Research: Privacy, Security Problems Alarming But Fixable - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Research: Privacy, Security Problems Alarming But Fixable

According to one study, some 84% of network attacks could have been thwarted if after checking the user ID and password, the organization had simply authenticated the identity of the invasive computer with commercially available software.

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.

The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found on Phoenix Technologies' Web site..

Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.

The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute or Port Authority Technologies .

David Etue, senior security strategist at Fidelis Security Systems, a security solution provider in Bethesda, Md., says that "the FTC estimates the inadvertent or deliberate extrusion of critical data costs consumers and businesses $50 billion a year," a growing concern that could "threaten the integrity and growth of e-commerce" or even compromise national security.

In a statement released this week, Etue says the FTC and Congress are planning to launch new data privacy legislation during the remainder of this term and into the next one. Etue contends that any new law must be guided by principles, including clear, uniform and comprehensive application -- which applies to public and private organizations and includes authoritative definitions of "personal data" and "identity" -- and national benchmarks that "set a floor of protection, rather than a ceiling."

Etue also argues that such laws should deploy agreed-on best practices and require "vigorous" enforcement and "substantial" penalties for noncompliance.

"Penalties must be designed to encourage compliance that genuinely lessens the risk of private data loss," he writes. "This translates into significant funding; substantial penalties for intentional violations; lesser penalties for unintentional violations; and penalties based on the number of identities disclosed." He also suggests rewarding organizations that do comply and penalizing international violations at a higher rate.

Hopefully, the coming political season will result in the kind of results that make future studies of data security more encouraging. But, as Etue says, "Our economy's needs don't track the electoral calendar. 2007 must be the year for clear, uniform and comprehensive federal data privacy legislation."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Why 2021 May Turn Out to be a Great Year for Tech Startups
John Edwards, Technology Journalist & Author,  2/24/2021
How GIS Data Can Help Fix Vaccine Distribution
Jessica Davis, Senior Editor, Enterprise Apps,  2/17/2021
11 Ways DevOps Is Evolving
Lisa Morgan, Freelance Writer,  2/18/2021
Register for InformationWeek Newsletters
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll