A New Year is always a good time to reflect on the past and make plans for the future. 2008 was a very busy year for security breaches, with 656 reported breaches exposing up to 35 million customer records according to a recent report by the Identity Theft Resource Center (ITRC). This was nearly a 50% jump from 2007.
Since our focus is the development of information security policies, we decided to take a look back at 2008 and see if we could draw some conclusions about trends and priorities for 2009. Think of this as an industry-wide risk assessment exercise. Based on some of the largest incidents of 2008, which information security and data privacy policies, if properly implemented, would have helped reduce the likelihood or impact of these incidents? (Needless to say, many of these policies are contained within Information Security Policies Made Easy.)
The stakes are getting higher. According to a study conducted by the Ponemon Institute, data breaches are costing businesses an average of $197 per customer record, up from $182 in 2006. So, based on some of the top incidents of 2008, here are our suggested top security policy priorities for 2009:
1. Data Breach Notification Policies
Despite the many costly, embarrassing data breaches that have been reported over the last several years, organizations seem to get caught without a plan for dealing with breaches that involve sensitive customer data. Slow or poorly organized responses end up creating confusion and increasing the potential damage of the breaches.
Six months after a breach happened at the parent company of the Montgomery Ward website, the company Direct Marketing Services finally began notifying customers that their credit card information was stolen in part of a hack that stole at least 51,000 records in December 2007. In March, the Maine-based Hannaford Brothers grocery store chain announced that 4.2 million customer card transactions had been compromised by hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.
A data breach notification policy must include a variety of possible elements, including breach reporting procedures, documentation of breach notification requirements (by state or country), notification methods and schedules, and the establishment of breach response teams.
Data breach response is going to end up on the radar sooner or later. The recent Homeland Security Agenda announced from President Obama includes a goal for a nationwide breach notification law, but so far no national law has been passed, leaving a patchwork of state-level requirements within the United States.
2. Tracking of Physical Media in Transit
Another common theme in many incidents is the loss of physical media, including laptops, PDAs, hard drives and backup tapes. Since the data is often not encrypted (See item #3), the loss triggers breach notification requirements (See item #1).
There are a variety of controls that can be addressed in policy, from the most basic (tracking the delivery of sensitive equipment) to the more complex (laptop tracking software, RFID tags). As always, employees play a key role since they are often the ones transporting the sensitive information. An effective Mobile Device security policy must cover the controls around the logical and physical protection of mobile devices.
The number of incidents involved lost media and mobile devices are too numerous to talk about in detail. (Several web sites do maintain such a list, including the Open Security Foundation (OSF) Loss Database and the Privacy Rights Clearinghouse. According to the Open Security Foundation, stolen laptops account for the largest share of data breaches, at 22% of the total.
3. Encryption of Sensitive Data Backups
This policy is really a subset of a wider set of controls involving the monitoring and tracking of sensitive customer data throughout its lifecycle. However, this one deserves special attention due to some large incidents in 2008.
In February 2008, an unencrypted backup tape with 4.5 million customers of the Bank of New York Mellon went missing after it was sent to a storage facility. The missing tape contains social security numbers and bank account information on 4.5 million customers – including several hundred thousand depositors and investors of People’s United Bank of Connecticut. Early in January, Iron Mountain reported that it could not find a backup tape that belonged to GE Money, containing information on over 650,000 J.C. Penney customers and 100 other retailers.
Encryption policies involve a variety of control areas, including identifying the data that must be encrypted, choosing and implementing encryption methods, and encryption key management. (ISPME has over 50 security policies addressing this topic.) Many organizations that process sensitive customer data are finding it more cost effective to simply encrypt all data, rather than identifying the subsets required. Despite the obvious need for encryption, according to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use.
4. Malicious Software Prevention
Companies are increasingly falling prey to malicious software being installed and resident on their systems. Trojans and keystroke loggers were responsible for a number of high-profile breaches, including the Best Western Hotels, where thousands of user accounts were stolen and began appearing on Russian Mafia web sites within hours of the heist. In potentially one of the largest recent breaches, Heartland Data Systems has acknowledged a data security breach that may affect tens of millions of payment card accounts. Initial investigation revealed malicious software on their network.
In November, security vendor RSA said it found a single Trojan that had taken more than 500,000 online banking accounts credentials, credit cards and other resources. The reported indicated that the hacking gang behind the Trojan may have been operating for as long as three years. The compromised data came from hundreds of financial institutions around the world.
There are a number of related information security policies that can help address this common threat. These include standard security configurations for desktop and mobile devices, regular updates of virus and malicious software signatures, regular scanning of networked systems, and user education and awareness on software downloading and responding to phishing emails (see Item #5).
5. Employee Security – Screening, Education and Awareness
It is unlikely that there will be a year when employee education and awareness would not be a top information security priority. From rogue insiders going undetected to employees accidentally downloading spyware from a phishing attack, users are always at the front lines of many attacks. It has been said so many times that we can be numb from hearing it – educated users are essential to any security program. And yet, organizational priorities to not always follow this basic premise. A 2008 study by the Computer Security Institute showed that the average organization spends less than 1% of their budget on security awareness.
There are a number of security policies that can help integrate information security responsibilities into the workforce. Some examples include the requirements for annual security training, quarterly awareness activities, the formal documentation of information security responsibilities for various job roles, and validation of these in formal job reviews.
5.1 – The Insider Threat
This special area of employee-related security deserves special attention.
An alarming number of breaches now involve malicious employees or contractors. The breaches range from cases of espionage, to the simple pilfering of customer data for personal gain. According the ITRC report, insider theft – now at 15.7% of all breaches – has more than doubled between 2007 and 2008.
In one of the largest insider incidents of 2008, a former Countrywide Financial Corp. senior financial analyst was arrested and charged by the FBI for stealing and selling sensitive personal information of an estimated 2 million mortgage loan applicants. The data was taken over a two year period and sold to competitors. In March 2008, a former bank programmer at Compass Bank was charged after he had stolen a hard drive with 1 million customer records and used it to commit debit-card fraud.
A recent case involved a database administrator of a UK company, who was fined and sentenced to three months in jail after hacking into his former employer’s computer system. Later investigation revealed that the man had lied on his resume and also had prior criminal charges.
Written security policies can also help address the growing insider threat, and must focus on the entire lifecycle of employees and contractors. Examples include screening of employees in positions of trust, regular review of access rights, integration of security roles into job descriptions, monitoring of systems for unusually large transactions, and post-employment removal of logical and physical access rights.
So there are our top five categories. They are certainly not comprehensive, but they can give you a start on your priorities for 2009.
So what can we learn from this list? First, most data breaches involve a variety of factors, including both people and technology. So a variety of controls are required to help reduce the risk of these incidents. As we see from the analysis, most security policies are dependent on other policies to be completely effective. Privacy policies, encryption policies and backup policies must work together to prevent a breach involving stored sensitive data. User awareness and training policies must worth with malicious software detection and configuration control to help stop identity theft and the spread of botnets.
That is why Information Shield strives to provide the most comprehensive library of information security policies available. If your organization has gaps in any of these key areas, we encourage you to take a look at our security policy products. We look forward to serving you in 2009.