 |
 |
 |
|||
 |
 |
Contact | |||
 |
|
||||
 |
Pretexting Goes Unnoticed by Microsoft | Prevalent Security Neglect | FTC EnforcementArchive Pretexting Goes Unnoticed by Microsoft Obtaining financial information using the practice of pretexting has been illegal since the enforcement of the Gramm-Leach-Bliley law in 2001. The law prohibits fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances. However, con artists continue to use this technique of false pretenses to find passwords and other personal information that will lead to the theft of financial information. Prevalent Security Neglect Over half of all companies doing business in the technology, media and telecommunications sectors have experienced data breaches that potentially exposed their intellectual property or customer information, a new research report shows. According to the report, published by Deloitte Touche Tohmatsu, not only have many technology providers been hit with the same sorts of data losses that have recently plagued other industries, but a large number of the firms have also failed to make sufficient investments in security technologies aimed at preventing future incidents. Deloitte researchers said that security has long been "neglected" by technology, media and telecommunications companies despite their dependence on digital information to run their businesses. The consulting company surveyed executives at 150 such companies and found that even in the face of public embarrassment, financial losses and potential litigation linked to data breaches, many of the businesses have yet to make necessary investments to more adequately protect their information. According to the report, more than 50 percent of the companies surveyed admitted to having a data loss within the last 12 months, with roughly one-third of those incidents directly resulting in financial losses. Half of the companies reporting data breaches said the incidents involved internal attacks or policy violations. Of the firms surveyed, only 4 percent said their employers are doing enough to address the issue, and just 20 percent of respondents said that they feel confident that their companies' intellectual property is being sufficiently safeguarded. Some 24 percent of interviewees said that the security tools they have installed are being used effectively. While phishing schemes continue to pose a major threat to companies' customer information and brand reputations, only 18 percent of those executives surveyed said that their firms have employed technologies aimed at preventing the attacks. Deloitte said that 37 percent of the companies it interviewed have provided additional security training to their employees within the last 12 months. At the heart of the issue, the report said, is companies' reluctance to increase their spending on new security measures. While 74 percent of survey respondents said that they expect to spend more time and money on improving security in 2006, the average budget increase among those companies was only 9 percent. Fewer than 15 percent of those increasing their security budgets planned to do so by over 20 percent, Deloitte said. For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internet's Security IT Hub. Despite the sobering statistics, Deloitte researchers said that technology, media and telecommunications companies are beginning to make changes to improve their IT defenses and security policies. Regulations such as the U.S. government's Sarbanes-Oxley Act have help pave the way for those improvements, said Brian Geffert, principal of security and privacy services at Deloitte. "Sarbanes got people to understand security a bit more, and now more people are catching up; more CEOs are communicating directly with chief information security officers, and I think we will see a lot more investment from these particular companies," said Geffert. "To a degree people are in the stage where they are still making plans, and not yet fully engaged in moving forward, but there's progress." Only 63 percent of respondents to the survey said they have a senior-level executive in their company dedicated to managing security issues, with 53 percent of information technology companies employing those types of leaders. Deloitte noted that those numbers were lower than the proportion of companies in other industries with C-level security executives already in place. Further, the survey found that 52 percent of technology, media and telecommunications companies consider security a problem for IT departments, rather than viewing the issue as a central business concern. The top five information security concerns identified by the executives polled were those related to instant messaging systems, phishing schemes, viruses that attack mobile devices, hacks into online brokerage accounts and other Web-based crimes. So-called insider attacks, or threats emanating from employees or other people with legitimate access to IT systems, are another major concern. However, only 59 percent of the companies interviewed said that they have any form of employee behavior monitoring technology in place. While 25 percent of respondents listed cited insider fraud as their primary internal security concern, 22 percent pointed to data losses such as the incidents that have recently victimized the U.S. Department of Veterans Affairs and insurance giant American International Group as their greatest fear. "These data leaks are starting to make people think differently about the manner in which they handle data, and you also have the emergence of small storage devices capable of carrying off a boatload of data, those things have opened people's eyes," Geffert said.
"At the end of the day, it's all about getting people to look at their work habits differently and letting workers know what their responsibilities are for protecting the data; technology companies are a bit behind other industries today, but there's no reason that they cannot catch up." Companies Surprised with FTC Enforcement The Federal Trade Commission has begun enforcing the "Safeguarding Customer Information Guidelines" from the Gramm-Leach-Bliley Act. The FTC has named identify theft as the #1 fraud reported by consumers in 2004. As part of a nationwide sweep targeting mortgage brokers and automobile dealers, the commission found deficiencies in the way customer information was stored and protected. The FTC found that the mortgage companies that violated the rule did not assess the risks to its customer information; did not implement reasonable policies and procedures; did not provide written privacy notices to customers; did not initiate employee training; did not oversee employees working and handling customer information at remote locations; did not oversee the collection and handling of customer information via the companies' web sites; did not monitor the computer network for vulnerabilities and did not take steps to ensure that service providers provided appropriate security in handling customer information. Automobile dealers audited by the commission were surprised that they fell under the definitions of the rule. The "financial institutions" covered by the Rule include not only lenders and other traditional financial institutions, but also companies providing many other types of financial products and services to consumers. These institutions include, for example, payday lenders, check-cashing businesses, professional tax preparers, auto dealers engaged in financing or leasing, electronic funds transfer networks, mortgage brokers, credit counselors, real estate settlement companies, and retailers that issue credit cards to consumers. The administrative actions taken by the FTC against the companies that did not comply with the rule will result in significant expense compared to the pro-active effort that the initial analysis and implementation would have cost. In fact, the central issue to the Safeguards Rule is that organizations employ appropriate measures before an incident occurs, "identifying reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information." Foreseeing risk is somewhat of a challenge. With the fast paced Internet and information technology landscape, new risks emerge daily. Regardless, the companies surprised with the actions of the FTC were not covered by the "I didn't know" excuse. The very rule required that they were to know. The attitude held in days past by corporate executives confidently stating, "that's not going to happen to us" has changed with the law, which now requires them to foresee the next threat. In order to foresee, those bearing the responsibility of the organization's actions must admit a need to assess the fact that an unknown threat could exist from within or without. It is no longer sufficient to rely on the opinion and recommendations of the internal security or technology officer. The Safeguards Rule charges the board of directors with the responsibility of overseeing the employees and service providers who are implementing and adjusting an information security program. |
||||
 |
|||||