This also goes for companies when we’re talking about protecting their most valuable capital: DATA… CONFIDENTIAL DATA. At some point in their business activity they all worried that competitors or other third parties were going to find out the secret of their success: the “secret Coca-Cola ingredient”!
Think about the fact that some IT admins used to Super Glue USB ports so that employees couldn’t plug in USB sticks to copy data and infect the computers with viruses. Crazy, huh? (Yet when I think about the data breaches that occurred lately, it’s understandable.) Even if they don’t use Super Glue anymore, they do it through software, and there are still many companies that, out of too much caution, ask their IT people to simply block all file transfers. This is both annoying and counterproductive for users, since the business environment nowadays requires high mobility for fast response times. That doesn’t mean they should just leave confidential data and exit points unprotected and unsupervised. Don’t get me wrong! Maybe I’m just pointing out the obvious, but they should allow legitimate file transfers and block dangerous ones, instead of blocking the activity of all users. In one word: FILTERING.
With Data Loss Prevention solutions you can set filters at the endpoint level: filters by File Type (Word, Excel, PDF, PowerPoint, exe, jpg, etc.), filters by Personal Data (emails, phone numbers, SSNs, credit card numbers, etc.) and even filters by Custom Content (for instance, I can define a filter that will prevent all my users from sending files containing the word ‘dog’). You can basically control every word that goes out of the company network, whether by email, social media, instant messaging, file sharing applications, Dropbox, iCloud, USB drive, external HDD, CD/DVD, zip drive, etc., anything you can think of.
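To make the three filter kinds concrete, here is an added example (not code from this post or from any DLP product) of a minimal endpoint-style content filter: it blocks by file extension, scans for personal data with conservative regexes (and a Luhn checksum so that random digit runs are not mistaken for card numbers), and applies a custom-content term list. The policy values, the `check_transfer` function and the sample documents are all constructed for the example.

```python
"""Added example: a minimal endpoint-style outbound content filter.

It models the three filter kinds from the post (file type, personal data,
custom content) and returns an allow/block decision with the reasons.
All file names, policy values and sample documents are constructed."""
import re
from dataclasses import dataclass, field
from pathlib import PurePath

# Constructed policy: file types that may never leave the endpoint.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr"}

# Constructed custom-content terms (the post's "dog" example).
CUSTOM_TERMS = {"dog"}

# Personal-data detectors. The regexes are deliberately conservative so the
# filter produces few false positives on ordinary business text.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # US-style phone with mandatory separators, e.g. 555-867-5309 or (555) 867-5309
    "phone": re.compile(r"(?:\(\d{3}\)|\b\d{3})[ -.]\d{3}[ -.]\d{4}\b"),
    # US SSN, excluding the ranges that are never issued
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digit run with optional spaces/dashes; validated with Luhn below
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)


def scan_personal_data(text: str) -> dict:
    """Return {category: [matches]} for every personal-data pattern that fires."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        found = []
        for m in pattern.finditer(text):
            value = m.group(0)
            if name == "credit_card":
                digits = re.sub(r"\D", "", value)
                if not luhn_ok(digits):
                    continue  # looks like a card number but fails the checksum
            found.append(value)
        if found:
            hits[name] = found
    return hits


def check_transfer(filename: str, content: str) -> Verdict:
    """Decide whether a file may leave the endpoint, and record why not."""
    reasons = []
    ext = PurePath(filename).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"file_type:{ext}")
    for category, values in scan_personal_data(content).items():
        reasons.append(f"personal_data:{category}:{len(values)}")
    words = set(re.findall(r"[a-z]+", content.lower()))
    for term in sorted(CUSTOM_TERMS & words):
        reasons.append(f"custom_content:{term}")
    return Verdict(allowed=not reasons, reasons=reasons)


# Constructed sample transfers a DLP agent might see at the endpoint.
SAMPLES = {
    "customers.xlsx": "jane.doe@example.com, SSN 123-45-6789, card 4111 1111 1111 1111",
    "notes.txt": "Walked the dog, then called (555) 867-5309 about the invoice.",
    "order.txt": "PO number 1234 5678 9012 3456, ship by Friday.",
    "update.exe": "MZ...",
    "report.docx": "Quarterly revenue up 12 percent; headcount flat.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = check_transfer(name, body)
        print(f"{name:16} {'ALLOW' if v.allowed else 'BLOCK'} {v.reasons}")
```

The `order.txt` sample is the false-positive case: its 16-digit purchase-order number matches the card-number regex but fails the Luhn check, so the transfer is allowed, while `notes.txt` is blocked for both a phone number and the custom term. A real agent would run these checks on the decoded content of archives and office documents and on the clipboard as well, not just on plain text.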
My point is you have to be on the safe side without taking it to the extremes: hope for the best (security conscious, well-intended, employees) but expect the worst (be prepared to face any security threat).
We will talk more in depth about filtering and Data Loss Prevention in a future post. To Be Continued…
Law enforcement agencies worldwide are getting better at catching cybercriminals, scoring some big cybercrime busts and getting better at detecting and investigating data breaches. Officials worldwide detected five times as many breaches in 2011 as in 2010, according to new data in the Trustwave’s 2012 Global Security Report. About 33% of organizations with data breaches discovered the incidents when alerted by law enforcement, up from 7% in 2010. These good results for law enforcement are mostly powered by the work of the U.S. Secret Service, Interpol, the Australian Federal Police, and the U.K.’s Serious Organised Crime Agency (SOCA).
Only 16% of victim organizations detected hacking incidents on their own in 2011, while the other 84% only discovered them when alerted by outside entities, such as law enforcement, regulatory bodies, or a public venue. When the circumstances of the hacks discovered by third parties were analyzed, it turned out attackers had been active within the victim organization’s network for an average of 173.5 days before being detected.
Based on the many stories about data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and other third-party companies that deal with healthcare data, we could have guessed this is not even close to being a top sector when it comes to data security. A new report released by the Ponemon Institute now brings even further insight into the state of the healthcare industry, showing a spike in data breaches of over 30% and average annual costs of 6.5 billion US dollars.
The “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, identified employee error as one of the main causes of data breaches in hospitals and healthcare providers. These types of organizations in the healthcare industry suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft, an over 25 percent increase over 2010.
Only 55 of the data loss breaches have actually been reported
If you can’t stop data breaches, at least cover them up! This seems to be the data security code British authorities go by. Too bad for them there is something called Freedom of Information Act requests… A new report issued by privacy campaign group Big Brother Watch showed that councils across the UK experienced over a thousand data loss cases over a three year period – August 2008 to August 2011.
To get the information, the group sent 433 FOI requests to local authorities and councils across Great Britain and showed a shocking discrepancy between the reported fifty-something incidents and the harsh reality. Not only did BBW uncover the data mishandling cases, they also requested information on what happened to the employees of said councils (whether they had been disciplined, fired or prosecuted over the data breaches) and inquired about each council’s response to each incident.
A recently published study shows that database administrators don’t fully understand security. According to these fresh findings, database administrators and IT decision-makers in general admit to knowing very little about security issues like change control, patch management, auditing etc. This survey was conducted on 214 Sybase administrators belonging to the International Sybase User Group.
“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”
According to the report’s author, Unisphere Research analyst Joe McKendrick, the ISUG survey is the first released of a series of similar database security surveys being conducted across various database user groups, including those running other platforms such as Oracle and SQL Server.
Printed, stored on computers or on flash drives, your data is just not safe. Your personal details that you entrust to companies you work with, doctors and other third parties will just end up exposed. If you are lucky enough, they might get in the hands of someone who won’t use your address, social security number or card details to harm you on their quest to get fast and easy money. If you’re unlucky, your accounts will just turn empty one day, your identity will be used to commit felonies or crimes and you will have years of paperwork and bad credit records in front of you.
Let’s check the recent data breach news. We have a stolen computer that contained names, ages, addresses and medical conditions of 700 children. Next come rushing in: backup tapes and other media containing cord blood bank customer information stolen from a car, which ended up exposing about 300,000 records; and 113 patients’ names and Medicare numbers on a document stolen from a vehicle…
When one thinks of institutions like the British Ministry of Defence, one expects tight security. Tight as in you cross us once, we expect you not to cross us twice. Apparently, things go another way, as the MoD, quoted by V3.co.uk, says the number of data breaches it has been exposed to was 4 times higher in the past year.
The Ministry’s latest resource accounts show it suffered eight serious breaches in the 2008 to 2009 period, up from just two in the preceding year. The most serious case led to the loss of a portable hard disk from a contractor’s premises containing the names, passport information and bank account details of about 1.7 million individuals. That’s a big blow!
Other incidents included the theft of three USB sticks from “secure government premises”, which contained details of all RAF service personnel who served between 2002 and 2008 and some of their next of kin.
And in April last year, an unencrypted laptop was stolen from government premises containing the personal records of 300 people.
The MoD admitted that it had lost electronic equipment, devices or paper documents from outside government premises on 15 occasions, and in six instances they were lost from within government offices.