
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Data security

Is the concern for data protection making half of all employees less productive?

In 2010, the Visual Data Breach Risk Assessment Study revealed that two out of three working professionals are displaying sensitive information on their mobile devices, such as social security numbers, credit card numbers and other non-regulated but sensitive company information, when outside the office. This points to the insight that in certain circumstances people value productivity over data protection when working. However, in circumstances when an individual values data protection, is the company potentially losing productivity due to visual privacy concerns?

The 2013 Visual Privacy Productivity Study, conducted by The Ponemon Institute, revealed that companies can lose more than data as remote working increases, with 50% of employees answering that they are less productive when their visual privacy is at risk in public places.

The Visual Privacy Productivity Study showed that employees are forced either to trade off working against the risk of private data being overlooked by nosy neighbours, or to stop working altogether. Based on these findings, lost productivity due to employee visual privacy concerns is potentially costing a US business organisation with more than 7,500 people over $1 million per year.

“While many companies realise that snooping and visual privacy presents a potential data security issue, there has been little research regarding how the lack of visual privacy impacts a business’ bottom line,” says Larry Ponemon, Chairman and Founder of The Ponemon Institute. “As workers become more mobile and continue to work in settings where there is the potential for visual privacy concerns, companies need to find solutions to address productivity as it relates to computer visual privacy in addition to dealing with the fundamental security issues of mobile devices.”

The study surveyed 274 US individuals from 5 organisations in a variety of sectors. More than half stated that their visual privacy had been violated whilst travelling or in other public places such as cafes, airports and hotels, and two out of three admitted to exposing sensitive data on mobile devices whilst outside the workplace. When asked how their organisation handles the protection of sensitive information in a public location, 47% did not think any importance was put on this and that no adequate policies were in place.

Other interesting findings include:

  • Employees are 50% less productive when their visual privacy is at risk and lost productivity costs an organisation approximately £350 per employee per year
  • Visual privacy impacts on transparency as users that value privacy are less likely to enter information on an unprotected screen.
  • Women value privacy more (61%) than men (50%), and women’s productivity is more positively impacted than men’s when the screen is protected with a privacy filter.
  • Older employees value privacy more, with 61% of over 35s compared to 51% of under 35s placing importance on privacy.

“Productivity loss is a major discovery in this survey and will hopefully encourage companies across all sectors to consider employee working practices and behaviours,” said Rob Green, Marketing Executive at 3M’s Speciality Display & Projection Division.

According to the survey, the devices used for work-related activities were:

  • Smartphone 65%
  • Laptop computer 65%
  • Desktop computer 45%
  • Tablet computer 29%
  • Netbook computer 14%
  • Other 2%

The 2010 Visual Data Breach Risk Assessment survey revealed that visual privacy on computer screens was an under-addressed area in corporate policy. Seventy percent of working professionals said their organization had no explicit policy on working in public places and 79% said that their company had no policy on the use of computer privacy filters.

The 2012 Visual Privacy Productivity Study reinforced these findings with:

  • 47% of those surveyed saying they were unsure or did not think their company placed an importance on protecting sensitive information displayed on a screen in public places
  • 58% were unsure or did not think other employees were careful about protecting sensitive information on computer or mobile device screens in public places. Corporate policy and education on that policy continues to be areas for improvement as it relates to visual privacy.

The full study is very informative about how the sponsor’s (3M) privacy filters can improve productivity and reduce risk and can be read here.


The growing threat of insider fraud not a top security priority for organizations

An Attachmate-sponsored Ponemon survey indicates that the growing threat of insider fraud is not a top security priority for organizations, which is proving to be a costly mistake.

On average, organisations experience approximately one fraud event per week, according to information from the second annual Attachmate and Ponemon Institute survey, “The Risk of Insider Fraud”.

However, only 44% of respondents say their organisation views insider fraud prevention as a top security priority, a perception which has declined since 2011.

The average cost of a data breach in a 2011 study was $194 per lost or stolen record.

The survey reveals some alarming data security trends:

  • On average, it takes 87 days to first recognize that insider fraud has occurred and more than three months (105 days) to get at the root cause of the fraud.
  • 79% of respondents say that in their organization a privileged user has altered, or is very likely to alter, application controls to access or change sensitive information and then reset the controls.
  • For 73% of respondents, an employee’s malfeasance has caused financial loss and possibly brand damage.
  • 81% say they have already had an employee use someone else’s credentials to gain elevated rights or to bypass separation-of-duty controls.
  • 48% of respondents say that BYOD has resulted in a significant increase in fraud risk.
  • 77% of respondents say the lack of security protocols over edge devices presents a significant security challenge and risk.

“This data demonstrates the invisibility of employee actions across an enterprise,” said Larry Ponemon, chairman and founder of Ponemon Institute. “While organizations may have policies and procedures to thwart insider fraud, it doesn’t mean employees will remain compliant, particularly with the rise of Bring Your Own Device (BYOD) practices.”

“Data security and insider threats continue to be a challenge for organizations, particularly as BYOD brings complexity to enterprise risk management,” said Christine Meyers, director of Attachmate’s enterprise fraud management solutions. “Next-generation enterprise fraud management solutions, such as Attachmate Luminet, are able to correlate cross-channel activity, score risk and provide a screen-by-screen replay of what actually occurred. Add to that the proven deterrence factor that arises from being able to see and monitor use and abuse, and you can see why customers choose to deploy this technology for fraud detection.”

Fraud statistics

  • On average, organizations have had approximately 55 employee-related incidents of fraud in the past 12 months.
  • More than one-third say that employees’ use of personally owned mobile devices has resulted in malware and virus infections that infiltrated their corporate networks and enterprise systems, and another 26% say it is very likely to occur.
  • 61% rate the threat of insider risk within their organization as very high or high.
  • 23% say insider fraud incidents existed six months or longer before being discovered, and 9% could not determine when they occurred.
  • 55% of organizations say their organization does not have the ability or intelligence to determine whether an off-site employee’s non-compliance is due to negligence or fraud.

Threats from BYOD, Mobility & Edge Devices

For the first time the study asks questions about the effect Bring Your Own Device (BYOD), mobility and edge devices have on the risk of insider fraud. We define BYOD as the employees’ use of their personally owned mobile devices (typically smart phones, tablets and laptops) for both work and non-work activities.

An edge device is a physical device that can pass packets between a legacy network (like an Ethernet network) and an ATM network, using data link layer and network layer information. An edge device does not have responsibility for gathering network routing information. It simply uses the routing information it finds in the network layer using the route distribution protocol. An edge router is an example of an edge device.

Edge devices and BYOD make it difficult to identify insider fraud

58% agree that BYOD makes it more difficult for the security or compliance department to have complete visibility of employees’ access and computing activities. The majority of respondents (78%) do not agree that employees’ access and possible misuse of edge devices is completely visible to the security or compliance department (100% – 32% of strongly agree/agree responses).

The study defined insider fraud as the malicious or criminal attacks perpetrated upon business or governmental organizations by employees, temporary employees and contractors. Typically, the objective of such attacks is the theft of financial or information assets, which include customer data, trade secrets and intellectual properties. Sometimes, the most dangerous insiders are those who possess strong IT skills or have access to an organization’s critical applications and data.

“With this research, we want to reiterate that organizations are not immune,” said Meyers. “The threat of insider fraud is a growing risk that can result in tangible financial loss to businesses. And the longer an organization takes to address it, the more costly it can become.”

The insider fraud survey includes results from more than 700 individuals at leading global organisations.


Survey reveals companies are taking risks whilst outsourcing consumer data

Experian Data Breach Resolution and the Ponemon Institute survey results identify opportunity for improved data oversight.

The study, “Securing Outsourced Consumer Data”, reveals that many organizations (46%) do not evaluate the security and privacy practices of vendors before sharing sensitive or confidential information.

The survey covered almost 750 individuals in organizations that transfer consumer data to third-party vendors. The survey’s aim was to increase understanding of data breach frequency when consumer data is outsourced, to determine what steps are taken to ensure vendors’ data stewardship, and to evaluate privacy and security practices between companies and outsource vendors.

“Many companies have higher standards for their in-house data security practices than they have for vendors that they enlist to hold customer information,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “The standards should be consistent, because not adhering to the same policies leaves companies vulnerable.”

When sharing sensitive and confidential consumer information, 49% said that they do not monitor or are unsure whether their organization monitors vendor security and privacy practices.

Additional key findings from the survey include:

  • 56% of respondents acknowledged incidents when their organizations did not act on a vendor’s data breach.
  • Outsourcing consumer information demands oversight: survey results indicate that organizations that transfer or share consumer data with vendors experience data breaches more often than not.
  • 65% of respondents said their organization had a data breach involving the loss or theft of their organization’s information.
  • 64% of respondents reported their organization has experienced more than one data breach.
  • Training is essential to protect against data breaches: the causes of data breaches can be reduced significantly through enforcement of policies and effective training.
  • 45% of respondents reported negligence as the root cause of third-party data breaches.
  • 40% of data breaches were the result of lost or stolen devices.
  • Security and control procedures need improvement.
  • 56% said their organization learned about a data breach accidentally.
  • Only 27% said the organization’s security and control procedures uncovered the incident.
  • 23% said the vendor’s security and control procedures alerted the organization to a breach.

“It is imperative that businesses and organizations place a priority on evaluating a vendor’s ability to secure sensitive data,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.

What happens after a data breach?

A report by Solera Networks and Ponemon reveals rise in security breaches, with organisations taking months to detect and contain them.

The Ponemon report “The Post Breach Boom”, commissioned by Solera Networks, polled 3,529 IT and IT security professionals in eight countries to understand the steps they are taking in the aftermath of malicious and non-malicious data breaches over the past 24 months.

Highlights of the research include:

Data breaches are on the rise and organizations are unprepared to detect them or resolve them:

  • 54% of respondents said data breaches have increased in severity.
  • 52% said their frequency had increased.

Additionally:

  • 63% say that knowing the root causes of breaches strengthens their organization’s security posture.
  • 40% say they have the tools, personnel and funding to pinpoint the root causes.
  • Breaches remain undiscovered and unresolved for months. On average, it is taking companies nearly three months (80 days) to discover a malicious breach and then more than four months (123 days) to resolve it.
  • Security defences are not preventing a large portion of breaches. One third of malicious breaches are not being caught by any of the companies’ defences; they are instead discovered when companies are notified by a third party (law enforcement, a partner, a customer or another party) or discovered by accident.
  • 34% of non-malicious breaches are discovered accidentally.
  • Malicious breaches are targeting key information assets within the organization: 42% of malicious breaches targeted applications.
  • 36% targeted user accounts.

Details of Impact and the cost of breaches from the report

  • On average, malicious breaches cost $840,000, significantly more than non-malicious data breaches at $470,000.
  • The average cost of a data breach per compromised record is $194.
  • However, if the root cause is a malicious insider or attack, the average per-record cost climbs to $222.
  • Breaches attributed to a negligent insider average far less, at $174 per compromised record.

For non-malicious breaches, lost reputation, brand value and image were reported as the most serious consequences by participants. For malicious breaches, organizations suffered lost time and productivity followed by loss of reputation.

Following a malicious breach, organizations more often invested in enabling security technologies (65% vs. 42% of respondents). They also more often made changes to their operations and compliance processes to better prevent and detect future breaches (63% vs. 54%).

Endpoint security and encryption tools were the most popular following a non-malicious breach and SIEM and encryption tools were most frequently purchased following a malicious breach. Breaches drive increased spending on data security, according to 61% of respondents. The average increase is 20%.

52% of respondents say the breach resulted in an increase in spending on forensic capabilities. Among those organizations that spent more the increase was an average of 33%. This represents 13% more than the increase in data security funding.

“Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing, Solera Networks. “In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks.”

“Our study confirms that organizations are facing a growing flood of increasingly malicious data breaches, and they don’t have the tools, staff or resources to discover and resolve them,” said Larry Ponemon, chairman and founder, Ponemon Institute. “Meanwhile, months are passing as their key information assets are left exposed. The results demonstrate a clear need for greater and faster visibility as well as a need to know the root cause of the breaches themselves in order to close this persistent window of exposure.”

midata kicks off with the support of government and businesses

The UK Government has announced a ground-breaking joint venture with 26 organisations to empower consumers to have more control over their personal data.

midata, launched on the 3rd November 2011, is a voluntary scheme that will allow consumers to access their data in a safe and secure way and make better decisions reflecting their personal wants and needs. New services made possible by midata will further assist consumers, whether it be in getting the best deal on their mobile phone contract or energy tariff, or managing their lives more efficiently.

Launching the midata vision, Consumer Affairs Minister, Edward Davey said:

“Currently, most consumer data is held by service providers, meaning only one side of the customer-business relationship is empowered with the tools of information management. midata seeks to redress that balance.

“This is the way the world is going and the UK is currently leading the charge. We see a real opportunity here, but others, including the US and EU, are also showing real interest in the programme and the economic benefits it can deliver. So if we want to continue leading the way, we need to develop a platform upon which the innovation and services that drive growth can be built. midata aims to do just that.

“I’m delighted that so many organisations are supporting our vision and I look forward to working with them closely as the programme progresses.”

The midata programme marks a non-regulatory approach to consumer empowerment and is in keeping with the Government’s broader focus on transparency and openness.

The next step will include setting time lines and developing online ‘personal data inventories’ (PDIs) in each sector, which will describe the types of data an organisation holds about each customer.

Protocols will also be established to handle any issues relating to privacy, data security and consumer protection. midata is also working with companies to develop common approaches that will allow customers to access their data, including their contact details, current tariffs and contracts, and to update basic information about themselves.

The PDI and access work will precede the release of data back to customers in an electronic format. The goal is to enable the first releases in the first half of 2012.

Businesses and organisations that have so far committed to working in partnership with Government to achieve the midata vision are:

  • Avoco Secure
  • billmonitor
  • British Gas
  • Callcredit
  • EDF Energy
  • E.ON
  • Garlik
  • Google
  • Lloyds Banking Group
  • MasterCard
  • Moneysupermarket.com
  • Mydex
  • npower
  • RBS
  • Scottish Power
  • Scottish Southern Energy
  • The UK Cards Association
  • Three
  • Visa

The other organisations involved are made up of government agencies and consumer groups.

The Government’s vision for midata

Consumer Data Empowerment

midata is a voluntary partnership between the UK Government, businesses, consumer groups, regulators and trade bodies to create an agreed, common approach to empowering individuals with their personal data.

midata recognises and supports the principle of individuals using their own customer information to gain an insight into their own behaviour, make more informed choices and better decisions, to manage their affairs more efficiently, and to obtain the products and services that best meet their needs.

midata is part of the Government’s growth agenda. It will help achieve economic growth by improving information sharing between organisations and their customers, sharpening incentives for businesses to compete keenly on price, service and quality, building trust and facilitating the creation of a new market for personal information services that empower individuals to use their own data for their own purposes.

Organisations can help realise the goals of midata by providing customers with the ability to access and re-use their ‘customer data’ – including data about customer transactions, interactions and usage behaviours that organisations collect.

The aim of the midata project is for organisations that collect, store and use customer data to endorse and work towards the following goals and principles.

Organisations collecting, using and holding customer data should:

  • Maintain and make available to customers accurate and up-to-date descriptions of the types of personal data they hold about these customers. (Consumer Data Transparency)
  • Develop, support and promote ways to release customers’ data back to them in a safe, privacy-friendly, portable and re-usable manner. This data should be made available to them online for free and to use as they see fit. (Consumer Data Access)
  • Minimise risks of data breaches and invasions of privacy. This includes:
    a) working to ensure that all personal information is accessed and released safely and securely;
    b) helping to create a personal data environment that enables individuals to hold, use and share their data in ways they understand and can trust, which protects their interests and empowers them to use their data for their own purposes. (Consumer Data Security)
  • Work with other organisations via the midata project to encourage the innovation of new consumer information services that deliver midata goals. (Consumer Data Innovation)

Consumer Data principles

The following principles will guide the project:

  1. Data that is released to customers will be in reusable, machine-readable form in an open standard format.
  2. Consumers should be able to access, retrieve and store their data securely.
  3. Consumers should be able to analyse, manipulate, integrate and share their data as they see fit – including participating in collaborative or group purchasing.
  4. Standardisation of terminology, format and data sharing processes will be pursued as far as possible across sectors.
  5. Once requested, data will be made available to customers as quickly as possible.
  6. The focus will be to provide information or data that may be actionable and useful in making a decision or in the course of a specific activity.
  7. Organisations should not place any restrictions on or otherwise hinder the retention or reuse of data.
  8. Organisations will work to increase awareness amongst consumers of the opportunities and responsibilities that arise from consumer data empowerment.
  9. Organisations will provide customers with clear explanations of how the data was collected and what it represents, and who to consult if problems arise.


Top 10 tips to avoid the Information Commissioner’s wrath


Sophos White Paper.

The UK Information Commissioner’s Office can levy fines of up to £500,000 for data breaches, which proves data security is essential. And while it’s not illegal in the UK to lose data – regulators understand there is no 100% in security – you do need to demonstrate you’re managing information risks responsibly. Read this paper to get the key items you should cover to avoid the ICO’s wrath in 2011.

Download the White Paper here – registration is required.


The State of Data Security a report by Sophos

Sophos has published its first report focused on data security, “The State of Data Security”.

The report is an excellent read, with 25 pages packed full of information and advice.

The report provides advice and guidance to businesses interested in protecting their data, including “Today’s IT and business managers must take a hard look at the risks and costs of potential data loss. Creating a proactive data security plan arms you with the knowledge you need to manage the risk and helps you to stay compliant with data protection rules and regulations.”

Some statistics and quotes from the report:

  • The U.S. had the highest cost per compromised record at $204, followed by Germany at $177, France at $119, Australia at $114 and the U.K. at $98.
  • CSO magazine’s 2011 CyberSecurity Watch Survey found that 81% of respondents’ organizations experienced a security event during the past 12 months, compared with 60% in 2010. Twenty-eight percent of respondents saw an increase in the number of security events as compared with the prior 12 months.
  • In a survey of 1,000 people in the U.K., 94% ranked “protecting personal information” as their top concern, equal to their concerns about crime, according to The Telegraph.
  • According to security expert Rebecca Herold, you’ll cover roughly 85 to 90% of compliance regulations if you practice effective data protection.
  • About 85% of all U.S. companies have experienced one or more data breaches, according to the Ponemon Institute.
  • In 2010, malicious attacks were the root cause of 31% of the data breaches studied, according to the Ponemon Institute, up from 24% in 2009 and 12% in 2008.
  • According to the Identity Theft Resource Center, at least 662 data breaches in the U.S. occurred in 2010, which exposed more than 16 million records. Nearly two-thirds of breaches exposed Social Security numbers, and 26% involved credit card or debit card data.
  • With over 500 million U.S. records of data breaches and loss since 2005, it’s no surprise that these data loss stories are headline news.

The report can be downloaded here.


PCI DSS Compliance Trends Study, 2011


Imperva and Ponemon 2011 PCI DSS Compliance Trends Study. Survey of IT & IT security practitioners in the U.S.

The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organizations that hold, process or exchange cardholder information.

In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.

In this study, the 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affect the organization’s strategy, tactics and approach to achieving enterprise data protection and security, and how the state of PCI compliance has changed since the first study. We also consider the reactions that IT and IT security practitioners in different-sized organizations have to compliance with PCI.

A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:

  • What is the state of PCI DSS compliance in the organization?
  • Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
  • What technologies are preferred to achieve compliance with PCI DSS requirements?
  • Does PCI DSS contribute to a decline in data breaches?
  • Where are the greatest threats to the security of cardholder data located?
  • What is the value PCI DSS compliance provides to the organization?

This year’s report shows that:

  • 55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data.
  • 39% say one of the data breach incidents involved cardholder data, and 6% report two to five incidents involving cardholder data.
  • The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011.
  • While the majority of PCI-compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate to have a positive impact on data security.
  • About 64% of PCI DSS-compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38% of non-compliant organizations reported suffering no breaches involving credit card data over the same period.
  • Certain technologies are adopted more quickly than others to comply with PCI. For example, code review saw the biggest decline in adoption.
  • The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33%.
  • 38% of the compliant organizations say their organizations had two or more breaches in the past 24 months, versus 78% of respondents in the non-compliant group.
  • 66% of respondents say their organizations retain and store primary account numbers for various reasons.
  • 33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made.
  • 58% of respondents say that their organization has conducted or is in the process of conducting an audit or assessment by a bona fide QSA professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization achieve its PCI DSS compliance requirements.

Download the Imperva and Ponemon report here.

Where do security breaches occur? What type of data is stolen and who makes the discovery?


Trustwave has published its Global Security Report 2011 and it has some very interesting research.

The research is drawn from incidents investigated by the company. Specifically, of a total of 220 investigations undertaken into suspected breaches, 85% were confirmed as breaches, and 90% resulted in data theft.

The headline statistics are:

Industry breakdown of where the incident happened

  • Food and beverage   57%
  • Retail   18%
  • Hospitality   10%
  • Government   6%
  • Financial   6%
  • Education   1%
  • Entertainment   1%
  • Construction   1%

Types of data stolen

  • Payment Card Data   87%
  • Sensitive company data   8%
  • Trade Secrets   3%
  • Authentication Credential   2%
  • Customer records   2%

This may simply reflect that Trustwave is a Payment Card Industry forensics and incident investigator, or it is further proof, if we needed it, that the bad guys are after the money.

Who found out that there had been an incident?

  • Regulatory detection   60%
  • Self detection   20%
  • Public detection   13%
  • Law enforcement   7%

Is it any wonder that the credit card issuers are strictly enforcing the Payment Card Industry Data Security Standard (PCI DSS) when merchants themselves discover only 1 in 5 Account Data Compromises (ADCs), otherwise known as breaches?

Previous research found that the majority of cards are used in multiple frauds.

Merchants come out on top in the time taken to detect a breach:

  • Regulatory detection  156.5 days
  • Public detection   87.5 days
  • Law enforcement   51.5 days
  • Self detection   28 days

This is interesting: only 1 in 5 breaches were found first by a merchant, which means the majority of breaches take over 100 days to be discovered.

Trustwave www.trustwave.com
