What Privacy? Security Survey Pessimistic

Scary: A recent survey sponsored by Deloitte & Touche concluded that almost 85 percent of the 800 privacy and security professionals polled believe that there has been a privacy breach within their organization during the last year. (Source: securityfocus.com)

Scarier: Two thirds of those polled have had multiple breaches during the last year. Moreover, in a recent Microsoft Study of 3600 security, privacy and marketing executives, 78% of the security and privacy executives expressed confidence that their marketing counterparts would consult them before collecting or using private personal information. But, yikes! Only 30% of the marketers said they actually do so.

Scarier still. This is only the tip of the iceberg as evidenced by recent security attacks and data losses. Retail mammoth, TJX Companies (TJ Maxx, Homesense, Winners, etc.) announced that they have lost by deliberate security attack more than 94 million credit card and debit card accounts. Last month, the British Revenue and Customs agency responsible for taxes reported a leak of sensitive data involving 25 million people. These follow the AOL leak of 20 million private search records in mid-2006 (Source: vnunet.com), and the compromise of Salesforce.com which resulted in exposure of the customer databases of Salesforce.com's clients. (Source: washingtonpost.com)

These are just the security breaches that make the news. In the last few years, other lesser-known compromises have involved the U.S. Department of Energy, Georgetown University, the U.S. Department of Agriculture, Citigroup, and Ameritrade.

One reason data attacks are increasing is that the nature of web-based applications has changed. In the past, data was stored in central, physically secure, data centers. Now databases are externally accessible; often suppliers, customers and partners all have direct access or share data.

Another reason for the increase is that data attackers have gone professional. This means that they sell easily monetized data like credit card or social security numbers, and that they are optimizing their attacks on large collections of data rather than on sneaking one or two credit cards at a time. The end-result is that attackers are changing tactics. Instead of trying to break through the firewalls of major enterprises, attackers are now using carefully targeted means of compromising people on the other side of the firewall from within the organization.

For example, in the SalesForce.com incident, an employee was snared using a carefully crafted phishing scheme. In this way, attackers focus on the weakest point of the information infrastructure: from the inside.

What's next? Expect to see more attacks that are even more elaborate. Then expect tougher access restrictions and tougher access controls...on just about everything.