Hackers Better At Connecting the Dots?

Posted In Information Privacy, Information Security, Risk Management on February 6th, 2014


In my 30+ years of performing risk, vulnerability and threat assessments, I have always advised my clients to be really careful about whom they hire for “maintenance and cleaning crews”. This news about the Target data breach validates my advice.


According to news reports, the hackers that pulled off one of the largest and most expensive data breaches ever did so by stealing/hacking credentials from Target’s HVAC subcontractor. Once the hackers had the HVAC subcontractor’s credentials, they had access to Target’s network and were able to place their sophisticated malware…and you know the rest of the story.


This ‘Connecting the Dots’ wake-up call is for retail, financial, healthcare, government, education and others who work with personal, credit card, medical and financial data.


Is your organization connecting all the right dots? Does your organization have the right tools for all the right departments – Risk, IT, Facilities, Security, Compliance, Privacy, Threat Assessment and others – to connect all the right dots?



Human Error Leads to 3rd Strike for Sony

Posted In Financial, Information Privacy, Information Security, Validations on May 25th, 2011


Strike 1: The first incident occurred on April 26th, when SONY announced that its PlayStation Network had been compromised, exposing the personal information of 77 million users.

Strike 2: One week later, a second security breach occurred on a different SONY network compromising 24.6 million users.

Strike 3: A third incident took place with the leakage of 2500 users’ names and addresses. SONY admitted that this breach was due to human error on the part of their system management team.

In a recent study from Application Security and Unisphere Research, more than 50% of the respondents felt that human error (or malicious insiders) was the biggest risk to an organization’s security. Two-thirds of organizations experiencing a data breach in 2011 have reported it was either from human error or an insider attack.

Lessons learned continue to show:

  • It is critical for organizations to be more proactive and implement ongoing processes. Reacting to breach incidents is much more expensive than preventing breaches.
  • Organizations must conduct periodic routine checks on their systems AND their people AND their third parties.
  • Organizations that are unable to measure situational awareness at the individual level will continue to suffer expensive breaches. All individuals need to understand their individual roles and responsibilities for protecting sensitive and personal information.
  • Once-a-year general training is not enough, as the risks and threats to our information are constantly evolving.


Sony struck out this month…is your organization going to bat with situational awareness and accountability, and ready to adapt to the pitches coming your way?


The Payback of Compliance: Organizations Save When They Focus on Security

Posted In Information Privacy, Information Security, Regulatory Compliance on May 3rd, 2011


A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. A recent Ponemon Study revealed that companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than non-compliant companies.

Lessons Learned: Compliance does not equal security, but security can benefit from compliance. Organizations investing in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc., and save money and resources over time.


Consumer Awareness/Education…Potential Competitive Advantage for Banks?

Posted In Financial, Human Resources, Information Privacy, Information Security, Regulatory Compliance, Risk Management, Validations on May 3rd, 2011


Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, the sites they are visiting, the e-mails they are responding to, etc.

Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road. Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.


How are Organizations Managing Policies Ongoing?

Posted In Business Continuity, Financial, Information Privacy, Validations on May 3rd, 2011


OCEG recently announced the results of a One Minute Poll about Policy Management. In the poll, 429 members replied to the following question:

How do you primarily manage the lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or centralized network drive
  • 14% use document or policy management software
  •  8% track changes in Word
  •  4% use other methods


Lessons learned: Bad guys already know what the results of this poll clearly reveal…People are an organization’s weakest link. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.


‘Tricked’ RSA Worker Opened Backdoor to APT Attack

Posted In Business Continuity, Information Privacy, Information Security on May 3rd, 2011


A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening a document attached to the e-mail. The document contained a virus that led to a sophisticated attack on RSA’s information systems.

Lessons Learned: Are your employees aware of changing and more sophisticated risks? Does your organization update employees with situational awareness as more and more attacks target your employees? All employees must understand their individual roles and responsibilities for protecting sensitive information. Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats, best practices, etc.


State Attorneys General Trained to File Federal Civil Lawsuits

Posted In Health Care, Information Privacy, Information Security, Regulatory Compliance on April 19th, 2011


OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations.

Lessons Learned: HHS and OCR are serious about Privacy and Security in Health Care. Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change. Health care organizations will need to conduct internal audits and assessments rather than waiting for the OCR or AGs to arrive. All employees and business associates must understand how to safely handle patient information and maintain a culture of privacy and security.


Health Net Breach Exposes 1.9 Million Records

Posted In Health Care, Information Privacy, Information Security, Regulatory Compliance, Validations on April 19th, 2011


Health Net exposed as many as 1.9 million customer records in a breach after its IT vendor misplaced nine server drives. This is the second breach in two years for Health Net; in the earlier incident, a portable hard drive containing medical and financial information on 1.5 million customers disappeared from a facility in Connecticut.

Lessons Learned: Technology is not the problem. People are the weak link and the solution. Devices are often lost and misplaced because people are not aware of, or not accountable for, the policies and procedures that have been put in place by the organization responsible for protecting customer information. Organizations must ensure all appropriate personnel, including business associates, third-party vendors and contractors, are aware of and have acknowledged their accountability for the policies, procedures and requirements for protecting sensitive patient data.


CVS Whistleblower Gets $2.6M and Pays Government $17.5M for Overbilling

Posted In Health Care, Incident Reporting, Information Privacy, Information Security, Risk Management, Validations on April 19th, 2011


CVS Caremark Corp has agreed to pay $17.5 million to resolve claims that it overbilled Medicaid.  The case was brought to the Justice Department by a whistleblower in Minnesota, who will receive $2.6 million.

Which makes more sense to you and your bottom line? A) Having employees report illegal and unethical situations internally so your organization can address them and document them for legal and CYA purposes, or B) having employees report illegal and unethical situations to the federal government and then dealing with expensive multi-million dollar fines, spending time, money and resources on repairing reputations, and having the whistleblower get paid millions too?

Lessons Learned: Now that the federal government is paying whistleblowers, and now that we also have Wikileaks and other public web sites to report to, organizations need to make sure they have a more holistic and comprehensive platform to connect all the dots internally, with documentation to prove that the organization receives tips, investigates them, takes appropriate action, alleviates future concerns and documents the entire process.


Breaches Cost Health Care Industry $6B Annually

Posted In Health Care, Information Privacy on April 18th, 2011


Despite stricter privacy and security regulations, hospitals are struggling to protect patient information. According to a recent Ponemon Study, breaches are costing the health care industry $6 billion annually.

The top three causes of breaches:

  • Unintentional employee action
  • Lost or stolen computing devices
  • Third-party accidents


Lessons Learned: Failure to protect sensitive and personally identifiable information is expensive and damaging to a health care organization’s reputation. Organizations need to complement their general awareness with ongoing situational awareness programs to ensure all employees (and third parties) understand their individual roles and responsibilities for protecting sensitive patient information. With mounting regulatory changes and the move to electronic records, it will be critical that all individuals understand risks, roles, responsibilities, policies, processes, protocols and regulatory obligations to prevent expensive and embarrassing breaches.
