Blog  | Read about controlling and protecting your information

July, 2010


Only You Can Prevent Privilege Misuse

Prevention begins at home.  As kids we all heard this phrase over and over.  It could pertain to drugs, fire, heart attacks or crime.  So when I think about how to reduce the incidents of data breaches in business, I think about starting at home.

According to a recent data breach report by Verizon, 48% of breaches were attributed to people who abused their access rights.  That means they had access to confidential information and they stole it or somehow misused it.  Most of us think that the majority of problems with data and document leaks are from outside hackers, but a large majority are from people on the inside.

Think about that for a moment.  If you are in a large organization, there might be strict rules about what you can access.  HR has access to employee information, including salaries and social security numbers (or equivalent national IDs).  Finance has access to salary numbers and budgets.  IT usually doesn’t have access to this information, although since they manage the systems where the information lives, this is possible.  In small organizations, you may not be that strict about divisions of labor, because a few people may wear numerous hats.  In my business, I will function as finance, marketing, sales and IT on the same day.  That means I am mixing my data access rights.


SaaS May Prevent Cybercrime

A new 2010 comprehensive report on data breaches by Verizon and the US Secret Service shows that most of the breaches occurred on internally located and managed systems.  Many of these are database and application servers.  The report says that based on their data and analysis they cannot conclude if using cloud computing and SaaS makes it less likely that a data breach will occur.  This is clearly an area that requires more study.

Most hacking and cybercrime targets systems that are worth money and easy to access.  Large institutions are not the only ones at risk.  They may offer the largest payoff, but larger institutions tend to have more money and personnel to throw at the problem.  Some smaller organizations may not have the staff or technical expertise to shore up their systems.  This makes them vulnerable.


Highlight Video from Data Governance Summit

Below is a highlight video from the Data Privacy, Governance and Business Ethics summit that we sponsored on the campus of Seattle University on June 17, 2010.  We are still getting a lot of compliments from all who attended.

Ed Drosdick, a partner at Moss Adams LLP, said, “The Data Privacy, Governance and Business Ethics – People, Process and Technology Summit was quite an affair. I was so impressed with the content and the quality of the program on data security.  I do not know what my expectation was going in, but it far exceeded any expectation I may have had, and quite frankly made me change the way I think.  Well Done!!!”

Thanks to Litigation Media Group for their outstanding work in creating this video. 

Stay tuned as we start ramping up these events.

Setting the Tone at the Top

Technology is important for information security, but if people ignore it, it doesn’t work very well.  You can have the best technology in the world, but if people don’t understand its importance, it may be a waste of time and money.  You also need to educate people on its use and value.  A strong education program improves overall information security over time.

Think of how we educate our children.  We teach them their native language starting in grammar school and continue through high school.  This constant education improves their ability to read, write and understand their language.  We can apply the same techniques to information security awareness.

Unfortunately, education is a slow process, but can be helped by example.  If a school teacher is reviewing proper sentence structure, she or he should use proper sentence structure when they speak and write.  If the teacher says “I want to show you how I does that.”, a child may start questioning what she’s being taught.  The teacher is violating her own rules, so the child thinks it must not be important.  The teacher is setting a bad example.


The Cone of Silence

Do you remember the Cone of Silence in the old Get Smart TV show?  It was great.  The Chief and Max would lower the cone so no one could hear what they said.  It was a funny, but effective, way of keeping a conversation secure.

The best part was that most of the time it didn’t work.  The mechanism would break.  The cone would go up and down when it wasn’t supposed to.  Half the time the cone was so silent, no one could hear each other.  Or there was a tremendous echo in it.  My favorite was an episode where Max asked for the cone of silence only to report that he had nothing to report.

We are all lazy when it comes to security.  If the technology is easy to use, we’ll use it.  If it takes a lot of effort, we won’t.  The cone of silence, when it worked, was easy to use. 
