Cyber Security Institute


Wednesday, January 17, 2007

Less Data, More Security

Barely a week goes by these days without news of laptops stolen or lost, and loaded with data that can expose employees, consumers or patients to identity theft.  For companies involved, data breaches harm more than a corporate image.  According to research from the Ponemon Institute, a research firm focusing on privacy and data protection practices, data breaches cost companies $182 per record lost.  An FBI survey pegged losses due to data breaches at $67.2 billion in 2006.  And it’s not just companies handling personal data, such as Social Security numbers or medical information, bearing the costs.  That’s why security experts already see a shift in security policies underway, with more to come this year.

“People are running scared with their hair on fire,” said Troy Allen, a risk consultant and CEO of security firm Kroll’s Fraud Solutions unit.

When Pennsylvania’s Geisinger Health Systems learned personal data of some of its patients might be exposed as a result of a laptop theft, it offered ID theft protection from American Insurance Group (AIG).  Begun in 2006, the policy covers businesses, providing up to $25 million in coverage for companies facing legal, regulatory and other costs.

“Password protection only is very weak,” Yankee Group’s Sal Capizzi said.

Boeing had a policy requiring that downloaded data be encrypted, but an employee skipped encryption.

Allen predicts firms will also restrict or ban downloading data to CD or USB flash drives.  “Employers will begin insisting that more information exchange takes place via secure online transfer,” Allen said in a statement.

Kroll is advising data minimization, a concept counter to the prevailing belief that customer information is an advantage.

For Allen, the excuse that a stolen laptop was only a “smash and grab,” where thieves aren’t interested in the data stored there, doesn’t hold water.

Not satisfied with a few hundred or thousand data files, criminals will turn to social engineering to gain access to data, according to Allen.

Posted on 01/17