<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Breach Resolution &#187; data privacy</title>
	<atom:link href="http://www.experian.com/blogs/data-breach/tag/data-privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.experian.com/blogs/data-breach</link>
	<description>Tools to help you navigate privacy, compliance, and security issues that may result in a data breach.</description>
	<lastBuildDate>Thu, 03 Jan 2013 19:44:41 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>7 Things you should think about when you audit your response plan</title>
		<link>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/#comments</comments>
		<pubDate>Thu, 13 Dec 2012 17:30:03 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1874</guid>
		<description><![CDATA[Now that your data breach response plan is in place and you’re confident that your company is safeguarded from malicious data breach attempts, what could still be the biggest threat to your data breach protection plan? Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/response-plan-checklist.jpg"><img class="aligncenter  wp-image-1875" title="response-plan-checklist" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/12/response-plan-checklist.jpg" alt="" width="509" height="339" /></a></p>
<p>Now that your <a href="http://www.experian.com/blogs/data-breach/2012/03/12/unlock-data-breach-facts/">data breach</a> response plan is in place and you’re confident that your company is safeguarded from malicious <a href="http://www.experian.com/blogs/data-breach/2012/05/07/itrc-report-identifies-top-three-data-breach-triggers/">data breach</a> attempts, what could still be the biggest threat to your <a href="http://www.experian.com/blogs/data-breach/2012/02/21/when-data-recovery-becomes-a-data-disaster/">data breach protection</a> plan? Answer: the plan itself. All the planning and preparation in the world won’t protect your business from a data breach if the response plan fails to work. The business world is ever changing, so it’s necessary to ensure that your response plan stays current and functional.</p>
<p>That is why it’s imperative that you regularly audit, test and update your plan, preferably on a quarterly basis.</p>
<p>Here are 7 checklist items to keep in mind when auditing your response plan:</p>
<p>1) Update your data breach response team contact list &#8211; Employees come and go, so it’s important that the contact information for the members of your internal and external breach response team is current. Make sure department heads are noted and, once the list is updated, redistribute it to the appropriate people.</p>
<p>2) Verify that your data breach response plan is comprehensive &#8211; Revise the plan to include any major company changes, such as new departments or adjustments in data management policies.  Check in with each response team member to ensure their department understands its role and what they need to do during a data breach.  Set up a mock <strong>breach of data</strong> scenario so that your response team can practice trial runs. Practice a full scale rehearsal annually so the plan is fully vetted and any adjustments can be made before an event occurs.</p>
<p>3) Double check your vendor contracts – Check that your contracts with your forensics firm, data breach resolution provider and other vendors are current and easily accessible.  Review your vendors and contracts and make sure they both still match your data protection and security needs.</p>
<p>4) Review notification guidelines – Verify that the data breach notification section of your response plan reflects the latest state legislation and that your notification letter templates address any new laws. Ensure your contact list of attorneys, government agencies and media is updated so you can easily notify them after a breach. For medical data breaches, healthcare providers need to verify that Department of Health &amp; Human Services contacts are updated and their response team understands data breach information reporting procedures.</p>
<p>5) Check up on third parties that have access to your data &#8211; Evaluate how third parties are managing your data and if they are following your data protection rules.  Educate them on any new legislation that may affect you during a data breach.  Stress to third parties the importance of reporting a data breach to you immediately and what is expected in the resolution process. Healthcare companies need to meet HIPAA requirements and should check that business associate agreements (BAAs) are established.</p>
<p>6) Evaluate IT Security &#8211; Ensure proper data access controls are in place. Check that automated software and operating system updates for the entire company are installed properly. Verify that any automated security monitoring and reporting system is up to date and working.  Store backup copies of data securely.</p>
<p>7) Review staff security awareness – Verify that your staff is up to date on company policy regarding data security procedures, including what digital and paper documents to keep and how to securely discard what is not needed. Train staff to identify signs of cyber security threats in their daily work life and know the proper course of action in reporting a breach. Check that employees are keeping their work related laptops, mobile and digital devices secure at all times and remind them to change passwords every three months.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/12/13/7-things-you-should-think-about-when-you-audit-your-response-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The next big cyber security threat: Your fingers</title>
		<link>http://www.experian.com/blogs/data-breach/2012/11/27/the-next-big-cyber-security-threat-your-fingers/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/11/27/the-next-big-cyber-security-threat-your-fingers/#comments</comments>
		<pubDate>Tue, 27 Nov 2012 19:43:27 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[typo-squatting]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1832</guid>
		<description><![CDATA[We’re all familiar with well-known causes of data security breaches and identity fraud; phishing, malware attacks, and lack of cyber security protection are some of the most popular. A lesser-known but just as lethal culprit in the world of data breaches is, surprisingly, a person’s typing skills, since a simple typo [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/typo-squatting.jpg"><img class="aligncenter  wp-image-1836" title="typo-squatting" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/11/typo-squatting.jpg" alt="" width="491" height="266" /></a></p>
<p>We’re all familiar with well-known causes of <a href="http://www.experian.com/blogs/data-breach/2012/01/25/consequences-following-a-data-breach/">data security breaches</a> and <a href="http://www.experian.com/blogs/data-breach/2012/08/21/three-things-you-should-never-do-to-identity-theft-victims/">identity fraud</a>; phishing, malware attacks, and lack of <a href="http://www.experian.com/blogs/data-breach/2012/07/24/top-5-cyber-security-threats-to-future-of-mobile-banking/">cyber security</a> protection are some of the most popular. A lesser-known but just as lethal culprit in the world of <a href="http://www.experian.com/blogs/data-breach/2012/02/28/the-data-breach-reporting-landscape-part-1/">data breaches</a> is, surprisingly, a person’s typing skills, since a simple typo can lead to typo-squatting, also known as URL hijacking.</p>
<p>Typo-squatters count on accidental misspellings and typing errors of web addresses in a web browser’s address bar to get people to their pages, which can often be unscrupulous hacker sites designed to extract a person’s private information. Typo-squatters buy up domains that are similar to popular domain addresses and lie in wait for web surfers to make typing mistakes, which are now even more widespread with the popularity of touch screen devices. For example, instead of typing dot-com, you mistakenly type dot-org and are transferred to an authentication or login page that asks you to input your account information and password before proceeding. These pages are actually typo-squatted pages that were created not only to steal your information; they can also make you vulnerable to a computer virus or <a href="http://www.experian.com/blogs/data-breach/2012/06/26/vigilance-is-still-the-best-medicine-for-avoiding-medical-identity-theft/">identity theft</a>. The most dangerous scenario is when a person uses the same user name and password for every website, since a hacker can then access financial information such as banking and credit card accounts using the stolen log-in information.</p>
<p>Typo-squatters can also cause a <a href="http://www.experian.com/blogs/data-breach/2012/06/26/vigilance-is-still-the-best-medicine-for-avoiding-medical-identity-theft/">business data breach</a> by creating <a href="http://www.experian.com/blogs/data-breach/2011/10/18/stealing-data-through-doppelganger-domains/">doppelganger domains</a> for large companies that use subdomains for their various worldwide offices. Business emails are intercepted when a user mistypes a recipient’s e-mail address. Using a doppelganger domain, a hacker configures an email server to intercept any correspondence addressed to a person with that name. Extra large companies with many subdomains are at the biggest risk since they have more employees with more email addresses, which means more chances for typos.</p>
<p>A key way to practice <a href="http://www.experian.com/blogs/data-breach/2012/07/31/three-data-protection-strategies-to-catch-a-phish/">data breach protection</a> in preventing typo-squatting is to use a search engine to find a website instead of directly typing in the web address, especially if you are searching for a financial institution. All the big search engines will have companies’ legitimate web addresses as well as <a href="http://www.experian.com/blogs/data-breach/2012/10/09/cyber-security-escalates-in-importance/">data protection and security</a> software to scan for malware and prevent hacking. Common sense is also another powerful tool to prevent a <a href="http://www.experian.com/blogs/data-breach/2012/10/09/cyber-security-escalates-in-importance/">breach of data</a>; if a site doesn’t look right, it probably isn’t, so exit quickly and try again through a search engine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/11/27/the-next-big-cyber-security-threat-your-fingers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three tips for choosing a cloud provider</title>
		<link>http://www.experian.com/blogs/data-breach/2012/10/23/three-tips-for-choosing-a-cloud-provider/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/10/23/three-tips-for-choosing-a-cloud-provider/#comments</comments>
		<pubDate>Tue, 23 Oct 2012 23:44:39 +0000</pubDate>
		<dc:creator>mbruemmer</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[cloud provider]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=1688</guid>
		<description><![CDATA[To cloud or not to cloud? That is the question. And while there’s no questioning the convenience and benefits of cloud storage – you can access your data from multiple devices and save space on your own servers – there are questions regarding how secure cloud storage really is. Given recent hacking incidents at bigger-than-big [...]]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/choosing-cloud-provider.jpg"><img class="aligncenter  wp-image-1692" title="choosing-cloud-provider" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/10/choosing-cloud-provider.jpg" alt="" width="488" height="296" /></a></p>
<p>To cloud or not to cloud? That is the question. And while there’s no questioning the convenience and benefits of cloud storage – you can access your data from multiple devices and save space on your own servers – there are questions regarding how secure <a href="http://www.experian.com/blogs/data-breach/2011/07/19/trouble-in-the-clouds-data-breaches-threaten-cloud-computing/">cloud storage</a> really is.</p>
<p>Given recent hacking incidents at bigger-than-big companies and popular cloud services, here are a few things you need to consider when using a cloud provider:</p>
<p><strong>Look for robust authentication:</strong> If a cloud provider offers a one-step login, i.e. password-only security, that’s a red flag. If there’s just a single password standing between your sensitive data and hackers, how long until that password gets cracked? Or it could be accidentally or <a href="http://www.experian.com/blogs/data-breach/2011/10/25/your-biggest-data-breach-risk-may-be-on-your-payroll/">maliciously shared</a> with the wrong person or written down on a piece of paper that’s later lost. The bottom line is, you need more than a password. Look for and use a cloud provider that has a robust login and authentication process. Yes, it takes longer every time you log in. But it also helps to keep hackers out. Be sure to change your passwords and other authentication data regularly. And remember that not everyone in your organization needs to know how to access the cloud.</p>
<p><strong>Take your time:</strong> It’s good to be cautious when you’re talking data storage, especially when it’s an outsourced service. So take your time choosing a cloud provider. Ask questions about what security measures are in place and how they are maintained. A dependable cloud provider should be able to answer all of your questions quickly. That likely means they know their service well and have anticipated your concerns. If you’re getting the runaround or don’t feel confident with the answers you’re receiving, look elsewhere. There’s not just one cloud in the sky.</p>
<p><strong>Sign on the dotted line:</strong> You’ve thoroughly vetted a cloud provider’s security and authentication measures and have determined you’ll actually have a higher level of security using the cloud than with internal, on-site storage. You’ve asked about risk management, documented policies, incident preparedness, encryption levels, employee training and all of your other concerns. You’ve conducted a thorough audit and you’re happy with what you’ve found. Then and only then enter into a service agreement with a cloud provider.</p>
<p>Just remember that any type of <a href="http://www.experian.com/data-breach/cyber-security.html">cyber security</a> is never foolproof and new threats constantly emerge in the cyber world. So keep up with what’s going on at your cloud provider and keep access to the cloud restricted only to individuals in your organization who really need it. If one of those individuals leaves your organization, change all of your cloud passwords and authentication data at once.</p>
<p>The fewer people who have access to your sensitive data – both inside and outside your organization – the more secure it is.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/10/23/three-tips-for-choosing-a-cloud-provider/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8216;Tis the season for data privacy</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/#comments</comments>
		<pubDate>Tue, 24 Jan 2012 22:10:50 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=927</guid>
		<description><![CDATA[As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which personal information is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from risks. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg"><img class="aligncenter size-full wp-image-935" title="dataFirewall" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2012/01/dataFirewall.jpg" alt="Data firewall" width="448" height="336" /></a></p>
<p>It’s that time of year again when people near and far get ready to celebrate the most wonderful holiday of them all.</p>
<p>OK, perhaps it isn’t exactly Christmas, but <a title="Data Privacy Day Organization Website" href="http://www.staysafeonline.org/dpd" target="_blank" class="broken_link" rel="nofollow">Data Privacy Day</a> &#8211; observed on January 28th in 2012 – is no less a celebration; it’s just that this one is designed to promote best practices and awareness around privacy.  The “holiday” was begun in Europe in 2007 and continues to be observed in 30 countries as Data Protection Day.  In the U.S., National Data Privacy Day is managed by the National Cyber Security Alliance (NCSA), a non-profit public-private partnership which estimates that through media and other activities its messages regarding cybersecurity reached 175,000,000 people last year, all in the service of promoting a digital society that can best leverage the five c’s: content, community, communication, commerce and connectivity.</p>
<p>As our world becomes ever smaller and more networked, Data Privacy Day provides information to consumers about the ways in which <a title="Blog about PII" href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personal information</a> is collected, stored, used and shared. The international privacy promotion also helps businesses understand the laws and regulations to which they’re subjected and offers guidance about how to best shield themselves from <a title="2011 Breach Overview" href="http://www.experian.com/blogs/data-breach/2011/12/20/year-of-the-breach-2011-in-review/" target="_blank">risks</a>.  Above all, the event is designed to foster a dialogue between different entities – citizens, private organizations and public institutions – about how to balance innovation, progress and growth with the need for privacy protection.</p>
<p>Since privacy is our shared responsibility, how can you contribute to this security festivity?  Train your employees, or consider hosting an event or sponsoring NPD.  If you have kids or teach them, turn to the Teens and Young Adults page, the Parents and Kids page, or the Educators page, which offer guidelines such as how to update your <a title="HOw to update facebook privacy settings" href="http://computer.howstuffworks.com/internet/tips/how-to-update-your-facebook-privacy-settings.htm" target="_blank" class="broken_link" rel="nofollow">Facebook privacy settings</a>, resources such as videos on how to protect your personal information and privacy, as well as <a title="Safetyweb" href="http://www.safetyweb.com/" target="_blank" class="broken_link" rel="nofollow">your children&#8217;s</a>.  Data Privacy Day activities will include presentations, conferences, technology demonstrations, webpage and video competitions, instructional videos, workshops, and regional events, so there are plenty of ways to get involved; for more information, turn to  <a title="Data Privacy Day Website" href="http://www.dataprivacyday.org" target="_blank" class="broken_link" rel="nofollow">www.dataprivacyday.org</a>.</p>
<p>And remember to stay tuned to Experian’s Data Breach Resolution blog, where every day is data privacy day.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/24/tis-the-season-for-data-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How data breaches harm reputations</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 17:17:28 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Fraud Resolution]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=919</guid>
		<description><![CDATA[The Ponemon study clearly shows that when data breaches occur, the collateral damage to a company’s brand and reputation becomes a significant hard cost that must be factored into the total financial loss. ]]></description>
			<content:encoded><![CDATA[
<p>Within the world of cyber security, a great deal of attention has been focused lately on the escalating hazards and frequency of data breaches, with considerable discussion on the <a title="Cyber crime gets costlier" href="http://www.experian.com/blogs/data-breach/2011/10/04/cyber-crime-gets-costlier/" target="_blank">high cost</a> of such breaches.  But as the industry has assessed the financial toll of breaches, it has never taken into account the impact breaches have on a company’s brand image and, consequently, its bottom line.</p>
<p>Until now.</p>
<p>A recently released <a title="Ponemon Institute Study " href="http://www.experian.com/data-breach/reputation-impact-study.html" target="_blank" class="broken_link" rel="nofollow">Ponemon Institute study</a>, sponsored by <a title="Experian Data Breach homepage" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">Experian’s Data Breach Resolution</a> and believed to be the first of its kind, explores the “Reputation Impact of a Data Breach” to provide more context for the full scope of data breaches.  The findings draw enlightening conclusions around the financial toll that data breaches wreak upon harmed corporate reputations, including these key takeaways:</p>
<p>Reputation is one of an organization’s most important and valuable assets.<br />
Reputation and brand image are perceived as very valuable…and highly vulnerable to negative events, including a data breach.</p>
<p>Calculating the value of reputation and brand reveals how valuable these assets are to an organization. The average value of brand and reputation for the study’s participating organizations was determined to be approximately $1.5 billion.  Depending upon the type of information lost as a result of the breach, the average loss in the value of the brand ranged from $184 million to more than $330 million. Depending upon the type of breach, the value of brand and reputation could decline as much as 17 percent to 31 percent.</p>
<p>Not all data breaches are equal. Some breaches are more devastating than others to an organization’s reputation and brand image, with the <a title="What consumers should know about data breach notification" href="http://www.experian.com/blogs/data-breach/2011/11/02/what-consumers-should-know-about-data-breach-notification/" target="_blank">loss or theft of customer information</a> ranked as the most devastating (followed by confidential financial business information and confidential non-financial business information).</p>
<p>Data breaches occur in most organizations represented in this study and have at least a moderate or a significant impact on reputation and brand image. According to 82 percent of respondents, their organizations had a data breach involving sensitive or confidential information.  Fifty-three percent say the data breaches had a moderate impact on reputation and brand image and 23 percent say it was significant.</p>
<p>Most organizations in the study have had a data breach involving the theft of sensitive or confidential business information. On average these types of breaches have occurred 2.9 times in surveyed organizations, with the theft or loss of confidential financial information having the most significant impact on reputation and brand.</p>
<p>Respondents strongly believe in understanding the root cause of the breach and protecting victims from identity theft. When asked what their organizations did following a breach to preserve or restore brand and reputation, respondents named these top three steps: conduct investigations and forensics, work closely with law enforcement and protect those affected from potential harms such as identity theft.</p>
<p>The Ponemon study clearly shows that when data breaches occur, the collateral damage to a company’s brand and reputation becomes a significant hard cost that must be factored into the total financial loss.</p>
<div class="dropshadowboxes-container " style="width:600px;"><div class="dropshadowboxes-drop-shadow dropshadowboxes-rounded-corners dropshadowboxes-inside-and-outside-shadow dropshadowboxes-lifted-both dropshadowboxes-effect-default" style="border:1px solid #dddddd; height:;background-color:#ffffff"><a title="Ponemon Reputation Impact Study" href="http://www.experian.com/innovation/business-resources/reputation-impact-data-breach.jsp?WT.srch=ecd_dbres_blog_011712_article ">Download the Ponemon Reputation Impact Study </a>to learn what executives are saying about how a data breach can affect the reputation and image of an organization.</div></div>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/17/how-data-breaches-harm-reputations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Quick glance: data breach litigation &amp; legislation in 2012</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/#comments</comments>
		<pubDate>Tue, 10 Jan 2012 16:53:34 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach notification fatigue]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Data Breach Notification]]></category>
		<category><![CDATA[data breach response]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=912</guid>
		<description><![CDATA[With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of prevention is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your security practices and fraud resolution plans are strongly built to ward off malicious attacks and the complications that follow.]]></description>
			<content:encoded><![CDATA[
<p>It was only a matter of time before a flood of class action lawsuits began to wash over breached companies. In general, these suits allege that a company: 1) did not adequately protect the sensitive data entrusted to it and 2) did not notify consumers of the breach in a timely enough manner. In 2011, after one of the biggest breaches of the year went public, it took just one day for the first class action lawsuit to be lodged.</p>
<p>The avalanche of recent breaches has been worrisome for consumers, causing lawyers, as well as lawmakers, to take note. Moving into 2012, businesses will want to carefully watch the changing landscape of litigation and legislation.<br />
Two recently submitted bills would require companies to inform affected customers, the <a title="Develop a data breach response plan" href="http://www.experian.com/blogs/data-breach/2011/02/22/develop-a-breach-response-plan-now-to-be-ready-to-efficiently-address-a-breach-as-soon-as-it-is-reported/" target="_blank">Federal Trade Commission</a> and law authorities of a data loss within 48 hours of completing a breach assessment.</p>
<p>No matter the outcome of these bills, companies that delay making their breaches public will continue to face the consequences. In 2011, a large financial institution found itself in hot water after waiting weeks to notify customers of a breach. The controversial delay prompted a leading industry group representing the country’s largest financial institutions to testify before Congress. The testimony suggested that banks should immediately notify federal officials and affected customers of a breach.</p>
<p>While the outcome of recent litigation remains to be seen, many lawyers expect these suits to inevitably increase in size – and rewards. To date, Internet privacy-related lawsuits have yet to yield the hefty settlements of securities fraud cases. Still, with the escalating breadth of data breaches, higher profile law firms, ones known for mounting successful securities fraud litigation on behalf of shareholders, are getting involved.</p>
<p>The challenge for plaintiffs’ lawyers in security breach cases is not in proving liability but establishing damages. Judges must determine whether the compromise of personal data represents a loss of value or if there should be additional proof of tangible harm.</p>
<p>With the recent spate of data breaches and accompanying class action lawsuits, businesses have constant reminders that an ounce of <a title="Data breaches - to prepare or not to prepare?" href="http://www.experian.com/blogs/data-breach/2011/05/17/data-breaches-%E2%80%93-to-prepare-or-not-to-prepare-the-answer-is-simple/" target="_blank">prevention</a> is worth a pound of cure. The best way to protect your business against the high costs of data breaches is to ensure your <a title="Data Breach homepage" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">security practices and fraud resolution</a> plans are strongly built to ward off malicious attacks and the complications that follow.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/10/quick-glance-data-breach-litigation-legislation-in-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Resources for managing your enterprise security and privacy risk in the new year</title>
		<link>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/</link>
		<comments>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/#comments</comments>
		<pubDate>Tue, 03 Jan 2012 08:00:57 +0000</pubDate>
		<dc:creator>tbowers</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[National Cyber Security Awareness Month]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Security Breaches]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=901</guid>
		<description><![CDATA[Here’s a look at some of the resources I find useful in testing and training for a data breach.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg"><img class="aligncenter size-full wp-image-902" title="Data locked" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/data_security.jpg" alt="" width="518" height="337" /></a></p>
<p><em>Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of <a title="Security Constructs" rel="”nofollow” nofollow" href="http://www.securityconstructs.com/about.htm" target="_blank" class="broken_link">Security Constructs LLC</a>, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.</em></p>
<p>I&#8217;ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S. government had anything I could leverage in my own business operations. The answer is, “yes.”</p>
<p>I&#8217;ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don&#8217;t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.</p>
<p>Here’s a look at some of the resources I find useful in testing and training for a data breach:</p>
<p><strong>NIST Computer Security Handling Guide </strong><br />
In the back of this document (Special Publication 800-61) are tabletop exercises to help train your incident response team. While a bit limited in scope, they are an excellent starting point at no cost to you.</p>
<p><strong>DHS/FEMA Certified Cyber Security Training</strong><br />
The online Domestic Preparedness Campus is a portal for 10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.</p>
<p>The different courses include:</p>
<ul>
<li>Information Security for Everyone</li>
<li>Cyber Ethics</li>
<li>Cyber Law and White Collar Crime</li>
<li>Information Security Basics</li>
<li>Secure Software</li>
<li>Network Assurance</li>
<li>Digital Forensics Basics</li>
<li>Business Information Continuity</li>
<li>Information Risk Management</li>
<li>Cyber Incident Analysis and Response</li>
</ul>
<p><strong>Homeland Security Exercise and Evaluation Program </strong></p>
<p>This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.</p>
<p>In total, they offer seven exercise types broken down into training and operational exercises.</p>
<p><em>Training Exercises</em><br />
1. Seminar &#8211; A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.<br />
2. Workshop &#8211; A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.<br />
3. Tabletop Exercise (TTX) &#8211; A tabletop exercise involves key personnel discussing simulated scenarios in an informal setting.<br />
4. Games &#8211; A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedures designed to depict an actual or assumed real-life situation.</p>
<p><em>Operations-based Exercises </em><br />
5. Drill &#8211; A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.<br />
6. Functional Exercise (FE) &#8211; A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any &#8220;boots on the ground.&#8221;<br />
7. Full-Scale Exercises (FSE) &#8211; A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and &#8220;boots on the ground&#8221; response.</p>
<p><em>Cyber Storm</em><br />
<a title="Cyber Storm" rel="”nofollow” nofollow" href="http://www.dhs.gov/files/training/gc_1204738275985.shtm" target="_blank" class="broken_link">Cyber Storm</a> is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:</p>
<ul>
<li> “Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects</li>
<li>Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures</li>
<li>Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information</li>
<li>Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”</li>
</ul>
<p>Cyber Storm III was used to hone and tune the latest U.S. National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors. It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the &#8220;boots on the ground&#8221; hub for national <a title="Cyber Security Facts" href="http://www.experian.com/data-breach/cyber-security.html" target="_blank">cybersecurity</a> coordination.</p>
<p>Managing your enterprise security and <a title="Data Breach Resources" href="http://www.experian.com/data-breach/data-breach-resources.html" target="_blank">privacy</a> risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There is a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2012/01/03/resources-for-managing-your-enterprise-security-and-privacy-risk-in-the-new-year/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data breaches don’t take a holiday at the arcade</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/27/data-breaches-don%e2%80%99t-take-a-holiday-at-the-arcade/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/27/data-breaches-don%e2%80%99t-take-a-holiday-at-the-arcade/#comments</comments>
		<pubDate>Tue, 27 Dec 2011 08:00:45 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[credit card fraud]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=894</guid>
		<description><![CDATA[A recent data breach discovery serves as a reminder that even when you’re on vacation, cyber criminals never sleep.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/creditcardhands.jpg"><img class="aligncenter size-full wp-image-897" title="credit card changing hands" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/creditcardhands.jpg" alt="" width="539" height="362" /></a></p>
<p>A recent data breach <a rel="”nofollow” nofollow" href="http://www.computerworld.com/s/article/9219945/Vending_machine_company_announces_major_data_breach?taxonomyId=82" class="broken_link">discovery</a> serves as a reminder that even when you’re on vacation, cyber criminals never sleep.</p>
<p>Vacationland Vendors, a company that supplies vending machines and video games to entertainment venues, recently reported that an unknown intruder penetrated its point of sale systems, resulting in a data breach affecting approximately 40,000 customers at waterland resorts in Tennessee and Wisconsin.  Although credit card and debit information was apparently stolen between December 2008 and May 2011, Vacationland Vendors did not state how the breach was discovered or whether affected customers have been notified.  The company did issue a general recommendation to anyone who visited the affected resorts within the targeted time frame to remain vigilant for fraud activity on their bank and credit card statements and to consider adding a <a href="../../../data-breach/data-compromise.html" class="broken_link" rel="nofollow">fraud alert</a> with the major credit bureaus.</p>
<p>The Vacationland Vendors data breach highlights the continued vulnerabilities of point of sale technology to crafty cyber criminals.  <a href="../../../data-breach/wp-security-as-business-risk.html" class="broken_link" rel="nofollow">Heartland Payment Systems</a>, a leading payment processing company, discovered this several years ago when it was hit by a historically large breach that exposed the accounts of as many as 100 million cardholders.  The same kind of breach affected CardSystems Solutions when a breach exposed the accounts of 40 million debit and credit card holders, leading to the sale and ultimate closure of the company.  Indeed, the theft of credit card data is one of the most common forms of fraud and the very reason that the Payment Card Industry Data Security Standard strengthened its requirements of payment card device vendors last year.</p>
<p>The <a href="../2011/02/07/understanding-the-risks-of-chip-and-pin-credit-card-verification/">debate</a> about how to best secure credit card transactions has continued this year with the burgeoning introduction of end to end encryption technologies that can better protect cardholder data throughout the entire transaction process.  An example of improved safety mechanisms in the POS process is newer chip and PIN technology, as evidenced by Visa’s recent <a rel="”nofollow” nofollow" href="http://usa.visa.com/download/merchants/bulletin-us-adopt-dynamic-authentication-080911.pdf" class="broken_link">announcement</a> that it is accelerating chip migration and adoption of mobile payments.</p>
<p>Until the technology around POS systems is more bulletproof, it’s especially important for companies to implement added <a href="../../../data-breach/data-breach-resources.html">safety measures</a> around their current credit card payment processes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/27/data-breaches-don%e2%80%99t-take-a-holiday-at-the-arcade/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Holiday travel without data leaks</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 01:03:07 +0000</pubDate>
		<dc:creator>bkrenek</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[Business identity theft]]></category>
		<category><![CDATA[Consumer fraud]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[healthcare data breach]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[Ponemon Institute]]></category>
		<category><![CDATA[Security Breaches]]></category>
		<category><![CDATA[Social media policy]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=879</guid>
		<description><![CDATA[The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses. ]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/ipad_beach.jpg"></a><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg"><img class="aligncenter size-full wp-image-882" title="5733459-santa-s-christmas-travel" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/5733459-santa-s-christmas-travel.jpg" alt="" width="432" height="305" /></a></p>
<p>The winter holidays are upon us and that means the travel season is pivoting into high gear.  Employees everywhere are preparing to trot off hither and yon, likely with their laptops and <a href="../2010/12/21/mobile-smishing-attacks-are-on-the-rise/">mobile devices</a> in tow – and, accordingly, with your company’s data, as enticing to prowling cyber-thieves as overstuffed Christmas stockings.  While holiday travelers unwind and turn their focus to hearth and family, fraudsters focus on snatching precious data from unwary targets at airports, wi-fi hotspots, hotels and beyond.</p>
<p><a rel="nofollow" href="http://www.thetechherald.com/article.php/200950/4916/Protecting-the-company-as-employees-travel-during-the-holidays" target="_blank" class="broken_link">What can companies do</a> to mitigate the risk to their holiday-traveling data?</p>
<p>First, remind employees about the importance of protecting their laptops and other data-carrying devices. According to the <a title="Ponemon Reputation Impact Study" href="http://www.experian.com/data-breach/reputation-impact-study.html" target="_blank" class="broken_link" rel="nofollow">Ponemon Institute</a>, close to 637,000 laptops are lost each year, most commonly at security checkpoints.  Ponemon notes that 10,278 laptops are reported lost every week at 36 of the largest U.S. airports, and 65 percent of those laptops are not reclaimed.  The airports with the highest number of lost, missing or stolen laptops include (in this order) Los Angeles International, Miami International, Kennedy International, and Chicago O’Hare.  While Atlanta’s Hartsfield-Jackson International is the busiest airport in the U.S., it is tied for eighth place (with Washington’s Reagan National) for lost, stolen or missing laptop computers.</p>
<p>The average value of a lost laptop is $49,246, a number based on several factors: replacement cost, detection, forensics, <a href="../2011/08/16/the-dollars-of-a-data-breach/">data breach</a>, lost intellectual property costs, lost productivity and legal, consulting and <a href="../2011/06/28/is-a-national-data-breach-notification-law-finally-within-reach/">regulatory expenses</a>.  Given the damage associated with laptops that go MIA, it might be wise to restrict access to corporate information while employees are traveling.  If full access to server information isn’t needed, consider using other systems such as read-only export files.  Suggest that employees transfer sensitive data from laptops to your company’s secure central server, or move it to a disk that may be stored safely until they return.  And don’t forget that <a href="../2011/07/12/encryption-data%E2%80%99s-best-friend/">encryption</a> can serve as an endpoint protection, which allows employees to perform a remote data erase if a device is lost.</p>
<p>A few other tips:</p>
<ul>
<li><strong>Encourage the use of privacy filters</strong>, which block the ability to view computer screens from an angle.</li>
<li><strong>Guard against open wi-fi prowlers</strong> by setting computer defaults to require owners’ authority before connecting to a new network.</li>
<li><strong>Discourage the use of public computers</strong>. Many of them contain “keylogger spyware” that can monitor every keystroke.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/13/holiday-travel-without-data-leaks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoiding holiday scams</title>
		<link>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/</link>
		<comments>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/#comments</comments>
		<pubDate>Tue, 06 Dec 2011 17:24:26 +0000</pubDate>
		<dc:creator>ofonseca</dc:creator>
				<category><![CDATA[Breach Prevention]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[breach prevention]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Policy]]></category>
		<category><![CDATA[data privacy]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Identity Theft Prevention]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[smishing]]></category>

		<guid isPermaLink="false">http://www.experian.com/blogs/data-breach/?p=872</guid>
		<description><![CDATA[With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.]]></description>
			<content:encoded><![CDATA[
<p style="text-align: center;"><a href="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/holiday-1210_intro_390x220.jpg"><img class="size-full wp-image-873 aligncenter" title="holiday 1210_intro_390x220" src="http://www.experian.com/blogs/data-breach/wp-content/uploads/2011/12/holiday-1210_intro_390x220.jpg" alt="" width="390" height="220" /></a></p>
<p>With the flood of online shoppers comes the accompanying tidal wave of fraudsters washing over the cheerful holiday landscape.  Hidden behind the online mistletoe, cyber-thieves lurk with seasonal scams, virtual Scrooges with plans to spoil holiday shopping for consumers and retailers.</p>
<p>Here, according to <a rel="nofollow" href="http://blogs.mcafee.com/consumer/consumer-threat-alerts/holidays-are-high-time-for-cybercrime" target="_blank" class="broken_link">McAfee</a>, are 12 common holiday scams to beware of:</p>
<p><strong>1. </strong><strong>iPad scams.</strong> Watch out for bogus offers for free iPads on social media sites and via spam.</p>
<p><strong>2. </strong><strong>“Help! I’ve been robbed” scam. </strong>Fraudsters send emails that appear to come from a friend’s account, claiming the friend has been robbed while traveling abroad and needs money wired in order to get home.</p>
<p><strong>3. </strong><strong>Fake gift cards. </strong>With these scams, cybercriminals promise fake <a href="http://www.experian.com/blogs/data-breach/2011/03/22/protecting-your-business-from-gift-card-fraud/" target="_blank">gift cards</a> in exchange for personal information that can be used for <a href="http://www.experian.com/blogs/data-breach/2011/01/04/identity-theft-protection-insights/" target="_blank">identity theft</a>.</p>
<p><strong>4. </strong><strong>Holiday job offers. </strong>Fake, high-paying work-at-home jobs are offered in exchange for <a href="http://www.experian.com/blogs/data-breach/2011/09/27/ensuring-the-security-of-personal-identifiable-information/" target="_blank">personal information</a>.</p>
<p><strong>5. </strong><strong>“Smishing.” </strong>Scammers “phish” via text message, or <a href="http://www.experian.com/blogs/data-breach/2010/12/21/mobile-smishing-attacks-are-on-the-rise/" target="_blank">smish</a>, often posing as a bank or online retailer requesting personal information to address a problem with a target’s account.</p>
<p><strong>6. </strong><strong>Holiday rental scams.</strong> Fake, attractive rental properties at low prices are advertised on phony websites in order to lure deposits via wire transfer.</p>
<p><strong>7. </strong><strong>Recession scams.</strong> Financial “help” is offered to targets in the form of pay-in-advance credit schemes and pre-qualified low-interest loans, all in exchange for an upfront processing fee.</p>
<p><strong>8. </strong><strong>Grinch-like Greetings. </strong>Fake e-cards are loaded with links to computer viruses and other malware.</p>
<p><strong>9. </strong><strong>Low price traps. </strong>Auction sites and phony websites are used to offer too-good-to-be-true prices on holiday gifts; the scammers walk away with information and/or money.</p>
<p><strong>10. </strong><strong>Charity scams. </strong>Solicitations for phony charities play on the spirit of holiday giving and philanthropic generosity.</p>
<p><strong>11. </strong><strong>Dodgy holiday downloads.</strong> Watch out for holiday-themed jingles, screensavers and animations distributed via downloads, spam or dubious websites – they could contain malware.</p>
<p><strong>12. </strong><strong>Hotel and airport Wi-Fi. </strong>During this season of high travel, Wi-Fi hotspots are criminal hangouts, with scammers eager to hack into unprotected networks.</p>
<p>This holiday season, make sure that you, your employees and your customers are on high alert for the seasonal scams that turn up with the regularity of fruitcake…and are just as unwanted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.experian.com/blogs/data-breach/2011/12/06/avoiding-holiday-scams/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>