Archive for the ‘Consulting’ Category

California law

California has toughened its data breach notification law, pioneering legislation enacted in 2003 that requires companies and organizations to notify individuals when their personal data is compromised.

An amendment passed this week adds three requirements that could have an immediate impact on your business and how it secures sensitive organizational and customer information:


3C Privileged Accounts

Companies have been handing out privileged accounts to employees and vendors for the past 20 years without weighing the security ramifications.

Privileged accounts are logons that grant elevated access to desktops, laptops, servers, firewalls, databases, printers, and any other device with a microprocessor that is connected to a company network.

Hackers and data thieves abuse those same accounts to breach heavily protected networks and exfiltrate large volumes of sensitive data. In fact, 86 percent of large enterprises either do not know or underestimate the number of privileged accounts on their networks, according to a survey by security vendor CyberArk Software.

Follow these best practices for securing privileged accounts and sensitive data.

1.  Reduce the number of privileged accounts. Every company has too many. Each one is an opportunity for accidental damage or a breach, and each raises the odds that an intruder gains a foothold in your network.
2.  Reduce the privileges of authorized users. Allow each user to change only the parts of the infrastructure they are assigned to manage, rather than granting broad rights across the environment.
3.  Monitor, monitor, monitor. Record all logons and all privileged activity. That record supports compliance, gives you an easily reviewable audit trail, and helps you quickly identify intruders, rogue insiders, and sloppy or incompetent employees. Look into monitoring that automatically alerts you to anomalous activity, such as a privileged logon at an unusual hour or from an unfamiliar address.
4.  Use strong authentication and robust passwords. It was once acceptable for a small group to share one account password, but no longer, especially on systems carrying sensitive data: a shared credential cannot be tied to an individual, so the audit trail in item 3 breaks down.
5.  Get to know your data. Account for sensitive data that may be backed up in multiple locations or stored in stray locations because of poor data hygiene.
6.  Assume you have been breached. Start from the assumption that a thief is already inside. Segment your network to limit what an attacker in any one area can reach, watch for unusual behavior from both people and systems, and pay particular attention to the people granted access to sensitive data.
7.  Control physical access. Lock up desktops and take home or lock away laptops after hours. Locate servers in secure data rooms, not in branch offices, kitchens or closets, and monitor and manage access to those rooms.
8.  Regularly review access rights. Assign managers and supervisors to periodically check their subordinates' access rights and confirm that users can reach only the systems appropriate to their roles.
9.  Enforce encryption. Apply appropriate levels of encryption to data at rest and data in motion.
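Items 1 through 4, 6 and 8 above are easier to act on once you can see the accounts and their logons in one place. The following Python script is an added example written for this page, not code from IDT911, BeyondTrust or NetIQ: it builds an inventory of privileged accounts from constructed /etc/group and /etc/sudoers excerpts (item 1), separates full root rights from command-restricted sudo rules (item 2), scans constructed sshd log lines for privileged logons from an untrusted network, outside business hours, or by password (items 3 and 6), and flags shared or generic account names and accounts with no recent privileged logon (items 4 and 8). The group names, the trusted 10.0.0.0/16 network, the 07:00 to 19:59 business hours and the 90-day staleness window are all assumptions chosen for the sample.

```python
"""Inventory privileged accounts and review their logons (items 1-4, 6 and 8 above).

Every input here is a constructed sample: the group, sudoers and auth-log
contents, the trusted network and the business hours are assumptions, not
data from a real host.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /etc/group excerpt: groups assumed to confer root-equivalent access.
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob,svc-backup,admin
sudo:x:27:alice,contractor1
docker:x:999:bob,contractor1
"""

# Constructed /etc/sudoers excerpt (one rule per line, no includes).
SUDOERS_FILE = """\
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
carol   ALL=(ALL) NOPASSWD: ALL
dave    ALL=(root) /usr/bin/systemctl restart nginx
"""

# Constructed sshd log lines (timestamps, hosts and addresses are made up).
AUTH_LOG = """\
2015-03-02T09:12:44 host1 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 51022 ssh2
2015-03-02T23:41:03 host1 sshd[2310]: Accepted password for admin from 203.0.113.7 port 40211 ssh2
2015-03-03T10:05:12 host2 sshd[1187]: Accepted publickey for bob from 10.0.1.31 port 50020 ssh2
"""

PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "docker"}  # assumption: grant root-equivalent rights
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/16")       # assumption: admin jump hosts live here
BUSINESS_HOURS = range(7, 20)                           # assumption: 07:00-19:59 local time
GENERIC_NAMES = re.compile(r"^(admin|root|svc-|service|shared|test)", re.I)  # not one person
LOGON_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+)")


def parse_group(text):
    """Return {group: set(members)} from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_sudoers(text):
    """Return {user: command spec} for direct (non-%group) sudoers rules."""
    rules = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("#", "%")):
            continue
        user, spec = line.split(None, 1)
        rules[user] = spec.strip()
    return rules


def privileged_inventory(groups, sudoers):
    """Map each privileged account to the reasons it is privileged (item 1)."""
    inv = defaultdict(set)
    for g in PRIVILEGED_GROUPS & groups.keys():
        for member in groups[g]:
            inv[member].add(f"group:{g}")
    for user, spec in sudoers.items():
        # A command-restricted rule (item 2) is not full root; record it separately.
        inv[user].add("sudo:ALL" if spec.endswith(" ALL") else "sudo:limited")
    return dict(inv)


def audit_logons(log_text, inv):
    """Return (last privileged logon per account, alerts) from sshd log lines (items 3 and 6)."""
    last_logon, alerts = {}, []
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        ts, method, user, src = m.groups()
        if user not in inv:
            continue  # unprivileged logons are out of scope for this audit
        when = datetime.fromisoformat(ts)
        last_logon[user] = max(when, last_logon.get(user, when))
        if ipaddress.ip_address(src) not in TRUSTED_NET:
            alerts.append((user, f"privileged logon from untrusted source {src}"))
        if when.hour not in BUSINESS_HOURS:
            alerts.append((user, f"privileged logon outside business hours at {ts}"))
        if method == "password":
            alerts.append((user, "password logon to privileged account; require keys or MFA"))
    return last_logon, alerts


def audit_accounts(inv, last_logon, now, stale_days=90):
    """Flag shared/generic names and stale privileged access (items 4 and 8)."""
    findings = []
    for user in sorted(inv):
        if GENERIC_NAMES.match(user):
            findings.append((user, "generic or shared name; cannot be tied to a person"))
        seen = last_logon.get(user)
        if seen is None or now - seen > timedelta(days=stale_days):
            findings.append((user, f"no privileged logon in {stale_days} days; review access"))
    return findings


def run_audit(log_text=AUTH_LOG, now_iso="2015-03-04T00:00:00"):
    """Tie the steps together; returns (inventory, logon alerts, access-review findings)."""
    inv = privileged_inventory(parse_group(GROUP_FILE), parse_sudoers(SUDOERS_FILE))
    last_logon, alerts = audit_logons(log_text, inv)
    findings = audit_accounts(inv, last_logon, datetime.fromisoformat(now_iso))
    return inv, alerts, findings


if __name__ == "__main__":
    inventory, logon_alerts, review = run_audit()
    print(f"{len(inventory)} privileged accounts (item 1): {', '.join(sorted(inventory))}")
    for account, why in logon_alerts + review:
        print(f"  {account:12} {why}")
```

On the sample data the inventory comes to eight accounts, which is the point of item 1: the group files alone understate the count because sudoers adds carol and dave, and only dave's rule is command-restricted. The single password logon by the shared "admin" account from outside the trusted network at 23:41 trips all three logon checks at once, which is exactly the kind of event item 3's alerting should surface, and the review step lists every account that nobody has used in the window so a manager can decide whether it still needs its rights (item 8).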

Sources: IDT911 interviews with Brad Hibbert, Vice President, Product Strategy and Operations at BeyondTrust, a Phoenix-based supplier of vulnerability and privileged account management systems, and Geoff Webb, Senior Director of Solution Strategy at Houston-based identity management vendor NetIQ.


Nowadays, you don’t have to be a large corporation to attract the attention of hackers. Limousine companies, escrow firms, and even hay-compressing companies have been the targets of cyber attacks in recent years. According to one estimate, 20 percent of small businesses are victims of cyber crime each year, and of those, some 60 percent go out of business within six months of an attack.

Fortunately, there are actions that companies of all sizes can take to help keep their information systems safe. In February, I wrote about what I call the “Three I’s” of computer virus protection: Install, Inform, and Insure. The first “I” is for installing antivirus software (AVS), and the last “I” is for insuring your company. Today, though, is just about the second “I”—which stands for informing staff.



More British organizations are likely to experience security breaches, and the costs are going up, according to a survey from the Department for Business, Innovation and Skills. Learn more in this handy infographic that reveals five key takeaways for businesses.



The recent high-profile breach that caused a cloud-based service provider to shutter its doors illustrates, in a very painful way, how a single compromised administrative credential can render incident response planning and preparation irrelevant.


Small businesses make risky choices every day by gambling that they will fly below the radar of cyber criminals and not become targets for data theft. Business owners are misguided in thinking their business is too small and their data not valuable enough to a hacker.


ISO, a leading source of information about property/casualty insurance risk, announced today a strategic collaboration with IDT911, the nation’s premier consultative provider of identity and data risk management, resolution, and education services. ISO is a member of the Verisk Insurance Solutions group at Verisk Analytics.

As part of the collaboration, IDT911 has become the ISO Businessowners Program vendor of choice for data breach avoidance and remediation services. ISO’s Businessowners Program is a package policy providing broad property and liability coverage for small and midsize businesses. ISO filed an optional businessowners cyber insurance endorsement on a multistate basis this month for a March 2015 implementation date.


Healthcare organizations can save time and money by taking steps to comply with government regulations such as HIPAA and HITECH before a data breach happens. Learn how to bring your security program in line with these tips.


Do you ever wonder how large corporations with mature, robust information security programs still suffer data breaches even after spending millions of dollars on security experts and cutting-edge technology?

If a sinking ship has five holes in its hull and the crew plugs only three of them, the ship still sinks. Think of each hole as a threat to your network, information systems, and data: you must plug all of them to prevent a breach. Otherwise you risk the ship going down and taking the crew (and your reputation) with it.



We’re proud to share some good news: Our Privacy XChange Forum has earned a Bronze Stevie® Award for Best Corporate Image Live Event!

The award was presented at the American Business Awards traditional awards banquet recently held in Chicago, Illinois. Other winners in the Live Event category included Levi’s, PepsiCo, American Express, Swiss Re, and more.