Posts from ‘Auditing’
Google revealed yesterday a targeted phishing attack from China against hundreds of Gmail users, including government officials and military personnel. The FBI, the Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake-up call that public and private businesses need to start enforcing policies around personal email. According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
Last week’s Sony data breach shattered TJX’s longstanding record for the largest customer data theft ever, a dubious honor that TJX has held since 2007.
The massive Sony breach leaves millions and millions of credit cards at risk. Details still aren’t clear yet, but the Sony breach *may* have included the theft of customer credit card information, as well as other personal information such as billing addresses, usernames/passwords, email addresses, birthdays, and transaction histories.
Did Sony take reasonable care to protect, encrypt, and secure the private and sensitive data of its users?
Did Sony take too long to notify customers that their personal information had been exposed?
Looks like these questions will be answered in a courtroom as the first lawsuit resulting from the Sony security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.
The class action lawsuit seeks a trial by jury and fitting monetary reimbursement…. And the case’s Overview cites “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” as cause enough, noting Sony’s “failure to maintain adequate computer data security of consumer personal data and financial data.”
For more information, take a look at the post on the Sony PlayStation blog. I’m sure we’ll be learning more as further breach details are disclosed and as court proceedings advance.
Did you know that the average cost of a data breach is $7.2 million?
Or that the cost of each compromised record is $214, an increase of 7% over last year?
A data breach resulting in the loss or theft of protected personal data will have serious financial consequences on an organization – the least expensive breach reported in 2010 was $780,000 (and the most expensive one was over $35 million). You can read more about the cost of data breaches in the Ponemon Institute’s 2010 U.S. Cost of Data Breach survey results.
Here are a few other key takeaways:
- For the 5th year in a row, data breach costs have continued to rise
- Lost business accounts for over 60% of data breach costs; the remainder is spent on data breach detection, escalation, notification and response
- Escalating data security threats and compliance pressures are driving rapid responses to data breaches, resulting in higher costs
- Criminals now account for 31% of data breaches and they are significantly more expensive to contain and fix
- Negligence remains the most common threat, and an increasingly expensive one
What is your organization doing to ensure the privacy and confidentiality of your information, including when it’s sitting on your servers, being shared between systems and business partners, and shared between people? And don’t spend all your time combating criminal threats…. Negligence now accounts for 41% of data breaches; you must safeguard against negligence too.
Go ahead, estimate the data breach risk to YOUR organization. First, ballpark how many pieces of sensitive files and data are floating around your company today…. Then multiply that number by $214. I’m sure you’ll agree that the ROI on the time, technology and resources spent to protect company data is well worth the investment and risk avoidance effort.
Does it feel like you’re hearing about a new data breach almost every day?
Well guess what — you likely are. The Identity Theft Resource Center recorded 662 data breaches on its 2010 ITRC Breach List. That averages to over a dozen reported breaches per week…. And a whopping total of over 16,000,000 reported exposed records in 2010. The fact that social security numbers and/or credit card information is included in the majority of breaches just makes things even more alarming!
Denise Richardson lays out a solid argument for mandatory data breach reporting, as well as some key takeaways from the ITRC Breach List, including:
- Malicious attacks still account for more breaches than human error, with hacking at 17% and insider theft at 15%
- 39% of listed breaches did not identify the cause — Indicating a clear lack of transparency and full reporting to the public
- 49% of breaches did not list number of potentially exposed records — A clear sign of inaccuracy and incompleteness of reporting
- 62% of breaches reported exposure of Social Security Numbers
- 26% of breaches involved credit or debit cards
As I’ve blogged about before, I firmly believe that breached individuals have the right to timely notification. Delays are unacceptable, and hiding it is unthinkable. Afflicted people deserve quick notification so they can ensure their credit report isn’t showing strange activity and that their social security number isn’t being used to open new credit cards or being used to fraudulently report wages.
Mandatory disclosure would provide the structure, discipline and enforcement required for consistent and transparent breach information. Compliance would require a very high level of visibility and control of all files that enter, bounce around and exit an organization. This would benefit not only breached individuals, but also the organizations and their business partners.
For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office dealing with data protection regulations such as the Data Protection Act.
As with many policy makers, actual enforcement of policies has been a major stumbling block to their potential effectiveness. Up until recently, the ICO’s enforcement powers were very limited. However, the ICO has very recently started to issue fines (or “monetary penalties”) for failing to comply with the Data Protection Act.
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should help increase organizations’ focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on what device people are using to access company files and data (such as USB drives, personal email, portable hard drives, smart phones, etc.) and more on the underlying risk mitigation need.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should only be granted to people who are required to use them as part of their job. Simply making policies won’t make a difference; organizations need to follow up with policy enforcement and also must provide employees with the right tools to keep them productive so they don’t need to resort to their own devices.