Posts from ‘Cybercrime’
Here’s a great article by Brian O’Connell of CPA Site Solutions on how to deal with email security difficulties. The context of the article is from the perspective of the accounting industry, but I’d say it’s an extremely universal topic that actually impacts almost every kind of company today.
The premise of the article is that email is generally accepted as a dependable way to communicate and share files…. And then he points out that in reality, email isn’t very safe. Sound familiar? – And for you encrypted email lovers out there (you know who you are), I’d like to quickly mention that while encryption can make it harder to open an email or attachment, it does nothing to prevent it from being intercepted.
Brian draws a very important difference between “security” and “privacy” that I want to highlight.
“Privacy is the shield that protects a person’s identity while actively sharing information via the web.
Where privacy is about keeping the door locked, security is about the lock itself.
Security is the actual online authentication and authorization protocols that networks use to protect information and the audit system used to verify the overall system’s effectiveness.”
While I agree that the distinction is important, I’d also like to point out that an organization must protect both the security and privacy of confidential information in order to comply with the growing number of data protection laws and compliance mandates. I wouldn’t worry too much about the distinctions, but instead focus on the need to have visibility and governance over all files, data and information that are being shared both within your company and also externally with business partners and customers.
Email is the world’s collaborative tool and is the electronic ‘sending’ system of choice between people, both within and across organizations.
While the capabilities of transferring files via email hasn’t improved much in the past 10 years, the size and sensitivity of files has multiplied ten-fold.
Email usage is ungoverned at most organizations, meaning that employees can attach any file they have access to and send it to anyone in the world. For CIOs, it’s about more than just security – it’s also about visibility. If you can’t see the files flowing within and from your organization, you can’t protect them.
And how about employees, who are bound and determined to quickly transfer needed information (which may be confidential) with customers, co-workers and partners? For the majority of workers, not sending that file for security’s and visibility’s sake is not an option. Employees will choose ‘productivity’ over ‘security’ if they are given the choice.
Please do take some time to identify and evaluate the tools your employees use to share information with other people and ask yourself if it’s being done in a visible, secure and well managed way. You’ll likely want to rethink how people are really sharing information at your organization.
In my many travels visiting customers and IT professionals around the world, I ask a simple question, “What do you do when you have to send a file to someone that’s just too big?” They ask me how big is big? I say too big for your email or even worse, something that is too big for the receiver’s email. These attachments are typically large powerpoint files, spreadsheets, uncompressed images, media files or even databases. With a sheepish grin people usually tell me they use one of the free email services, like GMail, MS Live or Yahoo. However, recently the answer has shifted. I’m now being inundated with business users and IT professionals professing their love for Cloud services such as DropBox.
In all fairness if you look at my iPad (peeling it from my cold dead hands) you will see my Dropbox app and PAID Dropbox account. So it’s unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access anyone of the 25 million users’ accounts and data… Including mine. Yep, just type in an email address and use any password you want and it’s all yours.
According to Dropbox there wasn’t any nefarious activity but if YOUR COMPANY’S information was on there – legitimately or illegitimately – you just had a data breach. So I was a breach victim… And if I had any Ipswitch IP on the servers, the breach is extended accordingly. To Dropbox’s credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest. In the end, some of these types of Cloud services will eventually get enough of it right to secure their future. Some will last, many won’t.
Regardless, how are you going to handle your data breach this morning? I’m headed over to my bosses office to explain my brazen disregard for corporate data. He’ll probably buy me a new iPad2 that’s locked down (wishful thinking) and order IT to set up a more secure way for me to be mobile with my documents (more wishful thinking).
Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.
Last week’s GMail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.
Don’t let your guard down and simply treat the cloud as just another internal resource…. They need to be properly managed and governed just like any other third-party.
Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration. It’s not too late to watch a replay of it. In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.
Google revealed yesterday a targeted phishing attack from China against hundreds of GMail users, including government officials and military personnel. The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email. According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”