Monday, February 23, 2009

The ex-employee threat

We all suspected it, and some might have done it as well. According to the latest Ponemon survey, nearly 60% of terminated employees take some sensitive company data with them. But the most troubling aspect is that ex-employees are still able to access company data even after they were let go!

I would think the majority of these can be prevented via good and simple baseline security. Some, of course, will need more sophisticated tools such as DLP that can track documents based on content. The hardest part will be stopping malicious users from taking a small set of extremely sensitive documents - for example, by taking a photograph of the document on their PC. If there are a lot of documents, it might be hard for the employee to do these manual tasks.

At the end of the day, one has to trust employees and be able to track documents and prosecute. If one or two high-profile cases end up in court, deterrence will become a good security policy!

Tuesday, February 10, 2009

Breaches: The collective yawn

Are the breach laws not effective at all? Is the public not concerned, or not paying any attention? Not sure what we should expect - outrage, public demonstrations, letters to senators? But as the recent article from NetworkWorld points out, folks don't seem to care much...

Possibly this apathy is picked up by organizations and, combined with the multitude of complex regulations and data protection solutions, the result is folks not knowing how to address these issues. The challenges may seem too much.

I think the right way to approach the problem is to take a risk-based approach - what is the most vulnerable area, and how do we protect it? Start with something small, since inaction does not help at all. For many organizations worried about losing assets outside the organization, protect the mobile data - that which goes outside the organization. This would mean laptops and USB devices to start out with, and go from there.

Obviously, if the threat is internal negligence, maybe look at DLP solutions that can, based on policy, prevent sensitive data from leaking outside the enterprise.

The main point is: start on the path. Don't wait to develop a comprehensive plan that takes a year to study and set up - look for quick hits and gains. As you deploy you will be able to develop the right plan for the enterprise.

Thursday, February 5, 2009

Breaches - up, up and away!

The news around breaches seems exactly like that of the current economy - gloom and doom all around. The latest in the fusillade is the analysis from Jon Oltsik of ESG. It looks like the number of breaches every year has been increasing - and this year it seems worse. With everything happening (Heartland, the VA settling, the recent Ponemon report, the McAfee trillion-dollar news), this new research is in expected territory.

However, one interesting nugget from Jon - 61% of small organizations had a breach in the last 12 months while 49% of large ones succumbed in the same timeframe. One would have expected the difference to be much higher. Larger organizations have the resources and the security technologies in place to prevent such breaches - much more so than smaller organizations. There could be many reasons for the smallish gap - large companies are bigger targets, have more employees, have stringent disclosure requirements, have more data, etc. All valid reasons...

While this might be true, my hypothesis is that current security measures are also not working in large organizations. Breaches do not just happen in one area (say laptops), but wherever data goes. And multiple, device-centric approaches to data protection do not mitigate breaches as much as folks would like to think.

One needs a better and more logical approach to data-protection. I firmly believe the information-centric approach is the way to go - protect data once, keep it protected wherever it goes - on any device and for any application.

Wednesday, February 4, 2009

BNY Mellon settles after breach

One more organization is now settling after a breach that affected over 600,000 customers. Apparently BNY Mellon will pay for 3 years of credit monitoring (an initial 2 years and now an additional 12 months). At a very conservative estimate of, say, $10 for each person for the three years, this comes to $6M - at $50 it is about $30M.

Amazing that folks don't take protecting data more seriously, as opposed to making the three credit agencies wealthy!

Tuesday, February 3, 2009

Heartland and end to end encryption

Interesting to note that Robert Carr, CEO of Heartland, is now calling for end-to-end encryption. In his words...

"I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed"

How this encryption will be implemented is another story - do we go with one product to protect data at rest (not one, but one for each device!), one for networks, etc.? I think this is a bad move - each time you move sensitive data from one device/network to another, you go through a decrypt/encrypt cycle - and guess what happens when you decrypt?

I think only a data- or information-centric approach to data protection can truly give you this end-to-end protection for data. Protect your data once, and the protection remains with the data wherever it goes - is this not what you really want?
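As an added illustration of the argument above (not code from the original post), here is a toy model of a record crossing a hypothetical chain of hops, once with per-device encryption that decrypts and re-encrypts at every boundary, and once with the record encrypted under its own data key before any hop touches it. The hop names, the keys and the sample record are constructed, and a throwaway HMAC-SHA256 counter-mode keystream stands in for a real cipher.

```python
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 12

def new_key() -> bytes:
    return os.urandom(32)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only, never for real data."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

# Hypothetical path a record travels; each hop has its own device or network key.
HOPS = ["laptop disk", "corporate network", "file server disk", "backup tape"]

def boundary_views(record: bytes, hop_keys: dict, data_key: Optional[bytes] = None):
    """Return (bytes held in memory at each hop boundary, final stored blob).

    data_key=None models device-centric protection: each boundary decrypts under the
    previous hop's key and re-encrypts under the next, so the raw record is in the clear.
    With a data_key the record is encrypted once and hops only wrap that ciphertext.
    """
    payload = record if data_key is None else encrypt(data_key, record)
    blob = encrypt(hop_keys[HOPS[0]], payload)
    views = {}
    for prev, nxt in zip(HOPS, HOPS[1:]):
        handoff = decrypt(hop_keys[prev], blob)  # what the transfer code holds at the boundary
        views[f"{prev} -> {nxt}"] = handoff
        blob = encrypt(hop_keys[nxt], handoff)
    return views, blob

def exposure_count(record: bytes, views: dict) -> int:
    """Boundaries at which the raw record sits in memory, readable without any key."""
    return sum(1 for v in views.values() if v == record)

def read_at_destination(blob: bytes, last_hop_key: bytes, data_key: Optional[bytes]) -> bytes:
    inner = decrypt(last_hop_key, blob)
    return inner if data_key is None else decrypt(data_key, inner)
```

With four hops the device-centric path leaves the record in the clear at all three handoffs, while the information-centric path exposes it at none of them and only the holder of the data key can read it at the destination.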

Monday, February 2, 2009

Cost of a breach - redux

More fun news about the cost of breaches. While everything in this economy is on a fire sale, it seems like the cost of breaches continues to escalate. First McAfee came out with a study claiming that the costs to fight and repair data breaches last year were about one trillion dollars! From the report:

McAfee made the projection based on responses to a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.

The respondents estimated that they lost data worth a total of $4.6 billion and spent about $600 million cleaning up after breaches, McAfee said.

I think the numbers are very high - I calculated $14B/year based on extrapolating the number of breaches since 2005 (~250M from attrition.org) with the average cost per breached record (~$200 from Ponemon). But this seems like a larger survey sample size - so I may be wrong.

Hot on the heels of the McAfee survey is the new report from Ponemon - costs are going up, the average cost of a breach is $6.6M, and similar interesting numbers.

The bottom line to all this - I think - is that costs are high and it is better to protect your data than to deal with the breaches and the lost business that comes with them.