BreachExchange mailing list archives
Re: Identity Theft protection changes needed
From: George Toft <george () myitaz com>
Date: Tue, 11 Jul 2006 08:33:51 -0700
Our business is focusing on a vertical that is clearly governed by Gramm-Leach-Bliley. Their professional journal carried 49 articles on the applicability of GLBA since 2001, yet in 1600+ telephonic conversations with members of this industry, the majority of the business owners have never heard of GLBA. The FTC calls out their business as being regulated. 16 CFR states they are regulated, yet they don't know about it. So where am I going with this? In our research to discover why we are getting little results in our marketing, we stumbled across two pieces of wisdom: 1. It's hard to convince someone to spend money on something they don't understand; and 2. The human mind is built to react, not proact. In our case, we are trying to help these businesses stay out of the [near] daily security breach headlines, yet the business owners do not understand why security is important. "That will never happen to me." Regarding the human mind, I think that we - as security people - are mis-wired. We think proactively - that's why we proactively secure our systems (to the maximum extent allowed by the budget). And it is hard for us to understand why the rest of the world can't see the freight train about to hit them. I have been tasked with presenting a webinar to the senior management of a medium-sized company that is still running Windows NT on all their servers. (By now, most readers are probably gasping in shock.) The IT Director understand the problem, but senior management's mindset is "It's not broken, so why fix it?" So what it comes down to is that senior managers do not think proactively. They are focused on revenue generation, not asset protection, and surely not security. This point is supported in a recent study (http://www.eweek.com/article2/0%2C1895%2C1979919%2C00.asp). They will react when it hits them in the balance sheet, but by then the damage is done. Proactive thought is neither taught nor practiced in college as shown by the trend in data loss (1/3 of victims are universities). In my own studies - undergraduate and graduate - we were taught to solve problems, not prevent them. (My policies class came close - we were taught to look at the failings of others and develop policies to protect the business.) The root cause of the problem lies squarely in our education system. Unfortunately, it takes years to move that industry, so the problem will continue for quite some time. George Toft, CISSP, MSIS My IT Department www.myITaz.com 480-544-1067 Confidential data protection experts for the financial industry. Al Mac wrote:
In security breach news we are seeing the same scenario played out again and again, with different enterprises doing the same stuff that leads to disaster. How come no one seems to be learning by example to avoid being the next story in the news? I have my theories on this, but in this article, IDG News Services asked leaders of three security businesses to give their theories on this. * People do what is easy and convenient and don't give much thought to the consequences. * Many people do not get insurance until something happens to a neighbor, or they see problem in news, and realize they need insurance against that * Security is a balance between other management priorities, in which several are more important than security * There has been a conceptual shift in recent years. It used to be that companies trusted employees, gave them reasons for that trust, but now job security is threatened by off-shoring, unions have been busted, and Sarbanes Oxley is re-establishing separation of duties ** but none of that is why we have all these new laws saying no one can be trusted ... here's why http://wallstreetfollies.com/ scroll to the bottom and blow it up http://wallstreetfollies.com/diagrams.htm * there's a lot of traffic that goes over the Internet in the clear * you can't tell from a web ad if there is something malicious going on My theories have to do with the notion that security breaches have been occurring since the dawn of computer history, and we are now only hearing about those associated with geographies where there is a legal obligation to report them. Let's suppose you work in a company that has existed for 100 years, had computers for 50 years, have had 20 security breaches and survived them all. The fact that your company is now obligated to publicize breaches means that it does not dawn on anyone what the PR consequences of that are until after the first publicized breach. There are laws that are not enforced. We can go to any electronics store and buy the where with all to tap into cell phone and other radio traffic. Totally illegal, but have you ever heard of anyone being arrested for it?. Do you know what a police scanner is? People who like to listen to police radio calls for their entertainment. You can also listen to taxi service and other outfits. Some parts of the electromagnetic spectrum are reserved for special kinds of traffic, like pagers. I hear tell there's all kinds of interesting stuff for snoops. Companies with wireless not locked down. Several breaches have involved someone with laptop in their parking lot. People get some kind of communication service and assume there is zero risk of it being tapped, hacked, or what have you. http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9001672&taxonomyId=82 - Al Mac AKA Alister Wm. Macintyre _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/errata/dataloss/
Current thread:
- Identity Theft protection changes needed Al Mac (Jul 11)
- Re: Identity Theft protection changes needed George Toft (Jul 11)