Must you choose between having security or keeping the money?

Eric Jeffery

28-May-2015 The opposing security and business considerations of cloud sourcing.



If you’re going to outsource instead of keeping your data on premises, there are things you must consider.

At SC Congress Toronto, Eric Jeffery will lead a panel discussion about security and business considerations of on-premises and cloud-hosted data.

“Social engineering is what I’m most concerned about,” he said. “Hacking is a problem, however you need a select skill set. Kevin Mitnick for example, while a skilled hacker, did most of his via social engineering.”

When you outsource your data hosting, you’re outsourcing physical security. Social engineering and phishing are going to hit inside the organization.

“And now you’ve got a third party firm hosting your iron, you’ve got to trust their people are not susceptible to social engineering. Who is doing the cleaning? Have they been trained how to respond to requests for entry or information?”

No one is immune: when he signed on with LifeLock, Jeffery received feedback that his main email and password were for sale on the black market.

Consumers and businesses need to protect themselves. Maintaining as much control as you possibly can is very important.

“For example, a CIO wanted tapes of everything. He wanted to touch it, feel it, and hold it,” Jeffery said. “While that’s a violation of HIPAA, I understand why.”

He says there are two kinds of CIOs – the control freak, and the businessman who knows he can’t afford everything and must outsource and/or offshore. Many CIOs aren’t businessmen; they’re technologists who don’t know about business.

On the other side, CIOs who are business people don’t know technology and are scared, so they outsource. They’re the people who get defensive about outsourcing.

“What makes a good leader is using who and what you have,” said Jeffery. “It depends on the business and what they’ve moved out. You can’t make the decision if you haven’t looked at both sides. Any CIO who doesn’t look first before transferring to the outside is an idiot.”

Then you get the CIO who reports to the CFO. Companies make their money back when they outsource, as offshore workers receive less than their North American counterparts.

“You can’t have all the money or all the security,” Jeffery said. “You have to choose: walk the line between business and security, the one and zero, understanding that you can’t have them both. Everybody talks about how the cloud is great and secure. But they don’t talk enough about the benefits of keeping it in house.”

He recalls the time a previous employer outsourced Office365 and email, over which Jeffery’s IT co-workers now had zero control.

“Some people outsource so they can be the ones who do the yelling, rather than being the ones yelled at,” he said. “Well there was a famous outage. Two weeks later I ended up leaving the company and people thought I got fired because of that outage.”

Insource, outsource, onshore, offshore, consolidate or distribute. You’re passing an electron over a wire. Is data going to sit here, or sit out there?

“Don’t think the cloud is all well and good. The wave may be going that way, but there are other considerations you have to think about. You trained a guy and he quit. You need licenses. You trained a guy and he just had a baby and doesn’t want to work that hard any more. Not everything and not everything at once should go into that cloud.”

This discussion is reminiscent of the previous move from mainframes and terminals to client-server. 

“Maybe it’s the Millennials, because they were all in diapers when we were using UNIX terminals, however it’s the same thing,” noted Jeffery. “Most of the guys making the decisions are Gen Xers and some Baby Boomers. That’s the way the pendulum goes. I want people to understand there are benefits to insource, cloud and outsource. There are financial and security benefits for keeping it inside.”

Our discussion took place using Vidyo, which has a YouTube channel of examples. It was a pleasure to use, because in addition to voice tone and inflection, all three participants’ hand gestures and expressions were visible. There was only one minor hiccup: a momentary bandwidth issue at a local ISP.

“I work in the financial services sector, to help them use technology to further their businesses, like putting Vidyo in their applications,” Jeffery said. “GoToAssist and LogMeIn are remote access tools that have a person open their system to a third party to work on it. They are extremely vulnerable to social engineering attacks. Hospitals for example would call the help desk at their software provider and certain providers ask the nurse or other employee at the hospital if they can connect via one of these tools... meaning hospital staff are used to these tools. An attacker can randomly call a hospital and say, ‘Hi, I am Eric from Cerner or Epic or McKesson or wherever, and I know there is an issue with your system. Can you please let me connect via LogMeIn Rescue or GoToAssist so I can help?’ How does the employee know who I am?”