It should worry all of us in IT Security and Risk Management practices that every day people read about their information being pilfered from online databases, unencrypted systems, and tapes or other media, and have started to grow insensitive to this news. I've seen it talking to people in business; the general population is starting to get used to information theft and it's becoming background noise - much like viruses back in the day... this isn't good. This means that we're failing at our jobs so catastrophically that people who should be worried are now starting to grow insensitive to information being stolen. People are starting to assume that their information will be stolen at some point and are expecting banks and credit institutions to compensate them immediately when funds disappear... interesting.
Identity theft is on the rise; the number of stolen identities is well into the hundreds of millions - and it's not showing any signs of slowing down.
What's going on? Why isn't IT security able to mitigate the risks that cause data and identity theft?
Unfortunately, I think the problems are numerous and the answers are still few. From my point of view, these are the main obstacles to having less identity theft and fraud...
- Consumers opt for simplicity over security
- Data storage is decentralized
- Consumerization is driving adoption of insecure technologies "to support the users"
- Identity/Information protection has been pushed off onto banks/credit vendors
- Consumers still don't understand the impact of their information being stolen/compromised
3 comments:
Hey Rafal,
I couldn't agree with you more. I believe we are getting desensitized to data being disclosed. I wrote some comments about this a while back. (http://un-excogitate.org/archives/2007/10/31/disclosures-approaching-white-noise/)
Can't wait for the paper.
-Christian
Why isn't IT security able to mitigate the risks that cause data and identity theft?
To me, that's the big question. However, considering the way data is handled within typical companies, it's up to the data custodian to classify the data appropriately for access control, encryption, third party exchange, and disaster recovery - not to mention persistence where it's used on a daily basis by authorized people and systems. In most cases, neither IT Security nor the Data Custodian is a single point of control over all of those use scenarios, causing the issue we see today around data loss. Oh, and did I mention that the businesses that own this data want to sell it to everyone they possibly can, and they're greasing up the politicians to make it work with minimal risk?
The answer to your question should be, how can I (the end consumer, the business partner, the politician, etc.) cause pain to the business as a result of a data breach? That's the only way the business will change their approach to securing data in order to prevent data breaches.
great information, very useful for me