Archive for Business Security
Found USB Drive in Parking Lot
Posted by: | CommentsI was recently told of a story of an incident that happened a few weeks ago. However, this is not the first time I have heard the tale. An employee is walking through the parking lot and finds a USB stick on the ground. Fearful that it might be important information of a colleague, the employee picks up the stick and takes it back to his office. To determine who is the owner, the employee inserts the drive into his computer and opens up the folders thinking that its contents will identify the owner.
WAM – the entire company’s network is infected with a new virus that the anti-virus program did not recognize.
The dropping of virus seeds in the way of USB drives is a very common attack. Drives are left in corporate lobbies, doctor’s offices, parking lots, restaurants, any place where people gather. The thieves are counting on Good Samaritans to help their follow man or woman.
Employers need to inform their employees of the following procedures:
1. If they find a USB drive never have them put it into their computer
2. They should give the drive to IT to determine what they want to do with it.
3. If there is no IT dept either drob the drive into the garbage or first smash it with a hammer before dropping it into the garbage.
4. Don’t worry that someone will loose important data. They probably have backup and if they don’t they soon will; and if there was confidential data on the device you just saved the company’s customers from a data breach.
Medical ID theft is nothing to sneeze at
Posted by: | CommentsBelow is a report from the Smart Card Alliance on Medical Identity Theft. While the info is staggering the walk away points for me is the migration to PHRs, EHRs and HIEs. Security has to start at the very beginning and that is where a secure token and password manager combination work well together.
Medical Identity Theft in Healthcare
Publication Date: March 2010
While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the Read More→
How Secure are the Secure Email Programs?
Posted by: | CommentsHITECH is the latest requirement to secure HIPAA. And while there are many parts to these regulations, the latest question I have been getting is finding a good secure email and encryption document attachments application. Well, it turned out to be like asking me for a good flavor of ice cream. It really depends on your taste. There are many different ways companies have implemented security.
In the world of secure emails the choice may be based around your preferred communications channel (smart phone, PC, netbook, etc), what is convenient to you, are you more of a cloud person or a PC based email app user, price per user, number of emails that can be sent, and so forth. But the number one perspective you have to have in evaluating any of these different products is how convenient is it to your recipients. I am a firm believer that if you make security cumbersome, then users will always find ways to circumvent security for their own convenience. However, you can’t make something so convenient that security is thrown out the window. It’s a balancing act. Read More→
Email marketing is a waste of time and money
Posted by: | CommentsNot for reason you might think. Internet security or the lack there of, has made users suspicious and distrustful to all unsolicited emails. Let’s first take the argument from the personal perspective. We all have been hit with spam in our email accounts. We may have also experiences are own email address being hijacked by email spoofers. All with the intent to get the recipient to click a link or open a file to start the process of identity theft. Read More→
Identity Theft Affects Email Marketing
Posted by: | CommentsThe economy, layoffs, fear and everything else that are making people nervous about the future has also lead to a rapid increase in small internet businesses popping up. With today’s tools a person could potentially have a business up and running in hours. However…
Identity theft has raised the bar in blocking access to your new and existing customers using email marketing campaigns. In the past we may have found spam annoying as it filled up our in box, but with phishing, pharming, social media spying, etc. all being used to steal one’s personal information, it’s gotten to the point of customers not opening, blocking and erasing all correspondences (legitimate or not). Hey, better safe than sorry.
All the so-called business cost savings that can be achieved using electronic media may be flying out the window. Aweber, Constant Contact, and others all have great products and these attacks are not their fault. Just realize that their identity has also been stolen: their brand. But as a business owner do you want to pay monthly service fees if all your marking efforts only end up in eTrash.
So, before starting a large, expensive email marketing campaign, determine if your customers will even read or click onto anything you send them. Maybe the new way to keep your customers informed is by creating a blog and posting your information and stories there. This strategy forces your customers to come to you and keeps them in control.
Technology Companies Must Incorporate Security Engineers
Posted by: | CommentsAll technology developing companies must incorporate security engineers before bringing new products to market. Anything less is just plain irresponsible and greedy. It pains me to criticize my fellow technology brethrens, but privacy theft has to be stopped. Read More→
The Cloud Goes Green, but is it Secure?
Posted by: | CommentsRecently I received an invite to a webinar discussing how companies are transforming their business by using more cloud-like infrastructure. The argument is that it saves the company’s enery and reduces their carbon footprint.
While I am not here to dispute these claims, I do warn any company that migrates to more cloud infrastructure to make security of the data paramount in their plan. Especially with the many state and federal privacy protection laws on the books. As been blogged about before, the average cost on a company from a data breach in 2009 was $6.7 million per incident. Read More→
It’s 10pm, do you know where your PII is?
Posted by: | CommentsThe federal government recently published a guide on protection Personal Identifiable Information (PII). There are two aspects to PII that every company must be aware of:
1) What information information is considered confidential, &
2) Where this information is stored in the company. Read More→
The law may consider your business a bank!
Posted by: | CommentsThere’s an interesting post over at Krebs On Security talking about some poor company that is going bankrupt because TD Bank allegedly will not give them their money back after it was stolen out of their account. Now, I wish I could say this concept is totally foreign to me, but unfortunately this isn’t the first time I’ve heard this story. I’m under NDAs not to describe the people involved, or the bank involved, but the important details are nearly identical to this story. Why is this happening?
There is a little known code call the UCC (Uniform Commercial Code) that essentially says that if you are a business and you want to do wire transfers you are essentially to be treated as a bank. You are probably wincing right now, because it’s just as stupid as it sounds. Note that this is not true for consumers – but even if your business consists of even one person, you still are treated as a bank. As such, if your company has money wired out of it’s account, the bank isn’t to be held liable – or at least that’s been their argument. This is happening all the time, so why aren’t we hearing about it all the time? Well that leads me to the worst part of this story.
The banks have essentially two options if a company takes them to court. They can win the case, or they can lose the case. If they win, that leaves the company in question free to say and do whatever they want (as is the case with TD Bank above). If they loose the case, it essentially creates precedence and can open the bank to class action lawsuits to overturn the UCC. Either way, it’s a bad day for the bank. So they opt for the third choice which is to delay the inevitable. They make these poor businesses wait for sometimes years before they will begrudgingly settle for somewhere shy of the full amount. Sometimes companies just give up, and sometimes they take the money and sign the NDAs. Either way, that’s a much better outcome than letting something get litigated. So yes, those poor companies are getting the run around, and we don’t get to hear about it because at the end of the day they are all signing NDAs.
So, if you run a company, be prepared for the worst when it comes to how the bank is going to treat you if someone steals your money. There don’t appear to be any safeguards other than individual contracts you might be able to get your bank to sign and agree to. However, if anyone happens to work for a bank, and can guarantee that money held there will be treated just like physical cash (and reimbursed just like if it is stolen out of the vault), I’m sure companies would flock to you – I know a lot of small businesses that would like to know that their money is safe, and right now, it just isn’t with TD Bank and their ilk. In the meantime, I sort of hope some lawyer is salivating at the prospect of a class action suit.
