Archive for December, 2010
Data breaches, confidentiality and privacy will remain key areas of concern in 2011, and these topics fuel many of Ipswitch’s 2011 security predictions.
2011 will be the year that smart companies shift their focus away from tactical (and often reactive) security tools and instead focus strategically on policy creation, management and enforcement. More organizations will shift their approach from quick-fix to preventative.
Four more 2011 predictions:
- Enterprises will start monitoring and managing the information flowing to and from personal email, IM and cloud-based services.
- The largest data breach of 2011 will hit the retail sector.
- A major data breach with further reaching diplomatic consequences than WikiLeaks will be the direct result of a lost smart phone or USB drive.
- Organizations in the financial, media and health sectors will gain larger market share by leveraging company investments in MFT, specifically those that offer visibility, analysis and analytics.
I’ve blogged a bunch on Ipswitch’s 2010 research that unveiled startling trends about employee access and use of company information. Our 2011 predictions are in part fueled by some of these facts:
- 40% routinely send confidential information through personal email to eliminate the audit trail from management
- 90% admitted to using thumb drives or other external devices to move work-related files
- 25% send proprietary files to their personal email accounts with the intent of using that information at their next place of employment
- 70% access company data through mobile devices on a weekly basis
- 41% rely on personally owned storage devices to back up business files
- 72% of organizations lack visibility into files moving both internally and externally
Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh, and there was also notification of a few data breaches, most notably McDonalds, the University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two-dollar-a-gallon gas prices.
Lately, we are seeing more companies and institutions admitting to data breaches. Passwords get hacked and ATM cards, identities and cell phones are stolen all the time. Expect to hear about more breaches as companies move ahead of legislation that forces them to admit security breaches, and expect the media to pick up on the stories and run wild with them. What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.
- the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
- the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
- the Gawker breach was about outdated encryption mechanisms and a rogue organization purposely trying to embarrass that community.
Of these three breaches, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.
The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.
This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!
Ipswitch was recently awarded “Partner of the Year” by CDW at their 4th annual awards ceremony. Over 700 technology manufacturers and CDW management attended the awards ceremony in which five companies won this prestigious recognition for strong performance in support of CDW customer initiatives.
For those unfamiliar, CDW is a $9 billion technology reseller that sells hundreds of manufacturer products. Over the last year, Ipswitch has had almost daily interactions with CDW account managers, working together to solve customer problems and identify the right technology products to best meet customer needs.
“The Partner of the Year awards honor companies that have provided exemplary products, programs and support to CDW and its customers in the previous 12 months.”
This year’s recipients are:
- Blue Coat
- Tech Data
We look forward to continued growth and success with CDW and their customers. And next year, save me a seat at the awards ceremony!
For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office dealing with data protection regulations such as the Data Protection Act.
As with many policy makers, the actual enforcement of policies has been a major stumbling block to their potential effectiveness. Up until recently, the ICO’s enforcement powers were very limited. However, the ICO has very recently started to issue fines (or “monetary penalties”) for failing to comply with the Data Protection Act.
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should help increase organizations’ focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on what device people are using to access company files and data (such as USB drives, personal email, portable hard drives, smart phones, etc.) and more on the underlying risk mitigation need.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should only be granted to people who are required to use them as part of their job. Simply making policies won’t make a difference; organizations need to follow up with policy enforcement and also must provide employees with the right tools to keep them productive, so they don’t need to resort to their own devices.