IT Pros Not Protecting Sensitive Data

A recent survey by Credant Technologies shows that IT professionals really don’t have the time to be bothered with protecting their company’s sensitive data. The survey focused on mobile usage among 227 IT professionals, the majority of whom hold a position at companies that employ more than 1,000 people.

Thirty-five percent revealed they just don’t get around to using a password on their business phones and smartphones, even though they know they should, as these devices contain sensitive and confidential information. Surprisingly, IT professionals are only marginally better at using passwords than the general population: a survey conducted earlier in the year by CREDANT found that 40% of all users don’t bother with passwords on their mobile phones.

The sorts of information that IT professionals are storing on their smartphones and mobiles, many of which are totally unprotected with a password, include:

  • 80% Business names and addresses
  • 66% Personal names and addresses
  • 23% Business emails
  • 16% Personal emails
  • 12% Bank account details
  • 12% Business diary with details of all their appointments and meetings
  • 7% Personal diary
  • 5% Credit card information
  • 4% photos
  • 1% Passwords and PIN numbers

Andrew Kahl, Sr. VP of Operations & Co-Founder of CREDANT Technologies, explains: “It is alarming to note that the very people who are responsible for IT security are not much better at protecting the information on their business phones than most of their co-workers, who don’t necessarily know any better. If a mobile or smartphone goes missing and isn’t protected with a password, and contains business names and addresses and other corporate data such as business emails, then the company is immediately in breach of the data protection act by failing to meet some of its principles on electronic data.”

A scary thought, considering that last year alone saw 656 different security breach incidents, an increase of 47% over 2007’s total of 446, according to the Identity Theft Resource Center. ITRC also claims that the bulk of breached data was unprotected by encryption or passwords.

If IT professionals are failing to protect sensitive data, who is succeeding?

Security Breach Sentence: $9.75 Million

On January 17, 2007, an individual hacked into the computer systems of TJX Companies (parent company of T.J. Maxx and Marshalls) and stole credit card information on at least 94,000,000 individuals. It ranks as the largest security breach ever recorded, according to DataLossDB.org.

And as reported today, the company has agreed to pay $9.75 million to 41 states as part of its settlement.

Framingham, Mass.-based TJX Cos. said Tuesday it will pay $2.5 million to create a data security fund for states as well as a settlement amount of $5.5 million and $1.75 million to cover expenses related to the states’ investigations.

But TJX stressed that it “firmly believes” that it did not violate any consumer protection or data security laws.

Under the settlement, TJX must also prove that its computer systems meet stringent data security requirements.

Eleven people were charged with hacking into the systems of TJX and other retailers to steal credit card information. The legal proceedings for those individuals are still under way.

Hiscox Studies Privacy & Data Security

On Monday at RIMS 2009, Hiscox unveiled its new study “Data Privacy and Corporate America: Who’s Recognizing the Risk.” So I sat down earlier today with one of the report’s authors, Jim Whetstone, who is the company’s senior VP of technology E&O.

The chief finding is that 38% of Fortune 500 companies surveyed do not explicitly mention privacy/data breach in the risk factors section of their SEC 10-K filings, which when broken down by sector is even more alarming: 46% of diversified financial companies, 50% of telecommunications firms and an astounding 80% of utilities. 

Worse still is that, according to Whetstone, many of those that do realize the financial and reputational risks associated with a potential security breach deem the easiest solution, encryption, to be too cost-prohibitive to use, even though they realize it would largely mitigate the threat altogether. Currently around 45 states have laws that require any organization that loses confidential consumer/patient/student/etc. data to notify anyone who was affected. And that’s when the lawsuits, complaints and horror stories of identity theft begin. Not only is this a huge financial burden (the costs of hiring computer forensic specialists, mailing notifications, setting up call centers and offering free credit monitoring add up very, very quickly), but the comparable reputational fallout is nearly impossible to quantify.

All this could be averted in most cases, however, with data encryption since almost all those same state laws also include a “safe harbor” provision that allows companies who safeguarded the data to forego the onerous notification process.

To put this all in proper perspective, all Whetstone had to do was ask me one question: “You know why a car has brakes?” 

Since I learned this fact around first grade, I thought to myself “I got this one…to stop, right?”

But before I said anything he answered his own question: “So it can go fast.”

Most companies are prioritizing innovation — and rightly so. They’re trying to gather as much consumer data as possible to put this to use in sales, development and improved customer relations. But in making these technological advances, it’s also important to ensure you have the right safeguards in place. “It’s a constant battle between technology and the brakes on the car,” said Whetstone. “Companies are trying to be innovative — they’re trying to push the envelope — and that’s always dangerous.”

Whetstone has no delusions that any company should stall innovation for the sake of encryption and data security, however. On the contrary, he thinks gathering all this data is a huge advantage for companies. They just have to be careful and understand their vulnerabilities. And all it takes is glancing at a few of the colorful charts in Hiscox’s report to realize that most companies are failing at the latter endeavor. In TJ Maxx’s infamous data breach, for example, the company was attempting to improve its stores’ operations by implementing a wireless network, yet it failed to realize that sub-par security opened up the location to nefarious data thieves.

Of course, it is indeed true that encryption is still expensive in some cases — back-archiving old legacy systems, for instance. But using encryption doesn’t have to be an all-or-nothing proposition and Whetstone believes that, at a minimum, companies need to at least encrypt the data stored on laptops, USB drives and back-up tapes. He includes this in what he calls a “defense-in-depth approach” to IT security. By securing those physical items that can be left at an airport or in a taxi cab, you allow risk managers and legal counsel to rest easy knowing that their employees at least won’t be giving confidential data away. Hackers can still breach the network and that will remain a concern, but protecting the physical storage devices provides a first level of defense.
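What “encrypt the data stored on laptops, USB drives and back-up tapes” amounts to in practice is shown by the following added example. It is not code from Hiscox, Whetstone or this post: it seals a backup record with AES-256-GCM before it is written to removable media, binding a hypothetical media label (a tape barcode, constructed for the example) as authenticated data, and assumes the key is kept in the organization’s own key store rather than on the device. A lost tape or USB stick then carries only ciphertext, which is exactly the condition the state “safe harbor” provisions turn on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize selects AES-256. The key lives in the organisation's key store and
// is never written to the tape or USB stick alongside the data (assumption).
const KeySize = 32

// NewMediaKey generates a fresh random 256-bit key for one backup set.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealForMedia encrypts plaintext with AES-256-GCM. mediaLabel (a hypothetical
// tape barcode or drive serial) is bound as additional authenticated data, so a
// sealed blob copied onto a differently labelled device will not open.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
func SealForMedia(key, plaintext []byte, mediaLabel string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the blob prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(mediaLabel)), nil
}

// OpenFromMedia reverses SealForMedia. A wrong key, a wrong label, or any
// modified byte is rejected by the GCM tag check rather than silently decrypted.
func OpenFromMedia(key, blob []byte, mediaLabel string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(mediaLabel))
}

func main() {
	// Constructed sample record standing in for a customer export on a backup tape.
	record := []byte("name=Jane Doe;card=4111111111111111;email=jane@example.com")
	key, _ := NewMediaKey()
	blob, _ := SealForMedia(key, record, "TAPE-0001")
	fmt.Printf("on tape: %x...\n", blob[:16])

	out, err := OpenFromMedia(key, blob, "TAPE-0001")
	fmt.Println("with key:", string(out), err)

	// The lost-device case: whoever holds the tape does not hold the key.
	_, err = OpenFromMedia(make([]byte, KeySize), blob, "TAPE-0001")
	fmt.Println("without key:", err)
}
```

The design choice worth noting is the separation of key and media: if the key were stored on the same USB stick or tape (or derived from a password written on its label), the device would be lost together with the means to read it, and the encryption would buy neither protection nor safe harbor. Using the media label as authenticated data is a small extra check that also catches blobs restored from the wrong tape.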

And most importantly, risk managers need to be involved in the IT discussion. The ideal balance between the legal team, IT and risk management is unique for each company. But unless everyone is talking and understands the priorities and recommendations of the others, data breaches are only going to happen more often.

Hiscox found that only 7% of US companies have implemented end-to-end encryption on their confidential personal data.