Survey Finds Security Breaches Continue to Rise
Juniper Networks and the Ponemon Institute have jointly released Perceptions About Network Security Survey of IT & IT security practitioners in the U.S. (June 2011), finding that 90% of respondents had one breach in the past 12 months and 59% admitted to more than two breaches. The breaches were also expensive, with 41% disclosing that costs of US$500,000 or more were incurred.
The survey also found that 53% of respondents said they had little confidence that their organisation would avoid a cyber attack in the next 12 months. While greater spending on security measures was popularly identified as a means of addressing security breaches, 75% specifically suggested that developing end-to-end solutions would increase the effectiveness of network security.
Joint media release (22 June 2011)
Related news item:
Network World: Ponemon study: Cyber attacks more frequent, severe (22 June 2011)
(Source: Juniper Networks; Ponemon Institute; Network World)
Compulsory Committees for IT Data Security
The Economic Times reports that the Reserve Bank of India (RBI) has ordered banks to establish committees which will focus on information security management. The committees are reportedly intended to address cyber crime threats to the banking sector, and will examine “information security, e-banking, technology risk management and cyber frauds”. An RBI working group also reportedly stressed that as “information security affects all aspects of an organisation … a steering committee of executives should be formed”, with a senior member of the executive team to be designated as chief information security officer.
The RBI has reportedly ordered that banks implement a basic organisational IT framework and associated policies and procedures by 31 October 2011, with other aspects to be implemented at a later date.
The Economic Times: RBI asks banks to set up committees to protect IT data (30 April 2011)
(Source: The Economic Times)
Companies Fined for Failing to Protect Confidential Information
The US Financial Regulatory Authority (FINRA) has announced that it has sanctioned a US$450,000 fine against Lincoln Financial Securities Inc (LFS) and a US$150,000 fine against Lincoln Financial Advisors Corporation (LFA) for failing to protect confidential customer records and information. FINRA found that between 2002 and 2009 certain current and past employees were able to access customer information on the internet by using common login credentials. As a result of the failure to impose safeguards, “confidential customer records including names, addresses, social security numbers, account numbers, account balances, birth dates, email addresses and transaction details were at risk”. Additionally, FINRA found that shared user names and passwords were left unaltered even after employees had ceased working for the companies.
FINRA’s media release (17 February 2011)
The New York Times (NYT) reports that the Nasdaq stock exchange experienced a data breach in late 2010 after hackers accessed one of its computer systems. The company has reportedly clarified that the trading system was unaffected by the breach, and that the compromise “was confined to a separate Web-based application, on which corporations can store and share information”. Nasdaq has also reportedly stated that “there was no indication that the hackers had gained access to data belonging to the service’s 5,000 customers”.
Tabb Group chief executive Larry Tabb reportedly suggested that the breach would concern the companies which do business with Nasdaq, and further opined that Nasdaq would have to work hard to “show the listing firms that they can be confident their data was not compromised”. Issuer Advisory Group chief executive Patrick Healy also reportedly said that customers would expect Nasdaq to advise “how the company has enhanced its security as a result of the incident”.
According to the NYT, the breach has been investigated by the Justice Department and the Federal Bureau of Investigation.
NYT: Breach Tied to Nasdaq May Have Wider Effect (6 February 2011)
Credit Card Security a Weakness
India Today reports that a survey of Indian banks has revealed worryingly low security for credit and debit cards, with many banks failing to “follow even basic measures to ensure card security or protect … personal information”. Amongst other matters, the survey of 20 banks found that many use “highly risky practices” including excessive data retention. Such practices are reportedly contrary to “globally accepted practices for card security”. India Today reports that many banks also lacked appropriate resources, such as internal security teams, to manage threats and did not have mechanisms for detecting fraud.
Banks are reportedly urged to “align internal policies, procedures and deploy technology safeguards for protecting sensitive personal information”, and implement appropriate measures including privacy policies, privacy impact assessments and the full integration of data privacy in business processes.
India Today: Banks not taking credit card data security seriously: Survey (8 February 2011)
(Source: India Today)