Thoughts about the “Study: Frequent password changes are useless” article on Yahoo News

17 04 2010

I recently read the article Frequent password changes are useless

After giving this some thought, a couple of things struck me as being very important but easily overlooked. Both are related to this paragraph,

“Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.”

The article says “frequent password changes are simply a waste of time” and it does not define frequent. By frequent do they mean daily, weekly, monthly? I would not think that changing passwords once a quarter would qualify as frequent.

Note that that $16 billion is not for each company! It’s for the national aggregate. If your company only loses $1 million, that’s simply a small piece of the aggregate pie; but, for many companies, it could mean bankruptcy or, potentially, years of expensive, personal data breach litigation. If memory serves correctly, defense against this type of litigation depends heavily on having taken every ‘reasonable’ precaution. If one of those reasonable precautions is deemed to be frequent changes of passwords, then never changing passwords or changing them only once per year could mean additional loss of millions in court battles. Oh, one must also remember the fines and penalties if data protection laws are violated and the loss of credibility in the marketplace when it’s your company that gets compromised.

Something to think about.


Does a Visit to the Optometrist Put Me at Risk?

22 03 2010

Recently, I was at the optometrist for my annual eye exam. I was greatly surprised that all of their patient information was currently in manila file folders with some sort of coding system. At one point in the paper work, I was asked to include my Social Security number for insurance purposes. I looked up at the receptionist and asked if this was really necessary.

“Do I need to enter that information? I can tell you, but I don’t want it printed in my file.”

She had no problem with it, but it made me wonder what other PHI (personal health information) and confidential information about myself I had filled out at a doctor’s office over the years. Even for a simple visit for new contacts, I was asked many questions about my physical health and family history. I started to wonder how this particular office keeps the information protected.

This image does not make me think my PHI is secure.

My Personal Health Information (PHI) was in a file behind the reception desk. While I know they need certain information for insurance reasons, how do they keep this secure? If I had written down my SS number, who had access to it? My first thought was identity theft.

While I know EMR (electronic medical records) and solutions that help transfer these records securely are on the rise, I had to ask myself why my optometrist was so behind the times. Why can’t they send my information to my insurance company electronically? It would be more simple, make me feel more secure and increase their overall customer satisfaction. Moreover, they would comply with new HITECH and HIPAA mandates.

The next time I am at a doctor’s office, I will be much more aware of how they store their PHI.

“You Can’t Handle the Truth!”

20 01 2010

This iconic quote from the film A Few Good Men is brought to mind when discussing data breach notification laws.  But, as Tom Cruise demands, we want the truth!

So, what’s the big deal about data breach notification?  Your information is compromised and someone tells you, right?  Wrong.  While we would like to think that all companies are responsible enough and have the ability to bring such awareness, that is not always the case.  Without proper legislation to ensure that all data breaches are given decent exposure, you may very well have been compromised without even knowing it.

According to this nifty little graphic and article from CSO Online, there are still 6 states in the US without any legislation regarding data breach notification.  Furthermore, Wisconsin, Ohio and Florida are the only three states with specified deadlines for notification.  So, what’s being done?

In short: not a lot.  But, there’s hope.  We have to look to the bottom (geographically) to see who’s on top!

Florida seems to be setting the standard as far as data breach notification laws are concerned.  The notification deadline policy reads: without unreasonable delay, within 45 days for owners of data, within 10 days for those who don’t own data.  Civil and criminal penalties can be assessed upon a failure to be prompt about notification.  I believe that this solid number makes all the difference because it gives a tangible time line for such issues when they arise.  Urgency becomes necessary, not just preferred.

So, how do we get the truth that we demand?

Well, for starters, President Obama’s appointment of a cyber-security “czar” will hopefully begin to bring correct perspective to the problems that arise within data security.  Also, demanding better legislation from your Representatives and Senators could bring about some action.  Ultimately, it’s up to the corporations to become accountable.  One thing is certain, as customers become more and more aware, the gap between responsible and irresponsible companies will widen.  And that, as a customer, is where you hold the power.

Data Breach Costs for 2009 – Looking Ahead by Looking Back

5 01 2010

84 percent of companies that reported a breach in the past year stated that it was not the first incident, according to the Fourth Annual US Cost of Data Breach Study: Benchmark Study of Companies conducted by the Ponemon Institute.  The report also found that more records compromised meant a higher cost for the company under scrutiny, with 80,000 – 100,000 records costing around $32,000,000.

Data breaches not only cost money, but they are also a detriment to any customer base.  The average churn rate last year, which was measured by the loss of those customers that were directly affected by data loss, increased from 2.7 to 3.6 percent.  Customers lose trust quickly when their personal data is compromised.  Regaining that trust can take a lot more time and effort than it would to take the steps necessary for securing your data in the first place.

Getting Secure

88 percent of all cases in the study were a result of insider negligence.  Complicated processes make things more difficult than they need to be.  A streamlined, easy-to-use solution would alleviate problems and aid users that are striving to stay secure.  Also, compliance standards set by organizations such as HIPAA and CPI help with security, as long as organizations are able to maintain compliance.  Ultimately, it is up to the company to decide whether or not they want to make security a priority.  With statistics like these, it seems an easy decision to make.

A New Year’s Resolution Worth Keeping

31 12 2009

Image courtesy of PhiLAWdelphia

New Year’s Eve is all about old friends, new beginnings and pretending you know the words to “Auld Lang Syne.”  The holiday is also about resolutions.  With 65% of people making their resolutions between December 28 and January 31, it’s pretty obvious that this is an important time for change.  84% of people make resolutions to start new habits, leaving a measly 16% who plan on breaking an old one.  This is it!  It is your chance to make a change for the better.

Whether you’re cutting out excess snacking or taking time to read more at night, remember that all resolutions are positive ones.  Of course, we know that those holiday cookies will linger during the first few weeks of your membership at the gym and, while reading is important, it might be tough to stay up and read after a long day at work.

Luckily, there’s a resolution that everyone can keep.  It falls into both categories: forming new habits and breaking old ones.  It’s Scribbos!

Drop that broken, old FTP with its lack of security and lack of capacity.  Scribbos offers 1 GB of storage, 200 MB file capacity and encryption and compliance of the highest standard, for free.  Now, you can show off to all of your friends when you tell them that you’ve already reached your New Year’s resolution.

Oh, and here are the lyrics to “Auld Lang Syne” if you really want to impress them.

Why move to Managed File Transfer when FTP works for me today?

15 12 2009

This is a question often heard in the market and on the surface it looks pretty straightforward.  If it’s not broke, don’t fix it!

When you dive deeper into the purpose of a file transfer operation a bigger picture becomes clear.

Is the only purpose of a file transfer to get isolated data from point A to point B?  Or perhaps, is the purpose part of a much bigger business process impacting the success of the company?

All data movement should be looked at as being part of something bigger than itself.  There is no isolated movement of data in an organization.  Even backups are the final step in a business process ensuring recoverability.  The process of moving data from the creating application to the next application that requires it until the business at hand is complete and the data rests must be managed.  It must be part of an integrated process that is secured, timely, guaranteed, optimized, automated, auditable, and visible to the organization.  The success of the business depends on it.

While products such as FTP provide the ability to move a single file from point A to point B, only a true managed file transfer solution can offer the necessary means to guarantee the data is managed as part of a bigger picture directly related to the business.

In addition to getting the data from point A to point B in a secure manner, a managed file transfer product should offer:

  • Guaranteed delivery
  • Integration to pre and post processing of the data transfer operation providing streamlined workflow execution
  • Event triggered file transfer operations ensuring timely and automated execution
  • Logic based decision making during data transfer operations
  • Customized logging to satisfy any internal or external audit requirements
  • Central visibility to data movement
  • Bulk and wildcard file transfers optimizing implementations and operations
  • A portable application, which means faster onboarding regardless of platform

When file transfer is viewed in this bigger picture, the answer becomes clear.  Staying with a product like FTP because it is ‘not broken’ means missing the importance of data movement as an integral part of your business process impacting your success.
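As an added example (not Scribbos’ or any other vendor’s code, and not part of the original post), here is a small Python sketch of three of the list items above: wildcard selection, checksum-verified delivery so a file is only reported as delivered when the copy matches the source, and an append-only, hash-chained audit log that records who sent what to whom and can later prove whether the delivered copy still matches what was sent. The file names, addresses and scratch directory are constructed for the demo.

```python
import glob
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Stream the file so large transfers never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _last_record_hash(audit_log):
    """Hash of the last line already in the log, so a new run extends the chain."""
    if not os.path.exists(audit_log):
        return None
    last = None
    with open(audit_log, encoding="utf-8") as f:
        for line in f:
            if line.strip():
                last = line.rstrip("\n")
    return hashlib.sha256(last.encode()).hexdigest() if last else None


def managed_transfer(pattern, dest_dir, sender, recipient, audit_log):
    """Deliver every file matching `pattern` into `dest_dir`.

    Each copy is written under a temporary name, verified against the
    source's SHA-256 and only then renamed into place, so a partial or
    corrupted copy is never mistaken for a delivered file.  One JSON line
    per file is appended to `audit_log`; each record carries the SHA-256
    of the previous line, so deleting or editing an entry breaks the chain.
    """
    os.makedirs(dest_dir, exist_ok=True)
    prev = _last_record_hash(audit_log)
    records = []
    for src in sorted(glob.glob(pattern)):  # wildcard / bulk selection
        expected = sha256_of(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        tmp = dst + ".part"
        shutil.copyfile(src, tmp)
        if sha256_of(tmp) == expected:
            os.replace(tmp, dst)  # atomic rename: the file appears only once verified
            status = "delivered"
        else:
            os.remove(tmp)
            status = "failed"
        rec = {"when": datetime.now(timezone.utc).isoformat(), "who": sender,
               "to": recipient, "what": os.path.basename(src), "sha256": expected,
               "status": status, "prev": prev}
        line = json.dumps(rec, sort_keys=True)
        prev = hashlib.sha256(line.encode()).hexdigest()
        with open(audit_log, "a", encoding="utf-8") as f:
            f.write(line + "\n")
        records.append(rec)
    return records


def verify_audit_log(audit_log, dest_dir):
    """Answer "can you prove it?": the chain must be intact and every file
    logged as delivered must still match its recorded SHA-256.
    Returns (chain_ok, delivered_ok, record_count)."""
    prev, chain_ok, delivered_ok, count = None, True, True, 0
    with open(audit_log, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            rec = json.loads(line)
            if rec["prev"] != prev:
                chain_ok = False
            if rec["status"] == "delivered":
                path = os.path.join(dest_dir, rec["what"])
                if not os.path.exists(path) or sha256_of(path) != rec["sha256"]:
                    delivered_ok = False
            prev = hashlib.sha256(line.encode()).hexdigest()
            count += 1
    return chain_ok, delivered_ok, count


def demo():
    """Constructed sample run in a scratch directory (hypothetical names)."""
    root = tempfile.mkdtemp()
    outbox, inbox = os.path.join(root, "outbox"), os.path.join(root, "inbox")
    log = os.path.join(root, "audit.jsonl")
    os.makedirs(outbox)
    for name, body in [("ar_2009.csv", b"acct,amount\n1,10\n"),
                       ("notes.txt", b"not selected by the wildcard\n"),
                       ("ar_2010.csv", b"acct,amount\n2,20\n")]:
        with open(os.path.join(outbox, name), "wb") as f:
            f.write(body)
    recs = managed_transfer(os.path.join(outbox, "ar_*.csv"), inbox,
                            "alice@example.com", "billing@example.com", log)
    before = verify_audit_log(log, inbox)
    with open(os.path.join(inbox, "ar_2009.csv"), "ab") as f:  # later modification of a delivered file
        f.write(b"9,999\n")
    after = verify_audit_log(log, inbox)
    return {"delivered": [r["what"] for r in recs], "before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the temporary-name-then-rename step: a reader of the inbox never sees a half-written file, and the audit record is only written after the verification result is known, so the log reflects what actually happened rather than what was attempted.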

Don’t get all legal on me and stuff

18 09 2009

So Gartner’s Frank Kenney’s intro to his latest blog post is spot on!

Every CIO must ask Chief Counsel and all of the workers reporting to Legal (including internal and external attorneys, paralegals and administrative executives) how the information that flows in and out of their department is governed and controlled.

The challenge for many law firms is that they don’t have the IT staff or technical solution in place to adequately support secure communications and data exchange, so email is the next best bet.  The recent launch of Scribbos, the latest data exchange and secure communications solution for easily exchanging confidential messages securely, is about filling that gap for eDiscovery, as one of the commenters on the post noted:

E-discovery is something that has been on the minds and the lips of the email guys for a long time. Unfortunately, not enough people listen to the email guys, and it’s important that, with the convergence of all the MFT interaction patterns—from email to system-to-system to B2B and all the different permutations—you’re able to lay a level of governance (i.e., “Who sent what to whom?”), the auditability aspect (i.e., the reporting of “Did they actually get it?”) and the compliance aspect (i.e., “Can you prove it?”).

So the question of “where’s my file?” is quickly morphing, for legal staff, users and business in general, into “who sent what file to whom?”  So how are you communicating with your personal and corporate lawyers?

Any chance you have a big disclaimer at the bottom of the email, or you had to sign something to authorize the use of email to communicate with your attorney?  I guess if email were secure and not error prone, there wouldn’t be disclaimers like the following at the bottom of your real estate agent’s, CPA’s or attorney’s email.

The information transmitted is intended solely for the individual or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of or taking action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this email in error please contact the sender and delete the material from any computer.

So who has your file? Your legal agreement? Your mortgage application or other confidential document again?