For IT Pros Only

Lets be clear: this is for IT people. Not because IT people are better looking and drive cooler cars than the general populace (which is true: most IT departments look like extras from the set of The Fast and Furious), but because unless you're familiar with things like the dark blackness that grips your soul when you discover that two NICs have the same MAC address on your network - you probably aren't going to appreciate this at all.

Get Your Cards Now
Compliance & Regulation

[Podcast] Attorney Sara Jodka on the GDPR and Employee HR Data, Part I

In this first part of my interview with Dickinson Wright attorney Sara Jodka, we start a discussion of how the EU General Data Protection Regulation (GDPR) treats employee data. Surprisingly, this turns out to be a tricky area of the new law. I can sum up my talk with her, which is based heavily on Jodka’s very readable legal article on this overlooked topic, as follows: darnit, employees are people too! It may come as…
Compliance & Regulation

Canada’s PIPEDA Breach Notification Regulations Are Finalized!

While the US — post-Target, post-Sony, post-OPM, post-Equifax — still doesn’t have a national data security law, things are different north of the border. Canada, like the rest of the word, has a broad consumer data security and privacy law, which is known as the Personal Information Protection and Electronic Documents Act (PIPEDA). For nitpickers, there are also overriding data laws at the provincial level — Alberta and British Columbia’s PIPA — that effectively mirror…
Data Security

[Podcast] Varonis CFO & COO Guy Melamed: Preventing Data Breaches and ...

Recently, the SEC issued guidance on cybersecurity disclosures, requesting public companies to report data security risk and incidents that have a “material impact” for which reasonable investors would want to know about. How does the latest guidance impact a CFO’s responsibility in preventing data breaches?  Luckily, I was able to speak with Varonis’ CFO and COO Guy Melamed on his perspective. In part one of my interview with Guy, we discuss the role a CFO has in preventing insider threats…
Data Security

Is Your Company Prepared for a Cyber Attack?

In December of 2016, a researcher approached credit card reporting agency Equifax with a simple message: Your website is vulnerable to a cyber attack. The company did nothing to patch the flaw. They were breached six months later, in May of 2017, with hackers stealing the sensitive data of 145.5 million Americans. It’s an extreme example of an all-too-common business failing: that of cybersecurity preparedness. As hacks continue to proliferate the news cycle, targeting both…
Data Security
Are insiders compromising your security

Is Your Biggest Security Threat Already Inside Your Organization?

The person in the cubicle next to you could be your company’s biggest security threat. The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains. We focus in outsider threats because they’re both terrifying and…
Data Security
fsmo roles hero

5 FSMO Roles in Active Directory

Active Directory (AD) has been the de facto standard for enterprise domain authentication services ever since it first appeared in late 1999 (in Windows Server 2000). There have been several enhancements and updates since then to make it the stable and secure authentication system in use today. In its infancy, AD had some rather glaring flaws. If you had multiple Domain Controllers (DC) in your domain, they would fight over which DC gets to make…
Data Security

[Podcast] Dr. Wolter Pieters on Information Ethics, Part Two

In part two of my interview with Delft University of Technology’s assistant professor of cyber risk, Dr. Wolter Pieters, we continue our discussion on transparency versus secrecy in security. We also cover ways organizations can present themselves as trustworthy. How? Be very clear about managing expectations. Declare your principles so that end users can trust that you’ll be executing by the principles you advocate. Lastly, have a plan for know what to do when something…
Compliance & Regulation

Another GDPR Gotcha: HR and Employee Data

Have I mentioned recently that if you’re following the usual data security standards (NIST, CIS Critical Security Controls, PCI DSS, ISO 27001) or common sense infosec principles (PbD), you shouldn’t have to expend much effort to comply with the General Data Protection Regulation (GDPR)? I still stand by this claim. Sure there are some GDPR requirements, such as the 72-hour breach notification, which will require special technology sauce. There’s also plenty of fine print that…
Data Security, IT Pros

Verizon 2018 DBIR: Phishing, Stolen Passwords, and Other Cheap Tricks

Like the rest of the IT security world last week, I had to stop everything I was doing to delve into the latest Verizon Data Breach Investigations Report. I spent some quality time with the 2018 DBIR (after drinking a few espresso), and I can sum it all up in one short paragraph. Last year, companies faced financially driven hackers and insiders, who use malware, stolen credentials, or phishing as attack vectors. They get in…
Compliance & Regulation
hipaa security rule

HIPAA Security Rule Explained

The HIPAA Journal estimates that a large data breach ( > 50k records) can cost the organization around $6 million – and that’s before the Office of Civil Rights (OCR) drops their own hammer. Over the last few years, we’ve seen more reports of breaches, an increase of HIPAA investigations, and higher fines across the board – all stemming from violations of the HIPAA security rule. What is The HIPAA Security Rule? The HIPAA Security…
Compliance & Regulation
hipaa privacy rule hero

HIPAA Privacy Rule Explained

It’s an unfortunate (but inevitable) fact of life: Laptops get stolen, and the consequences can be devastating. If those laptops have electronic protected health information (ePHI) on them, they fall under HIPAA regulations and the theft must be reported. Even if the thief doesn’t look at the data, the company can’t prove it: everyone should take precautions to protect themselves against not just fallout from lost data, but from the potential fines that can accrue:…
Compliance & Regulation

SHIELD Act Will Update New York State’s Breach Notification Law

Those of you who have waded through our posts on US state breach notification laws know that there are few very states with rules that reflect our current tech realities. By this I mean there are only a handful that consider personally identifiable information (PII) to include internet-era identifiers, such as email addresses and passwords. And even fewer that would require a notification to state regulators when a ransomware attack occur. Access Alone, or Access…