It’s particularly galling when a company specializing in security issues gets monumentally hacked. That was the case for Stratfor, which suffered a massive data breach just before the holidays that exposed thousands of client names, e-mail addresses and credit card numbers. Adding insult to injury, hacktivist group Anonymous revealed on Twitter that it was able to get at the data because the company hadn’t encrypted them, according to the Associated Press. Stratfor’s travails serve as a reminder to all companies that they need to get their cyber security policies and practices in order. Here are some issues to consider.

1. Beware of the mobile threat.

Mobile devices have become ubiquitous and more powerful. Companies can no longer just protect employees’ laptops, but must be aware of tablets, smartphones, iPods and anything else with a brain and wireless connectivity. Inadequately secured devices, if stolen, can give thieves access to corporate networks, allowing them to steal sensitive data.

Employees downloading new apps may download keystroke-logging software as well, giving hackers access to their credentials—but few people have anti-virus software installed on these devices.

“2012 is going to be a significant year for mobile threats enterprise-wide because so many devices are being adopted,” says Dave Marcus, director at security firm McAfee Labs. Companies “have to start looking at mobile devices like other devices—‘If it’s got data on it, it’s got my corporate data on it, then I’ve got to manage and secure it like every other device on my network,’” he adds.

2. Review privileges.

Do all users really need all the access rights they now have? Keeping privileges to a minimum limits the damage hackers can do if they get into a user’s account, as well as the damage employees can do on the way out the door.

Controlling privileges can also help with compliance since “most regulations, including SOX, HIPAA, GLB and PCI, have a clause on the level of access to key IT assets,” says Jim Zierick, executive vice president at security vendor BeyondTrust.

But privileges can be hard to manage, especially in big organizations with lots of applications. “Users are proactive about acquiring access they need or want, but rarely ask for access to be taken away even if they no longer need it,” says Michael Bennett, chief information officer for the U.S. unit of defense contractor BAE Systems.

One option is to roll out a centralized system to allocate and manage privileges, which allows for quick changes if employees are hired, fired, move internally or temporarily need special access for a project.

Companies should move beyond automated provisioning, access control and auditing solutions to add a new security control and abstraction layer that sits between the information and the people who use it, Bennett says. This allows the data to be displayed in a way that the particular user—and device—needs to see it, “while denying access to anything not specifically required by and permitted to the user,” he adds. “Apart from the huge security gains, this architecture makes it much simpler to support the many different kinds of access devices that users want to bring to work.”

3. Prepare for breaches.

No system is completely hacker-proof. If a security hole—or human error—allows key data to leak out, companies must be ready to deal with it quickly and effectively. And that’s going to require more effort than before.

The Securities and Exchange Commission’s guidance issued in October reminds public companies that breaches could be considered material events that need to be disclosed, says Richard Bortnick, an attorney at Cozen O’Connor. Private firms may be affected if they are suppliers or partners of a public company.

States are also rolling out or toughening up disclosure laws, including California, Bortnick says.

After a breach disclosure, companies should be prepared for lawsuits, says Bob Parisi, senior vice president at consultancy Marsh. As the result of a recent court ruling, plaintiffs no longer need to show actual harm or imminent threat of harm, but simply increased risk of potential harm to take their cases to trial, he says.

And lawsuits are now being filed faster, just days or even hours after a breach is disclosed rather than months later, Parisi says. Companies need to respond quickly to a breach, which may involve more than just offering credit monitoring to clients whose information has been compromised, he says, and remedies should be relevant.

“If you’re a hospital losing patient data, offering credit monitoring might not be the most appropriate response,” Parisi says. “If what you offer is the wrong remedy or no remedy at all, you’re basically waiving a red flag in front of the potential plaintiff class.”

4. Encrypt, encrypt, encrypt.

In the past, encryption slowed down systems and inconvenienced users, so it was used only to protect data traveling over the Internet. Technology has improved to the point where companies can encrypt data that’s stored on mobile devices, moving across internal networks, even stored inside databases, without adding lag or hindering productivity.

The new technology operates on a more basic level, even embedded into the hardware. If a breach occurs, the stolen information can’t be used and no disclosure is required.

One organization taking this approach is AGS Capital Group. “The risks and penalties of breach laws are increasing, so we are looking at increased and mandatory encryption on all employee computers and laptops,” says Allen Silberstein, CEO and chief investment officer at AGS. “So if the hard drive gets into the wrong hands, the information remains protected.”

5. Add new authentication mechanisms.

Most applications require only a user name and password. Companies have been reluctant to ask customers to use a second form of authentication, such as an additional password sent by text message.

As breach notification requirements and costs escalate, companies should take another look at second-factor authentication, says David Miller, chief security officer at Covisint.

In the past, the second form was often key-chain fobs that generated one-time passwords—and employees who misplaced their keys would be locked out of the system. But the solution now could be a cell phone.

“A mobile device can run a one-time password-generating app to supply a PIN for network access, hold a digital certificate that uniquely identifies the device or can receive an automatically generated text message with a one-time password to authenticate each login,” says BAE’s Bennett. “Using a mobile device that a user already has, as opposed to issuing another physical device for authentication, makes a lot of sense.”

For a look at what the Securities and Exchange Commission wants companies to disclose if they’ve been hacked, see SEC Provides Guidelines for Disclosing Cyber Attacks.

Article originally published at Treasury & Risk.

This can have serious consequences for a company. For example, employees who move to different jobs within the company may retain access rights associated with their previous role. This may allow them to bypass the company’s checks-and-balances system.

Or an employee might leave the company altogether. It’s hard to turn off all access if you do not have an up-to-date list of things that the employee could access. This is particularly important when it comes to outside applications that do not require access to the company network, such as Dropbox or Salesforce.com.

Then there’s the case where an employee’s account is compromised. In the best-case scenario, when the problem is discovered, the company acts quickly to shut off access and review sensitive systems for unauthorized activity. In the worst-case scenario, the company doesn’t know which systems the employee can access, and appropriate security responses are delayed. Then the hacker can abscond with data to which the employee had access, including data the employee no longer needed and should have lost access to long before.

Finally, overprivileged employees may pose compliance problems for companies in regulated industries such as healthcare and financial services.

In a recent survey of more than 5,000 IT operations and security managers by the Ponemon Institute, 52 percent said that they were “likely” to be provided access to restricted, confidential information beyond the requirements of their position, and more than 60 percent said privileged users access sensitive or confidential data because of their curiosity, not because of their job function.

The Ponemon Institute also released a report outlining security best-practices, in which technology that focuses on privileged users was listed as a top critical factor in the success of a data protection program.

A CIO at a defense company told me that “least privilege” is one of the fundamental building blocks of information security.

I recently talked with Jim Zierick, executive vice president at the security systems vendor BeyondTrust. He also suggested that companies embrace a “least privileges” policy. For example, instead of giving IT administrators blanket access to servers for maintenance or software installation, companies could give them policy-based access that allows them to make changes under specific circumstances, with all access logged in detail.

The key is to restrict privileges without taking away critical rights, Zierick said. Your company might not want to give employees administrator rights to their computers, but this policy would prevent them from, say, adding a printer driver. A policy-based solution like those BeyondTrust offers would give employees just the rights they need while allowing rapid, across-the-board changes when employees leave or change jobs or responsibilities, he said.

This article originally appeared at The IT Services Site.

It’s like betting your company on Beta right before VHS went big. Or betting on VHS right before everyone switched to DVDs. Or betting on… anyway, you get the idea.

In a perfect world, we’d be able to accurately predict which technology will dominate, and make our investments accordingly. But, in practice, people just wait. They sit and watch other guys place their bets, and they continue to sit and watch until a clear winner emerges.

But, what if there is no clear winner? What if you have a technology with multiple — and incompatible — approaches? That’s the situation with clouds right now. There’s the Amazon approach to cloud computing. The Microsoft approach. The IBM approach. The Google approach. And, the ever-popular VMware approach.

Picking a vendor too early can cost the company significant amounts of money down the line when it is time to switch. So after the early adopters have all adopted, if there’s still no clear winner, someone has to take a step to break the logjam. This is usually when the vendors — all except the market leader — get together and decide on a standard.

That’s what seems to be happening now in the cloud computing space. Amazon is the market leader. But its cloud platform is proprietary, which means its customers aren’t going anywhere. So, Amazon’s name isn’t popping up in any of the standards discussions, except when people discuss whether Amazon will actually be the standard. It’s like Windows was the standard for office computing for decades.

So Amazon’s competitors, including IBM, Cisco, EMC, CA, SAP, and Red Hat, have just gotten together and agreed on a cloud standard called Topology and Orchestration Specification for Cloud Applications (TOSCA). In November, VMware and partner SAP also said they would support TOSCA.

For companies still sitting on the cloud sidelines, this is good news in three ways. First, if they pick a vendor that supports TOSCA, and later want to move their cloud to another vendor, they will be able to do it at a lower cost than if they were moving between proprietary platforms.

Second, if they have a private cloud running on their own servers, they can move processes from it to a public cloud, and back again, to handle sudden spikes in demand, to use as backup systems, or to roll out new applications faster. This is the “hybrid cloud” approach, and many companies are looking at doing clouds this way so they have the control and security they need, when they need it, while still being able to benefit from public cloud infrastructure.

Third, companies will be able to buy pre-packaged cloud-friendly software systems that can be deployed with any of a number of cloud vendors. That would reduce the dependence on a cloud vendor’s own solutions, allowing more choices, and, in the end, lowering costs for everyone.

It remains to be seen how many other cloud vendors will support TOSCA, and to what degree they will implement it. If they don’t support it, enterprises will be stuck paying extra for cloud middlemen, vendors that package up cloud applications for customers in a way that enables them to be deployed to different clouds. Sure, those vendors add more value, as well. For example, they might monitor cloud performance and automatically redistribute applications as needed. But if the middleware vendor itself uses a proprietary system, that’s just stepping out of one quagmire right into another.

Article originally appeared at The IT Services Site.