Overall, virtualization is a good thing, said Dave Asprey, VP of Cloud Security at Trend Micro, in a presentation at the recent Interop IT conference in Las Vegas.

But the problem is that, like driving — or dating — in high school, Asprey said, everyone’s doing virtualization now, but most aren’t doing it very well.

One key to using virtualization properly is knowing when it makes sense to virtualize servers. Here are seven situations in which Asprey said virtualization won’t benefit organizations:

1. When you already have predictability and stability

When deciding what to virtualize, Asprey recommends following the old rule, “If it ain’t broke, don’t fix it.” If something is already working well, adding virtualization to the mix will only add complexity and increase the possibility of downtime.

The exception, of course, is when you have to use an old operating system that’s no longer supported — in those cases, you’ll have to virtualize whether you want to or not.

2. When servers are already running at high capacity

Likewise, if a server is already running at high capacity, virtualizing won’t provide much benefit.

One of the biggest benefits of virtualization is that it allows companies to consolidate servers and get more out of the hardware they already have. But if a physical machine is already running at close to its full capacity, virtualizing will just add another component that draws CPU power and other resources.

3. When software licensing is tricky

As virtualization becomes more common, things are improving, but many software vendors still don’t have a virtualization model, Asprey says. That’s especially the case with highly specialized software from small vendors.

Your best bet in those situations: Hold off on virtualizing for now, and talk to the vendor and try to use your clout to negotiate a virtualization-friendly license.

4. When virtual machines just won’t work well

Some machines simply run better without virtualization, Asprey says. Those include machines with:

• High I/O apps like databases
• Disk-intensive workloads
• Graphics-intensive apps, and
• Hardware cards without virtualization drivers.

5. When applications are highly time-sensitive

Virtual machines use their own clocks, which are different from the clocks used by the host machine. Over time, tiny differences can lead the two clocks to drift apart, Asprey warns.

For that reason, companies may want to avoid using virtualization for highly time-sensitive applications, such as financial trading systems or some industrial control systems.

6. When you have no safe way to manage encryption keys

With physical servers, IT departments can keep USB drives with encryption keys locked and then plug them directly into servers when they’re needed. But with virtual servers that doesn’t always work, because virtual machines move and it can be tough to find which USB ports correspond to which machine.

Therefore, virtualization may not make sense for machines with high security needs, unless the company has a way to manage those keys. Asprey recommends policy-based encryption key management.

7. When you can’t pay for it

When used in the right situations, virtualization should help companies save money — but only if IT has the initial budget to implement it properly and make sure everything works, Asprey says. Even with low-cost or free open source tools, companies still need to pay for expertise and staff time to virtualize.

Doing a bad job will only require the company to spend a lot of money to fix problems down the road. Best bet: Don’t start virtualizing until you can convince the CFO to fully fund the project.

For web users, 2011 was a dangerous year, according to a recent report from Symantec. Overall malicious attacks increased 81% last year compared to the year before, including a 36% increase in the number of web-based attacks that were blocked per day.

As cybercriminals begin to rely less on email spam, the report notes, they’re more often using social networks and compromised websites to spread their attacks. Therefore, one of the keys to keep malware off of personal computers and corporate networks is staying clear of sites where malware is likely to be found.

The problem: That’s difficult to do, and there are a lot of misconceptions about what parts of the web are dangerous.

Many users assume pornography sites or those dedicated to illegal activities are most likely to be infected. However, as Symantec’s report shows, that’s not the case.

In fact, religious and ideological websites had three times as many malware infections on average than adult sites, Symantec says.

And the top categories of sites most likely to infected with malware were:

1. Blogs and web communications
2. Personally hosted sites
3. Business and economy
4. Shopping, and
5. Education and reference

The reason is that cycbercriminals have a lot of success compromising legitimate sites to conduct drive-by attacks. When people are on sites they trust, they’re less likely to take precautions that could prevent the attacks from being successful.

Symantec recommends businesses educate users on the realities of online security threats, as well as stay diligent about keeping software patched in order to limit the number of vulnerabilities that can be exploited.

Click here to download kit!   

As IT managers know, tech departments often get passed over for budget increases in favor of other areas that are seen as more crucial for producing revenue.

However, investments companies make in IT have a bigger impact on profitability than comparable spending in advertising and research and development, according to a recent study published in MIS Quarterly. The study looked at information from more than 400 companies from 1998 to 2003.

Although IT investments can have a significant positive impact, the effects of IT spending on profits were also more varied than in other areas, researchers reported in MIT Sloan Management Review.

The biggest gains were seen when companies invested in IT projects designed to increase sales growth and revenue — for example, projects that support customer satisfaction and customer retention strategies. For the companies studied, a $1 increase in IT spending per employee for those projects led to a $12.22 increase in sales per employee, on average.

In comparison, researchers found that IT projects implemented to boost efficiency and cut costs had a much smaller effect on profitability.

Click here to read the free whitepaper!   

Once the job market improves, the majority still plan to jump ship for other organizations.

IT employees will be more likely than workers in other areas to test the job market in the near future, according to a recent survey from recruiting firm Randstad Technologies. More than half (53%) of IT pros said they plan to explore other job opportunities when the market improves.

That’s despite the fact that most are generally happy with the positions they have now. Among the 319 IT employees surveyed:

1. 76% are proud to work for their organizations
2. 75% are inspired to do their best work every day
3. 68% feel their efforts are recognized by their employer, and
4. 63% enjoy going to work every day.

IT employees also feel optimistic about their current jobs, with 80% saying they feel they have job security and 77% believing that their employer has a great future.

However, IT hiring is picking up, and more quickly than in other areas of the job market. That means IT pros will have a lot of opportunities to make a change and companies must put in extra effort to hang on to their best tech workers.

What can IT managers offer employees to make them more likely to stay? According to a recent study conducted by InformationWeek, the things that matter most to IT pros include:

1. Salary – No surprise here, but 70% of IT employees looking for a new job cited a higher salary as their primary motivator.
2. More interesting work – 40% said they wanted a new job with more interesting duties.
3. Low-cost benefits – In addition to bigger factors like salary and job security, survey respondents also cited the importance of smaller benefits that can add up and have a big impact, including flexible schedules, vacation time and telecommuting opportunities.

Here’s some advice on improving data center performance and increasing efficiency, according Mark Thiele, executive VP of data center technologies at Switch, who spoke at the recent Interop conference in Las Vegas:

1. Know your power

Most small or mid-sized companies don’t have a facility that’s just a dedicated data center — the data is usually part of a general office space. That makes it difficult to measure how much power the data center itself is using, Thiele says, but if that power use isn’t monitored, it can’t be managed.

2. Think beyond the obvious stuff

While the bulk of data center energy is used to power servers and provide cooling, there are also a lot of smaller items that can add up and increase costs, Thiele says. Depending on the company, that might include things such as lights and the processes used to bring equipment in and out of the data center. Even something seemingly minor like taking new servers out of their boxes inside the data center can introduce a lot of dust into the server room and cause problems.

3. Raise temperature and humidity

We’ve written before about experts’ recommendations to turn up the heat in the data center in order to save money on cooling. Servers can typically handle higher temperatures than what most data centers are cooled to. And the same is true for humidity, Thiele says. Organizations can save a lot of energy without adding much risk by raising their humidity thresholds a small amount.

4. Focus on efficiency, not total costs

The goal of optimizing a data center’s power use shouldn’t be strictly to lower the company’s energy bill, Thiele says — it should be to get the most out of what the company is spending on power. In some cases, that will mean a lower bill, but in other situations, just cutting costs in the data center will decrease efficiency elsewhere.

None of IT’s security controls will make a difference if the business’s culture doesn’t value security, says John Pironti, President of IP Architects, LLC, who spoke at the recent Interop conference in Las Vegas.

IT security teams never get as much funding as they should, so IT has to leverage what they do have and get people to work for security. That’s tough, but not impossible, says Pironti. For example, a 2007 breach of TJX Companies, Inc., one of the largest data breaches of all time, was discovered by a group of cashiers, rather than security professionals.

So what can IT departments do to create a culture where security is on people’s minds, rather than viewed as a hindrance to operations?

That’s obviously a big undertaking that takes a lot of time, but here are a few key mistakes to avoid, according to Pironti:

1. Assuming you know the business’s priorities and needs

A discussion about security shouldn’t start with IT telling the CFO or other executive what must be done to prevent unacceptable security incidents — it should start with IT asking what is considered an acceptable risk. For example, it’s important for IT to understand what kind of losses from a data breach the organization is willing to accept.

Once that is known, the IT department can explain what types of threats the business must protect itself against and what tools and processes are needed to do that.

2. Using negative reinforcement

It’s often said that an organization’s biggest security threat is its employees. While there may be some truth to that, Pironti says, if IT departments tell users they’re the problem, it will be impossible to get them on board with security programs.

Instead of chastising users for mistakes, Pironti recommends giving them information to help them make better security decisions. One way to do that is to offer training that gives them tips on keeping their personal information secure — for example, how to use social networking securely, how to protect their children online, or how to safeguard their personal financial data. That will encourage people to think about security at home and at work and hopefully get them to learn more about IT security.

3. Focusing on technology, rather than objectives

While there are a lot of security tools available that can help businesses protect their data, Pironti says, businesses too often decide what tools they want to buy before figuring out what they need to do.

Security policies and objectives should be in place first. Only after that’s done should IT start deciding how to implement those policies and meet those objectives.

The Ponemon Institute Total Direct Cost Estimate for each incident was calculated using figures reported by the Ponemon Institute in its 2009 Annual Study: U.S. Cost of a Data Breach. The institute found that the direct cost of each compromised record was $60 in 2008. See page 5 of the report.

1. Citigroup/Citibank, N.A. – June 2011

Using a technique taught in Hacking 101, hackers manipulated the URL of Citigroup’s online banking website to steal account information from more than 300,000 customers including names, email addresses and card numbers. The company was liable for $2.7 million in unauthorized purchases made using the accounts of 3,400 card holders in North America.

Total Records Compromised: 360,000

Ponemon Institute Total Direct Cost Estimate: $21.6 million

Lesson Learned: Make sure your programmers know what they’re doing. There were a couple of basic steps the developers could’ve taken to prevent the attack. Citigroup was widely criticized for not doing more to provide secure online account access and for waiting too long to notify its customers of the breach.

2. Triwest/US Department of Defense – December 2002

Thieves broke into the Phoenix office of Triwest Healthcare Alliance and stole computer hard drives containing the Social Security numbers and other personal information of more than 500,000 military personnel and their families. Some credit card numbers were exposed as well.

Total Records Compromised: 562,000

Ponemon Institute Total Direct Cost Estimate: $33.7 million

Lesson Learned: This breach occurred at the time the Department of Defense was embarking on a project to computerize the health records of all military personnel. It prompted the military to examine both its physical and electronic security measures throughout its health care system.

3. Sutter Medical Foundation – October 2011

A password-protected but unencrypted desktop computer containing the names, addresses, birthdates, phone numbers and some email addresses of more than 4 million patients was stolen during a break-in at one of the foundation’s administrative offices in Sacramento, CA. The organization was in the process of encrypting the data stored on its computers when the theft occurred.

Total Records Compromised: 4.2 million

Ponemon Institute Total Direct Cost Estimate: $255 million

Lesson Learned: Physical security is just as important as electronic security.

4. Tricare Management Activity/US Department of Defense – September 2011

A Science Applications International Corporation (SAIC) contractor working for Tricare in San Antonio, TX, was supposed to transport back-up tapes from one government facility to another, except a thief broke into the contractor’s car while it was parked in a parking garage and stole the unencrypted tapes. Tricare is the health care system for active-duty military personnel and veterans. The tapes contained the names, addresses, phone numbers and Social Security numbers in addition to clinical notes, laboratory tests, and prescriptions of almost 5 million Tricare beneficiaries.

The agency initially spent more than $14 million on a mass mailing and running a call center to notify all current and former service members whose information was potentially compromised. The VA later agreed to pay out $20 million to settle a class-action lawsuit brought by the veterans and active-duty service members affected.

Total Records Compromised: 4.9 million

Ponemon Institute Total Direct Cost Estimate: $307 million

Lesson Learned: Another example of the importance of physical security (and data encryption).

5. Fidelity National Information Services – July 2007

A senior-level database administrator at Fidelity subsidiary Certegy Check Services stole more than 8 million consumer records and sold them to a data broker who then sold a subset of the records to numerous direct marketing companies. The employee was in charge of managing who had access to what data. The records included financial data like checking account details and credit card numbers, plus names, addresses and birth dates. Ultimately, the company paid out $6.7 million to settle court cases filed against it.

Total Records Compromised: 8.5 million

Ponemon Institute Total Direct Cost Estimate: $510 million

Lesson Learned: Install data loss prevention software and take other steps to limit employees’ abilities to copy data. The perpetrator was said to have copied the data and carried it out the door.

6. US Department of Veterans Affairs – May 2006

A laptop and external hard drive containing the names, addresses and Social Security numbers of US veterans and active-duty military personnel were stolen from a VA employee’s home. Victims filed a class action lawsuit and were awarded a $20 million judgment.

Total Records Compromised: 26.5 million

Ponemon Institute Total Direct Cost Estimate: $1.59 billion

Lesson Learned: Password-protect and encrypt your data. The stolen laptop and external hard drive weren’t password-protected, and the data wasn’t encrypted.

7. CardSystems Solutions – May 2005

Hackers infiltrated the company’s computer system after breaking in through the website customers used to access their accounts online. In total, 40 million names, card numbers and card security codes were exposed in the breach.

Total Records Compromised: 40 million

Ponemon Institute Total Direct Cost Estimate: $2.4 billion

Lesson Learned: Verify that your internal procedures are in compliance with business partner requirements designed to keep customer data secure. Being out of compliance could mean being out of business: While a forensic analysis showed that only a fraction of the compromised accounts were actually downloaded, it was revealed during the investigation that CardSystems Solutions kept an unauthorized file of transaction data in violation of MasterCard and Visa’s security policies – in the end, the company was forced into acquisition.

8. Sony Corporation – April 2011

Hackers swiped more than 70 million customer records, including financial information, by injecting rogue SQL code that performed database dumps.

Total Records Compromised: 77 million

Ponemon Institute Total Direct Cost Estimate: $4.62 billion

Lesson Learned: Install patches and updates regularly. The hackers exploited out-dated Apache web server software.

9. TJX Companies, Inc.  – January 2007

Hackers, led by the infamous Albert Gonzalez, stole almost 100 million credit and debit card numbers from the parent company of retail outlets TJ Maxx and Marshalls. The company was held liable for $64 million: $23 million in monetary awards resulting from class action lawsuits and $41 million in an out-of-court settlement with Visa.

Total Records Compromised: 94 million

Ponemon Institute Total Direct Cost Estimate: $5.64 billion

Lesson Learned: Secure your wireless networks. The criminals used war driving techniques to pinpoint holes in the company’s wireless networks. Once inside, they installed sniffer software to steal passwords and get access to the card numbers, which were used to buy millions of dollars worth of electronics from Walmart and other stores.

10. Heartland Payment Systems – January 2009

Gonzalez and his cohorts also stole more than 100 million account holders’ names, credit and debit card numbers, and expiration dates from Heartland Payment Systems, the 5^th largest electronic payment processor in the US. Heartland was forced to pay out $68 million in monetary damages as a result of class action lawsuits filed by victims and out-of-court settlements with American Express and Visa.

Total Records Compromised: 130 million

Ponemon Institute Total Direct Cost Estimate: $7.8 billion

Lesson Learned: Identify and fix your computer system’s vulnerabilities before hackers exploit them. The thieves stole the card data as it traveled unencrypted over the payment network and used it to rack up millions of dollars in fraudulent charges.

One of the biggest things companies must do to protect their data when it’s in the Cloud: Make sure providers are taking the proper security precautions.

However, a lot of businesses aren’t doing that, according to a recent survey by PwC and Infosecurity Europe.

The survey found that 73% of organizations have outsourced some business processes to a web-based provider. However, just 38% ensure that data held by external organizations is encrypted.

Smaller organizations in particular struggle to verify the security of cloud computing providers. In fact, more that half (56%) of small businesses don’t carry out any checks on cloud providers’ security. That could mean a lot of sensitive data is being held on networks without the proper security controls in place.

In addition to making sure data is encrypted, what types of checks should businesses conduct before signing a deal with a cloud computing provider? Experts recommend asking cloud providers questions such as:

1. Can other cloud users see our data?
2. How do I manage who has access to our data?
3. What controls do I need to securely move to the cloud?
4. How can I prove to auditors our cloud systems are secure?
5. How will I know if our data’s been breached?