Osterman Research

We have just published a major study of messaging in the small- and mid-sized business (SMB) market in North America. Here’s some of what we found:

• Interestingly, despite the fact that SaaS can reduce the cost of providing email, particularly for smaller organizations, many decision makers are absolutely against the use of this delivery model for email. Most SMB decision makers believe that in-house infrastructure managed by internal IT staff is the most desirable approach for managing email capabilities. Not surprisingly, appliances are preferred by a large proportion of SMBs – even more than SaaS services. However, many SMBs would likely or definitely deploy – or seriously consider deploying – an email system using more than one delivery model.
• The top four problems in managing SMB email systems are storage related: increase backup/restore times, growing sizes of messages, users sending large attachments, and overall growth in email storage requirements.
• Some of the more popular social networking tools are generally not perceived by IT decision makers to be legitimate. For example, Twitter is viewed by fewer than one in three decision makers to be legitimate and Facebook fares only slightly better. Even LinkedIn, a clearly business-focused social networking site, is viewed as non-legitimate by two out of five decision makers.
• Mobile platforms in the SMB space are led by RIM BlackBerry devices, accounting for a substantial proportion of end users’ mobile devices. This penetration is expected to remain steady into 2010. However, the penetration of the iPhone will increase substantially during the forecast period. Similarly, mobile phones that use the Google Android operating system are expected to approximately double in use between 2009 and 2010.
• Green computing, while certainly not dead as an issue in server, data center and other IT infrastructure planning, is probably not going to be a major factor for purchasing decisions among SMBs over the next few years. While SMBs will want to reap the benefits of green computing, such as hardware cost savings and reduced power consumption, the economics of these decisions will likely play a much greater role than the PR value of “going green”.

As I and many others have discussed before, data leaks are a fact of life when employees are allowed to use communication tools of any kind, including email, instant messaging or even the telephone. Social networking tools like Facebook and Twitter have become a key and growing area of concern for many decision makers because these tools are typically used independently of IT management or oversight.
An interesting example of such a data leak - albeit not a corporate one - is an Israeli soldier's post to Facebook about an upcoming raid by Israel's Defense Forces in the West Bank. The soldier's post, which included both the time and location of the operation, prompted the IDF to call it off. More information about the incident is available here.
This should serve as a good lesson for senior business managers, IT management and others in organizations that allow the use of social networking tools: while these tools can be incredibly useful in a business context and their use should be encouraged, unmanaged posting to these sites can result in the revelation of information you might not want the outside world to know.
Osterman Research will be publishing a white paper in March on why organizations need to focus on managing the content that leaves their organization through email, instant messaging systems, social networking tools and other systems.

Social networking tools like Twitter, Facebook, LinkedIn and a growing variety of other Web 2.0 tools offer a number of benefits: they allow you to monitor trends among customers and prospects, they provide a vehicle for low-impact marketing, they can give your key people a presence as thought leaders or industry gurus, and they provide a channel to communicate with individuals that might not otherwise hear your message.

But these tools also have a number of downsides: every employee that tweets or posts or recommends using one of these tools becomes your company’s de facto spokesperson – whether you like it or not. An employee can inadvertently divulge confidential or sensitive information in violation of corporate policies, regulatory obligations or legal counsel’s advice. Plus, social networking tools carry with them a key problem that consumer-facing instant messaging clients have always had: as capabilities that users initiate, those users define their online moniker and how and when the tools are used.

There are a number of things that IT can do in response to the problems posed by social networking and other Web 2.0 tools:

• Block their use (good luck with that).
• Implement policies about acceptable use. This is a good and necessary first step, but it won’t solve much of the problem.
• Pre-review tweets and other postings. This provides IT with lots of control, but negates the timeliness of posts and requires enormous IT and/or compliance resources to manage properly.
• Implement lexicon-based or other policy management tools that will scan outbound content for violations. This is a useful approach, but can lead to false positives and it misses certain types of content, particularly whn usrs r tryng 2 stay under 140 chars.
• Archive all content that is sent to social networking sites. This is a good approach because it can capture all content and make it available for review, legal discovery and regulatory compliance audits, despite the fact that it does represent an extra expense for IT.

LiveOffice has just announced Social Archive, a solution designed to archive content from social networking sites. The solution archives this content and also makes it available for monitoring, discovery, audit and other purposes. This is a necessity in the financial services industry, particularly in light of FINRA’s Regulatory Notice 10-06 that defines the regulator’s position on the use of social networking tools by registered representatives and others. However, archiving social media content should also be a consideration by those in less regulated industries as a best practice to monitor for inadvertent data breaches and other communication that might not be considered acceptable according to corporate policies. It can also be useful for things like e-discovery, since there will be an increasing number of discovery efforts in the future that will require production of social networking content.

On February 22nd, Iron Mountain announced that it had acquired archiving vendor Mimosa Systems for $112 million – 5.4 times Mimosa’s 2009 revenues of $20.6 million.

The acquisition is an interesting one on a couple of levels. First, Mimosa Systems is a very solid archiving vendor, one of the leading players in the email archiving space, despite the fact that the company was not yet profitable (it had a bit more than $32 million in expenses in 2009). The company also offers archiving capabilities for SharePoint and other electronic content, as well as e-discovery, .PST archiving and disaster recovery solutions. Mimosa was fairly well funded, receiving $34.5 million in venture capital funding by April 2008 and another $17 million from various sources through January of this year.

Second, the acquisition is interesting because it bucks the trend in which hosted archiving vendors have been the prime acquisition targets (Fortiva, ZANTAZ, MX Logic, MessageLabs, FrontBridge, MessageOne, etc.) By acquiring Mimosa, Iron Mountain now has a very solid player in the on-premise archiving space and a broader range of offerings for archiving customers. Plus, it gives them the opportunity to provide a solid hybrid offering, a trend that we think will pick up steam over the next 24 months.

The acquisition price was certainly not high by historical standards. For example, Veritas bought KVS for $225 million in 2004 and EMC bought LEGATO for $1.3 billion in 2003. However, given the size of Mimosa’s substantial customer base, coupled with a still soft economy, the value of the deal was not at all bad for either company.

One of the traditional difficulties of business travel has been not having access to files when you need them. You can take key files with you on a USB stick, but reviewing a proposal or making changes to a document, for example, can result in confusion about the latest version of a file, making changes to an old document, etc. One of the ways around this is the use of online productivity applications, such as Google Docs, that permit access to the latest versions of every file because they are on the Web and not on a desktop machine or in some other location that might be inaccessible. However, for those that still rely heavily on traditional, desktop applications, there are several Web-based file synchronization tools that allow your content to be automatically available on every platform you use.

I have used two such solutions, SugarSync (http://www.sugarsync.com) and Dropbox (http://www.dropbox.com), and have generally favorable impressions of both:

• Both tools provide very easy setup: you install a small footprint application on your “home” computer and define the files and/or folders that you want to synchronize across your other computers. You can then set up as many other platforms as you’d like, such as your notebook or home computer, installing the same application on each.
• SugarSync is a bit more flexible in defining content to synchronize, since you can specify any file or folder on your computer; Dropbox requires a specific folder into which you move the content you want to synchronize (although the SugarSync capability is a planned feature in Dropbox).
• After the initial synchronization takes place (which can take a few days depending on the amount of data you’re copying and the speed of your connection), all of your files are available in the cloud. When you connect with your remote platform, all of the files that you’ve identified on your home computer are downloaded.
• From that point, synchronization is automatic – update and save a file on any platform and the file is copied to the cloud. The next time you connect with any other platform in your network, any changed files are automatically downloaded. All of your files are also available in the cloud, accessible via any Web browser.
• One of the nice features of both SugarSync and Dropbox is that they work with both Windows and Mac platforms (which I really appreciate because I use both platforms), although Dropbox for the Mac is still in beta mode as of this writing. Dropbox also has a Linux version and supports the iPhone; SugarSync does not support Linux, but supports the iPhone, BlackBerry, Windows Mobile and Android platforms.

As noted, I have used both tools and generally have had good experiences with both. That said, I have had some problems with SugarSync, such as its automatically appending more than 2,000 files on my Mac with “(from [computer name])” – an annoying, but relatively harmless problem. Dropbox has caused a few problems, as well, such as creating multiple copies of a file because it perceives a conflict between file versions. On one occasion, this led me to send the wrong draft of a white paper to a client, which was a bit embarrassing – I attribute the versioning problem to the fact that Dropbox for the Mac is still version 0.7+.

Bottom line: I would recommend either tool, but lean slightly toward SugarSync because a) it is out of beta on the Mac, and b) it provides greater flexibility in terms of the content that you want to synchronize.

IT managers, CIOs, CTOs and others make technology decisions about a wide variety of solutions that impact how we work: email, archiving, encryption, collaboration, managed file transfer, Web 2.0 applications and so forth. Decision makers take into account the features and functions these systems will provide, how they will mitigate risk, how they will boost productivity or how they will boost revenue.

However, I believe that a key missing element in the analysis of what will work and how much it will cost is how (or even if) it will be used. This is simply because a key determinant in the success of many technology solutions is the existing culture of the corporate environment. For example:

• If you deploy a corporate collaboration system based on social networking that allows employees to share information through Twitter-like capabilities, blogging and the like, but your corporate culture rewards employees for hoarding information, the collaboration system will have little impact and might actually be resented by some.
• If you deploy easy-to-use, manual encryption capabilities for your employees, but do not make it easy for your employees’ recipients to receive and open encrypted emails, few will send encrypted communications.
• If you want to alleviate the burden of large attachments sent through email and improve the security of your content by deploying a managed file transfer system, it will be necessary to make this system about as easy to use as email. However, if a file transfer system is cumbersome and disruptive to normal workflows, it simply won’t be used.

The key, therefore, is to examine technology solutions in light of the existing corporate culture to see what will be used and what employees will simply ignore. Corporate edicts of “thou shalt use” the new technology are unlikely to work – employees will typically find workarounds that will negate the value of the investment in the new technology. Instead, corporate culture should be the first thing that decision makers review in light of a) the current state of the culture and b) where they might like it to be. For example, if productivity and the bottom line will be improved by employees sharing information, they must first develop a corporate culture that rewards people for sharing information, working in teams, developing communities of content sharing and the like – and then deploy solutions that will enable that to happen.

Deploying technology first and hoping corporate culture catches up rarely works.

I originally wrote this for Network World Fusion back in July 2008, but thought it would be timely for presentation again:

There’s a lot of talk about unified communications – the integration of email, voice, fax, video, presence-enabled applications like instant messaging, collaboration tools and other capabilities into a unified system that can be accessed through a single interface. But what if we look 10 years down the road and examine the characteristics of a truly unified communications system? Here are my thoughts on what that might look like:

Instead of having multiple email addresses, instant messaging handles, phone numbers, etc., each of us would have just a single address – either an email address as we have today or a phone number. To support this, we would have a powerful directory system that would be populated with information on all of our various modes of communication – published and unlisted phone numbers, email addresses, instant messaging handles, etc. – as well as detailed information on our preferred methods of communication based on time of day, day of the week, presence status, travel status and, perhaps, even our current mood based on biometric sensors at our desk or on our mobile device. For example, based on my presence information, when I’m out of the office on business travel I may prefer to receive a communication from a business associate as a text message on my mobile device. However, if that communication were urgent, it would then be converted to a voice call for both the sender and recipient so that a real-time conversation could take place. If that communication took place on a weekend, a normal message might be sent to my email client, but an emergency message might go to my home number. The bottom line is that the sender does not know how to reach us – he or she simply sends a message to our only address and we, using a sophisticated directory system, decide how and when to receive these communications.

The interface for such a system, I believe, will look more like social networking tools we know today than traditional email clients. For example, in Facebook I can receive emails, view the presence status of others in my network and obtain other relevant information all from a single interface.

Further, such a system would learn from my behavior and would be tightly integrated with a variety of Web services. For example, instead of having to set up an autoresponder in email when I’m gone to a conference, the system would know my travel plans and automatically enable and disable the autoresponder.

I’d like to get your take on this: what do you think unified communications will look like 10 years from now. Please send me an email with your thoughts.

Michael Sampson is an industry analyst who for many years has focused on collaboration practices and technologies with an emphasis on how distributed teams can work together more effectively. He is on my short list of most respected analysts in the collaboration space. Recently, he graciously sent me his new book, SharePoint Roadmap for Collaboration. I would highly recommend it for anyone that is using SharePoint, considering it, or just needs to get up to speed on how collaboration technologies from any vendor can be used more effectively.

In the book, he discusses his “7 Pillars Model for Team Collaboration”, a framework that he developed in 2005 for evaluating collaboration technologies without the vendor-bias that can sometimes be present using other methods to evaluate them. Michael offers a frank assessment of SharePoint in the context of these seven pillars, giving it a pass or fail grade for each.

I won’t give away his ratings for SharePoint on each of the pillars, since I really think you should invest in this book, but Pillar 5: Social Engagement is of particular interest to me because of its impact on corporate culture and the way that distributed teams work. Michael’s assertion, with which I agree, is that collaborative technologies that are made available to teams of distributed co-workers should have a) presence and availability information for each team member made available to all other team members, b) the ability to interact in real time, and c) personal blogging capabilities. The goal is to recreate, as closely as possible, the typical office environment in which people can interact by walking down the hall, schmooze at the water cooler, overhear others’ conversations, and so forth. The goal of recreating this environment is that information of a less formal nature can be shared by all team members, allowing them to use this information for the advantage of the team and allowing them to interact on an ad hoc basis whenever they are available to do so. Michael points out that SharePoint by itself does not offer all of these capabilities, but in conjunction with OCS 2007 these capabilities are available.

While SharePoint Roadmap for Collaboration is focused on SharePoint and users of that offering will derive the greatest value from it, it also offers some valuable insights for organizations that are focused on other collaboration offerings. Given that collaboration is a major thrust at IBM with its growing set of excellent offerings focused on real-time communications, Web conferencing and social interaction; and that Novell is also pursuing this focus with its innovative Pulse offering, as are other vendors, Michael’s book is definitely worth a read even if SharePoint is not your immediate interest.

Michael can be contacted at michael@michaelsampson.net.

Without doubt, the Apple iPad is an extremely cool device. Watching the video on their Web site, I would definitely like to have one.
But where does the iPad fit for business travelers? Here's my two cents:

• If I was going on a day trip and had no plans to do any writing of more than a few paragraphs, a Wi-Fi-enabled, 3G-enabled iPad would be a great device for checking emails, watching a video or reading a book on the plane, writing a short blog post, etc.
• If I was visiting a client and wanted to make a presentation, the iPad would also be a great device.
• However, if I was traveling overnight or longer, would the iPad be my device of choice? Maybe, but answering 50 emails would likely be more difficult than on a laptop or netbook. Writing multi-page reports would be even more difficult.

Admittedly, I have not held an iPad and can't evaluate its virtual keyboard more thoroughly. However, I'm not sure I would want to lug around both an iPad and my MacBook Air on a trip. (That said, I will probably end up getting one at some point.)
So, where do you think the iPad will fit for your business travel?

Why do we have an office? For must of us, it's so that we can have a physical location in which to receive and send emails, make calls, access files, visit Web sites, write documents, build spreadsheets and tweet.
We're all familiar with the ubiquitous "out of office" messages that are the automatic response to emails received when we're physically out of the office - we create them when we're physically removed from our office. But, in an era in which our notebooks and mobile devices can receive and send emails, allow us to make calls, access files, visit Web sites, write documents, build spreadsheets and tweet, what does an "office" really mean? Not much. With unified communications systems that build on all of these capabilities, an office means even less.
So why do we still use "out of office" messages?

The Financial Industry Regulatory Authority (FINRA) has issued a regulatory notice that provides its guidance on how registered representatives should use, and how their firms should manage, postings on social networking sites and blogs. Here are some highlights:

• Firms must preserve the communications sent through social networking sites relevant to broker-dealers' business dealings. SEC Rules 17a-3 and 17a-4 and NASD Rule 3110 apply to these communications.
• A securities recommendation made through social networking tools must be "suitable for every investor to whom it is made". NASD Rule 2310 applies here.
• Firms must supervise relevant employees' electronic communications, including those posted to blogs and social networking sites. NASD Rules 2711(b)(3)(A), 3110(j) and 3070(c), and NYSE Rules 472(b)(3), 410 and 401A may apply here, depending on the type of communication involved.
• "Firms must adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised, have the necessary training and background to engage in such activities, and do not present undue risks to investors."

The bottom line in this notice is that social networking tools - Twitter, Facebook, blogs, etc. - are fundamentally no different than the other types of electronic communication tools on which FINRA and the SEC have previously imposed requirements. Communication using newer tools must be supervised, managed and archived just like email and instant messages have been for years.
You can read the notice here.

At GWAVAcon yesterday in Las Vegas, I had an interesting discussion with three gentlemen from SEP Software.
We were talking about long-term archiving and the problems associated with accessing old data for which systems are no longer available. For example, if you have a regulatory compliance obligation to preserve data for 10 years or more (a likely possibility in the healthcare, chemicals and other industries) how will you access data that old? If you have archived the content to tape, machines capable of reading those tapes might no longer be available, or services that can extract the data might be extraordinarily expensive. You can archive them to optical media, but you could have the same problem. You could print your records on paper, but that's is very onerous and expensive.
I suggested that perhaps the best way to manage long term archival is simply to dump the problem on someone else, namely SaaS archiving providers. They will still need to upgrade their storage media over time as on-premise deployments will need to do, but it becomes their problem instead of their customers'. Plus, given that they are specialist providers, they could likely accomplish the migration at a lower cost per bit than you could.
For those opposed to SaaS archiving, a hybrid approach that combines near- and mid-term archival using on-premise systems with long-term archival in the cloud could provide that future-proofing that companies will eventually need.

Mobility in its greater context – namely, enabling employees to work from any location – is becoming more common as a means of increasing organizational flexibility, reducing operating expenses, reducing taxes and improving customer service. Mobile messaging is a key component of this trend by enabling properly equipped workers to send and receive email, access the Web and Web 2.0 applications, use corporate applications and communicate in a variety of ways regardless of where they work.

Although mobile messaging carries with it the promise of significantly enhanced employee productivity, faster decision making and greater overall efficiency for organizations of all sizes, it also carries with it a number of quite serious risks. Among these risks are:

• Loss of sensitive or confidential data - In a survey of mid-sized and large organizations conducted by Osterman Research in 2009, the most serious problem faced by organizations in the context of their mobile messaging use is the loss of corporate data in the event a device is physically lost.
• An inability to archive mobile content - Another survey conducted by Osterman Research during 2009 found that 20% of corporate data in mid-sized and large organizations is contained on mobile devices of various types. However, few organizations have a way of archiving this content.
• An inability to monitor communications sent via mobile devices - Organizations must be able to monitor communications to detect policy or legal obligations.
• Violation of compliance obligations - There are a growing number of obligations with which virtually every organization must comply. These obligations, which are focused primarily on the archiving, encryption and monitoring of certain types of communications, are increasing in number worldwide.

In short, organizations face a variety of risks from their inability to properly manage, secure and archive the use of mobile devices in their organizations.

The answer, then, is to deploy a capability that will permit mobile devices to be used as freely as possible by as many people in an organization as necessary, while at the same time allowing IT to manage these devices and the content that users send and receive with them.

We have just published an executive brief on this topic that you can download at http://www.ostermanresearch.com/whitepapers/download102.htm.

I am attending Lotusphere in Orlando, always an interesting and enjoyable time in (mostly) sunny and warm Florida.
There have been three major themes for this Lotusphere thus far:

• Cloud: IBM is making major strides toward moving its offerings into the cloud. Announced last week, and mentioned today, is that Panasonic will be migrating 380,000 employees to LotusLive, clearly the largest cloud deployment to date. Many of Panasonic’s employees are new to email, while the rest are migrating from a combination of platforms, including Exchange. Somewhat surprisingly, Panasonic is not migrating slowly to LotusLive, but instead started migrating employees in a serious way the week after the agreement was signed. Interestingly, the primary use case for LotusLive is not replacement of on-premise infrastructure, but instead additive to the existing on-premise infrastructure of on-premise Notes deployments.
• Mobility: IBM is also focusing heavily on mobility, demonstrating a number of interesting mobility-based features and functions for Notes, Sametime and other platforms. One of the first speakers at the Monday morning keynote was from RIM, although announcements were also made for the iPhone, as well.
• Vulcan: Project Vulcan is the evolution of the Lotus portfolio into the next generation of collaboration offerings. A variety of what are essentially “pre-alpha” software offerings will be made available through LotusLive for the purpose of offering new capabilities rapidly from the IBM Research labs. While the new offerings will be offered perhaps monthly, specific support will not be provided.

Arguably, the most interesting of the announcements was Project Vulcan, including the unavoidable references to Mr. Spock and the alternatives being “illogical”. The announcement has the combined feel of the interesting and innovative products that Google offers through the beta versions of its products; and the offerings that you might find from a small startup that is providing its offerings at no cost in order to gain visibility.
As a company, IBM has an interesting persona. As the second largest software company, they strike me as a bit self-deprecating. Their thrust in Collaboration Agenda, for example, will focus only secondarily on their own solutions. Their Panasonic win is, by far, the largest cloud computing deployment ever, yet it did not receive inordinate attention at Lotusphere. LotusLive now has more than 18 million seats deployed, yet this was mentioned only in passing.
By no means do I mention this in a pejorative way – in fact, I believe this persona makes IBM’s offerings better and the company a more formidable competitor in the long run. Further, being second in the market is a benefit to IBM’s customers, in part, because it forces the company to do things that it might not otherwise do – build for a wide variety of platforms, offer a robust desktop productivity suite at no charge, etc.

Panasonic will be migrating its users worldwide from Microsoft Exchange to LotusLive, IBM's cloud-based Notes service. Although 100,000 users will be involved in the initial migration, a total of 300,000 internal and external users will eventually be migrated. More information is available at CNET.
The win is a big one for IBM on two fronts: first, this is a major win for IBM which has seen some of its customers migrate away from Notes to Exchange. Second, and perhaps more importantly, this is an enormous cloud deployment, the largest to date. It follows the March 2009 announcement that GlaxoSmithKline would migrate 100,000 users to Microsoft BPOS.
While many view cloud-based email and collaboration as primarily for SMBs, that simply is not the case anymore. The Panasonic announcement, and the GSK announcement early last year, should help decision makers to realize that.

I have been writing this column since the beginning of 2000, first for Network World Fusion and now for Messaging Wire. In looking over a couple of columns I wrote in January 2000, I found the following results from a study we had done while I was at Creative Networks:

• We found that about two in five organizations does not have an email or document retention policy, and that one in six organizations has not implemented any policies related specifically to archiving or backing up the messaging system.

• One-quarter of email users are not able to retrieve information from the backed up or archived message store. That means that for a large percentage of users, old information in the message store is not accessible once it becomes more than a few weeks old.

• We also found that the median message store space allotted to each user is 45 megabytes.

What has changed during the past 10 years? Surprisingly, not a tremendous amount.

For example, a survey that Osterman Research conducted during late summer 2009 found that 12% of organizations do not have a policy focused on the use of email and other communications technologies, while another 2009 Osterman Research study found that more than one-quarter of organizations have not yet established any sort of email retention policy. That’s certainly better than the situation a decade ago, but not as good as it should be.

An Osterman Research study in 2009 found that for 55% of users, old email gets archived only if individual users do so themselves to a local hard disk, a file server, etc. While a larger proportion of organizations archive their email today than was the case 10 years ago, there has not been a tremendous amount of progress here either.

What has changed dramatically, however, is the amount of space allotted to users’ mailboxes. A 2009 study found that the median mailbox quota size is 200 megabytes, more than four times the size of a mailbox 10 years ago. This is due largely to the much greater use of email and attachments, more use of multimedia, etc.

In short, we have found progress in the adoption of archiving and retention policies over the past 10 years – but not quite as much as many had anticipated.

I have been participating in a series of seminars around North America with a leading anti-malware company, discussing the growing problem of malware and the impacts it is having on organizations large and small. At several of these seminars, I have asked the audience members if they have any sort of anti-virus software installed on their mobile devices. Out of all the times I have asked the question, only one person indicated that they have any sort of anti-virus or anti-malware capability on their mobile device.

What this means is that there is an enormous vulnerability for corporate networks given that smartphones and other mobile devices are used extensively for accessing corporate email, the Web, etc. For example, a study we did in late 2009 found that 12% of email users check their work-related email from home using a smartphone as the primary way of doing that. Many users are not going in through a VPN or other secure tunnel, instead relying on their home Wi-Fi network or their carrier’s network, potentially allowing malware and other bad stuff into their mobile device and then into their corporate network.

The problem is not a theoretical one. Malware was first discovered for the Symbian platform in June 2004 and for the Windows CE platform a month later. Last year saw the introduction of a variety of new malware aimed at the iPhone and Android platforms. Today, there are hundreds of mobile-specific threats – I anticipate that the number of such threats will grow dramatically this year with the increasing adoption of mobile devices as a means of accessing corporate email systems, the Web, Web 2.0 applications and the like.

There are a variety of tools you can install on a mobile device to thwart malware, including:

• Airscanner AntiVirus for Windows Mobile (http://www.airscanner.com/downloads/av/av.html)
• F-Secure Mobile Security (http://campaigns.f-secure.com/mobile-security/index.html)
• Kaspersky Mobile Security (http://www.kaspersky.com/mobile_downloads)
• NetQin Mobile Antivirus (http://www.netqin.com/en/products/antivirus/)
• Norton Smartphone Security (http://www.symantec-norton.com/Norton_Smartphone_Security_p36.aspx)
• Trend Micro Mobile Security (http://us.trendmicro.com/us/products/mobile-security/)

The bottom line is that mobile devices are now indispensable for anyone who travels, as well as for many who use them in an office or when working from home. Not having good anti-malware capabilities for these devices, whether deployed on the device itself or through some other means, means additional risk that organizations should simply not take.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009. Part of the “stimulus” bill that Congress passed, HITECH modifies the Health Insurance Portability and Accountability Act (HIPAA) that has been in effect for many years.

There are a number of areas in which HITECH will have a significant impact:

• Previously, physicians were permitted to disclose electronic health information to others if that disclosure was necessary for treatment of patients, payment of claims, etc. That has not changed, but now physicians will be required to track when that information is disclosed, necessitating them to implement policies, procedures and technologies to help them do that. That means that if they disclose electronic health information for a patient, they must track that information wherever it might go for as long as it exists.
• However, while HIPAA previously applied mostly to physicians, medical practices, hospitals and the like, now the business associates of these entities will be required to comply with HIPAA’s rules about the security and privacy of protected health information (PHI). That means that if you’re an accountant, a benefits provider, an attorney or anyone else who is given access to PHI, HIPAA now applies to you.
• Breach notification rules have been significantly beefed up in the new HIPAA. For example, if 10 patients’ records are breached, the offending organization must post information about the breach. If the breach impacts 500+ patients, every patient in the offender’s operation must be notified, the secretary of Health and Human Services must be told, and a prominent, local media outlet must be notified.

What does this mean for those who use email for the transmission of PHI or store it electronically? First, it will negatively impact small medical practices the most because, like any small business, these operations spend the most per patient on technology solutions. These practices will need to implement encryption solutions that will protect data in transit and at rest. Their business partners will also need to implement this technology so as to manage PHI during the entire lifecycle of the information.

For larger operations like hospitals and large medical practices, costs will also go up to protect PHI in more robust ways than has previously been necessary. Here, too, business partners of these larger organizations will need to implement encryption and other technologies to protect PHI.

Long term, profits in the healthcare industry will almost certainly decrease given that a) government is paying a larger share of healthcare costs over time, b) government will be paying less per patient in the future, and c) healthcare organizations will be spending more on technology to protect PHI.

On the positive side, PHI may be more protected as a result of these changes. Further, organizations inside and outside the healthcare industry will implement encryption technology (which they should be doing now anyway). Because the use of encryption is an important best practice, this might be the primary, positive impact that comes from the new HIPAA.

Communications is completely about surrogates, or the best available substitute when the better alternative is unavailable. For example, the telephone is a good surrogate for an in-person conversation when it would be impractical or impossible to be with the person to whom you're speaking. Email is a good surrogate for communicating with someone when they are a) not physically available and/or b) when it doesn't matter if they are available in real time. Web conferencing is a good substitute for in-person meetings when it is not possible or practical to meet.
Which leads to communication tools like Twitter used in a business context. While people who don't really get Twitter think of it as little more than a way to tell people what you're having for lunch or when you're waiting for a flight, it really can be much more than that. If you use Twitter correctly, it's really a surrogate for the people you think are likely to pass along useful information to you. For example, using Twitter is a surrogate for asking an industry veteran what he thinks of cloud-based computing. It's a surrogate for overhearing an elevator conversation about an article on color theory in marketing materials. It's a surrogate for asking a trusted contact what he or she thinks of a competitor's recent announcement.
Twitter, like any surrogate technology, is not perfect. Deep insights normally can't be conveyed in 140 characters. But it's a good way to keep tabs on who and what you think might be important in your job and in your personal life.