Guarding against a data breach
A slumping economy will have a bearing on spend for safeguarding critical data in more ways than expected, reports Illena Armstrong.
For most chief executives, anxieties about the global economic plunge have far outpaced concerns regarding the risks of data breaches. As overall confidence in the market seems to continue its wane, corporate leaders are searching for ways to keep the financial crisis from further eroding business plans and profit gains.
But a sinking economy has historically had the effect of escalating various types of crime, both physical and cyber.
“Numerous studies have shown that crime and the economy are linked,” says Richard Starnes, special assistant in the Commonwealth Office of Technology in Kentucky. “No one is immune to market forces, not even criminals.”
And this fact has a way of deepening the already challenging problem of defending against well-established risks to confidential customer and corporate information bouncing around the internet.
“There is no doubt, based on the feedback we are hearing, that 2009 will present budget challenges. On the other hand, a focus on risk would suggest that the difficult economic times we are involved in would likely also cause us to witness an increase in cyber-related crime activity – including data theft attempts,” says Paul Smocer, vice president of security for BITS, a nonprofit, CEO-driven financial service industry consortium made up of 100 of the largest financial institutions in the U.S.
Predictably, this means that IT security executives responsible for safeguarding against intensifying threats to both their customers' and their company's critical data want to continue to see their programs receive a greater portion of their stakeholders' mindshare. And certainly, at least for the last couple of years now, corporate leaders, understanding the damage to brand and profits that a lone data breach can cause, have been throwing greater and greater support behind risk management plans and the IT security departments managing them.
“Protecting our products, customers, and reputation is critical to continued business success. My company certainly recognizes that. As a result, I spend a lot less time defending why we need security,” says Patty Edfors, chief privacy and security officer for Mirixa Corporation, a company sponsored by the National Community Pharmacists Association (NCPA) that specializes in targeted patient care services delivered via the nation's largest pharmacy-based patient care network.
However, some information security professionals are not as fortunate, revealing concerns that over the next six to 12 months their hard-won executive backing will wither away alongside the economy's seemingly unending meltdown.
Exactly 80.6 percent of the 217 respondents to this year's second annual Guarding Against a Data Breach survey, which was conducted by SC Magazine and BT with research firm Millward Brown, say the threat of a data breach is greatly influencing organizations' current security initiatives. This number mirrors closely last year's result at 81.3 percent from 368 participants.
But, despite this influence, more respondents to the survey this year anticipate a decrease in budgets for IT security projects and data loss prevention efforts over the next year. About 11 percent foresee moderate or dramatic decreases – a stark contrast to about five percent last year. Additionally, approximately 53 percent expect their budgets to remain fixed compared to 41 percent last year.
Other respondents, though, have hope that the amount of funding slated for their IT security programs actually may increase despite the bleak economic times. Though the number has shrunk when weighed against 2007 results, 37 percent believe they will see dramatic or moderate increases in budget dollars as opposed to 54 percent in last year's study. Though some might deem these information security professionals too optimistic about funding, their thinking makes sense to BITS' Smocer.
“Minimally, we expect that budgets related to cybersecurity will remain relatively flat with organizations acting to sustain the programs they have put in place to prevent data loss and data theft,” says Smocer. “We can see, however, given the risk scenarios, the possibility that selective increases will occur in cybersecurity budgets.”
Yet, times have a way of changing quickly, so, for Edfors, it's “anyone's best guess” what the future may hold in the shadow of a degrading economy.
“It may mean that we have to have less separation of duties in our workforces and have less to spend on technology security improvements,” she explains further. “So our only real defense is to work creatively and flexibly to find compensating controls.”
Moving in the right direction
Of the 217 respondents to the SC Magazine/BT survey, 88 percent agree that their company is taking the right steps to prevent customer/client data from being stolen, exposed or lost, which parallels closely with the 90 percent of 368 respondents in last year's survey. But, just like last year, this may be more indicative of overly optimistic views of security, rather than confirming that companies are engaging in proper planning and management of critical information.
“If 88 percent of respondents were taking the right steps to prevent data theft, then data theft wouldn't be such a big problem. My guess is that the steps they're taking are necessary, but not sufficient, to prevent data theft,” says Bruce Schneier, chief security technology officer at BT, a provider of communications solutions and services operating in 170 countries. “The respondents may believe that their company is taking the right steps, but it doesn't mean that they are addressing the right goals.”
To Schneier, the best approach to protecting critical data is “setting up a comprehensive program of assessment, enhancement and testing,” with the understanding “that such a program is not a quick fix.” More importantly, for it to be effective, it has to have ongoing executive buy-in, both in terms of support and budget.
“If, on the other hand, they are approaching it from a check-box mentality, driven primarily by price, then they are buying nothing but a false sense of security,” he adds.
Indeed, says Kentucky's Starnes, a follow-up exercise for those who note they are undertaking the appropriate means to protect data would be to engage their external auditors, asking them the same question. “I think those numbers would more properly reflect the reality of the situation,” he adds.
Still, the fact that corporate executives and their IT security officers understand the need for protecting critical data is significant. Out of the 217 respondents, approximately 65 percent agree that their IT security departments and executive leaders will make strides to continually improve overall data security, up slightly from 63 percent last year.
“All companies understand that bad security is bad for business, but not all companies realize that good security is good for business,” says Stephen Scharf, senior VP and global CISO for Experian. “As organizations continue to understand that security is a value differentiator, which can add to a competitive advantage, I would expect the percentage measurement on this question to increase.”
Accounting for risks and drivers
To be sure, despite expected belt-tightening, the drivers behind risk management and data protection initiatives stand strong year upon year. Possible negative impact to the company (75 percent), regulatory mandates (71 percent), possible profit loss (43 percent), customer demand (36 percent) and executive board demand (35 percent) are all factors that compel respondents to the SC Magazine/BT survey to better safeguard customer and other critical data from being stolen, exposed or lost.
These statistics have changed since last year's survey, which showed that regulatory mandates and possible negative impact to the company were tops at 79 percent. Executive board demand followed at 45 percent, while customer demand and possible profit loss came into the last two slots.
“It's a bit surprising that the ‘regulatory mandates’ category has dropped nearly 10 percent, given that there are more laws on the books and more points of enforcement each year,” says Schneier. “Equally, the drop in executive board demand by 10 percent suggests that either the risk has been reduced or that pain threshold for the executive boards has. It is highly unlikely that the risk has been reduced, since the number of data breaches has only increased in the past year.”
What he believes is more likely is that to some, reports of data breaches are becoming old news, too repetitive given the frequency with which they now appear in mainstream media outlets. Additionally, because there have been no significant prosecutions for data thefts or more companies being brought before Congress to discuss why data was exposed, the risk probably is being perceived as lower.
[Map: Major 2008 data breaches showing individual records lost (Source: Privacy Rights Clearinghouse)]
As for those drivers that help IT security officers to get the resources and budget they need, just like last year, regulatory mandates (62 percent) and possible negative impact to the company (59 percent) were the leaders this year. Following these were possible profit loss (at 35 percent) and executive board and customer demand (at 33 and 30 percent, respectively). But, profit loss last year was further down the list.
BITS' Smocer says the issues pushing budgets seem relatively consistent year-over-year, and while percentages may change a bit, these fundamental drivers will remain the same. Mirixa's Edfors agrees.
“Given the number of reported breaches and the activities with state security breach laws, these numbers don't surprise me,” she says. “While we all are trying to keep up with myriad regulatory mandates, the bottom line is protecting the brand, customer and company.”
Protecting the company and its customers requires an understanding of the risks – and, make no mistake, these abound.
For many, mobile security concerns are certainly high on the list of priorities, as are application security and browser vulnerabilities, says Jerry Dixon, director of analysis, Team Cymru, and former director, NCSD, DHS.
Dixon's list ties closely to how respondents to the SC Magazine/BT survey are spending their money to deploy various solutions next year to safeguard customer/client data. Making the top of the list, as it did last year, is email management and content filtering (60 percent). Following in this year's results are database security (55 percent); mobile security solutions (49 percent); email encryption solutions and secure web services for customers (45.2 percent); data loss prevention solutions/services (44 percent) and web application security and secure coding (42 percent). Rounding out the list were items like two-factor authentication, laptop encryption, access controls at the perimeter, web/IM/P2P filtering appliances, and more.
“You will note a significant number of responses dealing with application-oriented security,” says Kentucky's Starnes. “This is where the threat vector has moved. Hackers are no longer primarily seeking to exploit operating system flaws. They have moved on to application-oriented vulnerabilities. This has the unfortunate effect of considerably widening the number of possible attacks.”
In addition to web application security rising in prominence over the coming year, database security and mobile threats will continue to be main concerns, adds BT's Schneier.
“There are more and more databases being pushed into the edge of the network, instead of residing solely deep inside the core of the corporate network environment,” he explains. “Also, USB port security will likely come into its own.”
Moreover, says BITS' Smocer, while the priorities noted in the SC Magazine/BT survey reflect what he understands to be the priorities of BITS members, he also sees an increase in expenditures for “the monitoring of outbound traffic levels and outbound traffic destination points.” Given some of the recent malware that has come onto the scene, this type of monitoring is proving effective at detecting data loss, he says.
“We do expect to see an increasing level of malware and trojan activity in the future, particularly focused at the consumer level, but also affecting corporate networks,” he adds.
Evolving with the threat landscape
“It has become clear, over the last two years in particular, that data theft has become a growing business with an increasingly growing level of crime syndication behind it,” says BITS' Smocer. “As organizations assess risk, most would have recognized this and recognized the need to keep enhancing their cyber defenses and internal controls.”
Also, generally speaking, corporate leaders must understand that as new technologies to meet business goals evolve, so too will cybercriminals, says Schneier.
“Attackers will always be looking for the path of least complexity and resistance,” he says. “Technology changes will enable new attacks.”
So, organizations have to be prepared. But, from the looks of the SC Magazine/BT survey, many are not.
“It is good that companies are taking the threat of data breaches seriously and taking steps to prevent them. Nevertheless, more can be done,” says Chris Painter, deputy assistant director of the FBI's Cyber Division. “I note that only 39 percent of respondents say that they have a cohesive and complete plan in place to react to data breaches. This is something that all companies should have, so that they are not scrambling to devise a plan in the midst of a crisis.”
Organizations and standards are out there that can assist security pros in building an incident response plan, says Starnes. And, while such planning does require a certain mindset, having a strategy in place before a breach occurs is critical.
Some corporate executives, though, may just think it won't happen to them. Experian's Scharf says it's probable that the 71 percent of respondents who don't have one in place haven't gone through a data incident before, which may, in their minds, “reduce the need for preparedness.”
Or, perhaps, they simply feel as if they don't have the resources to develop and test a formal incident response plan. For these companies, Scharf suggests starting “with some basic elements, such as creating calling trees and assigning system/application owners.”
“If a breach occurs, you will at least know who to call and which person is responsible for the system in question,” he explains.
Also, the plan should include arrangements to involve law enforcement entities, says the FBI's Painter, “so that we can bring those responsible to justice, help stem the distribution of stolen data, and thereby protect consumers and have a deterrent effect on those who might steal critical data in the future.”
In addition to incident response plans, it's also crucial to establish and continually strengthen overall risk management plans and security strategies. To be both effective and well-organized, IT security pros can enlist the help of standards to develop these. Approximately 63 percent this time around, compared to 61 percent last year, are turning to standards to help evolve or better their overall security strategy. Those of note include ISO 17799 (35 percent), ISO 27001 (48 percent), the U.S. Department of Defense Trusted Computer System Evaluation Criteria (Orange Book) (26 percent), and standards such as COBIT, NIST, OWASP, PCI and HIPAA (24 percent).
The best tactic to create and maintain these: Pick and mix, says Starnes.
“None of the … standards will exactly match the needs of a company,” he explains. “Do not be afraid to pick the components that work for your company from a wide range of standards, but never forget that compliance with a standard does not equate to security.”
“Data breaches are posing an increasing and serious threat to consumers and businesses. The harm they cause is not limited to the financial cost of a stolen credit card and financial data, but includes substantial and difficult to quantify harm to the privacy of the consumers whose data is stolen,” says the FBI's Painter. “These breaches also can have a significant impact on the business reputation of those companies which are the victims of data breaches. Because of the value of financial, customer and other data, it is not surprising that cybercriminals, including online criminal groups, are targeting corporate data for theft and, later, distribution.”
And such online threats, executed both inside and outside the organization, are bound to increase, so companies must stay diligent, adds Smocer.
“The sophistication of organizations' risk processes has grown significantly over the last few years. While clearly other risks, such as credit risks, have come to the fore, we would believe that organizations' risk assessment processes would continue to drive a focus on cyber risk,” says Smocer. “Of course, the realities of today's economy will have an influence as well.”
Growth of IT security budgets, then, might be less likely this year, he adds, but cyber risks and the potential negative impact they could cause will remain top concerns for most companies.
And since most organizations will try at least to sustain the IT security measures they have put in place, even if they lack the funding to further enhance them, the best approach for IT security executives will be to focus on risk assessment. Such a tactic will help focus decisions when pulling from scarcer resources, Smocer explains further.
Layoffs, cuts of non-revenue-generating services, and possibly even companies “falling into a state of non-compliance” with some regulations could be the result of reduced resources, according to Starnes, yet “consumer concerns over data protection” will continue to garner support for activities that safeguard such data in the next year.
In the end, the possible impacts to companies failing to address data security issues could be far greater than the initial capital outlay to mitigate against these, explains Experian's Scharf. Most corporate executives get this, even if bottom lines aren't what they used to be.
“Mature organizations understand that information security is not something that gets slashed indiscriminately to save a few dollars,” Scharf says. “These short-term cost savings can quickly lead to long-term losses if protections are dropped below acceptable levels. In addition, regulatory requirements demand certain thresholds that must be obtained, regardless of how the economy is performing. Where I do see increased change is in the transparency of information security spend and the need to continue to articulate the value proposition for requested initiatives. Security executives must be prepared to clearly demonstrate that their budgets are in line with industry averages and are appropriately structured.”
A good first step, he says, is to reconcile the company's existing spend and question what you pay for and what value you get for it. “Reducing costs by cutting products which have little value is a good first step in ensuring your required programs get the support they need.”
The SC Magazine/BT Data Breach Survey was conducted by SC Magazine and Millward Brown. Email notification was sent to corporate professionals and a total of 217 IT/information security professionals completed the survey online between October 15-31, 2008. Results are statistically tested at a confidence level of 90 percent. Results aren't weighted.
COMPLIANCE: Why it's important
Regulatory mandates continue to be a top reason why corporate leaders feel compelled to safeguard critical customer and company data.
Although regulatory mandates took second place at 71 percent in this year's SC Magazine/BT Data Breach Survey, they fell short by only a few points of possible negative impact to the company, the top factor at 75 percent. Other top drivers included possible profit loss at 43 percent, customer demand at 36 percent and executive board demand at 35 percent. In last year's survey, these two drivers tied for first place at 79 percent.
“Perhaps one explanation for the slight drop associated with ‘regulatory mandates’ is simply that they have become fairly long-lived and organizations have become used to complying with them,” says John Carlson, senior VP of BITS. “In addition, while regulatory mandates may have, at one time, served as a catalyst to action, we think most organizations have matured to the point where business issues have taken over as the key driver. Organizations realize that a perceived loss of customer trust can have a downstream effect on customer retention and on company reputation.”
Regulatory mandates were in the lead position at 62 percent for helping IT security departments get additional resources and budget, however. Possible negative impact to the company (59 percent), possible profit loss (35 percent), executive board (33 percent) and customer demand (30 percent) also helped, according to this year's survey data.
Specific mandates noted as priorities by respondents include Sarbanes-Oxley (50 percent), state data breach notification laws (43 percent), PCI (42.4 percent), HIPAA (41.5 percent) and FISMA (34 percent). Others on the list included eDiscovery legislation, GLBA, FFIEC guidelines, EU Data Protection Act and still more. Experian's senior VP and global CISO Stephen Scharf isn't surprised by the spread.
“Most organizations have realized that properly focused SOX programs can have a positive impact on the protection of customer/client data. While attention to data breach requirements is critical, this is a reactionary process versus SOX, which is more proactive,” he says. “There is also the potential that more companies have had to comply with SOX versus the number of companies that have been required to act in a breach notification process.”
To respondents of the survey this year, PCI was the most helpful mandate to 39 percent in providing details about the proper safeguards to protect customer/client data. Sarbanes-Oxley came in a close second at 36 percent, while HIPAA was third at 31 percent. Others noted included FISMA (28 percent), state breach notification laws (20 percent) and e-Discovery legislation at 18 percent.
Patty Edfors, chief privacy and security officer for Mirixa Corporation, a company sponsored by the National Community Pharmacists Association (NCPA) that specializes in targeted patient care services, says that in her experience PCI definitely gets top billing for being the most specific.
“The certification and self assessment criteria is very prescriptive. I think SOX requirements, since they are supposed to be tailored to the business environment but are based on COBIT, are reasonably disciplined but leave room for interpretation. SOX provides a general framework that allows you to pick and choose what you believe is critical based on materiality for that environment,” she explains. “A certain level of expertise is required, however, to make the right choices.”
Generally speaking, compliance likely will continue to push companies to ensure they're doing all they can to protect critical data. Yet problems will continue to arise for those trying to meet demands. One only has to look to Hannaford as an example. That company, when breached last year (see map), was actually touting being in line with PCI data security standards. Many industry experts used the breach as an example to remind organizations at the time that being compliant with regulations didn't necessarily mean that they were actually secure. Richard Starnes, special assistant, Commonwealth Office of Technology for Kentucky, says companies would do well to remember that “compliance instruments are philosophical.”
“This leaves them open to wide interpretation and, in some cases, misinterpretation. Thus, compliance instruments are only as effective as your assurance staff and executive management allow them to be,” he explains.
Plus, many companies, with offices all over the globe, must contend with international laws – many of which conflict, he adds.
Beyond the many regulations that U.S.-based companies alone must deal with, there are still others coming into force. For instance, the identity theft ‘red flags’ rules just took effect.
“The regulators and the FTC released them in final form in November 2007 with a compliance deadline of November 1, 2008,” says BITS' Carlson. “These regulations emanate from the Fair and Accurate Credit Transactions Act (FACT Act). BITS and our member companies focused a significant amount of time this year discussing how best to comply with these requirements.”
According to Bruce Schneier, chief security technology officer at BT, a provider of communications solutions and services operating in 170 countries, it's all about how much regulations are being discussed in the media and by the creators of the mandates themselves and who's getting prosecuted for non-compliance. With these factors in mind, compliance likely will continue convincing companies to allocate the resources necessary to safeguard critical data.
“I think the top drivers are likely to remain the same in the coming months,” says Schneier.
SECURE CODING: Why it's important
Most experts agree that secure coding practices can go a long way in helping companies protect critical corporate data since cybercriminals often take advantage of holes in applications or software.
“Such practices do help to protect critical data in the sense that insecure coding can provide the pathway into customers' and organizations' data,” says Paul Smocer, VP of security for BITS.
Too few organizations, however, are bettering their secure coding practices before deploying applications for use by customers and clients, according to this year's Guarding Against a Data Breach survey. Out of the 217 respondents, only 34 percent say they have strengthened these practices. Another 23 percent say they have not, while 30 percent say they have, but not nearly enough. Some 13 percent don't even know.
“As resources are divvied up for security programs, it is concerning that secure software development is being overlooked in over 50 percent of the respondents' organizations. A successful secure software development lifecycle is essential in protecting critical data,” says Stephen Scharf, senior VP & global CISO for Experian.
He explains that a secure design process kicks off by bringing together “software architects and security architects to discuss application features and design flows.” This first step will result in “a functional and secure design,” he says. “This is then followed up with implementation reviews to ensure that the design is being written with strong secure coding practices. Lastly, a penetration assessment against the pre- and post-production application will flush out any overlooked issues that allowed exploitable conditions to exist.”
Other techniques that organizations can enlist to get on track with secure coding include training of their programmers, encouraging programmers to obtain certifications in the area of secure coding, and enhanced white and black box testing, says Smocer.
By failing to undertake these and other steps to ensure that holes in their code are plugged, companies likely are leaving themselves open to increasing attacks that use insecure code, such as buffer overflow exploits, which have been on the rise the last few years, he adds. – Illena Armstrong