Archive for the ‘Data Breach’ Category

Cloud Killer – Qu’est-ce Que C’est

Wednesday, November 17th, 2010

What are the 3 surefire ways to kill a cloud project:

  1. Not understanding compliance
  2. Betting on the wrong horse
  3. Not including IT

Thanks to David Linthicum for his recent excellent short article “3 surefire ways to kill a cloud project.”

These 3 cloud killers are particularly relevant to deployment of secure file transfer in the cloud.  I thought it would be worth reviewing how Accellion defends against these cloud killers:

1. Not understanding compliance – It’s all about compliance

From Accellion’s perspective it’s all about compliance. Ensuring compliance is foremost in any secure file transfer deployment, whether on-premise or in the cloud. Since Accellion secure file transfer deployments can span on-premise and in-the-cloud, we have implemented comprehensive data protection features to provide the control, tracking and reporting necessary to demonstrate compliance.

• Data in Motion - To protect the data moving through the Accellion secure file transfer system, Accellion provides not only business-level authentication but also encryption for data in motion. Data is transferred over the Secure Sockets Layer (SSL) protocol with 128-bit encryption, and Accellion additionally offers file encryption before upload using AES-128.
• Data at Rest - Accellion provides 128-bit disk encryption to protect stored data. File names are de-referenced when stored by the Accellion secure file transfer system, so the files are inaccessible on the server.

2. Betting on the wrong horse – Betting on the right horse

Accellion utilizes the Amazon Web Services (AWS) cloud computing platform to deliver our hosted Cloud Accellion Secure File Transfer service. We picked Amazon’s cloud because of its SAS 70 Type II certified data centers, 99.5% annual uptime service levels and its global distribution of data centers designed to anticipate and tolerate failure while maintaining service levels. We think we are betting on the right horse; however, we also give our customers the option to deploy Accellion secure file transfer in the cloud of their choice, either public or private.

3. Not including IT – Including IT

Accellion believes that ensuring data security and compliance should not be left to business users. We don’t support adoption of rogue applications; in fact, we think they are particularly hazardous for file transfer. Allowing business users to utilize free online file sharing services provides no visibility or control of the flow of enterprise information. At Accellion we work closely with IT organizations to deploy secure file transfer systems and provision business users to keep enterprise data transfer safe.

Thanks again David for the tips on staying away from 3 common cloud killers.

Facebook e-mail – a new security loophole

Tuesday, November 16th, 2010

Yesterday’s announcement by Facebook that they are introducing email capabilities should provide organizations with yet one more reason for banning the use of Facebook at work.  In the hope that it will raise additional awareness of the security and compliance risk with unmanaged data transfer I posted the following comments at cio.com:

In case you missed it, today Facebook announced the addition of e-mail capabilities for its users. The initial rollout (US only) starts today and will continue over the next few months. One of the most alarming things to note: Facebook says it doesn’t have a set limit on the size of files that can be sent/received via its e-mail. So, if you don’t have a secure, easy way for employees to share large files… watch out: Facebook e-mail can easily become the next insecure IT workaround.

Let’s face it, smart people will find a way to get the job done, and unfortunately, security is often of secondary concern when evaluating IT workarounds. To keep your employees away from the temptation of using insecure IT workarounds – like Facebook – to share confidential corporate files too large to be sent over the e-mail network, deploying an enterprise solution for managing file transfer is essential.

Accidentally-sent email could end up costing UBS $10 million

Monday, November 15th, 2010

Ouch. That headline is just not good, any way you look at it. As reported in an SC Magazine article today, “An email sent in error that contained details of General Motors’ upcoming flotation could have cost Swiss bank UBS an estimated $10 million.”

This data security lapse appears to have resulted in UBS being dropped as an underwriter for the plan by GM’s owners to sell $10bn in common stock on November 18, to partially pay back some of the $50bn US Government bail-out the company received during the financial crisis.

This mistake should never have been allowed to happen.  While humans do make mistakes, there are any number of IT security systems that could have prevented or reduced the risk of this mistake.  Let’s review some obvious ones:

• Any communications on such a large financial deal should have been sent securely, requiring user authentication.
• Content monitoring and filtering software could have flagged the email for sensitive information and quarantined it until it had been approved for sending.
• Sending sensitive financial information via secure file transfer would have allowed the download link to be deactivated once the error was detected.
• Sending sensitive information via secure file transfer would also have produced a return receipt from any unintended recipients, allowing earlier detection and preventing further downloads.

It’s very hard to understand why at least one of these data security systems was not in place to mitigate the risk. With the size of financial transactions that are at stake, it seems a wise and prudent investment for financial institutions to put in place IT safeguards against human error.  While email is wonderfully accessible and easy to use for business users, it is far too easy to make an inadvertent mistake that unfortunately can have significant financial implications.

At Accellion we help a large number of financial institutions, including the Bank of Scotland, Houlihan Lokey Howard & Zukin and Deloitte & Touche, protect their confidential information with secure file transfer solutions that reduce the financial risk of business user mistakes.  We understand that to err is human.

Data Breach Disease Strikes NHS – Again

Tuesday, August 24th, 2010

Yet again, an NHS trust is hit by a data breach, as reported in SC magazine today.  This time a CD of patient data was found at a bus stop. This is not to be confused with the data breach from the USB stick containing medical records that was found in a UK car park.

It is barely a month since we blogged on this topic, NHS Trusts Failing to Protect Information, and the Information Commissioner’s Office (ICO) issued a press release with the ominous title Poor Data Security in the NHS.  Earlier in June, Mick Gorrill, head of enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”

Looks like Mick and the ICO have their work cut out for them. Here is a checklist of to-don’ts that the ICO might find helpful in their data protection enforcement efforts with the NHS trusts.

• Don’t use USB sticks for transferring confidential patient data
• Don’t use CDs for transferring confidential patient data
• Don’t post confidential patient data on unsecure FTP sites
• Don’t allow use of P2P file sharing on NHS computers

Also our earlier blog posting Top 3 File Transfer Security Mistakes should be required reading for all NHS trusts.

Healthcare CIO Puts USB Ports on the Disabled List

Thursday, July 29th, 2010

Finally, a story about a CIO who takes on the data security threat from USB sticks and thumb drives. Earlier this week a short article entitled “Data Security is The CIO’s Constant Challenge” appeared in Health Data Management News. It is the story of Chuck Christian, CIO at Good Samaritan Hospital, Vincennes, Indiana, his IT department, and their efforts to protect private healthcare information and ensure HIPAA compliance.

Chuck explained “Earlier this year, Good Samaritan went well beyond its laptop policies, disabling USB ports across the computers connecting to its network.  It was a pre-emptive move to preclude inappropriate data transfers to easily lost devices.”

Chuck Christian explained that disabling the USB ports definitely changed behavior, not least that of the hospital’s purchasing manager, who wanted to buy thumb drives in bulk. Chuck’s response: “I said no.” To the credit of Chuck and his IT department, they implemented a number of secure alternatives so that hospital staff could still get their jobs done.
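The article does not say how Good Samaritan disabled its USB ports, so the following is an added example, not the hospital’s or Accellion’s own configuration: it audits whether USB mass-storage is blocked on a Windows host via the USBSTOR driver service and, with -Enforce, blocks it. It assumes Windows and an elevated PowerShell session.

```powershell
# Added example, not from the article or from Good Samaritan Hospital.
# Assumes a Windows host and an elevated (Administrator) PowerShell session.
# USBSTOR Start values: 3 = load on demand (USB storage allowed), 4 = disabled.
param([switch]$Enforce)

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstor -Name Start).Start
    if ($start -eq 4) { 'Blocked' } else { "Allowed (Start=$start)" }
}

$before = Get-UsbStorageState
Write-Output "USB mass-storage: $before"

if ($Enforce -and $before -ne 'Blocked') {
    Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    Write-Output "USB mass-storage: $(Get-UsbStorageState)"
}

# Evidence for the audit trail: USB disks attached right now. Disabling USBSTOR
# stops new mass-storage devices from loading, but anything already mounted
# stays mounted until it is unplugged, so list it.
Get-CimInstance -ClassName Win32_DiskDrive |
    Where-Object { $_.InterfaceType -eq 'USB' } |
    Select-Object Model, SerialNumber,
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } }
```

This setting covers only the USB mass-storage class (not MTP phones or other device classes) and a local administrator can revert it, so in a managed estate the durable control is the Group Policy setting under Computer Configuration > Administrative Templates > System > Removable Storage Access, applied to every domain computer.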

It’s as simple as that.  If you are in charge of data security “Just say no” when someone even suggests using a USB stick or bringing it into the workplace, and give them a secure alternative, such as Accellion secure file transfer.

Chuck Christian you are our Accellion Hero of the week.

New Data Breach Report – Portable Media Fastest Growing Data Breach Sector

Tuesday, July 27th, 2010

The Digital Forensics Association just completed a fascinating new report ominously titled “The Leaking Vault – Five Years of Data Breaches”. The report analyzes over 2,800 data loss incidents from publicly accessible sources and is the largest study of its kind. It’s a great read if you have a strong stomach for forty-two pages of data breach data.

One eye-popping data point is that during 2005 – 2009, 148.6 million records were reported lost due to use of portable media. This source of data breach is second only to data hacks. Perhaps most alarming is that loss of data from portable media represents the fastest growing data breach sector.

The security risks from portable media are a topic we’ve covered several times in the past year in the Accellion Managed File Transfer Blog. Just in case you missed the earlier posts, here they are again.

• Health records found on USB stick in UK Car Park
• Top 3 File Transfer Mistakes
• Another reason why file transfer via a USB stick is not a good idea

In addition to sharing the unpleasant truths regarding data breaches, the Leaking Vault report also offers some good recommendations on steps to take to increase data security. Securing portable data is one of its four focus topics.

Here’s Accellion’s recommendation for reducing the risk of data breach from portable media: don’t use USB memory sticks for file transfer, use a secure file transfer solution.

NHS Trusts Failing to Protect Information

Thursday, July 15th, 2010

National Health System (NHS) organizations in the UK have accounted for more than one quarter of the data security breaches reported to the Information Commissioner’s Office (ICO). If this keeps up, the ICO could become a profit center with its new powers, approved in April, to impose penalties of up to £500,000 on offending organizations.

The ICO issued a press release on June 15 announcing Poor Data Security in the NHS. NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Foundation Trusts were the latest NHS bodies found in breach of the Data Protection Act (DPA). Mick Gorrill, Head of Enforcement at the ICO, was quoted as saying “Everyone makes mistakes, but regrettably there are far too many within the NHS.” He went on to add “We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law.”

But wait a sec, just yesterday, July 14, there was another press release announcing Birmingham Children’s Hospital NHS Foundation Trust found in breach of the Data Protection Act (DPA).  Did the folks at Birmingham Hospital NHS Trust not get the message from the ICO?

An Ounce of Prevention is Worth a Pound of Notification

Friday, July 9th, 2010

The recently introduced C29 amendment to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a sign that the Canadian government is stepping up its efforts to raise the visibility of data breaches through expanded data notification requirements. This week’s SC magazine article entitled “Canada’s newly introduced data breach is a start, but it lacks teeth” raises the question of whether this legislation goes far enough. Under the C29 amendment, banks, retailers and other companies are required to report any “material breach of security safeguards involving personal information under their control.” In the amendment, the focus is on notification, not prevention.

While it is some consolation to individuals to know that they will be informed if their personal information has been breached, it would be a lot more reassuring to hear that corporations are required by law to implement safeguards to protect that information. The recently introduced Massachusetts legislation CMR-17 is a good model for legislation that goes significantly further than setting regulations for notification and extends to requirements for data breach prevention.

While data breach notification regulations are a good step in the right direction, an ounce of prevention is worth more than a pound of notification.

HIPAA Hazard – Shipping CDs via FedEx

Wednesday, July 7th, 2010

This week Lincoln Medical and Mental Health Center of NY suffered an embarrassing data breach resulting from a lost FedEx shipment of CDs. More than 130,000 medical records were exposed in this breach and it is small consolation to read that “Siemens was promptly directed to suspend further transport of CDs by the carrier.”  Of particular note in this data breach is the fact that both Siemens and Lincoln Medical and Mental Health Center thought it was an okay idea to ship CDs of unencrypted healthcare data as part of a standard business process, until of course a shipment went astray.  Did the word HIPAA never come up?  Why would anyone think it is a good idea to ship CDs of unencrypted healthcare data when there are readily available secure file transfer solutions?

DataLossDB, run by the Open Security Foundation, tracks data breaches and lists 134 data breaches from Snail Mail affecting 2729 organizations in its database. This week’s Lincoln data breach adds one more organization that has experienced the security hazards of shipping sensitive information unencrypted via the mail.

Vegas and Security?

Thursday, June 3rd, 2010

A few weeks ago my daughter and I went to Las Vegas so I could attend a security conference. It just so happened that her school was having Spring Break the same week. Luckily I had a friend who was going there at the same time so they could play all day while I attended sessions on securing Enterprise data. Not sure who got the better deal :-)

It turned out that the conference was really interesting. One of the sessions I attended had 4 CIOs from 4 different verticals (Healthcare, Law, Technology, and a major University) on a panel where attendees could ask questions regarding how they secured data within their Enterprise. They discussed many subjects including the difficulties of managing data leaving the Enterprise, managing a work force that is geographically dispersed and working more and more from home, and trying to keep up with the new generation of workers who expose themselves on social sites but get very upset if any part of their financial or personal data gets confiscated or used for purposes they did not approve.

The location of the conference was also interesting. It just so happens that Nevada was the first state to require businesses to secure personal data. Nevada State legislation Chapter 603-A was introduced in 2005 and an amendment was added late last year. This amendment added 2 significant changes: (1) a requirement to comply with the Payment Card Industry Data Security Standard (PCI); and (2) requirements to encrypt personal information in certain contexts.

This year Massachusetts followed suit with their own legislation, CMR-17. Part 3 of the Computer Systems Security Requirements requires: (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

It is good to see state governments taking an interest in controlling the transmission of sensitive personal data. Accellion Secure File Transfer helps businesses in these states comply with these new laws. Not only does Accellion send files encrypted, but it also stores those files encrypted.

Vegas and Security? I guess these guys are ahead of the pack! I wonder when the rest of the world will catch up?

Mary Nicknish, Accellion Product Manager