Wed, Aug 27, 2008 16:41 EDT
Posted by: Bill Ledingham in Best Practices Topic: Enterprise Management
Introduction
The recent rash of high-profile security breaches, data loss incidents and associated fraud highlights the fact that the security industry is failing to meet the threats organizations face when it comes to protecting the lifeblood of their business – their data and their customers’ data. As the threat of data loss continues to increase, it’s time for IT, CIOs, CEOs, boards and security practitioners around the world to fundamentally reexamine their approach to security and instead make security a strategic, enterprise-wide initiative focused on protecting the most valuable asset: the data.
Protecting Data Within the Corporation
The value, quantity and mobility of data have increased to a level where any lost or stolen laptop or mobile device can lead to a significant loss of highly sensitive information. The recent examples of data loss are numerous and well-publicized. At Anheuser-Busch, a stolen laptop exposed 90,000 employees’ Social Security numbers and home addresses. At Countrywide Financial, a former employee compromised 2 million records, including Social Security numbers of mortgage applicants, which were then sold for profit to Internet thieves. At TJX and other retail companies, the largest recorded data breach story continues to grow: the current count exceeds 100 million credit card users affected, and it has cost TJX and Visa over $40M in settlement costs. These examples represent the tip of a growing iceberg.
An analysis of these breaches points to a combination of vulnerabilities and threats. Networks are porous – given the mobility of data, there is no effective “network perimeter” to protect. Computers are porous – given the size and complexity of the Windows environment and its applications, it’s impossible to protect against all system vulnerabilities. In spite of a confusing array of security products – anti-virus, firewalls, host intrusion protection, network monitoring, etc. – corporate systems are becoming infected and compromised at an alarming rate, due in no small part to the growing sophistication and syndication of hackers and cybercriminals.
In addition to the external criminal threat, threats arise from insiders having access to increasing amounts of sensitive information. The risk of employees stealing information is real. A research chemist at DuPont who downloaded 22,000 sensitive documents prior to accepting a job at a competitor ended up pleading guilty to trying to steal $400M worth of company trade secrets. An employee of Ferrari stole trade secrets and took them to rival McLaren. Luckily, by having the appropriate data controls in place, Ferrari was able to identify the breach and effectively prosecute the case to the tune of a $100M fine against McLaren, the largest in Formula One history.
Certainly, very little insider behavior is purposely malicious. However, through a lack of knowledge of information policies, improper training, perceived expediency or simple negligence, insiders can put sensitive data at risk. In addition, new information security demands arise as business models evolve. Ever-expanding supply chains, the growth in off-shoring and outsourcing, and the move to put more services and data online bring new potential for exposure.
The security industry is focused on the wrong problem. Data loss is not an infrastructure or network problem; it’s about protecting a company’s information where it’s at the greatest risk – whenever and wherever it is in use. It is only at the point of use that data can be effectively controlled. The challenge – and where the focus should be – is on expanding the coverage of effective information controls that can be applied where data is used. These controls need to be extended to anywhere and everywhere sensitive information exists and is used – this includes going beyond the corporate network; beyond the VPN;