Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards. As a result, it may surprise you to know your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals. How Bad Is It? A recent study by the Ponemon institute revealed that 94% of medical institutions have[…]

I have spent my day in a forum dedicated to the security of classified information. Individuals attending are facility security officers, Defense Security Service employees, and others caught in the orbit of U.S. Government classified information. One of the speakers made a comment that made me immediately jump to post something on Twitter: "I want you to walk away from this presentation with one thing you can do to prevent risk." <- I don't think you understand risk. — Peter Hesse (@pmhesse) March 14, 2014 Why did I say that the esteemed gentleman who was presenting didn’t understand risk? Let’s break it down. The Definition of Risk Risk can be either a noun or a verb. Consider these definitions found[…]

Business leaders and gamblers know risk. Success means managing risks effectively. The better they do, the better the returns. Often overlooked is another similarity: table stakes. Gamblers have to pay to play; certain games have minimum table stakes you must ante to participate. For business, the ante is investing enough time, money, and effort. That applies to security, too. In fact, businesses must meet the security table stakes before implementing even minimum viable security. This article addresses the six things every organization needs, regardless of size, industry, and budget. To be clear, this is not a one-size-fits-all prescription for security. These are the common barriers that prevent minimum viable security. For many, these represent the barrier to entry.[…]

At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like. During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge. Are People The Problem? Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN’s and the AP’s Twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are[…]

How do you buy groceries? Do you buy based on brand, what you know? Do you consider the price? Or do you have someone else handle it for you? Making An Investment While routine, groceries aren’t expensive. When we consider larger investments, however, the calculus changes. Most hesitate a bit when buying a new computer or tablet. We’d want to make sure the system meets our requirements and we’re not paying too much. Since they are a commodity item, you can shop around without difficulty. Buying a car or a house requires more time to be spent in the due diligence process. At some point it becomes less about “buying” and more about “making an investment”. Smart entrepreneurs consider their exit.[…]

Around this time of year, many of us are filing (or procrastinating about filing) our taxes. So you finally get around to filing your taxes, and your return is rejected because someone has already filed for that Social Security number. Uh-oh! What now? You know you haven’t filed your taxes already, and you’ve double-checked your Social Security number to make sure you typed it in right. Then you find out your worst fear is true: someone else has already filed a tax return using your Social Security number, otherwise known as IRS Tax Return Fraud. Immediate Actions To Take There are three things you need to do as soon as you can: First, file a police report for identity theft.[…]