Posts Tagged ‘Protect Personally Identifiable Information’

Privacy Reform Starts with You, or Rather Your Pocketbook

by FireHost Evangelist on June 29th, 2010

Blippy, Facebook, and LifeLock, oh my! Each of these companies has come under scrutiny lately for mishandling, misusing, divulging, or otherwise playing a smoke-and-mirrors game with confidential information. This vignette is dedicated to conveying a different perspective on each situation, one that will hopefully convince you:

  • that security controls will only be as tight as consumers demand, and
  • that things can be different (better) with your help.

We just want to get this “disclaimer” out of the way, here and now in the first paragraph, before you have a chance to form an opinion about our suggestions. We’re not condoning the actions or otherwise diminishing the liability of these companies (or any company, for that matter) that have cost consumers or businesses time, harm, or any other loss because of a breach and subsequent leak of personally identifiable information (PII). The spirit of this article is to create awareness of the risks and to help everyone reading (consumers and business owners) understand that prevention is a collaborative effort in which consumers and companies alike must take part to see results. And so with that…

Blippy’s Security Blip

Synopsis: Credit card numbers for a limited number of beta users leaked into Google search results.

Blippy’s responsibility: Breaking this down to the simplest terms, Blippy’s dev team should have kept all test data in a non-production environment. Furthermore, PCI DSS guidance for the software development lifecycle requires that test data and test accounts be removed before a system goes into production. If you’ve visited the Blippy website or signed up for an account, however, you’ll notice that there is no mention of PCI compliance or a PCI compliance badge… anywhere.

That’s because (arguably) Blippy isn’t governed by the Payment Card Industry Data Security Standard, since it doesn’t directly collect or store credit card data. When the data leaked, all fingers pointed at Blippy (and rightfully so: anyone who could read saw the card numbers in the statements associated with each user’s account). The bigger problem, however, is that the issuing bank or card company allowed full, unencrypted, unmasked credit card numbers to be printed and/or stored on statements that then ended up public. Masking the primary account number (PAN) at the source, so that at most the last four digits appear in any statement line, would have limited the damage no matter who republished the statements.
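As an added illustration (not code from the original post, Blippy, or any card issuer): a small Python filter that scans statement text for card-number candidates, confirms them with the Luhn check so that order references and other long numbers are left alone, and masks all but the last four digits before the text is stored or published. The statement lines are constructed sample data in an assumed layout.

```python
import re

# Constructed sample statement text (assumed layout; not real Blippy or issuer data).
SAMPLE_STATEMENT = """\
04/12 STARBUCKS #1234 SEATTLE WA            4.25
04/12 Card 4111111111111111 AMAZON MKTPLACE 38.90
04/13 Card 4111 1111 1111 1112 NETFLIX        8.99
04/14 Ref 1234567890 WHOLE FOODS            62.10
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number candidates in text (digits only), in order.

    Useful as a pre-publication check: anything this returns should never
    reach a public page or a search engine index.
    """
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid PAN with asterisks, keeping only the last four digits."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)        # long number that fails Luhn: leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    print("Unmasked PANs found:", find_pans(SAMPLE_STATEMENT))
    print(mask_pans(SAMPLE_STATEMENT))
```

In the sample, only the first card line is masked: the second line differs in one digit and fails the Luhn check, and the ten-digit reference number is too short to be a PAN. The Luhn check is a filter against false positives, not proof that a number is a live card, so a real deployment would still log every hit for review.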

Personal responsibility: Consider this. Participants in a clinical drug trial assume a large amount of risk by ingesting the pharmaceuticals under investigation. Wouldn’t a similar principle of risk apply when technology users participate in a beta, alpha, or electronic test of any kind?

Perhaps the language in warnings about unregulated pharmaceuticals is more ominous (or the risks more personal), prompting consumers to take caution. Should commercial business ventures be more blatant about their warranties and have stronger indemnification policies so early adopters will think twice before signing on?

Consumers must realize that they are “swimming at their own risk” when participating in pre-releases of new, untested technologies. Blippy adopters who confidently linked bank accounts, retail payment card accounts, and credit card accounts to the service can’t be completely shocked when something goes awry with the system. Can they?

Bottom line: It is every business’s responsibility to take all reasonable measures to prevent problems like this from arising. It’s the consumer’s responsibility to perform due diligence, hold their confidential information in higher regard, and think twice before divulging information that could cause them harm.


Empower Your Employees and Protect Your Online Business in Five Easy Steps

by FireHost Evangelist on May 25th, 2010

True story – visiting a client one time, our CEO Chris Drake came across a sales guy who had his computer access credentials taped to the palm rest of his laptop. It turns out the company’s entire customer information database was synced to the sales person’s laptop. If he lost it (or if it was stolen) you can only imagine the consequences.

This vision has haunted us ever since. The responsibility of keeping your company’s data safe is one that’s shared by the whole team, and should make them feel empowered. Hacker prevention for companies that store data and/or transact business online isn’t as simple as hiring a secure web host, it’s a 24/7 job that requires good physical and virtual housekeeping from everyone. Luckily, it’s not as tedious, time consuming, or boring as cleaning your actual home, and it doesn’t require you to pat down your employees each time they walk out the door.

Here are five best practices that everyone on your team should put into action to keep the company safe from cyber criminals.

#1 Mobile Security
Whether you’re a swanky, MacBook Pro-toting executive or a lowly intern with company email syncing to your phone, you’re responsible for data security when working remotely. Password protecting your mobile devices, and your software, is a ridiculously easy and yet commonly overlooked step that can prevent a world of loss. Password protect everything that your employees work on and access remotely. And we mean everything: mobile phones and laptops, email accounts, VPN connections, and SaaS programs used for business. A lock-screen password alone does not protect the data on a lost or stolen laptop, since the disk can simply be read from another machine, so pair it with full-disk encryption. In addition, don’t store or “remember” passwords for critical services. Require that every employee manually type his or her credentials every time. It’s really not as daunting as it sounds. It takes just a moment to enter a password.
