Archive for February, 2010

Banks Distribute Free Security Software to Customers

February 28th, 2010

HSBC has recently started providing its online banking customers with free Rapport software, a service from Trusteer that helps protect Internet browsers. The bank joined several other financial organizations, such as Bank of America and Barclays, which offer complimentary or low-cost security software to their clients. This move by HSBC highlights the importance of online safety in the current environment. If companies are willing to dedicate resources to protect their customers, they should equally invest in protecting company information and data.

Businesses like HSBC are doing the right thing by looking out for their customers’ safety. Additionally, the move has generated lots of free positive press and helped put the bank in a positive light. The promotion is also low cost and affordable, making it a smart business decision. HSBC’s actions are commendable; however, it’s unclear whether the organization is fully protecting itself. Security experts are questioning some of the bank’s website features and the choice of Rapport as the security provider. The criticisms serve as a reminder: it’s crucial for businesses to defend themselves in every way possible to be fully prepared for the future. When it comes to a business’s security, there’s no such thing as being over-prepared when dealing with the Internet.

Spreading Your Resources

A company like HSBC usually has several separate budgets to cover expenses. These range from amounts allocated for administrative costs to figures backing the latest marketing campaign. HSBC’s move showed an in-depth understanding of business strategy. It’s important for companies to work on promoting a fully integrated message, one which shows how all of its different areas work together to create a great product. HSBC spent money to provide customers with free security software and the purchase helped decrease the need for spending in marketing, advertising, public relations, and even recruiting! After the media picked up the story, HSBC can sit back and enjoy its investment.

However, it appears the company’s standpoint on security fell short: an analyst at a rival firm criticized HSBC in an interview with eWeek Europe:

Cluley …questioned HSBC’s decision to allow banking customers to save their user ID on their browser. Rather than entering the ID every time they access the site, users can choose to have their browser remember the code.

“Certainly I wouldn’t feel comfortable if my online banking password was being remembered for me in this fashion,” he told eWEEK Europe UK. “A home computer may not be ‘public’ or ‘shared’, but it can still be stolen or a dodgy workman might have access to it. My suspicion is that security and usability have once again had a wrestling match, with those who want less support calls from forgetful consumers winning.”

It’s unclear whether Cluley’s claims are well-founded; a representative of HSBC explained that the ID saved requires an additional password and exists as added convenience. Nonetheless, organizations need to evaluate how their budgets are being spent and make sure that security is well funded. A firm protected by Alertsec Xpress would be able to use advertisements to promote its business’s high level of security and market itself as a safe organization which uses encryption to protect customers. Companies should explore how their security spending is connected and find the strings which can be cut.

Security Breach at Shell Reveals Personal Employee Information

February 27th, 2010

Security breaches can happen anytime, anywhere, and can affect practically anyone in an organization. In the past, we’ve covered several examples where breaches revealed customers’ passwords and social security numbers. Today, we explore a different type of breach: one which leaked the personal details of 170,000 employees and contractors of Royal Dutch Shell. This incident is important because it provides a perfect example of how storing unencrypted data on company computers can be dangerous and have serious consequences that can strike a company from the inside.

The situation is particularly difficult for the infamous oil corporation: the database of names and personal contact details has been e-mailed to several non-governmental organizations, including Greenpeace, Friends of the Earth, and Shell Guilty. Shell has attempted to prevent the NGOs from publishing the information, explaining that in doing so, they would be breaking the law. Additionally, Shell is launching a full-scale investigation in an effort to figure out how its employee information ended up accessible to third parties. While it’s difficult to guess at the techniques used by the hackers involved, one thing is clear: Shell computers aren’t protected by full disk encryption services and, as a result, are much more vulnerable to online threats.

Shell’s Information is a Serious Problem

Understandably, Shell is trying to prevent the security breach from being seen as a serious problem. An article from TimesOnline included a statement from the company:

Yesterday Shell sought to play down the leak. A statement said: ‘Certain data concerning Shell employees and other individuals on our internal address list has been disclosed to some external parties. The data is mainly business-related.’

While there may be some truth in the statement’s claims about much of the information being publicly available and not damaging the company, it’s likely that Shell’s employees feel differently. According to a report by the BBC, some of Shell’s workers had their private home telephone numbers leaked. Even if no personal telephone numbers were leaked, the breach brings attention to the poor status of computer security at Shell. Employees can’t work well knowing that their personal details aren’t well-protected. This last complication is troublesome, at least for Shell, which will need to improve the way it does business in order to reassure its employees that their private information is safe. Dealing with the aftermath of a crisis, such as Shell’s security breach, can be extremely costly and in many cases, a damaged reputation can’t ever truly be recovered, regardless of how much money is spent.

Lessons to Learn

Ironically, Shell’s security breach came at a convenient time: had Shell discovered the breach in April, a new set of laws (covered here and here) would have allowed the company to be charged fines of up to £500,000. However, even without the monetary cost, Shell lost something extremely valuable: the trust of its employees. Shell workers are much less likely to remain loyal to a company which isn’t proactive about protecting its internal information.

In order to earn and maintain the trust of its workers, a company needs to employ solutions which are easy to use and keep data secure. Had Shell been using our Alertsec Xpress computer security software, the company may have avoided the embarrassing security breach and kept its positive reputation among employees. Our software is specifically designed to keep all business parties happy and secure: it encrypts data, making it much more challenging for others to access it.

Further Reading
Shell investigates posting of personal data [TimesOnline]
Shell security breach reveals employee details [BBC]


Massachusetts Enforces New Security Laws for Consumer Protection

February 26th, 2010

As we predicted earlier this month, more legislation is being passed by governments to hold companies accountable for data breaches and increase overall security of businesses. Massachusetts is the latest to join this trend: starting March 1st, businesses in the Commonwealth will be held to a much higher standard when it comes to protecting their customers’ personal data. Organizations which fail to comply with the new law before the start of next month can face fines and be liable for civil lawsuits.

The new legislation is extremely important because, even though it only applies to companies in a specific state, it has many global implications. The main one is that governments are taking note of security breaches and considering them a serious threat. The new laws demonstrate that businesses which fail to protect their internal data will face punishment. Data encryption needs to be a part of every corporation’s security strategy: the law specifically mentions that personal customer information has to be encrypted!

A Look at the New Laws

Massachusetts Privacy Law – 201 CMR 17 Compliance [PDF] was created to protect customers from identity theft and other troubles that result from a company revealing personal information to outside parties. The law outlines the measures businesses need to take to keep customer data secure. An article from Bank Info Security summarizes the new rules:

The new law, Massachusetts identity theft regulations, 201 Code of Massachusetts Regulations 17.00, applies to any individual, company or organization that handles personal information in connection with employment or the sale of goods or services. Under the law, Massachusetts will require any entity that stores or transmits residents’ personal information to encrypt the data when it’s stored on portable devices or transmitted via the Internet. The personal information is a combination of customers’ or employees’ names and their Social Security, bank account or credit card numbers. The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) says it is trying to create a culture of security around personal information.

The article points out that the law may be difficult to enforce; in fact, the original deadline for compliance was pushed back from August 2009. However, Massachusetts businesses shouldn’t rest easy: those found in violation of the law can face severe penalties under Regulation of Trade, chapter 93A, section 4, including:

  • Civil penalty of $5,000 per violation
  • Payment of the costs of investigation and litigation of such violation (including attorney’s fees)
  • Payment to victims of security breach

How to Respond

Businesses, particularly those in Massachusetts, need to develop comprehensive long-term security plans for protecting their company’s customers. The new laws aren’t meant to penalize companies for experiencing data breaches; rather, they’re supposed to encourage companies to practice smart security protocol. Organizations worldwide can follow the laws voluntarily and enjoy a higher level of security and, ultimately, better relations with customers.

In order to avoid unnecessary costs associated with data breaches, companies need the right technology. Our Alertsec Xpress full disk encryption service helps businesses comply with new laws by securing customer data. We offer encryption software that’s extremely easy to use and a must-have for any company which wants to be protected from online threats.

Further Reading
Mass. Data Privacy Law: Are You Compliant? [Bank Info Security]
Massachusetts raises the bar for personal data protection, globally [Ovum]


Computer Security Issues in Organizations

February 26th, 2010

If we are to go by the estimates and statistics of the world leader in security provision, the present state of cyber security in organizations across the globe is dire. Just a few days ago Symantec Corp released the findings of its global State of Enterprise Security Study, which surveyed over 2000 enterprises from 27 countries, of which 125 were from Australia and 75 from New Zealand.

The study says that security is the top issue for 43% of organizations in the ANZ region (Australia and New Zealand) and for 42% globally. Of the companies surveyed in both nations, 89% experienced cyber attacks in 12 months, compared with 75% globally. The attacks cost each organization an astounding $2 million every single year on average, which is surely asking for trouble and decidedly unhealthy for the top officials of all organizations.

The major losses reported are theft of corporate data, theft of customer information (generally customer credit card or other financial information) and identity theft. Translated into aggregate cost, the top three costs were productivity, revenue, and loss of customer trust. Craig Scroggie, vice-president and managing director for the Pacific region of Symantec Corp, said the results reinforced that organizations were concerned about security. “It’s not only the financial impact to consider then, but the damage to brand and reputation,” Mr. Scroggie added.

According to security experts, a sudden increase in attacks is being observed for three major reasons:

  1. Organizations report that their security departments are understaffed, despite assigning an average of 120 staffers to security and IT compliance.
  2. ‘IT compliance’, which for obvious reasons has proved appalling at times
  3. Organizations going on board with new IT initiatives, which call for new security measures every time.

Another revelation from the survey statistics is that 94% of the organizations are predicting changes in technology, which is not incongruous, and about half that number, 48%, are expecting major changes in the time to come.

At a time when organizations like “Abu Dhabi Commercial Bank” are following the rule of thumb that ‘precaution is better than cure’ by establishing an infrastructure that provides 24-hour protection, Symantec has come up with certain recommendations for all organizations, which make imperative the protection of infrastructure by securing messaging and web development. It also suggests that companies have visibility and security intelligence to respond to threats.

About Alertsec’s Computer Security Software

Alertsec Xpress offers computer security software from Check Point as a fully customizable and pre-packaged data encryption software solution.


Computer Security Demands Tech Savvy Employees

February 25th, 2010

You have probably noticed a common theme in all our posts: the importance of security for businesses. It’s no secret that practically any company which uses computers is at risk of becoming a victim of cyber attacks and hacking. Organizations need to invest in the correct blend of security software which increases their protection and helps keep intruders away from their data. Unfortunately, there’s another consideration which has to be taken into account: computer security demands employees who understand technology.

Studies continually show that people are still the weakest link in computer and Internet security. Poor password choices, combined with a weak understanding of technology, are usually the culprits which allow massive data breaches and attacks to succeed. Employers have to work out a security strategy which takes the computer knowledge of their employees into consideration.

Computer Jargon is Complicated

There’s no denying that computers aren’t always the easiest to understand, particularly for some older generation workers. Many have trouble figuring out how to use a computer for its basic functions and don’t even take security into consideration. Even more advanced users can find computer terminology tricky and not bother to learn anything about it. An article from Reuters captures the problem perfectly:

Computer jargon, a “tick box” culture and unimaginative advertising are discouraging Internet users from learning how to protect themselves online.

Faced with such gobbledegook, many of the world’s nearly 2 billion Internet users conclude that security is for “experts” and fail to take responsibility for the security of their own patch of cyberspace — a potentially costly mistake.

Some developers are making a move towards creating more user-friendly computer software but this doesn’t mean it’s time to relax. A lot of proprietary and specialized software is still challenging to understand. Occasionally, developers can even add to the confusion; take for example the troubles caused by Adobe’s security updates. Companies need to take charge and face the problem head-on.

Solutions for Companies

Unfortunately, there’s no easy fix to the problem. Companies will have to explore several solutions to find which one works best for their employees.

  1. Hire tech savvy employees
  2. Run educational workshops
  3. Choose the correct mix of security software

Ideally, businesses would be able to implement all three solutions to create an extremely secure business environment. However, most organizations have a specific budget in place and need to work within its constraints. Exclusively hiring tech savvy workers can be costly as in many cases, they’ll require a higher salary. It also may be complicated to find workers with an in-depth understanding of security for certain jobs. Educational workshops can be effective but often have mixed results. It’s challenging, if not impossible, to quantify their value; there’s no real way to measure if an employee is truly ready for the dangers of the Internet after training. Additionally, these workshops usually have to be outsourced and can be costly.

Using the correct type of computer protection is usually the most affordable and reasonable option. By choosing the correct products, businesses can use software which requires minimal interaction yet fully protects users. It’s important to implement encryption software as part of the security package and we feel that Alertsec Xpress is a top candidate for the role. Our full disk encryption service is easy to install and manage; it also requires very little additional use from employees. Best of all, it’s affordable and can complement hundreds of other anti-virus suites perfectly. To start countering employees who don’t understand computer security, start a free trial now!

Further Reading
People Are Still The Weakest Link In Computer And Internet Security, Study Finds [Science Daily]
Computer jargon baffles users, hinders security [Reuters]