Business Risks Associated With Data Breaches

Written by OSAblog on Thursday, June 11th, 2009

The EU Data Protection Supervisor – the independent EU supervisory authority responsible for protecting personal data within the EU – recently pushed for the EU ePrivacy directive to be amended to provide for a pan-European data breach notification requirement. In parallel, the UK Information Commissioner, who is charged with enforcing the Data Protection Act in the UK, has been given powers to levy ‘substantial’ fines in cases where the Act has been ‘recklessly’ disregarded.

Changes to data security regulation are inevitable after twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, including the UK’s HMRC CD-Rom fiasco, the prolonged theft of TJX credit card records, and incidents such as the hacker infiltration of the customer database of a Berlin Best Western Hotel.

In France, Germany and Spain, the national data protection commissioners have been stepping up their enforcement activity, which includes increasingly substantial fines for non-compliance. Organisations now urgently need to assess the size of the issue, the potential impact on their organisation of a data breach, and the best-practice steps for mitigating the data breach risk.

Last year’s IT Governance Data Breaches Report stated that spectacular data breaches are not caused by the misdemeanour of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organisations where the incidents occur.

A data breach is ‘the unauthorised disclosure by an organisation of personally identifiable information, where that disclosure compromises the security, confidentiality, or integrity of the data that has been disclosed.’ It can come about through employee-caused data leakage; through hacking that succeeds because penetration testing or ethical hacking activities were absent or ineffective; or through deliberate theft or disclosure.

The Attrition database shows a ten-fold increase in the number of reported data breaches – in the US, the UK and across Europe – since 2004. The peaks in reported data breaches following the disclosure of nationally significant breaches, such as the UK’s HMRC data loss, suggest that there were – and probably still are – many data breaches that go unreported, and research suggests that organisations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

Data protection is receiving so much attention for three reasons:

  1. Identity theft is a low-risk, high-return option for organised crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police force[3] and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator’s anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.
  2. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California’s data breach disclosure law, SB1386, have both formalised the concept that personal data must be legally protected, and introduced penalties for failing to do so. The recent amendments to the UK Data Protection Act (DPA), and changes to regulatory activity across the EU that are introducing significant financial penalties for non-compliance with the Directive, make this a particularly urgent issue for UK organisations.
  3. The proliferation of mobile data storage devices – laptops, USB sticks, PDAs – has changed the boundaries of where we store our data and effectively eliminated “fixed fortifications” as an effective tool for preventing data breaches.

The last Ponemon report commented that “the investment required to prevent a data breach is dwarfed by the resulting costs of a breach” and that “the return on investment (ROI) and justification for preventative measures is clear”.

The costs of data breaches – legal costs, the costs of restitution, brand damage, lost customers and so on – are significant; for financial services organisations, the cost was about £55 per compromised record.

Whilst not a matter of legal compliance, if an organisation has a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility. There are nine key steps that every organisation should take:

  1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognised standard for encryption engines.
  2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.
  3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.
  4. Organizations that accept credit and other payment cards should also comply with the PCI DSS.
  5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.
  6. Deploy outbound channel (email, instant messenger) filtering software with customised dictionaries for the relevant legislation and standards, such as the Data Protection Directive and PCI DSS.
  7. Establish a vulnerability patching programme and implement anti-malware software.
  8. Implement a business-driven access control policy, combined with effective authentication.
  9. Develop an incident management plan that enables the organization to respond
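Step 6 above in working form, as an added example that is not part of the original article or of Orthus’s services: a small outbound-message scanner that looks for Luhn-valid payment card numbers (the PCI DSS concern) and for dictionary terms tied to the Data Protection Directive, masks any card number before reporting it, and returns a policy decision. The sample messages and the dictionary terms are constructed assumptions, not a vendor wordlist.

```python
import re
# Constructed sample outbound messages, not taken from the original article.
SAMPLE_MESSAGES = {
    "clean": "Hi, the Q3 figures are attached. Regards, Jim",
    "card": "Customer paid with card 4539 1488 0343 6467, exp 09/11.",
    "dictionary": "Attached is the customer list with name, address and date of birth.",
    "digits_only": "Order ref 1234 5678 9012 3456 shipped yesterday.",
}
# Customised dictionaries per regime (step 6 above); the terms are illustrative assumptions.
DICTIONARIES = {
    "Data Protection Directive": ["date of birth", "national insurance", "medical record"],
    "PCI DSS": ["card number", "cvv", "primary account number", "expiry date"],
}
# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    # Keep first six and last four digits so the filter's own log does not leak the PAN.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in the text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits

def dictionary_hits(text: str) -> dict:
    """Map each regime to the dictionary terms that appear in the text."""
    lowered = text.lower()
    found = {r: [t for t in ts if t in lowered] for r, ts in DICTIONARIES.items()}
    return {r: ts for r, ts in found.items() if ts}

def scan_outbound(text: str) -> dict:
    """Policy: block on a card number, hold for review on dictionary terms, else allow."""
    pans, terms = find_pans(text), dictionary_hits(text)
    action = "block" if pans else ("quarantine" if terms else "allow")
    return {"action": action, "pans": pans, "terms": terms}
```

The Luhn check is what keeps the "digits_only" order reference from being blocked as a card number; the dictionary path only quarantines, so a reviewer decides rather than the filter.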

James Tanner is an analyst at Orthus Limited (http://www.orthus.com). Orthus is a leading provider of information risk professional services, helping organisations globally to measure, minimise and manage the information risks they face. Orthus provide end-to-end services for clients to comprehensively address risk in their environments, including Insider Threats, addressing issues including data leakage, sabotage and fraud; External Threats, including penetration testing, virtualisation security, vulnerability management and Secure Software Development Life-Cycle; Supply Chain Threats, including securing cloud services and data processed by third parties; and Legal and Regulatory challenges (http://www.orthus.com/grc_overview.htm), including the Payment Card Industry (PCI) Data Security Standard (DSS).

Article Source: http://www.articlesbase.com/security-articles/business-risks-associated-with-data-breaches-961225.html