Written on April 14, 2007
So I was skimming the trades and came across an article reporting that UPS lost a backup tape in January belonging to one of its customers, People’s Bank. The tape held data on 90,000 customers of the bank’s personal credit-line services: names, addresses and SSNs.
What is the cost of a data breach? The easiest part to quantify is the direct cost to People’s Bank, which must now field phone calls and letters, run internal investigations, submit to external audits, and pay for credit monitoring for its customers. Indirectly, both People’s Bank and UPS must contend with the media exposure a breach like this brings, with government investigation and intrusion into their business processes, and with the inevitable impact on brand and stock price for as long as consumers remember the incident.
There was a high-profile case in my neck of the woods a year and a half ago. Providence Health Systems of Portland, OR had system administrators take backup tapes off-site, meaning the tapes travelled outside the company’s control to the admins’ homes and vehicles. The tapes were stolen from the van of one of those system admins. They held PHI (protected health information) on some 350,000 patients of Providence.
A Providence official told the Portland Oregonian that the company expects the case to cost from $7 million to $9 million, excluding litigation fees. That figure includes the cost of providing affected patients with credit monitoring and restoration services, but it excludes any future claims, whether enforcement actions by state agencies or lawsuits by individuals harmed by the exposure.
The direct costs seem simple enough to compute, and there are noteworthy studies. Forrester recently looked at 28 companies that had suffered data breaches and estimated a cost of $90 to $305 per record, with the variation depending on the public profile of the breach and on the regulatory controls that apply to the data. At the low end of that range, the recent TJX theft of over 45 million records would carry a price tag of $4.05 billion (with a B).
Billions? Spending on stronger controls against data breaches looks like a more positive ROI all the time. Yet if we still need convincing, Darwin Professional Underwriters, an insurance company, analyzed data from media reports and other sources to build cost algorithms into an online calculator for the financial risk of data loss or exposure.
I tried the 45 million figure; it just didn’t go up that high. The calculator seemed to break. So I tried our earlier reference of 90,000 records lost from People’s Bank. That yielded a total estimate of $10.97 million in direct and indirect expenses resulting from the data theft.
Written on April 12, 2007
Yes, 14 of the machines apparently held classified information, and it’s suspected that the other six did as well. And this isn’t the first time the DOE has reported disappearing machines. According to the article, 269 computers were reported missing from the Idaho National Laboratory, and in 2005 an Apple G4, with its hard drive intact, was discarded by Los Alamos. In fact, according to the article:
In the past four years, audits have found more than 10 incidents of lost computers that had been used in designing, building, managing, or administering nuclear technology.
Excuse me – what?
It is amazing to me that the Department of Energy, an agency responsible for the nation’s nuclear program and for protecting classified information from espionage by foreign states, cannot perform basic asset management, let alone follow the NIST guidelines it is bound to as a federal agency for asset retirement and media sanitization (NIST SP 800-88 among them).
A couple of thoughts on this topic for the small business, so that you can practice stronger asset management than our nuclear laboratories:
1. Serialize every PC, laptop, or digital device. This used to be common practice when such assets were carried as capital; every authorized piece of equipment in your technical inventory should have a unique identifier (an asset tag), recorded alongside the manufacturer’s serial number.
2. Manage the unique identifiers in a database. This could be QuickBooks, Access, even Excel. Delegate this task to your IT administrator.
3. In the database, record the PO number and the vendor the asset came from.
4. As assets are removed from production, update the database. Do not delete the entry; simply mark the asset as retired.
In this way you maintain a complete chain of custody from purchase through use and disposition. The company gets a reasonable chain of custody and purview over its production assets, and a more thorough database can even help with budget forecasting when it comes to asset replacement.
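The four steps above, plus the disposal record the next list asks for, as an added example (this is not code from the original post): a small SQLite-backed register in which every asset carries a tag, serial number, PO number and vendor, status only moves forward from in service to retired to disposed, disposal is refused unless a sanitization method and a receipt reference are supplied, and rows can never be deleted. The table and column names and the three status values are this example’s own choices.

```python
"""Asset register with an append-only chain of custody, backed by SQLite.

Added example, not code from the original post. Table and column names and
the three status values are this example's own choices; the same fields fit
just as well in a spreadsheet or accounting package.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS assets (
    asset_tag   TEXT PRIMARY KEY,   -- unique identifier on the physical label
    serial_no   TEXT NOT NULL,      -- manufacturer's serial number
    description TEXT NOT NULL,
    po_number   TEXT NOT NULL,      -- purchase order the asset came in on
    vendor      TEXT NOT NULL,
    status      TEXT NOT NULL CHECK (status IN ('in_service', 'retired', 'disposed'))
);
CREATE TABLE IF NOT EXISTS custody_events (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    asset_tag TEXT NOT NULL REFERENCES assets(asset_tag),
    at_utc    TEXT NOT NULL,
    event     TEXT NOT NULL,        -- purchased / retired / disposed
    detail    TEXT NOT NULL         -- reason, sanitization method, receipt
);
-- Rows are never deleted; retiring or disposing keeps the history intact.
CREATE TRIGGER IF NOT EXISTS assets_no_delete BEFORE DELETE ON assets
BEGIN SELECT RAISE(ABORT, 'asset rows are never deleted; mark them retired'); END;
CREATE TRIGGER IF NOT EXISTS events_no_delete BEFORE DELETE ON custody_events
BEGIN SELECT RAISE(ABORT, 'custody events are append-only'); END;
"""


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_register(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def _log(conn, tag, event, detail):
    conn.execute(
        "INSERT INTO custody_events (asset_tag, at_utc, event, detail) VALUES (?, ?, ?, ?)",
        (tag, _now(), event, detail),
    )


def register_asset(conn, tag, serial_no, description, po_number, vendor):
    """Steps 1-3: tag the device and record where it came from."""
    with conn:
        conn.execute(
            "INSERT INTO assets VALUES (?, ?, ?, ?, ?, 'in_service')",
            (tag, serial_no, description, po_number, vendor),
        )
        _log(conn, tag, "purchased", f"PO {po_number} from {vendor}")


def _transition(conn, tag, from_status, to_status, event, detail):
    """Move an asset along in_service -> retired -> disposed; refuse anything else."""
    with conn:
        cur = conn.execute(
            "UPDATE assets SET status = ? WHERE asset_tag = ? AND status = ?",
            (to_status, tag, from_status),
        )
        if cur.rowcount != 1:
            raise ValueError(f"{tag}: not currently {from_status!r}")
        _log(conn, tag, event, detail)


def retire_asset(conn, tag, reason):
    """Step 4: pulled from production, entry kept."""
    _transition(conn, tag, "in_service", "retired", "retired", reason)


def dispose_asset(conn, tag, method, receipt):
    """Disposal is only accepted with the sanitization method and a receipt
    from whoever did the work, so the record answers 'how' as well as 'when'."""
    if not method.strip() or not receipt.strip():
        raise ValueError("disposal requires a sanitization method and a receipt reference")
    _transition(conn, tag, "retired", "disposed", "disposed", f"{method}; receipt {receipt}")


def status(conn, tag):
    row = conn.execute("SELECT status FROM assets WHERE asset_tag = ?", (tag,)).fetchone()
    return row[0] if row else None


def history(conn, tag):
    """Chain of custody for one asset, oldest first: [(event, detail), ...]."""
    rows = conn.execute(
        "SELECT event, detail FROM custody_events WHERE asset_tag = ? ORDER BY id", (tag,)
    )
    return [tuple(r) for r in rows]


def inventory(conn, status_filter=None):
    """Which assets are in circulation and which are inactive."""
    sql, params = "SELECT asset_tag, status FROM assets", ()
    if status_filter:
        sql, params = sql + " WHERE status = ?", (status_filter,)
    return conn.execute(sql + " ORDER BY asset_tag", params).fetchall()
```

The two triggers are the part worth copying whatever tool you actually use: a register that allows deletion is only as good as the last person who tidied it up, and the question an auditor asks is precisely about the machine that no longer appears in the list.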
In terms of data disposition, take nothing for granted:
1. Most states have regulations concerning electronic equipment and landfills; you must recycle the equipment through appropriate channels. Use them.
2. Remove the hard disk entirely, if possible. If you want to be thoroughly sure the drive can never be used again, take it into an appropriate space, grab a hammer, and smash it repeatedly, making sure the platters themselves are bent or shattered and not just the casing; platters that survive intact can be read by moving them into a donor drive. Not only is this therapeutic, it renders the drive worthless. Other authors recommend drilling four holes through the platters at 90-degree intervals; I think the hammer is more efficient and equally effective.
3. If the retired asset is a thumb drive or other digital media (a SIM card, say), again, use the patented hammer method, and make sure the memory chip itself is cracked, not just the plastic housing.
4. If the retired asset is being recycled for reuse, have a technology professional perform a zero-fill overwrite of the drive to reduce the risk of data remanence. Degaussing is for drives that will not be reused: it wipes the servo tracks and leaves a modern hard disk inoperable, and it does nothing at all to flash media.
5. Once an asset is retired, record in the database when it was disposed of and how, and keep a receipt from the agency or technician who did the work.
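The zero-fill step from item 4, with the check a practitioner wants afterwards, as an added example (not code from the original post): overwrite every byte with zeros, force the write cache out, then read the whole thing back and report the offset of the first byte that survived, so a partial wipe is caught before the machine leaves the building. It works on an ordinary file standing in for a retired drive so it can run anywhere; the chunk size, function names and the returned record are this example’s own choices. On a real disk you would hand it the raw device node from a live-boot environment with nothing on that disk mounted, after checking the asset tag twice.

```python
"""Zero-fill overwrite with read-back verification.

Added example, not code from the original post. Operates on a file that
stands in for a retired drive; CHUNK, the function names and the record
returned by sanitize() are this example's own choices.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB: keeps memory flat however large the media is


def _media_size(f):
    # stat() reports 0 for block devices, so size the media by seeking to its end.
    size = f.seek(0, os.SEEK_END)
    f.seek(0)
    return size


def zero_fill(path):
    """Overwrite every byte with 0x00, then force it out of the write cache.
    Returns the number of bytes written."""
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as f:
        size = _media_size(f)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            written += f.write(zeros[:n])
        f.flush()
        os.fsync(f.fileno())  # a wipe still sitting in cache is not a wipe
    return written


def verify_zeroed(path):
    """Read everything back. Returns (True, None) if every byte is zero, else
    (False, offset) of the first byte that survived, so the wipe can be redone."""
    with open(path, "rb", buffering=0) as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            if chunk.count(0) != len(chunk):
                return False, offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)


def sanitize(path):
    """Wipe, verify, and return the record that goes into the asset register."""
    written = zero_fill(path)
    ok, first_bad = verify_zeroed(path)
    return {"bytes_written": written, "verified": ok, "first_nonzero": first_bad}


# Helpers that build a test image: constructed data, not a real drive.
def make_sample_image(size):
    """Temporary file filled with random bytes, standing in for a used drive."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


def poison(path, offset):
    """Plant one non-zero byte, simulating a write that never reached the media."""
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(b"\xff")


if __name__ == "__main__":
    img = make_sample_image(3 * CHUNK + 17)
    print(verify_zeroed(img))  # still holds data: (False, <offset>)
    print(sanitize(img))       # {'bytes_written': 3145745, 'verified': True, 'first_nonzero': None}
    os.unlink(img)
```

A single pass of zeros, verified, is what NIST SP 800-88 calls "clear" for a magnetic disk, and it is enough for a drive that will be reused inside the company. It is not enough for flash: thumb drives and SSDs remap blocks behind the controller, so an overwrite through the device interface can leave old copies of data in cells it never touched. For those, use the device's own secure-erase command if it has one, or go back to item 3 and the hammer.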
In terms of best practices, the small business can now say, with a significant degree of confidence, that it knows where its assets came from and where they went; which assets are in circulation and which are inactive; and how they were disposed of and how their storage was sanitized to avoid data remanence.
Yes, you too can practice a level of IT governance through a simple process that, seemingly, our national nuclear scientists have difficulty following.
Written on April 9, 2007
So you read my latest post and learned that Vista’s backup utility just isn’t going to cut it, and, like me, you wondered what would ever motivate Microsoft to cripple native Windows backup like this in the first place. And you’ve had enough of wondering and you’re ready to find a better solution than the native Vista backup utility.
Here’s my recommendation: Genie-Soft Backup Manager (Home or Professional).
The Professional edition is a great application: all of the features you would expect in a robust backup utility, and a helpful user interface. The logs of the Professional version look and feel a lot like Veritas’ (now Symantec’s) Backup Exec. You can target file and network locations. What’s really slick are the active adapters that can back up Outlook’s *.pst contents and the Windows registry separately, just like the agents in Backup Exec.
Take a look: a full-featured demo is free for 15 days, and the cost of the Professional version, after rebate, was only around $45.
It’s a professional program for a professional world. I would highly recommend it. Now, why Microsoft crippled NTBackup in the first place is a discussion for another day!
Written on April 4, 2007
Well, if you haven’t heard it already, your XP backups made with ntbackup.exe will not restore in Vista. Vista “upgrades” backup to a new program that is entirely wizard-driven, selects what to back up by file type only, and creates spanned *.zip files instead of a single *.bkf file.
Oh, it gets even better. In the “new” backup, you can’t even select which files and folders you want, only file types across all of your volumes.
In effect, native backup is now entirely worthless in Vista, forcing you to buy a real backup program from some ISV. This could be a scary wake-up call if you did a clean install of Vista after backing up your drive’s contents with ntbackup.exe, only to learn that it isn’t available, and isn’t backwards compatible, in Vista. There is no facility to read the *.bkf file and even attempt a restore.
Yikes!
R
www.micklerandassociates.com
Written on April 3, 2007
>From: Richard Grams
>Would you have any good leads for a calendaring/collaboration system for an
>organization the size of 150 employees?
>I suppose I am wondering, would an MS investment be the most efficient business
>tool rather than something open-source or off brand that may require much more
>hands on tech time…
Well, first off: probably the best answer to your question is Exchange. In terms of TCO and licensing, this is going to be the best deal in town. I think anybody else in this market is kidding themselves: they just don’t have the mojo Microsoft has in the small business market.
Open source would be a significant gamble for a company that size. Yes, you might save a couple of thousand on the initial software licensing expense, but the long-term maintenance and management costs would likely be extraordinary.
If you want to play around with open source, I’d recommend Ubuntu Server (http://www.ubuntu.com/products/WhatIsUbuntu/serveredition).
A comparable groupware server (one that would work with Outlook over LDAP and POP3, or with an open source mail client like Evolution, see below) would be OpenGroupware.org (http://www.opengroupware.org/en/applications/index.html).
A good open source productivity suite that runs well on Windows or Ubuntu workstations: OpenOffice (www.openoffice.org).
Browser: Opera or Firefox.
And you’d need a PIM, because one doesn’t ship with OpenOffice; Evolution is the best in the open source market: http://www.gnome.org/projects/evolution/
The cost of setting up and managing an open source installation is diminishing rapidly. You’ll find, for example, that you can get an Ubuntu Server up and running in no time, and all of these other things are installable and configurable through standard UIs. The user and admin experience is a little different from managing a Windows-based client/server solution. Naturally, though, if the applications you’re looking to run require a Windows server or client, you’ll be SOL without an open source or Linux-kernel alternative. Making this kind of call would take significant planning on your part and an understanding of the needs of the organization.
If you want ease of use and administration, ease of deployment and maintenance, lower TCO, constrained support, automated patches and security management, affordable licensing, and a huge user/admin community – your answer is Microsoft.
Good luck to you, sir!
R
www.micklerandassociates.com