1. Business data is everywhere – and it’s on the move
2. Exposed data carries high costs & consequences
3. Only encryption can secure all your data, wherever it is
4. An enterprise-wide data encryption strategy reduces the risk of data breaches
5. Enterprise data protection liberates your business

As we’ve said before, encryption is only one piece of the data security puzzle and is not the only solution to all your security needs. For example, Absolute Software’s Computrace Complete can provide additional security in the form of IT Asset Management & Data & Device Security, such as tracking and remotely wiping missing devices. A comprehensive security policy will do a risk assessment and decide on which security tools are important to your corporate needs.

My favorite section in the brochure deals with the 5th Truth, and how a comprehensive security system will enable a business to protect all its data, all the time, wherever it is stored and however it travels. You can get the guide here.

Heartland CEO, Robert Carr, is now opening up about the security breach, hoping other companies can learn from their experiences.

Carr believes that PCI compliance auditors failed the company, that they believe it was right to inform customers of the breach before the media, and how other companies can learn from all these issues.

Essentially, Carr says the QSA (Quality Security Assessor) audits of their systems were of no value, since they were unable to detect the security holes that were exploited.

“To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware.”

Carr was surprised to learn that others knew of this attack vector and that the information had not been shared. Carr says he now understands the “limitations of PCI” and the assessment process. The problem with any set of standards, in any industry, is that it can lead companies to a false sense of security, meeting those compliance measures, if those measures are not kept up to date. Heartland learned the hard way that “PCI compliance doesn’t mean secure.”

In the rest of the interview, Carr shares how Heartland has spent $32 million to upgrade their security at all levels, making sure that data is secure and encrypted wherever it resides. Heartland shares that their best advice to other companies experiencing a breach is to be up front with customers. After their breach, all Heartland employees were advised to tell customers what the breach meant for them, to be the point of contact for customers (vs the press). “Being candid has been key.”

Image: clipart

Ben points out that the sheer volume of paper and digital media that accumulates over time requires effective information destruction policies and practices. Every company has information that needs to be destroyed, though regulations may require that certain data be archived for a few years or permanently.

The discussion talks about why hoarding data records can be a liability, gives a list of information that can be shredded when no longer needed, and talks about the regulatory environment regarding data retention and destruction. Just tossing things into the garbage is not the answer, as trashing of records without appropriate destruction can be dangerous. The article suggests that destruction of data be done on a formal (documented) and regular basis.

While the discussion of physical data continued in Part 1, Part 2 of the series looked at electronic information. The destruction of data here includes the importance of sanitizing unwanted hardware (computers, backup tapes, etc) so that no information can be recovered. Computrace Data Delete capabilities can help you do this as part of your asset life cycle. If for some reason it’s not possible to delete the data (maybe it’s from an extremely old computer), the hardware should be destroyed. Various acceptable and unacceptable methods of sanitation and destruction are discussed.

The whole series is a great read and may help you establish or refine your own data policies.

Image: ppdigital @morguefile

Airports are a prime location for the loss or theft of laptops; London’s Heathrow airport has up to 900 devices going missing per week, for example. Though some of these laptops may be password-protected or encrypted, data security concerns still exist. And with good reason – the data could be worth far more than the lost device.

Bill offers several pieces of advice, from laptop tracking software such as Computrace to beefing up security policies so that employees understand how to protect their devices against loss or theft. Basic airport security precautions include: not checking your laptop as luggage, using an inconspicuous bag, always watching your bag, adding identification to your bag, and being extra wary when going through security checkpoints. You can read more here.

Some other great reading for you:

• PCI DSS compliance: You can’t just check the boxes
• Survey: 37% of employees would become insiders given the right incentive
• Nine steps to halt data breaches

Image: clipart

Sophos conducted a poll in February 2009 with 709 respondents. Of those, 63% of system administrators worry that employees share too much information on their social networking profiles. They believe this puts the corporation, and its data, at risk (since cybercriminals have access to more information for identity theft, malware or spam). A quarter of the businesses had been the recipients of spam, phishing or malware attacks via sites like Twitter, Facebook, LinkedIn and MySpace.

Over 40% of companies don’t control access to any of these major social networking platforms – for those that do, productivity still represents the largest share of concern, but security concerns are on the rise.

“We’re seeing more incidents of unwanted adverts and malicious links being spammed out, particularly to Facebook users, from their friends’ compromised accounts. Although social networking sites are going some way to mitigate threats to users – activating pop-up windows to confirm if a user really wants to visit that external link for example – unfortunately it’s just not enough. Organisations need to incorporate defences into their IT security policy, and a key part of this is to educate individuals to choose strong passwords and to take good care of them to prevent cybercriminals taking over online accounts which could provide an entry point to the IT infrastructure.” – Graham Cluley, senior technology consultant at Sophos

Sophos summarizes their study with the top 5 tips to combat social networking perils in the business environment, which include:

• Educate your workforce about online risks
• Consider filtering access to certain social networking sites at specific times
• Check the information that your organisation and staff share online
• Review your Web 2.0 security settings regularly
• Ensure that you have a solution in place that can proactively scan all websites for malware, spam and phishing content

Read more here.

Also, beware of an increase in Swine Flu pill spam!

It’s been a while since I’ve done a major highlight of any recent data breaches. They keep happening, to be sure, but the details often start to look the same. However, this one caught my eye from it’s magnitude. The Oklahoma Department of Human Services (OKDHS) is notifying more than 1 million residents of the state that their data has been breached as the result of a stolen, unencrypted, laptop.

According to their press release, a password-protected OKDHS laptop was stolen from an employee vehicle (a far too common theft location). The laptop contained names, Social Security Numbers, dates of birth and home addresses for clients who received Medicaid, Child Care assistance, and other program assistance. The laptop was stolen on April 3rd with a press release going out from OKDHS on April 23rd. Letters to affected clients started to go out in the same week.

OKDHS Director Howard H. Hendrick believes the “risk of the data being accessed is low because the computer uses a password protected system,” which is only a very minor security protocol. There’s no guarantee the password was strong and, even with strong password-protection, systems with no additional security precautions pose a high risk for being easily accessed. It is believed that the employee was not violating any policy in place, indicating that the current information security policy does not deal with taking data home or with proper data asset handling.

According to the Security Incident FAQ, OKDHS believes they have “numerous security measures” in place already to ensure client data is safeguarded, but plan to review all policy, procedures and training methods. Let’s hope this sheds some light through the entire organization about how much more can – and should – be done to protect sensitive information.

You can help prevent data breaches such as these, or recover from them more easily, with strong computer security policies, enforcement and training and software such as Computrace from Absolute, which offers many layers of security protection.

Via SC Magazine

1. Dozens of files with Social Security Numbers for public housing residents were dumped on the street in New York. People were seen picking up the loose papers, raising concerns of identity theft. The New York Housing Authority has policies to shred documents for disposal, but that policy was overlooked. [read more]
2. Medical records were found discarded in a trash bin at a convenience store in Shreveport; Social Security Numbers were included. A Doctor has admitted to his mistake in improperly disposing of the files. [read more]
3. Files about seriously ill patients at a New York hospital were found 2 miles away on the pavement. The files contained name, age and medical history, breaching confidentiality though not risking identity theft. [read more]
4. A Dallas man found a box of medical records, including Social Security Numbers, the the parking lot at a storage business. The storage unit belonging to a doctor was broken into and the records left out. [read more]

I think we can learn some important things from these breaches of trust and data. Most indicate a lack of awareness about the data and how it should be treated for storage and disposal. Policies to restrict how data moves about – whether paper or electronic – should be considered. The data retention policy should define how information is disposed of, which can include policies on shredding or purging electronic devices. In terms of data storage for physical papers, standard consumer storage facilities may not have enough security; try looking for companies that specialize in business data storage.

As we shared in a report earlier this month, data breaches at small companies often go unreported. There’s a great deal of education that needs to be done to small business owners – including those practicing in the medical fields – about how to securely handle confidential data in all stages of its life cycle.

Hat tip to databreaches.net ; image: clarita @morguefile

Laptop Security Is a Three-Legged Stool – Intel

This list fits in snugly with our own motto of “mutli-layered laptop security” at Absolute, which we talk about here. For now, check out the “3 legs” of laptop security:

1. Physical Security
2. Data Protection
3. Protection Solution

9 Dirty Tricks: Social Engineers’ Favorite Pick-Up Lines – CSO Online

These are tactics employed by criminals (cyber and otherwise) to scam you out of personal information or money or to gain access. The list had 8 tricks, not 9, but who’s counting? ;)

1. “I’m traveling in London and I’ve lost my wallet. Can you wire some money?”
2. “Someone has a secret crush on you! Download this application to find who it is!”
3. “Did you see this video of you? Check out this link!”
4. “This is Chris from tech services. I’ve been notified of an infection on your computer.”
5. “Hi, I’m from the rep from Cisco and I’m here to see Nancy.”
6. “Can you hold the door for me? I don’t have my key/access card on me.”
7. “You have not paid for the item you recently won on eBay. Please click here to pay.”
8. “You’ve been let go. Click here to register for severance pay. “

5 Tips for Managing Security in a Recession – CSO Online

Another great look at how to prioritize your security spending and planning this year.

1. Prioritize based on risk/reward
2. Have the right mix of people on your team
3. Build repeatable processes
4. Create an optimal shared cost strategy
5. Automate and outsource wisely

Top 5 Security Resolutions for New PCs – InformIT

If you’ve just bought a new computer, take some quick security steps before you start using it! Here are 5 resolutions to take:

1. I Will Patch My Systems
2. I Will Use Common Security Tools
3. I Will Back Up My Data
4. I Will Secure My Wireless Router
5. I Won’t Write Down My Passwords

And to end off the great tips offered in these articles, walk the lighter side with this ID-theft-themed Dilbert comic.

In 2008, insider theft accounted for 15.7% of data breaches and that 43% of surveyed companies had experienced fraud, theft or losses as a direct result of employees with access to sensitive data.

Bruce Schneier recently addressed the issue of insiders, which he points out are a perennial problem for organizations. Insiders have the means and opportunity to breach data – intentionally or not. The issues coming up lately refer to an increase in intentional data theft or fraud.

“With 1.5 million predicted job losses in the US alone, there’s an increased risk and exposure to these attacks. This is one of the most significant threats companies face” – Microsoft’s Doug Leland

So, given that you need to trust your employees in order to keep your company running, how do you go about addressing the problem of inside threats? Schneier recommends 5 basic techniques, many of which we’ve talked about here on the Absolute blog:

1. Limit the number of trusted people
2. Ensure that trusted people are also trustworthy
3. Limit the amount of trust each person has
4. Give people overlapping spheres of trust
5. Detect breaches of trust after the fact and prosecute the guilty

You can read these recommendations in detail here. Hopefully it will give you some ideas about how to prepare for insider issues. Just like with all security planning, it’s about being prepared and about having multiple layers of security in place.

—-

In other news, there have been a high number of data breaches thus far in February (see latest incidents). One getting a lot of attention is from the Federal Aviation Administration (FAA) that affects 45,000 FAA employees.

Image anitapatterson @morguefile

Just as Absolute Software recommends a multi-layered security solution, Bill Brenner notes that any solid security defense plan is built upon a multi-layered approach involving technology, policy and practice. The technology layers are just one piece there, but only account for part of the network security sins listed here:

1. Not measuring risk – failing to identify and protect important information assets, while doing so within the parameters of business needs and requirements
2. Thinking compliance equals security – regulations like HIPAA and PCI DSS are only a starting point for strong (and evolving) data security practices
3. Overlooking the people – the ‘people problem’ is a common thread on this blog. People who access data & technology pose a large risk to it – losing laptops, falling for phishing attacks, downloading rogue software, etc
4. Too much access for too many – having access controls set in both policy and in management technology
5. Lax patching procedures - the latest Verizon report showing that 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
6. Lax logging, monitoring – like with the first item, one must know what’s going on in the network prior to security it
7. Spurning the K.I.S.S. – ‘keep it simple, stupid’ or ‘keep it simple for security’ is often overlooked if security is approached without planning and ’solutions’ are tacked on one after the other.

The article looks at common issues that have led these seven items to becoming “sins” in network security terms. This can include, in the case of the first sin, a lack of understanding of business needs and requirements that results in end users circumventing security protocols and risking data even further. Continue reading it here.