Category Archives: Editor’s Choice

Discover hidden cybersecurity talent to solve your hiring crisis

Not having access to technical talent is a common complaint in the cybersecurity world. Folks with security experience on their resumes are in such high demand, CISOs need to hunt beyond the fields we know. To borrow a phrase from the ever-logical Mr. Spock, CISOs need to embrace Infinite Diversity in Infinite Combinations. By this I mean embracing diversity not only of bodies but of talents and experiences. First, focus on acquiring the key cybersecurity …

GDPR quick guide: Why non-compliance could cost you big

If you conduct business in the EU, offer goods or services to, or monitor the online behavior of EU citizens, then the clock is ticking. You only have a few more months – until May – to make sure your organization complies with GDPR data privacy regulations. Failure to abide by GDPR means you could get hit with huge fines. Finding and investigating data breaches: Why it’s always too little, too late Personal data protection …

Why do we need a risk-based approach to authentication?

20 years ago, everyone worked at a desktop workstation hardwired into an office building. This made network security simple and organizations felt they could depend on the time-tested method of the trusted perimeter. Firewalls were relied on to keep out external threats, and anything within the network was considered secure and safe. Today, however, the number of variables has skyrocketed. The move to the cloud, BYOD, and increased use of outside contractors means a legitimate …

Love letters from a Black Hat to all the fools on the Internet

As an underground, “black hat” hacker, I don’t have time for significant others. I’m too busy earning stacks of cash to improve my Bitcoin mining rigs and working to pay off college loans. This Valentine’s Day I want to show my appreciation by sending love letters to all those ignorant and over-trusting fools on the Internet that pay my bills by making the same mistakes over and over. To Bob from the law firm Roses …

Tackling the insider threat: Where to start?

Many organizations still believe the definition of an insider threat is limited to a rogue employee purposefully leaking embarrassing information, or nuking a couple of systems when he or she quits and walks out the door with internal or customer data to take to a new job. But not all insider threats have to be malicious to cause an incident. Perhaps someone on your marketing team wasn’t aware of their regulatory obligations in handling customer …

How to ensure your IT and security teams stay aligned amid digital transformation

Even for sensitive industries, the movement to cloud-based technologies is generally accepted as a cost-effective and efficient infrastructure strategy and immediate priority. The migration to more agile products is occurring in nearly every department, and physical security is no exception. New technologies make it possible for video surveillance data to shift from on-premises to the cloud, and provide additional insights to support larger digital transformation goals. In order to succeed, however, CIOs will need to …

7 steps for getting your organization GDPR-ready

While the EU has had long established data protection standards and rules, its regulators haven’t truly commanded compliance until now. Under the General Data Protection Regulation (GDPR), financial penalties for data protection violations are severe – €20 million (about $24.8 million USD) or 4 percent of annual global turnover (whichever is higher), to be exact. What’s more is that GDPR does not merely apply to EU businesses, but any organization processing personal data of EU …

Achieving zero false positives with intelligent deception

Cyber attacks are not single events. When attackers compromise an asset, they don’t know which asset is infected. They must determine where they are in the network, the network structure and where they can find valuable information. That means attackers carefully try to find out as much as possible about the organization. This is precisely the behavior that intelligent deception technology can exploit in order to thwart attackers and protect organizations. Breadcrumbs are clues for …

It’s time to get serious about email security

In today’s hyper-connected world, email is the foundation of every organization’s collaboration, productivity, and character. And despite annual rumors of its demise, there’s no reason to believe we’ll be writing its eulogy anytime soon. With its ubiquity and universal appeal, email is a treasure trove of sensitive business information. That’s why email leaks aren’t just data loss events. They’re direct attacks on your brand and reputation. Despite team collaboration and communication tools like Slack and …

GDPR: Whose problem is it anyway?

With the GDPR deadline looming on May 25, 2018, every organization in the world that transmits data related to EU citizens is focused on achieving compliance. And for good reason. The ruling carries the most serious financial consequences of any privacy law to date – the greater of 20 million EUR or 4 percent of global revenue, potentially catastrophic penalties for many companies. Compounding matters, the scope and complexity of GDPR extends beyond cyber security, …

Infosec expert viewpoint: Google Play malware

Researchers routinely discover a variety of malicious apps on Google Play, some of which have been downloaded and installed on millions of devices worldwide. Here’s what infosec experts think about the security of Google Play, what they think Google should do better, and what users can do in order to protect themselves from malicious apps on the official Android app store. Chris Boyd, Lead Malware Intelligence Analyst, Malwarebytes Google Play continues to have issues where …

Meltdown and Spectre: To patch or to concentrate on attack detection?

Patching to protect machines against Meltdown and Spectre attacks is going slow, and the provided patches, in some instances, lead to more problems than just slowdowns. In fact, Intel has admitted that they have “received reports from a few customers of higher system reboots after applying firmware updates.” “Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center,” Navin Shenoy, general manager of Intel’s Data Center Group, confirmed. “We …

Best Practices for Data Security

Most businesses have routine occasion to discard confidential data about their business operations or personal client information acquired through commerce. Data sets and reports such as customer lists, price lists, sales statistics by state or product line, drafts of bids, responses to RFPs, and internal correspondence contain information about business activity which would interest any competitor.

Every business is also entrusted with information that must be kept private in order to comply with certain industry privacy policies. Employees and customers have the legal right to have their data protected; if it is not, customers will certainly blow the whistle and flee to a competitor that can ensure proper data security.

Without the proper safeguards, paper-based information ends up in the dumpster, where it is readily, and legally, available to anybody outside of your organization. Business espionage professionals consider the trash the single most available source of competitive and private information from the average business. An organization that discards private and proprietary data without first properly destroying the paper exposes itself to the risk of criminal and civil prosecution, as well as the potentially costly loss of business.

The following discussion offers creative solutions for crafting guidelines and policies that will minimize the risks previously discussed. Whether you are in charge of IT, HR, or business operations, your business will benefit through the implementation of sound data security practices.

The period of time that business records are stored should be determined by a retention schedule that takes into consideration their useful value to the business and the governing legal requirements. Ideally, no record should be kept longer than this established retention period.

Failure to adhere to a program of routine destruction of stored records exposes a company to the potential accusation that it exhibits suspicious disposal practices. This could be negatively construed in the event of litigation or audit. Additionally, Federal Rule 26 of the Federal Law Code (Duty to disclose and general provisions governing discovery) requires that, in the event of a lawsuit, each party provide all relevant records to the opposing counsel within 85 days of the defendant’s initial response. If either of the litigants does not fulfill this obligation, it may result in a summary finding against them. By destroying records according to a set schedule, a company appropriately limits the amount of material it must search through to comply with this rule. Limiting the scope of the search for documents also minimizes the cost of maintaining the document repository.

From a risk management perspective the only acceptable method of discarding stored records is to destroy them by a method that ensures that the information is obliterated. Documenting the exact date that a record is destroyed is a prudent and recommended legal precaution.

Trash-based security breaches are more common today than ever before. In fact, one of the oldest security and privacy problems is the insecure disposal of personal information. The rate of data growth, in both digital and print formats, is astounding. According to a recent IBM report, exponential data growth increases the pressure on scarce IT resources, with the typical enterprise experiencing a 42 percent annual increase in data volume. Very few organizations have reliable procedures or practices for disposing of data, so new information accumulates on top of generations of stale data.

As the volume of electronic and printed information continues to grow, there are more opportunities for disposal-related data breaches to occur. To quantify and help assess the scope of the problem, we need only look to the news for a few recent data breach events:

In Maine, the Maine Veterans Hospital was investigated after confidential medical records were found in a dumpster.

In Indiana, personal documents that contained prescriptions for a powerful pain medication and patient information were discovered in a dumpster near the Indianapolis Medical Center.

In Chicago, a bankruptcy law firm dumped sensitive client information into a public dumpster, where it was readily available to anyone.

In Phoenix, a passerby found hundreds of documents from gym memberships, with credit card information and other personal data, overflowing a dumpster.

Paper-based security breaches are also global in nature. In Australia, according to a recent study by the National Association for Information Destruction (NAID), 30% of organizations are unaware of their obligations when it comes to destroying personal information.

What are the most common information disposal security mistakes?

Organizations on occasion donate printed documents containing personal information to outside groups, such as pre-schools and community groups, for use as scrap paper.

Organizations placing printed documents containing personal information into unsecured dumpsters without shredding them is an ongoing, and perhaps the most problematic, security breach.

The increasing frequency of security breaches due to poor disposal policies has led to a growing number of laws explicitly covering document disposal as well as specific legislative bills proposed at the state and federal level.

The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003, FACTA) has been in effect since 2005. It sets many very specific disposal requirements for all types of businesses conducting various types of credit checks.

Besides the fact that secure information disposal is now a legal requirement for businesses of all sizes, it simply makes sense to dispose of information securely as an effective way to prevent privacy breaches. By having effective disposal policies, procedures, and supporting technologies in place, businesses demonstrate reasonable due diligence. What should you do if the organization you work for currently has no disposal policies? Here’s an action plan to get you started:

Assign overall responsibility for information security and privacy compliance to a position or department within your organization. This should include responsibility for disposal of information in all forms. The IT department is a likely candidate for most companies as they typically have direct access to data in all forms.

Perform a disposal risk assessment to determine exactly how your organization currently disposes of all types of information. Then craft new information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.

“Shred paper-based documents, do not just toss them” should be an important part of your overall data security management policy. When either customer information or employee information is ready for the trash, it should be properly shredded if it contains information your organization does not want made public. Documents that contain names, Social Security numbers, date of birth, savings account balances, credit card numbers, stated individuals’ health conditions, or other personal information should always be shredded.

Also shred trash-bound documents that could potentially help your organization’s competition. Items such as customer lists, sensitive pricing information, strategic planning documents and trade secrets should be shredded, not tossed into the recycle bin.

Be especially diligent if you deal with information from consumer reports. The Fair Credit Reporting Act protects credit reports and credit scores as well as reports relating to employment background, check writing history, insurance claims, residential or tenant history, and medical history. Anyone who handles this type of information must follow strict disposal guidelines that may include burning, pulverizing, or shredding the paper documents so that the information cannot be read or reconstructed.

There are many options for shredding documents. There are cross-cut shredders in the $60-$2500 price range. Alternatively, there are outsourced shredding services that will pick up locked bins of sensitive documents and shred them on-site for a fee based on quantity. They will then cart away the shredded paper and provide a certificate of destruction.

If you choose to shred what features should you look for in an office shredder?

Next Generation In House Document Shredding

You want to look for a feature-rich shredder that is simple for you and your organization to use. Ideally, the shredder should have superior auto-feed technology built in so you do not have to sit there and hand-feed the documents. The shredder should accommodate crumpled paper, double-sided color printed paper, glossy paper, multiple sheets folded over, paper clips, staples, junk mail and DVDs. It should also be very quiet and secure, with lock-drawer technology.

One shredder that works well is the AutoMax 500C Shredder from Fellowes. It can quietly and securely continuously shred 500 sheets of paper into 5/32” x 1-1/2” cross-cut particles. This provides a security level of P-4, high enough to safeguard most companies in most industries.

Recent investments in the development of new document shredding technology now make the shredding process faster and more secure than ever before. Previously, organizations had to dedicate valuable employee resources to hand-feeding documents into a single-sheet shredder.

For example, the Fellowes organization has introduced document “load, lock and walk away” shredding capabilities to their AutoMax product line of large volume, auto-feed commercial shredders. These enhancements make the internal disposal of large quantities of confidential information a much easier task to accomplish. CIOs currently sending documents off-site for shredding should take a look at the potential cost savings and security benefits of shredding documents in house with a shredder such as the AutoMax 500C.

Related posts:

  1. Data Security Management for SMBs
  2. How to Manage Your Company’s Online Reputation in the Wake of a Data Breach
  3. Dropbox Corporate Usage Grows As Does Security Concerns

Data Security Management for SMBs

Data security management continues to be a top business challenge for CIOs, CTOs, and Senior IT professionals in small, medium, and large businesses across all industries. In fact, according to a recent survey by Gartner of more than 2,000 CIOs, data security remains a top ten CIO concern just as it has for the last decade.

Additionally, CIOs see some emerging technologies as fundamentally disrupting their business operations when looking forward over the next decade. These technologies include mobile, big data and analytics, social media, and public cloud, to mention a few. The underlying data security management threat remains a significant challenge to IT professionals as each of these emerging technologies is deployed within their organization. The data security issues surrounding these technologies are typically most disruptive when they are deployed in combination within an SMB technology operating plan that is often challenged for competing IT resources.

So how can IT staff craft effective data security management policies in an SMB? Traditional data security management initiatives focus first on minimizing digital security threats. The most popular threats today include malware, botnets, BYOD, cloud and mobile security. A comprehensive security policy will, however, include a plan for securing an organization’s non-digital assets as well as the digital ones. Think, for example, about your organization’s use of paper and the sensitive data contained in all those paper documents circulated throughout your organization.

What role should IT professionals play to protect sensitive corporate information printed within paper-based documents? The information technology group in smaller companies and the CIO or CISO in larger companies must take the lead in providing company-wide data security of both digital and non-digital assets. This implies that IT professionals take ownership of securing non-digital assets and provide mechanisms for employees to routinely shred sensitive paper-based documents that are no longer active. The paper-based assets should be viewed as an extension of the underlying digital data from which they were generated. When sensitive data is handled securely in this manner, organizations achieve cradle-to-grave secure access to this data and minimize their liabilities associated with the data.

Properly securing these non-digital assets is critical to your organization’s long-term success. There are many news reports of negative press or leaked sensitive corporate information originating from a nosy dumpster-diving investigator or competitor. Many times, searching through an organization’s trash is perfectly legal. Legality is based on the local laws and on whether the trash that is thrown out and then picked up by collection trucks resides on public property.

It is difficult to believe, but an individual’s trash is not always protected by privacy laws. According to a 1998 Supreme Court ruling, Americans do not have a right to privacy when it comes to their personal trash. Once paper has been discarded it becomes part of the public domain. In addition, the Economic Espionage Act of 1996 made it a federal offense to steal trade information, but it does not protect companies that fail to take reasonable steps to protect their information.

So what are considered “reasonable steps” that IT professionals should take in securing corporate information?

Organizations should hold onto paper documents only as long as they believe they are needed to produce, support, or maintain the organization’s products and services. The documents should also be retained as long as the law requires. At the point of document destruction, employees should follow corporate policies for disposal. This is especially true in heavily regulated industries such as health care, financial services, and legal services.

Every company’s IT department should have policies in place which dictate how long different types of documents should be kept available for recall. Some companies will digitize paper-based documents, store them in a retrieval system, and then shred the original. These digital retrieval systems do safely secure the information contained in these documents. Unfortunately, this is a luxury that is beyond the budgets of many SMBs.

The biggest challenge for securing paper documents is to set up retention policies for documents the employees need to handle and access in order to perform their jobs. A second challenge is the execution of the proper disposal instructions as soon as the retention period has expired.

“Shred it, do not just toss it” should be an important part of your overall data security management policy. When either customer information or employee information is ready for the trash, it should be properly shredded if it contains information your organization does not want made public.

Documents that contain names, Social Security numbers, birth dates, savings account balances, credit card numbers, stated individuals’ health conditions, or other personal information should always be shredded.

Also shred trash-bound documents that could potentially help your organization’s competition. Items such as customer lists, sensitive pricing information, strategic planning documents, and trade secrets should be shredded, not tossed into the recycle bin.

Be especially diligent when dealing with information from consumer reports. The Fair Credit Reporting Act protects credit reports and credit scores as well as reports relating to employment background, check writing history, insurance claims, residential or tenant history, or medical history. Anyone who handles this type of information must follow strict disposal guidelines that may reasonably include burning, pulverizing, or shredding the paper documents so that the information cannot be read or reconstructed.

There are many options for shredding documents. There are cross-cut shredders in the $60-$2500 price range. Alternatively, there are outsourced shredding services that will pick up locked bins of sensitive documents and shred them on-site for a fee based on quantity. They will then cart away the shredded paper and provide a certificate of destruction.

Next Generation In House Document Shredding

As the IT professional in an SMB, you will most likely wish to shred sensitive papers in house in order to contain costs. You want to look for a feature-rich shredder that is simple for you and your organization to use. Ideally, the shredder should have superior auto-feed technology built in so you do not have to sit there and hand-feed the documents. The shredder should accommodate crumpled paper, double-sided color printed paper, glossy paper, multiple sheets folded over, paper clips, staples, junk mail and DVDs. It should also be very quiet and secure, with lock-drawer technology.

One shredder that works well is the AutoMax 500C Shredder from Fellowes. It can quietly and securely continuously shred 500 sheets of paper into 5/32” x 1-1/2” cross-cut particles. This provides a security level of P-4, high enough to safeguard most companies in most industries.

Recent investments in the development of new document shredding technology now make the shredding process faster and more secure than ever before. Previously, organizations had to dedicate valuable employee resources to hand-feeding documents into a single-sheet shredder.

For example, the Fellowes organization has introduced document “load, lock and walk away” shredding capabilities to their AutoMax product line of large volume, auto-feed commercial shredders. These enhancements make the internal disposal of large quantities of confidential information a much easier task to accomplish. Organizations currently sending documents off-site for shredding, or just tossing sensitive documents in the trash, should take a look at the potential cost savings and security benefits of shredding documents in house with a shredder such as the AutoMax 500C.


Related posts:

  1. 7 Mobile Device Management Steps to Keep Your Data Safe
  2. IBM Announces New Big Data Security Tool
  3. Key Considerations for Your IT Security Management Checklist

White House Appoints McAfee CTO to Cybersecurity Post

The Obama administration officially selected a senior executive from McAfee to be the Department of Homeland Security’s top cybersecurity official.

Phyllis Schneck, a vice president and CTO for the public sector at McAfee, a unit of Intel, will start in early September as the deputy undersecretary for cybersecurity, a DHS official said. Homeland Security takes a leading role in protecting U.S. networks from foreign and domestic hackers.

She steps into a position that has seen quite a bit of recent turnover. Her predecessor, cybersecurity professional Mark Weatherford, remained in the job for about 18 months and left in April. His interim replacement, Bruce McConnell, announced his departure in July.

Washington continues to evolve its official position on how to deal with the private sector on security issues affecting the general public. One unresolved issue is whether the government should set minimum standards that companies in key industries like banking and energy should meet in order to protect their networks from cyberattacks. Companies wish to establish their own criteria, as they are continually frustrated by federal regulation that stifles their competitiveness while doing nothing to help secure their networks from cyberattacks.

We recently reported that the war on cybercrime continues for many organizations, and especially for their IT departments and CISOs. The total number of computer viruses, trojans and web attacks is growing at its fastest pace in four years.

In its recent quarterly “Threats Report”, McAfee said that it had found more than 8 million new kinds of malware in the second quarter. This represents an increase of 23% from the first quarterly report. There are now more than 90 million unique strains of malware in the wild, according to McAfee.

In a recent Norton Cybercrime Report, it was reported that breaches of various types claimed 431 million adult victims last year, with 73% of adults in the US alone incurring estimated financial losses of $US 140 billion.

As a criminal activity, cyber incursion is now almost as lucrative as the illegal drug trade. The total cost last year, including lost productivity and direct cash losses resulting from cyber attacks associated with viruses, malware and identity theft is estimated at $US 388 billion.

DHS has stepped up its involvement in the private sector in the past year. The department is increasingly sharing data on hacking attacks and other threats with private companies, including Internet service providers that can block those attacks, the Journal reported earlier this year. Those efforts are expected to continue under Schneck, who for eight years led a group at the Federal Bureau of Investigation that is tasked with helping the feds and private companies share information about cyberthreats.

“We have strengthened partnerships with the private sector to secure cyber networks and protect physical assets,” outgoing DHS Secretary Janet Napolitano said in a written statement. “I am confident that Phyllis will continue these efforts, and build upon the foundations laid by her predecessors, to create a safe, secure and resilient cyber environment and promote cybersecurity knowledge and innovation.”

Michael DeCesare, McAfee’s president, said in a written statement, “McAfee takes great pride in the strong partnership we have with the U.S. government and governments around the world.”

Published by myCIOview.com

Related posts:

  1. Is The Internet Really Safe? McAfee and Symantec Thinks Not
  2. Cybercriminals Increasingly Target Small Businesses.
  3. McAfee Works Hard to Secure Phones