Category Archives: Who Needs Information Security

Information Security – Who needs it? Law Firms Do!

You own or manage a law firm and have a lot of important cases. But are you taking information security seriously? If not, you are exposing your clients and your firm to potential negative ramifications as evidenced by several Atlanta law firms who failed to secure sensitive documents. Due to poor information protection practices several law firms dumped sensitive documents containing case information, W2 information, bankruptcy files, and old checks among other data directly into an insecure location. When some of the original documents were traced back to a firm it was learned that the employee who performed that action was instructed to dispose of the documents in a large dumpster that was believed to be a secure site.  The original article linked above quoted the employee as saying “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

Business Risk

By failing to secure sensitive client information the law firm exposed themselves to liability lawsuits and a damage to their reputation of being trust worthy representatives of their clients

Information Security Lessons Learned

  • Sensitive information residing in physical form should not just be thrown out. More thorough destruction techniques such as shredding or incineration are necessary to safely eliminate records that have outgrown their usefulness. You could also consider hiring a firm that specializes in these activities but be sure to audit their compliance on occasion.
  • Sensitive electronic media should be secured by overwriting it as detailed in a previous article.
  • Once you have implemented effective techniques as outlined above educate your employees how to perform the desired actions and audit their compliance on a periodic basis.

Remember simply putting information in a dumpster does not equal information security!

Photo by http://www.flickr.com/photos/caterina/

Information Security – Who needs it? Colleges & Universities Do!

We have previously highlighted an information security incident where a laptop theft from a hospital caused significant data loss and negative publicity. You might be thinking what does that have to do with me? I am safe because I have a desktop and those don’t get stolen like laptops do. Think again! Desktops are also a frequent target of theft as City College of New York learned the hard way. A desktop computer was stolen that contained the personal information of 7000 students who are now at an increased risk of identity theft.

Information Security Lessons Learned

  • Desktops and laptops should utilize encryption when any sensitive data will reside on the machine. Often times it is not easy to know up front if the machine will be used to store sensitive data so it is best to default to a secure installation and install encryption every time.
  • Laptops are not the only devices that could benefit from a cable lock. Desktops and other computer equipment like portable projectors should also utilize them to add an extra dimension of physical security and theft deterrence.

Information Security – Who needs it? The Police Do!

Photo courtesy of http://www.flickr.com/photos/gadgetdude

The latest in our continuing series on real life information security incidents shows that even the police need information security. The Manchester Police Department recently experienced an information security incident and the negative publicity that results from such an event. The source of the incident was an unencrypted USB drive that was lost and was found to be holding sensitive records including information about officers and emergency response information including such gems as information about crowd control plans. Losing this information potentially puts the officers at undue risk and also gives groups seeking greater knowledge about internal workings of the police department a leg up in better understanding how the department works. This incident is especially troubling since the article mentions that this department also had an issue with worm problems awhile back, so it is clear a new security mindset is needed to keep data secure.

 Information Security lessons learned

  • Do not store sensitive information on USB drives
  • If you find recommendation #1 draconian be sure to utilize an encrypted USB device such as the IronKey device available at places like Amazon.com
  • Educate your users regarding information security to help make sure your security policies are not violated

PS: I realize the picture is not the Manchester Police department but same country and it was just too tempting to pass up!

Information Security – Who Needs It? Hospitals Do!

Photo courtesy of http://www.flickr.com/photos/shopxtreme/

Fraser Health Authority in British Columbia is the latest company to suffer an information security incident that could have been prevented. A laptop in their pulmonary function lab containing sensitive patient information was stolen resulting in 600 patients data being potentially compromised. Worse yet the laptop was not protected by encryption or password protected making the data readily available to the criminal.

 

Lessons Learned

  • Do not store sensitive data on laptops if a more secure mechanism is available
  • Utilize encryption when any sensitive data will reside on the machine and especially if you violate the rule listed above.
  • Utilize cable locks for all computer equipment to add a dimension of physical security and theft deterrence.
  • Implement audits to ensure compliance with any IT Security policies you have

Information Security – Who needs it? Consulting Firms Do!

Don't Mess with Delaware

I was browsing the latest information security incidents and noticed one from my home state of Delaware. The State of Delaware was affected by an information security incident due to careless data disclosure from their 3rd party service provider Aon Consulting. The end result was data disclosure of 22,000 state employees, putting them at a greater risk for identity theft. Since the data was related to health and benefits information the disclosure falls under the HIPAA regulations. Aon Consulting is notifying the individuals affected and offering credit protection services to those affected to help minimize the damage.

Lessons Learned from this Information Security Incident

  • Even if you do everything right from an information security standpoint your services providers must have a similar mindset and do likewise.
  • Think twice about providing sensitive data to 3rd party providers that likely have no specific need of that data
  • Regularly review your site for content that should not be disclosed (or even better do proactive reviews prior to making the information available on-line.

Information Security Crimes What Is The True Cost?

The true cost of what information security incidents cost businesses and the economy as a whole is impossible to quantify. Information security incidents often go unreported because many victims feel they will be hurt by negative publicity and be further punished. Other victims may never become aware that they have had an incident because they lack the proper security tools to detect the intrusion. A recent report by the Ponemom Institute and reviewed by Panda Security group showed the average cost of malware issues alone costs the average firm in the study millions of dollars a year.

Other notable findings from the study include:

  1. The average company experienced at least 50 successful malware attacks which is due to increasingly advanced malware and lack of comprehensive signature updates.
  2. It takes companies an average of 14 days to neutralize a cyber-attack at an average cost of $17,000 dollars per day. Check out our Top 10 tips on keeping your business secure to lesson your chances of becoming a victim.
  3. Malicious web sites are the most dangerous sources of cyber crime accounting for 90% of the volume of incidents. To lesson your chances of having an issue make sure you practice safe internet browsing and view only trusted sites to lesson your chances of having an issue.

Cyber-crime can affect any type of business as we have highlighted in our Who needs Information Security tidbits.  Stay informed and stay protected!

Information Security – Who Needs It? Restaurants Do!

Tino’s Greek Cafe located in Austin, Texas learned the hard way that negative information security exposure can get your business featured in unwanted headlines. Hacker’s compromised customer credit card data and fraudulent charges were noticed by multiple customer’s that had recently eaten at the restaurant. That correlation allowed investigators to determine the commonalities involved and point to Tino’s as the probable link.

What can you do to avoid suffering information security ruin like the Greek Cafe? Review our information security top 10 list and help ensure your company is protected.

Information Security – Who Needs It? Financial/Escrow Firms Do!

Village View Escrow Inc learned the hard way that online banking is not an activity that should be taken lightly by a business. Poor email discipline led to the company’s systems being compromised and sensitive online banking credentials being compromised. The thieves then utilized their network to wire the money across the world causing significant financial loss to the company.

Of particular note is the bank was no friend to the business and also failed in several critical controls including:

1. Not following up on suspicious account security changes

2. Allowing suspicious international wire transfers without validating with the business.

3. Allowing excessive irregular financial transactions to occur.

An important thing to note is the bank is not assuming any of the responsibility for the loss so it is up to you to protect your business if you choose to partake in online banking. Trusting that the bank will protect you can put you out of business!

Company Exposure: Catastrophic financial loss of nearly half a million dollars that threatens the survival of the company

Lessons Learned & Possible Preventive Measures:

1. Online banking for small/mid size businesses is a risky proposition and should not be engaged in without risk mitigation steps. And don’t count on your bank to be your advocate even though they should be on your side.

2. Practice safe email usage and only click on expected documents from known individuals. Scan the attachments prior to launching them on your machine for additional protection.

3. Certain online banking controls that could have helped mitigate the risk include:

  • Use of a dedicated PC for online banking that does this and nothing else (no email, no surfing, ever..)
  • Get written confirmation that only certain customers should be receiving payments and any international phone calls require verbal approval.
  • Configure bank balance and security change notices to go to a mobile device that will give you an additional safeguard if your other systems have been compromised.

Look for additional protection mechanisms in our upcoming online banking security guide.

Information Security – Who needs it? Pizza Shops Do!

You own a small pizza shop or a chain of them perhaps but you could not possibly be the target of internet thieves. Mary’s Pizza Shack thought the same so learn from their mistake before your become a victim. Russian hacker’s managed to infect the transaction terminal that processed credit card orders which exposed customer’s accounts to unauthorized transactions.

Company Exposure: Company was forced to announce embarrassing disclosure to it’s customers and pay for expensive analysis regarding the damage done by the incident.

Lessons Learned & Possible Preventive Measures:

1. Employee education regarding dangers of clicking unsolicited attachments (likely source of infection)

2. Avoid surfing Internet with sensitive systems that process credit card transactions (2nd most likely source of infection)

3. Stay current with anti virus and operating system patches