Human Error Leads to 3rd Strike for Sony

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 25th, 2011

Strike 1: The first incident occurred on April 26th, when SONY announced that its PlayStation Network had been compromised, exposing the personal information of 77 million users.

Strike 2: One week later, a second security breach occurred on a different SONY network, compromising 24.6 million users.

Strike 3: A third incident took place with the leakage of 2,500 users’ names and addresses. SONY admitted that this breach was due to human error on the part of its system management team.

In a recent study from Application Security and Unisphere Research, more than 50% of respondents felt that human error (or malicious insiders) was the biggest risk to an organization’s security. Two-thirds of organizations that experienced a data breach in 2011 reported that it resulted from either human error or an insider attack.

Lessons learned continue to show:

  • It is critical for organizations to be more proactive and implement ongoing processes. Reacting to breach incidents is much more expensive than preventing breaches.
  • Organizations must conduct periodic routine checks on their systems AND their people AND their third parties.
  • Organizations that are unable to measure situational awareness at the individual level will continue to suffer expensive breaches. All individuals need to understand their individual roles and responsibilities for protecting sensitive and personal information.
  • Once-a-year general training is not enough, as the risks and threats to our information are constantly evolving.

 

Sony struck out this month…is your organization going to bat with situational awareness and accountability, and ready to adapt to the pitches coming your way?



Consumer Awareness/Education…Potential Competitive Advantage for Banks?

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, the sites they are visiting, and the e-mails they are responding to.

Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars and similar outreach can be a great way for organizations to connect with their customers, improve trust, enhance their reputations and help prevent potential incidents, breaches and lawsuits down the road. Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.



AML Fine Sends a Message to Banks

Posted In Financial, Information Privacy, Legal, Regulatory Compliance, Validations on May 3rd, 2011

Miami-based Pacific National was fined $7 million for violations of the Bank Secrecy Act and the USA PATRIOT Act.

Lessons Learned: Fines for gaps in AML practices are becoming more severe. Financial organizations must ensure they have the appropriate policies and procedures in place, and that their people are aware of, and accountable for, the decisions they make to meet ongoing compliance requirements. Organizations also need legal-ready and audit-ready documentation to avoid expensive fines, lawsuits and embarrassing headlines.



‘Tricked’ RSA Worker Opened Backdoor to APT Attack

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening the document attached to it. The document carried malicious code that led to a sophisticated attack on RSA’s information systems.

Lessons Learned: Are your employees aware of changing and more sophisticated risks? Does your organization update employees with situational awareness as more and more attacks target your employees? All employees must understand their individual roles and responsibilities for protecting sensitive information. Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats and best practices.



Health Net Breach Exposes 1.9 Million Records

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 19th, 2011

Health Net exposed as many as 1.9 million customer records in a breach after its IT vendor misplaced nine server drives. This is the second breach in two years for Health Net: in the earlier incident, a portable hard drive containing medical and financial information on 1.5 million customers disappeared from a facility in Connecticut.

Lessons Learned: Technology is not the problem. People are the weak link, and the solution. Devices are often lost and misplaced because people are not aware of, or not accountable for, the policies and procedures put in place by the organization responsible for protecting customer information. Organizations must ensure all appropriate personnel, including business associates, third-party vendors and contractors, are aware of and have acknowledged their accountability for the policies, procedures and requirements for protecting sensitive patient data.



First HIPAA Civil Fine $4.3M

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

Cignet Health is facing a $4.3 million civil penalty after violating the HIPAA Privacy Rule and failing to cooperate with HHS’s subsequent probe. This is the first civil money penalty for a violation of HIPAA.

Lessons Learned: The Feds mean business, and there will be more fines, lawsuits and embarrassing headlines for health care organizations that do not take compliance, risk assessments and incident management seriously. Is your organization meeting all HIPAA/HITECH compliance requirements? Do you have the necessary documentation in place to provide HHS with information in the event of an audit? Does your documentation help your organization demonstrate that all appropriate employees and business associates were aware of and accountable for making the right decisions in different situations?



OCR Requests More Funding for HIPAA Enforcement

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level. Seventy-six percent of the new funds would go to increased enforcement of health information privacy and security rules.

Lessons Learned: Increased enforcement of existing and new regulatory requirements is on the way. Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH, or are you willing to take your chances? Based on numerous other lessons-learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner rather than later makes a lot of sense.



OCR Tightens Requirements and Increases Financial Penalties

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

The HHS Office for Civil Rights plans to use powers authorized under the HITECH Act to tighten privacy requirements and to sharply increase the penalties for HIPAA privacy and security violations.

Lessons Learned: Organizations will need to ensure they are meeting all requirements and documenting their actions under HIPAA and the HITECH Act, and maintain a high level of CYA – compliance year-round! All employees (and third parties) must be aware of and accountable for their individual requirements, as a single data breach or violation can cost an organization up to $50,000, which is far more expensive than the compliance and risk platforms that are proving effective in preventing compliance-related fines and penalties.



Breaches Cost Health Care Industry $6B Annually

Posted In Health Care, Information Privacy, Information Security, Research, Validations on April 18th, 2011

Despite stricter privacy and security regulations, hospitals are struggling to protect patient information. According to a recent Ponemon Institute study, breaches are costing the health care industry $6 billion annually.

The top three causes of breaches:

  • Unintentional employee action
  • Lost or stolen computing devices
  • Third-party accidents

 

Lessons Learned:  Failure to protect sensitive and personally identifiable information is expensive and damaging to a health care organization’s reputation.  Organizations need to complement their general awareness with ongoing situational awareness programs to ensure all employees (and third-parties) understand their individual roles and responsibilities for protecting sensitive patient information.  With mounting regulatory changes and the move to electronic records, it will be critical that all individuals understand risks, roles, responsibilities, policies, processes, protocols and regulatory obligations to prevent expensive and embarrassing breaches.



286 Million New Threats in 2010

Posted In Financial, Health Care, Information Privacy, Information Security, Research, Validations on April 18th, 2011

According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010, which works out to an average of about 783,561 new threats per day. The report also points to dramatic increases in both the frequency and sophistication of targeted attacks, and to the continued growth in the use of social networking sites to distribute attacks.

Lessons learned: Your people are under attack…how is your organization keeping them up to date on new attacks and new threats?


