A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.
The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.
The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found on Phoenix Technologies' Web site..
Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.
The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute or Port Authority Technologies .
David Etue, senior security strategist at Fidelis Security Systems, a security solution provider in Bethesda, Md., says that "the FTC estimates the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year," a growing concern that could "threaten the integrity and growth of e-commerce" or even compromise national security.
In a statement released this week, Etue says the FTC and Congress are planning to launch new data privacy legislation during the remainder of this term and into the next one. Etue contends that any new law must be guided by principles, including clear, uniform and comprehensive application -- which applies to public and private organizations and includes authoritative definitions of "personal data" and "identity" -- and national benchmarks that "set a floor of protection, rather than a ceiling."
Etue also argues that such laws should deploy agreed-on best practices and require "vigorous" enforcement and "substantial" penalties for noncompliance.
"Penalties must be designed to encourage compliance that genuinely lessens the risk of private data loss," he writes. "This translates into significant funding; substantial penalties for intentional violations; lesser penalties for unintentional violations; and penalties based on the number of identities disclosed." He also suggests rewarding organizations that do comply and penalizing international violations at a higher rate.
Hopefully, the coming political season will result in the kind of results that make future studies of data security more encouraging. But, as Etue says, "Our economy's needs don't track the electoral calendar. 2007 must be the year for clear, uniform and comprehensive federal data privacy legislation."