The main point I am illustrating is that if you are not, then you are either at risk of significant loss of future business or are not taking advantage of a very significant business opportunity.
There are several approaches to take, starting with making sure you are looking within your own organization to determine how secure your data is and whether your practices maintain a high standard of care for your own information. It is also a great way to learn and pass on the experience and knowledge gained from designing, implementing and executing an effective data governance program. Finally, it makes you much more credible when you are having a discussion with your customers and prospects.
From there it is important to have the right set of questions prepared regarding the critical information that you are touching or managing for your customers. Then, assure that your representatives are properly trained, prepared and consistently asking their clients about the information they are managing. Not only is this a best practice to protect your organization against any liability, it is a great prospecting approach to sell add-on products, services and solutions that are going to benefit your clients and expand your business model.
Your most immediate opportunity is in the data security offerings currently available to you from the manufacturers you represent, so determine what those are. Many offer secure print, print monitoring, secure file transfer, digital rights management and other solutions that are either built into devices or easily added. Some also provide additional software solutions that can easily be added to a monthly or quarterly payment.
Although some of these solutions may not add immediate extra revenue, they may be the difference between winning or losing a deal. However, once you have begun the security conversation and made that part of your regular customer dialogue, the door opens to a world of opportunity and, most importantly, you extend your credibility with your clients.
The key first step in security conversations is assessing and prioritizing the different types and categories of data that need to be secured. Also, examining the process lifecycle of that data is important so that you can follow the steps and identify areas of particular risk. Look carefully at the devices – whether they are printers, scanners, copiers, MFPs, fax machines, computers, laptops or servers – to determine the device and location security levels of any that you interface with.
It is also important to determine how to protect actual physical documents or electronic files; this is a people, process and technology issue. It is imperative to understand who creates or accesses them and what processes are followed to ensure that the chain of control is not broken, and to apply varying hardware or software technologies to add the appropriate level of protection based on the value of the information. Finally, you should consistently review and challenge the governance plan that is deployed to ensure that it is being followed and updated as appropriate.
I think that the closing quote in the Cyber-Legislation Bill article speaks volumes about the future of document and data management. It should also hopefully get you to think about where you stand within your company and what role you can and will take in providing solutions for your customers: “Where the market has worked, and systems are appropriately secure, we don't interfere,” said Sen. Joseph Lieberman (Ind.-Conn.), chairman of the Senate Homeland Security and Governmental Affairs Committee. “But where the market has failed, and critical systems are insecure, the government has a responsibility to step in,” Lieberman said.
Posted on 02/13/2012
“Shopper sues Amazon over Zappos hacking exposure” by Greg Lamm on Wednesday, January 18, 2012.
This is just one of several article or blog headlines I see multiple times daily regarding data breaches. It has literally become a “common” event. The challenge with “common” events is sometimes people become complacent or oblivious to the impacts or opportunities that extend from them; they get the “hasn’t/won’t happen to me” attitude.
I’m sure some of you have seen the Allstate “Mayhem” commercials that do a fantastic job of humorously bringing attention to the everyday accidents that “just happen.” The reality is many of them don’t just happen; they happen because people don’t pay attention or they maliciously do something. They happen because of process breakdowns, or they happen because of the lack or misuse of technology.
Just like the day-to-day “mayhem” we all face, document and data security is subject to the same risks. I would like you to think very carefully about whether you are doing enough, if anything, to reduce the risk of a document or data mayhem event. Do you think you are adequately covered by insurance or something else if there is a catastrophic breakdown in your organization or an organization that you partner with or rely on to serve your market and customers? The reality is that in the majority of cases, the answer is no! If that weren’t the case, you would not see the number of breach articles and blogs you see today, and this number is growing at an alarming pace.
What to do in the face of impending document and data mayhem? First and foremost, start with awareness. It is most likely not a matter of if, but when this issue will impact you (if it hasn’t already) or someone close to you professionally or personally – maybe even one of your most important customers.
No one is immune from this growing epidemic. Ironically, although people and organizations have spent billions of dollars for years on network, malware and virus protection, they are just starting to openly discuss and prioritize this important issue: protecting their most valuable asset, which is information.
From the federal government’s “WikiLeaks” episode to Google’s China breach to Amazon’s most recent Zappos event and the unbelievably fast-growing impact of identity theft, it is an explosion that we are all faced with today.
What has changed in such a short time? With the explosion of integrated environments (servers, desktops, laptops, PDAs, phones, printers, copiers, scanners, software applications and storage environments including the cloud), the risk of breaches has not multiplied; it has grown and is growing exponentially. You’re subject to risk from even the most remote parts of the world that you and our traditional protection agencies have little or no access to. Don’t lull yourself to sleep thinking that is even the biggest threat. The reality is that the number of intentional and unintentional breaches coming from within an organization through employees or one of their partners is growing at just as fast a rate – if not an even faster one.
Hopefully, I have sufficiently scared the heck out of you; however, my real intent in sharing this information was to create awareness – waking some up or expanding the thinking of those who are already awake.
In my first blog here on The Imaging Channel, I would like to leave you with some important thoughts that I, and other domain experts, will bring to the blog in the future.
I am aging myself here: Think back to Clarence Thomas’ appointment to the U.S. Supreme Court. It was an event that changed business and the world in general. (I am not in any way implying my position on the actual case, but rather using it as a milestone that changed how we all do business and behave in the corporate world and even our own personal environments.)
When Thomas was accused of sexual harassment, almost every company or organization reacted to new requirements for discrimination and sexual harassment in the workplace. They all created and implemented new hiring, orientation and continuous training processes and deployed technology to consistently address the issue. The most successful of these organizations realized it was not just these important tactical things that needed to occur, but most importantly, the creation of a zero-tolerance culture beginning at the top of an organization with its boards and executives, as well as a proactive approach to, and quick and appropriate action regarding, an event.
Unfortunately, the reality is that discrimination and sexual harassment events still occur even in the most effective environments. The difference is that the risk and reputation for those organizations that have taken the proper approach – starting with a culture that determines the financial, brand and overall valuation – are much more controlled because of their ongoing proactive approach.
When it comes to document and data security, you and your organization need to think the same. Start with the following:
- Create culture, beginning with “the tone at the top.”
- Create “people programs,” beginning with recruiting and continuing with orientation, ongoing training and education, employee evaluations and succession planning.
- Consistently evaluate your processes, starting with identifying and ranking your most important and sensitive information, then looking carefully at the processes surrounding that information.
- Look to deploy and evaluate technologies that effectively protect the information itself – not just the access to your networks and devices, but also the transport as well as the other parts of the document and data life cycle.
In closing, for those of you in the business of managing documents and data not just for yourself, but for customers, look at your own organization first. Are you effectively protecting your and your customers’ sensitive information? If so, look at this as an opportunity to extend your business models in an area that you are already touching.
Grab a mitt and get in the game!
I look forward to communicating with each of you in the future, providing valuable information and also helping you to consider and build an effective and profitable document and data strategy and practice.
Posted on 01/24/2012
The Imaging Channel, together with Dave Anastasi, is launching a new resident blog on the site: Doc & Data Security Steward.
Dave is the CEO of eDocument Sciences, a company specializing in securing information through developing data governance/security programs focusing on people, process and technology. They work with technologies such as enterprise digital rights management (EDRM), secure file transfer and collaboration, electronic signatures and remote IT support services to help customers control and protect the information that is critical to their businesses and customers.
Anastasi has dealt with document and data management and security throughout his career. He has extensive channel management and international management experience and has seen the critical need for data and document security measures while he served as the CEO of Captaris, a publicly traded company acquired by Open Text. He has been part of the advancements of technology during his 14 years in the office products industry with Neopost, and network infrastructure while an officer at U S WEST, Chip Technology as founder and CEO of the Global Chipcard Alliance and now helps companies and VARs protect themselves and their customers against security breaches.
Along with his extensive knowledge, Anastasi will bring together industry and domain experts and companies he has worked with to address all things security-related concerning documents and data.
Get to know Dave and what you will find on this blog in the coming months:
TIC: What is your background? What makes you a “Doc & Data Security Steward?”
Anastasi: Throughout my career, I have been involved in many businesses and industries – having an undergraduate degree in Marketing and master’s in International Management as well as cutting my teeth in the advertising business. My focus has always been to look from the customer’s perspective and then through the eyes of the distribution channel. Also, having been a public company CEO and sitting on multiple company and private organization boards, I have had the benefit of seeing data and document security issues from many different angles and perspectives.
Everything starts with knowing your customer’s industry, business, goals, risks and business landscape. Document and data security requires a commitment to understanding who they’re serving, what their business is and the environment that they’re operating in. However, it is most important to approach data and document security not just trying to find a way to make them more secure or compliant. More importantly, it’s about making your customers more efficient, more successful and profitable. It’s not just about supplying technology; it is about improving scalability and ultimately measurable value.
With my time in document and enterprise content management, I understand the channel dealer network very well – the hardware portion as well as the intersection with services and software. Neopost was basically the same kind of business model as the copier, scanner, printing and managed services markets. Actually, almost 20 years ago, I started the first managed services partnership between Xerox Business Services and Neopost combining copying, printing and mailing services.
Ultimately though, it is my experience as a customer that led to the conclusion that document and data security is rapidly becoming one of the most strategic concerns of any type of organization. As I’ve sat in board audit and compliance, merger and acquisition, strategy and other meetings, one of my deepest concerns was, how do we protect our most important asset: our information? I spent many a sleepless night worrying about breaches, both malicious and unintended. With that, I was both at risk in my job and personally as an officer and board member and ultimately the company value and brand’s reputation were at serious risk.
In time, it became apparent that the best approach to consistently dealing with this fragmented, complex and ever-growing issue was focusing on the culture, people, process and technology of an organization, also its extended network including partners and customers, and creating a “Control Conscience Corporate Culture.”
Finally, due to the nature of the businesses I was in, I learned how to make money for my organization and our channel and strategic partners by using it as a tool to improve our customers’ overall business and financial results.
TIC: Why is security such a concern today?
Anastasi: It’s important to understand data security has been a concern for a long time. For example: organizations (and even homes) have spent billions of dollars on network security, virus and malware protection for many years. Those have been billion-dollar industries for a long time. So people have always understood that they needed security, but it has been historically focused on protecting unauthorized access to networks and devices.
What’s really changed is that today, there’s this convergence. Everything is moving so quickly; technology is moving rapidly and converging. Documents are converted from hard copy to electronic files, expanded workstations and devices (desktops, laptops, pads, PDAs along with networked intelligent copiers, printers and scanners) and locations where data can be moved and stored including the rapid emergence of cloud and applications.
In this industry, historically, copiers, printers and scanners were not networked, had minimal if any memory, unsophisticated keyboards and limited simple applications. Before they were networked and had expanded capabilities, they weren’t as significant a data security risk. The paradigm has shifted; today they are not just copiers, printers and scanners but workstations with computer capabilities. In reality they are computers that copy, scan, print.
It’s now one of those things that regulators, boards, executives, auditors, lawyers, insurers and most importantly those trying to breach critical information realize, and all these people have to think more seriously about securing their devices and data. Unauthorized access is an issue, but protecting critical content or data is really the goal.
So organizations have already spent billions of dollars on security – realizing the importance of protecting data – but now the real question really is, are traditional methods sufficient in today’s and tomorrow’s environments?
TIC: How does security relate to managed services/managed print services? Can providers turn these security concerns into opportunities? If so, how?
Anastasi: Providers’ awareness that they are part of the process is essential because they are managing print, documents and data, so they’re right in the middle. They are touching, moving and accessing important data, so they could become the point of the breach, which could cause liability for them. They need to make sure they have proper protection in their environment when they are doing managed print services. The bad news is, if they don’t take security seriously, they could be negligent and accountable.
The good news is, because they are in the middle, it provides an opportunity for them to create their own document/data practice, expanding their business opportunities by providing services, solutions and technology to their customers in a way to help them manage their data security.
It is a massive and fast-growing market that will never go away; it’s only going to get bigger. So, if providers are looking for market opportunities, why not look where they already are, both reducing their risk and expanding their business opportunity in an area that complements what you are already offering? The great news is it is an existing market on the leading edge, not the bleeding edge.
And people today are aware and understand how important security is. In many cases, it’s a requirement for companies to pay attention to it; 46 states have deployed breach notification laws requiring organizations to respond quickly and effectively to data breaches or they face expanded damages due to negligence. So if providers become good at it, there are going to be massive dollars and opportunities, and if they become the go-to provider, think about the potential.
TIC: What kind of information will readers find on the Doc & Data Security Steward blog?
Anastasi: Throughout the years, I attended many conferences, and heard only about technology. I listened to auditors, many of whom were primarily focused on financial people, processes and technology, and lawyers talking about my risk and litigation but not about prevention. There was no answer in one place, primarily because it’s so fragmented. We recognized a need for somebody to help facilitate a collaborative approach.
Our focus is to draw not only from my experience, but also from all the domain expertise out there that I know and work with; we will have a variety of expert guests join me in some of the blogs. The focus will be on culture, people, process and technology because all are critical. We will show that there’s opportunity to build a document/data security practice and to sell additional services like assessment services, technology, tools, training and technology that improves security and adds value.
Most importantly, I’d like to teach readers how to protect themselves because it starts there. From there, we’ll get into how to build a strategy and package an approach showing measurable ROI. We’ll introduce key verbiage and teach readers how to speak the language – not just sell the tools. We will talk about developing training and marketing strategies and tools. Then finally, I plan to help providers expand their offering and help their customers develop a “Control Conscience Corporate Culture” making them more competitive, scalable and valuable as an organization.
Posted on 01/17/2012