Sunday, March 30, 2008

Is Someone in Your Company Publishing All Your Confidential Files? How Do You Know?

I've written about IT security, in one form or another, for almost a decade now, so I've seen more than my fair share of stories about virus and worm attacks, employees stealing confidential information, malware being used to extort money from large companies, and other nefarious acts of theft and sabotage. But I have to say that a pair of articles—one by John Foley and another by Avi Baumstein—in a recent issue of InformationWeek managed to rattle even me.

The topic is data leakage caused by peer-to-peer (P2P) file-sharing applications. P2P applications enable users to share and transmit files over a vast network of computers all running the same P2P software. In some P2P networks, a node simply makes files available for other nodes to discover and download. For example, I might put a bunch of documents in a sharing folder. You might use the P2P application to search for these documents, discover them, and copy them from my system to yours.

Another model of P2P network is designed specifically for handling large media files, such as software distribution packages and movies. These networks use a "swarming" protocol such as BitTorrent to split a very large file into fixed-size pieces, fetch those pieces in parallel from many peers at once, and reassemble them into a copy of the original on the receiving end. Because hundreds, thousands, or even millions of computers function as nodes in the network, this type of P2P network is a convenient way to distribute large files, such as 150 MB software packages, efficiently, without putting excessive load on any one server or network segment.
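As an added illustration (not from the InformationWeek articles or from any real client's code), here is the piece-splitting and per-piece verification that a swarming download relies on, in simplified Python. Real BitTorrent pieces are 256 KiB or larger and the SHA-1 digests travel in the .torrent metainfo file; the 16-byte pieces and the sample payload below are constructed for the example.

```python
import hashlib

PIECE_SIZE = 16  # bytes; constructed for the example, real clients use 256 KiB+


def split_into_pieces(data, piece_size=PIECE_SIZE):
    """Cut the file into fixed-size pieces (the last one may be shorter)."""
    return [data[i:i + piece_size] for i in range(0, len(data), piece_size)]


def piece_hashes(data, piece_size=PIECE_SIZE):
    """The publisher computes one SHA-1 per piece once; downloaders get
    this list from a trusted source and use it to vet every piece they
    receive from strangers."""
    return [hashlib.sha1(p).digest() for p in split_into_pieces(data, piece_size)]


def reassemble(received, expected_hashes):
    """Rebuild the file from pieces that arrived in any order from any peer.
    A piece whose digest does not match is rejected (a real client would
    re-request it from a different peer) rather than written to disk."""
    out = []
    for index, expected in enumerate(expected_hashes):
        piece = received.get(index)
        if piece is None:
            raise ValueError(f"piece {index} missing")
        if hashlib.sha1(piece).digest() != expected:
            raise ValueError(f"piece {index} failed hash check")
        out.append(piece)
    return b"".join(out)


def demo():
    """Returns (clean download verified, tampered download detected)."""
    original = b"constructed sample payload: " + bytes(range(256)) * 2
    hashes = piece_hashes(original)

    # Simulate pieces arriving in reverse order from several peers.
    pieces = split_into_pieces(original)
    received = {i: pieces[i] for i in reversed(range(len(pieces)))}
    clean_ok = reassemble(received, hashes) == original

    # A corrupt or malicious peer substitutes garbage for one piece.
    bad = dict(received)
    bad[3] = b"X" * len(bad[3])
    try:
        reassemble(bad, hashes)
        tampered_detected = False
    except ValueError:
        tampered_detected = True
    return clean_ok, tampered_detected


if __name__ == "__main__":
    print(demo())
```

The per-piece hash is what lets a client safely accept data from thousands of anonymous peers: it guarantees the integrity of what you download, relative to the metainfo you trusted. It says nothing about the confidentiality of what your own node is serving, which is the problem the rest of this post is about.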

Sounds clever and convenient, right? But P2P file-sharing applications can also be dangerous, because many of them allow anonymous remote users to browse and transfer a lot more content than the computer owner may realize. Here's a typical example: Joe comes home from a long day's work at a large accounting firm. He wants to download a song he heard on the radio. He uses a P2P network to find a bootleg copy of the song. He downloads the song. What he doesn't realize is that when he's installing the P2P application and clicking Next, Next, Next to get through the installation, he's accepting a shared-folder setting that can expose whole directory trees on his laptop to the P2P network, not just the folder his downloads land in. Other users of the network can now browse those folders and download whatever they find.

His company's firewall? Bypassed, because the laptop is now at home on Joe's own connection. His company's security policies? Moot. Joe is not intending to do harm (well, other than perhaps grabbing a pirated version of a song), but by using P2P software, he's effectively negating the millions of dollars of security controls his IT department has developed and implemented to keep business data confidential and in compliance with regulations such as SOX and Gramm-Leach-Bliley. He's publishing all the confidential materials he has on his laptop. Chances are, he's got quite a few.

When InformationWeek reporters investigated P2P networks to find out just how much confidential data was being leaked over them by accident, they were shocked at what they found. Users were inadvertently publishing "spreadsheets, billing data, health records, RFPs, internal audits, product specs, and meeting notes . . . files with the home and cell phone numbers of senators, confidential meeting notes, and fund-raising plans [for a state political party] . . . spreadsheets listing patients' names along with their HIV and hepatitis status . . . [and] a slew of court documents regarding a sticky divorce."

LimeWire, the most popular client for the Gnutella P2P network, is reportedly installed on more than 18% of all PCs.

Three suggestions, then:

  1. Read the full InformationWeek articles (here and here) and encourage your managers and employees to do the same.
  2. Forbid or tightly control the use of P2P programs such as LimeWire on your business computers, and enforce the rule at the network edge, not just on paper.
  3. Have an IT engineer use one of these programs immediately, from an isolated machine, to search the networks for your company's name, product names, and internal document types and discover whether your business is already exposed.
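Suggestion 2 needs a way to notice P2P traffic in the first place. The script below is an added example, not from the InformationWeek articles or any vendor tool: it scans firewall connection logs for internal hosts that talk to several distinct outside addresses on the default Gnutella and BitTorrent ports, in either direction (an inbound hit on a P2P port means the laptop is serving files). The internal range 10.0.0.0/8, the key=value log format, and the sample lines are all constructed assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption for the example: the internal network is 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Default listening ports of the two P2P families discussed above. Users can
# change them, so a port match is a lead to investigate, not proof.
P2P_PORTS = {
    "gnutella": {6346, 6347},               # LimeWire and other Gnutella clients
    "bittorrent": set(range(6881, 6890)),   # classic BitTorrent client range
}

# Assumed firewall log format: "src=A.B.C.D:port dst=E.F.G.H:port ..."
LOG_RE = re.compile(r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)")


def protocol_for_port(port):
    """Name the P2P family a destination port belongs to, or None."""
    for name, ports in P2P_PORTS.items():
        if port in ports:
            return name
    return None


def find_p2p_hosts(lines, min_peers=3):
    """Return {internal_host: {protocol: distinct_peer_count}} for hosts that
    exchanged traffic with at least min_peers outside addresses on a P2P port.
    Requiring several peers filters out a single stray connection."""
    peers = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        proto = protocol_for_port(int(m["dport"]))
        if not proto:
            continue
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)][proto].add(str(dst))   # outbound: our host fetching
        elif dst in INTERNAL and src not in INTERNAL:
            peers[str(dst)][proto].add(str(src))   # inbound: our host serving
    report = {}
    for host, by_proto in peers.items():
        hits = {p: len(s) for p, s in by_proto.items() if len(s) >= min_peers}
        if hits:
            report[host] = hits
    return report


# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
src=10.0.0.5:51234 dst=203.0.113.10:6346 proto=tcp action=allow
src=10.0.0.5:51235 dst=203.0.113.11:6346 proto=tcp action=allow
src=10.0.0.5:51236 dst=198.51.100.7:6347 proto=tcp action=allow
src=192.0.2.44:40001 dst=10.0.0.5:6346 proto=tcp action=allow
src=10.0.0.9:51300 dst=203.0.113.20:6881 proto=tcp action=allow
src=10.0.0.9:51301 dst=203.0.113.20:443 proto=tcp action=allow
src=10.0.0.12:51400 dst=203.0.113.30:443 proto=tcp action=allow
""".splitlines()


if __name__ == "__main__":
    for host, hits in find_p2p_hosts(SAMPLE_LOG).items():
        print(host, hits)
```

On the sample data, 10.0.0.5 is reported with four Gnutella peers, including one inbound connection to its own listening port, while 10.0.0.9's single BitTorrent connection stays below the threshold. Treat the output as a starting point: clients can be configured to use other ports and some encrypt their traffic, so pair this kind of log review with a default-deny egress policy and a software inventory of the endpoints themselves.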

Tuesday, March 18, 2008

Tracking the Recession

The economy is all over the headlines, but if you'd like to see a lot of telltale graphs collected in one place, check out the DismalScientist's Recession Watch.

Monday, March 17, 2008

Happy St. Patrick's Day

Skip the bad jokes about beer and leprechauns today. Here's a better taste of things Irish: two and a half minutes of sheer magic as Tommy Peoples plays a strathspey called the Laird of Drumblair.

Enjoy.

Wednesday, March 12, 2008

Time for a Check-up

We're just about halfway through March, which means that Q1 is just about over. If you spent Fall 2007 or the first weeks of January putting together a strategic plan or business plan for 2008, it's time for a check-up.

A well-designed strategic plan includes measurable milestones supporting each objective. It's time to call a meeting with stakeholders and see how much progress you're making against your objectives and milestones.

Given the turmoil the financial markets are going through, it's probably also a good time to sanity-check your plans for the year. Adjustments to goals and changes of course may be in order.

And if you've made general plans that lack specific milestones and measurable objectives, it's time to sit down and define those specifics, too, so that you're able to gauge the progress you're making in each area. Judging activity against measurable outcomes is the best way to distinguish work that's truly productive from work that merely keeps everyone busy.

Sunday, March 9, 2008

Casting a Critical Eye on Expenses of All Kinds

Jason Calacanis, the CEO of a Web search start-up called Mahalo, has posted a list of recommendations for saving money when running a start-up.

What I like about the list is its thoroughness: Calacanis has really thought about where to invest (comfortable chairs so his employees will be able to work long hours comfortably) and where not to (he buys cheap tables, because all a table needs to do is hold stuff). His recommendation to eschew phone lines in favor of IM, Skype, and cell phones reflects a reality I see in other Silicon Valley start-ups. The company phone list and traditional phone lines are an anachronism once everyone's on Skype. I even know one CEO who never answers his direct-dial number, because the only people who call him on that line are vendors pitching him services. (How long before tradeshow vendors, printers, and PR firms realize that trolling Skype is probably going to be more productive than looking up phone numbers on Web sites? How long, after that, before executives begin guarding their privacy more closely on Skype and Twitter?)

Calacanis's recommendation to buy employees a second monitor reminded me of some research by Jakob Nielsen, the Web usability expert formerly of Sun Microsystems. Nielsen found:

Big monitors are the easiest way to increase white-collar productivity, and anyone who makes at least $50,000 per year ought to have at least 1600x1200 screen resolution. A flat-panel display with this resolution currently costs less than $500. So, as long as the bigger display increases productivity by at least 0.5%, you'll recover the investment in less than a year.

The examples of cost savings that Calacanis cites probably resonate most strongly with those in software companies. But managers in other industries would do well to think as critically about what employees really need in order to be productive.

Longstanding industry habits and daily routines can lead us to take too much about our work environments for granted. As a result, we might overlook simple changes we can make to increase worker productivity, minimize distractions, and perhaps even increase employee morale. (I'll bet the folks at Mahalo appreciate those monitors and iPhones.) As Calacanis's list shows, it's useful to critique everything from furniture to communication infrastructure, and put as much thought into what you're leaving out as what you're keeping in.