Archive for March, 2011

BP Loses Personal Data from Oil Spill Claims

Wednesday, March 30th, 2011

BP has the Midas touch…well, the anti-Midas touch. The fabled King Midas from Greek mythology was granted the gift of being able to turn anything into gold with a simple touch. BP, on the other hand, has an innate ability to turn anything it comes into contact with to crap.

As if cutting costs on maintenance and safety for its Deepwater Horizon offshore drilling rig, leading to the biggest marine oil spill in the history of the petroleum industry and polluting the Gulf of Mexico with millions of barrels of oil, wasn’t bad enough, now BP has lost a laptop containing personal information on thousands of claimants affected by that disaster.

The missing laptop contained names, addresses, phone numbers, dates of birth and Social Security numbers for the 13,000-plus people who had filed claims for damages related to the oil spill. Now BP can start fresh, accepting claims for damages related to identity theft and the compromise of personal information.

A PCWorld article about the missing BP laptop sums up by pointing out a painfully simple, yet obviously ignored reality. “Although numerous encryption technologies are readily available these days to mitigate the risk, many companies still don’t use them.”

Protect Data Without Impeding Productivity

Monday, March 28th, 2011

It is a balancing act.

IT admins are tasked with striking this delicate balance between locking down the network to prevent data leaks, and staying out of the way so business can get done and profit can be made. When those two goals clash, security is sacrificed in favor of productivity, and eventually bad things happen and the data is breached. The IT admin ends up being the bad guy (or the fall guy as the case may be) either way.

For many organizations, the issue of writing data to USB thumb drives or other removable media is treated as a black-and-white, all-or-nothing matter. Either USB ports and other means of writing data are completely shut down–making it more difficult for employees to be productive–or they are left wide open–leaving the organization exposed to the risk of both accidental and intentional data leaks.

The beauty of Zlock when it comes to enforcing data protection policies and preventing data exposure or compromise is that it provides the flexibility organizations need to straddle that line effectively. Zlock provides much more granular control, so it isn’t a black-and-white issue. IT admins can restrict USB port access so that data can only be written to an approved brand of USB thumb drive. Or, for tighter control to ensure that users don’t bring in personal USB thumb drives and copy sensitive data to them, access can be limited to a specific, company-issued USB thumb drive.

Don’t choose between security and productivity–either way, you eventually lose. Choose Zlock and get security and productivity at the same time.

No Excuse for Lightning to Strike Twice at Health Net

Tuesday, March 22nd, 2011

There is a saying to the effect of “Fool me once, shame on you. Fool me twice, shame on me.” Well–shame on Health Net for getting hit with its second massive breach of customer data in as many years. Thanks to nine unencrypted drives getting “lost” during a move to a new data center, Health Net has potentially exposed sensitive data on 1.9 million customers.

Ericka Chickowski notes in an article on Dark Reading that, “According to the most recent Ponemon Institute figures, the average data breach costs healthcare organizations $345 per record. Using those numbers, this breach could cost Health Net upward of $655 million when all is said and done.”

I get it. On some level I understand that security is an expense and requires effort, and that it is easy to assume that security incidents and data breaches only happen to other companies. It is easy to rationalize gambling with sensitive customer data and assume that having information lost or stolen is about as likely as getting struck by lightning.

But, there isn’t really any excuse for getting struck by lightning twice. Health Net should have learned its lesson the first time around and taken steps to proactively encrypt and protect data on server drives and backup media. A solution from Zecurion would have cost Health Net a fraction of a percent of that estimated $655 million in damages from the data breach–virtually nothing in the grand scheme of things.

Don’t assume that lightning can’t strike at your organization. Your data, and the personal information of your customers, deserve better protection than keeping your fingers crossed and hoping for the best.

Maybe the Backup Drive Should Be Encrypted?

Monday, March 14th, 2011

I know. It’s crazy talk.

A backup drive for one of Western Michigan University’s departments went missing. The school is not sure if the drive was stolen, or is just misplaced indefinitely, but it is notifying those whose personal data might be compromised should the data be accessed.

Here is the thing, though. If WMU had encrypted the data on its backup drives there would be no issue and no concern. Lost drive? No problem. Replace the drive and go on with life, comfortable and secure in the knowledge that the drive’s new owner can not possibly access the data it contains.

If it were some horrifically complex, costly, or cumbersome process, I could more easily understand why so many schools, hospitals, and other organizations fail at this one simple thing. But it’s not. It is simple, automatic, easy, and cost effective–significantly less than the cost of dealing with a data breach incident–to put the right tools in place proactively and encrypt data on backup media.

Got a Spare $7.2 Million in Your IT Budget?

Saturday, March 12th, 2011

Does your IT budget have $7 million or so to spare? I think I can say with absolute certainty that no organization–regardless of size and revenue–has an IT budget with an extra $7.2 million of unallocated money.

The follow up question to that rhetorical lead-in is “why are you gambling with $7.2 million you don’t have?”

A new survey from the Ponemon Institute–sponsored by Symantec–found that the average cost of a data breach for a company in the United States has increased to $7.2 million. That breaks down to an average of $214 per individual exposed or compromised data record. The kicker is that the survey also reveals that the number one cause of data breaches is negligence.

Don’t gamble $7.2 million you don’t have. Don’t let your organization be negligent. Invest proactively in the tools your organization needs to prevent sensitive information from leaving your network, and make sure your company isn’t tomorrow’s data breach headline.

It will cost you $7.2 million to react to a data breach incident after it’s too late. It will cost you a fraction of a percent of that $7.2 million to prevent the data breach in the first place.

Cord Blood Registry Learns Hard Lesson

Friday, March 4th, 2011

What happens when you leave a laptop and backup tapes holding unencrypted sensitive customer data in your car? Simple–someone breaks into the aforementioned vehicle and steals them, leading to a data breach affecting 300,000 customers.

Cord Blood Registry, the world’s largest stem cell bank, learned this lesson the hard way. Hopefully, your data is already protected–especially on laptops and backup media. If not, hopefully you will learn from CBR’s mistake and won’t have to go through the painful process of learning the lesson the hard way as well.

Lax data protection is usually a combination of a false sense of security, obliviousness to the risk, and a healthy dose of feeling that the solution is too complex or costly. CBR should have had policies in place mandating that data on laptops and backup media be encrypted to prevent exposure or compromise. More importantly, it should have had tools in place that simplify and automate that process so that data protection isn’t reliant solely on an individual user’s ability to follow that policy.

Gigabytes of Data Gone in a Flash

Thursday, March 3rd, 2011

Have you ever lost a USB thumb drive? I have so many, I am not even sure I would notice if one was missing. I am positive that some have been misplaced over time. Thankfully, none of my USB thumb drives have any private or sensitive information I care about on them. Lost thumb drive? No sweat. The next tech conference or event I go to, I am bound to get three or four new ones.

For many companies, unfortunately, thumb drives also get lost–but contain sensitive data that is not properly protected. For example, an employee of the Henry Ford Health System in Michigan recently lost a USB flash drive containing unencrypted information on nearly 3,000 patients.

Apparently, Henry Ford Health System has a policy in place mandating that such data be encrypted. The article states, “The device is not encrypted as required to protect individual patient information.” It also says, “hospital officials said it’s still unclear how the flash drive was lost.”

I think this brings up two valuable points. First–it is only marginally relevant how the flash drive was lost. Maybe it was stolen. Maybe it got left in a pair of pants and washed with the laundry. Maybe it fell out of the employee’s pocket. The bottom line is that determining how the USB flash drive was lost is unlikely to yield any useful results to prevent a similar occurrence in the future.

Second, it demonstrates that an unenforced policy is about as effective as not having a policy in the first place. Whether the employee intentionally ignored the policy, or made an honest mistake, the fact is the policy wasn’t followed and now personal information on almost 3,000 patients is assumed exposed or compromised as a result.

Establishing a policy is an important step, but it is just a first step, not the end of the journey. IT admins need to have tools in place that can monitor systems and ensure the policy is followed and enforced as well.
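Added example, not Zlock or Zecurion code and not part of the original posts: a small Python model of the two removable-media modes described in the “Protect Data Without Impeding Productivity” post above (writes allowed to an approved brand of drive, or only to specific company-issued drives) together with the enforcement check this post calls for, replaying audit log lines against the policy to flag hosts that granted more access than the policy allows. The vendor IDs, serial numbers, user names and log line format are all constructed assumptions, not values from any real product.

```python
"""Removable-media allow-list policy plus a log-replay check for unenforced policy.

Added illustration; all IDs, serials, users and the log format are constructed.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Tuple


class Action(Enum):
    BLOCK = "block"            # device is not mounted at all
    READ_ONLY = "read-only"    # mounted, but writes are refused
    READ_WRITE = "read-write"  # full access


# Higher rank = more permissive; used to compare granted vs. allowed access.
RANK = {Action.BLOCK: 0, Action.READ_ONLY: 1, Action.READ_WRITE: 2}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int   # USB idVendor (identifies the "brand")
    product_id: int  # USB idProduct
    serial: str      # iSerialNumber string; empty on many cheap drives


@dataclass(frozen=True)
class RemovableMediaPolicy:
    approved_vendors: FrozenSet[int] = frozenset()   # "approved brand" mode
    issued_serials: FrozenSet[str] = frozenset()     # "company-issued drive" mode
    require_issued_serial: bool = False              # True -> serial allow-list only
    default_action: Action = Action.READ_ONLY        # what everything else gets


def evaluate(policy: RemovableMediaPolicy, device: UsbDevice) -> Action:
    """Decide what access one device gets under the policy."""
    if policy.require_issued_serial:
        # Tight mode: only a specific company-issued drive may be written to.
        # An empty serial can never match, so no-serial drives fall through.
        if device.serial and device.serial in policy.issued_serials:
            return Action.READ_WRITE
        return policy.default_action
    # Looser mode: any drive from an approved vendor may be written to.
    if device.vendor_id in policy.approved_vendors:
        return Action.READ_WRITE
    return policy.default_action


def audit_record(policy: RemovableMediaPolicy, user: str, device: UsbDevice) -> str:
    """One structured log line per decision, for the monitoring side (constructed format)."""
    action = evaluate(policy, device)
    return (f"user={user} vid={device.vendor_id:04x} pid={device.product_id:04x} "
            f"serial={device.serial or '-'} action={action.value}")


LOG_RE = re.compile(
    r"user=(\S+) vid=([0-9a-f]{4}) pid=([0-9a-f]{4}) serial=(\S+) action=(\S+)")


def find_violations(policy: RemovableMediaPolicy, log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (user, device) pairs where a host granted more access than policy allows.

    This is the "is the policy actually being followed?" check: the policy on paper
    is replayed against what endpoints reported actually happened.
    """
    found = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line; a real monitor would count these too
        user, vid, pid, serial, action = m.groups()
        device = UsbDevice(int(vid, 16), int(pid, 16), "" if serial == "-" else serial)
        granted = Action(action)
        if RANK[granted] > RANK[evaluate(policy, device)]:
            found.append((user, device.serial or f"{vid}:{pid}"))
    return found


# Constructed sample policies and log lines.
APPROVED_VENDOR = 0x0ABC  # stands in for the one approved brand
BRAND_POLICY = RemovableMediaPolicy(approved_vendors=frozenset({APPROVED_VENDOR}))
ISSUED_POLICY = RemovableMediaPolicy(
    issued_serials=frozenset({"CORP-0001", "CORP-0002"}),
    require_issued_serial=True,
    default_action=Action.BLOCK,
)
SAMPLE_LOG = [
    "user=alice vid=0abc pid=1234 serial=CORP-0001 action=read-write",
    "user=bob vid=0abc pid=1234 serial=PERSONAL-77 action=read-write",
    "user=carol vid=1111 pid=2222 serial=- action=read-only",
    "user=dave vid=1111 pid=2222 serial=- action=read-write",
    "not a policy log line",
]

if __name__ == "__main__":
    for name, policy in (("brand", BRAND_POLICY), ("issued", ISSUED_POLICY)):
        print(name, "violations:", find_violations(policy, SAMPLE_LOG))
```

Under the approved-brand policy only dave's write to an unapproved drive is a violation; under the company-issued policy bob's personal drive and carol's no-serial drive are flagged as well, which is the difference between the two modes the post describes.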