Townsend Security Data Privacy Blog

Data Protection - What Today's Security Admins are Up Against

Posted by Victor Oprescu on Dec 17, 2012 4:16:00 PM


Data breaches happen all the time, and we do what we can to prevent them, yet cyber crime is still on the rise. The Verizon Business Data Breach Investigations Report for 2012 counts as many as 174 million compromised records; Verizon compiled the 2012 report from data collected in 2011. You can find the full report here, but I'm going to summarize just a few of the highlights.

  • 98% of breaches stemmed from external agents, meaning that one way or another, cyber criminals gained access to systems storing sensitive data and compromised them.
  • 81% used some form of hacking, in many cases in conjunction with malware.
  • The statistic that hits home hardest: 96% of victims subject to PCI DSS had not achieved compliance at the time of the breach.

That is really hard to swallow, because here at Townsend Security we work so hard to spread the word about the importance of merchants being PCI DSS compliant. It's not just about appeasing the auditors or passing an annual Self-Assessment Questionnaire; it's about protecting everyone's sensitive personal information. These are our credit card numbers that are being stolen, our dates of birth, social security numbers, and a myriad of other information criminals can use to their gain and our loss. The report lists that 48% of the data compromised was payment card data, like credit card numbers.

According to the report, of the 855 incidents recorded, 54% of the companies affected by that year's data breaches were in Accommodation and Food Services, 20% were in Retail Trade, and 10% in Finance and Insurance. And it's not just companies in the US that are affected: in 2011, data breaches were reported in as many as 36 countries worldwide.

And as if all this information wasn't already scary enough, apparently as many as 55% of data breaches remained undiscovered for months or longer. The majority of data breaches are discovered by external parties, meaning that the company experiencing the breach ends up learning about it from someone else, causing bad publicity and damage to the company's reputation.

This report did not address the cost to companies or consumers of these data breaches; however, Symantec took the time to compile those numbers for 2011 and, in September 2011, extrapolated the cost over the 12 months of that year to $144 billion. Obviously this has become a very lucrative business for cyber criminals, and it's not surprising that they expend so much effort on their endeavors.

The Verizon Business report has one more piece of information worth sharing: its recommendations. Implement sound security policies around system credentials, such as using strong passphrases and changing them on a regular basis, and ensure that essential controls on data are met, such as encrypting sensitive data and following recommended encryption key management practices like separation of duties and proper encryption key storage. Especially for larger organizations, monitoring and mining event logs is recommended, to aid in discovering active data breaches quickly and internally.
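The last recommendation above, mining event logs to find an active breach internally rather than hearing about it from a third party, is easy to show with a small detector. The Python below is an added example, not code from the original post or from Townsend Security; the log lines are constructed, in the style of an SSH authentication log, and the threshold and time window are assumed values you would tune for your own environment. It flags any source address that racks up a burst of failed logins and then succeeds, a pattern worth a human look.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report or the post): SSH-style auth events.
SAMPLE_LOG = """\
2012-12-17T14:01:02 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022
2012-12-17T14:01:05 sshd[1201]: Failed password for invalid user oracle from 203.0.113.7 port 51023
2012-12-17T14:01:09 sshd[1201]: Failed password for root from 203.0.113.7 port 51024
2012-12-17T14:01:12 sshd[1201]: Failed password for root from 203.0.113.7 port 51025
2012-12-17T14:01:15 sshd[1201]: Failed password for root from 203.0.113.7 port 51026
2012-12-17T14:01:20 sshd[1201]: Accepted password for root from 203.0.113.7 port 51027
2012-12-17T14:30:00 sshd[1340]: Failed password for alice from 192.0.2.10 port 40001
2012-12-17T15:10:00 sshd[1401]: Accepted publickey for alice from 192.0.2.10 port 40002
"""

# One line of the assumed log format: timestamp, daemon, result, method, user, source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def find_suspicious_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: details} for sources with >= threshold failed logins inside
    `window` immediately followed by a successful login from the same source.
    threshold and window are assumed tuning values."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []  # timestamps of failures still inside the window
        for e in evs:
            # Drop failures that have aged out of the window relative to this event.
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
            elif e["result"] == "Accepted" and len(recent_failures) >= threshold:
                alerts[src] = {
                    "failures_before_success": len(recent_failures),
                    "user": e["user"],
                    "at": e["ts"].isoformat(),
                }
                recent_failures = []  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for src, info in find_suspicious_sources(parse(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['failures_before_success']} failures then "
              f"success as {info['user']} at {info['at']}")
```

On the constructed input, 203.0.113.7 is flagged (five failures in under 20 seconds, then a successful root login) while 192.0.2.10 is not (a single failure, and the later success falls outside the window). In a real deployment the same logic would run over a central log collector's feed so that the alert reaches the organization's own staff first.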

A new report should be published soon, and although these subjects received a lot of attention in 2012, the trend in past years has been an increase in data breaches rather than a decrease. However, knowledge is power, and we have a lot of knowledge for you. Empower yourself and your company by reading some of our white papers on encryption, logging, and data security.


Topics: Data Privacy, encryption strategies

5 Key Questions Before Starting an Encryption Project

Posted by Luke Probasco on Aug 4, 2011 8:23:00 AM


Many IT executives are now faced with the urgent need to secure sensitive data on their computing systems in a very short period of time. Decisions need to be made on which data security solutions to use, which projects need priority, and how to make the best use of available resources. The need to deploy better data security has arisen quickly, and many IT executives feel the need for more information.

The data security solutions you select now will be in use for many years to come. Over time, these solutions will be integrated into almost every major application in your IT environment. Selecting the right solution now is an important first decision, whether that decision is to develop data encryption capability in-house or to work with a data security solutions provider.

Here are some key questions to consider when making this decision:

  • Who will be able to provide us with mature guidance on the appropriate use and implementation of encryption?
  • Encryption is a complex technology - do we have the expertise and resources to do this on our own?
  • Data security is incorporated into a number of regulations that govern our enterprise; are we using the right technology to satisfy these regulations? And will our solution help us minimize legal liability?
  • Will our data security solutions easily extend to new requirements? We need to secure credit card numbers today. What about tape encryption, spool file reports, and IFS files? Will our data security technology lend itself to new uses?
  • We transfer data between diverse systems in our internal network, and between customers, suppliers, and employees. Will our solutions meet all of these needs?

For further information and strategies for beginning an encryption project, download our white paper titled AES Encryption Strategies: A White Paper for the IT Executive.

Topics: Encryption, encryption strategies