“As a general rule the most successful man in life is the man who has the best information.” Benjamin Disraeli
At the end of the first half of 2012, there were 562,854,336 records disclosed to unauthorized parties from 3,190 reported incidents across all industries since the ChoicePoint incident in 2005. It is not unusual for an individual to have had multiple records breached, multiple credit cards reset on account of fraud, and multiple offers of credit monitoring services. Thirty-seven percent of those records were because of:
Fifty-six percent of these losses involved malware or hacking, that is, electronic entry by an outside party, malware, and spyware. Less than one percent were on account of payment card fraud.
This is significant. It is evidence that the PCI DSS requirements are successful in decreasing the volume of fraud, evidence that controls do work. According to the website, the data chain, payment card fraud losses in 2010 reached their lowest levels since 2000. That is the good news. The bad news is that over 90 percent of the losses involved some combination of hacking through unprotected systems, unintended disclosures (mistakes), lost mobile devices, theft, or improper disposal of media. This is only the tip of the iceberg, as it pertains only to those losses that are reportable under statutory requirements, and it only reflects the breaches that are actually discovered.
What the 90 percent problem is telling us, in part, is that a large number of reported losses involve media that was not erased prior to release – improper disposal of electronic and paper records. It hints at mobile devices containing sensitive information that are easily lost and are not properly encrypted, and at the ease of electronic transmission of files containing information that should have been removed, encrypted, or obfuscated. These are basic, fundamental control issues across the people, process, and technology aspects. The larger part of the loss is more difficult to address; it means that we are deploying or acquiring infrastructure and applications that are prone to malware and mobile software attack, that we continue to be vulnerable to “click and own” threats via poor browsing practices by users, and that our systems are improperly hardened against both insider and outsider attacks. This was nowhere clearer than in the sophisticated breaches of 2010–2011. A few notable examples are included in the following table:
The adoption of cutting edge IT involves more and more third parties, and fewer “in-house” implementations. IT departments in some companies are becoming less technical and more focused on service management of third-party contracts and relationships. The accountability for preventing data loss of all kinds still rests with the contracting organization. Detailed responsibilities for control can only extend from the contracting organization to the contractor via contract. It is essential that the security organization and legal support work closely with supply chain management to ensure that end-to-end, holistic processes and controls are in place at the service provider, and that these controls are auditable by the contracting organization or its designated representative. Such demands are likely to affect the cost of services delivered by the third party and could even be rejected by the third party, leaving the contracting organization ipso facto unable to comply with its baseline security policies. The desire to adopt a particular vendor or technology can lead to negotiations and agreements with controls that are weaker than those required to address the exploding data loss problem.
There are three primary actions necessary for due diligence by an organization that is adopting cutting edge IT through third-party services, and two are relatively new to the IT controls catalog: