From The Editor | October 23, 2014

From ASCII Atlantic City: Winning The War On Data Breaches


By Jim Roddy, VP of Marketing, RSPA


You know how speakers at a conference are supposed to lift you up and give you — and hopefully your business — a boost of energy? Well, Billy Austin, the president and co-founder of iScan Online, made the nearly 100 solutions providers at the ASCII Success Summit shudder shortly after he took the stage Wednesday afternoon.

With 19 years of network security experience, Austin detailed what he’s seeing lately in both large and small businesses. Here’s a sampling of what he said before I crawled under my seat:

  • 53 percent of mobile phones have no on-screen password, making it easier to get to sensitive data.
  • 1 out of 20 phones is lost or stolen.
  • 23 percent of all Dropbox accounts Austin examined, which were accessible through mobile phones, contained private data like social security numbers and credit card numbers.

“Nobody is hacking for fun anymore and defacing websites,” Austin said. “It’s all about financial motivation. Defacing a website is only a diversion now. It’s all about the money.”

Yikes. And that’s just one aspect of data security. “It all comes back to two things,” Austin said. “The first is sensitive, confidential data. Customer data and credit cards make the headlines. The second thing is a vulnerability — either an operating system vulnerability, an application vulnerability, or a configuration vulnerability. Examples of common configuration threats are no encryption or no on-screen password.”

For the rest of his presentation, Austin talked about what solutions providers can do about data breaches in the SMB space. As he talked, most in the room took copious notes … and my blood pressure returned to a healthy level.

The first step is to conduct a discovery of data. “If we can identify that data, we can now understand what is at risk,” Austin said. “Almost every dentist office where I conduct a data survey has a file called ‘customers.xls’ or ‘patients.xls’ which can be accessed just if someone on that machine visits a bad website. All patient information is there, including driver’s licenses.”

By discovering the data and detecting the threats, the MSP (managed services provider) knows what data is at risk and how the attacker is most likely to get in. The data that solutions providers should be seeking is cardholder information, personally identifiable information, trade secrets, and intellectual property.

A second step is to detect vulnerabilities. This will identify the threat posture of the device storing sensitive data. Common detections include the operating system, applications, configurations, and running services.

Austin also recommended that MSPs offer a complimentary assessment. “These scans are fast,” he said. “If you find something, you may make a sale within minutes. I just talked with a university who called their CIO into the room after just three minutes. He never talks to vendors, but after just four minutes, he said, ‘This is exactly what my board of directors needs and wants us to have.’”

Austin also advised the MSP attendees to add these services to increase their recurring revenue. “Convert this to a monthly service, not just a one-time clean-up,” he said. “Deliver Security-as-a-Service to your customers. I guarantee they have data at risk and you can help them.” 

The ASCII Success Summit – Atlantic City is being held October 22-23 at the Bally’s Atlantic City Hotel and Casino in New Jersey. It is the last of eight solution provider-focused conferences ASCII hosted in 2014. For more information on ASCII, go to www.BSMinfo.com/go/InsideASCII.