What you need to know about GDPR

What is GDPR?

GDPR is the European Union's General Data Protection Regulation.
It is popularly known as the 'right to be forgotten' rule, although that right is only one part of it. The intent of GDPR is to protect the data privacy of European Union (EU) citizens, yet its implications reach well beyond Europe's borders.

Why do EU citizens need GDPR?

In most of the world, individuals have little real awareness of how much data is stored about them, some of it accurate and some quite the opposite.


If I find an error-strewn rant about my small business somewhere online, my ability to correct it, or even have it removed, is limited almost entirely to posting a counter-statement or begging whoever owns the content to take it down. I have no real legal recourse short of a costly, and probably doomed, lawsuit.
The EU sought to change this for its citizens, and thus GDPR was born.
In December 2015, the long process of negotiating a new legal framework to secure the rights of EU citizens was completed. The regulation was formally adopted in April 2016 and becomes enforceable on May 25th of this year (2018).

There are two primary components to the EU's data protection reform package.

  1. The General Data Protection Regulation, or GDPR, is designed to give individuals more control over their personal data.

It is hoped that these modernized and unified rules will allow companies to make the most of digital markets by reducing regulatory fragmentation, while regaining consumers' trust.

  2. The Data Protection Directive for the police and criminal justice sector is the second component.

It ensures that law enforcement bodies can protect the rights of those involved in criminal proceedings, including victims, witnesses, and other parties.

It is also hoped that the unified legislation will make cross-border cooperation between law enforcement agencies easier, while giving prosecutors better tools to combat criminal and terrorist activity.

Key components of GDPR

The regulation is intended to establish a single set of rules across Europe, designed to make it simpler to do business across the EU. Organizations become subject to the regulation simply by processing the personal data of individuals in the EU, regardless of where the organization itself is established.

Personal Data

Personal data is defined by both the directive and GDPR as information relating to a person who can be identified directly or indirectly in particular by reference to name, ID number, location data, or other factors related to physical, physiological, mental, economic, cultural, or related factors (including social identity).
In practice this means that IP addresses, cookie identifiers, device identifiers and similar data will be regarded as personal data whenever they can be linked back to an individual.
The regulation separates the responsibilities and duties of data controllers from those of data processors, obligating controllers to engage only those processors that provide "sufficient guarantees to implement appropriate technical and organizational measures" to meet the regulation's requirements and protect data subjects' rights.
Controllers and processors are required to "implement appropriate technical and organizational measures", taking into account "the state of the art and costs of implementation" and "the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals".

Security actions “appropriate to the risk”

The regulation (Article 32) also gives specific examples of security measures that may be considered "appropriate to the risk", including:

  • The pseudonymization and/or encryption of personal data.
  • The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems and services processing personal data.
  • The ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the processing.

Controllers and processors that adhere to an approved code of conduct or an approved certification mechanism may use that adherence to help demonstrate their compliance.
The controller-processor relationship must be documented and managed through contracts that set out the processor's data protection obligations.

Enforcement and Penalties

There are substantial penalties for organizations that fail to comply with the regulation.
Regulators will have the authority to issue fines of up to €10 million or 2% of the entity's total worldwide annual turnover, whichever is greater, for violations of record-keeping, security, breach-notification and data protection impact assessment obligations. Violations of obligations relating to the legal basis for processing (including consent), data subject rights, and cross-border data transfers may attract double those amounts: up to €20 million or 4% of worldwide annual turnover.
It remains to be seen how consistently the supervisory authorities tasked with enforcement will apply them.

Data Protection Officers

Data Protection Officers must be appointed by all public authorities, and wherever the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale", or where the entity conducts large-scale processing of "special categories of personal data": personal data revealing racial or ethnic origin, political opinions, religious belief, and the like. This likely captures large firms such as banks, Google, Facebook, and similar companies.
It should be noted that there is NO exemption based on organization size; small start-up firms are covered as well.

Privacy Management

Organizations will have to think harder about privacy. The regulation mandates a risk-based approach, in which the organizational and technical controls must be proportionate to the risk associated with the processing activities.
Where processing is likely to result in a high risk to individuals, a data protection impact assessment must be carried out, with the focus on individual rights.
Privacy-friendly techniques such as pseudonymization are encouraged so that organizations can reap the benefits of big-data innovation while protecting privacy.
There is also an increased focus on record keeping for controllers.

Consent

Consent is a newly defined term in the regulation.
It means "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by clear affirmative action, signifies agreement to personal data relating to them being processed". Consent must be given for specified, explicit, and legitimate purposes.
Consent must also be demonstrable: the controller has to be able to show that it was obtained. Withdrawal of consent must be clear, and as easy to execute as the initial act of giving it.

Profiling

Profiling is now defined as any form of automated processing of personal data used to evaluate certain personal aspects of a natural person, in particular "to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements".

This will certainly affect marketers, since individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them, unless they have explicitly consented or another narrow exception applies.
There is more, including details on breach notification.
It's important to note that the regulation's definition of a personal data breach covers accidental or unlawful destruction, loss or alteration of personal data, not only unauthorized disclosure, so willful destruction of data is dealt with as severely as a leak.

Data Subject Access Requests

Individuals will have more information about how their data is processed, and this information must be provided in a clear and understandable way, normally free of charge.
Where requests are manifestly unfounded or excessive, controllers may charge a reasonable fee or refuse to act on the request.

Right to be Forgotten

This area, while much written about, will require some further clarification, as there are invariably downstream implications the regulations haven’t begun to address. Yet the intent of “right to be forgotten” is clear; individuals have certain rights, and they are protected.

Think you’re ready for GDPR?

Is your business really ready for GDPR? What measures have you taken to ensure you’re in compliance?
With the GDPR taking effect this coming May, companies around the world have a long, potentially costly, road ahead of them to demonstrate that they are worthy of the trust that so many individuals place in them.

America Needs An Education On Software Asset Management (SAM)

I recently had the privilege of attending (and co-sponsoring) the IBSMA SAM Summit in Chicago with some colleagues. It was a fantastic event with great sessions, a wonderful format and venue and amazing networking opportunities. Representatives were in attendance from all of the major software vendors and many tool companies, alongside SAM consultancies like TxMQ.
What I noticed right away, though, was the skewed attendance. It’s wonderful seeing so many foreign firms travel thousands of miles to attend a conference in the US, but I’m really surprised by the lack of American and Canadian firms in attendance.
I have a theory I’ve been forwarding on why. Like many of my theories, this one’s based on a limited sampling of statistically insignificant data sets. So please give me a lump or two of salt for starters.
First, some contextual background: It’s clear to any informed American that we, as a nation, excel at many things. We eat well, spend well, vacation well, enjoy the finer things in life when we can afford them (and oftentimes when we cannot), and we love kicking problems down the road. Denial is more than an art form. It’s a social science.
Social Security reform? Not my problem – let future generations deal with it. National debt? Please. My kids and grandkids can pay that off. The environment? Fossil-fuel consumption? Hardly seems to be an issue for my generation.
And US management is too often focused on putting out fires, instead of building fireproof things. So it shouldn’t have been a surprise to see so few American firms interested in understanding and investing in compliance improvement and best practices.
We must work to change the culture of America at a macro level, that much is clear. But we can all work today to change the culture of our workplaces to embrace SAM and declare it a must-do effort – not a future “nice to do if we get audited” thing.
Software Asset Management should NOT be undertaken as an audit-defense practice, but as a part of an overall corporate strategic leadership. Corporate best practice should be to have a tightly integrated leadership organization that includes a SAM leader alongside corporate-compliance officers, security officers and financial overseers.
From software-renewal-agreement negotiations to better alignment between software usage and needs, SAM brings tremendous goodness to organizations.
I’ve written separately on much of the value of SAM, as have many others, so I won’t get into a deep-dive here. But I will say again that a well-run company, with a solid SAM program, delivers greater value to its shareholders by:

  • Minimizing waste (like unused software and entitlements)
  • Maximizing efficiency (by limiting the wasted time replatforming out-of-compliance software or applications)
  • Creating a more positive environment for stakeholders (there’s less stress and worry because there’s less uncertainty and confusion around assets and their allocation or disposition)

Let’s all do our part to help educate our workplaces on SAM as a necessary part of corporate governance and leadership. I’m ready to start the conversation: mailto:[email protected].

Hacking into Healthcare: Why hackers want health data and how healthcare SMBs can protect their patients

As I was reading about Cedars-Sinai's recent implementation of Bottomline's Healthcare Data and Security Solution, I couldn't help but wonder: why is patient data at risk in the first place?
Clearly, we can all understand why big box shops like Target and Home Depot were hacked; credit card numbers are better than cash. Siphoning electronic funds is the digital age’s form of Bonnie and Clyde-style bank robbing. So, realistically, what could a hacker possibly stand to gain from breaching healthcare data security and gaining access to my records?
After consulting with a few colleagues in the healthcare industry, I realized there is one extraordinarily valuable piece of information that all U.S. residents have: a Social Security number. With that nine-digit treasure chest, individuals with more nefarious tendencies can open a line of credit under your SSN, file for a fraudulent tax refund and open financial accounts. But that's not all.
Medical identity theft was up 40 percent in 2013. Stolen health credentials go for about $10 each, double and sometimes triple the black-market value of credit card numbers. This information can be used in hundreds of ways, but what the thieves are really after is your identity.
In only a few of the cases I found were attackers actually interested in your maladies. Social Security checks, yes; credit lines, yes; your latest blood pressure reading? Not so much. But it does happen. Mostly, though, they breach healthcare data security so they can pretend to be you and convince a bank that they are you, which is far more valuable than a health history.
So that's why protecting patient data is extremely important to healthcare organizations. It isn't just about keeping the world from knowing about your heart condition, although that certainly is one reason. It's about what people are capable of doing once they get hold of all the information they need to take control of your financial credibility. Cedars-Sinai's decision to implement Bottomline puts them one step further away from a reputation-damaging data breach.
That being said, what can smaller companies do for healthcare data security? Bottomline has a price tag that could bankrupt small specialty providers. What are the security options out there for the healthcare SMBs?
While there are many options out there, IBM has a whole arsenal of data, application and integration security options, many of which are scalable for both size and budget. Fortune 500s all the way to private locally-owned practices can benefit from a number of these solutions. These security products are packaged to meet individual organizations' needs, ranging from identity protection to fraud prevention, from encryption to vulnerability assessment. How do you know what's right for you? As an IBM Business Partner, TxMQ assists companies with the selection, deployment and maintenance of enterprise security options. As experts in securely integrating solutions in the cloud, we can not only help make your patient records more secure, but we can help you digitize them, as well. We'll stay with you for as short or as long as you need us.
Photo from BrainFoodTV.com

Upgrade Windows Server 2003 (WS2003) – Do It Today

Another day, another end-of-support announcement for a product: On July 14, 2015, Windows Server 2003 (WS2003) goes out of support.
Poof! Over. That’s the bad news.
What's the upside? Well, there isn't really an upside, but rest assured that it won't stop working. Systems won't crash, and software won't stop running.
From the standpoint of security, however, the implications are rather more dramatic.
For starters, this automatically means that anyone running WS2003 will be out of compliance with the PCI DSS, which requires that systems be protected from known vulnerabilities by installing vendor security patches. So if your business falls under these requirements (and if it accepts any credit cards, it certainly does), the clock is ticking. Loudly.
There'll be no more security patches, no more technical support and no more software or content updates after July 14, 2015. Most importantly, this information is public. Attackers typically target systems they know to be out of support, because any vulnerability found after that date will never be fixed. The only real solution is to upgrade Windows Server 2003 today.
TxMQ consultants report that a large percentage of our customers' systems run on Windows Server, and some percentage of those are still on WS2003. There are no terms strong enough to convey the need to get in touch with TxMQ, or your support vendor, for an immediate plan to upgrade Windows Server 2003 and affected systems.
Server migrations oftentimes take up to 90 days, while application migrations can take up to 2 months. Frankly, any business still running WS2003 doesn't have 60 days to upgrade, let alone 90. So please make a plan today for your migration/upgrade.

IRS Get Transcript Breach – The Agency Didn't Adequately Prepare

The announcement came yesterday: Chinese hackers had breached the federal government’s personnel office. In isolation, this might seem a single event. But when viewed in the grouping of several other top-level hacks, it becomes clear that the federal government is extremely vulnerable.
One clear parallel was the recent IRS Get Transcript breach, announced in late May, which is believed to trace to Russia. The information was taken from an IRS website called Get Transcript, where taxpayers can obtain previous tax returns and other tax filings. To access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including Social Security number, date of birth, tax-filing status and street address. The IRS believes the criminals originally obtained this information from other sources and were using the IRS website to gather even more information about the taxpayers, which would help them claim fraudulent tax refunds in the future. Might the information in the more recent hack also provide the fuel for a future hack? Quite likely, in my opinion.
What’s especially bothersome to me is the IRS had received several warnings from GAO in 2014 and 2015. If the warnings had been implemented, there would have been less of an opportunity for the attack. The IRS failed to implement dozens of security upgrades to its computer systems, some of which could have made it more difficult for hackers to use an IRS website to steal tax information from 104,000 taxpayers.
In addition, the IRS has a comprehensive framework for its cybersecurity program, which includes risk assessment for its systems, security-plan development, and the training of employees for security awareness and other specialized topics. However, the IRS did not correctly implement aspects of its program. The IRS faces a higher statistical probability of attacks, but was unprepared. Let’s face it: The US federal government is a prime target for hackers.
The concern here, of course, is the grouping of attacks and the reality that the US government must be more prepared. I’ve managed IT systems and architecture for more than 3 decades and I’ll say this: The IRS testing methodology wasn’t capable of determining whether the required controls were in effective operation. This speaks to not only physical unpreparedness, but a general passive attitude toward these types of events and the testing protocols. The federal government doesn’t adequately protect the PII it collects on all US citizens, and simply sending a letter to those impacted by a breach is not enough to prevent recurrence in the future.
I don't need to tell you that. The GAO told the IRS the same thing: "Until IRS takes additional steps to (1) address unresolved and newly identified control deficiencies and (2) effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure."
These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial-reporting systems prior to the IRS Get Transcript Breach.
Author Note: In my next blog on security, I’ll talk about the NIST standard for small businesses, with recommendations to prepare and protect in the wake of these high-level breaches.
(Photo by Ray Tsang)

What The Premera Breach Teaches Us About Enterprise Security

By TxMQ Middleware Architect Gary Dischner
No surprise to hear of yet another breach, this time at Premera Blue Cross. The company became aware of a security breach on Jan. 29, 2015, but didn't begin to notify anyone involved (including the state insurance commissioner) until March 17, nearly seven weeks later. The actual intrusion took place in May 2014 and may affect 11 million customer records dating back to 2002.
As with many companies that experience a security breach, the long delay in first identifying and confirming that a breach had occurred, coupled with the typical delays in assessing it and providing notification, led the state insurance commissioner to fault Premera for untimely notification. The HIPAA Breach Notification Rule requires that affected individuals be notified without unreasonable delay and in no case later than 60 days after discovery; for breaches affecting more than 500 individuals, the HHS Secretary and prominent media outlets must be notified within the same window, and state insurance regulators impose their own, often shorter, reporting requirements on insurers. Many companies, including Premera, just aren't equipped with the tools and security-management processes to handle these incidents. Consequently, Premera is now being sued by the state insurance commissioner.
A company found guilty of late notification should concern the public: there is at least the appearance of a general lack of concern over both the impact and severity to its customers, partners and constituents. Premera Blue Cross has responded to its own behavior with efforts to protect itself and to cover up details of the incident, rather than being forthright with information so that those impacted can take the steps needed to protect themselves from further exposure and potential consequences, such as fraud and identity theft.
A secondary concern is the lack of security-management measures around protected data at many companies. In this case, the audit recommendations, which had been provided to Premera on Nov. 28, 2014, found serious infractions in each of the following domains:

  • Security management
  • Access controls
  • Configuration management
  • Segregation of duties
  • Contingency planning
  • Application controls specific to Premera’s claims-processing systems
  • HIPAA compliance

More and more companies are being reminded of their data exposures and related risks, but remain slow to respond with corrective measures. Companies of high integrity will take immediate responsive measures and openly express concern for the repercussions of the exposure. Companies that do not? They should be dealt with severely. Let this Premera example serve, as the Anthem breach did, as a warning to every company holding sensitive data. As a customer or business partner, let them know you expect them to take every measure to protect your healthcare and financial information.
And in closing, let’s all take away a few lessons learned. Security assessments must become a regular operational function. Self-audits demonstrate a company’s high integrity and commitment to identifying process improvements for security management. Such efforts should be assessed quarterly with reports to the company board to make sure every vulnerability is remediated and customers who are working with the company are protected. After all, it’s only the company that can secure its own technical environments.
Photo by torbakhopper

POODLE Vulnerability In SSLv3 Affects IBM WebSphere MQ

Secure Sockets Layer version 3 (SSLv3) is largely obsolete, but some software still falls back to this version of the protocol when negotiation of a newer one fails. The bad news is that SSLv3 contains a design flaw that exposes systems to a practical attack. The vulnerability is nicknamed POODLE (CVE-2014-3566), which stands for Padding Oracle On Downgraded Legacy Encryption.

The vulnerability does affect IBM WebSphere MQ because SSLv3 is enabled by default in MQ.
IBM describes the vulnerability like this: "IBM WebSphere MQ could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections."

The vulnerability affects all versions and releases of IBM WebSphere MQ, IBM WebSphere MQ Internet Pass-Thru and IBM Mobile Messaging and M2M Client Pack.

To harden against the vulnerability, disable SSLv3 on all WebSphere MQ servers and clients and use the TLS protocol instead. More specifically, a WebSphere MQ channel selects either the SSL or the TLS protocol from its CipherSpec (the SSLCIPH channel attribute). The following CipherSpecs are associated with the SSLv3 protocol, and channels that use them should be changed to a TLS CipherSpec:

  • AES_SHA_US
  • RC4_SHA_US
  • RC4_MD5_US
  • TRIPLE_DES_SHA_US
  • DES_SHA_EXPORT1024
  • RC4_56_SHA_EXPORT1024
  • RC4_MD5_EXPORT
  • RC2_MD5_EXPORT
  • DES_SHA_EXPORT
  • NULL_SHA
  • NULL_MD5
  • FIPS_WITH_DES_CBC_SHA
  • FIPS_WITH_3DES_EDE_CBC_SHA

On UNIX, Linux, Windows and z/OS platforms, FIPS 140-2 compliance mode (SSLFIPS(YES) on the queue manager or client) enforces the use of the TLS protocol. IBM publishes a summary of MQ CipherSpecs, their protocols and FIPS compliance status in the WebSphere MQ documentation.

On the IBM i platform, use of the SSLv3 protocol can be disabled at the system level by altering the QSSLPCL system value. Use Change System Value (CHGSYSVAL) to modify QSSLPCL, changing the default value of *OPSYS to a list that excludes *SSLV3. For example: *TLSV1.2, *TLSV1.1, *TLSV1.
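As an added example (not IBM's or TxMQ's code) of how to find the channels that need changing, the following POSIX shell script parses the output of the runmqsc command DISPLAY CHANNEL(*) SSLCIPH, flags every channel whose CipherSpec is in the SSLv3 list above, and generates the matching ALTER CHANNEL statements. It assumes the usual runmqsc layout of CHANNEL(...) CHLTYPE(...) followed by SSLCIPH(...) on the next line, and uses TLS_RSA_WITH_AES_128_CBC_SHA256 as the replacement CipherSpec; both are assumptions, and the sample runmqsc output is constructed rather than captured from a real queue manager.

```shell
# Added example, not IBM's or TxMQ's code: find WebSphere MQ channels still
# using an SSLv3 CipherSpec and generate the MQSC to move them to TLS.
# Assumptions: runmqsc prints "CHANNEL(x) CHLTYPE(y)" followed by "SSLCIPH(z)"
# for each channel; the replacement CipherSpec is one your partners support.

# SSLv3 CipherSpecs named in IBM's POODLE bulletin for WebSphere MQ
SSLV3_CIPHERSPECS="AES_SHA_US RC4_SHA_US RC4_MD5_US TRIPLE_DES_SHA_US
DES_SHA_EXPORT1024 RC4_56_SHA_EXPORT1024 RC4_MD5_EXPORT RC2_MD5_EXPORT
DES_SHA_EXPORT NULL_SHA NULL_MD5 FIPS_WITH_DES_CBC_SHA FIPS_WITH_3DES_EDE_CBC_SHA"

# Replacement TLS CipherSpec (assumption; override in the environment)
REPLACEMENT_CIPHERSPEC="${REPLACEMENT_CIPHERSPEC:-TLS_RSA_WITH_AES_128_CBC_SHA256}"

# is_sslv3_cipherspec NAME -> exit status 0 if NAME is an SSLv3 CipherSpec
is_sslv3_cipherspec() {
    for c in $SSLV3_CIPHERSPECS; do
        [ "$1" = "$c" ] && return 0
    done
    return 1
}

# find_sslv3_channels: reads "DISPLAY CHANNEL(*) SSLCIPH" output on stdin and
# prints "NAME CHLTYPE CIPHERSPEC" for every channel on an SSLv3 CipherSpec.
# Channels with SSLCIPH( ) (no SSL/TLS configured at all) are skipped.
find_sslv3_channels() {
    awk '
        /CHANNEL\(/ {
            match($0, /CHANNEL\([^)]*\)/); name = substr($0, RSTART + 8, RLENGTH - 9)
            match($0, /CHLTYPE\([^)]*\)/); type = substr($0, RSTART + 8, RLENGTH - 9)
        }
        /SSLCIPH\(/ {
            match($0, /SSLCIPH\([^)]*\)/); ciph = substr($0, RSTART + 8, RLENGTH - 9)
            gsub(/ /, "", ciph)
            if (ciph != "") print name, type, ciph
        }
    ' | while read -r name type ciph; do
        if is_sslv3_cipherspec "$ciph"; then
            echo "$name $type $ciph"
        fi
    done
}

# mqsc_fix_commands: turns each finding into an ALTER CHANNEL statement.
# Feed the result to runmqsc only after the partner end of each channel has
# been moved to a matching CipherSpec, then restart the channel.
mqsc_fix_commands() {
    find_sslv3_channels | while read -r name type ciph; do
        echo "ALTER CHANNEL('$name') CHLTYPE($type) SSLCIPH('$REPLACEMENT_CIPHERSPEC')"
    done
}

# Constructed sample of runmqsc output (not captured from a real queue manager)
sample_runmqsc_output() {
    cat <<'EOF'
     1 : DISPLAY CHANNEL(*) SSLCIPH
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   SSLCIPH( )
AMQ8414: Display Channel details.
   CHANNEL(TO.PARTNER)                     CHLTYPE(SDR)
   SSLCIPH(TRIPLE_DES_SHA_US)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   SSLCIPH(RC4_MD5_US)
AMQ8414: Display Channel details.
   CHANNEL(FROM.PARTNER)                   CHLTYPE(RCVR)
   SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA256)
One MQSC command read.
No commands have a syntax error.
All valid MQSC commands were processed.
EOF
}

# Real use:  echo "DISPLAY CHANNEL(*) SSLCIPH" | runmqsc QM1 | find_sslv3_channels
# Dry run:   sample_runmqsc_output | mqsc_fix_commands
```

The generated ALTER commands change only this queue manager's side of each channel. A CipherSpec must match at both ends, so the partner's channel definition (or the client channel definition table for CLNTCONN channels) has to be updated to the same TLS CipherSpec and the channel restarted before the change takes effect, otherwise the channel simply stops starting.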

TxMQ is an IBM Premier Business Partner and “MQ” is part of our name. For additional information about this vulnerability and all WebSphere-related matters, contact president Chuck Fried: 716-636-0070 x222, [email protected].

TxMQ recently introduced its MQ Capacity Planner – a new solution developed for performance-metrics analysis of enterprise-wide WebSphere MQ (now IBM MQ) infrastructure. TxMQ’s innovative technology enables MQ administrators to measure usage and capacity of an entire MQ infrastructure with one comprehensive tool.
(Photo from J Jongsma)

Shellshock / Bash Bug Vulnerability Bulletins And Fixes

Today’s breaking news of the Unix “Shellshock” vulnerability reminds me instantly of the famous auror-turned-Hogwarts-professor Alastor Moody, who preaches that the fight against the dark arts demands “Constant Vigilance.” Same for cybersecurity. Constant Vigilance.
Consider: The Heartbleed issue affected potentially 500,000 machines worldwide. The new Shellshock (or “Bash Bug”) could potentially affect 500 million.
Cures for the Shellshock vulnerability, at the time of this writing, are still being sorted out. It affects Unix-based operating systems such as Linux and Mac OS X and, wherever Bash can be reached with attacker-controlled environment variables (CGI scripts, certain SSH and DHCP client configurations), allows a remote attacker to execute arbitrary code on the affected system. The weakness lies within the Bash (Bourne-Again Shell) command interpreter, which executes commands appended to function definitions that it imports from the environment.
The simplicity of an attack is what scares system admins the most: The vulnerability is truly easy to exploit.
The US Computer Emergency Readiness Team (US-CERT) is tracking the issue (see "Bourne Again Shell (Bash) Remote Code Execution Vulnerability"). Following is CERT's list of vendors that are confirmed to be exposed to the vulnerability. This list is initial and is expected to grow.

US-CERT recommends the following system-specific pages for hardening and patch info:

US-CERT also recommends that users and administrators review TA14-268A, Vulnerability Note VU#252743 and the Red Hat Security Blog for additional details, and refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch. A GNU Bash source patch is also available for experienced users and administrators to apply.
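As an added illustration (not from the original post or from US-CERT) of the check a system administrator would run, the following POSIX shell script probes a Bash binary the same way the public proof-of-concept does: it exports an environment variable whose value looks like a Bash function definition with a command appended, then starts Bash. An unpatched Bash executes the appended command while importing the environment, before the requested command runs. The binary paths in check_all_bash are assumptions for illustration.

```shell
# Added example, not code from the original post or from US-CERT.
# Probes a Bash binary for the original Shellshock bug (CVE-2014-6271):
# a vulnerable Bash executes the command appended to a function
# definition that it imports from the environment.

# check_bash PATH -> prints "missing", "vulnerable" or "patched"
check_bash() {
    bin="$1"
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # The value "() { :;}; echo vulnerable" is parsed by a vulnerable Bash as
    # a function body followed by a trailing command, which it runs before
    # executing the -c argument. A patched Bash ignores the trailer, so only
    # "probe" is printed.
    out=$(env 'x=() { :;}; echo vulnerable' "$bin" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# check_all_bash: probe every Bash that CGI handlers, cron jobs or SSH
# ForceCommand wrappers might reach. The path list is an assumption for
# illustration; add whatever your hosts actually ship.
check_all_bash() {
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        echo "$bin: $(check_bash "$bin")"
    done
}

# Usage: check_all_bash
```

A "patched" result covers only the original flaw; the first vendor fix was incomplete (CVE-2014-7169), so re-run the check after every Bash update and confirm the package version against your vendor's advisory rather than relying on a single probe.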
Not sure where to start, or if your systems are affected? Contact TxMQ president Chuck Fried for an immediate and confidential consultation: (716) 636-0070 x222, [email protected].

How The IBM DataPower XB62 Bridges Internal And External (B2B) Integration

One of the more elegant features of the DataPower XB62 appliance is its dual ability to govern internal application integration as well as external B2B (or Trading Partner) integration. In essence, the XB62 bridges the gap between internal and external integration, which is what makes it such a complete solution for so many different types of businesses.
In support of the XB62, IBM states that the company "recognizes the convergence" of internal and external integrations. And it's obvious that the need for integrations near or at the edge of the network is growing rapidly. By opting to deploy the XB62 you can better support complex B2B flows and become more flexible in routing and file processing. It's therefore much easier to bridge between the DMZ and protected networks without sacrificing security. This in turn allows you to attract more partners due to the ease, flexibility and security of the external integration.
One oft-cited example of an XB62 deployment is to have the XB62 sit in the DMZ, where it securely connects to trading partners, while that same appliance also exchanges data with a DataPower XI52 appliance within the protected network, which handles all the enterprise service bus functions.
TxMQ successfully deployed a DataPower XB62 solution for Medical Mutual of Ohio that serves as a strong example of the appliance’s secure integration capabilities. Medical Mutual wanted to take on more trading partners and more easily align with government protocols, but lacked the infrastructure to support it. “We needed to set up trading-partner software and a B2B infrastructure so we could move the data inside and outside the company,” says Eleanor Danser, EDI Manager, Medical Mutual of Ohio. “The parts that we were missing were the trading-partner software and the communications piece to support all the real-time protocols that are required from the ACA, which is the Affordable Care Act.”
TxMQ’s DataPower XB62 solution delivered $250,000 to $500,000 annual savings on transaction fees for Medical Mutual, as documented in this story published by Insight Magazine.
For more information on TxMQ’s many DataPower solutions for all industries, contact vice president Miles Roty – (716) 636-0070 x228, [email protected] – for a confidential and free initial consultation.

"iBrute" questions iCloud Security

Even Apple, a heretofore breach-free vendor, has recently been found responsible for a security exposure. On Sunday, August 31, 2014, a number of private photos were taken from Apple iCloud accounts. The weakness exploited by the tool known as "iBrute" was that the iCloud entry point did not lock an account after numerous failed login attempts, which allowed access to the compromising photos.
Apple has since closed the vulnerability; the service now locks the account after five failed attempts, preventing any further guesses.
A Python-based script, which was available on GitHub, allowed the would-be attacker to brute-force their way into the "Find My iPhone" service. That service did not lock the gateway after repeated attempts to guess a user's password.
The vulnerability reportedly found in the Find My iPhone service let attackers guess passwords repeatedly without any lockout or alert to the target. Once a password was matched, the attacker could use it to access other iCloud functions freely.
Although the Apple incident is the most recent cloud breach, there have been many others. In April 2011, email services firm Epsilon, the world's largest permission-based email marketing services company, sending over 40 billion emails annually, reported a breach in its security; the data breach is estimated to have cost the company up to $225 million in total, a massive event that highlighted the often-overlooked risk of cloud-based computing systems.
Also in 2011, Amazon experienced a disruption to its services that took down popular sites like Foursquare and Quora. It is another example of a cloud failure that could prove extremely costly in the long run, and a hint of more troubles on the horizon.
With the transition of more and more services to the cloud, it's imperative that your company secure its cloud infrastructure. There is no one "right" way to do so. Consult with experts to ensure that your data is being secured and that a sensitive breach like this does not happen to you.
The average cost to a company of a large-scale security breach is $3.5 million. If your company is a mid-market organization, this cost is enough to shut down operations completely. And more and more, hackers are targeting mid-market companies precisely because they are aware of the lack of intense focus on cloud security.
Contact your IT experts before this cripples your business entirely. Any time your company handles sensitive personal data, whether Social Security numbers or credit card numbers, it's imperative that you have a secure environment. Because, as you can see, if even the behemoth companies are susceptible, why would your company be any different?
If you have questions about your security infrastructure, contact [email protected] for a consultation. Your first conversation is a free discovery call to assess what your needs may be.
Image Provided by Flickr: dekuwa  https://www.flickr.com/photos/dekuwa/
Statistics provided by: Ponemon Institute