Tuesday 27 November 2012

Privacy commissioners seek greater power as breaches increase

Privacy commissioners of Australia and New Zealand said they need more enforcement authority to combat data breaches and other privacy concerns.

Whilst we agree that data breaches can be a cause of identity theft, it is the lack of legislation allowing Police to charge employees who steal data and breach privacy that is at odds with the commissioners' enforcement requirements.

A recent Kroll Global Fraud Report indicated that over two thirds of corporate frauds are committed by insiders. Even the Attorney-General herself said, at a recent security conference in Canberra, "One of the greatest risks to the security of government computer systems is from exploited or corrupted public servants".

Data theft by employees is at epidemic levels and continues to increase. Imposing hefty fines on a small business because of a security breach by an employee only serves to further damage the affected business and does nothing to prevent further occurrences.

Employees are completely immune from prosecution by Police if they steal data or any IP belonging to the company they are employed by.

There are civil remedies; however, a small to medium size business whose primary asset is data is usually so financially devastated by such a theft that it cannot afford to fund litigation. The thief benefits from the theft, breaches the employer's privacy policy with its customers, and potentially causes additional loss for the business when it is fined under the proposed Bill.

Obtaining an injunction against a thief costs about $50,000.00, plus security for costs of up to $150,000.00. Most small businesses cannot afford this impost, nor the distraction of a usually protracted legal battle.

If the proposed Bill is to have any impact at all, it must be supported by legislation that allows Police to charge employees who misuse their authorised access to a computer or computer system to steal data from their employers.

Most businesses, including big business, are completely unaware that if an employee, or indeed anybody who has been given access to their business, steals data, that person cannot be prosecuted by Police.

Tuesday 20 November 2012

Cyber-Ark 2012 Trust, Security and Passwords Survey

Cyber-Ark's annual global IT security survey was released in June 2012. Here are some key conclusions:

Privileged accounts are increasingly being targeted in enterprise attacks, regardless of the attack entry point:
  • 71 percent of respondents consider insider threats to be the greatest security risk to their organisation.
  • 29 percent cite external threats, including targeted cyber-attacks and opportunistic hacks.
  • 64 percent of respondents believe that the majority of recent security attacks have involved the exploitation of privileged account access.

Recent high-profile security attacks, such as the RSA and Global Payments data breaches, have made an impact on security strategies this year:

When asked if they were rethinking security strategies based on these high profile breaches, more than half said yes (51 percent).

Respondents were asked to rank their 2012 IT security priorities in order of importance:
  • Vulnerability Management (17 percent)
  • Privileged Identity Management (16 percent)
  • Security Information and Event Management (SIEM) (15 percent)
  • Anti-Virus/Malware (13 percent).

Despite growing awareness of the privileged connection in cyber-attacks and the increasing insider threat, some businesses are failing to uphold their responsibility for securing customer and similar sensitive information:
  • 43 percent of respondents stated that their organisations do not monitor the use of privileged accounts, or were unsure whether they did.
  • Of those organisations that do monitor privileged access, 52 percent of respondents believe they could get around the current controls.

Current legislative and regulatory efforts to curb data breaches have proven ineffective to date:

When asked if data breach notification laws are effective in curbing data loss, 72 percent of respondents stated no, while only 28 percent stated yes.

The perception of the insider threat as the greatest security risk is driven by continued unauthorized access to sensitive information:
  • 45 percent of respondents indicated that they have access to information on a system that is not relevant to their role.
  • 42 percent of respondents indicated that they or a colleague have used admin passwords to access information that was otherwise confidential.
  • 55 percent of respondents believe that competitors have received their company’s highly sensitive information or intellectual property.

See the full survey here (pdf)