Mike Spinney's Blog
Legislating Social Privacy
July 30, 2010
There’s a great deal of talk these days about privacy and social media. Specifically, Google, Facebook, Twitter, and other popular social networking platforms are coming under increased scrutiny over their privacy policies and data sharing practices. As I write this, the issue has the attention of a number of politicians in Washington, DC, as Congress mulls new legislation addressing privacy concerns.
The Ponemon Institute believes a big part of addressing issues of consumer privacy as they relate to social media platforms has to come through education.
Recently, in partnership with Experian’s ProtectmyID.com, we conducted a study entitled Identity & Privacy in Social Media. The results were eye-opening, and in many ways the challenges we uncovered fall beyond the reach of legislation. A number of the findings are troubling, and what they show strongly suggests a public eager to get in on the fun of social media, but less eager to take the simple steps necessary to prevent information shared through social sites from being co-opted to perpetrate identity theft.
Consider a handful of statistics that came out of our study:
· Of 698 individuals surveyed, 40 percent said they take no steps to protect their privacy or security while online;
· Only 8 percent said they have read the privacy policy of the social sites they’ve joined;
· Only 60 percent said their social media password is known to them alone, which suggests that the other 40 percent share their passwords; and,
· Only 40 percent of those individuals we surveyed said they closely screen “friend” requests before accepting.
Sadly, we also surveyed a different set of 567 individuals who had been victimized by identity theft, and the numbers were not very different. The corresponding percentages were 41, 9, 62, and 41, respectively. Experience may be a harsh schoolmarm, but apparently not always an effective one.
This post is not meant to argue for or against some measure of legislation or regulation intended to reflect the realities of today’s online environment, but can Washington craft a law that will compel individuals to take better action on their own behalf to guard against misuse of personal information? The answer to that question is no. The human element will always be the weakest link in the security chain. This is reflected in the fact that only 13 percent of social networking users said they believe they bear the primary responsibility for protecting their own privacy while using social media. Instead, they feel that responsibility lies with the social media service provider (41 percent) or even the government (34 percent), even though neither of those parties is the one updating statuses, posting photos, entering personal information into forms, “liking” posts or advertisements, or sharing any of the other kinds of information people choose to share in a highly public forum.
More needs to be done to help people understand the risks involved with sharing information online, to be more cognizant of the information they do share, and to take better advantage of the tools made available to them to protect it. This has to be the responsibility of the social media entities themselves, but also that of each one of us who call ourselves privacy professionals.
What do you think?
Please let us know, and if you would like a copy of our study, drop us a line.
Posted by Mike Spinney at 2:20 pm
When Privileged Access is no longer a Privilege
July 19, 2010
I just read an interesting multi-part investigative report in the Washington Post about how intelligence gathering – and the bureaucracy that has risen since September 11, 2001 to facilitate the harvest and analysis of that information – has spun beyond the federal government’s control, not to mention its ability to make use of the sheer abundance of information.
The report, Top Secret America, is frightening to a certain degree. In a country that reveres personal liberty, domestic intelligence (and surveillance) accounts for a large portion of the growth described by the Post.
I won’t regale you with details from the report, which is worth reading in its entirety, but one fact jumped out at me that I want to share and think about.
According to the Post, there are currently more than 854,000 people – military and civilian – who hold a Top Secret security clearance.
Think about that figure for a moment. Roughly three-tenths of one percent of our nation’s population – more people than live in San Francisco – has access to America’s most closely guarded secrets. When that many people are granted access to sensitive information, how much confidence can you have that the integrity of the information is intact? That the methods by which the information is gathered are lawful and ethical? That the information is being used in accordance with its intended purpose?
Top Secret America reveals that the bureaucrats and politicians with management and oversight responsibility all but admit that they cannot control the full scope of our nation’s intelligence gathering and analysis operations. It’s too big, too complex, and too often redundant.
Ironically, before this story was published I was considering writing a blog post that held the U.S. intelligence services as a model for corporate information security programs. As a former U.S. Naval Intelligence Specialist, I cut my teeth on the military’s approach to information security, which was based on strict need-to-know access, personal responsibility, multiple layers of accountability, constant education and awareness, and clear and severe penalties for any failure to maintain security.
Now I’m not so sure.
Based on what I’ve read, I have my doubts that our national secrets are truly secret anymore. How can they be? We’ve cheapened the value of privileged access by granting it to so many people that a security clearance is no longer a privilege – it’s an administrative necessity.
Posted by Mike Spinney at 2:59 pm
Car Talk and Compliance
July 14, 2010
Are you familiar with Click and Clack, the Magliozzi brothers of NPR’s hilarious auto repair show Car Talk? Tom and Ray are blessed with both an encyclopedic knowledge of automotive troubleshooting, and with an on-air chemistry that makes mechanics interesting and entertaining. By engaging their callers in seemingly inane banter (and laughing at each other's jokes), they are able to extract enough information to (most of the time) correctly diagnose car troubles over the phone.
If you are like me, the mass of metal and tangle of wires that sits under the hood of your car is a complete mystery. I’m intimidated when the magic light on my dashboard tells me I have to add more windshield fluid, so I have a great deal of respect for those people who understand and make a living fixing cars. The Magliozzi brothers completely astound me in that regard.
But this week, after starting a new Mass 201 CMR 17 compliance engagement and while moderating a new compliance workshop, I realized that the Click and Clack approach is not only broadcasting genius, it’s the right approach to helping organizations overcome their fear of the unknown and make progress addressing both compliance and information security strategy.
Talking to someone in plain language about their situation and putting them at ease, rather than causing them to feel inadequate and embarrassed about what they don’t know, will not only help to arrive at a better result, it will also help to reveal additional areas of concern that may need to be addressed in a comprehensive, holistic information management strategy.
I have encountered too many experts and consultants who used their knowledge like a cudgel in an attempt to intimidate someone into spending money, as if only they had a brain big enough to solve the client’s or prospect’s problem. Creating more mystery around compliance isn’t helping anyone, and it may be counterproductive. Personally, I find it offensive and belittling in any context. The fact is, the client is the one with the information that the consultant needs to do the job. The best way to come to a productive understanding about how to address compliance challenges is through a dialogue that dispenses with intimidation and helps the client to be a partner in the process.
Intimidation is not the Ponemon approach. If you are struggling with compliance issues, or if you need a partner to help craft a new strategy for managing and protecting your company’s valuable data, please give us a call. We’d love to help.
Posted by Mike Spinney at 11:14 am
Advanced Cyberthreats: Are You Ready?
July 6, 2010
Last September I had the privilege of addressing an audience of IT professionals from the chemical industry during the ChemITC Annual Conference. My presentation focused on applying lessons learned by consumer-facing industries from five years of experience dealing with data breach notification regulations, and on what those lessons can teach an industry that, like many others, is beset by data security issues.
A number of high profile cases of corporate espionage in the chemical industry, including two instances involving the DuPont Company, illustrated the simple truth that any data that has value will be targeted by data thieves. In two separate events, former DuPont employees Hong Meng and Gary Min made off with trade secrets before moving on to new situations. In Meng’s case, the IP was headed back to his homeland in China. Min had accepted a job with a DuPont competitor.
Because theft of intellectual property does not require public disclosure, stories like these don’t make headlines as often as data breaches involving personally identifiable information (PII). Yet while I was at the conference, representatives from the Department of Homeland Security were also on site making impassioned pleas to the attendees to cooperate with the federal government’s efforts to combat cybercrime. As producers of strategic, dual-use technologies, many companies in the chemical industry are targeted by persistent attacks from overseas organizations – governments and rogue elements – in an attempt to steal intellectual property that can be used in military applications.
The message to the industry was clear: we know you are being targeted and we desperately want to help, but we need your cooperation.
Today, the Ponemon Institute issued a new report that gives greater weight to the challenges of addressing cybersecurity. Sponsored by NetWitness, our study produced some numbers that should give pause to anyone in the information security game. For example:
· Although 83 percent of respondents say they believe their organization has been targeted by an advanced cyberthreat, 41 percent said they don’t know how frequently they have been targeted.
· Half of respondents believed that proprietary data has been targeted by cyberattacks, while 48 percent said they believed the target to be PII such as customer or employee records.
· Although 58 percent of respondents said their organization had adequate policies in place for dealing with cyberthreats, far fewer said the same of their tools (32 percent) or their personnel (26 percent).
· Perhaps most disturbing, 46 percent of respondents told us that detecting an attack by an advanced cyberthreat took at least 30 days!
Make no mistake – your enemies and rivals are hard at work trying to gain illicit access to the valuable information stored within your enterprise. At best they may be hoping to play catch up with the pilfered fruit of your investments in R&D. At worst, they may have designs to do financial harm to individuals, or physical harm to people and property on American shores.
We urge you to arm yourself with more information and understanding about the realities of the advanced cyberthreats that are being used to access your information systems. And we urge you to learn how you can cooperate with the Department of Homeland Security in order to better respond to such threats and, by sharing information, better prevent those threats in the future.
If you want a copy of our report, Growing Risk of Advanced Threats, it is available by request through NetWitness. If you’d like more information about how your organization can better prepare for and respond to these threats, give us a call.
Posted by Mike Spinney at 5:12 pm
Oil Spills and Data Drills
June 20, 2010
My heart sinks day by day as I watch events unfolding in the Gulf of Mexico. I doubt if anyone can begin to comprehend the potential extent of the devastation taking place as a result of the catastrophe. That massive oil leak is despoiling not only the visible beauty of the Gulf – water, beaches, marshes, wildlife – but is likely to result in enormous and long lasting damage to the region’s fragile ecology and economy as fisheries collapse, visitors stay away, and various industries curtail operations.
As all concerned parties grapple with containing and, eventually, stanching the flow of oil as well as dealing with a massive cleanup effort, I can’t help but think of analogies that can be applied to data protection and offer some lessons learned.
First, we learned that one of the factors contributing to the conditions leading up to the disaster was a lack of appropriate regulations addressing the risks inherent with deep water drilling. While the technology and strategies needed to get at deep ocean reserves advanced and made drilling in offshore depths viable, the safety measures required to mitigate the risks inherent with deep water operations lagged.
In information security we see the same pattern: the advance and adoption of technological innovation outpacing the processes and policies needed for safe operation. Some of our recent studies have shown this to be the case in cloud computing, payment cards, and mobile communications, to name a few. Yes, there are advantages to all these things, but adoption without appropriate precaution is irresponsible.
Second, we have learned that many of the missteps in responding to the oil leak were a result of having no clear measure of the actual flow of oil from the damaged well. Efforts such as Top Hat, Top Kill, and Junk Shot failed in part because no one knew (or would disclose) the volume or pressure of the leak.
In addressing information security risks you must first know what you have, where you keep it, how it’s collected, who has access… In the event of a data breach, the ability to quickly identify the source of a leak is critical to a successful response. More importantly, regular audit and assessment of information systems and processes will help to identify risks and afford an opportunity to address those risks before a breach occurs. And when the authorities come calling, if you’ve got the proper documentation and can demonstrate a viable plan, you’ll be in a much better position.
Finally, there’s the issue of crisis management. BP’s reputation has taken a serious hit since the Deepwater Horizon oil rig explosion on April 20, not necessarily because of the initial event or even because of the leak itself, but because there is a growing sense that the company has been incompetent and insensitive to the disaster. This perception stems from statements, actions, and failures by the company and its executives and spokespeople. If there was a crisis response strategy in place at BP, it seems a number of its key executives felt at liberty to go off script – with disastrous reputational results.
Responding clearly, factually, with reasonable speed, and with appropriate contrition – and backing up statements with action – is the best way to rebuild lost trust. Making things up as you go along can never work. Crisis contingency planning is invaluable, even if you never have to put such a plan into effect.
Posted by Mike Spinney at 1:06 pm
Cold War and a Hot Furnace
June 9, 2010
I was a U.S. Navy intelligence specialist assigned to VA-55 (go Warhorses!), a bomber squadron based at NAS Oceana in Virginia Beach, Virginia. In my position I handled a great deal of classified information and also had responsibility for the destruction of that information. Ashore, I took bags of discarded documents to the base intelligence center and tossed the paper into Igor, a massive pulverizing machine that rendered into a fine powder whatever slid down its chute.
Igor was loud, with a high-pitched industrial whir, and its heavy steel spindles, bedecked with scores of sharp teeth, could grind up a pile of paper in seconds. You knew that the secrets that went into Igor’s fearsome maw were safe, for what came out the other end resembled confectioner’s sugar.
At sea the destruction of classified information was a different story.
VA-55 deployed to the USS Coral Sea, a conventional aircraft carrier whose keel was laid before the end of World War II and as such was regarded as old and small for that type of ship when I sailed on her in the mid-‘80s. The Coral Sea did not have space for an Igor; instead, classified information slated for destruction was burned in a furnace.
For a first-timer, assignment to a burn detail was welcome news. Life at sea could be monotonous and the prospect of spending some time tending to a roaring fire seemed like a fun way to break the routine. After all, what could be easier than burning bags of paper? It didn’t take long to realize that the task was difficult, uncomfortable, and thankless.
The Coral Sea’s furnace room was hot and cramped. Merely getting to the space was a chore, never mind doing so with twenty or more bags of classified information (requiring proper supervision and accountability) in tow.
Once inside, having lit the first bag, you learn that paper doesn’t burn as quickly and completely as you might imagine. Publications, especially, are slow to burn and require constant attention. Fire needs air, and pages pressed together don’t allow the circulation it needs, so constant raking and stirring are required. As more and more paper is added, the accumulating ash suffocates the flame. Procedure requires that the destruction be complete, with no scrap of paper left intact, so sifting and poking are needed to make sure the paper is not merely charred, but reduced to ash and mixed.
The job took hours. The furnace room would get exceedingly hot and smoky, and those assigned emerged covered in sweat and soot. No one ever volunteered to do it, and everyone grumbled when their turn came around.
But we all knew why it was necessary. The Cold War was still being waged; Soviet “trawlers” were never far behind our battle group; every bit of trash that went overboard and could be recovered by the enemy was recovered; everything the enemy could scoop out of the sea was regarded as a puzzle piece to be analyzed and used to bring pictures into clearer focus. Our job was to deny the Russian Bear an opportunity to obtain even seemingly innocuous information.
The importance of security was constantly drilled into our heads. The consequences of failure were potentially grave.
Does your organization think of information security with a similar mindset? Do your employees appreciate the value of the data they handle and do they understand the consequences of a data breach? Are they reminded of their responsibility as information stewards, or do they handle the information entrusted to them with a cavalier attitude?
Data privacy and information security may not be sexy – it may even seem like a difficult, thankless task – but it is as necessary for your business today as it was for a war ship on the high seas during the Cold War. Your enemy is lurking, snooping, waiting for an opportunity to scoop up whatever is carelessly tossed overboard.
If your security, privacy, training, and governance policies are lacking, give us a call.
Posted by Mike Spinney at 10:44 am
Facebook's Pioneering Privacy Path
May 26, 2010
Wow. Facebook seems to have rubbed a lot of folks the wrong way -- again. Time Magazine put the company on the cover this week following yet another privacy misstep and an admission by CEO Mark Zuckerberg that, perhaps, the company had made a few mistakes in calculating the public’s acceptance of its data use practices.
Even as Facebook implements simpler privacy controls in response to criticism, a growing number of users are upset at the moving target that privacy has become on the popular social networking platform. A mass exodus from Facebook has been called for on Monday, May 31 (Memorial Day here in the United States) in protest of the recent changes to Facebook’s privacy practices. How many people will abandon the popular service? According to a recent poll by the computer security experts at Sophos, as many as 60 percent of Facebook subscribers are considering leaving.
In real numbers that means that the company’s user population should plummet by about 300 million before the calendar turns from May to June, but the number of people who have actually committed to the move only stands at about 11,000 – fewer than at times following other miscues, such as the ill-conceived Beacon advertising program.
I don’t doubt Sophos’ numbers. I can easily accept that 60 percent of Facebook’s subscribers are frustrated with recent changes, even if that frustration doesn’t translate to abandonment. And even if May 31 comes and goes without a significant drop in active Facebook subscribers, the very public nature of this episode and Facebook’s response offers a valuable lesson that is largely overlooked by the company’s legion of critics and commentators.
Facebook’s near constant tinkering with its privacy policy and user settings, while exasperating, is also commendable. I can’t think of any company that deals with a surfeit of personal information that has chosen a road as open to public scrutiny as the one Facebook has taken. Has Facebook made errors along the way? Absolutely, but the company has a right to try and make a profit from its service, just as the public has a right to join or un-join.
To dismiss Facebook outright would be a mistake. To express outrage without acknowledging the progress the company has made – and the lessons we’ve all learned as a result – would be an even bigger mistake. Progress demands bold pioneers willing to take risks for the sake of discovery.
I don’t expect Monday’s call for abandonment to result in a significant drop in Facebook’s subscriber rolls, but I do expect Facebook, as it has all along, to adjust its sails in response. I also expect the process to continue. If the public becomes more aware of its role in managing personal privacy online, and if the business community at large takes away positive lessons, how can that be a bad thing?
Posted by Mike Spinney at 11:47 am
Global Data Breach Costs Examined for First Time
April 28, 2010
Without a doubt the Ponemon Institute’s most popular study is our Annual Cost of a Data Breach study, a case study analysis of U.S. data loss incidents of varying size and cause, affecting a representative sampling of industries. Because we examine the actual costs incurred by companies as a result of discovering and responding to a data breach, we believe our figures are an accurate measure of the potentially devastating financial impact following a data breach.
As more and more states followed the model of California’s landmark notification law, SB 1386, the costs have risen steadily from a 2005 average incident cost of $4.5 million to a 2009 cost of $6.65 million.
As you might expect, every year we are asked by folks around the world, “Do you have figures for my country?” Because the regulatory regimes in Europe and elsewhere take a different approach to the classification and management of personally identifiable information, and because a data breach overseas often does not compel companies to make public disclosure of the event, our answer has been “no.”
We’ve had the honor of discussing the results with a number of excellent and respected journalists from the likes of Network World and Forbes, so I won’t rehash what I’ve already told those publications.
What I will point out here is that, even though the European data protection community has traditionally taken a different approach to maintaining the personal privacy of its citizens, clearly the problem of data loss is as prevalent there as it is here in the U.S. Companies from Europe and elsewhere overseas have approached us for years to help them study and understand the causes and results of information security breakdowns, and even though this is the first time we’ve issued a report on the problem, it is far from new.
The notification model is changing, however. As we note in our report, Germany adopted a notification law midway through 2009. Not coincidentally, its costs are second only to those of the United States. In the UK just yesterday, the Information Commissioner’s Office predicted that country would have a data breach notification law within 18 months.
As this study continues, it will be interesting to observe how these new laws and changing regulations affect data breach costs. In the meantime, contact us with your questions as we continue to offer new and interesting insights into the issue of data privacy, information security, and responsible information management.
Posted by Mike Spinney at 12:13 pm
Littler Mendelson on Quon
April 19, 2010
Our good friend Phil Gordon, one of the sharpest minds on privacy and labor/employment law, offers an interesting view of today's oral argument before the U.S. Supreme Court in the potentially landmark case of City of Ontario v. Quon.
Phil's blog on the case includes telling statements from Justice Sotomayor, Justice Alito, and Chief Justice Roberts which Phil believes point toward a ruling "far narrower than anticipated by many."
To read the entire blog, click through to the Littler Mendelson privacy blog. And stay tuned for the ruling, scheduled to be issued in July.
Posted by Mike Spinney at 10:31 pm
Sit Down and Talk with your Kids
April 2, 2010
I've had a positive and heartening response to my recent post about my experience creating a bogus Facebook account to illustrate the ease with which someone can gain access to kids' accounts.
Parents have contacted me to let me know that the story helped them better understand the threats to themselves and their children. One even said he sat down with his son and together they went through and un-friended individuals with whom the boy had no real connection.
That's good parenting. Yes, we know that some kids are creating multiple Facebook accounts in order to throw parents off their trail: an account with their real name and information, to which they gladly cede parental access, serves as a red herring. The real action may be on another account, but even if this is the case, discussing the genuine threats that exist online may have a positive effect on the decisions a child makes.
Even beyond the obvious issues of who is really behind the profile of the person who just sent a friend request, some fan pages provide an open forum for unsavory conversation or even a platform for the distribution of malware.
This is not a criticism of Facebook. I've said it before and I say it often -- I'm a big fan of Facebook. That service is a great way for people to reconnect, stay in touch, share information. I'm on Facebook every day and have used it to re-acquaint myself with many old friends and family members separated by time and geography. I respect Facebook's approach to privacy (in spite of the missteps) and think they get it right a lot more often than they get it wrong. But as with any application of technology, the user needs to do a better job of understanding how it works and deciding for themselves how they want to use the tools available to them.
If you have kids, sit down and talk with them about Facebook and any of the other things going on in their lives that may present a danger to them. And if you are interested in having an awareness seminar at your school, feel free to get in touch with me. I'd love to talk with your local school administrators about helping students, parents, and faculty better understand the risks and rewards of social networking.
Posted by Mike Spinney at 9:59 am