corporate

Microsoft patent of the day

On August 19, 2008, Microsoft was granted a US patent:

"a method and system in a document viewer for scrolling a substantially exact increment in a document, such as one page, regardless of whether the zoom is such that some, all or one page is currently being viewed".

Dave Lewis claims this means that Page-up and Page-down are hereby patents owned by Microsoft. I think Microsoft now also has patented using arrows to navigate - if you use your arrow-up or arrow-down in MS Word, you are taken one line up or down - or you are "scrolling a substantially exact increment in a document...".

The same happens using the elevator shafts - moving left/right, or up/down. It may also apply to the shortcuts to jump forward/backward to pages, columns, tables and images.

I agree with Dave that the US Patent system is long overdue for a revision. If it continues like this, anyone with a bit of cash and a way with text can claim patents for anything and everything.

What does this mean to your business? You may risk that someone shows up one day and asks you to pay a license fee for using things you take for granted - like your keyboard. But the most likely scenario is for someone to take your technology - the technology you have spent time, money and effort on developing - and register a patent on it. Using that patent, they own the rights to the technology you developed, and they will cash in on it.

How can you avoid this scenario?

Be sure to register your patents as you go. Spend the money - as it is the only way to ensure that no-one else does it. To SMEs the cost of patents may seem high, but consider it an investment - if you fail to register, the whole value of your development is gone (since if your technology has any chance of making money, someone will register it as a patent, and you will pay them to use your own technology...).

What are your experiences with patents?

Sources:
ZDNET
Liquidmatrix (Dave Lewis)


Branding starts when you pick up your phone!

Wow. I am amazed.

I just called a company - or so I thought. I was researching, looking for some particular information, and now just calling competitors of my client in order to gather intelligence.

And as I call around, the phone is answered (no surprise there) with:

"Hello...?"

The voice is female, and sounds like a housewife answering the phone of her husband, not sure if she is allowed to do so. You get the picture.

Me: "Have I reached ABC corp?"

Her (sounding unsure): "Yes..."

Me: "Am I talking to ...?"

Her (suspicious this time): "Yeees..."
Then: "Who am I talking to?"


I realize that I have made up my mind already in her first "Hello...?". This is not a company I would want to deal with.

Her: "Excuse me a second..." and the line goes on hold.

I start wondering what I am dealing with here. Obviously, this is no professional company. My mind wanders off, and I seriously consider just hanging up.

But, I brace myself, and continue - I am on a mission, after all:

Me: "So, listen...I was wondering, do you deal with ...?" (Insert the service/product name here).

Her (hesitating): "Yes, I could do that."

Wow. So, this company is her. No-one else, it seems. And obviously she is not used to customers rushing down her phone.

We continue our conversation, which continues to break up with "Please hold a sec..." every 30 seconds or so. As I have gathered the information I wanted, I start to wrap up. And now she has changed her approach, and starts to seem desperate.

Me: "So, let me get back to you."

Her: "Please do. I can do this. I really can, I assure you. Really."

I hung up.

Imagine, I wrote one third of this post while on hold - during the conversation - with this company. I posed as a potential client. I would pay. I would be a long term client of hers.

But it is all ruined by the first impression. The first "Hello...?". The lack of a presentation. The total lack of professionalism and commitment. It just makes me sick.

And this reminds me that branding is a full time commitment. Your company's public image is created by that first phone call. And if you drive potential clients away, you will end up with a broken back before you know it!


Windows 3.1 is dead - so what?

Today, John Sheesley amused me with his attempt to use Windows 3.1 (actually 3.11 Windows for Workgroups) as a workstation of 2008. Those of us who remember WFW may wonder why on earth he would do that, but I leave it at that.

One should think that using software that was designed only 15 - 20 years ago should be quite possible today. After all, a PC is still a PC, right?

Not so. A PC of today (2008) is based upon the same principles as back in the early 1990s, but the technology has reached a maturity point where backwards compatibility hardly exists.

Yes, you may get WfW to actually work, if you, like many others, keep an old 486, or even a P1/P2, in a closet nearby. The challenge will be to render it useful, as John realises:

"The latest and greatest Web browser I could find for Windows 3.x was Internet Explorer 5.01. This was surprisingly modern — I thought IE 4.01 was the last version for Windows 3.x. Alas, it’s not modern enough. After installing this browser, it quickly became apparent that you can go almost nowhere with IE 5.01."

And IE 5 is not 15 years ago - it is more like 5.

Now, why should you, a security-minded reader, care about the fact that John failed this project?

Several reasons come to mind:
  • From a continuity point of view - if you rely on some old hard-/software, make sure you have the tools and systems available in case of a failure.
It is not enough to dust off the old software boxes; you need to set up a system in parallel and see that you have all the bits it takes. I even suggest you make this a routine thing - once every year, month or week - depending on the criticality. I also suggest you start planning to change the old system for something a bit more modern.
  • From a data storage point of view - if software can become totally obsolete in less than 5 years, you need to make very sure that your backup systems, long-time storage and other data you may require access to in the future use technology you are able to access.
If you have a bundle of old tapes from a streamer that got replaced some time back - will you be able to access that data? Also consider the long-time effect light, magnetism and dust have on equipment. CDs and DVDs are not safe for more than 10 years of storage - but even that is no guarantee. (As opposed to the advertisements in the middle of the 1990s, claiming CDs to be the best long-term data storage available...could last for a hundred years, they claimed...)
  • From a compliance point of view - if you are obliged to store information for a period of time - 3, 5, 7 or 10 years - you are also obliged to be able to access the same data in the future. It is your responsibility, and it is usually a good idea to plan the technology at the same time you plan what and where to store your data.

I find one of the comments to the article particularly nice:

"What will happen in the next 5 years? Is XP, 2000 going to be out of date also? Will we be able to keep up with the changes that are coming? How can we keep up to speed? "


Yes, XP, 2000 and many others will be out of date. 2000 actually did this summer, when MS pulled the support for it. Anyone remember OS/2? DOS I guess most still remember, but only hardcore old guys still use it to some extent. The world (and the technology with it) moves on.

To keep up with changes, you need to keep track of what is going on, as well as of your own requirements. You are required to update once in a while, but you do not need to jump on the latest versions of everything - unless you have special requirements. It is simply a matter of balancing your needs.



5 tips on policies

The following are 5 tips on working with policies in a corporation. They are simple and to the point.

Enforce the policies

Enforce the policies through incentives. Make sure that you use the policies, or they may be useless when you try to enforce them 5 years down the line.

Follow up policies with technology

Use technology to control and enforce the policies. Never develop policies to adapt to the technology - it must be the other way around. If in doubt, hire a specialist.

Review and audit regularly

Technology, markets, regulations and people change all the time. Policies need to be audited and adapted as you go - regularly. Make sure employees are allowed to suggest changes. If errors are discovered - make sure to act swiftly to update the policy.

Corporate governance is key

Corporate Governance is not only a new buzzword. It is only a new name for an age-old best-practice.

1. Set targets / visions

2. Draw the path through strategies and tactics.

3. Compare the outcome with targets/vision.

4. Start over

The purpose is simply to put forward a set of methods to ensure quality, traceability and documentation. You can do it on a large scale or a small scale - the principles stay the same.

Remove the bad apples

Bad apples must be handled correctly. Get rid of them by using their forces and turning them into valuable gems.

Or, throw them out of the basket.

------------------------------

This is part two of the article Bad advice for good security, as it appeared on Risksopportunities 2007.

Part one is available here.

Enforcing corporate policies

Bad advice comes from everywhere. One of the struggles of security is to teach management and employees alike the importance of policies and regulations, and the need to abide by them.

In an organization, there are rules. Rules are there to be followed - like it or not. To make sure that the rules are followed, most of them are written down as procedures and policies. That makes them easy to control, and to change when necessary. The challenge is that not everyone follows the rules.

Policies enforce behavior

Humans are different - some are energetic and full of ideas, some are very down to detail and control. Others prefer a nice workplace where everyone is happy and calm. Others again like to be in control and drive their own agenda forward. The more people you put in a room, the more diverse the group will be. And without a clear leadership and management, the group will not be able to efficiently come up with anything but noise.

In a corporate world the same scenario is true. You need to control your employees and join their efforts to push in the same direction. On a day-to-day basis, policies are used to control the behavior and to put in place a set of methods and processes.

No incentives - no followers

One very important thing about policies is the fact that if you give no incentives to follow them, people will soon start to make up their own ways of doing things. To the one employee it may make perfect sense to use his laptop to store personal images and share music. To the company, this sort of behavior may result in lawsuits and liability.

The incentives will vary from organization to organization. The most important is that if an employee does not follow the rules, then a penalty must occur. The penalty should be widely known, and practiced.

A few years ago, a Norwegian oil company tried to sack a team of employees that had viewed adult movies on one of the oil rigs. The company did have a policy that prohibited any kind of adult material from being viewed using their systems. So you would think they had a clear case. Not so: the policy had never been enforced. The company had to take the employees back in, and even pay a penalty.

The lesson to be learned is simple - when you have a policy in place, make sure you enforce it.

Technology is a supplement

Technology should supplement policies - not the other way around. You should never invest in (security) technology and then make the policies.

The purpose of security technology with regard to policies is to enforce the policies, to check that they are being followed and to trace possible violations. To do so, you first need to know the behavior you would like to have in place (the policy), and then you invest in and set up the necessary tools to check if the policy is followed.

Technology includes tools that remove threats, tools that enforce a particular behavior, tools that log and analyze the movement and use of your employees, as well as tools to audit, control and change the policies themselves.

Today there is a great demand for this kind of technology. The driving force is not so much the company itself. The driving force is the need for the company to stay compliant with public regulations like SOx, HIPAA, PCI and the like. These regulations come in different flavors, from international, to regional, via national laws, and finally as policies in the company. Then add industry standards like ISO. Clearly you need some technology to help you stay on top of the problems. Still, always remember to have the policies in place beforehand - the technology is only there to support and enforce your policies.

Review and audit

If you do not like the policies - or do not understand the reason behind them - then ask around internally. If you have the knowledge and the power, you may change them - a process that should be a major part of the rules, and it is called auditing.

Auditing is important to keep your policies and your employees up to speed.

If you have a policy that your employees see is useless, or wrong, they will try to find ways around it. You need to teach them that if the policy is wrong, the right way of doing things is to change the policy. It must be easy to report errors. It should be positive to report errors.

Errors happen all the time. If you fail to catch the errors, how will you be able to improve?

The Toyota Production System is one way to do this. The purpose is to improve and manage quality. Toyota does this by emphasizing the need for improvement. They proactively ask their employees to come up with better ways to do their job.

Rule breakers

In every organization you have the people who always seem to be breaking the rules. Some are in R&D - and there they are doing a great job. But other employees who break the rules with intent must be identified and removed. They are working against the target of the company, and they are reducing the inner bonding and cooperation of the team.

Most importantly, rule breakers pose a risk to the organization. You will never be able to control everyone 100%, but most people will follow most rules if given a reason to do so.

If you add noise to the group in the form of a rule breaker, the team will soon stop following the policies. And of course - people who do not abide by the rules are more likely to sell off company secrets, pose threats to the company and be an overall liability.

The challenge is to discover and neutralize such elements. Especially since they very well may add great value to the organization by their opportunistic views and new ideas. You see them in R&D, Sales and as business developers.

The bad bones you must remove. But if you cater for them correctly, and stay in control, any organization has great benefits from these people.

Success with policies

Policies are a set of rules put in place to ensure a particular behavior. Many policies out there are worthless - either because they are not being enforced, they are wrong or outdated, or they have been put in place for the wrong reasons.

Success with policies comes by combining the right mix of incentives and controls, with regular updates and audits. But if you forget that the policies are all about human behavior, you will fail.

------------------------------------------

Article as published on Risksopportunities.

Part two - 5 tips on policies - will be available from March 10. 2008.


The blogger is Kai Roer, a European Information security professional.
