<?xml version="1.0" encoding="utf-8"?>

<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
  <title>Larry Keating</title>
  <link href="http://huffingtonpost.ca/author/index.php?author=larry-keating"/>
  <updated>2013-05-26T02:00:29-04:00</updated>
  <author>
    <name>Larry Keating</name>
  </author>
  <id xmlns="http://www.w3.org/2005/Atom">http://www.huffingtonpost.ca/author/index.php?author=larry-keating</id>
  <rights>Copyright 2008, HuffingtonPost.com, Inc.</rights>
  <subtitle>HuffingtonPost Blogger Feed for Larry Keating</subtitle>
  <generator>Good old fashioned elbow grease.</generator>

<entry>
    <title>Privacy Regulators and the Media Can Make a Bad Data Breach Worse</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.ca/larry-keating/privacy-regulators-and-th_b_3286555.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.3286555</id>
    <published>2013-05-16T16:03:33-04:00</published>
    <updated>2013-05-16T16:04:02-04:00</updated>
    <summary><![CDATA[Privacy Commissioners, rightfully, seem more incensed than ever when yet another loss of personal information occurs.  Whether it's...]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[Privacy Commissioners, rightfully, seem more incensed than ever when yet another loss of personal information occurs.  Whether it's a server breach from poor firewalling or a lost laptop with unencrypted data, they know the <a href="http://www.nopaniccomputing.com/the-no-panic-computing-notebook-computer.php" title="Secure Computers">technology is readily available</a> to prevent the breach or make the loss of a device irrelevant.  Combine that with Canada's inadequate privacy protection legislation they have to work with to protect individuals from the irresponsible handling of personal information, and it must be frustrating. <br />
<br />
PII (Personally Identifiable Information) is valuable to cybercriminals. The Internet enables a great variety of profitable criminal activities so PII, fresh PII, is worth a lot.  So much of it now resides in black-market websites the per record price has fallen, but new financial or health record profiles still command a lucrative price. <br />
<br />
Let's say a USB stick is lost containing 20,000 records with financial details of individuals including name, address, bank account information, social insurance and driver's license numbers. A bargain price for those profiles on the Internet black-market would be $10 a record.  It's basically a $200,000 memory stick for the thief that gets his hands on it.  It's worth every penny in the years to come to the criminals who buy those stolen records because millions could be bilked from the bank accounts and credit cards of individuals those records involve.   <br />
<br />
So the stakes are high. Consequently, the privacy commissioners hammer down hard on those high profile losses when thousands of records go missing.  They want disclosure of the incident and protection for the individuals.  The media piles on, always on the hunt for the details, to splay the true extent of the incident for their readers. <br />
<br />
But the disclosure of certain details and the sensationalizing of them can possibly ensure just the kind of damage to individuals the privacy commissioners wish to avoid.<br />
<br />
Let me explain.<br />
<br />
Limiting the publication of certain details, when for example a device is lost or stolen, is critical in protecting the interests of the potentially affected individuals.  In the recent loss of a laptop containing financial profiles, while the device was still unrecovered, the media was reporting the device type, details about the nature, quality and number of records it contained, and the specific geographic area in which it was lost.  It made for one very hot, sought-after property in criminal circles.  <br />
 <br />
If it was not a targeted theft, just a misplaced device or in the hands of a petty thief simply interested in the device itself, as the majority of lost or stolen devices are, publishing the details no doubt set off a criminal treasure hunt.  The forums where these things are bartered and sold, as well as Kijiji and eBay, must have been lit up that week.<br />
<br />
Organizations that carefully and thoughtfully release only need-to-know details are right to do so.  Until the status of the device is known or there is evidence the data it contained has been breached, and until the proper advice to the affected individuals and protection for them are in place, controlling the availability of certain details is important.<br />
<br />
Savvy privacy commissioners know this.  But not all.  And organizations that withhold advising the commissioners promptly really annoy the commissioners, then everyone is off on a bad foot.  Both of these reasons are why, in this new and complex digital age, once a breach or loss is discovered it is well-advised to work with qualified counsel and notify as soon as possible.  In every event, though, all parties need to think hard about what they are saying and when, lest a potentially bad situation is driven to a genuinely bad situation, on the back of the details made available.<br />
<br />
Don't get me wrong.  I think every jurisdiction should have a law that requires the reporting of the loss of PII in virtually every instance and especially require prompt advice to the affected individuals to allow them to protect themselves as soon as possible.  Bill C-12, an update to our Federal Personal Information Protection and Electronic Documents Act that underwent first reading in 2011 and now seems lost in process, does only a little to change that, if it passes.  But individuals do have a right to know when their personal information has been mismanaged, as soon as possible, to protect themselves.<br />
<br />
If advice to the affected individuals can only be done through the media due to the size of the breach, so be it.  But the trade-off in alerting the criminal elements to a device or cache of data that may or may not be in their hands needs to be carefully considered.<br />
<br />
In some jurisdictions, Ontario for example, a strong encryption standard exists that allows an organization to skip the whole public flogging and notification process if the device was properly secured and encrypted.  It is a tough standard to meet and basically creates military-grade security on the device.  Given the strength of encryption algorithms today, when <a href="http://www.nopaniccomputing.com/highlight-managed-services-feature.php?content=feature-monitored-encryption-and-backup.php" title="outsource IT service">professionally applied </a> there is only a negligible chance that data could ultimately be read, even though in the case of a lost device it is out of the control of the custodian of the data.<br />
<br />
Class action lawsuits from the loss of data through poorly managed endpoint devices are surfacing, most recently against an Ottawa-area hospital.  My guess is that while the plaintiffs may not have to prove actual damages to get a payout, the court will have to consider the true potential for damage given the uncertainty of whether the device fell into nefarious hands or was just kicked down a sewer.  Beyond that, I think on this scale, in this digital age, a court would award very little for the anxiety aspect.  But then again, this all goes to prove that protecting yourself from data loss and managing any data loss event carefully is an issue with potentially major impact on your business, rather than just a regulatory requirement.  <br />
]]></content>
</entry>

<entry>
    <title>Bring Your Own Device: Beware the Hype, Stay Secure</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.ca/larry-keating/byod-business_b_2736694.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2736694</id>
    <published>2013-02-24T08:53:02-05:00</published>
    <updated>2013-04-26T05:12:01-04:00</updated>
    <summary><![CDATA[BYOD or Bring Your Own Device, is a growing phenomenon that allows employees, even encourages them, to bring their own connected devices to the workplace. Organizations need to be careful about the implementation of BYOD and the reasons for allowing it.]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[As a young salesman based in Edmonton, Alberta, I called on Syncrude in Fort McMurray. There were outrageous stories that flew around about the construction and early operations of this megaproject. Many of those, I am sure, urban legends. This one I picked up on the inside so I am somewhat biased as to its authenticity. <br />
<br />
At the end of a shift one day an employee was seen pushing a wheelbarrow of sand, a plentiful byproduct of the tar sand extraction process, out a gate. At the time Syncrude was already producing tens of thousands of barrels of oil a day, so as you can imagine they end up with a lot of sand. Security assumed he was doing a little landscaping and let him walk by numerous times with hardly a question. <br />
<br />
Problem was he wasn't taking sand. He was stealing wheelbarrows. It was a different wheelbarrow every time. Everyone assumed he was just borrowing the wheelbarrow to haul the sand. After all, who would be audacious enough to walk right past security stealing a wheelbarrow, with only a lame story about needing the sand as your cover? <br />
<br />
BYOD or Bring Your Own Device, this growing phenomenon that allows employees, even encourages them, to bring their own connected devices to the workplace reminds me of this story.  <br />
<br />
I get why BYOD is attractive. We are in a wildly progressive stage of mobile device deployment. According to the GSMA, a global association of more than 800 mobile communications operators, there are now more than six billion mobile connected devices on the planet. That number is expected to double by 2020. I know it can be difficult for companies, large or small, to keep up with the onslaught. Staff wants to use the devices they are excited about, and their employers are happy to download the capital expense. Companies divest the problem of not being able to keep up with the latest and greatest technology their staff wants to brandish. Candidly, and I hate to rain on the parade, it sometimes seems like a bit of surrender.<br />
<br />
Organizations need to be careful about the implementation of BYOD and the reasons for allowing it. Data already indicates the money savings are somewhat mythical; costs increase from IT having to support a greater variety of devices, productivity gains can be offset by the constant distraction from personal apps, and security breaches in BYOD companies are on the rise. As well, asking a user to figure out whether he should or should not have a Java plug-in enabled on a web browser is a distraction you may not want him to have.<br />
<br />
At the least we should match this fundamental change in how we work with equally progressive management techniques. Organizations should employ an MDM (<a href="http://www.nopaniccomputing.com/overview-managed-services.php" target="_hplink" title="managed services">mobile device management</a>) strategy or expertise in the IT industry at a speed and intensity similar to the penetration of the staff-owned devices. Most of the time, though, staff's efficiency for acquiring new devices surpasses management's empowerment of IT to keep up, in-house or outsource, to make this explosion of personal IT deployment, well, not an explosion.  <br />
<br />
But beyond just managing the variety of devices popping up around the organization, even in a controlled manner through proper MDM, I still think about that Syncrude employee fooling security by covering his tracks with something the company deemed worthless. If both the sand and the wheelbarrow were valued it would have been immediately clear something was being stolen. As we devalue devices in the information management equation, we make it less clear that what is on them is of great value, and who owns it. And the opportunity for undetected insider data theft takes a quantum leap ahead when an employee knows more than the company does about the device he is using to steal information. She may also feel less obligated to protect or return the data on her device, in spite of policy, as it is, after all, her device... <br />
<br />
Of course the best solution is the reserve of those elite thinking companies who have figured out that some of the most competitive weapons of the 21st century are mobile devices. Rather than count the pennies saved from trying to pass down that relatively minor capital expense to their most expensive assets, their people, and then play a strange game of corporate roulette around data ownership and security risks, they take a different route.  <br />
<br />
First, they employ directly and indirectly the best, most progressive IT professionals they can find. People who know more about leading edge devices and how to get the most out of those devices than the staff they serve. They look hard and compete to get these people because they know that these IT Pros end up being the biggest productivity enablers in the business. Next they facilitate orders of magnitude of improved productivity and employee satisfaction by funding a respectable IT spend to acquire an assortment of the absolute sexiest, kick-ass, cool new technologies to be found. They cleverly integrate, secure and support it all, then go look for the next leading edge stuff to delight, and improve staff efficiency all over again. <br />
<br />
They own the wheelbarrow, the sand, and the certainty.]]></content>
</entry>

<entry>
    <title>Happy Data Privacy Day</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.com/larry-keating/internet-data-privacy_b_2562196.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2562196</id>
    <published>2013-01-28T10:21:00-05:00</published>
    <updated>2013-03-30T05:12:01-04:00</updated>
    <summary><![CDATA[While the Internet and technology has become an extraordinary medium for commercial -- and personal publication, and we embrace it with abandon at times to satisfy our varying degrees of narcissism -- we really don't like it when we lose control of what we think is ours and ours alone.]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[I'll bet you didn't even know we had one.  That Canada, the United States, and 27 countries in the European Union officially distinguish a particular day, January 28, to raise awareness about the importance of data privacy is a sign of the times. <br />
<br />
Marshall McLuhan said "publication is a self-invasion of privacy."  Even with his remarkable foresight in mass media and its future, including his eerily accurate description of the Web some 30 years before its arrival, I wonder if he saw coming the breadth and depth of the personal information we now "publicize" to function in this Web-connected society.  So much of what makes us unique, our education, personal health, finances, social activities, buying habits, are all stored in a multitude of servers and systems available for slicing, dicing, analysis and targeting.  We are well publicized. And businesses today can barely operate without it.<br />
<br />
While we are apt to publicize, the issue of control is implicit in McLuhan's statement.  McLuhan's words still echo an effect on each of us when something we value is taken from our control.  We feel invaded.  While the Internet and technology have become an extraordinary medium for commercial and personal publication, and we embrace it with abandon at times to satisfy our varying degrees of narcissism, or as we must in the course of work and play, we really don't like it when we lose control of what we think is ours and ours alone. <br />
<br />
People care about privacy; evidence the effect of miscalculating that principle on some of the most successful companies in recent times. In 2011 Mark Zuckerberg of Facebook declared the age of privacy at an end.  Facebook loosened up a few controls as to who could see what, as he publicly grappled with the balance between social disclosure on Facebook, and the amount of control offered the discloser.  Wrath ensued from many users and privacy commissioners, not the least of which was our own Federal Privacy Commissioner Jennifer Stoddart, who in my mind rather successfully led the charge.  It culminated with some "coaching" from both Stoddart and the U.S. Federal Trade Commission causing Facebook to retrace some steps and tighten user privacy controls, as well as 20 years of biennial audits.  That can't be happy.   <br />
<br />
I'm willing to bet if Zuckerberg had his time back he would save himself some grief and put privacy where it belongs, in the hands of the owner, while still executing his social media and advertising mission.  How much more loved would Facebook be.<br />
<br />
Eric Schmidt, former CEO of Google, also made a rather curious statement about privacy in late 2009 saying "If you have something you don't want anyone to know, maybe you shouldn't be doing it in the first place."  Google's $22.5 million fine in 2012 for bypassing web browser privacy controls to harvest ever valuable user data for ad targeting, while chicken-scratch for Google, might now also cause them to re-think how they manage the trust placed in them by those who use their service.<br />
<br />
If you run a business that collects pretty much anything more than name, address and phone number, today's a good day to think about how you manage that trust you have been given.  Using information security strategies, robust privacy compliance, and a healthy respect for who owns the darn stuff in the first place can be a key to an untroubled, successful business, and not just because legislatively we get asked to.  As McLuhan suggested, self-invasion of privacy may be OK, but no one wants anyone else doing it for them.<br />
<br />
If you would like something to put up around the office or send to the staff, here's an <a href="http://www.nopaniccomputing.com/infographic" target="_hplink" title="Data Protection Infographic">infographic on data security attitudes and behaviors</a> we created for just this occasion that can be instructive to you and your staff about protecting private data. <br />
<br />
Enjoy.]]></content>
    <link href="http://i.huffpost.com/gen/961828/thumbs/s-INTERNET-PRIVACY-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>

<entry>
    <title>A Concrete Way to Protect Your Kids Online</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.ca/larry-keating/protecting-kids-online-canada_b_2516785.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2516785</id>
    <published>2013-01-22T17:04:57-05:00</published>
    <updated>2013-03-24T05:12:02-04:00</updated>
    <summary><![CDATA[I have heard over the years some noble attempts to monitor and manage these threats, from having computers only in the family room to removing the web browser completely, but there is a better way.]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[I spend a fair bit of time and more than a few words talking about how to secure our businesses and our pocketbooks from electronic threats. So let's take a break from my rants on guarding our financial and corporate assets and talk about electronically protecting our most important assets: our children.<br />
<br />
This past holiday season there was an abundance of electronic devices for the kids under the tree, in the stockings, and handed out during Hanukkah. Galaxy S3s, iPads, HTCs on Windows 8, gorgeous HP Envys, first-time computers and next step ups. <br />
<br />
As great as it was to see those excited tweener smiles and to spend the next few hours trying to figure out which end of the USB cable to plug in, we have to give some thought to the risks those devices present. With just the wrong choice of words innocently searched, the most salacious and egregious search results from Bing, Google or Yahoo, in spite of some of the filtering controls they have built in, can appear on our children's devices. Aggressive and deceptive marketing practices of pornographic content marketers can wreak havoc on our children. According to <a href="http://www.unh.edu/ccrc/pdf/CV135.pdf" target="_hplink">an article published in the <em>Journal of Adolescent Health</em></a> by the Crimes against Children Research Center at the University of New Hampshire, 34 per cent of youth aged 10-17 years old had experienced unwanted exposure to Internet pornography.<br />
<br />
As well, social networking sites can be risky public environments. Without adequate controls, before we know it, our children can be in electronic conversations with strangers of unknown intentions. <br />
<br />
I have heard over the years some noble attempts to monitor and manage these threats, from having computers only in the family room to removing the web browser completely, but there is a better way. I have no relationship with nor do any of <a href="http://www.nopaniccomputing.com/" target="_hplink" title="NPC Secure Managed Computers">my companies</a> have any interest in <a href="http://www1.k9webprotection.com/" target="_hplink">Blue Coat Security</a>. Either way, I don't feel one bit of compunction in recommending their child Internet security product, K9, because they offer it for free for the home. Not free trial or free basic version, but free. They protect nearly 4 million homes. <br />
<br />
Blue Coat makes its living selling content filtering and something called Application Delivery Network Infrastructure to corporations. As I understand it they do a pretty darn good job making a pretty big living at it. Somewhere along the line Blue Coat decided to put their enterprise-level content filtering technology to work to protect our children. Bravo, Blue Coat.<br />
<br />
I first put this product on our family computers almost a decade ago. My now 18-year-old son, a whiz with all things technical, has said it never failed to protect him from the shock of an inappropriate search result. It also blocks the social media sites that are generally wide open, where all kinds of inappropriate thinking and language can end up on the screen. Everything starts off blocked until you decide your kids can handle an open search or conversation. K9 is as good as it gets in providing a simple-to-install tool that restricts access to the bad stuff out there -- pornography, hate sites, gambling, you get it. <br />
<br />
There are tens of thousands of these kinds of sites created every month. Blue Coat constantly updates the K9 filtering to keep up with it.<br />
<br />
Here's the link: <a href="http://www.k9webprotection.com" target="_hplink">www.k9webprotection.com</a>. I know there are plenty of other products and strategies. I hope to see them in the comments below.   <br />
<br />
Safe computing to you and yours in 2013.<br />
<br />
]]></content>
    <link href="http://i.huffpost.com/gen/890652/thumbs/s-PASSWORD-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>

<entry>
    <title>Is Your Business in Denial About Tech Security?</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.ca/larry-keating/computer-security-in-business_b_2333314.html"/>
    <id>tag:www.huffingtonpost.com,2013:/theblog//3.2333314</id>
    <published>2013-01-04T08:19:50-05:00</published>
    <updated>2013-03-06T05:12:01-05:00</updated>
    <summary><![CDATA[We surveyed 1,045 business people across Canada in virtually every industry segment. Some 87 per cent said they trust employees to adhere to their IT security rules and practices. In the same survey one in six employees admitted they do not adhere to IT security policies. So why is there such a disconnect between what employees and business owners say is going on and what is really going on, even in the face of losses?]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[Surveying about data breach has always been a bit sketchy. No one wants to admit, even anonymously, they were breached. Data breach is embarrassing. And if word gets out it happened, costly, brand-wise, liability-wise, and otherwise. Ticking boxes on surveys about "the incident" makes the mouse of any executive twitch, lest the world perceive the company and brand as weak and untrustworthy in running its business. Even talking about it resurrects painful memories of the frantic and stress-laden discovery, panic, damage assessment, more panic, and costly remediation that occurred. Rapidly moving to denial after a well-concealed breach is Prozac for the corporate psyche.   <br />
<br />
<a href="http://thechronicleherald.ca/opinion/162401-leger-bill-c-12-online-snoops-and-the-crisis-in-personal-privacy" target="_hplink">Bill C-12</a> is meandering along at government speed and will require us to go public in almost every instance of the loss of anything more than name, address and phone number that we have on anyone else. I will address why I think this about C-12 in an upcoming post. But for now, sticking one's head in the sand in the event of a data loss is about as uncommon as filing your expenses late. <br />
<br />
Late this summer my company, <a href="http://www.nopaniccomputing.com/" target="_hplink">NPC</a>,  commissioned a study on information security by Angus Reid, the pre-eminent collector in Canada of facts, figures and people's opinions on all sorts of things. Most IT security studies focus on the types of breaches that occur, the technology involved or lack thereof, and the resulting impact. This study focused on the attitudes and behaviours of employees and business owners concerning information security that lead to data breach. <br />
<br />
I think because of its focus on mainly attitudes and behaviours towards information security this study skirted some of the typical disclosure fear and captured some insights. It not only caught my attention with these insights, but wow, does it show a real disconnect between the fantasy of what businesses think they are doing and what is really happening when the boss isn't looking, and sometimes, by the boss himself.  <br />
<br />
We surveyed 1,045 business people, well distributed across Canada, employees and owners, in virtually every industry segment. Less than 1 per cent were in companies greater than 500 people. On the surface, all sounds good. <br />
<br />
<ul><li>83 per cent, both employees and the business owners said they were adequately protected from cybercrime and data loss<br />
</li><br />
<br />
<li>67 per cent of business owners said IT security is one of the most important components of their business, not just of the businesses' IT function, but of the business overall <br />
</li><br />
<br />
<li>87 per cent said they trust employees to adhere to their IT security rules and practices  <br />
</li><br />
<br />
<li>95 per cent of employees believe practicing safe computing is an important part of their job</li></ul><br />
<br />
Well, here's the hitch.   <br />
<br />
In the same survey one in six employees admitted they do not adhere to IT security policies. They confessed they engage in a whole spectrum of safe computing no-nos from mismanaging passwords in ridiculously inappropriate ways (taped to the device itself or a password so weak a six-year-old could guess it) to copying company files to a personal USB stick (over 25 per cent do this). And for business owners, while we had the smarts not to ask them if they adhered to their own security policies, they did reveal their own poor attitude towards security in the specific activities they engaged in, sometimes in percentages that exceeded their own staff's behaviour (see ridiculous password activity above).  <br />
<br />
As a result, more than one business owner in seven said there had been an incident in their company where confidential information was put at risk from the loss or theft of a laptop, one out of every six said they have had a data breach due to employee negligence, and one out of 15 a breach due to employee maliciousness. One in 12 said they have already lost money due to a data breach. So why is there such a disconnect between what employees and business owners say is going on and what is really going on, even in the face of losses and embarrassment? <br />
<br />
The first consideration is the speed with which we adopt and change technology, now incredibly powerful and compelling to use, and its complexity. It changes so fast and sprouts new capability so quickly it's just plain hard to keep up with securing the stuff. But mostly I think we have so little time most days to do anything but scramble, any extra steps beyond what we must do next just fall down the priority list. And the more security we apply, the more we tend not to make it simple. In this frenetic, hyper-competitive age of 24/7, when something isn't fast and easy, we work around it.  <br />
<br />
While we know information security measures need to be as complex, effective and persistent as the virtual attacks that threaten us, they also have to become near-transparent to the user. Our electronic technology requires way too much effort on our part to secure and protect. I sometimes wish Steve Jobs was around to fix this. I can just imagine the depth and simplicity of what he would have driven his engineers to create. But in fact his legacy in the security department isn't stellar. One company that has had it right is RIM, but they fell behind in the design department. Here's hoping they catch up with BlackBerry 10 and have remembered their brilliant history of making device security powerful yet so simple it gets used. <br />
<br />
The NPC study showed that adopting technology with security controls, bolting it on later, or relying on policy and education is a senseless game if no one can easily adhere to the requirements. Transparency and simplicity is the key.<br />
<br />
]]></content>
    <link href="http://i.huffpost.com/gen/790479/thumbs/s-LAPTOP-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>

<entry>
    <title>Surfing the Web's Like Driving a Car: Buckle Up Your Info</title>
    <link rel="alternate" type="text/html" href="http://www.huffingtonpost.ca/larry-keating/online-security-business-information_b_2166596.html"/>
    <id>tag:www.huffingtonpost.com,2012:/theblog//3.2166596</id>
    <published>2012-11-21T12:46:58-05:00</published>
    <updated>2013-01-21T05:12:01-05:00</updated>
    <summary><![CDATA[We wouldn't let our children, our most important personal assets, drive around without a seat belt. But we still resist the idea that an appropriate amount of effort and investment is critical in securing our most important business asset, our information. To a hacker, your system password alone is about as good as wrapping your data in a big red bow.]]></summary>
    <author>
        <name>Larry Keating</name>
        <uri>http://www.huffingtonpost.com/larry-keating/</uri>
    </author>
    <content type="html" xml:lang="en" xml:base="http://www.huffingtonpost.com/larry-keating/"><![CDATA[I remember when seat belts became law in Ontario. It was 1976, I was still in high school, and, ironically, it was the first year I had my driver's license. They must have seen me coming. My dad, God rest his hard-arguing, intensely self-determined soul, made a convincing case that he had been driving all his life without one and was therefore living proof a seat belt was a waste of time and its mandatory legislation yet another senseless political endeavour. Even worse, Ontario was the first jurisdiction in North America to make wearing a seat belt mandatory, so certainly he was being persecuted for our massive failure of insight and choice during the previous election.<br />
<br />
The logic of his argument is much the same as what I hear from professionals operating their personal computing and communication devices, including CIOs of law firms with hundreds of lawyers brandishing devices that can grant access to hundreds of thousands of sensitive documents. I see their lips moving, but my dad's words coming out:<br />
<br />
<blockquote>"Why do I need to be told to do this?" <br />
"I know it's hurt other people but nothing ever happened to us." <br />
"I'd rather spend money on core business functions than something that may or may not provide a benefit." <br />
"What we've always done has been good 'enuf."</blockquote><br />
<br />
<br />
Good grief. How hard is it to see that what we do on computers today is the business? We would no more let our children, our most important personal assets, drive around without a seat belt than we would let them play in traffic. But we still resist the idea that an appropriate amount of effort and investment is critical in securing our most important business asset, our information. We guzzle devices in such copious amounts it has made a tech company, not an energy company, the most valuable company in history. Then we drive business at the speed of light without a seat belt. <br />
<br />
Too far on the analogy? You don't think seat belts that save lives are in the same league as security and backup tools that prevent data loss? Surely they are not. But you should hear the calls I get from folks fleeced of their real estate deposit that never made it to the lawyer because of spyware on their computer, or a 15-year-old business that failed for the lack of a decent offsite backup when a disgruntled employee (no one knows who) had walked off with the backup drives. Within weeks, suspiciously, the accounting server failed.    <br />
<br />
As big business has become relatively more secure given its substantial resources (IDC reports financial institutions spend in the aggregate $25 billion annually on security, and most of it actually works), it is abundantly clear in the numbers that small business and individuals have become cybercriminals' easy money. <br />
<br />
So what to do. Take a minute now to ponder your data protection situation. As of today, with all of the changes and challenges of the past year, what is on your computers that you really, really depend on? Is it sufficiently protected? And what about all those new mobile devices, especially the ones the staff bought themselves and are suddenly a constant fixture for them at the office, what do they have on them? Are they little unprotected gateways to the network? Think mechanical component failure, malicious software, Internet attacks, and internal threats. <br />
<br />
Has your data protection strategy kept pace with your growing treasure-trove of information? In every scenario you play out, fire, flood, theft, data corruption, do you get back up to where you were in at least a couple of days, or are you flying down the freeway without your belt on, thinking since you didn't have an accident yesterday you won't today?   <br />
<br />
In upcoming posts I will cover why I think the importance of the data we collect has flown way past the effort we take to protect it. Why companies from five to 5,000 increasingly put their capital, reputations and sanity at risk because of a failure to recognize the growing gap between the value of their data and the action they are taking to protect it. And why we are facing new federal legislation in <a href="http://www.parl.gc.ca/HousePublications/Publication.aspx?DocId=5144601&amp;Mode=1&amp;Language=E" target="_hplink">Bill C-12</a> that will compel us to openly face the consequences of mismanaging the information we invariably stockpile on other people.<br />
<br />
I will also explore why some actions we take to protect our data create a false sense of security that is as dangerous as no security at all, why any form of local backup is already a dinosaur, and why, to a hacker, your system password alone is about as good as wrapping your data in a big red bow. Cybercrime, among many other serious criminal activities through the Internet, is predominantly the criminal act of stealing financial assets. It has become the most valuable criminal activity on the planet. I'll talk about some ways to keep you out of the fray.<br />
<br />
Early adopters who wore their seat belts when they figured out it would save lives fared remarkably better than those who stayed with their practice of the past. There is already no question your business will fare better too if you take heed of the data threat warning signs already around us.   <br />
<br />
Taking the time to secure access, put up barriers, and encrypt everything in sight, right at the beginning of the design or deployment of a system, is essential to protecting your business today. An organized and effective process to do this is ingeniously described as Privacy by Design by Ontario's technically savvy and ever-passionate Privacy Commissioner, Dr. Ann Cavoukian. You can find out a lot about <a href="http://www.nopaniccomputing.com/privacy-by-design.php" target="_hplink">Privacy by Design</a> here. It's a good idea not just for privacy protection, but for business protection.   <br />
<br />
From server to cloud to endpoint devices, data protection is putting on a seat belt before you start the engine.   Like seat belts, it needs to become common sense. Oddly, I'm sure my dad would think so too.<br />
<br />
]]></content>
    <link href="http://i.huffpost.com/gen/636660/thumbs/s-FEARLESS-mini.jpg" type="image/jpeg" rel="enclosure"/>
</entry>
</feed>