E-mail Spoof Defeats Technology…Are Your People Prepared?
According to news reports, a spear-phishing experiment conducted over the past few days has revealed some disturbing new risks for organizations using enterprise e-mail products and services: Most major enterprise e-mail products and services were unable to detect a fake LinkedIn invitation that looked like it was from Bill Gates inviting people to join his professional network. Once the ‘victim’ clicked on the ‘invite’ link, they were sent to the phishing site where information about the ‘victim’ was captured.
The article in Dark Reading detailed comments from the CEO of PacketFocus, including: “I tested the spoofed e-mail on six different enterprise networks using the latest e-mail security technology from most of the major vendors, and not a single one picked up on the spoofed e-mail”.
Why should this story be important to organizational leaders? Your people (employees, managers, board members, partners, service providers, etc.) could be the ‘victim’ if they are not aware of risks and threats that technology cannot prevent.
What can organizational leaders do to proactively prevent risks that cannot be stopped by technology? Because this is a social-engineering attack that exploits people’s lack of awareness, organizational leaders must implement faster, simpler and better tools to help ensure ongoing awareness at the individual level.
This experiment represents a ‘red flag’ for organizational leaders to take immediate action before the next phishing e-mail with a fake link leads to a real threat rather than an experiment.
Does Your Organization Send PII and PHI Through the Mail?
Did you see the story today involving CalOptima (a Medicaid managed care plan) who has notified 68,000 of their members of a potential loss of past medical claims information?
According to CalOptima, the information includes substantial identifying information, such as member names, home addresses, dates of birth, medical procedure codes, diagnosis codes and member identification numbers and even some Social Security numbers.
Do you wonder how many other organizations are sending personally identifiable information (PII) and protected health information (PHI) in packages through parcel carriers?
Do you wonder how many organizations are sending YOUR personal information through the mail?
This story is one of hundreds of lessons learned that can help organizational leaders improve their culture of awareness, their culture of accountability and their culture of protecting personal information. Hopefully this blog and this lesson learned will help organizational leaders take action to prevent future breaches, lawsuits, penalties, fines and the expensive knee-jerk reactions in reputation management that proactive efforts can prevent.
Weekly Update: Implementing Lessons Learned
Lessons Learned Review…Keeping You Out of the Headlines and out of this blog…
Please take a moment to consider how these Lessons Learned could be implemented by managers within your organization to avoid expensive and embarrassing situations…
DDoS Attacks On Twitter, Facebook Result Of Massive Attack On One Person
A pro-Georgian blogger called “Cyxymu” was apparently the intended target of the massive DDoS attack that knocked down Twitter and caused major slowdowns on Facebook and LiveJournal. A botnet blasted waves of traffic at the blogger’s accounts on the sites simultaneously.
File Sharing Banned on Government Networks
Rep. Edolphus Towns introduced a bill to ban file-sharing software from all government and contractor computers and networks due to the recent disclosures of sensitive government and personal information.
Internet Hackers Steal $219K from City Bank Account
Internet hackers cracked into the City of Sherwood’s bank account and took $219,000 from the city’s checking account at Eagle Bank. The illegal withdrawal happened in December 2008, but the FBI warned the city not to say anything at the time.
LA Fitness Center Shooting In Pennsylvania Leaves 4 Dead
A man entered the L.A. Fitness Club, turned out the lights on an aerobics class filled with women, and opened fire with three guns, killing three women and wounding nine others before committing suicide.
U.S. Bank Failures Rise to 72 With Collapses in Florida and Oregon
U.S. bank failures rose to 72 in 2009 with the collapse of two lenders in Florida and one in Oregon. Regulators are closing banks at the fastest pace in 17 years as losses mount from unpaid real-estate debt.
Court rules employer did not violate workers’ privacy
The California Supreme Court ruled that an employer that installed a hidden camera in an employee office did not invade the workers’ privacy because the camera was turned on only when the workers were away. This decision left privacy rights intact for employees in the workplace, but made it possible for courts to throw out lawsuits before trial if surveillance was limited and conducted for legitimate purposes.
Lessons Learned are extremely valuable and must be implemented on an ongoing basis to ensure ongoing success and ongoing CYA! For more information on implementing lessons learned click here.
Worst Phishing Attempt Ever…
Received e-mail below this week…Wouldn’t it be great if all phishing attempts were this obvious?
How are you doing and your family?
I shall require from you , your full names, address and phone numbers to start the process of claim in this regard. Do send me these details to barwonglee@******.com.hk for prompt and needed action
Again I guarantee that all is under control and you have nothing to worry about, Just grant to me your full cooperation and keep this transaction close at heart.
Regards,
Wong Lee.
Of course many phishing attempts are more sophisticated and more professional looking and unfortunately more successful at tricking people into providing sensitive information. Managers at all levels would be doing themselves and their organization a lot of good if they shared examples of different types of phishing attempts so their people are prepared to protect personal and organizational information.
White House Provides Lesson Learned – Lack of Implementation
A recent story made headlines in The Washington Post, providing an excellent example of how a lack of implementation can lead to embarrassing headlines and illegal and costly results.
This story came up because of a previous story The Washington Post (and other media outlets) reported involving Obama officials being invited to intimate dinners at the home of Post publisher Katherine Weymouth, each sponsored at a cost of $25,000.
In response to the initial story, White House counsel Greg Craig reportedly sent out an e-mail (megaphone management) with the 9-page White House policy attached that covered dos and don’ts involving gifts, relationships and invitations to events.
Lessons Learned from White House’s Failure to Implement:
- Just because a memorandum is blasted out does not mean that anyone read it or understood it
- Just because an e-mail with an attachment is blasted out again still does not mean anyone read it or understood it
- Blasting out memorandums and e-mails provides little or no accountability for individuals
- Blasting out memorandums and e-mails provides little or no audit-ready documentation if an employee or vendor or partner violates the policy
- Not including key partners and vendors can lead to serious compliance and legal liabilities
- Not including key partners and vendors lacks accountability, transparency and audit-ready documentation
- What about personnel that started after March 20, 2009 and missed the memorandum blast?
- What about personnel that will start after July 02, 2009 and missed the e-mail blast?
The GAO Congressional and Presidential Transition page states the following:
Although agencies have made progress in improving their operations in recent years, they often lack the basic management capabilities needed to address current and emerging demands. Accordingly, GAO has identified key government-wide capacity building and management challenges. These challenges must be addressed to effectively and efficiently implement new policy and program initiatives.
The lack of implementation is obviously a very serious challenge facing managers today.
Smart managers use proven implementation tools…smart managers click here.
Swine Flu: U.S. Declares “Emergency of Preparedness”
On Sunday, Secretary Napolitano declared an Emergency of Preparedness, stating, ‘…we’re preparing in an environment where we really don’t know ultimately what the size or seriousness of this outbreak is going to be.’
I agree that this declaration is needed because most organizations are not well prepared for a pandemic flu outbreak. Studies show that organizations need to have pandemic plans that address workforce absenteeism rates of 40 percent or higher.
What if 40% of your employees were staying home because:
1) They are home sick
2) Family Members are sick
3) Schools are closed
4) Employees fear becoming sick
What if your vendors are unavailable due to travel restrictions/sick employees?
What if your partners are unavailable due to travel restrictions/sick employees?
What if your employees are unable to travel and make sales calls due to quarantines/border restrictions?
If your organization allows employees to work remotely, how do you know if people are receiving communications?
How can you ensure that all appropriate personnel have access to pandemic flu plans and procedures and understand their roles and responsibilities?
Gaps in communications and coordination efforts must be addressed sooner rather than later. Has your organization reviewed or updated its pandemic flu plan recently? Are you prepared?
CVS’s Expensive Trash
I recently blogged about Veterans Affairs and the lost laptop that cost Veterans Affairs (taxpayers) $20M to settle a lawsuit against them. Now we have some very expensive trash.
Attention all public and private organizational leaders! Did you see the FTC charges released last week against CVS Caremark Corporation? Not establishing, implementing and maintaining a comprehensive information security program to protect the security, confidentiality, and integrity of the personal information it collects from consumers and its employees is expensive! The FTC order requires CVS to pay $2.25 million to HHS to settle HIPAA violations, and CVS is required to obtain independent, third-party audits every two years for the next 20 years.
I would strongly encourage all executive management personnel to take a few minutes to review the information and then immediately use CVS’s lesson learned to proactively assess their organization’s information security and privacy practices – policies, procedures, processes, etc.
The FTC Complaint noted that CVS employees were discarding materials containing personal information in clear, readable text in unsecured, publicly accessible trash dumpsters on numerous occasions and at multiple CVS Pharmacy locations. Materials included prescriptions, prescription bottles, pharmacy labels, computer printouts, prescription purchase funds, credit card receipts, and employee records.
According to the FTC Complaint, CVS Pharmacies failed to: (1) implement policies and procedures to dispose securely of such information, including, but not limited to, policies and procedures to render the information unreadable in the course of disposal; (2) adequately train employees to dispose securely of such information; (3) use reasonable measures to assess compliance with its established policies and procedures for the disposal of such information; or (4) employ a reasonable process for discovering and remedying risks to such information.
Unfortunately, most organizational leaders will not take the time to understand what this FTC order really means and will not use the FTC order to help their organization. For example, many organizations do not have a reasonable process for discovering and remedying risks and have no way to measure or assess whether employees understand or are in compliance with established policies and procedures. Too many organizations say “we have policies and procedures”, but they have no way to implement and maintain those policies and procedures as situations and risks change, because most organizations think once-a-year “event” training is good enough… which is definitely not the case and can be very expensive for your organization.
NGKM…Disciplineware, Accountabilityware and Transparencyware all-in-one…
I was exchanging e-mails with my daughter the other day and she told me about a magazine called Campus Technology and how she thought it might be good for me to review due to Awareity’s successful solutions for schools and colleges.
My daughter is a very smart young lady and she is the one that told me I needed to start blogging too… so I clicked on the web link she provided to see what types of stories they covered. When I landed at the Campus Technology web page, I went straight to the current issue to see what types of stories were available to review online.
Looking down the list of featured articles, I saw one called To the Cloud and Beyond and saw it was a virtual roundtable of experts weighing in on the evolution of ‘worldware’ – from desktop software of two decades ago, to today’s Web 2.0 and social ‘cloud’ technologies, and on to the discipline-specific tools of the future.
Wow…this looked really cool so I clicked on the link to read the full roundtable discussion and was glad to read that these experts were talking about some very important issues that I believe are critical to the success of schools, governments and organizations of all sizes as we move into 2009 and beyond. They were talking about how “Web 2.0 is not on the desktop – rather, it is in the cloud” (Colleen Carmean from ASU) and how if the goal is to “cultivate and develop citizens who can be productive knowledge workers in different areas, setting out to solve problems of society, we have to go beyond the simple ability to interact and communicate easily and efficiently with each other. We need to have tools to solve problems that have specific foci. That’s why we’ll begin to develop ‘disciplineware‘, which, alongside other worldware, will leverage Web 2.0 technologies in the cloud.” (Phillip Long from University of Queensland Australia)
The next question made me laugh out loud (or should I type LOL here?) because the moderator then said “That sounds great, Phil, but is this just a futurist, pie-in-the-sky type of thing? How will the rise of disciplineware come about?”
I laughed in a comforting way because Awareity has been ahead of the curve for over 5 years, developing our Next Generation Knowledge Management solutions, which provide disciplineware, accountabilityware, transparencyware and much more.
So thanks to my lovely daughter, I think I need to immediately contact President Obama to let him know that we are “the risk-takers, the doers, the makers of things” and we can help President Obama deliver on two of his promises we keep hearing over and over… accountability and transparency in federal government.
Anyone know how I can contact President Obama so we can get started sooner rather than later?