• Bad press
• Government investigations and fines
• Credit monitoring services to the victims
• Law suits and legal services
• New security technologies and policies to implement
• And then, how productive will employees be with all these changes being implemented.

It is ironic that this theft is going to cost ECMC millions of dollars in direct and indirect costs when there are solutions available for under $100 per user. My intent is not to add more blame onto ECMC, but rather to give a wake up call to other companies about data theft so they can learn from this incident. With the average cost of a data breach now reported at $6.7 million per incident, your company can’t afford to sit back and think this will never happen to me.

First, all data needs to be encrypted. There are programs like SafeHouse that are inexpensive and can encrypt data stored on hard drives, memory sticks, CD-ROMs, etc. If it can store data, it can be encrypted. But encryption is only one part since many of these programs requires a password to decrypt the data. Most people – left to assign a password – will use something easy, repeat something used elsewhere, or write down the password on a sticky note by their computer. Any one of these acts defeats the security of encryption.

Second, by adding a smartcard based password manager, now the data safeguards are elevated exponentially. Because the smartcard can store a complex, 20-charater long password that no one has to remember or type, key loggers can’t pick up the passwords and a brute force attack will be too time consuming to make it a viable attack. With the smartcard protected by a limited number of acceptable false entries and with card data encrypted, a lost or stolen smartcard is useless unless someone knows the PIN. Finally, the combination of data encryption plus smartcard implements what I call the “Seven Levels of Assurances”:

• Something you have – The card
• Something you know – The PIN to the card
• Something you are – Fingerprint, iris, biometric
• Something the card has – Account URL’s, passwords, user names, etc.
• Something the card knows – The card’s decryption keys
• Something the card is – Chip Specific Serial Number (CHUID)
• Something the card knows about you – User’s Classification Code

No single technology or solution will protect any company 100% from a potential data theft. The goal of any security officer is to put in enough barriers that drive the would-be attackers to find easier prey, while at the same time maintaining user convenience so they don’t circumvent security with bad practices. The use of firewalls, anti-virus software and secure logon policies are necessary, but these alone are no longer sufficient to comply with the many new privacy protection laws. As businesses add high tech safes to safeguard their data warehouses, frequently the strength of the lock is overlooked. Don’t install a screen door to protect your data vault.

Power LogOn by Access Smart^® has proven itself to secure cloud application access without the high cost of ownership found in other security solutions. The cloud has helped make businesses more competitive, employees more efficient and consumers more connected. Cloud solutions are available for almost every business need: legal forms to healthcare patient records, accounting data to word-processing, CRMs to order processing.  With so much valuable data out in the clouds data, the allure is too great for cyber thieves.

Cyber attacks are becoming an epidemic. While companies are trying to add more backend security like firewalls, encryption and CAPTCHAs to protect their data, the user’s access point or “front door” is still being locked with a virtual hook and eye latch.

User name and password authentication is still the easiest and most cost effective way for users to access electronic data. The weak link, however, is how we choose and manage those passwords. As new privacy laws place security responsibilities directly on companies, they in turn try to mitigate their risks by implementing cumbersome authentication policies that force employees to circumvent security for their own convenience.

Power LogOn combines security, low cost and convenience so the three work together. Imagine implementing complex passwords with no backend server modifications and employees never have to remember or type another password!  IT can even update passwords without the user caring – or even knowing.

 “Recently, for example, large corporations like Microsoft, Google and Intuit have all announced Personal Heath Information (PHI) cloud application”, said Dovell Bonnett founder and CEO of Access Smart. “While the cost benefits may be huge to patients and care givers, the risk is also huge since all this confidential data is only secured by other cloud applications like LiveID or OpenID where the user types in their user name and password for access. Spyware, keyloggers and phishing scams have already made these access portals insecure. The first time a PHI gets hacked because of careless password management, the whole service may come down like a house of cards.”

Real security requires many different levels of authentication and authorizations. That is why Power LogOn implements the “7-levels of assurances.” Not only is the individual authenticated to the smartcard, but the smartcard is authenticated to the cloud application and the individual to the data by what Access Smart calls “Double, multi-factor authentication”.

 “If you make security cumbersome, even honest people will circuvent it for their own convenience; and if you make security too expensive to deploy, very few companies will implement it”, said Mr. Bonnett. “That’s why we developed Power LogOn and have formed alliances with a number of other security companies to address security, convenience and cost of ownership.”

Cloud computing has made it so easy to manage all our electronic data. Now Power LogOn secures access to that data. It’s time to replace the latch and upgrade to a 21^st century smartcard solution to secure your data’s front door.

SOLUTION: Invest in a secure password manager that is based on smartcard technology.

JUSTIN WILLIAMS: Twitter hacking points out need to secure information

Back in May, Twitter was hacked by someone who got into the accounts of several of the company’s employees. The hacker also gained access to the Twitter accounts of several high-profile users.

Besides just snooping around, the hacker gathered hundreds of documents from Twitter’s Google Docs account — including employee lists, credit card numbers, contracts, meeting notes and salaries. Last week those documents ended up in the hands of TechCrunch, a popular Internet blog, which posted many of the documents outlining Twitter’s business strategies and financial forecasts.

How did the hacker gain access to this information? Relatively easily, actually. He acquired a Twitter employee’s Google password, which gave him access to e-mail, Google Docs and more. He didn’t use a dictionary attack or guess the password. Instead, he used the password recovery features of Gmail which will e-mail the password to a secondary e-mail account. In this case, the secondary account was an expired Hotmail account that, when reregistered, had the recovery e-mail from Google waiting there.

While your e-mail and secrets may not be as tantalizing as Twitter’s, this episode should serve as a reminder to think hard about how secure your computing practices are.

First and foremost you want to make sure you have a good password — a mixture of letters, numbers and symbols. It also should have a mixture of upper and lowercase letters. You want to avoid common words and names because they can be cracked fairly easily by trying to log in using every word in the dictionary.

You also should have a unique password for each Web site you visit. Having a unique password per site gives you an extra layer of protection should that account be compromised because the intruder won’t be able to access any other sites you may use.

Remembering dozens of passwords isn’t practical, so I recommend using a password manager that integrates with your Web browser. On the Mac, I swear by 1Password (agilewebsolutions.com/products/1Password). I let it generate and manage all my passwords, personal information and online credit cards. I also use 1Password to fill out online forms for me through its integrated browser plug-in. RoboForm (www.roboform.com) offers an excellent alternative to 1Password for the Windows platform. It seamlessly integrates with both XP and Vista machines and works in Firefox and Internet Explorer.

Twitter’s misfortune is a reminder of good password practices, but it also may be a warning sign of what the future holds for cloud computing. The blow to Twitter would have been much less if the company had not been storing all of its sensitive documents and information in Google Docs, an online equivalent to Microsoft Office. If you can’t imagine something getting in the hands of wrongdoers, it is probably better to keep it stored locally in your home or office instead of on a server somewhere on the Internet.

Justin Williams is the owner of Second Gear, a local Web and software development firm. He can be reached at justin@secondgearllc.com.

If you have any specific questions you would like me to ask, please click here to submit your questions.

Reader what Kim Zetter of Wired Magazine writes on how hackers have crossed into new frontiers by devising sophisticated ways to steal large amounts of personal identification numbers, or PINs, protecting credit and debit cards.  Click here to read the entire Wired article.