In my many travels visiting customers and IT professionals around the world, I ask a simple question: “What do you do when you have to send a file to someone that’s just too big?”  They ask me, how big is big?  I say too big for your email, or even worse, too big for the receiver’s email.  These attachments are typically large PowerPoint files, spreadsheets, uncompressed images, media files or even databases.  With a sheepish grin people usually tell me they use one of the free email services, like Gmail, MS Live or Yahoo.  However, recently the answer has shifted.  I’m now being inundated with business users and IT professionals professing their love for cloud services such as Dropbox.

In all fairness, if you look at my iPad (peeling it from my cold dead hands) you will see my Dropbox app and PAID Dropbox account.  So it’s unnerving for me to think about the four hours on Sunday when Dropbox left user accounts unlocked and you could access any one of the 25 million users’ accounts and data… including mine.  Yep, just type in an email address and use any password you want and it’s all yours.

According to Dropbox there wasn’t any nefarious activity, but if YOUR COMPANY’S information was on there – legitimately or illegitimately – you just had a data breach.  So I was a breach victim… and if I had any Ipswitch intellectual property on their servers, the breach is extended accordingly.  To Dropbox’s credit, their business is all about collaboration and file syncing, not governed file transfer or managed data at rest.  In the end, some of these types of cloud services will eventually get enough of it right to secure their future.  Some will last, many won’t.
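What “any password works” looks like in code, and the release gate that catches it, as an added example written for this page (it is not Dropbox’s code, and the page does not say what the actual defect was, so the broken variant below is a hypothetical refactoring mistake of the kind that produces exactly this symptom). The user store, PBKDF2 parameters and addresses are assumptions.

```python
import hashlib
import hmac
import os

# Constructed user store for the example: email -> (salt, PBKDF2-SHA256 hash).
# Assumption: this layout is illustrative only, not any real service's schema.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(store: dict, email: str, password: str) -> None:
    salt = os.urandom(16)
    store[email] = (salt, _hash(password, salt))


def login_fixed(store: dict, email: str, password: str) -> bool:
    """Correct check: unknown account and wrong password both fail,
    and the comparison is constant-time."""
    rec = store.get(email)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(_hash(password, salt), expected)


def login_broken(store: dict, email: str, password: str) -> bool:
    """Hypothetical regression: the 'does the account exist' check survived a
    refactor but the hash comparison did not, so any password is accepted for
    any known email. This reproduces the symptom described above; it is not
    Dropbox's code."""
    rec = store.get(email)
    return rec is not None  # BUG: the password is never compared


def rejects_bad_passwords(login, store: dict, email: str, good: str) -> bool:
    """Release gate: a login function passes only if it accepts the real
    password and rejects every candidate that is not the real password."""
    candidates = ["", "wrong", good + "x", "password", " " + good]
    accepts_good = login(store, email, good)
    accepts_any_bad = any(login(store, email, c) for c in candidates)
    return bool(accepts_good and not accepts_any_bad)


def demo() -> tuple:
    """Run the gate against both variants; returns (fixed_passes, broken_passes)."""
    store = {}
    email, pw = "alice@example.com", "correct horse battery staple"
    create_user(store, email, pw)
    return (rejects_bad_passwords(login_fixed, store, email, pw),
            rejects_bad_passwords(login_broken, store, email, pw))


if __name__ == "__main__":
    fixed_ok, broken_ok = demo()
    print("fixed login passes gate:", fixed_ok)
    print("broken login passes gate:", broken_ok)
```

The point of the gate is that it tests the negative path. A unit test that only checks “the right password logs in” is green for both variants; only the assertion that wrong and empty passwords are refused distinguishes them, and that assertion is cheap enough to run on every deploy of an authentication path.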

Regardless, how are you going to handle your data breach this morning?  I’m headed over to my boss’s office to explain my brazen disregard for corporate data.  He’ll probably buy me a new iPad 2 that’s locked down (wishful thinking) and order IT to set up a more secure way for me to be mobile with my documents (more wishful thinking).

Last week’s Sony data breach shattered TJX’s longstanding record for the largest customer data theft ever, a dubious honor that TJX has held since 2007.

The massive Sony breach leaves millions and millions of credit cards at risk.  Details still aren’t clear yet, but the Sony breach *may* have included the theft of customer credit card information, as well as other personal information such as billing addresses, usernames/passwords, email addresses, birthdays, and transaction histories.

Did Sony take reasonable care to protect, encrypt, and secure the private and sensitive data of its users?

Did Sony take too long to notify customers that their personal information had been exposed?

Looks like these questions will be answered in a courtroom as the first lawsuit resulting from the Sony security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.

The class action lawsuit seeks a trial by jury and fitting monetary reimbursement… The case overview cites “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” as cause enough, noting Sony’s “failure to maintain adequate computer data security of consumer personal data and financial data.”

For more information, take a look at the post on the Sony PlayStation blog.  I’m sure we’ll be learning more as further breach details are disclosed and as court proceedings advance.

Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches.  Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.

Here are a few noteworthy data points:

  • Nearly 800 data breaches were investigated in 2010, close to the roughly 900 breaches reported in the previous six years combined – a sharp increase in the annual rate
  • About 4 million records were compromised in 2010, significantly fewer than the 144 million compromised in 2009
  • Many breaches involved sending data externally – take this as a warning to pay more attention to information leaving your organization
  • 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach. That is a correlation rather than proof of cause, but it does suggest that organizations with rigorous compliance efforts are less likely to be breached
  • Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component

A key takeaway is that while the number of data breaches roughly quintupled in 2010, the number of compromised records actually dropped.  This is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.

As the Verizon team points out, in the world of cyber crime, knowledge is power.  Not only do companies require visibility into the files and data being transferred into and out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are accessed every day by internal and external systems, applications and people.

Security researcher Derek Newton and a few Dropbox users have found a significant security hole in Dropbox: the client keeps its authentication credential in an unencrypted local configuration file, and copying that file to another machine grants access to the account without ever entering the password.  They published their results and Dropbox responded.

Dropbox’s response is not adequate.  It’s not enough for them to bury their head in the sand and say that this security gap is not their problem if an attacker has physical access to the computer.  The very nature of Dropbox is that its users put the same credential onto many more computers, so every one of those machines, and every backup or stolen laptop holding a copy of that file, becomes a way in.  As such, these users are increasing the risk of their information being stolen and their businesses being compromised.

Instead, Dropbox needs to say what steps they are taking to close this security gap.  If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.

Encryption is the best way for Dropbox to proceed right now, and encrypting their configuration files would be the first and best place to start – provided the key is not stored beside the file, since a configuration that decrypts itself on any machine is no better than plaintext.  Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity.  Whenever they notice a blip or a change in a user’s activity, such as a linked machine suddenly syncing from a new network, they should send the user an email or SMS.

Third, no application or user should be given implicit access to a user’s files.  All access needs to be explicit.  An end user needs to specify each application and user that has permission to view, update, copy or remove their files. 
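Points two and three above can be expressed as a small server-side rule. The following is an added example written for this page, not code from Dropbox’s service: a device must be explicitly linked before its token is honored at all, and a linked device whose token shows up from a different network within minutes of its last use is flagged, which is roughly what a copied configuration file looks like from the server’s side. The event fields, device identifiers, addresses and the ten-minute window are all assumptions; the events are constructed, not real logs.

```python
from datetime import datetime, timedelta

# Constructed sample sync events (time, account, device_id, source_ip).
# Assumption: the field names are illustrative, not any real service's log format.
EVENTS = [
    ("2011-04-10T09:00:00", "alice@example.com", "host-1111", "203.0.113.10"),
    ("2011-04-10T09:05:00", "alice@example.com", "host-1111", "203.0.113.10"),
    # Same device identifier, different network, two minutes later:
    # the signature of a configuration file copied to a second machine.
    ("2011-04-10T09:07:00", "alice@example.com", "host-1111", "198.51.100.7"),
    ("2011-04-10T10:00:00", "bob@example.com",   "host-2222", "192.0.2.5"),
    # A device Bob never explicitly linked presents a token.
    ("2011-04-10T10:30:00", "bob@example.com",   "host-9999", "192.0.2.5"),
]

# Explicit allow-list: devices each user linked with a password login.
# Nothing outside this list gets implicit access.
LINKED = {
    "alice@example.com": {"host-1111"},
    "bob@example.com": {"host-2222"},
}

REUSE_WINDOW = timedelta(minutes=10)  # assumed threshold for "too fast to be roaming"


def evaluate(events, linked, window=REUSE_WINDOW):
    """Return (decisions, alerts).

    decisions: one 'allow' or 'deny' per event, in time order.
    alerts:    (kind, account, device_id, source_ip) tuples worth an email or SMS.
    """
    decisions, alerts = [], []
    last_seen = {}  # (account, device_id) -> (time, source_ip)
    for ts, account, device, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        if device not in linked.get(account, set()):
            # Point three: access is explicit. Unknown device, no access, and tell the user.
            decisions.append("deny")
            alerts.append(("unlinked_device", account, device, ip))
            continue
        prev = last_seen.get((account, device))
        if prev is not None and prev[1] != ip and t - prev[0] <= window:
            # Point two: allow but alert. Moving between networks is legitimate;
            # the same token from two networks within minutes usually is not.
            alerts.append(("possible_token_clone", account, device, ip))
        last_seen[(account, device)] = (t, ip)
        decisions.append("allow")
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(EVENTS, LINKED)
    for alert in alerts:
        print("ALERT", *alert)
```

The clone check alerts rather than denies on purpose: a laptop moving from office Wi‑Fi to a phone hotspot trips the same rule, so blocking would lock out legitimate users; an unlinked device, by contrast, has no legitimate reason to hold a token and is refused outright. Neither rule is a substitute for the first fix (not storing a bare, copyable credential), but both give the account owner the notification the text above asks for.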

As all our transactions become electronic, it’s more important than ever that securing the data, and securing access to it without compromising usability for authorized users, is the number one requirement for software vendors.

Did you know that the average cost of a data breach is $7.2 million dollars?

Or that the cost of each compromised record is $214, an increase of 7% over last year?

A data breach resulting in the loss or theft of protected personal data will have serious financial consequences on an organization – the least expensive breach reported in 2010 was $780,000 (and the most expensive one was over $35 million).  You can read more about the cost of data breaches in the Ponemon Institute’s 2010 U.S. Cost of Data Breach survey results.

Here are a few other key takeaways:

  • For the 5th year in a row, data breach costs have continued to rise
  • Lost business accounts for over 60% of data breach costs, the remaining amount is data breach detection, escalation, notification and response
  • Escalating data security threats and compliance pressures are driving rapid responses to data breaches, resulting in higher costs
  • Criminals now account for 31% of data breaches and they are significantly more expensive to contain and fix
  • Negligence remains the most common threat, and an increasingly expensive one

What is your organization doing to ensure the privacy and confidentiality of your information, including when it’s sitting on your servers, being shared between systems and business partners, and shared between people?  And don’t spend all your time combating criminal threats… Negligence now accounts for 41% of data breaches, so you must safeguard against negligence too.

Go ahead, estimate the data breach risk to YOUR organization.  First, ballpark how many sensitive records are floating around your company today… then multiply that number by $214.  I’m sure you’ll agree that the ROI on the time, technology and resources spent to protect company data is well worth the investment and risk avoidance effort.

Would you be surprised if I told you that nearly 40% of all data loss incidents reported between 2007 and 2010 happened between January 1st and April 15th?

According to the DataLoss Database there have been 2,402 data loss incidents reported between 2007 and 2010, and 916 of them happened during tax season.

Coincidence?  Maybe…

Tax season is upon us, and auditors are making the rounds.  So what are companies doing to prevent sensitive information from walking out the door?

Important questions companies should consider:

  • What kind of access is being granted to third parties, like auditors?
  • How are third parties handling and protecting your business-critical information?
  • What tax-related documents are being sent internally and externally – without a lock-and-key?

There is a critical need for visibility and security when handling sensitive documents either internally or with third-party providers – or with anyone else, for that matter.  Organizations must make it a priority to first identify the confidential information floating around its systems, people and between partners.  Then carefully consider where that data lives, who has access to it, and what policies should be implemented to ensure that it’s handled safely.

This week’s NASDAQ data breach has raised serious questions about the security of the US stock exchange and clearinghouses – not to mention further shaken an already fragile investor confidence.

My head is spinning just contemplating the possible ramifications if this network breach had resulted in the theft of non-public inside information that could be used illegally to gain a stock trading advantage!

Ipswitch’s Frank Kenney shares some additional thoughts on this week’s NASDAQ breach, including why it’s so critical that your software/service providers be held accountable for the security and privacy of your files and data.   The confidentiality of your information may very well depend on it.

Does it feel like you’re hearing about a new data breach almost every day?

Well guess what — you likely are.  The Identity Theft Resource Center recorded 662 data breaches on its 2010 ITRC Breach List.  That averages out to over a dozen reported breaches per week… and a whopping total of over 16,000,000 reported exposed records in 2010.  The fact that social security numbers and/or credit card information is included in the majority of breaches just makes things even more alarming!

Denise Richardson lays out a solid argument for mandatory data breach reporting, as well as some key takeaways from the ITRC Breach List, including:

  • Malicious attacks still account for more breaches than human error, with hacking at 17% and insider theft at 15%
  • 39% of listed breaches did not identify the cause, indicating a clear lack of transparency and full reporting to the public
  • 49% of breaches did not list the number of potentially exposed records, a clear sign of inaccurate and incomplete reporting
  • 62% of breaches reported exposure of Social Security Numbers
  • 26% of breaches involved credit or debit cards

As I’ve blogged about before, I firmly believe that affected individuals have the right to timely notification.  Delays are unacceptable, and hiding it is unthinkable.  Affected people deserve quick notification so they can check that their credit report isn’t showing strange activity and that their social security number isn’t being used to open new credit cards or to fraudulently report wages.

Mandatory disclosure would provide the structure, discipline and enforcement required for consistent and transparent breach information.  Compliance would require a very high level of visibility and control of all files that enter, bounce around and exit an organization.  This would benefit not only breached individuals, but also the organizations and their business partners.

Data breaches, confidentiality and privacy will remain key areas of concern in 2011, and these topics fuel many of Ipswitch’s 2011 security predictions.

2011 will be the year that smart companies shift their focus away from tactical (and often reactive) security tools and instead focus strategically on policy creation, management and enforcement.  More organizations will shift their approach from quick-fix to preventative.

Four more 2011 predictions:

  • Enterprises will start monitoring and managing the information flowing to and from personal email, IM and cloud-based services.
  • The largest data breach of 2011 will hit the retail sector.
  • A major data breach with further reaching diplomatic consequences than WikiLeaks will be the direct result of a lost smart phone or USB drive.
  • Organizations in the financial, media and health sectors will gain larger market share by leveraging company investments in MFT, specifically those that offer visibility, analysis and analytics.

I’ve blogged a bunch on Ipswitch’s 2010 research that unveiled startling trends about employee access and use of company information.  Our 2011 predictions are in part fueled by some of these facts:

And here is a fun video by Frank Kenney on top IT policies that WILL BE IGNORED by employees:

Let’s do a news recap of yesterday.  Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual.  Oh, and there was also notification of a few data breaches; most notably McDonald’s, the University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer).  Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonald’s, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two-dollar-a-gallon gas prices.

Lately, we are seeing more companies and institutions admitting to data breaches.  Passwords get hacked and ATM cards, identities and cell phones are stolen all the time.  Expect to hear about more breaches as companies move ahead of legislation that would force them to admit security breaches, and expect the media to pick up on the stories and run wild with them.  What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.

For example:

  • the McDonald’s breach was about third-party contractors and not enough governance around customer e-mail
  • the UW breach was about unauthorized access to databases over a two-year period… again, not enough governance around data storage and access
  • the Gawker breach was about outdated encryption of stored passwords and a rogue organization purposely trying to embarrass that community.

Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.

The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.

This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!

Two months ago we posted about the massive data breach at South Shore Hospital in Weymouth, Massachusetts, “800,000 Reasons Why MFT is Important”.

Well, the drama and the headaches continue.

What originally happened was that computer files containing personal information on about 800,000 people had been misplaced, possibly lost or maybe even stolen.  The information included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, and treatments relating to hospital and home health care visits.

Aspirin worthy.

On September 8th, 2010 Wickedlocal.com reported that “South Shore Hospital initially informed the Attorney General’s Office and the public that it would send individual written notice of the data breach to each affected consumer.”

Aspirin worthy, but the legal and responsible thing to do…that is until a brilliant idea occurred:

“However, South Shore Hospital has informed the Attorney General’s Office that it does not plan to send individual written notice to affected consumers. Instead, South Shore Hospital has chosen to invoke a provision under state law to notify consumers through the ‘substitute notice’ process, which means rather than receiving individual letters at their homes, consumers who are affected by the breach will be generally notified of the data loss through a posting on South Shore Hospital’s website, publication in newspapers throughout the Commonwealth, and by e-mail for those consumers for whom South Shore Hospital has e-mail addresses.”

So the move here is that to notify the people whose data they lost, they’ll put that information in a place where everyone can see it.  Isn’t that counter-intuitive?

In a related story on Healthdatamanagement.com – Joseph Goedert reports that:

“Massachusetts Attorney General Martha Coakley ‘has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss,’ according to a statement from her office.”

What are your thoughts on how South Shore Hospital is handling this? Am I the only one reaching for the Anacin?

“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office, where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees to move large files.  That makes it harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
– Frank Kenney, VP of Global Strategy at Ipswitch File Transfer

Last year (2009) the Ponemon Institute studied nearly 1,000 recently terminated individuals.  The study revealed that 42% of them had used USB memory sticks to take business data and that 38% had sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense William J. Lynn III.  The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.