Not even Google is immune to security threats.

2:10 pm on July 22, 2008 | By Meghan Whelan | In data breach, pc security tips | 2 Comments

Earlier this month, a major breach was reported when a third-party employee benefits administrator’s office was burglarized and part of the theft included personal employee data. Data breaches happen all the time, but this particular incident raised some eyebrows because it happened to Google. Turns out the company Google had entrusted with administering benefits to its employees and protecting their personal information is just as vulnerable as everybody else to this type of risk.

A company like Google must prove its ability to secure user data on a daily basis, or they won’t have users. So why, then, would they not ensure such security measures are being taken by third-party vendors to secure employee data? The problem is more common than we’d all like to admit. It can happen to anyone who hands over their employees’ or clients’ personal information to a third-party vendor.

And is that vendor to blame when the information is breached? Yes and no. The responsibility is still on the company its employees and clients trusted to secure their data, regardless of where that data travels along the B2B highway.

Bottom line: vendors, contractors, and service providers should be measured not only by the quality/value of their services but by their diligence in maintaining the privacy of the custodial data they’ve taken responsibility for. When considering a vendor, add a sound security policy to the items you value. You won’t be sorry.

Relying on user compliance is risky business.

7:28 pm on July 14, 2008 | By Cam Roberson | In laptop security, laptop theft | No Comments

Most of us have become desensitized to the almost daily reports of laptop loss or theft. Heck, I barely notice them anymore - and I’m in the industry! What blows me away, though, is the boilerplate mantra from the spokesman of the at-fault company when defending their indefensible position with the media. Always well-rehearsed and nearly believable, those statements are derived from the now necessary PR outline, “CYA: Laptop Loss, What to Say to the Press”. I happen to have found this early version used in 2006 by a very large aeronautics manufacturer. It has been used and personalized hundreds of times since by companies big and small. Here it is:

“CYA: Laptop Loss - What to Say to the Press”

(Note to spokesman: whenever possible, try to assign the loss as a theft. A simple loss implies that the user may have been flippant, careless and/or negligent.)

1. (your company name) is very concerned about protecting the privacy of its employees, customers and/or clients.
2. (your company name) has no reason to believe that the laptop was stolen for anything other than the hardware value.
3. The laptop was protected with passwords.
4. The employee of (your company name) is being reprimanded (or terminated) for violation of data security policy. Cite one of these policy violations:
   a. employees are prohibited from taking sensitive data outside business walls on laptops
   b. employee shared or otherwise exposed passwords and/or login credentials
   c. (your company name) has selected, and is in the process of deploying, encryption but has not yet completed the rollout
   d. if possible, assign blame to a rogue contractor, vendor or service provider. This action tends to confuse readers as to who is really at fault for the breach
5. Reiterate that “because (your company name) is very concerned about protecting sensitive data,” better and more strict employee (or vendor/contractor) data policy will be effective (fill in reasonable time schedule).