Act Now To Prevent Data Breaches

After twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, it's time to assess the size of the issue and identify best practice steps for reducing the incidence of, and damage caused by, these data breaches.

The IT Governance Data Breaches Report identifies that spectacular data breaches, such as the UK's HMRC CD-Rom fiasco and the prolonged theft of TK Maxx credit card records, are not caused by the misdemeanor of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.

A data breach is 'the unauthorized disclosure by an organization of personally identifiable information, where that disclosure compromises the security, confidentiality, or integrity of the data that has been disclosed.'

The Attrition database shows that the number of reported data breaches in the US increased from 22 in 2004 to 326 in 2006. The pattern in the UK and elsewhere is similar. Three developments in recent years make addressing this issue a real priority:

1. Identity theft is a low-risk, high-return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks: it is easy to be recorded on CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator's anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.

2. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California's data breach disclosure law, SB1386, have both formalized the concept that personal data must be legally protected, and introduced penalties for failing to do so.

3. The proliferation of mobile data storage devices has changed the boundaries of where we store our data and effectively eliminated "fixed fortifications" as an effective tool for preventing data breaches.

The number of data breaches reported both within the US and the UK has been steadily increasing since 2006. In the US, the introduction of California's data breach disclosure law, SB1386, in July 2003 led to greater awareness of data breaches and, as a consequence, greater reporting of them. Within the UK, the number of reported data breaches has also been steadily rising, with a large increase in reports following the HMRC breach. The peaks in reported data breaches following the disclosure of the UK's HMRC data loss suggest that there were - and probably still are - many data breaches that go unreported, and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

12% of reported breaches in the UK were at regulated financial services organizations. The numbers reported in the unregulated private sector are much lower. An extrapolation from this behavior is that the likely scale and cost of data breaches in this sector in the UK is probably much bigger than has actually been reported - and at least as great as that in the public and regulated sectors.

The reported number of internally caused data breaches remains lower than external ones, but averages to around a third of those reported each year since 2000. Many data breaches are self-inflicted in that organizations adopt confidentiality regimes that make it difficult for people to actually do their job and, as a result, they bypass controls with unpredictable but inevitable data breach consequences.

The Ponemon report commented that "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach" and "the return on investment (ROI) and justification for preventative measures is clear". The costs of data breaches - legal costs, the costs of restitution, brand damage, lost customers and so on - are significant; for financial services organizations, the cost was about £55 per compromised record.

Although not a matter of legal compliance, if an organization suffers a credit card-related data breach and is found not to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility; the information security management standard ISO27001 provides a best-practice specification for an information security management system that would meet the requirements of the Data Protection Act 1998.

The most important steps for Data Protection Act compliance are:

As a minimum:

1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognized standard for encryption engines.

2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.

In addition:

3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.

4. Organizations that accept credit and other payment cards should also comply with the PCI DSS.

5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.

6. Deploy outbound-channel (email, instant messenger) filtering software with customized dictionaries for relevant legislation and standards such as the DPA, PCI DSS, etc.

7. Establish a vulnerability patching program and implement anti-malware software.

8. Implement a business-driven access control policy, combined with effective authentication.

9. Develop an incident management plan that enables the organization to respond effectively to any data breaches.
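As an added illustration of step 6 (example code written for this page, not code from the article or from IT Governance), here is a minimal outbound-channel filter with a PCI-style dictionary: it flags Luhn-valid payment card numbers in a message body and masks them for the audit log. The sample messages are constructed.

```python
import re

# Candidate primary account numbers (PANs): 13-19 digits, optionally separated
# by spaces or hyphens. The pattern is deliberately broad; the Luhn check below
# discards most false positives such as phone numbers or order references.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in a message body."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(digits: str) -> str:
    """Mask all but the last four digits, the form PCI DSS permits for display."""
    return "*" * (len(digits) - 4) + digits[-4:]

def filter_outbound(body: str) -> dict:
    """Decide whether an outbound message may leave, as a DLP mail filter would."""
    pans = find_pans(body)
    return {
        "action": "block" if pans else "allow",
        "matches": [mask_pan(p) for p in pans],   # masked values are safe to log
    }

# Constructed sample messages (not real data). 4111111111111111 is a well-known
# Luhn-valid test number; the phone and order numbers below are not Luhn-valid.
SAMPLES = [
    "Hi, here is the customer's card: 4111 1111 1111 1111, exp 12/29",
    "Please call me back on 0207 946 0000 about order 1234567890123",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(filter_outbound(body))
```

A production filter would add dictionaries for other identifiers the DPA covers (for example National Insurance numbers) and route blocked messages to a reviewer rather than silently dropping them.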
