Monday, November 28, 2011

Cyber Monday Means Loss of Productivity

As Black Friday has come and gone, many consumers are excited for Cyber Monday. The only problem? Many Americans who plan to partake in the deals offered online are doing so at work. According to a recent survey by the staffing firm Adecco, nearly half of American workers (46 percent) plan to make a dent in their holiday shopping during work hours – either by shopping online while at work, shopping on lunch breaks, taking sick days or cutting out a little early periodically. A similar survey by Randstad shows that 40% of employees plan to spend only an hour shopping online at work, while 1 in 3 plan to spend over 5 hours of their work day shopping online.


The lure of online deals does not only threaten productivity; it can also expose the corporate network to malware. Malware and spam campaigns are often put together and launched quickly around current events and popular online happenings, and the malicious sites are seeded as links among the results of common searches such as "Cyber Monday Deals".


Since many people will be ordering online, the use of online postal tracking will go up as well. Because of this, attackers will be sending postage- and shipping-related emails to trick people into downloading malicious attachments. Websense Security Labs cites this type of spam as one of its "Top 5 Malicious Spam Subjects".


Security Labs has detailed the types of subjects and email contents everyone should be on the lookout for:

  • USPS Invoice copy ID46298 (numbers vary)
  • FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ (numbers vary)
  • DHL Express Notification for shipment 90176712199 (numbers vary)

The email will look like this:

The moral of the story is to shop at home, be careful, and no matter how good the deal looks, do not suspend judgement and click on a strange-looking link. Also remember that shipping companies will never require you to download an email attachment to get information about your packages; if you are still concerned, check their website for accurate and up-to-date information.
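As an added example (not from the original post or from Websense), the three lure subjects above can be generalised into a mailbox triage check that also applies the post's rule that a real shipping notice never needs an attachment. The regular expressions, the sample mailbox and the list of risky attachment extensions are my own constructions, and the check goes slightly beyond the list by stripping "Re:"/"Fwd:" prefixes and flagging any carrier-themed mail that carries an attachment.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Subject templates generalised from the three Websense examples above.
# The trailing token is the part the post says "varies": a numeric ID,
# an alphanumeric tracking id, or a long shipment number.
LURE_TEMPLATES = [
    ("USPS",  re.compile(r"^USPS Invoice copy ID\d{3,}$", re.I)),
    ("FedEx", re.compile(r"^FedEx: New Agent File Form, trackid: [A-Z0-9]{8,}$", re.I)),
    ("DHL",   re.compile(r"^DHL Express Notification for shipment \d{8,}$", re.I)),
]

# Any of the three carrier names anywhere in a subject, for the looser
# "carrier-themed mail with an attachment" rule.
CARRIER_NAMES = re.compile(r"\b(USPS|FedEx|DHL)\b", re.I)

# Attachment types a legitimate shipping notice would never ask you to open
# (constructed list for this example).
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".bat", ".js")


@dataclass
class Message:
    subject: str
    attachments: List[str] = field(default_factory=list)


@dataclass
class Verdict:
    carrier: Optional[str]
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _norm(subject: str) -> str:
    # Collapse whitespace and drop leading "Re:"/"Fwd:" so forwarded copies still match.
    s = re.sub(r"\s+", " ", subject).strip()
    return re.sub(r"^(?:(?:re|fwd?)\s*:\s*)+", "", s, flags=re.I)


def assess(msg: Message) -> Verdict:
    """Return a Verdict listing every reason the message looks like a shipping lure."""
    subject = _norm(msg.subject)
    reasons: List[str] = []
    carrier = None
    for name, pat in LURE_TEMPLATES:
        if pat.match(subject):
            carrier = name
            reasons.append(f"subject matches known {name} lure template")
            break
    if carrier is None:
        m = CARRIER_NAMES.search(subject)
        carrier = m.group(1) if m else None
    if carrier and msg.attachments:
        reasons.append(f"{carrier}-themed mail carries attachment(s): {', '.join(msg.attachments)}")
    risky = [a for a in msg.attachments if a.lower().endswith(RISKY_EXT)]
    if risky:
        reasons.append(f"executable/archive attachment(s): {', '.join(risky)}")
    return Verdict(carrier, reasons)


# Constructed sample mailbox (not real messages).
SAMPLE_MAILBOX = [
    Message("USPS Invoice copy ID46298", ["USPS_invoice_ID46298.zip"]),
    Message("FedEx: New Agent File Form, trackid: 1V6ZFZ7FEOHUQ", ["Agent_File_Form.exe"]),
    Message("Fwd: DHL Express Notification for shipment 90176712199"),
    Message("Your order #8812 has shipped"),
    Message("Q4 budget spreadsheet", ["budget.xlsx"]),
]


def triage(mailbox: List[Message]):
    """Return (subject, verdict) pairs for every message judged suspicious."""
    hits = []
    for m in mailbox:
        v = assess(m)
        if v.suspicious:
            hits.append((m.subject, v))
    return hits


if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_MAILBOX):
        print(f"[{verdict.carrier}] {subject}")
        for r in verdict.reasons:
            print("   -", r)
```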


Thursday, November 17, 2011

Sacramento Health System Breached - 4.2 Million Records


Two branches of the Sutter Health network were breached in October of this year after an employee's laptop was stolen. The laptop contained databases with Personally Identifiable Information and Personal Health Information for 4.2 million patients. These records date from as far back as 1995 to as recently as this year. Sutter says the employee's laptop was not encrypted, although the organization is currently in the process of encrypting all laptops across the enterprise.

Data stored in an unprotected state on a laptop or desktop PC puts organizations at risk of becoming the next data breach headline, like Sutter. Only strong encryption of all data on hard disks counters the threat of losing critical intellectual property, customer and/or competitive information and provides a safe harbor from the high profile public disclosures and costly remediation mandated by privacy laws. To protect mobile data from the risks of loss or theft of a laptop or desktop, enterprises not only need the security provided by strong encryption, but also a standards-based solution to the practical issues that organizations encounter when deploying endpoint data protection.


Sutter Health network of care press release below: 

/PRNewswire/ -- Sutter Physicians Services (SPS) and Sutter Medical Foundation (SMF) — two affiliates within the Sutter Health network of care — announced the theft of a company-issued password-protected unencrypted desktop computer from SMF's administrative offices in Sacramento the weekend of Oct. 15, 2011. Following discovery of the theft, Sutter Health immediately reported it to the Sacramento Police Department. It also began an internal investigation. The computer did not contain patient financial records, social security numbers, patients' health plan identification numbers or medical records. While no medical records themselves were on the computer, some medical information was included for a portion of patients.

Following a thorough internal review, Sutter Health discovered that the stolen computer held a database that included two types of information:
  1. For approximately 3.3 million patients whose health care provider is supported by Sutter Physician Services (SPS), the database included only the following patient demographic information dated from 1995 to January 2011: name, address, date of birth, phone number and email address (if provided), medical record number and the name of the patient's health insurance plan. SPS is an organization that provides billing and managed care services for health care providers with which it contracts, including facilities within the Sutter Health network. Patients who think they may be affected should visit www.sutterhealth.org to see the list of impacted health care providers.
  2. For approximately 943,000 SMF patients, the database contained the above demographic data as well as the following information dated from January 2005 to January 2011: dates of services and a description of medical diagnoses and/or procedures used for business operations. Because the data of SMF patients was broader in scope, Sutter Medical Foundation has begun the process to notify these patients by mail. Patients should receive letters no later than Dec. 5.

Read more: http://www.sacbee.com/2011/11/16/4059251/sutter-health-informs-patients.html#ixzz1dyUMTGrj

Thursday, November 10, 2011

Two-fer Thursday!

It is rare that we see two security and data breach related reports cause a stir on the same day. However, today Forrester and the lesser-known Risk Based Security Inc. delivered two reports with a similar theme -- data breaches can and will affect you personally as well as your organization.


Forrester reports that, in a questionnaire distributed to 2,300 IT executives via LinkedIn, 25% responded that their organization has had a data breach in the last year. Even more surprising, 21% declined to answer despite being assured that names and responses are kept confidential. 7% of very honest IT executives reported that they don't know, and Forrester believes that many of the remaining who reported no breaches in the last year were probably breached but just don't know it yet.


The above findings by Forrester make this second report more understandable but no less shocking. According to Risk Based Security Inc. and research done by the Open Security Foundation, as of October 2011 there have been over 1 billion records exposed. In the first nine months of 2011 we have seen 176,385,870 records exposed, compared to 88,473,589 records for all of 2010.


All of these statistics serve to prove a point: organizations still are not taking the necessary measures to protect their data and the data of their customers and clients. When it comes to securing your organization, taking a holistic approach is the first step to enforcing better protection. By better understanding business needs and processes, your security department can better determine where risks reside. Security is more than a simple technology solution. Aligning IT security with business needs requires a combination of policies, people and enforcement.


Links to the above reports
Forrester
Risk Based Security Inc.

Monday, November 7, 2011

Advanced Persistent Threats -- Something to worry about or just another buzzword?

In recent months there has been increased discussion in the media about advanced persistent threats (APTs) and even more discussion about how to define an APT. McAfee defines an APT as a "targeted cyberespionage or cybersabotage attack that is carried out under the sponsorship or direction of a nation-state for something other than a pure financial/criminal reason or political protest." Other definitions are broader, describing an APT as a cybercrime category in which the attacker utilizes the full spectrum of attack vectors to reach and compromise their target.


Whichever definition is used is often the one that best serves the main goal of the article or advertisement, which has led many IT security professionals to put advanced persistent threats in the "buzzword" category. Despite those non-believers, almost two-thirds of enterprise information security managers believe their businesses have been targeted by advanced persistent threats, and 72% expect to see such attacks continue in the future. These numbers come from an Enterprise Strategy Group report on advanced persistent threats. These managers believe that these attacks are being carried out, in order of likelihood, by hacktivist groups such as Anonymous, organized crime rings, competitors conducting reconnaissance or perpetrating industrial espionage, foreign governments, and terrorists.

Whether or not APT is just another catchy acronym, the survey results show that organizations are responding in the correct way. 51% of respondents said that senior executives have increased the amount of money allocated to training employees on security strategies, 33% now meet more frequently with their Chief Information Security Officer (CISO) or IT risk team, and 18% have created the role of CSO or CISO, or another type of senior security position. The trend of organizations staffing risk and security positions that report directly to the Board of Directors continues to demonstrate the importance of integrating technology with business process. Risk and security of the organization, of its critical technology infrastructure (uptime and productivity) and of its confidential and sensitive data (GRC, brand loss, IP loss) should be fundamental to any best-practices organization.


With the increasing sophistication of the threat matrix, reliance on under-managed technologies (AV, IPS, IDS) is simply not enough. As we continue to build more efficient and open B2B and B2C models, an organization must take into account the context of the information being accessed: the roles of the people accessing it, its sensitivity, how it is actually used, and the policies that enforce those rules. This takes coordination, via the CISO, of Executives, HR, Legal, Technology, and Business Unit leaders.

Thursday, September 1, 2011

Sony Breach: Identifying the Possible Attack Vectors


WHEN:
Available Now
SPEAKER:
Chris Lytle, Security Researcher
About This Vendor Webcast
The recent breach of Sony’s Playstation Network has left many scratching their heads. Even with all the commentary around the attack, there has been no real conclusion on how the network was infiltrated.

View this engaging webcast in which Chris Lytle, security researcher for Veracode, explores the rumors in the marketplace regarding the PSN breach and examines multiple theories of how the attack happened.

About the Speaker:

Chris Lytle, Security Researcher

Chris Lytle is a security researcher at Veracode. He holds a BS in Information Assurance and Security Engineering from DePaul University, where he was a frequent speaker. He spoke at BSides Las Vegas 2010 and BlackHat 2010 on the Collegiate Cyber Defense Competition. He also coordinated the puzzles at SOURCE Boston 2011. Chris enjoys solving puzzles.

Wednesday, August 31, 2011

Massachusetts Attorney General says you must practice what you preach

In the first public settlement of its kind related to violations of the new Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, 201 C.M.R. 17.00, Belmont Savings Bank has entered into a settlement with the Massachusetts Attorney General following a data breach in which an unencrypted backup tape containing the names, Social Security numbers, and account numbers of more than 13,000 Massachusetts residents was lost after a Belmont employee failed to follow the bank’s own Written Information Security Program (“WISP”).
In May 2011, a Belmont employee left an unencrypted backup tape on a desk rather than storing it in a vault for the night, which was then inadvertently thrown away by the evening cleaning crew. Although Belmont had a WISP, which met the new Massachusetts data security standards, Belmont failed to comply with the WISP in practice. Specifically, Belmont failed to encrypt portable devices, such as the backup tape, which contained personal information.
The Attorney General’s settlement with Belmont provides for a civil penalty of $7,500 as well as injunctive relief to mitigate the risk of future data breaches at Belmont. Under the terms of the settlement, Belmont must comply with the provisions of its own WISP, including:
  1. Ensuring the proper transfer and inventory of backup computer tapes containing personal information;
  2. Storing backup computer tapes containing personal information in a secure location; and
  3. Effectively training the members of its workforce on the policies and procedures with respect to maintaining the security of personal information.
Attorney General Martha Coakley noted that, “Consumers expect businesses to not only develop policies and procedures to safeguard their sensitive personal information, but to follow these procedures as well.” Bottom line, it is no longer enough for businesses to just have a WISP relative to treatment and protection of its personal information. Organizations must actually put the safeguards in place that they set forth in their WISPs.

Monday, August 22, 2011

Hacking Group Anonymous Breaches InfraGard

On August 18th hacking group Anonymous published documents stolen from Richard Garcia, senior vice president of Vanguard Defense Industries. The collection of documents contains internal meeting notes and contracts, schematics, non-disclosure agreements, personal information about other VDI employees, and several dozen 'counter-terrorism' documents classified as 'law enforcement sensitive' and 'for official use only.'


Mr. Garcia is also a director of U.S. defense contractor InfraGard, which was breached in June by LulzSec, one of Anonymous' affiliate hacking groups. In the initial post by Anonymous, they state that Mr. Garcia's account was easily hacked because he had not changed some of his passwords after the InfraGard breach.


One of the most sensitive emails that was published contains a response from one of Vanguard's chief executives to a U.S. Department of Justice contact regarding the suitability of its ShadowHawk drones for use by U.S. Marshals. There are also reports of documents showing that a Merrill Lynch wealth management adviser gave Garcia private advance notice of upcoming S&P US credit rating downgrades. This report has yet to be substantiated.



Wednesday, June 22, 2011

Mansfield, Ohio -- Area Agency on Aging: Breached due to Lost Laptop

On June 3, an employee of the Area Agency on Aging in Mansfield, Ohio had a laptop stolen from their car. This resulted in the exposure of personal data related to 43,000 customers. The laptop was assigned to a Passport case manager. The personal data was health related in nature and also included the personal contact information of 35,000 related clients' personal representatives.


According to a report in The Morning Journal, the Area Agency on Aging had the following response to the breach:


“The Area Agency on Aging understands the importance of safeguarding our consumer’s personal information and takes that responsibility very seriously,” said Duana Patton, chief executive officer. “We deeply regret that this incident occurred, and we have already taken steps to ensure our laptops are properly equipped to secure personal information from unauthorized access in the future.” 


Unfortunately many organizations take a reactive approach to encrypting endpoint devices such as laptops and cell phones that may contain sensitive information. 


Oil giant BP had a similar incident this spring in which an employee lost their laptop during routine business travel. The laptop contained unencrypted personal data such as names, social security numbers, and dates of birth for over 13,000 people who submitted claims with the company after last year's oil spill.


According to Ponemon's "Cost of a Lost Laptop" report, a lost or stolen unencrypted laptop will cost an organization $20,000 more than a lost or stolen encrypted laptop. Read the full Ponemon report here: Cost of a Lost Laptop Study - Ponemon

77% of Businesses Experienced Data Loss Last Year

A survey of over 2,400 IT security administrators conducted by Check Point and Ponemon reveals 77% of businesses experienced data loss last year. This number does not correlate with the number of reported breaches, but with increasing stringency of compliance regulations, we may begin to see more and more reported breaches.

The study’s research shows organizations are struggling with the growing set of security priorities and limited employee awareness about corporate security policies. Over 55 percent of companies surveyed are using more than seven vendors to perform security tasks. Because of this, organizations struggle with minimizing TCO and maximizing performance.

Approaching security with a holistic view of an organization’s technology is the first step in enforcing better protection. This helps to determine where risks can reside. Security is more than a simple technology solution. Aligning IT security with business needs requires a combination of policies, people and enforcement.

Monday, June 6, 2011

Sony Share Price Tumbles in Tokyo

Sony's recent breach has affected the personal data of up to 100 million users. As one of the largest data breaches to date, Sony estimates that it will result in a $170 million hit to its operating profit.

The financial effects do not stop there. Brand "pain", the financial loss that follows a loss of consumer confidence, will likely be much greater than the $170 million hit on operating profit. The breach has already sent shares down more than 2% in Tokyo. Sony is not the only company to experience a drop in stock price after a major data breach. The figure below is a sampling of other companies that experienced a similar drop.


The cost of a data breach will be detrimental to your organization. Develop a plan to protect your data to decrease the likelihood of a breach.

Monday, May 23, 2011

Massachusetts Executive Office of Labor and Workforce Development Breached

Client names, social security numbers, email addresses, residential addresses and bank account details of users of the Massachusetts Executive Office of Labor and Workforce Development claim system may have been exposed. The 1,200 system users were warned that their personal details may have been accessed by a data-stealing worm named W32.QAKBOT.

Symantec describes W32.QAKBOT as a worm capable of keylogging and of collecting cookie data, DNS and operating system information, private keys from system certificates, and URLs. It can spread through a computer network, open a back door on a compromised computer that would allow someone to control the machine, and keep itself hidden.

Although the problem has been fixed, the Executive Office of Labor and Workforce Development is hoping people continue to use the system. It has communicated that all possible steps are being taken to avoid a future recurrence.

Monday, May 9, 2011

Sony CEO Apologizes for Data Breach

Last week, Sony announced that 24.6 million names, addresses, e-mails, birth dates, phone numbers, potentially credit cards and other private information from Sony Online Entertainment accounts could have been taken from company servers or from an old database.

Last month, a hacker attack on the PlayStation Network may have resulted in the theft of data from 77 million user accounts.

This totals over 100 million accounts that were potentially compromised.  Each potentially affected customer will get $1 million in identity theft insurance. 

Sony CEO Howard Stringer apologized for the "inconvenience" and "concern" the data breach has caused. The company is working on restoring full and safe service as soon as possible. Stringer has a lot of brand mending to do, as this breach is being referred to as one of the largest Internet security break-ins in history.

Thursday, May 5, 2011

Epsilon Breach Estimated to Cost $4B


The highly publicized data breach of email service provider Epsilon could cost the organization upwards of four billion dollars. This estimate comes from a report done by cyber risk advisory firm CyberFactors, and is dependent on what is done with the data.

According to CSO.com:
"That figure [$4 billion] could be reached if criminals get hold of the email addresses and successfully exploit them to gather more personal information and carry out a spear-phishing blitz, according to the report. 'However, until such an event takes place and can be directly linked back to this specific breach, the estimate remains theoretical, but certainly possible given the multitude of sites that use email addresses as user IDs,' the report says."
The report goes on to estimate that the costs to Epsilon's customers could be $5.5 million each for notification of their own customers about the theft, settlements to those customers, legal defense, compliance adjustments and loss of business.

In contrast to this report, Ed Heffernan, CEO of Epsilon's parent company Alliance Data Systems, says he sees no meaningful cost or liability stemming from the incident and that they will not see the customer churn that often follows a breach.

Although Heffernan believes he will not see significant costs as a result of the breach, the widely known act could hold weighty impacts to Epsilon and even Alliance Data’s brand. If Epsilon is lucky, the company has the potential to escape any non-compliance fines, but this does not mean they will be free of detrimental brand impact. Brand losses are approximately 49% of the cost of a data breach and Heffernan may not be taking this into account when he states that the cost will not be meaningful.

If you were a company who needed third party email services, would you want to do business with a company that had more than a million customer records at risk? Probably not.  A tactical data loss prevention strategy may have saved this company, and those customers affected by the breach the trouble this breach has presented.

Wednesday, April 20, 2011

2011 Verizon Data Breach Investigations Report

Verizon recently released their Data Breach Investigations Report.  The report covers approximately 800 data breach cases from 2010.  The review of breaches covers threat agents and actions, how breaches typically occur, and provides statistics on breached organizations.

Below you will find a summary of organizations that reported breaches in the past year, broken down by size. It may be surprising to find that organizations with 11 to 100 employees reported 436 breaches.

  Organization size (employees)    Breaches
  1 to 10                          46
  11 to 100                        436
  101 to 1,000                     74
  1,001 to 10,000                  49
  10,001 to 100,000                59
  Over 100,000                     55
  Unknown                          40


This may not be surprising to you, but the report concludes that 97 percent of the breaches could have been avoided by using simple controls. Do you have the simple controls in place to protect your organization's data? According to the study, organizations should focus mitigation efforts in the following areas:


Monday, April 4, 2011

Marketing Firm's Customer Data Exposed by Hackers


One of the country's largest e-mail marketing firms, Epsilon, reported that on March 30th, “a subset of Epsilon clients’ customer data [was] exposed by an unauthorized entry into Epsilon’s email system."


Epsilon is a subsidiary of Alliance Data Systems and sends over 40 billion emails annually for their clients. These clients include 7 of the top Fortune 10 companies.

Companies whose clients may have been affected by this breach include:
  • Brookstone
  • Capital One Financial Corp.
  • Citigroup
  • J.P. Morgan Chase & Co.
  • Kroger Co.
  • Marriott International Inc.
  • McKinsey & Co.
  • New York & Co.
  • Ritz-Carlton
  • TiVo Inc.
  • US Bancorp
  • Walgreen Co.

The hackers were only able to access names and email addresses, and it is still unknown if the information has been used in any email based attacks aimed at obtaining credit card or social security numbers.

This attack reminds us to be vigilant and skeptical of all unsolicited emails or emails from unknown senders. Keep in mind the following tips next time you check your email:
  1. Under no circumstances should anyone respond to an email from an unknown or known party that asks for sensitive personal data. 
  2. If you receive an email from an unknown sender, delete it and mark it as spam in your email client. If you receive an email asking for personal or financial information from an organization that you are a customer of, notify their customer service office immediately.
  3. Also, do not click on links in email or pop-up messages that may come up after clicking a link in an email that asks for your personal or financial information. 
  4. Always use anti-spyware software and a firewall to protect your computer.
  5. Never open or download attachments from an email from an unknown sender.



Wednesday, March 30, 2011

Lost Laptop Exposes 13,000 Oil Spill Victims

According to a BP spokesman, the laptop was lost on March 1 by an employee on routine business travel.


The laptop held unencrypted information including the names, Social Security numbers, addresses, phone numbers, and dates of birth of people who filed claims related to the Deepwater Horizon accident that occurred last spring.


"The lost laptop was immediately reported to law enforcement authorities and BP security, but has not been located despite a thorough search," BP said Tuesday. They added that the device was equipped with a tool that would allow them to disable the system under certain circumstances; no further details were given on what those circumstances would be.


Unfortunately, laptops containing sensitive personal data are lost every day, and even more commonly when traveling. In Ponemon's "Billion Dollar Lost Laptop Study" the institute found that 46% of lost laptops contained confidential data, and only 30% of those laptops were encrypted, as shown below. Encryption is not the only method used to protect confidential data on a laptop, but it is one of the most easily implemented and trusted ways to protect your company's and your customers' sensitive data.




Friday, March 11, 2011

Cost of Data Breaches Rising – Average Cost $7.2 Million

According to the Ponemon Institute, the average cost of a data breach in 2010 was $7.2 million. This number continues to rise each year. The Ponemon Institute also states that the cost per record breached in 2010 was $214. This cost is up 5% from 2009.


Negligence is the main cause of a data breach and accounts for 41% of reported breaches. Close behind are malicious or criminal acts, which are the reason for 31% of breaches. These malicious or criminal attacks are the most expensive breaches for an organization to respond to, costing an average of $318 per record. While some industries experience higher breach costs than others, these figures represent the averages.

To calculate the potential cost of a breach for your organization, log on to Attevo’s DLP Toolkit and use our free Risk Calculator. This tool will provide you with an estimated cost per record and a total remediation cost estimate.  

Friday, March 4, 2011

Do you consider your ZIP code "personal identification information"?

The California Supreme Court does. In a recent decision, the California Supreme Court ruled that a ZIP code is "personal identification information" for purposes of California Civil Code §1747.08. As a provision of the Song-Beverly Credit Card Act of 1971, California Civil Code §1747.08 prohibits businesses, as a condition to accepting a credit card as payment for goods or services, from requesting and recording personal identification from credit card holders during credit card transactions. Personal identification is further defined in the statute as:
"information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number."
The lawsuit was filed by a private citizen against retailer Williams-Sonoma after a ZIP code was requested at checkout and was later used in conjunction with other information to determine the customer's address for marketing purposes.

This decision comes as a further reminder to credit card processing retailers of the increasing complexity of credit card compliance. With the new Payment Card Industry Data Security Standards (PCI-DSS) and decisions such as this one, non-compliance is becoming more costly than ever. 

Does your organization process credit cards? Would your business be hurt by losing the ability to process credit cards? If you answered yes it is time to discover your compliance requirements and start working towards meeting the standards put in place by credit card companies and the courts. A great place to start is Attevo's DLP Toolkit where you can search a database of compliance regulations tailored to your business.

Monday, February 28, 2011

88% of Breaches Involve Insider Negligence



Malicious acts only account for 12% of reported breaches. Preventing the negligent acts, which are the cause of a breach 88% of the time, is much easier than trying to stop someone who is actively attempting to steal data. By creating a risk strategy and putting DLP policies and an Enterprise DLP (eDLP) technology into place, an organization can protect itself from negligent data loss.

Someone maliciously trying to steal data has a high likelihood of success. If organizations can effectively stop the easy stuff, the negligent leaks, they will achieve a much higher risk reduction than if their focus is simply to stop malicious acts. 

Friday, February 25, 2011

Mobile Internet Adoption Introduces a New Level of Risk


The graph above shows mobile Internet growth accelerating at rates unseen before. This growth is higher than the Internet adoption rate of AOL or Netscape. Businesses see this growth, and are actively devising business strategies to drive revenue via these devices.
Mobile devices are becoming as powerful as our desktops and laptops, and the data that is stored on these mobile devices needs to be equally protected.

How will we manage this quickly-growing service? Going forward, mobile Internet devices like smartphones and tablet PCs need security too; it is not just your internal network. Proactively manage your risk by creating a risk strategy with these devices in mind.

Wednesday, February 16, 2011

DLP Webinar Topics

For those of you who participated in any of our past webinars, thank you. We hope you have enjoyed them. For those of you who have not attended yet, we have our final webinar scheduled for Feb. 24th at 1:30 PM EST.

The purpose of this blog is to allow past and future webinar attendees to provide us with topics they would like to see discussed. Simply reply to this post with your suggestions.

The topic next week is DLP Buyers Guide: What You Need to Look for in a Solution.  If you have specifics within this topic you would like to know about, let us know.

We are looking forward to hearing from you next week! Register using the link above or the link on the right hand side of the blog.

Tuesday, February 8, 2011

Ignorance of the Law is No Excuse

Many healthcare providers and vendors could find themselves claiming ignorance as an excuse for not complying with the new HITECH Act regulations. HITECH compliance regulations are like a traffic sign; by simply doing business you are subject to the government's "signs" regarding compliance regulations. The HITECH Act (Health Information Technology for Economic and Clinical Health) applies to healthcare providers, health insurance companies, clearinghouses, and business associates. A business associate is broadly defined as vendors, service providers, or even consulting and staffing companies. Yes. That is correct. Business associates must comply with this law. What exactly is a business associate? Well, the HITECH Act defines it as anyone who provides…

"... a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing" [45 CFR §160.103, "Business associate" (1)(i)(A)]; or
"... legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity" [45 CFR §160.103, "Business associate" (1)(ii)]

Do you need to comply with this law? Not sure? The best step is to discuss it with your legal counsel. While you're at it, discuss the other regulations you must comply with and put together policies and procedures that address them. This might be more work than you expected, but it will be worth it in the long run: the cost of compliance is much lower than the cost of being found non-compliant. Try roughly $5 million less. Now go do your homework and read up on the regulations you must follow. The DLP Toolkit Regulation Finder is a great place to start.

Friday, February 4, 2011

Can You Afford the Cost of Non-Compliance?

The Ponemon Institute recently released a study titled "The True Cost of Compliance." It found that the average cost of compliance for organizations is $3.5 million, while the average cost of non-compliance is nearly $9.4 million. These numbers vary from industry to industry, but on average non-compliance cost $5.8 million more than compliance.
Compliance involves following all privacy and data protection laws and regulations and policies that are designed to protect individuals’ sensitive and confidential information. Costs necessary for compliance include staff to support a risk strategy and enabling technologies to decrease risk. Costs that can occur due to non-compliance include brand losses, legal costs, public relations costs, auditing, consulting, and more.

Some of the most important, but also most difficult, requirements to meet are the Payment Card Industry (PCI) standards, the various state data breach notification acts, the European Union Privacy Directive, and Sarbanes-Oxley (SOX). Do you know which regulations your organization has to follow? Use the Regulation Finder in the DLP Toolkit to determine which regulations and guidelines you must observe.
What sounds better to you: paying the cost to comply, or paying approximately 2.65 times that amount in the event of a data breach? You are not invincible. In 2010, over 16 million records were breached and over $3 billion was spent on remediation. Do not become part of this statistic. Start creating a risk strategy today.

Friday, January 21, 2011

Two in Five Social Networkers Have Been Sent Malware

Does this alarm you? It should. Malware can take over your browser, redirect your searches, deliver frustrating pop-up ads, and slow down the performance of your PC. These effects are not only annoying, they are costly to remove: think upwards of $50 per affected PC, and even more for malware removal on a server.

Approximately half of US employees can use social networks from their work machine without any restrictions. Total bans on access to social networking sites are becoming rare as firms recognize the value such sites can bring in raising brand awareness and promoting social media marketing campaigns.


"Over the year, we saw an average of 30,000 new malicious URLs every day - that's one every two to three seconds. More than 70 percent of these are legitimate websites that have been hacked - this means that businesses and website owners could inadvertently be infecting their patrons unintentionally and without their knowledge." 
- Graham Cluley, Senior Technology Consultant, Sophos

So what solution will let you keep realizing the benefits of social media while protecting your organization from malware? Can your current anti-malware solution keep up with 30,000 new malicious URLs per day? A data loss prevention solution with real-time security scanning is ideal. This technology detects threats and analyzes user-generated content in real time as it is posted to blogs and Facebook pages, protecting visitors from exposure to malicious links and spam. Real-time scanning lets you continue reaping the benefits of social networks while preventing nasty malware from slowing you down.


Thursday, January 20, 2011

Risk Management Strategies Shifting Towards a Data-Centric Protection Model

In response to our Smartphone Security post from last week, Mark Mahovlich, Director at Attevo, provides the following insight:

The introduction of smart phone technologies into the corporate environment is creating a shift in how we design our risk management strategies.  The most fundamental change in focus is the movement from the traditional network-based protection model to one that is data-centric.  The ability to "wrap" security policies around an individual data element allows an organization to protect its assets and its clients' Personally Identifiable Information from malicious intent, or simple misuse.  If a device (smartphone) can be anywhere at any time, then the same holds true for your data.  Data-centric security tools, such as DLP, make it possible to minimize risk no matter where your data resides or how it is being used.  DLP is not only about breach prevention, it's about security best practices in an ever more mobile world.


Friday, January 14, 2011

WikiLeaks - Lessons Learned

Reputation and brand are crucial to an organization’s success.  A single data breach can be crippling to an organization’s image. Brand loss alone is 49% of the cost of a data breach.  Therefore, protection of sensitive data should be a priority for all organizations.  WikiLeaks has caused anxiety for leaders of many organizations, and many are left wondering if their organization is protected.  Just the thought of someone having access to your organization’s or employees’ confidential information is troubling.


Leaders who have already deployed DLP tools have far less reason for WikiLeaks anxiety.  DLP tools not only protect standard data types such as payment card (PCI) and personally identifiable information (PII) data; fingerprinting techniques let an organization protect any data it deems sensitive.  Fingerprinting detects and protects sensitive content even after alteration, reformatting, or other modification, and it covers whole or partial documents as well as derivatives of the protected information. Examples of data that organizations fingerprint are executive summaries of documents and specific customer records. One caveat a practitioner should keep in mind: a fingerprint only covers content that was registered in advance, so documents created after registration, or sensitive data nobody thought to register, are caught only by the pattern-based rules.

How does fingerprinting work?

“Fingerprinting technology examines the content of documents or raw data and extracts a set of mathematical descriptors or "information fingerprints." These fingerprints are compact and describe the underlying content. By assigning unique identities to each information asset, fingerprinting technology can track information in motion with great precision.”
- Websense
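The register-and-match loop that quote describes, as an added example (this is not Websense's code or the page's own): the text is normalized, every run of a few words is hashed, and winnowing keeps a compact subset of those hashes as the document's fingerprints. A reformatted excerpt of a registered document still matches, a derivative that embeds part of it matches partially, and unrelated text does not match. The sample "executive summary", the shingle size and the window size are assumptions chosen for illustration.

```python
import hashlib
import re

# Shingle and window sizes are assumptions chosen for this example; real DLP
# products tune these (and often fingerprint at the byte or character level).
SHINGLE_WORDS = 5   # words per shingle (k)
WINDOW = 4          # hashes per winnowing window (w)


def normalize(text):
    """Lower-case and keep only alphanumeric tokens, so that line wraps, case
    changes, punctuation and bullet markers do not change the fingerprint."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingle_hashes(words):
    """Hash every run of SHINGLE_WORDS consecutive words to a 64-bit integer."""
    hashes = []
    for i in range(len(words) - SHINGLE_WORDS + 1):
        gram = " ".join(words[i:i + SHINGLE_WORDS]).encode("utf-8")
        digest = hashlib.sha256(gram).digest()
        hashes.append(int.from_bytes(digest[:8], "big"))
    return hashes


def winnow(hashes):
    """Keep the minimum hash of each WINDOW consecutive hashes (winnowing,
    Schleimer/Wilkerson/Aiken 2003). The stored set is much smaller than the
    full hash list, yet any shared run of at least SHINGLE_WORDS + WINDOW - 1
    words is guaranteed to leave at least one selected hash in common."""
    if len(hashes) <= WINDOW:
        return set(hashes)
    return {min(hashes[i:i + WINDOW]) for i in range(len(hashes) - WINDOW + 1)}


def register(text):
    """Return the compact fingerprint set for a document to be protected."""
    return winnow(shingle_hashes(normalize(text)))


def match_score(candidate, registry):
    """Fraction of the candidate's selected fingerprints found in the registry;
    0.0 for text too short to fingerprint. A DLP policy would block or alert
    above a chosen threshold, for example 0.3."""
    fps = register(candidate)
    if not fps:
        return 0.0
    return len(fps & registry) / len(fps)


# Constructed sample "executive summary" standing in for a registered document.
ORIGINAL = (
    "Executive Summary: Project Falcon acquisition. The board has approved an "
    "offer of 42 dollars per share for Falcon Industries, contingent on "
    "regulatory review. Diligence identified material weaknesses in Falcon's "
    "revenue recognition controls. Announcement is targeted for the third "
    "quarter pending antitrust clearance."
)
REGISTRY = register(ORIGINAL)

if __name__ == "__main__":
    # Same sentence, reformatted: full match despite case and whitespace changes.
    print(match_score("DILIGENCE identified material\n\tweaknesses in Falcon's "
                      "revenue\nrecognition controls.", REGISTRY))
    # A derivative that embeds part of the summary in new text: partial match.
    print(match_score("Summary for counsel: diligence identified material "
                      "weaknesses in Falcon's revenue recognition controls, "
                      "which must be remediated.", REGISTRY))
    # Unrelated text: no match.
    print(match_score("Quarterly newsletter: the cafeteria will offer a new "
                      "vegetarian menu starting Monday.", REGISTRY))
```

Because shingles are built from words, changing a single word breaks the five shingles that contain it, which is why the derivative scores below 1.0; commercial products fingerprint at the byte or character level and use rolling hashes for the same reason. The stored set is the only thing that leaves the registration system, so the original document never has to be present at the point where e-mail or uploads are inspected.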

Start thinking about how a DLP solution might ease some of the concern in your organization. 

Wednesday, January 12, 2011

Hot Topic: Smartphone Security

Cell phones have come a long way, from the Gordon Gekko 80's brick phone to today's smartphones, which are essentially pocket-sized computers.  Cell phones are no longer "just" a phone: they help us organize our lives, stay in touch via social networking, and waste time. As more and more people adopt smartphones, they become an enticing frontier for hackers everywhere. Smartphone security now goes beyond protecting against physical loss.  Many organizations whose employees store company data on smartphones overlook simple security measures that are standard for any laptop or any other device with access to the Internet.

There are many companies that see this space for what it is: a relatively unpenetrated market with room for growth. Virtualization giant VMware has partnered with smartphone manufacturer LG to build a smartphone that runs two virtual machines, one for work and one for personal use. The two would be completely isolated from one another, letting an organization support, distribute, and secure a single type of smartphone while employees also use the phone for personal purposes without exposing company data. Internet security firm Check Point Software found in a global survey that 64% of organizations are concerned that the growth in remote users will expose sensitive data, and as a result they are looking to encrypt and protect mobile devices. Smartphone manufacturers have also begun building proprietary encryption into their phones or partnering with encryption companies. The gold standard for secure, encrypted smartphones is BlackBerry, which has been deemed secure for use at some of the highest levels of government.

The moral of the story: protect yourself against these developing threats by installing anti-malware software on your smartphone, and be wary of the risks inherent in downloading mobile apps and clicking on mysterious links on social networking sites. Treat your cell phone as you treat your laptop; after all, the line between the two devices is getting fuzzier and fuzzier.

Friday, January 7, 2011

Bank of America Prepares for WikiLeaks Disclosure

Bank of America is on edge about a statement made by WikiLeaks founder Julian Assange. The statement claims that early this year (2011), a major American bank will suddenly find itself turned inside out. In response, Bank of America has created a team of 15 to 20 internal and external experts to come up with a damage control plan in the event that WikiLeaks releases documents that would affect its reputation and brand. An internal investigation to determine which internal documents may have been leaked to WikiLeaks has already begun.

Since Assange announced that a company in the banking industry will be affected next, there has been speculation within the industry that the bank he is referencing is Bank of America. Bank of America has stated that its investigations have not led to any information about which documents WikiLeaks may have, but it wants to be prepared.

Thursday, January 6, 2011

FinallyFast.com to Refund Thousands for Deceptive Advertising

FinallyFast.com is a company whose late-night commercials promised that its downloadable software would "make your computer run fast – the way it's supposed to." The company successfully sold its software to thousands of customers, but will now pay tens of thousands of dollars in fines and refunds for its deceptive advertising.

The company will pay $78,000 in penalties and offer refunds to customers who purchased the FinallyFast.com software but did not use it. The company was selling "scareware": software that claimed to find problems on every computer it tested, no matter what the actual condition of the computer was.  Companies should be cautious about trusting just any vendor.  This is true in the DLP space as well. Make sure you are working with reputable software providers and thoroughly research software tools before they are used.

Would an employee at your office be able to download software similar to the product FinallyFast.com offers? Do you have any processes or policies in place to prevent unwanted software from being downloaded? This is an important aspect of computer use that organizations should consider.

Wednesday, January 5, 2011

Geisinger Health System Breaches Protected Health Information

Physician-led Geisinger Health System (GHS) is a healthcare system based in Pennsylvania. GHS stated that approximately 2,928 patient names, medical record numbers, procedures, indications, and physicians' patient notes were emailed by a former physician to his home email account. The email, which was sent in early November, was unencrypted.

Although the email did not contain addresses, telephone numbers, Social Security numbers, or any financial information, GHS sent notification to affected patients to comply with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. The HITECH Act broadens the scope of protection available under HIPAA. It also increases the potential legal liability for non-compliance and strengthens enforcement.