Perimeter Highlighted in IBM Cloud MSP Press Release

Written by Mike Flouton. Posted in Blog Post

Today we were featured in an announcement by IBM, highlighting the strong success they are seeing working with Managed Services Providers (MSPs) like Perimeter to deliver industry-leading cloud solutions. As more organizations embrace cloud computing as a means to reduce cost and complexity, it is critical that organizations pick trusted long-term technology providers like IBM and Perimeter.

The release highlights this synergy.

“IBM Business Partner Perimeter E-Security, based in Milford, CT, is collaborating with IBM to address the increasing cost, complexity, and stringent compliance requirements associated with securing communications and infrastructure in information intensive businesses such as banking, healthcare, and government. Solving today’s regulatory and security challenges has and continues to become more and more cost prohibitive. While smaller financial institutions face the same regulatory pressure and data security threats, they lack the resources larger banks have to secure their institution. Cloud technology is now making it possible for smaller banks to address these issues cost effectively. This collaboration complements Perimeter’s capabilities with advanced technologies such as IBM SmartCloud, storage, and security capabilities, as well as expanding the MSP’s global presence in growth markets such as Africa.”

The full release is available here: http://www-03.ibm.com/press/us/en/pressrelease/38943.wss

We are excited to be working closely with IBM, and believe this collaboration represents an excellent opportunity to continue to deliver market leading capabilities, solving customer problems and delivering business value.


SECURITY BULLETIN: Cyber Attacks on Financials Raise Threat Level to High

Written by Grace Zeng. Posted in Blog Post

By Grace Zeng and Richard S. Westmoreland

Early this week, some major US financial institutions experienced website service interruptions possibly due to cyber attacks. In the wake of such events, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has issued Security Advisory ID 2012-09-037 and raised the cyber threat level from “elevated” to “high” to call for heightened alertness.

The issues were first brought to attention on Tuesday when Bank of America’s website availability was intermittent. On Wednesday, the website of JPMorgan Chase suffered similar sporadic problems.  Many sources attribute these two incidents to a hacktivist group called “Cyber fighters of Izz ad-din Al qassam.” Earlier Tuesday an alleged representative of this group posted a warning on pastebin.com threatening to attack Bank of America and the New York Stock Exchange, labeling them as “properties of American-Zionist Capitalists”. A day later, a second attack occurred against Chase and was referenced as a continuation of “Operation Ababil” in another posting by the same group.

In the advisory, FS-ISAC urges financial institutions to “ensure constant diligence in monitoring and quick response to any malicious events.” The advisory also warned that targeted attacks via exploitation of the recent Internet Explorer (IE) zero-day bug are actively circulating in the wild, in the absence of a permanent fix.  Microsoft has posted temporary workarounds, and says that they will be providing a patch on Friday, September 21st.

Perimeter’s Security Operations Center is closely monitoring our customers’ network traffic, 24/7. At this time, SOC is not seeing any attempted DDoS attacks. For customers utilizing FortiGate with IPS enabled, a signature is in place for the IE flaw. SOC has also added correlations to our monitoring: they are able to detect activity originating from successful exploitation of the IE zero-day. Even though detection is possible, SOC still strongly recommends that customers stop using IE for web browsing until a patch from Microsoft is available and installed.


Five BYOD Traps to Avoid

Written by Andrew Jaquith. Posted in Blog Post

There’s no stopping the move to mobile. Gartner expects that by 2015, PCs will account for only 28 percent of Internet-capable devices sold. With this surge in post-PC tablets and smartphones (mostly made by consumer behemoths such as Apple, Google and Samsung), employees are increasingly demanding to use their personal mobile devices to access company information, such as email.

Forrester Research estimates that 65 percent of enterprise employees are already using personal devices for work purposes. Many CFOs are looking to cut BlackBerry contracts and telecom expenses from their budgets by letting their employees foot some (or all) of the monthly bill. This phenomenon is generally referred to as bring-your-own-device, or BYOD for short. For a company with 500 employees, we estimate that cost savings associated with BYOD could add up to $300,000 or more annually.  BYOD is even catching on in the financial services industry, which has traditionally been extremely conservative and security-conscious. We estimate that 50 percent of Perimeter’s banking and credit union customers are currently considering rolling out BYOD programs.

Despite the growing interest in BYOD, it is a phenomenon many IT departments continue to wrestle with. Countless press articles spread fear, uncertainty, and doubt (FUD) about the terrors of BYOD, which doesn’t help CIOs figure out what to actually do. In fact, if I had a nickel for every article on the topic, I’d be rich – but no closer to actually solving the problem.

What these articles don’t tell you is that BYOD doesn’t have to be complicated. The trick to managing successful BYOD programs is to set clear ground rules, create sensible security policies, devise a strategy for navigating the privacy minefield – and know what common traps to avoid, including:

  1. Not having a BYOD policy: Without a formal BYOD policy in place, organizations are unclear about what devices are allowed on the network, and left with an ambiguous set of rights regarding what protections they can reasonably assert over employee-owned devices. What is the company’s responsibility to secure an employee-owned device, or to wipe it if it’s lost or stolen? Who is responsible for repair when the device is broken? Who pays the bill? Without a policy in place, companies will likely act inconsistently on BYOD matters, frustrating everyone from the executive level down to entry-level employees. Even worse, these inconsistent actions could be used against the organization in court.
  2. Over-collecting personal data: If an organization has decided to allow employees to use personal devices for work, it may be tempting to use MDM products to track calls, data usage, browsing habits, device locations, inventory applications and so on. Where this may be reasonable in the world of PCs and company-issued devices — where absolute control over devices is assumed and assured — BYOD is a different story. If employees have to pay for their own devices, they won’t be happy about employers controlling the way they are used and monitoring all of their activities. It crosses the Creepy Line. More to the point, it’s not always legal, and aggressive data collection practices usually have unintended side-effects. Many of the data-collection features in MDM will rapidly drain device batteries, which makes these policies even less practical.
  3. Treating all devices the same: All devices are not created equal. BlackBerry and Apple iOS are both fairly secure and highly manageable. Android, by contrast, has only a limited number of native security features that can be managed by MDM products or Google Apps. Android is also not a monolith; it is a fragmented ecosystem of many vendors and countless devices – each with its own security capabilities. That makes it hard to know what devices to allow or disallow, and what policies you might need. For example, ask yourself this question: which Android phones support hardware-based encryption? Where would you go to find out? Because not all mobile OSes are created equal, you can’t treat them all the same. Less secure platforms — I’m looking at you, Mr Google — may need to be retrofitted with additional security software.
  4. Control freakery: Personal devices are just that — personal. Avoid laying down a blanket prohibition on using personal devices for personal activities during work. While it’s generally recognized that employees should keep personal activity to a minimum, it is sometimes unavoidable. Attempts to control personal devices can cause resentment. Requiring a 12-character complex password that must be changed every 30 days was generally acceptable on PCs, but expecting employees to do this on their own mobile devices is far too aggressive. If BYOD policies are too strict, you will be forced to make exceptions, and inconsistency is never a good thing.
  5. Relying on ActiveSync: ActiveSync enables non-BlackBerry devices to access email, calendars, tasks and address lists, and has the ability to implement a handful of security policies. Though these policies can be useful, they are not nearly enough. ActiveSync is implemented inconsistently across different platforms, forcing companies to go with a least-common-denominator policy. ActiveSync also doesn’t do much to limit enrollments. Typically, when an organization allows an employee to use ActiveSync to connect to email, the employee is able to register as many devices as he or she likes. That’s not good. Furthermore, ActiveSync doesn’t allow partial wipes of a device. Instead, when a device is wiped, the whole device is erased. If the device contains something personal, such as photos or music, wiping it could be deeply upsetting. In fact, fear of capricious wipes creates a perverse incentive to not report security issues.

The bottom line: BYOD introduces new risks and operational burdens associated with employee-owned devices in the workplace. But by avoiding these common traps, while applying sensible management and security policies that are grounded in the law and enforced through technology, BYOD programs can be safe, secure and legal.

Interested in learning more? I encourage you to check out my on-demand webinar – The 5 Best and Worst Bring-Your-Own-Device Mobile Policies.


The BlueToad data breach shines a light on the mobile app developer ecosystem

Written by Andrew Jaquith. Posted in Blog Post

Earlier today, NBC News ran a story naming Florida-based mobile developer and publisher BlueToad as the source of a huge leak of 12 million unique identifying numbers (UDIDs), which were published a week ago by the anarchist hacker collective known as Anonymous. Anonymous named the FBI as the original source of the leak, but that turned out to be a red herring. When BlueToad compared its database of UDIDs to those that were stolen, it found a 98% correlation, suggesting that the data actually originated from them — meaning, somebody stole it from their servers. And so BlueToad has come forward, to their great credit.

Some background: UDIDs are the unique device identifiers assigned to Apple iPhone and iPad devices. They are important because they are permanent, and unique for every device. For this reason, many app developers have historically used UDIDs in the same way that web publishers use cookies: to track user behavior across applications. If you run a mobile ad network or have lots of apps in the App Store, you can collect UDIDs to understand how many of them are used by the same people. Although Apple banned the use of UDIDs in March of this year, the practice won’t be fully eradicated for a while. Old apps need to be purged from the App Store, and/or superseded by newer versions that don’t collect the UDID.

The disclosure of the UDIDs is less of a genuine security worry than a borderline privacy one. The file contains device UDIDs, device name, device type, and APNS certificate information. There does not appear to be any “personally identifying information,” at least with respect to the way that data breach statutes define it, i.e. the information cannot be used to uniquely identify or verify the identity of a natural person.

I could certainly speculate at greater length about whether or not the UDID breach should worry customers. In my view, it shouldn’t. But what is more interesting here is where the data was stolen from. Per BlueToad’s description of what it does, the company makes mobile apps for customers. Hundreds of apps. Many, if not all of these, were written under contract for publishing firms and other corporate customers. As NBC’s article states, “[BlueToad] provides private-label digital edition and app-building services to 6,000 different publishers, and serves 100 million page views each month.”

A huge ecosystem exists to provide custom mobile application development services. I know this first-hand: I get dozens of solicitations from these types of companies every month. As CTO of Perimeter, I am a natural magnet for every lead-generation campaign; my email address seems to be in every marketing database. Many of these mobile app development companies are offshore. They all promise the same thing: high-quality mobile apps, built to spec, and cheap! Or at least: much cheaper than I could possibly build them in-house. Here’s a sampling of pitches I’ve gotten in the last few months:

  • “Mr. Sam Alva is keen for a meeting with you to introduce our company and discuss the possibilities of ValueLabs supporting your software development, QA/testing and back office processes. Over the years, ValueLabs has provided enormous benefits to its clients by developing and supporting mission critical applications, enabling them to leverage the power of the web. Some of the key areas of our experience that may be relevant to your organization are mentioned below: Platform technologies (.NET, Java & Open source), Web services, application development & Strong UI design capabilities, Mobile Application technologies…”
  • “My name is Mahesh and I wanted to take this opportunity to introduce my company, Prime Technology Group. With over a decade of strong experience in Software Development and other IT allied services, Prime has been serving variety of industries including Healthcare, Financial, Insurance, Retail & e-commerce, Social Networking & Media, etc. both in the US and European markets. Prime has its corporate headquarters in Philadelphia, PA and a state-of-the-art offshore Software development center in Hyderabad, India. We have a proven track record with large and midsized clients including AstraZeneca, HSBC, Merck, PAMF, SUNRx, Gerson Lehrman Group, Harleysville Mutual Insurance Company, JP Morgan Chase and MedImpact Healthcare Systems, Inc. to name a few. Our Technical Practices include: Full lifecycle Software Application Development, Mobile Application Development, Web Application Development”
  • “I would like to request a meeting with you to discuss an opportunity of building a dedicated development team in Eastern Europe to support your IT needs. I represent TEAM International; a US owned and managed IT Professional Services Company with operations center in Ukraine. We specialize in custom Software Development on JAVA and Microsoft platforms, mobile Application Development, QA & Testing and SaaS / Cloud Computing.”

Now, I don’t mean to pick on these companies (other than to raise an eyebrow at how indiscreet one of them is regarding its clients). The broader point is that there are many, many such firms who are eager to sell mobile app development expertise to companies who don’t have the time or talent to make them themselves. These companies can’t all be geniuses at building security and privacy into the apps they make for their customers. Here are some questions that I’d ask each outsourcer:

  1. Given the focus on outsourcing and cost containment as the key value driver for your clients, how focused are you on secure development lifecycle practices?
  2. How aware are you of best practices for building mobile apps that are secure?
  3. How aware are you of best practices for building mobile apps that conform to the privacy laws that affect your clients?
  4. Are you collecting potentially privacy-invasive identifiers, such as Apple device UDIDs, in spite of the fact that Apple “bans” them?
  5. If you have stopped collecting device identifiers, have you gotten rid of the data?
  6. Are you transparent about your data collection practices, as recommended by the FTC? Or are you, as Graham Lee memorably put it, “Being a Dick”?

BlueToad gets credit for being forthright about what they knew and when they knew it. But then again, Apple advised iOS developers in August of 2011 that UDIDs would soon be banned. And here we are a year later. Millions of UDID records were just kicking around in BlueToad’s databases, and Anonymous stole them. That means BlueToad either wasn’t very quick about updating its apps (Apple started rejecting apps that collected UDIDs in March), or it never got rid of the data. I’d bet the latter. Either way, it’s not good.

But again, this isn’t really about BlueToad — it’s about the entire mobile app developer ecosystem. How many of these custom mobile developers are in the same boat? It’s hard to tell, but somehow I think we are about to find out.

Mark my words — if 2011 was the year that privacy issues became the Third Rail of mobile security, 2012 will be the year these concerns spread to the developer ecosystem.


Perimeter E-Security 1H 2012 Financial Institution Threat Report

Written by Grace Zeng. Posted in Blog Post

By Grace Zeng, with David Coffey and Andrew Jaquith

Summary: Perimeter E-Security provides comprehensive security services to financial institutions of all sizes. In this report for the first half of 2012, we summarize security incidents based on data from 861 financial institution customers. During that period, 1,619 likely and confirmed compromises were detected. Of these, 43% targeted small, 38% targeted mid-sized, and 19% targeted large institutions. In total, 483 financial institutions were affected by those incidents. A majority of our financial customers (56%) experienced at least one security incident in the last six months. Large institutions had the highest average number of incidents per institution: six, about one per month. Our security services blocked about one third of all incidents, preventing damage to customers’ assets. Based on our analysis, Trojan horses and the Blackhole exploit kit are the most common threats facing financial institution customers today.

Monthly incident trends

Perimeter processes about 1 billion raw security events per month. We distill these events down to approximately 120 thousand potential security incidents. Among those incidents, a majority are low-level — that is, they are informational or reconnaissance related. A smaller number are likely or confirmed successful system compromises — what we call medium- and high-level incidents. Throughout this report, a “security incident” refers to these two types. A Perimeter security analyst analyzes every one of these. When a customer suffers a security incident, it is likely that one of their computing assets such as a desktop, server or other resource has been — to put it plainly — 0wned.

The Perimeter security team analyzed over 1,600 incidents — likely and confirmed compromises — in the first six months of 2012. From the monthly trend graph, we can see that the number of security incidents increased steadily from January to May before slightly declining in June. It appears that threats and attacks are seasonal: more active in spring (Mar to May) than in winter (Jan and Feb).

Impact on financial institutions

Perimeter protects approximately 1,800 financial institutions. Our financial customers’ businesses range from banking and brokerage to credit unions, savings and loans and insurance. Our financial customers consist of 62% small institutions, 29% mid-sized institutions and 9% large institutions. We define small institutions as having assets less than $25 million; medium-sized between $25 million and $1 billion, and large institutions above $1 billion.

The chart below shows the distribution of incidents among our customer base. The plot shows percentages of financial institutions that had at least a certain number of incidents. In total, 56% of our financial customers experienced at least one incident. At one institution — the outlier at the right side of the chart — we detected 28 incidents over the past six months.


When analyzing the incidents by size of institution, we found additional patterns. In the past six months, 69% of our large financial customers experienced at least one incident. Midsize and small institutions, 63% and 51%, respectively, experienced one incident or more. On average, each institution suffered from about three incidents.

Of the top 10 customers that suffered the most security incidents, four are midsize (assets between $25 million and $1 billion) and six are large (assets greater than $1 billion) institutions. On average, each large institution had six incidents; each midsize had four; and each small had three. We believe large institutions are disproportionately targeted because they have large attack surfaces and can garner attackers larger financial gains. Although small institutions are not usually primary targets of attackers, they can serve as stepping stones for larger-scale attacks. And crucially, small institutions are most vulnerable to financial losses, and  may not be able to survive even one attack.

Approximately one-third of all security incidents were successfully blocked by our in-cloud and on-premise security devices. The rest were detected after-the-fact by our security monitoring systems.

Attacker countries of origin


Although Perimeter is not as wildly enthusiastic about “top attacking country” metrics as some — we do not suffer from congenitally nervous urges to “name and shame” former colonies, for example — the country origins of attackers help confirm hunches and things we already know.

Of the security incidents we observed, attackers’ IP addresses are distributed across 50 countries across the globe. The heat map below plots these countries with respect to the number of offending sources.  From a percentage perspective, more than 55% of attacks and threats originated from inside the United States. We expect that the main reason is that the financial institutions under scrutiny are almost all US-based. In addition, many of our customers commonly block traffic to and from non-US IP address ranges. We noticed that many users picked up malware from visiting legitimate US web sites.


Threat highlights

Financial institutions are particularly vulnerable to cyber crimes such as phishing and identity theft. We have seen numerous security incidents that have resulted in significant losses to the victim institutions.  A common propagation vector is targeted phishing emails addressed to employees with privileged account access. Once the recipient opens the link or the malicious attachment in the email, malware (in most cases, a Trojan) is installed. Sensitive account information is collected, which leads to unauthorized monetary transfers and customer data compromises. Based on the six-month incident data, Trojans turned out to be the major threat category facing financial institutions. As shown in the top 10 threat list, more than half of the incidents we observed were Trojan-related infections. Two threats on the list are particularly noteworthy: the Blackhole exploit kit and the ever-popular fake Anti-Virus. Details on each follow.

Blackhole exploit kit

The Blackhole exploit kit was the top threat plaguing our customers over the past six months. According to AVG Technologies, the Blackhole kit is the most popular toolkit in the cyber-underground. AVG’s Q2 threat report indicates that the Blackhole Exploit Kit makes up over half of detected malware; our figures agree broadly with AVG’s. The Blackhole kit is installed on a server controlled by a cyber-criminal. When an unsuspecting user visits a compromised page or clicks a malicious link in a spam message, the page or link redirects (usually via <iframe> tags) the user to the server. The server hosts obfuscated code that delivers various exploits targeting vulnerabilities in browsers and their popular plug-ins such as Adobe Flash, Adobe Reader and Java. Once an exploit is successful, the victim machine loads and executes malicious payloads, and downloads additional components if needed.

Perimeter has been closely following this exploit kit since its emergence. We observed that the ease of upgrading helps to make the kit prevalent; zero-day exploits are constantly added to the kit. For example, a Java vulnerability was disclosed in mid-June and an exploit leveraging this flaw was made available in early July. The Blackhole kit also rapidly evolves the way it spreads to web servers. In its recent campaign in late June, web servers were compromised by exploiting the Plesk SQL injection vulnerability. Many web pages were infected with contaminated JavaScript files which loaded the Blackhole exploit kit. To defend against this ever-evolving exploit kit, we have implemented several protection mechanisms for our customers:

  1. Network-based anti-virus is equipped with JavaScript/iframe signatures to offer client-side protection
  2. Web security (content filtering) can block domains that host Blackhole exploit kits
  3. Multiple correlation rules in our SIEM match patterns of related IP addresses, domains and file names.  Please refer to our recent blog post for details.
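One way to express the kind of correlation described in item 3, as an added example that is not Perimeter's SIEM rule: it follows the redirect, exploit and payload steps described above through a web-proxy log, per client and host. The log layout, the 60-second window, the content-type lists and the severity mapping are assumptions, and every log line is constructed.

```python
"""Staged correlation over web-proxy logs for an exploit-kit delivery chain.

Assumptions (not from the report): log layout, window length, content-type
lists, stage-to-severity mapping. Log lines must be in time order.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: time, client, URL, response content type, referer ("-" = none).
SAMPLE_LOG = """\
2012-06-28T14:02:11 10.1.4.23 http://news.example/story.html text/html -
2012-06-28T14:02:12 10.1.4.23 http://kit.invalid/landing.html text/html http://news.example/story.html
2012-06-28T14:02:14 10.1.4.23 http://kit.invalid/a.jar application/java-archive http://kit.invalid/landing.html
2012-06-28T14:02:19 10.1.4.23 http://kit.invalid/load application/x-msdownload -
2012-06-28T14:05:40 10.1.4.57 http://docs.example/index.html text/html -
2012-06-28T14:05:44 10.1.4.57 http://docs.example/rates.pdf application/pdf http://docs.example/index.html
2012-06-28T14:30:00 10.1.4.80 http://slow.invalid/in.html text/html http://blog.example/
2012-06-28T14:30:03 10.1.4.80 http://slow.invalid/x.swf application/x-shockwave-flash http://slow.invalid/in.html
2012-06-28T14:45:00 10.1.4.80 http://slow.invalid/setup.exe application/octet-stream -
"""

# Plug-in content named in the report: Java, Adobe Reader, Adobe Flash.
PLUGIN_TYPES = {"application/java-archive", "application/pdf",
                "application/x-shockwave-flash"}
# octet-stream is noisy on its own; it only counts here as the third stage of a chain.
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)          # assumed time budget for a whole chain
SEVERITY = {2: "medium", 3: "high"}     # stage 1 alone is too common to alert on


def parse_line(line):
    ts, client, url, ctype, referer = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "host": urlsplit(url).hostname,
        "ctype": ctype,
        "ref_host": None if referer == "-" else urlsplit(referer).hostname,
    }


def correlate(log_text, window=WINDOW):
    """Return {(client, host): highest stage reached}.

    Stage 1: HTML fetched from a host with a cross-site referer (what an
             <iframe> redirect from another site looks like to the proxy).
    Stage 2: plug-in content then served by that same host.
    Stage 3: an executable then served by that same host.
    """
    open_chains = {}   # (client, host) -> (stage, time of stage 1)
    best = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["client"], ev["host"])
        stage, started = open_chains.get(key, (0, None))
        if started is not None and ev["ts"] - started > window:
            stage, started = 0, None    # chain expired, start over
        cross_site = ev["ref_host"] not in (None, ev["host"])
        if stage == 0 and ev["ctype"] == "text/html" and cross_site:
            stage, started = 1, ev["ts"]
        elif stage == 1 and ev["ctype"] in PLUGIN_TYPES:
            stage = 2
        elif stage == 2 and ev["ctype"] in EXEC_TYPES:
            stage = 3
        if stage:
            open_chains[key] = (stage, started)
            best[key] = max(best.get(key, 0), stage)
        else:
            open_chains.pop(key, None)
    return best


def alerts(log_text):
    """Sorted (client, host, severity) tuples for chains that reached stage 2 or 3."""
    return [(client, host, SEVERITY[stage])
            for (client, host), stage in sorted(correlate(log_text).items())
            if stage in SEVERITY]


if __name__ == "__main__":
    for client, host, severity in alerts(SAMPLE_LOG):
        print(f"{severity:6} {client} -> {host}")
```

The same-site PDF download by 10.1.4.57 raises nothing, and the executable fetched by 10.1.4.80 fifteen minutes after the Flash object falls outside the window, so that chain stays at medium.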

Fake Anti-Virus

Rogue anti-virus is a form of Internet fraud that tricks users into installing or purchasing fake AV programs to “help” remove non-existent threats from their computers. These malicious AV programs usually introduce Trojans to the victim computer to harvest personal information. Fake AV has been one of the most prominent online threats in recent years. Purveyors of fake AV push it through a variety of channels:

  • Spam emails with links or attachments
  • Malicious advertising and compromised ad networks
  • Web pages containing exploits
  • Search engine optimization (SEO) poisoning

We have been closely monitoring fake AV activities for our customers and observed a rash of campaigns that led to dozens of infections this May. In early June, we discovered that Major League Baseball and a few other legitimate websites fell victim to a compromised ad network and served up fake AVs to their users. We managed to pinpoint a specific ad on MLB’s website that embedded an iframe redirection to a malicious server. This server then pushed fake AVs from several Indian .in domains to users. We published detailed analyses of these campaigns here and here. To protect our customers, we immediately added null routes for the IP addresses that the malware-hosting domains resolve to. We also have created several correlations that keep updating to detect new campaigns.
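A static check a site owner can run over served pages for the kind of embedded iframe redirection described above, as an added example that is not Perimeter's tooling. The host names, the allowlist and the hidden-frame heuristics are assumptions, and the HTML is constructed.

```python
"""Flag <iframe> elements that point at unapproved third-party hosts.

Assumptions (not from the report): the allowlist model and the three
"hidden frame" heuristics. The sample page is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page with one approved embed, one local frame and two suspect frames.
SAMPLE_PAGE = """\
<html><body>
<iframe src="https://video.partner.example/embed/42" width="640" height="360"></iframe>
<div class="ad-slot"><iframe src="http://redirector.invalid/in.html"
     width="1" height="1" style="visibility:hidden"></iframe></div>
<iframe src="/local/help.html"></iframe>
<IFRAME SRC="//tracker.invalid/t" STYLE="position:absolute; left:-9999px"></IFRAME>
</body></html>
"""

# CSS that takes a frame out of view: not displayed, invisible, or pushed off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def tiny(value):
    """True for width/height attributes of 0 or 1 (with or without a unit)."""
    match = re.match(r"\s*(\d+)", value or "")
    return bool(match) and int(match.group(1)) <= 1


class IframeAudit(HTMLParser):
    def __init__(self, page_host, allowed_hosts):
        super().__init__()
        self.allowed = set(allowed_hosts) | {page_host}
        self.findings = []          # list of (host, [reasons])

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        host = urlsplit(attr.get("src", "")).hostname
        if host is None or host in self.allowed:
            return                  # relative URL, same site, or approved partner
        reasons = ["third-party host not on allowlist"]
        if tiny(attr.get("width")) or tiny(attr.get("height")):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(attr.get("style", "")):
            reasons.append("hidden by CSS")
        self.findings.append((host, reasons))


def audit(html_text, page_host, allowed_hosts=()):
    """Return findings for every iframe whose source host is not approved."""
    parser = IframeAudit(page_host, allowed_hosts)
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_PAGE, "www.site.example",
                               {"video.partner.example"}):
        print(host, "->", "; ".join(reasons))
```

Frames written into the page at runtime by script do not appear in a static parse, so pages that load third-party JavaScript or ad tags also need a check against the rendered DOM.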

Protecting financial institutions

As our review of the first half of 2012 shows, financial institutions continue to be under attack. To protect our financial customers from attack, we provide multiple layers of defense: firewalls, web content filtering, IDS/IPS, AV tools and SIEM. Each plays an important role in defending against state-of-the-art threats.

Perimeter highly recommends our financial institution customers take all necessary steps to safeguard machines and follow security best practices. Customers should:

  • Never open unexpected email attachments or click on any links in suspected emails
  • Never supply any personal or account information as a result of an email
  • Always keep the operating system and software packages (browser and AV programs in particular) up-to-date
  • Always disable and/or uninstall unused services on endpoint machines, servers and network devices
  • If possible, block ads in the browser, or use web content filtering services

Dan Carter and Mike Flouton contributed to this report.


Archiving in the Age of BYOD

Written by Andrew Jaquith. Posted in Blog Post

You send and receive emails all day — and sometimes into the night — for work. In my own case, for example, I’ve sent over 10,000 emails since I joined Perimeter over a year-and-a-half ago, and have read or deleted thousands more than that.

Legal and compliance issues increasingly are driving companies to save every email, every instant message, and every tweet. The US Federal Rules of Civil Procedure (FRCP), for example, expect that companies involved in litigation have an email retention program in place. This is so that if you are sued — and compelled to produce electronically stored information (ESI) relating to the case — you can readily do so by retrieving these materials from a tamperproof archive. Beyond their uses in litigation, archives are often essential to comply with regulations or legislation. Financial institutions that are subject to the SEC’s rule 17a, for example, must retain all records related to their business activities for up to seven years, whether they are embodied in email, IMs, or (yes) tweets.

Archiving is also necessary and useful for employees. What is everybody’s favorite knowledge management system? Their email, of course! What do they search when they are trying to chase down something they nearly-but-almost forgot? Email! Employees want access to their archives from the devices they are bringing to work, whether it’s their iPads or Android devices. But this is hard to do well. A profusion of proprietary email “archive plugins” leave employees frustrated as they juggle multiple passwords, hunt through non-native search boxes and navigate proprietary portals.

Archiving is clearly needed in the modern age. But the modern age is conspiring against us. Why? Ever-growing data volumes require large amounts of disk space. And employees are shifting more of their communications to personal devices such as tablets and smartphones. Gartner Group, for example, estimates that only one-quarter of the internet-capable devices sold in 2015 will be traditional PCs — the rest will be post-PC tablets, smartphones and e-readers.

It’s fair to say that traditional email archiving is becoming less and less effective in the age of bring-your-own-device (BYOD). To learn more about email archiving — including what you should archive and problems you may face — take a look at my recent webinar with my colleague Frank Tsang: Email Archiving in the Age of BYOD.


Getting Your Team to Function Like an Elite Unit

Written by Tim Harvey. Posted in Blog Post

How Lessons from the Navy SEALs Will Make your Organization Stronger

We hosted an event just recently in New York City where we were honored to have two Navy SEALs address our audience of approximately 75 C-level executives on what it takes to form an elite team capable of executing the most difficult missions. As a former Marine officer and the current CEO of Perimeter e-Security, a cyber-security firm on the front lines of IT threats 24/7, I have always been impressed and inspired by the level of determination and commitment exhibited by these elite warriors.

To get a better appreciation of how the Navy recruits for this select group, I spent some time investigating the traits they view as most important for success. I took the following descriptions directly from the Navy’s website for special operations:

Job Description:

To become a SEAL in the Naval Special Warfare/Naval Special Operations (NSW/NSO) community, you must first go through what is widely considered to be the most physically and mentally demanding military training in existence. Then comes the tough part: the job of essentially taking on any situation or foe that the world has to offer.

Work Environment:

The job of a Navy SEAL relies heavily on adaptability and teamwork. Members train and work in all manner of environments, including desert and urban areas, mountains and woodlands, and jungle and arctic conditions. Whatever the specific mission and surroundings, you’ll utilize the specialized skills and the high-tech equipment required. And you’ll operate not only as a highly capable individual but also as a member of tightly knit SEAL units.

While the mission of the Navy SEALs may be different than those of most corporations, the dedication and traits of those charged with executing the objectives are surprisingly transferable to the business world. As a CEO, when I read the descriptions and see terms such as mentally demanding, taking on any situation, all manner of environments and ability to perform as an individual and as a member of a team, I’m thinking this is the type of person I want working for me.

I’ve pulled together 10 universal business lessons from their presentation to share with my colleagues and peers that I truly believe can make an organization stronger:

  1. Hire the best people. This may seem obvious, but how rigorous is your screening, especially if you are in a rush to fill a position? Only 1 out of 250 candidates becomes a SEAL after a grueling weeding-out process that includes “Hell Week.” Remember, one bad choice can weaken the entire team.
  2. Have an aggressive mindset. George S. Patton said, “A good plan violently executed now is better than the perfect plan executed next week.” Don’t ask ‘how can I fail?’ Ask ‘how can I win?’ Being defensive is never as good as being on the attack.
  3. Be prepared. The SEALs are ‘ready’ for the scariest environments imaginable. They practice for them. Over and over again. To be sure, standard operating procedures can act as a safe guide when chaos reigns, but it’s good to know the rules so that you can judge when and why to break them. It is also important to know your enemy’s standard operating procedures. Learn their ways and you can defeat them.
  4. Be vigilant. The word comes from the Latin meaning “stay awake.” Even if you are succeeding, don’t get comfortable.
  5. Foster dialogue. Most organizations know that communication is essential. But this doesn’t just mean that leaders should be talking a lot. It means that an organization’s entire culture should promote sharing of ideas; that includes from the bottom up. Everyone has a valuable idea to bring to the table. As one SEAL put it, when a new recruit joined an experienced group on the battlefield, he asked if they should bring a piece of equipment that the group had never before considered or used. Instead of brushing off the rookie, they honored his contribution, brought the tool, and it ended up saving a life. Does that mean you should listen to the intern? At least entertain what he or she says before dismissing it.
  6. Mentorship is huge. When the new person makes a mistake, is it his mistake or his superior’s? It’s important to teach others the right path because they can also contribute to your success.
  7. Build trust. Build it within your organization, with your customers – and, in the case of the SEALs, sometimes with your enemies.
  8. Apply the concept of force multiplication. This is when various tools feed off each other—but it doesn’t just mean adding knives to your gun arsenal. It can mean leveraging another’s brainpower to build on your ideas. Colin Powell once said “perpetual optimism is a force multiplier.” The result creates additional layers of security.
  9. Learn from experience – the good and the bad, in order to improve. SEALs use “After Action Reports” to highlight what went right and wrong and they typically write these reports before their day ends so the event is fresh in their minds. These AARs, as they call them, can lead to new standard operating procedures and better outcomes.
  10. Be dynamic and adaptive. Nothing ever goes as planned. Base your plans around the facts and don’t get caught up worrying about what-if scenarios.

We will most likely never be put in a situation that a Navy SEAL might encounter. However, the corporate battlefield can be difficult to negotiate as well and requires its own unique skill set to meet objectives. By keeping these lessons in mind, we will all be better prepared to successfully execute when the time comes.


Wait! Before You Sign That Cloud Contract, Read This

Written by Andrew Lazarus. Posted in Blog Post

I recently read an article in CFO magazine written by Rob Livingstone, “Before You Sign That Cloud Contract,” urging companies considering cloud-computing services to take a good, hard look at their contracts before committing to anything. His piece was spot-on, and if you haven’t already, I urge you to check it out.

The cloud is important to enterprises because it allows them to move essential functions to specialists who can provide economies of scale and skill. Done right, cloud computing enables companies to focus on their core businesses, while reducing risk. In his article, Mr. Livingstone recommends customers negotiate six key contractual terms with their cloud providers. These include getting a wet-ink contract rather than a “click wrap”, asking providers to guarantee minimum functionality, demanding transparency, clarity and assurance around the provider’s data protection policies, and reserving a “right to audit” the provider’s practices.

What it boils down to is that enterprises want a more customer-friendly agreement than they have been getting in a traditional shrink-wrapped software model. It’s easy to understand why they might want that: their cloud vendor isn’t just supplying software, but managing data and operating infrastructure on the customer’s behalf. So the shrink-wrapped vendor negotiating stance won’t work. This is a hard lesson for our colleagues in the cloud-computing business to heed.

At Perimeter E-Security, we think that transparency, clarity and assurance are essential to engendering trust in the cloud. As the only national cloud email and security services vendor under the supervision of the Federal Financial Institutions Examiners Council, we understand the importance of both having high standards and communicating them clearly to our customers. Enterprises want contracts they can understand, metrics that are clear and assurance standards they can rely on. These things all lead to trust, and trust is what will make the cloud go mainstream.


The Cloud Owner’s Manual: Chapter 5 — Termination

Written by Andrew Jaquith. Posted in Blog Post

Is your company considering cloud-based services such as email or security? You need an “owner’s manual” to know what to expect, and what to look for as you evaluate providers. To help you make informed choices, we have put together a short set of video clips from my well-received presentation The Owners Manual for the Cloud, which I gave at the Forrester Security Forum in Las Vegas last month.

The final chapter of the Cloud Owner’s Manual explores termination. In this segment, we’ll examine ways to ensure a simple “easy-on,” “easy-off” termination process, should (heaven forfend) you wish to take your business elsewhere.

This is the eighth post in our Cloud Owners Manual series. As always, we welcome your comments, observations, Tweets, likes and links.


The Cloud Owner’s Manual: Chapter 4 — Contractual Terms

Written by Andrew Jaquith. Posted in Blog Post

Is your company considering cloud-based services such as email or security? You need an “owner’s manual” to know what to expect, and what to look for as you evaluate providers. To help you make informed choices, we have put together a short set of video clips from my well-received presentation The Owners Manual for the Cloud, which I gave at the Forrester Security Forum in Las Vegas last month.

Chapter Four in the Cloud Owner’s Manual covers contractual terms, from customer indemnification against IP infringements to guaranteeing functionality.

This is the seventh post in our Cloud Owners Manual series. As always, we welcome your comments, observations, Tweets, likes and links.