Patching User Risks in the 21st Century

Posted In Information Security, Risk Management on August 9th, 2011

I saw a discussion last week that was asking for input on ways to reduce employee risk.  Most of the responses offered a technology solution…which is interesting considering most studies and trends show employee risks and weaknesses are getting worse and more alarming even though organizations have spent thousands, millions and billions on technology solutions.  Does this seem weird to you?

One of the responses from one of the participants caught my attention when they said “it is difficult to patch a user”.

Interesting comment and I responded by saying it is NOT THAT DIFFICULT to patch users/employees….IF you are using the right resources.

For example, you wouldn’t get very good results trying to watch HDTV (21st century) on a black-and-white analog TV (20th century). In the same way, organizations are not getting good results trying to “patch their users” with 20th century resources.

Organizations can “patch and validate” a user’s awareness, ensure a user’s accountability and help users with adaptability, but this cannot be accomplished with 20th century user solutions such as binders, intranets, shared drives, memos, e-mails, spreadsheets, once-a-year general training, etc.

Numerous studies involving hundreds and hundreds of lessons learned and incidents clearly reveal that 20th century user approaches are inefficient and ineffective, period.

As a matter of fact, most organizations are wasting lots of time, lots of money and lots of valuable resources trying to make these old 20th century resources address user/employee risks.

Did you know proven 21st century resources actually exist for “patching users” with situational awareness, accountability, adaptability, measurability, auditability and more?

With the right user/employee-focused resources, organizations can ensure that every relevant user understands why, how, when and what they are expected to do, and what happens if they get it wrong. Organizations can also reduce their costs, improve their results and stay adaptable in a continuously changing world.

Attention all organizational leaders…this is a lesson learned and a valuable tip you should look into!



Human Error Leads to 3rd Strike for Sony

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 25th, 2011

Strike 1: The first incident was disclosed on April 26th, when Sony announced that its PlayStation Network had been breached, exposing the personal information of 77 million users.

Strike 2: One week later, a second breach was disclosed on a different Sony network, compromising the accounts of 24.6 million users.

Strike 3: A third incident involved the leakage of 2,500 users’ names and addresses. Sony admitted that this breach was due to human error on the part of its system management team.

In a recent study from Application Security and Unisphere Research, more than 50% of respondents felt that human error (or malicious insiders) was the biggest risk to an organization’s security. Two-thirds of organizations that experienced a data breach in 2011 reported that it resulted from either human error or an insider attack.

Lessons learned continue to show:

  • It is critical for organizations to be more proactive and implement ongoing processes.  Reacting to breach incidents is much more expensive than preventing breaches.
  • Organizations must conduct periodic routine checks on their systems AND their people AND their third-parties. 
  • Organizations who are unable to measure situational awareness at the individual level will continue to suffer expensive breaches.   All individuals need to understand their individual roles and responsibilities for protecting sensitive and personal information. 
  • Once-a-year general training is not enough as the risks and threats to our information are constantly evolving.

 

Sony struck out this month…is your organization going to bat with situational awareness and accountability, and ready to adapt to the pitches coming your way?



Consumer Awareness/Education…Potential Competitive Advantage for Banks?

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, which sites they are visiting, which e-mails they are responding to, etc.

Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent incidents, breaches, lawsuits, etc. down the road. Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.



2010 – Massive Security Breaches…Lessons Learned

Posted In Education, Financial, Government, Health Care, Information Security, Validations on May 3rd, 2011

Check out this recent overview of 10 of the largest data breaches from 2010 resulting in the loss of millions of data records.

Lessons Learned: Is your organization providing ongoing situational awareness training? People are the weak link in the majority of data breaches, which are caused by human error, lost devices, social engineering attacks and numerous other poor decisions. It is critical for organizations to educate their employees (and third parties) on an ongoing basis, as risks, threats, requirements and ‘next’ practices are constantly changing. Lessons learned clearly reveal that once-a-year general training is not enough.



The Payback of Compliance: Organizations Save When They Focus on Security

Posted In Financial, Information Security, Regulatory Compliance, Research, Validations on May 3rd, 2011

A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. The recent Ponemon study found that non-compliant companies incur roughly three times the annual security-related costs of companies that consistently comply with security requirements and standards.

Lessons Learned: Compliance does not equal security, but security can benefit from compliance.  Organizations investing in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc. and save money and resources over time.



‘Tricked’ RSA Worker Opened Backdoor to APT Attack

Posted In Financial, Information Privacy, Information Security, Risk Management, Validations on May 3rd, 2011

A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening the document attached to it. The attachment carried malicious code that opened a backdoor, the first step in a sophisticated attack on RSA’s information systems.

Lessons Learned: Are your employees aware of changing and more sophisticated risks? Does your organization keep employees up to date with situational awareness as more and more attacks target them directly? All employees must understand their individual roles and responsibilities for protecting sensitive information. Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats, best practices, etc.



CVS Pays Government $17.5M for Overbilling; Whistleblower Gets $2.6M

Posted In Health Care, Incident Reporting, Information Security, Validations on April 19th, 2011

CVS Caremark Corp has agreed to pay $17.5 million to resolve claims that it overbilled Medicaid.  The case was brought to the Justice Department by a whistleblower in Minnesota, who will receive $2.6 million.

Which makes more sense to you and your bottom line? A) Having employees report illegal and unethical situations internally, so your organization can address them and document them for legal and CYA purposes, or B) having employees report illegal and unethical situations to the federal government, then dealing with expensive multi-million dollar fines, spending time, money and resources on repairing your reputation, and watching the whistleblower get paid millions too?

Lessons Learned: Now that the federal government pays whistleblowers, and now that Wikileaks and other public web sites offer another place to report to, organizations need a more holistic and comprehensive internal platform that connects all the dots, with documentation proving that the organization receives tips, investigates them, takes appropriate action, addresses future concerns and documents the entire process.



Breaches Cost Health Care Industry $6B Annually

Posted In Health Care, Information Privacy, Information Security, Research, Validations on April 18th, 2011

Despite stricter privacy and security regulations, hospitals are struggling to protect patient information.  According to a recent Ponemon Study, breaches are costing the health care industry $6 billion annually. 

The top three causes of breaches:

  • Unintentional employee action
  • Lost or stolen computing devices
  • Third-party accidents

 

Lessons Learned:  Failure to protect sensitive and personally identifiable information is expensive and damaging to a health care organization’s reputation.  Organizations need to complement their general awareness with ongoing situational awareness programs to ensure all employees (and third-parties) understand their individual roles and responsibilities for protecting sensitive patient information.  With mounting regulatory changes and the move to electronic records, it will be critical that all individuals understand risks, roles, responsibilities, policies, processes, protocols and regulatory obligations to prevent expensive and embarrassing breaches.



286 Million New Threats in 2010

Posted In Financial, Health Care, Information Privacy, Information Security, Research, Validations on April 18th, 2011

According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010, an average of roughly 784,000 new threats per day. The report also points to dramatic increases in both the frequency and the sophistication of targeted attacks, and to the continued growth in the use of social networking sites to distribute attacks.

Lessons learned:  Your people are under attack…how is your organization keeping your people up to date on new attacks and new threats?



Preventing Online Fraud –Assumptions Versus Awareness

Posted In Information Privacy, Information Security, Risk Management on February 22nd, 2011

I recently came across an interview on BankInfoSecurity entitled “Banks Must Assume Customers Will Compromise Themselves”.

In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing because they rely on basic authentication techniques. On today’s social networking sites, such as Facebook, customers often reveal all the information fraudsters need to figure out their log-in credentials.

Many experts (and vendors) are recommending that banks increase their security measures and implement expensive fraud detection technology. Unfortunately this is merely reacting to a symptom rather than preventing the problem. The root of the problem is uneducated consumers and a lack of situational awareness, so why not teach situational awareness and help bank customers work with their banks to proactively protect their personal information?

If bank customers could make the connection between sharing their maiden name, pets’ names, nicknames, birth place, birthday, etc. on their Facebook profile and then using that same information as the answers to their online banking security questions, they might be less inclined to do so.
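To make that connection concrete, here is an added Python example; it is not from the original post or from ID Analytics. It models the attack Oscherwitz describes: a fraudster builds a guess list from a constructed, fictional Facebook-style profile and tries it against a salted hash of the customer’s security-question answer, the way a password-reset or knowledge-based authentication check might store it. The profile, the per-user salt and the SHA-256 storage scheme are assumptions for illustration. The point is that the answer space is tiny, so even a hashed answer falls within a handful of guesses, while a random answer kept in a password manager does not.

```python
import hashlib
import secrets

# Constructed, fictional profile: the kind of facts people post publicly.
PUBLIC_PROFILE = {
    "maiden_name": "Larsen",
    "pets": ["Biscuit", "Max"],
    "nickname": "Jen",
    "birth_place": "Duluth",
    "birthday": "1984-03-09",
}


def normalize(answer: str) -> str:
    """Fold case and drop spaces/punctuation so 'Biscuit', 'biscuit ' and
    'Bis-cuit' all verify, as KBA systems commonly do for usability.
    Convenient for customers, but it shrinks the guess space further."""
    return "".join(ch for ch in answer.lower() if ch.isalnum())


def hash_answer(answer: str, salt: str) -> str:
    """Store only a salted SHA-256 of the normalized answer (assumed scheme)."""
    return hashlib.sha256((salt + normalize(answer)).encode("utf-8")).hexdigest()


def candidates_from_profile(profile: dict) -> list[str]:
    """Build the guess list an attacker derives from a public profile."""
    cands = {profile["maiden_name"], profile["nickname"], profile["birth_place"]}
    cands.update(profile["pets"])
    year, month, day = profile["birthday"].split("-")
    cands.update({
        year, year[2:],                        # 1984, 84
        f"{month}/{day}/{year}",               # 03/09/1984
        f"{int(month)}/{int(day)}/{year}",     # 3/9/1984
        f"{month}{day}{year}",                 # 03091984
    })
    return sorted(cands)


def guess_answer(stored_hash: str, salt: str, candidates: list[str]):
    """Offline guessing against the stored hash.
    Returns (answer, tries) on success or (None, tries) when the list is exhausted."""
    for tries, cand in enumerate(candidates, start=1):
        if hash_answer(cand, salt) == stored_hash:
            return cand, tries
    return None, len(candidates)


def random_answer(nbytes: int = 16) -> str:
    """What a customer should use instead: a random string kept in a password manager."""
    return secrets.token_urlsafe(nbytes)


def demo() -> dict:
    salt = secrets.token_hex(8)                       # per-user salt, assumed scheme
    candidates = candidates_from_profile(PUBLIC_PROFILE)

    # Customer A answered "first pet's name?" with the dog that is all over their timeline.
    weak_hash = hash_answer("Biscuit", salt)
    weak_found, weak_tries = guess_answer(weak_hash, salt, candidates)

    # Customer B answered with a random string; the profile tells the attacker nothing.
    strong_hash = hash_answer(random_answer(), salt)
    strong_found, strong_tries = guess_answer(strong_hash, salt, candidates)

    return {
        "guess_space": len(candidates),
        "weak_found": weak_found, "weak_tries": weak_tries,
        "strong_found": strong_found, "strong_tries": strong_tries,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and the profile-derived list recovers the hashed pet name in at most ten guesses; the salt and the hash did nothing, because the secret was never secret. The random answer survives the whole list. The fix is on the answer side: treat a security question as a second password and store a random answer in a password manager, or avoid questions whose answers are public facts at all. The normalize step is the usability convenience real systems apply, and it shows how such conveniences shrink the guess space even more.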

And those financial institutions implementing ongoing customer awareness programs will gain a competitive advantage by having customers who are more aware and who work with the bank to mitigate risks involving:

  • Email Security
  • Online Risks (shopping, sharing music, online gaming)
  • Viruses, Spyware, Crimeware and Bots
  • Internet Safety (social networking sites)
  • Password Security
  • Information Disposal
  • Mobile devices
  • Home Networks
  • Identity Theft

As risks, threats, regulations, etc. are constantly changing, it will be critical to maintain an ONGOING program. And financial institutions that share lessons learned from current data breaches will help ensure copycat breaches do not happen at their institutions or to their customers.

Visionary financial leaders providing situational awareness training for their customers will not only be helping their customers, but also preventing expensive data breaches and lawsuits and improving their ongoing customer relationships, customer trust and their institution’s reputation. Financial institutions should stop making assumptions about their customers, realize that more technology is not the answer, and start helping their customers make better decisions.


