Choosing Office 365 to Reduce the Stress of Starting a New Practice


This article excerpt, by Dr. Vikram Gandhi, originally appeared here: http://bit.ly/11yXkhp
When I finished my three-year residency in Periodontics at Texas A&M Baylor College of Dentistry, I didn’t think I would purchase a dental practice and remodel a new office that same year. But that’s what happened. When I bought Firewheel Dental Implants and Periodontics in August 2013, it was in an older building and staff used snail mail to communicate with referring dental practices.
I wanted to modernize the practice and work in a paperless office, so when the opportunity came along, I took it. Making decisions about permits and dental equipment took a lot of my time, so I wasn’t thinking much about business technology. I used Gmail and that was about it. I was living at my brother’s house, and one day he heard me complaining about how difficult it was to find a contractor’s email. Then, when I told him how expensive it was to hire someone to build a website, he told me about Office 365.
I’m not really a technology person. I like working with my hands and meeting people. That’s why I chose dentistry. So for me, Office 365 is perfect. I have everything I need at my fingertips: email and the Office applications for collaboration as well as web design and development tools. Everything is easy to use and familiar, and it’s cloud-based so I don’t have to worry about servers in the office. I have a professional-looking email address that includes our company name. And compared to Gmail, it’s so much easier to organize my business correspondence using folders that I assign to different topics and vendors. I’m saving a lot of time not searching through my emails. Office 365 is HIPAA-compliant and has email encryption capabilities, so I can send emails that contain patient data to referring dentists without worrying about breaching confidentiality regulations.
But the biggest surprise for me was how easy it was to build my own website using SharePoint Online. I saved approximately $5,000 USD in web development fees. In basically one weekend, I built a website (www.dentalimplantsandperio.com) that matched my expectations. There’s lots of educational content, with videos that walk patients through the procedures and pre- and post-op instructions. I don’t want people to leave my website to learn what a periodontist does or what a gum graft looks like because if they go back to search the Internet, my competition could pop up. Now I’m busier with my practice, but it doesn’t take long to add a new page or a new tab. Right now, I’m looking into creating a page where patients can provide reviews of their experience at Firewheel.
I have five computers and laptops with the latest version of Office applications on all of them, thanks to Office 365 ProPlus. This comes in handy when I teach at the dental school every Wednesday afternoon. I can store all my PowerPoint presentations and lecture notes online in OneDrive for Business, and if I tweak my notes or make a change to the presentation during class, they are saved the next time I upload the files. Now I never have to figure out which device has the latest version of a document.
This is especially true with OneNote. No matter what device I pick up, it has all my notebooks up to date. One of the ways I use OneNote is for employee reviews. We go over the review together, they sign it at the end, and I email them the OneNote page. It’s as easy as that. There are so many ways that Office 365 has simplified the first year of my practice, but the most important thing is that I’ve been able to devote more time to building the business instead of worrying about technology. I can’t see running my practice without it.

Behind the Scenes on Goodyear’s Drive to the Cloud (Part 2)



This article excerpt, by Jim McKinnon, originally appeared here: http://bit.ly/1D9RbbN
Jim McKinnon joined Goodyear as an IT intern for the company’s England subsidiary and spent the next four decades working his way up to vice president and CIO. McKinnon, who retires this month, isn’t ending his 40-year career on cruise control—instead he’s been in a pedal-to-the-metal drive to change IT at Goodyear.
The transition to Office 365 coincided with our move to a new world headquarters and an increasingly more collaborative company culture. We wanted IT to help enable that culture change. But updating the toolset doesn’t drive behavior modification. If you want projects to succeed, change management is very important.
At Goodyear, we have a mature, externally recognized project management process that delivers results. That process includes change management.
Our Office 365 change process began with executive sponsorship: essential support from the top to ensure proper governance. We established a steering committee of leaders from all business units, representing the key functions of human resources, communications, legal, project management, research and development, and engineering. We laid out the road map for detailed implementation. Very early, we had nearly 2,000 people involved—early adopters and change agents.
We also created a support network of approximately 100 IT professionals who provided online support 24 hours a day, seven days a week. From anywhere in the world, our employees could ask a question via live chat and someone would pop up and answer it.
There were a few bumps, but Microsoft was a good partner and helped us along the way.
So far, the new tools are already making a big difference. Some of them are simple changes: working in the same document instead of passing files around, accessing documents from the web, a significant increase in instant messaging instead of emailing, more sophisticated calendaring and booking of conference rooms. We are using Lync Online for video chat, and soon we will ramp up with Skype for Business. We are also developing plans for how to leverage Yammer more to support our collaboration agenda.
Change is not just about data, processes, and systems—it’s also about people. I take great pleasure in developing teams and individuals, and since I joined Goodyear, we’ve started an IT development program to focus on emerging talent, leadership, and employees with a high level of potential. I wanted to build a great global team top to bottom: a group that works as a team, partners well with the business, and has the respect of the business. I think we’ve done that.
We’ve supported a number of business objectives during my time here, but employees are saying the move to Office 365 is one of the most visible changes for IT and the business. It’s truly a global project—it touched all our office workers, and it’s foundational for the future. 

Behind the Scenes on Goodyear’s Drive to the Cloud (Part 1)


This article excerpt, by Jim McKinnon, originally appeared here: http://bit.ly/1D9RbbN
Jim McKinnon joined Goodyear as an IT intern for the company’s England subsidiary and spent the next four decades working his way up to vice president and CIO. McKinnon, who retires this month, isn’t ending his 40-year career on cruise control—instead he’s been in a pedal-to-the-metal drive to change IT at Goodyear.
I grew up a working-class boy.
My father was a tire builder at Goodyear. There was no work after the war in Dundee, Scotland, so he went south to England. He married a local girl, raised a family, and instilled strong values and principles in his children. I started as an intern at Goodyear in the IT department, as an analyst/programmer. It was a great job. It’s still a great job. I’m really proud that I’ve gone from IT intern to chief information officer of the company.
I like driving change. That’s where my passion is.
I’ve been driving change my whole career—especially the last five years. Within our global IT organization, we’ve improved communications and project management and deployed new tools to support the business. Technology is fast, and you need to stay current.
When I started as CIO five years ago, we needed more tools for mobility, productivity, and collaboration. Our legacy tools—Lotus Notes, WebEx, and Microsoft Office 2003 and 2007—no longer met our needs. We were frustrated with the old capital model where you purchase a toolset, then upgrade and make another big purchase two or three years later. Office 365 gave us the ability to track our licenses along the way—it’s more transparent and much easier to control.
We have approximately 67,000 employees globally, and we manufacture in 50 facilities spanning 22 countries. Across this geography, we have about 30,000 Office 365 users, and more than 13,000 are using Office 365 ProPlus. It’s a very diverse workforce representing many languages and cultures. Our Office 365 users are located at manufacturing facilities, offices, warehouses, and retail stores; they may be mobile or working from home.
Integration, communication and collaboration were some of the big reasons we made the move to Office 365. Microsoft cybersecurity capabilities gave our team peace of mind about the decision to shift to the cloud.
Watch for Part 2 next week

GE Chooses Microsoft Office 365 for Employee Collaboration and Productivity

Microsoft Corp. and General Electric (NYSE: GE) have signed an agreement to deliver Microsoft’s cloud productivity suite, Office 365, to GE’s more than 300,000 employees across 170 countries worldwide.

“As we deepen our investments in employee productivity, Microsoft’s innovative approach to collaboration made Office 365 our first choice for providing scalable productivity tools to our employees worldwide,” said Jamie Miller, senior vice president and CIO of GE.

GE’s IT organization, which is recognized as one of the most strategic and forward-thinking among large enterprises worldwide, selected Office 365 based on Microsoft’s ability to deliver rich productivity experiences at massive scale across devices and platforms, as well as its ability to rapidly and reliably deploy to GE’s large global employee population. Specifically, Office 365 will provide several key benefits to GE and its employees, including these:

• A comprehensive and integrated set of productivity capabilities including email, Skype for Business calling and meetings, real-time document co-authoring, and team collaboration

• Extensibility of the Office 365 platform, which will enable GE to enhance the capabilities of critical line-of-business applications by connecting to Office 365 through open APIs

• IT controls and security capabilities that enable GE to provide employees with secured access to information and full productivity capabilities on a multitude of devices, while adhering to corporate policies, industry regulations and legal requirements

“Microsoft and GE share many values in common—openness, transparency, data-driven intelligence and innovation—all of which are driving forces behind Microsoft’s own mission to help people and organizations achieve more,” said John Case, corporate vice president of Microsoft Office. “As one of the most innovative companies in the world, GE understands what it takes to unleash the potential of its employees. We’re delighted GE has selected Office 365 as the productivity and collaboration solution to empower its global workforce.”

Microsoft (Nasdaq “MSFT”/@microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.

5 new Azure features you need to hear about

This article excerpt, by Infoworld Tech Watch author Serdar Yegulalp, originally appeared here: http://www.infoworld.com/article/2996538/cloud-computing/5-new-azure-features-you-need-to-hear-about.html

Every public cloud offering is in constant mutation — adding features, revising old ones, revamping pricing, striving to stay ahead of the competition and to give existing customers incentive to stick around.

Microsoft’s Azure improvements are often incremental changes aimed at a specific subset of users. But over the past month, several new features — and expansions on existing ones — have bubbled up, all of interest to a wide variety of Azure users. Here are five of the most significant additions.

1. Azure’s close integration with the Akamai CDN

The idea is simple: Come early 2016, Azure users will be able to programmatically deploy content into the Akamai CDN and buy Akamai offerings through their Azure self-service portal.

Microsoft has its own CDN and has long enjoyed a close relationship with Akamai, but this takes the partnership to the next level. Apart from allowing Azure-deployed content to reach a broader audience (Latin America and Asia, in particular), it also means Microsoft can pit itself directly against Amazon CloudFront.

Pricing wasn’t announced for the Akamai deal, although CloudFront is automatically quite competitive — its free tier allows up to 50GB out per month, albeit only for one year for a new account. Let’s see if Microsoft can hatch something at least as appealing.

2. Azure’s PowerShell is almost ready for prime time

Build a better command line, and the world will beat a path to your door. Microsoft made a bid in that direction with PowerShell, the power and utility of which speaks for itself.

Integrating PowerShell with Azure has been in the works a long time, but earlier this month, a major milestone arrived: the preview release of Azure PowerShell 1.0. With it, the user can manage Azure resources and services from the command line instead of through a GUI — which most any veteran sys admin appreciates.

Be warned: It’s such a major change that the featured Azure Resource Management cmdlets break backward compatibility with previous versions.

3. Azure App Service supports Go, albeit experimentally

If you’re a fan of Google’s Go and want to use it on Azure, desire no more: Support for Go with Web apps was added to Azure earlier this month — even in the free trial. Azure will take care of configuring the  file if needed for the app, but you can supply your own if your deployment requires custom settings.

Right now, only Go 1.4.2 and Go 1.5.1 are supported in their 64-bit incarnations, and the whole package is considered experimental; deploy a production application at your own risk. For now, anyway — you have every reason to believe Go support on Azure will graduate to full support status before long.

4. Azure Backup backs up a lot more than VMs

Originally, Azure Backup was designed to back up Hyper-V VMs and their associated data volumes. Anything beyond that was the province of Microsoft Data Protection Manager. But of late, Azure Backup has grown to provide backup support for other Microsoft products as well. Microsoft SQL Server, SharePoint Server, Microsoft Exchange, and Windows Clients are all protected.

Note that the cost of backups is two-fold: one charge for the size of the instance itself ($5 and up depending on the size of the instance), and charges for storage consumed by the backup. But the range of products covered by Azure Backup is likely to continue expanding.

5. Azure File Storage gives you SMB in the cloud

Sometimes you need to wait the longest for the simplest, most basic features because, counterintuitively, they’re hard to get right. Azure finally offered Azure File Storage, to perform conventional Windows file shares (via the SMB 3.0 protocol) in the cloud, at the end of September.

The idea is to support existing applications as they’re moved to the cloud, some of which might depend on SMB share mounts. An Azure File Storage share can be mounted anywhere, allowing on-prem and cloud applications to share storage and data in a familiar manner.

Note: Any clients that connect to an Azure File Storage share will be limited by their level of SMB support. For Windows 7, that’s SMB 2.1, which lacks support for encryption; SMB 3.0 is supported only in Windows 8 and up, and in Windows Server 2012 and up. However, most recent Linux distributions support SMB 3.0 natively.

Rising Cyber Insecurity

Most executives can estimate their revenue per customer but have difficulty budgeting for the potential costs if their business’ computer systems crash, are compromised by viruses or other malware, or are attacked by hackers.

By Frank Goad

Potential dire effects vary by business, the type of computer-reliant operations it has and the nature of its data, and these effects can range from mere irritation to significant financial loss all the way up to a closing of the company doors.

Information technology security issues grow more important and urgent for business and industry week by week. Commerce-critical data today is created deliberately at workstations and also streamed into the cloud by always-connected apps and devices, streams that simultaneously make operations more efficient and more vulnerable.
Managers, accountants, healthcare providers, lawyers, retailers, bankers, public officials and more all are joining IT professionals in spending more of their time and energy on cybersecurity matters.

Anti-virus expert Eugene Kaspersky said at an IT security conference in October 2013 that the cost of data system disruption to business is “many times more than $100 billion.” Since then, data breaches have occurred at Target, Neiman Marcus, JP Morgan Chase, Home Depot, Sony Pictures, Anthem and others. However, while these large events attract news coverage, much of the overall cost of data breaches actually occurs at small- and medium-sized businesses because they are often easy targets.

John Askew

“You have to assume that you have already been breached to some extent and determine how to continue running your business with that assumption,” according to John Askew, consulting manager and security team lead for SDGblue, a Lexington-based IT services firm.

“Hacking” into computer systems started three decades ago, largely among young men wanting to impress friends with their technical savvy. Nearly all data breaches today are by criminals looking to make money using an array of methods and powerful tools. The realities of computer security are much different than even just five years ago.

One result is that no one is too small to be a target. Thieves formerly tended to individually target the high-dollar score, like fishing with a large pole for that “big one.” Computer-powered automation today, however, enables thieves to fish with a net – which because of volume targeting creates large cumulative results.

Security experts all estimate the likelihood that a specific business’ computer systems will crash or be compromised at 100 percent – a matter not of if but of when. They also agree that most incidents are either preventable or can be cleaned up quickly with proper preparation. Money-sapping downtime can be averted or recovery expedited, reducing costs across the board. This security has a price, but prevention and planning tend to be far cheaper than curing a system shutdown for which a business is unprepared.

Most businesses today can’t run without computers, which are service platforms for credit card processing, tax filing, business websites and interacting with suppliers and customers.

Another recent computer security issue is that Kentucky and 47 other states along with Puerto Rico, the District of Columbia and the Virgin Islands have laws that punish companies found negligent in handling customer data, or that do not notify customers of a breach in a timely fashion.

Barbarians at the gate – and inside

Think of data security, experts say, in terms similar to doors to your business: The more data connection doors you have, the more security you need since doors are generally the most vulnerable points for unauthorized entry – or exit. Every email account is a potential door.

Further data vulnerability exists because businesses have to go through a lot of other people’s “doors,” too. Cyber criminals watch that activity with programs designed to sniff out your weaknesses and theirs.

Many business people are shocked to learn that various studies find from 45 percent to 80 percent of data security issues originate inside the company. Not all are malicious; sometimes an employee’s password is easily guessed, such as “password” or “1234567890,” or the password is posted on their desk for anyone passing by to see.

Data security becomes compromised because employees often aren’t trained, or no security guidelines exist and they innocently do something inappropriate. It can be a disgruntled employee or one paid to steal company data. “Drive-by downloads” into business networks can occur when an employee visits a web page with a malware delivery mechanism that is disguised as an ad. Sometimes network anti-virus programs are inadequate (such as free versions) or are not installed at all.

Phishing is most common attack mode

Internal breaches commonly come from “social engineering” attacks, which prey on human behavioral weaknesses. “Phishing,” a common social engineering method, is the most commonly used data assault process seen by those interviewed for this article. And it achieves the most success against users.

Phishing criminals, usually using stolen email addresses, “bait” users at a target business with what appears to be an urgent email from a familiar company, such as a bank or retail chain they use. Problems begin if a recipient clicks a link or opens an attached file promising further details. The 2013 Target stores holiday shopping season breach that led to 110 million customer credit card records being stolen started with a phishing attack against employees of a subcontractor; Home Depot’s 100-million-customer-records breach in 2014 was a phishing attack.

Phishing messages whose official-looking logos, headquarters information or other content succeed in prompting a click for details instead initiate a download of malware onto the recipient’s device that propagates across the network. The many variations of this trick have worked worldwide millions of times.

“Phishing is the No. 1 problem for us on campus, and that is across faculty, staff and students,” said Brian Purcell, Murray State University’s information security officer and the school’s interim chief information officer. “If we see a phishing attack on campus, we proactively look to see who has responded to it by examining data traffic leading to the offending site. We then change their password and user identification and notify them that we have done so … because data breaches are very expensive to correct.”
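The response Purcell describes above (find who responded to a phishing message by examining traffic to the offending site, then reset those users’ credentials) carried out in code, as an added example that is not from the article or from Murray State University. The message, the proxy log format, the domains and the user names are all constructed sample data:

```python
"""Correlate the links in a reported phishing message with web-proxy log
entries to list the users who responded and should have credentials reset.
Added example; all data below is constructed, not taken from any real incident."""
import re
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample: the reported phishing message (headers + body).
PHISHING_MESSAGE = """From: "Campus Bank Security" <alerts@campusbank-example.com>
Subject: URGENT: verify your account within 24 hours
To: staff@university-example.edu

Your account has been locked. Click http://campusbank-example-verify.com/login
to restore access. Details: https://campusbank-example-verify.com/details?id=77
"""

# Constructed sample proxy log: "<ISO timestamp> <user> <method> <url> <status>".
PROXY_LOG = """\
2015-03-02T09:14:05 jdoe GET http://campusbank-example-verify.com/login 200
2015-03-02T09:14:07 jdoe POST http://campusbank-example-verify.com/login 302
2015-03-02T09:20:41 asmith GET https://www.university-example.edu/ 200
2015-03-02T09:31:12 bjones GET https://campusbank-example-verify.com/details?id=77 200
2015-03-02T10:02:00 asmith GET http://campusbank-example-verify.com/static/logo.png 200
2015-03-01T08:00:00 cwho GET http://campusbank-example-verify.com/login 200
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d{3})$")


def extract_phishing_domains(message):
    """Return the set of hostnames linked from the phishing message body."""
    return {urlparse(u).hostname.lower() for u in URL_RE.findall(message)}


def find_responders(log_text, domains, received_at):
    """Map user -> [(timestamp, method, url)] for every request to a phishing
    domain at or after `received_at` (ISO 8601, when the message arrived).
    Earlier hits are ignored so unrelated traffic is not swept up."""
    not_before = datetime.fromisoformat(received_at)
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines rather than abort the sweep
        ts, user, method, url, _status = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host in domains and datetime.fromisoformat(ts) >= not_before:
            hits.setdefault(user, []).append((ts, method, url))
    return hits


def users_to_reset(hits):
    """Every user who touched the phishing site gets a credential reset."""
    return sorted(hits)


def likely_submitted_credentials(hits):
    """Users who POSTed to the phishing site probably typed in a password;
    they are the first to contact."""
    return sorted(u for u, reqs in hits.items()
                  if any(method == "POST" for _ts, method, _url in reqs))


if __name__ == "__main__":
    domains = extract_phishing_domains(PHISHING_MESSAGE)
    hits = find_responders(PROXY_LOG, domains, "2015-03-02T09:00:00")
    print("phishing domains:", sorted(domains))
    for user in users_to_reset(hits):
        print(f"reset {user}: {len(hits[user])} request(s)")
    print("likely submitted credentials:", likely_submitted_credentials(hits))
```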

A sophisticated variation is “spear phishing” in which attackers research individuals at a company and target them with sometimes surprisingly personal appeals. This technique increases the odds of success so much that spear phishing accounts for 91 percent of attacks. At financial institutions specifically, reported individual losses average $55,000 and some have exceeded $800,000, according to the Washington-based Internet Crime Complaint Center.

Phishing is one of the most common consumer complaints the Kentucky Attorney General’s Office gets, said Daniel Kemp, deputy communication director.

“Many of the calls lately extended from attempts to dupe consumers affected by the recent Anthem (Blue Cross Blue Shield) data breach,” Kemp said. “Getting trained in spotting these threats is one of the most effective defenses a business or consumer has. We have staff who go around the state training consumers in our Scam Jam classes. Face-to-face training is always effective, and every business should consider it for their employees.”

Who are the phishers? They come from around the world. The Chinese and North Korean governments have often been accused (e.g., the Sony Pictures Entertainment hack), as have criminals in former communist bloc countries, South America and in the United States. A town in Romania’s Transylvanian Alps, Râmnicu Vâlcea, population 120,000, is called the cyber-crime capital of the world, but it has only two government agents assigned to combat digital law-breaking. Regardless of their origin or motivation, the criminals are after your system, your data, your customers and your money.

Those illegally harvesting customer data often bundle their stolen info and sell it to others to avoid being caught using it – they let others do the phishing or scamming. It makes arrests and prosecutions difficult, and even if they are caught, restitution for victims’ losses is rare.

Assessing costs, value, safety and savings

Brian Purcell, Information Security Officer, Murray State University

The good news is that with appropriate measures, a business network can be kept reasonably-to-very safe. Although the due diligence of installing, maintaining and securing computer systems can be costly, security breach costs can be far, far more.
“PCs and computing resources are now a utility, not a luxury. IT security is often regarded as a discretionary cost, but it’s not – it should be fixed in the budget of every business,” Purcell said.

The term “disaster recovery” refers to being able to restore a computer system to the state it was in a short time before a failure. Only very rarely is this the result of a fire, flood, lightning strike or tornado, although those are considerations. Much more commonly it means a single computer’s hard drive fails and ruins all its data, which a business must recover to get back to work; or a server dies, corrupts a wider swath of data and shuts down daily operations.
Business IT disaster recovery plans often mean having off-site backup in case equipment is stolen or offices are too damaged to use. With off-site data storage, operations can be restored in a temporary location so the business can continue to serve customers and avoid losing revenue.

Dave Sevigny, President, DMD Data Systems

“A company with six PCs that has no regular service vendor for support, and that hasn’t been getting regular system evaluations, is usually down two or three days,” according to Dave Sevigny, president of Frankfort-based DMD Data Systems, a regional IT services provider. “A company that has an established relationship is usually down about a half day. There is no substitute for qualified help.”

Sevigny and others advise considering the question: How would being without computers for two or three days affect your company?

“Today’s technology is more robust, more resilient and has more ‘call home’ properties that alert us, often before the customer knows they have a problem,” he said. Clients “have fewer problems if they make an effort to keep up their systems and allow us to help them. That’s what IT professionals do.”

An office technology policy can avert some of the latest threats to business. Sevigny advises caution regarding “the bring-your-own-device (BYOD) trend of letting employees bring smart phones and tablets into the office with no supervision, and even letting them do (company) work with them.

“While an employer might think he’s saving money by having employees use their own equipment to perform tasks for which the business formerly provided the equipment,” he said, “they are also opening themselves up to some real security problems. Giving someone open access to a business network when you can’t control what happens with that device after work is a very risky proposition.”

Lack of knowledge, lack of preparation

Investing in IT security and disaster recovery is less costly than restoring data from bits and pieces, or going back to printed records. Data breaches mean lost customers and tarnished business reputations, especially when customers must be contacted to inform them sensitive personal data is now “in the wild” and in the hands of criminals.

In calculating a budget for IT security and disaster recovery, managers are advised to consider their company’s average revenue or profit per hour or per customer, then assess the potential cost of lost operating hours or customers. At what point would losses become critical? At what point would the business be fatally crippled?

Many businesses lack security and data recovery plans.

Russ Hensley, CEO, Hensley Elam Associates

“Kentucky lags the national averages for a variety of reasons,” said Russ Hensley, CEO of Hensley Elam Associates, a regional data services firm with headquarters in Lexington. “Despite the routinely quoted (estimate that there are only) 30 percent of businesses with adequate protection, we may be as low as 10 percent for companies with appropriate backup and disaster recovery plans.”

Lack of knowledge is thought to be the main reason why. “Most of them simply don’t know the risks, or they think it won’t happen to them because it hasn’t happened yet,” Hensley said. “They don’t realize their employees are usually their biggest threat. They often see the backups and IT security as something being sold to them versus being a real asset. Since they have never had an incident – despite some of them already being infected with malware and they don’t know it – they either balk at the cost or don’t see the need.”

Studies estimate the cost of repairing a data breach at $185-$195 per customer. That’s $18,500 for 100 customers or $185,000 in losses for 1,000 customers. Repairs can take months as little issues continue to present themselves. It’s fairly common for some data to be lost forever, complicating making financial books whole again. Damage to reputation and trust can mean a loss of current customers and future business.

Studies show preventive measures do reduce per-customer losses for data breaches: $14 less for companies with comprehensive security policies and procedures; $13 less when the company has an incident response or disaster recovery plan; another $7 less if a well-trained staff person serves as the chief information security officer. Those steps lower average losses to $151 per customer.

Mitigation but no 100% guarantee
“There’s a saying in our industry that computer security always seems to cost too much, but still is never enough,” said Jerry Bell, a computer security consultant and founder of the DefensiveSecurity.org website and blog in Atlanta. “Computer security is something like what they say about those who fight terrorism: We have to be right all the time, but they only have to be right once.

“There is no 100 percent guarantee against hacks or data loss,” Bell said. “Everyone is a target, too. There are breaches and attacks going on at all levels – from giant financial firms all the way down to parking garages. Statistics don’t tell the whole story because many breaches are not reported to authorities. The fear of damage to a company’s reputation is pretty powerful.”

One product that can mitigate the cost of data breaches, he said, is cyber-security insurance, which many insurers now offer. Data breach coverage can mitigate costs in any case, and especially when the policyholder is not to blame.

“When a breach happens and a claim is paid, the insurance companies are looking for those responsible for the breach,” said Bell. “If (the insurance company) pays a claim, then someone else is likely to wind up paying the insurance company.

“Take some of the big, well-known, national companies whose data breaches made headlines in 2014. There are lawsuits against some of them by their vendors, like credit card processing companies, and those vendors’ insurers to cover the costs of cleaning up the mess,” he said. “They lay the blame at the feet of the big company, and that mess includes new cards, reimbursements, credit monitoring and many other charges.”

All the experts in this article concur that, on average, only about 30 percent of businesses today have adequate security and disaster recovery plans – not elaborate security, but decent protection and enough to help with recovery.

“The one thing that keeps me awake the most at night is how our data is handled,” said Purcell at Murray State. “We’ve been collecting people’s personal data since the late ’80s, and the standards for security were different then. We’re like any other business in that regard. That legacy data is very valuable, and we have the responsibility for protecting it.” Most businesses are in the same boat.

The most common lament among the IT security professionals interviewed is that customers reel when told the cost to adequately protect their systems but don’t understand the value of that investment.

For example, initiating recommended system security measures might cost a small to medium-sized business $10,000 up front and another $300 in costs per month to monitor the system security, perform maintenance and pay for regular professional services ($3,600 per year). Under this scenario, first year expenses are $13,600; subsequent years might total $5,000 when software upgrades, checkups, equipment replacements, etc., are included. This is a five-year cost of $33,600, or $6,720 per year. It’s a considerable budget line.

If this business has 300 customers, however, then using the $185-per-customer breach cost that studies found, a data system problem could cost $55,500. That’s about $22,000 more than the five-year cost of IT system security.

Compliance does not mean security

Michael Gilliam, Security Team Lead, SDGblue

In managing costs, businesses generally opt for meeting legal or regulatory obligations as an expense baseline.

“Compliance does not equal security,” warns Michael Gilliam, consulting manager and security team lead for SDGblue. “Security is a very complex issue to tackle (and) it becomes harder to defend the individual information systems and the organization as a whole as it grows.”

A lack of dedicated resources to implement an effective security program is the biggest issue SDGblue sees, Gilliam said.

“Security (is) often viewed as a cost center that needs to be minimized,” he said.

That anemic approach is further weakened when “combined with a confusion with regulatory compliance,” Gilliam said. A managerial view that data security resources are “dedicated to avoiding fines stemming from violations makes security often nothing more than an afterthought, prioritized only when it is too late.”

State and federal government requirements to notify customers of a breach are considered burdensome and complicating factors. However, the cost of doing so is small compared to the fines and penalties for not doing it in a timely fashion, and far less than criminal or civil charges, or lawsuits by customers.

There are major additional compliance issues in the medical field, which also must comply with complicated federal HIPAA and HITECH regulations.

The Health Insurance Portability and Accountability Act of 1996 mandates the confidentiality and security of healthcare information. The Health Information Technology for Economic and Clinical Health Act of 2009 anticipates a massive expansion in the exchange of electronic protected health information.

“The cost of a breach to medical clinics can be staggering,” Hensley said. “One doctor had a laptop stolen with 2,000 patient records, and none of the data was encrypted (to make it unreadable to the thieves). They were fined $150,000 by the government for non-compliance – un-encrypted laptops are the No. 1 cause of fines. It used to be that large clinics were the ones fined, but now smaller offices are seeing fines, and they are never cheap. For the largest companies, there have been fines of $12-14 million. It’s quite serious.”

Breaches trigger legal obligations
Hensley holds the advanced Certified Information Systems Security Professional credential, which in addition to technical expertise requires knowledge of IT’s legal and financial issues. The CISSP credential is valued especially in the healthcare sector and other operations with high-stakes compliance obligations. Hensley said it improves his ability to advise clients about avoiding potentially expensive situations.

“For instance, I’ve seen cases where attorneys took a patient’s medical records into their office for a case. This puts the lawyers at tremendous risk because they think the attorney-client privilege protects them, but that’s not entirely true,” he said. “By assuming responsibility for those records, they are now under HIPAA laws and subject to penalties.”

Meanwhile, state legislatures are enacting new cybersecurity laws and reporting requirements, creating legal obligations that sometimes require notifying customers and staff about a data breach – or require not notifying them because the breach is under a criminal investigation.

In Kentucky, the HB 5 and HB 232 cybersecurity laws passed in the General Assembly in 2014 are now in effect. They changed the way the commonwealth’s businesses are required to store customer data and protect confidentiality. Depending on who is potentially affected, businesses and other entities that experience a data breach must contact the Kentucky State Police, state auditor of public accounts, state attorney general, Kentucky Department of Education or the Council on Postsecondary Education.

HB 232 defines what businesses must know about an electronic security breach, sets deadlines for informing customers and staff, and specifies whether to notify law enforcement.

Frank Goad is digital editor of The Lane Report. He can be reached at frankg@lanereport.com.

Source: Lane Report