As confirmed by PriceWaterhouseCoopers, attacks against small and midsized businesses (SMBs) between 2013 and 2014 increased by 64 percent. Why? Low price, high reward.

Attackers can break through millions of poorly defended SMBs through automation, gaining access to a treasure trove of data. Small-business vulnerability assessments can identify your weaknesses, but they take time away from daily operations. Is a security vulnerability assessment really worth the resources? These five questions will help you decide.

What Does It Entail?

A vulnerability assessment identifies precious assets as well as how attackers could steal them from you. Not surprisingly, 2014’s most common attack vectors were:

  • Software exploit (53 percent).
  • User interaction, such as opening a malicious email attachment or clicking through an unsafe URL (44 percent).
  • Web application vulnerability, like SQL injection, XSS or remote file inclusion (33 percent).
  • Use of stolen credentials (33 percent).
  • DDoS (10 percent).

It’s impossible to patch every vulnerability. “You can scan and patch 24/7, 365 days a year,” says Forrester security researcher Kelley Mak, “and still not take out a significant chunk.” The key is to identify vulnerabilities that will result in the most damage to your bottom line.

How Frequently Should We Assess?

Frequency depends on what kind of data you store and what kind of business you operate. If you can say yes to the following, you should assess more often:

  • You’ve never assessed security vulnerability before, or it’s been a while. In either case, establish a baseline with frequent assessments for a year or so. Then dial back the frequency.
  • You’re subject to regulatory compliance. If you’re just checking boxes, you’re only getting a limited security picture. Compliance is a baseline, not an effective defensive posture.
  • You’re a contractor for a government agency or valuable enterprise target. Cybercriminals love to use SMB vendors to break into higher-value targets. If one of your employees’ stolen authentication creds cost an enterprise millions of dollars, you’d kiss your contract goodbye.

Can Ops Do It?

Give another sysadmin the SANS 20 recommended list of security controls. If they can understand the controls, evaluate the business against them and remediate the associated issues, let them handle it.

Already too busy to take on the project? Bring in a specialist. Keep expenses down by getting an initial third-party assessment, drafting an action plan and joining the entire ops team in implementing it.

What Does a Top-Notch Third-Party Assessment Look Like?

Before you hire someone, ask them to explain how they conduct a security vulnerability assessment. According to Robbie Higgins, CISO of AbbVie and author for SearchMidmarketSecurity, their services should include:

  • Information and infrastructure evaluation. The consultant should look at your information systems, stored data, hardware and software. Critical systems like billing, HR, CRM, legal and IP repositories are vital, but you should also focus on minor systems accessible by your own vendors.
  • Current threat landscape. In addition to knowing today’s common exploits and malware trends, your consultant should tell you what types of data attackers are after as of late and what kinds of organizations they’re currently targeting.
  • Awareness of internal soft spots. Attacks don’t always happen because employees are disgruntled. Simple incorrect data entry can expose you to an SQL injection.
  • Estimated impact. Your vendor should explain the degree to which each security vulnerability would affect data integrity, confidentiality and availability of your network resources.
  • Risk assessment. A good vendor combines weaknesses, threat landscape and potential impact to extrapolate your risks in priority order.
  • An action plan. Again, save on security consultation by letting your team execute this roadmap.

Is It Worth It?

Assessments and remediation could cost you in short-term payroll or a third-party consultant’s fee. But if they prevent a data breach that could shut down your business, almost any price is worthwhile.


One night you find yourself watching the news and – surprise! – another company has reported a data breach. The next day at Starbucks the cashier swipes your card, but the card doesn’t work. Now you have to take a detour to the bank. At the bank you find out that your card has been deactivated because the card number was compromised in the data breach you heard about the night before. They apologize for the inconvenience and say that you’ll get a new card in the mail within 7 business days. They give you a temporary card in the meantime.

This is the average scenario of what a consumer goes through when affected by a data breach. The worst part is the annoying stares you get at places like Starbucks and the time wasted at the bank, so it’s really just an inconvenience. First world problems, nothing more.

But there is an extreme version of this that goes beyond our replenishing credit cards. This scenario is where your entire personal and private information is sold on the online black market and your identity is effectively stolen from you. Even worse is that they know everything about you: where you live, when you got that scar on your head, that embarrassing surgery you got when you were 12, and your social security number.

Cyber Crime and Your Healthcare Data

Medical data is more valuable to cyber criminals than credit card numbers because medical records contain far more information. There is enough information in medical records to gain access to any account a cybercriminal sees fit. Information found in your medical records includes date of birth, social security number, address, birthplace, and even some of your parents’ information. This information can be used to access bank accounts, open new accounts, and even file insurance claims on your behalf. It can also be used to answer the security questions that reset passwords on your most important accounts.

But that isn’t even why your medical data is so lucrative to cyber criminals. The most important reason that cyber criminals would go after healthcare records instead of credit card numbers is that the healthcare industry is easier to hack. Criminals can spend less time attaining that information.

HIPAA and Healthcare Data Security

A recent report by BSIMM shows that the healthcare industry isn’t protecting data as well as it should be. Unfortunately, it’s not surprising. The healthcare industry is behind most other industries when it comes to data security. The Anthem breach earlier this year should have been a big indicator that our information isn’t being safeguarded as much as we like to believe.

Healthcare IT departments have been slower than other industries to adapt, but the blame cannot be placed solely on IT. In many cases, the issues lie within weak IT budgets and general lack of awareness from healthcare staff. What’s worse is that due to the lack of security measures in place, it is hard to detect data breaches if and when they do happen. In addition, when the breaches are detected, that business has a 2 month window to notify anyone who is affected by the breach as regulated by HIPAA.

A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. –HIPAA, Breach Notification Rule

Another reason that healthcare IT teams may be slow to adapt is that they may be taking a “good enough” approach. If covered entities are protecting themselves in accordance with the HIPAA regulatory guidelines, then IT has done its job. Simply put, HIPAA does not go far enough to hold the healthcare industry liable when data breaches are detected. Healthcare organizations get away with not implementing proper security measures, and the patients are the ones who lose.

Healthcare IT Policies To Minimize Risk

Since budgets fall too short and businesses have no incentive to go beyond the data security measures required by HIPAA, IT can at least protect itself in creative ways. It would not be unreasonable to consider that most of the users in the healthcare industry are not diligent about data security. All that it takes to compromise an IT infrastructure is a simple phishing attack or a hacked personal device connected to the same network as millions of health records. Educating employees on the most common forms of cyberattacks will go a long way in ensuring that a data breach does not happen.

Creating stricter policies around personal device usage on healthcare networks may also be a strong step in the right direction; however, being stricter means more time spent policing the policies that have been put in place. Expecting employees to follow these rules will, more likely than not, become an employee trust system.

Of course there are several ways IT can be creative in keeping employees informed of the threats and asking them to be diligent, but at the end of the day healthcare IT departments need more cash to implement more secure infrastructure. And unless HIPAA is changed to push for these stronger security measures, healthcare companies are not going to give IT the budget they need to keep their data safe.

What began as privacy issues for a few high-profile celebrities has turned into a laundry list of famous folks whose phones (and selfies) have been hacked and exposed across the Internet. Leaked photos of Oscar winners and pro wrestlers alike continue to make headlines. It all reinforces the critical need for data security in both our private lives and in our workplace.

Businesses in particular should acknowledge the importance of these privacy breaches in highlighting the rise in cyber attacks and growing risks of theft and data loss. Data has value and will always be a target for would-be hackers and adversaries. But data is also the lifeblood of most organizations. Managing risk by recognizing and shoring up points of vulnerability is the difference between using data as a competitive advantage and being the victim of a catastrophic data loss.

Data that is safely locked away in business systems can be protected by establishing IT security controls. Data that is moving beyond the firewall introduces risk factors into the equation that can be difficult, if not impossible, to control.

For businesses that are forced to deal with compliance and legal implications, transferring information is even more complicated. Many businesses are turning to a managed file transfer (MFT) system. This system enables the reliable and secure transfer of files between third parties across the Internet. MFT offers end-to-end encryption, guaranteed delivery, and centralized logging to allow administrators to always know where files are located, with accuracy.

Unlike traditional or manual file transfer options, MFT incorporates much higher levels of security, scalability, integration, reporting and other features. With MFT, organizations can bring order, predictability and security to file movement. This improves business performance and reduces risk. (Check out “5 Must-Haves for File Transfer Compliance” to learn more about a clear framework to improve compliance processes and infrastructure in borderless enterprises.)

Ensuring that files arrive at the intended destination securely and without incident will never create the level of excitement generated by the news of celebrity hacks. That is a good thing. Avoiding security related headlines is the goal of every organization. The results of a breach or hack can be devastating from both a financial and reputation perspective. Anyone who doubts this need look no further than Sony or Home Depot. So when it comes to securing critical assets in motion and keeping intellectual property under organizational control, MFT should find its way onto everyone’s A-list.


Internet crime and electronic banking security

The already-infamous Anthem data breach has put personal information belonging to 80 million health insurance customers at risk after hackers gained access to their network. Customer names, birth dates, home addresses and Social Security numbers are reported to be stolen. The sheer reach is astounding. The breach at Anthem is the world’s largest within the healthcare industry. And it now ranks as America’s third largest after Heartland in 2009 (130M records stolen) and TJ Maxx in 2007 (94M records stolen).

There’s no such thing as perfect security and my heart goes out to the IT team at Anthem. They’re working 24/7 to batten down the hatches. Hackers will always find vulnerabilities to get what they want. They’ve got plenty of motivation. The monetary value of the data stolen from Anthem could be worth hundreds of millions of dollars on the hacker black market.

Anthem responded quickly

A fast response is a good response when you are in crisis mode. Over the course of one day, Anthem:

  • Emailed customers to share the news, pledging support
  • Launched a site called AnthemFacts to address concerns
  • Published an open letter from CEO Joe Swedish apologizing for the incident
  • Offered free credit monitoring services

Anthem is getting praise for being proactive and transparent. But some of the company’s security practices have come under fire. Security and compliance in healthcare is a journey, not a destination. IT teams need to do their best to manage and protect the high volume of files related to Protected Health Information (PHI).

Managed file transfer helps healthcare organizations become more secure and compliant

Our healthcare customers have told us that a managed file transfer solution has helped them in the following ways:

  • Manage and control all file transfer activity from a central point of control; automate processes
  • Transfer patient files reliably and securely
  • Enable employees to easily send files using IT approved methods
  • Gain complete control over file transfer activity
  • Guarantee delivery (non-repudiation and file integrity)
  • Integrate with existing IT security systems
  • Reduce cost and time to achieve and maintain HIPAA compliance
  • Improve reliability and availability for data back-up

Additionally, a cloud-based MFT solution uniquely offers the additional benefit (since the facility and systems are directly managed) of being certified HIPAA compliant by a third-party auditor. Always make sure a hosted solution has a signed HIPAA Business Associate Agreement with explicitly defined responsibilities to help achieve HIPAA compliance quickly.

Bottom line: don’t take chances when it comes to your IT security. Make sure your critical information is kept safe. Put tools and technology to use both when data is on the move and when it is stored within your network.

PS – Check out how our customer VIVA Health successfully and securely transfers healthcare data, demonstrates regulatory compliance, and automates manual tasks with Ipswitch MOVEit managed file transfer.

Yesterday Dropbox posted an update at the end of their 10/13 blog that noted their servers were not hacked. Apparently the compromised credentials in question were stolen from a different source. At the end of the day, Dropbox isn’t to blame. The stolen credentials were used to access multiple services, including theirs.

So let’s leave the folks at Dropbox alone. Every organization that holds personally identifiable information (PII) is a target. And I agree with Dropbox’s advice to their users: use unique passwords across different sites, and when possible, add a layer of security to make things a lot safer.

Like everyone else, I just want to keep all my work and personal stuff online safe. So the Dropbox brouhaha got me thinking about how hard it is to remember and manage all my user account names and passwords. I’m a Mac guy and have found Apple iCloud Keychain to be helpful for managing my personal login credentials, but it has limitations.

Identity management in the enterprise world

IT pros who are responsible for security and compliance around managed file transfer and/or file sharing security should work with an identity management provider to evaluate solutions integrated with SAML 2.0. These vendors’ products can provide single sign-on (SSO), data loss prevention and two-factor authentication – any and all of which will add layers of security to protect personal and business information.

At the end of the day, security should be accessible to everyone in the borderless enterprise composed of employees, customers and partners.


If your files could talk, I guarantee that they would have a lot to say. With larger quantities of data being shared across more devices than ever before, we often mismanage our files and lose critical information.

Nearly half (42 percent) of IT professionals report their organization does not mandate secure methods for transferring corporate information according to a recent Ipswitch survey. In addition, 18 percent of IT professionals admit they have lost a critical file and 11 percent have spent more than an hour trying to retrieve that file.

Organizations need to reevaluate their file transfer strategy because let’s face it – our files are not happy with the way they are handled. Here are five things they would tell us if they could:

  1. I don’t feel safe. I need more protection: Cyber incidents occur at an alarming rate and cost the economy billions of dollars each year. It’s important for IT professionals to protect the file transfer server by running frequent penetration tests, vulnerability scans and static code analysis, and by storing files encrypted so they cannot be easily executed in the server’s host OS. Additionally, file transfer solutions must incorporate rigorous control and security measures to meet Service-Level Agreements (SLAs) and compliance requirements. In the healthcare industry, for example, compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has fueled businesses to find ways to securely transmit protected health information (PHI) and meet the law’s requirements. Managed File Transfer (MFT) systems are a key component to enable secure file transfer and auditing to support compliance.
  2. If I were to go missing, would anyone care?: Not only are lost files a huge headache for IT, they are also a huge risk for an organization. Losing sensitive information, whether it is patient or financial data, can result in costly damages and cause an organization to fail an audit for non-compliance. MFT systems guarantee delivery of data and track files so IT professionals are aware of their locations and who accessed them at all times.
  3. I want to make my mark in the world: Files want to be seen and leave their imprint in the system. When employees use unauthorized applications, such as Dropbox, to share or download files for personal use, there is a true lack of visibility or audit trails. It’s important that businesses maintain control of company data and keep the flow of data transparent. It’s not just the employee that gets into trouble for sending a file in an unsecure manner; it’s the entire company that suffers, particularly if there is a breach as a result.
  4. I have places to be and little time to spare: In another survey conducted by Ipswitch this year, more than 100 IT professionals highlighted just how stressful a manual approach to file transfer can be: 61 percent equated manual file transfer processes to sitting in traffic. Manually transferring files can slow the transfer process and cause more interruptions for IT. Automated MFT solutions allow for efficient transfers and give back time to the IT department and make them look like heroes when they can quickly automate repetitive transfer-related tasks for business users. MFT allows files to get where they need to be much more quickly and securely.
  5. I want to feel cared for: If your car breaks down, you have AAA come repair your car onsite or take your car to a service station. Files want that same assurance with high availability and disaster recovery features. In addition to the soft costs, such as time and reputation, there are also hard costs that come with being unable to reliably transfer files between employees, partners and customers, including missed SLA penalties, lost business opportunities and impact on supply chain. By leveraging high availability, horizontal scaling, and disaster recovery as part of file transfer processes, organizations can ensure that critical files are delivered consistently and reliably.

I think it’s time IT professionals start listening to their files to understand the existing problems with their file transfer processes. MFT gives files what they want – security, reliability and visibility.

News broke yesterday afternoon that a group of hackers had compromised file transfer servers at several leading organizations after obtaining credentials for thousands of FTP sites. According to the report, hackers were even able to upload several malware program files to an FTP server run by the NYT and picked up a list of unencrypted credentials from an internal computer. A big concern there – and in particular for an organization with a large email database like NYT’s – is that those files could be incorporated into malicious links that could be used in spam messages.

My initial reaction: how is FTP security still making headlines in 2014? And secondly: hacks like this are exactly why people are more carefully evaluating their use of file transfer and in some cases, moving away from FTP to other versions of file transfer that more clearly suit their needs.

FTP servers are online repositories where users can upload and download files, and they’re designed to be accessible remotely via login and password. In some FTP set-ups, files remain there unencrypted and susceptible to foul play should credentials be obtained by the bad guys, which is the case here.

Reading deeper into the story, we can glean a few things about the compromised data in the FTP servers:

1) It was unencrypted, and therefore an immediate leak would not require much additional work by hackers. Any organization transferring sensitive data should use encryption while data is in motion and at rest.

2) Once one server gets hacked, others follow. What was hacked was most likely an application that housed the credentials insecurely, or maybe a programmer who was working on that application clicked a link that scraped his machine for the passwords. Then the hackers could access new sites using those passwords, and so on, and so on.

3) It’s unclear if the data was used for destructive purposes, i.e. the spamming example I mentioned above. Because most FTP servers offer poor reporting and auditing features, it can be difficult to piece back together what the attackers did once inside the FTP.

Additionally, the FTP passwords must have been stored in clear text or encrypted with a sloppy algorithm or lazy key management. This is inexcusable in today’s digital age. These organizations could have salted and hashed their passwords, greatly improving their security.

In summary, there are a few critical steps your business can take to decrease file transfer risk:

1) Make sure to store credential information securely and encrypted with diverse, complex, and numerous keys.

  • Only use secure protocols for transfer
  • Salt and hash passwords; never store the actual password
  • Disable anonymous access (if allowed at all)
  • Require multi-factor authentication (with certificates, smart cards or IP address limits)

2) Check the file’s payload.

  • Scan files for viruses and malware on upload
  • Limit the file types that can be uploaded (no .htm, .php, .vbs, .exe, etc.)

3) Make sure to have good reporting and auditing of suspicious logins.

4) Protect your file transfer server.

  • Frequent penetration tests
  • Frequent vulnerability scans
  • Static code analysis
  • Store files encrypted so they cannot be easily executed in the server’s host OS

5) Ensure your teams, all of them, are aware of security and know not to click on things from dubious sources. All it takes is one click on one bad link to create a breach.
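The following is an added example, not code from the original post or from Ipswitch, showing how a file transfer server could implement three of the steps above in a few dozen lines: salted password hashing with a constant-time check (step 1), an upload extension allowlist that also rejects the blocked types listed in step 2 even as a hidden double extension, and a simple audit pass over login events that flags sources with many failed logins and a success following them (step 3). The iteration count, the allowed-extension set, the log line format and the sample log lines are all constructed assumptions for the example, not values from the post.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Optional

# --- Step 1: salt and hash passwords; never store the password itself ---
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware; higher is slower for guessers


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)  # a fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the two digests first differ
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- Step 2: limit the file types that can be uploaded ---
ALLOWED_EXTENSIONS = {".pdf", ".csv", ".txt", ".zip"}  # assumption: what this business exchanges
BLOCKED_EXTENSIONS = {".htm", ".html", ".php", ".vbs", ".exe"}  # the types named in the post


def is_upload_allowed(filename: str) -> bool:
    """Allow only by final extension, and reject a blocked suffix anywhere in the name
    so that 'report.pdf.exe' or 'shell.php.txt' are both refused."""
    suffixes = re.findall(r"\.[a-z0-9]+", filename.lower())
    if not suffixes:
        return False  # no extension at all: refuse rather than guess
    if any(s in BLOCKED_EXTENSIONS for s in suffixes):
        return False
    return suffixes[-1] in ALLOWED_EXTENSIONS


# --- Step 3: reporting and auditing of suspicious logins ---
# Constructed log format for the example: "<timestamp> LOGIN OK|FAIL user=<u> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

SAMPLE_LOG = [  # constructed sample events, not real data
    "2014-02-14T09:12:01Z LOGIN OK user=alice src=198.51.100.10",
    "2014-02-14T09:13:05Z LOGIN FAIL user=admin src=203.0.113.7",
    "2014-02-14T09:13:06Z LOGIN FAIL user=admin src=203.0.113.7",
    "2014-02-14T09:13:07Z LOGIN FAIL user=admin src=203.0.113.7",
    "2014-02-14T09:13:08Z LOGIN FAIL user=admin src=203.0.113.7",
    "2014-02-14T09:13:09Z LOGIN FAIL user=admin src=203.0.113.7",
    "2014-02-14T09:13:20Z LOGIN OK user=admin src=203.0.113.7",
    "2014-02-14T09:15:00Z LOGIN FAIL user=bob src=198.51.100.11",
    "2014-02-14T09:15:30Z LOGIN OK user=bob src=198.51.100.11",
]


def suspicious_logins(log_lines, fail_threshold: int = 5):
    """Return sorted (kind, source, failure_count) tuples that deserve a human look:
    a source with >= fail_threshold failures, and a success from such a source."""
    failures = Counter()
    success_after_failures = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a login event; ignore
        src = m["src"]
        if m["result"] == "FAIL":
            failures[src] += 1
        elif failures[src] >= fail_threshold:
            success_after_failures[src] = failures[src]
    findings = [("many_failures", src, n) for src, n in failures.items() if n >= fail_threshold]
    findings += [("success_after_failures", src, n) for src, n in success_after_failures.items()]
    return sorted(findings)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("upload report.pdf.exe allowed:", is_upload_allowed("report.pdf.exe"))
    for finding in suspicious_logins(SAMPLE_LOG):
        print("audit:", finding)
```

The stored record carries its own salt and iteration count, so the cost parameter can be raised later without invalidating existing credentials, and the audit pass produces findings from the events alone, which is the kind of trail the post notes most FTP servers cannot reconstruct after the fact.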

FTP has been around for more than 40 years, and we continue to see breaches like these on a regular basis. Simply put, companies need to carefully evaluate their systems to make sure their usage of technology maps to their needs. I guess I shouldn’t be surprised that data breaches via FTP still occur today, but more organizations should understand the risks involved, and seek solutions that improve all aspects of file transfer.

There is so much to absorb at RSA Conference.  The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.

Many of the people I spoke with shared similar concerns of data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools that people are using inside their organization to share files and data with other people. IT leaders are feeling pressure (and rightfully so) to regain control over how people share files with other people. It was also great to hear so many people talking about migrating to public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.

My favorite conversations at conferences are usually the ones I have with current customers…. And RSA was no exception.  Quite frankly, the key insights I learn from talking with customers help me do my job better.  Many thanks to the dozen or so Ipswitch customers that stopped by our booth and shared stories of how they have successfully consolidated and replaced the various homegrown file transfer tools and scripts, various vendor products, and manual processes they had been relying on with an Ipswitch MFT solution, resulting in improved efficiencies in their business processes as well as a simplified way to demonstrate compliance and consistently enforce security policies for all their file transfer and file sharing activities.

Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches.  Coincidence?   Perhaps.  But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations.  It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing. For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person-to-person file transfers: email encryption, attachment offloading, secure messaging, eDiscovery, and more. It not only gives companies unparalleled governance, but it also allows end users to send information, with anyone, in a fast, easy, secure, visible, and well managed way.

We will be talking a lot more about the topic of person-to-person file sharing in 2012, so stay tuned….

This morning I was asked if I recommended using transport encryption or file encryption to protect company files and data.

My answer:  “Use both of them, together!”

For starters, here’s a real quick summary of both encryption types:

  • Transport encryption (“data-in-transit”) protects the file as it travels over protocols such as FTPS (SSL), SFTP (SSH) and HTTPS.  Leading solutions use encryption strengths up to 256-bit.
  • File encryption (“data-at-rest”) encrypts an individual file so that if it ever ended up in someone else’s possession, they couldn’t open it or see the contents.  PGP is commonly used to encrypt files.

I believe that using both together provides a double-layer of protection.  The transport protects the files as they are moving…. And the PGP protects the file itself, especially important after it’s been moved and is sitting on a server, laptop, USB drive, smartphone or anywhere else.

Here’s an analogy:  Think of transport encryption as an armored truck that’s transporting money from say a retail store to a bank.  99.999% of the time that armored Brinks truck will securely transport your delivery without any incident.  But adding a second layer of protection – say you put the money in a safe before putting it in the truck – reduces the chance of compromise exponentially, both during and after transport.

One last piece of advice: Ensure that your organization has stopped using the FTP protocol for transferring any type of confidential, private or sensitive information. Although it’s an amazing accomplishment that FTP is still functional after 40 years, please please please realize that FTP does not provide any encryption or guaranteed delivery – not to mention that tactically deployed FTP servers scattered throughout your organization lack the visibility, management and enforcement capabilities that modern Managed File Transfer solutions provide.

Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.

  1. What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry?  Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
  2. What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
  3. And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
  4. What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?

If you don’t mind I’d like to give the public in general my 2 cents…

The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.

As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough:  Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.

Clearly, there’s a need for organizations to better secure confidential and private customer information.  It seems that a week rarely passes without a new high-profile data breach in the news.  In fact, 2011 is trending to be the worst-ever year for data breaches.  And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.

The need to protect customer data is unanimously shared by honest people worldwide…. The issue is HOW to effectively govern and enforce the various data protection requirements and laws?

I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans”…. But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.

My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation:  “The devil is in the details with these laws.  We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data.  Companies are already victims in these attacks, so why are we penalizing them after a breach?  I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”

In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up.  First order of business is to identify where confidential files and data live in your organization and ensure visibility of that info (after all, how can you protect what you don’t know about?).  Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are being moved and consumed both internally and with business partners and across people, systems and various business applications.