Tuesday, August 19, 2008

Data Breach Overload - Are Users Desensitized?

It's everywhere. It's covered in blogs, articles, whitepapers, press releases and the news. Data breaches are an everyday occurrence. That horrifies me.

It should worry all of us in IT Security and Risk Management practices that every day people read about their information being pilfered from online databases, unencrypted systems, and tapes or other media, and have started to grow insensitive to this news. I've seen it talking to people in business; the general population is starting to get used to information theft, and it's becoming background noise - much like viruses back in the day... this isn't good. This means that we're failing at our jobs so catastrophically that people who should be worried are now starting to grow insensitive to information being stolen. People are starting to assume that their information will be stolen at some point and are expecting banks and credit institutions to compensate them immediately when funds disappear... interesting.

Identity theft is on the rise; the number of identities stolen is well into the hundreds of millions - and it's not showing any signs of slowing down.

What's going on? Why isn't IT security able to mitigate the risks that cause data and identity theft?

Unfortunately, I think the problems are numerous and the answers are still few. From my point of view, these are the main obstacles to having less identity theft and fraud...
  1. Consumers opt for simplicity over security
  2. Data storage is decentralized
  3. Consumerization is driving adoption of insecure technologies "to support the users"
  4. Identity/Information protection has been pushed off onto banks/credit vendors
  5. Consumers still don't understand the impact of their information being stolen/compromised
In the whitepaper I'm publishing in the next few days, I'm addressing these 5 critical issues, and what can possibly be done to address and overcome them. I know it's been talked about before - but it's worth repeating until everyone has heard it. If you have any feedback you'd like to see in the paper, please ping me or leave a comment here.


Christian "@xntrik" Frichot said...

Hey Rafal,

I couldn't agree with you more. I believe we are getting desensitized to data being disclosed. I wrote some comments about this a while back. (http://un-excogitate.org/archives/2007/10/31/disclosures-approaching-white-noise/)

Can't wait for the paper.


Scott said...

Why isn't IT security able to mitigate the risks that cause data and identity theft?

To me, that's the big question. However, considering the way data is handled within typical companies, it's up to the data custodian to classify the data appropriately for access control, encryption, third party exchange, and disaster recovery - not to mention persistence where it's used on a daily basis by authorized people and systems. In most cases, neither IT Security nor the Data Custodian is a single point of control over all of those use scenarios, causing the issue we see today around data loss. Oh, and did I mention that the businesses that own this data want to sell it to everyone they possibly can, and they're greasing up the politicians to make it work with minimal risk?

The answer to your question should be, how can I (the end consumer, the business partner, the politician, etc.) cause pain to the business as a result of a data breach? That's the only way the business will change their approach to securing data in order to prevent data breaches.
