It happens every day.  A company spends a huge amount of money on a new technology system, without fully addressing the information implications.  Maybe the decision (to move on-premise operations to a cloud SaaS or PaaS, or to retire and replace an enterprise database, or buy a comprehensive new tool suite) was reactive, driven by an impending crisis.  Maybe the decision-making was siloed, with IT not clearly hearing what the rest of the business truly needs (or more likely, the rest of the business not speaking up).  Or maybe IT just responded literally to a business directive of the moment (let’s get into IoT, or Big Data, or Blockchain!).  Regardless, the green light is lit, the dollars are spent … and problems ensue, painfully multiplying the procurement’s all-in cost.

What was missing? Strategic consideration of repercussions for information compliance, risk, and value for the organization as a whole, including privacy, data security, retention/destruction, litigation discovery, intellectual property, and so forth.  In other words, Information Governance.  And when was it missing?  Before the decision was made and the dollars were spent.

So, what if something could be hard-wired into the procurement process, a trigger that timely prompted decision-makers to call time-out; get focused input from all stakeholders; assess the repercussions for information compliance, risk, and value; and align the procurement requirements and purchase decisions with organizational strategy for governing information?
Continue Reading X Percent for Information Governance

News reports today indicate that Verizon is pushing ahead with its purchase of Yahoo’s core internet business, despite Yahoo’s massive data breaches.  Yahoo suffered a breach of 500 million user accounts in 2014, on the heels of a one billion account compromise in 2013 (names, telephone numbers, birth dates, passwords, and security questions), reputedly the largest data breach in history.

Speculation swirled for months about whether Verizon would simply walk away from the deal, originally set at $4.83 billion, or would proceed with a drastically reduced acquisition price.  And the result, as of today’s announcement?  Full speed ahead, after lowering the purchase price by $350 million.

Verizon will gain personal data on Yahoo’s over one billion users, which will no doubt boost its digital media and targeted advertising revenues, and the deal will help Verizon expand beyond the crowded market for wireless services.  So, the value of user information is not in doubt.  But what about the value of privacy?

$350 million is a lot of money.  And apparently Verizon and Yahoo will share certain costs related to governmental investigations and breach litigation, with Yahoo remaining on the line for SEC and shareholder litigation fallout.  But still, the results of simple division are stark – $350 million against up to 1.5 billion affected persons … yielding 23 cents.
Continue Reading What’s our privacy worth? According to the Verizon/Yahoo deal, about 23 cents.

As the information tide relentlessly rises, many organizations simply see an IT problem, to be fixed with a purely IT solution – more storage capacity, more tools, or both.  But merely adding more storage is a reaction, not a strategy.  And adding technology tools without the right governance rules invariably makes things worse, not better.

This is not a criticism of your IT team.  Instead, the problem lies in a misunderstanding of the fundamental challenge.  Just as you shouldn’t bring a knife to a gun fight, you shouldn’t merely bring more storage capacity and IT tools-without-rules to your fight to regain control over your organization’s information.  What’s needed is governance.

Continue Reading Why govern your information? Reason #7: Merely adding more storage and more tools won’t solve your data problems


I had been thinking about writing a post on Blockchain when I happened across the Washington Post’s In/Out List for 2017, and that sealed the deal:

Out:  Not being able to explain Bitcoin.

In:     Not being able to explain Blockchain.

So, feeling up to the challenge, here goes.

Blockchain is really just a distributed, shared database technology.  Its use demands that multiple, untrusted entities (such as different companies in a supply chain) write transactions to multiple, duplicate copies of the database that propagate through peer-to-peer protocols.  Each node (or copy) of the database verifies the transaction independently by requiring the transaction to be confirmed in a blockchain.  The blockchain is chronological, and the database can only be changed when there is consensus among the participants.  Most important for the discussion here, however, is that the transactions and the distributed database are claimed to be immutable and permanent.  And that’s a real problem for information governance.
Continue Reading Blockchain – “Shiny Object Syndrome”?

As the calendar year turned there were several great posts highlighting lessons learned in 2016 from notable HIPAA breaches and enforcement actions.  It’s also useful to climb up out of the trees and view the forest.  The HHS Office of Civil Rights publishes information each year on reported HIPAA security breaches affecting 500 or more persons, and this database offers a unique, multi-year dataset on such breaches of protected health information.

Here’s a forest-altitude look at significant HIPAA breaches suffered by healthcare providers (setting aside health plans and clearinghouses), looking for key trends emerging during the five years from 2012 to 2016.

Continue Reading HIPAA trends emerge from five years of provider breaches

The “business case” for information governance often focuses solely on quantifying specific costs for data management and exposures for data security and ediscovery.  Number crunching is of course important, but it misses something bigger, more strategic, and ultimately more crucial to the organization – its brand.  Companies, regardless of industry, are fundamentally in the information business.  It follows that how an organization manages its information assets reveals how the organization manages itself.  And that matters, a lot, because companies that align themselves with their brand, achieving brand discipline, are more successful.
Continue Reading Why govern your information? Reason #8: It can build – or bust – your brand

Having too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.
Continue Reading Why govern your information? Reason #9: Unnecessary business data multiplies data security exposures

Most enterprise information governance initiatives are event-driven: an expensive lawsuit, a system migration, a board or regulatory inquiry, a corporate move, and so on.  Though there’s nothing wrong with being opportunistic in making IG progress, it can sometimes be too little, too late when a cybersecurity breach or some catastrophic event shines the light on decades of inattention.  How then do we become more proactive in improving how we manage information—arguably any company’s most valuable asset?

Inertia is a powerful thing.  It keeps us from exercising regularly, from cleaning the garage, and myriad other “honey do’s.”  Not to mention the personal distractions of football, basketball, kids’ soccer, social media, Internet surfing, and just plain hanging out.  When we translate this combination of inertia and distraction to the workplace, however, our “home” selves get in the way of our “business” selves and organizational best interest.  It’s just too easy to put off examination of what is an increasingly consequential business need: ensuring compliance, managing risk, and extracting value from our information.  Effort is required.
Continue Reading The crystallization of discontent: Finding the uber-ROI for information governance

Reports indicate that in mid-March of this year, John Podesta and various Clinton campaign staff members received individual notifications from Google like this one, telling them to change their Google passwords, pronto.  Just one problem – the security alerts weren’t from Google.  Months later, a barrage of Mr. Podesta’s hacked emails were published by WikiLeaks, serving up yet more artillery shells in this war zone of a presidential election.

Let’s look at this through a different lens.  What if there was a bank, Podesta Savings & Loan, and the bad guys scammed their way in, emptied the vault, and then scattered the currency all over Main Street?  You’re a bystander, and you see the bank’s cash being strewn on the street in front of the bank – is it OK for you to pocket the money?
Continue Reading Our complicity in the Clinton campaign email hacks

Depiction of the outages caused by Friday’s attacks on Dyn. Source: krebsonsecurity.com.

On Friday, a series of massive distributed denial of service (DDoS) attacks caused internet outages across much of the US, and also in parts of Europe.  The epicenter was Dyn, an Internet performance management company that provides Internet services to some of the web’s most-visited sites.  In three separate attack waves on Friday, tens of millions of IP addresses pelted Dyn with junk packets, resulting in Internet access outages at such popular destinations as Amazon, Netflix, Reddit, Spotify, and Twitter.

The culprit?  My DVR box.  Or maybe yours.
Continue Reading My DVR shut down the Internet