PC Data Security Blog

The financial crisis could be more costly than you think.

I have read two recent articles that are troubling: “IT administrators admit they would steal data” and “When Credit Crunch = Data Security Crunch” .Both discuss the likelihood that employees would steal from their employers if they were laid off or otherwise perceived that their loyal service to their organization was not being reciprocated.

Especially in these difficult times, companies and organizations should recognize that it is increasingly risky to rely on their employees to be an integral part of their data security posture. What, you say, are you asking them to do? If you demand that sensitive data not leave the building on laptops, are you sure this is not happening? If you instruct your employees to transport and store their laptops out of sight, are they? And how about protecting their passwords? Does anybody share and/or write down their passwords in your organization? Even if you encrypt the data on a laptop, are you aware that all it takes is the password to decrypt that data?

Do you really want to depend on your users to comply with all of your data security policies if there are technologies available that could effectively remove the user from that equation?

New economic threat: Vulnerable data.

In times of economic downturn, one of the first things organizations cut is security and compliance projects. It is also the worst time to cut in these areas. When the economy is unstable, the threats against data security increase. You have more IT-savvy individuals out of work and sometimes desperate. You may also have made cuts in your own IT staff. A recent survey of 300 IT administrators found that 88 per cent said they would steal company secrets if they were laid off.

IT staff know where you may be vulnerable and also have greater abilities to gain unauthorized access to your data. So many organizations just don’t see the immediate need for protecting sensitive data because they have yet to experience a loss. The key word here is “yet”. If your organization is currently feeling the pinch of this tight economy, just think how much worse it would be if you were to have a publicized data breach. Laptop data security is so important and the real threat evident by more and more losses publicized every month. Data Encryption and trigger-based actions taken to secure or delete at-risk data is easy to implement and is the best insurance against making tough times tougher.

What will it take to get businesses to care about your privacy?

In a recent blog post on WSJ.com, Why All the Data Breaches? Businesses Just Don’t Care, Bruce Schneier, chief security technology officer at BT Group, weighed in on the staggering number of data breaches we’ve seen this year. “For the most part a company doesn’t lose its data, they lose your data,” Schneier said. The victims of the breach, Schneier went on to say in his interview, “are often powerless to punish the business that exposed the record because they can’t link the fraud to a cause.”

Indeed, the legal precedents in this type of case support Schneier’s statement. In recent years, several class action suits have been brought against companies who lost consumer data. According to The New York Law Journal, in Randolph v. ING Life Insurance & Annuity Co., plaintiffs brought a consumer class action in District of Columbia federal court for invasion of privacy, gross negligence and negligence against ING following an announcement of the theft of an employee laptop from that employee’s home containing the personal information of 13,000 government workers and retirees. In Guin v. Brazos Higher Education Service Corporation Inc., plaintiff brought a negligence suit against Brazos after it announced the theft of a laptop containing personal information for 550,000 customers.

Both judgments ruled in favor of the defendant, citing that the plaintiff “proved no actual damages and, thus, no ‘recognized injury.’”

But is this enough reason for companies to simply ignore the security protocols that protect consumer data? And do you really think consumers experienced no “recognized injury” knowing their social security numbers and private information were in the hands of criminals? Anyone who has ever been the victim of identity theft will probably tell you, it’s not something you just “move on” from. The effects can last for years.

“Schneier says that what is happening in the tech-security world is a market failure similar in nature to what has happened with global warming: There is a problem that everyone is contributing to, but individual businesses don’t have a reason to do anything about it,” according to the WSJ.com article.

In the comments on this post,  reader Steve Muck suggests “a better approach is the adoption of national technology standards applied to IT systems and networks designed to safeguard PII. This approach recognizes that human error will always be problematic so why not leverage technology to reduce the likelihood of human error associated with PII handling. As an example and following the Federal Government lead, require encryption of all data used by industry. This action alone will signifcantly reduce the risk of harm.”

And another reader adds, “It is one thing to impose criminal and civil penalties on businesses, but what do you do with the federal government?”

Indeed. What about the breach at the Veterans Administration that exposed the personal information millions of American veterans? There is an ongoing case against the VA that could change the precedent. With claims of $1,000 per veteran (or $26.5 billion,) a settlement in favor of the plaintiffs might very well inspire government–and businesses–to “care.”

Security News Brief: 09-09-08

• UK security expert asks, “Why bother holding up a bank when you can steal a laptop?” after Bank of Ireland and the Department of Social and Family Affairs expose personal information of over 500,000 people in separate laptop theft cases. (Sunday Business Post, September 7, 2008.)
  
• Erie County laptop stolen from a health facility in Buffalo, NY contained personal private information of county residents. (WBEN Buffalo, September 5, 2008)
• Laptop with personal data stolen from National Technical Institute for the Deaf. The data contained the names, birth dates and social security numbers of 12,700 applicants to the NTID and another 1,100 people at the Rochester Institute of Technology.  (Democrat and Chronicle, August 31, 2008)
• Ohio school district laptop with student data stolen from Reynoldsburg school employee’s car. The breach affected 4,259 students enrolled in the district. (Columbus Dispatch, August 29, 2008)

Dell’s Kill Switch

In a recent CNBC.com interview, when confronted with the scenario of a business laptop filled with sensitive data being accidentally left in a taxicab, Michael Dell explained the need for businesses to have access to a mechanism to “remotely kill the data on the device (laptop) if the device is lost”.  He went on to report that Dell offers such “Mission: Impossible” capability.  One can infer from this that Dell offers an Internet-based kill switch that allows the business administrator to remotely wipe all data if it ever again connects to the Internet.  That’s a great start but what if the crook doesn’t let it connect?  Laptops need be able to protect themselves by having behavior and time-based triggers that can take self-protective actions even if they never connect to a server again. And, of course, the data needs to be encrypted as well.  This is the security that PC makers should really offer.

A kill switch is nice but Mission: Impossible’s Mr. Phelps never connected the tape recorder to anything like the Internet – it simply self destroyed with a timer.

Security News Brief: 08-26-08

• Medical identity theft is “the fastest-growing form of identity theft in America today.” (Chicago Tribune, August 22, 2008.)
• More data breaches have been reported so far this year than in all of 2007, according to Identity Theft Resource Center. (Washington Post, August 26, 2008)
• Most mid-sized U.S. firms rate information security as a higher priority than reducing business costs. (Dark Reading, August 22, 2008.)

Kill at-risk data! Apple’s iPhone does it.

Apple’s recent announcement that its wildly successful iPhone has a “kill switch” capability has been met with surprise and even outrage on the part of some industry watchers and privacy advocates. http://news.yahoo.com/story//nf/20080811/tc_nf/61270 Apple’s stated purpose for imbedding the kill switch technology in the iPhone is that it needs the capability in the event a malicious program is introduced to the device such as applications that steal users’ data.   While conspiracy theorists might see a pernicious side to the kill switch and worry that Apple might use the application to collect information about its users, the momentum toward the broader application of this technology would appear unstoppable.  And there is already precedent:   As Business Weeks’ Olga Karif points out, other industry players, including wireless carriers, regularly remove harmful and/or offensive applications from users’ handheld devices.   http://www.businessweek.com/technology/content/aug2008/tc20080818_266301.htm?campaign_id=rss_tech

Regardless of how one feels about the kill switch concept, this technology has legitimate and extremely useful applications, especially in the enterprise market, and particularly with regard to laptop computers.   Although Apple’s stated purpose for the kill switch is to remove potentially harmful applications, the same basic technology can be used by enterprises to destroy or prohibit access to lost or compromised laptop ­data.  In the same way that Apple might reach out and remove harmful content from the iPhone, an enterprise can use kill switch technology to remove data on lost or stolen laptops. Potential benefits of this capability are obvious given the myriad laws and regulations pertaining to protection and/or loss of private data.

The Big Security Stall

The PC Data Security Blog offers the opportunity for professionals to post on topics important to those within the IT Security community. This week, Rob Weber, Product Specialist at Beachhead Solutions, brings us this post.

Has your company or organization secured its laptop and desktop data yet? Maybe they have and now they can rest easy. If they have not secured the data yet, the number of reasons and excuses is mind-boggling. Security isn’t sexy, doesn’t increase the productivity of employees, and can be a drain on those charged with implementing the solution. Nobody wants to own the security solution or take on the work it involves, yet it is a necessary evil. Thus it becomes an internal battle in many organizations between the economic buyer / product champion and the IT staff that must implement the solution. The product champion pushes for their chosen solution and the IT staff puts up barriers to the encroachment of their ‘turf’. Why does IT balk? The following reasons are commonly heard:

- IT had little or no say in the selection of the solution
- IT is not staffed properly to manage the solution
- The solution creates more work for the IT staff since the end user experience has changed
- While acknowledging a solution is needed, it just isn’t seen as high on the list of priorities

Whether these reasons are spoken or implied, the solution is blocked using one or more of the following ploys:

- Utopian product requirements are put in place to block any worthwhile solution
- Other, sexier IT initiatives are elevated ahead of the security solution
- Solution inquiries are simply met with radio silence by IT

What could happen to change this behavior? It hasn’t happened yet, but it will soon . . . a real data loss followed by a real penalty charged to the offending company or organization. As soon as this happens, the world will change. A security solution will be pushed through at many organizations due to fear and anxiety. The fact that the solution is not sexy, not properly staffed, or simply annoying won’t matter anymore. Those will be smaller pain points on the path to fulfilling a company necessity. CEOs will get involved and make it uncomfortable for anyone standing in the way or delaying a solution. Why? It will be embarrassing to be caught with unsecured data, but more importantly, it may prove to be the end of the company or organization if real penalties are applied.

TSA fails to secure “trusted traveler” data.

Yesterday, a missing laptop with the names of 33,000 people enrolled in the Clear program — the most popular airport “trusted traveller” program, was found at SFO Airport. The laptop belonged to an employee of the TSA-contracted security firm and is said to have contained, “personal information on applicants to the program, including names, address and birth dates, and in some cases driver’s license, passport or green card numbers.”

The good news is the laptop turned up in the same office it was reported stolen from. The bad news is the alleged theft has exposed the serious vulnerabilities of a trusted security program associated with a government agency.

In a statement, the company said the information on the laptop, which was originally reported stolen from its locked office, “is secured by two levels of password protection.” Beer called the fact that the personal information itself was not encrypted “a mistake” that the company would fix.

Not encrypted? What?

Even Anheuser-Busch, (a brewery for crying out loud,) knows better than that. When one of their laptops went missing last month, potentially exposing the personal information of over 150,000 current and former employees, many of those affected could breathe easier knowing the laptop was encrypted.

So, how does a public company charged with the task of filling America’s beer mugs have better security policy than a private company charged with securing America’s airports?

This goes back to ensuring that all contractors and vendors have a sound security policy before signing up with them and putting your information at risk.

Secondly, when the physical security of airline passengers is at stake, wouldn’t it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn’t turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.

Not even Google is immune to security threats.

Earlier this month, a major breach was reported when a third-party employee benefits administrator’s office was burglarized and part of the theft included personal employee data. Data breaches happen all the time, but this particular incident raised some eyebrows because it happened to Google.

Turns out the company Google had entrusted with administering benefits to its employees and protecting their personal information is just as vulnerable as everybody else to this type of risk. A company like Google must prove its ability to secure user data on a daily basis, or they won’t have users. So why, then, would they not ensure such security measures are being taken by third-party vendors to secure employee data?

The problem is more common than we’d all like to admit. It can happen to anyone who hands over their employees’ or clients’ personal information to a third-party vendor. And is that vendor to blame when the information is breached? Yes and no. The responsibility is still on the company its employees and clients trusted to secure their data, regardless of where that data travels along the B2B highway.

Bottom line: vendors, contractors, and service providers should be measured not only by the quality/value of their services but by their diligence in maintaining the privacy of the custodial data they’ve taken responsibility for.  When considering a vendor, add a sound security policy to the items you value. You won’t be sorry.