Archive | Data Security

Keeping the Problem People Out of the System – Possible?

It’s widely documented that most security breaches are caused by internal staff, either by accident or on purpose. Training can help with the accidents, but what about a disgruntled employee who deliberately causes a data breach? Think it won’t happen to you? Think again.

In an article on ZDNet, ‘After OPM breach, Manning and Snowden are just the beginning’, the author, David Gewirtz commented on the basic problem of people and security, “It is impossible to separate individual decision-making and action from the national security apparatus of any nation. Sure, we can carefully vet individuals, subject them to background checks and psychological tests. We can interview friends and neighbors. We can examine financial records and elicit stories about what they were like in college. We can certainly weed out the obvious problem cases. But we can’t keep all the problem people out of the system.”

Ok, you may say, well, that’s the government, and its staff deal with highly sensitive information that impacts the country. That’s true. According to Mr. Gewirtz, “While some very misguided individuals celebrate Snowden’s actions, I submit that any individual who harms the American economy to the tune of at least 47 billion dollars and costs nearly a million jobs is no hero.” I hardly think that most organizations are in the same position as the government.

But, what if a data breach happened in your organization? Chances are it isn’t going to jeopardize national security – but your organization is in for some hefty fines, potential loss of brand and customers.

How do you protect your organization from the enemy within?


Walking the Tightrope of Cloud Security

An interesting article, To Err Is Human; to Indemnify, Divine?: Human Foibles in the Cloud, authored by Tanya Forsheit and published in Data Privacy Monitor, looked at both the enterprise and the cloud provider as owners of responsibility for security in the cloud. Security is still a source of reluctance for organizations thinking about adopting the cloud. And rightly so: with the dramatic rise in data breaches and hacking, organizations should be confident that their information is safe.

Although the cloud adds additional concerns, many of the same issues exist in on-premise-only environments, so I’m not sure why the ‘let’s throw up our hands’ attitude is so prevalent. Back to the article. It is well reported by both the Ponemon Institute and now BakerHostetler’s inaugural ‘Data Security Incident Response Report’ (the “Report”), which concluded that employee negligence and theft were two of the top five causes of data security incidents among the more than 200 incidents they handled in 2014. Nothing new, except to confirm findings from the past several years.

The viewpoint expressed was an atypical one: that there is risk both for the organization and for the cloud provider. The author broke down the two perspectives as follows:

  • “If I am an enterprise customer and my cloud provider disclaims all liability or indemnification obligations for data security breaches except those resulting from the provider’s own willful misconduct or gross negligence, how can my company protect itself from plain old negligence (not just willful misconduct or gross negligence) of employees of the cloud provider?
  • If I am a cloud service provider, how can I agree to accept unlimited liability for the mere negligence or wrongful conduct of employees and still provide cloud services at a low price point to thousands of enterprise customers?”

Obviously both perspectives are sound, if not logical. As far as I am concerned, the organization has to clean up its own house (errgh – cloud) first. Why on earth would a cloud service provider accept unlimited liability, when the ‘human’ element is one of the greatest sources of data breaches? But how, then, does the cloud service provider test the organization’s environment so that it is willing to take on more risk? Or do they just say, ‘sorry, we’ll do what we can, but you’re on your own’?

I do think it is a valid dilemma. I also believe there is a certain amount of fear expressed by organizations, but I am not sure they really understand the issues.

What do you think?


Ok – doctor or lawyer? I say lawyer and hope I don’t get sick!

I had to at least peek at an article authored by Lucas Mearian, simply because of the title, ‘Lawyers smell blood in electronic medical records’, published in ComputerWorld. It appears that Electronic Medical Records (EMRs) are becoming a gold mine for lawyers. Unfortunately, that is bad news for patients. Judgments have reached over $7.5 million in some cases because the information contained in the EMRs could not be trusted.

The next target on the list for legal professionals is technology vendors. Medical malpractice has focused specifically on physicians and hospitals. Lawyers see another opportunity to expand medical malpractice to include the vendors who make the products used. Rather a sad state of affairs. According to Keith Klein, a medical doctor and professor of medicine at the David Geffen School of Medicine at UCLA, “there are attorneys now looking for a clean case to sue the vendor,” he said. “This is reality. It is not theoretical. I was approached by a Washington, D.C. law firm who had a very clean case for suing a vendor.”

The issue is people and technology. The technology needs to be simplified and provide safeguards. Healthcare professionals need to be more careful when entering information into complex applications.

To highlight a few mistakes:

  • One recent lawsuit involved a patient who suffered permanent kidney damage when he was given an antibiotic to treat what was thought to be an infection resulting in elevated creatinine levels. The patient was also suffering a uric kidney stone, which precludes the use of the antibiotic. Because of the complexity of the EMR, none of the attending physicians noticed the kidney stone. Detracting from the EMR’s validity was the fact that a date related to a previous intravenous drip was repeated over and over on all 3,000 pages of the record.
  • In another case, the physician was accused of plagiarizing data entered from another healthcare provider because he copied and pasted basic patient information.
  • And the best for last, “We’ve seen 92-year-old women getting diagnosed as crack addicts because of drop down menus.”

The vendors of medical applications had better wake up, or they may be next at the mercy of the lawyer’s hatchet. I would also strongly suggest more stringent oversight of health care professionals.

Let’s just hope none of us get sick – or we have an excellent lawyer.


To Delve or not to Delve? The jury’s still out.

Delve is a dashboard-like interface that uses machine learning and artificial intelligence (via Office Graph) to display the information most relevant to you, based on your work and that of the people in your network. Delve indexes and analyzes emails, meetings, contacts, social networks, etc., and presents this information as cards. Rather than making you search for something, Delve tries to automatically and intuitively put it in front of you. Some may not like the intrusive approach of being presented with data, but others will see it as a huge time saver. It is important to note that Delve integrates with Exchange, OneDrive for Business (from the individual’s personal blog page within Delve) and Yammer, with more content sources planned. Integration with iOS and Android was recently announced.

In an article, “A revamped Microsoft Delve looks like a corporate mashup of Facebook and LinkedIn”, Mark Hachman, Senior Editor of PC World, wrote, “it’s looking more like a corporate-sponsored mashup of Facebook and LinkedIn—with likely the same self-editing effect that friending your parents on Facebook would inspire.” He continued, “also note that Delve is only as good as the people who use it. Case in point: IDG uses Office 365, but an early attempt to nurture conversations on Yammer failed miserably. Each group and even publication had already settled on their own collaboration solution. One of two things needs to happen for Delve’s profile pages to become a hit: Either HR must be able to auto-populate them with your information, or the corporate culture must encourage its use. Otherwise, your Delve profile could be a wasteland.”

As stated above, for Delve to be readily and willingly adopted, its success depends solely on participation by organizational users. This is not just a Microsoft challenge. It is a business challenge, as social applications typically fail because of a lack of end user acceptance, even when sponsored by management. It will be up to the individual organization to decide whether Delve is a help or a hindrance. Microsoft has a huge challenge ahead: Delve currently works with some Microsoft products, but the optimal solution is integration with a vast number of third-party applications, both Microsoft and non-Microsoft, which is still years away.


Visual Hacking – Watch Out for Those with Camera Phones

The Ponemon Institute, on behalf of 3M and the Visual Privacy Advisory Council, performed experiments with visual hacking techniques, and the results were surprising. Ponemon hired a computer security expert as a hacker and gave him access to eight firms through a temporary worker badge. What the institute found was disturbing.

The hacker achieved success in close to 90% of the attempts. This included access to sensitive corporate information on a worker’s desk or computer screen. The information included contact lists, customer information, corporate financials, and employee access and login credentials.

According to the report, ‘The hacker used three techniques to obtain the information: walking through the office looking for information on desks, computer screens and other locations; taking business documents labeled as confidential; and using his smartphone to take a picture of confidential information displayed on computer screens. What’s more, the hacker used these techniques in plain view of employees. In fact, 70 percent of the time, the expert was not stopped by employees. Even when he was stopped, he was still able to steal some sensitive information.’

What I find interesting is that in only one case did someone ask why the person was there and why they were taking pictures. Curiously, the same experiment in a traditional office layout did yield as much hacking success. Since Ponemon arranged the security access to the firms being hacked, in reality the hacker may have been stopped by security.

Still, interesting findings.


A Data Breach – Just Pocket Change

I just read a really interesting article about the cost of data breaches. The average expenditure to rectify a data breach is now topping $3.8 million. The article I read, ‘How much do data breaches cost big companies? Shockingly little’, published in Fortune, is the result of an analysis written by Benjamin Dean, a fellow at Columbia University’s School of International and Public Affairs.

According to Mr. Dean, even though the cost of the Anthem breach is now approaching $111 million, Target’s stands at $10 million, Sony anticipates spending $35 million and Home Depot $28 million, these sums are minor in the big scheme of things. The gist of the article is that these sums are just pocket change to these companies. “These numbers are likely not small enough to vindicate Sony Pictures’ former executive director of information security. In 2007, he told CIO Magazine that “‘it’s a valid business decision to accept the risk’ of a security breach…I will not invest $10 million to avoid a possible $1 million loss.” But Dean’s analysis does come alarmingly close to making the minimal effort-stance a defensible position.” For Home Depot, the $28 million “represents less than 0.01% of Home Depot’s sales for 2014,” Dean points out.

In his conclusion, “until corporations are held more accountable for these breaches—not with $10 million slaps-on-the-wrist—but with, well, he isn’t quite sure what yet, companies won’t make the big investments in information security needed.”

Although this is an interesting perspective, there are many other harmful impacts of a data breach, considering credit card theft, theft of health information, social security numbers, etc. The above is just an example of irresponsibility on the part of the organization: blowing off the cost at the expense of its customers and stakeholders.

I think organizations must act ethically, even if that means putting the appropriate security in place to protect their employees, customers, vendors, and anyone else they do business with. I think it’s a sad commentary. What do you think?
