Wednesday, October 27, 2010

Uh, Oh. And It's Election Time.

Republicans, Democrats, Independents, Tea Party supporters, coffee drinkers and anyone in IT security all agree on one thing: cybersecurity is critical. That said, Andrew McLaughlin, White House Deputy CTO, said that the multi-jurisdictional, multi-stakeholder certificate-based web browsing model poses a problem that the government can't fix.

"Government can't fix it and government shouldn't fix it," he told the New America Foundation. "So this is not an area where public policy is going to be able to waltz in with a thunder set of regulations, or some kind of rule set perpetrated down through the system by an authority -- it's just not going to happen."

Uh, oh. Normally phrases that tell businesses that they don't have to worry about regulations bring out loud cheers. Not so in this case, even though he added the magic words most business leaders love to hear. "You don't want government to try to be your front line. We have a history of screwing things up."

Cybercrimes are growing and every business that has been a victim wants the government to be its front line, side line and back line. Hackers will not stop trying to break into bank accounts. They don't do it for fun. They do it for one reason only: quick money and lots of it. If the government takes a back seat, it's definitely going to screw up. There is only one justification for government: to protect its citizens -- all of them. Businesses of all sizes are vulnerable. Many large corporations, including big banks, have had their data hacked into and possibly (read: probably) compromised. Ditto for a consortium of hospitals in New York City. Cybertheft has surpassed half a billion dollars, double from the year before. Ari Schwartz, senior Internet policy advisor at the National Institute of Standards and Technology, notes that the Internet is comprised of "voluntarily interconnected networks" and that one organization's lax practices can make the entire network vulnerable, even if all the other parties are up to snuff on security. Nevertheless, Mr. McLaughlin is throwing his arms up because it's difficult to detect the weak link among the players, jurisdictions, standards, hardware and physical interconnections that allow browsing.

Hey, wasn't President Obama vocal about going almost completely digital, including medical records? It's ironic that when he ran for office, his opponent, John McCain, was living in static black and white, totally computer literate. (At least he's now tweeting.)

Anyway, the last I checked, robbery is robbery, no matter how it's committed. You wouldn't want your local government to announce that the police department isn't going to protect you from robbers because it's not the government's job. Tell us again why the government shouldn't be the front line, Mr. McLaughlin? Maybe you should have a web chat with Mr. Schwartz.

Monday, October 18, 2010

Identity Theft Protection Week

October 17-21 is Identity Theft Protection Week. This is a problem that costs individuals and companies millions of dollars each year. Moreover, for an individual, it's hell. Many people whose homes or cars have been robbed describe it as having felt raped. Identity theft is similar, even if the victim did not come home to drawers that were left open after being rummaged through. Identity theft is like having your personal mail and diaries read. The perpetrator need only know four basic things -- your name, address, date of birth and Social Security number -- but those four things are more than you want him or her to know. That perp can drain your savings and damage your credit score.

No reputable business wants to let that happen, but it does occur because the powers that be might be so determined to keep costs down that mid-level decision-makers choose not to upgrade their security. In the medical community, it's worse. Hospitals are usually non-profit entities, but they run on thin margins even if they are, for all practical purposes, making money. Most private practices don't make huge profits because they have at least one receptionist, one nurse, one medical secretary and one billing clerk. There is no consensus on an Electronic Medical Records standard -- nothing like Microsoft Office, which is the standard in its industry. Even though an EMR system costs about $10-12K, many doctors are reluctant to put the money into it, especially if they are going to have to change systems in a few years.

Note to anyone who does get electronic records: When asking for medical information by e-mail, make sure it is encrypted. Standard e-mail does not meet PHI (Personal Health Information) compliance standards. Chances are, those e-mails won't contain items that the identity theft perp wants, but there is no reason why anyone other than immediate family or health providers should have information about your personal health.

Thursday, October 7, 2010

Mergers and VDR

It's not uncommon for people to lose their jobs when a merger between two companies occurs. From a business standpoint, it makes sense to consolidate some jobs. But management should think long and hard before making decisions to cut staff in some areas, particularly when it comes to Virtual Data Rooms. Here are some of the issues that I see:

1) Different companies probably have different levels of security. Staff members of both IT departments should compare every level of security. For example, it's a well-known fact that banks own shares in each other, as do insurance companies. Let's say that a regional bank merges into another regional bank. The bank with the more advanced IT security may or may not be the one that swallowed the other one. If the acquiring bank's IT security is the vulnerable one, there could be a major problem, because computer systems are often changed after a merger.

2) Software requires licenses. In an effort to save additional costs, the dominant company may not want to spend money upgrading security or buying additional licenses for software.

3) No one really knows what's going to happen once Obamacare takes effect. The president has talked about having all medical records go digital, but the truth is that hospital computer systems are often incompatible with each other. In addition, many doctors are reluctant to go digital because of the cost and the fact that there is no standard, like Microsoft Office for administrative office work.

Most lawyers use MS Word, but there are some that still use WordPerfect. If two lawyers can't send each other documents that are readable by their systems, imagine what it would be like if two financial or insurance firms merged and their security was incompatible. It's an invitation to a security disaster.

Right now I'm doing some research on ShareVault, a leader in Virtual Data Room products. Supposedly, the company has the experience of handling billions of dollars in transactions. If anyone has experience in it, please contact me and let me know your thoughts.

Sunday, October 3, 2010

Stop, Thief!

I just came across this frightening and interesting statistic: online fraud more than doubled to $559.7 million in 2009, up from $255 million stolen in 2008.

This should come as no surprise. Online purchases are a way of life. Just try buying some ordinary things, such as tires or wedding gifts, at stores. Hardly anyone keeps inventory at each store, so you have to pay for things in advance, preferably online. Moreover, as apps have become more popular, guess what? If they're not free, you need to pay for them by credit card.

In theory, it is very easy to detect fraud and to prevent future fraud with a sound strategy. But that costs money and most companies are not willing to part with it if it doesn't bring in immediate revenues. If you are a small business owner, you may not have much budget to combat fraud through the use of intrusion detection systems, but here are things you can do:

  • Look for unusual account activity.
  • Call customers to notify them if you suspect there is a problem. Give them the option of verifying their account activity before they receive nasty surprises on their statement. It will save you a lot of angry calls later.
  • Arrange to have all revenues go into a deposit-only account. You would be surprised how often company employees innocently give away wiring instructions, which contain bank routing numbers and your company's account number, to anyone who calls. It is easy for a thief to take money out once he or she has your company's account number.

You need to take this evolving security threat seriously or everything you worked hard to achieve will vanish.