A lot of letters have been landing on a lot of doormats across the U.S. so far this year warning people that their personal data and financial records have been either stolen or lost.
More than 140,000 consumers received notifications as a result of a scam against data broker ChoicePoint, followed shortly after by revelations of security breaches at LexisNexis, which affected more than 300,000 people, and DSW Shoe Warehouse, from which thieves obtained 1.4 million credit card numbers. Then there were a half million Wachovia, Bank of America, Commerce Bank and PNC Bank customers who were hit by a data theft ring that was unearthed in New Jersey in April. Add to that the loss by Iron Mountain of backup tapes containing details of 600,000 current and former Time Warner employees, the 1.2 million federal employees impacted by a loss of data tapes by Bank of America and an additional 200,000 people affected by a similar incident at Ameritrade and we've got an epidemic on our hands.
So what is going on? Why the sudden slew of bad news? In part, it is simply that we are now hearing about these events, which hasn't always been the case. ChoicePoint, for example, was forced to reveal its security breach as a result of California Civil Code 1798. California was the first state to introduce mandatory disclosure requirements in the event of a security breach, but many states are set to follow its lead.
"About 36 states have mandatory disclosure laws going through their state legislatures, all modeled after California Senate Bill 1386 and California Assembly Bill 1950, which are both part of California Civil Code 1798," says Michael Rasmussen, principal analyst with Forrester Research. Additionally, a number of bills are being reviewed by the United States Congress at present, he adds.
But increased disclosure is not the whole story. More security breaches are occurring than ever before, according to Rasmussen. "There is a whole profit-seeking venture in being able to steal identities and sell them," he says. "That is really why we're seeing the rise."
Given the virtual nature of much of our modern world, in which financial transactions are predominantly about electronic flows of data rather than hard cash, information - and access to that information - has become a key source of risk. As a result, the new security focus is on information management, relates Robert Garigue, vice president and chief information security officer for BMO Financial Group.
"We've been managing technology for a long time, and now we have good networks, better operating systems and stronger applications," he says. "But these are what I call containers. What we are starting to realize is that the value and the risk are associated with the content and not the containers."
Consider the centralization of data. With the emergence of data brokers such as ChoicePoint and LexisNexis, and with banks and brokerages aggregating their data into central warehouses, businesses are creating tempting targets for cyber criminals. Yet, as with Fort Knox, simply knowing that all the treasure is in one place doesn't make it any easier to steal.
In fact, some of the centralization contributes to stronger security, as it allows firms to put many layers of security sophistication around the data, which would be hard to repeat on a smaller scale, according to Richard Breunich, managing director and head of Citigroup's enterprise technology office. "If every night I wipe out the data on your PC, bring it back into a central site that is secured and encrypted and also keep a log of who accesses that data, and I can report an occurrence of some activity that doesn't make sense to me, it is easier to keep secure," he says. "And because it is in a single place, it is cost-feasible to give the layers of protection that you couldn't do 50,000 times over."
The problem is that if someone does access such a centralized repository, the potential for damage is huge - which underlines the importance of information management and business processes. As Forrester's Rasmussen points out, the ChoicePoint breach was not a technical hack. Rather, the thieves were able to hack into a business process and use legitimate IDs to access information. Likewise, the LexisNexis incident involved people using legitimate customer IDs and passwords to obtain sensitive personal data.
"When you are dealing with information security, or information risk management, it is not about technology - it is about defining the controls and business processes, and awareness training for users," asserts Rasmussen. That's not to say that technology is no longer important to security, but technology alone doesn't ensure security. Rather, technology has become so sophisticated and ubiquitous that anyone seeking to access an organization's systems has to find new weak points to do so - and those weak points often are found in people and processes. So technology must be a component of a firm's security environment, rather than the entire solution.
Who Goes There?
Identity and access management offers a case in point. How do you prove that the people entering user IDs and passwords are who they say they are? And, in the case of internal breaches by employees, how do you manage and restrict access to those defined areas that are applicable to their roles? Securing data requires monitoring and management of the security provisions themselves, some of which will come from technology, some from improved business processes.
Citigroup, for example, is in the process of implementing its enterprisewide Information Security Technology Framework Initiative, which brings together more than 30 projects under three programs: identity and entitlement management; infrastructure survivability; and data protection. "Identity and entitlement management is about identifying who the user is, assuring through certain credentials that it is the person, and then assigning the right authorizations and entitlements to that person based on who they are and where they are at that point in time," explains the firm's Breunich.
For its part, BMO is establishing an enterprisewide information management policy. "We are establishing the roles of information stewards across the lines of business who will be responsible for ensuring the quality and some of the life cycle management aspects of sensitive and confidential content and business models, as well as a chief privacy officer who will look after that content pertaining to employee and customer information that is regulated by law," says the firm's Garigue. BMO also is reviewing best practices, focusing on awareness programs concerning confidentiality of content, and moving to two-factor authentication, for example, for services that require strong authentication of identities, he adds.
Indeed, such authentication practices likely will become more commonplace, particularly in light of the Federal Deposit Insurance Corp.'s recommendation that financial institutions upgrade from single-factor to two-factor authentication as a means to combat online fraud resulting from account hijacking. E*Trade Financial and Bank of America are among the organizations adopting the technology.
E*Trade is introducing a digital ID token during the second quarter for those customers who want it. The physical token provides customers with a randomly generated, six-digit code that changes every minute as part of their passwords. "If someone tries to use the ID and password that you've used on every other site at E*Trade, it won't work because you have to have your secure ID [which is generated by the ID token] as part of it," explains Joshua Levine, chief technology and operations officer with E*Trade Financial Services. "It defeats the issue with keylogger [spyware]."
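As an added example, not E*Trade's code (its token uses a proprietary algorithm), here is how a server could verify a login of the form described above: a static password with a six-digit code appended that rolls over every minute. It assumes an RFC 6238-style HMAC time code with a 60-second step, a constructed seed, and hypothetical function names; it also shows why a password and code captured by a keylogger no longer work once the minute has passed.

```python
import hashlib
import hmac
import struct

# Constructed demo seed for a hypothetical token (assumption, not a real token seed).
TOKEN_SEED = b"constructed-demo-seed-not-a-real-token"
STEP_SECONDS = 60   # the article's token changes its code every minute
DIGITS = 6

def token_code(seed: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """Six-digit code for the current time step: HMAC-SHA1 over the step
    counter, dynamically truncated as in RFC 6238 (an assumed scheme)."""
    counter = int(now // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)

def verify_login(stored_password: str, submitted: str, seed: bytes,
                 now: float, drift_steps: int = 1) -> bool:
    """Server-side check of '<static password><6-digit code>'.
    Both halves must match; the code may be from the current step or
    +/- drift_steps steps to tolerate clock skew between token and server."""
    if len(submitted) <= DIGITS:
        return False
    password_part, code_part = submitted[:-DIGITS], submitted[-DIGITS:]
    # Constant-time comparisons so timing does not leak which half failed.
    if not hmac.compare_digest(password_part, stored_password):
        return False
    for d in range(-drift_steps, drift_steps + 1):
        expected = token_code(seed, now + d * STEP_SECONDS)
        if hmac.compare_digest(code_part, expected):
            return True
    return False

def keylogger_replay(stored_password: str, seed: bytes, captured_at: float,
                     replayed_at: float) -> tuple:
    """Simulate the scenario in the text: the full secret typed at
    captured_at is replayed later. Returns (valid_when_typed, valid_on_replay)."""
    captured = stored_password + token_code(seed, captured_at)
    return (verify_login(stored_password, captured, seed, captured_at),
            verify_login(stored_password, captured, seed, replayed_at))

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    print(keylogger_replay("hunter2", TOKEN_SEED, t0, t0 + 10 * STEP_SECONDS))
```

The replay fails only because the code is bound to the minute it was generated; the static password half is still fully exposed to the keylogger, so the token seed must stay confidential on both the token and the server.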
Of course, not all security problems are the result of malicious actions. Accidents, as with the loss of backup tapes, do happen. But there still are ways to build in safeguards.
"Tapes that get moved physically outside of our control are all being encrypted. So if a tape containing confidential data is lost, you won't be able to get to it," asserts Citigroup's Breunich. "Of course, some very sophisticated people can break down encryption, but it is meant to stop the more casual user."
Citigroup also is looking at alternatives to backup tapes, such as using secure file transfer protocol, adds Breunich. "That way, you can know the address on the other side and if you don't see the right address, you don't transmit. And because it is encrypted and only lives for a short period of time in an electronic format on the line, it is much safer."