Tuesday, June 06, 2006

Privacy Sticker Shock: IT Security


News from Gartner ahead of its IT Security Summit will hopefully rattle businesses that hold sensitive personal and financial information on customers out of their complacency and move them into action on customer data protection.

According to Gartner vice president and analyst Avivah Litan, a company holding private and personal information on as few as 10,000 customers can spend up to $160,000 in the first year for encryption, host-based intrusion prevention and security audits on that data. Litan gently breaks the numbers down to between $6 and $16 per customer account. Responding to a data breach, by contrast, costs at least $90 per customer account, which for those same ten thousand customers approaches a rather more shocking $900,000 (nearly One MILLION dollars).

Litan also warns, in the press release announcing the IT Security Summit, that Social Security numbers can no longer be the sole trusted proof of identity, because as many as one in seven Social Security numbers in the US may already have been compromised!

Here's an idea for companies that want to save money on IT security - DON'T ASK FOR OR STORE CUSTOMERS' SENSITIVE PERSONAL INFORMATION! Then you don't have to protect it, encrypt it or audit your security around it. That also means you can't sell it - darn. Hmmmm. What a concept.

Now some financial companies do need to hold sensitive personal and financial information on customers, and they absolutely must guard that information as though it were all the gold in Fort Knox. Security should not be in question. Full and complete protection of customer data should never be in doubt. Those companies should be legally required, yes I said LEGALLY REQUIRED, to fully encrypt that data, run the finest intrusion prevention systems and continually audit their systems and their people against fraud and error. Further, companies that hold and store sensitive personal, medical or financial data on customers should be legally compelled to fully restore and make good any losses customers incur from data breaches of any sort in their systems - period.

Now there is another element to this little puzzle as well. NO COMPANY SHOULD EVER BE ALLOWED TO SELL PRIVATE PERSONAL, FINANCIAL OR MEDICAL INFORMATION ON ANY CUSTOMER OR POTENTIAL CUSTOMER to another company or individual - period. I reproduced an article in this space last week about that offensive practice in the financial industry, a practice that should have us all gasping in complete shock.

Companies that hold personal financial or medical information on any customers should treat it like gold and lock it away in the most secure way possible. IT geeks at companies that hold sensitive customer data, please attend the Gartner IT Security Summit outlined in the press release below, then go back to your company, convince the beancounters to take security to heart, and lock up and protect customer data like gold.
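To make the "don't keep the plaintext, and encrypt what you must keep" point concrete, here is an added worked example in Go. It is not code from this post, from Gartner's press release below, or from any product; it illustrates the "encrypt stored data" option the press release calls the most robust protection. It assumes a hypothetical customer store in which a row never holds the raw Social Security number: it holds an AES-256-GCM ciphertext that only the few code paths needing the full number can open, a keyed HMAC-SHA256 tag so the number can still be matched during an identity check without decrypting anything, and a masked last-four for display. The keys, the sample SSN and the type and function names are all constructed for the demonstration; in practice the keys come from a KMS or HSM rather than living next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// ProtectedSSN is what a customer row stores instead of the plaintext number.
type ProtectedSSN struct {
	Ciphertext string // base64(nonce || AES-256-GCM ciphertext), readable only with the data key
	Lookup     string // base64(HMAC-SHA256 of the SSN under a separate key), equality matching only
	Last4      string // masked display value, all most staff ever need to see
}

// Vault holds the keys (hypothetical: in production they come from a KMS/HSM, never the row store).
type Vault struct {
	gcm       cipher.AEAD // AES-256-GCM under the data key
	lookupKey []byte
}

var ssnPattern = regexp.MustCompile(`^\d{3}-\d{2}-\d{4}$`)

// NewVault enforces key separation: one key per purpose, both 32 bytes.
func NewVault(dataKey, lookupKey []byte) (*Vault, error) {
	if len(dataKey) != 32 || len(lookupKey) != 32 || hmac.Equal(dataKey, lookupKey) {
		return nil, errors.New("need two distinct 32-byte keys")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{gcm: gcm, lookupKey: lookupKey}, nil
}

func (v *Vault) lookupTag(ssn string) []byte {
	mac := hmac.New(sha256.New, v.lookupKey)
	mac.Write([]byte(ssn))
	return mac.Sum(nil)
}

// Protect validates, encrypts under a fresh nonce and derives the tag and mask; the plaintext is never persisted.
func (v *Vault) Protect(ssn string) (ProtectedSSN, error) {
	if !ssnPattern.MatchString(ssn) {
		return ProtectedSSN{}, errors.New("malformed SSN, refusing to store it")
	}
	nonce := make([]byte, v.gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return ProtectedSSN{}, err
	}
	// The AAD "ssn" ties the ciphertext to this field so it cannot be swapped into another column.
	ct := v.gcm.Seal(nonce, nonce, []byte(ssn), []byte("ssn"))
	return ProtectedSSN{
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
		Lookup:     base64.StdEncoding.EncodeToString(v.lookupTag(ssn)),
		Last4:      "***-**-" + ssn[len(ssn)-4:],
	}, nil
}

// Reveal decrypts for the few paths that truly need the full number; a wrong key or an
// altered record fails authentication instead of returning plausible garbage.
func (v *Vault) Reveal(p ProtectedSSN) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(p.Ciphertext)
	if err != nil {
		return "", err
	}
	if len(raw) < v.gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.gcm.Open(nil, raw[:v.gcm.NonceSize()], raw[v.gcm.NonceSize():], []byte("ssn"))
	if err != nil {
		return "", errors.New("authentication failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// Matches answers "is this the customer holding SSN X?" without decrypting anything.
func (v *Vault) Matches(p ProtectedSSN, candidate string) bool {
	want, err := base64.StdEncoding.DecodeString(p.Lookup)
	return err == nil && hmac.Equal(v.lookupTag(candidate), want)
}

func main() {
	// Constructed demo keys and a made-up SSN; real keys never live in source.
	v, _ := NewVault([]byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210fedcba9876543210"))
	p, _ := v.Protect("123-45-6789")
	fmt.Printf("stored row: %+v\nmatches: %v\n", p, v.Matches(p, "123-45-6789"))
}
```

Two keys are used because the lookup tag is far less sensitive than the ciphertext: if it leaks, an attacker can confirm a number they already guessed but cannot recover any. Because GCM is authenticated, reading a row back under the wrong key, or after someone has edited the stored value, fails outright rather than yielding a believable wrong number, which is exactly the behaviour the audits the press release recommends should be checking for. The lookup tag still leaks equality, so two customers with the same SSN share a tag; that is the trade-off for being able to search without decrypting.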


Analysts Examine Protective Measures Companies Can Implement During Gartner IT Security Summit, June 5-7, in Washington, DC

The recent thefts of personal data from companies and government agencies make it clear that Social Security numbers can no longer be relied on as proof of identity, according to Gartner, Inc. Gartner analysts said enterprises should use this data as only part of an overall "identity score."

Avivah Litan, vice president and distinguished analyst at Gartner, recently testified at the oversight hearings of the Committee on Veterans' Affairs regarding the theft of sensitive information belonging to 26.5 million veterans and spouses from a Veterans Affairs employee's home. Ms. Litan told the committee that this latest compromise shows just how unprotected some of the nation's most sensitive data is.

"This incident also shows that the Social Security number has become an extremely unreliable piece of information and cannot be trusted to be unique to an individual. Companies should not rely on Social Security numbers alone as proof of individual identity," Ms. Litan said. "As many as one-in-seven adult Social Security numbers in the U.S. may already have been compromised."

Ms. Litan is providing more detailed analysis regarding identity theft during the Gartner IT Security Summit, which is taking place here through June 7.

While security managers are attempting to implement more-stringent security measures around sensitive information, the price tag for such protection can cause sticker shock for many companies. Security managers are facing challenges in receiving the budget required to better protect customer and business-sensitive information. Gartner analysts point out that data protection is much less costly than data breaches.

"A company with at least 10,000 accounts to protect can spend, in the first year, as little as $6 per customer account for just data encryption, or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined," Ms. Litan said. "This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."

Encrypting stored data can provide the most robust data protection, but if that is unfeasible because of undue cost and complexity, companies should deploy comprehensive host-based intrusion prevention systems (HIPS). However, successfully deploying HIPS requires strong server configuration control and additional administrative cost and complexity. Another option is strong security audits to validate that the organization has deployed satisfactory mitigating controls, reducing the need for data encryption or HIPS.

"None of these options are mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach," Ms. Litan said.

Additional information on identity theft prevention is being released at the Gartner IT Security Summit, being held at the Marriott Wardman Park Hotel in Washington, DC. Gartner analysts, industry experts and IT security practitioners are delivering unbiased, realistic analysis on the current state of IT security, as well as an independent overview of the market during the next 12-18 months. For complete event details please visit the Gartner IT Security Summit Web site at www.gartner.com/us/itsecurity.

About Gartner

Gartner, Inc. (NYSE: IT) delivers the technology-related insight necessary for its clients to make the right decisions, every day. Gartner serves 10,000 organizations, including chief information officers and other senior IT executives in corporations and government agencies, as well as technology companies and the investment community. The Company consists of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,700 associates, including 1,200 research analysts and consultants in 75 countries worldwide. For more information, visit www.gartner.com.

posted by RealitySEO at 9:35 AM

