Practical Data Loss Prevention

(Week 1 of 4)
By Michael McKinzie, CISSP

Data Loss Prevention, or DLP, is an interesting and popular topic, especially since the largest single incident of data theft recently occurred. Heartland Payment Systems discovered that numerous systems were compromised and an estimated 130M consumer credit card numbers were at risk, surpassing TJX Companies' reported compromise of 94M consumer records in 2007.

The implications of these incidents can be difficult to measure, but if you consider only the resources needed to investigate, notify consumers and remediate an incident, the costs rise quickly. If we also try to account for any fraudulent activity that may have occurred, or the time consumers must spend monitoring credit activity and disputing fraudulent charges, the cost grows considerably. Will Heartland or TJX Companies disappear, fail or go bankrupt as a result of these security breaches? Not likely, but is there a negative impact? If we look for a correlation between stock price and the reported incidents, the evidence is inconclusive: TJX appears to follow the trend of the S&P 500, while Heartland takes a nose dive. One thing is certain: the costs to investigate and remediate the data loss are significant, with a negative impact on the bottom line in both cases.

[Figure: stock price charts for Heartland Payment Systems and TJX Companies]

Obviously, these are high-profile incidents and may even have affected some of you reading this, though probably with nothing more than receiving a letter and a new card and being asked to monitor your credit reports and watch for suspicious credit card activity. The questions I have are: are we as a society simply accepting this because the problem is too hard to control, or is it merely a cost of doing business today? International boundaries, the anonymity of the internet, millions of insecure computers primed for botnets, poor security architecture by software vendors, a lack of information security budgets, etc., are all significant challenges to protecting our information.

I believe there is a personal and corporate responsibility to protect our information, just as most of us trust our bank to keep our money safe, and it is expected they will do so, or at least more safely than money tucked away at home. They also expect consumers to be diligent with access control. They issue ATM cards with user-defined PIN codes (two-factor authentication with limited authorization, i.e., maximum daily withdrawal limits), credit cards with signature panels and identifiers, or they deliver a battery of questions when we need to obtain any information on our account by phone.

I am interested in hearing your thoughts on:

1. Is the bank/consumer model or concept reliable? Do you think it works reasonably well?
2. Do you think there should be greater responsibility on users, or the organization to ensure data confidentiality?
3. Is data loss a real concern for you or your organization? Why?

About Me:

Michael McKinzie, CISSP (Business Development Manager, SecurStar) – security practitioner for 12+ years; has worked in IT management, consulting, casino gaming, and on the dark side with encryption and security manufacturers. Still a fan of The C Programming Language by Kernighan and Ritchie, and knows he will make some money from his autographed copy of Applied Cryptography on eBay some day.

