Curiosity Killed…Your Organization’s IT Security?
According to a recent survey released by the Messaging Anti-Abuse Working Group (MAAWG), about 1 in 6 consumers have at some point acted on a spam message. Those who admitted to opening a spam message said they “were interested in a product or service” or “wanted to see what would happen if they opened it.”
Wanted to see what would happen if they opened it!? These people are not 6-year-olds wanting to see what would happen if they touched the hot stove or stuck their tongue to a flag pole during an ice storm!
Nearly two-thirds of the people surveyed felt they were very or somewhat knowledgeable about information security; however, 80% felt their machines would never be infected with a bot or malicious software. This lack of awareness can only lead to one thing… expensive consequences!
Organizations need to ensure that Lessons Learned like this are being implemented down to the individual level. Without ongoing education and awareness, many employees, customers, third parties, etc. will not understand risks, threats, best practices, etc. By implementing an organization-wide awareness program with accountability and communicating organization-specific policies for passwords, anti-virus software, online safety, etc., your users will understand how to safely and securely navigate the online world.
I also recommend sharing internal lessons learned with your employees, such as a recent data breach or social engineering incident, so all appropriate personnel understand why they are being required to participate in an ongoing security awareness program. If employees understand that by opening a spam e-mail, they are responsible for their actions that may potentially cost your organization millions of dollars and loss of reputation because of a data breach, they may be more likely to actually read your acceptable usage policies regarding strong passwords, e-mail safety and social networking best practices.
How are you implementing your security program and ensuring your employees understand the risks and threats of spam and other online threats?
Strained Budgets Cut Funding for Technologies…Blessing in Disguise?
According to a recent article, because of tight budgets, many organizations plan to cut funding for technologies that would help to mitigate the main security threats they face.
The article went on to say that 72 percent of respondents have seen an increase in e-mail-borne malware and phishing, yet eight percent of respondents said they plan to cut previously allocated funding for messaging security, e-mail encryption, e-mail security or instant messaging security technologies.
The survey also revealed that although 40 percent of respondents noted lost or stolen devices as a top security challenge for the next 12 months, 15 percent said they will be cutting budget allocations planned for mobile encryption and wireless security.
Other surveys have offered some interesting numbers, too. A survey from Ponemon indicated that 88% of breaches in 2008 were due to negligence and a survey from Verizon revealed 90% of breaches could have been prevented with security basics.
So perhaps the strained budgets could be a good thing??
What if an organization implemented awareness and accountability instead of more technology?
What if an organization implemented better knowledge that led to better decisions, less duplication and more efficiency across their silos/departments?
The bottom line would be improved with cost savings. The bottom line would be improved by targeting negligence. The bottom line would be improved by addressing security basics.
The bottom line is that perhaps strained budgets are a blessing in disguise…
School and Campus Safety Training Forum Highlights the “Whats”
I am attending the 2009 Virginia School and Campus Safety Training Forum, and the speakers have been very informative, providing the attendees with a whole lot of “what you should dos”…also called recommendations.
The “what you should dos” and recommendations are targeting serious challenges and obligations:
- Legal Gotchas
- Regulatory Updates
- Gang and Drug Abuse
- Search Guidelines
- Violence and Crime Prevention
- Bullying
- Establishing Relationships with School and Community
- Threat Assessment Team Recommendations
- And many other important topics…
In talking with several of the attendees, I have been asking which step is the most difficult:
- Performing Assessments
- Planning and Development of Programs
- Implementing Plans and Ongoing Assessment Results
The results have been unanimous…Implementing is the most difficult.
This is not a surprise based on numerous school-related reports, including the Virginia Tech Review Panel Final Report, which stated:
“Had the recommendations in this report been implemented, many of the problems cited above might have been averted.”
I think one of the attendees summed up this challenge even better telling me:
“The conference is great and I am fired up to go back to my school and improve my safety program…but when I get back to my office I am not sure how to implement all this information with all the people that need to know.”
Of course I explained to him that using proven implementation tools was the key…
Twitter Lawsuit is Lesson Learned
Did you see the $50,000 defamation lawsuit filed by an organization against a “tweeter”?
The lawsuit is a lesson learned that you may want to use to better prepare your people and your organization about the potential legal liabilities associated with sending a tweet about someone else or about another organization.
While I am not going to argue whether it is right or wrong, I want to bring attention to the personal details that the lawsuit exposes and how a person’s reputation or an organization’s reputation can be exposed no matter what the outcome of the court case.
If you scroll down on the verified complaint, you will see the entire string of tweets made by the defendant, which in some cases are not all that flattering.
So what should you do if you are a manager? You can use this lawsuit to make sure your management and your personnel all understand your organization’s guidelines and ethics standards if they are tweeting about your organization or your customers or your partners. I would suggest that you do not just blast out an e-mail, but make sure that management and all personnel understand the potential risks and liabilities with tweeting up the wrong tree.
Lessons Learned…Lessons Implemented?
Keeping You Out of the Headlines and out of this blog…
Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…
The New York Post reported that the New York City Police Department had signed a nearly $1 million contract with a vendor to purchase thousands of new manual and electric typewriters during the next three years. The NYPD’s typewriters are a shocking reminder of just how much more change needs to be implemented across government agencies and organizations to eliminate the status quo.
Kaiser Hospital Privacy Violation
Kaiser Permanente’s Bellflower Hospital received a second six-figure fine for failing to protect electronic medical record data from its own employees. The California Department of Public Health issued an administrative penalty of $187,500 against the facility after concluding that the hospital didn’t do enough to protect patient health information.
The Social Security numbers and other personal information of nearly 900 people were accidentally given to a resident who requested the information when an employee of the Hampton Redevelopment and Housing Authority printed a spreadsheet and mailed it, but forgot to exclude the personal information.
Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure ongoing success and ongoing CYA! For more information on implementing lessons learned click here.
Worst Phishing Attempt Ever…
Received e-mail below this week…Wouldn’t it be great if all phishing attempts were this obvious?
How are you doing and your family?
I shall require from you , your full names, address and phone numbers to start the process of claim in this regard. Do send me these details to barwonglee@******.com.hk for prompt and needed action
Again I guarantee that all is under control and you have nothing to worry about, Just grant to me your full cooperation and keep this transaction close at heart.
Regards,
Wong Lee.
Of course many phishing attempts are more sophisticated and more professional looking and unfortunately more successful at tricking people into providing sensitive information. Managers at all levels would be doing themselves and their organization a lot of good if they shared examples of different types of phishing attempts so their people are prepared to protect personal and organizational information.
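To make the indicators in the message above concrete for an awareness program, here is an added example (not code from the original post) that runs a small set of phishing heuristics over the quoted e-mail and reports which ones fire. The indicator list and the weights are assumptions chosen for illustration, not a published scoring scheme, and the sample message is the one quoted above with the masked domain kept as it appears on the page.

```python
import re

# Sample input: the message quoted in the post above, embedded here so the
# script runs offline. The recipient domain is masked as it is on the page.
SAMPLE_EMAIL = """How are you doing and your family?
I shall require from you , your full names, address and phone numbers to start the process of claim in this regard. Do send me these details to barwonglee@******.com.hk for prompt and needed action
Again I guarantee that all is under control and you have nothing to worry about, Just grant to me your full cooperation and keep this transaction close at heart.
Regards,
Wong Lee."""

# A constructed benign message for comparison.
BENIGN_EMAIL = "Hi, the quarterly report is attached. Let me know if you have questions."

# (indicator name, pattern, weight). Weights are an assumption for illustration.
INDICATORS = [
    ("requests personal identifiers",
     re.compile(r"\b(full names?|address|phone numbers?|social security|date of birth)\b", re.I), 3),
    ("asks to send details to a mailbox named in the body",
     re.compile(r"\b(send|forward|reply)\b[^\n]{0,80}[\w.*-]+@[\w*.-]+", re.I), 3),
    ("unsolicited claim or payout",
     re.compile(r"\b(claim|transaction|funds?|payment|inheritance)\b", re.I), 2),
    ("urges secrecy",
     re.compile(r"\b(close at heart|confidential|do not (tell|disclose)|keep (this|it) (between|secret))\b", re.I), 2),
    ("pressure or urgency",
     re.compile(r"\b(prompt|urgent|immediately|needed action)\b", re.I), 1),
    ("reassurance to lower suspicion",
     re.compile(r"\b(guarantee|nothing to worry about|under control)\b", re.I), 1),
]


def score_message(text):
    """Return (total score, list of indicator names that matched) for a message body."""
    hits = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    return score, hits


def classify(score, phishing_threshold=5, review_threshold=3):
    """Map a score to a verdict; the thresholds are assumptions, tune them per organization."""
    if score >= phishing_threshold:
        return "likely phishing"
    if score >= review_threshold:
        return "review manually"
    return "low risk"


def report(text):
    """Produce a short, human-readable summary suitable for an awareness briefing."""
    score, hits = score_message(text)
    lines = [f"verdict: {classify(score)} (score {score})"]
    lines.extend(f"  - {name}" for name in hits)
    return "\n".join(lines)


if __name__ == "__main__":
    print("Quoted message:")
    print(report(SAMPLE_EMAIL))
    print()
    print("Benign message:")
    print(report(BENIGN_EMAIL))
```

The heuristics are deliberately simple so that the reasons for a verdict can be read out loud in a training session; a production mail filter would combine many more signals (sender authentication results, link reputation, attachment analysis), but for the obvious case above every indicator fires.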
Poorly Kept Secret in Commercial Banking
An article in The Washington Post and comments from Avivah Litan, vice president at the market research firm Gartner Inc., regarding fraudsters targeting commercial business accounts caught my attention…and if you run a business, you should pay attention too.
Apparently the bad guys have figured out yet another way to steal real money and they are targeting business accounts rather than personal accounts.
The fraud involves mules and mule recruiters, some keylogger software planted on the PC of an unknowing person inside a bank, some social engineering and some fake, but real looking websites.
Notice how the bad guys are focusing on people and their lack of awareness??
For example, the mule recruiters are the bad guys with fake, but legitimate looking web sites who send out e-mails and recruit people to receive the money transfers and then pass the money along to the bad guys, who have convinced the mules they are a real and trusted company.
The scary part for businesses is their bank accounts are treated differently than consumer accounts. “If a company gets hacked and someone manages to clean out that firm’s bank account, the company’s bank is under no obligation to make that customer whole,” said Litan.
The bad guys are targeting two weak links: ACH (automated clearinghouse) systems and People.
This is a serious lesson learned, and remember…lessons learned are not valuable until they become lessons implemented. Are you implementing new processes for your people and your systems?
Seeing the Light in Dark Reading Report
I was reading a report the other day (The Evolution of Data-Centric Protection) from InformationWeek Analytics presented by Security Dark Reading (requires registration) and written by technology expert Joe Hernick.
The report includes a survey of 384 business technology decision-makers at North American companies and the purpose of the report was to determine the role of endpoint protection in enterprise data security strategies. The opening line of the report was great:
“Think sophisticated attackers are your biggest problem? Our survey says clueless and malicious end users are more likely to stymie even the best-laid defensive plans.”
I have experienced and observed similar results for years, but to finally see “technology decision-makers” acknowledge the importance of awareness and accountability of end users in public is like seeing the sunshine break through after days of dark clouds.
Based on the survey responses, the report went on to say:
“If there ever was a problem that could be solved purely by the appropriate deployment of technology, data loss prevention isn’t it. People, policies, and products must all work together, or the exodus of information will surely continue.”
“Alerting end users to corporate policies and educating them about the importance of keeping information safe is perhaps the most crucial step in preventing data loss. For every wizard-level black hat infiltrating a data center, there’s a pile of good intentions gone bad. User education must be accompanied by sensible, well-thought-out policies, and those policies must be applied in a way that suits the business.”
As identity theft and data breaches continue to escalate, leaders and decision-makers in both technology and non-technology positions must learn to work together to address end user awareness and accountability for data protection.
Perhaps most importantly, organizational leaders need to see the light and realize that adding more technology is not the solution. Organizational leaders must also realize that as more regulations and mandates are created, the criticality of awareness and accountability at the individual-level will become even more important to avoid more stringent fines and expensive consequences.
Law To Require Implementation of School Security Plans
Great news! A pending New Jersey bill would mandate that all public and nonpublic schools conduct monthly school security drills for non-fire evacuation, lockdown and active shooter response. Why is this great news?
Currently, most schools probably have emergency security plans in place, but due to lack of implementation many schools are not comfortable with their level of preparedness. They have a plan, but because they are not actively implementing and practicing their plans, confusion exists regarding roles and responsibilities and what to actually do if an incident were to occur.
The status quo methods outlined below are not working:
You have an Emergency Plan.
You have a Message Blasting Notification System.
You have some cool Technology products.
You did some General Training.
SO WHAT?!
TJ Maxx, CVS, Heartland Payment Systems, New Orleans, Virginia Tech, FEMA and many others along the way had plans; unfortunately their plans were not implemented….
Lessons Learned have shown that a lack of implementation (lack of practice) can lead to critical gaps that can lead to expensive and embarrassing incidents. Just because a school or organization has a plan in a binder or does once-a-year general training, does not mean that the plan has been implemented. People (faculty, students, staff, partners, contractors, vendors, etc.) must understand and accept responsibility for implementing plans and policies so they can become a layer of security and preparedness rather than a gap or a weak link.
By requiring schools to implement monthly security drills, administrators will help to eliminate panic and confusion for students, faculty, staff, parents and third-parties.
As risks and threats, including campus violence, pandemic flu, terrorism, etc. continue to increase, schools must ensure that all appropriate individuals are aware and accountable for their individual roles and responsibilities. Serious challenges can lead to safety incidents, emergency situations, lawsuits, fines, breaches, damaged reputations, etc. and the cost of preparedness and prevention is far less than the costs related to the consequences and recovery.
Is your organization implementing your plans and Lessons Learned at the individual-level?
Weekly Update: Implementing Lessons Learned
Lessons Learned Review…Keeping You Out of the Headlines and out of this Blog…
Law would require monthly school security drill
A new New Jersey bill would mandate that all public and nonpublic schools conduct monthly school security drills for non-fire evacuation, lockdown and active shooter response.
Currently, all schools have emergency security plans in place, but many schools are not comfortable with the procedures due to a lack of implementation.
According to a recent survey released by the Messaging Anti-Abuse Working Group (MAAWG), about 1 in 6 consumers have at some point acted on a spam message. Those who admitted to opening a spam message said they “were interested in a product or service” or “wanted to see what would happen if they opened it.”
Manufacturer cited for OSHA safety violations and $74,000 in penalties following a worker’s fatal exposure to hydrogen sulfite. The manufacturer is charged with a repeat violation for not properly labeling process vessels and for a failure to install monitors, as well as a lack of employee training.
Hundreds of documents containing information about financial projections and products for Twitter were hacked into and published by a number of blogs. Hackers gained access to the information by targeting an administrative employee and her personal e-mail account. From the personal account, the hackers were able to gain access to the employee’s Google Apps account, which contained sensitive information.