• 26Jun

    Hackers Aren’t the Only Threat to Privacy
    Wall Street Journal (06/23/10) P. B5; Worthen, Ben

    Sensitive information such as Social Security and credit card numbers that has been left exposed or poorly protected by governments and companies can be stolen in ways that do not involve hackers breaking into systems. For example, sensitive financial information is sometimes available over the peer-to-peer networks that many people use to share music and video files. Dartmouth College professor Eric Johnson says a recent search of peer-to-peer networks using terms such as hospital names uncovered a document that included the Social Security numbers of more than 20,000 individuals. The same search also found a document from a medical-testing lab that included patients’ insurance information and diagnoses, Johnson says. Such documents are often downloaded by cybercriminals and the information they contain is sold in Internet chat rooms. In addition to peer-to-peer networks, sensitive data also can be accessed by individuals who are able to bypass weak security systems, says Sellitsafe president Steven Peisner. He says information on roughly 15,000 stolen accounts is being published on the Internet each month.

  • 18Jun

    Justices Allow Search of Work-Issued Pager
    New York Times (06/17/10) Liptak, Adam

    The U.S. Supreme Court unanimously ruled that a California police department did not violate the privacy rights of one of its officers when it audited text messages sent on a department-issued cell phone. The ruling stuck close to the facts of the case, applying only to public workers and stipulating that the employer must have a “legitimate work-related purpose” in order to prove they are not violating Fourth Amendment rights. In this particular case, a city policy on computer, Internet, and e-mail use instructed employees that the city had a right to monitor communications. The officer who brought the case had signed an agreement acknowledging this right. However, the policy did not apply specifically to text messages. At the time, the city was apparently considering a policy that would allow employees to send personal messages as long as they did not go beyond a 25,000-character limit. Any texts sent beyond that limit would need to be paid for out of pocket. The city audited the officer’s texts to see if such a policy made good business sense, uncovering multiple sexually explicit messages on the phone, which led the officer, his wife, his mistress, and another officer to sue. The Supreme Court ruled that the audit was not a violation of privacy because the city “had a legitimate interest in ensuring that employees were not being forced to pay out of their own pockets for work-related expenses, or on the other hand, that the city was not paying for extensive personal communications.”

  • 12Jun

    Workplace Violence: New Regulation, Threats, & Best Practices
    Security Director’s Report (05/10) Vol. 2010, No. 5

    The Occupational Safety and Health Administration (OSHA) currently is pushing for tougher workplace violence regulations, while at the same time experts are calling for a different “zero” approach, and the judgment of line employees is being tested like never before. Organizations adopt zero-tolerance policies because “they sound good,” says Barry Nixon, executive director for the National Institute for the Prevention of Workplace Violence Inc. Unfortunately, these policies do little to eliminate the issue because they tend to be reactive — “this is what we will do” — rather than preventive, Nixon says. Speaking at the iSecurity online trade show and conference in March, Nixon called for a “zero-incidents” approach instead, because it emphasizes the prevention of unwanted behavior rather than detailing how the organization will handle it after the fact. In addition to tweaking policy language, Nixon recommended addressing workplace violence in the interview stage along with drug screening. While many potential employees expect a drug and background check, Nixon implored companies to similarly issue a proclamation to applicants that workplace violence is not tolerated. Most importantly, a zero-incidents approach — rather than zero tolerance — focuses security personnel on activities they need to carry out at many points along the prevention continuum. These include: detection by identifying and anticipating possible problematic scenarios before issues actually surface; prevention by taking reports and signs seriously; and protection by putting the response plan into motion and taking immediate action.

  • 04Jun

    Keeping Control: Cutting Security Costs May Increase Risk
    Controller’s Report (06/10) Vol. 2010, No. 6

    The main challenge for controllers during an economic downturn is to identify the most successful cost-cutting strategies without making the organization more susceptible to burglaries, insider thefts, and other risks. In a recent survey, Security Budgets & Cost-Containment Strategies 2010, this publication asked security leaders about their organizations’ total projected budget for physical and asset security in 2009, including planned capital expenditures and security operating budget. Most security executives believe an organization should allocate more than 0.75 percent of its annual revenue to security. When organizations set aside less, a majority of security leaders say that security resources are insufficient. Overall, nearly four in 10 organizations — 39 percent — spent less on asset protection last year than they did in 2008. Just 26 percent of organizations are spending more. The average change to the security budget in 2009 was a decrease of 2.1 percent, according to respondents. The survey also found that a majority of business and professional services companies spend less than 0.5 percent of their overall revenue on security.