Group items tagged

"The Identity Theft Resource Center (ITRC) reported its annual breach data for 2009 last week, and for the first time malicious attacks were more frequently identified as the source of those breaches than human error. In its "2009 Data Breach Report," the ITRC found 498 publicly disclosed breaches last year, down from 657 the year before. The downturn could have resulted from changes in breach disclosure, rather than a real drop-off in system compromises, the organization says. Interestingly, paper breaches now account for 26 percent of data leaks, up 46 percent compared to 2008. Malicious attacks outnumbered breaches attributed to human error for the first time in the three years the report has been compiled. The business sector accounted for 41 percent of data breaches, up from 21 percent the year before. Approximately 222 million records were compromised, the organization says -- and about 130 million of those came from the single breach at Heartland Payment Systems. Out of 498 breaches, only six reported they had either encryption or other strong security features protecting the exposed data, the ITRC says . "

Expect more action from the FTC on data privacy breeach

In Deloitte's sixth annual Global Security Survey, people are the problem. "[P]eople continue to be an organization's greatest asset as well as its greatest worry," Adel Melek, global leader of security and privacy services at Deloitte Touche Tohmatsu, said in the report. "That has not changed from 2007. What has changed is the environment. The economic meltdown was not at its peak when respondents took this survey. If there was ever an environment more likely to facilitate an organization's people being distracted, nervous, fearful, or disgruntled, this is it. To state that security vigilance is even more important at a time like this is an understatement." On one level, that couldn't be more obvious: It's not as if anyone worries about squirrels hacking servers; security has always been about people. (Robots, the report says, are unlikely to replace the human workforce during the lifetime of anyone reading the report. Finally, some good employment news.) Yet despite the obviousness of the problem, the obvious solution -- complete denial of access -- doesn't work. People use computers and computers are more useful when connected and it just gets worse from there. That may explain why identity and access management remained top of mind for survey respondents. Deloitte's survey, drawn from major financial companies around the globe, focuses on governance, investment, risk, use of security technologies, quality of operations, and privacy. It includes some good news -- external breaches have declined sharply over the past year -- and troublesome news -- fewer companies say they have the commitment and funding to address regulatory compliance. In terms of risk, specifically information systems failure, people are identified as the most significant vulnerability. "Human error is overwhelmingly stated as the greatest weakness this year (86%), followed by technology (a distant 63%)," the report states. It attributes the rising risk to increased adoption of new techno

Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey. The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern. Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts. "The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said. The failing economy may be driving the increased concern over insider threats, Steinoff said. "The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat." Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said. "[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that persp

Privacy & security are individual rights and responsibilities, not just corporate or governmental responsibilities. Reliance on technology is bound to fail without motivation for all involved to find mutual benefits.

Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses. Information technology companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately, we can't rely just on technology for identity protection. While some of these security incidents involve someone hacking into a system, many involve a human failing. Examples include a laptop with confidential information being lost or stolen and employees e-mailing sensitive data to their personal e-mail accounts so they can work on it from home.