2009 Data Breach Investigations Report


285 million records were compromised in 2008. The Verizon Business RISK Team conducted a study of first-hand evidence collected during data breach investigations of 90 confirmed breaches as part of their caseload. This 2008 caseload of more than 285 million records exceeded the combined total from 2004 to 2007.

2009 Data Breach Investigations Report (pdf).

Investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls. All of these were the standard practices in the industry. In only 13 percent of cases were costly controls (in terms of effort and expense) recommended as the most efficient and effective means of avoiding the breach. Most of these were standard security controls, even though they are costly.

They conclude with these recommendations:

Align process with policy: Many organizations set security policies and procedures yet fail to implement them consistently. Controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of a data breach.

Achieve essential, and then worry about excellent: We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks.

Secure business partner connections: Basic partner-facing security measures as well as security assessments, contractual agreements, and improved management of shared assets are all viewed as beneficial in managing partner-related risk.

Create a data retention plan: Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. Where not necessitated by valid business needs, a strong effort should be made to minimize the retention and replication of data.

Control data with transaction zones: Based on data discovery and classification processes, organizations should separate different areas of risk into transaction zones. These zones allow for more comprehensive control implementations to include but not be limited to stronger access control, logging, monitoring, and alerting.

Monitor event logs: All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.

Create an Incident Response Plan: If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective Incident Response Plan helps minimize the scale of a breach and ensures that evidence is collected in the proper manner.

Increase awareness: Delivered effectively, training that educates employees about the risks of data compromise, their role in prevention, and how to respond in the event of an incident can be an important line of defense and discovery.

Engage in mock incident testing: In order to operate efficiently, organizations should undergo routine IR training that covers response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios.

Join me at 12:30 (July 29, Boston Time) for a free webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 hosted by Knowledge Management Associates.

Enterprise 2.0 by Andrew McAfee


I just read an early preview chapter from Andrew McAfee’s forthcoming book Enterprise 2.0: New Collaborative Tools for Your Organization’s Toughest Challenges. The book is scheduled for release later this year from Harvard Business Press. You can also download and read the preview chapter: Introduction of Enterprise 2.0.

Much like Professor McAfee, I too was a skeptic of how web 2.0 tools could be used inside a business. I started exploring these tools when my old law firm started to consider an upgrade of their intranet platform to SharePoint 2007. That software package has some basic enterprise 2.0 tools. If we upgraded, we would have blogs, wikis and RSS feeds as part of the intranet platform. But I didn’t really know what they were or how they could help a law firm. At the time, the terms sounded like something out of a Dr. Seuss book. But I looked a little closer and saw that they had some potential.

I quickly discovered that two people I knew had blogs: Ron Friedmann’s Strategic Legal Technology and Joy London’s Excited Utterances. Originally, I thought they were just websites. (Does it really matter anymore?) I did a little more research and decided to try setting my own blog. I set aside an afternoon to set up a blog. Google claimed their Blogger platform was easy to set up and it was free. Instead of an afternoon, it took me ten minutes to set up the blog. Five minutes was spent figuring out a name and four minutes was spent choosing colors. That left a lot of time that afternoon to think about the implications of what I had done. This was the birth of my first blog, KM Space, in February of 2007.

I first encountered Professor McAfee at the Enterprise 2.0 Conference 2007. Since then, we have had a few opportunities to talk about the implication of these tools inside a business.

I see transformational change in the availability of information. For decades it was business that had the powerful internal network that allowed them to share information across the enterprise. Now with the increasing ubiquity of internet access, the internal business network and the tools that run on it are becoming inferior to the tools available through the internet for finding and dealing with information. There are many lessons for a business to learn from the consumer tools for handling information. This is a big change.

The other aspect is email. Most businesses rely on email and attachments as their collaboration platform. If you look back 20 years, email was barely a factor in the way business teams collaborated. So there is no reason to think that email is either the endpoint or the zenith of the way business teams collaborate.

Like Professor McAfee, I see a transformational change. I am looking forward to reading Enterprise 2.0 when it is finally published.

Cloud Computing and Compliance

Compliance Week editor Matt Kelly and I talked about “cloud computing” and how such IT systems can affect compliance. Listen to the conversation. (Time: 8.5 min.; file size: 7.7 Mb)

Let’s try to define cloud computing a little better. It really encompasses a broad swath of services that can be put into three main groups. Infrastructure as a service provides virtual servers and data storage that users can configure. Platform as a service lets developers write applications using hosted software and development tools. Software as a service provides hardware and software applications that range from specialized functions, such as supplier information management, to desktop applications, such as word processing and spreadsheets. So the provider hosts both the application and the data.

Listen to hear about the compliance issues:

Compliance for Enterprise 2.0 at Lockheed Martin


Andrew McAfee, Associate Professor at Harvard Business School, led a discussion with Christopher Keohane, Social Media Program Product Manager at Lockheed Martin IS&GS – CIO – Architecture Services, and Shawn Dahlen, Social Media Program Manager, Lockheed Martin IS&GS CIO Office, about their Unity enterprise 2.0 platform at Lockheed Martin.

The Lockheed Martin guys really caught the attention of the crowd in their smaller session at the 2008 edition of the Enterprise 2.0 Conference. This earned them a seat on the big stage.

Business Case

They started with the business case. The 9-11 Commission noted that one of the problems was that information was siloed at the intelligence agencies. As a government contractor, Lockheed pays close attention to the government’s position. The appeal of an enterprise 2.0 / collaboration platform was the ability to create content and share it among the team.

In addressing the ROI concern, they made it easy by making a small investment. There was a budget available of a few thousand dollars for experimental projects. They got up and running in a small group with that small investment. [If your investment is small, the return does not have to be big to find a positive ROI. Start small.]

Legal Concerns

They knew legal would have questions and raise concerns. Christopher and Shawn approached them early to help with approval and buy-in. Legal was unfamiliar with the tools. But they were familiar with export laws, data privacy limitations and other considerations that needed to be in place.

Legal was able to help design the controls, processes, and procedures that would need to be in place to make Unity compliant with the laws that affect the internal operations of the company. They did not leave legal as a last minute approval to check the box. They got them engaged to help identify risks and problems.

[If you don’t bring legal into the process and leave them with a late-in-the-process “yes” or “no” decision, you’re going to get a “NO!” Inevitably you will not have addressed an internal policy or regulatory concern. Especially if the project is being run out of the IT group, where they are often not involved in the business processes.]

Evolution versus Revolution

To echo the keynotes on Tuesday, Shawn and Christopher took an approach that was both evolutionary and revolutionary. Migrating from MS Word documents to blogs and wikis is evolutionary. Opening up the information for sharing is revolutionary.

The Generational Issue

Shawn and Christopher pointed out that the generational issue runs both ways when using 2.0 tools. They acknowledge that their team was a bunch of 20-somethings. They had trouble figuring out how to use these tools in the business setting. They had trouble using them to collaborate among themselves.

The older generation and managers of the business understand the business process. They were surprised that their most prolific bloggers are 40-something senior managers. (I am not surprised. I had the same experience at my old law firm when we started deploying 2.0 tools. The partners and senior attorneys contributed more information than the younger associates.) It is the seasoned workers who have the knowledge and understand the business needs. If the tools are easy enough to use, they will use them.

Technology

They used Microsoft’s SharePoint as the platform for Unity. When pushed, they neither endorsed the product nor said anything bad about it. They did acknowledge the difficulty in trying to customize the platform for different groups. The users found the tools easy to use and easy to see the migration from Word to blogs and wikis.

[I had a discussion with Mary Abraham of Above and Beyond KM about the Snake Oil of Social Media. As we became seasoned in our businesses, we learned to silo information because the technology siloed it for us. Email became our information source and collaboration tool. Email is inherently siloed. Trying to make it open does not work. My theory is that if you want to change the culture, you also need to change the technology tools.]

Summary

Shawn and Christopher also found that you need to ground enterprise 2.0 in the needs of the business. Don’t be afraid of social media. Embrace it. Apply it to your business challenges.

McAfee Update

Professor McAfee is leaving Harvard next month to become a Principal Research Scientist within the Center for Digital Business at the Sloan School of Management. And his book, Enterprise 2.0, is coming out in the fall. You can download the first chapter for a sneak preview.

Other Coverage

Photo Credit

Thanks to Alex Howard of Digiphile and SearchCompliance.com for giving me permission to use his photo in this blog post.

Enterprise 2.0 Keynotes on Tuesday


After Monday night’s Evening in the Cloud (That is me in the middle of the picture during the Evening in the Cloud), Tuesday turned to social media and collaboration in the keynote presentations on the big stage.

It was a mixed bag of presentations. There were glimpses of how organizations can use enterprise 2.0 and web 2.0 tools to further the goals of the organization. What was missing was the compelling case for adopting the tools and devoting the resources to that adoption. There were a few points from the compliance perspective that popped up in the presentations. I thought I would share some of my thoughts and notes from these presentations.

my.barackobama.com: The Secrets of Obama’s New Media Juggernaut

Jascha Franklin-Hodge, Chief Technology Officer & Founding Partner, Blue State Digital started off talking about some of the success of the presidential campaign:

  • 1 billion emails to 13 million addresses
  • Over 1 million text message subscribers
  • 200,000 offline events planned through the website
  • 145 YouTube viewing hours
  • Of the $770 million raised, 65% came through the website

Although this presentation was interesting, I was hard-pressed to see how the lessons learned from the presidential campaign could be applied to the use of these tools inside an enterprise. (Although the bleeding heart liberal in me enjoyed seeing the great success story.)

He did emphasize the need for measurement, which is dear to the hearts of compliance professionals. They measured everything, tested their assumptions and redesigned the visuals and tools based on the data.

Throwing Sheep in the Boardroom: How Online Social Networking Will Transform Your Life, Work and World

I don’t have much that’s nice to say about this presentation. So I won’t.

Hello from Booz Allen Hamilton

Booz Allen won the Innovation Award from the Open Enterprise 2009. Walton Smith gave his insights on their enterprise 2.0 platform. It looked great! (In the interest of disclosure, Booz Allen is a large tenant in my employer’s portfolio.)

Walton started with the business case. They need ways to better capture the tacit and explicit knowledge in the organization. There is a tremendous need to identify expertise and allow people to find that expertise. They are looking to add thousands of employees over the next few years and need to get those employees up and running quickly. On a typical day, over half of their people are working at client sites. Outlook was their de facto collaboration tool.

They deployed Hello, their enterprise 2.0 tool, to address these concerns. It sounds like a success. Over 40% of the firm has added content. Another 1% to 2% of new users are adding content each week. The technology is a mash-up of technologies, many of which are open source platforms.

Given the short time allotted, we were not able to see much detail about the operations of Hello. From what I saw, it was just what I thought a large professional services firm needed. Walton’s description matched up with the vision I had for the redesign of Goodwin Procter’s iNet (before I left).

Walton did address some of the compliance concerns. In responding to a question about posting inappropriate content, Walton had this great statement: “I can’t prevent you from being stupid, but now I can see how stupid you are.” As to EU data privacy, they had lots of discussions with legal on what people could post about themselves. Legal wanted to exclude all non-US from Hello. They came to a compromise, but I am not sure what it was. For departed employees, they keep the content and the profile. They merely add a banner that the person has left the company. They want to preserve the intellectual capital footprint.

Enterprise 2.0 Reality Check – What’s Working, What’s Not, What’s Next

Matthew Fraser was back to moderate a panel of Christian Finn, Director of SharePoint Product Management, Microsoft, Nate Nash, Senior Manager, BearingPoint, Neil Callahan, Executive Vice President, mktg, and Ross Mayfield, President, Chairman and Co-founder, Socialtext. There was lots of talk of whether enterprise 2.0 was an evolution or revolution. One commenter in the crowd said the panel was an I’m a Mac, I’m a PC ad. There was a fair amount of discussion about the ROI for enterprise. Some panelists and audience members were dismissive of needing a monetary ROI. They likened it to email. Nobody asks for the ROI on email.

I don’t agree with these thoughts. When email was first adopted in the enterprise there was an ROI calculation. It was cheaper and faster to send an email than to send a message through the post office. There is a reason we get so much spam. It is cheap and easy. Businesses may no longer calculate the ROI, but they did as part of the adoption process, even though now it is just an assumption that you have email in the business. There was a compelling reason to adopt.

Meeting People

Web 2.0 is not about sitting in your basement. It is about meeting people. Besides the presentations, I was able to run into and chat with a bunch of great people. I had a great lunch with David Hobbie of Goodwin Procter and Rachel Happe of The Community Roundtable in the fake Irish restaurant.

It was great to spend some time talking with Carl Frappaolo and Dan Keldsen of Information Architected. Unfortunately, I missed the session but I was able to chat with Jessica Lipnak and Jeff Stamps of NetAge. Alex Howard of Digiphile and SearchCompliance.com was there covering the conference and having great conversations. I apparently got Mark Masterson fired up about compliance because we chatted about it for a while.

I also had some short chats with Luis Suarez of IBM, Joe Wehr of DBMI, and Ming Kwan formerly of nGenera and now at Nokia.

Michael Idinopulos of SocialText gave me a great tour of the latest release of their product. Their new marketing strategy is to offer SocialText free for less than 50 users. Chris McGrath and I talked about Thought Farmer. I kind of beat him up over records management and wikis. Cheryl McKinnon gave me a great presentation on some compelling OpenText products.

I will be back on Wednesday for a few sessions and will try to distribute any insights.

Evening in the Cloud and Compliance


The Evening in the Cloud session at the Enterprise 2.0 Conference was fun. David Berlind, Editor-At-Large and General Manager of TechWeb, was the moderator. I sat in the customer role beside Christopher Reichert of the MIT Sloan CIO Symposium. Sean Poulley, VP Online Collaboration Services of IBM, Rajen Sheth, Senior Product Manager of Google Apps, and Mike Feinberg, Senior VP, Cloud Infrastructure of EMC, each gave an eight minute pitch for their product.

If you read yesterday’s post (Compliance and Cloud Computing at Enterprise 2.0), you knew what my questions would be for the vendors. These three vendors represented big guns who I am sure have been asked those questions before. The session was obviously driven by vendors. Hopefully, my list of questions can be used by other attendees to quiz the vendors.

Google, IBM and EMC focused on the infrastructure aspect of cloud computing. From a compliance perspective, the application piece of cloud computing poses more of the issues. Maybe I will be able to tackle some of those issues with vendors when the Exhibition Hall opens on Tuesday.

Brenda Michelson live-blogged the session on her elemental links blog: @ Enterprise 2.0 Evening in the Cloud Panel discussion. It is as good a summary as I could have written.

The session was recorded and will be available online at some point. I’ll post an update when I come across the recording.

Compliance and Cloud Computing at Enterprise 2.0


Monday night, I am heading over to The Evening in the Cloud program at this year’s Enterprise 2.0 Conference. They asked me to help grill the vendors on compliance issues.

More software and business operations are being pushed into the cloud. Why buy the hardware and software when someone else will run them for you?

I thought I would put together my thoughts on some of the compliance issues I think about when it comes to cloud computing.

Records Management.

One aspect of records management is ensuring that important records are kept. Importance can be either because of a business need or a regulatory requirement. The other aspect is data destruction. Once that record is not important and no longer required to be kept, you want to make sure it is destroyed and destroyed forever. Multiple backups in multiple places of old records are a huge headache when forced into e-discovery and the delivery of records as part of litigation.

Compliance Logs.

Whether you’re in the midst of an audit or an investigation, thorough logs are the key to proving compliance. So how do you prove your organization is (or was) compliant when you aren’t able to maintain logs? Audit trails must be auditable.

Terms of Service.

Consumers are used to clicking through the Terms of Service without reading it. Businesses will read it and want to negotiate it. If the vendor’s Terms of Service has a typical consumer provision allowing the vendor to unilaterally change it, throw that vendor out the door and don’t bother talking with them.

Investigations

You need to address how a forensic examination of the systems can be run as part of government or internal investigation of wrongdoing.

Geography

It is not truly a cloud. There are physical servers that are sitting in a building somewhere. That physical location subjects them to the law of that jurisdiction. There are obviously some countries that you do not want. (Anyone in North Korea?) There are also some questionable locations. There are some companies that don’t want their operations being run on servers located in China. You should not be surprised that some companies do not want their servers in the United States because of the confiscatory provisions of the US PATRIOT Act.

Data Privacy

Geography also implicates personal data privacy. If you are using the cloud service to host information about people (employees or customers), you need to think about how the service complies with the multitude of personal data privacy laws. The most difficult is probably the EU Data Protection Directive.

Multi-User

If your information is combined with another company’s information on the same server, you risk being subject to their wrongdoing. There was a well-publicized raid of a server farm, with law enforcement seizing servers, shutting down businesses with their operations running on those servers.

Credit Card Processing

If you are processing payments, you need to be PCI DSS compliant. If the vendor asks what PCI means, throw them out.

Vendor should have a SAS 70 Type II Audit.

SAS 70 was designed to provide a highly specialized audit of an organization’s internal controls to ensure the proper handling of client data. SAS 70 Type II certification ensures that client data is protected in a data center that is using industry-leading best practices in information technology and security. Vendors that undergo a SAS 70 Type II audit are stringently evaluated on such elements as systems, technology, facilities, personnel management, and detailed processes for handling client data. At the end of a six-month process, vendors receive a comprehensive audit report that includes a description of their operational controls and a description of the auditor’s tests of operating effectiveness. At regular intervals after the initial audit, vendors go through additional audits to maintain their SAS 70 Type II status. In brief, SAS 70 provides assurance that a vendor has put in place comprehensive systems to ensure data security.

Of course, there are other issues. Depending on your industry, some of these may be more of a concern than others.


Join Me at the Enterprise 2.0 Conference in Boston


I have been spending less time in the Enterprise 2.0 movement as a result of switching my career from knowledge management to compliance. Steve Wylie thought it would be a nice fit to have me bring my compliance perspective to The Evening in the Cloud program at this year’s Enterprise 2.0 Conference.

Any vendors presenting are forewarned that they had better be ready to answer questions on how their product deals with data privacy, records retention policies, and government regulation.

What Blogging Brings to Business

This post is republished from my original post on KM Space on June 10, 2008: What Blogging Brings to Business.

Enterprise 2.0 Conference Boston 2008

Blogs are powerful communication platforms that allow you to capture information you find interesting and to share it with an “audience” who can talk back to you. This panel of five business bloggers with a combined blogging lifetime of 19 years has generated business, communicated the concerns of its customers, experimented, and broken new ground through their blogs. Topics we’ll cover include: Blogging as knowledge management, Blogging as a conversation, Blogging for “fame and fortune”, Blogging as a platform for experimentation, and Blogging to reduce internal spam. Come join us to share your experiences and have the chance to speak at length with experienced bloggers.

  • Moderator – Jessica Lipnack, CEO, NetAge
  • Speaker – Bill Ives, Web 2.0 Consultant and Writer, Portals and KM
  • Speaker – Cesar Brea, Partner, Force Five Partners
  • Speaker – Doug Cornelius, Knowledge Management Attorney, Goodwin Procter LLP

My Notes:

I was on this panel, so I have limited notes, but will try to reconstruct some information. You should also check out some other blog posts about this panel:

  • Enterprise 2.0 Blog post by David Spark
  • I will add any others in the comments. You should feel free to also link to your blog posts in the comments.

As Jessica posted [Bloggers at Taste], the panel got together to discuss an agenda. We had a great conversation and thought it would translate well to the audience.

Our audience was very interactive. Maybe too interactive. It was hard to keep pulling the discussion back to the topic. The participants seemed to be looking at two different aspects: What external blogging can bring to business and what internal blogging can bring to business. My take is that internal blogs (at least in the classic sense) are just limiting their audience. But blogs are flexible tools that you can do lots of things with inside the enterprise.

The session started with an introduction by the panel about their blogs:

Then Jessica asked the bloggers in the audience to introduce themselves and their blog. I was not able to grab the whole list, but here are some:

We moved on to why we blog and who we blog for. One common theme among the panel was blogging as a personal knowledge management tool. We all found the blog to be a great way to capture information in a way that is easy to categorize, where it is easy to find the content. As a personal knowledge management tool, I blog for me. These notes are for me to reuse. That you are reading them is a by-product.

We spent some time off on a tangent about who should blog, who should be forced to blog and who should not blog. I spent a fair amount of this conversation time in the back-channel on the Enterprise 2.0 Community site for the Conference.

A blog is an excellent way to display expertise, whether the blog is internal or external. It is one thing to paint yourself as an expert. It is much more effective to prove your expertise through your writings and information you push out.

We ran out of time, but here are some other thoughts I wanted to get out:

Internally, the blog can act differently. Scott Niesen, Director of Marketing, Attensa, brought this up nicely earlier today in the Enterprise RSS session when he said you should draw a distinction between “need to respond” and “need to know.” A blog is a communication tool. It is well suited to what you need to know. Email is better for information that has a need to respond. Take a look at your email flow and think about how much of it you need to react to. Most of it is just information you need to know. But by the information being pushed into email, my inbox is acting as my content management system. A blog or a collection of blogs makes a much better content management system. It is easier to search, easier to find content and easier to add content.

Other commentary and notes from the panel:

Enterprise 2.0 at Goodwin Procter


Can law firms jump on the Enterprise 2.0 bandwagon? Lawyers are generally seen as conservative users of technology, preferring to use a quill and inkwell over a web-based publishing platform. David Hobbie shares some of the successes he has encountered in the adoption of Enterprise 2.0 at Goodwin Procter (.pdf – page 13) in the June 2009 issue of KM Pro Journal (.pdf)

Goodwin Procter was one of the early adopters of collaboration and knowledge sharing tools and has begun adopting the internal use of blogs and wikis as tools. This is a great article, summarizing some of the theory behind Enterprise 2.0, comparing it to knowledge management, and giving practical uses of these tools in a legal environment.

“More knowledge has been captured and stored because communications have been opened up to more authors and have been moved out of the email “silo” and into public spaces. More knowledge transfer has occurred because the Enterprise 2.0 tools are built to communicate, whether through alerts of new information, easy browseability through user-created structure, or through better search.”

I had the pleasure of working with David at Goodwin Procter during the initial deployment of the tools. I am happy to see that they continue to grow and succeed. You can read more from David at his blog: Caselines.