Archive for July, 2009

Educating Educators to Secure Their Data

July 31st, 2009

Any organization or business that has computers should be securing their data.  However, that statement is even more true (if that is even possible) if your organization has computers that are accessed by a wide number of people.  A prime example is schools – from elementary schools to universities, school computers typically can be accessed by a wide range of people.

However, many schools also have restricted budgets and overworked staff and security is all too often not a focus.  Consider these recent examples in schools in the United States.

Laptops stolen from Springfield schools

Ten laptop computers were stolen from the Keifer Alternative School in Springfield, Ohio on June 30th.  These laptops all contained information about students with disabilities, but not social security numbers, Springfield City Schools Interim Superintendent Don Thompson claimed.  The school district sent letters home to parents of students who were affected following the theft.

The laptops belonged to employees of the district’s special education department, including psychologists. These employees had relocated from the South High School building to the Alternative school.  Clearly the new school didn’t have adequate physical security.  Having disk encryption installed on computers would have solved the data breach problem.  While the schools would have had the monetary loss, there would have been no loss of secure data.

Employee data stolen from school

Canyons School District officials in Utah are investigating the disappearance of a drive that very likely contained the personal information of more than 6,000 current and recent employees. The lost information includes addresses, phone numbers, birth dates and Social Security numbers.

The Canyons School District (CDS) is a new district in the state of Utah.  Originally part of another school district, CDS broke off on its own and was scheduled to go live this summer.  Work, however, is still in progress, with technical staff still installing computers, phones and wiring.  Amidst this chaos, the drive was lost.  The drive should have been encrypted, and it might have been, but the school actually has no idea whether it was or not.

The district reported the incident to police. But absent evidence of foul play, police have no plans to investigate.  This is one more reason to secure your data – the support from law enforcement will be limited because often they have no evidence to work with in solving the crime and locating the data.  Full disk encryption secures the data even if the disk is removed and loaded into a controlled machine.  Now (also known as “too late”) the district is taking steps to safeguard sensitive information, developing new policies and procedures and building a secure network for file transfers.

Alertsec for Schools

Alertsec Xpress administration is designed to offer hassle-free deployment and set-up. Alertsec Xpress is pre-configured with a “best practice” setting to offer a secure, yet user friendly, implementation.  The low cost of Internet based encryption, combined with administrative ease makes it perfect for school systems!

Around the World in 80 Unencrypted Days

July 27th, 2009

From the capital city of the United Kingdom to the capital city of California.  It doesn’t matter if you are in London or Sacramento – you need to encrypt your disk drives.  At one level it seems so obvious. But as these stories show – it’s much easier said than done!  They are both not only examples of the need for encryption but the need for just outright deleting and destroying old information.

In London, the Jubilee Managing Agency, which is part of Lloyds and the parent of automobile insurance provider Jubilee Motor Policies, breached the Data Protection Act (DPA) by misplacing an unencrypted disk containing the personal details of around 2,100 UK policyholders.  The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to promote access to official information and to protect personal information.  They have required that Jubilee agree to complete a formal undertaking in which it promises to take reasonable measures to keep personal information secure in the future.

The ICO said that Jubilee suffered from a lack of detailed data security procedures and policies, and insufficient staff training.  Insurance companies are particularly vulnerable to data theft because they have to keep information for many years to help them calculate their insurance charges.  But the need to keep the data and the need to keep the data unencrypted on personal computers should be two different things.

Sally-Anne Poole, head of enforcement and investigations at the Information Commissioner’s Office (ICO), said that since November 2007, 161 data security breaches have been reported to the ICO in the private sector. Poole notes “We urge all CEOs and their senior management teams to ensure data protection is treated as a corporate governance issue affecting the whole organisation. All organisations need to make sure that safeguarding the personal information of customers and staff is embedded in their organisational culture.”

Meanwhile, thousands of miles away, 6,000 current and former employees at Sutter Health in Sacramento, California are being notified that they should keep an eye on their credit reports.  This breach is a clear example where, had a data security measure like laptop encryption software been used, the entire incident could have been avoided.

This leak was discovered by a computer repair shop which found the data on an old laptop that had been brought in for repair. Until they were contacted by the computer repair shop, Sutter Health’s records had shown that the computer was in the possession of a Sutter employee since 2007.  Fortunately for Sutter, when a computer repair shop employee realized that sensitive information was on the computer, the company immediately contacted Sutter.

The solution seems so obvious – but only in hindsight was it obvious to this company. Sutter is quite belatedly starting to use encryption software on all its laptop computers.  Furthermore, training has been established so all employees know not to save files locally, on hard drives, but to save them instead on network drives that can be monitored and secured by the company.

While full details were not released in the London case, both instances appear to involve disk drives that quite simply had fallen off the company’s active inventory.  It’s just another reason for laptop encryption software – even when mistakes happen, this software will keep an “organization” or an “organisation” covered around the world.

HITECH Highlights Security Risks from Third-Party Data Handling

July 22nd, 2009

While the HIPAA act jump-started the trend towards the security of medical data, a trend that now includes many other countries, the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009, is taking security to new levels.  HITECH includes new privacy requirements that represent the biggest change to the health care privacy and security environment since the original HIPAA privacy rules.

HITECH includes provisions that lower the thresholds, shorten the time lines and require more attempts to ensure that the people impacted by data breaches are truly made aware of the event.  Standing behind these changes are increased and sometimes mandatory penalties with fines ranging from $25,000 to as much as $1.5 million.  The increased fines are accompanied by more aggressive enforcement including authority to pursue criminal cases against HIPAA-covered entities or their business associates.

The key phrase there is “business associates”, meaning the third-party companies that also have access to the secure data.  While all the changes above add more teeth to HIPAA, by extending accountability from healthcare providers to their business associates this act also means that many more organizations are at risk of being bitten by this law!

Alertsec has written and talked about this many times, about how security does not stop at your firewall.  What your partners do matters – from lawyers, to Software-As-A-Service vendors who host your data to the company that carries your backup tapes to a vault.  The actions of your partners matter and HITECH is among a growing number of government regulations that are making this relationship crystal clear.

No doubt, the HITECH Act raises the stakes for a data breach. But regulations aside, data breaches can hurt your organization’s credibility and can carry huge medical and financial risks to the people whose data is lost. We’ve managed hundreds of data breaches and helped thousands of identity theft victims. Through this we’ve learned firsthand that compliance doesn’t necessarily equal low risk for data breach. For the well being of the business and patients, health care organizations and their partners need to take the most comprehensive approach to securing PHI.

A recent study by PriceWaterhouseCoopers, CSO Magazine and CIO Magazine (The 2008 Global State of Information Security Study) found that only 5% of data breaches are caused by malicious cyber-attacks.  In 2008, 44% of breach incidents were due to third-party handling of data. With HITECH, organizations will now be held responsible for a third party’s handling of your data.

Many of the healthcare-related data breaches that have made the news have actually resulted from weak security practices at a third-party service provider. In one instance, a medical center used a courier to transport patient files and the files were lost somewhere in transit.  The medical center was held accountable and financially responsible even if the courier was at fault.

The recommendations that are being made to health care companies to ensure they meet the HITECH standards are in fact just common sense for all businesses that house confidential data – regardless of the industry or current government regulations.  Do a thorough, risk-based assessment of practices related to your data assets that contain confidential data.  This includes creating an accurate inventory of the data you hold, all internal and external work flows where the information is used, and the stages at which that data is encrypted or unencrypted. You need to be sure that not only is your organization securing all the data – but all your third party associates have taken the same steps.

Classified SHOULD equal Encryption

July 17th, 2009

From the “you think you have problems” file comes news that the United States State Department does not have an accurate accounting of its laptop computers, including laptops with classified data, and has failed to encrypt machines as it was supposed to do by July 2008 in order to protect sensitive information. This is from a new report by the department’s inspector general.

State Department Laptops Not Encrypted

According to this report released by the Inspector General for the Department of State, half of the laptops issued at the State Department are not encrypted.  To add insult to injury, eight percent of the laptops cannot even be located!  More problematic is that the State Department had issued its own mandate to have all of their laptops secured with laptop encryption software by July 1, 2008 – a goal they clearly missed!

This data was collected by a study of a sample of laptops – so the real numbers could be even higher! A study of a sampling of 334 State Department laptops revealed that 27 laptops were missing (8%), and that 172 of them were not encrypted.  Included in the unencrypted group were 14 classified laptops, of which 9 were actually identified as potentially containing “secret” data!

The report notes that it’s not possible to tell whether the missing 27 laptops were protected via hard disk encryption or not, since there is no system in place to track which computers were protected.  Officials, of course, claim that there was no sensitive information on these missing computers – but there is no actual documentation or tracking to be sure.

Administering Encryption – Alertsec Xpress Value

The State Department is no different than most large organizations.  They have so many computers – especially mobile computers – that it is just hard to track everything!  Their systems were designed to track static equipment, and with today’s technology equipment is easily movable.  They have over 30,000 employees and so that means even more computers (labs, training rooms etc) and probably half of those are portables or netbooks.

Keeping track of 15,000 laptops is not an easy task, and managing encryption keys could well be nothing short of impossible. An encryption solution like Alertsec Xpress offers a great solution to companies and organizations with laptops galore – especially those with staff in multiple locations.

With encryption over the Internet, Alertsec Xpress makes it easy to distribute the encryption software.  The laptop user/owner can simply download the Alertsec Xpress software while connected to the internet, and with just a few clicks ensure that their computer is encrypted.  This distributed installation model means IT staff do not need to actually visit the computers to install the encryption software.

Alertsec is then your centralized hub for controlling the encryption status of machines.  Alertsec and your staff with administrative access can identify whether a machine has been encrypted.  When you subscribe to Alertsec Xpress, a customer account is created on the Alertsec Xpress website through which the coordinator will deploy and manage users. The coordinator will also be able to uninstall the security software for specific users through this account.

Encryption Lessons

In 2000, disciplinary action was recommended against six State Department employees in connection with the disappearance of a classified computer from the department’s Bureau of Intelligence and Research.  Clearly the State Department has not learned its lessons when it comes to laptop security.

Meanwhile thousands of users at businesses worldwide are being safely and easily protected with Alertsec Xpress.  The solutions are available and affordable for those organizations that are ready to step up and make security a priority.

Remote Workers Present Another Source for Data Breaches

July 13th, 2009

We’ve written about numerous laptop thefts that have highlighted poor corporate security practices and privacy protection in recent months.  However, while many companies continue to struggle with how to secure the data on laptops, they may be overlooking another source of potentially serious data leaks – remote employees – those employees who work at home, often using their own PCs.

A recent article on irishtimes.com shows how second-hand hard drives sold on on-line auction sites often still have enough information on them to make identity thieves very successful.  The twist on this Irish tale is that some of these drives have been traced back to employees who work at home on their personal computers.  Certainly data encryption software would help prevent such leaks, but this brings us to the tricky area of what a company can and cannot require an employee to do on their own home computer.

Many of us are still suffering from not being able to smoke in the local pub due to second hand smoke and now we have to deal with the ills of second hand hard drive sales.  The Dublin office of Ernst & Young revealed that their research has shown that used drives bought for a couple of Euro (and not too many dollars or pounds if that’s your currency of choice) have been found to contain extremely sensitive information such as bank account details, confidential e-mail and more.

While many, but not all, businesses have gotten smart about hard drive disposal, many consumers just sell off or donate their PCs.  In many parts of the world new laws on recycling of equipment are leading to more of the equipment being turned in during recycling drives.  Most recyclers offer the best of the equipment for resale before actually destroying/recycling the equipment – it’s more about reusing than just recycling.

Some consumers don’t even erase all their files since they are assuming that the PC is destined for the dump and the furnace.  Even on those drives where the data was erased or even reformatted – it’s still relatively easy to retrieve the data.  Erasing and reformatting do far less than most folks realize.  Imagine you have a book with an index. You want to delete the story on pages 56-60.  Following the PC model, erasing the data simply erases the entry in the index.  Pages 56-60 still exist – it’s just that the index doesn’t know about them.  A variety of utilities can quickly help to recover this data – even if it is deleted and often times even if the hard drive is reformatted.

There are industrial strength programs that will not just delete the file, but will write over the existing data with new data.  Run a utility like this once or even twice and the old data–the sensitive e-mails, bank account numbers, etc.–will no longer be recoverable.
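The book-and-index analogy above, as a runnable toy model (an added example, not part of the original post). `ToyDisk`, its block size and the sample record are constructed for illustration; the model shows that a delete or quick reformat only touches the index, while an overwrite changes the pages themselves.

```python
BLOCK = 32  # bytes per "page" (constructed toy value)


class ToyDisk:
    """Toy media: raw blocks (the pages) plus an index of where files live."""

    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)
        self.index = {}          # name -> (first block, length in bytes)
        self.next_free = 0

    def write(self, name, content):
        start = self.next_free * BLOCK
        self.data[start:start + len(content)] = content
        self.index[name] = (self.next_free, len(content))
        self.next_free += -(-len(content) // BLOCK)   # ceiling division

    def delete(self, name):
        """Ordinary delete: only the index entry goes away."""
        del self.index[name]

    def quick_format(self):
        """Quick reformat: the whole index is reset, the blocks are untouched."""
        self.index.clear()
        self.next_free = 0

    def wipe(self, name):
        """Remove the index entry and overwrite every block the file occupied."""
        start, length = self.index.pop(name)
        nblocks = -(-length // BLOCK)
        lo = start * BLOCK
        self.data[lo:lo + nblocks * BLOCK] = bytes(nblocks * BLOCK)  # zero fill

    def residue(self, marker):
        """Sanitization check: is the marker still readable on the raw media?"""
        return marker in self.data


def compare_disposal_methods():
    record = b"ACCT 0000-CONSTRUCTED-SAMPLE"     # constructed sample data
    outcome = {}
    for method in ("delete", "quick_format", "wipe"):
        disk = ToyDisk()
        disk.write("bank.txt", record)
        if method == "quick_format":
            disk.quick_format()
        else:
            getattr(disk, method)("bank.txt")
        outcome[method] = disk.residue(record)   # True means still recoverable
    return outcome


if __name__ == "__main__":
    print(compare_disposal_methods())
```

On real media, flash wear-levelling and remapped sectors mean an in-place overwrite is not guaranteed to reach every copy of the data, so a raw-media check like `residue` is worth running after any wipe.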

But with these remote workers the data is on their home PC.  Companies have three simple choices:

  • Put their secure data at risk and let employees use home PCs to connect to the corporate network
  • Only allow secure data to be used on company owned PCs and train employees not to use Flash drives or email to transfer secure files to their home computers
  • Purchase encryption software that employees have to place on any personal/home PCs that will connect to the corporate network.  Hosted solutions like Alertsec can make this both inexpensive and easy to support.

The issues are out there.  IT managers can face up to it as noted above or just pull the ostrich approach and bury their heads in the proverbial sand while confidential data is put at risk.