In 2007 and 2008 the industry has seen an upsurge in data breaches affecting millions of consumers and causing corporations to pay heavily in fines.
Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center a total of 336 breaches have been reported in 2008 alone, putting the overall number at 69 per cent greater then this time last year . This is a concern for security teams especially given the fact that a lack of dedicated resources exist to combat and revert this trend.
This is significantly important to take into consideration when going through the formal audit process to certify adherence to Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or Health Insurance and Portability and Accountability Act (HIPAA).
With the significant increase in data exposure corporations can't afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information.
Data breaches can lead to exposure of consumer information through a number of different ways that vary in complexity. The common perception associated with a data breach is the difference between data being extracted from physical assets stolen and actual breaches in perimeter security (electronic).
While there is certainly a number of cases in which stolen assets account for the breach at hand, however; we are seeing a number of electronic breaches that have accounted for some of the most famous incidents of 2007 and 2008.
- TJ Maxx - Monster.com - Hannaford Bros
In fact the financial community has experienced twice the many incidents in 2008 then all of 2007 according to a study conducted by the Identity Theft Resource Center (ITRC). These incidents go hand in hand with regulatory laws that were supposedly designed to mitigate and reduce the risk window in an attempt to avoid such embarrassing situations.
Take for example an organization that has been PCI compliant for years, but suffered a data breach that involved hackers placing targeted malware on credit card processing servers at a major retailer. The question the security team has to ask themselves "Why didn't my current anti-virus solution detect the threat"? I have an interesting hypothesis on this subject that can be found in the article "Regulatory Compliance and the Real Risk of Undetected Malware."
In 2008 implementing measures to protect against data breaches will be critical to the survival of any corporation in the long term. It's not a matter of if you will be breached, but a matter of when, therefore; it's important that the primary goal is to significantly reduce the acceptable loss and mitigate the window of risk.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.