This is important because Acrobat Reader use is so widespread. Whenever you read a PDF file in your browser or open a PDF file on your system you are most likely using the Acrobat Reader program.

The vulnerability appears to be related to the use of JavaScript in the PDF file. There are bad files in the wild and it is expected that the number of these will increase. Most virus protection software appears to be unable to detect these bad files. It is important to protect your computer.

We’ve posted a short video on how to change the configuration of the Acrobat Reader on your computer. Find the Adobe Acrobat Reader in your start menu and then view this video.

Sunnyvale, CA – Announcing the launch of CSO Compass, an innovative Cybersecurity Services company focusing on early to mid-stage companies serving customers on the west coast and across the US.

Effective security is a critical foundation for growing companies. Our mission is to deliver a program covering all aspects of security efficiently and effectively, saving our customers significant time and costs.

While organizations average one information security specialist for every 100 developers, an emerging company cannot afford an adequately diverse staff for a dedicated security team. With our many years of security experience, CSO Compass can deliver a repeatable program tailored to a growing organization’s needs. Working with you, we provide an effective security program with the necessary coverage while offloading as much of the work as possible from your team.

Coverage: The CSO Compass Team addresses all eight major categories of security as defined by international standards: security policy, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, and business continuity management.

Program: We take a metrics-based approach to identify the most critical risks as well as the most important assets to be protected. Based on this, we create a security roadmap that maintains focus on your most important requirements.

Team: Each member of the CSO Compass team has extensive security experience in a broad set of roles. These include operations, software development, customer service, program management and product management.

Location: CSO Compass has offices in Silicon Valley and metropolitan Los Angeles.

website: www.csocompass.com

The scope of a board’s responsibility is increasing in these areas. For instance in the financial industry, which is often the model for other non-regulated industries, the board is expected to not only approve the company’s security program but to oversee its implementation.

It’s unfortunate that all too often boards are not asking these questions despite the need. For more information on this problem you can read more about a report from Carnegie-Mellon University’s CYLAB at: IT security risks dismissed by boards.

So what are the questions the board should be asking of the organization? Here is a sampling of some of the critical questions:

1. Are there documented security policies related to each type of asset?
2. Do we conduct regular independent assessments?
3. Do we have a written plan to mitigate risks identified in the assessment?
4. How do we train employees relative to data security and compliance with the policies?
5. Have we implemented tools to audit and track the access to all protected information assets including access by technical staff?
6. Do we have an incident response plan in case of a security breach?
7. Who is accountable for maintaining and updating the security program?

Contact us to learn about the services we offer.

So, what is the cost of a lost or stolen laptop?

A cost of a stolen laptop can be as high as $186,000 with the average cost of a lost laptop was over $24,000. The actual replacement cost is a small portion of the actual overall cost for a lost laptop. The report shows that the highest cost was for service industry laptops where the data breach cost component was significant.

The value of the lost laptop is based on seven cost components:

• replacement cost,
• detection,
• forensics,
• data breach,
• lost intellectual property costs,
• lost productivity and legal,
• consulting and regulatory expenses.

So why should I care?

Up To 12,000 laptop computers are lost weekly in U.S. Airports. That averages out to more than one per minute, every day! Having rushed to make a flight while on a phone call in a busy airport, you can see how this could happen.

Over half of the professionals surveyed carry confidential company information which can include customer information, confidential business information and intellectual property such as software code. Almost 2/3 of those who carry confidential information don’t take steps to protect it.

If your corporate or customer information is on a laptop, you have to consider the potential consequences. Even the potential breach of customer data can send your organization into a frenzy dealing with the many layers of privacy regulation that exist.

What can I do?

There are a number of steps you can take to protect confidential information:

• Follow your company’s information security policies. They’re usually there for a reason.
• Don’t carry any more confidential information than you have to.
• Encrypt what you do carry. There are many encryption technologies available today that are easy to deal with while keeping information secure.

Contact us to learn about the services we offer.

Most of these types of insider attacks were only detected once a system became unavailable or there was a noticeable irregularity in the information or system. In some cases, the system administrators were discovering the damage to the system at the same time that customers were discovering their inability to access it. This resulted in negative impact to the business including significant financial losses to the organization.

There are many safeguards that can be instituted. For example, the proactive monitoring of system log files for abnormal behavior or changes. However in the vast majority of cases logs were only inspected after an attack instead of proactively monitoring logs for abnormal behavior. Another example includes backup and recovery procedures. In some incidents, the system personnel stole valuable data backups with critical business data and privacy information.

You can protect your company from insider attacks by disgruntle employees but preventing it is a complex problem that needs detailed analysis of policies, procedures and technical controls. This combined with the appropriate personnel policies including security awareness training are some of the prudent steps all organizations need to implement to protect from insider vulnerabilities.

Contact us to learn about the services we offer.

For a SaaS vendor it’s especially important to work closely with their customers to clearly identify the PII data being used by the SaaS solution It’s recommended that metadata is maintained that clearly identifies, PII data, financial data, health other classes of protected data. Along with classifying the type of data, one should maintain records on the source of the data which may include the user, the application, and data transferred from/to the customer or third parties.

In most cases, receiving the individual’s authorization to store the data is adequate for compliance. However, that is not always the case. If the individual user is the employee of the customer being serviced, their consent is sometimes not adequate because of the leverage an employer has over the individual in an employer to employee relationship.

Clear policies need to be established by the company, defining proper use of that data by the application, and within the company. For example, limiting data access to only those individuals within a company that is involved with direct customer support is not adequate. Do they need access to the entire record or just basic information such as login information vs. tax payer identification numbers? Is system personnel handling backups authorized to have access to data or are backups encrypted? If offshore personnel providing support have access to PII data that is also considered a cross border transfer.

Recommended articles:

Why Cross-Border Litigation is a Compliance Concern

Primer: Privacy Laws — An Overview

Contact us to learn about the services we offer.