Category: Technology
Small business data security regulations for Massachusetts
January 7th, 2009
Many of the small business owners I have spoken with have grimaced at the thought of how much they may need to invest to be in compliance with 201 CMR 17.00, the new Commonwealth of Massachusetts data security regulations. But, after meeting with me and answering a few of my questions, each of them feels better about the direction this is going for them.
Under Mass. Gen. Laws Ch. 93H, the new regulations require most individuals and businesses to make immediate organizational and computer system changes, which include maintaining a Written Information Security Plan, due on May 1, 2009.
This doesn’t have to be a daunting task, and it doesn’t have to kill your budget for 2009. When evaluating whether or not you are in compliance with the regulations, the Commonwealth of Massachusetts is taking into account the following:
a. the size, scope and type of business
b. the amount of resources available
c. the amount of stored data
d. the need for security and confidentiality of both consumer and employee information
To provide assistance to local small businesses, Centrend is currently scheduling Compliance Interviews at no charge. If you need help, contact Centrend for more information.
Online social networking security and phishing scams
January 6th, 2009
Online social networking is a growing phenomenon that is becoming widely used in business. As the popularity of sites like Myspace, Facebook and others grows, so does the threat from Internet criminals. As MSN reported today, even President-elect Barack Obama's Twitter account was victimized over this past weekend. Even business machines running behind an Internet security program or network firewall are vulnerable, and this is mostly due to human nature.
People who feel secure while web browsing and enjoy the ease of use and functionality found on the social websites have become a favorite target of Internet criminals. In the Twitter attack, it appears that the criminals used a phishing scam to gain personal login and password information for the site. For the president-elect, this resulted in the loss of control over his account on Twitter.
Your first line of defense is learning to recognize phishing scams.
- Often the criminals will copy a legitimate web site’s logos and design.
- They will also use web addresses designed to fool you into thinking that you are dealing with the real organization.
- Suspect foul play if the look and feel of the browser window appears different than usual.
- Because the criminals don’t have your personal information yet, they will address you as “dear customer” when the legitimate organization would call you by your name.
- Phishing messages will often ask you to verify your account.
- Phishing links will often look legitimate, but when you view the actual address where the link points, it will be different than what was shown.
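An added illustration of the last two points, written for this page rather than taken from Centrend: it scans an HTML message for a generic "dear customer" greeting, a "verify your account" request, and links whose displayed address names a different host than the one the link actually points to. The message it scans is a constructed sample; the phishing host uses the reserved `.invalid` domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample of a phishing-style HTML message, not a real one.
SAMPLE_HTML = """<p>Dear Customer,</p>
<p>Please verify your account within 24 hours or it will be suspended.</p>
<p>Sign in: <a href="http://login-example.invalid/auth">https://www.twitter.com/login</a></p>
<p>Help: <a href="https://help.example.com/">https://help.example.com/</a></p>"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(value):
    """Lower-cased hostname of a URL or bare 'www.' address; '' if none."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()

def phishing_indicators(html):
    """Return the phishing indicators found in an HTML message body."""
    findings = []
    text = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"\bdear\s+(customer|user|member)\b", text, re.I):
        findings.append("generic greeting instead of your name")
    if re.search(r"\bverify your account\b", text, re.I):
        findings.append("asks you to verify your account")
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        # Only compare when the visible text itself looks like a web address.
        if re.match(r"^(https?://|www\.)", shown, re.I) and _host(shown) != _host(href):
            findings.append(f"link shows {_host(shown)} but points to {_host(href)}")
    return findings
```

The help link in the sample produces no finding because its displayed text and its real destination agree; only the sign-in link is flagged.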
Centrend helps its business clients by maintaining the most up-to-date Internet security, anti-malware and anti-spyware solutions available. We also help develop acceptable use policies, provide monitoring and take extra care to educate our clients’ users about both the benefits and the risks of online social networking.
-Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
888-558-9550 ext. 135
The two sides of Massachusetts data security regulations
January 2nd, 2009
The new Massachusetts data security regulations, 201 CMR 17.00, are set to become effective May 1, 2009. Are you ready? Here’s the downside: The Office of Consumer Affairs and Business Regulations has estimated that it will cost the average small business operating in Massachusetts approximately $3,000 to get into compliance.
After some initial study, we believe that it will cost many small businesses much less.
Let’s also consider the upside to compliance: the personal information of millions of Massachusetts residents will be protected by a consistent set of industry-accepted policies and procedures, applied across the board to everyone responsible for handling the data. Now, you know that every business you engage with already does everything possible to protect your personal identity, right?
-Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
Making Technology Decisions Affecting Profit
December 21st, 2008
Errors, delays and inefficiency have no place when conducting your business, mainly because the competition will be better, operate more efficiently and deliver faster for less. Strangely, there seems to be a split approach on decisions about technology, information and computer systems. Successful business leaders I’ve worked with are making their technology decisions as an essential component of a profit center, assigning accountability, and investing accordingly. Many other executives, very bright, have a different focus. This could be you.
When it comes to staffing or production, you have no tolerance for ineffectiveness, delays or insubordination. But, maybe you are advised on how to keep things running by someone who knows something about computers, and this works well enough. Put yourself in front of your computer keyboard, and you’ll either fight back or you’ll find a way to “work around” any problem.
Do you continuously attempt to work with issues that you know can negatively impact your business performance?
Yes, there are those who will simply not tolerate interruptions, slow-downs and ineffectiveness from their technology solutions, because they have made a commitment to technology performance. But, the majority of business leaders have come to expect that their information system efficiency will decline and “glitches” are a part of business. It just seems to be expected…and acceptable! These executives operate with a technology cost-center, watch as their systems depreciate over time until a new solution investment is mandatory, and a new cycle begins.
Often an objection to the proposed cost of an IT staff member, or the investment in an IT outsourcing firm like Centrend, freezes the organization, and keeps it from achieving top performance. But, consider this: when IT investments are planned properly to achieve specific results, it’s easy to justify the predictable costs of maintenance, troubleshooting and repair of technology purchases. So, when IT plans are thoughtfully aligned with the business plan, you’re working with the information system, and not fighting with it.
-Bill
***
Bill Bowman
Senior Technology Advisor
Centrend, Inc.
508-347-9550 x135
Password and Encryption Protection Without Paralysis
December 20th, 2008
According to Governor Deval Patrick’s report on the source of information resulting in identity theft, 75% of stolen data was not encrypted and/or not password protected. This finding is one of the main reasons for the Commonwealth’s new Identity Theft Prevention Regulations I’ve been blogging about in recent months. Even though the date has been pushed out to May 2009, many of our clients have begun initiatives to achieve compliance well ahead of the deadline.
By starting your password protection and encryption project now, you’ll have more time to completely evaluate where password protection is insufficient, and where data encryption will be necessary. Once data is collected about what information exists where, and who has access to it, strategic decisions can be made that will minimize the negative effects poorly implemented security initiatives have on an organization.
As an alternative to conducting a detailed analysis of what data exists where and who needs access to it (though Centrend believes this is a good business practice for all data sets, not just those covered by this regulation), it is also possible to encrypt and password protect everything. You will still need to practice due diligence to take care that users have access only to the information that they need, but it does save some work if all data everywhere is password protected or encrypted.
Some of the negative consequences of poorly implemented security you’ll want to avoid are:
- Users are too constricted in what they can get to
- It’s difficult or even impossible to recover from lost passwords
- Encryption deployed on weak platforms can slow the flow of information to a crawl
- Data that should be protected by passwords and/or encryption is missed while data that is not considered PI (private information) is not secured
The result of these negative consequences is quite severe. At best, users will experience lower productivity because of “password roadblocks”; at worst, confidential information will be exposed in a data security breach. When a data protection initiative is ineffective or incomplete, not only is your data still vulnerable, but the poor strategy makes it harder for everyone to get their jobs done.
The consequences of a bad implementation of security best practices are severe, but they do not have to be your experience. Contact me for a free consultation on how Centrend can help you protect your company’s private information without crippling your team’s ability to get their job done.
