Archive for March, 2007

Bob Brown of Network World addresses the fear of reporting data breaches. The fear is valid. If a breach is handled incorrectly, it can indeed damage your company’s reputation. However, the fear should not paralyze your ability to take action. Instead, it should compel you to work hard to improve your security and rebuild your brand.

The greatest fear in reporting a data breach is that it will doom your company. That consumer reaction will be so severe as to never recover from it. However a reporting breach does not mean the end of your brand. You can recover. There are positive actions you can take to mitigate the damage.

Suggestions for the best outcome after a data breach include: learning from competitors who have had breaches, talking with partners to avoid finger-pointing, involving decision makers in the breach notification and the ability to search data to tell whose data is whose.

CSO Online also gives some sage advice in responding to data breaches:

• Accept that security issues will happen
• Accept that you will be sued
• Ensure your customer notifications are clear and accessible
• Be willing to shift strategies
• Initiate dialogue with your critics

The last point is critical to recovering from any tarnish to your reputation. By communicating with your critics on an ongoing basis, you will slowly recover. Listening and responding productively are two very important skills to have.

Tags: data breach, data breach recovery, fear of data breach, security breach, reputation management

Computerworld’s security blog talks about Six Ways to Stop Data Leaks. I have taken the liberty of renaming it "avoid" data leaks in my own title, since security breaches are more than likely to occur even with the use of best practices. Nonetheless, we should take the precautions offered in the article.

These six tips will help you prevent data leaks from within the firewall – breaches and misappropriations of data by your employees.

1. Get a handle on the data – know where sensitive and proprietary data is within your network. Categorize data and choose controls for each categorization.
2. Monitor content – you can be connected to any number of networks, so monitoring the flow is important. This can include using software to inspect and/or encrypt email, P2P, IM, and FTP.
3. Monitor database access and activity. Encrypt sensitive information.
4. Limit privledges – monitor access and set controls on who sees what. Have alerts for unauthorized uses. Enforce your policies.
5. Cover endpoints – laptops, jump drives, etc. This goes back to #2 and being able to see an audit trail of how data is being used and by whom.
6. Centralize intellectual property data – making it easier to keep secure.

There are software solutions now that will help you with every step of your security efforts. Securing data is becoming increasingly complex, but also increasingly important.

Tags: data leaks, data breaches, securing data, data security, network security

CNN warns us of the potential security threat posed by photocopiers. Not by copied pages, per se, but by the data drives inside photocopiers.

Most photocopiers made in the last 5 years have disk drives – data storage – used to copy documents. Most photocopiers now are all-in-one models: print, scan, fax, and photocopy. Many of the functions that made these actions different have now been streamlined. Some models even have the ability to edit the scanned text using optical character recognition – OCR.

What does this mean for security? Simply that there is another piece of technology able to read and store secured information. Anything from tax returns at the government level to internal memos at the corporate level.

Just like with any data disk, photocopier data disks should be encrypted. Additionally, the material stored should be overwritten when the task is completed.

Sharp Document Solutions Company of America issued a security warning earlier this month to warn of the potential threat. The company conducted a survey which indicated more than half of Americans did not know copiers posed a security risk.

Daniel Katz-Braunschweig, of DataIXL, lists digital copy machines as a data hole corporations should try to protect.

Tags: security threat, photocopier data threat, data threat, data loss, copier security threat

Absolute Software has a growing track record of protecting and recovering laptops in the education field. We’ve compiled a list of some of our more interesting recovery stories.

Like in California, where 13 laptops were stolen from a private school. When one went online, Absolute Software tracked it down – and there, the police found the laptops… and $100,000 in stolen goods!

For more great recovery stories, read our press release here [PDF].

Tags: absolute software, education, laptop recovery, laptop security, laptop security schools

Bill Gates is pushing for a privacy reform at the federal leval. Gates, who has been a strong lobbyist through the Bill & Melinda Gates Foundation, is now lobbying for an "all-inclusive" consumer privacy and security law to be enacted by the end of 2007.

In a speech earlier this month at the Center for Democracy and Technology, Gates encouraged transparency about data collection and use, suggests that users have access to their own data, to correct said data, and giving users a say on what companies need to do if a breach occurs.

Gates, and other companies and lobbyists, are encouraging a privacy law at the federal level to overcome the disparate and uneven state security laws.

Senator Patrick Leahy, also in attendence, is continuing to pursue his Personal Data Privacy Act which would impose fines – or prison time – on intentional concealment of a breach which results in fiscal damages. Leahy notes the important balance of new technology nevelopment with privacy & security:

"I don’t want to stop the technologies, I want to protect our privacy, I think we can do both."

Read more about the Personal Data Privacy Act legislation here.

Sources: ZDNet, InternetNews.com, Computer World

Tags: bill gates, privacy, privacy act, personal data privacy act, security, patrick leahy, privacy lobbyists, national privacy act, national security act, technology

According to Forbes, and a press release issued yesterday, Empire Blue has lucked out.

Back in January, Empire Blue Cross Blue Shield lost a CD containing unprotected personal data (health and ID) for 75,000 members. Wendesday, it was found.

The CD was sent via UPS from a third party vendor to Magellan Behavioral Health services, and was lost in transit. The CD has now been found, although where it was found, and whether privacy information has been breached, was not mentioned. Empire is offering free credit monitoring for a year to those members who may be affected – a cost to the company of about $179 per customer. If all 75,000 members accepted this credit monitoring, you can see how costly this could get.

Empire Blue had a standard for encryption of data that was not followed. The standard is now being raised to remove CDs entirely from the process of data transfers. Confidential information may now be sent only via encrypted email or a secured website.

More often that we care to realize, we burn CDs or send emails without regard to the encryption of data. The data we store on our computers is vulnerable in many ways to data breach and we should be more sensitive to all the ways we store and transmit that data.

Tags: empire blue, empire, empire blue cross blue shield, data breach, data loss, encryption, data transfer

Absolute Software has now surpassed one million customer subscriptions!

Absolute Software yesterday announced that, as of February 28th, it has surpassed one million active customer subscriptions. Thanks to all our customers who have trusted Absolute to protect and recover their laptops since 1993.

What’s the next goal? 3 million customer subscriptions by June 30, 2009. Here is what John Livingston, our CEO, has to say about the next goal:

"On the heels of our recent OEM agreements, strong growth in all our market segments, growing data privacy concerns, and embedded BIOS support in more than 30 million laptops shipped annually worldwide – we believe we are positioned to achieve this new three million customer subscription goal.”

One million laptops are currently protected by Absolute Software. And here’s a fact: the average theft rate for computers in corporations is 3.5% to 5%. With Computrace, the theft rate drops to 0.5%. There’s even a guarantee if you use Absolute’s flagship ComputraceComplete product.

Press Release Link [PDF]

Tags: absolute software, laptop security, corporate news, absolute, computrace

The Consumer Reports Electronics Blog’s Donna Tapellini outlines some great ways to keep your new Windows Vista PC safe. Although Vista is being advertised as more safe, with included antispyware, steps should always be taken to protect your data more aggressively.

Donna suggests that you first update any existing security software you may have – check vendor sites for Vista upgrade availability. Preferably do the security upgrade before upgrading to Vista.

The following vendors/products have Vista upgrades available for free:

BitDefender Antivirus & Internet Security, Computer Associates Antivirus, F-Secure Security & Antivirus (beta only), Kaspersky Antivirus & Internet Security, McAfee 2007, Symantec Norton Internet Secuirty, AntiVirus and Confidential, Trend Micro Internet Security & Antivirus, ZoneAlarm Identity protection (beta only).

Absolute Software’s products are all Windows Vista compatible, for any new install. If you are upgrading to Vista, we recommend you log into your account, uninstall the agent, and do your Vista upgrade. Then, you can log into your account again and reinstall – a process which will ensure you have the very latest version.

Tags: windows, windows vista, vista security, security, laptop security, pc security, windows vista upgrades

Airports may be more of a threat for laptop security – and data theft – than you realize.

The BBC’s "The Real Hustle" reports that 10% of laptop thefts occur at airports in the UK. This includes theft as well as loss. The television show, which ran a segment on laptop theft, showed just how easy it is to heist laptops at the airport.

Aside from theft & loss, there is another area of concern. Customs officials have the right to review your laptop’s data, download it, and keep it indefinitely.

From the New York Times:

• At U.S. Borders, Laptops Have No Right to Privacy
• To Do List: Rename Laptop Files ‘Grandma’s Favorite Recipes’

A court ruled in July that US Customs Officials can seize and hold laptops, indefinitely, without probable cause or a warrant for the purposes of "forensic analysis." At least one federal court, in California, has spoken out against this and ruled that reasonable suspicion be determined.

The Association of Corporate Travel Executives met in October to ask the government for better guidelines so that corporate travel policies can be redeveloped. Where is the data kept? Who has access to it? Is it ever destroyed? These are important questions when it comes to proprietary data.

The ACTE recommends that companies cut back on the amount of proprietary information that employees carry on laptops when traveling. Encrypt your data to protect against theft. Minimize your data to protect against seizure.

Via PC Blade Daily ; Tags: laptop security, airports, laptop inspection, data breach, acte, laptop seizure, laptop customs

A report by the IT Policy Compliance Group looked at the leading causes for data loss. Human error accounts for 75% of these losses – half of these by user error, a quarter by policy violations. One in seven losses is due to laptops being lost or stolen.

Nearly 68% of 201 companies audited by the IT Policy Compliance Group are breaching data more than 6 times a year and 20% of companies are breaching data at least 22 times per year.

The survey found that those companies which considered security data the most highly had the least chance of breaching sensitive data – their priorities simply indicated a greater attention to security threats. Companies that prized financial data first, placing security data at a lower regard, had higher sensitive data losses.

They’re using everything but the kitchen sink to protect data, including Internet threat controls, network access controls, database access controls, IT asset management tracking and configuration management. – eWeek.com

The report examined the "real" cost to losing data. A company that has had to publicly report a data breach has had to pay 8% per customer to report the loss – $100 per customer on average – and an additional 8% is lost in revenue earned.

Not all companies, clearly, are taking security seriously enough. Priorities need to shift. Security and data breach prevention should be considered vital – customer data, employee data, financial data, and security data is all private, and every means possible to keep it that way will help prevent losses.

Tags: it policy compliance, itpcg, sensitive data, data loss, data breach, security, data security