Legislation related to data security has taken hold fairly quickly in the United States and is still evolving at a rapid pace. Organizations are finding themselves under increasing pressure to modify business processes and IT infrastructure in a fundamental manner to meet compliance challenges. However, these organizations often lack sufficient security-specific technical knowledge and experience to design and deploy robust security solutions at maximum efficiency. Budgets and other resources have been stretched to the limit in the wake of growing internal demands for improved protections for business data and applications, external demands from customers and consumers regarding privacy and financial safety, and legislative pressure for significantly heightened controls and reporting mechanisms. The question is: How can an organization respond to the serious security threats against business systems, and employee and customer data in ways that minimize the costs of data security compliance, ensure the adaptability of security solutions over time, meet all relevant compliance requirements, and adequately reduce exposure to risk? Today’s organizations of all sizes must incorporate substantial protections across diverse IT systems and business processes, extending IT budgets and personnel to accommodate new security purchases and added security management needs for the entire enterprise infrastructure. This paper examines existing regulations and provides an understanding of the breadth and scope of relevant security technologies that can ensure your organization will be able to make wise, cost-efficient decisions regarding security strategies, policies, and technology implementations.
EVOLVING DATA SECURITY THREATS

Growing Number and Diversity of Attacks

Years ago, only the occasional big-time computer hacker made headlines; today, data theft and attempted data breaches are commonplace. According to the Privacy Rights Clearinghouse, between January 2005 and June 2007 over 155 million individual records in the U.S. were reported compromised through unauthorized access to data systems, insider wrongdoing, administrative incompetence, or theft of computers and other storage media. Widely publicized incidents include:

- The 2006 disappearance of a U.S. Dept. of Veterans Affairs laptop containing sensitive information on over 28.7 million veterans.
- The theft of a computer server containing the personal information and medical records of 930,000 customers from the New York offices of insurance giant AIG.
- An estimated forty million credit card accounts compromised when outsourcing vendor CardSystems Solutions was hacked.
- Hundreds of thousands of Social Security numbers obtained from data aggregation company ChoicePoint.

Data breach figures swell even further if unreported incidents are also taken into account. Internal and external threats to corporate and personal data include, but are not limited to:

- Unauthorized access to protected information by outsiders or employees
- Compromised system security as a result of system access by an unauthorized person
- Interception of data during transmission
- Corruption of data or systems
Financial Consequences of Data Breaches

Although the true costs of data breaches and related problems are hard to quantify precisely, some figures are available, in part because of the growing number of data breach disclosure laws passed by state legislatures. In its 2006 Computer Crime and Security Survey, the Computer Security Institute (CSI), with the participation of the San Francisco FBI Computer Intrusion Squad, stated that virus attacks, unauthorized access to networks, lost and stolen laptops or mobile hardware, and theft of proprietary information or intellectual property account for more than 74 percent of financial loss. The CSI study indicated that the average reported loss for an individual company in 2006 was $167,713. However, since half of the respondents were unable or unwilling to report actual figures, aggregate loss statistics were inconclusive. By contrast, twice as many respondents provided loss figures in 2005, with total costs listed as $130,104,542 for that year. While many categories saw a decrease in reported losses (in part due to missing information from respondents), reported losses from laptop or mobile hardware theft and telecommunication fraud showed a substantial increase. In fact, telecommunication fraud losses rose more than 400 percent compared to 2005. The study took care to state that “we are suspicious that implicit losses (such as the present value of future lost profits due to diminished reputation in the wake of negative media coverage following a breach) are largely not represented in the loss numbers reported here.”