By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Legal, Regulatory Compliance, Risk Management

In this Network World article, a US District Court Judge in California ordered Google to deactivate the Gmail account of a User who accidentally received personally identifiable information.  An employee of Rocky Mountain Bank sent an e-mail to the User’s account in error containing names, Social Security Numbers and loan information of more than 1300 bank customers.  Once the employee realized their mistake, they quickly sent a follow-up e-mail requesting that the recipient destroy the previous e-mail and contact Rocky Mountain Bank as soon as possible.  After receiving no reply from the recipient, the bank contacted Google and asked for information on the Gmail accountRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Legal, Regulatory Compliance, Risk Management

Two recent headlines caught my attention: Construction Company Sues Bank for Money Lost in Cyber Scam Couple’s Lawsuit Against Bank Over Breach to Move Forward In both of these cases, banks are being sued for not taking adequate precautions that could have prevented cyber thieves from stealing money from the customers’ accounts.  The customers claim that the banks did not offer two-factor authentication and also failed to notice suspicious and anomalous behavior.  Therefore, the customers are claiming that the banks breached their duty to protect account holder information. These lawsuits could have significant ramifications and I will be curious to see the final outcome.  ShouldRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

An article in The Washington Post and comments from Avivah Litan, vice president at the market research firm Gartner Inc, regarding fraudsters targeting commercial business accounts caught my attention….and if you run a business, you should pay attention too. Apparently the bad guys have figured out yet another way to steal real money and they are targeting business accounts rather than personal accounts.  The fraud involves mules and mule recruiters, some keylogger software planted on the PC of an unknowing person inside a bank, some social engineering and some fake, but real looking websites.  Notice how the bad guys are focusing on people and theirRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

I was reading a report the other day (The Evolution of Data-Centric Protection) from InformationWeek Analytics presented by Security Dark Reading (requires registration) and written by technology expert Joe Hernick.  The report includes a survey of 384 business technology decision-makers at North American companies and the purpose of the report was to determine the role of endpoint protection in enterprise data security strategies.  The opening line of the report was great: “Think sophisticated attackers are your biggest problem?  Our survey says clueless and malicious end users are more likely to stymie even the best-laid defensive plans.”  I have experienced and observed similar results for years,Read More →

By:
On:
In: *Connecting the Dots Blog*, Emergency Management, Incident Reporting, Risk Management

You may have seen the scary story reporting investigators were able to carry liquid bomb-making materials past security at 10 federal building in 10 cities. Members of Congress blasted “disturbing” and “outrageous” security failures in the nation’s federal buildings.  According to the article, Sen. Joe Leiberman blamed the Federal Protective Service Security for failing to provide adequate security and proper training to its 13,000 security guards during a hearing earlier this week on Capitol Hill. The GAO report found that he Federal Protective Service is not doing enough to make sure it’s 13,000 guards are qualified and trained for their jobs – and doing whatRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Human Resources, Risk Management

Numerous lessons learned reveal the Achilles Heel for most managers (and organizations) is the Lack of Implementation Tools.  The lack of implementation tools has become THE principal weakness for all levels of managers that eventually will lead to their downfall. So let’s discuss some of the details surrounding implementation. First, the lack of implementation tools for implementing what you may ask? Implementing Processes.  Processes include:  procedures, policies, plans, regulations, specifications, roles, responsibilities, strategies, priorities, etc.  Numerous Processes need to be implemented in every Department in an organization.  Numerous Processes need to be implemented to meet requirements in Regulations and Mandates, which continue to mount.  NumerousRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

A CNN article recently caught my attention regarding a new study by antivirus software company McAfee that identified the most dangerous Internet search terms that can lead users (your employees, vendors, contractors, business partners, etc.) to web pages with a higher likelihood of cyber attacks. The study examined more than 2500 popular keywords on five major search engines – Google, Yahoo, Live, AOL and Ask – and analyzed 413,000 web pages.  The categories that had highest risk of leading to malware infested web sites included: screen savers, free games, work from home, Olympics, videos, celebrities, music and news.  The riskiest terms included: word unscramble, lyrics,Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Lessons Learned continue to identify new and changing threats, but are organizational managers helping their organization’s personnel keep up with ongoing awareness or are they falling farther and farther behind? For example, a recent article highlighted an attack that hit Twitter and may be one of the first time hackers to use the micro-blogging site for profit.  So why do hackers love social networking? Because unaware users (Boards, management, employees, vendors, contractors, consultants, business partners, etc.) will click on interesting links to things like “Best Video” or “Funniest Video” and unknowingly end up on a Russian domain that serves up malware or other exploits thatRead More →

By:
On:
In: *Connecting the Dots Blog*, Business Continuity, Information Security, Risk Management

Step 7 is: Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity. Wow…this is a very complex step when you consider the Cyberspace Policy Review described cybersecurity policy as: cybersecurity policy as used in this document includes strategy, policy, and standards regarding the security of and operations in cyberspace, and encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missionsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Security, Risk Management

Step 6 of President Obama’s Cybersecurity plan is a great idea and it states: Step 6 – Initiate a national public awareness and education campaign to promote cybersecurity. Lessons Learned from national public awareness and education campaigns show that they can work very well with “simple and straightforward” issues such as drunk driving, seat-belts or forest fires.  For example, most of us have heard of “over the limit, under arrest” or “click-it or ticket” or “only you can prevent forest fires”.  But cybersecurity is not “simple and straightforward”. Lessons Learned, experts and reports unanimously agree that cybersecurity related attacks are becoming more and more sophisticatedRead More →