There is no “typical” data breach and, unfortunately, no simple set of steps exists to secure an organization’s critical information, according to a study of 345 U.S. data breaches reported in the year ended April 1.
But companies that pay attention to technology, process and people—“the proverbial whole matrix of security,” as Howard Schmidt, president of the Information Systems Security Association, puts it—can still protect their customers and themselves.
American corporations, educational enterprises and governments can lose (or be fleeced of) vital data with stunning creativity, Attrition.org’s Data Loss Archive and Database shows. Chase Bank One employees reportedly left a 165-page spreadsheet containing the names and Social Security numbers of 4,100 employees in a desk drawer; it was discovered in January by a woman who bought the desk at a used furniture store in Louisiana. In December 2006, a laptop computer containing Social Security, date-of-birth, address and other information on some 382,000 past and present Boeing employees was stolen from a car.
And then there was the TJX Corp. breach, possibly the largest in the history of commerce. Hackers helped themselves to data on at least 45.7 million credit and debit-card holders as well as 455,000 merchandise return records containing customer names and driver's license numbers, TJX admitted in a recent filing. The discount retailer says it may never know exactly what was accessed.
TJX’s 2006 annual report, released March 27, described a litany of woes spawned by the hack: 18 class-action lawsuits filed as of March 23; a Massachusetts-led investigation by attorneys general from 30 states; a pretax charge of $5 million in the fourth quarter of 2006. Worse, the company said in its filing that, “Beyond this charge, we do not have enough information to reasonably estimate losses we may incur arising from the computer intrusion.”
As a percentage of actual breaches, the greatest risk comes from stolen laptops; they constituted 25 percent of last year’s breaches, according to Attrition.org (see box below, right). Stolen computers or hard drives added another 12 percent.
Hacks made up 16.2 percent of breaches, and inadvertent Web postings of sensitive data (say, Social Security numbers) accounted for another 13.9 percent. Lost equipment—laptops, disk drives, backup tapes, storage media and documents—constituted another 10 percent of breaches, and improper disposal of documents, computers, tapes and disk drives was another 5 percent.
While that is a daunting array of weaknesses for compliance and IT managers to worry about, there is some good news: Relatively few breaches seem to involve genius hackers.
“While incredibly sophisticated hackers doing incredibly sophisticated things do exist, most breaches that happen in the real world come from incredibly simple mistakes,” says Trent Hein, CEO of Applied Trust Engineering, an IT infrastructure and security consulting firm.
For one thing, Hein says, corporate laptops should all have whole-disk encryption, “so that if a laptop is stolen, it’s essentially worth nothing in terms of data.”
Clint Kreitner, president and CEO of the nonprofit Center for Internet Security, says that in addition to keeping large volumes of sensitive data off of laptops and other portable devices, companies should also consider severe censure—including dismissal—for those who get their laptops lifted.
As for networks, Kreitner encourages companies simply to keep up to date on software patches, and stresses that properly configured hardware can block 90 percent of known network-related vulnerabilities.
In general, Kreitner says, focus on email and Web practices. “Pay special attention to your front door,” he says. “And a big element of watching the front door is stopping dumb things people are doing.”
Kreitner also likes to cite a program instituted by William Pelgrin, director of New York State's Office of Cyber Security and Critical Infrastructure Coordination. His office sends occasional "phishing" emails to New York State employees, keeps statistics and teaches those tricked into handing over personal information to bogus Web sites to cut it out, Kreitner says.
“The program is specifically designed to change human behavior,” he says.
As for the threat of hacking, effective tools to scan for network and operating-system vulnerabilities have existed for years, says Ned McLain, chief technology officer of Applied Trust Engineering. But the proliferation of Web applications that interact with the outside world—say, Gmail or file-transfer programs—has opened up new realms of risk.
“It’s really easy to develop a custom application,” McLain says. “There’s not a canned tool to look for problems. That’s the pressing issue.”
The better answer, McLain argues, is thinking hard about Web-application security from the moment a Web development project commences. That could involve legal requirements such as HIPAA or Sarbanes-Oxley, or the credit-card industry’s PCI standard, he says.
On the technology side, ISSA’s Schmidt says sophisticated IT security software solutions by companies such as PGP, Vontu and Tablus, viewed as luxuries as recently as two years ago, have gained favor with firms seeking help with SOX, PCI or Gramm-Leach-Bliley compliance.
Schmidt also advocates creating a company “security council” that considers not only prevention and education, but also makes recommendations when a breach happens, “to determine whether it’s something just bothersome all the way up to something that requires a notice to the SEC.”
Kevin Beaver, an Atlanta-based information security consultant and author of Hacking for Dummies, says companies need to rein in “unstructured data scattered across every network,” and stresses the need for IT organizations to continually prod for weaknesses with follow-up testing.
“You have got to verify the old flaws and new ones haven’t cropped up,” Beaver says. “With people being involved, combined with our complex information systems, new issues are guaranteed to come up.”
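Beaver's point about unstructured data, taken together with the earlier figure that inadvertent Web postings of Social Security numbers made up 13.9 percent of breaches, is something a small scanner can check for before a file share or Web directory is exposed. The Python below is an added example written for this page, not code from any of the people or vendors quoted. It runs a pattern match over text and then prunes false positives with the Social Security Administration's published rules on numbers that are never assigned (area 000, 666 and 900-999; group 00; serial 0000), and it notes whether a hit sits next to an "SSN" or "Social Security" keyword. The sample text and every number in it are constructed for the example.

```python
import re

# Constructed sample of the kind of "unstructured" text that ends up on file
# shares and Web servers. Every number here is made up for illustration.
SAMPLE_TEXT = """\
Employee roster export (DO NOT POST)
Jane Roe, SSN 219-09-9999, hired 2004-03-01
John Doe, SSN 545-77-0123, hired 1999-11-15
Order #123-45-6789 shipped; tracking 000-12-3456
Support line 666-55-1234 (not an SSN)
Badge 987-65-4320 issued
Part no. 123-45-0000 discontinued
Invoice 2006-12-3456
"""

# Three-two-four digit groups with hyphens, not embedded in a longer digit run
# (the lookarounds keep "2006-12-3456" from matching on its last three digits).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Nearby wording that raises confidence that a hit really is an SSN.
KEYWORD_RE = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)


def is_plausible_ssn(area, group, serial):
    """Apply the SSA's published exclusion rules: area 000, 666 and 900-999
    are never assigned, and neither are group 00 or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    if g == 0 or s == 0:
        return False
    return True


def count_raw_matches(text):
    """Hits from the bare pattern alone, before any plausibility pruning.
    Useful to show how many false positives the rules remove."""
    return sum(1 for _ in SSN_RE.finditer(text))


def find_ssns(text):
    """Return one finding per plausible SSN: the line number, a masked form
    (the first five digits are never written to the report) and whether an
    SSN keyword appears on the same line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            area, group, serial = m.groups()
            if not is_plausible_ssn(area, group, serial):
                continue
            findings.append({
                "line": lineno,
                "masked": f"***-**-{serial}",
                "keyword_context": bool(KEYWORD_RE.search(line)),
            })
    return findings


if __name__ == "__main__":
    raw = count_raw_matches(SAMPLE_TEXT)
    hits = find_ssns(SAMPLE_TEXT)
    print(f"raw pattern matches: {raw}, plausible SSNs: {len(hits)}")
    for h in hits:
        flag = "keyword nearby" if h["keyword_context"] else "no keyword"
        print(f"line {h['line']}: {h['masked']} ({flag})")
```

On the constructed sample the bare pattern fires seven times, while the plausibility rules reduce that to three findings, of which only the two roster lines also carry an "SSN" keyword; the order number on line 4 is the kind of hit a reviewer would want to see flagged at lower confidence rather than silently dropped. Feeding the function the contents of each file under a share or Web root, instead of the embedded sample, is the obvious extension, and the report deliberately masks all but the last four digits so the scan output does not itself become the next inadvertent posting.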