Pratum Blog

Are you worried about PRISM and other government programs designed to monitor electronic communications?  You should be.  The privacy implications are far reaching.  The 4th Amendment to the U.S. Constitution was ratified because we wanted to control what the government can find out about its citizens without cause.  The funny thing is I’ve heard very little commotion about what hackers and organized criminal networks can find out about you.

Here’s a list of some of the common ways we use smartphones and tablets today.  This list is in no particular order.  You may not do all of these things, but I’m sure you do at least a few.

  • Read company and personal email with sensitive information detailed in the message

  • Download email attachments with confidential information enclosed

  • View sensitive client or patient information via a web application

  • Check banking or investment accounts online

  • Use VoIP technology (Skype, FaceTime)

  • Use GPS to find directions to our friends, vacation spots, stores, etc.

The information security and privacy controls on smartphones and tablets are weak, at best.  They are laughable at worst.  There are very few security controls in place today to stop an attacker from getting access to everything on that device.  Yet we routinely download every free app regardless of what the privacy settings are.  We freely use these devices knowing that every conversation can be recorded and played back.  We surf the web and enter passwords into applications with no idea who the developer is or if they have good intentions.

Anyone else see the hypocrisy here?  We shout to the mountain top about the little information the government collects but there is hardly a whisper about the plethora of information we are freely giving to hackers.  Think about it.  Which is the bigger risk?

Here are the new statistics released this month from the Ponemon Institute's annual survey of breach costs.

$188 per record lost – Average cost in 2012 for a data breach in the US

28,765 – Average number of records per data breach in the US

$5,403,644 – Average cost of a breach in the US

$565,020 – Average cost to notify clients of a data breach in the US

$3,030,814 – Average cost of lost business from a data breach in the US

The cost figures are plain and simple. They are verified. They speak for themselves. If you are having trouble getting executives to buy into the notion that no security is more expensive than a little security, float these numbers past them. A breach of just 500 records will likely cost you $94,000. Information security is critical to survival. Ironically, the smaller you are, the worse a breach will hurt from a financial perspective.

Ask your executive team if they would consider not having a fire extinguisher or casualty insurance for your office. If they say no, ask why they are willing to take such large risks with information security. You're probably far more likely to suffer a security breach than to have a fire. Put into proper perspective, most executives will follow your logic and begin to appreciate information security activities.

The definition of a data "breach" is a murky quagmire to many of our clients. For some it's defined as "any unauthorized access or view of patient information outside an employee's job scope."  For another it's defined as "a successful external cyber-attack which results in actual financial loss to a customer."

Those are pretty different approaches to determining when a breach has occurred.  Things like company culture, regulatory compliance and insurance claims requirements will drive an organization’s definition of a data breach.

It is important for a business leader and security professional to be on the same page when it comes to defining the term "breach".  If they have different opinions, their approach to IT risk management and information security will be vastly different.

Having defined criteria for what constitutes a data breach will be critical to ensuring your incident response plan addresses actual incidents.  It also helps to filter out the busy work of creating a report for issues that, while they may be of value to address within the organization, do not reach the level of a breach and would not be reportable to regulators, investors or other interested parties.