According to a recently released report from McAfee, the downturn in the economy is creating a “perfect information security risk storm.” The report, entitled “Unsecured Economies: Protecting Vital Information,” can be found here [Note: McAfee requires registration to download the report]. McAfee bases its findings on a worldwide survey of 1,000 IT decision makers.
The McAfee Report makes four key findings:
- Increasingly, important digital information is being moved between companies and across continents and is being lost.
- The global economic crisis is increasing pressure on companies to cut spending across the board, including spending on data security, which creates more opportunities for outside threats such as cybercriminals. Moreover, rising layoffs are increasing incentives for insiders to steal confidential information.
- Elements in certain countries are emerging as the main threats to data security. According to the report, “[g]eopolitical perceptions are influencing data policy reality, as China, Pakistan, and Russia were identified as trouble zones for various legal, cultural and economic reasons.”
- Cybercriminals have evolved beyond basic hacking and stealing of data. They are becoming more organized and sophisticated.
In many ways, the global economic crisis could not have come at a worse time for companies attempting to keep their data secure. As layoffs fueled by the troubled economy increase, the number of employees with the motive, means and opportunity to steal valuable data or to sabotage their employer with a damaging data breach is clearly on the rise. According to the McAfee Report, 68% of those surveyed cited “insider threats” as the top threat to essential information. “Data thefts by insiders tend to have greater financial impact given the higher level of data access.”
Coinciding with the increased threat from insiders is a growing and increasingly sophisticated threat from outside groups of cybercriminals. For example, the McAfee report notes that “malware writers now have R&D departments and test departments” and that malware programs are “regularly updated by its developers as to which vulnerabilities to exploit.” According to one source, the number of malicious programs on the internet tripled in September 2008.
And while the expansion of information crime has led to increased government regulation, it is clear that the complex demands of various state and federal regulatory schemes are increasing the burden on companies already struggling in the weakening global economy. According to the National Conference of State Legislatures, 44 states have enacted legislation requiring notification of security breaches. This leaves companies with the unenviable task of determining what state laws apply and how to make sure they are complying with scores of overlapping, potentially inconsistent state rules. This quagmire has led to calls for Congress to set a single federal standard for information security. A group called the Consumer Privacy Legislative Forum, which includes companies such as eBay, Microsoft and Hewlett Packard, released a statement calling for “comprehensive harmonized federal privacy legislation” and will be outlining recommendations for such legislation next month. The FTC also has recommended in its recent report on Social Security numbers that Congress set federal standards for information security.
Between the increasing threats to information assets and the confusing morass of new regulations governing information security, businesses are stuck between a rock and a hard place while the funds and personnel needed to address the threats and comply with increased regulation are dwindling. Given recent reports that “[o]rganizations that experienced a data breach in 2008 paid an average of $6.6 million last year to rebuild their brand image and retain customers,” the only way through this perfect storm may be to push ahead with efforts to evaluate the increasing security threats and adopt reasonable measures to combat these threats, as regulators appear to be demanding.
Links:
- McAfee Unsecured Economies Report
- USA Today Article: Data Scams Have Kicked Into High Gear As Markets Tumble
- National Conference of State Legislatures: State Breach Notification Laws
- CPLF Statement of Support of Comprehensive Consumer Privacy Legislation
- CSO Online Article: Industry Giants Weigh in on Privacy Laws
- FTC Report: Security in Numbers: SSNs and ID Theft
- Washington Post Article: Data Breaches Are More Costly Than Ever
Departing Employees Commonly Stealing Information
As discussed by Mike Rosen on Foley Hoag’s Noncompete Blog here, and reported by the Washington Post and CNN, a recently released report by Symantec Corp. and the Ponemon Institute (which can be found here) revealed that 59% of ex-employees…