Winter Road Construction SignsYou may have a top-notch security incident response plan and a crack team for data breach response…but have you checked to be sure that your company’s HR policies are on the same team with you? Personnel Management is one of the most important—yet often overlooked—of the 10 activity channels for effective data breach response. In the crunch of handling an actual data security incident, your company’s HR policies will either pave or block the road to a nimble, successful response.

Of course, various policies are important for prevention of data security breaches, including policies for such matters as authorized computer systems, e-communications, and Internet use; authorized data and system access; strong passwords; use of encryption and encryption keys; mobile device safeguards; precluding or limiting storage of company data on home or other personal devices; and the like. But other policy provisions are essential for effective security breach response:
Continue Reading Your HR policies should help, not hinder, data breach response

santaiStock_000017337503_LargeFor those who observe it, the Christmas season (secular version 2.0) is definitely here. As a child, I cherished the thought of a man with a red suit accessing our house through the chimney. For those of us concerned about computer system security, we worry about a person with a black hat accessing our data through phishing, hacking, and malware. I hate to mention, well, you know who, but someone out there loves the thought of taking your Whoville roast beast.

Enjoy the next few days with your family and friends, but remember, it’s also time to consider your data security for 2016. Knowing you, once you’ve opened all the presents, eaten dinner, and just settled down for a moment of quiet sanity, your thoughts will inevitably turn to the new year. So, here are six holiday-themed recommendations for your consideration. If you don’t recognize the quotes below, that means you didn’t spend your childhood binge-watching classic holiday programs. Not a worry – simply unwrap the answer key at the bottom.
Continue Reading I’m making a list, securing it twice…

plumberiStock_000045982828_LargeWhile data breaches have become a common occurrence, the epic breach of the Office of Personal Management (“OPM”) records stands out for many reasons. The hackers obtained PII on at least 21.5 million people and accessed highly confidential background check and security clearance information, including personal details such as fingerprint data and financial history. But what is most shocking is that the federal government was aware of security flaws within OPM’s computer system for years before the breach, yet never addressed those vulnerabilities.
Continue Reading Failing to fix is fixing to fail (or get hacked)

bored-maniStock_000012493520_LargeWhile advising the board of directors of a company to pay close attention to data security issues is akin to your dentist telling you to floss, the stakes are too high for a board to ignore. The board of any company must constantly monitor and assess its company’s data security procedures and potential risks. Although there is no strategy to prevent a security breach, each member of a board must exercise its fiduciary duty to consider the risks to a company. To the credit of many companies in the last several years, the assessment of data security risks has achieved a more pronounced position.
Continue Reading Board to Tears: Director oversight of data security issues

Couple with relationship problems - Two stylish lovers having couple problems

Do data breaches cause lasting reputational damage for organizations? We all know breach response is expensive –  just ask Target, which posted data breach-related costs of $162 million through fiscal year 2014, plus another $129 million for the first half of FY2015, all net of $90 million in cyber insurance. That’s a lot of zeros, and it’s not over yet. According to Ponemon’s 2015 Cost of Data Breach study, the average U.S. cost of a “malicious or criminal breach” is $230 per compromised record, $210 per record for a “system glitch” breach, and $198 per record for “human error” breaches. The U.S. breaches in the study averaged more than 28,000 compromised records and an average total cost of over $6.5 million.

But beyond response hard costs, the X factor for many companies is a fear of crippling reputational damage in the wake of a large-scale data breach. As it turns out, such fears may be unfounded, and may also be unhelpful.
Continue Reading Will you still love me tomorrow, post-breach?

Hacker at workAt DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.
Continue Reading DEF CON 23—Part II: cyber risk management strategy

Hacker at workFaces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.
Continue Reading DEF CON 23—Part I: Hackers highlight evolving cyber threats

spinningPlatesiStock_000011904878_LargeIt’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.
Continue Reading The 10 key activities for effective data breach response – Are you prepared?

jensen_jeffWith North Korea’s hacking of Sony, the FBI recently stated more than 90% of companies are vulnerable to the same attack. Recent hackings have resulted in bad publicity, confidential information leaks, damage to clients, and heavy monetary damage. It’s important to prepare before an attack to minimize the risk of both being a victim and