Cost of Data Breaches Continues to Increase

The cost per record of a data breach has gone from $138 in 2005 to $202 in 2009, according to the Ponemon Institute in its fourth annual U.S. Cost of a Data Breach Study.

Other key findings from the study include the following:
- Average total per-incident costs in 2008 were $6.65 million, compared to an average per-incident cost of $6.3 million in 2007.
- Healthcare and financial services companies experienced the highest churn rates, 6.5 percent and 5.5 percent respectively, against a total average of 3.6 percent, which reflects the sensitivity of the data collected and the customer expectation that information will be protected.
- Third-party organizations accounted for more than 44 percent of all cases in the 2008 study and are also the most costly form of data breach due to additional investigation and consulting fees.
- More than 84 percent of 2008 cases involved organizations that had had more than one data breach in 2008, meaning that companies are becoming more experienced in managing breaches over time.
- More than 88 percent of all cases in this year's study involved insider negligence.
- More than half of respondents believe that training and awareness programs assist in preventing future breaches, and 44 percent have expanded their use of encryption.
- The most significant cost decrease was seen in activities relating to post-breach response, which indicates that organizations are becoming more cost effective in managing data breaches.
Massachusetts Data Protection Deferred

Massachusetts has deferred until January 2010 the deadline for compliance with its latest data security and breach legislation, which protects the personal data of Massachusetts residents. The rules apply to all companies that handle the personal data of Massachusetts residents, whether they are based in the state or not. The rules require companies to:
- Limit the amount of data they collect
- Have written security policies
- Maintain a detailed inventory of all personal data, whether it is stored in computers, archived on tapes or kept in paper files.
- Have in place adequate physical and technical security controls for safeguarding protected data and properly authenticating users who are given access to the information.

With the latest deferral, Massachusetts regulators also removed a requirement mandating that companies get third parties with access to customer data to attest that they were compliant with the regulations. The old provision also required third-party service providers to include language in their contracts specifying that they were willing and able to comply with Massachusetts security rules. With this latest revision, companies only have to take "reasonable steps" to verify that any third-party providers with access to personal data have the ability to protect the information through measures that are comparable to the ones spelled out in the Massachusetts regulations.
Record Management Policy

The Record Management, Retention, and Destruction Policy is a detailed policy template which can be utilized on day one to create a records management process. Included with the policy are forms for establishing the record management retention and destruction schedule and a full job description with responsibilities for the Manager Records Administration.

Added Responsibility for the CIO

McKinsey issued a challenge for senior executives to commit to implementing new approaches to managing data centers and energy consumption. The challenges are:
- Improve and integrate asset-management capabilities in the data center.
- Include the true total cost of ownership in business-case justifications for adding facilities or applications to the data center.
- Formally move accountability for data center facilities and operations expenses to the CIO and appoint internal energy czars with operations and technology mandates to double IT energy efficiency by 2012.

As energy costs seesaw wildly and public concern over the environment grows, data centers are now seen as an expensive luxury that needs to be controlled. CIOs find themselves on the hot seat, asked to account for the huge energy costs their systems incur.

The question arises: should CIOs get ready to add "energy czar" to their list of job roles? McKinsey has called on companies to move accountability for facilities operations to the CIO and to appoint an internal energy czar to better focus on the true cost of data center ownership, which includes both equipment and facilities expenses.
Cost Cutting to Hit Mobile Device Market

Smart phones made up about 14% of all mobile devices shipped globally in 2008 and should increase to more than 17% of the total in 2009. This data is from a study by ABI Research Inc. in New York.

Janco Associates forecasts that the fall will continue and in some cases accelerate. They also said that in private meetings, Verizon employees described the internal projections for the next few quarters as "bleak at best".
Data Loss Can be Prevented

Power outages are the most common driver of the events that disrupt IT systems. A PW study shows:
- 34 percent of companies take more than a day to recover.
- 10 percent of companies take more than a week.
- It can take up to 48 hours to reconfigure a network.
- It can take days or weeks to re-enter lost data.
- 90 percent of companies that experience a computer disaster and don't have a survival plan go out of business within 18 months.

The risk of a massive weather disaster like Hurricane Katrina is slight. Only three percent of data loss incidents are caused by site disasters. Computer viruses account for only seven percent of data loss incidents. The most destructive influences on data centers actually come from much more mundane causes: software error (14 percent), human error (32 percent) and hardware failure (44 percent), frequently triggered by power problems, including power failure, power sags, power surges, brownouts, line noise, high voltage, frequency variation, switching transients and harmonic distortion.

That means that the greatest risks of data loss or system damage are controllable.
Industry Standards for Security Continue to Expand

In response to high-profile security breaches, certain industries have also come together to create their own sets of guidelines, as demonstrated in the following examples. Several of the standards have an international remit, highlighting the extent of the problem.

- Credit cards - The PCI DSS (Payment Card Industry Data Security Standard) is one of the most well known standards governing the handling of information relating to credit card transactions. It was created by major credit card companies, including MasterCard and Visa, in response to increasing credit and debit card security threats, and is designed to prevent credit card fraud, hacking, and other risks.
- IT governance - CobiT (Control Objectives for Information and related Technology) is an internationally accepted set of best practices for developing appropriate IT governance and control in a company.
- Financial - Basel II is an international business standard that requires financial institutions to maintain enough cash reserves to cover risks incurred by operations.
- Security - The Center for Internet Security (CIS) is a not-for-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls. The CIS Benchmarks are a set of system hardening configuration settings and actions accepted by many auditors for compliance with a number of regulations, including HIPAA and Sarbanes-Oxley.
- Standards - ISO (International Organization for Standardization) forms a bridge between the public and private sectors and is the world's largest developer and publisher of International Standards, with 157 member countries.
Downturn Will Cause New Security Issues

Security of IT systems could be compromised because of the downturn. Employees who are afraid that they may lose their jobs are an exposure that many enterprises have not addressed.

Employers should not underestimate the level of stress the recession causes workers. Treat your folks with respect and dignity and they are more likely to behave decently back toward you.

Once workers learn they may be targeted for downsizing, their ethics may erode. Employers should be aware of this and enhance security accordingly.
IT Infrastructure, Strategy, and Charter Template Updated for PCI-DSS

Janco released Version 3.0 of its IT Infrastructure, Strategy, and Charter Template today. With the increased PCI-DSS requirements and the explosion of technology into every facet of the day-to-day business environment, there is a need for tools to create and manage the necessary infrastructure.

In addition to the updates to the template for PCI-DSS compliance, detailed job descriptions have been added for the CIO of a large enterprise plus a second CIO job description for a small enterprise.
Passwords are Main Concern of Chief Security Officers (CSOs)

Password issues are one of the primary concerns of Chief Security Officers. For many users there are just too many systems. Many enterprise users have between 10 and 15 user names and passwords. This in turn results in password issues accounting for up to one third of all help desk calls. In some enterprises over 80% of help desk time is devoted to password issues.

Security of passwords is weak because of:

Making passwords more secure only adds to the problem: as the number of systems increases, users forget their passwords and generate more calls to the help desk. In addition, there is more of a tendency for users to write down their passwords.