Verus Inc., a medical IT contractor, closed its doors after being implicated in exposing the sensitive information of five different hospitals across the country. The contractor was responsible for maintaining the websites and services of 40 to 60 different US hospitals nationwide. Most large companies depend on outside contractors to perform similar services on their behalf, and most of the time companies just assume the contractor has the knowledge and experience necessary to handle their confidential information. Before releasing sensitive information to outside contractors, it is imperative that you make sure the contractor has policies and procedures in place that meet or exceed your own internal standards.
All five incidents occurred when an employee shut down a firewall during the transfer of data from one server to another. This huge mistake would have been easily preventable if the company had had standard procedures in place for transferring confidential information, and better employee training to make sure everyone involved in the process knew and understood the guidelines. All told, the personal information of over 80,000 different patients from five different hospitals was exposed.
After knowledge of the security breaches became public, all of the hospitals terminated their contracts with Verus, but irreparable damage was already done. The most damage was done to the five hospitals that lost patient information. The affected patients will hold the hospitals responsible for the information loss, even though it was the contractor’s fault. Even the hospitals whose patient information wasn’t exposed had their reputations tarnished by the incident; after all, it was only by chance that the other hospitals lost data and not them.
Everyone who handles your confidential information is at risk of losing it, and your company will be held responsible if it ever happens. No matter how good your own internal policies and procedures are, information loss can still occur if you don’t frequently audit those of your contractors, partners, and resellers.
Businesses large and small must guard against outside threats each and every day. Businesses are constantly under attack, and the weakest point will be exploited. These threats come in many forms: employees, hackers, or natural disasters. Each one can cause equal damage.
According to PC Magazine, “Forrester estimates that 39% of small businesses will ‘significantly upgrade their security environment’ and 44% will ‘significantly upgrade their disaster recovery capabilities’ this year.”
It’s even more important for small businesses to protect themselves from threats because the aftermath can be devastating.
The first step in protecting your small business is to have a Disaster Plan.
“According to the National Archives & Records Administration, 93 percent of companies that had trouble restoring their data after a disaster were out of business within 18 months.”
A disaster plan should include ways to prevent your data from being exploited. This can be done by defining proper policies within your company. It should also define the procedures you will use to protect your data. If someone breaks your policy, whether it be an employee, contract worker, or outside element, you should have a procedure in place to make sure that data doesn’t get compromised. Finally, if your data is compromised, you need to be able to remove it from public view. If your proprietary information is being displayed on websites or other places on the Internet, you need a plan to take that information down. This is where the services from webArgos become invaluable.
“With today’s technology and tools, keeping a business safe doesn’t have to be a difficult or time-consuming process.”
On July 23rd an anonymous person was able to find the password to one of Fox’s secure servers in plain sight. Unfortunately, this is not an uncommon occurrence: one person making a small oversight can put millions of dollars of company information at risk. While browsing around the Fox News website (www.foxnews.com), the person stumbled across a file which contained the username and password for a highly secure FTP server. Luckily, this person chose to publicly expose the flaw instead of exploiting it or selling it to a malicious hacker. Fox was able to patch the information leak by quickly changing the password to their server, but since the exploit had already been made public, there was still a great deal of damage done to their reputation. As a major news outlet, much of their business depends on them being able to keep confidential information secure until they are ready to release it to the public. Leaks like this could cause potential sources to think twice before sending them sensitive information; or even more importantly, it could cause mistrust among their viewership.
The only way to prevent leaks like this is through frequent and thorough security audits. Oftentimes, internal teams do not have the time or resources necessary to conduct these audits frequently enough. It is unknown how long the Fox News password was publicly available, but it is likely that a well-implemented monitoring program would have found the password first, notified Fox News, and allowed them to fix the problem before it became public.
Recently several highly classified documents were discovered on public government servers. These documents included detailed schematics of a military detainee holding facility in southern Iraq, geographical surveys and aerial photographs of two military airfields outside Baghdad, and plans for a new fuel farm at Bagram Air Base in Afghanistan. Anyone could log in as a guest to the public FTP server and download these documents to their personal computers. It is hard to believe, but this kind of information is mistakenly posted on public servers all the time:
“In a survey of servers run by agencies or companies involved with the military and the wars in Iraq and Afghanistan, The Associated Press found dozens of documents that officials refused to release when asked directly, citing troop security.”
The officials in the military had no idea these documents had been leaked by careless employees and contractors until they were discovered by private citizens and sent to news organizations. Even though these documents posed an immediate threat to troop security, they were still able to slip through the tight security regulations of the US military. This is a prime example of why, no matter how good you think your organization’s security procedures are, it is still in your best interest to retain a third-party monitoring service to find leaks like this as soon as they occur.
Most of the time, companies don’t even realize it when they are at risk for information loss. The threat of losing confidential and proprietary information on the web is still so new that many companies have not implemented procedures and best practices to ensure that their intellectual property is safe. We have just launched a free quiz that companies can take to find out if they are at risk or not. If you are interested in learning more about what your company can do to protect its information, contact us today for a free assessment.
A company’s former employees are a significant threat for confidential information loss. If not managed properly, they can post insider information to one site on the web, which can in turn spread like wildfire until there is no way for the company to contain the loss of information. In one recent high-profile case, a former Dell Sales Manager posted a list of “22 confessions” outlining how a person could cheat Dell’s system to get cheaper computers than otherwise possible, abuse the warranty system to get new laptops after a model is no longer in production, and get bargains on printer cartridges from “cool” kiosk employees, along with many more secrets and strategies that only a company employee would know. The information quickly spread across the internet, but the way that Dell handled the incident caused it to become a PR disaster for the company. Read our in-depth case study here.
Yesterday, Google signed an agreement to purchase email security and compliance provider Postini for $625 million in cash. This is a large amount, and it comes as Google takes the next steps to provide business-level email services through its Gmail brand name.
Google had to do this because security is a very important concern for any business using its services. A security breach can cost a company a lot of money and time, both to resolve the breach and to prevent it from happening again.
Do your clients trust you with their private information? What would happen if your clients’ private information was released to the public? If your company isn’t using security measures to protect private information, you are leaving yourself open to lawsuits. There are countless examples of courts ruling against companies that have not provided security measures in their business, and the negative publicity can be devastating to a company’s sales and brand name.
Take the extra step and make sure you have your business protected with security measures in place. If it’s good enough for Google, shouldn’t it be good enough for your company?