
Security Awareness

#7 Consumer Awareness/Education…Potential Competitive Advantage for Banks?

2011-05-03
By: Awareity
On: May 3, 2011
In: *Connecting the Dots Blog*, Financial, Human Resources, Information Privacy, Information Security, Regulatory Compliance, Risk Management

Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, sites they are visiting, e-mails they are responding to, etc. Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road. Security awareness training and education can become a …

2010 – Massive Security Breaches…Lessons Learned

2011-05-03
By: Awareity
On: May 3, 2011
In: *Connecting the Dots Blog*, Health Care

Check out this recent overview of 10 of the largest data breaches from 2010 resulting in the loss of millions of data records. Lessons Learned: Is your organization providing ongoing situational awareness training? People are the weak link for the majority of data breaches, which are caused by human error, lost devices, social engineering attacks and numerous other poor decisions. It is critical for organizations to educate their employees (and third parties) on an ongoing basis, as risks, threats, requirements, and ‘next’ practices are constantly changing. Lessons learned clearly reveal that once-a-year general training is not enough.

‘Tricked’ RSA Worker Opened Backdoor to APT Attack

2011-05-03
By: Awareity
On: May 3, 2011
In: *Connecting the Dots Blog*, Business Continuity, Information Privacy, Information Security

A targeted phishing e-mail with the subject line “2011 Recruitment Plan” tricked an RSA employee into opening a document attached to the e-mail. The document contained a virus that led to a sophisticated attack on RSA’s information systems. Lessons Learned: Are your employees aware of changing and more sophisticated risks? Does your organization update employees with situational awareness as more and more attacks target your employees? All employees must understand their individual roles and responsibilities for protecting sensitive information. Organizations need to implement comprehensive and ongoing awareness programs to ensure all individuals understand changing risks, threats, best practices, etc.

286 Million New Threats in 2010

2011-04-18
By: Awareity
On: April 18, 2011
In: *Connecting the Dots Blog*, Financial, Health Care, Information Privacy, Information Security

According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010, which equals an average of about 783,561 new threats per day. The report also points to dramatic increases in both the frequency and sophistication of targeted attacks and continued growth in the use of social networking sites to distribute attacks. Lessons learned: Your people are under attack… how is your organization keeping your people up to date on new attacks and new threats?

Preventing Online Fraud – Assumptions Versus Awareness

2011-02-22
By: Awareity
On: February 22, 2011
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

I recently came across an interview on BankInfoSecurity entitled “Banks Must Assume Customers Will Compromise Themselves”. In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques. With the use of current social networking sites, such as Facebook, customers are often revealing all the information fraudsters need to figure out their log-in credentials. Many experts (and vendors) are recommending banks increase their security measures and implement expensive fraud detection technology solutions and measures. Unfortunately, this is merely reacting to a symptom rather than preventing the problem.

Lessons Learned in Airline Security…

2010-11-22
By: Awareity
On: November 22, 2010
In: *Connecting the Dots Blog*, Emergency Management, Incident Reporting

Airline security is a hot topic and it reminded me about my experiences flying to Israel earlier this year. Have you ever flown into or out of Israel? I flew in and out of Tel Aviv this past year and the differences between airline security in the USA and Israel were like night and day in so many ways. Have you heard of Isaac Yeffet? For those of you who do not know, Isaac Yeffet is the former head of security for El Al of Israel. In an interview I listened to last night, Yeffet said… “technology in general can never replace a qualified and …

Is Your Janitor Cleaning Out Your Sensitive Information?

2010-09-30
By: Awareity
On: September 30, 2010
In: *Connecting the Dots Blog*, Information Privacy, Information Security

One of my last blogs discussed the risks of third-party contractors and their responsibilities for protecting information. This blog will address yet another third-party risk – your janitors. A janitor was recently arrested for removing boxes of records from a Southern California health care clinic. Interested only in getting money for the paper, the janitor sold 14 boxes of patient records to a recycling center for $40. This janitor was not interested in identity theft, but the next one might be… In an earlier case, a janitor stole personal information from patient files at a Chicago hospital, participating in an identity theft ring that …

Social Engineering: Need $11K?… Just Ask a Wal-Mart Employee

2010-09-24
By: Awareity
On: September 24, 2010
In: *Connecting the Dots Blog*, Human Resources, Information Security, Legal

In a recent incident, a man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read to him the card numbers and then provide the authorization codes from the back of the cards. The associate willingly did so – and not until $11,000 in online fraud later did the store realize they had been tricked. This is a great lesson learned to share with your employees (and third parties). Do your employees understand your organization’s policies on providing/protecting information in different situations? The Wal-Mart caller did not …

Rite Aid – HIPAA Violation – Lessons Learned Not Implemented

2010-08-12
By: Awareity
On: August 12, 2010
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

Did everyone see this ultimate lesson regarding lessons learned but not implemented? Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark? According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them. The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years. Now roll the clock ahead to July 2010 and another pharmacy chain …

Siemens Lessons Learned: The Dangers of Default Passwords

2010-07-28
By: Awareity
On: July 28, 2010
In: *Connecting the Dots Blog*, Information Security

One of the first things security professionals recommend when you install new programs, systems or hardware is that you change the default password immediately. And, if a system has been breached or is vulnerable to a potential breach, most security professionals recommend your users change their passwords as a precaution. Now, what if the password was hard-coded into the system and could not be changed without throwing all systems into chaos and disrupting or halting operations? And what if the default password for your software had been shared in online forums since 2008? That would never happen, right…? Unfortunately, this is exactly what has …
