10-Year-Long Breach at City College of S.F.

We know that approximately 5% of data breaches take years to discover. Just this month, for example, the City College of San Francisco discovered an “infestation” of computer viruses that had been leaking data for more than a decade. Investigation of the initial security alert found that the viruses had been lurking on college computers since 1999. Not all systems have been analyzed yet.
According to what is known already, each night several viruses would troll college networks and transmit data to sites in Russia, China and several other countries. Computers all across campus have been infected and it is likely that personal computers and data devices connected to the college network in the last 10 years have also been affected.
“We may never know the full extent of the damage, and how many lives have been affected by this,” CTO Hotchkiss told three college trustees Thursday evening who met to discuss school buildings and technology issues. “These viruses are shining a light on years of (security) neglect.”
The college is currently attempting to trace the extent of the breach and will attempt to notify affected individuals.
According to the news report, the City College of San Francisco was particularly lax in its security policies. For example, passwords for computer systems had not been changed in more than 10 years, and both the technologies and the policies for protecting information were years in arrears.
Zappos Breach: Protect Your Information

Zappos recently announced that they had been the victim of a cyber attack and that their 24+ million customers would be contacted about the incident. The database accessed did not include credit card or payment data and Zappos has already performed a reset on customer passwords. The breached information included name, e-mail address, billing and shipping addresses, phone number, the last four digits of a credit card number and/or the cryptographically scrambled password (not actual password).
As we know from earlier articles, passwords, while not a “primary” source of information, can still be quite lucrative for cyber criminals. Given that many people re-use passwords across websites, a stolen password could potentially grant access to banking information or other personally identifiable material used for fraud or identity theft. While Zappos has taken the precaution to encrypt their passwords, encrypted passwords are still sought after by cyber criminals in the hopes that encryption can be broken.
As outlined on Forbes, identity theft is still a threat from this breach and consumers should take precautions to protect their information. From a corporate perspective, a consumer breach this large could compromise business passwords, so it may be a great time to encourage a password reset with renewed training on the importance of password security.
Healthcare Industry: Primed for a Large Data Breach

As we shared earlier this month, healthcare breaches in the US are on the rise: up 32% over the previous year. Larry Ponemon, chairman of the Ponemon Institute, discussed these findings with Government HealthIT, alongside Rick Kam of ID Experts, saying that a “data spill” in healthcare could be more damaging than what BP faced after the oil spill in the Gulf.
According to Dr. Ponemon, the street value of health information is 50 times greater than that of other types of data. Given that the data show the healthcare industry to be the weakest at protecting its information, this is troubling.
Dr. Ponemon and Rick Kam both believe that, given all the risks and increased attacks, the industry is ‘ripe’ for a big data heist, a “data spill”. The industry currently spends $6.5 billion on data breaches. That same amount of money could, for example, pay the yearly salaries of more than 81,000 nurses.
The article discusses some of the reasons that data breaches are growing – in general as well as in healthcare – and some of the nefarious uses that healthcare data can be put to. Perhaps more importantly, the article looks at why healthcare information breaches are so damaging – and impossible to recover from. It’s an insightful read for anyone, particularly those working in healthcare.
Consumerization of IT Creates Blindspots
A recent survey by Compuware, the International CIO Study on the Impact of IT Consumerization, reveals that services such as cloud computing, alongside the consumerization of IT, are creating “blind spots in IT management.”
The survey questioned 520 CIOs of big corporations across the US, UK, France, Germany, Italy, Benelux, Australia and Japan. The survey shows that CIOs fear the increased risks that come along with the consumerization of IT, social media and mobility, as well as models such as cloud computing and SaaS.
Insights from the survey:
- 77% of CIOs worry that further consumerization of IT will lead to greatly increased business risks
- A lack of transparency into the performance of cloud and SaaS providers is currently reversing IT maturity across 64% of enterprises
- 64% of CIOs say support for employee mobility is almost impossible due to reliance on external networks, making it much harder to control performance and the end-user experience
- The consumerization of IT trend is already driving unrealistic expectations around the role of IT in 74% of enterprises
- 64% of CIOs say that enterprise mobility projects are forging ahead without the full involvement of IT
The survey shows that IT is not well connected with business drivers and this is leading to a great deal more risk. When end users bypass IT, security becomes uncontrollable. It’s clear that companies will need to take steps to become more proactive in order to mitigate these risks.
Hat tip to Network World
Insights from Data Security in 2011

Just as we have summarized 2011 in terms of data breaches, and talked about some of the breakdowns of those stats, Trend Micro has put together a report on 2011, Information is Currency, highlighting how 2011 was the “Year of Data Breaches.”
The report looks back at some of the predictions prior to 2011 and what we saw throughout the year. Insights include:
- Targeted attacks were prevalent and costly
- Mobile threats are maturing
- Malware targeted social networks
- Reported exploited vulnerabilities went down overall
- Hacktivism became a large, unforeseen issue in 2011
The report looks in more depth at what we can learn from 2011. A great read for planning into 2012.
Hackers Lead US Data Breaches in 2011

According to an upcoming study from the Identity Theft Resource Center (ITRC), previewed in advance by Information Week, 419 breaches were publicly disclosed in the US for 2011 affecting 22.9 million records*. Of those breaches, hack attacks were the leading cause of data breaches for the year, responsible for 26% of all known data breach incidents.
Following hack attacks, lost “data on the move” accounted for the second largest sector of breaches in 2011 (18%). Data on the move includes data storage devices, laptops or paper reports that were lost or stolen in transit. Insider theft accounted for another 13% of reported data breaches.
The data for 2011 indicates that malicious attacks, combining both insider theft with malicious hack attacks, accounted for 40% of known breaches. Breaches that were the result of accidents accounted for 20% of known breaches. Non-financial and healthcare groups saw the greatest incidence of insider theft and non-financial businesses were also the target of the greatest number of hack attacks.
If you break down the data breaches by sector, Government and Armed Services exposed 44% of all exposed records, non-financial businesses (33%), medical and healthcare groups (16%), educational institutions (4%), and banking, credit and financial firms (3%). When it comes to data breaches, 81% of the 22.9 million exposed records included Social Security Numbers.
*Only 52% of disclosed breaches detailed the number of sensitive records exposed. Records not deemed ‘sensitive’ (financial or SSN related), and breaches left undisclosed or undetected, would seriously inflate these figures.
Disposal of IT Assets: Review your Policy

With the introduction of new devices into the workplace this year, both BYOD and internal device upgrades, it’s a good time to take a look at your physical data management practices to ensure that old devices are being disposed of safely.
As noted in our post on establishing a Document Retention Policy, you want to be sure that papers and CDs are shredded and that old electronic devices are properly purged of data.
For end-of-life IT assets, it’s important to properly dispose of items versus simply placing them in storage or throwing them out. Devices left in storage are often unattended and are at risk for theft or loss. Throwing out devices, particularly small ones like flash drives, is not a safe data disposal practice. In addition, recycling or refurbishment and resale of devices is a more environmentally-friendly approach to IT asset disposal.
Simply deleting data files will not permanently remove the information; dedicated wiping software is required. Run your hard drive disk wipe and data cleaning tool for several passes so that the whole disk is overwritten with random data.
There are companies that specialize in data destruction, refurbishment and resale: IT asset recovery companies. If you use such a company, or do the data wipe on your own, you should ensure that a forensic analysis is done on the device to confirm the data wipe. If data was not fully erased, destruction should be an option. You should keep records of your devices and the process of data destruction for a proper IT asset audit trail.
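The wipe-then-confirm step described above, as an added example that is not code from the original post: a multi-pass random overwrite of a file-backed "disk image" followed by a verification pass that plays the role of the forensic check. The file stands in for the device so the example runs offline (my assumption, not the post's); the same loop applies to a block device, and an SSD additionally needs its firmware secure-erase command because remapped flash cells cannot be reached by overwriting. A wipe that stops early is included to show why the confirmation pass matters.

```python
"""Added example, not code from the original post: overwrite a file-backed
"disk image" with random data for several passes, then verify the result
the way a forensic check would (is the known content gone, and does the
medium now look like random fill?).

Assumption (mine, not the post's): the device is an ordinary temp file so
the example runs offline.
"""
import os
import tempfile

# Constructed sample of recognisable sensitive content on the "device".
MARKER = b"SSN 000-00-0000;"
IMAGE_SIZE = 256 * 1024


def make_image(path: str, size: int = IMAGE_SIZE) -> None:
    """Fill the image with repeated records so the marker is easy to find."""
    with open(path, "wb") as f:
        f.write((MARKER * (size // len(MARKER) + 1))[:size])


def overwrite_image(path: str, passes: int = 3, chunk: int = 64 * 1024,
                    fraction: float = 1.0) -> int:
    """Overwrite the first `fraction` of the image with random bytes,
    `passes` times, syncing each pass to disk. Returns bytes written per
    pass. `fraction < 1.0` simulates a wipe tool that stopped early."""
    size = os.path.getsize(path)
    to_write = int(size * fraction)
    for _ in range(passes):
        with open(path, "r+b") as f:
            remaining = to_write
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return to_write


def verify_wiped(path: str, marker: bytes = MARKER) -> bool:
    """Forensic-style check: the marker must be gone and the content must
    look like random fill (essentially every byte value present)."""
    with open(path, "rb") as f:
        data = f.read()
    if marker in data:
        return False
    return len(set(data)) >= 250


def wipe_and_verify(passes: int = 3, fraction: float = 1.0) -> dict:
    """Run the whole procedure in a temp file and report each check."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        before = verify_wiped(path)          # False: data still present
        overwrite_image(path, passes=passes, fraction=fraction)
        after = verify_wiped(path)
    finally:
        os.remove(path)
    return {"verified_before_wipe": before, "verified_after_wipe": after}


if __name__ == "__main__":
    print("complete wipe:", wipe_and_verify())
    print("wipe that stopped at 90%:", wipe_and_verify(fraction=0.9))
```

The verification pass is the part to keep from this: a wipe that exits early leaves the tail of the medium intact, and only reading the device back reveals it, which is exactly why the post asks for a forensic confirmation before a device is resold or recycled.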
Enterprise Password Practices

Imperva has released a study on Enterprise Password Worst Practices as a sequel to a study they did two years ago on consumer password practices. The aim of the report is to show how businesses can upgrade their password security practices.
“Instead of consumers, we believe responsibility rests on enterprises to put in place proper password security policies and procedures as a part of a comprehensive data security discipline,” explained Imperva CTO Amichai Shulman. “Passwords should be viewed by security teams as highly valuable data. We hope this paper guides enterprises to rectify poor password management practices.”
The study looks at:
- how hackers bypass the security controls that protect passwords
- popular resources hackers employ
- steps to mitigate password breaches
There are some great recommendations in the study on changing your password policies, using encryption and using passphrases.
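The Zappos item above noted that “encrypted” passwords are still worth stealing in the hope that the protection can be broken, and the Imperva study recommends encryption and passphrases. This added example (not code from the original post or from Imperva's report) shows the storage practice that makes a stolen password table expensive to attack: a random per-user salt and a deliberately slow key derivation, with constant-time verification. The weak pattern, one fast unsalted hash, is shown beside it so the difference is visible. PBKDF2-HMAC-SHA256 with 200,000 iterations and the "pbkdf2_sha256$iterations$salt$hash" record format are my assumptions, not anything the post or the report specifies.

```python
"""Added example, not code from the original post or from Imperva's report:
store a passphrase with a salted, slow key derivation and verify it in
constant time, next to the unsalted fast hash that makes stolen password
databases worth stealing.

Assumptions (mine): PBKDF2-HMAC-SHA256, 200,000 iterations, a 16-byte random
salt, and a constructed "pbkdf2_sha256$iterations$salt$hash" record format.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000
SALT_BYTES = 16


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
    """Derive a salted, slow hash and pack it with its parameters so the
    iteration count can be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                             salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_passphrase(passphrase: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant
    time so response timing leaks nothing about the stored hash."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_fast_hash(passphrase: str) -> str:
    """The weak pattern: no salt, one fast hash. Every user who picked the
    same password gets the same digest, so a single precomputed table
    matches all of them at once."""
    return hashlib.sha256(passphrase.encode("utf-8")).hexdigest()


def salted_digests_differ(passphrase: str) -> bool:
    """Two users with the same passphrase get different stored records."""
    return hash_passphrase(passphrase) != hash_passphrase(passphrase)


if __name__ == "__main__":
    record = hash_passphrase("correct horse battery staple")
    print(record)
    print(verify_passphrase("correct horse battery staple", record))   # True
    print(verify_passphrase("Correct horse battery staple", record))   # False
    print(unsalted_fast_hash("Password1") == unsalted_fast_hash("Password1"))  # True
    print(salted_digests_differ("Password1"))                           # True
```

The iteration count is stored with each record on purpose: when hardware gets faster, new records can use a higher count and old ones can be re-hashed at the user's next login, which is the operational form of "changing your password policies" without forcing a reset of every account.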
Check out the report here or the corresponding consumer report here.
Absolute Manage 6.0.1 Released

Building upon the last major release of Absolute Manage, we released Absolute Manage 6.0.1 at the Consumer Electronics Show (CES) this week.
Absolute Manage offers the only single, unified console that natively enables IT administrators to efficiently manage all of their Mac, PC, Android and iOS devices by automating time-consuming IT processes such as software distribution, patch management, asset inventory and management of applications and licenses. All of these features, and more, allow IT managers to quickly respond to security incidents.
Absolute Manage includes AbsoluteSafe, allowing IT administrators to securely distribute sensitive or confidential files to iOS devices including security options to block the file from being copied or emailed, as well as password protect files. With sophisticated functionality, you can implement the tightest document / media security available on the market today. Learn more about AbsoluteSafe in this video.
Here are some photos we took while at CES this past week!
Larry Seltzer of @Byte views a demo / LA County Sheriff stops by the Absolute booth
Healthcare Data Gets Complicated in 2012

If you’re in the healthcare field, you can expect that 2012 will bring more complications when it comes to data security: increased risks, increased regulatory expectations and greater reputation fallout for breaches.
According to these predictions for 2012 in healthcare data, healthcare data breaches could reach “epidemic proportions” unless action is taken.
Here is a summary of some of the predictions:
- Mobile device risks on the rise in healthcare
- Class-action litigation on the rise in healthcare
- Social media risks on the rise in healthcare
- Cloud computing agreements will increase liability risks
- Reliance on partners will increase, carrying new data risks
- Increased enforcement of HIPAA
For more on these predictions and others, read here.

