Data Breaches: Stop the Insanity!

10 05 2010

In a recent article by the Identity Theft Resource Center (ITRC), entitled, “Data Breaches: The Insanity Continues,” the ITRC discusses the highlights of 2009 data breaches:

  • Paper breaches account for nearly 26 percent of known breaches (an increase of 46 percent over 2008)
  • Business sector climbed from 21 percent to 41 percent between 2006 and 2009, the worst sector performance by far
  • Malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

What will the stats be for 2010? Take Preventative Measures.

The article goes on, stating, “Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.” So, the ITRC compiled a list related to how businesses are addressing data breaches and security:

  • Insanity 1 – Electronic Breaches: After all the articles about hacking and the ever-growing cost of a breach, why isn’t encryption being used to protect personal identifying information? Proprietary information almost always seems to be well protected. Why not our customer/consumer personal identifying information (PII)?
  • Insanity 2 – Paper breaches: Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII? Do we dare ask that those laws be actually enforceable? Perhaps we are waiting for paper breaches to reach 35% of the total.
  • Insanity 3 – Breaches happen: Deal with it! You will get notification letters. Breach notification does not equal identity theft. Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website. This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.
  • Insanity 4 – A Breach is a Breach: Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.” If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?” Some companies might say “no.”
  • Insanity 5 – Data on the Move: You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years. But, really! This is 100% avoidable, either through use of encryption, or other safety measures. Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.” With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.

So how are you protecting your data internally and externally?


Why Tax Day and MFT Depend on You

14 04 2010

Tomorrow (4/15)  is tax day in the United States.  Thus, there will be plenty of checks running through the mail, all destined to reach their respective IRS offices.  This entire process is a parallel to the managed file transfer process.  Sure, I don’t want to have to send out a bunch of money either, but if I have to, then I should hope that it gets into the proper hands.

It all starts with the end in mind.  Destination address scrawled across the front of your envelope, you’re ready to “click the send button” and drop it into the mailbox.  Here is where the important part starts.  If your bank is keeping you secure, then your check should be safe; encrypted in a sense.  Sure, someone could manage to get to your check (it’s not a steel envelope after all), but that check then must be “hacked.”  With proper encryption, attempts will be futile.

Assuming that your check reaches its final destination, the IRS then has the password to open your check: permission.  This same concept is used in ad-hoc managed file transfer solutions by ensuring that only those who need access to the file will have it in the form of password protection and user verification.

As you drop your check into the mailbox on tomorrow’s tax deadline (you daredevil, you!), remember this analogy and notice that your role never changes.  As users, we are still responsible for ensuring that files are being sent to the proper destinations and through the proper methods.  Without you, security is merely something we wish we had.  Tax day and managed file transfer: both depend on you!  Who knew you were such a hero?

Endpoint Security: Is Your Data Protected?

25 03 2010

In a recent study by the Ponemon Institute, “State of the Endpoint,” IT security and IT operations practitioners were surveyed to determine if they believe the endpoint is more or less secure today. Of those surveyed, some of the reasons for endpoint vulnerability included:

  • Employees connecting their own computing devices, such as laptops and PDAs, to the organization’s network or enterprise system
  • The complexity of endpoint management systems – on average, 3.7 software agents are installed on each endpoint to manage security
  • A lack of skill or knowledgeable personnel
  • The misalignment of IT and business objectives
  • Difficulty integrating multiple technologies

41 percent of respondents do not believe their organizations are proactive in managing privacy and data protection risks.

Let’s go back to the misalignment of IT and business objectives as well as the difficulty of integrating multiple technologies. Multiple and disparate technologies within an IT infrastructure lead to complexity. That complexity also creates multiple points of failure and delays in supplying the business with the information it needs to operate competitively.

Additionally, unnecessary complexity leads to more money spent on IT. Granted, there are always investments made in new technology that the business needs to stay current and compete. The problem is that the money available to IT is limited. The money spent on operating a complex environment depletes the budget for future technologies.

The effort required to maintain disparate technologies forces IT to focus its resources on day-to-day operations instead of preparing for the evolving needs of the business.

So how do you meet these challenges?

Platform-, vendor- and application-independent technology enables you to integrate multiple systems to provide end-to-end visibility of your endpoint security, from infrastructure to people. Whether it’s in the data center or in an application used by an employee, an integrated platform provides the necessary protocols, processes and security to ensure your data is protected.

Repeat Data Breaches Not Always a Result of Negligence – Spotlight: Wyndham Hotels

5 03 2010

Wyndham Hotels has been hit with its third data breach in a year and has once again compromised sensitive customer data.  While frustration sets in for Wyndham, as well as its customers, one thought comes to mind: why?  Why is it that, after two data breaches, the organization is still facing hackers and their onslaught of effective attacks?  Well, as with anything of this magnitude, there are many possible answers.

People point fingers at organizations and their lack of security.  Or perhaps it’s negligence from insiders who fail to control their data exchange and management.  Human error is a leading cause of data breaches, but perhaps it’s more than that.  It’s time to stop pointing fingers and start analyzing where the root of the problem lies.

Wyndham communicates with franchisees and managed communities, which puts countless people in charge of sensitive data.  Simply put, there are too many points of entry.  Sure, it’s great to have free flow of data from a convenience standpoint, but when that puts data out for nearly anyone to access, convenience then becomes a hassle.  Luckily, there are plenty of ways to prevent this and still maintain multiple points of entry.

Encrypting data so that it remains secure at rest, in motion or even once the file has been deleted puts a huge barrier in front of hackers even after they get into one’s database.  Thus, it’s important to have detailed security on each file, rather than just on the database.  What may seem tedious can actually be quite simple with the right solution.

Using streamlined encryption tools, users can then have peace of mind knowing that their data will remain secure, no matter who can access it.  While human error will never be completely eradicated from data exchange, these security measures can shrink the margin of error to a minuscule amount.

Got Encryption?

27 01 2010

From State to Federal? Massachusetts Regulation 201 CMR 17.00 mandates that all personal information of Massachusetts residents must be digitally encrypted, and other states as well as the national government are taking notice. Senator Patrick Leahy is sponsoring a bill entitled The Personal Data Privacy and Security Act of 2009 that, if passed, would require private and government entities to ensure that personal data is kept confidential. In addition, they would be tasked with developing measures for controlling access to sensitive information, detecting and logging unauthorized access to personal information, and protecting personal data both at rest and in transit.

So why is it important to encrypt data at rest and in motion? It ensures your data is encrypted before it leaves your computer and is only decrypted once it is delivered to the recipient’s machine. There are no “man in the middle” attacks, and your business or organization will be compliant with regulations that are becoming increasingly strict in the healthcare, financial services, legal and insurance industries.  Will you be ready if the federal law is passed?
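To make the “encrypted before it leaves your computer, decrypted only on the recipient’s machine” idea concrete, here is a small Go program written for this page as an added illustration. It is not Scribbos or Infitran code, and the posts above name no particular cipher, so AES-256-GCM is an assumption, as is the pre-shared key: how the recipient obtains the key (a key exchange or key server) is outside the example. It also covers the Wyndham post’s point about protecting each file rather than just the database, by giving every file its own random key so that whoever reaches the store or the wire holds only ciphertext. The sample file content is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"log"
)

// Envelope is the only thing the network and the relay ever see:
// a fresh nonce plus the ciphertext, which carries GCM's 16-byte tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewFileKey draws a random 256-bit key. Using one key per file means a
// compromised store yields one file's ciphertext, never a master secret.
func NewFileKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's machine: the file is encrypted before it
// leaves, so every hop in between handles only the Envelope.
func Seal(key, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open runs on the recipient's machine. GCM verifies the tag before
// releasing any plaintext, so a byte flipped in transit or at rest is
// reported as an error instead of decrypting to garbage.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// RelayCanRead stands in for a "man in the middle" or the storage
// provider: it holds the Envelope but no key, and asks whether the
// file's content is visible in what it holds.
func RelayCanRead(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	// Constructed sample file; the identifiers are placeholders.
	file := []byte("Enrollment form: Jane Doe, SSN 000-00-0000 (constructed sample)")

	key, err := NewFileKey()
	if err != nil {
		log.Fatal(err)
	}
	env, err := Seal(key, file)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("relay can read the file: %v\n", RelayCanRead(env, file))

	got, err := Open(key, env)
	fmt.Printf("recipient recovered the file: %v\n", err == nil && bytes.Equal(got, file))

	// Flip one ciphertext byte while it sits on the relay.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, env)
	fmt.Printf("tampered copy rejected: %v\n", err != nil)
}
```

The point the program makes is the one the post makes: the relay, whether that is the mail server, the cloud store or someone on the path, never holds anything it can read, and because GCM authenticates as well as encrypts, a copy altered at rest or in transit is refused rather than silently accepted.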

Send Big Files & Communicate Securely for Free!

23 12 2009

Ever since the launch of Scribbos at our annual conference, Innovation in Amsterdam, the team has been hard at work with our customers and their business partners.  So what have we been up to?  We launched a successful campaign to support the Susan G. Komen foundation, we’ve delivered 3 new versions of the SaaS platform with new features, we’ve been talking to media about security needs in healthcare, finalized several key partnerships, and our MFT platform Infitran was recognized in the Gartner Magic Quadrant as a Visionary for Managed File Transfer.  More or less, we’ve just been having a fun time since the launch of Scribbos.

We’ve definitely been busy, and the community of users grows bigger every day.  Even though we’ve had this much excitement, we continue to look at ways to improve the service, and every month we are bringing new capabilities and customer-driven enhancements to the platform.  In working with our customers, we identified a need to better support the people in their user community who only send a few messages and files a month.  To that end, a new slimmed-down free version has been launched to accommodate users who need to send large files quickly and communicate with all of our customers easily.

This new offering isn’t just to benefit our existing users.  This new option is available for anyone, including users who aren’t using Scribbos with our customers, and it provides access to our secure communications offering to a whole new community of users who may not be using secure solutions for large files and messages.  After working with customers who were previously using other free services for sending files, it became apparent that those services don’t encrypt your data at rest or provide the tracking capabilities to ensure your file was received by the intended recipients, which is an issue for everyone who sends confidential information.

When Would You Need to Use a Secure Messaging Service?

The simple answer is any time you need to keep the information you are sending confidential and need to ensure the recipient received the message or file.  Many users of Scribbos today leverage the platform for sending big files which can’t be sent through email, or to move sensitive information for their business such as healthcare plan enrollments for new employees, tax information to their CPA, or other regulated information such as that covered by HIPAA or PCI.

Scribbos for Free provides the same level of security and auditing as our other plans, with some usage limits.  Scribbos leverages SSL encryption of the session and encrypts all your data at rest within our secure cloud platform, which is not the case with many of the free providers you may send files with today.  If you need to send files bigger than 200MB or need more than 25 messages a month, Scribbos provides other upgraded options for your use which include the following capabilities:

  • Company and Detailed Usage Reporting for all your users
  • The ability to send files up to 2GB through your browser
  • Managed users and recipients
  • Group Management and Reporting for internal department chargebacks
  • Ability to export all the auditing and reporting information for internal analysis and long term retention
  • Block Domains to ensure no information is sent to unauthorized users/receivers
  • Customize your Messages and Notifications for your Company’s needs
  • Custom message signatures
  • Detailed message tracking

To find out all the options, features and plans for your business to securely send information you can look at our plan chart.  Enjoy the holidays!

Did you budget for the lawsuit?

9 11 2009

Moving files from work to home is a pretty normal thing in this telecommuting world. Many do it via email. While we are all finalizing our budgets for 2010, you might want to put in something to help ensure the security of your files as they are sent inside and outside of the business. Why? Because your company could be held liable for not taking the right care of personal information.

A group of Michigan employees recently broke new legal ground when a jury awarded them $275,000 for the disasters that befell their lives when their union neglected to safeguard their Social Security and driver’s license numbers. The verdict against Michigan Council 25 of the American Federation of State, County, and Municipal Employees (AFSCME) is the first in the nation to find that a custodian of employee information has a duty to guard the data with scrupulous care.

As reports of high-profile security breaches across the country continue to escalate, and the number of victims burgeons, many experts think that, with the Michigan case as a benchmark, courts across the nation are poised to find employers liable for the consequences of their failures to keep personal data private. And in the state capitols, lawmakers are starting to create new duties for employers, making them responsible for safeguarding sensitive information. Here’s a look at what’s going on in the courts and the state legislatures.

“The Michigan case is the first I’ve seen that affirms the imposition of liability on the person who negligently handled sensitive information,” says attorney Philip Gordon of law firm Littler Mendelson. “It’s a national precedent that opens the door to employer liability for workplace identity theft in other jurisdictions that likely will follow Michigan’s example.”

“We know that identity theft is escalating,” says Judith Collins, director of the Michigan State University-Business Identity Theft Partnerships in Prevention, suggesting that more decisions like Michigan’s are waiting to happen. “Our phones are ringing off the hook. And we know that the majority of identity thefts happen in the workplace,” said Collins.