Proofpoint: Security, Compliance and the Cloud


April 14, 2011

Video: Password Security Tips from Proofpoint Customer Tony Hildesheim, Redwood Credit Union

Recently, Proofpoint customer Redwood Credit Union was kind enough to host me at their headquarters in sunny Santa Rosa, California, where Senior Vice President of IT, Tony Hildesheim took time out of his busy schedule to talk with me about how his organization uses Proofpoint to keep both employees and credit union members secure.

As part of that interview, Tony talked about some of the most serious threats that he sees to his members' security. In this excerpt, Tony gave some terrific advice about one of the most important things that web users can do to protect their safety: Use best practices for passwords.

Check out this short video and feel free to share it with your friends, staff, users, etc.

In this short video, Tony explains how phishing attacks (and variations like vishing and smishing) attempt to get users to give up account credentials by appealing to greed, fear and/or charity.

Using best practices for your passwords can help protect you from these attacks. Tony recommends the following: Use strong passwords (that combine alpha, numeric and special characters), change them often and always use different passwords for different accounts.

Great advice, especially in light of some of the big security breaches we've seen in 2011 (for more on this topic, see my posts State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach? and Stay Safe from Email Threats in the Wake of Epsilon Email List Breach).

I've got more video with Tony talking about how his organization uses Proofpoint, too. I'll post those to the blog shortly, but you can also go see them right now at http://www.proofpoint.com/youtube (along with many other interesting Proofpoint videos).

April 12, 2011

State of Texas Exposes Personal Information on 3.5 Million Residents - More Serious than Epsilon Breach?

Regular readers of this blog realize that inadvertent exposures of personal and/or confidential data and violations of regulations (and best practices) for data protection are far from rare (see our annual statistics about data loss, for example), but lately we've seen some huge ones.

In the wake of the recent Epsilon data breach — which exposed only email addresses — comes news of a potential data exposure at the State of Texas involving the email addresses, physical mailing addresses, Social Security Numbers and possibly dates of birth and driver's license numbers of 3.5 million residents.

Kevin Fogarty over at ITworld has a great summary in a blog post from late yesterday (see, "Texas Security Gaffe Dwarfs Epsilon Data Breach"). In short, the Texas state comptroller's office discovered that the records in question had been inadvertently placed on a publicly-accessible server — completely unencrypted — and had been there for as long as a year before being discovered.

As Fogarty notes in his post, this exposure is potentially much more serious than the Epsilon breach, since so much more personally identifiable information was exposed — potentially making those residents prime targets for identity theft, phishing attacks or other forms of fraud. He writes:

"Lost data is often, as with Epsilon, only partial - emails, street addresses or whatever.

Putting full employment and retirement records on a public server, with all the relevant data an identity thief would need to clone and reuse you, and leaving them there for a year?

Texas wins this one hands down over Epsilon. (Although, serendipitously, Epsilon is based in Irving, Texas.)"

As reported by Reuters (see "Private Records of 3.5 Million People Exposed by Texas"), Texas State Comptroller Susan Combs said that there was no indication that any of the information had yet been misused. However, all affected people are being sent letters this week, notifying them of the potential breach.

"I deeply regret the exposure of the personal information that occurred and am angry that it happened," said Combs. "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered, and was then moved to a secure location."

See my previous post on the Epsilon breach for a recap of Proofpoint's "Seven Simple Rules for Staying Safe Online."

February 24, 2011

Kids, Privacy and SSNs: Why Children are a Top Target for Identity Theft

Over at the Huffington Post this week, there have been a couple of posts about Google having collected partial Social Security Numbers of children as part of the entry requirements for the company's "Doodle-4-Google" contest. (Helpful to start with Larry Magid's post today, "Why Google Stopped Collecting the Last 4 Digits of Kids' Social Security Numbers" which is a follow-up to Bob Bowdon's article, "Why Has Google Been Collecting Kids' Social Security Numbers Under the Guise of an Art Contest?").

As Bob Bowdon pointed out, collecting even partial SSNs can be a pretty big data security and privacy issue since the complete, accurate SSN can often be guessed based on other data such as the person's city and year of birth (which, apparently, Google was also requesting). See this Datamation article, "Social Security Numbers Easy to Hack", which talks about some really interesting research about predicting social security numbers from publicly-available data.

Apparently what the Google contest organizers were trying to do is use partial SSNs as a way of uniquely identifying contest entrants and "de-duplicating" duplicate/multiple entries. Yeah, probably a bad idea on several levels and I won't belabor that point.

Of course, there are many organizations that do have to collect and ensure the security of private identity, healthcare and financial information about children. Recently, I had the chance to interview Proofpoint customer Matt Johnston, who is the senior security analyst for Children's National Medical Center, a leading pediatric hospital based in the metro Washington DC area.

One of the most interesting things that he told me is that children are one of the top targets for identity theft. I hadn't really thought about this before, but it makes sense.

As Matt told me, children have new or "clean" records. They don't have established credit histories and outside of core identifiers like a social security number and birth record, there aren't many other public records associated with a child's identity. This makes that data easier to use in identity theft/fraud and, as a result, personal identity information about children fetches a premium on the black market.

So organizations like Children's National Medical Center have to take privacy protection and data security extremely seriously. As a healthcare organization, CNMC has to comply with HIPAA healthcare privacy regulations, but as Matt explained to me, they go to great lengths to protect their patients' data not just because it's required by law but because it's part of their core mission of protecting and caring for children.

Matt talks about these issues, how his organization uses Proofpoint's SaaS email security and email encryption solutions and why he chose Proofpoint (and why deploying those solutions in the cloud was the right decision for CNMC) in this short video:

My thanks once again to Matt for graciously taking the time to share his insights with us!

February 22, 2011

Email Security & Compliance for Healthcare: Customer Case Studies, HIMSS 2011 Conference

Regular Proofpoint followers and readers of this blog are familiar with the many email security and compliance concerns around private healthcare information ("PHI").

Ensuring compliance with the data security and privacy rules of HIPAA (and the more recent "HITECH" updates to the HIPAA regulation) is critical for healthcare organizations, obviously, but these rules also apply to many other organizations that also handle healthcare information.

Today's Proofpoint press release, "Demand for Proofpoint’s Security and Compliance Cloud Solutions Grows in Healthcare" highlights three healthcare industry customers who use Proofpoint's SaaS security and compliance solutions to secure inbound email, detect and protect (or encrypt) private healthcare information in outbound email and archive email to meet compliance and eDiscovery requirements.

Proofpoint is (not coincidentally) also exhibiting this week at the HIMSS 2011 conference (the leading healthcare IT conference and exhibition) in Orlando, Florida. If you're attending that event, do visit the friendly and knowledgeable staff at Proofpoint's booth (#4001) to learn more about how Proofpoint can help your organization with HIPAA/HITECH compliance and data security.

For example, our announcement today explains how Scottsdale Healthcare, a not-for-profit healthcare system based in Arizona, uses Proofpoint's SaaS solutions for anti-spam as well as for email encryption, ensuring that HIPAA-regulated healthcare information is protected in outgoing email. Scottsdale Healthcare is also the subject of a new case study (PDF format), which you can download via this link: "Case Study: Scottsdale Healthcare Relies on Proofpoint to Cure Spam and Email Encryption Challenges."

Mike Gleason, director of information services at Scottsdale Healthcare, explains, “For our organization, if any information in the body of an email or an attachment contains a social security number, a credit card number, patient identifier, or other sensitive data, it will be captured and secured. These types of data are automatically encrypted, and then forwarded on, which helps us avoid sending out emails that contain sensitive information or patient privacy data to domains outside our organization.”

Another organization, Kelsey Seybold Clinic of Houston, Texas, is moving its deployment of the Proofpoint Enterprise Protection email security solution from an on-premises deployment to Proofpoint's cloud-based (SaaS) offering.

Martin Littmann, director IT systems for Kelsey Seybold Clinic, says, “After comparing costs between different deployment types, we were convinced that moving Proofpoint’s protection solution to the cloud would save us time and money, and that our resources would no longer be stretched.”

And at Community Memorial Health System (Ventura County, California), Proofpoint's entire suite of SaaS security and compliance solutions guards against inbound threats, ensures patient privacy and archives email for 2000 mailboxes.

Explaining why his organization chose Proofpoint, Thomas Kniss, CMHS's director of clinical information systems, noted that, “Proofpoint has a very impressive list of current healthcare customers, and it was important that our vendor have experience and a successful track record of providing security solutions to healthcare organizations. Proofpoint’s knowledge and capabilities of smart identifiers and HIPAA dictionaries was a key deciding factor as well.”
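As an added illustration of the kind of outbound-email check Gleason and Kniss describe (validated "smart identifier" patterns for SSNs and card numbers, a dictionary of health-information terms, and automatic encryption of anything that would leave the organization), here is a small policy engine in Python. It is example code, not Proofpoint's product logic; the internal domain, dictionary terms and sample message are constructed.

```python
import re
from dataclasses import dataclass

# Assumption: the organization's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example-hospital.org"}

# "Smart identifier" style checks: a format rule plus a validity test, so that
# arbitrary digit runs do not trigger the policy.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
# Constructed stand-in for a HIPAA dictionary: phrases that mark health information.
PHI_TERMS = ("medical record number", "diagnosis", "patient id")

# Constructed sample of an outbound message body, as the gateway would see it.
SAMPLE_BODY = "Patient ID 7733, SSN 123-45-6789, card 4111 1111 1111 1111 on file."


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: real card numbers pass, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so a finding can be logged without leaking it."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str       # "ssn", "card" or "phi_term"
    location: str   # "body" or "attachment:<name>"
    masked: str     # masked value or the matched dictionary term


def scan_text(text: str, location: str) -> list:
    """Return every sensitive-data finding in one piece of text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", location, mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding("card", location, mask(digits)))
    lowered = text.lower()
    for term in PHI_TERMS:
        if term in lowered:
            findings.append(Finding("phi_term", location, term))
    return findings


def classify_message(recipients: list, body: str, attachments: dict) -> tuple:
    """Return (action, findings); action is "encrypt" only when sensitive data
    was found AND at least one recipient is outside the organization."""
    findings = scan_text(body, "body")
    # Assumption: attachment text has already been extracted by an earlier stage.
    for name, text in attachments.items():
        findings.extend(scan_text(text, "attachment:" + name))
    leaves_org = any(r.split("@")[-1].lower() not in INTERNAL_DOMAINS
                     for r in recipients)
    if findings and leaves_org:
        return "encrypt", findings
    return "deliver", findings


if __name__ == "__main__":
    action, found = classify_message(["records@partner.example"], SAMPLE_BODY, {})
    print(action, [(f.kind, f.location, f.masked) for f in found])
```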

Another good resource for healthcare organizations is the Proofpoint whitepaper, HIPAA and Beyond: An Update on Healthcare Security Regulations for Email (click the link to register).

February 16, 2011

Live Webinar: Social Media Risks in the Enterprise - Mitigating Data Loss, Compliance and Discovery Dangers

Our live web seminar series continues on Wednesday, March 9th at 11 AM Pacific Time, 2 PM Eastern Time, with "Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers."

We post about social media risks, policies and trends fairly regularly here (see the social media category), and our annual research on data loss issues shows that social media channels (including Facebook, LinkedIn, Twitter and other sites) are increasingly the source of data breaches (see this post for a video overview of our 2010 findings).

In response, about half of organizations simply prohibit access to popular social media sites. But over the long term, that approach will be less effective as social media becomes more and more ingrained into how companies do business. So our feeling is that companies need to address social media risks in the same way that most of them address email security risks—via a combination of policy and technology.

In addition to data loss and compliance issues, one very new area of concern is the archiving, retention and discovery of social media content. In many cases, social media communications such as corporate tweets, Facebook posts/messages, etc. can be considered business records and could be subject to the same sorts of discovery rules as corporate emails. (See this recent CIO article for an interesting overview and introduction to this topic, "Why Your Records Retention Policy Should Include Social Media").

Our upcoming webinar will have both Robert Cruz, our director of eDiscovery solutions, and Rami Habal, our director of product management and expert on all things DLP, on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

January 13, 2011

Top Ten Privacy Predictions 2011: Follow-up and Links from Yesterday's Live Web Seminar

Thanks to the hundreds of you that tuned in for our first live web seminar of the new year, "2011 Predictions: Top 10 Privacy Issues" where co-presenter Ken Liao and I looked into the crystal ball to expose the cultural, policy, technology and regulatory trends that will dominate privacy discussions this year! My thanks especially for all of the great questions and feedback on the seminar.

If you missed it, or if you'd like to refer back to the web seminar, it's now available as a replay. For those of you who registered for the live event, a direct link to the replay file has been sent to you via email, as usual.

In our presentation, Ken and I shared quite a few links to various privacy-related resources that I promised to share with you here as clickable links, so here they are, by prediction:

Intro: Why Privacy Matters Today

Privacyrights.org's running list of data breaches can be found here:
http://www.privacyrights.org/data-breach

Proofpoint's 2010 research on data loss events was referenced multiple times during the presentation. You can download a copy of our full report, Outbound Email and Data Loss Prevention in Today's Enterprise, 2010 here:
http://www.proofpoint.com/outbound

Prediction 1: Mobility & Location-based Info Becomes a Major Concern

We had a little extra comedy in yesterday's webinar as our slide on this first prediction had mysteriously disappeared. Click the image at left to see the slide we had intended to display!

Predictions 2-4: At Least One Major Social Media Site Will Experience a Serious Breach, Evolution of Social Media Policies, More Organizations will Formalize Acceptable Use Policies

The data/charts in these slides on social media data loss events, social media/web services that large organizations prohibit access to, and acceptable use policy adoption are all from the aforementioned Proofpoint research at http://www.proofpoint.com/outbound.

Prediction 5: Blended Threats Will Continue to Increase

For more on the VBMania outbreak and other recent blended threats, see my blog post about "Blended Threats Old and New." On the topic of spam's holiday vacation and subsequent return, see "Spam Volume Makes a Comeback After Holiday Hiatus."

Prediction 6: New, Stricter Privacy Regulations Will be Adopted Worldwide

Not mentioned in the slide, but here's a good article explaining the European reactions to privacy implications of Google Street View.

Prediction 7: Expect a US National Data Breach Notification Law

Here's the link to the Federal Trade Commission's report on Protecting Consumer Privacy. And here's information on the new White House "Enhancing Online Trust and Privacy" initiative.

Prediction 8: At Least One Enforcement Action Under Massachusetts 201 CMR 17

Links for the State of Massachusetts FAQ on 201 CMR 17, and an interesting ThreatPost article about a possible 201 CMR 17 test case in 2011.

Prediction 9: More Organizations Will Encrypt More Data

Find more product information about Proofpoint Encryption here. Also, http://www.proofpoint.com/outbound is referenced again (data on adoption of data loss prevention technologies).

Prediction 10: Increased Adoption of Secure/Managed File Transfer

The statistic about the level of concern around FTP as a source of data loss risk is, once again, from http://www.proofpoint.com/outbound. And visit this link for information on the Proofpoint Secure File Transfer solution.

Q&A Session

In my comments, I mentioned the recent email breach of personal information of all GSA personnel.

Thanks again to everyone who joined us for this web seminar. If you missed it and would like to see the replay, please visit:

http://www.proofpoint.com/id/top10privacy/index.php?id=6

December 22, 2010

Put Social Media Policies on Your List of New Year's Security and Privacy Resolutions

Over at Baseline magazine this week, writer Nick Wreden has a good article on "Social Media Policy Development," summarizing that organizations need to develop firmly written, clearly communicated policies around all types of electronic communications, including those conducted via social media channels.

This is still a sometimes-overlooked area of policy development and, if your organization hasn't yet communicated specific policies around keeping confidential (or regulated) information secure over social media channels, I'd suggest you put this on your "to do" list for the new year.

Nick quotes our oft-cited statistics about data loss and social media in large enterprises, noting that our 2009 research found that "34 percent reported that a loss of sensitive information had affected business. The same study found that 13 percent had investigated troublesome Twitter usage, and 15 percent had disciplined employees for unauthorized posting of videos on YouTube and similar sites."

Note that these numbers increased in 2010 (and you can get a copy of our latest report, "Outbound Email and Data Loss Prevention in Today's Enterprise, 2010" at http://www.proofpoint.com/outbound). Our report also shows that, while acceptable use policies for email are almost universally adopted, there are still a substantial number of organizations that do not yet have formal policies in place around the use of social media sites (including blogs, message boards, social networks, short message services like Twitter and media sharing sites like YouTube).

As I always suggest when considering acceptable use policies for email, when creating these sorts of policies for social media, I'd encourage organizations to focus on the data loss and compliance risks associated with social media sites, not just the "time wasted" aspects of same.

Keep in mind that the cost of a single low-performing employee (who, for example, spends too much time at work engaged in non-work-related social media) is completely bounded by that employee's salary (and such problems are fairly easily addressed). However, a single data loss/breach incident can cost hundreds of thousands or even millions of dollars in remediation costs, potential fines, brand damage and lost business.

The article over at Baseline has some other good suggestions around social media policy development and some real-world examples of what enterprises such as EMC, Xerox and Mel-O-Cream are doing to address the risks associated with social media.

Note also that I'll be touching on this topic a bit in our next live web seminar (January 12th), "Top 10 Privacy Issues for 2011." Do join me! You can register here: http://www.proofpoint.com/id/top10privacy/index.php

December 17, 2010

Taking a Deep Breath: Analyst Rich Mogull Puts Recent Security Breaches in Perspective

Analyst Rich Mogull (follow him on Twitter as @rmogull) of Securosis has an interesting byline in DarkReading's "Hacked Off" blog today, commenting on several of the latest info security incidents including Wikileaks exposures, McDonalds mailing list exposure, Gawker password theft, "cyberwar" and a lot more.

Check out Rich's post, "Take a Deep Breath: In the midst of the recent surge of security hype and angst, a dose of perspective"

The net-net of Rich's argument is that "security isn't failing." Yes, there have been some high-profile IT security incidents lately, and security as a concept and concern is getting a huge amount of exposure in both business and popular media lately, but the sky's not falling (which one might think, if one read every article that's been published lately involving security risks).

I especially agree with his points about eliminating incidents like WikiLeaks... "Yes, the DoD made Bradley Manning's crime easier than it should have been due to some lax controls, but even with the best security in place leaks like this will happen."

Of course, this doesn't argue against deploying data loss prevention and related technology—the vast majority of breaches could be described as non-malicious, inadvertent or the result of careless but well-intentioned actions (see for example, this email-related breach of healthcare information at Connecticut's Department of Public Health, which should have been blocked by a gateway DLP solution)—but reminds us that improving IT security involves policy, technology and human factors.

Rather than cribbing Rich's entire article, I encourage you to read it here.


December 14, 2010

Email Privacy Protected by Fourth Amendment, Says US Sixth Circuit Court of Appeals


The EFF (Electronic Frontier Foundation) claimed a victory today as the US Sixth Circuit Court of Appeals ruled on the so-called Warshak case (United States of America versus Steven Warshak, Harriet Warshak and TCI Media, Inc.) finding in essence that the government must have a search warrant before it can seize and search email messages stored by email service providers.

The court ruled that, in the absence of a search warrant, email users have a reasonable expectation of privacy of their email messages (similar to that afforded to postal mail and telephone calls) when it comes to government/law enforcement scrutiny. The EFF's announcement excerpted this part of the court's opinion:

"Given the fundamental similarities between email and traditional forms of communication [like postal mail and telephone calls], it would defy common sense to afford emails lesser Fourth Amendment protection.... It follows that email requires strong protection under the Fourth Amendment; otherwise the Fourth Amendment would prove an ineffective guardian of private communication, an essential purpose it has long been recognized to serve.... [T]he police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call--unless they get a warrant, that is. It only stands to reason that, if government agents compel an ISP to surrender the contents of a subscriber's emails, those agents have thereby conducted a Fourth Amendment search, which necessitates compliance with the warrant requirement..."

Somewhat ironically, this ruling stems from the criminal case of Steven Warshak, founder of a company best-known for its Enzyte "male enhancement" pills, widely advertised using the "Smilin' Bob" character pictured here.

The Sixth Circuit Court's ruling doesn't vacate Warshak's conviction on 93 counts of fraud, conspiracy and money laundering, but other reports say that the finding may reduce the 25-year prison sentence he previously received.

The full text of the court's ruling contains a rather extensive summary of the fraudulent activities in which Warshak was engaged including false advertising, phony testimonials and scientific studies, etc.

Note that the court's ruling applies to government search and seizure of email. It doesn't change other expectations of privacy around email, such as the privacy of one's email sent from or through an employer's computer systems. Neither does the ruling impact the efficacy of "male enhancement" products. Caveat emptor.

December 14, 2010

Live Web Seminar: Top 10 Privacy Issues for 2011


Hard to believe another year has almost come to a close... Proofpoint's live web seminar series will kick off another terrific year of programming on Wednesday, January 12th, 2011 with:

2011 Predictions: Top 10 Privacy Issues »

I'll be making one of my occasional webinar appearances, discussing the top policy, technology and regulatory trends that will dominate privacy discussions in the coming year with our resident email security and data loss prevention expert, Ken Liao.

In addition to our top 10 privacy predictions for 2010, we'll also be sharing some actionable advice about what organizations should do today, to better protect sensitive information in the coming year.

As regular readers of this blog know, data loss risks are generally on the upswing and your customers and business partners are more concerned than ever about how you handle their private data. I'm sure this will be a lively presentation — touching on diverse topics including social media, email, encryption regulations, acceptable use policies and a lot more — and as always, we'll answer your questions during the live Q&A period.

Register here (and, as usual, all registered attendees will receive a link to the webinar replay).

I hope you'll join me... In the meantime, have a happy and safe holiday season!

©2012 Proofpoint, Inc.