Archive for the ‘Breach Risk’ Category

Data Breach Response Plans: Yours Ready?

October 11, 2011 Leave a comment

The smart money treats data breaches as a ‘when’ not an ‘if,’ proposition. Don’t wait until the last minute to do this homework.

By Mathew J. Schwartz InformationWeek
October 04, 2011 10:45 AM

What’s the best way to handle a data breach? Ideally, the information security practices of businesses, government agencies, and their contractors would be so refined that a single record would never be exposed. But data breaches are a fact of life, and even the best security program in the world wouldn’t defeat a determined, malicious insider.

How many businesses, however, even have a world-class security infrastructure? Last week, for example, saw the exposure of personal details on 4.9 million people, including names, Social Security numbers, and addresses, thanks to the theft of unencrypted backup tapes containing TRICARE data that were left in the care of a Science Applications International Corporation (SAIC) employee. In the annals of information security best practices, failing to encrypt stored data ranks as an amateur–if not uncommon–mistake.


That’s why the smart money on data breaches is to treat them as a “when,” not an “if,” proposition, especially when it comes to dealing with state attorneys general, as well as any relevant regulatory body. “Don’t wait until a breach occurs to think about how you will deal with the regulators. A data breach event does not necessarily mean that you are doomed in the eyes of the regulators, but they do have expectations,” says Theodore J. Kobus III, an attorney at Baker Hostetler, in a blog post.

When a breach does occur, businesses must gather as much information as possible, stay transparent, and proactively manage the situation. “Data breach prevention and mitigation is a C-suite issue and not an IT-only issue,” he says.

Also think about and make plans for how a breach will shake customer confidence. That’s because a recent study from Ponemon Institute found that the leading cost of data breaches was the resulting customer churn. While the average quantity of customers lost after a data breach was 4%, some industries–healthcare and pharmaceutical companies–saw average churn rates of 7%.

To keep customers, preparedness and cool heads pay off. Timing-wise, for example, don’t assume that immediately disclosing a breach should be the first step. “I’ve seen organizations that totally jumped the gun–We’ve got to do it— and they’ve notified, but have no response mechanism in place for the individuals who have been affected, so it’s adding insult to injury,” Brian Lapidus, chief operating officer of Kroll Fraud Solutions, tells me. “We always tell our clients that if they’re going to notify about the problem, say what the solution is at the same time, and give them avenues to call or contact you back.”

Delivering the “we’re aware of the problem and working to fix it” message–and meaning it–requires planning. Start by identifying who will be in control of the data breach message, have premade scripts ready to deploy to call centers, and draw up a list of personnel who will be drafted to help manage the situation. Planning helps frontload some of the logistical detail work related to notifications, such as having up-to-date address information for as many current or former customers as possible.

Regulations, however, will require constant minding. Most states have their own data breach notification laws on the books, and they differ. Massachusetts, for example, doesn’t want to see a lot of detail in the notification letters sent to its residents, while New Hampshire does.

Data breach disclosures, correctly executed, can help businesses not just forestall customer defections, but also defuse class-action lawsuits in cases where customers can’t prove that they’ve been directly harmed by the breach, says Lapidus. But courts want to see businesses respond in a proactive and forthright manner, whether investigating the breach, notifying authorities, or alerting customers and extending identity theft protection.

Ideally, any data breach response plan would include an internal forensic investigation to identify exactly which records had been exposed, and how, not least to strengthen future information security defenses. Owing to time and cost, some businesses skip this step–according to a study sponsored by SAIC. But they may be doing themselves a disservice. “We had a client who thought it had a breach of 1.5 million people’s records–that would be extremely costly. But forensically, they were able to prove that the network had not been compromised,” says Lapidus. “What looked like an intrusion on the outside, wasn’t.”

While that outcome might be rare, with a little data breach planning and by putting a good breach-response strategy in place, it’s at least a possibility.



Categories: Breach Risk

Data breach issues can’t be solved by IT departments alone

September 19, 2011 Leave a comment

Dave Jevans, chairman of IronKey and the Anti Phishing Working Group, looks at why locking down internal systems is not enough to combat sophisticated cyber criminals.

Although the threat from cyber criminals has existed for decades, the sheer volume of successful attacks on high profile brands during the last six months has highlighted an urgent need to protect against data breaches.

Having read a recent Gartner blog which stated that many of the IT security improvements they’ve seen over the past five years are fast becoming obsolete in the face of more sophisticated cyber attacks, it’s clear that turning the tables on the bad guys won’t be easy. Read more…

Disaster recovery and data protection

September 9, 2011 1 comment

An effective backup strategy takes equal account of both perspectives.

Companies generally pursue two different directions in their strategies for backing up and recovering their data. Disaster recovery strategies are directed towards protecting the system as a whole, whereas data protection addresses individual data sets. An effective strategy takes equal account of both perspectives.

Small and medium-sized companies can gain more flexibility through integrated solutions, which unite disaster recovery and data protection.
Read more…

Yale warns 43,000 about 10-month-long data breach

September 2, 2011 Leave a comment

FTP server on which data was stored became searchable by Google in September

Computerworld – Yale University has notified about 43,000 faculty, staff, students and alumni that their names and Social Security numbers were publicly available via Google search for about 10 months.

All of the victims were affiliated with Yale in 1999, and are being offered identity theft insurance and free credit monitoring services for two years, the university said in a statement last week.

The breach resulted when a File Transfer Protocol (FTP) server on which the data was stored became searchable via Google as the result of a change the search engine giant made last September, the Yale Daily News reported.

Read more…
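The Yale exposure is the classic case of a file share that was never meant to be public. A check a practitioner would want to run before (or after) any server directory becomes reachable is a scan of its contents for the kind of identifiers that turn an exposure into a notifiable breach. The following is an added example, not code from the Computerworld or Yale Daily News reporting: a small Python scanner that walks a directory tree such as a copy of an FTP server’s document root and reports files containing plausible Social Security numbers, masked so the report does not itself become a copy of the exposed data. The directory layout, file names and records are constructed sample data; the plausibility rules are the SSA’s never-issued ranges (area 000, 666 and 900 to 999, group 00, serial 0000).

```python
import re
import tempfile
from pathlib import Path

# Shape of a US Social Security number: AAA-GG-SSSS, with the dashes optional.
# Word boundaries stop the pattern from matching inside longer digit runs
# (a 10-digit phone number, a long order id) on either side.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

# Constructed sample file contents (not real data): one real-looking SSN, one
# with an area number the SSA never issues, a phone number and a 9-digit order id.
SAMPLE = """name,ssn,city
Jane Doe,123-45-6789,New Haven
John Roe,000-12-3456,Hartford
Alumni office phone 203-432-4771
Order id 987654321
"""


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00 and serial 0000. Everything else is treated as a possible SSN."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list:
    """Return (line_number, masked_ssn) for each plausible SSN in text.
    Only the last four digits are kept so the scan report does not itself
    become a copy of the exposed data."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((line_no, "***-**-" + m.group(3)))
    return hits


def scan_tree(root) -> dict:
    """Walk a directory (for example a copy of an FTP or web server's document
    root) and map each file that holds SSN-like data to its hits."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = find_ssns(text)
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict:
    """Write the constructed sample into a throwaway 'pub' directory, scan it
    and return the report, so the whole example runs without a real server."""
    with tempfile.TemporaryDirectory() as tmp:
        pub = Path(tmp) / "pub"
        pub.mkdir()
        (pub / "alumni_1999.csv").write_text(SAMPLE)
        (pub / "README.txt").write_text("Mirror of public course material.\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name)
        for line_no, masked in hits:
            print(f"  line {line_no}: {masked}")
```

Run against a real export, `scan_tree("/srv/ftp")` (a hypothetical path) returns only file names, line numbers and the last four digits, which is enough to pull the file offline and size the exposure without spreading the full identifiers into tickets or e-mail. The plausibility filter is what keeps phone numbers and order ids out of the report; a nine-digit run that survives it should be treated as an SSN until a human says otherwise.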

Data breaches – to prepare or not to prepare? The answer is simple.

September 1, 2011 Leave a comment

All data breaches have two things in common: the need for prompt resolution and the need for a robust preparedness plan. Healthcare institutions especially should heed the call for an incident response plan because it provides the best preventive medicine to minimize financial and reputational risks. So PLAN, keeping in mind: People, the Law, and Action, with No time to waste.

People – Define the responsibilities of a coordinated incident response team. Don’t act alone. A good response team should include key internal players (In-house Counsel, IT, Compliance/Security, HR and Public Relations), as well as outside experts who confront data breaches on a regular basis (trusted Attorneys, Forensic Analysts and Fraud Monitors). These external experts can help restore key business functions, preserve crucial forensic evidence, strengthen data security, address victims’ needs, and communicate effectively with regulators and the public.

Read more…

Employees are ‘comfortable’ with data theft

Employees are much more willing to steal the information stored in records management systems than organizations may have thought.

New research by Harris Interactive of 3,400 employees in the US, UK and Australia found that a significant proportion of them would be happy to do something with their employer’s or client’s private data.

A staggering 48 per cent of British employees would feel comfortable using private or sensitive information, compared to just under a quarter of Americans and 29 per cent of Australians. Read more…

Digital Agenda: Commission consults on practical rules for notifying personal data breaches

Brussels – The views of telecoms operators, Internet service providers, Member States, national data protection authorities, consumer organisations and other interested parties are being sought by the European Commission on whether additional practical rules are needed to make sure that personal data breaches are notified in a consistent way across the EU. The revised ePrivacy Directive (2009/136/EC), which entered into force on 25 May 2011 as part of a package of new EU telecoms rules, requires operators and Internet service providers to inform, without undue delay, national authorities and their customers about breaches of personal data that they hold (see IP/11/622 and MEMO/11/320). The Commission wants to gather input based on existing practice and initial experience with the new telecoms rules and may then propose additional practical rules to make clear when breaches should be reported, the procedures for doing so, and the formats that should be used. Contributions to the consultation are welcome until 9 September 2011. Read more…
