Posts from ‘Compliance’
Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches. Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.
Here are a few noteworthy data points:
- Nearly 800 data breaches were covered in the 2010 report, almost as many as the roughly 900 breaches covered in the previous six years combined
- Roughly 4 million records were compromised in 2010, far fewer than the 144 million compromised in 2009
- Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
- 89% of companies suffering payment card breaches were not PCI compliant at the time of the breach. Because the sample consists only of victims, this does not by itself say how often compliant organizations get breached, but it does suggest that organizations with rigorous compliance efforts are much less likely to end up in the victim pool
- Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component
A key takeaway is that while the number of breaches in the report roughly quintupled in 2010, the number of compromised records actually dropped. This is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.
As the Verizon team points out, in the world of cyber crime, knowledge is power. Not only do companies require visibility into the files and data that are being transferred around, into and out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.
Did you know that the average cost of a data breach is $7.2 million dollars?
Or that the cost of each compromised record is $214, up from $204 the year before (an increase of about 5%)?
A data breach resulting in the loss or theft of protected personal data has serious financial consequences for an organization. The least expensive breach reported in 2010 cost $780,000, and the most expensive one cost over $35 million. You can read more about the cost of data breaches in the Ponemon Institute’s 2010 U.S. Cost of Data Breach study.
Here are a few other key takeaways:
- For the 5th year in a row, data breach costs have continued to rise
- Lost business accounts for over 60% of data breach costs; the rest goes to detection, escalation, notification and response
- Escalating data security threats and compliance pressures are pushing organizations to respond to and disclose breaches faster, and rushed responses tend to cost more per record
- Malicious or criminal attacks now account for 31% of data breaches, and they are significantly more expensive per record to contain and fix than breaches caused by negligence or system glitches
- Negligence remains the most common threat, and an increasingly expensive one
What is your organization doing to ensure the privacy and confidentiality of your information, including when it’s sitting on your servers, being shared between systems and business partners, and shared between people? And don’t spend all your time combating criminal threats. Negligence now accounts for 41% of data breaches, so you must safeguard against negligence too.
Go ahead, estimate the data breach risk to YOUR organization. First, ballpark how many sensitive records (customer, employee, cardholder) are floating around your company today in files, exports and email. Then multiply that number by $214. This is only a rough figure, since Ponemon’s per-record average hides wide variation by breach size and cause, but it is a serviceable starting point, and I’m sure you’ll agree that the ROI on the time, technology and resources spent to protect company data is well worth the investment and risk avoidance effort.
Does it feel like you’re hearing about a new data breach almost every day?
Well guess what — you likely are. The Identity Theft Resource Center recorded 662 data breaches on its 2010 ITRC Breach List. That averages to over a dozen reported breaches per week…. And a whopping total of over 16,000,000 reported exposed records in 2010. The fact that social security numbers and/or credit card information is included in the majority of breaches just makes things even more alarming!
Denise Richardson lays out a solid argument for mandatory data breach reporting, as well as some key takeaways from the ITRC Breach List, including:
- Malicious attacks still account for more breaches than human error, with hacking at 17% and insider theft at 15%
- 39% of listed breaches did not identify the cause — Indicating a clear lack of transparency and full reporting to the public
- 49% of breaches did not list number of potentially exposed records — A clear sign of inaccuracy and incompleteness of reporting
- 62% of breaches reported exposure of Social Security Numbers
- 26% of breaches involved credit or debit cards
As I’ve blogged about before, I firmly believe that individuals whose data has been breached have the right to timely notification. Delays are unacceptable, and hiding a breach is unthinkable. Affected people deserve quick notification so they can check that their credit report isn’t showing strange activity and that their social security number isn’t being used to open new credit cards or to fraudulently report wages.
Mandatory disclosure would provide the structure, discipline and enforcement required for consistent and transparent breach information. Compliance would require a very high level of visibility and control of all files that enter, bounce around and exit an organization. This would benefit not only breached individuals, but also the organizations and their business partners.
For those unfamiliar, the Information Commissioner’s Office (ICO) in the United Kingdom is the independent regulatory office responsible for data protection regulations such as the Data Protection Act 1998.
As with many regulators, actual enforcement has been the major stumbling block to the effectiveness of its policies. Until recently the ICO’s enforcement powers were very limited. Since April 2010, however, it has been able to impose fines (or “monetary penalties”) of up to £500,000 for serious failures to comply with the Data Protection Act, and it has now started using that power:
- A4e was fined £60,000 for losing an unencrypted laptop containing thousands of client details
- Hertfordshire County Council was fined £100,000 for faxing details about a child sex abuse case to the wrong people
At the very least, seeing harsh penalties handed out for data breaches should sharpen organizations’ focus on protecting sensitive business and customer information. Hopefully that focus will be centered less on which device people are using to access company files and data (USB drives, personal email, portable hard drives, smart phones, etc.) and more on the underlying risk mitigation need.
“This is part of a wider trend whereby the penalties for, and consequences of, inadequate security measures are increasingly costly and come from different sources – from the payments card industry, to government and private sector contracts, to activist regulators and the public at large,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “The ICO move has to be seen in the wider context of increased compliance activity.”
Businesses need to take inventory of their own information and understand what confidential files exist and where they are located. Access to confidential files should be granted only to people who need them to do their jobs. Simply writing policies won’t make a difference; organizations need to follow up with policy enforcement, and they must also provide employees with the right tools to keep them productive so they don’t need to resort to their own devices.
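To make the inventory step concrete, here is an added example (not code from the original post or from Ipswitch) of a minimal data-discovery scan of the kind the paragraph calls for. It walks a directory tree, flags files that appear to contain payment card numbers (Luhn-validated, so random digit runs are not reported) or US Social Security Numbers, and records whether each flagged file is readable by users outside its owner and group. The directory layout, file names and the card and SSN values are constructed sample data for the demonstration; the well-known test card number 4111 1111 1111 1111 passes the Luhn check, the other digit runs do not.

```python
"""Added example: inventory files holding card numbers / SSNs and check their permissions.
All paths and sample data below are constructed for the demo; nothing here is real data."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in AAA-GG-SSSS form. Area 000/666/9xx, group 00 and serial 0000 are
# never issued, so they are excluded to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. anyone on the host can read it."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def scan_tree(root: Path) -> list[dict]:
    """Walk root and report every file containing card numbers or SSNs."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue                      # unreadable or vanished; skip, don't abort
        pans = find_pans(text)
        ssns = SSN_RE.findall(text)
        if pans or ssns:
            findings.append({
                "path": str(path.relative_to(root)),
                "pans": len(pans),
                "ssns": len(ssns),
                "world_readable": world_readable(path),
            })
    return findings


def demo() -> list[dict]:
    """Build a constructed sample tree in a temp dir and scan it (sample data, not real)."""
    root = Path(tempfile.mkdtemp())
    (root / "exports").mkdir()
    # 4111 1111 1111 1111 passes Luhn; 1234-5678-9012-3456 does not.
    (root / "exports" / "orders.csv").write_text(
        "id,card,amount\n1,4111 1111 1111 1111,19.99\n2,1234-5678-9012-3456,5.00\n")
    (root / "hr_notes.txt").write_text("Employee 123-45-6789 started Monday.\n")
    # 13 digits that fail Luhn: must not be reported as a card number.
    (root / "README.txt").write_text("Nothing sensitive here; order 1234567890123.\n")
    os.chmod(root / "hr_notes.txt", 0o644)            # readable by everyone on the host
    os.chmod(root / "exports" / "orders.csv", 0o600)  # owner only
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "WORLD-READABLE" if f["world_readable"] else "restricted"
        print(f"{f['path']}: {f['pans']} card number(s), {f['ssns']} SSN(s) [{flag}]")
```

Run against a real share, the interesting output is the combination: a file that both holds cardholder data and is readable by everyone is exactly the “ungoverned” data the surrounding posts warn about, and it is the first thing to lock down or move into a managed transfer path.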
Okay we get it. WikiLeaks had the gumption to collect private cables sent to and from the United States State Department, and actually publish them on a website accessible by anyone with Internet access. But the United States State Department blaming USB thumb drives and/or WikiLeaks for their failure to properly mitigate the risks associated with sensitive communications between government officials and ambassadors is just ridiculous.
I remember that shortly after the 9/11 terrorist attacks the country waged all-out war on white box vans and U-Haul trucks, because those might have been the means by which terrorists would conduct future attacks. Creating an immediate policy that bans the use of USB thumb drives by United States government officials is not only overkill, it also doesn’t make sense and it won’t work unless we also start banning iPhones, BlackBerrys, digital cameras, portable scanners, wristwatches, necklaces, belts, laptops, fax machines, e-mail and all the other ways that individuals store and move information.
Here’s an opportunity for our government to start to consider not just classifying data but actually making an effort to enforce policies around access and usage. Some news agencies are reporting that over 3 million individuals had access to the network holding the hundreds of thousands of cables that were reportedly sent to WikiLeaks. Let’s put that into perspective. If one of the world’s largest financial institutions decided to give 3 million individuals access to Social Security numbers, bank accounts and credit card numbers, that financial institution would be run out of business and subject to fines, penalties and the obligatory congressional hearing. It just doesn’t happen.
Just like any company or institution that stores and shares data on its customers and/or constituents, the US government, and specifically the US State Department, needs to be held accountable for access control policies, the enforcement of those policies, and visibility into both the access and the usage of sensitive information. But clearly there is an issue of way too many ungoverned pipes connected to critical data stores and sources. Managed file transfer is certainly part of the answer. Consolidating all of those ungoverned pipes can help as well. A little content management and DLP would likely be valuable too. Or maybe just a good old reclassification and risk mitigation of sensitive data so that it isn’t accessible by 3 million people.
Over the last 9 1/4 years we stopped a lot of white box vans but I’ve yet to see a security report or an intelligence report (provided by the news media, I am not one of the 3 million who have access to that type of information) that says we’ve significantly mitigated our risk of terror attacks because we don’t allow white box vans.