How much security is enough?

There’s nothing like an apparent breach of security at a global company to concentrate the mind when it comes to information and data security.

The recent Mastercard breach, which is said to have placed the account details of millions of customers at risk, comes hard on the heels of a string of data incidents at US companies including CitiBank, Bank Of America, Lexis-Nexis, Time Warner and ChoicePoint.

The US Federal Financial Institutions Examination Council (FFIEC) is now investigating the circumstances of the case, while the FBI has also launched a probe into the incident involving CardSystems Solutions, where intruders exploited software security vulnerabilities.

Meanwhile, the US Senate is considering measures to boost personal data security and crack down on data theft. One measure, a Personal Data Privacy and Security Bill, would restrict the sale or publication of social security numbers; another, introduced by California Senator Dianne Feinstein, would fine companies up to $50,000 a day for every day they fail to notify customers about a data breach.

Yet the likelihood is that well-meaning legislation will be so watered down by the lobbyists who crawl all over corporate America that it will be rendered meaningless, leaving the public’s personal data still at risk. There is a marked contrast between the often cavalier approach to data security in the US, and the guidance offered by the respected Data Protection Commissioner here.

In the meantime, the security breach at CardSystems Solutions has increased the focus on new data-protection requirements pushed by both MasterCard and Visa.

The new Payment Card Industry Data Security Standard (PCI), which came into effect 30 June 2005, lists 12 criteria that all retailers, online merchants, data processors and other businesses that handle credit card data must meet.

Data encryption, end-user access control and activity monitoring and logging systems must be used, as well as procedural mandates, such as the implementation of formal security policies and vulnerability management programmes (offered by companies such as Qualys) for the scanning and auditing of websites.

PCI, allied to a Site Data Protection programme, is a start – but don’t expect stories of data loss and theft to end tomorrow.

What can we do?
The latest data incident highlights a recurring question posed recently by research group Gartner: “How much security is enough?”

Gartner suggests that, historically, enterprises will only do the bare minimum to meet regulations. It reckons there are eight issues that organisations face in attempting to define ‘due care’ for their security and data circumstances, including the state of information security technology, expense and affordability, the likelihood of technological security failure, and how much harm – in costs or reputation – could result from a security failure.

I sought the view of some noted experts such as Paul Henry, a senior vice president at security specialist CyberGuard, David Lacey, director of information security at Royal Mail, and Brian Collins, vice-president of the British Computer Society, and chairman of the BCS Security Forum.

Henry believes that when it comes to safeguarding information security, too many executives rely on short cuts and popularity rather than adequate testing, even when it comes to due diligence.

“Often, there seems to be less effort going into testing to ensure that a product does what it claims to do than, say, where the product comes in Gartner’s ‘Magic Quadrant’. How do you know if the product will be right for the company unless it’s been fully tested?”

Henry insists the first step towards adequate security would be some international harmonisation of the right attitude, culminating in global recognition of a cyber crime bill.

“It’s all about ideologies. Globally, we can’t facilitate cyber crime legislation between countries, because although it cost us millions of pounds, the chap who came up with the I Love You virus is a national hero.”

Henry suggests that recent privacy legislation in Florida once offered the prospect of organisations holding personal data being made responsible for that data, and accountable specifically to the person whose data it is, even if the data is handed over to a third party for processing.

But lobbyists for data holding companies got at the bill, turning the responsibility over to the third party, and simply driving more outsourcing of data processing to save money, and mitigate risk.

Henry believes there is now a trend in the US, although not as yet in Europe, where corporate governance and data privacy law is stricter, for top executives to push ultimate responsibility down the corporate food chain while attempting to limit their own accountability.

Lacey says Royal Mail has been practising risk management and BS7799 certification for many years because it works.

“It saves money, stops bad things happening and safeguards our reputation. We have a comprehensive, up-to-date portfolio of security policies and standards that is based on best industry practices and standards recognised by our clients and business partners. Our standard is that personal data is thoroughly protected by strong encryption, even in storage.”

Like many security experts, Lacey believes too many organisations take a compliance-only approach to security, doing just enough to meet regulations – only what they have been told to do – rather than thinking of their responsibilities to their customers and business partners.

“The organisation that doesn’t act according to what their risk profile is and responsibilities can support, is a foolish company,” he says.

Collins believes European companies already benefit from adopting a more holistic approach to security.

“The US attitude to information security is driven by legislation and regulation, and fear of litigation, rather than the situation in Europe, which is based on social responsibility, improving brand value and corporate governance.”

Collins adds that successful companies should base their approach to information security on four ‘pillars’ – people, technology, processes and information – and they need to have them all in place for it to work.

“You need to have the business processes and the people, but you also need the technology and information too. If you get these right and fit for purpose, they are your major assets. Exploitation of your assets in a coherent way will deliver maximum benefits at minimum risk.”

“But if you do just what the regulations say, that’s not enough. Nor is it enough to have a mechanical view. You have to think in terms of your customers, and the company’s reputation. Your brand value is vital.”

What is your view on the risks to Data Security?

How much security ‘is enough’?

Will data holders always do the minimum to comply with legislation – but no more than the minimum, instead of focusing on the risk to reputation and brand value?

Have you come across top-level executives attempting to limit their responsibility?
