<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title> &#187; Blog</title>
	<atom:link href="http://www.lok-it.net/category/blog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lok-it.net</link>
	<description></description>
	<lastBuildDate>Sun, 22 Jan 2012 23:26:39 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Experts Urge Organizations to Adopt Full Scale Encryption</title>
		<link>http://www.lok-it.net/blog/full-scale-encryption/</link>
		<comments>http://www.lok-it.net/blog/full-scale-encryption/#comments</comments>
		<pubDate>Sun, 22 Jan 2012 23:26:39 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encrypted flash drive]]></category>
		<category><![CDATA[USB encryption]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1837</guid>
		<description><![CDATA[ With so many high profile data breaches happening to government agencies, healthcare organizations and also to businesses (e.g., financial services, data security, retail, etc.), there should be more of a move toward encryption and key management in order to prevent a full scale data breach.  However, it seems as though this type of movement hasn’t [...]]]></description>
			<content:encoded><![CDATA[<p> With so many high profile data breaches happening to government agencies, healthcare organizations and also to businesses (e.g., financial services, data security, retail, etc.), there should be more of a move toward encryption and key management in order to prevent a full scale data breach.  However, it seems as though this type of movement hasn’t garnered the attention of the IT security professionals in most organizations.<a href="http://www.lok-it.net/wp-content/uploads/encryption-1.jpg"><img class="alignleft size-medium wp-image-1841" style="margin: 7px;" title="encryption-1" src="http://www.lok-it.net/wp-content/uploads/encryption-1-300x198.jpg" alt="" width="300" height="198" /></a></p>
<p>A recent survey by iStorage of 500 IT professionals revealed that more than one third had lost USB drives and portable devices that contained unencrypted personal and company data.  Even more distressing is that over 50% of those surveyed reported having transported data without any measure of encryption.</p>
<p>However, there are security experts who are openly calling on and urging companies and other organizations to adopt full disk encryption and to implement proper key management to prevent an accidental or premeditated cyber criminal act from occurring.</p>
<p>One voice speaking about the need for encryption is the CEO of Venafi, Jeff Hudson.  Hudson recently noted that he sees organizations beginning to rely on “ubiquitous encryption to protect data across the enterprise.”  He pointed out that with last year’s high-profile data breaches, many organizations are assuming that their firewalls and other defenses are in some way compromised or vulnerable to attack.  This recognition that the walls around data are relatively open has convinced many that the data inside the network needs layers of protection as well.  So much so, that Venafi’s Hudson is predicting that 2012 will be the “year of ubiquitous encryption.”</p>
<p>Other organizations have also stepped up efforts to promote encryption.  The privacy rights group, Electronic Frontier Foundation, has recommended that its members “commit” to full disk encryption on all devices, both desktop and mobile.  The obvious effect would be that all private data like sensitive business documents, personnel information, customer data and email correspondence would be encrypted.  With full encryption, even if the device is stolen or lost, the data would be safe from being accessed.</p>
<p>Ulf Mattsson, CTO of Protegrity spoke to eWeek and noted “Organizations need to make sure that all data, regardless of whether it is stored inhouse or managed by a third-party provider, is protected by either encryption or tokenization.”  He went on to say that, “Incorporating these data security measures may add some complexity, but the protections would wind up saving the organization money in the event of a data breach.”</p>
<p>Jeff Hudson from Venafi also noted that as organizations begin to encrypt more and more of their data, they must also create effective processes to manage the keys for decrypting it.  Oftentimes, an employee will be tasked with encrypting their data and then leave the company.  After they’ve left, the key is either missing or lost.  This process will need to become more organized and have a central person or group who manages the keys and keeps track of what data has been encrypted or is next in line to be encrypted.</p>
<p>The issue with passwords when protecting data is that when they are entered online or through software, hackers can remotely replicate that act by penetrating a security layer.  With LOK-IT, there is no way to remotely enter the password to unlock the drive, because LOK-IT uses <a href="http://lok-it.net/hardware-authentication/">hardware authentication</a> where the user must have physical control of the device to enter the PIN through the onboard PIN-pad.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/full-scale-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Defense Department Makes Moves to Widen Use of Mobile Devices</title>
		<link>http://www.lok-it.net/blog/defense-department-widen-use-of-mobile/</link>
		<comments>http://www.lok-it.net/blog/defense-department-widen-use-of-mobile/#comments</comments>
		<pubDate>Sun, 15 Jan 2012 17:22:27 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Government Computer News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[mobile device]]></category>
		<category><![CDATA[theft of government documents]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1827</guid>
		<description><![CDATA[The Department of Defense (DoD) has announced plans to create new methods and procedures in the way that the military handles classified material and sensitive data. This new procedure will utilize mobile technology and devices such as smartphones and tablets in the coming year. This move by the DoD and Pentagon chiefs is controversial [...]]]></description>
			<content:encoded><![CDATA[<p>The Department of Defense (DoD) has announced plans to create new methods and procedures in the way that the military handles classified material and sensitive data. This new procedure will utilize mobile technology and devices such as smartphones and tablets in the coming year.</p>
<p>This move by the DoD and Pentagon chiefs is controversial with some top military commanders. These commanders are afraid that the expansion of wireless technology, especially when handling classified material, will put military operations and network systems at risk for data breaches. However, proponents of the measures believe that using smartphone and tablet technology is the way of the future for the armed forces and their civilian counterparts.</p>
<p><a href="http://www.lok-it.net/wp-content/uploads/military_cell_phone.jpg"><img class="alignleft size-medium wp-image-1830" style="border-width: 2px; border-color: black; border-style: solid; margin: 6px;" title="military_cell_phone" src="http://www.lok-it.net/wp-content/uploads/military_cell_phone-300x199.jpg" alt="" width="300" height="199" /></a>&#8220;The question they are struggling with is this: In a military that is trying to get more secure, how do we approve technology and protocols that are inherently less secure?&#8221; said Brian Hajost, president and CEO of Steelcloud. Steelcloud is providing the military and other government agencies with wireless security systems.</p>
<p>The move to greater use of mobile wireless devices is fraught with risk and reward. The DoD regards the use of wireless technology as a common-sense move that will help to make the agency more efficient. This move is also part of a greater strategy that the Pentagon has for enhancing security of computer servers, the use of encryption codes and also the development and usage of various military frequency bands.</p>
<p>One area that the Pentagon is exploring to move into the mobile device realm is that of the Common Access Card. This is a card system that troops use to verify their identity when sending sensitive emails or when they log into a DoD database. The card is swiped in order to gain access, which works in an office environment, but isn’t very practical when using a mobile device. The military is looking at alternatives to this system such as biometric identifiers on the device or usage of encrypted devices that can both identify the user and protect the data.</p>
<p>However, besides the various technical aspects and devices, there remains a fundamental concern within the DoD. This is, of course, how to continually protect and safeguard American secrets and ultimately to make certain that military troops are not put into harm’s way by a breach that allows an enemy to use data to wage battle against the U.S.</p>
<p>As the military moves forward with these plans, it will continue to have a very strict policy on the popular BYOD culture in the rest of the U.S. As the military rolls out the usage of mobile devices, it plans to limit the use to only those devices that are owned and issued by the Defense Department. This strict control will allow the Pentagon to exert control over its phones and tablets. If a device is lost, there is no question of what to do: an administrator can quickly wipe out the contents. If a troop is placed in a sensitive situation, the administrator could also disable the camera and shut off any GPS locator signal in order to protect the location of a troop or its members.</p>
<p>Finally, to answer the critics of the plan, the Pentagon is also exploring the possibility of operating its own mobile network, thereby giving ultimate control over security and protection to the military itself.</p>
<p>By 2014, the installed base of devices based on lightweight mobile operating systems, such as Apple’s iOS, Google’s Android, and Microsoft’s Windows 8 will exceed the total installed base of all PC-based systems, according to Gartner.</p>
<p>“Enterprise, government and military IT managers can not ignore the move to tablets and smartphones and must understand that devices they purchase today could quickly be obsolete unless those devices are platform independent,” said John Tate, Systematic Development Group’s executive vice president. “With operating budget dollars at a premium, the flexibility of LOK-IT is an extremely valuable benefit.”</p>
<p><a href="http://www.lok-it.net/">LOK-IT</a> is the first encrypted flash drive with enterprise-level security that can be used with any operating system since it doesn’t require software for user authentication or encryption. To gain access to the drive and data within, LOK-IT users just punch a pin code into a 10-key PIN-Pad*, much like an ATM.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/defense-department-widen-use-of-mobile/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>5 Authentication Predictions for 2012</title>
		<link>http://www.lok-it.net/blog/authentication-predictions/</link>
		<comments>http://www.lok-it.net/blog/authentication-predictions/#comments</comments>
		<pubDate>Thu, 05 Jan 2012 15:55:20 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1817</guid>
		<description><![CDATA[It’s the New Year and the predictions have begun to be assembled by experts and companies throughout the data security industry.   Many are focused on the big issues that companies and governments are likely to encounter in 2012.  Others are a bit more focused in their round of predictions. Confident Technologies has released its top [...]]]></description>
			<content:encoded><![CDATA[<p>It’s the New Year and the predictions have begun to be assembled by experts and companies throughout the data security industry.   Many are focused on the big issues that companies and governments are likely to encounter in 2012.  Others are a bit more focused in their round of predictions.</p>
<p><a href="http://www.lok-it.net/wp-content/uploads/Unknown2.jpeg"><img class="alignleft size-full wp-image-1821" style="margin: 6px;" title="Unknown" src="http://www.lok-it.net/wp-content/uploads/Unknown2.jpeg" alt="" width="219" height="231" /></a>Confident Technologies has released its top 5 authentication predictions and trends for the New Year.   Confident Technologies is a San Diego based company that provides image-based authentication and verification services for websites and mobile devices.  Here are their 5 Authentication Predictions for 2012.</p>
<ol>
<li><span style="text-decoration: underline;">Bring Your Own Mobile Device</span>:  Confident Technologies is predicting that this ongoing issue of employees bringing their own personal mobile devices (e.g., cell phones and tablets) to the work place will not only grow but will become a major issue for companies.  This combination of personal and business related activities will likely result in at least one if not more high-profile breaches.  The issue is that when an employee connects their personal mobile device to a company’s network without any security precautions in place, there is a far greater likelihood that some type of infiltration will occur or, if the device is stolen, that access can be obtained via the device.  This BYOMD trend will bring about more authentication and security policies with a focus on what information can be accessed and stored on a personal mobile device.</li>
<li><span style="text-decoration: underline;">Passwords Will Become Pass<em>é</em></span>:  Another prediction by Confident Tech is that there will be a very large data breach due to unsecured passwords.  This breach will focus companies on making changes to their password-only security layer.  As in the Sony online gaming breach, once a hacker gets a username and password, they can wield that information over many other websites.  They know that many people use the same username and password on multiple sites.  After the Sony breach, other sites like LinkedIn and Amazon had to force a password reset for their customers.  This breach will occur because of poor authentication, Confident Technologies states, and because of weak credentials.  This will lead to the end of the use of simple text passwords as the only means of authentication to access websites.  Expect to see healthcare, education, and social networks adopt multi-layered authentication processes.</li>
<li><span style="text-decoration: underline;">Zeus or Zitmo Malware to Grow</span>:  Last year there were several versions of the Zeus malware that were modified and used to target mobile phones, in particular smartphones.  These attacks were used to intercept authentication text messages that financial institutions sent to customers.  With the increase in the use of SMS-based authentication by many companies, the attacks will be stepped up and will grow.  This, coupled with the fact that very few mobile device users have installed data security protections on their phones or tablets, will make them easy prey for cyber thieves.  This increase in Zitmo use by criminals will cause companies, in particular financial institutions, to step up their game on authentication and find ways to ensure that the device receiving the authentication via SMS messaging is not infected with malware.</li>
<li><span style="text-decoration: underline;">Image-Based Authentication and Biometrics on the Rise</span>:  An increase in the use of smartphones and tablets will provide a new avenue for new types of authentication.  These devices have touchscreens and cameras, which will be the technology side of enabling these new types of authentication.  Some of the new types are graphical authentication techniques and image-based authentication.  Utilization of the touch screen will permit the use of pattern-based authentication.  With the camera, biometrics can be used to authenticate a person’s identity via face and voice recognition.  With the need for more secure means of authentication, Confident Technologies predicts there will be a triple-digit market growth for these new technologies in 2012.</li>
<li><span style="text-decoration: underline;">Retailers Pave Way for New Mobile Authentication</span>:  Mobile transactions via smartphones haven’t taken off in the United States, mainly due to the difficulty users have entering complex text passwords into a small mobile device in order to approve a transaction.  Payment providers in particular, but also retailers, see that they are missing out on transactions due to the complexity of authenticating a mobile payment.  Recent surveys have shown that a vast majority of mobile users (84%) have struggled with a mobile transaction.  Confident Technologies expects that retailers and payment providers will pave the way in 2012 for new, easy-to-use authentication techniques.</li>
</ol>
<div>
<p>The issue with passwords is that when they are entered online or through software, hackers can remotely replicate that act by penetrating a security layer.  With LOK-IT, there is no way to remotely enter the password to unlock the drive, because LOK-IT uses <a href="http://lok-it.net/hardware-authentication/">hardware authentication</a> where the user must have physical control of the device to enter the PIN through the onboard PIN-pad.</p>
<p>A solution involving LOK-IT could be put to use in several of the areas mentioned above to mitigate those inherent risks.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/authentication-predictions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing the Cloud</title>
		<link>http://www.lok-it.net/blog/securing-the-cloud/</link>
		<comments>http://www.lok-it.net/blog/securing-the-cloud/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 18:34:58 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Government Computer News]]></category>
		<category><![CDATA[USB encryption]]></category>
		<category><![CDATA[USB protection]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1809</guid>
		<description><![CDATA[More and more companies are adopting and using Cloud based computing.  This is creating some unique paths to innovation and collaboration; however, it is opening up more and more questions about security.  How each organization will cope with securing its cloud-bound data is a question that all IT managers will need to ask in the [...]]]></description>
			<content:encoded><![CDATA[<div>
<p><a href="http://www.lok-it.net/wp-content/uploads/cloud-security.jpg"><img class="alignright size-medium wp-image-1812" style="margin: 6px;" title="cloud-security" src="http://www.lok-it.net/wp-content/uploads/cloud-security-212x300.jpg" alt="" width="212" height="300" /></a>More and more companies are adopting and using Cloud based computing.  This is creating some unique paths to innovation and collaboration; however, it is opening up more and more questions about security.  How each organization will cope with securing its cloud-bound data is a question that all IT managers will need to ask in the coming months.  Also, who exactly is responsible for the security of the organization’s data when it is in the cloud?  Is it the provider of cloud services, or is it the IT manager’s and ultimately the organization’s task to secure the data?  Many critics believe that the cloud provider has the ultimate responsibility for network, system and physical security of sensitive data.  However, the organization that owns the data is responsible for maintenance of passwords, the integrity of the applications and the security of access to data.</p>
<p>Some things to consider in order to prevent cloud compromises include the following suggestions.  The first is to select a capable cloud-computing provider. Some questions to ask when selecting a vendor include questions about the physical, network and system security.  Ask about patch cycles.  Ask about firmware updates.  Another key question is to find out what type of insurance they have in case of a data breach.  Also determine if the vendor carries regulatory compliance certifications or compliance levels such as HIPAA, SOX or PCI.</p>
<p>Next, make sure that you’ve secured the programming.  Perhaps the compromise most often blamed for data loss is SQL Injection. Hackers count on lazy programming so that they can send a malformed string to a database for processing. If this happens, data loss could occur and a hacker could acquire a list of usernames, passwords, credit card account numbers or the entire contents of a table or database.  Application security is the organization’s responsibility, including when a hacker steals data from the company’s database via SQL injection, so select programmers carefully when interviewing.</p>
<p>Physical security is the shared responsibility of the organization and the cloud provider. The vendor has the responsibility for maintaining physical security at the data centers.  The organization has the responsibility for the physical security of the office and work computers.  Since many compromises originate from a lost or stolen device, physical security shouldn’t be forgotten.</p>
<p>System locks, disk encryption, portable drive encryption and personal vigilance are key to preventing theft and data loss from mobile systems. Hard drives, standard flash drives and SIM cards should all be wiped using software tools or destroyed prior to disposal.  Remember that there is no perfect system and that people aren’t perfect either.  Vulnerabilities will exist and it is important to stay vigilant against them and be ready to respond if a vulnerability is discovered.  It isn’t that the cloud is insecure; it is that there are entry points to be exploited, just as in any other computing/networking scenario.</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/securing-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Year End Predictions for Data Security in 2012</title>
		<link>http://www.lok-it.net/blog/2012datasecurity/</link>
		<comments>http://www.lok-it.net/blog/2012datasecurity/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 21:37:01 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Government Computer News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[theft of government documents]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1785</guid>
		<description><![CDATA[This is that time of the year for top ten lists and predictions for the New Year.  Even in data security there are a host of companies and experts who are making their lists and checking them twice for what the future holds in the field of securing data.  Here’s a great trend list for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.lok-it.net/wp-content/uploads/Unknown1.jpeg"><img class="alignright size-full wp-image-1786" style="border-width: 2px; border-color: black; border-style: solid; margin: 6px;" title="Unknown" src="http://www.lok-it.net/wp-content/uploads/Unknown1.jpeg" alt="" width="233" height="175" /></a>This is that time of the year for top ten lists and predictions for the New Year.  Even in data security there are a host of companies and experts who are making their lists and checking them twice for what the future holds in the field of securing data.  Here’s a great trend list for 2012 by Cryptzone.  Cryptzone is a Swedish solutions provider that helps mitigate IT risks and issues.  Here are four of their key predictions for the coming year:</p>
<ol>
<li><span style="text-decoration: underline;">Bring Your Own Device (BYOD):</span>  Companies will have a continued challenge of adapting their mobile strategy with the increase of employees bringing their own devices to work with the expectation that they will use them for work related projects.  This personal device diversity in itself is a major challenge facing IT managers.  However, the fact that multiple corporate users will take these devices far beyond the walls of company buildings, loaded with corporate data as well as points of access to the corporate network, will be a serious challenge for all IT departments.  Cryptzone suggests that one over-arching security policy won’t be a suitable approach to this problem.  A “take-no-prisoners” policy is suggested so that employees who must use their personal device know that if it goes missing or becomes infected with some malware, the company has the right to delete all data on the device, both corporate and personal.  BYOD is becoming more and more popular, as people do not want to have to carry with them separate laptops, tablets and smartphones for both their work and personal needs.  Peripherals that have the ability to connect to any of these devices, no matter what the operating system, are badly needed.  LOK-IT is one of the few secure devices that can operate in this BYOD strategy.  Additionally, the LOK-IT <a href="http://www.lok-it.net/encrypted-flash-drive/">encrypted flash drive</a> provides a simple way to secure mobile content, versus an overall security of all content.</li>
<li><span style="text-decoration: underline;">Content Security Vs. Hardware Security</span>:  Throughout 2012, hardware security will remain a priority for companies. But Cryptzone predicts that companies will begin to look into securing content rather than the storage device.  Since data can be replicated throughout the organization, all the locations where it is stored securely are often hard to determine.  The new wave of data security will not be focused on storage, but rather it will focus on the identification of what content is at risk and how to secure it.  With this tactic, no matter how much the data is replicated, it will remain secure wherever it is stored.</li>
<li><span style="text-decoration: underline;">Targeted Attacks</span>:  2011 was a banner year for targeted cyber attacks, especially with the likes of the group Anonymous targeting governments, businesses and even criminals.  Cryptzone predicts that this trend will continue to grow.  Hackers will be less likely to attack random targets, but will work together to target organizations due to their political views or to make right a perceived wrong.</li>
<li><span style="text-decoration: underline;">Incident Response Management</span>:  With risks of data breaches at an all time high, corporations have to be aware that an attack can occur at any time.  Having a plan to respond to each incident will be key in 2012.  Cryptzone suggests that companies implement and communicate an incident handling policy and incident procedures that can be quickly used when a breach occurs.  They suggest that companies should make the corporate culture one that permits staff to freely raise security issues or to be encouraged to quickly report suspicious activity.</li>
</ol>
<p>These are just a few of Cryptzone’s predictions.  You can read more about what they are looking at for 2012 on their <a href="http://cryptzone.com">website</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/2012datasecurity/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Psychological Traits To Target Insider Cyber Criminals</title>
		<link>http://www.lok-it.net/blog/traits-to-target/</link>
		<comments>http://www.lok-it.net/blog/traits-to-target/#comments</comments>
		<pubDate>Wed, 14 Dec 2011 21:43:48 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[encrypted flash drive]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[secure flash drive]]></category>
		<category><![CDATA[USB encryption]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1777</guid>
		<description><![CDATA[This past week, Symantec released a report that the company commissioned to determine if there are similar psychological characteristics for identifying internal cyber criminals.  The focus of the report was on an organization’s employees and potential pathways that might lead an employee to become a cyber thief.  Titled “Behavioral Risk Indicators of Malicious Insider Theft of [...]]]></description>
			<content:encoded><![CDATA[<p>This past week, Symantec released a report that the company commissioned to determine if there are similar psychological characteristics for identifying internal cyber criminals.  The focus of the report was on an organization’s employees and potential pathways that might lead an employee to become a cyber thief.  Titled “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property:  Misreading the Writing on the Wall”, the report outlines the psychological factors and elements about people and even organizations that can contribute toward a risk of data theft by employees.</p>
<p><a href="http://www.lok-it.net/wp-content/uploads/cyber-crime11.jpg"><img class="alignright size-full wp-image-1780" style="margin: 5px;" title="cyber-crime1" src="http://www.lok-it.net/wp-content/uploads/cyber-crime11.jpg" alt="" width="300" height="300" /></a>Theft of intellectual property costs U.S. businesses more than $250 billion per year and the FBI in the past has reported that organizational insiders are the major component in the theft.   The report was researched and written by Dr. Eric Shaw and Dr. Harley Stock, experts with a background in psychological profiling and employee risk management.  With high profile cases mounting, it is clear that cyber crime is becoming a tactic for disgruntled employees to use when inflicting damage on an organization, business or government entity.</p>
<p>Most organizations employ some form of technology to fend off attacks by cyber criminals, but this report points toward utilizing psychological, criminological and sociological elements in boosting an organization’s defense against cyber crimes and also to catch the thief well before he or she inflicts severe damage.</p>
<p>Dr. Stock, a certified forensic psychologist and a managing partner with Incident Management Group (IMG), states, “In research, it says the typical person who conducts intellectual property theft is a 37-year old male Caucasian.  But we don’t want companies to get sidetracked by that.  Anybody at any given time is capable of stealing.  We tried to describe how they get on a critical pathway to IP theft, and how you can identify parts of that pathway.”</p>
<p>Dr. Shaw and Dr. Stock identified some key behaviors as well as indicators that can contribute to insiders stealing intellectual property.  Below are some of these as outlined in their report:</p>
<ol>
<li><em>Insider Criminals Often in Tech Positions</em> – not a big surprise, but the report notes that most are current employees, average age of 37 and work in engineering, science, research, and programming.  A large percent of these individuals have also signed an IP agreement as part of their employment contract.</li>
<li><em>Insider Criminals Have Accepted New Job</em> – the report notes that about 65% of those employees who commit an IP theft already have lined up a new job or start a new job around the time of the crime.  About 20% were recruited by an outside interest targeting information owned by the employing company.  And 25% gave the stolen information to a foreign company or country.  The information is typically stolen within a month of leaving.</li>
<li><em>Insider Criminals Take Information Accessible to Them</em> – 75% of criminal insiders stole information they had authorization to access.</li>
<li><em>Insiders Take Trade Secrets the Most</em> – 52% of the cyber theft insiders stole company trade secrets.  The next most taken information was billing information, price lists and other administrative data, stolen 30% of the time.</li>
<li><em>Professional Setbacks Often Lead to an Insider’s Slide Toward Criminal Behavior</em> – Most insider criminals take a path to theft and data crime when they get overlooked for a promotion, miss a bonus or have other financial needs not met by the business or organization.</li>
</ol>
<p>Organizations can implement a variety of measures to stop insider theft of data and intellectual property.  Some of these are as easy as being alert and knowing whether employees have an opportunity to steal data.    Understanding and acknowledging some of the traits outlined in the report will also help to establish policies and procedures that can help to reduce these pathways to insider criminal behavior.</p>
<p>If an employee steals information they have access to, there is little that can be done to stop it. Downloading files, sending via email, printing and even screenshots can gather the information the criminals want.  Of particular interest is that <strong>25% of criminals stole information that they didn’t have authorization to access</strong>.</p>
<p>In the case of <a href="http://www.lok-it.net/encrypted-flash-drive/">encrypted USB flash drives</a>, the way a criminal would steal the information on another employee’s encrypted flash drive would be to gain the employee’s password via insertion of undetectable keylogging malware on the employee’s PC.  Insertion of the keylogger could be as easy as sending them a link to a website that they would click on and thus become infected.  Then, the next time the employee uses their encrypted flash drive and enters the password on their keyboard, <em>Wham!</em>, the password is transmitted to the criminal.  Now the criminal simply grabs the flash drive at a convenient time.</p>
<p><em>All encrypted USB flash drives that use software authentication instead of <a href="http://www.lok-it.net/hardware-authentication">hardware authentication</a> are prone to this type of insider crime.</em></p>
<p>With software authentication, the password is entered via a keyboard and/or mouse. With hardware authentication, the user enters a PIN via an onboard keyboard (like the <a href="http://www.lok-it.net/">LOK-IT Secure Flash Drive</a>) or uses biometric identification.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/traits-to-target/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who is Responsible for U.S. Power Grid Cyber Security?</title>
		<link>http://www.lok-it.net/blog/power-grid-cyber-security/</link>
		<comments>http://www.lok-it.net/blog/power-grid-cyber-security/#comments</comments>
		<pubDate>Wed, 07 Dec 2011 19:02:02 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Government Computer News]]></category>
		<category><![CDATA[theft of government documents]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1765</guid>
		<description><![CDATA[Researchers at the Massachusetts Institute of Technology (MIT) recently came out with a recommendation to the U.S. government regarding the security of the nation’s electrical grid. The MIT report suggested that the federal government give a single federal agency full responsibility for securing the grid. In particular, they suggested that this agency be responsible for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.lok-it.net/wp-content/uploads/78436276-617x416.jpg"><img class="alignright size-medium wp-image-1767" style="border-width: 3px; border-color: black; border-style: solid; margin: 5px;" title="78436276-617x416" src="http://www.lok-it.net/wp-content/uploads/78436276-617x416-300x202.jpg" alt="" width="240" height="162" /></a>Researchers at the Massachusetts Institute of Technology (MIT) recently came out with a recommendation to the U.S. government regarding the security of the nation’s electrical grid. The MIT report suggested that the federal government give a single federal agency full responsibility for securing the grid. In particular, they suggested that this agency be responsible for cyber security preparedness and response/recovery across the power sector.</p>
<p>Today, there are a number of agencies and organizations that are involved in the security of the U.S. grid; however, no single organization is responsible for overseeing the security across all areas of the grid’s operations.</p>
<p>The report stated “This lack of a single operational entity with responsibility for grid cyber security preparedness, as well as response and recovery, creates a security vulnerability in a highly interconnected electric power system comprising generation, transmission and distribution.”</p>
<p>Noting in the report that as researchers they are not qualified to make recommendations to the government on what agency or government entity should take on this responsibility, they did mention that the U.S. Homeland Security, the Department of Energy or the Federal Energy Regulatory Commission (FERC) could step into this vital role. The FERC already oversees bulk power system security standards and seems the best option of all the agencies identified.</p>
<p>The White House did send a legislative proposal to Congress in the spring of 2011 that would give the Department of Homeland Security the power to develop a security infrastructure together with the electrical industry for the nation’s electrical grid.</p>
<p>The MIT report conceded that it is nearly impossible to fully protect and defend the electrical grid from cyber attacks. The researchers went on to say that even having standards and a centralized watchdog won’t make the grid completely secure from breaches and attacks. And any efforts will result in increased costs at a time of government budget constraints. The MIT researchers emphasized that the likelihood of a serious event happening is fairly low and the overall implications of such an event are difficult to put into a financial and national security context. However, an effort must be made to consolidate the responsibility, thereby ensuring the defense of the nation’s power grid.</p>
<p>The Bonneville Power Administration (BPA) has gotten a head start on data security, as it has been a longtime <a href="http://www.lok-it.net/usb-encryption">LOK-IT</a> customer. The BPA is a federal nonprofit agency based in the Pacific Northwest. BPA markets wholesale electrical power from 31 federal hydro projects in the Columbia River Basin, one nonfederal nuclear plant and several other small nonfederal power plants.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/power-grid-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>24/7 Mobile and App Based Internet Access Leaves Data Security Behind</title>
		<link>http://www.lok-it.net/blog/mobile-app-leaves-security-behind/</link>
		<comments>http://www.lok-it.net/blog/mobile-app-leaves-security-behind/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 17:08:05 +0000</pubDate>
		<dc:creator>Jeremy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[encrypted flash drive]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[mobile device]]></category>
		<category><![CDATA[theft of government documents]]></category>
		<category><![CDATA[USB encryption]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1745</guid>
		<description><![CDATA[When the Internet began to reach into the mass business and consumer markets in the 1990s, it was a static world.  If you wanted to send a message, research information or write a proposal, it involved a computer that had installed software to help you in your efforts.  At the office, there was a desktop [...]]]></description>
			<content:encoded><![CDATA[<p>When the Internet began to reach into the mass business and consumer markets in the 1990s, it was a static world.  If you wanted to send a message, research information or write a proposal, it involved a computer that had installed software to help you in your efforts.  At the office, there was a desktop computer and for consumers, there was even a room (e.g., the computer room) that was dedicated to this function.</p>
<p><a href="http://www.lok-it.net/wp-content/uploads/images.jpeg"><img class="alignright size-full wp-image-1746" style="border-width: 2px; border-color: black; border-style: solid; margin: 4px;" title="images" src="http://www.lok-it.net/wp-content/uploads/images.jpeg" alt="" width="257" height="159" /></a>Those simple days are gone in this exploding world of connected smartphones, iPads, tablets and laptops.  And with the addition of software-as-a-service and the myriad of applications available for business and consumer uses, there is an even larger move away from a closed-loop computer system.</p>
<p>It is clear that the previous method of a hardware-based operating system is gone.  With that departure, the many protections and security of data are gone as well.  With this ubiquitous computing in the “clouds” we no longer have all of the protections like firewalls, antivirus software and secured system coding.  The applications that are delivered via the Internet to either your mobile device or computer are the new operating systems.  With all of this “access”, it is no wonder that the number of breaches has increased and has affected hundreds of millions of consumers, businesses and government agencies.</p>
<p>This move toward applications that are delivered and operated “online” has also shifted the perceptions of who handles security and also how that security is handled.  Before it was up to the computer’s operating system and third-party software anti-virus solutions.  However now businesses must depend on expert coding within the applications that are frequently used.  As the use of these applications has increased, so has the linkage of all types of devices and applications.  Now your desktop is linked to your laptop, which is linked to your online email, which is linked to your smartphone and is linked to your social media outlet and so forth.  Now, all of that previously computer-based sensitive data and information has also moved onto the Internet.  The data is linked from one device to another and from one app to another.  Everything is interlinked now.  This means that it is possible for someone with access to the Internet to steal data.</p>
<p>But stealing data online is now only part of the issue.  There has been a shift and there must be another shift in thinking.  In particular, this paradigm shift means that the way data is secured must shift as well.  Now not only can an individual or a business be put at risk for data stolen via cyber hacks, but also that data can be physically stolen if a mobile phone is snatched or an iPad is stolen.  Now more than ever, data can be both digitally and physically taken.  This shift in usage must include a shift in thinking so that everyone understands that all digital information must be secured both online and offline.  The necessity to secure data in more ways than one will continue to grow as more and more applications are moved off the computer hard drive and into the “clouds”.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/mobile-app-leaves-security-behind/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Steps Organizations Can Take to Lock Down Information</title>
		<link>http://www.lok-it.net/blog/lockdowninformation/</link>
		<comments>http://www.lok-it.net/blog/lockdowninformation/#comments</comments>
		<pubDate>Tue, 22 Nov 2011 23:07:11 +0000</pubDate>
		<dc:creator>John</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data breach cost]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encrypted flash drive]]></category>
		<category><![CDATA[Government Computer News]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[theft of government documents]]></category>
		<category><![CDATA[USB encryption]]></category>
		<category><![CDATA[USB protection]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1707</guid>
		<description><![CDATA[For IT professionals, the daily drumbeat of information about data security breaches is constant.  Every day they hear about another breach of sensitive data from government agencies or the mishandling of private information of ordinary citizens by healthcare providers. Whether it is reports of hacks into the servers that control the water supply of a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.lok-it.net/wp-content/uploads/hacker-final1.jpg"><img class="alignleft size-medium wp-image-1709" style="border-width: 3px; border-color: black; border-style: solid; margin: 4px;" title="hacker-final" src="http://www.lok-it.net/wp-content/uploads/hacker-final1-300x199.jpg" alt="" width="240" height="159" /></a>For IT professionals, the daily drumbeat of information about data security breaches is constant.  Every day they hear about another breach of sensitive data from government agencies or the mishandling of private information of ordinary citizens by healthcare providers.</p>
<p>Whether it is reports of hacks into the servers that control the water supply of a major U.S. city or the cyber attacks on Citigroup, the privacy and protection of digital information has become a central issue for governments around the globe.</p>
<p>Mark Lobel, a principal with PwC consultancy, recently stated, “There are those who know that they’ve been breached and those that don’t.  If you connect with the Internet today, you’re getting scammed.”</p>
<p>Fortunately, the constant flood of news about breaches of security has created a sense of urgency for all governments and organizations.  Officials in advanced and developing countries are ramping up privacy and data protection laws.  As well, they are beefing up the enforcement of laws and regulations that are already on the books.</p>
<p>Until more safeguards are in place, it is up to the individual organization to make efforts to secure sensitive materials and information.  Security experts have outlined several steps that governments and other entities with sensitive data can take to both assess and secure digital data and information.</p>
<p>The first point in the process is to do a thorough assessment of the company or agency’s data.  Take inventory of what information and data needs to be secured and where it is.  An overall idea of how big the problem is or could be is the key element in this first step.</p>
<p>According to Karen Avery, a practice leader with Marsh Risk Consulting, it is very important for an organization to map out what information it has and its economic value in order to make good judgment calls on how to protect it.  She says, “What a criminal would do is map out the information value chain and look for the weakest link.  Taking this end-to-end approach allows you (the corporation) to understand where the weak links are and apply the appropriate solutions.”</p>
<p>The second step comes once the full extent of the organization’s data is known, at which point it becomes much simpler to protect.  The organization can control the data by placing controls on access.  This can take place in several ways.  For example, one method could be to restrict access to data to only a few employees.  The use of encryption is another method, making sensitive materials non-readable.</p>
<p>Jeremy Smith, practice leader in Willis’ London cyber-risk and data security team, says, “Once the sensitive data have been identified, companies can look at ways of protection against unauthorized disclosure.”  “One way,” Smith says, “is that data should be encrypted and sending to third parties should be limited.”</p>
<p>The final step is to be certain that there is good documentation on:  1.  The data server protection;  2.  The persons with access to the data or access points; and  3.  What other steps the company or agency has undertaken to keep data secure.  This will be important if there is a breach so that it can be easy to pinpoint where the hack occurred and possibly to pursue the criminals.  These steps are going to become more complicated as the move to cloud computing increases.  The distance the entity has from its sensitive materials will only increase the complexity of security.</p>
<p>The data breach response plan will reduce costs resulting from the breach and can be a way to provide proof to regulators, examiners and customers that there was sincere thought and good practices in place to protect the sensitive information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/lockdowninformation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Breaches On The Rise For Healthcare Industry</title>
		<link>http://www.lok-it.net/blog/healthcaredata/</link>
		<comments>http://www.lok-it.net/blog/healthcaredata/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 18:12:51 +0000</pubDate>
		<dc:creator>Jeremy</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyber theft]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[encrypted flash drive]]></category>
		<category><![CDATA[FIPS 140-2]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[hospital data]]></category>
		<category><![CDATA[secure flash drive]]></category>
		<category><![CDATA[USB encryption]]></category>

		<guid isPermaLink="false">http://www.lok-it.net/?p=1687</guid>
		<description><![CDATA[You are waiting patiently in the exam room for your doctor to return with the results of your physical exam and tests.  You are nervous, wondering if the news will be good, bad or the same as the last visit.   In a role reversal, the news for healthcare providers and related companies, unfortunately the news [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;"><a href="http://www.lok-it.net/wp-content/uploads/Unknown.jpeg"><img class="size-full wp-image-1690 alignright" style="border-width: 1px; border-color: black; border-style: solid; margin: 3px;" title="Unknown" src="http://www.lok-it.net/wp-content/uploads/Unknown.jpeg" alt="" width="184" height="138" /></a>You are waiting patiently in the exam room for your doctor to return with the results of your physical exam and tests.  You are nervous, wondering if the news will be good, bad or the same as the last visit.   In a role reversal, the news for healthcare providers and related companies is, unfortunately, extremely bad – especially when it comes to safeguarding all the private and personal data that they have access to from millions of Americans.  Data breaches against and within health care companies are at the forefront of cyber theft and are on the increase.</p>
<p style="text-align: justify;">Think of all the potential places that hackers could target to get private and valuable information when it comes to the health care industry:  insurance companies, health care providers, pharmacies, and all the other ancillary companies and entities that provide products and services to stay healthy.  All of these are regularly being hacked by thieves focused on stealing data and information from patients and doctors.</p>
<p>A watchdog website, PrivacyRights.org, has been keeping track of the breach statistics for various industries and businesses since 2005.  So far in 2011, out of 480 breaches, the healthcare industry experienced 170 of that total.  This is twice the number of breaches for any other industry that is listed on the website’s database.  Most of the data breaches (50 breaches contained at least 4 million records!) happened after portable data devices went missing. Many of these cases were breaches of information on missing or stolen laptops and <a href="http://www.lok-it.net/usb-encryption/">flash drives</a>.</p>
<p>This rise in healthcare data breaches is finally getting the attention of experts and governments.  There are multiple government entities (both the Executive and Legislative branches) looking into the situation.  In recent months, Congress has begun holding hearings to determine if there are any Federal measures that can be undertaken to reduce these breaches.  As well, the Health and Human Services Department is undertaking some risk surveys to determine what procedures and best practices are currently in place within the healthcare industry.</p>
<p>Here are some basic tips for IT professionals in the healthcare space:</p>
<ol>
<li>Do an assessment and identify critical assets.</li>
<li>Prepare a risk management program and process for the organization.</li>
<li>Develop security programs and procedures that are proactive.</li>
<li>Identify, secure and protect the most valuable information, perhaps by using encryption technology and hardware.</li>
<li>Be proactive in responding to threats.</li>
<li>Leverage security as a business enhancement to the organization rather than an added expenditure.</li>
<li>Realize that data is never entirely secure, but knowing how to detect, effectively respond and then minimize is the key.</li>
<li>Utilize the U.S. government&#8217;s proper encryption methodology; this is the <a href="http://gcn.com/articles/2011/09/05/review-of-the-lok-it-sdg003fm-4gb.aspx">FIPS 140-2 standard</a>.</li>
</ol>
<p>Let’s hope the next visit that your healthcare provider, pharmacy or insurance company makes to the Data Doctor ends with a clean bill of health rather than a &#8220;patient&#8221; in need of life support.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.lok-it.net/blog/healthcaredata/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

