September 3, 2010

Why the definition of awareness matters

the definition

Your paradigm is so intrinsic to your mental process that you are hardly aware of its existence, until you try to communicate with someone with a different paradigm. ~ Donella Meadows Considering the meaning, purpose and expression of awareness is a personal and professional pursuit. In fact, it’s my sole focus and the reason I [...]

RV Adventure inspired Awareness that Works™

As the son of a son of a sailor I went out on the sea for adventure Expanding the view of the captain and crew Like a man just released from indenture As a dreamer of dreams and a travelin’ man I have chalked up many a mile Read dozens of books about heroes and [...]

Three Ways to Make Awareness Measurable


By Julie Fugett So much of what we do in information security is immediately measurable: how many packets did the firewall drop? How many security incidents did we handle this week? Elsewhere, however, our reach can be more difficult to measure. How effective is our awareness program? Are we talking about the right topics to [...]

Improve your security awareness training with pedometers

The goal in building an effective security awareness training campaign is changing behaviors. While there are many factors to consider, an important factor is useful feedback, presented in a meaningful way to the end user. Many of the security awareness training programs we evaluate use measures to point out when users do something wrong – for example, using pink or red tape flags or other notices when people violate a clean desk policy. People are then surprised when these measures fail. Put yourself in their shoes – do you like being told you’re wrong all the time?… USA Today ran a story entitled, “Pedometers may encourage weight loss” (By CARLA K…. Turns out that people looking to lose weight through increased movement get good results when they use a pedometer. They have a challenge and an external tool helping them keep track; they write their progress in a journal, which has three distinct benefits: 1…. they have a record of their events, so they can establish a trend and measure progress (or understand lack of progress); 3. they establish a challenge for themselves – and a good (and reasonable) challenge motivates! While the motivations for losing weight and protecting information may be different – how would your security awareness training be improved if you provided user-friendly feedback that could reinforce behaviors?

Into the Breach is in the home stretch; I’m headed to Charlotte to finish it up

I’ve heard other authors exclaim that at the end of the writing process, it felt as if they were ready to give birth — and couldn’t wait for this labor of love to be done…. Now that I’m nearing the home stretch of this book, I’m starting to understand… Into the Breach: Why Companies Fail to Protect Data and What We Need to Do About It has been under development long enough! I have distilled the problem and presented a careful and easy-to-follow solution that will help companies improve their top line, protect their bottom lines and manage people, risk and information more efficiently. I am writing a book for business leaders to understand the fundamentals of how to unmask our human problem and take simple steps to reduce the chaos…. Seriously, though, my best friend lives in Charlotte – and he and some other good friends have suggested that we consider moving our base of operations to the Carolinas. The more they tell me about the region, the more I’m inclined to agree, so I decided it would be a good time to take 10-12 days to head down and check it out, while wrapping up the book.

I could use your help

If you live or do business in Charlotte – I would love to speak with you, or even meet with you in the next two weeks. I’m seriously considering moving our business there — and I’d like to learn about the business climate, partnership opportunities (or companies looking for a partner), family environment and the like…. I’m happy to share.

When you will get the book

I plan to have the galley copies out by the end of the month to my review team…. I promise I’ll do what I can to get this information to you and into the hands of decision makers as soon as I can. I am also offering a limited number of my Information Protection Program to companies that want to implement the suggestions in the book to reduce the risk of breach, while reducing the cost of compliance.

Online Advertising: The Start of a Long Debate

Yet today, instead of confronting meat-packing and railroad industries, the FTC is going to have to monitor technology giants in order to protect Americans’ online experience and not stifle internet growth…. They argue that data collected through behavioral targeting could be used by government to monitor users without their consent and could potentially lead to racial profiling and discrimination. Online privacy has become a major concern, especially in light of the news earlier this year that Google was purchasing internet advertising giant DoubleClick…. The potential harm to consumer privacy that might occur out of the DoubleClick-Google purchase appears not to have stopped others from continuing down the path of online advertising. Social-networking sites are also trying to earn profits by allowing large advertising firms to mine for information on their subscriber pages to determine members’ interests and what specialized advertisements would be delivered to them…. The court ruled against the plaintiffs, citing that there was no violation of the Electronic Communications Privacy Act or the Computer Fraud and Abuse Act because DoubleClick only gathers information concerning a user’s activities on a DoubleClick-affiliated web site…. As a result of these legal and business developments, the FTC has to take a more active involvement in slowing down the pace of behavioral targeting…. Yet while these recommendations are a step in the right direction, the government should not try to develop a one-size-fits-all model that would stifle the economics on which internet innovation relies…. The concerns for consumer privacy should also be taken in tandem with the economic model that continues to fuel new technological advancements. The Google-DoubleClick acquisition has put online privacy at the forefront of government concern.

Have you considered engaging a professional speaker to turbo charge your efforts?

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results! Several of my clients have started to book my keynotes and [...]

Do Data-Breach Laws Give You The Power to Hold Corporations Liable?

Recently, state governments have begun to change this by imposing liability on the retail business and others, thereby opening the door for consumers to sue companies that do not adequately protect the personal information that they collect…. In the meantime, we’re going to ignite our series of articles exploring these laws and developments by analyzing some recent events.

Minnesota PCI Legislation

Effective August 1st 2007, Minnesota became the first state to require that all companies handling credit and debit card data comply with the Payment Card Industry (PCI) data security standard (in a future article or podcast, we’ll explore and debate the value of tying the PCI standard to the legislation – Michael). The state’s new Plastic Card Security Act would prohibit a company from retaining a credit card’s security code data, the PIN verification code number, or the full contents of any track of magnetic strip data…. In Pisciotta v. Old Nat’l Bancorp, the court held that there was no state statute supporting the compensation of incurred costs because “had the Indiana legislature intended that a cause of action should be available against a database owners for failing to protect adequately personal information, we believe it would have made some more definite statement of that intent.” So for the time being, unless you have an actual showing of harm as a victim of identity theft, potential harm will not suffice.

Consequences for the Courts

As more states begin to enact legislation that requires companies to comply with PCI, courts may begin to allow litigants to be compensated as a result of a security breach. The argument that courts have made in cases like Pisciotta will clearly be much weaker as state legislatures conspicuously demonstrate their intent to punish companies by enacting specific statutes targeting the security of personal information…. 
Clearly, there is a way for the legislature of any state to write a statute that can pressure companies to improve their data security standards without crippling small business owners. While the retail industry will continue to resist such legislation, there is strong support from banks and credit unions, since in the eyes of consumers they are often blamed for such breaches…. Depending on how the case turns out, the burdens and cost of breaches will shift away from consumers, banks, and credit unions but will perhaps be shared by the retailers and others (of course, the consumer pays in the end).

Preparing for the change

As a consequence of new state and federal legislation, the landscape of data security will continue to evolve, sometimes in seemingly dramatic fashion…. Industries that have for now been able to get away with having minimum security standards will begin to take notice of their potential liability and, hopefully, will improve the way they guard information.

Change is Good: Part III

Products & Services

“Without change, something sleeps inside us, and seldom awakens. The sleeper must awaken.” – Frank Herbert

By now you’re getting a sense of what we are doing. With a new interpretation of our role in the information security community, a larger team, more consistent communications and new products and services, we are providing a comprehensive resource for individuals and organizations concerned about protecting data. It is important that you understand that the change to The Security Catalyst is not cosmetic. While we have updated our marketing, our real investment has gone into developing toolkits, web-based services, new presentations, and bundles of services so that we can deliver what you need – whether you are technically inclined or not. Our new offerings include:

• The Information Protection Toolkit (IPT)
• ‘Speaking About Security’ training sessions for security professionals
• The Privacy and Awareness Toolkit
• Keynote speeches and workshops designed to engage, empower and enable your teams
• Catalyst Sessions – dedicated and private support that blends coaching, consulting, and facilitation with deep industry experience.

We’ve been testing our solutions over the last few months, and I am now excited to offer them with confidence – to help you improve your practice of information protection. We’re putting the final touches on our website so we can share more details with you in the coming days. Visit our website or contact me for more information.

TSC Insight: Do Email Disclaimers Matter?

I’d more or less accepted that some used them, while others didn’t – but paid little mind to the question – do email disclaimers matter? During a breakfast a few weeks ago, a friend of mine shared a situation in which a business email sent to an individual was later posted to a website (by the recipient)…. With the help of Patrick Romero, this is what we found:

Some Background on Disclaimers

Turns out these disclaimers can be used for a whole list of things – from breach of confidentiality to transmission of viruses to employer’s liability…. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. With the prevalence of e-mail communication, statements like these have become more and more ubiquitous among private and public companies – the majority are automatically generated whenever a user sends out any information regardless of the content of the message…. However, ECPA defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”…

Can encryption provide privacy and confidentiality for email?

I have spent a lot of time reminding people recently that “solutions follow requirements” – and I’m always hesitant to recommend a solution without understanding the requirements. However, if you are concerned about the privacy and confidentiality of your email communications, you probably need to investigate the use of encryption. I have always enjoyed learning about and teaching encryption – and while it can be a double-edged sword, it offers the safest means of ensuring privacy of email communications…. 
In a properly constructed and managed solution, only the designated recipient has the ability to decrypt and verify the message – ensuring the confidentiality of the transmission (this is an overly simplified explanation – if you’re thinking about using email encryption, give me a call and we can talk about specific details). Encryption solutions are available for commercial and personal use….

Think before you press send.

One of the best methods for protecting information (note: information protection doesn’t always mean encryption) is to establish and effectively communicate expectations for proper use of email (if you need some help learning how to communicate policies more effectively – pick up the phone and call, it’s what we do). Every organization should put in place a company policy with regard to sending confidential information through e-mail….

In the end, some do, some don’t and you get to choose

Currently, there is little case law or statutory interpretation that discusses the legal rights of senders vis-à-vis e-mail disclaimers.