In November, some of my friends contacted me, saying they thought I did a pretty good job with my 2015 predictions, and wanted to know what I am predicting for 2016. So here are some good possibilities for the year to come, along with a rewind to see how close I hit the 2015 predictions. (more…)
Posts Tagged ‘Rebecca Herold’
A childhood friend of mine, who does not have a technology or information security background, recently asked me whether or not apps that promise messages, photos, videos, and anything else sent through them will completely disappear were to be trusted. She referenced several different proclaimed “disappearing messages” apps that are currently available and asked, “So what do you think of these disappearing apps? The messages are not really gone?” She is responsible for the care of an adult relative, and wanted to be able to communicate with his healthcare providers securely, and to not have any of the communications to linger and had been using one of these apps. (more…)
Businesses must be aware of risks with outsourcing to other countries activities involving personal information. Over the past couple of months I’ve heard over a dozen organizations express their opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were from small to midsized organizations and startups. But it was somewhat surprising to hear also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.
I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as for HIPAA compliance, when they provide services for U.S individuals and/or businesses. Many believe they do not need to. (more…)
Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices? (more…)
The expanding use of smart gadgets in the Internet of Things (IoT) is creating many more privacy risks than ever before encountered. Many businesses are also (finally!) starting to address privacy. And interest in how to establish privacy programs and how to perform privacy impact assessments (PIAs) to identify privacy risks are increasing. The privacy risks to the business that can occur include such things as: (more…)
What does the past teach us about how to #befutureready in BYOD?
During the last half of the 1990s there was concern for the growing use of employees’ own home desktop computers to dial-in to the corporate network from home. Thousands of articles and hundreds of conference sessions discussed the associated risks, and then how to mitigate them through documented policies and the use of new tools. Soon after 2000 passed the concerns expanded to employees using their personally owned laptops, not only outside of the office, but even bringing them into the facilities to use instead of the corporate-issued computers. Thousands more articles, and hundreds more conference sessions discussed how to address the risks. (more…)
I started my career as a systems engineer at a large multi-national financial and healthcare corporation. I identified a vulnerability in how one of the major back office systems was designed and had an idea for how to mitigate it. I went to my new manager at the time, described my idea and sketched it out on the whiteboard in his office. He wasted no time telling me that it was a horrible idea, that none of the business unit heads would ever agree to do something so drastically different that had never before been done, and that they would likely view it just as more work for them. So I explained how it would actually be less work for them, after which he literally yelled at me, “Stop! Your idea is bad! Quit wasting my time!” I considered quitting that day, but didn’t. Two months later at the IT-wide quarterly meeting the IT Director announced a great new innovative idea that my manager had proposed to the business heads, who embraced the idea and were already doing actions to get it implemented. They also announced my manager had been promoted and would be moved to a different department for his fabulous idea, which they described…and turned out to be my idea, right down to the drawings I made on his white board. I learned many valuable lessons from that situation. I have often wondered since then how often similar types of situations have occurred. (more…)
“Everyone knows that hackers only go after big organizations!” the wearable medical device representative shouted at me after my presentation on the need to build security and privacy controls into such devices, as well as having policies and procedures governing their use within the business organization. “It is a waste of our time, effort and money to establish and build in such security and privacy controls!”
This one person’s strong opinion is one that I’ve heard many times over the years about implementing security and privacy controls in general. And it is becoming more dangerous from a security and privacy perspective to not only those using wearable devices of all kinds (medical, fitness, tracking, etc.), but wearables also bring significant risk to the organizations whose employees are wearing them. (more…)
Still relevant lessons in security economics
I started working in the information security and privacy space in 1988 at a large multi-national financial and healthcare organization. Imagine trying to get security and privacy controls implemented at a time when there were no regulations requiring organizations to do so. Yes, I faced some challenges. And many since. Some examples: (more…)