Security is a pipe-dream

Security Pipe Dream for many

Security is a pipe dream: few enterprises are fully protected from events like those that have occurred in the past several months. All one has to do is look at the recent cyber attacks at Uber and Experian. In both of those cases, the CIO and/or CSO were blamed and left the organization.

Not many CIOs and CSOs feel they have 100% of their security risks covered. In a recent survey that was published in NetworkWorld:

  • 55% said that was the case
  • 40% said they hoped they had all of their security bases covered
  • 6% said that they did

With only 6% saying they had all of their bases covered, there are many opportunities for hackers and data thieves to attack the systems in place.

Now that we know that a security breach may occur, how sure are these same CIOs and CSOs that they will be able to react in time? The first step is detection that a hack or breach has occurred. In another survey by Janco Associates, we found that in midsized and large enterprises:

  • 35% had a detection solution in place and they automatically quarantined the server(s)
  • 43% had a detection solution in place but had to “manually” quarantine the server(s)
  • 23% had to “manually” put the server(s) offline when they found out they had a problem

When you put these two sets of data together, you conclude that less than 2% of enterprises are protected adequately enough to prevent a major security hack or breach from occurring.

Disaster Recovery / Business Continuity &
Security Template Bundle

ISO 27000, Sarbanes-Oxley, and HIPAA Compliant
PCI-DSS Compliant


Experts Agree You Should Update Your Plan Annually

Security is a critical concern during the recovery process

It goes without saying that every company, regardless of size, needs a concise business continuity plan in case of an emergency. If you don’t have a disaster recovery plan or haven’t updated yours recently, now is the time to take this critical step to protect your business.

At Risk e-Mail Accounts

At risk e-mail accounts are Gmail, Yahoo, and Hotmail

Security Manual Template
The Security Manual Template contains all of the procedures needed to support a world class security infrastructure. It contains BIA and Threat Assessment Tools.

According to the University of California (Berkeley) and Google, the at-risk e-mail accounts are Gmail, Yahoo, and Hotmail; users of those e-mail accounts have the highest probability of being victims of hacking attacks. The types of attacks are credential exposure, phishing, and keylogging.

Much of the exposure is due to the multitude of “unsophisticated” users who are not well trained in how to avoid those attacks. In addition, there is the exposure they face from the loss of their credentials because of inadequate security at hosting sites, from which their credentials and personal data can be extracted. The cases in point are the recent massive hacks at Yahoo and Experian.

The summary results of the study are shown in the chart “At Risk e-mail accounts” (image not reproduced). The data does NOT reflect the victims of the Yahoo and Experian attacks.




Threat and Vulnerability Tool – Best in Class according to IT Productivity Center

The purpose of a Threat Risk Assessment (TRA) is to categorize enterprise assets, examine the different “threats” that may jeopardize them, and identify and correct the most immediate and obvious security concerns.

The Threat and Vulnerability Tool received its Best in Class award concurrent with the release of Version 4.0. Janco is proud to announce it has received a Best in Class award from the IT Productivity Center. This is the third time the IT Productivity Center has issued an award to Janco for this tool.

One of the added features of version 4.0 is that it now comes not only in MS Word and PDF formats, but it also comes as an ePub (eReader) document that can easily be distributed to smartphones, tablets, and desktops.

The Tool comes with a work plan that can be used to conduct the Threat and Vulnerability Assessment as well as a definition of the components of the process including:

  • Administrative Safeguards
  • Logical Safeguards
  • Physical Safeguards

One of the additional features of this template is that it can be used as the core of an enterprise’s compliance program.

This tool is also included with the Disaster Recovery / Business Continuity Template and the Security Manual Template.

Minimize breach response cost

Minimize breach response cost with operational strategy

Policies and procedures need to be defined and in place in order to minimize breach response cost.

While the costs of a data breach can vary widely on a case-by-case basis, CIOs who understand the drivers behind the expense will be better positioned to take steps needed to protect their organization.

Here are six ways to minimize breach response cost:

  1. Eliminate data you do not need.
    You can potentially dramatically reduce your exposure by destroying records of past customers. You cannot lose data if you do not save it. In 2015 one company served 69 million customers, yet when they were breached that year, they exposed 78 million records. The extra nine million records most likely came from former customers. Each of these individuals had to be notified and offered credit monitoring, driving up costs.
  2. Do not store street addresses if there is no real business requirement.
    When a breach occurs, companies are typically required to notify affected individuals via old-fashioned, handwritten “snail mail.” But they can use alternative methods of notification, such as email or public announcement, if they do not have a valid mailing address. Physical, written notifications can cost up to $2 per person, and the cost quickly adds up. It may be worth asking twice what the business need for those customer addresses is and considering not capturing these addresses to reduce the exposure to notification requirements.
  3. Utilize logs to prove that a breach or data loss did not occur.
    One industry study shows that in 44% of incidents, public notification is not required. To avoid notification, companies must prove that, even if they were attacked, no records were improperly accessed. To do so, they use system logs. Without logs, a company may be forced to assume a breach occurred because it cannot prove otherwise.
  4. Follow PCI rules and protect credit card data.
    For breaches that involve credit card data, reimbursing card companies for fraudulent transactions can amount to a staggering cost, from $3-$30 or more per card. New chip cards are designed to reduce fraud, and early data show they are having the intended effect – MasterCard reported a 54% reduction in counterfeit card fraud costs at retailers who have switched to chip cards.
  5. Use experts who know the breach response landscape.
    Your breach response effort is not a good time to reinvent the wheel. Missteps happen fast and have serious consequences. Credit monitoring alone can cost $5 to $30 per person. Data breach specialists, such as PR consultants or data privacy lawyers, often have seen as many as hundreds of data breaches and are highly practiced at helping you craft a genuine story that keeps confusion – and costs – down.
  6. Be prepared for additional audits and compliance reviews.
    In the wake of a breach, a company may be audited and investigated by a number of regulatory agencies. While it’s not guaranteed to occur, it is likely, and there are simple steps you can take to prevent sensational fines if it does. To start, CIOs and CFOs should be strong advocates for the implementation of the security controls recommended by external auditors or by regulators themselves.

Top 10 tips to minimize wild fires

Top 10 tips

Fire season is just around the corner. With the wet winter, when the ground dries out this summer the danger to life and property will be great. These are must-follow tips.

Top 10 tips that businesses can follow to minimize the risk of wild fires around their sites and remote offices.

  1. Have a clear area of at least 100 yards around the business park.
  2. Keep lawns hydrated and maintained. Dry grass and shrubs are fuel for wildfire.
  3. Landscape with native and less-flammable plants. When landscaping, choose slow-growing, carefully placed shrubs and trees so the area can be more easily maintained.
  4. Create a ‘fire-free’ area within ten feet of the property, using non-flammable landscaping materials such as rocks, pavers and/or high-moisture content annuals and perennials.
  5. Have no tall vegetation immediately adjacent to structures.
  6. Clear leaves and other debris from gutters, eaves, porches and decks. This helps prevent embers from igniting the property.
  7. Remove dead vegetation from around the property, especially within 50 feet of the premises.
  8. Remove flammable materials from within 50 feet of the property’s foundation and outbuildings.
  9. If you have trees on your property, prune so the lowest branches are 6 to 10 feet from the ground and none overhang the structure.
  10. Don’t let debris and lawn cuttings linger. Dispose of these items quickly to reduce fuel for fire.


IT Related Fraud issues addressed by Janco

IT related fraud occurred in over 70% of companies

Malware exposure is high in many enterprises

IT related fraud and malware infections cause a number of problems. Machines become unresponsive or sluggish, resulting in users becoming frustrated and administrators spending precious time trying to find the problem.

Once an attacker is on the inside, his or her work is significantly easier since on most networks, systems on the inside are trusted. In a review of over 300 security audits, Janco has found a list of the greatest security weaknesses.

Enterprise Wide Security Weaknesses

The weaknesses are:

  • Using only single-level verification for access to sensitive data
  • Having “public” workstations or access points connected to a secure network
  • Sharing login credentials
  • Data validation for forms contained in client-side JavaScript
  • Connecting to the network from an unsecured access point
  • Corporate web site is encrypted but the login process is not
  • Using weak encryption for back-end management
  • Using unencrypted or weak encryption for Web site or Web server management


New York Security Compliance

New York Security Compliance Mandates added

New York Security Compliance – The State of New York announced a series of new rules strengthening cybersecurity requirements for financial firms. This is the latest in a series of announcements aimed at protecting clients, consumers and financial entities from the “ever-growing threat of cyber-attacks.”

The Governor of New York said, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from … state-sponsored organizations, global terrorist networks, and other criminal enterprises.” Even if your firm isn’t directly subject to these new regulations, it’s safe to assume that this approach will be rapidly adopted by similar regulatory bodies domestically and around the world.

The current draft calls for the “encryption of all nonpublic information held or transmitted”, but because the rules tie it tightly to access control, acceptable usage policy, and data retention, simple encryption won’t be enough to comply with the New York mandates.

To comply with the New York Security Compliance mandates, CFOs, CIOs, CSOs, and firms should:

  • Implement more dynamic ways to protect data. Enterprises will need to deploy more dynamic forms of data protection that extend beyond their current systems. When the requirement for encryption and data-loss protection spans not just records and managed systems, but anywhere data can travel, traditional means of encryption and monitoring do not scale. Organizations will need to enforce granular limitations on access privileges, implement new audit systems to document data governance, and be able to remotely apply data disposition and destruction rules.
  • Tie access control and privilege management to identity. In a complex technology ecosystem, it’s no longer feasible to define access and privilege at the system, device, or perimeter. Identity is the one attribute that crosses on-premises, cloud, and un-managed services, and provides a consistent way to set, audit, and control access to confidential information. Ultimately, encryption, access controls, and data-in-use protections must persist independent of the kinds of data protected, where it’s stored, or how it’s shared.
  • Prioritize solutions to balance simplicity and security. Too often, risk and security teams have simply added new solutions to their portfolio in response to regulations and enforcement. Unfortunately, this has often created a complex, hard-to-navigate forest of tools, hurdles, and collaboration dead-ends for employees. The downside of that is it creates incentives for otherwise well-intentioned people to avoid following policy, increasing the risk of a material breach.
  • Make audit a primary concern. In the past, the requirement for an audit trail on data access was seen as an add-on. In the worst case, it was an afterthought, something built last as a reaction to risk and compliance needs. But, by thinking differently about this rich trove of data, you can improve your visibility into data use and your ability to identify dangerous behavior in advance. In many cases, you will be able to proactively stop data loss before it happens. With a strategy that protects data directly, by deploying identity-driven access controls and dynamic permissions, you can use the data from each user interaction to build a better picture of where data is traveling, and to whom.
  • Take a more dynamic approach to data protection. Adhere to mandates and be ready to tell any auditor about your enterprise’s ability to protect the confidentiality, integrity, and availability of your enterprise’s information.


10 Security Assessment Questions

Security Assessment and Compliance Management

Security Assessment Questions

  1. To stop a breach tomorrow, what does the enterprise need to do differently today?
  2. Does the enterprise know if the company has been breached? How does it know?
  3. What assets are being protected, what are they being protected from (i.e., theft, destruction, compromise), and who are they being protected from (i.e., cybercriminals or insiders)?
  4. What risks does the enterprise face if it is breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Does the enterprise’s IT security implementation match the enterprise’s business-centric security policies?
  6. Are formal written policies, technical controls or both in place? Are they being followed?
  7. What is the enterprise’s security strategy for IoT?
  8. What is the enterprise’s security strategy for BYOD and “anywhere, anytime, any device” mobility?
  9. Does the enterprise have an incident response plan in place?
  10. What is the enterprise’s remediation process? Can the enterprise recover lost data and prevent a similar attack from happening again?

Security Compliance – Comprehensive, Detailed and Customizable for Your Business

The Security Compliance Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 220-plus page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:

  • Risk analysis – Threat and Vulnerability Assessment via Electronic Forms
  • Staff member roles
  • Physical security
  • Electronic Communication (email / SmartPhones)
  • Blogs and Personal Web Sites
  • Facility design, construction and operations
  • Media and documentation
  • Data and software security
  • Network security
  • Internet and IT contingency planning
  • Insurance
  • Outsourced services
  • Waiver procedures
  • Incident reporting procedures
  • Access control guidelines
  • PCI DSS Audit Program as a separate document


10 Tips to protect your personal information

Protecting Personal Information

10 Tips to protect your personal information – According to the Identity Theft Resource Center, it takes 600 hours to restore your identity after a theft has taken place. The FTC’s new online resource aims to streamline the process of reporting identity theft to the FTC, IRS, credit bureaus, and to state and local officials.

ID theft happens when criminals use your personal information to file for a tax refund with the IRS, or to process a credit application to purchase an item or withdraw funds from the victim’s account(s). Victims usually learn of the crime after having their tax returns rejected because the impostors beat them to it, checks bounce, or the victim receives dunning notices.

  1. Monitor credit reports – By law, you are entitled to a free copy of your credit report from the major bureaus: Equifax, Experian, Trans Union, and Innovis.
  2. Never provide personal information over public Wi-Fi or a network that’s not password protected.
  3. Password protections – the longer the better. Try disguising familiar phrases using a cipher.
  4. Don’t use the same password on all accounts and change them up frequently. The more variation, the better.
  5. Never store passwords on your computer. If you need to do it digitally, use an external hard drive or USB and disconnect it from the computer when you are finished.
  6. Watch out for phishing emails – Throw up an immediate red flag if you receive any email asking to confirm passwords, bank account numbers, or Social Security Numbers. This includes any type of electronic communication, such as text messages and social media channels.
  7. If you do receive a suspicious-sounding email, contact your service provider directly to verify its authenticity. If your bank is requesting updated information, log onto your online banking account and update it there (instead of clicking on the link in the email). If your account does not show need for an update, you’ll know the email was a scam.
  8. Take physical precautions – Do not carry your Social Security card with you or write it down on checks. Only give out your SSN if it is an absolute necessity. When filling in forms for organizations, hospitals, clinics, and other companies, leave the area asking for your SSN blank.
  9. Shred bills, credit offers, and expired credit cards to prevent dumpster divers from getting your personal info.
  10. Layer your cyber-security – Layer defenses with a firewall, antivirus, and anti-malware that includes anti-spyware.


Cyber attack stages

The stages of a cyber attack’s life cycle need to be understood so that CIOs can create an effective defense strategy. Malicious cyber attacks continue to threaten sensitive data — whether it is personal data or company sensitive data — and one fact remains: attackers will continue to exploit weaknesses to infiltrate systems and extract data that they can turn into money. The life cycle of attacks is as follows.

Identify and define potential attack vectors

The first step attackers usually take is to identify members of staff within the organization and the best attack vectors to utilize. This is done by scanning the organization’s public facing websites and gathering as much information about the sites as possible, while simultaneously performing scans against the internal networks.

Initial attack

Using several identified attack vectors, hackers attempt to gain access to an organization’s network. Using different IP addresses and a significant number of computers, the hackers will kick off an automated dictionary attack and after only a few short days malware is installed on the victim’s computer.

Command and control

With the malware in place, the attackers can now begin an in-depth recon against the internal network. The attackers will attempt to escalate privileges on the victim’s account, and create new user accounts with administrative and privileged access.

Discover and spread

With access to the network, the hackers begin to spread across the organization’s entire network. A significant presence within the network allows them to wait while making detailed asset maps, noting employee patterns and gathering any other information that can assist them in their long-term goal: data theft.

Extract and ex-filtrate

Attackers siphon data out of their target company’s environment. They do this by moving the targeted data to a remote server. After several weeks or possibly even months of siphoning data, the attackers can end their campaign. However, before exiting, they will ensure that they make several network modifications to enable them to return at any time in the future.

Discovery and clean up

When the organization finally discovers the compromise, which typically takes more than 200 days, stopping the attack begins.

Top 10 Best Practices Ransomware

Best Practices Ransomware

Best Practices Ransomware – Ransomware is a class of malware that holds a computer or data “hostage” until the user pays a particular amount or abides by specific instructions. The ransomware restricts access to the data and the system. Some cases of ransomware also repeatedly show messages that tell users they must pay the “ransom” or perform a particular action. There are some ransomware variants that encrypt files found on the system’s hard drive. Users must pay the ransom in order to decrypt the data that was altered by the ransomware.

Cybercriminals behind this threat make use of online payment methods as a way for users to pay the ransom.

  1. Have remote backups of your data that are not “mapped” to your computers and network.
  2. Show hidden file extensions. One way that Cryptolocker frequently arrives is in a file named with the extension “.PDF.EXE”, counting on Windows’ default behavior of hiding known file extensions. To mitigate this, re-enable the ability to see the full file extension so that suspicious files are easier to spot.
  3. Have your email server filter out all files that are executables. If there is a need to exchange executable files within your environment while denying emails with “.EXE” files, you can do so with password-protected ZIP files or via cloud services.
  4. Disable files running from AppData/LocalAppData folders. One of the ways that ransomware works is to place an executable within those Windows folders and then launch the program. By disabling those files you eliminate a major weakness in your operating environment.
  5. Disable Remote Desktop Protocol (RDP), which allows others to access your desktop remotely. If you do not require the use of RDP, you can disable it to protect your environment.
  6. Keep your software current by applying patches and updates in a timely manner. Malware authors frequently rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto your system. It can significantly decrease the potential for ransomware pain if you make a practice of updating your software often.
  7. Utilize a security suite that has a large user base and is updated frequently.
  8. If you run WiFi in your environment, make sure that all of the routers in the network are secure, utilize strong passwords, and change their passwords at least quarterly. If you do have a ransomware attack, turn your WiFi off immediately.
  9. Provide in-depth training to all users who have access to your environment on what they can and cannot do, such as accepting files that are suspicious or from unknown users.
  10. Stay current with all breaches and ransomware attacks that are reported and adjust your operating environment to address exposures that others have faced.
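Tips 2 and 3 above (the “.PDF.EXE” double-extension disguise, and filtering executables at the mail server while still allowing password-protected ZIP files) can be implemented as a single attachment screen. The following is an added example written for this page, not Janco’s code; the extension lists and the sample attachments are constructed assumptions.

```python
"""Mail-gateway attachment screen for the ransomware best practices above.

Added example, not Janco's code. It flags executable attachments, the
".PDF.EXE" double-extension disguise, and executables hidden inside
unencrypted ZIP archives, while letting encrypted ZIP entries through
(the allowed channel in tip 3). Sample attachments are constructed inline.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Assumed list of extensions Windows will execute directly.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "pif"}
# Assumed list of extensions commonly placed in front of a real executable extension.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def classify_name(filename: str) -> Optional[str]:
    """Return a reason string if the file name looks dangerous, else None."""
    base = filename.lower().rsplit("/", 1)[-1]   # ignore any directory prefix
    parts = base.split(".")
    if len(parts) < 2:
        return None                               # no extension at all
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return f"double extension disguises executable: {filename}"
        return f"executable attachment: {filename}"
    return None


def scan_zip(data: bytes) -> List[str]:
    """Look inside an unencrypted ZIP for executables; encrypted entries pass."""
    findings: List[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:          # bit 0 set: entry is encrypted
                    continue
                reason = classify_name(info.filename)
                if reason:
                    findings.append(f"inside zip: {reason}")
    except zipfile.BadZipFile:
        findings.append("corrupt or non-zip data carrying a .zip extension")
    return findings


def screen_attachment(filename: str, data: bytes) -> List[str]:
    """Screen one attachment; an empty list means it may be delivered."""
    findings: List[str] = []
    reason = classify_name(filename)
    if reason:
        findings.append(reason)
    if filename.lower().endswith(".zip"):
        findings.extend(scan_zip(data))
    return findings


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample helper: build an in-memory, unencrypted ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments, including the .PDF.EXE disguise from tip 2.
SAMPLE_ATTACHMENTS: Dict[str, bytes] = {
    "quarterly-report.pdf": b"%PDF-1.4 ...",
    "Invoice_2017.PDF.EXE": b"MZ...",
    "setup.exe": b"MZ...",
    "photos.zip": build_zip({"holiday.jpg": b"\xff\xd8", "run_me.scr": b"MZ"}),
}


def screen_all(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Screen every attachment of a message and return findings per file."""
    return {name: screen_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in screen_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {'DELIVER' if not findings else 'QUARANTINE'}")
        for finding in findings:
            print("   ", finding)
```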

Security Manual Template and Compliance Tools

Order Security Manual Download Selected Pages

Size Doesn’t Matter: Every Business Needs Security

Of the hundreds of data breaches that occurred in 2015, most people can only name those that targeted major corporations: BlueCross BlueShield, Experian, Ashley Madison, etc. However, just because these massive thefts were the only ones to make the news doesn’t mean smaller businesses are safe from cyberattacks; in fact, oftentimes they are even more vulnerable to digital disasters.

A majority of small businesses are woefully under-protected against cyber-threats, but erroneous feelings of invincibility are preventing businesses from correcting their cybersecurity mistakes. Learning why security is important for every business ― no matter how small ― will help companies stay alive in this dangerous digital climate.

The Temptation of Small Businesses

A common belief among new entrepreneurs is: “My business isn’t as profitable as larger companies, so hackers wouldn’t gain much by targeting me.” However, small businesses actually tend to be most criminals’ bread and butter.

In reality, the size of a business isn’t what attracts a hacker ― it is the type of data the business collects. Cybercriminals make money from mining and selling personal data, such as health information, financial information, or contact information. Digital thieves build automated viruses and malware capable of locating and stealing this data, so hackers make few conscious decisions regarding the size of business they target. Usually, larger enterprises have the resources to protect their digital cache while smaller companies make more digital mistakes, such as:

  • Lacking a dedicated IT specialist on staff
  • Lacking employee training for digital security
  • Failing to update security programs
  • Failing to secure endpoints, especially mobile devices

No matter how little revenue a startup makes in a year, its data is usually low-hanging fruit for cybercriminals to pluck and enjoy, causing untold ruin for the business and its customers.

The Essential Defenses

Fortunately, digital security isn’t difficult to enact quickly. In fact, many experts have compiled lists of basic defenses every business should have to be effectively secure. Essentially, a business can avoid harmful attacks with antivirus software, anti-spam software, and anti-phishing software, which are usually bundled together in a neat security suite. Thousands of security software providers exist, but businesses would do well to trust industry leaders, like Trend Micro.

However, before any business begins downloading programs and hiring system administrators, it is crucial to have strong security policies in place. Software is only as powerful as the people using it, which means employees must be trusted to uphold security measures, like using strong passwords and keeping those passwords secret. The security policies should explain punitive measures for those employees who skirt the rules, as they put the entire enterprise at risk.

Additional Technologies for Added Protection

In addition to basic protection, businesses can adopt a number of supplementary technologies to keep their data safe. Many of these target specific security risks incurred by alternative business practices.

For example, businesses that employ a number of employees who use networks remotely might be interested in using a virtual private network (VPN), which is a device that allows users to connect through browsers, encrypting any and all network traffic. Usually, VPNs require a username and password, but some businesses take security a step farther with a token that randomly generates passwords, like the RSA SecurID.

Additionally, businesses could complete full-disk encryption on all of their devices. This process translates all data stored on the machine into incomprehensible characters which can only be read with the proper password. Once again, users can use a security token, or businesses might prefer to use biometrics such as fingerprint scans or voice recognition, which is in its early stages of use.

Common Security Mistakes

Some small business owners might believe they are protected ― after all, some pay big bucks for fancy security systems which are installed on every company-owned device. However, even small businesses with a satisfactory security budget are susceptible to cybercrime, all because of human error. Before any business believes itself secure, it should ensure it isn’t engaging in these major security mistakes:

  • Relying on the cloud. It is acceptable to store some data on the cloud, but businesses must have complete faith in their cloud-provider’s security first.
  • Ignoring smart devices. Nearly every piece of tech in the modern office can connect to Wi-Fi, which means hackers potentially have several unprotected entry points. Businesses must research everything, from office phones to printers, to be secure.
  • Forgetting to dispose of data. When tech gets old, many businesses sell, donate, or throw it away without doing a proper memory sweep. Criminals can find everything from passwords to actual information on unwanted devices.


10 step security implementation

10 step security implementation process:

  1. Make security an executive directive – The driver for security needs to be at the CEO and/or the Board of Directors.
  2. Implement clear security guidelines – Have a published security manual with specific policies, procedures, and statements of what will occur if someone does not follow the rules.
  3. Provide specifics for security compliance – Do not use statements like “in general” without having specific example of what the individual needs to do.
  4. Enforce that everyone follows the rules – If ID badges are required then everyone, including the CIO and CEO, needs to use one.
  5. Provide a formal training program – All new employees should go through this program as soon as they are hired, and all existing employees need to have “at least” an annual review of the security guidelines and rules.
  6. Communicate Security – On an on-going basis communicate what security best practices all employees and associates need to follow.
  7. Monitor security compliance – Validate that security rules and guidelines are being followed and make individuals and managers accountable for breaches.
  8. Establish security compliance metrics – Identify metrics that are meaningful to validate that compliance is occurring. Have metrics which show violations to the security guidelines as well as the total breadth and depth of the security process
  9. Provide security compliance feedback – At least monthly, provide a general report that shows the status of the security program.
  10. Audit security with a third party – On an annual basis have a third party audit the security program and validate:
    • The program is in place and functional
    • The program is being followed
    • All of the right things are included


Wearable Device Security Concerns

Wearable Device Security – Over 300,000,000 wearable devices are going to be deployed in the next several years.

Wearable Device Security – Janco Associates has determined that most mobile devices have some major vulnerabilities. They include:

  • Insufficient User Authentication/Authorization: Many devices are vulnerable to account harvesting, meaning an attacker could gain access to the device and data via a combination of weak password policy, lack of account lockout, and user enumeration.
  • Data Encryption Missing: Most devices have implemented transport encryption using SSL/TLS, but almost one half of all cloud connections are vulnerable to the POODLE attack, allow the use of weak ciphers, or still use SSL v2.
  • Insecure Interfaces: Over 1/3 of smartwatches use cloud-based web interfaces, all of which have major security concerns. In addition, there are security concerns with the devices' mobile applications. These vulnerabilities enable hackers to identify valid user accounts through the feedback returned by password reset mechanisms.
  • Software/Firmware Updates Not Secure: Firmware and software security issues include transmitting updates without encryption and without encrypting the update files. On the plus side, most updates are signed to help prevent the installation of contaminated firmware. While malicious updates cannot be installed, the lack of encryption allows the files to be downloaded and analyzed.
  • Privacy Controls Are Missing: Most wearable devices collect some form of personal information, such as name, address, date of birth, weight, gender, heart rate and other health information. Given the account security issues and the use of weak passwords on some products, exposure of this personal information is a concern.
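The account-harvesting and password-reset feedback problems named in the first and third items above are addressed on the service side by a reset flow whose reply, and whose amount of work, is identical whether or not the account exists. This is an added example, not Janco's code or any device vendor's; the user store, the per-identifier request limit and the mailer stand-in are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample user store for this example; a real service queries its backend.
SAMPLE_USERS = {"alice@example.com": "alice", "bob@example.com": "bob"}
# The one reply every caller sees: hit or miss, throttled or not.
GENERIC_REPLY = "If that address is registered, a reset link has been sent."
MAX_REQUESTS = 3  # assumed per-identifier limit for the demonstration


@dataclass
class ResetService:
    users: dict = field(default_factory=lambda: dict(SAMPLE_USERS))
    issued: dict = field(default_factory=dict)   # user -> SHA-256 of the live token
    attempts: dict = field(default_factory=dict)  # identifier -> requests seen
    outbox: list = field(default_factory=list)    # stand-in for the mailer

    @staticmethod
    def _canonical(identifier: str) -> str:
        # Normalise so case or whitespace variants cannot be used as probes.
        return identifier.strip().lower()

    def request_reset(self, identifier: str) -> str:
        """Same reply and same amount of work whether or not the account exists."""
        key = self._canonical(identifier)
        self.attempts[key] = self.attempts.get(key, 0) + 1
        # Generate the token on every path so a hit and a miss cost the same.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if key in self.users and self.attempts[key] <= MAX_REQUESTS:
            self.issued[key] = digest          # store only the hash, never the token
            self.outbox.append((key, token))   # the token leaves only out of band
        return GENERIC_REPLY

    def redeem(self, identifier: str, token: str) -> bool:
        """Single-use check, compared in constant time against the stored hash."""
        key = self._canonical(identifier)
        expected = self.issued.get(key)
        if expected is None:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(expected, presented):
            del self.issued[key]
            return True
        return False
```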

The use of wearable devices that can capture and broadcast video, voice, data and location information is increasing at an accelerated rate.

Janco addresses the security, privacy and reputation management issues of a world in which wearable devices have cameras, microphones, massive data storage and Internet connectivity.


Wearable devices provide a variety of potential business or educational uses involving accessing, capturing and sharing data. At the same time, they can pose a significant security risk to an organization: the ability to surreptitiously record audio and video can threaten business confidentiality and jeopardize company data and even its reputation.

With that in mind, the consultants at Janco Associates have created a Wearable Device Policy that can be downloaded and used as a guideline for organizations as they establish rules for the use of such devices in the workplace.

10 actions to protect data assets

10 actions to protect data assets — Janco has found that more than 90% of all data breaches affecting 500 or more individuals are caused by an organization’s own employees, not hackers. Since ninety percent of an organization’s data breaches are due to “friendly fire” – the mistakes and transgressions of the business’s own employees and business associates – CIOs and CSOs need to take a leadership position in managing this risk. By taking specific actions, a company can greatly reduce the likelihood of these internal breaches, both the careless mistakes and the malicious acts.

Here are 10 actions that a CIO or CSO can take:

  1. Instill on all employees that they are the first line of defense when it comes to data protection and data security.
  2. Develop and implement specific policies and procedures regarding the handling of proprietary or sensitive information. Have employees sign an acknowledgement form indicating that they have read the policies and understand their responsibilities.
  3. Validate that the policies and procedures meet all industry and mandate compliance requirements.
  4. Improve training and require all employees to take it. Many organizations think that a general 30-minute online information-security training followed by 10 questions is sufficient for employees to know what they should do in a given situation. However, the lack of specificity to their own responsibilities opens the possibility of unintentional exposure of, or unauthorized access to, protected information.
  5. Maintain a tight control on all data assets and ensure only the minimum necessary access to the information. Organizations need to take the time to assess the functions or roles in the organization that need access to confidential information, and to document the process for initiating and terminating that access. The most damaging impact on an organization can be caused by a disgruntled employee who is terminated from the organization, yet his or her access to information is not cut off in a timely fashion.
  6. Require all passwords be changed frequently and not be repeated.
  7. Communicate, enforce and apply consistent sanctions for information privacy or security violations. If there is no punishment for accessing or sharing information, people are more apt to do so. For example, rural hospitals and health plans have significant problems with employees snooping into medical records of colleagues, ex-partners, and others in the community. Larger hospitals and rehab centers have to address the improper snooping into the medical records of celebrities and prominent public figures.  An organization can suffer significant financial and reputational damage if steps aren’t taken when bad behavior occurs.
  8. Monitor employee activity both on PCs and mobile devices. Doing so ensures appropriate access and can unearth any unusual activity. Take the time to review or randomly sample usage reports to identify any potential problems early and initiate remediation activities.
  9. Ensure adequate oversight or governance of information security programs. This is necessary to evaluate the causes of security or privacy incidents, apply consistent sanctions, monitor training activities, provide resources for mitigation and remediation of impermissible disclosures, and make information security part of the organization’s culture.
  10. Have independent third parties test the data protection and data security compliance practices.
