It seems that according to new research published by AIIM during the week, the idea of a paperless office is further away than it ever was. This is not just hearsay, but one of the conclusions of the new report on records management in the Aimm State of the Industry series.

It also seems from the report that even with all the technologies and advances in capturing and storing information, enterprises are still struggling to manage all of their office records.

However, digging a little bit deeper into the subject, you find — as might be expected — that the problem lies not with the technologies, but the lack of a coherent records management strategy in many enterprises, especially when it comes to digital documents.

One of the most striking facts that come out of this year’s report is that the number of paper records is increasing despite the growing volumes of electronic content and the ease with which enterprises can turn physical records into electronic records.

The volume of paper records is increasing in 42% of organizations and decreasing in 34% — a negative gap of 8 percent. This is in contrast to last year’s report which saw more organizations showing a decrease than an increase.

Why there should be a return to increase in paper growth is not clear, research author Doug Miles says. It may simply be that the number of business transactions fell during the economic downturn, it could be file-scanning projects have been run down and not restarted as a cost cutting measure, or that during the downturn, space was scrutinized more closely.

Also of note here is that while deletion polices were, generally speaking, the same for electronic and paper records, when it comes to destruction, enterprises were more likely to destroy electronic records than paper records.

There was some positive news for emails, with 73% of enterprises selectively treating emails as records, but the problems here have been replaced by concerns around the way electronic messaging is treated.

It seems that few organizations are treating dynamic, personalized content as records, collaborative SharePoint content is considered transient as is instant messaging despite the fact that they have a legal standing. The challenge here, then, is to start looking at policies to manage this.

Source: www.cmswire.com

The post Paperless Office? appeared first on BC Records Management Services.

Why? Because it doesn’t matter the size or focus of your organization: January is for media-agnostic destruction.

Seriously, this is my favorite time of the year.

Garbage-In, Garbage-Out

In the early phases of your electronic records management (ERM) implementation, you must be concerned about GIGO, or “Garbage-In-Garbage-Out.”

I am about to say something rather harsh, considering the extraordinary talent and resolve an organization and the executive sponsor therein must have to codify signatures on the ERM implementation project charter. But the signatures on the project charter are a walk in the park compared to what’s next.

I don’t care what repository you use; you have a responsibility to your organization to house only records in the records repository. To put it bluntly: you are not allowed to trash your repository with unnecessary objects to justify the original expense of it.

Tough to admit considering how difficult it is for most organizations to sponsor a repository in the first place.

January is Records Statistics Month

Well, ok, every month is records statistics month, but if I can choose only one, this month is it. Destruction review in January is a perfect opportunity to leverage the business imperative of declaring records. The bliss that is the records review needs only two things: your gift of anticipation and your records logic.

You’ve prepared your phase summary; distribute it to your C-level to gain permissions to the metadata of their file shares. Review your box collection. Does every box have an inventory? By business unit, lift the lids off the boxes and perform a file level inventory (especially if you have a small collection).

Those file titles are perfect for keyword and chronological searches in all potential records locations. Chronologically arrange your keywords according to your records retention schedule. Tack your statistics up. Look at your baselines in 2012. What metrics stand out to you? Here are a few suggestions in no particular order:

Who most frequently saved duplicate (or more) objects?

Who averages what types of files and where are they stored?

What hasn’t been modified in how many years?

How much has storage grown in particular increments?

What is typically named how?

How many of your records series are relevant to your records storage?

If the content was stored in other media, how much storage would it consume?

Just Go

You’re getting the picture of how to create the picture.

In my experience it’s less than helpful to advertise your ERM implementation as a governance effort — that’s the document you create behind the implementation as you complete each phase.

No, describe the project (and this set of tasks in particular) as eliminating wasted storage space first in your unstructured locations in order to ensure your repository is neat and clean. This message will inhibit your records repository’s chances of burgeoning into a receptacle for objects of transitory importance. Most organizations hate waste; I hate waste; I recommend you hate waste too.

Source: http://www.cmswire.com/cms/information-management/january-is-records-statistics-month-019149.php

The post January is Records Statistics Month appeared first on BC Records Management Services.

I don’t mean to say that your organization shouldn’t have one — far from it. Every organization should have a records retention schedule safely tucked away in the arms (arsenal?) of the Records and Information Management, Legal and Technology departments. However, Typical End User (TEU) doesn’t want it and won’t use it.

So, Records Manager, how will you respond? What’s in your wallet?

Hard Copy Records Management
For hard copy records management (usually remembered during the 4th and 1st quarters), a straightforward shopping list of records types and their corresponding retention periods is simple and easy to post on the intranet.

Direct the new TEUs to the link off of the Records department’s main page during the onboarding process (be gentle; they’re not going to remember it later) or to your colleagues during those “Help!” calls always placed to you at 4:55 pm.

Electronic Records Management Minus the Retention Schedule
Electronic records management is trickier. The trifecta of Records and Information Management professionals can always agree to match rules behind e-Records publishing platforms, but what if TEU involvement is required? How best do you encourage TEUs to make retention decisions without reliance on the records retention schedule only?

Let’s play a game. You, Records and Information Management professional, will create a guideline that outlines how your organization’s content becomes a record. First, a few rules:

You can’t:

defer to the records retention schedule
discuss legal/regulations/standards
use records jargon
rely on the old standby, “but it’s instinctual!”
You can:

use specific business examples
use company jargon
discuss the types of documentation in your company
mention scope and impact
So, how do you create your deliverable?

First, leave the Records and Information Manager role behind. Next, disassociate yourself from the traditional definition of a record — weighed against the pace of the typical work day, TEU doesn’t really have time to care in that context. Remember: everyone attended the mandatory Records training and promptly forgot it. You’re creating a new (records-related) Third Place.

Draw on haunting, inspirational sources like this one. This 2012 Motion Graphics Finalist in the Vimeo Awards was created beautifully by Adam Gault, Stefanie Augustine, Chris Villepigue, Carlo Vega and read by Mitch Rapoport. Sure, it’s Speech 101, but remind yourself:

you’re creating a memorable, but 101 document;
you’re providing a directive that will encourage TEUs to decide what content becomes a record in less than 5 seconds; and
most importantly, you’re reminding TEUs of “here” — this organization’s records, this preservation activity, this legacy.
The Gettysburg Address is perfectly suited for such inspiration and this video is deceptively simple. Simple is elegant.

Meanwhile, don’t forget your instruction from Edward Tufte (create depth) and Nancy Duarte (resonate with meaning).

What are the results of this game of logic? Three to five typical business content categories that should in no way map back to functional records series. These categories are different. It’s ok to present the dotted line model — after all, we’re discussing a change of information state — but you should leave that behind with the definition of a record if you can. The categories must be universal because they’re relevant to everyone’s responsibilities. At best, TEUs will remember one in the declaration moment. But one category is all that’s needed, yes?

Source: http://www.cmswire.com/cms/information-management/records-management-retention-schedules-take-a-back-seat-017698.php

The post Records Management: Retention Schedules Take a Back Seat appeared first on BC Records Management Services.

The National Association for Information Destruction (NAID), Phoenix, has advised businesses in the path of Hurricane Sandy to consult with secure destruction companies about how to properly handle their wet or damaged documents. Every business has a legal responsibility to record and securely dispose of wet or partially destroyed paper records containing sensitive information, NAID says.

Paper records and electronic devices often are among the items damaged by rain or flood water, and organizations must determine whether and how to restore these documents or to securely destroy them. NAID says it recently published two articles describing the disposition of wet records and how to handle moldy records.

”In the event wet paper records are old enough to discard, disposing of them in a secure and safe manner is still a struggle,” says NAID CEO Robert Johnson. “On the other hand, if the records have not reached their legal disposal date, there are still some basic steps that allow organizations to avoid problems due to their loss.”

In the first article, “Ask the Professionals: How do you Dispose of wet Records?” NAID consulted with legal experts about the retention limits, conditions of records and the regulatory requirements for paper records with water damage. One expert says when records cannot be salvaged and need to be destroyed, “create a complete inventory of the records along with documentation noting the condition of the records, the date of destruction and the name of the service destroying the records.” Whenever possible, a business should have full documentation of the circumstances and decision-making process in the event that issues arise later.

“Moldy records: Hype or Hazard?” addresses the rare but potential problem of mold growing on records that were stored in damp locations or that were destroyed by flood waters. Mold poses a health risk to the business’ employees and customers as well as to the document destruction company’s employees handling the records. Disaster recovery experts suggest wet, mold-laden records be handled with extreme caution. Therefore, NAID recommends finding a NAID member company that is familiar with the destruction of wet documents and moldy records.

According to Johnson, “The worst option is doing nothing. There are many potential problems leaving soaked records around to dry on their own.”

NAID is a nonprofit trade association of the secure destruction industry, currently representing more than 1,900 member locations globally. NAID’s mission is to promote the proper destruction of discarded information and to encourage the outsourcing of destruction needs to qualified contractors.

The post NAID Offers Advice on Handling Wet, Moldy Records appeared first on BC Records Management Services.

Well, there is no one size fits all solution – it depends on the individual circumstances and where you are in the world – but we’ve drawn up some scenarios that are typical of some of the crimes that any computer user, at home or work, might come across.

In the first of our series of articles on how to report a computer crime, we’ll look at unauthorised email access, what offences are committed when a crime like this happens and how you should report it.

Take this scenario:

Abigail is at work. She logs into her personal webmail account during her lunch-break, which she is allowed to do according to her company’s computer policy.

A friend had advised her to use a complex password for her personal webmail, but she finds it difficult to remember so she has it written down in her diary.

Abigail logs out of her personal webmail account and leaves the building to make a private phone call, but doesn’t take her diary with her.

Barry sits opposite Abigail; he has a secret crush on her. Barry goes to Abigail’s desk, searches her diary, finds the webmail account name and password and logs into her webmail account from his smartphone at the office.

Barry reads a number of Abigail’s previously read personal emails using his mobile, but does not read any unread mail in case Abigail notices someone has accessed her account.

Abigail later discovers that someone has read her emails after she checks her email account activity and notices the account has been accessed by a mobile web browser. She suspects it was Barry after he made a comment regarding something she had written in a personal email.

What was the offence?

We can break it down like this:

Flower on laptop, courtsy of Shutterstock

Barry deliberately gained access to Abigail’s web-based email account
Barry did not have permission to access the account, nor would he have been given it if Abigail, the genuine account holder, knew what he was doing.
Although Barry did not delete or deliberately alter any data, he has still committed an offence because the access was not authorised

The legal bit

We’ve focused on the UK, USA, Canada and Australia, but each country has its own legislation, though the relevant statute often exists to accommodate the same offences in each country.

UK

In the UK, most computer crime falls under offences covered by one of three pieces of law:

Computer Misuse Act 1990
Communications Act 2003
Fraud Act 2006

Other associated crimes could include Conspiracy or Money Laundering offences, but victims of crime are more often than not affected by at least one of the three Acts listed above.

In this case, Barry committed an offence of “Unauthorised Access” in contravention of S1 Computer Misuse Act 1990, committed when the offender causes a computer to perform a function intending to secure access (which Barry did when he gained authentication to Abigail’s account).

Gavel, courtesy of ShutterstockUSA

In the USA, most cybercrime offences are covered by Title 18, United States Code (USC) Section 1030 – Fraud and related activity in connection with computers. This is what Barry contravened when he logged into Abigail’s account.

Canada

The Criminal Code of Canada contains sections that specifically cater for cybercrime, including:

Unauthorised Use of Computer
Possession of Device to Obtain Computer
Mischief in Relation to Data
Identity Theft and Identity Fraud

In this case, Barry contravened Section 342.1 Canadian Criminal Code (CCC) – Unauthorised Use of Computer.

Australia

Both state laws and commonwealth laws exist in Australia. In South Australia, the investigation of cybercrime by police is classified under three tiers and is spread across the organisation depending, mainly, on severity.

The primary legislation for computer offences is the Summary Offences Act, 1953 (SOA) and the Criminal Law Consolidation Act, 1935 (CLCA).

In this case, Barry has contravened Section 44, Summary Offences Act.
Reporting the crime

UK

Police station, courtesy of ShutterstockIn the UK, when a crime has taken place it should be reported to the police, so Abigail should go to her local police station to report it.

A crime allegation may be investigated by a police force or may be referred to the Police Central e-Crime Unit (PCeU) which provides the UK’s investigative response to the most serious incidents of cybercrime. The PCeU requests that the routine reporting of computer crime offences are not made directly to them.

There is also an alternative reporting body for internet-enabled crime: Action Fraud.

Action Fraud records and passes on crime reports to the National Fraud Intelligence Bureau, who then decides whether the incident requires further investigation, as not all computer crimes are investigated.

USA

The Department of Justice website contains a Computer Crime and Intellectual Property Section with a contact page for reporting incidents to local, state or Federal Law Enforcement Agencies (LEA).

Two Federal LEAs have a remit to investigate some computer crimes:

The Federal Bureau of Investigation (FBI)
The United States Secret Service (USSS)

In this case Abigail should report the crime at her FBI Local Office, or US Secret Service or Internet Crime Complaint Centre.

Canada

The Royal Canadian Mounted Police (RCMP) are the main agency with regard to the investigation of federal statutes but also have policing responsibility for a number of the Canadian provinces and all 3 territories, as well as some local police services in towns and cities.

A computer crime victim, like Abigail, should report their incident to their local police service. If appropriate, it will be escalated for the attention of the agency with federal responsibility, the RCMP.

Australia

Abigail should report the crime to the Australian State or Territory Police.

Investigation policy differs from state to state but the Australian Federal Police website offers a guide on whether the crime should be reported to either Australian State or Territory Police.
Preserving the evidence

Woman at computer, courtesy of ShutterstockAbigail may want to consider informing her webmail service provider that she has reported the incident to the authorities.

She should also request that they preserve the web access logs so they can be looked at during the investigations.
Remediation

Abigail should change her webmail password immediately and use a robust password that she can memorise rather than one which she has to write down. She could also consider using password management software (examples include 1Password, LastPass or KeePass) where she only will need to remember one complicated master password.
Conclusion

In general, it’s important that all computer crime is reported. Even if no investigation follows, crime report intelligence can be built up and an accurate picture of the levels of computer crime can be produced.

If victims of a particular crime do not come forward to report incidents, then the number stated in crime reporting statistics will be not be a true reflection of the number of crimes taking place.

The scenario above is given as an example to help you in understanding when and what offences have taken place. Please be reminded that no two situations are the same and we have not catered for the “what if” situation.

We have also not included any corporation’s AUP (Acceptable Use Policy) that may be in place and may have been breached.

All of the scenarios are made up and the characters depicted bear no resemblance to any person.

source: http://nakedsecurity.sophos.com

The post How to report a computer crime: Unauthorized email account access appeared first on BC Records Management Services.

The phishing email is sent from multiple e-mail addresses and has in its subject line a nine digit complaint number. BBB Accredited and non-Accredited Businesses have been targeted and some consumers have also received the e-mail.

The body of the e-mail states the company has received a complaint and asks the company to respond by directing the e-mail recipient to “BBB Complaint Dep” <complaintdep@chicago.bbb.org>; this e-mail address is not affiliated with the Better Business Bureau.

The BBB advises any business that receives this e-mail to take the following steps:

Do not click on any links or reply to the message,
Completely delete the message from your inbox,
Run a full virus scan immediately on your computer if you did click on any links.

If you receive an e-mail from the BBB about a complaint filed against your business and need assistance in determining whether or not it is legitimate, contact the BBB serving Chicago and northern Illinois at (312)832-0500 or info@chicago.bbb.org

Phishing e-mails are a common way for hackers to get at your personal information or break into your computer.

“Don’t click on any links or open any attachments to e-mails until you have confirmed that they are not malicious. E-mail addresses that don’t match up, typos and grammatical mistakes are common red flags of a malicious phishing e-mail,” said Steve J. Bernas, president & CEO of the Better Business Bureau serving Chicago and northern Illinois. “Also beware of unsolicited e-mails from companies with which you have no association. Make sure you have current antivirus software and all security patches have been installed on the computer.”

For more information on phishing and how to keep your computer safe, visit www.bbb.org

The post Urgent Scam Alert: Beware of Fake Complaint E-mail Claiming to be from Better Business Bureau appeared first on BC Records Management Services.

A recent benchmark study reveals an alarming trend that shows no sign of slowing – the rising costs of data breaches. The study was released by Symantec Corp., one of the world’s leading information storage and security solutions providers, and the Ponemon Institute (PI), a leading researcher of privacy and data protection practices. It is their sixth annual study of data security benchmarks. Fifty-one American companies participated in the study, representing 15 different industries, including: healthcare, pharmaceuticals, finance, retail, services, education, technology, manufacturing, research, transportation, hotels and leisure, media and communications and energy. These disparate companies all had one thing in common – in 2010 they experienced some form of large data breach. The amount of records compromised in these breaches varied from 4,200 to 105,000.

According to the study, organizational costs related to data breaches have grown significantly in each of the past five years. In 2010, the average cost per data breach reached a whopping $7.2 million or approximately $214 per compromised record. That’s a significant jump from 2009 when the average per-record cost was $200. The most expensive data breach included in the 2010 study cost a company $35.3 million to resolve. The least expensive data breach was $780,000.

The driving factor behind these rising costs? Compliance pressures for faster response times to escalating data security threats. According to the study, the good news is that organizations in the private and public sectors are showing signs that they are making serious efforts to improve the speed of their responses to data breaches. Forty-three percent of the companies that participated in the study reported that they notified victims within one month of the breach, a 7 percent improvement from 2009.

Here is the bad news: Quick responders saw significantly higher per-record costs than slower responders for the second consecutive year. The average per-record cost for companies that notified their customers within one month of a data breach was $268, a 22 percent increase over the average per-record cost for quick responders in 2009 – no data breach response attribute had a higher percentage increase last year. By contrast, organizations that notified customers more slowly (30 days or more) paid on average $174 per-record, 54 percent less than quick responders. Slow responders actually saw an 11 percent decrease in their average per-record costs from 2009.The study took into account a wide range of data breach related costs, including:

· expense outlays for detection, notification and ex-post response;

· direct costs such as the expense of forensic experts, outsourced hotline support, free credit monitoring subscriptions and discounts for future products and services;

· and, indirect costs such as in-house investigations and the extrapolated value of customer loss due to turnover or diminished acquisition rates.

Analysis of the economic impact of lost or diminished customer trust, as measured by churn rates, was also taken into account in the study. Regulatory compliance contributes to lower churn rates by boosting customer confidence in organizations’ IT security practices. Overall, average abnormal churn rates across all 51 incidents stayed level at 4 percent. Pharmaceuticals and healthcare were once again the industries with the highest churn rate (both up a point to 7 percent in 2010). The industries with the lowest abnormal churn rates were the public sector (less than 1 percent) and retail (1 percent). Industries with the highest 2010 average per-record costs were communications ($380), financial ($353) and pharmaceutical ($345). Those with the lowest costs were media ($131), education ($112), and public sector ($81).

For the third consecutive year the study found that direct costs accounted for the largest proportion of overall data breach costs, while indirect costs continued their trend of gradual decrease. Increases in legal defense costs remain a leading reason for increased spending in ex-post response, as companies fear successful class action lawsuits by breach victims. These trends indicate that companies are making serious efforts to repair the damage breaches cause and are slowly rebuilding customer and partner confidence. This, in turn, is lowering the number of present and potential customers who take their business elsewhere after a breach. These results may also bolster the argument that organizations are focusing more on regulatory compliance, as direct costs correspond to the cost activities covered by data protection regulations.

Malicious Attacks on the Rise

Protection against viruses, malware and spyware infection has become organizations’ top priority. According to the study, 2010 marked the first time that malicious and criminal attacks were the most common and most expensive cause of data breaches. In previous years, malicious attacks have been consistently ranked the least common form of data breach. Thirty-one percent of all data breach cases included in the study involved a malicious or criminal act, a 7 percent increase from 2009. At $318 per-record, the average cost of malicious attacks increased a staggering 48 percent from 2009. Nearly all of the study respondents (97 percent) reported that they considered cyber attacks the most severe threat to their ability to carry out their missions.

Breaches by third-party outsourcers are becoming slightly less common but much more expensive. Though third-party mistakes experienced a slight decline in 2010, their per-record cost rose $85 (39 percent) to $302; an indication that compliance with government and commercial regulations for data protection are dramatically raising breach costs involving outsourced data. Similarly, breaches involving lost or stolen laptop computers or other mobile data-bearing devices have remained a consistent and expensive threat. While the number of reported breaches involving stolen or lost mobile devices decreased from 34 to 35 percent, the per-record costs rose $33 (15 percent) to $258 per-record. Historically, device-oriented breaches have cost more than many other types of breaches due to the expense of necessary investigations and forensics.

Vigilance and Prevention: An Ongoing Challenge

Negligence remains the most common cause of data breaches. The increase in number of breaches caused by negligence in 2010 rose only slightly – from 40 to 41 percent – but the average cost per-record rose 27 percent to $196 per-record. This steady trend reflects the ongoing challenge of ensuring employee and partner compliance with security policies. Companies are getting more vigilant about prevention, as system failures decreased from 36 percent in 2009 to 27 percent in 2010. This trend indicates organizations may be more conscientious in ensuring their systems can prevent and mitigate breaches through new security technologies and compliance with security policies and regulations. The study data seems to bear it out: Investments in identifying and remediating data breaches are paying off.

Encryption and other technologies are gaining ground as post-breach remedies, but training and awareness programs remain the most popular. Sixty-three percent of respondents use training and awareness programs after data breaches, down 4 percent from 2009. Encryption is the second most implemented preventive measure as a result of a data breach, at 61 percent. Both encryption and data loss prevention solutions have increased 17 percent since 2008.

“We continue to see an increase in the costs to businesses suffering a data breach,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Regulators are cracking down to ensure organizations implement required data security controls or face harsher penalties. Confronted with both malicious and non-malicious threats from inside and outside the organization, companies must proactively implement policies and technologies to mitigate the risk of costly breaches.”

“Securing information continues to challenge organizations at all levels, but the vast majority of these breaches are preventable,” adds Francis deSouza, Senior Vice President, Enterprise Security Group, Symantec. “Organizations must not only protect the data itself wherever it is stored or used, but also create a culture of security including training, policies and actions. The results of this study show that companies with information protection best practices in place can greatly lower their potential data breach costs.”

By taking a holistic approach to data protection, companies can better protect data wherever it is – at rest, in motion or in use. Symantec recommends that organizations implement the following best practices, whether or not they have suffered a data breach:

· Assess risks by identifying and classifying confidential information.

· Educate employees on information protection policies and procedures, and hold them accountable for non-compliance.

· Deploy data loss prevention technologies which enable policy compliance and enforcement. For example, proactively encrypt company laptops to minimize damage following theft or loss.

· Integrate information protection practices into your business processes.

· Vet and evaluate the security posture of third parties before sharing confidential or sensitive information. Pick responsible vendors that can guarantee data protection through encryption and appropriate procedures and controls. Also, ensure that third parties protect data on their employees’ mobile devices.

While manual and policy approaches are a good start, by themselves they are not as effective as a multi-pronged approach that includes automated IT security solutions. Many kinds of automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners. Some of the most popular and effective of these technologies currently available include:

· Encryption (including whole disk encryption and for mobile devices/smartphones). Ensure that portable data-bearing devices – such as laptops, smart phones and USB memory sticks – are encrypted, especially for extensive business travelers. Also, consider implementing inventory control, anti-theft devices and data loss prevention (DLP) policies, practices and technologies.

· Data loss prevention (DLP) solutions.

· Identity and access management solutions.

· Endpoint security solutions and other anti-malware tools.

In addition, by centralizing the management of IT security solutions companies can automatically enforce IT security best practices throughout their organizations and align data protection with their security policies and regulatory or business-partner mandates.

Companies in a rush to respond to data breaches often do not believe that they have the time to bring in outside help to meet compliance requirements. As a consequence, fewer companies are using external consulting support, even though such support lowers data breach costs. The proportion of respondents that engaged outside consultants fell 7 points in 2010 to 37 percent. The study data suggests that moving too quickly through the data breach process may cause cost inefficiencies for companies, particularly during the detection, escalation and notification phases. Companies are choosing to absorb the additional costs of quick response due to the pressure of compliance with commercial regulations and state and federal data protection laws. Despite this pressure, PI and Symantec recommend that companies take as slow and thoughtful an approach to data breach response as possible – given the federal and state legal requirements applicable to their location, industry and circumstances of the breach.

Summary

Perhaps the most striking study trend is the strong correlation between data breach costs and the presence or absence of major data breach causes or data protection best practices. Specifically, 2010 costs for breaches involving all major causes grew between 15 and 48 percent from 2009.

Conversely, breaches that lacked those factors or illustrated best practices dropped between 1 percent and 27 percent. These figures may indicate that organizations’ data breach costs stayed relatively stable or only increased a small amount in most cases.

As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Therefore, larger breaches continue to be a more serious cause for concern than smaller breaches. Customer turnover in direct response to breaches remains the main driver of data breach costs: For the second straight year, abnormal turnover of customers after data breaches appears to be the dominant factor in data breach cost.

Overall, the study data suggests that American companies are getting serious about their stewardship of sensitive personal data and are taking greater steps to ensure its protection from breaches. The study also reinforces the efficacy of best practices for IT security and privacy in protecting data and providing positive returns on investments.

The post IT Security: The Rising Costs of Quick Response appeared first on BC Records Management Services.

Dropbox says users can now view photos via mobile phone “as easily and vividly as you would from your computer.” By visiting the Dropbox site from their mobile phone, users can then select the Dropbox icon, click the “Photos” button and see the photos in their “Camera Uploads” folder in what Dropbox is promoting as a “big, shiny gallery format.” Dropbox photos can also be viewed at full size on a mobile phone and mobile users can flip through photos one at a time.

Enhancing Photos for All Mobile Users
One of the most significant aspects of this move by Dropbox is that the mobile site itself has been enhanced. Thus users of mobile platforms that Dropbox has not yet developed an app for (such as Windows) can now get the same enhanced photo-enhanced experience as users of Dropbbox’s iOS and Android apps.

A new article in TweakTown comments on the importance of the latest upgrade to the Dropbox mobile experience. “Dropbox have moved toward a gallery-style image viewer, which is available to anyone with a mobile device,” states the article. “Windows Phone is included, which is great news as there’s no official Dropbox application on Microsoft’s mobile OS.”

Source:http://www.cmswire.com

The post Dropbox Improves Mobile Photo Viewing Experience appeared first on BC Records Management Services.

Shredders are a supposedly secure way of destroying evidence, not only in criminal endeavors but also as a way for businesses to protect their clients from garbage-rummaging identity thieves, and for governments to get rid of classified documents.

But just how secure are those shredded bits of paper that get tossed in the dumpster?

That’s exactly what the Department of Defense’s Defense Advanced Research Project Agency, commonly known as DARPA, is trying to find out.

On October 27, DARPA issued a challenge to the world: build a computer program that could analyze bits of shredded documents and piece them back together. The goal, as stated on the shredder challenge website, was “to identify and assess potential capabilities that could be used by our warfighters operating in war zones, but might also create vulnerabilities to sensitive information that is protected through our own shredding practices throughout the U.S. national security community”

While the challenge went unnoticed in many spheres of society, the computer programming world sat up and took notice. More than 9,000 teams registered to compete for the $50,000 prize. To reach the finish line, the teams had to reconstruct documents for five separate problems, and correctly answer questions about the information contained in the documents.

A team named ‘All Your Shreds are Belong To Us’ won the top prize on December 2. Led by computer programmer Otavio Good, the team was made up of a group of acquaintances from the San Francisco Bay area.

Good entered the contest on a whim, thinking that it would be a fun project to tinker with on weekends. But over the course of a month, he and his two teammates spent more than 600 hours programming and putting together the equivalent of a really difficult jigsaw puzzle.

A really hard virtual jigsaw puzzle, that is. The official puzzle consisted of five documents shredded into 10,120 small strips. These were then scanned into a digital document, so that everyone participating would have the same material to work with.

Good and his team designed a computer program that would examine the scanned pieces and suggest connecting shreds to a human operator. He said that the program came together over time, and they eventually trained it to recognize connecting letters, patterns on the paper, and other distinguishing features.

So, if Good and his friends can write a computer program that can piece together shredded documents, just how safe are your shredded bank statements? Right now, they’re probably ok. A group of people can eventually reconstruct shredded documents by hand if they work long enough, especially if the document in question is only torn into a few hundred pieces instead of a few thousand.

And even with a program like Good’s helping out, it takes hours upon hours to piece thousands of shreds of paper together, and when they’re mixed in with the remains of other pieces of paper, the task gets exponentially harder. While it’s certainly possible to rebuild your shredded tax returns, the time required to do so is usually enough of a deterrent. Especially if you’re a relatively low-profile target, as most of us are.

This story was provided by Life’s Little Mysteries, a sister site to SecurityNewsDaily.

The post How Safe Are Your Shredded Documents? appeared first on BC Records Management Services.

Register before *January 16th for early bird pricing!* Registration will also include a complimentary lunch and a chance to speak with fellow archivists, information professionals, students, and Symposium speakers.
For your convenience, payment can be made with a credit card, cheque or cash.

The post Register now for the ACA Student Symposium, Feb.17! appeared first on BC Records Management Services.