More than ever, businesses, government agencies and consumers are learning costly lessons about due diligence in privacy and data security.
In recent years, more than 100 million Americans have been victimized, according to the Privacy Rights Clearinghouse, a consumer rights organization.
The epidemic is caused by hacking, theft, and unscrupulous employees.
Indeed, five years of research by Carnegie-Mellon University’s CERT Coordination Center, and the U.S. Secret Service shows employees and former employees are responsible for much of the information technology sabotage.
Some 80 percent of incidents were caused by workers already known by managers to be discontented.
The individual costs have ranged from $500 to millions of dollars.
In other words, we’re in a state of crisis and it’s time for an update on solutions from a trusted source I’ve quoted in years past, Stan Stahl, Ph.D., a nationally known security expert (SecureTheVillage.org).
Security trend concerns
He has three major concerns in security trends:
The first of which is organized crime, which he calls cyberscum. “Credit cards with pin numbers go for $100 on the black market,” said Dr. Stahl. “With such cyberscum, you have people who spend their days looking for vulnerabilities in software and they build botnets. The Secret Service uncovered one of the botnets that invaded and controlled 150,000 computers.
“Secondly, it used to be that the perimeter was well-defined because it was basically the corporate network,” he explained. “But now Blackberries, smart phones, and remote workers and all of that, the perimeter is no longer well-defined.”
His third concern? “It used to be you just needed anti-virus software, firewalls and passwords, but hackers are attacking anti-virus security so you really need to step back to take a big-picture look of protection to develop a secure program in your technology and culture,” he added.
Although convenient, confidential offsite storage is not guaranteed. Dr. Stahl recommends verifying the security of Web sites. “That’s one of the places the bad guys are looking.”
Small Business Security Checklist
His checklist advice for micro businesses:
- Know what information you have that needs to be protected.
- Understand the risks that your information is under.
- Structure your networking to provide what’s called defense-in-depth. That’s a tiered architecture with network segmentation.
- Watch the network.
- Train your people.
- Perform personnel background and physical security checks.
- Manage the security of your third party vendors.
For success in reaching objectives in information-security control in financial institutions, other large companies and public agencies, Dr. Stahl believes a security program is necessary for seven critical success factors:
- Executive management responsibility: Senior management has responsibility for the firm’s information security program, and this program is managed in accordance with the enterprise’s information security policies.
- Information security policies: The enterprise has documented its management approach to security in a way that complies with its responsibilities and duties to protect information.
- User awareness training and education: Information users receive regular training and education in the enterprise’s information security policies and their personal responsibilities for protecting information.
- Computer and network security: IT staff and IT vendors are securely managing the technology infrastructure in a defined and documented manner that adheres to effective industry information security practices.
- Physical and personnel security: The enterprise has appropriate physical access controls, guards, and surveillance systems to protect the work environment, server rooms, phone closets, and other areas containing sensitive information assets. Background investigations and other personnel management controls are in place.
- Third-party information security assurance: The enterprise shares sensitive information with third parties only when it is assured that the third-party appropriately protects that information.
- Periodic independent assessment: The enterprise has an independent assessment or review of its information security program, covering both technology and management, at least annually.
His list of credentials is voluminous, and he has a client portfolio ranging from small to large clients in the public and private sectors. He’s also president of the Los Angeles chapter of the Information Systems Security Association (ISSA). Nationwide, ISSA has 15,000 members.
For consumers, he recommends reconciling credit card and bank statements every month. For online security, he also likes the following software: SpySweeper, ZoneAlarm and Sandboxie for special protection for provocative sites like gambling. “Some are becoming more proactive, but they’re just now beginning to emerge and I haven’t had a chance to test them,” he said.
To check your credit report for fraud, here:
From the Coach’s Corner, here are more of Dr. Stahl’s insights:
5 Safety Measures to Thwart Mounting Social-Network Attacks — Sally, the accounting manager of a medium-sized business, regularly checked her Facebook account while at work. One day she received an e-mail. The e-mail said that a long-lost friend, Bob, had added her as a friend in Facebook. “How great.” thought Sally. “An email from Bob. Let me just follow this link and we can be friends again.” You’ll never guess what happened afterward.
Security Precautions to Take Following Citibank’s Second Reported Online Breach — Citibank’s admission that private information of 360,083 North American Citigroup credit card accounts was stolen by hackers in 2011, which affected 210,000 customers, serves as a warning for all businesses and consumers to take precautionary steps. The bank’s May 2011 security breach wasn’t reported until weeks later. Originally, Citibank said 200,000 accounts were affected.
“You can’t hold firewalls and intrusion detection systems accountable. You can only hold people accountable.”
– Daryl White
__________
