Questions? Contact Us


Latest News

Featured News & Events

Act Now To Prevent Data Breaches

After twelve months of increasingly dramatic press headlines about failures to safeguard personal data records, it's time to assess the size of the issue and identify best practice steps for reducing the incidence of, and damage caused by, these data breaches.

The IT Governance Data Breaches Report identifies that spectacular data breaches, such as the UK's HMRC CD-Rom fiasco and the prolonged theft of TK Maxx credit card records, are not caused by the misdemeanor of a junior employee but arise, rather, from systemically inadequate information security arrangements at the organizations where the incident occurs.

A data breach is 'the unauthorized disclosure by an organization of personally identifiable information, where that disclosure compromises the security, confidentiality, or integrity of the data that has been disclosed.'

The Attrition database shows that the numbers of reported data breaches in the US increased from 22 in 2004 to 326 in 2006. The pattern in the UK and elsewhere is similar. Three developments in recent years make addressing this issue a real priority:

1. Identify theft is a low-risk, high return option for organized crime. Traditional crime, including violent robbery and theft, has clearly identifiable risks. It is easy to be recorded on video by CCTV, seen by witnesses or caught by means of DNA, and the returns are relatively low. High-tech crime, on the other hand, creates real problems for the police force and is, conversely, relatively low-risk for the criminal. Contributing factors include the perpetrator's anonymity, the speed at which crimes can be committed, the volatility or transience of evidence, the trans-jurisdictional nature of cybercrime and the high costs of investigation.

2. Legal and regulatory compliance initiatives, such as the EU Data Protection directive and California's data breach disclosure law, SB1386, have both formalized the concept that personal data must be legally protected, and introduced penalties for failing to do so.

3. The proliferation of mobile data storage devices has changed the boundaries of where we store our data and effectively eliminated "fixed fortifications" as an effective tool for preventing data breaches.

The number of data breaches reported both within the US and the UK has been steadily increasing since 2006. In the US, the introduction of California's data breach disclosure law, SB1386, in July 2003 led to a greater awareness of data breaches and, as a consequence, greater reporting of them. Within the UK, the numbers of reported data breaches has also been steadily rising, with a large increase in the number of reported data breaches following the HMRC breach. The peaks in reported data breaches following the disclosure of the UK's HMRC data loss, suggests that there were - and probably still are - many data breaches that go unreported and research suggests that organizations are reluctant to officially report data breaches unless they have already been exposed. The evidence suggests that waiting to be found out is not the best strategy.

12% of reported breaches in the UK were at regulated financial services organizations. Those reported in the unregulated private sector are much lower. An extrapolation from this behavior is that the likely scale and cost of data breaches in this sector in the UK is probably much bigger than has actually been reported - and at least as great as that in the public and regulated sectors.

The reported number of internally caused data breaches remains lower than external ones, but averages to around a third of those reported each year since 2000. Many data breaches are self-inflicted in that organizations adopt confidentiality regimes that make it difficult for people to actually do their job and, as a result, they bypass controls with unpredictable but inevitable data breach consequences.

The Ponemon report commented that "the investment required to prevent a data breach is dwarfed by the resulting costs of a breach" and " the return on investment (ROI) and justification for preventative measures is clear". Costs of data breaches - legal costs, the costs of restitution, brand damage, lost customers and so on - are significant; for financial services organizations, it was about £55 per compromised record.

Whilst not involving legal compliance, if an organization has a credit card-related data breach and is found not in compliance with the Payment Card Industry Data Security Standard (PCI DSS), there are potentially severe contractual and financial penalties, including a bar on the business accepting payment cards.

All these factors make the protection of personal data a key business and compliance responsibility; the information security management standard ISO27001 provides a best-practice specification for an information security management system that would meet the requirements of the Data Protection Act 1998.

The most important steps for Data Protection Act compliance are:

As a minimum:

1. Encrypt all personal data on laptops; whole disk encryption is a more secure solution than folder or file level encryption, and FIPS 140-2 is the recognized standard for encryption engines.

2. Encrypt all removable and portable media that might contain personal data, including USB drives, CD-Roms and magnetic backup tapes.

In addition:

3. Establish rigorous procedures to ensure the physical destruction of redundant computer drives, magnetic media and paper records prior to disposal, and ensure that disposals are made in line with a formal data retention timetable.

4. Organizations that accept credit and other payment cards should also comply with the PCI DSS.

5. Provide regular training and awareness on legal responsibilities for all staff that deal with personal data.

6. Deploy outward-bound channel (email, instant messenger) filtering software with customized dictionaries for relevant legislation such as DPA, PCI, etc

7. Establish a vulnerability patching program and implement anti-malware software.

8. Implement a business-driven access control policy, combined with effective authentication.

9. Develop an incident management plan that enables the organization to respond effectively to any data breaches.

Data Breaches Report

Article Source:

Important Concepts For Linux Beginners - Permissio...
Securing Xen in a Distributed Environment

Related Posts


Tag Cloud

logical security compliance cyber liability insurance Ubuntu trends Email log files activesync cloud IT security PCI Service Provider PCI Solutions World Backup Day business community Continuous Monitoring dss phishing Geekend cyber sender policy HIPAA Solutions Small Business ICANN GDPR business solutions multi-factor authentication INFOSEC windows 7 command line email accounts permissions Healthcare Records Medical Records protect data Control Panel cli cell phone email exchange Debian safe computing Cybersecurity David Zendzian dsbl Security business solitions physical hosting control panel business cyber security arduino Vulnerability smartphone computing in the cloud IT Services PCI Data Security Standards Hosting infrastructure shared server IT services ZZ Servers Co-Founder caller-id follow.The HIPAA Privacy Rule HIPAA social engineering QSA Online Business IT SSL bash VPS Servers PCI DSS 3.2 malicious software cloud infrastructure Internet shared hosting vps TLS Positive Customer Impact pci complliant hosting Business Solutions Hackers Linux cyber protection HIPPA Medical Solutions physical security intrusion detection eCommerce Solutions members area Server Mangement Xen education kerio Payment Card Industry Assigned Names National Cyber Security Awareness Month blackberry Alarm iphone two factor authentication vyatta router firewall filter security PCI HIPAA small business cybersecurity PCI Compliance compliant hosting vulnerability scanning spf Cloud Computing Windows credit card payment apache anti virus healthcare solutions health care providers Firetalk Las Vegas Shmoocon IT solutions HIDS mail server Internet Corporation search data privacy Home Depot Breach credit card backup solutions Scalable Redundant Cloud Infrastructure Reports spoofing lamp Health Care Cybersecurity cyber monitoring HIPAA solutions Internet infrastructure TiaraCon information technology security circles Credit Card Security PCI Hosting InterWorx Disaster Recovery Plan Announcement Car Hacking Accountability Act ipad computer networks passwords Charleston CentOs Domani Names shared folders qsa Interworx-CP Presentation Compliance recovering data Web Hosting DEF CON OSSEC computer security embedded management credit cards stolen network DRP BSides data protection Credit Cards password personal information employee training Zendzian support ZZ Servers Cybersecurity Business Solutions video spam security amazon ec2 PCI compliance phishing attacks black friday teensy Information Technology change assesment eCommerce shared secure hosting PCI Audit Business Planning businesses Sysadmin PCI IT Solutions cyber monday Health Insurance Portability data breach openssl motivation