Kaliber Data Security Blog

Read posts from the Kaliber Data Security Blog focusing on data protection, cyber security and more.

Five Habits Of Highly Secure Organizations

There are five habits of highly secure organizations, according to Ben Rothke, Manager – Corporate Services Information Security at Wyndham Worldwide.

Rothke was about to give a presentation on this topic at the 2013 RSA Conference in San Francisco, but he gave Tripwire’s David Spark (link here) a sneak preview on the show floor just beforehand.

  • Have a CISO: Somebody needs to drive security. For example, a Chief Financial Officer is critical for driving finances. Similarly, a Chief Information Security Officer is critical for spearheading the company’s security practice.
  • Risk Management: Risk drives everything. The CISO understands the risks and threats the organization faces and designs a security program around that. This must be customized and not a series of standard “best practices.”
  • Invest in people not products: “The cost of hardware and software purchased has no corresponding effect to the level of security,” said Rothke. A company that has great talent using open source products will be more secure than a company that spends millions on proprietary tools but doesn’t intrinsically know how to use them.
  • Policies and procedures: It’s very important to have standardization across all business units and processes. You want the firewall installed and managed in one location to be installed and managed the same way in another location. “If things aren’t done via standard processes you’ll have inconsistencies and that’s where security breaches and mistakes happen. When you don’t have common procedures and common practices things are done ad hoc, and ad hoc is the enemy of good security,” warned Rothke.
  • Awareness: People have to have situational awareness of what they’re doing. For example, if you don’t have effective key management all the security you have will go up in smithereens, said Rothke.

Companies take 80 days to Discover a Data Breach

Solera Networks has published the results of a global study based on the answers provided by over 3,500 IT and IT security professionals whose organizations suffered at least one data breach in the past 24 months.

Made by the Ponemon Institute on behalf of Solera, “The Post Breach Boom” report shows some interesting things about data breaches.

It turns out that, on average, it takes a company 80 days to discover a malicious breach and over four months to address it.

The study also reveals the fact that data breaches increased in both severity and frequency by 53 percent in the past 24 months.

63% of the respondents admitted that it would help them strengthen the security posture of their organization if they knew the root causes of a breach. However, only 40% have the necessary resources to determine the causes of a security incident.

Worryingly, in one third of the cases, the data breach is not detected by the company’s security systems. Instead, it’s reported by a third party.

As far as costs are concerned, malicious breaches cost almost double compared to non-malicious breaches. In the case of non-malicious incidents, loss of reputation, brand value and image are the most serious consequences.

“Security breaches continue to occupy the headlines on a daily basis, making it clear that there is still much work to be done before companies are prepared for the inevitability of today’s advanced targeted attacks,” said John Vecchi, vice president of marketing at Solera Networks.

“In a post-prevention world, organizations must shift their focus toward attaining the real-time visibility, context and big data security analytics needed to see, detect, eradicate and respond to advanced malware and zero-day attacks.”


Does IT align with Maslow’s “Hierarchy of Needs”?

In a recent blog post, Dwayne Melancon, CTO of Tripwire, explored the notion of aligning the value provided by IT with the well-known psychological theory, Maslow’s Hierarchy of Needs. In Maslow’s paradigm he postulates that, as humans, we must cover the basics (breathing, food, water, procreation, sleep, critical bodily functions, etc.) before we can move to some of the more discretionary needs, like creativity, love and belonging, etc.

Melancon, in turn, asks the question, “What is Maslow’s hierarchy of needs for business?” For some, the ‘must haves’ are things like revenue, profit and business availability, while the discretionary things may be giving back to the community, employee satisfaction, company parties, etc.

Is your Firm Spending too much on Information Security?

In many organizations an environment exists where awareness about the need to protect critical information is high, but uncertainties persist around the necessary, practical steps required to truly better protect an organization. Without a cyber security strategy in place, companies often fall victim to misallocating their investment in cyber security, over-protecting non-sensitive data or under-protecting critical data.

A report (http://www.thalescyberassurance.com/white-papers.htm) suggests businesses may be spending too much on IT security by over-protecting non-sensitive data.

Ross Parsell, director of cyber strategy at Thales UK, warns that, while the volume and scale of cyber-attacks show no signs of slowing down, there is a danger that resources are sometimes assigned to areas that do not need them.


How Cyber Criminals Make Money from Hacked Computers

You are a Target

This poster identifies and explains different ways cyber criminals can make money from a hacked computer. It helps ordinary computer users understand why they are a target and how they are worth money, and is an excellent resource to actively engage people in your awareness program. The poster is based on the original work of Brian Krebs.

Appearance on Entrepreneur Radio


Click this link to hear Ken’s interview with Jon Freedman and Greg Stoller.

Thinking About Data Privacy in Outsourcing

Two forces are shaping privacy and security in outsourcing: Companies’ increased use of outsourcing driven by the desire to achieve greater efficiency coupled with a rapidly evolving privacy and security environment.

What your vendor partner does with your company’s data (or that of YOUR customers), and how it protects—or fails to protect—it, can put your company at risk vis-à-vis data protection laws, not to mention putting the reputation of your firm at risk as well. It is your responsibility to assure that your vendor partners have good policies and practices in place to protect your firm’s image in the marketplace as well as shield you from legal liability.

Some things to consider:

1. Do your vendor agreements have specific language obligating them to protect the confidential information of your firm and your clients?

2. Do you perform “due diligence” to assure that your vendor/partners have implemented good security policies and procedures and are not merely paying lip service to your security obligations in order to gain/retain your business?

3. Do you share privacy practices with your partners? As outsourcing grows, the need for collaborative interaction where both parties share information and improve processes and procedures becomes increasingly important.

4. Do you maintain a compliance log? A compliance log is a useful tool: it lists the vendors with whom you share confidential information and tracks the status of each agreement, the status of your due diligence, and renewal dates and terms.

Small Companies – Weak Link in Security Chain

In a recent article for BBC News, Professor Alan Woodward outlines the vulnerabilities imposed on cyber-security by weak security practices at smaller organizations.

“They may not think they have any data worth stealing but even the smallest company can be custodian to information that represents hard cash to criminal gangs: credit card details, customers’ names and addresses, or the designs vital to an innovative start-up – all have a ready criminal market,” writes Professor Woodward.

Over the past 12 months a number of surveys have emerged which suggest that in excess of 60% of these small businesses have suffered some form of successful malware attack.

It’s not entirely surprising that small businesses are quite so poorly defended.

Someone running a small business is not necessarily going to have security as their main priority.

They are typically entrepreneurs, not security experts. Money is always tight, and there is a natural tension between need and cost; nearly 20% of small businesses only concern themselves with cyber-security following an intrusion. More worrisome still, one report indicates that 10% of small businesses would have no way of knowing if they had been successfully attacked.

Criminals also recognize that smaller businesses can often be a way of extending their reach to larger firms.

Take, for example, a manufacturer whose designs are at the cutting edge.

Today, they typically don’t fabricate themselves but pass the designs to smaller manufacturers who in turn may subcontract elements of the manufacture.

That cutting-edge design, worth considerable sums in intellectual property, can end up with a relatively small business and is then protected using only their security, not that of the larger manufacturer.

An emerging trend is for those who disseminate valuable intellectual property to large distributed supply chains to track and audit who has access to what data. If the smaller business proves to be a source of a leak then they will not be in that supply chain for very long.

If a small business is looking for an advantage to join one of these large supply chains, they can differentiate themselves from the competition by demonstrating that they can protect the intellectual property entrusted to them.

With the perception that it will “never happen to me”, smaller businesses have put off what they see as a significant expense for a very remote eventuality. But small businesses cannot afford to put off considering cyber-security any longer.

Just as they hire outside expertise for accounting, there are many who can advise on the best way to protect them and their clients’ valuable data.

Failure to do so will ultimately cause the business to fail either through direct losses from an attack, or from being dropped by customers who feel their data is inadequately protected.

Did Sandy knock out your Corporate email?

Kaliber is a Premier Reseller of Perimeter E-Security’s Archive Anywhere product, which provides online access to email history PLUS access to corporate email even if your corporate or email hosting servers are unavailable.

The cloud-based Archive Anywhere service provides an alternative to remote Web portal access, helping organizations of all sizes provide easy, safe and secure messaging for their employees while reducing legal liability and ensuring business continuity.

“Customers want their email archives integrated into the app they use every day: their email client,” said John Viega, EVP, Perimeter E-Security. “Perimeter’s revolutionary Archive Anywhere service lets users search, save and see their archives just like the rest of their email. Perimeter’s solution eliminates the pain of password juggling, separate search boxes and proprietary portals.

Additionally, in the event of a global Exchange interruption, users are assured the ability to send and receive email – thereby ensuring critical messaging continuity.”

Archive Anywhere enhances Perimeter’s existing Messaging Continuity and Messaging Compliance Manager services, and is available as a feature to existing customers, as well as to customers of other hosted mail solutions and in-house email. The service is also available as part of Perimeter’s suite of secure cloud messaging solutions.

  • Any Device, Anywhere: Supports archive browsing and search across all desktop computing platforms including Windows, Apple and Linux, and email-enabled mobile devices including iPhone, iPad, BlackBerry, Android and Windows phones.
  • Archive Anywhere can be up and running in under 30 minutes, for 100 or 100,000 users, without the need for additional software, costly on-premise hardware, or technical support.
  • Eliminates the burdensome task for Exchange users of exporting and storing emails in PST files.
  • Support: 24/7/365 network operations center provides monitoring and support to ensure organizations have consistent protection.

With more than one million secure messaging users, including 300,000 on Hosted Exchange, Perimeter E-Security is an enterprise security services provider offering both threat management and secure messaging, underpinned by compliance expertise.

Protecting Corporate Information

A business’s information is as important an asset as anything physical it owns.  Many breaches of privacy or releases of sensitive information are inadvertent and can be prevented by educating employees about confidentiality and then checking in frequently to confirm compliance.

Ensuring that employees follow the right procedures will:

  • Protect your business by keeping trade secrets and valuable information from your competitors
  • Keep your customers happy by safeguarding their private information
  • Defend your company against losses from data theft or fraud
  • Project an image of responsibility and professionalism

Set Policies on Confidential Information

First, identify what information your business needs to protect (customers’ private information, financial data, trade secrets, and so forth). Second, determine who handles that information, and how it should be protected. Your policy should clearly state that the company owns its information and identify the types of information that must be kept confidential, the processes by which data security will be ensured, and the consequences for violating the policy.

Educate your Employees about Privacy and Ownership of Information

Communicate your policy at hiring and reinforce it regularly. Provide stand-up or web-based training programs. Implement a Policy Portal that will demonstrate that employees have read your important policies.

Have your employees sign Nondisclosure Agreements

A nondisclosure or confidentiality agreement is a legal contract between employer and employee that binds the employee to keep the company’s information confidential. These should be implemented wherever practical.

Monitor Employees

Trust but verify! The more valuable your confidential information is, the more your business must guard against data theft and fraud. For most employees, letting them know what is expected of them is generally sufficient, but where more is needed, Data Loss Prevention (DLP) tools are available.

Control Electronic Communications, Internet Use and Data Transfer

Emphasize that all data on company computers is company property and subject to filters and monitoring. Use passwords and access permissions to limit the right to see confidential information to only those employees who need it. Implement email encryption programs to protect sensitive information when it is sent outside the organization.

Remember, company employees who inadvertently violate data security policies continue to be a factor in the largest share of data breaches. According to a recent Verizon report, 67 percent of breaches were aided by “significant errors” on the part of well-meaning insiders.

Set Policy. Provide Training. Implement Controls. Monitor Compliance.