Presentation: Helping Businesses Prepare for Computer Fraud and Data Breaches

Last night I had the wonderful opportunity to present to IMA – The Association of Accountants and Financial Professionals in Business on the topic of Helping Businesses Prepare for Computer Fraud and Data Breaches. Here are the presentation slides.

I was really impressed with the quality of this event on many levels — these folks really put on first class meetings so, for those of you who are accountants or financial professionals, I would encourage you to check them out. The facilities were great, the people were great, the food was great and it’s amazing how insightful and inquisitive a group can be when wine is served! Seriously, if you spend much time presenting to groups, you can tell when an audience is interested and paying attention or when they’d rather be some place else — this group was focused and their questions showed it. It was a real pleasure for me. The icing on the cake, however, was at the end when I was told that the organization would make an honorarium to my favorite charity — Cure JM of course! Much thanks!

We Are The Biggest Security Risk To Our Companies

“We are the weakest link.”

Wow, this is certainly the theme of the last few weeks — people are realizing that the biggest threat to companies’ security defenses is the people inside the companies. You may recall that I discussed this issue in two blogs over the last couple of weeks:

Having written on this subject, I was delighted to see a very thorough and well written article in the Wall Street Journal by Geoffrey A. Fowler entitled What’s a Company’s Biggest Security Risk? You. Fowler starts with the premise that “we are the weakest link”, and I agree. He goes on to explain the nature of the problem and provides several concrete examples of how hackers, spies, fraudsters, and phishers are preying on our own human weaknesses to find ways to penetrate companies’ elaborate security systems through what is called social engineering. Fowler concludes that the solution to the problem is not more technology but, instead, human solutions such as increased employee vigilance and awareness.

My brief summary does not do Fowler’s article justice — it is a great article that is loaded with information on this subject that should be of interest to everyone engaged in business. Take a few minutes and go read the article.

Guarding Against the Inside Job (Part 1 of 2)

“You are only as strong as your weakest link”

It is becoming clear that the weakest link in most companies’ information security defenses is the people who work inside the company. The company must identify the most likely risks those people face, train them to minimize those risks, develop policies to protect against those risks, and implement systems to monitor the discipline of those people in adhering to their training and policies as well as to catch when they’re up to mischief.

In this, the year of the data breach, the necessity of protecting the company against attack is more important than ever. Many tend to think of this primarily as implementing technological barriers to protect the company’s computer systems. But what many do not realize is that no matter how effective the technology may be in theory, in practice it is only as good as the people in the organization who work within its confines.

A significant amount of the commentary about information security discusses the integral role people play in company security breaches — not just internal breaches, but external breaches as well. That is, the easiest way for a hacker to penetrate a company’s defenses is for an insider to invite him in, either knowingly or unknowingly, and that is exactly what happens in many cases. What this means is that there are at least three types of security breaches:

Insider Intentional — “the inside job”

Insider Unintentional — “idiocy” inviting outsider

Outsider Direct Attack

So much attention has been paid to the third, the outsider direct attack, that I do not intend to address that issue. In this post, Part 1 of 2, I am going to focus on the first, the Inside Job. In my next post I will focus on the Idiocy Inviting Outsider type of breach.

The Inside Job

In a very insightful article entitled Understanding the Insider Threat, Omar Santos (@santosomar) gives a very thorough explanation of the nature of, and harm caused by, insiders who knowingly exploit their employers’ computer systems. The statistics are surprising and demonstrate that insider mischief is a substantial problem. While the number of incidents of outside attacks versus inside attacks overwhelmingly favors the outsiders, the damage done is far different, according to Santos:

If you count damages, insider attacks often are far worse. They are more extensive and go undetected longer. It is all about the attack surface and how well you understand the level of exposure (internally and externally). The problem sometimes is not technical, but organizational. In other words, sometimes people tend to focus on building a fort that protects them from outsider threats (using the best security technologies and processes in their Internet edge), but then fail to implement the same level of protection internally and develop processes and procedures to audit and assess their internal network.

Clearly, based upon the weak links that Santos describes, companies need to focus on beefing up their technology to detect these types of internal breaches — the inside jobs.

Personal Data Privacy and Security Act of 2011

On June 7, 2011 Senator Leahy introduced bill S. 1151 in the Senate called the Personal Data Privacy and Security Act of 2011, which is linked HERE. The stated purpose of the bill is as follows:

“To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.”

The proposed bill would, among other things, amend the RICO Act to include violations of the Computer Fraud and Abuse Act (“CFAA”), thus adding a RICOesque twist to the CFAA which is a dream for any lawyer dealing with these issues. This is a significant piece of legislation that comes in at 70 pages and will require some analysis (did I mention I’m getting married this week?) that I fully intend to do … but I haven’t yet! At any rate, I’ll do this the “cheap way” for the time being and provide the Table of Contents of the bill so you can see what it does in general and whether it’s worth your while to dig any deeper. Or, you can just wait for me to dig into it for you! I am sorry for doing this but it is late and I have lots to do so, at any rate, here goes:

TITLE I—ENHANCING PUNISHMENT FOR IDENTITY THEFT AND OTHER VIOLATIONS OF DATA PRIVACY AND SECURITY
Sec. 101. Organized criminal activity in connection with unauthorized access to personally identifiable information.
Sec. 102. Concealment of security breaches involving sensitive personally identifiable information.
Sec. 103. Penalties for fraud and related activity in connection with computers.

TITLE II—DATA BROKERS
Sec. 201. Transparency and accuracy of data collection.
Sec. 202. Enforcement.
Sec. 203. Relation to State laws.
Sec. 204. Effective date.

TITLE III—PRIVACY AND SECURITY OF PERSONALLY IDENTIFIABLE INFORMATION
Subtitle A—A Data Privacy and Security Program
Sec. 301. Purpose and applicability of data privacy and security program.
Sec. 302. Requirements for a personal data privacy and security program.
Sec. 303. Enforcement.
Sec. 304. Relation to other laws.
Subtitle B—Security Breach Notification
Sec. 311. Notice to individuals.
Sec. 312. Exemptions.
Sec. 313. Methods of notice.
Sec. 314. Content of notification.
Sec. 315. Coordination of notification with credit reporting agencies.
Sec. 316. Notice to law enforcement.
Sec. 317. Enforcement.
Sec. 318. Enforcement by State attorneys general.
Sec. 319. Effect on Federal and State law.
Sec. 320. Authorization of appropriations.
Sec. 321. Reporting on risk assessment exemptions.
Sec. 322. Effective date.

TITLE IV—GOVERNMENT ACCESS TO AND USE OF COMMERCIAL DATA
Sec. 401. General services administration review of contracts.
Sec. 402. Requirement to audit information security practices of contractors and third party business entities.
Sec. 403. Privacy impact assessment of government use of commercial information services containing personally identifiable information.