What’s with all these security breaches anyways?
Like all of us, you’ve probably heard or read about a spate of major security breaches in recent weeks, in which data on millions of users was leaked to unauthorized sources. Chances are pretty good that data would include sensitive information on most everyone who reads this posting. Are cyber-criminals getting better? Is software protection less effective? Just what’s the reason? I have some thoughts, and (of course) some advice….
I have a friend who was recently let go from her job as an IT desktop pro. She has 20 years’ experience, certifications up the wazoo, and thinks outside the box. She can’t get a job. She’s too expensive.
I bring up my friend’s plight to illustrate what’s happening across the industry as a whole: paychecks are shrinking, sometimes as much as 66%. For example, a security architect with whom I’ve worked over the years was laid off in 2009 by his Fortune 500 employer of 12 years. His position is now held by a much younger, less experienced person, who does have some security certification, but apparently works at 1/3 of the salary of my friend. The company was one of the ones that was hacked in the past two weeks. In my friend’s 11 years there, they never experienced a single data breach.
The above story is repeated across the corporate world. Turns out the insurance premiums are, in most cases, the same whether one puts a 10-year certified veteran at a $110,000 annual salary vs. a 3-year relative newbie, who has basic certification, at $45,000/year. Makes good sense from a corporate bottom-line point of view, but what about the commitment to the customers’ privacy and sensitivity of their data?
Of course, there’s not a company out there that will admit to the above practice, and many will declare just the opposite. But, for a list of probable suspects, just read the headlines and note the companies. For hackers, the world is their oyster.
What to do?
- Create a strong password – At LEAST 8 characters, a combination of numbers, symbols, uppercase and lowercase letters. Avoid names and words that are easily recognizable. Change your password every 3 months.
- Don’t share your information – Sure, your local cable company offers autopay, as do most utility companies. However, if you do business with three utility companies and use autopay, that’s three sources of sensitive information that can be breached. Use your bank’s bill pay service. Most banks offer the service for free, and it keeps your data (or at least some of it) contained within the bank’s IT infrastructure, which is often tighter than most companies from a security perspective.
- If your credit card issuer offers ‘virtual’ single-use credit card numbers, use them – We pay our company bills through American Express and use such a service. Your card # is safe, and your virtual number is only good for the single transaction, which gives you double protection.
- Keep your data private – We all have a tendency to freely provide data on a variety of websites, and leave data in an unencrypted area on our hard drives. Perfect for those who REALLY want to know more about you. Password-protect the directory in which you store documents containing sensitive information, and encrypt the data. There are plenty of free, easy-to-use encryption programs available from sites such as http://www.download.com
- Use GOOD security software and keep it updated. Free or cheap anti-virus programs available for download from the web are generally inadequate for protection from today’s threats. If you must go free, stick with AVG or Kaspersky, but be aware that the free versions of these apps are somewhat crippled, and you still might get infected. The best ones I’ve found over the years are ones that you may not have heard of:
  - Kaspersky – yep, the ones who seem to advertise a lot on late-night TV. Not bad, and at around $40, a decent value. Generally in the VT100 (testing lab) top 5.
  - ESEC – Most people haven’t ever heard of this Australian company, yet for the past eight years, they’ve scored in the top 3 in VT100 testing.
  - Trend Micro – most likely many of you have heard of this Japanese company. They offer a broad array of security apps, three of which Logicomm offers in its managed security product. They no longer participate in the VT100, but still do a fantastic job protecting systems. If you’re a smaller or home-based business, go for the Titanium 2011. At between $40 and $70, it’s the closest to bulletproof that you can get without going to a managed security solution.
I also make it a point NOT to do business with companies that don’t clearly have a rock-solid security policy. If they won’t spend the money and make the commitment to safeguard my data, why on earth would I give it, or any money, to them? Hint: smaller businesses (I’m not talking the corner store here) tend to take security more seriously than some corporate manager who spends most of the workday in mindless corporate meetings…
Anybody else have some ideas on preventative security, or on other subjects touched upon in this post? I’d love to have a discussion going….
Lisa D. said,
I agree! I just read about yet ANOTHER breach at Citibank and am sooo glad I don’t do any business with them. Evidently, this latest breach affects over 12 million card holders. Isn’t anyone minding the store? It’s one of the reasons I go local when it comes to business.
Mario T. said,
Indeed…what IS with all these breaches? I was watching a Sunday morning news program and in the headlines was ANOTHER one, this one compromising even more US cardholders of a major department store. I find it a bit hard to believe that the hackers are getting THAT clever. At this rate, they’ll be running the nation’s financial systems….
Dave D. said,
It continues. On 7/14, I received a letter from Citi stating that my personal information MAY have been accessed by unauthorized third parties.
After extolling the efforts that they make (right) to protect my data, and offering me some workarounds, I get the impression that the only thing I can really do is move to a Pacific Island, change my name and appearance, and be totally disconnected from anything more wired than a flashlight…
Jim Van said,
Dave: LOL…maybe we can split the cost of a grass hut…. I gave up doing business with the large financial institutions (with the exception of Fidelity, where my retirement and a few small investments are kept) back in 2005. They were mishandling things then, and they appear, from news reports, to be even worse now.
Go local. My little credit union does a much better job at protecting my data than the megabanks, and if I travel, I use my credit card (thru them) or my debit card (also thru them). Thus far, there haven’t been any issues…. Hope the Citi breach didn’t/doesn’t hit you too hard….
Jim Van said,
Grass hut? I’m thinking more about a sailboat:) Seriously, though, I think we all need to learn to be less free with our information and to be a bit paranoid…it’s quite possibly the best defense…