Such concerns are for good reason, of course. Both cyber and physical compromises resulting in instances of massive data exposures are publicized more frequently. And, often, just as the ink is drying on these news headlines, hoodwinked companies are confronted with class action lawsuits, Federal Trade Commission (FTC) or congressional probes, and profit losses due to lowering stock values or high recovery costs.
Unsurprisingly, these and various other drivers are prompting information security professionals and their bosses to strengthen their corporate risk management plans. According to the
SC Magazine/MXI Security survey, Guarding Against a Data Breach, which was conducted with research firm Millward Brown, 81 percent of the 368 respondents say the threat of a data breach is greatly influencing their organizations' current security initiatives. And another 90 percent of those surveyed agree that their companies are taking steps to prevent customer data from being stolen, exposed or lost.
“Businesses do recognize their exposure even more than a couple of years ago and are taking steps in the right direction,” says Scott Crawford, research director with Enterprise Management Associates (EMA), an independent IT industry analyst and consulting firm.
Though a huge challenge, by enlisting today's available metrics companies are grasping that IT exposure could impact their bottom lines, he adds. “That's suggested by the total cost of TJX and other breaches.”
And the expenses of the TJX Companies incident, which exposed an estimated 96 million credit card accounts and is considered one of the world's worst credit card data breaches so far, keep rising. Recently, the company increased its estimate of pre-tax charges for the compromise to about $216 million from an earlier projection of approximately $168 million. And, some experts have reported that the Framingham, Mass.-based company may spend, in the end, upwards of $500 million on litigation fees, government fines and more.
“You know when you see all these headlines on CNN [or other mainstream news outlets], they don't seem to understand the difference between loss of names and something on the scale of TJX, which is very different,” says Nancy Edwards, VP and chief security officer of State Auto Insurance Companies.
But IT security pros do. And, when a company of TJX's size is estimating costs of about $300 million, corporate leaders from companies like hers are watching closely for the final outcome — from the FTC investigations and possible regulatory fines or legal settlements to the negative publicity and the distraction such a large-scale event poses to executives.
As illustrated by the SC Magazine/MXI Security survey, some 79 percent of respondents from all major verticals say possible negative impact to the corporate brand is a major driver to better safeguard customer, client and other critical data.
“It is not surprising that protecting corporate reputation is a key motivating factor,” says Scott Algeier, executive director of the Information Technology Information Sharing and Analysis Center (IT-ISAC), a community of security specialists dedicated to protecting the global IT infrastructure. “Senior corporate executives increasingly recognize the damage data breaches cause [to] their corporate brand integrity.”
With public awareness about information security at an all time high, Larry Hamid, chief technology officer, MXI Security, a portable security solutions provider, says he's noticing that company leaders are paying more attention to the problem of data theft.
“One customer in particular said, ‘I don't want to end up on the front page,'” says Hamid. So for that organization, it came down more to reputation than bottom line, he adds.
There are other drivers, also. Some 79 percent of survey respondents say regulatory mandates are a major influence, while 45 percent note executive board demand. Only 41 and 40 percent call
out customer demand and profit loss, respectively.
It's plain to EMA's Crawford that all these drivers are interconnected.
“Why are corporate executives sensitive? Why do we have regulatory mandates? Why are customers demanding [better security]?” he asks. “If you follow the chain of consequence, there is the immediate impact of a breach — public disclosure, public embarrassment, demand to remediate. And, if there is no compliance mandate in place, enough high-visibility events often will result in a compliance mandate, which then forces further implementation.”
And some of these regulations have a higher price than others. Executives and their corporations are now being held directly accountable and can face high fines or other costs for non-compliance with such mandates as Sarbanes-Oxley, Payment Card Industry standards, or the Federal Information Security Management Act (FISMA). As a result, some vertical markets are feeling more regulatory pressures than others.
“For us, our biggest customer is the U.S. government and, there, it's just mandated,” says MXI Security's Hamid. “They came and said every mobile device and laptop must be fully encrypted.”
Despite the likes of TJX and the Department of Veterans Affairs coming clean about exposures and then touting remediation efforts — in large part due to still more regulation in the way of state data breach notification laws — the notion of safeguarding private data is far from a fresh idea.
“The manner in which companies are addressing the [confidentiality] of their information assets is evolving and has improved. Part of this is due to regulatory pressure and part is due to the normal evolution of technology and sophistication of processes,” says Simone Seth, a director with PricewaterhouseCoopers, who supports the nonprofit Information Security Forum as part of her job.
To what extent this progress is being made, though, can be contentious. Most companies have a long way to go, according to Jon Gossels, president and CEO of SystemExperts, a provider of compliance and network security consulting services.
“Direct experience provides clear evidence that organizations have insufficient control to ensure that confidential information is protected,” he says. “Sensitive data handling, in general, is not a priority for companies.”
But, they're trying to make it one. Executives are beginning to understand that IT risk is a business risk, says EMA's Crawford. Consequently, organizations are attempting to make IT governance more strategic by better understanding the risks to their businesses, deciding the associated priorities, and then taking a systematic approach to address these.
To help with the specific risk of safeguarding customer and client data, respondents to the data breach survey (who include the C-suite, VP- and director-level execs, and systems and security staff), note several kinds of solutions they have either already deployed or are looking to deploy in the next year. On both lists, some of the top tools include email management/content filtering, database security, secure web services for customers and clients, mobile security solutions and still others.
“In every area — whether encryption or data-at-rest or intrusion detection or malware detection — they're all part of a multi-layered security approach,” says MXI Security's Hamid. “If you don't have something covering all of these areas you have an exposure.”
Another part of that multi-layered approach should focus on more than just technologies, however, adds Rich Baich, principal, Deloitte & Touche. Mirroring Crawford's suggestions, Baich says the key is to create and implement a sound and holistic security program that addresses business risks and priorities, then deciding what tools and policies can help tackle these.
“Again, we continue to focus on purchasing and implementing technology to mitigate operational risks, but that, by no means, translates into mitigating the risk of an issue,” he says. “Investing in technology without having a defined program established as to how the technology is going to reduce risk
today and in the future often leads to ineffectiveness.”
The cost of being vulnerable
According to the survey, the majority of the 368 respondents have so far avoided becoming newspaper headlines for exposing critical private data. Approximately 66 percent say they have not suffered a loss, theft or breach of customer/client data in the last year. Another 21 percent say they have, while 14 percent admit they don't know.
State Auto Insurance Companies' Edwards says she's not surprised that most of the respondents evaded falling victim to a breach. While companies may have suffered some kind of loss or exposure, customers' critical data simply may not have been involved.
While losses for those survey respondents who say they did experience an incident involving private data ran anywhere from less than $100,000 to $500,000, about 40 percent of them
didn't know the costs their companies faced as a result of the incident.
However, most were able to identify how the information was compromised. Approximately 17 percent say their companies experienced targeted attacks, while 17 and 13 percent say data was exposed because of lost or stolen laptops, respectively. Another road warrior problem manifested itself in the form of removable media for 12 percent of these respondents.
Chinks in the armor
The types of exposures revealed in the survey highlight the vulnerabilities organizations will be facing for some time. Insider threats, increased reliance on web applications for transactions, mobility of workers, desktop and server security, and still others are top concerns.
As a result, interest in identity management solutions or secure application coding, for example, is common, according to SystemExperts' Gossels. Additionally, adds Edwards, insider threats will prompt interest in solutions that help CSOs better manage what's happening on their networks internally.
“I think everybody's worried about the insider risk because it's so hard to control. If you've got a reason to collect [private] information, you have a reason for employees to access that information and do something with it,” she says. “Therefore, you've got fragile stuff that people have to handle well, and if your employee practices break down and you hire bad eggs, then those bad eggs have access you wish they didn't. Really knowing who did what with your data and when they did it is tough.”
For Dave Cullinane, chief information security officer, eBay, many of the areas that survey respondents note as priorities in coming months, such as database encryption, already have been addressed at his company. But, given how web-based his organization is, one concern remains constant.
“From my perspective, web security is, by far, the top priority, especially as we get into Web 2.0,” he says.
Generally speaking, another key area for companies is knowing what's going in and out of the company, adds Cullinane. To address this worry, organizations are examining robust content monitoring and extrusion prevention solutions, he says.
To protect credit card and other critical data, organizations must ensure they've safeguarded laptops and other portable devices, as well. In fact, explains Cullinane, his peers are voicing much unease over mobile workers. The small yet powerful handheld gadgets they're toting around have many more applications, so the risk of proprietary data getting exposed is much higher when accounting for these.
A question of ‘when,' not ‘if'
Most experts warn that all organizations should operate under the presumption that important data will get compromised — not if. Moreover, at this stage in the game, the expectation of due care has been set. Regulatory mandates, publicized incidents, and resulting government investigations and fines have made clear to companies that they must be trusted to handle data properly. Failing to take this responsibility seriously is unacceptable.
Therefore, as part of the information assurance and risk management plan that accounts for the vulnerabilities, policies, procedures and solutions to safeguard the operation, organizations would do well to implement a response plan to react to an incident when it does occur. The problem is quite a few companies still have yet to do so.
Although a little less than half of the respondents to the data breach survey — about 41 percent — say they have a cohesive plan in place to deal with a data exposure, breach or loss, another 21 percent have not. Approximately 31 percent say they have, but it's insufficient.
Gossels isn't surprised. Most breached organizations, he says, are “unprepared to handle a security incident. They [have] no real plan in place to categorize an incident, manage the technical response, including determining the extent of the breach, and manage the business response, including notifying customers and handling investor and public relations,” he explains.
Yet such a plan, as part of an overall information security strategy, is crucial to protecting not only customer data, but also other critical corporate information and, ultimately, the longevity and success of the business.
“The results of the survey reiterate the need for companies to take a risk-based approach to information management, including information collection, storage and transmittal, as opposed to simply instituting security procedures to meet minimum regulatory requirements,” says the IT-ISAC's Algeier. “Threats are dynamic and evolving and require robust mitigation strategies.”
The SC Magazine/MXI Security Guarding Against a Data Breach Survey 2008 was conducted by SC Magazine and research firm Millward Brown.
The survey was open to all SC Magazine readers. A total of 368 respondents completed the survey from 10/3/07 to 11/1/07. Results are not weighted. Based on this sample, the results are accurate to a margin of +/– 5.08 percent at a 95 percent confidence level. This report offers selected highlights only. Full survey results are offered in a Premium Edition for $295. Please contact [email protected] haymarketmedia.com for more details.
Focusing on employees
Another area where organizations are flailing is in security awareness and training. Often, corporate employees circumvent company policy, says Jon Gossels, president and CEO of SystemExperts.
“Even when there's a clear definition of what needs to be protected, most companies do a poor job of establishing data sensitivity and handling policies and educating their employees on what data needs to be protected,” he adds.
Companies set their own standard of care when establishing policies, says David Navetta, an attorney and the founding member of InfoSecCompliance LLC. “So when it comes down to whether your organization acted ‘reasonably,' the first thing a plaintiff will look at is whether you have followed your own procedures. Training is a key part of making sure those policies and procedures are followed,”
— Illena Armstrong
Help or hindrance
Regulatory mandates are main drivers for securing critical data, according to survey respondents.
The specific compliance priorities as they relate to the protection of customer/client data stored or shared electronically include Sarbanes-Oxley (SOX) at 54 percent, state data breach notification laws at 48 percent, the Health Insurance Portability and Accountability Act (HIPAA) at 42 percent, the Payment Card Industry (PCI) Data Security Standard (DSS) at 41 percent, and eDiscovery legislation at 29 percent. Others that made the list include the Federal Information Security Management Act of 2002 (FISMA), Gramm-Leach-Bliley Act (GLBA), Department of Defense directives, Family Educational Rights and Privacy Act (FERPA) and still others.
There were particular mandates that respondents say are the most helpful in providing details about safeguards to protect customer and client data. At the top of this list, coming in at 40 percent, is PCI DSS. The reason is “because its scope is narrowly focused on payment card data and it's relatively detailed or certain in terms of the controls that it requires,” says David Navetta, an attorney and the founding member of InfoSecCompliance LLC. And relative to other laws, such as GLBA or SOX that use terms like “appropriate” or “reasonable” in relation to an organization's security, PCI is more clear in spelling out the controls that companies should focus on when it comes to payment card handling, he adds.
“That said, I think that the detail or certainty of PCI is more perceived than real. The PCI standard actually has a great deal of ambiguity and room for interpretation. The problem is compounded because PCI is essentially becoming the law — literally, in some cases, such as the Minnesota Plastic Card Protection Act, and also with the plaintiff's expert in the TJX matter using TJX's failure to comply to PCI against it,” he says. “However, PCI is like a law without a judge or jury to interpret it. The room for interpretation could be trouble to those companies that adhere to looser interpretations.”
Regulatory mandates' sway doesn't end there. Respondents to the survey also state that the likes of Sarbanes-Oxley (49 percent), PCI DSS (32 percent), HIPAA (30 percent), state data breach notification laws (30 percent), and FISMA (19 percent) have helped to elevate to execs the need to implement IT security safeguards to protect critical data.
While that can be a good thing, Rich Baich, principal with Deloitte & Touche LLP, says such weight has a negative side as well. “As a result of legislative pressures, some organizations have chased a compliance-driven strategy rather than a risk-based strategy,” he says. “Before tackling any of these mandates, organizations should establish a data protection framework in which a requirement, such as PCI, would reside. If a data protection framework [is] in place, many of the requirements related to PCI compliance and other [mandates] could be leveraged through existing controls, resulting in potentially decreased spending to meet these newly created compliance requirements.”