
Visual Hacking – Watch Out for Those with Camera Phones

The Ponemon Institute, on behalf of 3M and the Visual Privacy Advisory Council, ran an experiment in visual hacking, and the results were surprising. Ponemon hired a computer security expert to play the hacker and gave him access to eight firms through a temporary worker badge. What the institute found was disturbing.

The hacker succeeded in close to 90% of his attempts. Success meant obtaining sensitive corporate information from a worker's desk or computer screen: contact lists, customer information, corporate financials, and employee access and login credentials.

According to the report, ‘The hacker used three techniques to obtain the information: walking through the office looking for information on desks, computer screens and other locations; taking business documents labeled as confidential; and using his smartphone to take a picture of confidential information displayed on computer screens. What’s more, the hacker used these techniques in plain view of employees. In fact, 70 percent of the time, the expert was not stopped by employees. Even when he was stopped, he was still able to steal some sensitive information.’

What I find interesting is that in only one case did someone ask why the person was there and why he was taking pictures. Curiously, the same experiment in a traditional office layout (closed offices rather than an open floor plan) did not yield as much hacking success.
One caveat: the participating firms had granted the hacker access by issuing the badge. A real intruder without a badge might well have been stopped by security.

Still, interesting findings.


A Data Breach – Just Pocket Change

I just read a really interesting article about the cost of data breaches. The article, How much do data breaches cost big companies? Shockingly little, was published in Fortune and presents an analysis by Benjamin Dean, a fellow at Columbia University's School of International and Public Affairs.

According to Mr. Dean, the cost of the Anthem breach is now approaching $111 million, Target's stands at $10 million, Sony anticipates spending $35 million and Home Depot $28 million, yet these sums are minor in the big scheme of things. The gist of the article is that they are just pocket change to these companies. “These numbers are likely not small enough to vindicate Sony Pictures’ former executive director of information security. In 2007, he told CIO Magazine that “‘it’s a valid business decision to accept the risk’ of a security breach…I will not invest $10 million to avoid a possible $1 million loss.” But Dean’s analysis does come alarmingly close to making the minimal effort-stance a defensible position.” For Home Depot, the $28 million “represents less than 0.01% of Home Depot’s sales for 2014,” Dean points out.

In his conclusion, Dean argues that until corporations are held more accountable for these breaches, not with $10 million slaps on the wrist but with something stronger (he isn't quite sure what yet), companies won't make the big investments in information security that are needed.

Although this is an interesting perspective, a data breach has many harmful impacts that never show up on the company's own bill: credit card theft, theft of health information, stolen social security numbers, and so on. Treating the cost as pocket change is an example of irresponsibility on the part of the organization, blowing off the cost at the expense of its customers and stakeholders.

I think organizations must act ethically, even if that means putting the appropriate security in place to protect their employees, customers, vendors, and anyone else they do business with. I think it's a sad commentary. What do you think?


Be Happy You are Not Responsible for the Security of this.

Do you know that every 60 seconds there are:

  • 98,000+ Tweets
  • 11 million instant messages
  • 698,445 Google searches
  • 168+ million emails sent
  • 1,820TB of data created
  • 217 new mobile users

What's my point? That people love their Internet communication toys? No, the real point is security. Although the above are global numbers, much of this content is discoverable and admissible in a court of law, and it is the organization's responsibility to protect and secure its tweets, instant messages, and emails. Finding privacy or confidentiality exposures in unstructured content is hard, and it is a growing problem, even more so with the use of the cloud. My guesstimate is that more than 95% of this content is harmless. But what about the remainder? Content needs to be analyzed as it is created or ingested, not after the fact. There are tools available, such as ours, that identify privacy or confidentiality exposures and remove the affected content from search and from portability (download, sync, export). Even something as simple as restricting the ability to download files can prevent 63% of potential exposures before they occur. It's a help.
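To make the ingest-time idea concrete, here is a small scanner in Python. It is an added example written for this page, not the product code referred to above and not code from any of the reports cited on this page. It checks each document as it arrives for two common exposure types, U.S. Social Security numbers and payment card numbers, validates each hit (SSN issuance rules, Luhn check digit) so that look-alike numbers are not flagged, and returns a decision on whether the document may be indexed for search or downloaded. The document names, their contents and the SSN/card values are all constructed for the example.

```python
"""Ingest-time scan of unstructured content for privacy exposures.

Added example, not the blog's product code. Each document is scanned as
it is ingested; a document with any finding is kept out of the search
index and blocked from download (the page's "remove from search or
portability" step). Sample documents and the numbers in them are
synthetic, constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Formatted U.S. SSN: AAA-GG-SSSS
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by single spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. Cuts obvious false positives such as 000-12-3456."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers. From the rightmost
    digit, double every second digit and subtract 9 when the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class ScanResult:
    # (kind, masked value) pairs; the raw value is never stored in the result
    findings: list = field(default_factory=list)

    @property
    def index(self) -> bool:
        """Searchable only when nothing sensitive was found."""
        return not self.findings

    @property
    def downloadable(self) -> bool:
        """Same policy for portability: no download once an exposure is found."""
        return not self.findings


def scan(text: str) -> ScanResult:
    """Scan one document's text and return findings plus the policy decision."""
    result = ScanResult()
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            result.findings.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            result.findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return result


def ingest(docs: dict) -> dict:
    """Scan every document at ingest time, before any of it reaches the index."""
    return {name: scan(text) for name, text in docs.items()}


# Constructed sample documents (hypothetical content, synthetic numbers).
SAMPLE_DOCS = {
    "quarterly-notes.txt": "Q3 pipeline review, no customer data here. Call ext. 4471.",
    "onboarding-form.txt": "New hire Jane Doe, SSN 123-45-6789, start date 2015-03-02.",
    "expense-report.txt": "Corporate card 4111 1111 1111 1111 used for travel.",
    "invoice-ref.txt": "Reference number 1234-5678-1234-5678 (not a card).",
}

if __name__ == "__main__":
    for name, res in ingest(SAMPLE_DOCS).items():
        print(f"{name}: index={res.index} download={res.downloadable} "
              f"findings={res.findings}")
```

The invoice reference is the case worth noting: it has the shape of a card number, but fails the Luhn check and so stays searchable. A scanner that flags on the regex alone would quarantine a large share of harmless numbers, which is the kind of noise that leads teams to switch the control off. Real deployments add more detectors (health record identifiers, credentials, classification markings) and usually log the masked finding to an audit trail rather than only returning it.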

What measures do you take to safeguard privacy or confidential information, either in the cloud or on-premise?

(If you have a few minutes and use SharePoint or Office 365, could you kindly take our metadata survey? You could win a free conference pass to Microsoft Ignite. We would greatly appreciate it)


Challenges in Adopting Cloud? Will it stop you from taking the leap?

According to Microsoft, we will all be using Office 365 sooner or later. Not so fast, says KPMG. In its survey, 53% of enterprise executives named data loss and privacy as a top challenge in adopting cloud computing, followed by the risk of intellectual property theft (50%) and the impact on their IT organization (49%). Compared to the 2012 survey, security and data privacy now rank ahead of cost efficiency as concerns for enterprises.

The following graphic provides an overview of the most challenging areas enterprises face when adopting cloud-based applications and platforms as part of their business strategies.

Let me know if you are in the cloud, regardless of product. Do you still have concerns about security? Will this factor decide whether or not you use cloud technologies?



Well, there you have it – IDC’s 10 predictions for emerging technologies in 2015

Now, who didn't know it would be cloud centered? In the article IDC's 10 predictions for emerging technologies in 2015, Frank Gens refers to the 'third platform'. Sounds rather ominous, but it isn't. The third platform was defined by IDC in 2007 and, according to IDC, is in a key phase of development. Historically, as outlined in the article, there have been three waves of computing: first, mainframes and terminals; second, PCs, networking, relational databases, and client/server apps.

Now it gets interesting. The third platform is our current state, built around cloud computing, social applications, big data, and mobile computing. IDC predicts that the third platform will continue to evolve and grow for the next twenty years, driven by a community of developers and a wave of core technologies that IDC calls Innovation Accelerators. These accelerators include:

  • The Internet of Things
  • Cognitive systems
  • Pervasive robotics
  • 3-D printing of all kinds
  • Natural interfaces
  • Optimized security technologies and solutions

Now to the list of predictions. Not as exciting as the accelerators:

  • Information and Communications Technology Spending
  • Wireless Data
  • Mobile Development
  • Cloud Services
  • Data and Analytics
  • Internet of Things (IoT)
  • Data Centers
  • Industry Disruption
  • IoT security

I guess we will just have to wait to see if all these predictions come true. What do you think of the ‘third platform’? Does anything on the list surprise you? I personally think the Innovation Accelerators sound pretty amazing.



Oh, you mean government has to follow the law? What was I thinking???

Just another story that illustrates how stupid government thinks we are. Or perhaps another story that illustrates how stupid government is. On January 12th, President Obama announced new cyber reforms, calling on Congress to mandate that companies whose customer data is breached inform affected individuals within 30 days. But why don't agencies that are hacked have to notify citizens when their data is compromised? Good question, it seems.

On a more humorous note, the silence on the government's responsibility to protect its own data became awkward when pro-ISIS hackers allegedly leaked personal information on U.S. military members around the time Obama was speaking.

There is currently no federal U.S. requirement to notify breach victims within a set time period; a hodgepodge of state regulations gives companies varying guidance on contacting victims. Fewer than 30 percent of federal agencies recently surveyed notified affected individuals of high-risk breaches, the Government Accountability Office reported last year.

The Federal Agency Data Breach Notification Act, introduced by Rep. Gerry Connolly, D-Va., in the last Congress, would require, among other things, notifying individual victims within 72 hours of discovering evidence of a personal data breach.

Connolly, for his part, says he does not feel the administration is applying a double standard by omitting agencies from its legislative agenda.

Need we say any more?


Metadata Matters: Is Big Brother Watching? Yup!

I am one who continually harps on security and the protection of all assets in an organization. The other day I turned the tables on myself and started thinking about the misuse and abuse of personal information by organizations. Take Morgan Stanley: why on earth was an essentially junior-level financial advisor given access to all client data? What were they thinking? Big mistake. What about from the marketing perspective? As a member of that profession, I know marketing loves to gather as much data as possible about clients to increase sales. In fact, our job depends on it. Just a fact of life, maybe.

But what about other uses, or misuses, of private data? Regardless of industry, including government, who has access to my personal information? More people than I would think, and more information than I would expect. Not all internal breaches are caused by nefarious purposes, but the information is there for the taking.

I suppose it comes down to the ethics of the organization, how it protects data, and the importance it places on protecting private data. I've had my personal information compromised three times now. In the last incident, which involved HIPAA-protected health data, it was entirely up to me to protect my identity: notifying all the credit agencies, putting credit holds on all accounts, and purchasing credit monitoring. To say the least, it's rather irksome. Given that most organizations don't report a breach until they absolutely must, we, the people, carry the burden of someone else's mistake, and then have to figure out how to get our identity back.

I wonder how bad this will get. Since most employers now do comprehensive background checks, you do have some recourse: you can request your own Lexis/Nexis Accurint Person Report, which is free, so at least you can see what a potential employer may see.
