Small Businesses Must Address Security and Privacy

September 18th, 2015

I’ve been working with hundreds of businesses over the past fifteen years, and I’ve found many common challenges that they are always trying to address, as well as some common, dangerously incorrect, beliefs about security and privacy. There are some common misconceptions that are unique to one-person to small businesses.

Here are four common recurring incorrect information security and privacy beliefs of small businesses, and the facts that these businesses need to know: Read the rest of this entry »

Use Movies to Raise Privacy and Security Awareness

September 1st, 2015

I’ve noticed an uptick in online discussions about information security and privacy awareness ideas. I don’t know what provoked the increased buzz, but I’m happy to see it, and more sincere consideration of actually doing activities to truly raise awareness.

  Read the rest of this entry »

Organizations Must Stay Vigilant Against Insider Threats

September 1st, 2015

I started my career as a systems engineer at a large multinational financial and healthcare corporation. I was responsible for creating and maintaining the applications change management system. The purpose of the system was to ensure that after the programmer finished coding, the code could be moved, with the approval of the manager, to a different area to test. After testing was complete it would be moved back to the development area if changes were needed, or a different manager would approve it to be moved to the live/production area for widespread use.

By requiring different individuals/roles other than the programmer (who did her own testing while creating the program) to test the program, it accomplished two primary goals: Read the rest of this entry »

Never Judge an Information Security Professional Solely by their Security Certifications

July 30th, 2015

Recently I attended a gathering where a litigation lawyer was giving a presentation and made the statement, “The defendant’s information security officer did not have any type of security certification, such as a CISSP (Certified Information Systems Security Professional) or CISM (Certified Information Security Manager), which demonstrated lack of qualification for her position, and negligence on the part of the hospital system that had hired her to fill that position.” Read the rest of this entry »

Stay Alert for Stegoloader and Rombertik Malware Threats

July 17th, 2015

Recently a friend of mine sent me a photo of the image on his computer screen. It was a Windows firewall warning message that his computer had been infected with malware. He said that when he tried to re-boot the computer it got into an endless loop and he could not get it to do anything. He finally took it to the computer repair shop, and they had to reload a new system. Thankfully he had a complete, clean, backup of all his files, so he didn’t lose anything. I asked what the repair folks said the problem was, and he indicated that they didn’t tell him anything specific, only that he “probably had bad malware.” Read the rest of this entry »

Hey, Developers! Save Privacy in the IoT Explosion

July 2nd, 2015

I’ve been concerned with and writing about the information security and privacy risks involved with the data created, transmitted and processed by smart devices in the Internet of Things (IoT) for several years since they first started emerging (e.g., here) and will likely be writing on it even more in the coming months and years. According to a new IDC research report, the IoT market will grow from $655.8 billion in 2014 to $1.7 trillion in 2020 with a compound annual growth rate (CAGR) of 16.9%. Will privacy die in this IoT explosion? If IoT developers and manufacturers take action now, I’m optimistic that they can save privacy in the IoT explosion. Read the rest of this entry »

It is Time to Set Social Media Rules

June 28th, 2015

Over the past couple of weeks, I have spent a lot of time speaking with one of my clients about social media and posts from employees and contractors that may have a negative impact on the business. And the client is right to be concerned.

Most businesses are now using social media sites to communicate with their customers, potential customers, patients, employees, and everyone in between. However, such communications can often go awry at best, and result in privacy and security violations at worst. Here are just a few examples of what can go wrong. Read the rest of this entry »

Change Controls Are Still Necessary

June 5th, 2015

In the past week I helped a client whose programming staff had just caused a business disruption for the fifth time in two months because of the changes they made in the program code of their online service. The programmers, and so many of my other clients, have expressed the opinion that they can just code something and plop it out into production, without testing. And then they try to tell me that is “agile programming.” No, it is not. It is unsecure and, quite frankly, lazy programming. Read the rest of this entry »

Will Your Contractors Take Down Your Business?

May 21st, 2015

Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.

Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.

The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices? Read the rest of this entry »

Organizations Must Consider Privacy Harms

May 12th, 2015

The expanding use of smart gadgets in the Internet of Things (IoT) is creating many more privacy risks than ever before encountered. Many businesses are also (finally!) starting to address privacy. And interest in how to establish privacy programs and how to perform privacy impact assessments (PIAs) to identify privacy risks are increasing. The privacy risks to the business that can occur include such things as: Read the rest of this entry »