Archive for the ‘Information Security’ Category
The State of Information Security According to E&Y
Tuesday, November 14th, 2006
This year’s Ernst & Young Global Information Security Survey 2006 is out, and it is always an interesting read. Arguments aside about the statistical accuracy of such surveys, it still provides useful information and also helps to track progress in the topics covered as the years march on. The history of the survey alone, this being its 9th year, is quite revealing. My, my, how concerns have changed in less than a decade!
GPS Tracking Urged As a Laptop Security Measure
Saturday, October 21st, 2006
A solution for addressing laptop thefts and losses was described in a press release today. The product uses GPS in combination with encryption to locate stolen and lost laptops quickly, in addition to being able to delete sensitive files from lost or stolen computers.
I know nothing about this particular product, "MyLaptopGPS," beyond this press release, but the concept is good, and there may be other products out there that do the same thing. Security in layers does not just apply to networks; it applies to all aspects of information security.
In fact, with regard to mobile computing devices it is good to take MANY safeguards, a few of which include:
- Encrypt all sensitive data on the device. This often is most efficient to accomplish by encrypting the entire hard drive.
- Use boot and login passwords…GOOD passwords!
- Configure the device to automatically lock, requiring password-based re-authentication, after a specified period of inactivity. 5 or 10 minutes is reasonable.
- Use privacy screens to cut down the amount of information onlookers, nosy neighbors and other looky-loos can see, like on planes, in airports and so on.
- Use asset monitoring tags and services, such as StuffBak. The GPS product also serves a similar purpose.
- Require unique devices for each person; don’t allow the devices or passwords on the devices to be shared; this destroys accountability.
- Maintain an inventory of all mobile computing devices used, along with the data stored upon them.
- Do not allow mobile computing devices used for business to also be used for personal activities or to be shared with others, such as friends and family members.
- Do not allow employee-owned mobile computing devices to be used for business purposes. Organizations should own all the computing devices used for business purposes to ensure all business policies and procedures can be applied to them.
- Provide locking devices and other methods for physically protecting mobile computing devices when personnel have them outside the more protected confines of the corporate facilities.
- Do not allow large amounts of PII to be stored on mobile computing devices.
- Implement malicious code prevention software and personal firewalls on mobile computing devices.
- Very importantly, provide awareness and training for your folks who use mobile computing devices!!! You can’t expect that they will provide appropriate safeguards if you do not tell them what the appropriate safeguards are that they need to take.
Technorati Tags: information security, IT compliance, policies and procedures, encryption, awareness and training, laptop theft, privacy
Insider Security Threats: More Examples of How People Are Your Weakest Information Security Link
Wednesday, October 4th, 2006
I’m compelled to write once more about the biggest information security, privacy and compliance vulnerability businesses face, the human factor, after reading in SearchCIO, "Insider Security Threats: Watch Out for the Quiet Ones."
This story, however, pointed out that not only do businesses face significant risks of personnel purposefully deciding to do bad things, but that more often than not it is lack of policies, enforcement and training that lead to security incidents.
Yes, you definitely need technology, as the report indicates, but you also need strong policies, executive support, enforced sanctions, and ongoing awareness and training.
Yes, and this is also worth a deja vu…
Technology alone will not protect your business data; you also need strong policies, executive support, enforced sanctions, and ongoing awareness and training.
Technorati Tags: information security, IT compliance, policies and procedures, data leakage, encryption, awareness and training, privacy
Survey Forecasts Increasing Numbers of Data Breaches: Business Leaders Need to Support and Invest in Security
Monday, October 2nd, 2006
I saw a press release today about the Credant Technologies report, "Mobile Data Breach Report 2006: “What’s at Stake? Who’s the Victim?”"
Despite the vendor’s view that the results are surprising, based upon the actual incidents that have been occurring, and comments from large numbers of CISOs and CPOs trying to get budgets, the results really are not that surprising. I did not view the actual report and study details; you have to send an email to the Credant folks for that.
Some of the statistics to note that were given in the press release…
- "The CREDANT laptop survey was conducted in July 2006, with emails sent to nearly 17,000 Global 2000 IT professionals. Of those, four hundred and twenty six respondents from around the world completed the questions that make up the final outcome of the survey."
So this is just a 2.5% return on the survey. The actual demographics were not given either, and that is definitely a significant consideration for the findings. However, there are still points to note within the resulting data.
- "88% of respondents know that volumes of sensitive data resides on mobile devices; 72% state that encryption is required for compliance, yet less than 20% have implemented encryption."
This points to problems with non-support of policies by executives, and no sanctions for noncompliance. Business leaders need to realize that their policies will not be effective unless they clearly and actively support and enforce them. They must also know that having policies that are not enforced will hurt their organization in any litigation they get into that can be related to the policies, for example litigation resulting from an incident involving PII; organizations should consider that a very likely possibility with "volumes of sensitive data" on their mobile computing devices.
- "52% of respondents state that personally identifying information such as Social Security, driver’s license numbers and financial, medical or other confidential personal information is stored on mobile devices. While 62% stated that up to 25,000 accounts would be impacted if a laptop were stolen, 30% percent reported that between 25,000 and 2 million accounts would be impacted; and 5% had no idea of how many accounts were vulnerable."
Why do organizations continue to allow entire databases of personally identifiable information (PII) to be loaded onto mobile computing devices and storage devices? Where are their access controls? What are the real reasons they continue to allow such vulnerable data to be loaded onto these devices? It seems access control has gotten very lax over the past decade as the numbers and types of information sharing technologies have exploded. It seems trying to keep a handle on maintaining access control, and enforcing minimum required access to data that so many regulations require, is just too mind-boggling to try and manage, resulting in a virtual PII gone wild onto enterprise laptops, PDAs, USB thumb drives, and other end-user-controlled technologies.
If there is a legitimate business need to copy such huge amounts of PII onto mobile computing devices, then companies must encrypt them not only to provide protection to the PII, but also to demonstrate due diligence.
I think the 5% number not knowing is way low; I believe that a much higher percentage of companies do not really know where all their PII resides. It is important to have a policy against copying PII to mobile computing devices, but you also have to implement procedures to check, in one or more ways, on an ongoing basis, where PII truly resides to ensure the policies are being followed.
- "However, when asked to identify the top three reasons why encryption, considered the primary data privacy and protection option was not implemented, the number one reason cited by 56% of the respondents was lack of funding. The second place response by 51% of the respondents was that encryption was not an executive priority. Limited IT resources was cited by 50% of the respondents as the third obstacle in getting the job done."
Yes, I hear lack of funding often. If there is no money for encryption, though, business leaders must find a way to keep PII off mobile computers.
Information security and privacy due diligence is not free.
Another very effective activity that businesses need to do, and one that is comparably inexpensive, is providing ongoing information security and privacy awareness and training to their personnel. Still, they do not do enough of it, even though it probably has the greatest positive impact on information security and privacy.
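The post argues that a policy of keeping PII off mobile computing devices is only as good as the ongoing checks that verify where PII truly resides. The following is an added example, not code from the post or from any vendor it mentions, of such a check: it scans a constructed set of files (the kind that might sit on a laptop) for structurally plausible US Social Security Numbers and Luhn-valid payment-card numbers and flags any file that exceeds a policy limit. The file contents, paths and the policy limit are assumptions made for the example.

```python
"""
Constructed example: an ongoing 'where does PII actually reside' check over
files that might be copied onto a mobile device. Detects plausible US SSNs
(using the SSA's structural rules) and Luhn-valid payment-card numbers, then
flags files that exceed the policy limit for PII records.
"""
import re
from collections import Counter

# Constructed sample files for this example; a real sweep would walk the
# user directories of each inventoried device instead of using this dict.
SAMPLE_FILES = {
    "reports/q3_summary.txt": "Q3 revenue up 4%. Contact: ops@example.invalid\n",
    "exports/customer_dump.csv":
        "name,ssn,card\n"
        "A. Smith,123-45-6789,4539 1488 0343 6467\n"   # both valid
        "B. Jones,234-56-7890,5500 0000 0000 0004\n"   # both valid
        "C. Lee,000-12-3456,1234 5678 9012 3456\n",    # both invalid
    "notes/todo.txt": "Call vendor re: contract clause 666-12-3456 (ticket no.)\n",
}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """The SSA never issues area 000, 666 or 900-999, nor a zero group/serial."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers; True when the digits pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Counter:
    """Count plausible SSNs and Luhn-valid card numbers in one file's text."""
    found = Counter()
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            found["ssn"] += 1
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"] += 1
    return found


def scan_files(files: dict, policy_limit: int = 0) -> dict:
    """Scan every file; a file holding more than policy_limit PII records is a
    policy violation (default 0: no PII at all is allowed on the device)."""
    report = {}
    for path, text in files.items():
        counts = scan_text(text)
        total = counts["ssn"] + counts["card"]
        report[path] = {"ssn": counts["ssn"], "card": counts["card"],
                        "violation": total > policy_limit}
    return report


if __name__ == "__main__":
    for path, info in scan_files(SAMPLE_FILES).items():
        flag = "VIOLATION" if info["violation"] else "ok"
        print(f"{path}: ssn={info['ssn']} card={info['card']} [{flag}]")
```

Pattern matching of this kind produces false positives and negatives (the todo note containing a 666-prefixed number is correctly ignored, but unformatted or partially masked records would be missed), so the output is a starting point for a human review, not a final inventory.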
Technorati Tags: information security, IT compliance, policies and procedures, laptop security, encryption, data breach, awareness and training, privacy
Data Recovery…Always Expect that Anything Can Happen to Your Data
Wednesday, September 20th, 2006
I needed a good laugh today…and I got it from the Channel Register story "The Cat Peed on my Laptop…"
If you need to relieve a bit of stress, perhaps the following will make your frown turn upside down…
"By John Leyden 20 Sep 2006 13:09
The cat peed on my laptop…
and other bizarre data recovery disasters
It’s not only IT Help Desks that get strange queries and requests. Data recovery specialists at UK-based firm Disklabs have compiled an illuminating list of the oddest requests for assistance it receives from the 50,000 cases a year it deals with involving people needing to get their data recovered.
Disklabs said that recovery of data is nearly always possible, even from the extreme cases it highlights. "It seems that each year this list gets more and more bizarre," Disklabs director Simon Steggles said.
Disklabs top ten data recovery disasters
* My cat urinated on my laptop – Disklabs technicians had to tread gingerly in handling a Toshiba laptop which had been urinated on by a client’s pet Persian Blue."
Talk about a bad review…sounds like the computer literally pissed him off!
"* It fell off the roof of the car – A salesperson in a hurry placed his laptop on the roof of his car, while he placed all his demo products into the vehicle. He forgot the laptop on the roof and drove off. He stated: "I was doing about 40mph when I saw it in the rear view mirror"."
I know of *2* CEO’s who lost their laptops off the top of their cars! This is a common occurrence I think.
"* I accidentally drove over it – An MP3 player was the victim of this roadside mishap. The client didn’t realise that the MP3 player had fallen out of her pocket, and accidentally drove over the offending device. "
Not really surprising…more roadkill…
"* We just sacked the IT manager and he started kicking the server – The IT manager wasn’t up to the job so he was fired. The man in question threw a wobbler, deciding the server had to go before he did. He achieved this by kicking the server until it stopped working, causing data corruption and hardware damage to the hard drives. "
What’s a wobbler? Is that like a hissy-fit? Or more like a having a cow?
"* There was a bit of oil on it – Quite an understatement. One Disklabs’ client had approximately 120 barrels of crude spilt over his laptop, which was in use on an oil rig at the time. "
Wow! Trying to visualize where on the rig they put him to have his computer covered with all the oil. Gosh…what kind of job did he have on that rig…
"* I accidentally threw it out of a window – A student claimed he was ‘messing around’ with his roommate’s laptop. But instead of pretending to throw the laptop out of the window, he chucked it for real – much to the dismay of his roommate. "
Yes, this is very credible. If you know college students, you KNOW this could happen!
"* She just got stroppy and snapped it in half – A client’s wife thought he was playing away from home and snapped his mobile in a fit of pique. The phone, a Motorola V3 Razor, was literally snapped in half. Disklabs only received one half of the phone and was still able to retrieve all the SMS messages and contacts. "
Hey, I learned another new word, "stroppy"! Of course I had to look it up…"touchy"…"belligerent". I don’t know, sounds more like she was throwing a "wobbler" to me.
"* The dog has had a go at it – a Staffordshire bull terrier took a liking to its owner’s camera and bit into it. The memory card inside sustained some damage and arrived still wet from dog saliva. "
Whew! I was afraid of what that last word in the sentence was going to be.
"* I was showing my friend how to delete data on the spare hard drive, but I deleted the wrong one – Enough said. "
Yeah, ‘nuf said.
"* My wife threw my laptop down a well – Another marital dispute. Excuses offered failed to placate an irate wife who took her revenge by throwing her husband’s laptop into a 60 foot well. "
LOL…we have a 120 foot well…with a true throw, I can imagine the laptop bumping and ricocheting against the sides…thwank…bwonk…thunk…all the way down until you hear the deep, plonking splash, followed by the lyrical echoes. Or, if it was a straight drop down, the waiting silence…finally broken by the big, SPLOSHing water crash. Hope they didn’t have to drink that water…you’ve seen those reports about all the bacteria on computer keyboards, haven’t you? 😉
"Disklabs swears all the anecdotes above come from real jobs undertaken by its data recovery service. Disklabs was able to save data in all the above instances. Which is nice."
Wonder if the husband or the wife climbed down the well for the retrieval? Yeah, I think most definitely the husband, too…
Technorati Tags: information security, IT compliance, policies and procedures, data recovery, awareness and training, privacy
July VA Laptop Theft Was an Inside Job: Another Example of the Insider Threat
Monday, September 18th, 2006
This highlights the importance of ensuring controls exist for all individuals you entrust with access to your information…going beyond your employees, and also doing activities to ensure the business partners to whom you have outsourced data handling of any kind are adequately securing your information. You also need to ensure they do not then pass your information on to yet another entity without your knowledge and approval.
I talk about the threats and suggested controls for outsourcing in a couple of recent papers, "Addressing the Risks of Outsourcing" and "Security and Privacy Contract Clause Considerations" which I co-wrote with Christopher Grillo.
I’ve had great and interesting discussions with CISOs from many companies, and a significant number of them have experienced information security incidents from the employees to whom they have given authorized access to sensitive information and systems, as well as many incidents with their outsourced business partners, vendors, contractors and so on. I believe that, even with the majority of states having breach notification laws, most incidents still never get reported. If the incident was "handled" quickly and the company believes the culprits did not have time to actually do anything with the data, then it does not get reported.
In more than one case the insider doing bad things was a systems security administrator who was unhappy with his or her work situation…not enough pay…not enough respect…no promotion…no recognition…no perceived importance or appreciation…
Information security and privacy incidents so often result from the actions of trusted insiders…information security and privacy practitioners need to make sure they keep that in mind and expand their scope of concern from just the physical and ether issues and try to inject some human psychology considerations into their information assurance activities. Information security programs benefit from considering the human factor and recognizing and being aware of the motivations that lead to security incidents.
Technorati Tags: information security, IT compliance, policies and procedures, insider threat, laptop theft, patient privacy, awareness and training, privacy
FTC Hosting Fraud Prevention Forums: Identity Theft Demographics
Wednesday, September 13th, 2006
The FTC announced today:
"FTC, Partners Will Hold Hispanic Fraud Prevention Forum in New York City
Members of Hispanic Communities Invited to Discuss Consumer Fraud Issues
The Federal Trade Commission, United States Postal Inspection Service (USPIS), U.S. Attorney’s Office for the Southern District of New York, and Manhattan Hispanic Chamber of Commerce are hosting a day-long Hispanic Fraud Prevention Forum in New York City. The Forum, which will be held September 27, 2006, from 8:30 A.M. until 3:30 P.M. at the Alexander Hamilton U.S. Custom House at One Bowling Green, New York, NY 10004, is open to Hispanic community leaders, representatives from community organizations, and local, state, and federal law enforcement and consumer protection agencies that work with Hispanic consumers. The goals are to discuss consumer fraud in Hispanic communities in the New York area and develop law enforcement and consumer education strategies to address it."
Go to the link to find out more.
This struck me as quite interesting. I wonder what studies or statistics they have about all the demographic groups?
Searching through their site I found a 283 page report, "Fraud and Identity Theft Complaints Received by the Federal Trade Commission from Consumers Age 50 and Over" from May 2005, but no other reports about a specific demographic.
Okay, the mathematician in me is now thirsty for some demographic identity theft information…
I found the Better Business Bureau (BBB) Online identity theft study from January 2006. "One Surprising Finding: the Core Demographic – 25 to 34 – Has the Highest Rate of Identity Fraud Rather Than Seniors" Interesting…
Javelin Strategy & Research did the BBB Online study. They also did another one in August 2006 that costs $950 (nope! I’m not shelling out that kind of dough just to pique my curiosity). Their overview provided an interesting statement: "Misunderstanding data breaches and their effect on identity fraud may lead to incorrect guidance to consumers, mistakes regarding protective measures companies employ, and overly burdensome legislation. Armed with facts, industry leaders must ensure that the data breach “cure” is not worse than the affliction. This report is the first ever to show the actual impact that data breaches have on known-cause cases of identity fraud."
First ever to show how data breaches impact identity fraud???
Hmm…definitely good bait to get some sales…I take these types of statements with several grains of salt without knowing what kind of meat they have to support their gravy statements…
It all comes down to implementing the correct controls and safeguards around personally identifiable information (PII) to reduce risks to a reasonable and acceptable level to help prevent the compromise of PII to begin with.
It would be very interesting to see the mistakes they found companies make; there are so many to choose from! And yes, of course some legislation can be overly burdensome, and I agree that many laws should have been written better. But, without legislation I wonder how many companies would decide that, since they aren’t legally required to protect PII, they won’t cut into their revenues by implementing controls at all…or will just implement the minimum they think they can get away with? Data protection laws and information security initiatives are both double edged swords that often clink in battle within many organizations.
Technorati Tags: information security, IT compliance, policies and procedures, corporate governance, identity theft, awareness and training, privacy
Don’t Underestimate Motivation for Hacking or Cybercrime
Thursday, September 7th, 2006
Today Information Week reported that a man hacked into the University of Southern California computers in 2005 and stole personal information on up to 270,000 individuals apparently because he was rejected for admission. He was just sentenced to a 6-month home detention sentence, and must pay $37,000 in restitution for this crime.
So many times I read about and I hear business leaders say that they are not that concerned with the potential of a hacker or cybercrime because they do not have a business that would be a target of an attack, or they are not in an industry that would be targeted for an attack. "Why, we only make O-rings for engine pistons…no one would be interested in attacking our systems!"
It would be nice to think that you’re safe just because you aren’t a financial or healthcare company, but that is completely unrealistic. Any company system that is attached to the Internet, or to another organization’s system that is attached to the Internet, or has personnel using the Internet, is subject to some kind of malicious code or hacker attack.
Motivation for cyber crime is a very interesting topic. The rejected USC student perhaps also wanted to show that he would have been a very good computer student. Or, he also may have just wanted to get even with an organization that he felt had done him wrong or was unfair. Or, perhaps he wanted to sell the personal information he stole to be able to afford a more expensive university. There are unlimited possibilities.
It is important to educate business leaders not only about the regulatory requirements for information security and privacy, and the many different domains of information security that impact your business, but they also need to understand the motivators for cybercrime so that they can help to eliminate the presence of those motivators within the business environment as much as possible, or at least incorporate security safeguards to help prevent motivated individuals from doing bad things.
Donn Parker has done a lot of research and related work with cyber crime motivation. Some of the motivators he lists in his book "Fighting Computer Crime" can be used to help business leaders understand these very real human threats. At a high level the motivators he lists include:
- The Robin Hood Syndrome: Stealing from the rich companies because, in the criminal’s mind, they can afford the loss.
- The Differential Association Syndrome: The criminal wants to deviate from accepted practice among his/her peers or associates in only small ways, such as stealing computer services by using them for personal use. Such small successful crimes lead to larger more significant crimes as confidence builds from not getting caught.
- Fear of Getting Caught: Because criminals are afraid of getting caught doing "normal" crimes, the complexity and seeming anonymity of computers and networks may lure them to cybercrime. It is interesting to note, however, that complexity is also a deterrent to them since, according to Parker, they may end up avoiding the complexities inherent in using computers unless there are no other options.
- The Personification of Computer: Criminals do not have to physically confront their computer victims, or witness resulting anguish from computer crimes, so it is easier for them to commit crimes against computers.
- The Higher Ethic Motive: The cyber criminal often justifies his or her actions by rationalizing that they need to do the crime for a greater good, such as stealing personal data and selling it to make money for a family member’s operation.
Understanding that various human motivators can make your business a target just as much as the type of industry your business is in will help business leaders understand that ALL organizations need to implement a strong and effective information security and privacy program.
Technorati Tags: information security, IT compliance, policies and procedures, corporate governance, cybercrime, hacker, awareness and training, privacy
More on Airport Security and Computer Insecurities
Monday, September 4th, 2006
Today Silicon.com reported some interesting statistics about the increased number of computers being found in the UK now that those airports do not allow for electronics basically of any kind to be taken onboard.
Heathrow reportedly obtains an average of 120 laptops monthly from travellers who misplaced them, and around 15 go unclaimed, ending up at auction.
The story makes a good point about how it seems travellers just assume that their laptop was stolen, so they don’t even check with the airport’s or airlines’ lost and found to see if their computer is indeed within the custody of the airline management.
From the report, "Research out last week suggested 40 per cent of all electronic devices lost at UK airports go unclaimed, with mobile phones more likely to be left unclaimed than laptops and PDAs."
A good lesson for travellers in and through countries with the onboard electronics restriction: If your computer, cell phone, PDA, etc. goes missing, check with the airport security or lost and found department. If you’re lucky it may be there. If you’re even luckier none of the data on it will have been compromised.
Just one more reason to encrypt sensitive and personally identifiable information (PII) on mobile computing devices, to use boot and login passwords, and to use tracking labels and services, such as StuffBak, 4found, IMFound, STOP, Huzizit, or Yellowtag.
Technorati Tags: information security, IT compliance, policies and procedures, asset tracking, stolen laptop, lost laptop, airport security, awareness and training, privacy