Concepts, Security Management

Is it time for Security Ratings of Software and Systems?

One of the fundamental papers in the Information Security industry is “The Protection of Information in Computer Systems,” written by Jerome Saltzer and Michael Schroeder in the mid-1970s. This paper defines eight design principles for ensuring the safety, security, and functionality of computer systems and applications. It’s timeless, as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder design principles and equating them to something almost everyone can understand: security in Star Wars.

One of the ideas that comes out of it is the concept of “work factor,” illustrated by the fire and burglary ratings on safes. Safes are classified by Underwriters Laboratories for their ability to protect their contents from both fire and burglars; the rating expresses the degree to which a safe will protect its contents. There are both construction and performance requirements. The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt. You can read more about it here: http://www.maximumsecurity.com/safes/pc/Burglary-Fire-Rating-Guide-d92.htm.

This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.

It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that has long been in use in the physical world. Why not begin to follow it in the cyber world? The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system and determine whether it fits within their risk appetite.

Why reinvent the wheel?

Concepts, Research

The Turning of a Year

HAPPY 2012 to All!

The end of one year and the start of another is a good time to both reflect and plan. We should look back a little at what happened in the past year and use that to look ahead into the new one. To paraphrase the famous quote by George Santayana, “Those who don’t learn from the past are doomed to repeat it.”

In many ways, 2011 was a booming year for the Cybersecurity industry. Many organizations realized the need for better security practices and tools. Unfortunately, this was due to multiple breaches. According to the Privacy Rights Clearinghouse (PRC), there were 535 breaches during 2011, involving 30.4 million records containing sensitive information. (See the full story here: https://www.privacyrights.org/top-data-breach-list-2011.) Jim Lewis, a co-blogger on this site, posted a short list of major events from 2011 in his post Major cyber security events of 2011.

My list is similar, but takes a different perspective:

  • Sony PlayStation Network (SPN) – Sony disclosed in April an external intrusion in which the thieves stole millions of online IDs and passwords and gained access to account holders’ credit cards. A concise history of the Sony hacks can be found here.
  • Epsilon, an email service provider for other companies, reported the largest security breach ever, with at least 60 million names and email addresses compromised.
  • The group Anonymous seemed to have their way with any system. While they didn’t cause massive breaches, they did show how most organizations (like the BART subway system) are vulnerable to attack. It forces the question: is anyone safe?
  • Sutter Physicians Services, HealthNet, & TriCare/SAIC. I’ve combined these breaches of medical systems, although they each have their own story and lessons to be learned. They show how lax policies maintained for many years are now leading to breaches of sensitive medical information. Despite the HIPAA security rules, our personal medical information continues to be vulnerable. For some, it’s cheaper to risk paying fines than it is to secure the data.

As we move into 2012, we need to reflect on these breaches and their root causes. Here are some of my thoughts on their lessons learned:

  • Approximately 30% of users reuse passwords across Internet sites. If a thief discovers one password (like at SPN), it can be used at many other sites. We need to educate our users to have different passwords, especially for sites containing their sensitive information. Better yet, we need to encourage the use of tokens or other forms of multi-factor authentication.
  • It may seem innocuous when our names and email addresses are disclosed, but that can open us up to spear phishing attacks, in which a criminal directs fraudulent email at us specifically to try to deceive us into disclosing more personal information. The end result is identity theft. There are two things to remember: (1) protect your name and email, and (2) be on the lookout for any type of phishing attack. If you’re unsure about a text, tweet, or email, contact the sender offline (by telephone if possible) to confirm the message.
  • Policies and laws are in place but are not consistently followed. There are often no repercussions for failing to follow the policies and procedures that protect our personal information. Compliance and governance would solve this issue for many organizations and could help prevent future breaches.

In 2012, we’ll continue to see the move to anytime, anyplace computing as more people turn to smartphones and tablets for their basic business. Data will continue to be pervasive as more people trust cloud services. It provides great convenience, but at what cost? Diligence will continue to be the key for both individuals and organizations. If you can develop and keep a security mindset, it may save you many headaches in 2012 and the years to come.

What do you think will happen in 2012?

Have a happy, safe, and secure 2012.