Economy Impacts School Budgets

Related entries in Education Security, Surveys & Reports

According to a new survey, schools all across the US are feeling the effects of the downturn in the economy. The study, released by the American Association of School Administrators (AASA), is based on a survey of school superintendents from October of 2008. It finds that schools across the nation are cutting costs in response to shrinking budgets, which could “threaten gains in student achievement and progress in narrowing the achievement gap.”

The study is very in-depth, looking at many areas of budgets and cost-cutting, from thermostats to staff levels. Currently, 67% of those superintendents polled describe their districts as “inadequately funded.”

Highlights from the study:

  • 36% of superintendents have increased class sizes
  • 35% have reduced instructional material
  • 30% are considering layoffs, while 48% have already reduced staff-level hiring
  • 95% say unemployment has impacted the families of students in their districts
  • 87% say the economy affects the schools’ capacity to maintain focus on student learning (similarly, most indicate the same inability to focus on instructional improvements, learning needs of all students, and meeting performance assessments)

There is no doubt that education is vital to a healthy economy, so a struggling education system could, according to AASA Executive Director Dan Domenech, “multiply the negative impact and prolong the economic downturn.”

Although the survey did not ask about IT budgets in any way, I would imagine that IT has been just as impacted by tighter budgets in the education sector. It will put extra pressure on IT departments to find solutions that help automate tasks and increase efficiencies. Also, given that data breaches in the education market account for a significant portion of all breaches in 2008, reductions in security spending could increase the risk of data breach (which is a costly issue). Download the study here. [PDF]

Another extremely interesting article on the topic of education looks at Obama’s campaign and what lessons the education sector can learn from his embrace of technology during his campaign. Obama’s campaign made effective use of social media - Facebook, Twitter, blogging - to get in touch with young voters, a strategy that brought more young voters out to the polls than at any time in the last 34 years, and one which teachers can take inspiration from in terms of getting their students involved. Continue reading about this here.

Learn more about Absolute Software’s initiatives in Education here.

Via eschoolnews

Absolute Software Launches BlackBerry Beta

Related entries in Absolute Software, Computrace, Mobile Security

Absolute Software dropped some big news today! Absolute has begun a closed beta of extending Computrace Mobile to the BlackBerry platform! It is estimated that Computrace Mobile will be generally available to corporate customers in the first quarter of 2009.

Computrace Mobile will deliver asset management, data protection and geolocation tracking, features of the Computrace protection package for laptop computers, to the BlackBerry.

“We will be able to offer our customers a single system for managing and securing their Windows and Mac laptops and desktops, Windows Mobile devices and now BlackBerry smartphones… This solution will provide them with the visibility and protection they need to reduce operational costs and losses due to theft and inefficient allocation.” - John Livingston, president and CEO of Absolute Software.

We’re quite excited about the news, and hope you are too! Although the beta is closed at the moment, if you’re a journalist interested in doing a review, contact Absolute for a private demo. Continue reading the press release here.

Computrace Mobile currently is supported on all Windows Mobile 5 and 6 handheld devices including the HP iPAQ, HTC Touch, MOTO Q, Samsung BlackJack and Treo 750.

Have you defined your Insider Threats?

Related entries in Security Policy, Surveys & Reports


Cisco recently released a whitepaper about data leakage worldwide and the resulting costs. The global study, polling more than 2000 employees and IT professionals in 10 countries, indicated that insider threats were far more prevalent than previously thought.

Cisco commissioned the security study from InsightExpress in order to understand if social and business cultures had any impact on data leakage. The results indicate that “insider threats”, caused by uninformed, careless or disgruntled employees accidentally or purposefully doing something which breaches data, have the potential for greater financial losses than outside attacks on the company. In the context of this survey, they also considered that every device capable of storing data added to “insider threats”, given that the loss of these devices poses a high risk.

Cisco put together two papers focused on employee behavior that could put corporate data at risk. The papers found that IT professionals are often unaware of the employee behaviors which put data at risk - this obviously makes preventing loss quite the challenge.

The study examined the effectiveness of security policies - how they are created, communicated and how compliance is enforced. The lack of a policy and compliance with existing policies were large factors in data loss. Unfortunately, the survey showed that IT professionals lack an awareness of how many employees understand and comply with security policies.

Highlights from the study:

  • 39% were more concerned about the threat from their own employees than the threat from outside hackers
  • 33% were most concerned about data being lost or stolen through USB devices
  • 27% admitted that they did not know the trends of data loss incidents over the past few years
  • 43% said they are not educating employees well enough
  • 19% said they have not communicated their security policy to employees well enough
  • 9% reported that they have lost or had their corporate device stolen (26% of those experienced more than one incident in the past year)
  • IT professionals believe that slipping employee behaviors, in terms of safeguarding intellectual property, stem from too much information being dealt with (48%) and a growing apathy towards security stemming from faster-paced jobs (43%)
  • 11% reported that they or fellow employees accessed unauthorized information and sold it for profit, or stole computers

The study concludes that a lack of awareness and of diligence, as well as purposeful defiance, pose a significant risk of data loss. The report lumps the loss of laptops and other portable devices in with the “diligence” section, for the most part. Sadly, most lost laptop reports back up the findings: that employee behaviors are to blame for a lack of data safeguards in laptops, such as leaving laptops logged on, leaving passwords in sight, leaving laptops in cars, etc.

“Preventing data leakage is a business-wide challenge. IT professionals, executives, and employees at every level of responsibility must work together to protect critical data assets…

Like outsider threats, addressing the insider threat demands a comprehensive approach that includes education, policy, and technology.”

The recommended approach focuses on education and accountability. Technologies can help, such as Absolute’s Computrace solutions, which solve some compliance issues by tracking assets and even monitoring software.

Download link: Data Leakage Worldwide White Paper: The High Cost of Insider Threats [PDF]

Document Retention Policy

Related entries in Security Policy, Theft Prevention


Document Retention - understanding what documents to keep, for how long, and how to destroy what you no longer need. This is an area Michael Overly recently explored, providing a series of tips about basic elements to be considered in a document retention program. Using those tips as a jumping off point, and supplementing with other research, I came up with this list.

10 basic elements of a good document retention policy

  1. Understand what documents to keep, looking first to type of record (employment, accounting / tax, legal, electronic). Understand legal requirements, as well as business requirements, as to how long to keep documents. In the master policy, list the rationale to any decisions made for each type of information. The retention period for each type of document should be listed.
  2. Electronic documentation retention should be clearly defined on its own, particularly as it pertains to email and IM. List the location where electronic information will be stored and the policies that pertain to backup tapes.
  3. Define how data is disposed - for both physical and electronic information. This includes how information is shredded and disposed of, how old electronic devices are purged and/or resold, how electronic information is purged from the network, etc.
  4. Choose a storage / backup method that matches the continued demand for information. Accessing backup tapes is not cost effective, so retain information in a way that makes sense with its use
  5. Restrict the copying of data so that it cannot be duplicated to local machines (if desired) and/or restricted devices such as USB keys or mobile devices
  6. Detail actions associated with the policy - for example, if email >X days old is to be deleted, list that the network will automatically perform this function.
  7. Define disposable documents - those documents that don’t need to be retained. For example, duplicates or “trivial” documents.
  8. Assign a process to keep documents if a legal claim arises, exempting them from regular disposal
  9. Assign a person or group to maintain the program and answer questions
  10. Audit the program regularly to ensure the program has been implemented correctly and that it stays up-to-date with changes in the business or legal environment

Supplemental research sources: nfib, it world, uofaweb, microsoft, abanet Image: ppdigital @morguefile

Beware: Social Engineering

Related entries in Security Policy, Surveys & Reports, Theft Prevention

Joan Goodchild has put together an article entitled “Social Engineering: Eight Common Tactics” for CSO Online. Knowing some of these tricks, and integrating tips such as these into regular employee training, can help ward off some of the threats to data security. Several of the tactics regard employees unwittingly giving information to criminals via the phone, while others are more traditional cybercrime issues.

“Social engineering is the art of manipulating people into performing actions or divulging confidential information… The term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.” - Wikipedia

8 Common Social Engineering Tactics to Avoid

  1. Ten degrees of separation - criminals may try to draw out information from the “front line” employees, each time gaining information to access employees further inside the organization. Another tactic is to be friendly, slowly drawing out more and more information.
  2. Learning your corporate language - if a criminal sounds familiar, your guard may be down to disclosing confidential information
  3. Borrowing your ‘hold’ music - to pretend to be from inside the company
  4. Phone-number spoofing - as above
  5. Using the news against you - as lures for spam, phishing and other scams. Particularly dangerous if targeted to company news.
  6. Abusing faith in social networking sites - suggest typing site names manually, not clicking links
  7. Typo Squatting - for web URLs
  8. Using FUD to affect the stock market - FUD = fear, uncertainty, doubt. Can be used in a number of ways to scam stock prices.

You can read the full details here. You can also read the latest McAfee Security Journal report about the increase in use of social engineering techniques in cybercrime.

Also of interest, ScanSafe has released the 3rd quarter results of their Global Threat Report. [PDF]

Secure Your Home Office

Related entries in Business Security, Computrace, Laptop Security, LoJack for Laptops

Although we’ve talked many times about the security issues around employees working remotely from home or while abroad, we haven’t specifically touched on the issues that the self-employed face when working at home.

We talk many times about the importance of keeping private or sensitive information on the corporate network, accessed remotely, but not stored on mobile devices. At home, this is more of a challenge because that data is in your home, on your home computers. One must consider physical data storage (bank information, tax returns, receipts, etc), as well as protecting the data you store on your desktop or laptop computers.

Basic data security tips:

  1. Use strong passwords, and don’t write them down
  2. Install an anti-virus solution & encryption solution
  3. Keep your software up to date
  4. Don’t click links or open files from untrusted sources (and be wary of trusted ones too)
  5. Log out of your computer at night
  6. Set up a firewall
  7. Read our Ten Steps to Laptop Security list

Absolute Software’s Computrace LoJack for Laptops comes in 2 editions, Premium and Standard, allowing you to protect all the computers in your home office. The Premium edition comes with the advanced capabilities to not just help recover lost laptops, but to remotely delete sensitive data.

The FTC has also put out a guide for businesses wanting to protect personal information. This guide is geared to businesses of all sizes, but is particularly useful for the small business owner. If you are in the business of dealing with a lot of sensitive information, consider that there may be more advanced solutions to storing data off-premises, via a secure business network solution and even physical data storage.

One Laptop Per Child Initiative on Amazon

Related entries in Education and Technology

On November 17th, the One Laptop Per Child initiative will come to Amazon. The mission of OLPC is to make sure kids in the developing world are able to learn effectively on their own personal laptops, so that “they, their families and their communities can openly learn and learn about learning.”

In addition to making sure kids in developed countries have laptops, the OLPC Association focuses on designing, manufacturing and distributing laptops into the hands of children in lesser-developed countries. Of course, in order that the laptops can be used, the association focuses on getting government support to create programs so that children can not only own, but use, laptops.

The ability to support OLPC was previously restricted to the OLPC site - however, on November 17th, news has it that Amazon.com and Amazon.co.uk will be participating in the Give 1 Get 1 program. Under this program, people can buy one of the XO laptops for themselves and donate the other to a child in a developing country - the starter price to give 1 and get 1 is just $199.

You can support the program as an individual or business, but you can also help in creating open source software and learning resources (info here). For future news, you can follow the One Laptop per Child initiative on Twitter or read the independent OLPCNews blog.

Consumer Security News Roundup

Related entries in Security Links

A number of great articles for consumers, about technology, security and identity theft, caught my eye this week. Rather than talk only to one or two of these articles, I wanted to point to some of them for you to check out:

Also, given the recent elections, you may wish to read Barack Obama’s Information Security plans here.

Most Employees Ignore IT Security Policies

Related entries in Business Security, Security Policy, Surveys & Reports

Employees continue to ignore security policies, notes another survey from RSA. Over 50% of employees work around existing IT security policies in order to get their work done.

The insider threat survey, conducted among 417 industry event attendees by RSA, polled workers across a range of industries, heavier in financial and technology sectors. Nearly half of respondents worked in IT. The survey indicates that, despite awareness of IT policies, convenience trumps security.

Highlights from the survey:

  • 94% are familiar with their organizations’ IT security policies
  • 53% have felt the need to work around IT security policies in order to get their work done
  • 64% frequently or sometimes send work documents to their personal email address in order to access and work on them from home.
  • 15% have held a door open for someone at work that they did not recognize
  • 89% frequently or sometimes conduct business remotely over a virtual private network (VPN) or webmail
  • 58% frequently or sometimes access their work email via a public computer / 65% via a public wireless hotspot
  • One in 10 has lost a laptop, smartphone and/or USB flash drive with corporate information on it
  • 79% frequently or sometimes leave their workplace carrying a data device containing sensitive information related to their jobs
  • 43% had switched jobs internally and still had access to accounts/resources which they no longer needed
  • 37% have stumbled into an area of their corporate network to which they believe they should not have had access

As you can tell, many of the results mirror the study from Cisco that came out earlier in October. Basically, the lesson to take from this is to rethink the “insider threat” as not just malicious actions taken by employees, but also the “innocent” rule breaking that they do day-to-day in order to get stuff done.

This type of rule breaking is a little complex, as it may be due to a lack of clear instructions. Although employees may be familiar with IT security policies, those policies may be vague in some areas, or employees may receive mixed messages from overlapping policies or a mismatch of policy and procedures. For example, if certain programs and websites are, by policy, not allowed, they should be, by procedure, blocked. That’s not always the case.

As in many cases with security policies, it comes down to training and enforcement. Train all new employees well, but keep on training existing employees on an ongoing basis. Everyone could use the refresher. And enforce the rules - employees should know what the potential outcomes are of crossing the line at the corporate level (risk of data breach) and the personal level (being reprimanded for going against policy, regardless of outcome).

Technology solutions like Absolute’s asset management software can help you identify if users are operating outside corporate policies.

Via CSO Online ; image: mconnors @morguefile

White House Repeatedly Hacked

Related entries in Government Security, Security Breach, Web Security

The Financial Times reports that Chinese hackers penetrated the White House computer network on multiple occasions, obtaining emails between government officials. In each hacking incident, the cyber criminals were able to steal information before the White House security systems and professionals could patch the security holes.

The new insight comes on the heels of another report that the presidential campaigns of Barack Obama and John McCain were hacked over the summer. The FBI and Secret Service revealed to both Obama and McCain that large amounts of files related to policy positions had been stolen - information that may be useful in future negotiations with the U.S. administration. The hack came from a “foreign entity”, either Russian or Chinese.

Subsequent reports indicated that the attacks on the Obama and McCain systems came from China, and that other cyber attacks have been made on the White House from the same source. E-mail archives were attacked several times in recent months, a constant “cat and mouse” game with defenses going up each time a new attack was detected.

It is difficult to trace the exact source of the attacks. It is reported that, as far as the White House attacks go, only the unclassified network was breached. That doesn’t mean the information was not valuable or sensitive, nor that classified information was not present.

For more information on Absolute’s services for the Government sector, read here.

Via CNet image: barackobama.com