Thursday, January 8, 2009

Small and medium-sized businesses will spend more on security in '09

In light of my post yesterday regarding the focus a business places on the different components of an identity theft and privacy plan, I was heartened to read this today.

A Forrester Research report finds that small and medium-sized businesses will spend more on security in 2009, and will zero in on data protection, reports SearchCIO. Forrester surveyed the business and IT leaders of 1,206 SMBs--businesses with fewer than 1,000 employees--and 942 enterprise companies, finding that the number one priority for both groups in the year ahead will be the protection of data assets.

The report goes on to say...

Nearly 20% of the respondents plan to pilot or adopt a host intrusion prevention system (HIPS), file-level encryption, full disk/desktop encryption, endpoint control and data leak prevention in the next 12 months. The moves will almost double the use of these security technologies at SMBs.

For me, though, this was the most puzzling part of this piece...

One area that isn't on the security radar for many SMBs -- but probably should be -- is access rights and the larger issue of identity management. Data assets must be protected against insiders, too, said Jonathan Penn, author of Forrester Research's security report.
"There are people who are authorized users who may inappropriately use information to the detriment of the company, or there are unauthorized users who in previous roles may have needed access to information but no longer do. Those kinds of processes in SMBs tend to be pretty poorly implemented," Penn said.
Part of the reason for this security shortcoming is that the technology for automating these processes can be expensive. But the bigger issue for SMBs is the process-intensive nature of keeping up with the rights employees should and shouldn't have.
"If it was a matter of just getting a tool to streamline onboarding, they could do that if they saw the cost benefit of that. But SMBs have tended to shy away from how they manage people's rights throughout the lifecycle of employment," Penn said. Coordinating among IT, business departments and human resources to sort out the employee rights and keeping the policies up to date is tough, and not easily outsourced.

A high-caliber identity theft risk trainer can partner with HR management to get all of the employees through a comprehensive awareness training in one hour or less in group settings. Once that is done, a schedule of update sessions will keep the company current with changing legislation on an as-needed basis. The FACTA Red Flags legislation calls for staff training on the company's identity theft policy as a compliance piece. This comes under the heading of company policy and needs to be part not only of the onboarding of new hires but also of the training of existing staff.
That really is the essence of good ongoing education for employees. Not only does the company get the advantage of expert trainers to keep everyone current in protecting the company's data assets, it also gets a better-prepared staff who will act more proactively both on the job and with their personal identity. A significant area of concern when an individual is experiencing an identity theft episode is being distracted on the job, taking time off, and being under extra stress at work.
In any case, it seems business is moving (somewhat) in the right direction.

Tuesday, January 6, 2009

2008 Breach Numbers Nearly Double

The number of data breaches reported in 2008 was nearly double that of 2007, reports the Washington Post. The Identity Theft Resource Center (ITRC) will announce the 2008 tally today, revealing that 656 breaches were reported last year, with the majority occurring in businesses and schools (57 percent, combined). Human error continues to be the cause of most breaches, while hacking and malware contributed to about 14 percent of those reported. The number of breaches stemming from employee data theft also doubled. "As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent," said Linda Foley, ITRC co-founder.

Given the reality of this report, what would motivate a company to concentrate its efforts on company server and internet security? Misinformation. It has long been known that the vast majority of breaches are not the result of hacking or "cyber crime" of any kind. As this report has found, it's almost always either an inside job or a gross error in judgement. This is what makes employee awareness training an absolute necessity in an information security program. If a business doesn't tell the entire staff how to handle personal information, how can it expect them to do the right thing? Certified identity theft risk management experts who have studied the many forms of identity theft and methods of prevention should always conduct the training.

We have established that almost all data breaches occur at business and public databases, and that they are the fuel for the illicit worldwide trade in identities. The profits from the sale of identity data have surpassed the entire international illicit drug trade. As I mentioned in my previous column, it is very difficult to trace any given episode of identity theft to a single source, as the data is sold many times and divided up along the way, splitting one person's information in many directions. As this occurs, the information is used for a myriad of purposes. This is where it gets very sticky. While this misuse is going on, different public and private databases are corrupted with false entries that may take years to surface. A person may not discover until years later that an event has taken place that has altered their Social Security records, medical records, insurance records, employment records, and so on. Often by then it is nearly impossible to correct these false records. Since we are literally judged by the entries in these databases, wouldn't it be clever if they were accurate?

As long as data has value it will be stolen, sold, and misused. Until we can remove the value of the information itself, we need to concentrate on prevention programs for businesses and public records keepers. A simple program of policy training and awareness of the nature of the crimes can go a long way to stem the tide of identity theft. This is not necessarily a difficult or expensive process. Often it can be done at little or no direct cost to the business other than the training time, which frankly is purely an investment. And if insurance companies are listening, they should lower the rates of proactive clients, just as their risk is lowered.

Monday, January 5, 2009

New Proposals in Iowa

From Today's Iowa Register

"Iowa governments would have greater authority to black out personal information from public records under proposals recommended by a legislative committee. Advocates say the proposals would protect citizens from identity theft. But opponents say the unintended results could be alarming, particularly if the public is unable to differentiate between, for example, a convicted sex offender and another citizen with the same name. "The public has more to fear from government records containing information about them of which they are unaware than the release of information pertaining to them," said Bill Monroe, executive director of the Iowa Newspaper Association.

Lawmakers formed the Identity Theft Prevention Study Committee, which met in November, to consider how the release of personal information in Iowa could make residents vulnerable to identity theft. Public concern heightened this year when privacy advocates complained about a land records site, IowaLandRecords.org. The Social Security numbers of thousands of Iowans from all 99 counties were listed on the site, including those of Gov. Chet Culver and Secretary of State Michael Mauro.
Administrators of the site quickly shut down the ability to view details of the records after the advocates pointed out the problem. The group says removing personal information from all the records - called redaction - will cost the state as much as $2.3 million, which includes $500,000 to update its computer programs. Culver said in an interview this week that he agrees steps should be taken to redact personal information from public records that can be used to steal Iowans' identities.
However, he said he was not sure how the state would pay for such efforts. County recorders, for example, have proposed increasing an electronic filing fee from $1 to $3 to pay for the redaction effort.
"I think protecting individuals' identity is important," Culver said. "Once it gets to the level of security risk, we should take steps to limit how far we go in terms of disclosing things like Social Security numbers."
The committee made 11 recommendations, several of which would give governments more power to remove Social Security or bank account numbers.
Sen. Steve Kettering, R-Lake View, a member of the study committee, said there is no simple answer to the problem. Lawmakers must find the appropriate balance between protecting identities and maintaining public records that protect the public through transparent government.

"There isn't an easy solution, and that's the hard part," said Kettering, who noted that detailed records are critical in his profession as president of Farmers State Bank in Lake View.
Open-records advocates generally agree that some sensitive information like credit card numbers should not be released. The problem arises if governments redact information such as dates of birth, addresses or other unique identifiers, said Kathleen Richardson of the Iowa Freedom of Information Council. Richardson said lawmakers need to establish how frequently identity theft occurs through public records. She believes the problem is rare.

"I think there needs to be a demonstrated need of why we need to vacuum public records," Richardson said. "We also have to carefully consider what our definition of personal information is and make sure it's not so broad that it wipes out too much information."
Sen. Steve Warnstadt, D-Sioux City, said the committee has tried to be sensitive to the concerns brought forward by open records advocates when making its recommendations. The recommendations will likely be used to help draft proposals during the 2009 legislative session, which begins Jan. 12.

"The point of this is not to restrict access. The point is to prevent identity theft and personal information from being disclosed from people who don't have a legitimate reason to have that information," said Warnstadt, the committee co-chairman."

Iowa is tackling this issue head-on and should be a model for other states to follow. Notice how Kathleen Richardson is addressing the central question by saying that the committee needs to settle on the definition of personal information. Once a written policy including that crucial component has been established, it becomes relatively easy to put a real plan into motion.

I would also counsel so-called "open records" advocates that while the concept of easy access is attractive, it has one fatal flaw. Data has value. The proponents are not the ones who determine what is valuable data and what is not. That is in the hands of the information black market. As I have said time and again: "As long as the data has value it will be stolen, sold, and used by thieves." As to public record theft incidents, there were in excess of 15 million combined records lost or stolen from counties, cities, states, state universities, and school districts across the U.S. in 2008 alone. Those are public records databases. In my links area is a link to dataloss, http://datalossdb.org/. You can see there how much is lost and stolen on a regular basis. But how much is acceptable? According to the FTC and other sources there have been between 8 and 10 million domestic identity theft victims in each of the past three years. Due in part to the sale and resale of stolen information, it can be difficult and even impossible to trace identity theft victims to a single incident, which skews the statistics. This is particularly true with mass database theft such as with public records.

If the figure of $2.3M to update software and to redact records is correct, the investment the state will have made will offset the upfront hard costs of a data breach, the liability of a large or even moderate breach, and any subsequent lawsuits resulting from identity theft. Good risk managers will tell you that the potential loss is far greater than the investment in a reasonable program.

Identity theft is on the rise at an alarming rate. As our economy unravels and becomes more fragile every day, data sales become a very attractive activity with very low risk. As businesses and local governments cut back on security budgets, a lot more opportunities occur to steal information, and a lot more people are desperate to cash in on the market in personal information.