Home/ CIPP Information Privacy & Security News/ Group items tagged Employee

Karl Wabst

Organisations are becoming too confident in their ability to comply with security polic... - 0 views

  •  
    Too many companies leave themselves vulnerable to employees' ignorance or purposeful flouting of the rules when it comes to information security, suggests a survey conducted by (ISC)2. Focused on the 'basics' of policy management, the survey revealed that organisations are becoming confident in their ability to comply with the policies and procedures set out to secure their organisations. Analysis of the results, however, reveals education efforts to be immature, with most concerns relating to accountability and company-wide understanding of what is required. The survey questioned 737 information security professionals last month about their organisation's efforts in policy and awareness management. A great majority, 80 percent, said their company's ability to comply with security policy was satisfactory, good or very good, leaving only 20 percent saying they were dissatisfied. However, this confident stance was tempered by concerns from nearly half of the respondents over a lack of training (48 percent) and poor employee understanding of policy (46 percent); a lack of defined accountability (42 percent); and an unsupportive company culture (48 percent). These obstacles to compliance with policy were cited by significantly more respondents than other issues of traditional concern, including a lack of budget, which only 22 percent were concerned about, and the ability to procure the latest technology, which concerned only 19 percent of respondents. "The challenges are shifting from the systems to the people," says John Colley, CISSP, managing director for EMEA (Europe, Middle East, Africa) for (ISC)2. "The relatively little concern expressed over budgets suggests security continues to be viewed as a business imperative, even in the current economic climate. Unfortunately, security requirements are not yet well understood, or worse flouted, often with management support, in order to get a job done. There is a colossal task ahead to ensure all emplo
  •  
    Ignorant People are a big security risk.
Karl Wabst

Top 10 Compliance Issues for IT - 0 views

  •  
    Things to think about for auditors during a downturn
  •  
    As IT environments are becoming more complex, enterprises are relying on them more than ever before, Michael Juergens, principal at Deloitte & Touche, told attendees at an ISACA CACS audit and compliance conference. He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate these risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added. He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required. Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment. During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said. Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures. A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes. En
Karl Wabst

How to Secure Sensitive Data Before a Layoff Occurs - 0 views

  •  
    Over the past six months, many of us have become desensitized to the staggering number and size of layoffs that continue to occur almost daily. But the reality for the IT industry is that layoffs have a different effect on those of us in the industry whose mission it is to protect the company's reputation, intellectual property, confidential data (both electronic and hard copy) and business operations. Knowledge Center contributor Gregory Shapiro outlines seven steps IT professionals can take to protect their company's data before a layoff is implemented. Unlike individual employee terminations, which are customarily unannounced and immediate, layoffs present a larger threat to corporations because they leave the door open to both intentional and unintentional data loss, leakage and integrity problems. When employees sense impending layoffs or are told in advance and kept on for a limited time to transition, that is when rumors and panic consume the employees. It's then that the company's sensitive data can be compromised. For this reason, the strategy for any corporation planning a layoff should include setting policies and making sure practices are in place to secure their sensitive data now. Steps to protect company data before a layoff is implemented
  •  
    Ironic
Karl Wabst

Interior Botches Officials' Passports, Report Finds - washingtonpost.com - 0 views

  •  
    The Interior Department's inspector general has found widespread mishandling and erratic tracking of special passports issued to department officials traveling overseas, alleging that in numerous instances employees violated federal privacy laws by improperly securing passports and passport application forms. In some cases, officials couldn't account for expired passports of former employees, and could not locate a passport once issued to former Interior secretary Gale Norton. The inspector general's report warned that such mismanagement and lax protection could result in cases of fraud or identity theft impacting current and former employees. "Given the risk of misuse that missing and unsecured passports, visas and passport applications pose, we cannot understate the importance of acting swiftly to address these violations and prevent their recurrence," Acting Inspector General Mary L. Kendall wrote in a memo sent with a copy of the report last week to Interior Secretary Ken Salazar.
Karl Wabst

Ex-Federal Bank worker charged with ID theft - 0 views

  •  
    A former IT analyst at the Federal Reserve Bank of New York and his brother were arrested Friday on charges that they took out loans using stolen information, including sensitive information belonging to federal employees at the bank. Prosecutors allege that Curtis Wiltshire, 34, took out student loans totalling US$73,000 using the stolen information. His brother, Kenneth Wiltshire, 40, is charged with using the identities of two federal employees to try and obtain a loan for a 2006 Sea Ray 340 Sundancer speedboat. The charges (pdf) come two months after federal investigators found two 2006 student loan applications on a thumb drive attached to the work computer of Curtis Wiltshire, who had worked at the Reserve Bank for nearly eight years as an information and technical analyst. According to court documents, that investigation was unrelated to the fraud charges. Wiltshire was dismissed soon after the drive was found on around Feb. 15, prosecutors said. The charges were filed in the federal court in Manhattan. The two men could not be reached for comment Friday and the names of their lawyers were not included in the court documents. Curtis Wiltshire had "access to computer files containing information about employees of the [federal bank], including their names, dates of birth, Social Security numbers, and photographs," U.S. Federal Bureau of Investigation Special Agent Cordel James said in an affidavit filed in the case. Curtis Wiltshire was charged with bank fraud and identity theft and faces more than 30 years in prison if convicted. His brother was charged with mail fraud and identity theft and faces a maximum of 22 years in prison.
Karl Wabst

Hacked! Limiting employer liability for breaches of employee data - Business Management... - 0 views

  •  
    Imagine this nightmare scenario: You've contracted with a vendor to enter personnel data into a new computer system. You give the vendor confidential data regarding your employees, including their Social Security numbers, addresses, names of dependents, health records and bank account routing numbers. Then the vendor notifies you that employee data was somehow stolen or lost. What do you do? It happens more often than anyone would like to admit. The Federal Trade Commission estimates that 9 million Americans have their identities stolen each year. More than 262 million records have been breached since January 2005
Karl Wabst

LABS GALLERY: SocialPET Lets Businesses Phish Their Own Employees to Test Security Smarts - 0 views

  •  
    " One of the biggest security risks that companies face is employees who fall victim to phishing e-mails, which can lead to stolen log-in credentials and virus infections. SocialPET is a simple Web-based testing tool that lets businesses run their own phishing tests to find out which employees understand security procedures and which are at risk to falling prey to real phishing scams. "
Karl Wabst

Data Loss Protection and Your CRM System - CIO.com - Business Technology Leadership - 0 views

  •  
    "CRM systems are full of data that's valuable to your company. Or at least, it better be. But CRM systems are not at the top of the list for external hackers, so why should it be on your priority list for an ILP/DLP system? Let's start by clearing up a misconception: the external hacker is rarely your biggest concern, particularly for a CRM system. The most dangerous breaches come from your own employees, particularly the disgruntled ones. Given the number of layoffs and the turnover of sales reps these days, the risk has grown. Your employees not only have access to a significant amount of data, but also know what the data means and how to separate the marginal from the important."
Karl Wabst

CANADIAN INSTITUTE OF CHARTERED ACCOUNTANTS | Generally Accepted Privacy Principles see... - 0 views

  •  
    "In light of a spike in identity theft and the frequency with which personal information is stored on portable devices, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) have expanded Generally Accepted Privacy Principles (GAPP) to include protocols for securing and disposing of personal information. "Safeguarding personal information is one of the most challenging responsibilities facing an organization, whether such information pertains to employees or customers," said Everett C. Johnson, CPA, chair of AICPA/CICA Privacy Task Force and a past international president of ISACA, a global information technology association. "We've updated the criteria of our privacy principles to minimize the risks to personal information." GAPP offers guidance and best practices on securing portable devices, breach management and ensuring continued effectiveness of privacy controls. The guidance additionally covers disposal and destruction of personal information. The principles are designed for chief privacy officers, executive management, compliance officers, legal counsel, CPAs and CAs offering technology advisory services. "Portable tools such as laptops and memory sticks provide convenience to employees but appropriate measures must be put in place to secure them and the data they contain," said Donald Sheehy, CA.CISA, CIPP/C, associate partner with Deloitte (Canada) and a member of the AICPA/CICA Privacy Task Force. "We must stay abreast of technological advances to assure that proper measures are put into place to defend against any new threats." Created by the AICPA/CICA Privacy Task Force, GAPP is designed to help an organization's management team assess an existing privacy program or address privacy obligations and risks. The principles provide a framework for CPAs and CAs to offer privacy services to their clients and employers, such as advisory services, privacy risk assessments and attestation or
Karl Wabst

Facebook Makes Security Changes as Privacy Controversy Swirls - Security from eWeek - 0 views

  •  
    "Facebook tightens security as it deals with the continuing fallout over changes to its privacy settings." ...Earlier on May 13, Facebook had a meeting where employees asked executives questions about privacy. Facebook officials would not comment on exactly what was said. "We have an open culture and it should come as no surprise that we're providing a forum for employees to ask questions on a topic that has received a lot of outside interest," a spokesperson said.
  •  
    Hey Zuck! Privacy & security are NOT the same thing. Misdirection is not the response FB users are seeking.
Karl Wabst

N.Y. bank computer technician charged with ID theft - SC Magazine US - 0 views

  •  
    "A New York computer technician has been charged with stealing the identities of more than 150 Bank of New York Mellon employees and using them to orchestrate a scheme that netted him more than $1.1 million, prosecutors said this week. Adeniyi Adeyemi, 27, of Brooklyn was indicted Wednesday on charges of grand larceny, identity theft and money laundering for crimes allegedly committed between Nov. 1, 2001 and April 30, 2009, according to a news release from Manhattan District Attorney Robert Morgenthau. According to prosecutors, Adeyemi, who was employed as a computer technician working at the headquarters of Bank of New York, stole the personal information of dozens of bank employees, primarily from individuals in the information technology department. He then used the identities to open bank and brokerage accounts, which served as "dummy accounts" to receive stolen funds. Adeyemi then stole money from the bank accounts of numerous charities and nonprofit organizations, and transferred the funds into the dummy accounts, which he later withdrew or transferred to other accounts, prosecutors said."
Karl Wabst

Facebook surfing while sick costs woman job | Oddly Enough | Reuters - 0 views

  •  
    A Swiss insurance worker lost her job after surfing popular social network site Facebook while off sick, her employer said Friday. The woman said she could not work in front of a computer as she needed to lie in the dark but was then seen to be active on Facebook, which insurer Nationale Suisse said in a statement had destroyed its trust in the employee. "This abuse of trust, rather than the activity on Facebook, led to the ending of the work contract," it said. The unnamed woman told the 20 Minuten daily she had been surfing Facebook in bed on her iPhone and accused her employer of spying on her and other employees by sending a mysterious friend request which allows access to personal online activity. Nationale Suisse rejected the accusation of spying and said the employee's Facebook activity had been stumbled across by a colleague in November, before use of the social network site was blocked in the company.
Karl Wabst

Typical lost or stolen laptop costs companies nearly $50,000, study finds - San Jose Me... - 0 views

  •  
    A typical lost or stolen laptop costs employers $49,246, mostly due to the value of the missing intellectual property or other sensitive data, according to an Intel-commissioned study made public Wednesday. "It is the information age, and employees are carrying more information on their laptops than ever before," according to an analysis done for Intel by the Michigan-based Ponemon Institute, which studies organizational data-management practices. "With each lost laptop there is the risk that sensitive data about customers, employees and business operations will end up in the wrong hands." The five-month study examined 138 laptop-loss cases suffered over a recent 12-month period by 29 organizations, mostly businesses but also a few government agencies. It said laptops frequently are lost or stolen at airports, conferences and in taxis, rental cars and hotels. About 80 percent of the typical cost - or a little more than $39,000 - was attributed to what the report called a data breach, which can involve everything from hard-to-replace company information to data on individuals. Companies then often incur major expenses to prevent others from misusing the data. Lost intellectual property added nearly $5,000 more to the average cost. The rest of the estimated expense was associated with such things as investigative costs, lost productivity and replacing the laptop. Larry Ponemon, the institute's chairman and founder, said he came up with the cost figure based on his discussions with the employers who lost the laptops. When he later shared his findings with the companies and government agencies, he said, some of their executives expressed surprise at the size of the average loss. But he noted that one of the employers thought the amount could have been even higher.
Karl Wabst

BBC NEWS | Technology | Workers 'stealing company data' - 0 views

  •  
    Six out of every 10 employees stole company data when they left their job last year, said a study of US workers. The survey, conducted by the Ponemon Institute, said that so-called malicious insiders use the information to get a new job, start their own business or for revenge. "They are making these judgements based out of fear and anxiety," the Institute's Mike Spinney told BBC News. "People are worried about their jobs and want to hedge their bets," he said. "Our study showed that 59% of people will say 'I'm going to take something of value with me when I go'." The Ponemon Institute, a privacy and management research firm, surveyed 945 adults in the United States who were laid-off, fired or changed jobs in the last 12 months. Everyone that took part had access to proprietary information such as customer data, contact lists, employee records, financial reports, confidential business documents, software tools or other intellectual property.
Karl Wabst

Small Businesses Face More Fraud in Downturn - WSJ.com - 0 views

  •  
    Cash-squeezed privately held companies are facing another threat in this struggling economy: rising employee fraud. Employee fraud -- from check-forgery schemes to petty-cash theft -- tends to rise during tough economic times, when workers are feeling financial pressure in their personal lives, experts say. And small companies are especially vulnerable because they often lack stringent internal controls to prevent fraud. Sometimes, managers at affected companies attribute lost funds to lower sales -- never even suspecting foul play.
Karl Wabst

CVS to pay $2.25 million to settle privacy case - 0 views

  •  
    Woonsocket-based CVS Caremark Corp., the largest U.S. drugstore chain, has agreed to pay $2.25 million to settle federal charges that company employees compromised customer privacy by throwing prescription records and drug bottles into open trash bins. The Federal Trade Commission said its investigation with the Health and Human Services Department followed media reports that trash bins behind CVS pharmacies contained pill bottles bearing patient names, credit-card and insurance information, and Social Security numbers. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies said. The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit-card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver's license numbers and account numbers. Names of the patients' doctors were also included. The settlement "will restore appropriate privacy protections to tens of millions of people across the country," FTC chairman William Kovacic said in a statement. "It also sends a strong message" that organizations "are required to secure consumers' private information," he said.
Karl Wabst

Tackling the Insider Threat - 0 views

  •  
    Times are tough, and we all continue to hear about the heightened risk of the insider threat. Granted, unauthorized insider access to data has always been a concern. But the concern is increased now because of the tremendous changes that we are seeing in the economy. The term "disgruntled employee" now has a whole new meaning because there are more and more folks concerned about 'What if my job disappears? What kind of information can I keep? What kind of information can I have access to?' As one who's dealt with the insider threat, I have some questions of my own: What do you really mean by an insider? In our borderless world, the terms "insider" and "outsider" overlap. "Insiders" are not just employees and staff, but also service providers, business partners, consultants, contractors -- any number of parties who may work for companies we deal with. What do we really mean by an authorized versus an unauthorized insider? If you take a look at the Societe Generale situation, allegedly a fraud was committed by an authorized user with privileges he was not supposed to have. How? Well, the horribly overused cliché is that if you work with a company long enough, eventually you will have access to everything, and no one will know it. Bottom line: As people change jobs within a company, we are not good at updating their roles and responsibilities. If you look at all the efforts that have been spent on identity and access management products, the biggest challenge is trying to understand: What are the roles and responsibilities you are trying to apply to people? How do you develop these roles and responsibilities and how do you group them? How do you really deal with people who have to change roles and responsibilities? How do you add and delete roles and responsibilities as people change jobs?
Karl Wabst

Data walks out the door, but what do you really care about? - Security Bytes - 0 views

  •  
    There were only two of us on the graveyard shift. "If it's not locked up," a colleague at my first newspaper declared as he snatched a folder of papers from our boss' desk and strode towards the office copying machine, "Xerox it." (Old-tongue for photocopy.) That was long before CDs, and USB drives and, certainly, iPods, but the lesson was the same. If you are stupid about protecting company information, shame on you. I guess that's the message behind the "revelation" released in a survey this week that the majority of people who leave their jobs, voluntarily or otherwise, are taking company information with them. Lots of it. My reaction was the same as when I watched my fellow journalist grab and copy whatever it was that had been so carelessly left in the open. I shrugged. (We are by nature an overly curious species, and that overrides our normally dominant ethics gene.) Data Loss Risks During Downsizing conducted by the Ponemon Institute and sponsored by Symantec, was apparently designed to test the hypothesis that in this dire economy (ominous music in background), former employees are going to take important company information out the door. And, in fact, the poll of 945 former employees who left their jobs or were dismissed in the last 12 months showed that 59% stole company data. What kind of data? Email lists, non-financial business information and customer information, including contact lists. Not the secret formula for Coke, not the clinical trial reports on a cure for cancer, no insider information on proposed mergers and acquisitions. Not even a few thousand credit card numbers. Hardly worthy of shock and dismay. This is what a lot of people do when they leave jobs. Are they supposed to? No. Is it wrong? Yeah, but it's sort of like cheating on taxes. Folks rationalize it in a variety of ways, or it just doesn't weigh heavily enough on their conscience to set off an internal alarm. Most of the people who took data - 79%
Karl Wabst

Aon UK Survey Finds 'Risk Ignorance' to be Greatest 2009 Challenge - 0 views

  •  
    70 percent of UK risk managers have declared that making sure the employees in their organization are risk savvy is their biggest challenge in light of new pitfalls according to research conducted by Aon. "The risks companies are facing, such as increased company insolvencies, less access to credit and increased levels of fraud, need to be dealt with by employees throughout the organization rather than just at senior management levels," said the bulletin. According to the survey of UK businesses the key risk management challenges they face in 2009 are: -- Embedding ERM in the culture of the organization 70 percent -- Keeping 'risk registers' real and relevant 47 percent -- Making the link between ERM and strategic planning processes 34 percent -- Gaining senior executive sponsorship 19 percent -- Making business continuity plans relevant to line managers 13 percent -- Credit rating agency scrutiny of ERM 6 percent Alex Hindson, head of enterprise risk management at Aon Global Risk Consulting commented: "When the markets are literally crashing down around us and we don't know what is just around the corner it is extremely tempting to focus just on the problems of today, rather than look at the issues and factors that are going to help us survive tomorrow, but this short term view can often be counter-productive.
Karl Wabst

Digging into System Access Risks | Big Fat Finance Blog - 0 views

  •  
    As I mentioned two weeks ago, a recent survey indicates that more than half of large companies have limited knowledge of which systems or applications their employees have access to. This marks a system access problem, and a growing risk during a period of frequent and large layoffs. If a company needs to turn off access manually (which is often the case), it may miss several user accounts that they don't realize exist. This leaves the door open for past employees, and others, to access important data, including financial information and customer information. To learn more about these open-door system risks, I asked Courion vice president Kurt Johnson about his firm's research.