Archive for November, 2011

Survey: 75% of SMBs Do Not Understand Threats Posed by Reliance on Mobile …

AVG Technologies’ annual SMB Market Landscape Report, which tracks the security attitudes and practices of companies with up to 100 employees, has revealed that almost 75 percent of respondents did not realise the dangers of having outdated security regimes in place for the mobile devices they provide to staff, or those owned by employees and used at work.

Michael McKinnon, Security Advisor at AVG (AU/NZ), said: “New mobility technologies are providing tremendous opportunities for flexibility and efficiency but they also expose businesses to the very costly impacts of hacking and Internet malware.”

He stresses how vital it is to acknowledge that, despite their size, smartphones and tablets are powerful, Internet-connected mobile computers carrying vital business and personal information. And, because of their size, they can easily be misplaced, lost or stolen. Combine this with a 273 percent* rise in mobile malware in the first half of 2011 and such devices are a growing security risk that SMBs must address quickly.

From the Report, one in ten of the organisations surveyed has deployed business applications on tablet devices, a threefold increase on figures from the 2010 survey. The fast-paced development of Android mobile technologies over the past year appears to have filtered down to SMB level, where almost one in five companies are now using these devices.

Half the responding organisations give employees remote access to their networks, with the typical telecommuting worker spending one day a week away from the office. The most popular locations for remote working are home (71%), on the move (47%) and wireless hotspots (35%), which open businesses to the highest level of risk.

McKinnon strongly advises properly securing smartphones and tablet devices with purpose-designed security solutions, such as AVG’s Mobilation package for Android.

McKinnon says “Awareness of common features such as those available in AVG Mobilation that allow lost or stolen devices to be easily located or remotely wiped, is still not widely adopted, yet is vital for all SMBs to protect important data.”

The anti-virus and Internet protection offered by AVG’s Internet Security Business Edition 2012 should be kept current on all computers and mobile devices that are brought in or taken home by staff, contractors, clients and visitors.

*According to a study conducted by G Data Security Labs,

AVG SMB Market Landscape Report 2011

This annual report, commissioned by AVG and undertaken by GfK NOP, collated the online responses from 1,000 ICT managers in the USA and the UK during August 2011. Further reading: AVG SMB Market Landscape Report 2011 (16 pages, 1.4 Mb, PDF)

Keep in touch with AVG (AU/NZ)

• For breaking news, follow AVG (AU/NZ) on Twitter at twitter.com/avgaunz

• Join our Facebook community at www.facebook.com/avgaunz

• For security trends, analysis, follow the AVG (AU/NZ) blog at resources.avg.com.au

### ENDS ###

About AVG Mobilation

The same threats that are a problem for PCs – viruses, malware and identity theft – are also threats to mobile devices. AVG Mobilation combats viruses and malware, and also provides loss and theft protection through the ability to track and control your smartphone remotely if you should become separated from it. Mobilation is easy to use and works on all versions of Android OS, v1.6 onwards.

About AVG (AU/NZ) Pty Ltd — www.avg.com.au

Based in Melbourne, AVG (AU/NZ) Pty Ltd distributes the AVG range of anti-virus and Internet Security products in Australia, New Zealand and the South Pacific. AVG software solutions provide real-time protection against the malware, viruses, spam, spyware, adware, worms, Trojans, phishing and exploits used by cyber-criminals, hackers, scammers and identity thieves. AVG protects everything important and personal inside computers — documents, account details and passwords, music, photos and more — all while allowing users to work, bank, shop and play games online in safety.

AVG provides outstanding technical solutions and exceptional value for consumers, small to medium business and enterprise clients. AVG delivers real-time protection across desktop and notebook PCs, plus file and e-mail servers, in the home and at work in SMBs, corporations, government agencies and educational institutions.

Talk to Us

Media Contacts:

Michael McKinnon AVG (AU/NZ) 03 9581 0845 mmckinnon@avg[email protected]

Shuna Boyd BoydPR 02 9418 8100 [email protected]

Media resources, including logos, box shots, screen shots etc., are available online at: http://www.avg.com.au/media/

Join the AVG Community for information, video content and pictures: http://www.flickr.com/photos/officialavg/sets/

Article source: http://www.cso.com.au/mediareleases/13386/survey-75-of-smbs-do-not-understand-threats-posed/


Mobile Spyware Raises Ethical, Legal Questions

In 2003, Atir Raihan began work on a product that has gone on to gain infamy in the world’s security industry. His idea: to build a spyware program for mobile phones that would allow people to catch a cheating spouse.

“I remember eight years ago, having a drink with friends and telling them about my personal situation. It involved infidelity with an old girlfriend,” Raihan recalled recently. Wouldn’t it be good, he thought, if there were a technology that could help him get to the bottom of it?

Seeing a potential business opportunity, as well as a solution to his relationship dilemma, Raihan and his Thailand-based company, Flexispy, developed a product of the same name that can secretly track calls and texts made to and from a mobile phone.

Flexispy can’t be installed remotely, so the user has to get hold of the phone and download the software to the device. Once it’s there, the program logs all texts and calls on the device. It can also allow a remote party to listen in on a conversation, and to use the GPS to track a person’s location.

Since its release in 2004, similar products have cropped up from companies such as Mobile Spy, which is marketed as a way to spy on children and employees, and MobiStealth, aimed at parents, employees and law enforcement agents.

While the products are used worldwide, they seem to have been doing particularly well in China. About 10,000 users there are being “infected” with Flexispy each month, estimated Zou Shihong, vice president with mobile security firm NetQin.

Within a small monthly sample of the company’s Chinese clients, 1,000 users were found to have Flexispy installed on their phones, Zou said. In contrast, the company found about 300 cases in a sample of clients in the U.S., according to a NetQin chief scientist.

Products like Flexispy raise obvious ethical and legal questions. While simply buying such software is not illegal in most countries, how it is used can put users on the wrong side of the law. Wire-tapping is illegal in most countries without a court order, for example. Tampering with a person’s phone might also lead to trouble.

“These products violate privacy,” said Zhang Qiyi, a lawyer in China, where the government has tried to ban Flexispy with mixed success.

Once the program is installed, data from the handset is secretly routed to a server operated by Flexispy. The user can log into the server to read messages and check call logs. The software can also activate the phone’s microphone, so it can be used as a bugging device to listen in on nearby conversations.

An annual subscription costs between US$149 and $349, depending on the features. It is available for most major phone OSes, including Apple’s iOS, Google’s Android and Nokia’s Symbian.

In 2007, a year after it went on sale in China, authorities there stopped one of its distributors from selling the product. The word “Flexispy” has even been blocked from searches on China’s popular Sina Weibo social networks.

But Flexispy says numerous websites in China are selling imitations of its software. “In a most amazing case, we found a perfect Chinese clone of our website, selling a cracked version of our product,” said Marc Harris, a Flexispy spokesman.

Spyera, a similar product, has also been doing well in China. Chinese users account for 18 percent of its customers, up from 6 percent just two years ago, according to the company’s owner, Mihat Oger. In contrast, the U.S. accounts for 38 percent of its customers.

“Our sales increased 17 percent from 2009 to 2010 and increased 32 percent from 2010 to 2011,” Oger said, adding that much of the growth has been driven by increased smartphone sales.

Flexispy and Spyera said they have taken steps to keep their products legal, such as designing them so they can’t be installed remotely. Flexispy warns customers that using its product without the consent of the person being targeted could be illegal, and it highlights what it says are legitimate uses of its product.

“Our marketing is focused on the legitimate uncovering of a cheating partner or the protection of a child’s activities on a mobile,” Harris said. “However, it is a fact of life that virtually everything can be used illegally. … The responsibility is with the user, not the product.”

Security vendor F-Secure has labelled Flexispy as malware in the past. Still, while such programs have the potential for misuse, in most cases that have been investigated Flexispy was being used to spy on a spouse rather than something like industrial espionage, said Mikko Hypponen, the chief researcher at F-Secure.

Tyler Shields, a researcher with security firm Veracode, noted that because the data from phones is sent back to a server operated by Flexispy, its usefulness for criminal enterprise is limited. “If I were a malicious hacker, I wouldn’t want all the stolen data to be sent to a Flexispy server. For a criminal, it’s not as much of a useful tool.”

In China, Flexispy and its variants are better known as “XWodi”, which translates as “X-Undercover.” Online searches reveal a long list of sites claiming to sell Flexispy and similar products. Most of these sites, however, are scams selling fake spyware products, said Li Tiejun, an anti-virus engineer with Chinese security vendor Kingsoft.

“Some are real,” he said.

The danger of Flexispy being secretly installed on a user’s phone, however, is minimal compared with more malicious spyware reaching handsets in China, he said.

Each month, Kingsoft is finding more sophisticated spyware coming out of the country, Li said. In August it discovered a program that comes buried inside an apparently innocuous Android application, and which recorded phone calls and text messages without the user’s knowledge. It’s unclear why the program was developed. The creators might have been using it to collect data for marketing, which they could then sell to interested parties, Li said.

Several vendors of China’s XWodi were contacted for this story, but all declined to be interviewed. Flexispy and Spyera would not reveal their exact sales figures. But aside from catching cheating spouses, the companies say their spyware products are generally used to monitor employees or track the activities of young children, teenagers, and elderly people unable to care for themselves.

Raihan maintained that he never intended his product to be used for illegal purposes. “There’s enough business in the legitimate market. There’s no need for it to be used in other situations,” he said. Raihan later sold his Flexispy business to another company.

Whatever its merits, he is proof that the software can achieve its goal. After helping to build Flexispy, he gave his girlfriend at the time a mobile phone with the software installed on it. “Yes, she was cheating,” he said. “I’ve used it ever since. It really opened my eyes.”

Article source: http://www.pcworld.com/businesscenter/article/245219/mobile_spyware_raises_ethical_legal_questions.html


Better awareness brings down AIDS rate

NAGPUR: A renewed fight against HIV/AIDS was recognized as one of the millennium development goals by the United Nations. Earlier last month, the World Health Organization declared that since 2007, the number of new infections has remained the same, indicating a fall in the number of new incidences of the virus. The Nagpur District AIDS Prevention and Control Unit (DAPCU) confirms the prevalence of the trend in the city as well.

Of the general population tested for the virus in 2002, 33.55% tested positive, while in 2011 the figure dropped to 3.31%. Similarly, among the pregnant women tested, 1.10% were found positive in 2002 as against only 0.29% in 2011. Surveys conducted by the National AIDS Control Organization (NACO) showed a drastic surge in the number of citizens coming forward to be tested for HIV. In a statistical study, 5,047 people tested positive for HIV in 2002, with a testing rate of 20%. In 2010, as many as 1,17,915 people approached these centres, with a testing rate of 2.99%, indicating a drastic fall in the number of infected patients, according to the recent survey.

“The government has the facility for providing free ART (anti-retroviral therapy), counselling, medical treatment, white blood cell count and tuberculosis cure among other things. NACO carries out routine checkup and awareness programmes to exterminate ignorance about the disease from the society,” said Ganesh Parihar, programme officer of DAPCU. He added that many 24/7 testing and helpline centres have been started under the banner of ICTC (Integrated Counselling and Testing Centres). “21 standalone centres and 29 ICTCs are 24/7 helpline centres working in the city,” he said.

District manager of Avert society Nitin Bhowate said, “Awareness about STDs and sexual health has increased manifold in the general populace, thanks to a rise in NGOs that have worked to help AIDS-affected people. Mobile vans of ICTC centres have enabled us to help the hard-to-reach population which is why the general awareness has increased.”

Another project run by NACO, Children Affected By AIDS (CABA), looks after children infected by AIDS and unborn children who may be genetically predisposed to the virus. Madhuri Giri, project coordinator of CABA, told TOI, “We have received 180 registrations for treatment of AIDS so far and have already started treating 58 children.”

Though private practitioners also treat people living with HIV (PLHIV), the cost of treatment goes up manifold in a private set-up. “It is a common view that government hospitals are not sanitized and the procedure of registration is cumbersome. To provide a solution to this, we personally request and fix an appointment with tehsildars. We act as a catalyst in receiving consent from patients and to carry out treatment as early as possible,” said Babita Soni, president of Sanjeevan Bahudeshi Samaj Seva Sanstha, which promotes access to care and treatment for AIDS-affected people.

Despite the optimism shown by most volunteers and activists, some believe the silver lining has its cloud. “There are many hidden cases among the general population that are not coming out on their own. Many of them may not even be aware of themselves being carriers of the virus. I don’t see much happening in that direction. The figures only speak the story of those willing to be tested, not the others. With their inclusion, the picture may not be as rosy as it looks,” said Anand Changrani, project director of Saarthi Trust, an NGO working for the LGBTQ community in the city.

Article source: http://timesofindia.indiatimes.com/city/nagpur/Better-awareness-brings-down-AIDS-rate/articleshow/10937833.cms


Poor Encryption Key Management Leads to Unrecoverable Data, Survey Finds

Enterprises are using encryption in more places than ever, but they are not properly securing the keys or using consistent products, a recent report found.

Despite using encryption, poor key management and lack of control over the technologies being used can cost an organization an average of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey report released by Symantec on Nov. 30.

Most of the costs were related to reduced stock price and brand damage. The cost of improperly securing data does not include the cost of a data breach but reflects the expenses organizations bear because of the time it takes IT to try to find and recover the business data or the key used to secure the data, Tim Matthews, senior director of product marketing at Symantec, told eWEEK.

About 48 percent of the survey participants reported that their organization had increased its use of encryption over the past two years, with one-third reporting “somewhat to extremely frequent” deployments of “rogue” projects without any centralized management oversight, Matthews said.

Business groups and employees are often independently encrypting data without involving the IT department, according to Matthews. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without passing on custody of the encryption keys. If IT doesn’t have the key, it also becomes harder to properly back up the data or to access the information as part of an e-discovery request, he said.

Rogue projects pose a “recovery issue” for organizations, since that’s data the IT department has no control over, and if told by the courts to hand over data, the “enterprise can’t really say ‘I can’t,’” Matthews said.

The costs of improper key management and fragmented encryption deployments result in the organization not being able to meet compliance requests, said 48 percent of the respondents in the survey. Others named the inability to respond to e-discovery requests and to access important business information.

About 52 percent of the respondents said they have had serious key management problems, with about a third reporting that keys were lost or misplaced and another third citing key failure. A little over a quarter, or 26 percent of the participants, said former employees refused to hand over keys when they left the company, according to the survey.

Organizations need to think about the “employee lifecycle” and consider what happens to business data when an employee leaves, Matthews said. It’s not enough to just think about the data lifecycle, he said. There needs to be a consistent process for how keys are generated, deployed and managed within the enterprise, according to Matthews.
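The failure mode the survey describes (an employee leaves, nobody else holds the key, the data is unrecoverable) and the remedy (a managed process for generating and holding keys) can both be shown in a few dozen lines. The following is an added example written for this page, not code from Symantec, PGP or eWEEK; it assumes a simple envelope-encryption scheme where each record is encrypted under a fresh data-encryption key (DEK) and that DEK is wrapped under a key-encryption key (KEK) for every custodian, so that an IT recovery KEK enrolled at encryption time can still open the data after the employee's copy is gone. The names `Seal`, `Open`, `Offboard`, the custodian labels `alice` and `it-recovery`, and the sample record are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope holds one record's ciphertext plus a copy of its data-encryption
// key (DEK) wrapped under each custodian's key-encryption key (KEK).
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedDEK map[string]wrappedKey // custodian name -> wrapped DEK
}

type wrappedKey struct{ Nonce, Blob []byte }

// randBytes draws n bytes from the OS CSPRNG for keys and nonces.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh 256-bit DEK and wraps that DEK once per
// custodian (AES-256-GCM at both layers). custodians maps a name to a 32-byte KEK.
func Seal(plaintext []byte, custodians map[string][]byte) (*Envelope, error) {
	if len(custodians) == 0 {
		return nil, fmt.Errorf("refusing to seal: no custodian would hold a copy of the key")
	}
	dek := randBytes(32)
	dataAEAD, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(dataAEAD.NonceSize())
	env := &Envelope{Nonce: nonce, WrappedDEK: map[string]wrappedKey{}}
	env.Ciphertext = dataAEAD.Seal(nil, nonce, plaintext, nil)
	for name, kek := range custodians {
		kekAEAD, err := gcmFor(kek)
		if err != nil {
			return nil, err
		}
		// Bind the custodian name as associated data so a wrapped blob cannot be quietly re-labelled.
		n := randBytes(kekAEAD.NonceSize())
		env.WrappedDEK[name] = wrappedKey{Nonce: n, Blob: kekAEAD.Seal(nil, n, dek, []byte(name))}
	}
	return env, nil
}

// Open recovers the plaintext through the named custodian's KEK.
func Open(env *Envelope, custodian string, kek []byte) ([]byte, error) {
	wk, ok := env.WrappedDEK[custodian]
	if !ok {
		return nil, fmt.Errorf("no key copy for %q: data is unrecoverable by this path", custodian)
	}
	kekAEAD, err := gcmFor(kek)
	if err != nil {
		return nil, err
	}
	dek, err := kekAEAD.Open(nil, wk.Nonce, wk.Blob, []byte(custodian))
	if err != nil {
		return nil, fmt.Errorf("unwrapping DEK for %q: %w", custodian, err)
	}
	dataAEAD, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	return dataAEAD.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Offboard drops a departing custodian's wrapped copy; the data stays reachable
// only through custodians enrolled at Seal time (here, the IT recovery key).
func Offboard(env *Envelope, custodian string) { delete(env.WrappedDEK, custodian) }

func main() {
	employee, recovery := randBytes(32), randBytes(32)
	record := []byte("Q3 contract terms (constructed sample)")
	// Managed deployment: IT's recovery KEK was enrolled alongside the employee's.
	managed, _ := Seal(record, map[string][]byte{"alice": employee, "it-recovery": recovery})
	Offboard(managed, "alice") // alice leaves without handing over her key
	pt, err := Open(managed, "it-recovery", recovery)
	fmt.Printf("managed: recovered=%q err=%v\n", pt, err)
	// Rogue deployment: only the employee ever held a copy of the key.
	rogue, _ := Seal(record, map[string][]byte{"alice": employee})
	_, err = Open(rogue, "it-recovery", recovery)
	fmt.Println("rogue (no IT key copy):", err)
}
```

The design point is that recovery has to be decided when the data is encrypted, not when the employee leaves: `Seal` refuses to run with no custodian at all, and the "rogue" envelope, sealed with only the employee's KEK, is exactly the data the survey describes as lost. In a real deployment the recovery KEK would live in an HSM or key-management service under dual control, not in process memory.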

About 40 percent of the enterprises in the survey were less than somewhat confident they would be able to retrieve keys, and 39 percent were less than somewhat confident they would be able to protect data from disgruntled employees, the survey found.

“As the Enterprise Encryption Trends survey demonstrates, encryption needs to evolve from a fragmented protection historically implemented at the line of business level to a capability that is managed as a core component of organizations’ IT security operations,” said Joe Gow, director of product management at Symantec.

It has become fairly easy to get encryption software online, and users are becoming more aware of encryption, according to Matthews. Malicious insiders may encrypt some files to hide their activities.

There may also be a “shadow IT” situation in place where the business has to comply with regulations because of a partner company, Matthews said. For example, regulations may require an insurance company to encrypt certain types of data. The insurance company may in turn require partners that handle payments or other business functions to have a system in place to decrypt and encrypt transaction data. With that system from the insurance company in place, the employee at the third-party provider may be encrypting other types of data used internally without IT’s knowledge, Matthews said.

The survey examined encryption use at 1,575 enterprises around the world. Matthews said this was the “largest sample size” he’s ever had for this annual survey. The survey is usually conducted by encryption vendor PGP, which was acquired by Symantec last year.

Article source: http://feeds.ziffdavisenterprise.com/~r/RSS/eweeksecurity/~3/wv8h-8kk8pM/


Facebook’s FTC Deal: 8 Things To Expect

How will Facebook’s privacy and security settings change?

The Federal Trade Commission (FTC) announced Tuesday a proposed settlement with Facebook. The action stems from allegations that the social network “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public,” according to the FTC.

Facebook had labeled some of those privacy changes as its response to consumers who were clamoring for a simpler way to control their privacy settings. But the Electronic Privacy Information Center (EPIC) and other consumer-rights groups saw it differently and filed complaints with the FTC, which investigated Facebook and hit it with an eight-count indictment.

“Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” said Jon Leibowitz, the chairman of the FTC, in a statement announcing the settlement. “Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.”


Here, then, are some security and privacy changes to expect from Facebook in the wake of the settlement:

1. Privacy settings won’t revert: Privacy groups, including EPIC, had called on the FTC to “restore users’ privacy settings to pre-2009 levels,” and then obtain explicit consent from users to change those settings. Instead, Facebook gets to keep its most recent privacy settings, which expose most private information by default, in place.

2. Consumers will opt-in to future changes: Going forward, according to the FTC settlement, Facebook will be “required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences.”

3. Breaking up will be easier: The FTC settlement also requires that Facebook “prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account.”

4. Little contrition: Commenting on the settlement, “I’m the first to admit that we’ve made a bunch of mistakes,” said Facebook founder and CEO Mark Zuckerberg in a blog post. But he argued that on balance, Facebook had offered a good balance of “transparency and control over who can see your information,” despite a few missteps. “In particular, I think that a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we’ve done,” he said.

5. Internal processes get more privacy-centric: “The FTC also recommended improvements to our internal processes,” said Zuckerberg in his blog post. “We’ve embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we’re living up to the commitments we make.” That’s necessary, since Facebook must submit to third-party audits beginning in 180 days, followed by once every two years, to ensure that its privacy program complies with the FTC settlement requirements.

6. Facebook faces $16,000 fines: The FTC settlement says that Facebook will be hit with a $16,000 fine for every violation. For a company that’s valued at about $100 billion, that’s pocket change. But multiplying the number of affected users by the per-violation fine could result in steep penalties, not to mention bad publicity.

7. Facebook adds privacy executives: Zuckerberg announced that attorney Erin Egan will fill the company’s new “chief privacy officer for policy” role, while Facebook’s current chief privacy counsel, Michael Richter, will become its “chief privacy officer for products.” According to Zuckerberg, Richter and his team “will work to ensure that our principles of user control, privacy by design, and transparency are integrated consistently into both Facebook’s product development process and our products themselves,” which paraphrases what the FTC settlement requires.

8. Facebook likely won’t stumble again: Did the government get a fair deal out of Facebook? Will Facebook learn to not run afoul of the FTC in the future? In response to both questions, it’s interesting that the social network now counts former FTC chair Timothy Muris as a lobbyist, while former FTC commissioner Mozelle Thompson is Facebook’s “chief privacy adviser,” reported Gawker. The implication: One way or another, don’t expect Facebook to get caught over future privacy changes.


Article source: http://feeds.informationweek.com/click.phdo?i=add3a8d62477243f015e40a7e6aecc94


RIM Responds To PlayBook Jailbreak

Article source: http://feeds.informationweek.com/click.phdo?i=3296e2fd359de89217cbce3d065799cc


U.S. Cyber Command Practices Defense In Mock Attack

The military command in charge of U.S. cyber-warfare activities has successfully completed its first major exercise in its mission to protect the Department of Defense (DOD) from cyber attacks.

The U.S. Cyber Command performed the exercise, called Cyber Flag, over a week’s time at the Air Force Red Flag Facility at Nellis Air Force Base in Nevada, and through a virtual environment pulled in participants from other locations, according to a press statement.

The Cyber Command, part of the U.S. Strategic Command, went into action last September specifically to protect DOD networks and oversee federal cyber warfare activities. It’s based in Ft. Meade, Md., and led by National Security Agency Director Gen. Keith Alexander.

Establishing the Cyber Command was one of the Obama administration’s many efforts to shore up cyber security and protect U.S. military networks from cyber attacks, as well as to mitigate the effects of any that occur.


Three hundred people participated in the exercise to practice their cyber defense skills on a private virtual network, in which participants were split into two sides that engaged in offensive and defensive cyber tactics, said Col. Rivers J. Johnson of the command’s public affairs office.

He said there were two cyber teams–the “good guys” and the “bad guys”–and those on the opposing forces tried to infiltrate the Cyber Command’s networks with malware and other forms of network intrusion.

“There were a variety of scenarios based on what we think an adversary would do in real world events and real world time,” Johnson said. “It was a great exercise.”

Event participants held daily briefings on the day’s events and assessed the performance of Cyber Command to defend against attacks.

Johnson said that although the Cyber Command was not always 100% successful in mitigating attacks, the majority of threats were quickly identified and deflected “in a timely manner.”

Cyber Command chief Gen. Alexander agreed that the exercise showed that his command has developed effective cyber-security defense capabilities. In a press statement, he deemed the exercise a success, saying it “exceeded” his expectations and showed a team effort, with respective cyber commands from the Army, Navy, Air Force and Marines also participating.

“There was tremendous participation from the service components that included active, guard, reserve, civilian and contractors as well as from the combatant commands and DoD agencies,” he said.


Article source: http://feeds.informationweek.com/click.phdo?i=1330acd0b230e50e8b420ff1d0e338da


Poor Encryption Key Management Leads to Unrecoverable Data, Survey Finds

Enterprises are using encryption in more places than ever,
but they are not properly securing the keys or using consistent products, a
recent report found.

Despite using encryption, poor key management and lack of
control over the technologies being used can cost the organization an average
of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey
report released by Symantec on Nov. 30.

Most of the costs were related to reduced stock price and
brand damage. The cost of improperly securing data does not include the cost of
a data breach but reflects the expenses organizations bear because of the time
it takes IT to try to find and recover the business data or the key used to
secure the data, Tim Matthews, senior director of product marketing at
Symantec, told eWEEK.

About 48 percent of the survey participants reported their
organization had increased their use of encryption over the past two years,
with one third reporting “somewhat to extremely frequent” deployments
of “rogue” projects without any centralized management oversight,
Matthews said.

Business groups and employees are often independently
encrypting the data without involving the IT department, according to Matthews.
While the move to encrypt is a good thing, these unauthorized deployments are a
challenge for IT because the data is lost and irretrievable if the employee
loses the key, forgets the passphrase or leaves the company without passing on
custody of the encryption keys. If IT doesn’t have the key, it also becomes
harder to properly backup the data or to access the information as part of an
e-discovery request, he said.

Rogue projects pose a “recovery issue” for
organizations since that’s data the IT department has no control over and if
told by the courts to hand over data, the “enterprise can’t really say ‘I
can’t,’” Matthews said.

The costs of improper key management and fragmented
encryption deployments result in the organization not being able to meet
compliance requests, said 48 percent of the respondents in the survey. Others
named the inability to respond to e-Discovery requests and to access important
business information.

About 52 percent of the respondents said they have had
serious key management problems, with about a third claiming that keys were
lost or misplaced and another third citing key failure. A little over a
quarter, or 26 percent of the participants, said former employees refused to
hand over keys when they left the company, according to the survey.

Organizations need to think about the “employee
lifecycle” and consider what happens to business data when an employee
leaves, Matthews said. It’s not enough to just think about the data lifecycle, he
said. There needs to be a consistent process for how keys are generated,
deployed and managed within the enterprise, according to Matthews.

About 40 percent of the enterprises in the survey were less
than somewhat confident they would be able to retrieve keys and 39 percent were
less than somewhat confident they would be able to protect data from
disgruntled employees, the survey found.

“As the Enterprise Encryption Trends survey
demonstrates, encryption needs to evolve from a fragmented protection
historically implemented at the line of business level to a capability that is
managed as a core component of organizations’ IT security operations,”
said Joe Gow, director of product management at Symantec.

It has become fairly easy to get encryption software online
and users are becoming more aware of encryption, according to Matthews.
Malicious insiders may encrypt some files to hide their activities.

There may also be a “shadow IT” situation in place
where the business has to comply with regulations because of a partner company,
Matthews said. For example, regulations may require an insurance company to
encrypt certain types of data. The insurance company may in return require
partners that handle payments or other business functions to have a system in
place to decrypt and encrypt transaction data. With that system from the
insurance company in place, the employee at the third-party provider may be
encrypting other types of data used internally without IT knowledge, Matthews
said.

The survey examined encryption use at 1,575 enterprises
around the world. Matthews said this was the “largest sample size”
he’s ever had for this annual survey. The survey is usually conducted by
encryption vendor PGP, which was acquired by Symantec last year.

Article source: http://www.eweek.com/c/a/Security/Poor-Encryption-Key-Management-Leads-to-Unrecoverable-Data-Survey-Finds-673838/


Sutter Health Data Breach Affects 4M Patients


Article source: http://philadelphia.injuryboard.com/miscellaneous/sutter-health-data-breach-affects-4m-patients.aspx?googleid=296428


Privacy group reports alarming data breach statistics in public sector

Local councils have suffered more than 1,000 data breaches in the last three years, according to
research carried out by the lobbying group Big Brother Watch, and data suggests the real figure
could be a lot bigger.


Data breach statistics from a new report published by the London-based privacy advocacy group show
that of the 1,035 incidents reported by 132 local authorities, at least 244 laptops and portable
computers were lost. In addition, at least 98 memory sticks and more than 93 mobile devices went
missing.

The researchers also investigated how local councils responded to the breaches. Only 55 of the
incidents were actually reported to the Information Commissioner’s Office (ICO), and nine of the
cases resulted in the person responsible losing their job.

The group sent requests under the Freedom of Information Act to 434 local councils, asking them
about any information breaches they had suffered between August 2008 and August 2011. It
received responses from 395 councils — a response rate of 91%.

Only a third (132) of the councils reported breaches, while the remaining 263 authorities
claimed they had had no data losses at all. “It does seem surprising that in 263 local authorities,
not even a single mobile phone or memory stick was lost,” the group said in the report, suggesting
the reason for this disparity may be because councils may have different internal thresholds for
reporting and logging data losses.

The councils with the highest level of reported breaches were Kent and Buckinghamshire (72
apiece), followed by Essex (62), Northamptonshire (48) and North Yorkshire (46).

Most of the breaches were accidental, such as USB sticks being lost, emails sent to the wrong
address, or laptops stolen from parked cars; some involved paper files going astray.

However, some of the cases involved deliberate action, such as former employees stealing data
when they had been dismissed, disclosing information to unauthorised third parties and information
being accessed without proper cause. In one case in Kent, scanned case notes relating to children
were uploaded to Facebook.


Roger Gough, cabinet member for business strategy, performance and health reform at Kent County
Council (KCC), claimed in a statement that his county had come out badly because of its size. “It
is no surprise that we come out on top as we are the largest shire authority in the country, which
means we handle a proportionally larger amount of information,” he said.

Gough also took issue with the Facebook case. “The Facebook example cited was the
result of a family member posting scanned images of social service case notes
(obtained via court proceedings) onto the Web. The Information Commissioner’s Office
considered KCC blameless in that case,” he said.

The Big Brother Watch report recommended councils make better use of virtual private networks, so staff working from
home would not be tempted to load information on USB sticks and then transfer it to their own
computers.

It also suggests a much stricter policy on the use of external data storage devices and the
transfer of information to personal equipment, which would eliminate many of the incidents of data
loss due to thefts and carelessness.

In a separate, written statement issued at the same time as the report, Big Brother Watch said:
“The growing volume of personal information held by local authorities is a significant threat to
personal privacy and civil liberties. This report highlights how, despite data protection law, not
enough is being done to ensure sensitive information is held securely and protected.”

Security companies were quick to offer their views on the report. Terry Greer-King, UK managing
director of Check Point Software Technologies with international headquarters in Tel Aviv, Israel,
blamed the poor uptake of encryption on local authorities. “We’ve surveyed the use of data
encryption in UK public and private sector organisations every year since 2007, and encryption
deployments have been consistently under 50% until now,” Greer-King said. “Even in 2011, only
52% of respondents were using encryption to protect data on their laptops.”

David Fowler, senior VP of products and marketing for identity management company Courion in
Manchester, said closer monitoring of who has accessed information would help control the problem.
“Public organisations need to create a culture of shared responsibility for data security among
their employees,” Fowler said. “To achieve that, they need effective security policies and access
risk management solutions that enable organisations to maintain control of who is accessing
sensitive information and how it is being used.”

Chris Mayers, chief security architect at Santa Clara, Calif.-based Citrix Systems Inc., said
councils need to apply a risk-based approach to guarding sensitive data. “IT needs to be able to
enable different classes – or risk levels – of data to be handled securely, but with a
solution that won’t unduly restrict access or productivity,” Mayers said. “When budgets are
constrained, this will be achieved through spending money on technology that is proportionate to
the risk involved and tiering access accordingly.”

Earlier this year, Big Brother Watch carried out similar research into the NHS
and police authorities and found a similar catalogue of problems, including incidents of patient
information and medical records being shared on social networking sites, and police officers and
staff abusing their access to sensitive data.

Article source: http://searchsecurity.techtarget.co.uk/news/2240111769/Privacy-group-reports-alarming-data-breach-statistics-in-public-sector
