Did you know that 90 percent of all companies experienced some type of data breach within the last year? And that 64 percent happened while employees were outside of the corporate headquarters? We predict it will only get worse as more people use mobile devices and tablets.
Join me this Wednesday, July 11 at 3 p.m. ET/12 Noon PT to discuss...
Before we begin, I recommend reading Getting Ready For Data Loss Prevention (DLP). Go ahead, I’ll wait for you…
Back? OK, now let’s talk about what comes after: the “How” to implement DLP part.
As a next step, and at the risk of blowing my own horn, consider watching the recording of a webcast I did on April 5 here. You’ll get recommendations on how to deal with issues that are often overlooked in DLP deployments as well as some critical “how to” advice. This I position as an antidote to the all-too-common and none-too-helpful “just do it” approach to DLP advice. Because, on the path to DLP success, there are two deadly pitfalls to watch out for:
The first is in understanding where to start your data protection strategy using DLP (and why). Where to start influences your program’s effectiveness compared to how much risk you are hoping to eliminate from the business.
The second pitfall is in understanding how to execute. The "how" may be the most important part as it ultimately determines how soon you will benefit from DLP and determines the amount of resources that are required.
Surviving one of the pitfalls is hard enough, but trying to get through both on your own is nearly impossible.
Unfortunately, much of the historical “how” started with massive data-discovery projects, which usually meant at least six months of project consulting before any data was protected.
Not every DLP vendor has the same vision for how to make DLP work, so make sure that you understand your vendor’s approach and agree with it.
Have a listen and let me know what you think.
With the hectic travel schedule of first quarter wrapping up I had some spare time to think about advocating a fresh approach to security for the spring. I know it’s not the beginning of the year, but if your schedule is anything like mine, this may be the first time you’ve had a minute to spare since the calendar moved to 2012. With everything in the threat landscape changing so frequently, it’s important to reassess your current status and plan for the coming year, whenever we can come up for air. So, I came up with the following nine tips to help you get a fresh start this spring:
Do you think data breaches are up or down in 2011 compared to 2007 or 2008? The official answer may surprise you. According to DatalossDB and the 2011 Data Breach Investigations Report by Verizon, the number of records compromised per year has been decreasing since its 2008 peak. But these reports are missing something very important. It all comes down to what is reported. Last year I met with more than 450 CIOs and CSOs, and almost all of them said that incidents are way up. New breaches are constantly making headlines, so why is there a discrepancy between our perception and what these reports are finding?
Many industry reports focus on the never-ending stream of leaked or stolen personally identifiable information (PII). Most laws and industry standards, such as PCI DSS, also concentrate on PII. But there is something that could be more dangerous to lose than PII and that isn't getting enough attention in data breach reports—intellectual property (IP).
As we conduct business in an increasingly cloudy, mobile, and social world, it’s more important now than ever to take data security and privacy into consideration. Data is everywhere and its value is growing exponentially. But with data moving in and out of your organization so quickly—how can you keep it safe?
This is the perfect time of year to ask that question—today is Data Privacy Day. The National Cyber Security Alliance has coordinated various events in the United States and Canada to help facilitate discussions and raise awareness of data privacy and security issues.
In my opinion, the public and private sector must work together to combat the rising tide of data-hungry cyber criminals. Government legislation is and has been making strides toward mitigating cyber crime. In the U.S., 48 out of 50 states now enforce data breach notification laws, which require companies that collect or store personally identifiable information to notify customers if their information is compromised.
And, in Canada, mandatory data breach notification may soon become federal law. The Canadian Parliament is currently reviewing Bill C-12, a proposed update to Canada’s existing privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). At present, PIPEDA does not contain any breach notification provisions.
However, as we all witnessed in 2011, legislation alone cannot protect data. According to an upcoming study from the Identity Theft Resource Center (ITRC), previewed in advance by Information Week, in 2011, there were 419 breaches publicly disclosed in the U.S., affecting a staggering 22.9 million records.
This means we still have A LOT of work to do. And, consumers are losing patience. They hold businesses directly accountable for the loss of their personal data and continue to bring class action lawsuits against organizations. This consumer unrest is likely to fuel additional legislation that may punish companies financially for losing customer data. Corporations have to take responsibility.
Here are three key recommendations for protecting customer data:
Today, NetworkWorld created a fantastic slideshow featuring data from the latest Websense “Security Pros and Cons” survey of 1,000 IT managers on how data breaches affect their organizations.
Some of the statistics highlighted include:
In the last 12 months,
Check out the full report here.
Take a look at an infographic with some of the results here.
Your worst nightmare has come true: your business has been hacked! What do you do? Today, the Wall Street Journal published an article addressing this worst-case scenario with an insightful to-do list for companies facing a data breach.
While a breach will likely set a company back financially, there are steps a business can take to reduce the damage and prevent the event from having a long-lasting impact. The article calls for multiple steps. One in particular is to determine if the breach is still open – companies are warned not to assume that the attack is over just because one infected computer has been cleaned up or removed. The intruder could have taken control of multiple machines. Patrik Runald, Senior Security Research Manager at Websense, is quoted in the article on this subject:
“Hackers often send data to so-called dynamic hosts that constantly change their Internet addresses. Most legitimate websites don't use this kind of addressing. If data are still being sent to these types of addresses, it's a possible sign that a breach is still happening.” – Patrik Runald, Websense
The Wall Street Journal cites the Identity Theft Resource Center, which reports that last year, 662 organizations publicly disclosed data breaches. However, the actual number is likely much higher than that, since not all hacking incidents are disclosed. With all of the major security breaches we’ve seen in the last year, it is impossible to ignore the need for organizations to tighten up their security strategy. Cybercrooks are using every possible vector to penetrate your networks and traditional security solutions just don’t cut it. Find out how to protect your organization from the latest targeted attacks here.
I think there is a need for industries to first admit a problem – a problem with data. A huge volume of new content is being created, shared and moved inside and outside our walls every second. The challenge is that much of this data is sensitive and is a major governance and data theft concern. In order to prevent both accidental data loss and malicious data theft, organizations need to be able to identify what is and is not sensitive information and be able to accurately categorize sensitive information as it is created, without a massive process that intrudes on or adds additional steps for the content creator.
We’ve seen this is a real challenge for organizations, so we have been working closely with Microsoft to accurately monitor, identify, categorize, and ensure protection and proper use of sensitive information as it is being authored. It’s a big challenge and a huge technology hurdle. That said, at the recent Microsoft® BUILD developer conference we demonstrated accurate real-time file classification and data security policy application done automatically, without manual intervention from the author.
In my last post I discussed a push toward a more unified security strategy within the public and private sector. Today, I want to discuss why companies need to change their security strategy to stay ahead of the threats they face. This topic was something that came up a lot last week at the Austin NG security summit.
Ten years ago a great security program consisted of anti-virus, IDS, and firewalls – but now those protections have lost their effectiveness. Unfortunately, those three outdated security technologies now make up a huge portion of InfoSec spend. And the remaining small pittance is allocated to deal with the most advanced threats we have seen. Doesn’t seem like a fair fight, does it?
Research from Ponemon says 90 percent of all companies have been compromised in the last year. Many were targets of advanced malware that compromised web and email channels. Traditional signature-based security measures DO NOT catch these threats. They are too complex and change too fast for those old security measures to keep up.
Compound that with the fact that IT security is now on the CEO’s radar and the board is asking questions about security strategy. I’ve spoken to hundreds of CISOs and CSOs over the last year and the recent data breach headlines are catching their attention. More than ever the IT team is being asked: What is our current risk posture? How do we reduce risk? What is our situation? Are we going to be compromised? What is our strategy? This is our chance. Using this momentum and interest we must change the way we operate and the way executives think about security programs.
The first step is acknowledgement: You have to realize that at some point you will be compromised and the bad guys will get in. It’s not a matter of IF an APT or a targeted attack will strike; it’s a matter of WHEN. There is no silver bullet.
But, all is not lost! Once you’ve accepted this, the next step is to begin to change the way you plan. You need to be able to get the tools in place to be able to communicate to executives:
“I am going to prevent X amount of attacks. And of the guys that get in, I’m going to know in X amount of time, and I will have them contained in X amount of time. We can significantly reduce the probability that they will be able to access our most important data.” Make sure you have the technology, people, and processes to back up your claims.
This is the new strategy we have to adopt and share. In the next blog, I’ll share the successful strategies I’ve seen from some of the best organizations and CSOs who have adopted this approach. We’ll look at the most common entry and exit points of attacks and how these successful CSOs are focusing their technology investments in those areas.
In the meantime, how many of you have had conversations with your executive team about your security posture? Has this increased in frequency in the last year? Let me know in the comments below.