Yes, Social Media Is Risky — Find A Way To Make It Work

Nick Hayes

We just published a report explaining all the risks inherent in the use of social media and presenting best practice tools and techniques to manage those risks effectively.

Social media is one of the top three concerns for enterprises in 2012, according to our recent Forrsights Security Survey, and it’s easy to see why: Malware, social account hijacking, data leakage, HR concerns, regulatory compliance — these are just some of the most frequently cited challenges. And with new social media gaffes coming up all the time, like KitchenAid’s offensive tweet during one of the US presidential debates, American Apparel’s Hurricane Sandy Sale, and news of Twitter user accounts getting hacked recently (as well as LinkedIn accounts earlier this year), companies have good reason to worry about their workforce having free, unrestricted access to social networks.

Here’s the problem: You can’t stop it. Sure, you can institute a zero-use policy and completely forbid your workforce from using social media at your company, but we found this is an impractical and ineffective solution.

Read more

The Forrester Wave: Email Content Security

Rick Holland

It is with great pleasure that I announce the completion of my first Forrester Wave™: Email Content Security, Q4 2012. I’d like to thank the research associates (Jessica McKee and Kelley Mak) who assisted me with this project. We performed a 47-criteria evaluation of nine email content security vendors. Given my background as a practitioner and solutions engineer, one of the key requirements to participate was unsupervised access to a demo environment. I had access to the environments throughout the evaluation process and found them to be a great option for validating features and “getting to know” the user interfaces. Here are some of the key findings:  

Email security is a critical component of your portfolio
Email is a key component of business processes within enterprises and must be secured. Despite the fact that email security is low on the spending priority list, it’s critical that organizations safeguard email. Email is a popular attack vector for targeted attacks, and HIPAA and PCI mandate that emails containing confidential data be secured.
Advanced capabilities differentiate vendor offerings
Vendors are delivering enhanced capabilities in response to the threat and compliance landscape. Big data analytics are leveraged to combat targeted attacks. Encryption capabilities have been improved and simplified. Channel DLP is now robust and feature-rich.
The delivery model is shifting
Read more

InfoSec, Structural Engineering, And The Security Architecture Playbook

John Kindervag

Last year the country of Japan suffered a devastating disaster of unspeakable proportions. A massive earthquake on the eastern coast of the country triggered a deadly tsunami that caused the flooding of the Fukushima nuclear power plant. Three dominos fell at once, resulting in a significant and tragic loss of life and property. I visited Japan earlier this year. As I traveled throughout the Tokyo area, I couldn’t see any evidence of these disasters. I asked several residents of the city and all told me that the earthquake did not affect the rest of Japan very much. They all discussed how ready Japan was for earthquakes, having suffered many over the centuries. It was in Tokyo that I learned that not many people actually died as the result of the earthquake. Most of the deaths were the result of drowning in the flood waters created by the tsunami. Over and over again, the people I met wanted to talk about how well their buildings were designed to resist the destructive force of earthquakes.

In 2003 a much smaller earthquake struck Iran. Measuring 6.6 on the Richter scale, the Bam earthquake had much less energy but was more destructive than the 2011 Japanese earthquake, which had a magnitude of 9.0. (Data provided by United States Geological Survey.)







Southeastern Iran




Read more

Risk Management & Business Technology Resiliency – What’s Changed Since 2009

Chris McClean

Guest post from Researcher Nick Hayes.

Take a second to think back to the year 2009. The US was in the thick of the financial crisis; companies were slashing budgets, and the unemployment rate was in double-digits. And do you remember a little thing called the “swine flu”? The World Health Organization (WHO) deemed the H1N1 strain of the swine flu influenza a global pandemic in June 2009. These were just some of the events top of mind for much of the nation and the broader global community three years ago.

2009 was also the year that the annual Forrester And Disaster Recovery Journal (DRJ) Survey focused on the role of risk management in business technology (BT) resiliency and crisis communications programs. Needless to say, the survey was fairly timely. Forrester found risk management was becoming a more common practice for business continuity teams, but that there was still more room for further collaboration with their risk management counterparts.

Fast forward three years, and the 2012 Forrester/DRJ survey is again focusing on the role of risk management in BT resiliency and crisis communications (you can take the 2012 survey by clicking here). A lot has changed since 2009 with a number of new events, technologies, and organizational challenges currently plaguing business continuity and risk management professionals.

Read more

If You Never Anticipated An Event Like Hurricane Sandy, What Do You Do Now?

Stephanie Balaouras

On Monday, Hurricane Sandy slammed into the East Coast of the United States, flooding entire towns in New York and New Jersey, triggering large-scale power outages and killing at least 17 people. The health and safety of individuals is the first and foremost priority, followed by the recovery of critical infrastructure services (power, water, hospital services, transportation etc.). As these services begin to recover, many business and IT leaders are wondering how they will resume normal operations to ensure the long-term financial viability of the company and the livelihoods of their employees and how they will serve their loyal customers.

Most likely, if you have offices that lie in the path of Hurricane Sandy, you are experiencing some sort of business disruption, large or small. The largest enterprises, especially those in financial services, spend an enormous amount of money on business, workforce and IT resiliency strategies. Many of them shifted both business and IT workloads to other corporate locations in advance of the storm, proactively closed offices and directed employees to work from home or a designated alternate site.

If you are small and medium enterprise and, like many of your peers, you didn’t have an alternate workforce site, robust work-from-home employee capabilities, an automated notification system or a recovery data center, what do you do now? While it’s too late to implement many measures to improve resiliency, there are several things you can do now to help your organization return to normal operations ASAP. Here are Forrester’s top recommendations for senior business technology leaders:

Read more

Hurricane Sandy Shows A Dramatic Improvement From Botched Katrina Response

Stephanie Balaouras

My house sits atop a hill overlooking the Atlantic Ocean (hence, the neighborhood name of “Beachmont”) and was built sometime in 1890. It’s one of the tallest houses in the neighborhood and as I write this post, my house is swaying back and forth from 50 mile an hour winds (I’ve been told it’s meant to sway which is somewhat comforting but not entirely) and from my porch, I can see waves crashing over the sea wall and slamming into my neighbor’s homes below me. Needless to say, I have a vested interest in the emergency response to Hurricane Sandy.

There will be time for more detailed analysis later but here are just some initial observations and thoughts:

  • FEMA has come a long way since the incompetent response to Hurricane Katrina.
  • The response at the federal, state and local level has been much more proactive than I’ve ever seen it in the past. Many New England and Northeast states began communicating to cities and towns about the seriousness of the storm almost a week in advance, many declared emergencies as early as Saturday, and many insisted on mandatory evacuations for the riskiest areas.
    • The overall approach is better safe than sorry, even if worst fears about the storm don’t materialize.
Read more

A Chat With Trend Micro: Consumer Security Apps And Services Extend Beyond Security And Privacy

Heidi Shey

I recently attended Trend Micro’s Insight 2012 event for an update on corporate and product strategy from Trend executives, hear from partners and enterprise customers about their experiences working with Trend Micro, and sit down to 1:1's with business unit leaders. I met with Carol Carpenter, EVP of Consumer, who shared a bit about what Trend is doing for consumers and provided demos of their latest Android mobile apps out on the market and in development. Of the ones available now, they are the usual suspects – mobile security, backup and restore, and a password manager. And then, there’s a battery optimizer app. Random? No, not really.

Consumer security has come a long way from simply antivirus software for PCs. Mobile security is undoubtedly on everyone’s minds at this point (oh no! device loss, malware, my apps are spying on me!), but that’s only one factor (albeit a big one) contributing to the evolution of this consumer security market. We’re looking at protecting devices, data, identities, interactions, privacy, the consumer – in short, the online experience. That’s where the umbrella of consumer security expands, and I see apps like Trend’s battery optimizer fitting in. It’s not a “security” solution in the traditional sense, and more of a productivity tool. Consumers gain visibility into what the device and apps are doing (to the battery), and using that information to then make an informed decision (e.g., stop running that app, turn off Wi-Fi, etc) to preserve battery because it’s running too low for comfort.

Read more

Launching The 6th Annual Forrester & Disaster Recovery Journal Survey

Stephanie Balaouras


Each year, Forrester Research and the Disaster Recovery Journal team up to launch a study examining the state of business and technology resiliency. Each year, we focus on a particular resiliency domain: business continuity, IT disaster recovery or crisis management and enterprise risk management. The studies provide BC and other risk managers an understanding of how they compare to the overall industry and to their peers. While each organization is unique due to its size, industry, long-term business objectives, and tolerance for risk, it's helpful to see where the industry is trending, and I’ve found that peer comparisons are always helpful when you need to convince skeptical executives that change is necessary. For better or for worse, it is a fundamental part of human nature to want to go with the herd. For those who are interested, there is a great Freaknomics podcast on the subject called “Riding the Herd Mentality: A New Freakonomics Radio Podcast.”

Read more

The Biggest Risk To BC Preparedness – Third-Party Risk

Stephanie Balaouras

At the recent Disaster Recovery Journal Fall World conference, I gave a presentation of the state of BC readiness. I had some great discussions with the audience (especially about where BC should report), but one of the statistics that really stood out for me and I made it a point to emphasize with the audience, is the state of partner BC readiness.

According to the joint Forrester/Disaster Recovery Journal survey on BC readiness, 51% of BC influencers and decision-makers report that they do not assess the readiness of their partners. If this doesn’t shock you, it should. Forrester estimates that the typical large enterprise has hundreds of third-party relationships – everyone from supply chain partners to business process outsourcers, IT service providers and of course cloud providers. As our reliance on these partners increases so does our risk – if they’re down, it greatly affects your organization’s business performance. And with the increasing availability of cloud services, the number of third parties your organization works with only increases, because now, business owners can quickly adopt a cloud service to meet a business need without the approval of the CIO or CISO and sometimes without the approval of any kind of central procurement organization.

Even among those organizations that do assess partner BC readiness, their efforts are superficial. Only 17% include partners in their own tests and only 10% conduct tests specifically of their critical partners.

Read more

What Are S&R Pros Doing About Data Security And Privacy?

Heidi Shey

Data security consistently tops the laundry list of security priorities because it must. Organizations are collecting data, creating data, using data, and storing data in some way or another. Mishandle data or disregard privacy, and you’ve got a public relations fiasco on your hands with the potential to disrupt business operations or hurt the bottom line.

So, we know that data security is a priority, but what does that mean? What are organizations actually doing here? How much are they spending, and where are they focusing their efforts? And what are they doing about privacy? I’ve dug into data from Forrester’s Forrsights Security Survey, Q2 2012 and data from the International Association of Privacy Professionals (IAPP) to answer these questions in a newly published benchmarks report for our Data Security and Privacy playbook. Note: This is not a shopping list, nor a check list, nor is it a “spend x% on data security because your peers are doing so!” manifesto. This report is meant to be a starting point for discussion for S&R pros within their organizations to take a closer look at their own data security and privacy strategy.

Key findings include:

Read more