Tag Archives: Information Security

Information Security – Who needs it? Law Firms Do!

You own or manage a law firm and have a lot of important cases. But are you taking information security seriously? If not, you are exposing your clients and your firm to serious consequences, as several Atlanta law firms that failed to secure sensitive documents found out. Because of poor information protection practices, these firms dumped sensitive documents containing case information, W-2 information, bankruptcy files, old checks and other data directly into an insecure location. When some of the original documents were traced back to a firm, it was learned that the employee who disposed of them had been instructed to put the documents in a large dumpster that was believed to be a secure site. The original article linked above quoted the employee as saying “My understanding is that once stuff goes in nobody can take anything out because it’s very deep.”

Business Risk

By failing to secure sensitive client information, the law firm exposed itself to liability lawsuits and to damage to its reputation as a trustworthy representative of its clients.

Information Security Lessons Learned

  • Sensitive information in physical form should not simply be thrown out. More thorough destruction techniques such as shredding or incineration are necessary to safely eliminate records that have outlived their usefulness. You could also consider hiring a firm that specializes in these activities, but be sure to audit its compliance on occasion.
  • Sensitive electronic media should be sanitized by overwriting it, as detailed in a previous article.
  • Once you have implemented effective techniques as outlined above, educate your employees on how to perform the desired actions and audit their compliance on a periodic basis.

Remember simply putting information in a dumpster does not equal information security!

Photo by http://www.flickr.com/photos/caterina/

Information Security – Who needs it? Colleges & Universities Do!

We have previously highlighted an information security incident where a laptop theft from a hospital caused significant data loss and negative publicity. You might be thinking: what does that have to do with me? I am safe because I have a desktop, and those don’t get stolen like laptops do. Think again! Desktops are also a frequent target of theft, as City College of New York learned the hard way. A desktop computer was stolen that contained the personal information of 7000 students, who are now at an increased risk of identity theft.

Information Security Lessons Learned

  • Desktops and laptops should use encryption whenever sensitive data will reside on the machine. Often it is not easy to know up front whether a machine will be used to store sensitive data, so it is best to default to a secure installation and install encryption every time.
  • Laptops are not the only devices that benefit from a cable lock. Desktops and other computer equipment such as portable projectors should also use them to add an extra dimension of physical security and theft deterrence.

Information Security – Who needs it? The Police Do!

Photo courtesy of http://www.flickr.com/photos/gadgetdude

The latest in our continuing series on real-life information security incidents shows that even the police need information security. The Manchester Police Department recently experienced an information security incident and the negative publicity that results from such an event. The source of the incident was a lost, unencrypted USB drive that was found to be holding sensitive records, including information about officers and emergency response information, with such gems as crowd control plans. Losing this information potentially puts the officers at undue risk and also gives groups seeking greater knowledge about the internal workings of the police department a leg up in understanding how the department operates. This incident is especially troubling since the article mentions that this department also had worm problems a while back, so it is clear a new security mindset is needed to keep data secure.

Information Security Lessons Learned

  • Do not store sensitive information on USB drives.
  • If you find recommendation #1 draconian, be sure to use an encrypted USB device such as the IronKey, available from places like Amazon.com.
  • Educate your users about information security to help make sure your security policies are not violated.

PS: I realize the picture is not the Manchester Police department but same country and it was just too tempting to pass up!

Information Security – Who Needs It? Hospitals Do!

Photo courtesy of http://www.flickr.com/photos/shopxtreme/

Fraser Health Authority in British Columbia is the latest organization to suffer an information security incident that could have been prevented. A laptop in its pulmonary function lab containing sensitive patient information was stolen, potentially compromising 600 patients’ data. Worse yet, the laptop was neither encrypted nor password protected, making the data readily available to the criminal.

Lessons Learned

  • Do not store sensitive data on laptops if a more secure mechanism is available.
  • Use encryption whenever sensitive data will reside on the machine, especially if you violate the rule above.
  • Use cable locks for all computer equipment to add a dimension of physical security and theft deterrence.
  • Implement audits to ensure compliance with whatever IT security policies you have.

Information Security Awareness – Educate, inform, secure

Photo courtesy of http://www.flickr.com/photos/septuagesima/

Educate your employees about information security or all the security tokens in the world won’t save you.

A company may have a decent-sized security budget and spend it effectively on firewalls and other protection devices, but if you fail to educate your end-users all that investment can be for nothing. Hackers, spammers and other evildoers regularly target end-users because it is often the easiest method of attack and is extremely effective. Targeted spam emails and malicious web sites are two of the most common threats, but it is important to implement a general awareness campaign that covers a wide range of information security issues, from what makes a good password to the importance of physical security. Here are some of the important factors to consider when implementing an information security awareness program.

Be Consistent – Develop a weekly or monthly routine and stick to it. Send out the email on a consistent day so users will come to expect it, and perhaps even look forward to it if you follow the other recommended steps below. Always send it from the same account to minimize the likelihood of confusion, which could otherwise assist targeted spam attempts.

Keep It Simple – Do not use overly technical language that will confuse or turn off users. Speak in the communications like you would talk in a conversation and

Do I not entertain you? – Try to write in an interesting style and even use humor to keep your users entertained. Entertaining material is more likely to be read and absorbed than material that would put an insomniac to sleep.

Provide Examples – Many people learn best from examples, and there are plenty readily available. Find a recent incident that demonstrates the point you are trying to make; it will make the point more real and less theoretical. People listen more closely when they know others have fallen for a trick and are more likely to absorb the information.

Be Relevant – Providing examples that people can use both at work and at home is a great way to keep them interested. Examples include safe internet surfing, avoiding spam emails, and the importance of having up-to-date anti-virus signature files.

Consider Posters – Emails are great, but they are often easily ignored. Using posters in high-traffic areas in addition to email is a great way to mix it up and capture the attention of people who otherwise might not care.

Make it a job requirement – Security is only as strong as the weakest link. It is everyone’s responsibility to follow good information security practices and keep the company secure.

In the very near future we will be offering a weekly information security email newsletter so stay tuned and stay secure!

Information Security – Who needs it? Consulting Firms Do!

Don't Mess with Delaware

I was browsing the latest information security incidents and noticed one from my home state of Delaware. The State of Delaware was affected by an information security incident due to careless data disclosure by its third-party service provider, Aon Consulting. The end result was the disclosure of data on 22,000 state employees, putting them at greater risk of identity theft. Since the data was related to health and benefits information, the disclosure falls under HIPAA regulations. Aon Consulting is notifying the individuals affected and offering them credit protection services to help minimize the damage.

Lessons Learned from this Information Security Incident

  • Even if you do everything right from an information security standpoint, your service providers must have a similar mindset and do likewise.
  • Think twice about providing sensitive data to third-party providers that likely have no specific need for that data.
  • Regularly review your site for content that should not be disclosed (or, even better, do proactive reviews before making the information available online).

Information Security Crimes: What Is The True Cost?

The true cost of information security incidents to businesses and the economy as a whole is impossible to quantify. Information security incidents often go unreported because many victims feel they will be hurt by negative publicity and be further punished. Other victims may never become aware that they have had an incident because they lack the proper security tools to detect the intrusion. A recent report by the Ponemon Institute, reviewed by Panda Security, showed that malware issues alone cost the average firm in the study millions of dollars a year.

Other notable findings from the study include:

  1. The average company experienced at least 50 successful malware attacks, which is attributed to increasingly advanced malware and a lack of comprehensive signature updates.
  2. It takes companies an average of 14 days to neutralize a cyber-attack, at an average cost of $17,000 per day. Check out our Top 10 tips on keeping your business secure to lessen your chances of becoming a victim.
  3. Malicious web sites are the most dangerous source of cyber crime, accounting for 90% of the volume of incidents. To lessen your chances of having an issue, practice safe internet browsing and view only trusted sites.

Cyber-crime can affect any type of business, as we have highlighted in our “Who needs Information Security?” tidbits. Stay informed and stay protected!

Information Security – Who Needs It? Restaurants Do!

Tino’s Greek Cafe, located in Austin, Texas, learned the hard way that an information security incident can get your business featured in unwanted headlines. Hackers compromised customer credit card data, and fraudulent charges were noticed by multiple customers who had recently eaten at the restaurant. That correlation allowed investigators to determine the commonalities involved and point to Tino’s as the probable link.

What can you do to avoid suffering information security ruin like the Greek Cafe? Review our information security top 10 list and help ensure your company is protected.

Information Security – Who Needs It? Financial/Escrow Firms Do!

Village View Escrow Inc learned the hard way that online banking is not an activity a business should take lightly. Poor email discipline led to the company’s systems being compromised and its online banking credentials being stolen. The thieves then used their network to wire the money across the world, causing significant financial loss to the company.

Of particular note, the bank was no friend to the business and also failed several critical controls, including:

1. Not following up on suspicious account security changes.

2. Allowing suspicious international wire transfers without validating them with the business.

3. Allowing excessive irregular financial transactions to occur.

An important thing to note is that the bank is not assuming any responsibility for the loss, so it is up to you to protect your business if you choose to bank online. Trusting that the bank will protect you can put you out of business!

Company Exposure: Catastrophic financial loss of nearly half a million dollars that threatens the survival of the company.

Lessons Learned & Possible Preventive Measures:

1. Online banking for small and mid-sized businesses is a risky proposition and should not be engaged in without risk mitigation steps. And don’t count on your bank to be your advocate, even though it should be on your side.

2. Practice safe email usage and only click on expected documents from known individuals. Scan the attachments prior to launching them on your machine for additional protection.

3. Certain online banking controls that could have helped mitigate the risk include:

  • Use a dedicated PC for online banking that does this and nothing else (no email, no surfing, ever).
  • Put in writing with the bank that only certain customers should receive payments and that any international transfers require verbal approval by phone.
  • Configure bank balance and security change notices to go to a mobile device, which gives you an additional safeguard if your other systems have been compromised.
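As an added illustration (not code from the original post), here is how a small business could run the three controls the bank skipped, and the preventive measures above, over an export of its own account activity. The event format, the written payee list, the home country and the daily wire limit are assumptions; the activity records are constructed sample data.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "US"                                              # assumed home country of the business
APPROVED_PAYEES = {"Acme Title Co", "Payroll Services Inc"}      # assumed written payee list given to the bank
DAILY_WIRE_LIMIT = 3                                             # assumed normal wire volume for a small escrow firm
CHANGE_WINDOW = timedelta(hours=48)                              # how long after a security change wires stay suspect

# Constructed sample of account activity in a hypothetical export format (not any bank's real feed).
EVENTS = [
    {"ts": "2010-03-01T08:05", "kind": "wire", "amount": 9500, "payee": "Acme Title Co", "country": "US", "phone_ok": False},
    {"ts": "2010-03-02T09:12", "kind": "security_change", "amount": 0, "payee": "", "country": "US", "phone_ok": False},
    {"ts": "2010-03-02T09:40", "kind": "wire", "amount": 48000, "payee": "Unknown Ltd", "country": "LV", "phone_ok": False},
    {"ts": "2010-03-02T10:05", "kind": "wire", "amount": 45000, "payee": "Unknown Ltd", "country": "LV", "phone_ok": False},
    {"ts": "2010-03-02T10:30", "kind": "wire", "amount": 47000, "payee": "Other GmbH", "country": "DE", "phone_ok": True},
    {"ts": "2010-03-02T11:00", "kind": "wire", "amount": 44000, "payee": "Third SA", "country": "FR", "phone_ok": False},
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")

def review_activity(events):
    """Return (rule, event_index) alerts for the three controls described above; indexes refer to time order."""
    alerts = []
    events = sorted(events, key=lambda e: parse(e["ts"]))
    last_change = None
    for i, e in enumerate(events):
        t = parse(e["ts"])
        if e["kind"] == "security_change":
            last_change = t            # remember the change so later wires can be tied back to it
            continue
        if e["kind"] != "wire":
            continue
        # Control 1: a wire shortly after an account security change deserves a follow-up call.
        if last_change is not None and t - last_change <= CHANGE_WINDOW:
            alerts.append(("wire_after_security_change", i))
        # Control 2: international wire to a payee not on the written list and without verbal approval.
        if e["country"] != HOME_COUNTRY and e["payee"] not in APPROVED_PAYEES and not e["phone_ok"]:
            alerts.append(("unvalidated_international_wire", i))
        # Control 3: more wires in the trailing 24 hours than the business normally sends.
        recent = [x for x in events[:i + 1] if x["kind"] == "wire" and t - parse(x["ts"]) < timedelta(hours=24)]
        if len(recent) > DAILY_WIRE_LIMIT:
            alerts.append(("excessive_wire_volume", i))
    return alerts

if __name__ == "__main__":
    for rule, idx in review_activity(EVENTS):
        print(f"{rule}: {EVENTS[idx]['ts']} {EVENTS[idx]['payee']} {EVENTS[idx]['amount']}")
```

Each alert is a prompt for a phone call to the bank or a hold on the transfer; the business, not the bank, owns that follow-up.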

Look for additional protection mechanisms in our upcoming online banking security guide.

Information Security – Why is it Important?

Viruses, worms, hackers, and cyber thieves, oh my! The electronic universe is loaded with bad guys targeting you, your company, and your data. Computers and the Internet are such an important part of your business that you do not have the option to disengage, ignore the threat and hope it never affects your operations. It is important to understand that there are people out there seeking to do you and your business financial harm, and then to take the necessary preventive measures to minimize your chances of becoming a victim.

In the early days of the internet, viruses and worms were primarily nuisances that caused minor annoyance, and hackers defaced web sites for “bragging rights”. Those days are gone. More advanced criminals have focused their attention on online crime because it is lucrative and minimizes their chances of being caught and imprisoned compared with more traditional criminal enterprises. Businesses that have been victimized often fail to report the crime for fear that the negative publicity will do more reputational harm than the incident itself.

Our mission at Informationsecurityhq.com is to help build awareness of the threats facing your business and offer practical solutions that can be implemented to help minimize the likelihood that you will become a victim.