Research: Privacy, Security Problems Alarming But Fixable - InformationWeek



Research: Privacy, Security Problems Alarming But Fixable

According to one study, some 84% of network attacks could have been thwarted if, after checking the user ID and password, the organization had simply authenticated the identity of the invasive computer with commercially available software.

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.

The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found on Phoenix Technologies' Web site.

Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.

The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute or PortAuthority Technologies.

David Etue, senior security strategist at Fidelis Security Systems, a security solution provider in Bethesda, Md., says that "the FTC estimates the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year," a growing concern that could "threaten the integrity and growth of e-commerce" or even compromise national security.

In a statement released this week, Etue says the FTC and Congress are planning to launch new data privacy legislation during the remainder of this term and into the next one. Etue contends that any new law must be guided by principles, including clear, uniform and comprehensive application -- which applies to public and private organizations and includes authoritative definitions of "personal data" and "identity" -- and national benchmarks that "set a floor of protection, rather than a ceiling."

Etue also argues that such laws should deploy agreed-on best practices and require "vigorous" enforcement and "substantial" penalties for noncompliance.

"Penalties must be designed to encourage compliance that genuinely lessens the risk of private data loss," he writes. "This translates into significant funding; substantial penalties for intentional violations; lesser penalties for unintentional violations; and penalties based on the number of identities disclosed." He also suggests rewarding organizations that do comply and penalizing international violations at a higher rate.

Hopefully, the coming political season will result in the kind of results that make future studies of data security more encouraging. But, as Etue says, "Our economy's needs don't track the electoral calendar. 2007 must be the year for clear, uniform and comprehensive federal data privacy legislation."
