Aujas US

An IDG Ventures Company

Data-Breach Risk Is Not Only from Insider Threats

Data Breach Risk

Consider the threats and risks involved when you share data outside your company.

There’s a very large push within the last few years for many organizations to spend their data protection efforts mainly on the “Insider Threat” – the employee or temp with access who decides to misuse or abuse those privileges. While this needs to be addressed; it is possible that some of us may be losing sight of what may be happening on the outside.

The question to consider is: “What about the critical data assets businesses willingly send out to external organizations?”

Delivering data to external parties is, after all, a necessary part of doing business. A bank, for instance, needs to share information with auditors, regulators, suppliers, vendors, and partners. Sharing data is quite a risky activity, with an elevated probability of data loss, and can potentially have a huge negative impact on a firm’s reputation, when not properly controlled.

Here’s what you need to consider when you share data outside your company:

  • Threats

–    What or who is placing the data at risk?

–    The data, as it flows externally from your firms’ environment, is subject to many threats ranging from man-in-the-middle attacks while in transit, to social engineering hacks while stored at the 3rd party’s network.

  • Risks

–    The threats mentioned above create serious risks around a firm’s critical data assets. One is the obvious loss or breach of confidentiality or data. If your firm doesn’t have the proper data transmission controls, such as TLS, SSL or sFTP, the man-in-the-middle threat can successfully materialize the risk of data loss.

–    Such loss can then compound the risks and impact to an organization or entity, via such things as revenue loss, negative reputation, remediation cost, customer notification expense, and loss of client trust.

  • Security Controls

–    The set of controls to consider for countering threats and mitigating risks are not only those pertaining to electronic data protection, such as software/hardware encryption.

–    Think beyond technology – to Social, Governance, Operational and Process controls, to protect against such things as Social Engineering and to ensure other factors are in place including Password Policy, User-Access/Entitlements processes and Data-Security Awareness activities.

The bottom line is that once your firm’s information leaves its own environment, most of the controls you had no longer apply. Your firm’s data is now sitting on a third party’s infrastructure, and is now dependent on their data security controls and processes. This isn’t just about whether the data is being encrypted in transit to the third party, but very much about how that data is safeguarded all throughout its lifecycle. Here are some relevant questions to ask:

  • Have the proper Confidentiality or Non-Disclosure agreements been executed with the third party receiving the data from your firm?
  • Who and how many people will have access to your data while sitting out at a third party?
  • Do you know the third party’s process for giving only the limited and necessary group of people in their environment access to your data? What about the access rights to people outside their organization (such as their partners or vendors)?
    • How are the servers and firewalls at the third party configured to adequately protect your data while in their environment?
    • Does the party receiving the data have the technology and processes in place to respond to and sufficiently investigate a data-loss incident?

These are only a handful of many questions to ask before sharing sensitive information. You also need to take into account various perspectives including technological, operational and process controls.

As an example, a bank business manager decides one day to send the firm’s tax data to their CPA via plaintext email, instead of the approved sFTP or PGP encrypted email transmissions. The email is intercepted at the CPA’s ISP mail server. A rogue administrator at the ISP sees the email with critical valuable data and uses it to tap into the bank’s equity funds to steal $1.2 million.

Per the Open Security Foundation’s DataLossDB (http://datalossdb.org/statistics ) data loss statistics for YTD 2011:

“…a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis, mostly all speculative as little data exists to establish one cause as dominant. The trend is, however, concerning.”

In the end this supports the fact that the riskiest environment for data is one that is not controlled by the enterprise owning that data. Though an insider with the access and intent can cause havoc with data on the inside, the enterprise should be able to implement the proper technical, process and operational/people controls to safeguard its own data. It is when the data leaves that environment where we’re truly no longer in control. That’s when the proper audits, interrogations and testing will assist as much possible.

Concerned about the external risks your company is facing? Let Aujas help. Contact Karl Kispert, Aujas VP of Business Development, at karl.kispert@aujas.com.

Advertisements

April 1, 2011 Posted by | Cyber Crime, Data governance, Data Leak Prevention, Data protection, IT security, Risk management | , , , , , | 1 Comment

Data Protection and Controls – Does Format Really Matter?

Identity and Access RiskNo one can argue that the most valuable asset for any enterprise, regardless of industry (whether military, finance, healthcare) is its Data. Whether that data includes an investment strategy/portfolio, personal identity, healthcare history or national security, it must be safeguarded and controlled.

We’re all familiar with the data lifecycle and related security controls, including storage transfer encryption and effective destruction. But do we also consider the format of the data? Data lives in many forms outside of the regular electronic email, Internet, PC, server or mainframe types that we normally work with. Unfortunately, some of our biggest vulnerabilities live in many other forms.

Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger’s laptop (with the curious snooper watching over) are other forms of sensitive data. The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page. Let’s take a look at an unfortunate use-case to bring this all into context.

Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors. His area of focus was his firm’s strategy on the proprietary development of a database-software that would revolutionize the storage and sharing of information with clients. Henry’s developments were ahead of all others in the enterprise and possibly the industry. What wasn’t being thought about was how valuable the information being prepared could be to competitors or thieves for profit.

It was late Sunday night and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive. At one point Henry’s copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn’t panicking – he knew there was plenty of time and his current set of copies were safe. After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn’t aware of was the 5 copies he’d left at the malfunctioning printer. Though a good multi-tasker, Henry was exhausted, yet practically livid with the thought of next day’s presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.

He got home with all the paperwork in his backpack and passed out. The next day at the presentation all went well, the crowd loved it and Henry was on top of the world. There’d been a slight mishap though, since there weren’t enough hard copies to go around for everyone at the meet. That was weird – he was sure he’d made enough. Everything had gone well, except for those 5 mysteriously missing copies of the presentation. What then seemed to be a small loss, within the next few days landed Henry and his firm on the front page of the paper.  The headline read “Leading Financial Firm’s Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he’d hoped for. Turns out that whoever got a hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized; the fall-out including Henry’s suspension and investigation, a full 10 point drop in his firm’s stock price and a long-term negative reputational impact for his firm.

Data in any format is an extremely critical asset and liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise. Proper due diligence and controls for the entire lifecycle of the data; be it either encryption while in storage or transit for electronic material, or locks/safes for storage and shredding for destruction of hardcopy material.

Had Henry only given a bit of thought to these things as a top priority, reputations and careers may have been saved (and likely excelled astoundingly). Instead everyone had to run for cover, hope to not get hit by the shattering fallout, and hope to keep their shirts on their backs.

Need help with your company’s data protection programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 Posted by | Data protection, IT security | , , , , | Leave a comment

Data Governance – What We Need to Think About

These are some risk areas that you might want to think about when discussing Data Governance with your team: 

1. Disparate sources of data across the organization’s applications, producing incomplete and incorrect production data used in key decision making processes for capital investment. (Accuracy)

2. Trading ledger for risk management review is typically delayed because of multiple data feeds, the availability of which is impeded by network speed due to file size in two custom applications. (Availability)

3. Inability to solve data quality issues in the sales division because data is spread across multiple systems and owners, resulting in a blame game. (Agility)  

4. Customer service representatives are not presented a single view of a customer account, and have to use multiple programs to achieve unified profile presentation, requiring more time to solve issues, and increased call center costs. (Access)

A Data Governance Methodology That Works

Building Blocks for Success

Analyze

* Perform data governance readiness assessment

* Define guiding principles

* Identify decision making bodies

Design

* Determine focus of data governance program (security/privacy, data quality, architecture, etc.)

* Design data governance program (standards, policies, strategy)

* Determine cross functional teams and data stewards

* Define decision areas and decision rights

Transform

* Conduct employee training and awareness

* Enact data governance program

* Deploy data governance mechanisms and tools

Sustain

* Monitor and adjust key performance metrics

* Ensure accountability and ownership through periodic review

Need help with your company’s data governance programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 Posted by | Data governance, IT security | , , , | Leave a comment

Cloud Computing – Security Threats and More…

Privacy and security in the CloudCompanies that struggle to maintain their IT infrastructure often look to cloud computing to provide a significant cost savings. However, you must look into the clouds and understand what risks are swirling around when it comes to storing your data.

In a recent survey by CIO Research, respondents rated their greatest concerns about cloud adoption. Security was their top concern, with loss of control over data number two:

  • Security  45%
  • Loss of control over data  26%
  • Integrations with existing systems 26%
  • Availability concerns 25%
  • Performance issues 24%
  • IT governance issues 19%
  • Regulatory/compliance concerns 19%
  • Dissatisfaction with vendor 12%
  • Ability to bring systems back in 11%
  • Lack of customization opportunities 11%
  • Measuring ROI 11%
  • Not sure 7%

Is there security in the cloud?
Security is often an afterthought for cloud service providers. It isn’t built into their applications and is often added as a plug-in. What’s more, if a cloud storage system crashes, millions and millions pieces of information can be lost, often in spite of backup procedures.  In contrast, when we are in the thick client world, the information that is lost can be more easily tracked by the number of PCs or notebooks affected or stolen.

How different should security be in the cloud world?
Business technologies may change, but security fundamentals and lessons learned are still applicable. Some areas to consider for the cloud:

Physical security is a must for any strong security program. The data centre should have a high level of physical security. If sensitive data is being stored, consider deploying biometrics, surveillance camera monitored by professionals, and very stringent policies for physical access to the system.

Authentication is crucial, whether cloud or corporate individual network authentication will remain the same. Given the processing power of the cloud, you may choose to implement two-factor authentication, one-time passwords or other authentication tools. In spite of a highly secured processing environment, a weak password has the potential to ruin other safeguards. Maintaining password standards is a must.

Access rights are critical for all the objects inside the cloud. This part of the security will not change in the user’s point of view. There are some levels of changes required to manage multiple corporate accesses inside the single cloud service provider’s organization.

Strong firewalls are another integral part of today’s security. Even in the cloud, the same rule applies: cloud clients should secure their own networks. The only advantage is they have less information to be secured within their network. The cloud service provider should secure their network with firewalls.

Data integrity is one of the key aspects in security. Today for example, it’s hard for every notebook to implement a cryptographic checksum or hash. But in cloud service this could become commonplace.

Security threats in the cloud

Security threats can come in all forms; let’s consider some of them here.  In the cloud-based service, the provider decides where your data is stored and how your data is accessed. If your provider offers virtual boxes, a mischievous user can gain control over a virtual box, attack your data and exploit it. Another security threat in cloud computing is the attack on the perimeter of the cloud. This may be a simple ping sweep to DoS. A cloud service provider must ensure the data of each company is properly isolated and partitioned, if not, data leakage can be expected.

Another important factor that has to be addressed in the cloud world is the privileges of the power user. How do we handle the administrators and data access? The administrator’s rights are not part of the customer anymore; it is part of the cloud service provider. There should be clear transparency and access records to prevent any misuse by an administrator.

Implementing security in the cloud environment is different than what we are used to in a traditional environment.  However, remembering the fundamentals of information risk management and lessons learned along with an understanding of cloud provider risks, may help you to weather the storms looming in a dark Cloud.

Why should the cloud customer implement security?

Though the cloud promises high security, it’s essential for the cloud customer to implement their own security and maintain standards. An unsecured customer network will attract hackers and is an easy entrance to the cloud.

Data transfer between the cloud service provider and customer should be on a secured connection and the customer should take necessary steps to secure his network from attacks such as the Man in the Middle (MITM).

The applications hosted on the customer network should also be secured. Customers using the cloud to deploy applications should ensure that their software is secured. Unsecured applications can be dangerous for both the cloud service provider and customer.

Cloud security can help a little if there is a vulnerable system unmaintained or not patched.

Virus attacks are not going to change in-spite of moving your data into the cloud.

How can you do business securely over the cloud?

Before you decide to buy a cloud service, go security shopping. We always bargain based on price, but that is not enough here. You need to bargain for security rights, transparency and privacy.

The legal agreement is the first level of security that you will always require, no matter where you do business. A well prepared agreement can provide all the legal benefits over your data in the cloud. Make sure to include the ownership of the following:

  • Data
  • Data backups
  • Log files

Your day-to-day business runs with the help of data. It’s essential that the cloud service provider shows transparency in his data centre location, physical security, containment measures, and time taken to recover in case of any catastrophe.

End-to-end encryption is must in cloud computing to ensure the security of data transfer. The customer should require this capability from the provider.

Authentication and proper access rights must also be secured. Given that you can access the applications in cloud from anywhere, it’s essential to block the entire user account for former employees. This has to be an integral part of the customer’s HR policies.

Patch management is also very important. Though cloud acts like a versionless world, it is essential that the service provider either informs you about the patches required to access his network or provide automatic patch management. If you use third party clients to access the customer application, you should ensure that these clients are up-to-date with security-related patches.

You should also require log analysis reports, user accounts and privileges reports, uptime/downtime reports, and penetration test/vulnerability assessment reports from the service provider on a regular basis. To ensure more transparency, require that these reports be provided by a third party security company. You should also demand real time security alerts from the service provider.

The last level of security that is often exploited is the application security. How secure is the cloud service provider’s application? There is no real way of knowing it. There are third party security companies and tools available to certify application security. This should be done on a routine rather than a one-off basis.

Social engineering is another threat that has to be addressed. It is essential for the cloud service provider and customer to be aware of such threats and educate their employees.

Phishing attack will also target the cloud consumers. Strong phishing filters should be deployed.

You will also want to involve third party security companies as partners to verify the cloud service provider’s security policies and verify his reports.

Summary

Security should be built as an integral part of the cloud. This is a must for the cloud service provider to gain trust from their customers. Gaining customer trust is the key to winning the cloud service game. Security is an ongoing measure to protect and deal with everyday threats. No matter where you do business you should secure yourself with the best practices.

February 23, 2011 Posted by | Cloud Security, Data Losss Prevention, IT security | , , , | Leave a comment

Right to Internet Use

social networkingThe United Nations advocates making “Right to Internet Access” a human right, one which countries such as Estonia, France, Finland, Greece and Spain have already implemented. This got me thinking about how we would look at “Right to Internet Use”, e.g., social networking.

We all know the power of social networking, its adaption and growth. According to Facebook, more than 500 million users spend over 700 billion minutes per month on the site. However, not many of us could have imagined its impact on reshaping the political landscape of countries. Perhaps the most talked about example is that of a 26-year-old woman, worried about the state of her country, who wrote on Facebook, “People, I am going to Tahrir Square”. The message soon snowballed into a movement to oust Egyptian President Hosni Mubarak. As another example, China’s reaction to what is called the “Jasmine Revolution” was swift, with filtering and monitoring on popular social media websites and services.

The buzz is about the CSM (Cloud, Social Media, Mobile) phenomenon which is reshaping the Internet world. It’s already established that social networking has overtaken search as the primary reason for users to access the Internet. Facebook has more than 200 million active users who use mobile for access, and these users are twice as active as non-mobile users.

Consumerization of the Enterprise, combined with the CSM phenomenon and recent political events, make me feel that this is not just about adaption of new technologies but more about changes and impact on the history of mankind. It’s not just about using new technologies and models to provide better services at lower cost to a larger user base. It’s about a medium to communicate, participate and influence changes in the world.

One can think of several positive and negative uses of this phenomenon. If used well, it can bring about necessary changes and revolutions. But it can also be used to spread panic and lead to concepts like “social networking terrorism”.

The CSM phenomenon is too strong and important to be ignored. Would censoring of this medium be possible? Like the Internet, CSM could be considered as a human right, leading to positions on “Right to Internet Use”.

At an Enterprise level, blocking and not adopting CSM is a risk management control which is not sustainable. Users and business would not accept this posture. We need to find answers for the two main reasons why some Enterprises are staying away from adoption of CSM, which are “Confusion and Fear”.

February 23, 2011 Posted by | Cloud Security, Enterprise Security, Social networking | , , , , , , , | Leave a comment

Security Breaches Continue to Grow

Identity TheftWhat do Tulane University, South Carolina State Employee Insurance Program, National Guard Headquarters – Santa Fe NM, BlueCross/BlueShield –Michigan, Seacoast Radiology, and University of Connecticut -HuskyDirect.com have in common?  They were just a few of the companies that reported security breaches in January 2011.

Information management is critically important to all of us – as employees and consumers. For that reason, the Identity Theft Resource Center has been tracking security breaches since 2005, looking for patterns, new trends and any information that may better help us protect data and assist companies in their activities.

In prior issues of Risky Business, I posted this brief article and supporting statistics about security breaches.  I was curious to see how the data changed.  You can see for yourself below in the last line.

The following data was collected from Identity Theft Resource Center® website idtheftcenter.org and refers to the number of total data breaches that were reported with an estimate of how many records were exposed:

2005 Breach List: Breaches: 157 Exposed: 66,853,201
2006 Breach List: Breaches: 321 Exposed: 19,137,844
2007 Breach List: Breaches: 446 Exposed: 127,717,024
2008 Breach List: Breaches: 656 Exposed: 35,691,255
2009 Breach List: Breaches: 498 Exposed: 222,477,043

2010 Breach List: Breaches: 662 Exposed: 16,167,542

You must understand that the majority of the reported breaches do not reveal the actual number of exposed records so therefore the number is MUCH larger than what is listed here.

Your call to action is to ensure your Information Risk Management Program is as secure as you think it is and as secure as your stakeholders, customers, Board of Director’s believe it to be.  Aujas is helping organizations manage risk and enhance information value with practical, innovative solutions!

January 31, 2011 Posted by | Data Losss Prevention, Identity Theft, IT security | , , | Leave a comment

Effective Data Protection Requires More than Technology

Data protectionMore companies are finding that despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware technologies and most organizations implement it as a standard desktop endpoint and gateway security. The technology works using a combination of document ‘fingerprinting’, key words, and policies defined around what is allowed and what is not. The technology has matured to support endpoints and email data leakage risks as well as social networking risks. However, even with a mature technology and rigorous implementation, organizations often can find their data protection is ineffective.  

IT departments are able to quickly implement a data protection technology, but struggle with effectiveness. They are unable to bridge the gap between implementation and effectiveness, and end up with large numbers of data leakage ‘incidents’, which usually turn out to be false positives.  In many cases, organizations end up operating DLP tools in ‘audit only’ mode which completely defeats the tools’ purpose. 

This gap is usually due to the approach taken to data protection and not to the organization itself. Most organizations identify data protection as a risk and IT/IS department choose a vendor for implementation. The vendor usually ‘scans’ the file stores for ‘important’ files and policies are created to safeguard those files deemed important. While this approach seems simple enough, it is the root of the problem. IT organizations are basing policies on their own interpretation, rather than on what is important or appropriate for the business. 

Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming the data leakage.  Another challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.  

 The first step is a data classification policy that clearly establishes how to classify data within the organization; the users should be made aware of how the classification policy applies. Next, the data flow within business processes should be understood to identify the type and nature of data, its classification and authorized data movement of ‘important’ data across organizational boundaries. Also, the important files, templates and data base structures that were identified during this exercise should be ‘fingerprinted’. The policies should then be configured and applied based on the authorized movement of data.

 Taking these two steps will help improve data protection technology effectiveness because it incorporates business rules for data. However, it still is a point-in-time exercise that does not address the fluid business data environment. To sustain the data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization. If a data governance framework does not exist, a similar structure can be created. An additional benefit of this approach is close integration with data governance when such a framework is actually created. 

The governance function should be responsible at a high level for both the strategic and operational management of data protection. At a strategic level, the function should look at how data flows and is managed and its impact on data protection technology employed.  At an operational level, the function should look at how data protection incidents are managed, false positives reduced, user awareness on classification and protection improved.  Many organizations also employ active data protection with the use of data/digital/information rights management tools which require users to ‘protect’ based on allowed rights, time limits and expiry dates. Though the above approach remains the same for these technologies too, organizations have to spend more efforts on user awareness as their cooperation defines the success or failure of the technology. 

Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.

January 24, 2011 Posted by | Data Leak Prevention, Data Losss Prevention, Risk management | , , | Leave a comment

What Is Needed for Data Protection?

Data protectionA more holistic approach is needed for protecting data that goes beyond individual tools and addresses data at its source: the business. The principles of data governance, data classification and the DLP tool need to work as one solution to effectively protect data in an organization.

Approach

  • Develop a strategy – Start by developing an organization-wide data protection strategy
  • Set up a data classification policy and a program – Individual business processes should identify and document all forms of data, its classification and its authorized movement.
  • Create a governance program – Establish accountability, roles and responsibilities for data protection and data ownership.
  • Create and ensure awareness and training for business users – To ensure that the data protection remains a strong focus within the organization, management should ensure users are made aware of their roles and responsibilities around data protection.

The Aujas Data Protection Service helps organizations extract maximum value from their investment in security technology and solutions. We build the governance framework, data protection strategy and data protection program. Then we assist organizations with data flow analysis to identify data movement within and between processes, the forms data takes, and user awareness levels. Our data flow analysis results in effective DLP policies while the governance framework and strategy translates into continuous data protection for the organization.

To learn more about the Aujas Data Protection Service, and our complete portfolio of services, please contact Karl Kispert, our VP of Sales at karl.kispert@aujas.com or at 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, Enterprise Security, IT security, Risk management | , , , | 1 Comment

5 Hot Topics in Information Security for 2011

Hot topics in information securityAccording to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind.  Some technology companies have a need to be the first on the street with a new application and are bypassing Security Development Lifecycle (SDL) protocol. They are thinking about security after the application is released and, sadly, are finding that they are spending more money to fix the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

 Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line.  Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service. 

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

 Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop a strong internal and external security programs to protect it.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals.  Though the incidents of phishing were down in the second half of 2010, the attacks continue to get more and more sophisticated. 

 Tip: Perform a phishing diagnostic so that you are aware of the threat, specifically who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

January 24, 2011 Posted by | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering | , , , , , , | Leave a comment

Aujas and RSA 2011 – Come by Our Booth

Visit Aujas at RSA

Aujas is exhibiting at the upcoming RSA Conference on February 14 – 18, 2011 in San Francisco. This is an opportunity for Aujas to expand its knowledge and increase its network of industry peers and influencers. 

Please stop by booth number 343 to say hello and discuss Information Risk Management topics with Aujas co-founder Sameer Shelke and Vice President of Sales Karl Kispert.

January 24, 2011 Posted by | Enterprise Security, IT security, Risk management | , | Leave a comment