Yet new software vulnerabilities surfaced at a rate of more than seven per day last year, for a total of 2,636 documented vulnerabilities, according to Internet security vendor Symantec Corp. What's more, Symantec's Internet Security Threat Report, published in March, says software vulnerabilities are getting easier to exploit, and hackers are attacking them more quickly.
To slow the rising threat of customer-data breaches, companies must become more diligent about security basics: Lock down networks with firewalls and application-security and intrusion-detection systems, and patch newfound vulnerabilities before hackers develop exploits. Sloppy business practices, such as cramming hard drives and notebooks with unencrypted customer data, could be prevented through updated, stringently enforced security policies.
Another threat comes from viruses and worms specifically designed to steal financial or personal information. Many virus writers are no longer satisfied with ego boosts from causing problems with malicious code--they want to make money. For example, a version of the BugBear virus surfaced last June that targeted about 1,200 financial institutions around the globe. When the virus penetrated a bank, it attempted to install a backdoor to allow intruders access. BugBear reportedly infected hundreds of thousands of systems.
Symantec's most recent Internet Security Threat Report says that in the second half of 2003, it was alerted to three times as many serious viruses and worms that threatened privacy and confidentiality as in the period covered by the previous report--an alarming 519% increase.
While viruses are hard to combat and worrisome, security breaches that involve computer, hard-drive, and notebook thefts also are common. Data encryption might sound like an easy answer, but it's controversial, even among information-security professionals. "Encryption can greatly hinder system performance, and it's not always necessary if other security controls are in place," says one security executive at a financial-services firm, who asked not to be named.
John Pescatore, research director at research firm Gartner, says resistance to encryption is common. There are many problems associated with encrypting stored data, including managing encryption keys so that they're easily accessible to those who need them without putting the systems at risk. And if encryption slows performance by making it harder to retrieve and manage encrypted information, companies won't endear themselves to customers.
Encryption vendors Decru, Ingrian, NeoScale, and Vormetric are making some progress working around these problems. Provident Funding Associates LP installed Ingrian Networks Inc.'s DataSecure Platform, which encrypts and protects data while it rests in storage; when it's in transit between servers, databases, and storage devices; and while it's processed by applications and databases. DataSecure Platform helps boost encryption speed by off-loading computing-intensive cryptographic functions, says Tom Rabaut, systems administrator for Provident Funding. "It's really difficult to implement security that doesn't hinder the speed at which companies move," he says.
Even the best electronic security isn't a guarantee. Thieves still can rummage through a company's or individual's trash, trick customer-service representatives into turning over passwords, and bribe (or blackmail) employees to get the information they seek. And sometimes the threat exists inside a company's firewall. In November 2002, federal agents arrested Philip Cummings, who once worked on the IT help-desk staff at Teledata Communications Inc., for allegedly using his insider knowledge to obtain access codes that companies used to run credit reports. Federal authorities claim that Cummings stole credit information on more than 30,000 people, resulting in more than $2.7 million in losses. He has been indicted on more than 20 counts of fraud conspiracy in connection with the scheme.