Archives For breach

Interview On Cloud

December 17, 2015 — Leave a comment

This event closed 100% of the Attendees!

The above video comes from an interview I did with Randy Sklar, President of Sklar Technology Partners.  

Whenever you do an event, it is best to video it!

These video clips and interviews can then be used as promotional pieces for your next event – as well as catalyst for setting up meetings with companies that did not attend the event!

Try this and other great strategies presented in my latest book, The House & the Cloud.


© 2015, David Stelzl

What Question is Most Often Asked of the CISO, By The Board Of Directors?

And What Questions Should They Be Asking?

The big question being asked, according to Kim Nash, columnist for the WSJ, is: “Whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management (OPM)?” There are two things to consider here – First, who can answer this question? Second, is it the right question?

According to Kim, it’s not the right question – but let’s go to my first concern which is, “Who can answer this question?”

Will We Be Hit Like Target, Home Depot, or OPM?

Most executives can’t answer this question honestly. And their security team doesn’t really have a clue either. If they did, we wouldn’t be reading these stories every day.  And, if you look at the stories being published, it’s the big guys – yet we know statistically, 60% of the breaches are hitting the SMB market.  Most of these breaches never make the news.  So the board can ask, but they’re not likely to get the real answer.

If you didn’t see my comments on OPM, you might want to take a look (Read about Donna Seymour and OPM’s failure to protect our nation’s critical personnel data.) The board is missing the mark here because they misunderstand risk. In my book, The House & The Cloud (2nd Edition), I’ve given a lot more attention to the impact vs. likelihood graph than I did in the 2007 version – it’s a model I use to communicate risk to business leaders.

If you know security, the concept is pretty simple. The missing link in most assessments is a measure of likelihood. And that’s what the board is really asking – although they are asking it incorrectly. What they really need to know is: where’s our data, and what are the top 3 to 5 threats we are facing right now? Given these threats, what are the odds we’ll be hit over the next 12 months? (More detail on how to figure this out, starting on page 194 in The House & The Cloud.) As I said in my latest speaker promo video, risk needs to be presented in simple business language – in terms everyone who uses and depends on data can understand.
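To make the impact vs. likelihood model concrete, here is an added example in Python (not code from the book or from this post). It builds a small risk register from constructed, hypothetical figures, scores each threat as likelihood × impact, ranks the register to surface the top 3 to 5 threats, places each one in a quadrant of the impact vs. likelihood graph, and estimates the odds of at least one hit over the next 12 months. The threat names, probabilities, dollar figures and quadrant cut-offs are all assumptions made for illustration.

```python
"""Impact vs. likelihood risk ranking (added example; all figures constructed)."""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float  # P(at least one hit in the next 12 months), 0..1
    impact_usd: float         # estimated loss if the threat is realised


def sample_threats() -> list[Threat]:
    """Constructed, hypothetical register for a mid-sized company (not real data)."""
    return [
        Threat("Phishing credential theft", 0.60, 250_000),
        Threat("Ransomware", 0.30, 1_200_000),
        Threat("Lost unencrypted laptop", 0.40, 150_000),
        Threat("Insider misuse", 0.10, 800_000),
        Threat("Web app compromise", 0.15, 600_000),
    ]


def expected_annual_loss(t: Threat) -> float:
    """The 'risk' number business leaders can compare: likelihood x impact."""
    return t.annual_likelihood * t.impact_usd


def quadrant(t: Threat, likelihood_cutoff: float = 0.25,
             impact_cutoff: float = 500_000) -> str:
    """Place a threat on the impact vs. likelihood graph (cut-offs are assumptions)."""
    lik = "high likelihood" if t.annual_likelihood >= likelihood_cutoff else "low likelihood"
    imp = "high impact" if t.impact_usd >= impact_cutoff else "low impact"
    return f"{lik} / {imp}"


def rank_threats(threats: list[Threat], top_n: int = 5) -> list[Threat]:
    """Top-N threats by expected annual loss: the '3 to 5' the board should hear about."""
    return sorted(threats, key=expected_annual_loss, reverse=True)[:top_n]


def probability_of_any_hit(threats: list[Threat]) -> float:
    """Odds of at least one of these threats landing in 12 months.

    Assumes the threats are independent: P(any) = 1 - product(1 - p_i).
    """
    return 1.0 - prod(1.0 - t.annual_likelihood for t in threats)


def risk_summary(threats: list[Threat], top_n: int = 5) -> list[dict]:
    """One row per top threat, in the plain terms a board report needs."""
    return [
        {
            "threat": t.name,
            "likelihood_12m": t.annual_likelihood,
            "impact_usd": t.impact_usd,
            "expected_annual_loss_usd": expected_annual_loss(t),
            "quadrant": quadrant(t),
        }
        for t in rank_threats(threats, top_n)
    ]


if __name__ == "__main__":
    register = sample_threats()
    for row in risk_summary(register):
        print(f"{row['threat']:<28} {row['quadrant']:<32} "
              f"EAL ${row['expected_annual_loss_usd']:>12,.0f}")
    print(f"P(at least one hit in 12 months) = {probability_of_any_hit(register):.2f}")
```

The ranking is what changes the conversation: a threat with a modest dollar impact but a high likelihood (phishing in the constructed data) can outrank a dramatic but rarer one, which is exactly the likelihood piece most assessments leave out.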

One thing everyone must come to grips with is, every company is vulnerable just like Target, JP Morgan, Home Depot, and most recently Ashley Madison.

The question isn’t “Can they get in like they did at Target?” Rather, they should be asking, “Can we detect a breach in time to stop the damage?” Remember, like a house or bank physical robbery, hacking does take some time, and it does make noise – but you won’t hear it with your ears. You’ll need detection technology in place and the people with the skills and understanding to turn that data into intelligence.

So what’s the right question? Can we detect and respond before it’s too late?

Are You Getting To The Board?

Have you ever been invited to meet with or present to a board of directors? It’s a powerful moment in the sales cycle if you have something meaningful to say.  Yesterday I was working with a rep on some strategy, as part of the SVLC Security Mastery Sales Program. We were discussing strategies to get a CEO or Board level meeting.

Most are still working at the IT Director Level. Remember, the IT Director is low on the liability list for security. They might lose their job – but getting a new one, if they know security, won’t be hard. In fact, they may take a pay raise.  On the other hand, people like Donna Seymour of OPM are in trouble. (Again, read my post and consider Donna’s situation – is it her fault, or is there something bigger going on here?)

Now is the time to move up – company leaders need more security insight right now and the WSJ is backing you on this. The CISO cannot possibly figure all of this out in a vacuum. And aside from some of the largest accounts out there, their people won’t have the experience to do it either. Managed services (with a security focus), backed by skilled security experts, are needed to collect and analyze the data, repackaging it into something business leaders can use – intelligence.

What About SMB Companies?

Don’t let the Board of Directors thing keep you from your SMB accounts. The SMB is under fire right now – and the owner of that business is similar to the Board. They need to know the same things, they just have fewer resources to figure it out.

© David Stelzl, 2015


32 Million Important Records

Are you up on OPM? 18 Million personnel records breached in the Office of Personnel Management.  It’s the latest in a string of high-profile data breaches our government has suffered. There’s been some reporting on this, but not nearly enough.  The number was first reported around 4 million, then 18, and now, after a recent congressional hearing, the number may actually be as high as 32 million.  But there’s more…

Here’s what you need to know…

1. L. Gordon Crovitz, columnist for the Wall Street Journal writes, “The Chinese hackers managed to gain “administrator privileges,” allowing them full access to the computers …among other things, they were able to download confidential forms that list “close or continuous contacts,” including those overseas.” He goes on to report, “That’s not the worst of it. The administration disclosed a separate intrusion that gave Beijing full access to the confidential background-check information …that includes the 4.5 million Americans who currently have access to the country’s top secrets. The potential for blackmail is chilling.”

2. Much blame is being cast on the Chinese for this attack, however Crovitz points out that, given the opportunity, any government who has access to another government’s records is going to take them; the US included. It’s up to the US government to make sure our data isn’t available to other countries. We saw fines and personnel changes when Home Depot and Target were hit – what happens when the Government, the one who imposes these fines on private sector companies, makes the same mistakes? It’s an interesting question…

3. The fallout is potentially big.  While a recent Wall Street article suggests that the US data has not shown up in online chat rooms yet, Crovitz calls this issue a much bigger problem than Edward Snowden’s breach. He writes, “Millions of patriotic Americans entrusted with national secrets are going to lose much of their privacy because their government was unable to protect their confidential personnel records…That loss of privacy dwarfs the hypothetical risks from the NSA that have dominated the headlines.”

4. Other reports discuss national security… These “hackers accessed not only personnel files but security-clearance forms, current and former U.S. officials said. Such forms contain information that foreign intelligence agencies could use to target espionage operations.” WSJ. Apparently the government officials announced the personnel attacks, but held back on the security-clearance theft for at least a week.

Stay on top – learn the sound bites… in my book, The House & the Cloud, chapter 6, I discuss the power of sound bites and how to effectively use them (and how not to use them) in a sales call.

© 2015, David Stelzl

New York Times posted  this recently – And thanks to Fred at HP for sending this.  Yahoo email hacked!  Again, China is mentioned as the hacker’s origination.  For those of you fighting against people moving to the cloud – keep these articles in front of your clients!  I spoke about this in an interview a few posts down…creating large targets like Google and Yahoo, with all of our data, just doesn’t seem prudent to me.  Read more here: http://www.nytimes.com/2010/04/01/world/asia/01china.html

They’re all headed that way – EMR. Is it safe? Of course not. What makes this data at risk? There are two things; first, people want it and they know where it is…with the doctor and with the insurance company. Second, the people creating it, using it, and responsible for it are generally clueless as to the importance of what they have and how easily it will be lost.

Case in point, 1.5 Million Health Net customers exposed through a misplaced hard drive.  The funny thing about this report is that the people responsible for the data did not report it at first, because they didn’t know what was on the hard drive.  How can that be?  Well it can’t, but who wants to admit they exposed 1.5 million social security records in a for profit business?

Health care is a great vertical right now if you understand security.  I just completed an educational marketing event and had the privilege of sitting with several doctors over dinner. They didn’t want to talk about buying products – no surprise there, however they did want to learn about their liability and how to protect their reputation!

Following the event,  most of them were  open to having my client come in to review their risk levels.  Read about Health Net – it’s just one more example of Data@Risk due to uneducated users. http://www.courant.com/health/hc-healthbreach1119.artnov19,0,1798384.story

 

Where is your data?

October 30, 2009 — 2 Comments

I received this from one of my colleagues while sitting in the Las Vegas airport, heading home from last night’s Seattle event.   One of our event topics addressed the whereabouts of your client’s data…where is it?  It’s everywhere.  And that includes home.

In an article from Today’s Washington Post (Thanks to my official DC Correspondent Tim), sensitive data from the ethics panel (one of the most secretive panels in Congress) is now in the hands of, who knows who?  Inadvertently placed on a public network drive, an unnamed government employee was able to access and forward this information to the Washington Post!

“The committee’s review of investigations became available on file-sharing networks because of a junior staff member’s use of the software while working from home, Lofgren and Bonner said in a statement issued Thursday night.”

“Peer-to-peer” technology has previously caused inadvertent breaches of sensitive financial, defense-related and personal data from government and commercial networks, and it is prohibited on House networks.”

While it may be prohibited in government, it isn’t in most organizations. And the likelihood of the average user knowing that their kids have loaded this on home networks is small. This is just one more reason your clients should be constantly assessing, and putting technology in place to control data leakage.

The ITRC – Identity Theft Resource Center is a nonprofit organization that exists to “Educate consumers, corporations, government agencies and other organizations on best practices for fraud and identity theft detection, reduction and mitigation.” They put out a report each year summarizing who was breached and how many records were exposed (if known). 2008’s statistics came out last week… The first link points to the 200+ page report, however it is organized by company or organization so you don’t actually have to read it. Instead, look for companies that are either clients or prospects. The second is a summarized listing of records taken, sorted by company. A couple of things worth noting:

  • When the “exposed record” count is zero, the comment under “Was data stolen” is almost always “unknown”, so don’t take zero literally.
  • The ITRC report also indicates that 95+ percent of these companies did not have some of the critical security measures in place such as proper encryption and access control. Might be a sales opportunity.
  • If you call on government, you’ll notice that government breaches are declining – this may be a result of NIST requirements including two-factor authentication, encryption, and regulations against using social security numbers.

 

http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Report_2008_final.pdf

 

http://www.idtheftcenter.org/BreachPDF/ITRC_Breach_Stats_Report_2008_final.pdf