Archive for August, 2010
I recently blogged about some pretty alarming statistics from the newly published 2010 Data Breach Investigation Report.
Let’s take a closer look at the 48% of breaches that involved privilege misuse.
I guarantee you that a large chunk of employee misuse is 100% non-malicious. In many cases, it’s the hardest working and most dedicated employees that feel forced to find their own way – any way – to get the job done because they were not provided the appropriate tools.
Over the last year I’ve spoken to well over 100 people that admitted to many of the items in the chart above.
In fact, I’m sure many of you blog readers have used a personal hard drive to temporarily store company data because you simply want to back up your important work files. What about copying company files to a USB/DVD as a convenient way to transport data — or even subscribing to a file sharing website or using your personal email account — simply because you can’t send or receive large files from your work email account? And how many of you access company email or files from that shiny new smartphone of yours?
And you know what, I’m guilty too. But with total non-malicious intent I assure you.
We recently published our summer issue of Ipswitch Insight, our customer newsletter.
If you haven’t already read our newsletter, now is your chance to catch up on some recent Ipswitch File Transfer news, product releases, thought leadership, events, interesting statistics and a couple of insightful customer stories… We’ve even included a few snappy videos for your viewing pleasure.
If you’d like to be added to our mailing list, shoot us an email at MyStories@ipswitch.com and we’ll add you to the list next time around. And of course, we’d love to hear all about how you are using Ipswitch File Transfer solutions too!
“Estimate how many pieces of sensitive files and data your company has … Now multiply that by $204. I’m sure you’ll agree that the ROI on the time and resources spent to protect company data are well worth the investment.”
Hugh Garber – in a July 28th, 2010 blog
Hugh and the rest of the world have been talking about the 2010 Data Breach Report from Verizon Business that was released last week.
One of the many frightening figures given was that “96% of breaches were avoidable through simple or intermediate controls.”
Here’s a bit of a catch-22, though: in a recent article, Stuart Sumner of Computing says that “while technological advances can provide more capable security, they can also often provide opportunities to cyber criminals.”
What can we do?
Here’s where things get … interesting, and leave me thinking that perhaps Cyberdyne Systems isn’t such a fictional company after all (yes, that’s a “Terminator” reference – c’mon, “cyborg” is in the title of this post).
Sumner suggests that CIOs can fight back against these data breaches with enforced encryption, reporting and biometric technology, and that “selecting the correct blend of tools to protect the business is key for CIOs today, and encryption and end point security can help.”
The concept and practice of biometric technology is not new to us, and it seems that the case can be made that biometric technology is truly becoming a necessary solution for all businesses.
The article is a quick read on what CIOs can do to help fight data breaches and it makes a motivating case for biometric technology.
In writing this blog post I find myself interested in your thoughts on that: is biometric technology something that your company would benefit from?
I’ve been sitting on some startling statistics for a couple weeks now, and it has been hard to keep my fingers quiet… But today is the day Ipswitch is sharing them with the world. Here are a few key takeaways from the survey that Ipswitch conducted at the recent InfoSecurity Europe 2010 show in London.
40% of IT professionals surveyed admitted to sending sensitive or confidential information through personal email accounts as a way to eliminate the audit trail of what they sent and to whom.
Let’s be clear: Almost half of IT professionals use their personal email as a way to send sensitive company files while hiding their activity from company auditing and reporting. Yikes, that’s a major security and compliance breach!
But wait, there’s more:
69% said that they send classified information, such as payroll, customer data and financial information, over email (with no security) at least once a month; 34% said they do it daily.
IT folks seem to be swayed by a similar set of drivers as other worker bees – namely, speed, convenience and the ability to send large files without the hassle.
This leaves us with an environment where IT professionals are:
(1) Feeling the same pains as their end users
(2) Smart enough to sidestep the very security and governance policies put in place
(3) Deliberately breaking company policy and controls as a way to hide what they are doing
And just establishing a file transfer policy isn’t enough. While 62% of organizations have file sharing policies in place, many don’t have the means or tactics in place to enforce them. Despite increasingly strict governance and compliance mandates, 72 percent of respondents said that their organizations lack visibility into files moving both internally and externally.
Organizations that lack true visibility, management and controls around sensitive information now find themselves wide open to all kinds of risks, namely data breaches and compliance. The fact that risk contributors include those tasked with protecting IT networks in the first place, and that it’s being done on a premeditated and recurring basis, just brings the whole situation to an entirely different level of ugly. Try explaining THAT to an eDiscovery judge!
Are Dr. Howard, Dr. Fine and Dr. Howard in charge of the health care industry’s data security? You’ll most likely need 113 aspirin after reading this article on eWeek.com by Brian T. Horowitz.
In it, Horowitz quotes Jay Foley, executive director of the ITRC, who says that when it comes to data breaches, “hospitals are vulnerable to insider data breaches with the multitude of doctors, nurses, lab technicians, janitors and food service personnel circulating throughout the facility.”
The article also quotes Ipswitch’s very own Frank Kenney, VP of global strategy, who confirms the ITRC’s diagnosis. Frank notes that “health care facilities are not complying with HIPAA (Health Insurance Portability and Accountability Act) and regional government regulations on data privacy.”
As usual, Frank has a way of breaking the issue down to its most honest and simplest point, and he states that “even signing your name in at the front desk in a doctor’s office for all to see is a breach of HIPAA regulations.”
It’s an interesting read that may have you reaching for the Anacin.