Articles from last posting
FTC gets order freezing assets of errant spyware removal vendor
Pakistan still cut off from the Internet
"Freakish incident" takes down New Zealand's Stock Exchange
Read Mary's latest column, The Weakest Link, in the Globe & Mail, about the recent 40 million credit card breach at a US payment processor.
Update
The New York Times reports that Visa has banned CardSystems (CS), the errant US payment processor responsible for the recent 40 million credit card breach, from processing Visa payments. The move is unquestionably calculated to send a message that such lax, or possibly non-existent, adherence to existing security protocols will not be tolerated. CS may not take on any new Visa customers, or process any international Visa payments.
Visa appears to be unconvinced that CS has put its house in order, and is not taking any chances.
Visa has reportedly advised banks that use CS to process payments that they have until the end of October to find another provider. CS may continue to process Visa payments until then, under what seems to be tight supervisory control. Better late than never?
Such decisive action on the part of Visa may silence critics who have argued that existing credit card rules in the security domain lack teeth. It is unclear at this juncture whether MasterCard and the other affected card companies will follow suit, but it must surely be inevitable.
Last time around, we wrote about a class action that has been filed, probably one of many, arising out of the whole sorry affair.
Iron Mountain loses (more) backup tapes
In what appears to be an epidemic of carelessness, yet more backup tapes have fallen off the back of yet another truck in the US.
The tapes were being moved on behalf of an LA bank, City National Bank, and were lost in the course of a 'routine delivery' by Iron Mountain. The bank is remaining mum - while notifying customers pursuant to California law - on the number of customers impacted by the latest security breach.
I remain convinced that there is a virtual Bermuda Triangle somewhere out there on the US highways and byways just sucking back these tapes - or maybe Jesse James is back - and no-one is tellin'.
2005 CSI/FBI Computer Crime and Security Survey released
It's become an annual event, but rarely brings good news. The 2005 Survey is now in its 10th year, and this year the results are based on responses from 700 US 'security practitioners'.
As we have pointed out in the past, the response rate to these anonymous surveys (700 out of 5000 parties responded this year - a 14% response rate, and up considerably from 494 responses in 2004) is predictably abysmal - a fact that can be attributed to a general reluctance to even discuss these sensitive topics, even on a 'no names' basis.
Caveats
Therefore, it is fair to say that while these surveys are probably better than nothing, they should be read with a slightly jaundiced eye. The majority of the respondents appear to be relatively junior employees, and therefore any questions about the cost of security breaches, from a reputational risk perspective, are likely to go unanswered, or to be pure guesswork. There is also a good deal of well-meaning supposition and hyperbole in the report.
I also note that only a measly 1% of respondents were in the retail sector, despite, or maybe as a direct result of, a plethora of serious incidents in that space. The high-tech, financial, and government sectors - with a smattering of manufacturing - were the dominant sectors responding.
Bearing these caveats in mind, the key findings are that viruses and incidents involving 'unauthorized access' (very broadly defined to include inappropriate employee behaviour) caused the greatest financial loss to these respondents - US$42,787,767 and $31,233,100 respectively - with theft of proprietary information in third place at $30,933,000. Despite these big numbers, little or no increase in IT security spending was noted in the report, and it remains fairly static.
Big increases...
A sixfold increase in average losses from unauthorised access episodes is noteworthy, as is a doubling in average losses from theft of proprietary information incidents, which probably explains a slight increase in the uptake of smart cards and one-time password tokens.
Little outsourcing... little insurance...
The IT security function is not, however, despite doomsaying, being outsourced in any significant way. Nor are companies taking out cybersecurity insurance in droves, apparently preferring to self-insure - only 25% of respondents carry such insurance policies.
Insiders not guilty?
Another notable finding was that attacks respondents experienced from the outside were roughly as frequent as those from the inside, although the number of 'don't knows' was greater for the insiders question. This finding throws some cold water - although I would not get too excited, or bet the ranch on it - on the notion that bad apple insiders are the bane of our collective existence and far more abundant than hackers and their external ilk.
Reporting non-existent
Probably the most alarming finding was a decrease in the amount of reporting of security incidents to law enforcement, to a seven-year low. There was an increase in the numbers reporting to someone - hopefully their unfortunate customers - likely to conform with various US state laws requiring them to do so. Such findings make it inevitable, I believe, that governments will take a long hard look at mandatory reporting.
However, on an even more alarming note, only 12% of respondents advised 'legal counsel' about the incidents - an all-time low figure for the survey.
Involve your lawyer
As the driver for most IT security spending globally is regulatory compliance, it boggles the mind that legal counsel are not being advised. A good in-house lawyer with even a modicum of good sense, and a slight comprehension of the issues, can be a godsend in these scenarios, and leaving them out of the loop is akin to hara-kiri.
Lawyer phobia in such cases is misguided and potentially extremely costly. Go hug your lawyer. He/she is paid to keep you out of harm's way.