Tuesday, February 24, 2009

Catch Me Next Month

Catch me next month in New York at the Javits at the pharmatech trade event, Interphex. I'll be part of a panel discussing the use of RFID in the pharmaceuticals industry, offering some insight on the privacy implications of that technology. The panel includes:

· Louis Parks, President and CEO, SecureRF Corp.
· Andrew Strauch, Vice President, Product Marketing and Management, MIKOH Corp.
· Bikash Chatterjee, President and CTO, Pharmatech Associates Inc.
· Michael McCartney, Founder and Principal, QLM Consulting
· Mike Spinney, Principal, SixWeight (that's me!)

Our session takes place on Tuesday, March 17 from 3:00pm - 4:00pm, and is sponsored by Domino Amjet.

If you are thinking about attending Interphex and want to drop in for the discussion, let me know. Following this LINK will take you to a conference registration page that gives you a 15% discount.

Hope to see you there.

Mike

Monday, February 23, 2009

Data at Higher Risk During Down Economy?

Data loss due to the actions of insiders is a well-known problem. Every company has employees, and employees – being human – are prone to make mistakes. They email information to unauthorized recipients, they leave laptop computers in airports, they drop their PDAs in taxis, they take information home to get some work done over the weekend, and they connect to non-secure networks or open their computer to the Pandora’s Box of peer-to-peer networks…

Consistently, research by the Ponemon Institute and other groups has confirmed this to be true. Insiders are responsible for the vast majority of all data breaches. The Ponemon Institute’s most recent Annual Cost of a Data Breach Study puts this figure at 88 percent.

My gut tells me that a foundering economy would exacerbate this situation, but my gut (and the collective gut of everyone who has thought about this situation) isn’t considered credible evidence by anyone making decisions in the corner office. That’s why the Institute has released a new study that examines this situation – and the results are pretty interesting.

Jobs at Risk = Data at Risk (sponsored by the good folks at Symantec) has a number of interesting findings. In short, 59 percent of employees who lost or changed jobs over the last year reported taking sensitive information with them when they left – 79 percent of whom knew they were doing so against company policy. In cases where the employee had a negative view of their former employer the likelihood of data theft was 61 percent, but for those with a positive view the rate of theft was only 26 percent.

One critical takeaway from this study has to be that this is a preventable problem. There’s a sentiment within the data security community that data loss at the hands of insiders is merely a cost of doing business. As they do with paperclips and ballpoint pens, employees are going to access and swipe information and there’s not much that can be done about it. That’s a defeatist conclusion that is simply not supported by these findings.

Most of the individuals stealing information are non-IT staff who lack the technical sophistication to effect clever schemes to defeat IT security protections. They are, by and large, administrative (16%), sales (30%), and contract employees (13%) who are motivated by financial pressure and job-loss anxiety.

Given the markedly lower rate of theft among employees who had positive feelings for their former employer, simply doing a better job building positive employee relationships would go a long way toward dissuading folks from making bad exit decisions. Such a program should include the development and communication of clear and enforceable policies related to data handling – including consequences for data theft.

Employees are stealing information because they recognize data has immense value in today’s economy. They regard this information as their “parting gifts,” but if they know that stealing information might put their severance package at risk, they’ll think twice.

Of course, a thorough data loss prevention program must include an investment in the appropriate technology tools. DLP technology, properly deployed, can prevent the vast majority of accidental and intentional data theft events.

Sunday, February 22, 2009

I'm Back...

Sorry for neglecting this blog for so long. I've got plenty to say but have been saying it in other, usually less public, forums. I've got a lot of work to do to bring folks back into the fold but I hope to be able to do so over time.

Mike