The InformationWeek -- Blogs

Digital Life


Surprise! You're Not To Blame For Security Breaches


Posted by Michael Hickins, Apr 15, 2009 02:15 PM

Unglue those USB ports. Unchain your laptop. Feel free to leave your smartphone at the airport. If there's a security breach at your company, it's unlikely to be your fault.


For years, security software vendors have drummed up sales of anti-virus and remote device management software by peddling tales of CIOs gluing USB ports so that end-users (you and me, their own employees) wouldn't inadvertently introduce malware that would infect the company's systems and start calling home with its vital data or, worse, so we wouldn't walk away with valuable information on a flash drive we would then foolishly leave at the counter of the local Dunkin' Donuts, or sell on Craigslist (psst, want a peek at our client list?).

But while companies have been spending hundreds of millions of dollars on software designed to wipe the contents of lost BlackBerrys and refuse permission to copy files, it turns out that the worst exacerbators of this very real problem are IT managers who have failed to secure their own front doors. For instance, a mind-blowing 81% of companies don't comply with PCI standards to which they're subject, according to a study by Verizon.

The 2009 Verizon Business Data Breach Investigations Report made it a point to exculpate end-users who have been previously maligned as the source of most breaches:

"Most data breaches investigated were caused by external sources. Seventy-four percent of breaches resulted from external sources, while 32 percent were linked to business partners. Only 20 percent were caused by insiders, a finding that may be contrary to certain widely held beliefs."

In fact, just about everything cited in the report points to negligent practices by IT departments rather than end users.

  • "In most successful breaches, the attacker exploited some mistake committed by the victim, hacked into the network, and installed malware on a system to collect data." -- In other words, attackers were able to hang around like Ocean's Eleven at the casino, doing their dirty work right under an IT administrator's nose.
  • "In 69 percent of cases, the breach was discovered by third parties. The ability to detect a data breach when it occurs remains a huge stumbling block for most organizations. Whether the deficiency lies in technology or process, the result is the same. During the last five years, relatively few victims have discovered their own breaches." -- Hey buddy, I was just wondering -- did you really mean to let those people walk into your home and ransack your belongings, or should I call the cops?
  • "Nearly all records compromised in 2008 were from online assets. Despite widespread concern over desktops, mobile devices, portable media and the like, 99 percent of all breached records were compromised from servers and applications." -- Any chance you could apologize for that snarky email last year? The one where you implied we were incompetent bordering on criminally negligent?

The study also shows that, sadly, the incidence of cybercrime is exploding, which is likely to result in tighter security measures. Tighter security measures have traditionally translated to longer lists of "don't do's" for end users, dragging down productivity and even innovation -- like some stupid end-user fiddling around with an application and finding an unintended use for it that triples productivity.

Maybe the real value of this report is not that it reveals just how bad things are, but who isn't to blame.
