Lessons from Anthem hack: Welcome to the post-Sony world; it's going to get ugly

Bob Sullivan

Another day, another massive computer hack that sets millions of people in a tizzy about something they can’t control.  The Anthem health data leak isn’t the Big One — that’s still coming, believe me — but it’s pretty big.  Perhaps 80 million people now have to worry that a criminal gang has their name, birthday, email, Social Security number, and perhaps even their employment history and salary.

It’s easy to imagine all the bad things that can happen to you if that data gets in the hands of a professional criminal. Sure, consumers will get *another* offer of free credit monitoring — handy, because the Target free monitoring just expired. But really, that’s a bit like telling a man to boil water when a pregnant woman’s water breaks. Busy work.

What’s broken here is the system.  What’s missing here is bold action.  While Washington D.C. bickers over a new privacy law that enacts technological-era change at a glacial pace, hackers are running circles around our nation’s companies. Nobody I know who works in cybersecurity thinks things are going to get better.  Last year’s Sony hack set the stage for this, and other stories you see this year. Computer criminals are about to abandon credit card database hacks. With the move to chip-enabled credit cards, stolen account numbers will soon have less value.  So that migration has already begun. As I often say, fraud is like a water balloon. Squeeze one end, and the other end just gets bigger.

But there’s more going on here than chip card change.  Sony taught hackers a valuable lesson: even data that might not seem valuable can be priceless if leveraged in the right way. The old thinking: Who cares about stealing a million emails? Most of them are boring drek. Get the payment card data.  The new thinking: Grab everything, and we’ll figure out how to monetize it later.  It only takes a few embarrassing emails to convince a CEO to stop a product launch, or cough up a few million dollars. Turning millions of credit card numbers into cash is hard work, involving an army of mules and real-world risk.  Turning private data into an extortion payout is much easier.

So we see with the Anthem hack that, according to the company, criminals didn’t even seem interested in the payment card data.  They wanted everything else. And now, like a hunter who uses every part of a dead prey, they will pick over the data and try to monetize it in dozens of ways.  New account fraud. Phishing. Extorting consumers.  Perhaps they’ve already tried to extort the company. Since victims do not have the option of canceling their birthdays or employment background, they will have to worry about this for a very long time.

Why? Anthem was warned. The FBI issued a warning last year that health care firms use archaic systems which are easy hacker targets.  Why would Anthem leave such data in an unencrypted state, lying around for the taking?  More important, why would Anthem have data on potentially millions of former customers, also sitting there for the taking?

The reason: Anthem didn’t see value in the data the way consumers do, and the way the hackers do. Notice that no medical information was stolen. That’s because it’s part of Anthem’s core business. Consumer information is not.  Maintaining that is merely a cost. You see this pattern again and again. Why was Target’s credit card database stolen? Because Target isn’t a bank, it’s a department store.  Why was Sony’s email stolen? Because it wasn’t a movie in production, it was just email.

Change must come.  Data is everyone’s core business now.  Firms need to actually take the protection of our data seriously, not merely say they do in letters revealing they’ve been hacked.  Meanwhile, it’s time to work with the reality that millions of Americans have now permanently been exposed to identity theft through heist of their Social Security numbers. The right way to deal with that is simple: We need to devalue the stolen information. One modest proposal you will hear is to simply make all Social Security numbers public, thereby ending once and for all their use as a unique and “secret” identifier.

That kind of fresh thinking is the only way through this problem. And that kind of bold step could only be taken with leadership from the federal government. We’re still waiting.

See you in another week or two when the next big hack hits.

The more you have, the less you trust technology; growing gap between rich and poor nations

Courtesy Microsoft. Chart shows impact of tech on privacy.

Technology is like money, it seems.  You need some of it…a decent amount, really…to be happy. But at a certain point, it might do more harm than good.

Microsoft released a fascinating global survey at Davos this week which unearthed another gap between the developed and the developing world.  Poorer countries have a lot more positive feelings about technology than rich countries, and the gap is widening.  In the developing world, tech has been a boon for journalism, social connections, and employment opportunities.  In the developed world, many folks feel just the opposite.

And it makes sense. Mobile phones have brought telecommunications to plenty of places that couldn’t afford to string landlines, for example. On the other hand, in the U.S. and other rich nations, mobile phones are often seen as communication killers — particularly by parents who can’t get the darn things out of their teen-agers hands.  A classic first-world problem.

I’ve written a lot of negative observations about the unintended consequences of technology as part of The Restless Project.   I hope no one misunderstands: I’m happy I can see my niece on Skype video calls, I can write books on the beach with my laptop, and I’m really thrilled that my father had open heart surgery not long ago in the time it takes to get a tooth pulled.  Tech is good.  But tech also has its limits, and it’s become a bit of a false god.  It’s also really enabling some folks to take advantage of workers, like Uber.  There are billions of dollars in marketing that extol the virtues of tech. Someone has to talk about the dark side. Microsoft’s survey suggests plenty of folks are concerned about that.

In fact, if there’s one thing consumers from all corners of the globe agreed on, it was this: Our very notion of privacy is at serious risk.  In eleven of the twelve countries surveyed, respondents said that technology’s effect on privacy was mostly negative. (India was the only exception.)

“Majorities of respondents in every country but India and Indonesia say current legal protections for users of personal technology are insufficient, and only in those two countries do most respondents feel fully aware of the types of personal information collected about them,” Microsoft said.

Countries included in the survey:  U.S., China, India, Brazil, Indonesia, South Africa, South Korea, Russia, Germany, Turkey, Japan and France

Here’s the data on the schism between developed and developing countries and their attitudes towards tech:

  • Impact on Social Bonds. Fully 60 percent of respondents in developing countries think personal tech has had a positive impact on social bonds, compared to just 36 percent of respondents in developed countries.
  • Sharing Economy Split. Fifty-nine percent of respondents in developing countries think technology-enabled, sharing-economy services — like Uber and Airbnb — are better for consumers than traditional services like taxis and hotels. But 67 percent of respondents in developed countries think the traditional services are better for consumers.
  • In the Media We (Don’t) Trust. By a 2:1 margin, respondents in developing countries think personal technology has had a mostly positive effect on trust in the media. But in developed countries, the impression is the opposite: respondents believe by a 2:1 margin that the effect on trust in the media has been mostly negative. These opposing views are borne out in the two kinds of countries’ media habits: in developing countries, 70 percent of respondents get most of their news from social media, compared to only 31 percent in developed countries.
  • Getting Fit. The difference in opinion about tech’s effect on fitness is striking: 57 percent of respondents in developing economies think personal technology has made people in their country more fit, thanks to apps for diet management, calorie counting, and exercise incentives – but 62 percent of respondents in developed economies think personal technology has made people in their country less fit, because of the amount of time people waste in front of their PCs, tablets, game consoles, etc.
  • The Tug on Children. In developing countries, the majority of online parents (77 percent) want their children to have more access to technology, but in developed countries, the majority of online parents (56 percent) want their children to have less access.
  • STEM and Gender. Finally, there is a real split in engagement regarding the very topic of this survey: science and technology. Although large pluralities of respondents in all twelve countries believe the best jobs in the future will be in STEM, fewer than six in ten respondents in developed countries say they are interested in working in STEM, compared to 85 percent in developing countries. And while 77 percent of women respondents in developing countries feel encouraged to work in STEM fields, only a minority – 46 percent – of women respondents in developed countries do.

The Sony hack, and why your email might be next

Bob Sullivan

Sony reminds me of the chaos theory in the hacking world. Yes, you should be very afraid of what’s happening at Sony right now. Here’s why.

Four years ago, I wandered the halls at the giant RSA security conference collecting scuttlebutt. Companies spend thousands, even millions of dollars, to make a splash at the annual geek-fest, but on this day, one company completely stole the spotlight. For free. And no one was jealous, because on that day, no one wanted to be government contractor HB Gary.

Hackers calling themselves members of the Anonymous group had hacked HB Gary servers, stolen the firm’s email, then made it public for all the world to see. Days of embarrassment and nightmarish news followed, from exposure of a less-than-comfortable relationship with Bank of America to incredibly uncomfortable personal emails from workers.

At the time, the smartest geeks on the planet were terrified over the news. These folks weren’t afraid of hackers hell-bent on stealing their intellectual property or their financial information. Most of them had fought off those attacks for decades. What they feared was chaos. The HB Gary hackers weren’t after money. They wanted revenge. And computer criminals who simply want to destroy things are the most frightening. Publishing entire email spools stolen from company servers gains hackers almost nothing. But it exposes everyone inside a company, and everyone who ever communicated with any of those workers, to tremendous embarrassment, or worse. It creates chaos.

It’s an unpopular thought, but it’s true: There is no absolute security. Spend money and time protecting this, and you will leave that vulnerable. That’s how it works at airports, and that’s how it works in networks. Folks who protect digital assets for a living are constantly making trade-offs. Email is often one of those trade offs. Most energy is focused on protecting money. A lot of energy is focused on protecting intellectual property. Four years ago, Anonymous realized email servers are often neglected. And they realized just how much chaos they could cause by publishing…and indexing for easy discovery…HB Gary’s email.

Back then, every confident security professional I knew had two burning questions in mind. One: was I in HB Gary’s email? And two: What about my email server? What would happen if someone published all my company’s email? How many ‘secret’ job searches … sexist or racist jokes … illicit affairs … might be exposed with an email dump?

There was a great chill in the entire profession. People imagined the worst.

Now, the worst has happened. Execs have been forced to apologize to President Obama for racist comments. Sony has lawyers running around threatening journalists not to publish bits and pieces of upcoming movie scripts. Journalists have been exposed for too-cozy chats with sources. Heck, Aaron Sorkin is actually attacking … not the hackers … but those who even looked at what was hacked.

Revenge. Chaos. A crisis that seems without end. Mission Accomplished.

Perhaps, these hackers ultimately have money in mind. Perhaps they are state-sponsored. Perhaps the attack is purely politically motivated. We’ll probably never know, though most certainly, someone in the middle of this simply wants money.

But clearly, the criminals here were out to wreak havoc. Folks who just want to break things are pretty hard to stop. And now the playbook, first established four years ago, has been darn near perfected. Out folks’ private communications, let curious onlookers go to town, and you have a full-fledged techno-disaster on your hands. The point can’t be overstated: In both HB Gary and Sony, hackers exposed their target companies and potentially anyone who had ever emailed with their employees. Publish the email of a big enough company, and you might very well expose a majority of Americans in one hack.

Stealing secrets and dumping them online is the hateful practice of “doxxing” — exposing private parts of victims’ lives online, such as their home address, with the intent to invite harassment — writ large. It’s pretty hard to stop doxxing. You should all just hope no one ever finds a reason to do it to you. And it’s almost as hard to stop doxxing on a massive scale. Yes, shutting down a power plant or a similar critical infrastructure hack could be a horrible disaster. But I think this kind of chaos might ultimately be more damaging to the U.S. It’s certainly easier to fashion.

What’s the lesson here? I’ve said forever that any time you type anything into any kind of keyboard, you should be prepared for the world to see it one day, even if you think your communication is private. That’s good advice, but it has its limits. For starters, we all use chat tools, texts, and even email as casually as we talk now. It’s pretty hard to remember that you are always one co-worker’s stupid click away from your chatter being exposed to the world. A private note with one comment that could be described as racist, sexist, even elitist … said to one person … could seriously tarnish your career or legacy. In that world, being 99.9 percent careful just isn’t good enough.

But the problem is scarier than that. Standards change all the time, but servers are forever. Imagine if we could read long email chats between political or corporate figures from 25 or 50 years ago. They’d all sound awful. It’s really, really hard to predict what something you say today might sound like 10 or 20 years in the future. The old “out of context” explanation doesn’t work any more. This is why the world of pack-rat programming alarms me. Companies (in the U.S.) reflexively save every piece of data for as long as possible. It will be the radioactive fallout of our time. We haven’t even begun to digest the implications of that.

Sony is a pretty good hint, however. Be very, very careful what you type.

The seven reasons consumers still care about privacy

Larry Ponemon

Consumers’ Perceptions about Privacy & Security: Do They Still Care? conducted by Ponemon Institute and sponsored by RSA is intended to understand what consumers think about privacy and information security. Specifically, how have recent mega-breaches affected consumer behavior and attitudes about privacy? Moreover, is the constant sharing of personal information online and with mobile apps diminishing the importance consumers place on their privacy?

We surveyed 1,020 consumers in the United States between the ages of 18 and 65+. Forty-nine percent of respondents say they have been victims of at least one data breach. However, 45 percent are not confident that they know of all instances when their personal information was lost or stolen in a data breach.

Read the entire study (PDF)

Based on the findings we conclude that consumers perceive a loss of control over their personal information because of data breaches, the lack of trust in the security of the mobile apps they continue to use and increased government surveillance. However, they still believe the privacy and security of their personal information is important.

The following seven findings reveal why consumers still care about privacy:

Privacy rights are believed to be at risk. Seventy-five percent of respondents worry that they will lose their privacy rights as the Internet progresses into the future and are very concerned about this happening. 

Privacy and security expectations are high for financial transactions. No matter what their privacy profile is, respondents have high expectations for privacy and security when filing a tax return, making mobile payments or banking.

Privacy and security on the Internet and when using social media is important.  Respondents are spending an average of 56 hours per week on the Internet and 27 hours using social networks, social messaging and other social media tools. They rate the importance of the security and privacy of these activities as very high.

Prompt data breach notification is important. Seventy-seven percent of respondents say prompt notification about the loss or theft of their personal information is either very important (56 percent) or important (21 percent).

Respondents worry about the theft of certain information. Most respondents are concerned about the theft or misuse of their Social Security numbers, passwords or PIN and payment information such as credit card number.

Strong online authentication procedures are very important. Fifty-four percent strongly agree or agree that the websites they use have strong authentication procedures that can be trusted to safeguard their sensitive or confidential information. They also do not trust systems or websites that only rely on passwords to identify and authenticate users or consumers (62 percent). Similarly they do not trust systems or websites when identity and authentication procedures appear too easy (62 percent of respondents).

Biometric authentication methods are viewed favorably. Seventy-eight percent of respondents say they would prefer authentication procedures that verify their identity without requiring them to share personal information such as a name, address, email and so forth.

‘We’ve lost control,’ say 9 out of 10 Americans

You couldn’t get nine out of 10 Americans to agree that the sky is blue.  So it’s remarkable that nine out of 10 say they have lost control over how their personal information is collected and used by corporations, a new survey released Wednesday by the Pew Research Center has found. Virtually the same number feel like it would be “very difficult” to remove inaccurate information about them online. And roughly two-thirds believe the government should do more to regulate advertisers and how they use personal information.

On the other hand, more than half said they were willing to share “some information” about themselves in order to use online services for free, and about one-third say that surveillance can be beneficial for society.

The results show Americans’ feelings about privacy are varied and subtle, said Lee Rainie, director of the Internet Project and a co-author of the study.

“Far from being apathetic about their privacy, most Americans say they want to do more to protect it,” Rainie said. “It’s also clear that different types of information elicit different levels of sensitivity among Americans.”

The slew of data breaches at major retailers over the past year has put privacy concerns front and center in Americans’ minds. Credit monitoring, transaction alerts and general vigilance about where you share your data and who you share it with are all part of keeping your data footprint limited. It won’t necessarily prevent identity theft or fraud (two consequences of sharing your personal information broadly), but it can make dealing with it easier. Any large, unexpected changes in your credit score could be signs of new-account fraud. (You can use free online tools – including those at Credit.com – to monitor your scores for any changes. You can also get free credit reports once a year at AnnualCreditReport.com.)

Other findings in the poll, which questioned a representative cross section of Americans:

When they want to have anonymity online, few feel that is easy to achieve. Just 24% of adults “agree” or “strongly agree” with the statement: “It is easy for me to be anonymous when I am online.”

  • 61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.”
  • 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
  • 70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites
  • Generally, people trust old technology more than new for privacy. People trust old-fashioned telephones more than social media or text messages, for example. They even trust landline phones more than cellphones.
  • 36% “agree” or “strongly agree” with the statement: “It is a good thing for society if people believe that someone is keeping an eye on the things that they do online.”

Privacy law expert Chris Hoofnagle, a teacher at Berkeley Law school who reviewed the study, noted that attitudes about surveillance were linked to citizens’ education levels.

“A sizable minority agrees with the idea that surveillance is beneficial for society. This group was characterized as younger and less well educated, with each step in more education resulting in less agreement of its beneficence,” he said. “I think there are very interesting class dynamics in privacy and it is something that the Digital Trust Foundation is going to start funding research around this question in 2015. A question to ask here is why does this group find beneficence in surveillance? Could it be because they are heavily surveilled and simply do not have a choice over the matter?”

Here’s a few more of Hoofnagle’s observations.

“Trust in communications channels is based both on the age of technology and legal protections. The oldest and most legally protected technology (ECPA warrant standard) is the landline phone, followed by wireless phones. Email and text go over the wire in plain text, making them technologically inferior, and they are less protected as they fall under the SCA. Chat is the strange one—it is a newer technology, and so perhaps less trusted for that reason. But some chat is very strongly protected (iMessage).  And of course, no one should feel secure on social media sites because Facebook is crawling with investigators and Facebook itself is a privacy threat.

“Finally … many others have found that Americans are skeptical of both private-sector and government collection of information. (These) results are consistent with surveys going back to the 1980s that find distrust of both government and commercial data practices.”

Mobile security: 30 percent of firms say they have none

Larry Ponemon

Organizations seem to be willing to sacrifice security to realize the benefits of a more efficient workforce that is “always connected”. A much better, but challenging, approach is to adopt a mobile strategy with technologies that enable the employee to work efficiently without putting confidential information at risk. Strategies also need to include training and awareness programs because of employees’ negligence and tendency to ignore security procedures. The research also reveals that the biggest barrier to achieving an effective mobile security strategy is employee resistance.

Ponemon Institute is pleased to present the findings of Security in the New Mobile Ecosystem, commissioned by Raytheon. The purpose of this research is to examine the impact of mobile devices, mobile apps and the mobile workforce (a.k.a. mobile ecosystem) on the overall security posture of organizations in the United States. In the context of this research, mobile devices are smartphones and tablets.

We surveyed 618 IT and IT security practitioners who are involved in their organizations’ mobile and enterprise security activities. Most of the respondents are engaged in implementing enterprise security (65 percent of respondents), managing mobile technologies and platforms (55 percent of respondents) and setting mobile strategy (47 percent of respondents).

Following are key takeaways from this research:

End-user productivity drives growth of mobile devices in the workplace. Sixty-one percent of respondents say mobile devices increase productivity, which is an incentive for employees to use them and organizations to encourage their use. According to the research, on average one-third of employees use mobile devices exclusively to do their work and this is expected to increase to an average of 47 percent of employees in the next 12 months.

More mobile devices must be managed but budgets fail to keep up with the growth. The typical organization represented in this study must manage an average of almost 20,000 mobile devices and this is expected to increase to an average of 28,000 in the next 12 months.

Only 36 percent of respondents say they have a budget sufficient to deal with the explosive growth of mobile devices. The average budget that is considered adequate is approximately $5.5 million annually – or $278 per managed device.

Security is sacrificed for productivity. The majority of respondents (52 percent) say security practices on mobile devices have been sacrificed in order to improve employee productivity. Moreover, 60 percent believe employees have become less diligent in practicing good mobile security. The two biggest mobile security risks are malware infections and end-user negligence.

Security in the new mobile ecosystem is critical. Thirty percent of respondents say their organizations have no mobile security features in place. However, 75 percent say it is important to secure employees’ mobile devices. A virtualized solution is popular with 57 percent of respondents. The methods most often used to secure mobile devices are mobile device management and secure containers.

To receive the full report, click here.

Dancing in the Dark with your data

Up At Night

Larry Ponemon

Here’s a surprise: The uncertainty about the location of sensitive and confidential data is more of a worry than a hacker or malicious employee.

We surveyed 1,587 global IT and IT security practitioners in 16 countries (the research was sponsored by Informatica). A list of participating countries is presented in the appendix of this report. To ensure a knowledgeable and quality response, only IT practitioners whose job involves the protection of sensitive or confidential structured and unstructured data were allowed to participate.

For purposes of this research, data-centric security assigns a data security policy at creation and follows the data wherever it gets replicated, copied or integrated—independent of technology platform, geography or hosting platform. Data-centric security includes technologies such as data masking, encryption, tokenization and database activity monitoring. This research reveals, however, that automated solutions would help improve an organization’s compliance and data protection posture.

Key findings of this research:

1. Data in the dark keeps IT practitioners up at night. Fifty-seven percent of respondents say not knowing where the organization’s sensitive or confidential data is located keeps them up at night. This is followed by 51 percent who say migration to new mobile platforms is a concern.
2. Sensitive or confidential data is often invisible to IT security. Only 16 percent of the respondents believe they know where all sensitive structured data is located and a very small percentage (7 percent) know where unstructured data resides.
3. Organizations mainly rely upon the classification of sensitive data to safeguard data assets. The two most popular technologies for structured data are sensitive data classification and application-level access controls. Only 19 percent say their organizations use centralized access control management and entitlements and 14 percent use file system and access audits.
4. Automated sensitive data-discovery solutions are believed to reduce the risk to data and increase security effectiveness. Despite the positive perception about automated solutions, 60 percent of respondents say they are not using automated solutions to discover where sensitive or confidential data is located. Of the 40 percent of respondents who say their organizations use automated solutions, 64 percent say they use them for discovering where sensitive or confidential data is located in databases and enterprise applications. Only 22 percent use them to discover data in files and emails.
5. Specific automated solutions would improve the organization’s compliance and data protection posture. The most popular capabilities are automated user access history with real-time monitoring followed by policy workflow automation.

To read the rest of the report, click here.

What? *Another* replacement credit card? Why database hacks are becoming a real, and costly, hassle

Bob Sullivan

“You’re not liable for any fraudulent charges.” It’s a cheery phrase you’ve seen or heard dozens of times lately, usually said to help ease the blow of bad news: Your credit card has been hacked.  “But don’t worry!  A new card is on its way!  Everything is fine! Smiley face. =-)”

You recognize the language. It means you’ve been “Home Depot’d.”  Or “Target’d.” Or “Michael’d.”

And you know everything isn’t fine.

Consumers might be weary of news stories chronicling multi-million-account hackings at major retailers like Target or Home Depot, but they are much more tired of the fallout: two, three, even four cards replaced in recent months, each one bringing with it a separate set of hassles and payment mix-ups.

Let’s call it, “Card replacement fatigue.” Consumers are starting to get pretty restless about all the new plastic they are getting in the mail.

(I am carrying three versions of the same card in my wallet right now as I sort through which one is the right one to use.  Both replacements arrived while I was traveling, hence the confusion).

“My credit card has been replaced 3 times this summer – I’m over it,” complained Melanie Web-Stelter. “I’m considering going back to checks and cash.”

Murray Lahn has had it even worse.

“At one point about 2 years ago, I went through 5 Mastercards in 20 months, and my most recent one was replaced just weeks ago before the Home Depot breach,” Lahn said. “I feel like I’m the king of card replacements.”

Most consumers are delighted to know their bank is looking out for them. In fact, customer satisfaction ratings are high with phone calls warning that a consumer’s card might have been used for fraud. Even new cards can provide some of that halo effect, partly offsetting the $5-to-$10-per-card price tag of a reissue.

But there’s a limit to the goodwill that can be earned with mass card cancellations, and it appears we are nearing that limit. There can be real costs associated with suffering a credit card hack. Not from the bank, or the fraud, but the hassle.

Automated payments are the best way to make sure the bills are paid and there are no late fees. Consumer advocates (like me!) recommend using credit cards for lots of recurring bills — the electricity, the cell phone, the cable, and of course automated toll payments — as a way to simplify your financial life. It’s not simple, however, when a bank gives you a new account number and you have to update all your automated payments. Sure, you can look at last month’s statement and pluck them out, but what if you miss one? Then the bank’s no-liability fraud policy won’t protect you from late fees.

And while many consumers say calling firms to update account information isn’t that much of a hassle, others report crazy situations.

“Time Warner Cable’s billing system … according to a customer rep has not been updated for decades,” said Dayle Henshel.  “Credit card changes, anything other than new expiration dates, are effectively hand-entered into their system and take 4-8 weeks to propagate into the system.”

Then, there’s EZ-Pass.

“Had to turn around on the Chesapeake Bay bridge/tunnel because EZ Pass triggered a reload on the old card number,” said Ron Urbanski. “After paying cash, we were able to update our account on the iPhone to allow us to pay the next tolls.”

In an informal poll, plenty of folks indicated their bank or credit union helped smooth the automated payment transition process, easing the pain considerably. Still, there is work involved — work consumers must do through no fault of their own.

“Got a letter from Chase identifying vendors that I interact with that I should contact based on recurring charges to my account that may be auto pay or subscriptions,” said Mark Ladisky. “Helpful, but I had to do the legwork.”

And there is one more hidden victim in the “victimless” crime of a massive credit card database hack: charities.

“I work with a little public radio station that’s pushing monthly ‘sustainer’ membership. More and more cards get declined due to replacements,” bemoaned Tom Lucci. “It’s a lot of extra time – that we don’t have – to track down new card info. Obviously we can’t charge a late fee or report to the credit bureaus. So if you do get breached, reach out to any nonprofits where you’re a sustaining contributor. Right thing to do, much appreciated.”


Do cloud breaches cost more?

Larry Ponemon

Can a data breach in the cloud result in a larger and more costly incident? In short, yes. The more places where data resides, the harder it is to control, and the more it costs to clean up a compromise. The cloud multiplier calculates the increase in the frequency and cost of data breach based on the growth in the use of the cloud and uncertainty as to how much sensitive data is in the cloud.

We surveyed 613 IT and IT security practitioners in the United States who are familiar with their company’s usage of cloud services. The majority of respondents (51 percent) say on-premise IT is equally or less secure than cloud-based services. However, 66 percent of respondents say their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information and 64 percent believe it makes it difficult to secure business-critical applications.

As shown in more detail in this report, we consider two types of data breach incidents to determine the cloud multiplier effect. We found that if the data breach involves the loss or theft of 100,000 or more customer records, instead of an average cost of $2.37 million it could be as much as $5.32 million. Data breaches involving the theft of high value information could increase from $2.99 million to $4.16 million.

Faith in cloud providers is not what it should be.

A lack of knowledge about the number of computing devices connected to the network and enterprise systems, software applications in the cloud and business-critical applications used in the cloud workplace could be creating a cloud multiplier effect. Other uncertainties identified in this research include how much sensitive or confidential information is stored in the cloud.

For the first time, we attempt to quantify the potential scope of a data breach based on typical use of cloud services in the workplace, or what can be described as the cloud multiplier effect. The report describes nine scenarios involving the loss or theft of more than 100,000 customer records and a material breach involving the loss or theft of high-value IP or business confidential information.

When asked to rate their organizations’ effectiveness in securing data and applications used in
the cloud, the majority (51 percent) of respondents say it is low. Only 26 percent rate the
effectiveness as high. Based on their lack of confidence, 51 percent say the likelihood of a data
breach increases due to the cloud.

Key takeaways from this research include the following:
* Cloud security is an oxymoron for many companies. Sixty-two percent of respondents do not agree or are unsure that cloud services are thoroughly vetted before deployment. Sixty-nine percent believe there is a failure to be proactive in assessing information that is too sensitive to be stored in the cloud.
* Certain activities increase the cost of a breach when customer data is lost or stolen. An increase in the backup and storage of sensitive and/or confidential customer information in the cloud can cause the most costly breaches. The second most costly occurs when one of the organization’s primary cloud services providers expands operations too quickly and information.

* Certain activities increase the cost of a breach when high-value IP and business confidential information is lost or stolen. Bring Your Own Cloud (BYOC) results in the most costly data breaches involving high-value IP. The second most costly occurs when the backup and storage of sensitive or confidential information in the cloud increases. The least costly occurs when one of the organization’s primary cloud providers fails an audit concerning its inability to securely manage identity and authentication processes.