The question is whether 2005 was a particularly bad year for data breaches, or whether more organisations are simply owning up to their indiscretions. After all, the consequences of being found out are now a lot more serious than those of admitting to a problem.
It seemed that almost every month last year some organisation or other was admitting that backup tapes had been misplaced. They were either getting lost in warehouses or disappearing after being entrusted to some courier service.
In the UK, the Inland Revenue lost a computer disc, sent by a bank, which contained the addresses and account details of the bank's investors, and apparently they are still looking for it. In Japan, millions of credit card details were stolen. The stories go on and on. The potential seriousness for your business was quantified by the Department of Trade and Industry, which said that 70 percent of organisations that experience serious data loss go out of business within 18 months. So, looking on the bright side, the UK may become a tax haven during 2006!
An organisation should never underestimate the potential damage from the exposure or loss of confidential data. This is why most businesses take great care to ensure that physical media are protected in physical safes under dual-control procedures, and in some cases these physical security measures are even mandated by formal regulations.
Securing data while it travels between applications, business partners, suppliers, customers, and other members of an extended enterprise is crucial. As enterprise networks continue to become increasingly accessible, so do the risks that information will be intercepted or altered in transmission.
For example, how many CEOs are aware that sensitive data within the organisation is visible to everyone from database administrators and developers to system administrators? How many bank directors are aware that in many cases financial transaction files sit in clear text on application servers? A European bank recently fell foul of an external audit when it was discovered that payments being sent to and from a third-party payment system were accessible to system administrators; the bank had no means of controlling administrator access to those systems and no way of verifying whether a file had been manually adjusted. The chances are that if this is true of one bank, it is very likely true of others, since they generally use similar systems. And not only are directors unaware of this, they don't always understand the technical issues involved. It is like the conversations my accountant and I have when we meet: I try to explain what I do, and vice versa, and quite frankly neither of us has any real understanding of the other's profession.
Think about the company that is contracted to carry out research and development for many business partners: does management understand how confidential R&D data is shared with those partners? Or how about the financial company that processes payments for non-face-to-face businesses, including Internet, mail and telephone order: does management know how payment files are delivered to and from merchants? The list is endless.