To cloud or not to cloud? That is the question. And while there’s no questioning the convenience and benefits of cloud storage – you can access your data from multiple devices and save space on your own servers – there are questions regarding how secure cloud storage really is.

Given recent hacking incidents at bigger-than-big companies and popular cloud services, here are a few things you need to consider when using a cloud provider:

Look for robust authentication: If a cloud provider offers a one-step login, i.e. password-only security, that’s a red flag. If there’s just a single password standing between your sensitive data and hackers, how long until that password gets cracked? Or it could be accidentally or maliciously shared with the wrong person or written down on a piece of paper that’s later lost. The bottom line is, you need more than a password. Look for and use a cloud provider that has a robust login and authentication process. Yes, it takes longer every time you log in. But it also helps to keep hackers out. Be sure to change your passwords and other authentication data regularly. And remember that not everyone in your organization needs to know how to access the cloud.

Take your time: It’s good to be cautious when you’re talking data storage, especially when it’s an outsourced service. So take your time choosing a cloud provider. Ask questions about what security measures are in place and how they are maintained. A dependable cloud provider should be able to answer all of your questions quickly. That likely means they know their service well and have anticipated your concerns. If you’re getting the runaround or don’t feel confident with the answers you’re receiving, look elsewhere. There’s not just one cloud in the sky.

Sign on the dotted line: You’ve thoroughly vetted a cloud provider’s security and authentication measures and have determined you’ll actually have a higher level of security using the cloud than with internal, on-site storage. You’ve asked about risk management, documented policies, incident preparedness, encryption levels, employee training and all of your other concerns. You’ve conducted a thorough audit and you’re happy with what you’ve found. Then and only then enter into a service agreement with a cloud provider.

Just remember that any type of cyber security is never foolproof and new threats constantly emerge in the cyber world. So keep up with what’s going on at your cloud provider and keep access to the cloud restricted only to individuals in your organization who really need it. If one of those individuals leaves your organization, change all of your cloud passwords and authentication data at once.

The fewer people who have access to your sensitive data – both inside and outside your organization – the more secure it is.

Our guest blogger this week is Gant Redmon, General Counsel & Vice President of Business Development at Co3 Systems.

Working for a company that navigates 46 different state breach notice laws and a plethora of sector based federal breach notice laws, I’m often asked what I think the likelihood is that the Federal Government will pass a comprehensive data breach notification law that supersedes all the state laws. While I don’t rule out a federal law passing at some point, I see it setting a floor of breach response responsibility rather than superseding everything already in place.

Put yourself in the shoes of a legislator trying to harmonize all the different state laws. That legislator is going to have three big political challenges.

The first challenge is choosing a single standard in the face of wildly different state standards. How will affected states feel about the Federal government imposing a different standard than the one they’ve settled on? Changing the rules in dozens of states will cause upheaval with political fallout.

The second challenge will be dealing with state attorneys general and treasurers. State AG’s are becoming more and more active in tracking breaches and cracking down on companies that don’t provide proper notice or have adequate security procedures. Part of that crackdown includes fines collected that go to the state treasury. A federal law will strip those AGs of the rule of privacy protectors and redirect funds to the federal government and away from the states.

The third challenge is that some states, like California and Virginia, go above even Federal notice requirements. What legislator wants to be known as the one who diluted people’s privacy rights by pre-empting strong protections and replacing them with weaker ones?

When trying to solve a problem, the first thing I ask is if I’m dealing with a problem worth solving. Privacy professionals and law firms have become well versed in the different state laws. Software solutions also exist that track all the different laws and provide incident response plans that are easy to follow. If the problem here is the complexity involved in dealing with disparate state breach notice laws, then we don’t have a problem worth solving.

“The opinions reflected in this article are solely those of the author and do not reflect the views of Experian Data Breach Resolution or any of its sister companies.”

How important is cyber security? October is National Cyber Security Awareness Month for the ninth consecutive year and each year, the designation seems to become more important.

So important that a top U.S. cyber warrior is recommending that his cyber command division be elevated into a top-level military unit under the Department of Defense. The Cyber Command, created two years ago, is currently under the U.S. Strategic  Command, which is responsible for U.S. nuclear and space operations.

Rear Admiral Samuel Cox, the cyber command’s top intelligence officer, believes his unit needs more power to combat the growing number of cyber threats facing the nation, according to Reuters. Many of those threats come from foreign hackers who are trying to pierce the Pentagon’s computer networks to obtain highly-classified information.

But cyber attacks aren’t just a threat to the military. Look at the numerous banks that experienced online outages due to cyber attacks in the past few weeks. And what about the flurry of data breaches reported this year by healthcare organizations?

The fact is that no organization – large or small – is immune from cyber attacks, hackers or simply the loss of a portable device containing the personal identifying information of consumers. Every organization and – every individual for that matter – needs to take cyber security seriously. And what better time to check on your security measures than during National Cyber Security Awareness Month. So here’s a checklist to help you keep your data safe.

•  Install the most up-to-date firewall, anti-spam and anti-virus software.
• Establish policies for handling sensitive data, mobile devices and computers. Educate everyone from C-suite executives to employees to contractors and vendors.
• Upload patches to fix any problems with your software programs.
• Use passwords on laptops, computers and mobile devices. Educate employees and contractors on the importance of using long, strong passwords.
• Encrypt laptops and mobile devices. Also encrypt sensitive files.
• Back up sensitive files and properly dispose of files you no longer need. Store backup data in a separate location – ideally off-site – from your main servers. To dispose of sensitive data, you should physically destroy the hard drive that contains the data. Otherwise, someone may be able to retrieve that data if the computer is sold or donated.

Get ready, Connecticut. A new data breach law is now in effect that brings the Office of the Attorney General (OAG) into the reporting loop.

The new law requires notifying the OAG by email no later than when affected consumers are notified. Previously, businesses were only required to report a breach to consumers. Yet Attorney General George Jepsen and his office were tasked with enforcing state breach laws – hard to do when you don’t know about the incidents.

But that’s all changed. Assistant Attorney General Matthew Fitzsimmons and the office’s Privacy Task Force will monitor the incoming emails. The new reporting requirement and newish task force (it was created last year) give the OAG more oversight of breach activity that may be putting consumers at risk. With more oversight comes better enforcement – at least that’s certainly what the OAG hopes.

Connecticut requires consumer notification when a breach involves unencrypted, computerized personal data. The state’s definition of “personal data” includes someone’s first and last names in combination with at least one of three data types: a Social Security number; a driver’s license or state identification number; or a financial account number, such as a credit card number, along with the access code for the account.

Businesses that don’t comply with the new law may find themselves in violation of the state’s Fair Trade Practices Act. Remember that sooner is better than later when it comes to breach reporting. At least if you want to avoid fines and violations.

Here’s the new email address for reporting breaches in Connecticut: ag.breach@ct.gov.

Internet safety isn’t just for the employees who handle your most sensitive data. It’s for each and every one. With June being National Internet Safety Month, it’s the perfect time to brush up on exactly what that means for your employees and business.

In a recent study, 78% of organizations had experienced at least one data breach due to the actions of a careless or malicious employee.¹ It’s important to educate and empower your employees to do their part for data security, and that means being safe online.

Anyone who uses the Internet in your office needs to be mindful of Internet safety. Even if someone doesn’t handle sensitive data directly, his/her actions could infect your network with a virus that leads to data loss.

One of the obstacles to Internet safety is that cyber risk is so intangible it doesn’t seem like an immediate threat at all.  Cyber threats are oftentimes the opposite. A virus could slowly siphon data from your network for weeks, months or longer without anyone knowing.

Because cyber risk is often veiled, regular educational sessions with your employees are vital. Be sure they know and follow your Internet usage policy. Don’t have one in place? National Internet Safety Month is the perfect time to organize and implement your guidelines. You can find examples online to help shape your own policies.

Here are a few things to consider addressing:

Personal Internet Use
Blocking employees from logging in and using their personal accounts at work isn’t just an issue of lost productivity. It’s also a security issue. Links, videos and attachments online and in emails can contain unseen threats, such as a virus or malware that undermines the security of your data. That could include your employees’ own personal data. Be sure they understand that the precautions are for their benefit as well as for the stability of the business and their jobs. You can use the honor system for off-limit sites or use software that blocks unsecure and other URLs.

Software Downloads
Have your IT team handle all software downloads and ensure operating systems and software are updated regularly. Automatic updates implemented across the entire network at once help ensure there isn’t a weak link, an outdated computer, in your system. Again, you can use the honor system and ask employees not to install any software themselves or block them from doing so for added security. After all, accidents and human error do occur.

Email Dos and Don’ts
Some employees handle a hundred or more emails a day. Considering the high volume and the ease of communicating by email, mistakes are bound to occur. Sensitive data sent to the wrong email address could be detrimental for your business and customers. Be sure your employees understand what type of data is and isn’t permissible to send by email. And that they don’t open any attachments, click on any links or respond to any requests for sensitive data if the source is not verified.

As part of your Internet usage policy and National Internet Safety Month, impart on your staff the importance of not only being mindful and careful but also sounding the alarm when anything goes wrong. The sooner you know about threats to your network, the sooner you can protect your data and business.

1 The Human Factor in Data Protection, Ponemon Institute (2012)

Our guest blogger this week is Tom Bowers. While well-known for years as the Managing Director of Security Constructs LLC, he is now the Chief Information Security Officer (CISO) for the Virginia Community College System.

I’ve been actively involved in InfraGard for many years. InfraGard is a public/FBI partnership with a primary mission of protecting critical infrastructure.  Because of this partnership, I began to wonder if the U.S government had anything I could leverage in my own business operations. The answer is, “yes.”

I’ve used the guidelines from the National Institute of Standards and Technology (NIST) for many years as a basis for building information security programs around the world. While these are excellent building blocks, they don’t address my training needs in preparing for a cyber attack. So I also leverage resources from the Department of Homeland Security (DHS) and other agencies.

Here’s a look at some of the resources I find useful in testing and training for a data breach:

NIST Computer Security Handling Guide
In the back of this document (special publication 800-61) are table-top exercises to help train your incident response team.
While a bit limited in scope, they are an excellent starting point at no cost to you.

DHS/FEMA Certified Cyber Security Training
The online Domestic Preparedness Campus is a portal for
10 courses that address three demographics of your enterprise: Non-technical, Technical and Business Professional. While they are perhaps a bit broad and general at times, they are an excellent starting point for your enterprise.

The different courses include:

• Information Security for Everyone
• Cyber Ethics
• Cyber Law and White Collar Crime
• Information Security Basics
• Secure Software
• Network Assurance
• Digital Forensics Basics
• Business Information Continuity
• Information Risk Management
• Cyber Incident Analysis and Response

Homeland Security Exercise and Evaluation Program

This program from the DHS provides a standardized method of creating cyber security exercises. You work with a member of the DHS team to create and ultimately execute a testing program. My organization is currently setting up a tabletop exercise with DHS for all 23 of our organizational Information Security Officers next spring. For your company, I expect that the Training Exercises portion will prove the most valuable.

In total, they offer seven exercise types broken down into training and operational exercises.

Training Exercises
1. Seminar – A seminar is an informal discussion designed to orient participants to new or updated plans, policies or procedures.
2. Workshop – A workshop resembles a seminar but is employed to build specific products, such as a draft plan or policy.
3. Tabletop Exercise (TTX) – A table top exercise involves key personnel discussing simulated scenarios in an informal setting.
4. Games – A game is a simulation of operations that often involves two or more teams, usually in a competitive environment using rules, data and procedure designed to depict an actual or assumed real-life situation.

Operations-based Exercises
5. Drill – A drill is a coordinated, supervised activity usually employed to test a specific operation or function within a single entity.
6. Functional Exercise (FE) – A functional exercise examines and/or validates the coordination, command, and control between various multi-agency coordination centers. A functional exercise does not involve any “boots on the ground.”
7. Full-Scale Exercises (FSE) – A full-scale exercise is a multi-agency, multi-jurisdictional, multi-discipline exercise involving functional and “boots on the ground” response.

Cyber Storm
Cyber Storm is a biennial exercise that provides the framework for a government-sponsored cybersecurity exercise. It is a combination of international government agencies, national and state government agencies and private industry. Its stated aims are to:

• “Examine organizations’ capability to prepare for, protect from, and respond to cyber attacks’ potential effects
• Exercise strategic decision making and interagency coordination of incident response(s) in accordance with national level policy and procedures
• Validate information sharing relationships and communications paths for collecting and disseminating cyber incident situational awareness, response and recovery information
• Examine means and processes through which to share sensitive information across boundaries and sectors without compromising proprietary or national security interests.”

Cyber Storm III was used to hone and tune the latest U.S National Cyber Incident Response Plan released early in 2011. The 2010 exercise had 60 companies participating across many industry sectors.It also tested the newly formed National Cybersecurity and Communications Integration Center, which is the “boots on the ground” hub for national cybersecurity coordination.

Managing your enterprise security and privacy risk posture can be a daunting task at times. Hackers are more sophisticated and coordinated in their attacks. It’s pretty tough out there right now but new tools, processes and procedures will ultimately gain the upper hand. You are not alone. There are a wide range of resources freely available to help build the skill sets of our teams. I remain encouraged and look forward to the battle with new hope and fortitude.

Hopefully very few us have fallen victim to a phishing scam, but we’ve come across these scams or heard about them in the media. Fortunately, because of this awareness, less than 1% of customers are being foiled by these nefarious attempts, according to a recent report that focused on customers of major US and European banks. However, of those who were lured to these phishing sites, 45% entered in their personal information that resulted in up to $9.4 million in losses.

Phishing attacks are on the rise.  According to a Panda Security investigation, scammers are creating 57,000 fake websites a week to falsely represent 375 popular brand names. As you can imagine, this large volume of phishing scams has serious implications for businesses as they strive to shield sensitive data from data breach and protect their customers from misrepresentations of their business.

A recent study by SpamTitan found that 75% of IT managers responded that the biggest source of phishing attempts for business users is email spam. An employee may receive an email that appears to be from a legitimate source requesting personal or sensitive business information.  When the employee clicks the link, that action may trigger the download of malware that could access or destroy sensitive data.  As phishing attacks present a clear danger to businesses, it is very important that company leadership establishes and implements strict network security measures to filter spam.

Another effective tool to fight phishing is to know the facts and educate the workforce of how avoid falling victim to these scams.

Despite stringent new breach notification laws, the number of reported data breaches has sharply increased. According to the Open Security Foundation, the number of reported breaches shot up from 141 in 2005 to over 500 each year since 2006. These breaches not only result in a loss of customer trust, but also have a significant financial impact as well.  The average cost per company record has increased by over 45% to $204 according to a 2009 Poneman Institute study.  That could turn into a lot of money fast for a large breach.

Unfortunately, data breaches are not specific to just one type of company in a particular industry.  Breaches occur in companies both large and small and in a myriad of industries. What can a business do to minimize the risks and damages of a data breach?

A recent article in the New Hampshire Business Review outlines a series of steps a company can follow to minimize the risks associated with a data breach.  Featured measures include steps I’ve touched on in previous blog entries, including reviewing the data security practices for all third party vendors and ensuring wireless connections are secured.  The more you know the facts, the better prepared your company will be.

Nevertheless, none of these precautionary measures can guarantee that a company will not experience a data breach. Cybercriminals are very adept at identifying and exploiting security gaps in company IT systems and data policies. Learn more about what your company can do to stay ahead of cyber-criminals and protect your customers. Your company policies are the first line of defense.

Recently I addressed the importance of having plans in place to protect personal health information in light of the sharp increase in healthcare data breaches.  Unfortunately, research studies are finding that incidents of fraud resulting from exposed healthcare data are on the rise. A recent Javelin Strategy and Research study noted that fraud resulting from exposed health data has more than doubled over the past year.

This sharp spike is due to the extensive personal information available on an individual’s health record.  According to a recent RSA Online Fraud Report, the types of fraud that can be committed using full information profiles are limitless. Not only is the individual a potential victim, the healthcare providers, insurers and the pharmaceutical companies are as well.

The RSA Report sites examples where a cybercriminal steals personal health information (PHI) to file false patient claims to an insurer.  A second example includes making false prescription orders to fuel the underground prescription drug trade.  Unfortunately, the consumer whose PHI is being abused may incur damages beyond being a victim of someone stealing their medical information.  Consumers may come under criminal investigation for defrauding the insurer or buying prescriptions illegally.  That doesn’t sound fair, does it?

It is of paramount importance to develop policies to deter and detect data breach threats.  However, it is of equal importance to keep customers informed of how to protect their health privacy themselves. National Cyber Security Awareness Month begins October 1 this year. Please consider informing your clients and customers of how they can remain safe online.