Human Error Leads to 3rd Strike for Sony

Posted In Financial, Information Privacy, Information Security, Validations on May 25th, 2011

Strike 1: The first incident occurred on April 26th, when Sony announced that its PlayStation Network had been compromised, exposing the personal information of 77 million users.

Strike 2: One week later, a second security breach occurred on a different Sony network, affecting 24.6 million users.

Strike 3: A third incident involved the leakage of 2,500 users’ names and addresses. Sony admitted that this breach was due to human error on the part of its system management team.

In a recent study from Application Security and Unisphere Research, more than 50% of respondents felt that human error (or malicious insiders) was the biggest risk to an organization’s security. Two-thirds of organizations that experienced a data breach in 2011 reported that it resulted from either human error or an insider attack.

Lessons learned continue to show:

  • It is critical for organizations to be more proactive and implement ongoing processes. Reacting to breach incidents is much more expensive than preventing breaches.
  • Organizations must conduct periodic routine checks on their systems AND their people AND their third parties.
  • Organizations that are unable to measure situational awareness at the individual level will continue to suffer expensive breaches. All individuals need to understand their own roles and responsibilities for protecting sensitive and personal information.
  • Once-a-year general training is not enough, as the risks and threats to our information are constantly evolving.

Sony struck out this month…is your organization going to bat with situational awareness and accountability, and is it ready to adapt to the pitches coming your way?


How are Organizations Managing Policies Ongoing?

Posted In Business Continuity, Financial, Information Privacy, Validations on May 3rd, 2011

OCEG recently announced the results of a One Minute Poll about Policy Management. In the poll, 429 members replied to the following question:

How do you primarily manage lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or a centralized network drive
  • 14% use document or policy management software
  • 8% track changes in Word
  • 4% use other methods

Lessons learned: Bad guys already know what the results of this poll clearly reveal…people are an organization’s weakest link. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will remain vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.


2010 – Massive Security Breaches…Lessons Learned

Posted In Education, Financial, Government, Health Care, Research on May 3rd, 2011

Check out this recent overview of 10 of the largest data breaches from 2010 resulting in the loss of millions of data records.

Lessons Learned: Is your organization providing ongoing situational awareness training? People are the weak link in the majority of data breaches, which are caused by human error, lost devices, social engineering attacks and numerous other poor decisions. It is critical for organizations to educate their employees (and third parties) on an ongoing basis, as risks, threats, requirements and ’next’ practices are constantly changing. Lessons learned clearly reveal that once-a-year general training is not enough.


The Payback of Compliance: Organizations Save When They Focus on Security

Posted In Financial, Information Security, Research on May 3rd, 2011

A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. A recent Ponemon study revealed that companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than non-compliant companies.

Lessons Learned: Compliance does not equal security, but security can benefit from compliance. Organizations that invest in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc., and save money and resources over time.


AML Fine Sends a Message to Banks

Posted In Financial, Regulatory Compliance, Risk Management on May 3rd, 2011

Miami-based Pacific National was fined a $7 million penalty for violations of the Bank Secrecy Act and the USA PATRIOT Act.

Lessons Learned: Fines for gaps in AML practices are becoming more severe. Financial organizations must ensure they have the appropriate policies and procedures in place, and that their people are aware of and accountable for their decisions, in order to meet ongoing compliance requirements. Organizations also need legal-ready and audit-ready documentation to avoid expensive fines, lawsuits and embarrassing headlines.


286 Million New Threats in 2010

Posted In Financial, Health Care, Information Privacy, Information Security on April 18th, 2011

According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010, which equals an average of about 783,561 new threats per day. The report also points to dramatic increases in both the frequency and the sophistication of targeted attacks, and to the continued growth of social networking sites as a channel for distributing attacks.

Lessons learned: Your people are under attack…how is your organization keeping them up to date on new attacks and new threats?


Preventing Online Fraud – Assumptions Versus Awareness

Posted In Financial, Information Privacy, Information Security, Regulatory Compliance on February 22nd, 2011

I recently came across an interview on BankInfoSecurity entitled “Banks Must Assume Customers Will Compromise Themselves”.

In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques. On current social networking sites such as Facebook, customers often reveal all the information fraudsters need to figure out their log-in credentials.

Many experts (and vendors) are recommending that banks increase their security measures and implement expensive fraud detection technology solutions. Unfortunately, this merely reacts to a symptom rather than preventing the problem. The root of the problem is uneducated consumers and a lack of situational awareness, so why not teach situational awareness and help bank customers work with their banks to proactively protect their personal information?

If bank customers could make the connection between sharing their mother’s maiden name, pets’ names, nicknames, birthplace, birthday, etc. on their Facebook profile and then using that same information as the answers to their online banking authentication questions, they might be less inclined to do so.

And those financial institutions implementing ongoing customer awareness programs will gain a competitive advantage by having customers who are more aware and who work with the bank to mitigate risks involving:

  • Email Security
  • Online Risks (shopping, sharing music, online gaming)
  • Viruses, Spyware, Crimeware and Bots
  • Internet Safety (social networking sites)
  • Password Security
  • Information Disposal
  • Mobile devices
  • Home Networks
  • Identity Theft

As risks, threats, regulations, etc. are constantly changing, it will be critical to maintain an ONGOING program. And financial institutions that share lessons learned from current data breaches will help ensure copycat breaches do not happen at their institutions or to their customers.

Visionary financial leaders who provide situational awareness training for their customers will not only be helping their customers, but also preventing expensive data breaches and lawsuits and improving their ongoing customer relationships, customer trust and their institution’s reputation. Financial institutions should stop making assumptions about their customers, realize that more technology is not the answer, and start helping their customers make better decisions.
