
Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: eWeek.com

Posted on May 19, 2008

      In this era of Internet connectivity, businesses must prepare for what is becoming the almost-inevitable data breach, according to a pair of chief privacy officers for major financial institutions.

      At the IntrusionWorld Conference and Expo in Baltimore on May 13, Joel Tietz, chief privacy officer at AXA Financial, and Michael Drobac, chief privacy officer at Merrill Lynch, discussed the increasing risk and costs of data breaches and how enterprises can better prevent and manage them.

      Drobac exhorted every organization to have a plan in place for data breaches. "Failing to plan is planning to fail," he said, noting that data breaches have become almost inevitable in the connected era.

      Drobac provided his own top 10 list of ways to prevent and manage a data breach that could cost an organization time, money, productivity and reputation.

      No. 1 on Drobac's list is to enforce a "need to know policy," so that only those who truly need to know certain information actually have access to it. He also stressed a focus on access control, such as role-based access control.

      Other steps businesses need to take are monitoring for data leakage, particularly in email and peer-to-peer technology; keeping an eye on all the various mobile devices being used by employees, such as thumb drives, PDAs, phones and iPods; and strengthening authentication protocols.

      Drobac also said businesses need to maintain strong oversight of vendors, examine data retention standards, ensure destruction policies are adequate, build privacy and security into the software development lifecycle and engage senior management in the overall process of preventing and managing data breaches.

      Drobac said the "low-hanging fruit" are encryption and data classification, or providing different levels of security for different levels of data. "But it's not all about encryption and data security," he said.

      One of the first steps to managing a data breach is defining exactly what constitutes a data breach for your organization, Drobac said. After that, enterprises need to establish a centralized channel for reporting breaches. The next step is to "identify your response team, including the leader," he said. The response team should include the organization's general counsel, media relations personnel, front office sales, information security staff and fraud investigators, he said.

      Once those steps have been taken, the enterprise should get the facts about the data breach by using a forensics team, and then "conduct immediate triage to prevent further damage, such as shutting down the site; it might call for swift and hasty action," Drobac said.

      "It may mean pulling down your gateway to your revenue stream," Tietz said. That is why "you should make sure you have an escalation mechanism to the highest levels of the company," Drobac said.

      At this point, it is time to "involve PR [public relations], law enforcement and regulators," about the data breach, Drobac said. "They'd rather hear it from you than from the Wall Street Journal." The organization also must provide notice to its customer or user bases, he said.

      Then the enterprise must "remediate and modify existing business practices," he said.

      Preparation is also key, they said. Enterprises should track events for the root causes of breaches and constantly perform practice drills to be prepared for breaches, Drobac said.

      Tietz said typical data breaches involve stolen laptops, PDAs or thumb drives, but also include network hacking, malware and lost backup tapes among other things. "But the No. 1 form of data breach is Dumpster diving," he said.

      Tietz ran down statistics. There have been 230 million records of U.S. residents exposed to security breaches since 2005, and $6.3 million is the average cost per reported enterprise breach in 2007, up from $5 million in 2006, he said. In addition, 20 percent of consumers have ended their relationship with a company after being notified of a security breach. Indicating how important data security has become, Tietz said nearly 40 percent of new security spending in 2007 was directed toward protecting data, reducing network security expenditures.

      Data breaches have touched on a number of companies, including Eli Lilly, ChoicePoint, the U.S. Department of Veterans Affairs and TJX.

      He said that in the commercial sector, 40 percent of data breaches are through stolen laptops, while errors accounted for 20 percent of breaches, insider theft 15 percent, fraud 15 percent and hacking 10 to 15 percent. In the university setting, hacking accounted for 45 percent of data breaches, and laptop theft, insider access, errors and fraud each accounted for between 10 and 15 percent, he said.

      In a separate presentation here, Joe Gersch, vice president of engineering at Secure64 Software, spoke of how to justify spending on security. Gersch said enterprises need to quantify the benefits of security by assessing the annualized loss expectancy, which is equal to the single loss expectancy plus the annual rate of occurrence.

      However, as a best practice, an enterprise should invest no more than 37 percent of the expected benefits of the security. "If you have an expectation of losing $100,000 annually, you should not invest more than $37,000" on security, Gersch said.
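As an added illustration (not part of the eWeek article or Secure64's material), the budgeting rule Gersch describes is applied below to a constructed set of candidate controls, using the standard textbook definition ALE = SLE × ARO and the 37 percent spending cap. The control names, costs and risk-reduction fractions are assumptions chosen to reproduce the article's $100,000 loss / $37,000 budget figures.

```python
from dataclasses import dataclass

# Gersch's rule: spend at most 37% of the expected annual loss. This matches the
# 1/e (about 0.368) upper bound of the Gordon-Loeb security-investment model.
BUDGET_FRACTION = 0.37


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = single loss expectancy x annual rate of occurrence (standard definition)."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return sle * aro


def max_security_budget(ale: float, fraction: float = BUDGET_FRACTION) -> float:
    """Upper bound on annual security spend for a given expected annual loss."""
    return ale * fraction


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    risk_reduction: float  # fraction of the ALE this control removes, 0..1


def rosi(ale: float, control: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    avoided = ale * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def select_controls(ale, controls, fraction=BUDGET_FRACTION):
    """Greedily pick controls by ROSI while staying under the budget cap.

    Simplification: each control's reduction is treated independently (no overlap).
    Returns (chosen control names, total spend)."""
    budget = max_security_budget(ale, fraction)
    chosen, spent = [], 0.0
    for c in sorted(controls, key=lambda c: rosi(ale, c), reverse=True):
        if rosi(ale, c) <= 0:      # a control that costs more than it avoids is never worth it
            break
        if spent + c.annual_cost <= budget:
            chosen.append(c.name)
            spent += c.annual_cost
    return chosen, spent


# Constructed sample: a lost-laptop scenario sized to the article's $100,000 annual loss
SAMPLE_ALE = annualized_loss_expectancy(sle=25_000, aro=4)  # 100_000
SAMPLE_CONTROLS = [                                          # hypothetical controls
    Control("full-disk encryption", 12_000, 0.60),
    Control("data-loss-prevention gateway", 30_000, 0.25),
    Control("annual response drill", 5_000, 0.10),
]
```

Running `select_controls(SAMPLE_ALE, SAMPLE_CONTROLS)` keeps encryption and the drill (total $17,000, well under the $37,000 cap) and rejects the DLP gateway, whose $30,000 cost exceeds the $25,000 of loss it would avoid.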

      He noted that quantifying return on investment for security technology is difficult. Still, what Gersch referred to as "genuinely secure systems" can be less costly and more attractive than conventional security or building a security fortress, he said. Such a system "has a secure operating system architecture that fully utilizes the hardware to make applications immune to compromise from rootkits and malware and resistant to network attacks," he said.

      Secure64's core technology is SourceT, a patent-pending, genuinely secure micro operating system designed to make it and any applications running on it immune from rootkits and malware, and resistant to network attacks, Gersch said. Secure64 defines a genuinely secure OS as one with a secure architecture that fully utilizes the hardware to make applications immune to compromise, unlike a hardened OS, which is typically manipulated to minimize exposure to its insecurities, he said.

      As the technology continues to improve and emerge, "self-defending networks, self-defending OSes, and self-defending services will start to pay off," Gersch said.

      Paul Lipton, a senior architect at CA, said autonomic computing, or self-healing technology, should become a key part of securing service-oriented environments.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
