Guidelines for Mobile Security

Related entries in Business Security, Security Policy, Technology Advice, Theft Prevention

The National Institute of Standards and Technology (NIST) has released a new draft of recommended guidelines on cell phone & PDA security, helping companies to navigate this overlooked area of data security. Mobile devices pose an increasingly large risk to data security. Lost or stolen laptops are currently one of the main causes of data breaches, and as ever smaller mobile devices gain the same data access capabilities, the risk of a data breach resulting from a lost or stolen device grows with them.

Publication SP 800-124 provides an overview of mobile devices in use today and insights on addressing the IT security issues that arise from their use. Threats to handheld devices are greater because of their size & portability and the wireless services available to them. These two factors increase the risk of loss / theft, unauthorized use, malware, spam, electronic eavesdropping, electronic tracking, cloning and exposure of server-resident data.

The guidelines give many examples of these types of threats as well as safeguards that can be put in place. The safeguards suggested include:

  • Central management of devices - have organization-issued devices with a system to centrally configure and manage devices & their updates
  • User-oriented measures - teaching employees about procedures to follow using organization devices (understanding the security features & how to use them)
  • Authentication - require user authentication with PINs and passwords
  • Back up data
  • Reduce data exposure - avoid sensitive information being on, or accessed by, any handheld device. Encrypt any sensitive data.
  • Turn off wireless interfaces - minimize risk by only turning them on when needed
  • Add security software such as firewalls, antivirus, VPN, etc.

There are very detailed suggestions about how to centrally organize devices and their capabilities. Download the study here [PDF]: “Guidelines on Cell Phone and PDA Security (Draft).” In addition, you may wish to review the “Performance Measurement Guide for Information Security” Study [PDF].

Absolute Software also provides security solutions for handheld devices with Computrace Mobile. Check it out here!

Hat tip to Dan Lohrmann

IT Leaders Fear Data Loss on IM

Related entries in Security Policy, Surveys & Reports, Web Security

The results of a survey that Osterman Research did for FaceTime Communications indicate that nearly 40% of IT staff surveyed believe that unintentional leaks by employees pose a bigger threat to data security than spyware or malware. 57% of those surveyed believe their corporate data is not adequately protected from leaks via IM / unified communications.


Graph via: FaceTime Communications

And concerned they should be - the latest data indicates that data breaches are rising in 2008, not declining.

The new survey from Osterman & FaceTime covered 109 mid-to-large IT organizations in North America. Its aim was to understand current concerns and plans about leak prevention in communications technologies.

The survey also indicates that data security is a top priority for most companies (though not all, sadly). 48.6% of respondents consider information leak prevention for communication technologies like IM to be a top priority or to have existing plans in place to address security issues.

As Matt Hines of eWeek states:

So the big picture here appears to be that most IT departments are still scared as hell that they’re missing something in the old email, IM and FTP server world. And with the threat of physical theft of devices or people literally walking out the door with printed sheets or disks seemingly existing as the only other big areas for theft, one could assume that it seems that they’re pretty much still scared of messaging-based data loss in general.

For more resources & news on IM security, read up here:

Via eWeek, Market Wire

Outsourcing Email Marketing Increases Breach Risk

Related entries in Security Policy, Surveys & Reports

A new study from the Ponemon Institute has raised some major data security concerns in the UK. The study looked at email marketing practices and privacy, surveying more than 900 UK data protection and marketing professionals.

According to the study, the loss or theft of confidential data is “endemic” in the UK, with 61% of marketing professionals experiencing a data breach in the last 24 months. 90% of those data breaches went unreported. Respondents said they either felt they were not required to report the breaches to affected consumers, or were unsure whether they had to.

Firms that outsource marketing functions face an increased risk of data breach incidents. The survey found that breaches were 42% more likely to be attributed to third parties than to in-house personnel. For companies that outsource email marketing, the incidence of data breaches rises from 61% to 78%. This highlights the importance of having a strong data security policy that extends to all third parties.

Paul Bates, managing director of StrongMail UK, said: “A cavalier attitude towards outsourcing customer data to third-parties combined with complacent processes for keeping that data safe is a recipe for disaster. The fact is confidential customer data doesn’t travel well and providing it to third-parties for outbound marketing purposes can, as the research shows, be a risky proposition. This data is extremely valuable to most firms, and we advise them to think very carefully about how they keep it safe.”

Reducing costs was the primary reason to outsource online marketing campaigns, though firms admit that breaches have likely cost them new and existing customers.

The study indicated other troubling trends, including the sharing of personal information with third parties where this is not permitted.

View the Ponemon press release here [PDF] and the full study here.

Via Computer Weekly; image: Microsoft clipart

Verizon Data Breach Investigations Report

Related entries in Business Security, Security Policy, Surveys & Reports

Verizon Business has released a comprehensive study based on four years of data, entitled the “2008 Data Breach Investigations Report” [PDF]. They have also released a podcast to go along with the study (Part 1 here).

The study examines 500 forensic investigations and 230 million compromised records, covering hundreds of corporate data breaches. The report is very detailed and reveals a great deal of information that could help companies better understand the nature of data breaches.

The study found that:

  • 73% of breaches result from external sources (39% from business partners, a number that is growing steadily)
  • 18% of breaches result from insider threats
  • Most breaches result from a combination of events, not a single hack or intrusion
  • 62% of breaches were attributed to significant internal errors
  • For deliberate breaches, 59% were from hacking and intrusions
  • 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
  • 90% of breaches involved an “unknown” system, data, network connection or user account
  • 75% of breaches are discovered by a third party, not the victimized organization
  • In 59% of data breaches, security policies and procedures existed but were not implemented
  • 66% of breaches involved data the company did not know was on their system

The study indicates that many data breaches are avoidable, and steps should be taken to prevent them. Dr. Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, says that companies must be “proactive in their approach to security — [it is] the absolute key to safeguarding data.”

Have a policy and implement it. Know what data you have and who has access to it. Monitor event logs. And have an incident response plan. Increase awareness, keep staff well trained, and run drills.

Via databreachwatch.org, CNET

Obama Works on Web Security

Related entries in Government Security, Security Policy

Barack Obama has been a leader in his use of “web 2.0” techniques in his presidential campaign. With the presidential nomination secured, his campaign has a larger target on it than ever, and it is now hiring a web security expert.

Barack Obama’s website was built by Facebook co-founder Chris Hughes and hinges on social networking. While this has been important in driving the majority of the campaign’s contributions, it also opens up more avenues for attack. The site was hacked two months ago, and a similar attack could cost the campaign millions of dollars if it escalated into a full data breach. Such an attack would also tarnish the reputation of Obama and his staff at this crucial time.

“Attacks like SQL injection would be far more of a concern,” said Oliver Friedrichs, a director with Symantec Security Response who has written about computer security and the 2008 presidential election. “If I was able to get access to the database that houses their donor information, that would be very concerning.”

Although Internet security is taken seriously in all political campaigns, Obama has used his website (for the first time in political campaign history) to advertise for a web security expert. The expert would be responsible for analyzing network architecture, overhauling existing security systems, developing a strategy to respond to attacks, and managing “the security posture of the online campaign.”

If you were a supporter of Barack Obama, would you be deterred in your vote by any web attack or breach?

Does Barack’s advertisement of the job position help him appear more transparent or authentic?

Via intergovworld

Mobile Data Management Policy

Related entries in Laptop Security, Security Policy

IT Pro put together a great feature on how to create a mobile data management policy. With more smartphones entering the marketplace, more employees will be looking for a way to use this convenient mobile technology for work. But that poses security challenges that businesses must address. So, when it comes to mobile technology (from smartphones to laptops), having a security policy in place is of vital importance to data security.

Your security policy should be generic enough to be easily understood and followed by all employees. An audit of what kinds of devices are currently in use (and what information they’re accessing) is the first step to understanding what kind of security policy you need. The audit will also reveal the operating systems that your mobility security suite will need to manage. After that, you can expect your security policy to include things such as:

  • What to do if a device is lost
  • Incentives for people to report lost devices quickly
  • Which devices can connect to office equipment / data, and which cannot
  • What type of data can be accessed
  • VPN support for mobile devices
  • A procedure for wiping data off lost devices
  • Secure disposal procedures for old devices
  • Allowing users to register their own devices, provided they are wiped when the employee leaves the company
  • What applications can and can’t be installed
  • Requirements for strong passwords and encryption

A way that you can easily manage smartphones and follow these tips is by using Computrace Mobile. As part of the Computrace suite of products, it uses the same Computrace Agent that lets you inventory your mobile population, and it offers remote data delete capabilities. You can find out more about it here.

An effective mobile security policy will balance the benefits of productivity with costs and data security needs. You can read more great tips here.

image: dpawatts @morguefile

Absolute Software Webinar on June 11

Related entries in Absolute Software, Laptop Security, Security Policy

Absolute Software will be holding a one-hour webinar on June 11th about Laptop Management and Data Breach Prevention. The webinar will present first-hand experiences of Allina Hospitals and Clinics, including a 75% recovery rate on its stolen computers. Computer manufacturer Lenovo will also discuss best practices for managing laptops.

Learning outcomes include:

  • Gaps in current notebook security programs
  • The importance of remote data delete and theft recovery capabilities
  • Common misconceptions about encryption on laptops
  • How notebooks can be managed when off the LAN
  • How Computrace works on Lenovo notebooks

To register for the webinar, go here.


Orphaned Accounts an IT Security Risk

Related entries in Business Security, Security Policy, Surveys & Reports, Theft Prevention

A new survey released by Symark and eMediaUSA highlights the security vulnerabilities associated with orphaned accounts. Orphaned accounts are user accounts that remain active after an employee has left a company. The study reveals that 42% of businesses do not know how many orphaned accounts they have, and 30% have no procedure to locate and remove them.

The survey polled 800 security, IT, HR and C-level executives across all industries about orphaned accounts and the processes in place to find and remove them. When an employee leaves an organization, IT and security administrators should make it a priority to shut down that person's access immediately. However, many IT staffers are overworked and this step is overlooked. Failure to terminate employee access leaves holes in security that hackers or malicious insiders can exploit.

Other findings from the survey:

  • 27% of respondents say that more than 20 orphaned accounts exist in their organization
  • 30% say it takes more than 3 days to terminate access; 12% say it takes more than a month
  • More than 38% have no way to know whether an orphaned account was used to access information
  • 15% said an orphaned account has been used to access information at least once

The survey indicates, at the very least, that there is a hole in IT security that needs to be patched. In some cases, it is clear that orphaned accounts are still being used, and this is a significant risk to security.

“Controlling access to proprietary systems and information continues to present an IT security challenge… gaps in access and entitlements control — and the significant audit defects resulting from them — are one of the concerns most frequently mentioned in focus interviews,” said Scott Crawford, research director at Enterprise Management Associates.

Larger companies face more complex challenges in managing employee access. Limiting access, and revoking it when an employee leaves the company, is a vital step to ensuring data compliance. Policies and technologies should be put in place that can manage and revoke user access easily.

If your company were surveyed, how well would you fare with these questions? Are there orphaned accounts you may not even realize you have?
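One way to answer the survey's own three questions for your directory, as an added example (not from Symark, eMediaUSA or the post): join an HR separation feed against an account export, flag accounts still enabled after the last working day, measure how long they have stayed open, and check whether any logged on after the employee left. The HR_SEPARATIONS and DIRECTORY records are constructed sample data.

```python
"""Orphaned-account check: HR separation list joined against a directory
export. Added example; the records below are constructed, not real accounts."""
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: users who have left, with their last working day.
HR_SEPARATIONS = {
    "alice": date(2008, 3, 14),
    "bob": date(2008, 5, 30),
    "carol": date(2008, 4, 2),
}

# Constructed directory export: account state and last successful logon.
DIRECTORY = [
    {"user": "alice", "enabled": True, "last_logon": date(2008, 5, 20)},
    {"user": "bob", "enabled": True, "last_logon": date(2008, 5, 29)},
    {"user": "carol", "enabled": False, "last_logon": date(2008, 4, 1)},
    {"user": "dave", "enabled": True, "last_logon": date(2008, 6, 1)},  # current staff
]

TODAY = date(2008, 6, 2)  # constructed report date


@dataclass
class Finding:
    user: str
    days_open: int          # days the account stayed enabled after separation
    used_after_exit: bool   # a logon was recorded after the last working day


def find_orphaned(hr, directory, today):
    """Return every enabled account whose owner appears in the HR separation feed."""
    findings = []
    for acct in directory:
        left = hr.get(acct["user"])
        if left is None or not acct["enabled"]:
            continue  # still employed, or access already revoked
        findings.append(Finding(acct["user"], (today - left).days,
                                acct["last_logon"] > left))
    return findings


def summarize(findings, sla_days=3):
    """The survey's questions: how many orphans, how many past the revocation
    SLA (3 days, matching the survey's threshold), how many used after exit."""
    return {
        "orphaned": len(findings),
        "over_sla": sum(f.days_open > sla_days for f in findings),
        "used_after_exit": sum(f.used_after_exit for f in findings),
    }


def report(today=TODAY):
    return summarize(find_orphaned(HR_SEPARATIONS, DIRECTORY, today))


if __name__ == "__main__":
    for f in find_orphaned(HR_SEPARATIONS, DIRECTORY, TODAY):
        print(f"{f.user}: enabled {f.days_open} days after exit, "
              f"logon after exit={f.used_after_exit}")
    print(report())
```

Accounts that turn up here with used_after_exit set are the ones to treat as an incident rather than a housekeeping item, since the survey found 15% of organizations had already seen exactly that.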

Via TechTarget, Business Wire; image: anitapatterson @morguefile

Trusting Contractors with Laptops

Related entries in Absolute Software, CompuTrace, Laptop Security, Laptop Tracking, Security Policy, Theft Prevention

CSO Online’s Michael Overly has a good article about businesses trusting their sensitive information to consultants, and what best practices to follow. The first guideline: do not let your consultant store any of the information on a laptop.

There are practical considerations that make it difficult to ban the use of laptops in all situations. Consultants may need to move from site to site easily, with constant access to the data. One solution is to provide the laptops to the consultant yourself, so that you can be satisfied with the security systems in place. When that is cost-prohibitive, here are some suggestions offered for a laptop security policy to enforce with contractors:

  • WiFi access should be limited to approved secured means, and used only when necessary
  • Hard disk must be encrypted
  • All ports on laptops to be disabled
  • Strong authentication required (e.g. biometric)
  • Security software installed and kept up-to-date
  • Secure and irreversible erasure of data to be enforced at end of data-use period
  • Tracking software with remote data delete should be used (like Absolute Software’s Computrace products)
  • Breach notification protocols should be in place in the event that the laptop goes missing

You can read more suggestions here.


Data Breaches Undermine EHR Adoption

Related entries in Data Breach, Health Security, Security Policy, Surveys & Reports

The number of data breaches in the health care sector could undermine the health care industry’s efforts to promote widespread adoption of Electronic Health Record Systems (EHRs).

The latest Wall Street Journal reports that the number of people who can quickly access EHRs has raised privacy concerns, but many hospitals have been reluctant to restrict access that would create barriers to care delivery.

"The internal [hospital] mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system." - Jill Dennis, Senior VP, American Health Information Management Association

In order to increase security while balancing the need for fast and widespread access to information, many hospitals are encrypting their computers and increasing employee education about privacy. Other hospitals may limit the kinds of information that employees can access. As more information becomes available to more employees, time will tell how successful these efforts are.

Some recent medical data breaches:

Via iHealthBeat, Wall Street Journal (4/29), Attrition.org; image: wax115 @morguefile