Archive for October, 2006

Humans Are the Weakest Info Security Link: Technology Alone Cannot Guarantee Compliance Nor Prevent All Information Leaks

Tuesday, October 3rd, 2006

Today a press release came from an information security vendor from my neck of the woods, Palisade Systems.

The press release discussed the results of a survey performed by the vendor that "concluded accidental or malicious data leaks by employees pose the biggest data security, monetary and compliance threat to organizations."

Indeed.  Humans always have been and always will be the biggest vulnerability and threat to basically any type of business function, including information security and privacy compliance. 

I did not contact the company to request a copy of the study results.  However, I found it very ironic that they used the study results, concluding that people are the weakest link in information security and compliance, to then have the vendor CEO basically state that his technology product will prevent sensitive data leaks.

"By combining our content monitoring and blocking technology with ZixCorp’s encryption service, we will now be able to guarantee another level of content security to organizations that require their confidential data remain confidential to only authorized personnel," said Kurt Shedenhelm, CEO and president of Palisade Systems. "While competing vendors provide pieces of an overall content security solution, Palisade and ZixCorp deliver a completely integrated solution that ensures private content is protected even after it’s been checked and approved internally for outbound delivery."

It bothers and concerns me when vendors make guarantees, especially about security and compliance.  It bothers me when I see claims that a technology product alone "ensures private content is protected."

Just quickly off the top of my head I can think of two situations in which technology is probably not going to be able to stop the leakage of sensitive data from a network.
1)  Sensitive data within encrypted files
2)  Sensitive data transferred out of the network via a network user’s personal email account via a browser front end and webmail

I know these two situations happen within organizations all the time.  I know that even if an organization has blocked access to the most common types of webmail, such as Yahoo, AOL and so on, it is trivial for people to have their own domain name on their own ISP and mailserver using webmail that is not blocked by the filters on the network.

I admit, I know nothing about the Palisade product other than what was written in the press release. And, perhaps there is something it could do about the webmail issue…but I’m not sure…

The situations I mentioned are only two possibilities; there are many more covert, and overt, ways in which data leakage can occur from a network, as well as, of course, non-network ways.

Yes, using good information security technologies to help prevent the leakage of sensitive data will lessen the leaks, and it will also demonstrate due diligence on behalf of the organization.  Yes, it will help to meet a subset of compliance requirements for many different data protection laws and regulations.  But, that is just part of the complete solution for preventing as many data leaks as possible, and for meeting all compliance requirements.

Information security, privacy and compliance take much, much more than technology.  I’ve seen too many SMBs and, frankly, gullible organizations of all sizes, purchase technology products and install them thinking they are then in complete compliance with data protection laws and regulations, only to have a rude awakening later when they get audited, being told they also need policies, procedures, training, awareness and other administrative requirements from the regs.  Or, worse yet, discovering after an incident occurred that the technology alone was not the complete solution after all.

Technology alone will not make any organization completely compliant with any data protection law or regulation.

That’s worth a deja vu…

Technology alone will not make any organization completely compliant with any data protection law or regulation.

Technorati Tags

Survey Forecasts Increasing Numbers of Data Breaches: Business Leaders Need to Support and Invest in Security

Monday, October 2nd, 2006

I saw a press release today about the Credant Technologies report, "Mobile Data Breach Report 2006: What’s at Stake? Who’s the Victim?"

Despite the vendor’s view that the results are surprising, based upon the actual incidents that have been occurring, and comments from large numbers of CISOs and CPOs trying to get budgets, the results really are not that surprising.  I did not view the actual report and study details; you have to send an email to the Credant folks for that.

Some of the statistics to note that were given in the press release…

  • "The CREDANT laptop survey was conducted in July 2006, with emails sent to nearly 17,000 Global 2000 IT professionals. Of those, four hundred and twenty six respondents from around the world completed the questions that make up the final outcome of the survey."

So this is just a 2.5% return on the survey.  The actual demographics were not given either, and that is definitely a significant consideration for the findings.  However, there are still points to note within the resulting data.

  • "88% of respondents know that volumes of sensitive data resides on mobile devices; 72% state that encryption is required for compliance, yet less than 20% have implemented encryption."

This points to problems with non-support of policies by executives, and no sanctions for noncompliance.  Business leaders need to realize that their policies will not be effective unless they clearly and actively support and enforce them.  They must also know that having policies that are not enforced will hurt their organization in any litigation they get into that can be related to the policies; for example, litigation following an incident involving PII, which organizations with "volumes of sensitive data" on their mobile computing devices should consider a very likely possibility.

  • "52% of respondents state that personally identifying information such as Social Security, driver’s license numbers and financial, medical or other confidential personal information is stored on mobile devices. While 62% stated that up to 25,000 accounts would be impacted if a laptop were stolen, 30% percent reported that between 25,000 and 2 million accounts would be impacted; and 5% had no idea of how many accounts were vulnerable."

Why do organizations continue to allow entire databases of personally identifiable information (PII) to be loaded onto mobile computing devices and storage devices?  Where are their access controls?  What are the real reasons they continue to allow such vulnerable data to be loaded onto these devices?  It seems access control has gotten very lax over the past decade as the numbers and types of information sharing technologies have exploded.  It seems trying to keep a handle on maintaining access control, and enforcing minimum required access to data that so many regulations require, is just too mind-boggling to try and manage, resulting in a virtual PII gone wild onto enterprise laptops, PDAs, USB thumb drives, and other end-user-controlled technologies.

If there is a legitimate business need to copy such huge amounts of PII onto mobile computing devices, then companies must encrypt them not only to provide protection to the PII, but also to demonstrate due diligence. 

I think the 5% number not knowing is way low; I believe that a much higher percentage of companies do not really know where all their PII resides.  It is important to have a policy against copying PII to mobile computing devices, but you also have to implement procedures to check, in one or more ways, on an ongoing basis, where PII truly resides to ensure the policies are being followed.
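As an added illustration of both points above (written for this page; not code from the blog, from Palisade, Credant or any vendor product), the following Python is a minimal content filter of the kind a leak-prevention product applies at the network edge. It shows the limitation described in the first post (a plaintext PII pattern that matches a customer export stops matching the moment the same bytes are encrypted) and the check a defender can still make on an unreadable payload (flag it for review by its entropy instead of passing it as clean). The same scanner then doubles as the at-rest discovery procedure the paragraph above calls for, run over a few constructed files standing in for a laptop's disk. The SSN pattern, the `CONFIDENTIAL` marker, the file paths, the `toy_stream_encrypt` stand-in for a real cipher and all sample records are assumptions constructed for the example.

```python
"""Added example (written for this page; not code from the blog post, from
Palisade, Credant or any vendor): a minimal content filter showing why
plaintext pattern matching alone cannot stop the leak paths discussed, and
what a defender can still check, both at the network edge and at rest."""
import hashlib
import math
import re
from collections import Counter

# US Social Security numbers in the dashed form, excluding groups that are
# never issued (area 000/666/9xx, group 00, serial 0000) to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical marker a data owner stamps on restricted documents.
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")

ENTROPY_THRESHOLD = 7.0  # bits/byte: prose is ~4-5, ciphertext approaches 8
MIN_OPAQUE_SIZE = 256    # entropy estimates on tiny payloads are not meaningful


def find_pii(text: str) -> list[str]:
    """Return every SSN-shaped token found in readable text."""
    return SSN_RE.findall(text)


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_outbound(payload: bytes) -> dict:
    """What a content filter can honestly say about one outbound payload.

    'block'  - plaintext PII or the restricted marker matched
    'review' - payload is opaque (encrypted or compressed); the filter cannot
               read it, so it is held for review instead of being passed as clean
    'allow'  - readable and nothing matched
    The decision is destination-agnostic: the same check applies whether the
    payload goes to the corporate mail relay or to webmail on a private domain.
    """
    text = payload.decode("utf-8", errors="replace")
    hits = find_pii(text)
    if hits or MARKER_RE.search(text):
        return {"verdict": "block", "reason": "plaintext match", "pii_hits": len(hits)}
    entropy = shannon_entropy(payload)
    if len(payload) >= MIN_OPAQUE_SIZE and entropy >= ENTROPY_THRESHOLD:
        return {"verdict": "review",
                "reason": f"opaque payload, entropy {entropy:.2f} bits/byte",
                "pii_hits": 0}
    return {"verdict": "allow", "reason": "no match", "pii_hits": 0}


def discover_pii(files: dict[str, bytes]) -> dict:
    """At-rest discovery over a {path: contents} map (stand-in for walking a
    laptop's disk) to verify a 'no PII on mobile devices' policy is followed.
    Opaque files are listed separately: they might be the approved encrypted
    store, or an unreadable copy nobody can vouch for."""
    report: dict = {"pii": {}, "opaque": []}
    for path, data in files.items():
        result = classify_outbound(data)
        if result["pii_hits"]:
            report["pii"][path] = result["pii_hits"]
        elif result["verdict"] == "review":
            report["opaque"].append(path)
    return report


def toy_stream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a real cipher so the example runs on the standard library:
    XOR with a SHA-256-derived keystream. Illustrative only, not for real use."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(plaintext[offset:offset + 32], keystream))
    return bytes(out)


# Constructed sample data: fabricated names and numbers, not real records.
CUSTOMER_RECORDS = "CONFIDENTIAL - customer export\n" + "\n".join(
    f"customer {i:03d}: Jane Example, SSN 123-45-{6000 + i:04d}, balance 1042.{i:02d} USD"
    for i in range(12)
)
ENCRYPTED_RECORDS = toy_stream_encrypt(b"constructed-demo-key", CUSTOMER_RECORDS.encode())
LAPTOP_FILES = {  # hypothetical paths on a user's laptop
    "C:/Users/jane/export.csv": CUSTOMER_RECORDS.encode(),
    "C:/Users/jane/archive.bin": ENCRYPTED_RECORDS,
    "C:/Users/jane/notes.txt": b"call IT about the new mobile device policy",
}

if __name__ == "__main__":
    print("plaintext export    :", classify_outbound(CUSTOMER_RECORDS.encode()))
    print("same data, encrypted:", classify_outbound(ENCRYPTED_RECORDS))
    print("laptop scan         :", discover_pii(LAPTOP_FILES))
```

Two design choices are worth noting. The opaque case returns "review" rather than "block", because a filter that cannot read a payload does not know whether it is a leak or legitimate encrypted business traffic; blocking it outright would make the product unusable, which is exactly why a vendor cannot truthfully guarantee that unreadable content is protected. And the entropy check has its own blind spot: anything below `MIN_OPAQUE_SIZE` is passed as "allow", so small encrypted fragments, and of course anything that never crosses the network, remain a matter for policy, training and access control rather than for this code.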

  • "However, when asked to identify the top three reasons why encryption, considered the primary data privacy and protection option was not implemented, the number one reason cited by 56% of the respondents was lack of funding. The second place response by 51% of the respondents was that encryption was not an executive priority. Limited IT resources was cited by 50% of the respondents as the third obstacle in getting the job done."

Yes, I hear lack of funding often.  If there is no money for encryption, though, business leaders must find a way to keep PII off mobile computers. 

Information security and privacy due diligence is not free. 

Another very effective activity, one that is comparatively inexpensive and probably has the greatest positive impact on information security and privacy, yet which businesses still do not do enough of, is providing ongoing information security and privacy awareness and training to their personnel.
