Data Breaches: Turn Back the Tide
by George Hulme - InfoSec Journalist - CyberArk - Thursday, 14 July 2005.
Those statistics are even more alarming when one considers that in 2004, the Federal Trade Commission said 635,173 identity theft related complaints were reported. That figure is considerably higher than the 403,688 filed complaints in 2002. It’s no surprise consumers are losing trust in E-commerce and how carefully organizations protect their private information. Gartner says 1 in 20 adults are likely to become victims of some form of identity theft.

It’s not just consumers that are losing. According to a survey conducted by the Chamber of Commerce, PricewaterhouseCoopers, and ASIS International, businesses lost between $53 billion and $59 billion between July 1, 2000 and June 30, 2001 due to the theft of their intellectual property.

Set the regulatory demands on information security aside – Basel II, European Union Data Protection Directives, GLBA, HIPAA, SB 1386, and Sarbanes-Oxley – as customers become increasingly security and privacy savvy, sound security policies and trust will increasingly become a competitive differentiator. Gartner predicts that if Internet-based security threats aren’t mitigated, the robust 20 percent annual E-commerce growth rates will be slashed to 10 percent or less within the next two years.

While the myriad of regulations do not dictate what security technologies companies need to set in place, they all demand that business and customer data are adequately guarded.

While it is not possible to eliminate risk, clearly more needs to be done by organizations to reach a higher level of security to protect their intellectual property and their customers’ personally identifiable information. The level of diligence organizations place on securing their business-technology systems simply isn’t high enough – and is one of the primary reasons identity theft cases are soaring. Organizations need to re-evaluate their approach to information security, consider new tactics for protecting digital assets and, most importantly, the trust of their suppliers, partners, shareholders, and customers.

Organizations Need to Get Back to Basics

To turn the tide on the skyrocketing lack of trust customers have toward the way enterprises protect their personal information, organizations need to instill security awareness throughout their enterprises. Security culture within an organization needs to flow from the top down: CEOs, boards of directors, and senior management need to make it clear that information security needs to be an integral part of their daily operations, and that IT security initiatives must be closely aligned with business objectives. Without senior management providing strong security governance, insiders abusing IT resources, system breaches, and careless handling of customer information will continue to proliferate at an alarming rate. Security policy can’t be static; information security policies and procedures need to be dynamic, living documents that are continuously refreshed as technology, computing infrastructures, and business environments evolve.

In a successful information security program, all three pillars – people, process, and technology – must be strong. Senior management lip service to the importance of security, and to the protection of the customer information they are entrusted to secure, no longer suffices. The continuous spate of data breaches clearly shows that simply investing in conventional defenses such as anti-virus programs, content filtering, firewalls, identity management, and intrusion detection and prevention systems isn’t enough. Not enough attention is being placed on the other two pillars of security: people (security training and awareness), and process and procedure (security policy), and no amount of investment in security technologies will make up the difference in the equation.

