Research

Warning- today’s introduction includes my political views. History Whatever your political persuasion, there’s no denying the magnitude of this week. While we are far from eliminating racism and bias in this country, or the world at large, we passed an incredibly significant milestone in civil rights. My (pregnant) wife and I were sitting on the couch, watching a replay of President Obama’s speech, when she turned to me and said, “you know, our child will never know a world where we didn’t have a black president”. Change One thing I think we here in the US forget is just how much we change with the transition to each new administration, especially when control changes hands between parties. We see it as the usual continuity of progress, but it’s very different to the outside world. In my travels to other countries I’m amazed at their amazement at just how quickly we, as a nation, flip and flop. In the matter of a day our approach to foreign policy completely changes- never mind domestic affairs. We have an ability to completely remake ourselves to the world. It’s a hell of a strategic advantage, when you really think about it. In a matter of 3 days we’re seeing some of the most material change since the days of Nixon. Our government is reopening, restoring ethical boundaries, and reintroducing itself to the world. Faith When Bush was elected in 2000 I was fairly depressed. He seemed so lacking in capacity I couldn’t understand his victory. Then, after 9/11, I felt like I was living in a different country. An angry country, that no longer respected diversity of belief or tolerance. A country where abuse of power and disdain for facts and transparency became the rule of our executive branch, if not (immediately) the rule of law. I was in Moscow during the election and was elated when Obama won, despite the almost surreal experience of being in a rival nation. When I watched the inauguration I felt, for the first time in many years, that I again lived in the country I thought I grew up in- my faith restored. Talking with my friends of all political persuasions, it’s clear that this is also a transition of values. Transparency is back; something sorely lacking from both the public and private sector for far longer than Bush was in office. Accountability and sacrifice are creeping their heads over the wall. And lurking along the edges of the dark clouds above us is self sacrifice and unity of purpose. I’m excited. I’m excited more about what this mean to our daily and professional lives than just our governance. Will my hopes be dashed by reality? Probably, but I’d rather plunge in head first than cower at home, shopping off Amazon. Oh- and there was like this really huge security breach this week, some worm is running rampant and taking over all our computers, and some idiots keep downloading pirated software with a Mac trojan. Here is the week’s security summary: Webcasts, Podcasts, Outside Writing, and Conferences: Martin and I talk a bit about all sorts of things- including Obama’s tech agenda, on The Network Security Podcast. I seem to run off on 3 separate rants. I wrote up the Heartland data breach for Dark Reading. I did a few interviews on the breach, including the MIT Technology Review, SearchSecurity, and SC Magazine. Favorite Securosis Posts: Rich: My Heartland post, because it got Slashdotted. Adrian: Perhaps it is the contrarian in me, but my favorite post is The Business Justification for Data Security. There is a lot of information here. Favorite Outside Posts: Adrian: Hoff’s ruminating on Cloud security of Core services. The series of posts has been interesting. I follow many of these blog posts made on dozens of different web sites, but only for the occasionally humorous debate. Not because I care about the nuts and bolts of how Cloud computing will work, how we define it, or where it is going. The CIO in me loves the thought of minimal risk for trying & adopting software and services. I am interested in the flexibility of adoption. I do not need to perform rigorous evaluations of hardware, software, and environmental considerations- just determine how it meets my business needs, how easy is it to use, and does the pricing model work for me. After a while if I don’t like it, I switch. Stickiness is no longer an investment issue, but a contract issue. And I am only afraid of these services not being in my core if I run out of choices in the vendor community. I know there are a lot more things I do need to consider, and I cannot assume 100% divestiture of responsibilities for compliance and whatnot, but wow, the perception of risk reduction in platform selection drops so much that I am likely to jump forward without a full understanding of other risks I may inherit because of these percieved benefits. Not that it’s ideal, but it is likely. Rich: Sharon on Wwll the Real PII Stand Up? He raises a great issue that there are a bunch of definitions of PII in different contexts, and an increasingly complex regulatory environment with multiple standards. Top News and Posts: Barack Obama’s inauguration stopped all activity at Securosis as Adrian came over to watch for a couple hours. His speech is worth a reread even if you watched it live. A lot of trusted websites are serving malware. The NSA spied on everyone. Except you, of course- you’re too boring. Conficker worm bad. I thought you Windows users figured out that patching thing? Actually, I highly suspect the infection numbers are inflated. Blog Comment of the Week: We didn’t post much, but the comments were great this week. Merchantgrl on the Heartland Breach post: They were breached a while ago and they just happened to pick that day to finally announce it? Several people have brought up the Trustwave audit of

You’ve probably noticed that we’ve been a little quieter than usual here on the blog. After blasting out our series on Building a Web Application Security Program, we haven’t been putting up much original content. That’s because we’ve been working on one of our tougher projects over the past 2 weeks. Adrian and I have both been involved with data security (information-centric) security since long before we met. I was the first analyst to cover it over at Gartner, and Adrian spent many years as VP of Development and CTO in data security startups. A while back we started talking about models for justifying data security investments. Many of our clients struggle with the business case for data security, even though they know the intrinsic value. All too often they are asked to use ROI or other inappropriate models. A few months ago one of our vendor clients asked if we were planning on any research in this area. We initially thought they wanted yet-another ROI model, but once we explained our positions they asked to sign up and license the content. Thus, in the very near future, we will be releasing a report (also distributed by SANS) on The Business Justification for Data Security. (For the record, I like the term information-centric better, but we have to acknowledge the reality that “data security” is more commonly used). Normally we prefer to develop our content live on the blog, as with the application security series, but this was complex enough that we felt we needed to form a first draft of the complete model, then release it for public review. Starting today, we’re going to release the core content of the report for public review as a series of posts. Rather than making you read the exhaustive report, we’re reformatting and condensing the content (the report itself will be available for free, as always, in the near future). Even after we release the PDF we’re open to input and intend to continuously revise the content over time. The Business Justification Model Today I’m just going to outline the core concepts and structure of the model. Our principle position is that you can’t fully quantify the value of information; it changes too often, and doesn’t always correlate to a measurable monetary amount. Sure, it’s theoretically possible, but practically speaking we assume the first person to fully and accurately quantify the value of information will win the nobel prize. Our model is built on the foundation that you quantify what you can, qualify the rest, and use a structured approach to combine those results into an overall business justification. We purposely designed this as a business justification model, not a risk/loss model. Yes, we talk about risk, valuation, and loss, but only in the context of justifying security investments. That’s very different from a full risk assessment/management model. Our model follows four steps: Data Valuation: In this step you quantify and qualify the value of the data, accounting for changing business context (when you can). It’s also where you rank the importance of data, so you know if you are investing in protecting the right things in the right order. Risk Estimation: We provide a model to combine qualitative and quantitative risk estimates. Again, since this is a business justification model, we show you how to do this in a pragmatic way designed to meet this goal, rather than bogging you down in near-impossible endless assessment cycles. We provide a starting list of data-security specific risk categories to focus on. Potential Loss Assessment: While it may seem counter-intuitive, we break potential losses from our risk estimate since a single kind of loss may map to multiple risk categories. Again, you’ll see we combine the quantitative and qualitative. As with the risk categories, we also provide you with a starting list. Positive Benefits Evaluation: Many data security investments also contain positive benefits beyond just reducing risk/losses. Reduced TCO and lower audit costs are just two examples. After walking through these steps we show how to match the potential security investment to these assessments and evaluate the potential benefits, which is the core of the business justification. A summarized result might look like: – Investing in DLP content discovery (data at rest scanning) will reduce our PCI related audit costs by 15% by providing detailed, current reports of the location of all PCI data. This translates to $xx per annual audit. – Last year we lost 43 laptops, 27 of which contained sensitive information. Laptop full drive encryption for all mobile workers effectively eliminates this risk. Since Y tool also integrates with our systems management console and tells us exactly which systems are encrypted, this reduces our risk of an unencrypted laptop slipping through the gaps by 90%. – Our SOX auditor requires us to implement full monitoring of database administrators of financial applications within 2 fiscal quarters. We estimate this will cost us $X using native auditing, but the administrators will be able to modify the logs, and we will need Y man-hours per audit cycle to analyze logs and create the reports. Database Activity Monitoring costs %Y, which is more than native auditing, but by correlating the logs and providing the compliance reports it reduces the risk of a DBA modifying a log by Z%, and reduces our audit costs by 10%, which translates to a net potential gain of $ZZ. – Installation of DLP reduces the chance of protected data being placed on a USB drive by 60%, the chances of it being emailed outside the organization by 80%, and the chance an employee will upload it to their personal webmail account by 70%. We’ll be detailing more of the sections in the coming days, and releasing the full report early next month. But please let us know what you think of the overall structure. Also, if you want to take a look at a draft (and we know you) drop us a line… We’re really excited to get this out

Brian Krebs of the Washington Post dropped me a line this morning on a new article he posted. Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 Million credit cards may have been disclosed in what is likely the largest data breach in history. From Brian’s article: Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients. … “The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.” I want you to roll that number around on your tongue a little bit. 100 Million transactions per month. I suppose I’d try to hide behind one of the most historic events in the last 50 years if I were in their shoes. “Due to legal reviews, discussions with some of the players involved, we couldn’t get it together and signed off on until today,” Baldwin said. “We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility.” In a short IM conversation Brian mentioned he called the Secret Service today for a comment, and was informed they were a little busy. We’ll talk more once we know more details, but this is becoming a more common vector for attack, and by our estimates is the most common vector of massive breaches. TJX, Hannaford, and Cardsystems, three of the largest previous breaches, all involved installing malicious software on internal networks to sniff cardholder data and export it. This was also another case that was discovered by initially detecting fraud in the system that was traced back to the origin, rather than through their own internal security controls. Share:

It has been a very trying week, between all our current projects- both Rich and I have had untimely home repair work, Rich is recovering from the flu, and we are both scrambling to get work done before deadlines. We have been focused on a series for security spending justification, which we will be mostly posting in blog entries. This is one of the tougher projects I have ever worked on, especially when your goal is to provide pragmatic advice that does not require dusting off calculus. While I was never particularly comfortable with many of the economic models that have been bastardized adapted for security spending justification, I had never spent this much time examining them closely. Having now done so, wow, what a crock of s^&! ROI, NPV, IRR, ALE, ROSI: these things are worthless in terms of security justification. They just completely miss the concept of the value of information, and the careful balancing act between risk and security. Many concepts treated as orthogonal are not, and some of the loss calculations are non-linear. Typically half the relevant data cannot be quantified, and some is simply unavailable. I am happy to say that both Rich and I have had a few ‘ah ha!’ moments, and a few areas where we have disposed of some BS, and I look forward to posting and getting some comments on the subject. Most of the other stuff going on here at the Lane household is related to ergonomics and comfort. Since I returned from San Jose, it has felt like one long moving project. With more fu iture than could fit into two houses, let alone one, there was a lot of packing and organizing. Yes, it has been 6 months since I got back to Phoenix full time, and the move project is just now winding down. We packed the closets and third garage space with stuff, and gave away a lot as well. Slowly and surely we have rearranged the fu iture to make things comfortable. New desk, new computers, new chairs. And four years of back-logged home repair projects: “fix this, paint that, move everything around. No, move it back”. I can now say I feel like I am done, and I am finally concentrating on having a little fun. That is what got me started on the Music rant (see link below) about FM radio. I was trying to get music into the kitchen, the office and the car, which is when I was confronted with the hideous reality that is FM radio. So it is time to get a music server in the house, and transfer 500 or so CDs into Apple Lossless format. And then start the search for new music to fill it up, and find some online stations worth listening to. There was a LOT of interesting stuff in the news this week and we compiled a lot of links. Here is the week’s security summary: Webcasts, Podcasts, Outside Writing, and Conferences: In the Network Security Podcast this week, Martin & Rich discuss phishing, compliance costs, programming errors, and “How to suck at security”. Adrian quoted in eWeek article on DAM and SIEM integration. Rich’s TidBITS article on protecting yourself in Safari Favorite Securosis Posts: Rich: There are no Trusted Sites: Paris Hilton Edition. Adrian: So it has nothing to do with security, but this is still my favorite post this week. Time to shop for a music server. Favorite Outside Posts: Adrian: Martin’s PCI related blog list. Rich: This is a VERY impressive workflow for managing potentially controversial blog posts, and understanding the different categories of bloggers. I’m shocked this came out of the Air Force, not because they aren’t capable, but because it looks more attuned to the business world than the military. If you are a blogger, or work with bloggers, or read blogs, take the 2 minutes to read this. If you don’t fit any of those categories, what the hell are you doing on our blog? Get off our lawn! Top News and Posts: Very sneaky approach to capturing ATM pin numbers. Trolls suck; just because you wrote down an idea, filed some paperwork, then completely failed to actually do anything with it doesn’t mean you get to sue the world. Oh wait, I guess it does. Microsoft patches Windows. TJX Hackers gets 30 years in prison. How many of you, in your best ‘Spicoli’ voice, said “Awesome! Totally awesome!”. Just me? No, wait, Rothman did as well. Oracle Critical Patch Update for January 2009. Our comments here. You would never know it from looking at the Sana site, but AVG has acquired Sana Security. This is crazy: Countrywide execs mock their own ads. In court, no less. BitArmor’s latest PR bit. I admire their moxy, but they’re taking a serious gamble, both in PR and liability. Maltego 2 tutorial: Maltego is an information collection tool that absolutely rocks. If you ever want to track down the connections between people, systems, documents, and whatever: Maltego is your friend. PCI hits POS– It’s about freakin’ time. Gunnar’s 2009 to do list. Steve Jobs taking a leave of absence from Apple. This does not look good. Blog Comment of the Week: We did not get any security related comments this week, but we did get several good observations on music. Rob’s comment on Phil Collins is the Mel Torme of my generation: Radio? Are there still radio stations? I’m never out of internet range when I’m working, and if I’m not listening to my music I’m on Pandora (free subscription with my Squeezebox) or Radio Paradise. No commercials. Pandora does a good job of giving me the music I pick, and Radio Paradise has lots of good, new music. FM radio is so last century. 🙂 Now, time for a beer and a a few hours of frantic editing. Share:

It’s just Martin and myself on the podcast this week. Originally Martin sent out a bunch of stories and we figured, knowing our verbosity, that we would only get through about 3. But totally against our normal natures we managed to roll through them with nary a non-sequitur. I suppose people really can change. We think we’ve finally figured out our end of year audio problems, but please let me know if anything sounds off to you. Network Security Podcast, Episode 134, January 13, 2009 Time: 32:27 Show Notes: CWE/SANS Top 25 most dangerous programming errors SANS: How to Suck at Information Security The Air Force’s rules of engagement for blogging – This is one that’s worth sending to your marketing/PR departments Phishing scams for money? Don’t bet on it. The High Stakes of Compliance Watchdogs bite IRS for continued security lapses Tonight’s music: Details of the war by clap your hands say yeah Share:

Just finished a review of the Oracle January 2009 Critical Patch Update/advisory (CPU). There are two issues that you need to pay attention to with this release: If you are using Oracle Secure Backup or Weblogix Server plugins, you will want to download and patch ASAP. Here is why: In the former case, it appears that the Fortinet team discovered a few bugs within the Oracle Backup Server that can be exploited by buffer overflow, resulting in a server crash or worse. I have not seen any specific exploits for this, but I have heard that this could result in the hacker being able to execute arbitrary code on the backup server for the Windows platform. That is bad news as not only can you tapes be overwritten, but he backup server could be used to launch attacks against other services. I am making the assumption that you are blocking port 10,000, but regardless, patch ASAP. The second issue has to to with the Weblogic plug-in for Apache/IIS. I have asked a couple people if they understand the scope of the exploit, but none of my contacts know the specifics. If you know, please send me an email. As a matter of course I am really wary of threats to the web application stack as an attacker has many different methods to exercise vulnerabilities, and will, as soon as they learn about the vulnerability. If you are using the plug-in, patch ASAP. The core database server does not seem to suffer any significant vulnerabilities. One of the bugs that is patched allows a user to execute certain functions and circumvent the auditing functions, so if you are using Oracle’s native audit for regulatory efforts, or to seed a Database Activity Monitoring solution, consider the patch a little higher priority. Otherwise I recommend that you patch according to your established deployment cycles. Share:

While not on the scale of Amex or BusinessWeek, I just find this one amusing. Paris Hilton’s official website was hacked and is serving up a trojan (the malware kind, not what you’d expect from her*). From Network World: The hack was discovered by security vendor ScanSafe, which said that Parishilton.com (note: this site is not safe to visit as of press time) had apparently been compromised since Friday. Visitors to the site are presented with a pop-up window urging them to download software in order to enhance their viewing of the site. Whether they click “yes” or “no” on this window, the site then tries to download a malicious program, known as Trojan-Spy.Zbot.YETH, from another Web site. The best part? Only 12 of 37 tested AV vendors catch the trojan. All of you that give me crap for hammering on AV can go away now. sorry, couldn’t help myself there. Share:

This post is deeply off topic, has nothing to do with security, and everything to do with my personal realizations about music. My calendar says that it is 2009. My radio says it is 1978. The radio must be right because I just listened to ‘Warewolves of London’ each and every day for the last three days. It’s just weird, because I like music, but I am also getting tired of itl. I like to have the radio in the background pretty much all the time. I am what is called a ‘Stereophile’ as well. I love music and I love the intricacies of the technology used to reproduce music, so playing with stereo equipment is nirvana for me. When not writing white papers and blogging, I am reading about and listening to my stereo systems. 3 systems in all, plus a radio in the kitchen, car and garage. My musical tastes vary, but tend to listen to rock during the day, jazz/ragtime/blues at night. The latter has been great as I am not saturated with it, and I am constantly finding new stuff that I like (while I am on the subject, James Brown was a bad-ass!). But it’s the rock and roll on the Radio that’s got me really vexed. Why? On the Radio it is 1987. I know this because I have heard ‘Welcome to the Jungle’ each and every day for the last 8 days. Did our brains somehow imprint an image of what music was supposed to be when we were young, and now we cannot move away from that? It never thought as a child that when I became an adult I would be listening to the same music I was listening to at 4, 8, 12, 15, every day, day after day for eternity. Bad when you grow tired of songs you like, awful when you still hear the songs you grew weary of in high school. I always assumed that there would continually be new music that I liked, from the bands that I liked, and the radio stations would progress as the musicians did. Not so! AC/DC and Aerosmith may have the odd hit, most new music flops horribly. Chinese Democracy can’t get half the air time of Appetite for Destruction. Sure, that’s a blessing, but one is new and the other is a tired 22 years old. A couple new bands offer the interesting song or two, but the rock & roll stations continue to play the same music, over and over and over. It appears that every major rock band in the world wrote three songs and the reminder of their recordings were burned so that we could focus all our time and energy on a handful of ‘important’ (re: safe) songs. Oh, listen, it’s Aqualung. Just like yesterday. This is what prompted me to try and diversify from Rock a bit, but with very little success. Old school Hip Hop gets my occasional attention when I run across something like ‘You Be Illin’, but I have never been able to really enjoy Rap. Tried real hard with classical; even accepted the 1200 classical albums to see if my musical tastes somehow ‘matured’ enough to listen to these composers. Boredom forced me to give the collection away to someone who would appreciate it. Country and Western makes me feel like life is not worth living and I want to slash my wrists. There are plenty of popular mexican music stations that are somewhat entertaining, but after a while, especially when you do not understand the words, the same ‘da da da dat dat dah’ accordion bridge grows very fatiguing. So I tune back to one of the 6 rock stations I get here in Phoenix, where it’s 1985, and I am listening to this fresh cut of Sussudio. In my teens I would never have dreamt that Phil Collins would be on the radio, every day, as if he was a first run artist that everyone listed to – with a new top 10 hit every week. But just listen a few minutes and there he is, as if we just loved his stuff. He gets more air time than Kanye West. A competent singer, songwriter & drummer, I really have no problem with Phil Collins. OK to listen to, say, once a month. 4 times a day on the radio makes me want to hurl. And now I know why Phil Collins is the Mel Torme of my generaiton. Good enough to make the favored radio station play list, but if you were a non-fan of the art, you would think this guy is a Louis Armstrong or Mozart-esque musical genius. What can you do? Keep singing along I guess … “Aaahoo, Werewolves of London”. At least I LIKE that song. Share:

Here it is, our first Friday Summary of 2009. While it’s Adrian’s week to put the summary together, we thought it would be better if I handled the intro since I was at Macworld looking at cool stuff all week while he was manning the fort and cleaning my gutters (if he ever reads his employment contract, I’m totally screwed). Last year was my first Macworld, and I feel lucky I got to see the Great Jobsness give a keynote before he decided to take a break. Phil Shiller did a great job, there just wasn’t that much to announce; even without Jobs, these are still the best product announcement sessions I’ve ever seen. As for the products, I think Apple is hitting a home run with the iLife changes- the power in iPhoto and iMovie is just sturn ing. But if you want to read about this stuff, head over to our TidBITS coverage. On the security front I saw two really interesting things I’d like to award with the Securosis Best of Macworld Expo. First up is Agile Software for 1Password. They win for 2 reasons- first is that they decided to cancel My1password.com. The idea was to build a web application for password management you could access from anywhere. If you read this site, you know the difficulties in such as risky move. Instead they are leveraging DropBox and letting you move passwords via USB storage. Yes, there are still risks, but it’s a granular system and sometimes we really do need to move passwords around with us. The second reason is the upcoming 3.0 version of the product. It’s polished, secure, useful, and one of those tools I use daily. Our second winner is Checkpoint for a pre-alpha version of the iPhone VPN client. They added an option so that when you go to connect it sends a text message to your phone with a one time password. Sure, this has been done before, but on the iPhone the VPN client automatically picks the password out of the text message and logs you in… no manual cutting and pasting or anything. Which is good, because you sort of can’t cut and paste on the iPhone. I saw a lot of other really great stuff, and quite enjoyed the usual evening activities. Macworld is a lot less crazy than our security conferences, so Amrit Williams and Adam O’Do ell came out to spice things up, and Amrit ran into Raffi while parking his car. Who says Mac users hate security! (Then again, I was buying, which might explain a few things). On that note, it’s time to catch up on massive amounts of email and turn the Summary back over to Adrian for all the security news I missed… Here is the week’s security summary: Webcasts, Podcasts, Outside Writing, and Conferences: The Network Security Podcast this week was a little shorter with Rich being at Moscone Center and Martin needing to spend time with the family, but they covered some good stuff with a discussion on 0Auth, weak passwords, the Phishing attack on Twitter users and facial recognition in iPhoto. Rich has a nice writeup of the new MacBook Pro on Tidbits. Favorite Securosis Posts: Rich: Part 8 of Building a Web Application Security Program is a great ending to the series. Adrian: Contingency Plans: The tech collapse took its toll on me, but I learned a lot, and hopefully there might be some advice you find helpful during this go-round. Favorite Outside Posts: Adrian: Robert Graham’s post on Verisign’s Response to the MD5 cert problem is a good analysis of the situation and how Verisign responded. It’s a bad sign when a company fails to defend its core business and then reacts in this manner when issues are pointed out. Rich: Crazy Apple Rumors site: “The best Keynote Liveblog ever!” Top News and Posts: Twitter Phish reported this week. Social engineering gets better and it becomes increasingly difficult to tell a real from fake without close inspection. MacWorld with week, with a nice, shiny new MacBook Pro announced. Life parodies itself, with CheckFree having a breach of 5M records. Unemployment is officially listed at 7.2% nationally. Here in AZ, our state is telling us it is still around 6.8%, but I am willing to bet that it is closer to double that number. TJX Hacker gets 30 years. More and more fake shopping sites popping up. Blog Comment of the Week: windexh8er on Part 7, Secure Operations: Great series guys! I was just playing around with NSMnow! — so the content in the monitoring portion was fresh in my mind. Maybe look to include a tools list in your next post where you talk about balancing the program. http://www.securixlive.com/nsmnow/index.php   Which is one of our recommendations in part 8 … we’ll also do a ‘recommended free tools’ post in the coming weeks. Share:

‘I was a bit shocked to read about Adolf Merckle’s suicide yesterday. You just don’t see this sort of thing coming and I cannot even fathom the reasoning behind it. This has sent tremors through the market and certainly his holding company into dis-array for a while. It also reminded me of other similar events surrounding the last economic downturn , and that was kind of the ‘final straw’ that prompted this post. With many of the same signs and issues occurring as they did in the tech collapse of 2000-2002, few are eager to look at the downside, but it is time to spend a few minutes and verify contingency plans within your organization. It is a New Year, and what’s more a bright sunny day in Phoenix, so while it feels a bit incongruous to be talking about disaster recovery and such, it is a good time for you to give it a little thought. I am not really going into the issues of natural disaster, rather economic disaster. Nor am I focused on executives who need to consider change in management, but for the general well being of the people who work in your company whose livelihood and personal information may be dependent upon some degree of continuity. Files: Budget in advance for the storage of sensitive information. I am not just talking about electronic data, but all of the legal, contract, HR and other files that contain sensitive information. Pre-pay for files to be housed off site and stored safely. This is typically not that expensive, and in the event that the company changes hands or goes out of business, could become essential- but when the need is clear, it might already be too late. What you don’t want is contracts, accounting information, and employee files getting chucked in a dumpster. It happens, and it happened a lot in 2001, only this time there are regulatory fines if you get caught. If you are not doing this today, look into it. Many of the services provide destruction services at the end of term so the data is safely disposed of. Executive transition: Executives leave, and sometimes in unexpected ways. I am not trying to make fun here but point out that in stressful times, people look to change their situation. In tough economic climates, executives leave for what is perceived to be a safer place to work. As a board, HR department or executive team, think about the risks and have a basic plan of action in the event that any of the key staff leaves the company. Executive departure can stall incoming revenue, business partnerships, financing and even sale. There may not be a lot you can do, but better to be prepared. On-site and off-site backups: You are probably already doing this, so I will focus on an equally important issue: Verify your backups. In the tech collapse of 2001-2002, many firms went out of business without access to the data that formed the core business value. Backups could not be found or were unreadable. In many cases, their servers were ‘in hock’, locked up at the Colo facility with unpaid fees. This stalled the sale of assets and cost jobs that would have otherwise been offered had the data been available. So verify that the backups are complete and readable. If the backup are encrypted, make sure the key and de-cryption infrastructures is also available. Employees on Visas: I have seen some very uncomfortable moments for those employees on a Visa that are in a much more vulnerable situation. If this applies to you, go through a couple ‘what-if’ scenarios and have a plan to deal with the company shutting down, downsizing or being acquired. Press your HR team for assistance in this area. General Security: As a company begins to reduce staff, items walk out the door, from office supplies to computers. You really don’t want a laptop with customer data being sold on eBay, so you will want to tighten up on security. Physical security- make sure major assets are accounted for. Have your IT staff take inventory. Electronic security- Make sure you procedures are in place for shutting down accounts and snap-shotting the end point so there is no loss of data or correspondence. You may want to consider adding email filters to forward business related email, or re-routing telephone numbers. Startups: If you work for a startup, you want to take this advice a little more to heart. Startups by their very nature tend have less cash reserves, their margin for error is smaller, and their tolerance for both is higher. That means when things go bad, they do so very quickly. Most entrepreneurial CEO’s always figure the next deal is around the corner and are out of business the next day when it does not come. This leaves for some ugly exits where the employees do not get paid, benefits not covered and investors are wondering where all of the remaining assets are. If your revenues are not on the rise, then look for ways to cut costs at a company and individual level. Look to eliminate things you deem wasteful. Demand that management be forthright with you on what they are doing to cut costs and what a realistic run rate is. Set expectations with supervisors that you will be more tightly focus on priorities, but doing less with less. Without these steps, life devolves into a Dilbert cartoon. Personal Development: On a positive note, downturn s offer opportunity, and are a great time to expand your horizons. As companies try to perform the same functions with fewer resources, it is an opportunity to offer your assistance in areas you are interested in and broaden your skill set and increase your value. Education and training is also a great for this, providing a distraction form the daily grind and a good motivator as well. Try to contain your exposure to bad economic news if possible; I used