There are no 100% guarantees in information security. We all talk about it. Often, we turn to technical solutions to solve security problems. For each solution, someone can offer a reason it won't work. Far too often we end up declaring "breaches are inevitable." This is where many firms throw…
In what has become a “tip of the iceberg” wave of security breach reporting, most companies suffer the effects quietly. Each year we look back on countless examples of large and small companies falling victim to cyber security breaches. While the largest cases (often with tens…
Bill Burr, the guy that originally recommended password rules at NIST years ago, seems to regret how far that advice traveled and was used. While it's possible people will misstate his current views on the subject (proving his point again), at issue is how we simple humans use passwords…
Since significant M&A due diligence activity centers on on valuation both of the asset today (point in time) and as an ongoing source of positive economic activity, risk assessment has long been a foundation of transactions. The dawning realization among [some] M&A due diligence teams is that risks…
You are Here For reasons yet unexplained, I'm a fan of those maps you find in traditional shopping malls. The maps that say "You are here" and offer a bright little star to indicate your location. They do something simple and they do it simply. They provide context. I…
Recently, the Federal Trade Commission (FTC) announced a $250,000 fine and a Consent Order with Henry Schein over misleading claims about encryption in their software. If we're honest, for the average consumer it’s not even a blip on the radar. That changes when we're talking about a child's health records. I've…
I attended a Cyber Security presentation this morning organized by a leading insurance and benefits provider with offices in St. Louis. They brought together speakers representing brokers, wholesale as well as accounting and audit to discuss cyber security with business owners.As they build momentum around cyber-liability offerings, it’s becoming clear…
If you have the curiosity and time, I recommend reviewing NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment". In addition to being 80 pages of excitement and fun, this document provides us with rich details on testing information technology systems using a consistent approach. For the sake…
At work, home, or in public, everyone is exposed to threats while using WiFi on their phones, tablets or computers. Fortunately, many Wi-Fi risks can be mitigated easily. "Open" hotspots create an immediate risk of eavesdropping with few barriers, but even secured networks in public can compromise the path between…
Updated: This is an outdated list, but I leave it here as a reminder. Software has security a half-life. That half-life is the combination of how long it takes for an attacker to find a weakness, for an exploit to be developed, and for you to realize it's…