The Era of Security Breaches
Post by Chris Curran on May 2, 2011
Guest post by Gary Loveland and Nalneesh Gaur
It seems that today's organized data criminals have redoubled their efforts to get their hands on your customers' data, and into their wallets. A full 85% of data-related security breaches today are masterminded by organized crime, according to the 2010 Verizon Data Breach Investigations Report.
These criminals are using anything and everything to spot opportunity and penetrate defenses: malware and spyware delivered on USB sticks, drive-by infections from seemingly casual web browsing, exploitation of weaknesses in exposed servers, and ordinary email-based phishing. Sophisticated but easy-to-acquire 'point-and-click' toolkits have made it possible for nearly anyone to get into the game, and that has turned digital theft into the new cash cow for some very old-fashioned organized crime syndicates.
With the rise of outsourcing and the advent of cloud-based services, more and more private business and customer information gets shared among affiliates, and every affiliate that holds a copy is another place it can be stolen from. The criminals know it.
After a record number of security breaches in recent years, one marketing company that relies on the daily use of bulk email was recently victimized, with the criminals getting away with millions of customer email addresses and the data associated with them. The result? Security experts are warning of a rise in spear phishing attacks, since a criminal who knows which company a customer does business with can craft a far more convincing lure than a generic phishing mail.
And while the price of entry for the criminals has come down, for the victims of data breaches the price is as high as ever. According to a recent study by the Ponemon Institute, the average breach cost businesses $7.2 million in 2010. That works out to about $220 per record.
Loss of Customer Trust
Time and again, we see that a breach can result in significant, prolonged loss of customer trust. And yet, despite the plethora of violations and incidents of stolen data, netizens as a whole don't seem to be too put off by the dangers. Instead, they have simply come to expect greater assurances of privacy from the custodians of their private information. As a result, the onus remains on businesses active in the digital channel to safeguard their customers' private information, while ensuring that those safeguards rise to meet continuously evolving threats.
While the U.S. Constitution doesn't explicitly guarantee a personal right to privacy, the Supreme Court has heard cases involving privacy matters for over a century now. At a minimum, this suggests that individuals asserting violations of personal privacy are nothing new, and that the topic has been argued and litigated in front of courts, in one form or another, for quite some time.
Some might even suggest that there is already sufficient precedent for a future court to declare a consumer or individual right to privacy, even though courts have declined to do so in the past.
In any event, now is surely a time for caution. Given the regulatory climate and heightened awareness of, and concern for, privacy protection, it seems clear that today's businesses can no longer casually convert the private information of their customers into profits without real consideration of what could go wrong. Today's organizations need to adopt an attitude of cautious realism when dealing with data privacy and the real people who could be harmed by its breach.
A 5-Point Data Protection Strategy
If it was once acceptable for businesses to rely on primitive techniques to safeguard customer information, that day has surely passed. Instead, companies today need a vigorous data protection strategy, one that meets the current need while responding to growing customer expectations.
Building such a strategy requires that:
1. Storing unnecessary customer data is viewed as a liability, so that only the bare minimum of necessary data actually gets collected and retained. Data that was never stored cannot be stolen, and there is less to protect, monitor and eventually notify customers about.
2. Data breaches are treated as a certainty rather than an unlikely possibility. Breaches aren't a matter of "if" but of "when", and the organization should decide in advance how it will detect, contain and respond to one, rather than improvising after the fact.
3. The business understands the implications of a data breach in terms of the risks to be managed and the costs incurred, such as regulatory penalties or loss of reputation, and is therefore committed to protecting its information assets as a normal part of corporate risk management.
4. Processes and technology controls are continually adapted to changing risks, rather than set once and forgotten.
5. The organization enlists employees and partners, who handle the data every day, to serve as a vital layer of defense.
We've found that an information security and privacy strategy is more successful when it's built from the ground up with input from a wide variety of stakeholders and updated on a periodic basis.
Please feel free to share your experiences designing and implementing a realistic, workable data security and privacy plan.