Archiving as a Customer Service Tool

We live in a suburb of Seattle and, like most of us who live in Western Washington, we have lots of trees in our neighborhood. One of the consequences of our winter storms is that our trees lose a number of limbs. To get rid of the tree debris each winter, about 16 years ago we and our neighbors purchased a gas-powered chipper from a company in northwestern Vermont called Country Home Products.

A pulley on the chipper shattered and I needed to order a new one. I tried to purchase a replacement part locally, but was told to contact Country Home Products directly, which I did. I didn’t remember the model number of the chipper and I didn’t have a part number for the broken pulley. However, I told the rep our address and that the broken pulley “was the larger one on the right as you face the housing.” He quickly brought up our purchase record from their database, knew the exact model of chipper we had purchased, and knew exactly what part we needed. The part was shipped and it was the right one.

We hear lots about archiving for purposes of regulatory compliance, litigation support, eDiscovery and the like — mostly defensive reasons just in case we need old data to satisfy a regulatory audit or address a legal action. But archiving can also be used as a customer service tool. In my case, a vendor’s customer service rep was able to immediately access my records from 16 years earlier and he knew more about my purchase and the specific replacement part I needed than I did.

That’s the kind of service that satisfies customers and builds brand loyalty — enabled because someone opted to keep their customer records in an easily accessible archive.

The Demise of the A380

The Airbus A380 is an amazing airplane and an engineering marvel – it’s the largest commercial aircraft currently flying, able to carry up to 868 passengers in a one-class configuration (although the typical three-class configuration carries 544 passengers). The plane is quiet, it’s comfortable and passengers like it. It can reduce airport congestion, since one A380 with 544 passengers will require less airport footprint and fewer resources than the three A320s that would carry the same number of passengers.

And yet, Airbus announced this week that it will cease production of its flagship A380 in 2021, just 14 years after its first commercial flight in 2007. Contrast this with the Boeing 747, which flew its first commercial flight in January 1970 and is still in production (albeit now only as a freighter and as two new Special Air Mission/Air Force One aircraft to be delivered in 2024), giving it a production life of at least 54 years.

So, why the demise of the A380? There are a number of reasons, including the logistical difficulties associated with producing the aircraft’s components in four countries across Europe and transporting them for final assembly in Toulouse, France; the high cost of the aircraft (~$445 million); the limited number of airlines that have purchased it (only 16 have ordered, and only 13 fly); the high cost of modifying airport terminals to accommodate it; and the introduction of highly fuel-efficient aircraft like the Boeing 787 and Airbus A350.

The A380 was designed to accommodate the hub-and-spoke model of air travel: fly large numbers of passengers to a central hub like London or Dubai, and then put those passengers on several smaller planes to their final destination. In contrast, aircraft like the 787 and A350 were designed more for point-to-point flights, making routes like Minneapolis to Lisbon financially viable. To be fair, the A380 was conceived before the 787, A350 and other, more fuel-efficient aircraft were available, but Airbus simply made the wrong decision about the future of air travel and was woefully optimistic in its forecasts: the company predicted in 2000 that 1,235 “very large aircraft” would be delivered from 2000 to 2019, but orders and deliveries of the A380 have been just 313 and 234, respectively, through last month. That’s a revenue miss of roughly $410 billion!

In my opinion, the A380’s demise boils down fundamentally to a single question: as a passenger, would you rather take one flight or two to get to your destination? Airbus seems to have answered that question with “two”, while a large proportion of the flying public and most airlines answered “one”.

In my own case, I would rather not make a connection through a large and busy airport if it’s at all possible to avoid it and I will go out of my way – and pay more – to take a flight without connections. I realize that many people will opt for cheaper, connecting flights, but they carry with them some fairly high costs: for example, a dated study commissioned by the FAA found that in 2010, missed connections cost passengers $1.5 billion each year.

The inconvenience of needing to make connections, as well as the lost productivity and opportunities that sometimes result, is not something that most business travelers, and many leisure travelers, are willing to accept. It’s one of the key reasons that we will see no new A380s produced after 2021.

Should You Rent or Buy Your Email and Productivity Apps?

Microsoft dominates the business email and desktop productivity markets. Over the past few years, the company has been pushing hard to move its user base for both to Office 365 and away from Exchange Server and desktop versions of Office. The push has intensified in recent months to the point where the company is now telling customers not just to adopt Office 365, but also not to use non-Office 365 solutions. For example, as noted in this article, the Microsoft corporate VP for the Office and Windows group said that the various applications in Office 2019 are “frozen in time. They don’t ever get updated with new features”. By contrast, Office 365 keeps “getting better over time, with new capabilities delivered every month.” It makes one wonder why Microsoft bothered to produce Office 2019, but that’s a subject for a different post.

Perhaps telling people not to use your products is the natural consequence of having such a dominant market share that the only competition left for your new and shiny products is your old and dull ones.

The key for decision makers, then, is to determine if the “new capabilities delivered every month” in Office, coupled with the reduced IT labor required to manage corporate email, is worth becoming a renter in perpetuity rather than a buyer.

To compare the costs of renting versus buying for a 50-person company, we compared the cost of two competing systems:

  1. MDaemon Server (including MDaemon AntiVirus, MDaemon Connector for Outlook, MDaemon ActiveSync and MailStore email archiving) and Office 2019 Home & Business.
  2. Various flavors of Office 365 (Office 365 Business Premium, Office 365 Enterprise E3 and Office 365 Enterprise E5).

Using only publicly available pricing on the MDaemon, Office 365 and Amazon.com web sites, here’s the annual pricing to support 50 users with business email and productivity applications over a three-year period:

  • MDaemon and Office 2019: $114.68 per user per year
  • Office 365 Business Premium: $150.00 per user per year
  • Office 365 Enterprise E3: $240.00 per user per year
  • Office 365 Enterprise E5: $420.00 per user per year

Of course, the primary advantage of any cloud-based solution is the reduction in IT labor realized from not having to manage on-premises infrastructure. But productivity applications don’t need significant levels of IT support, and most on-premises email solutions for small companies, as in our 50-user example, don’t either.

Please understand that this is not meant to disparage cloud-based solutions. Osterman Research is a strong proponent of the cloud for productivity solutions, CRM, security, archiving and a wide variety of other capabilities, and we are also a strong proponent of Office 365. But when making decisions, it’s important to understand where to rent and where to buy — buying is still not a bad business decision in some cases.


Bartering our Privacy

Many years ago I worked for a brilliant man, an industry analyst who did groundbreaking work in developing models for delivering broadband services to residential customers. I recommend you check out his current company, DEEPfutures.

Last August, he wrote a post on LinkedIn discussing new business models for Internet services. It’s a good read, but I disagreed with a key point that he made about the business model of presenting ads based on personal data:

“That business model is an unequal barter. In old-style, traditional barter, a farmer might trade a sheep and two chickens to have the barn roof repaired: both sides would have calculated the value and benefit. In our unequal barter, we trade all our personal information for…cat videos [and] free-to-us online services: Gmail, Facebook, Whatsapp, Twitter, etc. It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data. It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.”

I disagree with this statement in two key areas:

  1. “It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data.” Yes, it may be unequal, but it’s certainly not unfair. In the old-style barter system, we assume that the farmer traded his sheep or chickens to the roof repairer so that the latter could feed his family. But what if the roof-repairer had discovered a way to make chickens lay golden eggs and he could generate millions of dollars in income going forward? That’s still not an unfair barter, since the farmer received something valuable — a now leakproof roof — in exchange for something he considered valuable. In the same way, companies like Google, Facebook and others who give us cat videos or apps in exchange for our data are providing something of value — we don’t lose in the bargain if they are smart enough to turn our data into something more valuable than we consider it to be when we hand it over.
  2. “It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.” Here again, that doesn’t really make the barter unfair — if adtech companies find more value in a billionaire banker’s data than they do in the data from a farmhand, but are willing to provide the same free services to both, that’s not really unfair to the banker or farmhand. These individuals, as well as the adtech companies, are willing to enter into a barter relationship for something they each perceive to be of value.

This should not be interpreted as any kind of defense of Google, Facebook or others who have clearly demonstrated that they often play fast and loose with others’ data. Nor is it a defense of adtech companies and others that take your data without permission. For example, TechCrunch has found that companies like Air Canada and Hotels.com will record your mobile phone interactions, sometimes without permission. That’s not barter, since something of value has been taken from you without your consent in exchange for nothing in return.

Instead, I believe the fundamental problem is that too many aficionados of cat videos and various types of “free” apps place too little value on their privacy. They are too quick to hand over their data without first considering the consequences of doing so. The transaction is fair, but the adtech companies are thinking critically about what they can do with data owned by people who don’t think critically about entering into a relationship with them.

Any unfairness in the bartering between individuals and adtech companies will be solved only when the former begin to think seriously about the implications of handing over data without first considering the consequences.

Some Ideas, Other than Fines, to Reduce Data Breaches

An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.

The truth might lie somewhere in the middle.

In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.

The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.

Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.

The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.

Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.

What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.

So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:

  1. Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
  2. Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
  3. Instead of imposing fines on offending companies, instead require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.

While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.

How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.

On one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization realistically be? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?

Inbox Zero? Why Not Inbox Giganticus?

We hear lots about “Inbox Zero” and why it should be the goal of every business professional. The purpose of emptying one’s mailbox, according to the proponents of this approach to mailbox management, is to eliminate clutter, get better at prioritizing tasks, delegate work to others, de-stress, gain more control over one’s information, or some combination of these and other factors.

But is it a good idea?

Yes, if you view email solely as a communications platform. No, if you view email as a combination of communications, file transfer, file storage and business intelligence. I fall into the latter camp — here’s why:

  • Email storage is cheap: from a cost perspective, there’s no advantage of minimizing email storage in an era of 50-gigabyte or larger mailboxes.
  • Keeping old email is useful: you can search years’ worth of email quickly and easily to retrieve old communications with clients, colleagues, prospects and the like. You can see what files you sent others and when they were sent. You can easily resend information that was not received by a recipient. You can follow conversations in email to see how they develop. You can determine how quickly people respond to your emails. Yes, all of these things can be done with a good archiving system, but not all businesses have an archiving platform (even though they should), particularly small businesses.
  • It can make you more efficient: instead of spending time reviewing, filing, deleting or otherwise managing emails on a daily basis, you can simply ignore the less important ones until you have the time or inclination to deal with them. Moreover, you can deal with some types of emails in batch mode on a weekly or monthly basis instead of handling each email individually every day.
  • You have a defensible record of your conversations: in the event that someone disagrees with your record of what happened with a client or a vendor, for example, an email thread can easily support your position and quickly resolve any disagreements that might occur.
  • It saves you time: even if it takes only three seconds to deal with each email, someone receiving 150 emails each work day will save about 31 hours per year by not clearing his or her inbox each day.

Just my two cents for your consideration.

If Your Job Depended On It, How Would You Prevent a Data Breach?

Data breaches are an almost daily event and the problem is getting worse over time (although 2018 may end up being not quite as bad as 2017). If your job as an IT or security professional was dependent on preventing data breaches for your organization (and it very well could be), what steps would you take to prevent them? Here are a few ideas:

  • Understand where your data lives
    Our research has found that many decision makers really don’t know where all of their data is located. This is partly due to poor management of data, but also to the explosion of “Shadow IT” that enables employees to store data on personal devices, their own cloud accounts and in a variety of other places beyond the control of IT. To correct this problem, IT should conduct a thorough audit of every potential source of corporate data and bring it under the control of IT. That’s much easier said than done, but it’s essential if an organization is to regain control of its valuable data.
  • Analyze your data
    After the location of all corporate data is known and brought back under IT control, it should be analyzed as part of a good information governance protocol to determine what can safely be discarded, what data is subject to various compliance obligations, the duplicate data that is being stored, and so forth. This will reduce the volume of data that must be managed and identify what needs to be better protected, leaving less data available to breach.
  • Implement the appropriate access controls
    Implement robust identity access management to ensure that users have access to data only on a need-to-know basis. Implement risk-based authentication to ensure that more valuable assets require a greater degree of authentication than just username and password, but use multi-factor authentication at a minimum…everywhere. Implement user behavior analytics to ensure that anomalous behavior (e.g., unusually large file downloads or accessing sensitive data resources at odd times) is recognized and access to data is restricted, approved or blocked, as appropriate.
  • Train users
    It’s essential to educate users about how to protect corporate data. That means common sense things like not sending sensitive or confidential data without encryption, not using personal webmail or file-sharing services to send corporate data, not clicking on email links or attachments unless the identity of the sender is known and trusted, not visiting inappropriate web sites, not using personal webmail at work, being skeptical of requests delivered through email, not clicking on links in social media posts without first verifying their validity, not logging into unsecured Wi-Fi networks (e.g., at airports or coffee shops) without using a VPN or appropriate controls, not oversharing on social media, and maintaining robust security software on personal devices and networks if they are going to be used to access corporate networks or data resources.
  • Use air gaps wherever you can
    Not everything should be online. Old databases, older archived data and other data sources that are valuable, but rarely accessed, should be air-gapped to prevent breaches of this data.
  • Encrypt devices
    One of the most common sources of data leaks is the loss of laptops and mobile devices that contain unencrypted data. Every device must be encrypted to ensure that even if a device is lost, the data on it will remain inaccessible. Plus, the loss of encrypted data will, in most cases, not trigger requirements under data breach notification laws.
  • Encrypt data
    All data should be encrypted: at rest, in transit and in use.
  • Evaluate your providers
    The typical large enterprise employs more than 1,000 cloud providers in addition to many non-cloud providers. It’s your responsibility to ensure that each of these providers maintains appropriate security controls for your data under their control. Regulations like the General Data Protection Regulation codify these types of requirements, but it’s good to implement this best practice even in the absence of a specific external requirement to do so.
  • Establish multiple and disconnected communications channels
    One of the most financially damaging types of data breach is CEO Fraud or Business Email Compromise, in which a cybercriminal impersonates a CEO or other high ranking official to someone in the organization like a CFO or HR staffer. The recipient will often trust the message and execute the requested action, which might include initiating a wire transfer or sending W-2 data on employees. By establishing a communications backchannel, such as text messaging on mobile phones, the validity of the request can be confirmed.
  • Implement DLP
    To prevent malicious and inadvertent data breaches, implement a data loss prevention (DLP) capability that will inspect outbound emails, file transfers and other outbound content for sensitive data that is being sent without encryption, information being sent to competitors, emails sent to the wrong party, and so forth.

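A minimal illustration of the user behavior analytics called for under “Implement the appropriate access controls” above, added here as an example and not code from the post or from any product it mentions. It parses a few constructed access-log lines, builds each user’s own download-size baseline, and flags the two anomaly types the bullet names: a download far above that user’s baseline, and access to a sensitive resource outside business hours. The log format, the field names, the 07:00–19:59 business-hours window, the minimum baseline size and the 3-sigma threshold are all assumptions made for this example.

```python
"""Toy user-behaviour-analytics check over constructed access-log lines.

Assumed log format (one event per line, whitespace separated):
    <ISO timestamp> <user> <resource path> <bytes transferred> <sensitive|public>
Neither the format nor the thresholds come from any real product.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: alice's normal finance downloads, one access at
# 02:47, one enormous export; bob only touches public marketing files.
SAMPLE_LOG = """\
2019-02-11T09:12:03 alice /shares/finance/q4.xlsx 20480 sensitive
2019-02-11T10:05:41 alice /shares/finance/budget.xlsx 18300 sensitive
2019-02-12T11:30:15 alice /shares/finance/notes.docx 22100 sensitive
2019-02-13T14:02:59 alice /shares/finance/ap.csv 19900 sensitive
2019-02-14T02:47:10 alice /shares/finance/payroll.csv 21000 sensitive
2019-02-14T15:20:00 alice /shares/finance/export-all.zip 2147483648 sensitive
2019-02-11T09:00:00 bob /shares/marketing/logo.png 512000 public
2019-02-12T23:10:00 bob /shares/marketing/deck.pptx 480000 public
"""

BUSINESS_HOURS = range(7, 20)   # assumed policy: 07:00 to 19:59 local time
SIGMA_FACTOR = 3.0              # assumed: alert above mean + 3 std deviations
MIN_BASELINE_EVENTS = 3         # assumed: need this many prior events first


def parse_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, size, sensitivity = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "resource": resource,
            "bytes": int(size),
            "sensitive": sensitivity == "sensitive",
        })
    return events


def find_anomalies(events):
    """Return (user, rule, resource) tuples for each flagged event.

    Events are processed in time order so each user's baseline contains only
    what was seen before the event under test.
    """
    alerts = []
    history = defaultdict(list)  # per-user download sizes seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]

        # Rule 1: sensitive resource touched outside business hours.
        if ev["sensitive"] and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append((user, "odd-hour-sensitive-access", ev["resource"]))

        # Rule 2: download far above this user's own historical baseline.
        # The 10x-mean guard avoids alerts when the baseline has ~zero spread.
        past = history[user]
        if len(past) >= MIN_BASELINE_EVENTS:
            mu, sigma = mean(past), pstdev(past)
            if ev["bytes"] > mu + SIGMA_FACTOR * sigma and ev["bytes"] > 10 * mu:
                alerts.append((user, "oversized-download", ev["resource"]))
        past.append(ev["bytes"])
    return alerts


if __name__ == "__main__":
    for user, rule, resource in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: {user} -> {resource}")
```

Run as-is it reports two alerts for alice (the 02:47 payroll access and the 2 GB export) and none for bob, whose late-evening access is to a public file. A real deployment would feed the alerts into an access-restriction or approval workflow, as the bullet describes, rather than just printing them.
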
These are just a few ideas that will help to mitigate, if not prevent, data breaches. Of course, every organization should implement a robust information governance program, but these are some good steps that will help to move an organization in that direction.

Cybersecurity Predictions for 2019

Around this time of year, it seems as though everyone publishes their predictions about what they think will happen during the next 12 months. Being one in that “everyone”, I decided to follow suit:

Boards of directors will be a focus for security education
Boards of directors’ knowledge about business issues is generally quite good, but knowledge about security issues is typically not their strong suit. As a result, CISOs, security managers and others charged with providing security for their organizations often feel overstressed and under supported. However, we believe that 2019 will be a turning point during which boards will get serious about security. This enlightenment will be driven by high profile data breaches (the Marriott data breach of 500 million records figuring prominently in this awakening) and will take the form of making more CISOs board members, discussing security issues at most or all board meetings, and accelerating funding for security in most organizations.

Ransomware will make a comeback, but with low ransom demands
The ransomware problem was terrible in 2016, got worse in 2017, softened a bit in 2018, but will make a comeback in 2019. However, we believe that the focus of ransomware authors in 2019 will be low level ransom demands, perhaps on the order of $20 to $40. The goal of cybercriminals will be to make ransom demands low enough to make paying the ransom an easy decision akin to an impulse buy at a supermarket check stand. Moreover, these ransom demands will come with full instructions about how to pay the ransom using Bitcoin or other cryptocurrencies.

Cryptocurrency mining will become a much more serious threat
Osterman Research believes that the price of Bitcoin will recover significantly from the significant drop it has experienced during 2018. This will motivate more external cybercriminals to infiltrate corporate systems for the purpose of installing cryptocurrency mining malware on various corporate servers, and it will motivate some insiders to do likewise.

Home routers will become a greater focus of corporate security managers
The large number of employees who work some or all of the time from home, coupled with the fact that 83 percent of routers in the US have unpatched vulnerabilities, leads us to believe that a rapidly growing threat focus will be employees working from home. The relatively low use of VPNs, which ranges from 18 percent to 30 percent worldwide, will contribute significantly to this threat and will motivate corporate security managers to address the security of their employees’ home-based security infrastructure in a much more serious way.

Malware will be used to damage the reputations of celebrities and high level government officials
A tool commonly used to tarnish the reputations of celebrities, nominees to high level government positions and others is to reveal information they have posted to social media in the past, sometimes many years past. Osterman Research believes that in a few cases during 2019, some will go one step further and use malware to install compromising content on the computers, social media accounts or cloud accounts of celebrities and others. For example, while malware has been used in the past to install child abuse images on the computers of victims, such as in a 2009 case involving an employee of the Commonwealth of Massachusetts, we believe this approach will be used to discredit a few high-profile individuals in 2019.

The market for security awareness training will grow significantly
Employees are the last line of defense in any security infrastructure. Because technology-based solutions cannot block 100 percent of malicious content 100 percent of the time, employees need to be trained to deal with the phishing, spearphishing and other threats that will inevitably reach them. While the market for security awareness training has been growing at a healthy pace over the past several years, the fairly recent spate of acquisitions in this space by mainstream security solution providers will accelerate the trend at an even faster pace.

The market for web isolation technology will explode
A significant share of malware and other threats enters the corporate network through web browsing, webmail access and the like. To combat this, organizations of all sizes will increase their use of web isolation technology to prevent this avenue of attack from being effective. While these technologies have been available for several years, we believe that 2019 will be the breakout year for them.

A Proposal for Archiving in Government

There are two fundamental problems with electronic content archiving in the US Government:

  1. Government employees, particularly senior staff members, are largely in charge of what gets archived and what doesn’t, and what archived content is retained or deleted.
  2. Many government employees use their personal accounts (or, in some cases, their own servers) to conduct government business.

Here’s a simple proposal to address these problems:

  • Every bit of information in emails, text messages, social media posts, files and all other content sources generated by government-owned devices, servers, cloud services and other platforms should be archived by an independent government entity, such as the National Archives and Record Administration (NARA) or the US Government Accountability Office (GAO). This means that every government server automatically archives everything, without exception, and without advice from the employees whose content is archived.
  • Every government employee should be required to agree to one of the following: a) all of their personal emails, text messages, social media posts, files and all other content they generate on personal devices (or personal servers) will be securely archived by an independent government entity; or b) if they opt not to submit to having personal content archived and are later found to have been using a personal device or personally managed platform to transact government business, they will pay a fine equal to the past five years of their gross income and will relinquish any government pension for which they might have been eligible.
  • The independent entity that archives content will determine, at its sole discretion, what can safely be deleted from the archive. Things like spam, phishing emails, content that has no value as a record, and so forth, can be deleted based on policy established by NARA, the GAO or some other independent entity. However, the government employees whose information is archived cannot provide input or be consulted about the content that is retained or deleted. They should be able to access these records, but not provide input about what is retained or not.
  • All content that is retained must be kept for a minimum of 30 years unless NARA or a court determines that a longer retention period is warranted.