Tag Archives: breach

Will 2016 Be The Year Of The Board?

This year has exploded out of the gate, starting on Jan 4 (the first business day of the year) with a flurry of activity. Sure, some of this is just new budget money that is available. However, I’m seeing a lot of organizations in my part of the world (California, Oregon, Washington, Idaho, Montana, Alberta, British Columbia, and Alaska) asking for help on the topic of communicating to executive management and the board of directors.

It’s about time.

Really, though, this makes sense.  Boards of directors aren’t interested in fads in business management. They rely upon their tried-and-true methods of managing businesses through board meetings, audit and risk committees, and meetings with executives. Until recently, board members perceived information security as a tactical matter not requiring their attention. However, with so many organizations suffering from colossal breaches, board members are starting to ask questions, which is a step in the right direction.

Let me say this again. Board members’ asking questions is a big sign of progress. And it doesn’t matter, mostly, what those questions are. It’s a sign they are thinking about information security, perhaps for the first time. And they’re bold enough to ask questions, even if they fear they are asking stupid questions.

The National Association of Corporate Directors (NACD) has an excellent publication on the topic of boards of directors attention on information security, called the Cyber Risk Oversight Handbook. Last I checked, a soft copy is free. Whether you are a board member or an infosec staffer, I highly recommend this for your reading list in early 2016.

Advertisements

Security: Not a Priority for Retail Organizations

Several years ago, VISA announced a “liability shift” wherein merchants would be directly liable for credit card fraud on magstripe card transactions. The deadline for this came and went in October, 2015, and many merchants still didn’t have chip reader terminals. But to be fair to retailers, most of the credit/debit cards in my wallet are magstripe only, so it’s not ONLY retailers who are dragging their feet.

My employment and consulting background over the past dozen years revealed plainly to me that retail organizations want to have as little to do with security as possible. Many, in fact, even resist being compliant with required standards like PCI DSS. For any of you who are unfamiliar with security and compliance, in our industry, it is well understood that compliance does not equal security – not even close to it.

I saw an article today, which says it all. A key statement read, “There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds.” Based on my personal and professional experience with several retail organizations, I am not surprised by this.  Most retailers just don’t want to have to do security at all. You, shoppers, are the ones who pay the price for it.

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

Healthy Skepticism Required When Using Online Storage

When online backup solutions such as box.net, idrive, and dropbox came on the scene, I was skeptical. Store my data on some service provider’s system? Only with caution.

When news of the dropbox scandal was made public, I was not surprised. The promise, “only a customer has access to their own data”, evaporated. Not that it was ever a promise that could ever be kept.

Recommendation: if you insist on storing your data on someone else’s system, encrypt it locally and store the encrypted data on the other system. That is the only way to truly guarantee that no one else can see your data.

Reference:

http://techcrunch.com/2011/06/20/dropbox-security-bug-made-passwords-optional-for-four-hours/