Information Security

The problem of information insecurity is well documented in public (think stolen government laptops and T.J. Maxx) as well as inside the enterprise, where attempts to thwart and lock down data leaks are increasing. Two reports on information security, with somewhat different angles but painting a similar picture, came out at the end of last year. The subtitle of the Fifth Global State of Information Security report, published by Price Waterhouse Coopers (PWC), “The End of Innocence,” provides a fine summation of the current state of affairs: it is time to acknowledge a problem that until now was either ignored or invisible.

The other report, “Reinventing Data Loss Prevention,” published by IronPort, cites some numbers which suggest why the problem must be faced. “The United States Trade Representative (USTR) reported in 2006 that U.S. businesses are losing approximately $250 billion annually from trade secret theft, while the FBI estimated that the cost of all data breaches in 2006 to U.S. companies totaled $62.7 billion.” Numbers that high should get attention, and they are getting it. According to PWC, “Awareness of the problematic nature of information security is approaching an all-time high. Out of every IT dollar spent, 15 cents goes to security. Security staff is being hired at an increasing rate.” Unfortunately, though the defense is adding strength, “enterprise security isn’t improving.”

PWC points out that when they first published the annual report five years ago, 36 percent of respondents “reported that they had suffered zero security incidents”; this year the number dropped to 22 percent. Though the numbers appear to indicate an increase in attacks, the report offers an alternative assessment: “We believe it simply means that more companies are aware of the incidents that they’ve always suffered but into which, until recently, they had no visibility.” And as they become aware, enterprises are taking action: the number of companies stating that they have an overall security strategy jumped 20 percent in the past year, from 37 percent to 57 percent.

“But here’s an odd paradox: Despite the massive buildup of people, process and technology during the past five years, and fewer people reporting zero incidents, 40 percent of respondents didn’t know how many incidents they’ve suffered, up from 29 percent last year.” The “Don’t Know” box was checked 40 percent of the time (versus 29 percent in 2006) for number of incidents, 45 percent for type of attack (26 percent in 2006), and 33 percent for primary method used (26 percent in 2006). This across-the-board increase in unknowns is very telling: “It doesn’t bode well that after years of buying and installing systems and processes to improve security, close to half of the respondents didn’t have a clue as to what was going on in their own enterprises.”

The result of so much being unknown is likely to be a shift in the plan of defense. The future will show less of a focus on the containment of breaches and more “risk analysis and proactive intelligence gathering,” as these may prove more fruitful in the long run. The report uses an analogy to make the point: “Think of a glass break sensor on a window at a museum. That piece of technology is extremely effective at telling you that someone broke the window; it does nothing to explain how and why a painting was stolen, nor can it help you prevent the next window from being broken and the next painting from being snatched.” Mark Lobel, a principal with PWC’s advisory services, says, “We have the technology but still don’t have our hands around what’s important and what we should be monitoring and protecting.” That, he says, is the “next level of maturity.” Included in that next level will be an element of cooperation between companies; though each has its own secrets, they are fighting a common enemy. “For a while, I think, ignorance was bliss. Now, with all the technology in place, we’re learning that we all have the same problems,” says Ron Woerner, security engineering consultant at TD Ameritrade.
