
Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants

Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


Source: Informatica Information Security

Posted on February 1, 2006

      According to a report released by Symantec last week, the average laptop contains a whopping $1M worth of information. The AVERAGE laptop. Some executive notebooks are valued as high as US$8.8 million based on the client data, intellectual property and confidential information they contain. The news comes about 10 years after the industry noted that laptops are the most valuable target of corporate theft. Today, according to the recent FBI computer crime survey, 50% of organizations reported the theft of laptops in 2005.

      All theft aside, according to Silicon.com, in the UK as many as 10,000 laptops are simply lost or forgotten in public places each year. That adds up to a lot of valuable data. In the US, according to the FBI study, 2.8 million organizations experienced losses totaling $67.2 million as a result of security incidents. That number was found to be 3 to 4 times HIGHER than in previous years.

      According to SecurityFocus: "Among the [FBI Study] findings, nearly nine out of ten organizations experienced security incidents in the past year. Over 64% of respondents incurred a financial loss as a result of computer crime - yet only 9% reported these incidents to law enforcement. The United States and China top the list as by far the worst offenders, together accounting for the source of more than half of all external intrusion attempts. However, not surprisingly, the survey also reports that 44% of all reported intrusions were sourced as internal to the organization affected."

      Although we can assume that researchers are getting better at quantifying losses and calculating the impact of security incidents, it is clear that after decades of Internet use, e-business innovation and progress, organizations are still way behind in terms of security preparedness and respect for the vast problems that define information asset protection.

      To be clear, the only thing that we should take away from the statistic that 9 out of 10 companies have experienced a breach is the fact that 1 out of 10 hasn't bothered to find or report its security breaches. The biggest issue is the fact that the same breaches are occurring year after year, with the simplest and most expensive ones leading the pack.

      According to my rough calculation, 30 large companies made the Wall of Shame last year. 30 that should have known better, because they pretend to be the consumer's best friend while keeping our private data and trading it for cash. According to the Privacy Rights Clearinghouse, these breaches affected millions of people. Here are the top 10 offenders:

1. CardSystems Solutions - 40 million consumer accounts
2. Citigroup - 3.9 million consumer accounts
3. DSW Shoe Warehouse - 1.4 million
4. Bank of America - 1.2 million
5. Time Warner - 600,000
6. LexisNexis - 310,000
7. Ameritrade - 200,000
8. Polo Ralph Lauren - 180,000
9. ChoicePoint - 145,000
10. Boston College - 120,000

      Don't be impressed by the big numbers. They're important, but they don't tell the whole story. A closer look at the facts tells us that most of these security breaches were not caused by high-tech whiz kids (those probably go undetected). No, these failures occurred because of simple things like lost backup tapes, stolen passwords and smash-and-grab robberies; in the case of Citibank, the tapes were simply lost in the mail.

      Granted, DSW Shoe Warehouse, Polo Ralph Lauren and LexisNexis did manage to get hit hard by hackers, but that's just the problem: coverage has been inconsistent or non-existent, because the general media, the ones who have all the eyeballs, have no idea how to convey the magnitude of the problem to the average reader without either covering the story in the "Oddly Enough" column or making it seem as if the sky were falling.

      Perhaps that's why 75% of all new prospects that I meet have developed a well-rehearsed mantra: "We have no security problems, everything's taken care of." That same group is later forced to react to security breaches instead of preventing them, a much more expensive and less effective proposition. Aside from uninformed people working with incomplete data in an attempt to bring us pre-digested news while carefully avoiding apocalyptic scenarios, what else do you believe is the cause of this blatantly false sense of security?

      Here are my other 7 contenders:

      1. Coasting on momentum - it's not just about apathy and ignorance, or is it? Is past performance an indicator of future security? Not in this business! What we don't know can't hurt us, but what about the aforementioned infamous 30 organizations? They had all the money in the world; they just lacked the budgets. And so it goes for the other 75% of international (mostly small and mid-size) companies that felt the sting of security inadequacy last year.

      2. Security suites - are you seeing all-in-one security products flying off the shelves? Let them. Your security protection - whether on a home system or an enterprise network - should be made up of specialized layers of best-of-breed tools, not one big bloated magic pill. Note that the latter is different from the concept of centralized security management, an often effective strategy for increasing visibility and control across the enterprise.

      3. Automated, online security tools - have you come across e-commerce Web sites that proudly proclaim that they are "hacker-free", "security-protected", "impermeable to breaches" or otherwise invulnerable based on the fact that they are 'checked daily' by an automated scan? Rest assured, hackers couldn't care less about such claims, and the only thing that the typical 'shield' logo should mean to you is that the company in question is deluded about its own level of protection.

      4. Computer vendors and retail stores - why does out-of-the-box, ease-of-use, plug-and-play have to mean "bogged down with obsolete demo versions of software that are a pain to remove"? Computer stores and vendors are now basing all their marketing on how quickly you can be 'online' once you've stepped away from the cash register. What people should be asking is: how much time do I have before my new computer gets infected? The answer? About 20 minutes.

      5. Security vendors - why is it that every time a new security product is introduced, it paints such a rosy picture of the world that you literally feel like you will never have another care in the world? Alternatively, it makes such a huge deal out of threats that you didn't know existed that you're either compelled to ignore it, or you get a trial copy (just in case) and never end up using it (probably because it interferes with every other security tool you have).

      6. Telcos and ISPs - ah, the telecommunications industry. When it works, it's a cash cow: millions of homes and businesses providing reliable, monthly cash flow earmarked for expansion and diversification. Due to roughly gazillions of complaints from Internet subscribers, companies have finally found a way to provide solutions they can actually profit from, while fitting neatly into their guaranteed monthly revenue model. From subscription-based software firewall service to monthly virus/spyware protection, it's all available in byte-sized chunks. Unfortunately, its relative value is measured in crumbs. Convenience and security don't always go together.

      7. Oblivious and desensitized IT managers - the least guilty people of the lot. They were hired to make sure systems and networks support business functions, then were told that they are responsible not only for 'security around here' but also for every single network user's infected PC, the company's security and privacy compliance and all the new threats that crop up on a daily basis. Can you really blame them for saying "nah, we're fine. Security is completely under control here"? Unfortunately, top-level management most often believes them and fails to create a mature, actionable security plan that would minimize the damage when incidents occur.

      Agree? Disagree? Am I completely off base? Why did I stop at 8? Why am I letting Microsoft off the hook? How do Chinese hackers fit into my equation?

      Ask away. Write back and let me know. Claudiu Popa: claudiu@InformaticaSecurity.com


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
