Posts from ‘InfoSecurity’
Google revealed yesterday a targeted phishing attack from China against hundreds of GMail users, including government officials and military personnel. The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email.
According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
Tonight I’m blogging from the PCI Council Community Meeting here in Orlando, FL. Tomorrow we’ll be talking about the new changes in version 2.0 of the PCI DSS audit requirements (set to go into effect in 2011), but tonight was the welcome reception for the 1000 attendees here at the Buena Vista Palace Hotel.
Participation in the PCI Council Community Meeting conference is on the rise. Two years ago there were about 500 attendees from 300 participating organizations – now the numbers have roughly doubled. There are probably two major factors behind this.
One factor is the de facto status of PCI DSS as one of the gold standards of information security. When five competing credit card companies came together in 2004 to publicly agree on a single security standard there was much rejoicing throughout the industry. And the standard has held up: though major releases have come every two years, the original twelve categories and most of the subcategories remain essentially unchanged from the original.
The second factor is the ever-widening circle of companies that fall under the scope of PCI compliance. Originally it was large credit card processors and retailers, but in recent years even companies that only handle a few dozen credit card transactions a year have had to take notice. And as the scope widens, there are more people who want their voices to be heard in the decision-making process, which is where this week’s conference comes in.
I’ll be posting a few more items about this conference in the next few days – please stay tuned.
I’ve been sitting on some startling statistics for a couple weeks now, and it has been hard to keep my fingers quiet… But today is the day Ipswitch is sharing them with the world. Here are a few key takeaways from the survey that Ipswitch conducted at the recent InfoSecurity Europe 2010 show in London.
40% of IT professionals surveyed admitted to sending sensitive or confidential information through personal email accounts as a way to eliminate the audit trail of what they sent and to whom.
Let’s be clear: Almost half of IT professionals use their personal email as a way to send sensitive company files while hiding their activity from company auditing and reporting. Yikes, that’s a major security and compliance breach!
But wait, there’s more:
69% said that they send classified information, such as payroll, customer data and financial information, over email (with no security) at least once a month; 34% said they do it daily.
IT folks seem to be swayed by the same set of drivers as other worker bees, namely speed, convenience and the ability to send large files without the hassle.
This leaves us with an environment where IT professionals are:
(1) Feeling the same pains as their end users
(2) Smart enough to sidestep the very security and governance policies put in place
(3) Deliberately breaking company policy and controls as a way to hide what they are doing
And just establishing a file transfer policy isn’t enough. While 62% of organizations have file sharing policies in place, many don’t have the means or tactics in place to enforce them. Despite increasingly strict governance and compliance mandates, 72% of respondents said that their organizations lack visibility into files moving both internally and externally.
Organizations that lack true visibility, management and controls around sensitive information now find themselves wide open to all kinds of risks, namely data breaches and compliance violations. The fact that the risk contributors include those tasked with protecting IT networks in the first place, and that it’s being done on a premeditated and recurring basis, just brings the whole situation to an entirely different level of ugly. Try explaining THAT to an eDiscovery judge!