PC Data Security Blog

The Effects of Economic Downturn on Data Security

The current economic landscape has left corporations brutally exposed to loss and even abuse of sensitive data.  According to a survey conducted by SailPoint of over 100 Fortune 1000 IT managers, “nearly 70 percent can’t summarize which workers have access to the most critical applications and data. Further, if faced with a layoff, 44 percent of respondents are unable to remove access privileges of terminated employees on a timely basis.”  This is extremely dangerous with the high number of layoffs and merger/acquisitions that are increasingly happening every day.  It allows for situations where disgruntled workers can maliciously misuse their access such as in the case of the disgruntled S.F. admin who hijacked their network.

Public CIO has some useful tips on what to look for and how to keep your company from being vulnerable.  The four things to look out for are :

• Orphan Accounts – Do employees that no longer work at your company have access to any systems
• Access Level of Contractors/Temps – Do you regularly restrict the access you give to contractors as they move off and on various projects
• Entitlement Creep – Have employees who have worked at your company for a long time received more access than they should have just for being around?
• Separation of Duties – Do any employees have excessive control over critical business transactions?

Regularly monitoring these things should greatly help maintain access control over your sensitive data so that the economy does not cause more damage than it already has.

The Illusion of Security by M.T. Thrett

Best I can tell, IT data security expenditures buy compliance, piece-of-mind and sometimes, little else.  But are they buying real, bona fide security? Not really. Hook these buyers to a lie detector and I’ll bet you find that you’d find that most know this to be true. We know for example that antivirus services are always behind the eight ball. The leading antivirus tools are ineffective at combating the latest and greatest viruses.

            IT also throws money into encryption. Don’t misunderstand – encryption is necessary but it alone is not true security. After authentication, encryption is ineffective. IT often reasons it prudent to mandate a policy of strong passwords as a first-level barrier to a breach. This policy is parallel to Superman’s kryptonite. Users will write down these complex passwords for fear of forgetting them.

            Security products and services offer piece-of-mind but shouldn’t kid themselves – it is not usually true security. As long as computers are operated by humans (even honest ones) this is our greatest security threat. No antivirus or encryption software will eliminate that reality.

Data breach: ATF = Another Total Failure?

In September, the Washington Post reported on a five-year study of the ATF’s handling of government computers and firearms and found that the agency had misplaced over 400 laptops, many of which had sensitive information. While this study focuses on the ATF, the sad truth is that the loss of computers and the often confidential information that they contain has become commonplace in both the public and private sectors. To a great degree, as a reading public we’ve become anesthetized to this news, at least until it impacts us - or our networks….

Of even more concern in the article was that in most cases, the ATF had absolutely no idea of what data might have been compromised and as a result, who the loss might directly impact. Since employees often don’t comply with stated data security policy, it is inevitable that data will find its way to the network’s edge - and be mobile.

It is insufficient that an organization set a data security policy without putting in place the instrumentation and systems to ensure its compliance. Furthermore, that compliance can not depend upon the end-user’s conscious adherence to manual process - it just does not work. Managed solutions must be put in place that can ensure the end user’s compliance with corporate data security policy, without requiring their active participation.

It is critical that data be encrypted - at a minimum - only then can we be assured that data losses will not easily put ourselves and others at unnecessary risk. However, encryption by itself that is not enough.
When the inevitable loss occurs, it is equally necessary to be able to ascertain the risk associated with the loss and to determine the necessary corrective action. Some may feel that plausible deniability is an effective approach to addressing this problem. “If you don’t understand the impact of the loss, you don’t need to consider it as serious.”

I think this is both wrong, and short-sighted. Assuming you have the ability to respond wouldn’t it be better to fully understand your risk so that an appropriate counteraction could be chosen? File and folder cataloging on devices within control of an organization’s IT department should be an integral part of an effective PC data security solution. This feature can be used in many ways, including:

• risk assessment, by identifying the devices that contain particular sensitive data
• risk amelioration, by surgically destroying data that is found on unauthorized devices
• policy management, by identifying and establishing policies on the retention of sensitive data throughout an organization
• data forensics, by understanding the full extent of the impact of any data losses

Tools that can both assess and eliminate risk represent a much better data security strategy than either ignorance or hope.

What’s scarier than a hacker? Your employees.

In a study recently released by Compuware, results showed most data breaches are caused by employees, not hackers. The survey of 1,112 IT workers found that only one percent of data losses this year were the result of hackers. Here’s a breakdown of the results:

Negligent insiders were overwhelmingly cited as the cause of data breaches in the survey. What does this mean for company security policies? Will we soon see a shift towards tying up the internal loose ends that compromise company data?

It might be a good idea. Especially when you add to the equation the data from other security studies showing the impact of a data breach on a small company. One-third of companies in one survey said that a major security breach could put their company out of business. Additionally, a data breach that exposed personal information would cost companies an average of $268,000 to inform their customers–even if the lost data is never used. Or, to break it down further, which a Forrester survey did, a breach will cost a company between $90 and $305 per exposed record.

In today’s economy, every dollar spent in a security budget has to get scrutinized. A better strategy for security professionals is to put those dollars toward preventitive measures that combat insider negligence instead of throwing money at an outside threat.

Security News Brief: 10-22-08

• Study shows biggest threat to data security comes from the inside. 80% of respondents to the survey said they’ve had at least one data breach this year. 58% of breaches come from mobile devices, including laptops, PDAs and memory sticks. (Dark Reading, Oct. 9, 2008)
• Over half of British companies have lost data. Two-thirds of respondents said negligence was the cause for the data breach in their company. (Computerworld, Oct. 10, 2008)
• Stolen laptop in W.Virginia contained personal information of over 500 state workers. The laptop was stolen from the vehicle of an employee of the state’s accounting firm. (The Charleston Gazette, Oct. 7, 2008)
• Laptops stolen from Boston ACORN office. Police were investigating a break-in at the office of the community activist group. (WBZtv.com, October 17, 2008)
• Newark TSA employee accused of stealing 31 laptops from passenger baggage. Pythias Brown was finally caught when he allegedly stole a $50,000 camera from an HBO crewmember and a camcorder from the bag of a CNN employee. (New Jersey Star-Ledger, Oct. 7, 2008.)

What if it’s Your Data on a Lost or Stolen Device?

It’s important to consider the information you’re storing on them. Do your devices include online banking information, bills, receipts, tax returns, personal photos and videos, contact information, online account information, electronic signatures, emails, and…? If this information is intercepted by another person, they can learn a great deal about you. Losing such a device now becomes a much larger undertaking than most people realize. It’s like losing your wallet. What do you do when your wallet is lost or stolen? You cancel your credit cards, get a new id/driving license, perhaps subscribe to a credit reporting/protection agency. Would you do the same thing if you lost one of these electronic devices? You might not - but you should.

These are necessary precautions against identity theft and other damaging uses of your personal information. Your vulnerability may be even greater. Do you store photos or video of your family on these devices? How would it feel if they were in the hands of a complete stranger? A stranger with the morals that justified stealing the device in the first place?
I encourage you to think about all the information you keep on such devices and to ask yourself what would happen if someone got access to that data? What will you do? These are some questions to think about and plan for - preferably before it happens to you.

New economic threat: Vulnerable data.

In times of economic downturn, one of the first things organizations cut is security and compliance projects. It is also the worst time to cut in these areas. When the economy is unstable, the threats against data security increase. You have more IT-savvy individuals out of work and sometimes desperate. You may also have made cuts in your own IT staff. A recent survey of 300 IT administrators found that 88 per cent said they would steal company secrets if they were laid off.

IT staff know where you may be vulnerable and also have greater abilities to gain unauthorized access to your data. So many organizations just don’t see the immediate need for protecting sensitive data because they have yet to experience a loss. The key word here is “yet”. If your organization is currently feeling the pinch of this tight economy, just think how much worse it would be if you were to have a publicized data breach. Laptop data security is so important and the real threat evident by more and more losses publicized every month. Data Encryption and trigger-based actions taken to secure or delete at-risk data is easy to implement and is the best insurance against making tough times tougher.

What will it take to get businesses to care about your privacy?

In a recent blog post on WSJ.com, Why All the Data Breaches? Businesses Just Don’t Care, Bruce Schneier, chief security technology officer at BT Group, weighed in on the staggering number of data breaches we’ve seen this year. “For the most part a company doesn’t lose its data, they lose your data,” Schneier said. The victims of the breach, Schneier went on to say in his interview, “are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause.”

Indeed, the legal precedents in this type of case support Schneier’s statement. In recent years, several class action suits have been brought against companies who lost consumer data. According to The New York Law Journal, in Randolph v. ING Life Insurance & Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee’s home containing the personal information of 13,000 government workers and retirees. In Guin v. Brazos Higher Education Service Corporation Inc., plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers.

Both judgments ruled in favor of the defendant, citing that the plaintiff “proved no actual damages and, thus, no ‘recognized injury.’”

But is this enough reason for companies to simply ignore the security protocols that protect consumer data? And do you really think consumers experienced no “recognized injury” knowing their social security numbers and private information were in the hands of criminals? Anyone who has ever been the victim of identity theft will probably tell you, it’s not something you just “move on” from. The effects can last for years.

“Schneier says that what is happening in the tech-security world is a market failure similar in nature to what has happened with global warming: There is a problem that everyone is contributing to, but individual businesses don’t have a reason to do anything about it,” according to the WSJ.com article.

In the comments on this post,  reader Steve Muck suggests “a better approach is the adoption of national technology standards applied to IT systems and networks designed to safeguard PII. This approach recognizes that human error will always be problematic so why not leverage technology to reduce the likelihood of human error associated with PII handling. As an example and following the Federal Government lead, require encryption of all data used by industry. This action alone will signifcantly reduce the risk of harm.”

And another reader adds, “It is one thing to impose criminal and civil penalties on businesses, but what do you do with the federal government?”

Indeed. What about the breach at the Veterans Administration that exposed the personal information millions of American veterans? There is an ongoing case against the VA that could change the precedent. With claims of $1,000 per veteran (or $26.5 billion,) a settlement in favor of the plaintiffs might very well inspire government–and businesses–to “care.”

Security News Brief: 09-09-08

• UK security expert asks, “Why bother holding up a bank when you can steal a laptop?” after Bank of Ireland and the Department of Social and Family Affairs expose personal information of over 500,000 people in separate laptop theft cases. (Sunday Business Post, September 7, 2008.)
  
• Erie County laptop stolen from a health facility in Buffalo, NY contained personal private information of county residents. (WBEN Buffalo, September 5, 2008)
• Laptop with personal data stolen from National Technical Institute for the Deaf. The data contained the names, birth dates and social security numbers of 12,700 applicants to the NTID and another 1,100 people at the Rochester Institute of Technology.  (Democrat and Chronicle, August 31, 2008)
• Ohio school district laptop with student data stolen from Reynoldsburg school employee’s car. The breach affected 4,259 students enrolled in the district. (Columbus Dispatch, August 29, 2008)

Security News Brief: 08-26-08

• Medical identity theft is “the fastest-growing form of identity theft in America today.” (Chicago Tribune, August 22, 2008.)
• More data breaches have been reported so far this year than in all of 2007, according to Identity Theft Resource Center. (Washington Post, August 26, 2008)
• Most mid-sized U.S. firms rate information security as a higher priority than reducing business costs. (Dark Reading, August 22, 2008.)