<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>In Defense of Data</title>
	<atom:link href="http://www.indefenseofdata.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.indefenseofdata.com</link>
	<description>Exposing Data Security Leaks and Breaches</description>
	<lastBuildDate>Tue, 17 Jan 2012 18:00:52 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Data Breach Insurance: Prevention Is the Best Medicine</title>
		<link>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/</link>
		<comments>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 18:00:52 +0000</pubDate>
		<dc:creator>Tim Matthews</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach insurance]]></category>
		<category><![CDATA[data loss prevention]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=708</guid>
		<description><![CDATA[Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal [...]]]></description>
			<content:encoded><![CDATA[<p>Businesses are no more immune to disaster than individuals are. That’s why organizations opt for insurance such as property, workers compensation and business disruption coverage. But, one of the most damaging events a business can experience is the loss or theft of sensitive information. This may be proprietary information about the organization itself, or personal details about its customers. Either way, a data breach can cause millions of dollars in damages.</p>
<p>It’s no wonder then, that businesses are talking more about <a href="http://bits.blogs.nytimes.com/2011/12/23/insurance-against-cyber-attacks-expected-to-boom/" target="_blank">data breach insurance</a>. This coverage is designed to provide businesses with compensation for legal costs and other expenses incurred in the aftermath of a data breach, such as identifying the source of the leak and notifying those whose information may have been compromised.</p>
<p>But at the same time, insurance should not be considered a replacement for adequate preparation and security. You should already have other security measures in place. In fact, many businesses are subject to regulations that mandate security—for instance, some regulations require encryption of sensitive information, greatly reducing the losses when incidents do occur.</p>
<p>If your security measures are less than robust, however, consider for a moment what damage would be done if your customers’ personal information was exposed through a data breach. The insurance would help with some of the costs, such as contacting your customers to make them aware of the problem. But there’s more at stake than court fees and downtime of your network. The loss of trust is one thing that can’t adequately be measured or accounted for by an insurance policy. Once your customers feel betrayed, they will immediately look to your competitors, and they’ll tell their friends to do the same. This abnormal customer churn is the number one cost associated with a data breach, according to the <a href="http://bit.ly/zCBSuQ" target="_blank">U.S. Cost of a Data Breach study</a>.</p>
<p>While the CFO may ask ‘wouldn’t insurance be cheaper,’ the organization needs to look at the cost of a data breach in terms of customer churn – in this case, mitigating the risk of a data breach is the better choice. Your best bet, then, is to ensure that you do everything you can to prevent such a breach from ever happening in the first place.</p>
<p>In order to protect your organization from data breaches that are becoming all too common these days, consider the following preventive measures.</p>
<ul>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures, then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two factor authentication</li>
<li>Integrate information protection practices into business processes</li>
</ul>
<p>These common sense measures will help reduce your chances of losing sensitive corporate information. With the right preparation, you may never have to find out just how effective data breach insurance actually is.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2012/01/data-breach-insurance-prevention-is-the-best-medicine/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security and the Price of Coffee</title>
		<link>http://www.indefenseofdata.com/2011/12/security-and-the-price-of-coffee-2/</link>
		<comments>http://www.indefenseofdata.com/2011/12/security-and-the-price-of-coffee-2/#comments</comments>
		<pubDate>Tue, 20 Dec 2011 22:30:02 +0000</pubDate>
		<dc:creator>John Hill</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[IT risk management]]></category>
		<category><![CDATA[mobile devices]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=699</guid>
		<description><![CDATA[Usually when the topics of security and coffee are raised in the same sentence, one of two thoughts comes to mind:

Very late nights in the past resolving a security incident
Stalking (i.e. hackers breaching free Wi-Fi hot spot services at local coffee shops)
I strongly believe there should be a third:
Leveraging a simple cup of coffee as [...]]]></description>
			<content:encoded><![CDATA[<p>Usually when the topics of security and coffee are raised in the same sentence, one of two thoughts comes to mind:</p>
<ol>
<li>Very late nights in the past resolving a security incident</li>
<li>Stalking (i.e. hackers breaching free Wi-Fi hot spot services at local coffee shops)</li>
</ol>
<p>I strongly believe there should be a third:</p>
<ol start="3">
<li>Leveraging a simple cup of coffee as a mechanism for breaking the ice and building a relationship with the leaders of business units within your organization</li>
</ol>
<p>Too many times I’ve walked in early to a customer meeting to find the IT Security group introducing themselves to the leaders of other departments within their own organization for the first time.</p>
<p>This event is typically driven by an upcoming project to secure item &#8220;XYZ&#8221;, which involves a new application or process. Although this is a less than perfect situation, it is better than the alternative, where the business does not consult IT security until the organization suffers a breach, possibly from this new project.</p>
<p>With the explosive growth of new technologies such as mobile devices and the Cloud, the likelihood that your organization is introducing new processes, applications, and devices without the security team&#8217;s knowledge is rapidly becoming a reality. The Cloud itself offers the business benefit of easy migration of applications and seamless sharing of data. That same seamless infrastructure has an imminent impact on the risk to your organization&#8217;s information. The ease of adding cloud computing and/or storage makes their introduction into an organization&#8217;s IT infrastructure without IT security’s knowledge a distinct possibility. In fact, recent research from the <a href="http://www.itpolicycompliance.com/" target="_blank">IT Policy Compliance Group</a> notes that 54 percent of organizations do not know how many cloud computing projects are underway in their organization.</p>
<p>With regard to mobile devices, many organizations are rewarding employees for their loyalty and hard work with tablets and upgraded smartphones. This class of device presents new challenges to IT, and its adoption adds another attack vector within your environment. So how do you protect or manage a device that you are not aware of?</p>
<p>This is where leveraging a simple cup of coffee can have a great impact on the security posture within your environment.</p>
<p>Most organizations recognize at some level that the impact of a breach or data loss, both from a financial and a corporate reputation perspective, is traditionally more costly than implementing controls and processes up front to manage the exposure and risk. However, early discussions about securing future and upcoming projects rarely occur in the pre-planning stages. This is where the price of coffee comes into play. Something as simple as inviting a colleague to share a cup of coffee can forge cohesive business relationships. This can have a long-term impact on IT security being notified of, and included in, new projects, applications and devices being stood up in the organization.</p>
<p>So the next time you are considering a run to Starbucks, recognize that a simple invite could make the difference between being included in or excluded from key conversations that affect the security posture of your organization, all for only a few dollars over their choice of coffee.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/12/security-and-the-price-of-coffee-2/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How is Malware like a Movie?</title>
		<link>http://www.indefenseofdata.com/2011/12/how-is-malware-like-a-movie/</link>
		<comments>http://www.indefenseofdata.com/2011/12/how-is-malware-like-a-movie/#comments</comments>
		<pubDate>Tue, 13 Dec 2011 21:27:00 +0000</pubDate>
		<dc:creator>Robert J. Shaker II</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[malicious attacks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Symantec]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=691</guid>
		<description><![CDATA[A couple weeks ago, a preview for a new movie by a famous actor playing himself as both the lead man and woman caught my attention. I like this actor and his movies are pretty funny, but it got me thinking…How many of these same movies have there been in the past with just a [...]]]></description>
			<content:encoded><![CDATA[<p>A couple weeks ago, a preview for a new movie by a famous actor playing himself as both the lead man and woman caught my attention. I like this actor and his movies are pretty funny, but it got me thinking…How many of these same movies have there been in the past with just a slight variation? How many people have paid to see, rent or own roughly the same movie with some alterations to make it seem new – either the actors change, the motivation for the characters change, the plot is slightly different? And, if this happens with movies then what about TV, music and books? I continued to ponder this, then it hit me that the same can be said for most of these art forms. We’ve seen countless TV shows about a group of friends living in close proximity to each other sharing life’s events, songs with the same message or similar notes and rhythms, books about spies, double crosses, wizards, vampires, but the stories all have strong commonalities.</p>
<p>Is this just human nature? Is the line from the television program, <a href="http://en.wikipedia.org/wiki/Futurama" target="_blank">Futurama</a>, true, “TV audiences don&#8217;t want anything original. They wanna see the same thing they&#8217;ve seen a thousand times before.” And does it apply to all media forms?</p>
<p>If it does apply, then what about software? I started to think about malware. The research of others, including Symantec, has shown that most malware is a variation of other malware, even replicating and varying itself without human intervention. Is this just human nature at work again? Are the creators of this malware creative, or is it ingrained in us that slight variation is good and that the familiar is comfortable? If the writers of the malware get too creative, Stuxnet aside, do they set off alarms and sensors and get caught? The people who write the toolkits and those who buy them want slight variations; if you completely change the application you might confuse the buyers, and they might go somewhere else for their wares. For the writers, the time and investment in making a significant change is enormous; will they make the money back? Easier to make a slight variation and get enough buyers to spend again? How do you stop this if it is human nature? Does it take great innovation?</p>
<p>The answer is a resounding YES. Technology like <a href="http://bit.ly/rwHxvC" target="_blank">Symantec Insight</a> is one example of great innovation. Through testing we have seen that the reputation component of Symantec’s Norton and Endpoint Protection products has amazing success against these varied versions of malware. By analyzing these and generating protection based on many criteria including frequency of installation, Insight can capture a slight variant and prevent it from executing. This is powerful when you consider that the majority of malware is varying at a very high rate and that these threats are targeted at 50 people or less.</p>
<p>Insight is a major step forward in the fight against malware, albeit a variation in itself of profiling. Insight’s massive database of identified software and a very large install base, coupled with the other technologies within the product, make it the best defense against infection from malware. It’s a single product that provides defense-in-depth.</p>
<p>Maybe variation is a universal law: there is a Universal Law of Economic Variation, our children are slight variations of us, our cars are slight variations of previous models, and movies and TV are variations. Maybe we can’t escape it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/12/how-is-malware-like-a-movie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insider Data Theft: When Good Employees Go Bad</title>
		<link>http://www.indefenseofdata.com/2011/12/insider-data-theft-when-good-employees-go-bad/</link>
		<comments>http://www.indefenseofdata.com/2011/12/insider-data-theft-when-good-employees-go-bad/#comments</comments>
		<pubDate>Wed, 07 Dec 2011 11:04:29 +0000</pubDate>
		<dc:creator>Francis deSouza</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[IP protection]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=678</guid>
		<description><![CDATA[In today’s business world, information is as valuable as cash. In fact, industrial espionage costs U.S. businesses more than $250 billion each year. [i] This has organizations scrambling to shore up their defenses against all manner of outside attacks.  At the same time, companies of all sizes may be neglecting one of the most important [...]]]></description>
			<content:encoded><![CDATA[<p>In today’s business world, information is as valuable as cash. In fact, industrial espionage costs U.S. businesses more than $250 billion each year. <a href="#_edn1">[i]</a> This has organizations scrambling to shore up their defenses against all manner of outside attacks. At the same time, companies of all sizes may be neglecting one of the most important perpetrators of intellectual property (IP) theft: their employees.</p>
<p>In order to assess this often underrated threat, Symantec asked forensic psychologists Eric D. Shaw and Harley V. Stock to examine various factors leading to insider IP theft. While most research is put into the development of technology-based security measures, their <a href="http://bit.ly/tf5C8j">white paper</a> focuses on the behavioral and environmental issues that can lead to theft of corporate data.</p>
<p><strong>Who Is the Typical IP Thief, and What Are They Stealing?</strong></p>
<p>The typical data thief is 1) a current employee; 2) male; and 3) 37 years old, on average. They serve mainly in technical positions such as programmer, engineer or scientist. <a href="#_edn2">[ii]</a></p>
<p>In about half the cases the employee stole trade secrets, followed by business information such as billing information or price lists. In other cases source code or proprietary software was taken, as well as customer information or business plans. Of particular note is the fact that in 75 percent of cases the thief had authorized access to the data they stole<a href="#_edn3">[iii]</a>, making it more difficult to solve the problem simply by strengthening security measures.</p>
<p>The thefts typically occur during working hours at the work site. About two-thirds of the time, the IP thief has already secured other employment, and in some cases has already given notice to the employer.</p>
<p><strong>The $250 Billion Question: Why?</strong></p>
<p>What CISOs want to know is, why are they stealing IP to begin with? Research shows that there is no simple answer. Part of it seems to stem from personality traits that may predispose certain people to theft. When combined with the proper motive and opportunity, this potential transitions into action. Outside stresses such as family or financial troubles also appear to contribute to thefts.</p>
<p>The research identifies two archetypical IP thieves with differing motivations and attitudes:</p>
<ul>
<li><strong>The entitled, disgruntled thief</strong>: This employee was at least partially involved in developing the information he stole, and has become unsatisfied with his position or the company. In some cases this led him to feel he was entitled to take the information with him as he left the job. In other cases, he may have intended to use the information to further his career. About a month before leaving, he would copy the information using his authorized access, using it to either get or perform at his new job. He rationalized his actions by convincing himself that other employees were doing the same, or that the company would be unable to trace the theft back to him.</li>
<li><strong>The Machiavellian leader</strong>: The primary motivation of this thief is ambition. He has specific plans to use the information, either selling it to another organization or using it to develop a new, competing product. Unlike the disgruntled employee, he plans the theft carefully, perhaps even creating a new business and recruiting fellow employees to assist in the theft. He may have begun to steal the information more than a month before leaving the company and is less likely to show outward signs of dissatisfaction or impulsive behavior.</li>
</ul>
<p>In the full report, Drs. Shaw and Stock go on to delve deeply into the psychology of these individuals and what leads them to commit these thefts. It discusses how the thefts were detected, what might indicate risk of this behavior in an employee, and how the potential becomes intent. This paper is essential reading for executives looking to keep their intellectual property safe.</p>
<p>The full report can be downloaded <a href="http://bit.ly/tf5C8j">here</a>.</p>
<hr size="1" /><p><a href="#_ednref1">[i]</a> Almeling, D., Snyder, D., Sapoznikow, M., McCollum, W. and Weader, J. (2011) “Statistical Analysis of Trade Secret Litigation in State Courts,” Gonzaga Law Review, No. 57.</p>
<p><a href="#_ednref2">[ii]</a> Moore, A., Cappelli, D., Caron, T., Shaw, E., Spooner, D. and Trzeciak, R. (2011) “A Preliminary Model of Insider Theft of Intellectual Property,” Technical Note CMU/SEI-2011-TN-013, June. Available at www.sei.cmu.edu/library/abstracts/reports/11tn013.cfm</p>
<p><a href="#_ednref3">[iii]</a> Moore, A., Cappelli, D., Caron, T., Shaw, E., Spooner, D. and Trzeciak, R. (2011) “A Preliminary Model of Insider Theft of Intellectual Property,” Technical Note CMU/SEI-2011-TN-013, June. Available at www.sei.cmu.edu/library/abstracts/reports/11tn013.cfm</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/12/insider-data-theft-when-good-employees-go-bad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keys to Security: More than Just a Password</title>
		<link>http://www.indefenseofdata.com/2011/11/keys-to-security-more-than-just-a-password/</link>
		<comments>http://www.indefenseofdata.com/2011/11/keys-to-security-more-than-just-a-password/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 20:18:29 +0000</pubDate>
		<dc:creator>Brendon Wilson</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[user authentication]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=669</guid>
		<description><![CDATA[Imagine for a moment that someone stole the key for your bicycle lock. But since it’s locked safely in your garage anyway, it’s no big deal, right?
Now imagine that, for convenience, you had previously rekeyed every other lock you have so you could use that bike lock key in all of them. Your front door, [...]]]></description>
			<content:encoded><![CDATA[<p>Imagine for a moment that someone stole the key for your bicycle lock. But since it’s locked safely in your garage anyway, it’s no big deal, right?</p>
<p>Now imagine that, for convenience, you had previously rekeyed every other lock you have so you could use that bike lock key in all of them. Your front door, your car, your mailbox and your safe deposit box at the bank are only secure if you keep that one key safe. Now how would you feel if you lost it?</p>
<p>Of course, nobody would be so careless as to make one key fit every lock, right? Well, take a moment to consider how many dozens of online accounts you have. How many of them use the same password? Think about what would happen if just one of those sites was hacked, and someone got a hold of your login information.</p>
<p>Even in the workplace, many users are likely to employ the same password to access any number of personal and business resources. With website credentials being constantly exposed, that poses a big problem. Just last week, in fact, more than <a href="http://www.theregister.co.uk/2011/10/26/logins_details_dumped_in_sweden/" target="_blank">210,000 user passwords were compromised in Sweden</a>. What if one of these users worked for you?</p>
<p>Businesses can lose millions of dollars if just one of their employees’ accounts is compromised, leading to the loss of sensitive corporate data. They face the increasingly difficult challenge of making information more accessible, which aids in employee productivity, without putting themselves at increased risk of data loss.</p>
<p>Given the sheer number of criminal activities going on across the Internet, the loss of corporate or personal data seems inevitable. But there are several steps that both businesses and individuals can take to improve their level of protection. The following best practices can help you keep your sensitive information as safe as possible.</p>
<ul>
<li>Train employees on correct information protection policies and procedures. Here are some guidelines to help them create secure passwords:
<ol>
<li>The longer the password is, the better. Mandate a minimum of eight characters. Have them use phrases that will be easy to remember, substituting symbols for some of the letters.</li>
<li>Instruct users to employ a mixture of capital and lower-case letters.</li>
<li>Have them add in foreign words, texting terms, slang and nonsense words.</li>
<li>Create a system, rather than a password. One formula might yield dozens of passwords, making them all easier to remember while maintaining security.</li>
<li>Encourage users to create different passwords for different resources, and never to use the same passwords for personal and business use.</li>
<li>Instruct them to immediately notify the appropriate person in your organization if a breach is suspected.</li>
</ol>
</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention, to keep endpoints free of malware.</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement.</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device.</li>
<li>Implement two-factor authentication to reinforce security even in the case of a compromised password.</li>
</ul>
<p>While attacks on your network are not likely to decrease anytime soon, taking these steps will greatly improve your overall security level and reduce your exposure to costly data breaches. A varied, comprehensive approach to overall security will ensure that the “keys” to your sensitive corporate information are safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/11/keys-to-security-more-than-just-a-password/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Patient Data: The 5 Rights of Data Administration</title>
		<link>http://www.indefenseofdata.com/2011/10/protecting-patient-data-the-5-rights-of-data-administration/</link>
		<comments>http://www.indefenseofdata.com/2011/10/protecting-patient-data-the-5-rights-of-data-administration/#comments</comments>
		<pubDate>Mon, 03 Oct 2011 14:23:54 +0000</pubDate>
		<dc:creator>David Finn</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[electronic medical records]]></category>
		<category><![CDATA[healthcare IT]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=630</guid>
		<description><![CDATA[When it comes to healthcare, accuracy and attention to detail are not only important, they can mean the difference between life and death. Preventing misdiagnoses or mistreatment is taken very seriously.
Today, not only are patient lives on the line, but also, their information is increasingly online—on the hospital’s IT system, on private networks and even [...]]]></description>
			<content:encoded><![CDATA[<p>When it comes to healthcare, accuracy and attention to detail are not only important, they can mean the difference between life and death. Preventing misdiagnoses or mistreatment is taken very seriously.</p>
<p>Today, not only are patient lives on the line, but also, their information is increasingly online—on the hospital’s IT system, on private networks and even on the Internet. Mishandling of this data, or unauthorized use of it, can result in the wrong medical treatment, identity theft, data breaches and more.  At the same time, more people need access to this information than ever before and from a variety of devices. The proper administration of healthcare data should be taken very seriously.</p>
<p>Just as clinicians use the “Five Rights of Medication Administration” to ensure proper patient care, the digitization of healthcare records and patient information means healthcare providers need to adopt best practices for ensuring proper security and privacy for patient data. To help organizations better understand their role in the administration of patient data Symantec has outlined specific best practices to ensure that patient information is kept secure regardless of where it is.</p>
<p>The following infographic, entitled “The Five Rights of Data Administration,” was created to help Health IT staff and users answer important questions about the use, access, and availability of critical patient data.</p>
<p style="text-align: center;"><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/SymantecInfograph-5Rights-Final.pdf" target="_blank"><img class="aligncenter size-full wp-image-656" title="5rightsbar" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/5rightsbar.png" alt="The 5 Rights of Data Administration" width="633" height="264" /></a></p>
<p>Organizations handling sensitive patient data would do well to consider the following important points.</p>
<p style="padding-left: 30px;"><strong>Right Time &#8211; Data should be available to authorized personnel whenever they need it</strong><br />
Ask yourself:</p>
<p style="padding-left: 60px;">•	Are my systems backed up and secure, and is access from certain locations at certain times suspicious?</p>
<p style="padding-left: 30px;"><strong>Right Route &#8211; Users need access to data regardless of where they are or the device they’re using</strong><br />
Ask yourself:</p>
<p style="padding-left: 60px;">•	Is the data on the doctor’s iPhone as secure as the data on the hospital’s PC on a nursing floor?</p>
<p style="padding-left: 30px;"><strong>Right Person &#8211; Ensure only the right people have access to certain information</strong><br />
Ask yourself:</p>
<p style="padding-left: 60px;">•	Can I verify who is accessing the data?</p>
<p style="padding-left: 30px;"><strong>Right Data &#8211; Prevent unauthorized tampering or accidental corruption of data</strong><br />
Ask yourself:</p>
<p style="padding-left: 60px;">•	Is this data the user is entitled or authorized to have access to?</p>
<p style="padding-left: 30px;"><strong>Right Use &#8211; Ensure only the “minimum necessary” information is provided</strong><br />
Ask yourself:</p>
<p style="padding-left: 60px;">•	Beyond treatment, payment and operations, has the patient signed a notice of privacy practices, and does this use fall within its scope?</p>
<p>Symantec encourages healthcare providers and IT staff to carefully evaluate these points to ensure that patient data is being administered safely and securely. Are there additional steps healthcare IT should be taking to protect patient data – leave a comment and let us know your thoughts.</p>
<p>Join the discussion on Symantec&#8217;s healthcare user group: <a href="http://www.symantec.com/connect/blogs/protecting-patient-data-5-rights-data-administration" target="_self">http://www.symantec.com/connect/blogs/protecting-patient-data-5-rights-data-administration</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/10/protecting-patient-data-the-5-rights-of-data-administration/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Survey Finds an Alarming Gap Between Tablet Usage and Security</title>
		<link>http://www.indefenseofdata.com/2011/09/survey-finds-an-alarming-gap-between-tablet-usage-and-security/</link>
		<comments>http://www.indefenseofdata.com/2011/09/survey-finds-an-alarming-gap-between-tablet-usage-and-security/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 23:01:11 +0000</pubDate>
		<dc:creator>Robert Hamilton</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[insider threat]]></category>
		<category><![CDATA[mobile devices]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=601</guid>
		<description><![CDATA[The enormous popularity of the iPad and other tablet devices signals a significant shift in how employees access sensitive information. The analyst firm IDC recently raised its forecast for the number of tablets that will be shipped this year by 17 percent, from 53.5 million to 62.5 million (click here to read the IDC press [...]]]></description>
			<content:encoded><![CDATA[<p>The enormous popularity of the iPad and other tablet devices signals a significant shift in how employees access sensitive information. The analyst firm IDC recently raised its forecast for the number of tablets that will be shipped this year by 17 percent, from 53.5 million to 62.5 million (click <a href="http://www.idc.com/getdoc.jsp?containerId=prUS23034011">here</a> to read the IDC press release). That’s in marked contrast to its gloomy forecast for PC shipments, which it predicts will grow by less than three percent this year. This signals a new trend for IT professionals, who are under increasing pressure to enable employees to use their tablets for business purposes. Symantec conducted an informal poll on its Facebook page, asking followers if they use their tablets for business and what, if any, security measures are in place to prevent data loss. The answers were both alarming and not terribly surprising: 100 percent are using their tablets for business, and a significant majority (63 percent) acknowledges that doing so somewhat or significantly decreases security. However, most are not following security best practices to protect sensitive and confidential information. Helping our customers strike that balance between letting employees use their tablets for business and not sacrificing security is the driving force behind an announcement we will make October 4th at our annual <a href="http://www.symantec.com/es/es/vision/welcome/?locid=barcelona">Vision Barcelona</a> conference.</p>
<p style="text-align: center;"><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse1.png" target="_blank"><img class="size-medium wp-image-612  aligncenter" title="Click for a larger view" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse1-300x198.png" alt="" width="300" height="198" /></a> <a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse2.png" target="_blank"><img class="size-medium wp-image-613    aligncenter" title="Click for a larger view" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse2-300x197.png" alt="" width="300" height="197" /></a></p>
<p>110 people took the time to complete the survey we hosted on Facebook, and one issue jumped out at me: there seems to be little organization around supplying tablets to employees. A significant majority of respondents &#8211; 74 percent &#8211; selected and purchased their tablets entirely on their own; only 20 percent were issued their tablets by their employers. That reflects the so-called “consumerization of IT” trend that continues gaining traction as people want (even demand) to use their smartphones and tablets for both personal and business use. There’s nothing wrong with that: it lets people choose their favorite devices and spares IT the time and effort required to issue and manage devices. But it also creates an increased security risk.</p>
<p style="text-align: center;"><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse3.png" target="_blank"><img class="size-medium wp-image-614  aligncenter" title="Click for a larger view" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse3-300x197.png" alt="" width="300" height="197" /></a></p>
<p>We asked what type of sensitive or confidential business-related information respondents have accessed or stored on their tablets, and allowed them to choose more than one answer. 78 percent of respondents selected intellectual property, 39 percent chose financial data, 38 percent selected customer records and 20 percent indicated employee records. 86 percent said they either regularly or occasionally access business-related information that could be considered sensitive.</p>
<p style="text-align: center;"><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse4.png" target="_blank"><img class="size-medium wp-image-615  aligncenter" title="Click for a larger view" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse4-300x198.png" alt="Types of Information Accessed" width="300" height="198" /></a></p>
<p>Despite the fact a majority of tablet users are accessing sensitive information, security protocols are lacking. More than half of the respondents have not received any communication regarding policies and/or best practices regarding the security of their work-related tablet activities, and only 55 percent are aware of any mobile device security and/or management software or tools their companies use in connection with their tablets.</p>
<p style="text-align: center;"><a href="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse5.png" target="_blank"><img class="size-medium wp-image-616  aligncenter" title="Click for a larger view" src="http://www.indefenseofdata.com/wp-content/uploads/2011/09/tabuse5-300x198.png" alt="Mobile Security" width="300" height="198" /></a></p>
<p>The key to eliminating this security gap is <em>not</em> to deny employees the use of their tablets, or force IT departments to manage programs where they are responsible for the purchasing and distribution of locked-down tablets that employees cannot use for personal reasons like watching movies or reading. IT departments do need to develop security policies and best practices for accessing or storing sensitive information on their tablets, just as they do on their laptops or PCs. IT should also implement a data loss prevention solution to prevent unauthorized persons from accessing that data if a tablet is lost or stolen. On October 4th, we will unveil a new tool to help IT do just that.</p>
<p># # #</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/09/survey-finds-an-alarming-gap-between-tablet-usage-and-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are Health Organizations Keeping Patient Data Safe?</title>
		<link>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/</link>
		<comments>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/#comments</comments>
		<pubDate>Mon, 26 Sep 2011 14:33:33 +0000</pubDate>
		<dc:creator>John Gobron</dc:creator>
				<category><![CDATA[Data Breach Law Compliance]]></category>
		<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data loss prevention]]></category>
		<category><![CDATA[electronic medical records]]></category>
		<category><![CDATA[healthcare IT]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[HITECH]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=596</guid>
		<description><![CDATA[A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than 20,000 patient medical records were exposed in yet another hospital data breach. A report from the Health and Human Services Department (HHS) found that more than 7.8 million people had their [...]]]></description>
			<content:encoded><![CDATA[<p>A few figures released over the last week paint a dismal picture of the state of information protection in the healthcare industry. More than <a href="http://www.nytimes.com/2011/09/09/us/09breach.html" target="_blank">20,000 patient medical records were exposed</a> in yet another hospital data breach. A report from the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachrept.pdf" target="_blank">Health and Human Services Department</a> (HHS) found that more than 7.8 million people had their medical information compromised in more than 30,500 breaches since the enactment of HITECH, while a report from the Digital Forensics Association shows that disclosure of health industry data breaches has increased markedly during this same timeframe.</p>
<p>By the numbers, it would seem that the healthcare industry is in crisis when it comes to protecting patient data, and it’s costing them. According to the Ponemon Institute <a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon" target="_blank">2011 U.S. Cost of a Data Breach study</a>, sponsored by Symantec, health data breaches cost $301 per lost record, which is 40 percent higher than average. Contributing to the higher cost is compliance with data protection regulations that require health organizations to do more to find, disclose and fix breach-related problems. In addition to disclosure laws in 49 states, healthcare organizations also must comply with HIPAA and HITECH.</p>
<p>Understandably, healthcare organizations, like financial institutions, face stricter regulation and disclosure requirements, which may contribute to the perception that there are more breaches in these industries. What’s more likely is that there are simply more ‘reported’ breaches and more headlines. But that’s not to say that the problem is overstated.</p>
<p><strong>Curious Insiders and Health Data Breaches</strong></p>
<p>Another <a href="http://www.eweek.com/c/a/Health-Care-IT/71-Percent-of-Health-Care-Companies-Suffer-Data-Breaches-in-Past-Year-Report-332736/" target="_blank">report</a> announced last week indicates that 71 percent of healthcare providers reported at least one medical records security breach in the prior year. What’s even more interesting, the majority of breaches were insiders snooping into the records of coworkers, friends and family. The same report found that loss or theft of equipment containing PHI caused 20 percent of breaches.</p>
<p>On the other hand, nearly half of the major data breach incidents, those affecting more than 500 records, reported to HHS resulted from theft, including stolen electronic equipment such as network components, laptops or hard drives.</p>
<p><strong>Rx to Reduce Risk of Breach</strong></p>
<p>For all the good that healthcare IT systems and electronic medical records bring to patients and providers, they also bring significant risk if not managed appropriately. Mishandling of patient data can lead to identity theft, regulatory issues, fines and more. Healthcare organizations need to make sure that the right people have access to the right data for the right use.</p>
<p>By creating a culture of security through training, policies and actions, organizations can help to reduce their risk of data privacy violations. At the same time, it’s important that organizations avoid demonizing the individual and assuming his or her actions were malicious. Instead, the organization should help to educate the insider on proper security procedures and policies.</p>
<p>A complete prescription to avoid data loss will also include technology solutions. Symantec recommends healthcare organizations consider the following to further reduce their risk of data breach:</p>
<ol>
<li>Assess risks by identifying and classifying confidential information</li>
<li>Educate employees on information protection policies and procedures, then hold them accountable</li>
<li>Implement an integrated security solution that includes reputation-based security, proactive threat protection, firewall and intrusion prevention in order to keep malware off endpoints</li>
<li>Deploy data loss prevention technologies which enable policy compliance and enforcement</li>
<li>Proactively encrypt laptops to minimize consequences of a lost device</li>
<li>Implement two-factor authentication</li>
<li>Integrate information protection practices into business processes</li>
</ol>
<p>What has been your biggest challenge in protecting patient health data?</p>
<p><em>John Gobron is the national healthcare director at Symantec and has more than 15 years of experience in the healthcare industry.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/09/are-health-organizations-keeping-patient-data-safe/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>How are you using tablet computing devices for work?</title>
		<link>http://www.indefenseofdata.com/2011/09/how-are-you-using-tablet-computing-devices-for-work/</link>
		<comments>http://www.indefenseofdata.com/2011/09/how-are-you-using-tablet-computing-devices-for-work/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 22:31:38 +0000</pubDate>
		<dc:creator>Symantec</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[mobile devices]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=590</guid>
		<description><![CDATA[An end user survey on personal and business tablet trends 
Like smartphones before them, tablet devices are making their way into the enterprise whether IT wants them or not.  They are yet another tool that keeps us connected both personally and professionally.
What’s unique about tablets is that they give us greater computing power on a [...]]]></description>
			<content:encoded><![CDATA[<p><strong><em>An end user survey on personal and business tablet trends </em></strong></p>
<p>Like smartphones before them, tablet devices are making their way into the enterprise whether IT wants them or not.  They are yet another tool that keeps us connected both personally and professionally.</p>
<p>What’s unique about tablets is that they give us greater computing power on a smaller device that can be just as effective as a desktop or laptop computer. Tablets certainly increase worker productivity, but they can cause headaches for IT departments. In particular, the commingling of our personal and corporate data is not without risk.</p>
<p>Symantec has developed a short survey to get tablet end users’ perspectives on this trend in business computing. We’d like to learn more about how you use your tablet for work, for personal use and how your employer is managing the growing use of tablets. The quick three minute survey can be found <a href="http://bit.ly/nu7JMi" target="_blank">here</a>.</p>
<p><a href="http://twitter.com/intent/tweet?text=Do+you+use+your+tablet+for+both+personal+and+business+purposes?+Take+this+short+survey:+http://bit.ly/nu7JMi">Click to Tweet</a>: Do you use your tablet for both personal and business purposes? Take this short survey: <a href="http://bit.ly/nu7JMi">http://bit.ly/nu7JMi</a></p>
<p>Once you’ve taken the survey, please stay tuned to this blog as we’ll be sharing the results once the survey is complete.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/09/how-are-you-using-tablet-computing-devices-for-work/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passwords are nowhere near useless in era of mobile apps</title>
		<link>http://www.indefenseofdata.com/2011/09/passwords-are-nowhere-near-useless-in-era-of-mobile-apps/</link>
		<comments>http://www.indefenseofdata.com/2011/09/passwords-are-nowhere-near-useless-in-era-of-mobile-apps/#comments</comments>
		<pubDate>Fri, 02 Sep 2011 18:48:05 +0000</pubDate>
		<dc:creator>Clint Sand</dc:creator>
				<category><![CDATA[Data Security Tips]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[mobile devices]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.indefenseofdata.com/?p=581</guid>
		<description><![CDATA[Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn&#8217;t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately though she [...]]]></description>
			<content:encoded><![CDATA[<p>Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn&#8217;t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately though she wasn&#8217;t using any smartphone feature to find her phone or remote wipe it. But at least she was able to make sure it had no access to rack up her phone bill.</p>
<p>All good right?</p>
<p>Unfortunately, her smartphone did not require a passcode to access the apps. Ugh. I asked her about this and she replied that it was no big deal because she didn&#8217;t have any really private information on there, and if so, the phone had no 3G access anymore to send anything off of it. Also, her password would be required to sync the data off of it.</p>
<p>No worries then?</p>
<p>This is a common thought with consumers I think, and perhaps an even more sophisticated answer than most users might give.</p>
<p>The reality, of course, is that someone could simply put the smartphone on free Wi-Fi and use her email app to reset most of her important passwords. Online bank password? Click &#8220;Forgot Password&#8221;; approve change via smartphone app. Done.</p>
<p>To combat things like this many sites require that you answer security questions in addition to having access to an email account. There have been some high profile arrests however in cases where people use publicly available information to defeat that too.</p>
<p>The fact is, if you have email access on your smartphone using a mail app that does not require a password to open it (i.e. all of us) then having access to your smartphone is pretty much game over for identity theft and much worse.</p>
<p>At work, we all sort of know this intuitively and most customer IT teams require a passcode for this very reason. But I HIGHLY recommend you make sure your family and friends understand this as well. Until the smartphone vendors start making a required password a default, your friends and family may be at great risk.</p>
<p>It&#8217;s worth pointing out though that while passwords will deter curious people finding a smartphone in a cab or airport, passwords like 1234 don&#8217;t help much beyond that. The requirement for at least seemingly random passwords is still a must.</p>
<p>When I talk about this with most of my friends and family, nearly 100% of them are using a visual pattern to easily remember a password. The 4 numbers in the corners? A &#8220;Z&#8221; pattern across the dial pad? A reverse &#8220;Z&#8221; pattern? An &#8220;L&#8221; pattern? There are only a number of these and any attacker trying to get to your smartphone will certainly try them.</p>
<p>On a related note, I found a pretty good <a href="http://www.blyon.com/gawker-and-your-password/" target="_blank">blog posting about picking secure passwords</a>. The author suggests dividing up sites by risk, and applying harder passwords to the riskier sites. This would allow you to have &#8220;throwaway&#8221; passwords for sites with little-to-no risk that are easy to remember, yet still protect the important stuff. I had been following this method intuitively. My online bank password, for example, is not written down or saved anywhere and is completely random. But, on less risky sites, I use PasswordSafe on my work machine and 1Password on my Mac.</p>
<p>The only thing I would add though, even though many email systems still send the password in clear text, is to put email into the &#8220;Banks&#8221; zone of risk. Getting access to your email pretty much leads to owning everything else about you since most &#8220;Forgot Password&#8221; systems can still be used simply by having access to someone’s email account.</p>
<p>I advised my friend to go IMMEDIATELY change her email password. This would cause the app on the smartphone to fail authentication and prompt the new owner of her phone for the correct password and likely mitigate at least this issue. She had thought of the risk of the data on the smartphone. She had thought of the risk to her phone bill. But something as simple as her email password wasn&#8217;t a thought at all.</p>
<p>Be safe. But make sure your family and friends are too.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.indefenseofdata.com/2011/09/passwords-are-nowhere-near-useless-in-era-of-mobile-apps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>