Earlier this week, health insurer WellPoint, Inc. agreed to pay $100,000 to settle a lawsuit in which the company was accused of failing to properly notify officials that a security breach had occurred. According to the Indiana Attorney General’s office (which filed the suit), social security numbers, financial information and health records for as many as 32,051 people were potentially accessible through an unsecured website over a five-month period starting in late 2009. As specified in Indiana’s state law, “companies that experience data breaches must notify both their consumers and the Attorney General ‘without unreasonable delay.’ ” In the case of WellPoint, although the company notified consumers right after the breach was discovered, the Attorney General was never contacted (as alleged in the lawsuit).
While the list of publicly disclosed data breaches continues to grow, driven by hackers and substandard security measures, it’s typically the events at major corporations that get the most attention. From the Sony PlayStation Network incident earlier this year to last month’s Dropbox authentication bug, each serves to emphasize the threat surrounding the information we post online every day. Hackers even hit the Washington Post on Thursday, getting away with email addresses and user IDs (though the Post reports personal data was not compromised).
While the big companies represent enticing targets for hackers, small businesses may face an even larger risk. In the WellPoint example, the company was fined for not knowing (or at least, not following) the data breach laws established in the state of Indiana. Even if its technology team addressed the system component of the security issue, one of the compliance elements was missing. If that aspect was overlooked by a billion-dollar corporation, consider how hard it is for small businesses to comply—unless they have a knowledgeable IT security expert to work with.
Security Never Ends
Solution providers typically find their investment in an IT security practice to be a wise one. The technology that you need to implement and manage for your clients may change rapidly, requiring additional training and, occasionally, collaboration with vendors or other breach protection experts.
One of the biggest challenges in building a security practice is developing a sales and support team that understands—and can address—potential threats and other network/data protection issues that your business customers face. Whether securing the network for a credit union or helping design the information security plan for a regional hospital, the portfolio of services a VAR or MSP can provide is virtually limitless.
For solution providers who wish to build or enhance a security practice, CompTIA will host a number of educational training sessions with that focus at this year’s Breakaway, August 1-4 in Washington D.C. The agenda includes three modules of live IT security channel training, a CompTIA Security Trustmark Workshop and the Cybersecurity Summit (includes a keynote, mobility and cloud migration discussion). With a live classroom setting, these vendor-neutral discussions and educational sessions allow more collaborative peer discussions than online training, and let participants ask more in-depth questions about their own business needs. Another great benefit is that these classes are free to all Breakaway attendees, so all you have to do is register!
Mobility Requires Extra Support
One topic on the agenda at Breakaway is the increased security concerns around mobility—and how solution providers can address them. The continued growth of the remote workforce, smartphone technologies, and tablet computing is creating new challenges for business, and securing and properly managing the network is front and center. Which devices should the company allow on the network and which applications should employees be able to access offsite? Small businesses are getting hit with these questions daily, and solution providers are the ones who typically provide the answers.
Mobility concerns took center stage this week when Germany’s Federal Office of Information Security warned that “an iOS security flaw could leave Apple devices such as iPhones, iPads and the iPod Touch vulnerable to malicious software when users view PDFs.” While experts claim the issue is specific to devices that have been tampered with or “jailbroken,” it highlighted the need for additional layers of security to protect business systems. Consider the impact to a hospital if someone were able to break into the servers using a hacked smartphone. What concerns do your clients at a law firm have, with sensitive case files and other data that is likely accessible through their mobile devices or laptops?
These are all real concerns and a true business consulting opportunity for the channel, especially with a thriving mobility market and employees who want to be connected. If you haven’t expanded your knowledge of security beyond the basic internal business network, it’s time to take a good hard look at it and get involved.
Brian Sherman is founder of Tech Success Communications, specializing in editorial content and consulting for the IT channel. His previous roles include chief editor at Business Solutions magazine and industry alliances director with Autotask. Contact Brian at Bsherman@techsuccesscommunications.com.