Monthly Archives: October 2014

Dancing in the Dark with your data

Up At Nigjt

 

Larry Ponemon

Larry Ponemon

Here’s a surprise: The uncertainty about the location of sensitive and confidential data is more of a worry than a hacker or malicious employee.

We surveyed 1,587 Global IT and IT security practitioners in 16 countries (the research was sponsored by Informatica). A list of participating countries is presented in the appendix of this report. To ensure a knowledgeable and quality
response, only IT practitioners whose job involves the protection of sensitive or confidential structured and unstructured data were allowed to participate.

For purposes of this research, datacentric security assigns a data security policy at creation and
follows the data wherever it gets replicated, copied or integrated—independent of technology
platform, geography or hosting platform. Data centric security includes technologies such as data masking, encryption, tokenization and database activity monitoring. This research reveals,
however, that automated solutions would help improve an organization’s compliance and data
protection posture.

Key findings of this research:

1. Data in the dark keeps IT practitioners up at night. Fifty-seven percent of respondents say
not knowing where the organization¡¦s sensitive or confidential data is located keeps them up
at night. This is followed by 51 percent who say migration to new mobile platforms is a
concern.
2. Sensitive or confidential data is often invisible to IT security. Only 16 percent of the
respondents believe they know where all sensitive structured data is located and a very small
percentage (7 percent) know where unstructured data resides.
3.  Organizations mainly rely upon the classification of sensitive data to safeguard data
assets. The two most popular technologies for structured data are sensitive data
classification and application-level access controls. Only 19 percent say their organizations
use centralized access control management and entitlements and 14 percent use file system
and access audits.
4. Automated sensitive data-discovery solutions are believed to reduce the risk to data
and increase security effectiveness. Despite the positive perception about automated
solutions, 60 percent of respondents say they are not using automated solutions to discover
where sensitive or confidential data is located. Of the 40 percent of respondents who say
their organizations use automated solutions, 64 percent say they use it for discovering where
sensitive or confidential data are located in databases and enterprise applications. Only 22
percent use it to discover data in files and emails.
5. Specific automated solutions would improve the organization’s compliance and data protection posture. The most popular capabilities are automated user access history with real-time monitoring followed by policy workflow automation.

To read the rest of the report, click here.

What? *Another* replacement credit card? Why database hacks are becoming a real, and costly, hassle

Bob Sullivan

Bob Sullivan

“You’re not liable for any fraudulent charges.” It’s a cheery phrase you’ve seen or heard dozens of times lately, usually said to help ease the blow of bad news: Your credit card has been hacked.  “But don’t worry!  A new card is on its way!  Everything is fine! Smiley face. =-)”

You recognize the language. It means you’ve been “Home Depot’d.”  Or “Target’d.” Or “Michael’d.”

And you know everything isn’t fine.

Consumers might be weary of news stories chronicling multi-million account hackings at major retailers like Target or Home Depot, but they are much more tired by the fallout: two, three, even four cards replaced in recent months, each one bringing with it a separate set of hassles and payment mixups.

Let’s call it, “Card replacement fatigue.” Consumers are starting to get pretty restless about all the new plastic they are getting in the mail.

(I am carrying three versions of the same card in my wallet right now as I sort through which one is the right one to use.  Both replacements arrived while I was traveling, hence the confusion).

“My credit card has been replaces 3 times this summer – I’m over it,” complained Melanie Web-Stelter. “I’m considering going back to checks and cash.”

Murray Lahn has had it even worse.

“At one point about 2 years ago, I went through 5 Mastercards in 20 months, and my most recent one was replaced just weeks ago before the Home Depot breach,” Lahn said. “I feel like I’m the king of card replacements.”

Most consumers are delighted to know their bank is looking out for them.  In fact, customer satisfaction ratings are high with phone calls warning that a consumers’ card might have been used for fraud.   Even new cards can provide some of that halo effect, partly offsetting the $5-to $10-per-card price tag of a reissue.

But there’s a limit to the good-will that can be earned with mass card cancelations, and it appears we are nearing that limit. There can be real costs associated with suffering a credit card hack. Not from the bank, or the fraud, but the hassle.

Automated payments are the best way to make sure the bills are paid and there’s no late fees. Consumer advocates (like me!) recommend using credit cards for lots of recurring bills — the electricity, the cell phone, the cable, and of course automated toll payments  — as a way to simplify your financial life.  It’s not simple however, when a bank gives you a new account number and you have to update all your automated payments.  Sure, you can look at last month’s statement and pluck them out, but what if you miss one?  Then the banks no-liability fraud policy won’t protect you from late fees.

And while many consumers say calling firms to update account information isn’t that much of a hassle, others report crazy situations.

“Time Warner Cable’s billing system … according to a customer rep has not been updated for decades,” said Dayle Henshel.  “Credit card changes, anything other than new expiration dates, are effectively hand-entered into their system and take 4-8 weeks to propagate into the system.”

Then, there’s EZ-Pass.

“Had to turn around on the Chesapeake Bay bridge/tunnel because EZ Pass triggered a reload on the old card number,” said Ron Urbanski. “After paying cash, we were able to update our account on the iPhone to allow us to pay the next tolls.”

In an informal poll, plenty of folks indicated their bank of credit union helped smooth the automated payment transition process, easing the pain considerably. Still, there is work involved — work consumers must do through no fault of their own.

“Got a letter from Chase identifying vendors that I interact with that I should contact based on reoccurring charges to account that may be auto pay or subscriptions,” said Mark Ladisky. “Helpful but I had to do the legwork.”

And there is one more hidden victim in the “victimless” crime of a massive credit card database hack: charities.

“I work with a little public radio station that’s pushing monthly ‘sustainer’ membership. More and more cards get declined due to replacements,” bemoaned Tom Lucci. “It’s a lot of extra time – that we don’t have – to track down new card info. Obviously we can’t charge a late fee or report to the credit bureaus. So if you do get breached, reach out to any nonprofits where you’re a sustaining contributor. Right thing to do, much appreciated.”