Data Breaches: Turn Back the Tide
by George Hulme - InfoSec Journalist - CyberArk - Thursday, 14 July 2005.
According to Ernst & Young's 2004 Global Information Security Survey, fewer than half of the respondents provide regular IT security training to their employees, and only one-fifth believe their enterprises treat IT security as a CEO-level priority. The 2004 Computer Security Institute/FBI Computer Crime and Security Survey, which queried nearly 500 organizations with arguably the most sophisticated IT security programs, found that respondents on average believed their organizations invested inadequately in security awareness programs. These same organizations invest heavily in conventional security defenses: anti-virus programs (99 percent), firewalls (98 percent), server-based access control lists (71 percent), and intrusion-detection systems (68 percent). One of the most startling statistics from the survey is that even these companies underinvest in encryption: only 64 percent encrypt data in transit, and just 42 percent use encryption to protect stored files. This raises concerns about how seriously companies take the task of protecting their own information and their customers' information.

Information Security Best Practices

Information security managers are well aware of the best practices outlined below. So why aren't companies better able to secure their intellectual property and the sensitive information they hold about their customers? Because attaining an adequate level of security is extremely challenging and requires a daily, enterprise-wide commitment that starts at the highest levels of management. There is no IT security cure-all, but information is ubiquitous, and as organizations continue to inter-connect customers, partners, and suppliers with their business-technology systems, more must be done. The biggest obstacles to IT security within organizations today are the failure of senior management to drive a "culture of security" and set the proper tone throughout the enterprise, a lack of employee security awareness training, and inconsistent adherence to strong security practices and procedures. Addressing these three obstacles would greatly reduce embarrassing and costly data breaches.

To help mitigate data breaches, organizations need to:

1) Classify and Determine the Value of Data and Business-Technology Systems

Security professionals know that before any data can be cost-effectively protected, it must first be classified. The first task in risk assessment is to identify, assess, classify and then decide the value of digital assets and systems.

Many executives assume the most difficult aspect of a risk assessment is uncovering the abundance of system and configuration vulnerabilities that place their systems at risk. Not so: plenty of tools are available to automate that task. Deciding, organization-wide, the value of data and intellectual property is the far more daunting task security professionals confront.

How much is the research and development data worth? How much will it cost the organization if it loses access to the accounting or customer-relationship management systems for a day? Without knowing the value of information, and of the systems that ensure its flow, it is impossible to make reasonable decisions about how much should be invested to protect them. It makes little sense to spend $200,000 annually to protect information whose exposure or loss would cost the organization no more than $25,000. Tough decisions about the value of information need to be made, and that means bringing together management, legal, human resources, physical security, and other groups within the organization.
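The cost comparison above is one instance of the standard quantitative risk-assessment method: annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence), and a safeguard is worth buying only when the ALE it removes exceeds its own annual cost. The following Python is an added worked example, not code from the article or from CyberArk; the asset inventory, the classification thresholds and the control figures are constructed assumptions, with the article's $200,000 control against a $25,000 exposure included as one of the cases.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    single_loss_expectancy: float    # dollar cost of one loss or exposure event
    annual_rate_of_occurrence: float  # expected number of such events per year


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_factor: float  # fraction of loss events that still occur with the control in place


def annualized_loss_expectancy(asset: Asset, residual_factor: float = 1.0) -> float:
    """ALE = SLE x ARO, scaled by the share of events a control lets through."""
    if asset.annual_rate_of_occurrence < 0 or not 0.0 <= residual_factor <= 1.0:
        raise ValueError("ARO must be non-negative and residual_factor must lie in [0, 1]")
    return asset.single_loss_expectancy * asset.annual_rate_of_occurrence * residual_factor


def safeguard_value(asset: Asset, control: Control) -> float:
    """Net annual benefit of a control: ALE avoided minus the control's annual cost.

    A negative value means the control costs more per year than the loss it prevents.
    """
    before = annualized_loss_expectancy(asset)
    after = annualized_loss_expectancy(asset, control.residual_factor)
    return before - after - control.annual_cost


# Illustrative tiers (assumption): classify by the cost of a single loss event.
CLASSIFICATION_TIERS = ((1_000_000, "critical"), (100_000, "high"), (10_000, "medium"))


def classify(asset: Asset) -> str:
    """Return the highest tier whose threshold the asset's single-loss cost reaches."""
    for threshold, label in CLASSIFICATION_TIERS:
        if asset.single_loss_expectancy >= threshold:
            return label
    return "low"


def evaluate(assets: list[Asset], candidates: dict[str, Control]) -> dict[str, dict]:
    """For each asset: its tier, its current ALE, and whether its candidate control pays off."""
    report = {}
    for asset in assets:
        control = candidates[asset.name]
        value = safeguard_value(asset, control)
        report[asset.name] = {
            "tier": classify(asset),
            "ale": annualized_loss_expectancy(asset),
            "control": control.name,
            "net_value": value,
            "recommend": value > 0,
        }
    return report


# Constructed inventory (assumption). Figures are hypothetical, chosen to exercise the model.
ASSETS = [
    Asset("r&d_designs", single_loss_expectancy=2_000_000, annual_rate_of_occurrence=0.1),
    Asset("crm_outage_day", single_loss_expectancy=40_000, annual_rate_of_occurrence=2.0),
    Asset("marketing_brochure_draft", single_loss_expectancy=25_000, annual_rate_of_occurrence=1.0),
]

CANDIDATE_CONTROLS = {
    "r&d_designs": Control("encrypt at rest + DLP", annual_cost=60_000, residual_factor=0.25),
    "crm_outage_day": Control("warm-standby CRM", annual_cost=50_000, residual_factor=0.2),
    # The article's case: $200,000 a year to protect something whose loss costs $25,000.
    "marketing_brochure_draft": Control("dedicated enclave", annual_cost=200_000, residual_factor=0.0),
}


if __name__ == "__main__":
    for name, row in evaluate(ASSETS, CANDIDATE_CONTROLS).items():
        verdict = "fund" if row["recommend"] else "reject"
        print(f"{name:26} {row['tier']:8} ALE=${row['ale']:>10,.0f} "
              f"{row['control']:22} net=${row['net_value']:>11,.0f} -> {verdict}")
```

Note that the article's $200,000 control is rejected even under the most generous assumptions (the loss is certain every year and the control eliminates it entirely): the arithmetic cannot rescue a control that costs eight times the exposure it removes. The model only works once the organization has agreed on the single-loss figures, which is exactly the cross-functional valuation exercise the paragraph describes.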

2) Adhere to Network Security Basics

