Emerald Business Systems Blog

Home
Business & Finance
News
U.S.
Politics
International
Technology
Entertainment
Sports
Lifestyle
Oddly Enough
Health
Science
Special Coverage
Video
Pictures
Your View
The Great Debate
Blogs
Weather
Reader Feedback
Do More With Reuters
RSSRSS Feed
Widgets
Mobile
Podcasts
Newsletters
Your View
Make Reuters My Homepage
Partner Services
CareerBuilder
Affiliate Network
Professional Products
Support (Customer Zone)
Reuters Media
Financial Products
About Thomson Reuters
Study Finds Protecting Credit Card and Patient Data Drives IT Spending Yet Most Organizations Still at Risk
Tue Oct 20, 2009 9:15am EDT

Email | Print |
Share
| Reprints | Single Page
[-] Text [+]
Featured Broker sponsored link

Study Finds Protecting Credit Card and Patient Data Drives IT Spending Yet
Most Organizations Still at Risk
Less than half encrypt backup tapes, full disks and databases while nearly 20
percent said they would wait for a data breach before they encrypt tapes

SAUSALITO, Calif., Oct. 20 /PRNewswire/ — Trust Catalyst, a research firm
helping companies build data protection strategies that strengthen customers’
trust — today announced the findings of its second annual 2009 Encryption and
Key Management Benchmark Report which surveyed more than 600 IT security
professionals and was sponsored by Thales.

The study found 41 percent surveyed encrypt backup tapes, 43 percent encrypt
databases and 49% encrypt full disks, despite the growing number of new
industry, state and national data protection regulations. While participants
indicated the protection of health care and credit card data was driving
future IT spending, 19 percent said they would wait for a data breach before
they would encrypt tapes. This data left unprotected in databases and backup
tapes causes these organizations to be at higher risk for a data breach.

The study revealed the primary obstacles preventing organizations from
encrypting these applications were due to concerns about cost and data
availability. Once data is encrypted, participants fear they could lose this
data or it would not be available when it was needed causing a business
disruption even though twice as many surveyed admitted to a data breach than
losing data because of a lost encryption key.

“Given the nature of new data breach regulations, organizations no longer have
the luxury of time to wait and encrypt credit card and healthcare data because
of data availability concerns,” said Kimberly Getgen, Principal of Trust
Catalyst. “With less than 50 percent of participants encrypting backup tapes
and nearly 20 percent of respondents saying it would take the pain of a data
breach to get their organization to reverse their decision, too many
organizations, customers and patients are needlessly at risk.”

Here are some of the study’s key findings:

— Patient and Credit Card Data Protection Drives IT Budgets. 53.9
percent
indicated they were allocating budget for PCI DSS, 28.9% for HIPAA and
22.4% for the EU Data Privacy Directive. HIPAA was the number one
allocator of new budgets for US participants.
— Cost of encryption remains top concern. Participants express that
cost
remains the single most important factor preventing data that “should”
be encrypted from being encrypted. Over half cited the cost of the
encryption solution (26%) or the cost of managing the encryption
solution (25%) as their primary obstacles for being able to bring
encryption into their organizations where it is needed most.
— Operational concerns delaying encryption projects. The decision to
postpone encryption is often because operational efficiencies like
availability of data and performance are seen as more important than
data protection. For example, when asked specifically about what was
preventing them from encrypting databases, it was the complexity of
managing keys that was identified as the primary obstacle preventing
participants from encrypting backup tapes (24%). Here, participants
said availability was far more important than confidentiality.

— Cloud computing not ready for prime time. 52.1 percent of
participants
cite data security concerns as being the number one barrier preventing
their organization from adopting cloud computing. 42.6 percent of
survey participants said they were not currently planning on moving to
the cloud while another 46.5% said they would wait until data is
encrypted before moving. 58.8 percent said they would want to manage
their own encryption keys if encrypted data was moved to the cloud.

The full 2009 Encryption and Key Management Benchmark report can be downloaded
from http://www.trustcatalyst.com/2009EncryptionSurvey.php

There is no shortage of advice of ways to try and prevent a data breach. But if it happens to you, do you have a plan of precisely what to do next? Very few retailers do.

Before we delve into what you should do next—and the fact that you really need to get your teams together and figure it out now (think of it as Data Breach Disaster Recovery Plan)—let’s look at why this is such a difficult area. In the last couple of years, a veritable who’s who of major retailers have been breached, including TJX, Hannaford, 7-Eleven, Target, J.C. Penney, BJ’s Wholesale, Boston Market, Sports Authority, Dave & Buster’s, Office Max, Barnes & Noble, Forever 21 and DSW. And that’s merely a partial list of the ones we know about.

And in almost every one of those cases, the cyber thieves entered those networks, rummaged around, copies GBytes of payment data and related files, transferred that data to themselves and left—all without the retailers detecting any alarms. Invariably, it was the card brands—and sometimes the U.S. Secret Service—that detected the fraud days, weeks, months and sometimes years later and then circled back to give a heads up to the retailers involved.

That’s complicating factor Number One: You’re likely to learn of the breach long after it’s been halted by the thieves themselves. That tends to fuel the tendency to react slowly, as it doesn’t feel like an emergency. Trust me: It is.

Complicating factor Number Two: Data logs. As Wal-Mart learned a few years ago, those logs are the first things that professional cyber thieves will alter and manipulate once they break in. You simply can’t trust them if you know that cyber thieves have had hours of free reign within your network. That’s one of the reasons that real-time alerts (E-mail or otherwise)—stored in various locations far away from the enterprise servers (beyond the reach of the intruder)—are so attractive. Before the bad guy can cover his tracks, video of those tracks has already been sent to 40 different inboxes.

That said, today’s the day. You’ve just gotten the call from Visa that your systems are apparently the common point of purchase with a few million fraudulent transaction attempts. What are the first three things you need to do?

One: Identify The Nature Of The Breach
Although number two on this list is cutting off your networks from the intruder and others associated with the intruder, you can’t meaningfully do that until you at least reliably know the basics of the attack.

What if you choose to yank your system from the network—which is exactly what one breached Colorado liquor store did—and you later discover that the attacks were done physically on the card swipes and that network access limits wouldn’t stop them?

Or perhaps you choose to break off all external links, leaving intranet and VPN connections alive so operations can continue. And you later learn that it was an inside job done by two people in accounting and an IT programmer? Oops.

So as tempting as it is to make “cutting off the intruders” number one on this list, establishing the exact nature of the breach has to be Number One. (Actually, phoning a reporter for StorefrontBacktalk really should be Number One, so as to prevent this breach from impacting others. You’re a retail patriot, no?)

Two: Cutting Off The Bad Guys
You have learned of a major security hole. Even if you’re confident the perpetrators have been caught and made inactive, these thieves use discussions forums and share knowledge. You can wager generously that it’s known—at least in the cyber thief world—that you’ve been breached and how.

You’ve got to plug those holes before the next wave of silent attacks happen. Don’t forget that they are silent, leaving almost no easily discoverable tracks. They may be copying files as you sit in a meeting debating options.

But you actually have a sub-priority that should trump your key priority: Maintain operations and maintain them seamlessly. Whatever you do, it can’t meaningfully impact customers. You can’t simply stop accepting online coupons or processing CRM points if you used to.

There are an infinite number of ways of cutting off access to the bad guys, but they generally fall into two equally-viable categories: Go Back; and Move Forward.

The Go Back strategy suggests cutting off access as much as possible to cut your losses and halt damage. It has some severe drawbacks, both in terms of functionality and security (no encryption), but it’s also likely to avoid further breaches for a bit. After all, it’s hardly cost-effective to steal one card at a time by tapping phone lines.

The Move Forward approach is also known as the “Panicky IT Executive Throwing Money At The Problem.” To be fair, many of the “move forward” options will have to be seriously considered for Step Three, which is returning the network to the new normal. But it’s not an especially great idea at this stage because the immediacy required prevents the kind of due diligence this merits. Still, adding software to plug limited holes or to generally boost protection is something to consider at this phase.The Zero Liability programs from the major card brands do a wonderful job of limiting direct financial losses from your customers. But if, in an attempt to make your systems temporarily breach-proof, you start losing customer-facing functionality, you have the real potential of alienating—and losing—key customers. If that happens, candor—in the form of “Well, we’ve been breached and we think this Eastern European cyber thief gang has your credit card info”—is not likely to help you, unless you define “help” as stopping customers from walking away and instead getting them to run away.

Three: Activating The New Normal
Once you’ve figured out exactly what the attackers did—to your satisfaction at least—and prevented anyone from doing those particular techniques to you again, you need to return to the living and get your operation to move into the next security phase.

But given the RFPs that need to be created and circulated plus the competing bids and then the questions and trials and trail evaluations and then limited deployments, you could easily have to live a year or two with your “immediate” approach. Don’t rush the new normal as that will be your key safeguard for quite some time.

If the size of your chain means that you may have to live longer without the new normal, that would certainly suggest that the Move Forward approach in Number Two might be a good way to go for you.

Breaches are becoming a fact of life in retail IT today and there’s no way to prevent them. But with some prep right, you can at least make the post-breach nightmare a little less horrific.

Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.