There’s nothing like an apparent breach at a global
company to concentrate the mind when it comes to information and
data security.
The recent Mastercard breach, which is said to have placed the
account details of millions of customers at risk, follows hard on
the heels of a string of data incidents at US companies including
CitiBank, Bank Of America, Lexis-Nexis, Time Warner, and
ChoicePoint.
The US Federal Financial Institutions Examination Council
(FFIEC) is now investigating the circumstances of the case, while
the FBI has launched a probe into the incident involving
CardSystems Solutions where intruders exploited software security
vulnerabilities.
Meanwhile, the US Senate is considering measures to boost
personal data security and crack down on data theft. A Personal
Data Privacy and Security Bill, which would restrict the sale or
publication of social security numbers, and another bill introduced
by California Senator Dianne Feinstein, would fine companies up to
$50,000 a day for every day they don't notify customers about data
breaches.
Yet the likelihood is that well-meaning legislation will be so
watered down by the lobbyists who crawl over Corporate America that
it will be rendered meaningless, leaving the public’s personal
data still at risk. There is a marked contrast between the often
cavalier approach to data security in the US and the guidance
offered by the respected Data Protection Commissioner here.
In the meantime, the security breach at CardSystems Solutions
has increased the focus on new data-protection requirements pushed
by both MasterCard and Visa.
The new Payment Card Industry Data Security Standard (PCI),
which came into effect on June 30, lists 12 items that all
retailers, online merchants, data processors and other businesses
that handle credit card data must meet.
Data encryption, end-user access control and activity monitoring
and logging systems must be used, as well as procedural mandates,
such as the implementation of formal security policies and
vulnerability management programs offered by companies such as
Qualys for the scanning and auditing of websites.
PCI, allied to a Site Data Protection programme, is a start – but
don’t expect stories of data loss and theft to end tomorrow.
The latest data incident highlights a recurring question
recently posed by research group Gartner: “How much security is
enough?”
Gartner suggests that, historically, enterprises will only do the
bare minimum to meet regulations. It reckons there are eight issues
organisations face in attempting to define ‘due care’ for their
security and data circumstances, including the state of information
security technology, expense and affordability, the likelihood of
technological security failure, and how much harm (costs,
reputation) could result from a security failure.
I sought the view of some noted experts such as Paul Henry, a
senior vice president at security specialist CyberGuard, David
Lacey, director of information security at Royal Mail, and Brian
Collins, vice-president of the British Computer Society, and
chairman of the BCS Security Forum.
Henry believes that when it comes to safeguarding information
security, too many executives rely on short cuts and popularity
rather than adequate testing, even when it comes to due
diligence.
“Often, there seems to be less effort going into testing to
ensure that a product does what it claims to do, than say, where
the product comes in Gartner’s ‘Magic Quadrant’. How do you know if
the product will be right for the company unless it’s been
fully tested?”
Henry insists the first step towards adequate security would be
some international harmonisation of the right attitude, culminating
in global recognition of a Cyber Crime bill.
“It’s all about ideologies. Globally, we can’t facilitate Cyber
Crime legislation between countries, because although it cost us
millions of pounds, the chap who came up with the I Love You virus
is a national hero.”
Henry suggests that recent privacy legislation in Florida once
offered the prospect of organisations holding personal data being
made responsible for that data, and answerable specifically to the
person whose data it is, even if the data is handed over to a third
party for processing.
But lobbyists for data-holding companies got at the bill, shifting
the responsibility onto the third party, which simply drives more
outsourcing of data processing as a way to save money and offload
risk.
Henry believes there is now a trend in the US, though not so far
in Europe, where corporate governance and data privacy law is
stricter, for top executives to push ultimate responsibility down
the corporate food chain while attempting to limit their own
accountability.
Lacey says Royal Mail has been practising risk management and
BS7799 certification for many years because it works.
“It saves money, stops bad things happening and safeguards our
reputation. We have a comprehensive, up-to-date portfolio of
security policies and standards that's based on best industry
practices and standards recognised by our clients and business
partners. Our standard is that personal data is thoroughly
protected by strong encryption, even in storage.”
Like many security experts, Lacey believes there is too much of a
trend for organisations to adopt an approach to security of only
doing enough to meet regulations, i.e. doing what they’ve been told
to do, rather than thinking of their responsibilities to their
customers and business partners.
“The organisation that doesn’t act according to what its risk
profile and responsibilities can support is a foolish company,”
he says.
Collins believes European companies already benefit from adopting a
more holistic approach to security.
“The US attitude to information security is driven by
legislation and regulation, and fear of litigation, rather than the
situation in Europe, which is based on social responsibility,
improving brand value and corporate governance.”
Collins adds that successful companies should base their
approach to information security on four ‘pillars’ – people,
technology, processes and information – and they need to have them
all in place for it to work.
“You need to have the business processes and the people, but you
also need the technology and information too. If you get these
right and fit for purpose, they are your major assets. Exploitation
of your assets in a coherent way will deliver maximum benefits at
minimum risk.”
“But if you do just what the regulations say, that’s not enough.
Nor is it enough to have a mechanical view. You have to think in
terms of your customers, and the company’s reputation. Your brand
value is vital.”
Feedback
What is your view on the risks to Data Security?
How much security ‘is enough’?
Will data holders always do the minimum to comply with
legislation – but no more than the minimum, instead of focusing on
the risk to reputation and brand value?
Have you come across top-level executives attempting to limit
their responsibility?