As retailers continue to search for ways to reduce costs in order to stay competitive, while at the same time raising wages in response to political and societal pressures, shrinkage is an area ripe for revenue recovery opportunities. Recent National Retail Security Surveys and 2014’s Global Retail Theft Barometer Study estimate the cost of shrinkage to US retailers in the range of $42-44 billion annually (depending on which survey’s numbers you go with). Theft by associates and customers accounts for 75-80% of those losses, well over $30 billion annually. The remaining 20-25% is caused by administrative errors, damage to inventory, vendor fraud and other miscellaneous issues.
Systems Alliance Blog
On Wednesday, the New York Stock Exchange was down for nearly four hours. As soon as trading was halted, speculation began to fly that the outage was the result of the exchange being hacked.
Reality turned out to be a little less interesting. NYSE realized that a botched software update was causing major glitches across its trading systems. Although this was a very high profile outage, it is commendable that NYSE’s IT staff was able to recognize the problem and roll the change back. This is a great example for how IT Change Management should be applied.
Not Every Outage Involves Hackers
With all the attention on cyber security, it’s easy to forget that human error and a lack of good IT governance are far more likely to cause an outage than malicious actors are.
Shooting yourself in the foot is a lot more embarrassing than getting hacked – especially since it can be avoided.
According to the Visible Ops Handbook from the IT Process Institute, "80% of unplanned outages are due to ill-planned changes made by administrators ("operations staff") or developers." ITPI dives further into these self-inflicted & unplanned outages noting that the majority of the time to restore services is spent figuring out exactly what changed because of a lack of effective Change Management.
Change Management Isn’t a Bad Thing
Many IT professionals have a very negative view of Change Management and ITSM frameworks like ITIL. They see them as administrative and bureaucratic burdens that prevent “real work” from being done.
Those true believers that feel like you have to implement every piece of the gospel according to ITIL aren’t helping the cause either. It is unrealistic to go from an undisciplined environment to having every ITIL process fully realized overnight.
Always remember that the Change Management process is there to reduce risk and ensure changes are well thought out. It can be as simple as making everyone agree to write down and discuss their changes and preventing unauthorized changes.
IT “Cowboys” Are Symptoms of a Bigger Problem
Small IT shops without mature IT processes often have one key staffer that keeps all the lights on. They eschew documentation and fix things based on their gut feelings. They’ve always got a magic bullet ready to restore services when the worst case scenario happens.
“Cowboys” in IT have had a good run but it is past time to send them packing. Not only do they often cause the very outages they’re fixing through human error, they tend to keep knowledge to themselves which prevents new staff from learning your systems and grinds troubleshooting to a halt when they’re unavailable.
It is an unacceptable risk to let critical production systems be run by cowboys who make changes outside of the Change Management process. The presence of cowboys is a symptom of poor IT governance where the organization is operating without a plan.
Write it Down!
Documentation is one area where many IT shops struggle. They don’t write down policies and procedures. They don’t keep their configuration information readily available and up to date. They find themselves flailing about when an outage happens because they don’t have any reference materials handy.
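The ITPI finding quoted above (most of the time to restore service goes into working out what changed) is the practical case for keeping configuration baselines and tying every change to a record. The script below is an added example, not code from the original post or from Systems Alliance: it compares a baseline snapshot of configuration files against the current snapshot and separates the changes that are covered by an approved change record from those that are not. The file paths, contents and change IDs are constructed sample data; in practice the snapshots would come from a config backup job and the records from whatever change-management system is in use.

```python
"""Detect configuration changes that have no approved change record.

Added example, not code from the original post or from Systems Alliance.
BASELINE, SNAPSHOT and RECORDS are constructed sample data.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(content: str) -> str:
    """Stable hash of a config file's contents (line endings normalised to LF)."""
    return hashlib.sha256(content.replace("\r\n", "\n").encode()).hexdigest()


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    files: frozenset  # config files the change is allowed to touch
    approved: bool


def classify_changes(baseline, current, records):
    """Compare two snapshots (path -> file text) and return
    (approved, unapproved): sorted lists of changed paths.

    A changed path counts as approved only if an *approved* change record
    names it. Files that were added or removed count as changes too.
    """
    covered = set()
    for rec in records:
        if rec.approved:
            covered.update(rec.files)

    changed = []
    for path in sorted(set(baseline) | set(current)):
        before = fingerprint(baseline[path]) if path in baseline else None
        after = fingerprint(current[path]) if path in current else None
        if before != after:
            changed.append(path)

    approved = [p for p in changed if p in covered]
    unapproved = [p for p in changed if p not in covered]
    return approved, unapproved


# Constructed sample data: what the config looked like at the last known-good point
BASELINE = {
    "/etc/haproxy/haproxy.cfg": "frontend web\n  bind *:443\n",
    "/etc/ntp.conf": "server 0.pool.ntp.org\n",
    "/etc/ssh/sshd_config": "PermitRootLogin no\n",
}

# Constructed sample data: what is on the box now
SNAPSHOT = {
    "/etc/haproxy/haproxy.cfg": "frontend web\n  bind *:443\n  timeout client 30s\n",
    "/etc/ntp.conf": "server 0.pool.ntp.org\n",
    "/etc/ssh/sshd_config": "PermitRootLogin yes\n",
    "/etc/cron.d/hotfix": "* * * * * root /usr/local/bin/hotfix.sh\n",
}

# Constructed sample data: change records; CHG-1043 was raised but never approved
RECORDS = [
    ChangeRecord("CHG-1042", frozenset({"/etc/haproxy/haproxy.cfg"}), approved=True),
    ChangeRecord("CHG-1043", frozenset({"/etc/ssh/sshd_config"}), approved=False),
]

if __name__ == "__main__":
    ok, bad = classify_changes(BASELINE, SNAPSHOT, RECORDS)
    print("changed and covered by an approved record:", ok)
    print("changed with NO approved record (look here first):", bad)
```

When an outage hits, the second list is where troubleshooting starts: the sshd and cron changes above have no approved record behind them, so they are both the likeliest cause and the clearest sign that someone worked outside the process.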
You’re going to have a computer security incident. Whether it’s a virus, compromised website, or full-on system compromise, you’ll eventually be forced to react to a security incident in your computing environment. When you find yourself dealing with an incident, you don’t want to be left scrambling. That’s why it’s important to be prepared with an incident response plan.
Let’s face it, the days of getting by with just a good website are over. Now, especially with the ever diminishing attention span of most website visitors, content on your website needs to be more than just a logo and some text on the screen. It needs to draw in, engage and captivate your audience.
One way to make your website more dynamic is video. Videos engage site visitors, often times delivering information that isn’t available or easily understood through text. Shareability is another huge advantage to video. Visitors will be able to share your content easily, helping to increase your brand awareness and credibility with potential clients.
Online video is all the rage right now, and it’s only increasing in popularity. According to Cisco, by 2019, 80% of the whole internet will be online video. And no, we’re not just talking about cat videos (although, by the way, 15% of all internet traffic is connected to cats) or that video of the baby giggling when his mom blows her nose (which is now up to over 61 million views). Video is now crucial in web content marketing.
Not only are videos great to have on your website, they are proven to drastically improve email campaign results. According to Forrester Research, when marketers include video in an email, the click through rate increases by 200-300%. And let’s not forget about mobile – by the end of 2019, mobile video will account for 72% of total mobile data traffic.
So, should you be using video in your web content marketing? All signs point to YES.
Now, you may be thinking, “Ok, great! So, what now? How do we start making videos – we don’t have any experience in-house, and we definitely can’t afford to hire outside help”. The truth is, you really don’t need either. There are some fantastic tools out there to help with creating video content. For example, here are just a few of the different types of videos we create at SAI.
For this product video which features our Acadia Performance Platform, we used GoAnimate, a simple-to-use video animation tool that helps even the most amateur of users create a fully functional, engaging video. So, why animation over real people? Above all, this is a very budget friendly approach to video; there are no actors and no camera is required. And it’s a step up from just providing screenshots. This is an easy and effective way to showcase a product and explain its use cases, especially considering videos increase people’s understanding of your product or service by 74%.
The New York Times reported yesterday that the FBI is actively investigating the front office of the St. Louis Cardinals for illegally accessing a rival team’s computer system. While this must be the strangest sports scandal since Deflategate, it is also the most high profile case of “high tech” corporate espionage that doesn’t involve a nation state actor.
Per the NYT, “the intrusion did not appear to be sophisticated” according to law enforcement officials. The Astros executive whose credentials were compromised previously worked for the Cardinals. Cardinals staff allegedly used his old password to get into a new system that he built in Houston.
This incident provides a number of lessons learned. The most obvious is to never commit a federal crime from your home computer unless you are interested in taking an all-inclusive vacation at the nearest federal detention center. Here are 3 more you should think about:
1. NEVER REUSE A PASSWORD
If you use the same password more than once and it gets compromised, the damage can be substantially worse. Let’s imagine a scenario where a hacker gets access to one of your accounts. That’s bad but at least it is contained to that website or application.
Now let’s say that your password is the same on every other system you use. Exploiting passwords stolen from one site against others is a very common practice amongst cyber criminals. Now your bank, online brokerage, social media accounts, luggage, etc. are compromised too.
Now let’s imagine a worse scenario. One of your employees just had their accounts broken into and they are now busy picking up the pieces. According to a 2014 study, “one in five Americans reuses the same username and password across their personal and business accounts”. That same study revealed that “73% of US Full-time workers admit to reusing the same batch of passwords online”. You probably are not feeling lucky right now.
2. ALWAYS CHANGE THE DEFAULT CREDENTIALS
According to media accounts, the database built for the Astros was designed by the same executive and was substantially similar to that of the Cardinals. While the credentials used to exploit this system were the executive’s old passwords, since they were known outside of the organization, this is analogous to leaving the vendor’s default password configured.
What’s the last piece of equipment you bought for your IT department? A quick Google search will reveal the vendor’s username and password to anyone with an internet connection. If you put it online and never changed that password, you are taking an enormous risk. According to a 2013 Verizon study, “about 90 percent of successful breaches analyzed by Verizon started with a weak or default password, or a stolen and reused credential”. Changing those defaults is common sense.
The same goes for those logon passwords the IT department gives you. Do you really think that they haven’t used the same “P@ssw0rd2015” for the last 20 people who asked for a reset?
3. BE AWARE OF INSIDER THREATS
While many data breaches come from outside, insiders can be just as dangerous. People who know you and your systems probably understand their weaknesses. In the baseball hacking scandal, it was allegedly paranoid and vengeful ex-colleagues who broke into the system. In a more famous case, it was an employee motivated by political views who leaked sensitive data.
Insider threats also include outside parties that steal credentials held by privileged individuals like your IT administrators and executives. Making sure that they are aware of how to protect their credentials is critical. The days of CEOs having passwords written on post-it notes must stop. Ensuring compliance with your IT policies and procedures is arguably more important for privileged users than it is for rank and file employees because their access to sensitive data is often greater.
The best defenses against insider threats are common sense best practices. That includes a logical separation of duties and insisting that network activity is logged and audited. Fewer than 60% of organizations are doing this today but it has been identified as a key behavior in quickly identifying malicious activity.
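Logging and auditing only pays off if someone actually looks at the logs for the signals described in this section. The script below is an added example, not code from the original post or from Systems Alliance: it reads login events and raises two kinds of finding, a successful login by an account whose owner has left (the Astros situation, where a former employee’s credentials still worked), and a privileged account logging in from outside the networks administrators normally use. The log lines, the departed-staff roster, the privileged-account list and the admin network range are all constructed sample data, and the line format (`<timestamp> <host> login <result> user=<name> from=<ip>`) is a generic one assumed for the example rather than any particular product’s format.

```python
"""Audit login events for two insider-threat signals:
departed-staff accounts still being accepted, and privileged accounts
logging in from outside their expected networks.

Added example, not code from the original post or from Systems Alliance.
LOG, DEPARTED, PRIVILEGED and ADMIN_NETS are constructed sample data.
"""
import ipaddress
import re
from datetime import date

# Assumed generic line format for the example, not a real product's format
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>success|failure) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines, departed, privileged, admin_nets):
    """Return a list of (rule, user, ip, timestamp) findings.

    departed:   {user: offboarding date}; a successful login on or after that
                date means the account was never disabled
    privileged: account names for admins and executives
    admin_nets: CIDR ranges privileged logins are expected to come from
    """
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "success":
            continue  # unparseable lines and failed logins are out of scope here
        when = date.fromisoformat(ev["ts"][:10])
        user = ev["user"]
        ip = ipaddress.ip_address(ev["ip"])
        if user in departed and when >= departed[user]:
            findings.append(("departed-account-login", user, ev["ip"], ev["ts"]))
        if user in privileged and not any(ip in n for n in nets):
            findings.append(("privileged-login-off-network", user, ev["ip"], ev["ts"]))
    return findings


# Constructed sample data (addresses are from documentation ranges)
LOG = [
    "2015-06-16T09:02:11 db01 login success user=jsmith from=10.1.4.22",
    "2015-06-16T09:05:40 db01 login success user=former.exec from=203.0.113.7",
    "2015-06-16T09:07:03 db01 login failure user=former.exec from=203.0.113.7",
    "2015-06-16T11:30:55 db01 login success user=dbadmin from=10.1.4.9",
    "2015-06-16T23:48:19 db01 login success user=dbadmin from=198.51.100.24",
    "garbage line the parser should skip",
]
DEPARTED = {"former.exec": date(2014, 1, 15)}   # left the company in 2014
PRIVILEGED = {"dbadmin"}
ADMIN_NETS = ["10.1.4.0/24"]

if __name__ == "__main__":
    for finding in audit(LOG, DEPARTED, PRIVILEGED, ADMIN_NETS):
        print(*finding)
```

Two findings come out of the sample: the former executive’s account was accepted sixteen months after offboarding, and the database administrator account was used from an address outside the admin network late at night. Neither needs anything exotic to detect; it only needs the login log to exist and someone to run a check like this against it. The departed-staff check is also the simplest way to enforce the separation-of-duties rule in the text: HR’s leaver list and IT’s account list are reconciled by a third party rather than trusted to match.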
They Are Called “Best Practices” For a Reason
Jumping back to the baseball hacking scandal, the Houston Astros appear to be the second dumbest team in baseball, rivaled only by the team that “hacked” them, the St. Louis Cardinals. As Deadspin so blithely pointed out, “What makes the St. Louis Cardinals hacking scandal really great, aside from the fact that it involves the St. Louis Cardinals, is that it could not have happened if everyone involved hadn’t acted as stupidly as possible.”
If you’re reading this and aren’t sure about your organization’s IT security practices, maybe now is the time to start asking questions and reduce your risk exposure to avoidable problems.
Not sure where to get started? SAI can help.
Wondering what to do if you find yourself having to deal with a data breach? Stand by for our next post from SAI’s CTO Josh Crone.