Three Lessons for Mitigating Network Security Risks in 2015: Bring Your Own Device


Not too long ago, organizations fell into one of two camps when it came to personal mobile devices in the workplace – these devices were either connected to their networks or they weren’t.

But times have changed. Mobile devices have become so ubiquitous that every business has to acknowledge that employees will connect their personal devices to the corporate network, whether there’s a bring-your-own-device (BYOD) policy in place or not. So really, those two camps we mentioned earlier have evolved – the devices are a given, and now, it’s just a question of whether or not you choose to regulate them.

This decision has significant implications for network security. If you aren’t regulating the use of these devices, you could be putting the integrity of your entire network at risk. As data protection specialist Vinod Banerjee told CNBC, “You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.” What’s worse, this has the potential to happen on a wide scale – Gartner predicted that, by 2018, more than half of all mobile users will turn first to their phone or tablet to complete online tasks. The potential for substantial remote access vulnerabilities is high.

So what can risk practitioners within IT departments do to regain control over company-related information stored on employees’ personal devices? Here are three steps to improve network security:

1. Focus on the Increasing Number of Endpoints, Not New Types

Employees are expected to have returned from holiday time off with all sorts of new gadgets they received as gifts, from fitness trackers to smart cameras and other connected devices.

Although these personal connected devices do pose some network security risk if they’re used in the workplace, securing different network-enabled mobile endpoints is really nothing special for an IT security professional. It doesn’t matter if it’s a smartphone, a tablet or a smart toilet that connects to the network – in the end, all of these devices are computers and enterprises will treat them as such.

The real problem for IT departments involves the number of new network-enabled endpoints. With each additional endpoint comes more network traffic and, subsequently, more risk. Together, a high number of endpoints has the potential to create more severe remote access vulnerabilities within corporate networks.

To mitigate the risk that accompanies these endpoints, IT departments will rely on centralized authentication and authorization functions to ensure user access control and network policy adherence. Appropriate filtering of all the traffic, data and information that is sent into the network by users is also very important. Just as drivers create environmental waste every time they get behind the wheel, network users constantly send waste – in this case, private web and data traffic, as well as malicious software – into the network through their personal devices. Enterprises need to prepare their networks for this onslaught.

2. Raise the Base Level of Security

Another way that new endpoints could chip away at a network security infrastructure is if risk practitioners fall into a trap where they focus so much on securing new endpoints, such as phones and tablets, that they lose focus on securing devices like laptops and desktops that have been in use for much longer.

It’s not difficult to see how this could happen – information security professionals know that attackers constantly change their modus operandi as they look for security vulnerabilities, often through new, potentially unprotected devices. So, in response, IT departments pour more resources into protecting these devices. In a worst-case scenario, enterprises could find themselves lacking the resources to both pivot and mitigate new vulnerabilities, while still adequately protecting remote endpoints that have been attached to the corporate network for years.

To offset this concern, IT departments need to maintain a heightened level of security across the entire network. It’s not enough to address devices ad hoc. It’s about raising the floor of network security, to protect all devices – regardless of their shape or operating system.

3. Link IT and HR When Deprovisioning Users

Another area of concern around mobile devices involves ex-employees. Employee termination procedures now need to account for BYOD and remote access, in order to prevent former employees from accessing the corporate network after their last day on the job. This is particularly important because IT staff have minimal visibility over ex-employees who could be abusing their remote access capabilities.

As IT departments know, generally the best approach to network security is to adopt policies that are centrally managed and strictly enforced. In this case, by connecting the human resources database with the user deprovisioning process, a company ensures all access to corporate systems is denied from devices, across-the-board, as soon as the employee is marked “terminated” in the HR database. This eliminates any likelihood of remote access vulnerabilities.

Similarly, there also needs to be a process for removing all company data from an ex-employee’s personal mobile device. By implementing a mobile device management or container solution, which creates a distinct work environment on the device, you’ll have an easy-to-administer method of deleting all traces of corporate data whenever an employee leaves the company. This approach is doubly effective, as it also neatly handles situations when a device is lost or stolen.

New Risks, New Resolutions

As the network security landscape continues to shift, the BYOD and remote access policies and processes of yesterday will no longer be sufficient for IT departments to manage the personal devices of employees. The New Year brings with it new challenges, and risk practitioners need new approaches to keep their networks safe and secure.


Data Analytics as a Risk Management Strategy


In our increasingly competitive business environment, companies everywhere are looking for the next new thing to give them a competitive edge. But perhaps the next new thing is applying new techniques and capabilities to existing concepts such as risk management. The exponential growth of data as well as recent technologies and techniques for managing and analyzing data create more opportunities.

Computer Network Wires

Enterprise risk management can encompass so much more than merely making sure your business has purchased the right types and amounts of insurance. With the tools now available, businesses can quantify and model the risks they face to enable smarter mitigation strategies and better strategic decisions.

The discipline of risk management in general and the increasingly popular field of enterprise risk management have been around for years. But several recent trends and developments have increased the ability to execute on the concept of enterprise risk management.

First, the amount of data being produced everywhere has exploded and continues to accelerate. The typical executive today is swamped by data coming from all directions. Luckily, just as the raw amount of data has grown, the cost of the hardware to store data has decreased at an exponential rate. For example, in the last 10 years, retail hard-drive costs have dropped from about $1.20 per gigabyte (GB) in 2004 to about 4 cents per GB today. What’s more, the cost of hardware to store all that enterprise data is quickly becoming negligible.

But such huge amounts of data present a problem: Somebody has to manage and analyze it. All data is not equally important or relevant to the problems business executives need to solve or the risks they’re trying to manage. The explosion of data has created a greater amount of helpful and relevant data, but it can get lost in an even greater amount of useless, irrelevant, and distracting data. So an effective data management and analytics program is crucial to take advantage of the opportunities resident in the new flood of data.

One job of analytics is to sort the important from the unimportant and analyze and synthesize the data in new ways that create actionable information. Fortunately, the tools and techniques to manage large volumes of data have been progressing over the past several years. In particular, there has been a lot of buzz about big data. The field of big data has developed from a specific platform to manage large volumes of data into an entire ecosystem of related technologies. These tools are critical to the process of picking out the grains of useful intelligence from the vast quantities of distracting chaff that are characteristic of many big data sources.

Of course, all the recent technical developments and analytic techniques that make it possible to extract actionable information from a flood of data are all professionally exciting—if you’re an analyst. However, analytics for analytics’ sake does not help an organization. Often, analytics groups can remain isolated from the business itself. When such groups ultimately present what they have discovered, they may simply talk about the part most interesting to them—the analytics process—rather than focusing on the resulting information.

It is important to remember that actionable information is the ultimate goal of the entire exercise. The information must reach the decision makers in an understandable form when it is needed—the right information at the right place and at the right time. When designing information systems or even just presenting information to business executives, it is important for technical professionals to keep technical details to a minimum and focus on the actionable information. A feedback mechanism is critical. Users of the information must have a method to tell the creators of the information whether it was sufficient, correct, timely and understandable.

It’s been said that the three most important factors in real estate are location, location, and location. Similarly, the three most important factors in effective analytics are data, data, and data. Good data can sometimes make up for mediocre analytics, but even the best analytics will never produce anything useful from poor data.

Where should a business begin to leverage the new data and risk analytics? It has to start with the data itself. So start collecting and storing the data that’s available to you. Every business generates vast amounts every day. Collecting, managing, and analyzing internal data is necessary; but by looking outside the organization at social media, government data sources and third-party data vendors, a company can really begin to illuminate the environment in which it operates.

Managing data for analytics is a specialized field in its own right, and a topic for another day. But the business that can effectively leverage data and analytics to manage the risks it faces will be rewarded by seeing the future more clearly, making better decisions and ultimately being more successful than those companies that cannot.

Article authored by Phil Hatfield, modeling data services executive for ISO Insurance Programs and Analytic Services (IPAS), a Verisk Analytics (Nasdaq:VRSK) business.


Risks of Running a Brewery & How to Avoid Them

Poyner Spruill Law firm

Beware of These Risks

Underage Drinkers, Intoxicated Patrons & Employee Restrictions

Restrictions on Employees

  • Employees are prohibited from drinking while on the job.

  • Employees who sell or serve alcoholic beverages must be at least 18 years old.

  • Employees under 21 years old are not permitted to mix drinks containing liquor.

  • Minors who are 16 or 17 years old are permitted to work at the brewery only if they do   not serve or sell any alcoholic beverages.

Sales to Underage Drinkers

It is unlawful to sell or serve alcohol to persons under 21 years old.

What should you do to protect yourself?

  • Train employees to request proper identification from customers.

  • Create a written policy for checking identification and have employees acknowledge that they have read and understand the policy.

  • Diligently supervise employees and their age verification practices.

How much might it cost you?

  • There is a cap on damages of $500,000 per occurrence.

Sales to Intoxicated Patrons

It is unlawful for a brewery or an employee of the brewery to knowingly sell alcoholic beverages to an intoxicated person.

What should you do to protect yourself?

  • Train employees on warning signs that a customer may have had too much to drink.

  • Be cautious in your assessment of a customer’s condition.

How much might it cost you?

  • There is no cap on damages for sales to intoxicated persons.

  • A court may even impose punitive damages against you.


© 2014 Poyner Spruill LLP. All rights reserved.

Making Use of Social Media: FDA Releases Two Draft Guidelines on the Use of Social Media Platforms by Drug and Device Manufacturers


The Food and Drug Administration (FDA) has released two long-awaited draft guidance documents for the drug and device industries revolving around the use of social media platforms by drug and device manufacturers — Internet/Social Media Platforms: Correcting Independent Third Party Misinformation About Prescription Drugs and Medical Devices (“Guidance on Correcting Third Party Misinterpretation”), and Internet/Social Media Platforms with Character Space Limitations – Presenting Risk and Benefit Information for Prescription Drugs and Medical Devices (“Guidance on Presenting Risk/Benefit Information”).

As the titles suggest, the purpose of the documents is to clarify how social media may be utilized by drug and medical device companies for the voluntary correction of misinformation provided by independent third parties, as well as for presenting promotional messaging regarding risk/benefit information of products. But while the guidelines provide helpful clarification regarding how such platforms may be utilized, they each also raise considerations that companies should take heed of before beginning to use these outlets, and should be factored into a company’s social media guidelines.

Internet/Social Media Platforms: Correcting Independent Third Party Misinformation About Prescription Drugs and Medical Devices

As an initial matter, the Guidance on Correcting Third Party Misinterpretation (“Draft Guidance #1”) establishes two points: first, Draft Guidance #1 only applies to misinformation posted to Internet-based platforms by an independent third party, therefore excluding content provided by the company itself, its employees and agents. Second, Draft Guidance #1 establishes that the exception to a company’s obligation to respond to or correct misinformation only applies to information that is “truly independent,” for example posted by an independent third party to an unaffiliated platform or a platform providing content that is not controlled by the company.

However, Draft Guidance #1 does not completely exclude company-operated sites. In stark contrast with the company’s obligation to correct content when that content is “owned, controlled, created …influenced or affirmatively adopted or endorsed by, or on behalf of, the firm,” where such corrections are obligatory and also carry advertising and labeling regulatory requirements, Draft Guidance #1 does not hold companies responsible for correcting misinformation where a company owns or operates an online platform that allows for user-generated content (chat room, etc.) over which a company does notexert control. However, Draft Guidance #1 cautions that such a site should contain an “overarching and conspicuous statement that the firm did not create or control the [user-generated content].”

If a company chooses to voluntarily respond to truly independent misinformation, Draft Guidance #1 sets parameters on the process for taking correction action, which should either be by (i) providing appropriate truthful corrective information or (ii) providing “a reputable source for correct information, such as the firm’s contact information. In either approach, in order to constitute “appropriate corrective information” a firm’s communication should denote the affiliation of the corrective post with the company, and be:

  • relevant and responsive to the misinformation;
  • limited and tailored to the misinformation;
  • non-promotional in nature, tone, and presentation;
  • accurate;
  • consistent with the FDA-required labeling for the product;
  • supported by sufficient evidence; and
  • posted either in conjunction with or reference the misinformation.

In acknowledgement of the vast nature of the Internet and certain forums and the reality that it may be impractical for a company to attempt to correct all misinformation about its products that may appear, Draft Guidance #1 stipulates that companies do not need to address all incorrect information that may be posted regarding a particular drug or device, even if a company elects to correct a selective portion. When addressing any misinformation, therefore, Draft Guidance #1 recommends that a company create a figurative box around the particular misinformation and portion of the forum it intends to correct, and then revise all the incorrect information within that defined boundary, which should include also correcting positive misinformation or exaggerations. Following corrective action, while Draft Guidance #1 does not hold companies responsible for monitoring the communication, it does recommend that companies keep records that include (i) the date, location, and content of the misinformation; (ii) when the wrongful information was discovered; and (iii) a description of the corrective information provided, including the date it was furnished.

Finally, Draft Guidance #1 suggests that the FDA does not intend to object if a firm voluntarily corrects misinformation and the voluntarily provided corrective information does not satisfy otherwise applicable regulatory labeling or advertising requirements, so long as the corrective information is not non-truthful, misleading, or in a manner other than recommended by Draft Guidance #1. However, companies should take heed that any corrective action that goes beyond merely providing accurate information that is specifically tailored to the misinformation it is addressing (i.e., including slogans or promotional information) must comply with applicable regulatory requirements related to labeling or advertising.

While helpful for establishing clearly both the parameters for correctly responding to misinformation as well as for clearly limiting a company’s obligation to respond to any or all misinformation posted by an independent third party, the Guidance on Correcting Third Party Misinterpretation also reminds companies to take caution when doing so to ensure that their responses are narrowly tailored enough to fall under the purview of the guidance and outside regulatory requirements. That caution includes carefully considering where misinformation clearly constitutes “truly independent” information. Companies should be mindful of the reality that “truly independent” is not a concept that is well defined, and should thus be cautious before asserting that certain misinformation may fall under the purview of Draft Guidance #1 as the FDA advances a broad interpretation of when a company is responsible for taking corrective action.

Internet/Social Media Platforms with Character Space Limitations — Presenting Risk and Benefit Information for Prescription Drugs and Medical Devices

Prepared by the Office of Prescription Drug Promotion, the second guidance issued by the FDA last week, the Guidance on Presenting Risk/Benefit Information (“Draft Guidance #2”), addresses the parameters around presenting benefits and risks information on Internet and social media platforms with character spacing limitations, such as microblogs (e.g., Twitter) and online paid search (e.g., “sponsored links” on search engines such as Google). Draft Guidance #2 clearly establishes that, as a threshold matter, the character restrictions do not eliminate the company’s responsibility to ensure its promotional messaging complies with all applicable regulations related to advertising and labeling, and cautions that such forms of media may not be appropriate for promotion of certain products, such as those with complex indications or risk profiles.

For companies that choose to make product benefit claims on character-space-limited communication sites, while each may reasonably use common abbreviations (including scientific and medical abbreviations), punctuation marks, and other symbols to comply with space constraints, Draft Guidance #2 presents a broad set of rules that must be satisfied by each communication relating to both risk and benefit information.

Benefit Information

  • Benefit information should be accurate, non-misleading, and reveal material facts within each individual message or tweet.
  • Benefit information should be included with risk information in the same message. Do not spread benefit and risk information across multiple messages or tweets.

Risk Information

  • Risk information should be included with benefit information in the same message. Do not spread risk and benefit information across multiple messages or tweets.
  • Risk information should be “comparable in scope” to the benefit information, and should, at minimum, include the most serious risks, e.g., those included in a boxed warning or known to be life-threatening, among others, associated with the product. To determine whether risk information is “comparable in scope” to the benefit information, the FDA weighs (i) whether the risk information “qualifies any representations made about the product,” and (ii) whether the risk information is presented with a “prominence and readability comparable to the benefit claims about the product.” While risk disclosures may be concise when paired with benefit information, a hyperlink to a complete, and exclusive, discussion of risks should be included and appropriately titled and not promotional in nature.
  • Both the proprietary and established (generic) name for the product should be included within the character-space limited communication and on each landing page associated with each hyperlink in that initial communication. Draft Guidance #2 recommends that the landing page be devoted exclusively to the communication of risk information about the product and not to the promotional home page. Such landing page should also prominently display quantitative ingredient and dosing information for prescription drugs.

In light of the restrictions set forth by Draft Guidance #2, while companies should feel comfortable taking advantage of current social media platforms including those with character restrictions, they should also ensure that the parties responsible for drafting any such posts are aware of the parameters placed on such communications. A hypothetical example provided by Draft Guidance #2 exemplifies some of the potential disadvantages of such messaging:

NoFocus (rememberine HCl) for mild to moderate memory loss-May cause seizures in patients with a seizure disorder

While the message complies with each of Draft Guidance #2’s directives, the balancing of risk and benefit information in a space restricted communication may have the unintended result of highlighting risk over benefit. Additionally, from a practical standpoint, the space constraints may prevent the inclusion of all necessary information. If a company cannot conclude that “adequate” benefit and risk information (along with other required disclosure) may be communicated in the same message or tweet — particularly at 140 characters — Draft Guidance #2 recommends that the company reconsider whether the use of the particular platform is the appropriate forum for the dissemination of such messaging before making use of such forums, once again in particular for drugs with complex indications or high risk profiles.

As a general conclusion, while the Guidance on Presenting Risk/Benefit Information is self-admittedly limited in scope, and does not address “promotion via product websites, webpages on social networking platforms (e.g., [Facebook, Twitter, YouTube]), and online web banners,” it undeniably provides helpful direction for drug and device companies’ use of social media sites for promotional messaging where communications are restricted to a limited number of characters, as well as highlighting how the FDA may intend to regulate such use. Companies should pay careful attention to the restrictions while taking advantage of the opportunities these social media platforms offer, and should take care to ensure to instill clear policies that comply with Draft Guidance #2 that are available to, and understood by, individuals tasked with producing and monitoring social media content for the company.

The FDA will be accepting comments on both Draft Guidance #1 and Draft Guidance #2 until September 16, 2014.

Article By: