Tag Archives: Who Needs Information Security

Information Security – Who needs it? The Police Do!

Photo courtesy of http://www.flickr.com/photos/gadgetdude

The latest in our continuing series on real-life information security incidents shows that even the police need information security. The Manchester Police Department recently experienced an information security incident, along with the negative publicity that results from such an event. The source of the incident was a lost, unencrypted USB drive that was found to hold sensitive records, including information about officers and emergency response information such as crowd control plans.

Losing this information potentially puts officers at undue risk. It also gives groups seeking greater knowledge of the police department's internal workings a leg up in understanding how the department operates. The incident is especially troubling because the article mentions that this department also had a worm problem a while back, so it is clear that a new security mindset is needed to keep data secure.

Information Security lessons learned

  • Do not store sensitive information on USB drives
  • If you find recommendation #1 draconian, be sure to use an encrypted USB device such as the IronKey, available at places like Amazon.com
  • Educate your users regarding information security to help make sure your security policies are not violated

PS: I realize the picture is not the Manchester Police department but same country and it was just too tempting to pass up!

Information Security – Who Needs It? Financial/Escrow Firms Do!

Village View Escrow Inc learned the hard way that online banking is not an activity a business should take lightly. Poor email discipline led to a compromise of the company's systems and of its sensitive online banking credentials. The thieves then utilized their network to wire the money across the world, causing significant financial loss to the company.

Of particular note, the bank was no friend to the business and failed in several critical controls, including:

1. Not following up on suspicious account security changes.

2. Allowing suspicious international wire transfers without validating with the business.

3. Allowing excessive irregular financial transactions to occur.

It is important to note that the bank is not assuming any of the responsibility for the loss, so it is up to you to protect your business if you choose to partake in online banking. Trusting that the bank will protect you can put you out of business!

Company Exposure: Catastrophic financial loss of nearly half a million dollars that threatens the survival of the company

Lessons Learned & Possible Preventive Measures:

1. Online banking for small and mid-size businesses is a risky proposition and should not be engaged in without risk mitigation steps. Don’t count on your bank to be your advocate, even though they should be on your side.

2. Practice safe email usage and open only expected documents from known individuals. Scan attachments before launching them on your machine for additional protection.

3. Certain online banking controls that could have helped mitigate the risk include:

  • Use a dedicated PC for online banking that does this and nothing else (no email, no surfing, ever).
  • Get written confirmation that only certain customers should be receiving payments and that any international phone calls require verbal approval.
  • Configure bank balance and security change notices to go to a mobile device, which gives you an additional safeguard if your other systems have been compromised.

Look for additional protection mechanisms in our upcoming online banking security guide.