Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Businesses IT

Most Companies Admit Their Data Is At Risk 60

Weblver1 writes "A recent survey of IT professionals published by web security firm Finjan shows that data-theft should be a good reason for concern. Based on answers from 1,387 professionals, 25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact. Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft, and 68% of all sectors admitting sensitive corporate information can be compromised by cyber-criminals. Finjan's report is available here (PDF, registration required). This survey comes a week after Forrester Research found in their survey that IT security spending is expected to rise (or at least remain the same) — with the current level of data breaches and sensitive data that is not protected well enough, there is a good reason for it.
This discussion has been archived. No new comments can be posted.

Most Companies Admit Their Data Is At Risk

Comments Filter:
  • surprised? (Score:5, Interesting)

    by zappepcs ( 820751 ) on Saturday September 13, 2008 @12:13PM (#24991499) Journal

    I really don't think this will surprise anyone in the IT industry. It's not even really news. Most data remains secure/not-stolen simply by accident.

    That is just how things are. To secure data, it will not be pretty, comfortable, or cheap. In the current economic environment nobody is all set to start spending with an increase in IT budge of 250% and so insecure it will remain.

    • Re:surprised? (Score:5, Interesting)

      by Lumpy ( 12016 ) on Saturday September 13, 2008 @12:18PM (#24991579) Homepage

      Bingo. When I was doing the SOX audits for my last Fortune 100 corporation I worked for. I highlighted all the problems and found solutions.

      The CTO and all other executives said, The costs are too high to fix it, we'll just report we are out of compliance.. the Fines are cheaper.

      I left that company 3 weeks later.

      • by gblfxt ( 931709 )

        besides fines, they need pmita prison for executives making these decisions. they are not only putting their company at risk, they are putting their customers at risk as well.

    • Re:surprised? (Score:4, Informative)

      by plover ( 150551 ) * on Saturday September 13, 2008 @12:24PM (#24991619) Homepage Journal

      Like everything else, it takes external pressures to get companies to spend where they haven't had to before.

      In the case of retail stores, it's the Payment Card Industry's Data Security Standard (PCI DSS) that requires merchants to submit to security audits in order for them to continue accepting credit cards. In the case of pharmacies, it's the threat of HIPPA/Privacy suits that encourages them to protect their data. For publicly traded firms, it's the Sarbanes-Oxley Act (SOX). For banks, it's the Graham-Leach-Bliley Act (GLBA).

      For industries that aren't feeling those pressures, sometimes breaches of security will motivate them. For the rest, nothing will likely happen until something else changes.

      • Re: (Score:3, Interesting)

        by Ritchie70 ( 860516 )

        I don't fully agree with this. Sometimes standards are just for making auditors money and managers and regulators feel good.

        The large retailer I work for is technically not compliant with PCI-DSS standards.

        The reality of our current credit processing solution is that it would have to be done at the acquirer/processor for a system-wide data breach, and to breach a single retail location, the credit card data would have to be captured on the fly across the internal, no-gateway, wired point-of-sale LAN.

        It woul

      • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Saturday September 13, 2008 @01:09PM (#24991963)

        For industries that aren't feeling those pressures, sometimes breaches of security will motivate them.

        From TFA:

        25% of the respondents reported that their data had been breached, with an overwhelming 42% of respondents who could not exclude the possibility of a breach

        I'd be more interested in those who DID believe they could spot a cracker after the fact.

        I'm not talking "what's this daemon running on my server" or "why are all these warez on my server".

        I'm talking someone cracking your server and copying your data last year. Without installing anything that could be traced.

        There are very few people who really know that their systems have not been cracked. And those people would be the ones who would be instantly aware if they were cracked tomorrow.

        I'm fighting with our programmers right now about how they should put confidential information on our website. They want to link from the website in our DMZ to the database server behind our firewall. So anyone who can crack the webserver has a direct line to our database server.

        But all of the other approaches are "too hard" or "too time consuming".

        • I'd be more interested in those who DID believe they could spot a cracker after the fact.

          Exactly. Surely the choice is between "could not exclude the possibility of a breach" and "deluded about their own security"?

          If someone outsmarted them to get access to the data, why do these other x% believe that they would somehow find out about it?

    • Most data remains secure/not-stolen simply by accident.

      Actually, this is how most of my own security is done, e.g. figuring the odds. I lock my door at night, but is that going to stop someone determined to break in to my house? I play the odds that if criminals are randomly selecting houses to break in to that, just like the lottery, my number wont come up. It's not to say that more shouldn't be done, but like you said, it involves trade offs with other things that are also important (profits, ease, etc.)

    • Re: (Score:3, Interesting)

      I'm going out on a limb here because I'm on this 'dark side' of this. First I should note that we're a small company 30+ people dealing in research science. Our data security is important as it pertains to our IP. However, we are currently in a heated discussion with our IT department (2 people) over the security that they have implemented and want to further strengthen. While I stated our data is important their draconian measures have severely limited the work progress. We have a linux based system (kiosk
    • I use to be a programmer for a local state mental hospital. They had me make a report that would print each patient's name, physical description, SSN, DOB, and last known address.

      I have no idea why they needed the report, but I SURE hope they did a fine job of shredding it when they were done with it.

      So our data was as secure as an orderly could make a printed report secure.

      An interesting note: Out of every 100 people, 58 knew if they've been breached or not, 25 knew they have been. That's just over 43%.

  • by Anonymous Coward

    Wouldn't a completely honest answer to this question be "yes" 100% of the time for even the best security.

    I like that kind of paranoia in security people. I'm glad 42% answered yes and hope to get those numbers even higher in future.

    • I agree. I constantly worry about every avenue of data theft where I work. From external network breaches, to USB keys and laptops leaving the building with data on them. The problem is the avenue that you don't expect! That's the one that bites you in the ass in the end. Everyone at our company expects data loss to happen at some point. We lie awake at night worrying about it, and as a result the time, effort, and money is spent to protect the data the best we can.

      Paranoia in IT is a good thing!

  • 1. Their homepage says "Finjanâ(TM)s Survey Finds that 91% of Organizations Perceive Cybercrime as a Major Business Risk." Of course they do, anyone with a website does. That doesn't mean they perceive their specific data as being at risk. Is this paradoxical? Yes, but it's also the way things work. The "it won't happen to me" complex.

    2. According the TFS, Most IT Professionals say their data is at risk, not most companies. That's not the safe as companies saying it.

    If companies admitted th
  • Do you trust me? (Score:4, Insightful)

    by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Saturday September 13, 2008 @12:16PM (#24991547)

    Do you trust the people you work with? Any individual in any business can access all sorts of material information.

    Maybe it will be leaked to someone outside. Maybe it will be inadvertently passed in an email reply. Maybe someone will break in and steal an unguarded laptop.

    There is no way to protect any data. The medical records everyone cries over is already shared with your doctors. Do you trust their secretaries? Do you trust the software makers and the maintenance/service engineers who come to diagnose software problems?

    There is no privacy, and there is no secret information. There is only information which has not yet been leaked. And your only hope is that any information that is leaked is already moot by the time it becomes public.

  • by nathan.fulton ( 1160807 ) on Saturday September 13, 2008 @12:22PM (#24991613) Journal
    From the footnotes of the PDF:
    -The anonymous survey was open to all respondents independent of geographical location, job title, company size or industry.
    -The survey was web-based and aimed at respondents interested in or worried about web security threats in general and aimed at their organization. In other news, when we polled members before entering a porn site, 98% said they plan on taking measures to protect their web anonymity within the next hour. The other 2% have a very strange fetish.
  • 42% did not know and could not exclude a breach, reflecting on the number of organizations that could potentially be breached without anyone knowing after the fact.

    It'd say they sample is based on 42% of IT professionals and 58% of PR people.

  • remember how the state officials in the uncooperative admin case in san fran handed over LIVE usernames and passwords of 50-60 (?) users in the network to court as 'evidence' against the administrator ? TOTALLY proving his case ?

    as long as executives, officials, non i.t. people are TOO stupid as to use security systems, breaches will continue to be easy.
  • by nmos ( 25822 ) on Saturday September 13, 2008 @12:32PM (#24991717)

    Personally I'd be more worried about the other 33% who seem to think they could not possibly have had their security breached.

    • If people really understood about information security and countermeasures they'd probably close all their accounts, burn all their personal papers and do all their business under a randomly rotated set of deniable assumed names, in cash. That's pretty much how corporations and political figures do it -- they never do business in their own name without a layer of paper corporations or expendable underlings between themselves and an actual decision. In the current climate that's the only way to reliably bu

  • Well, duh. (Score:4, Insightful)

    by julesh ( 229690 ) on Saturday September 13, 2008 @12:32PM (#24991719)

    25% acknowledged that their organization has been breached. What's worse, 42% did not know and could not exclude a breach

    No, that's not worse. That's _better_. Those 42% are being realistic. Realistically, unless you're one of a tiny percentage of people who either (a) receives so little traffic they can audit it all or (b) can be 100% certain of the security of all the software they're running, you should be in one of those two categories: breached, or don't know whether you've been breached but can't exclude it.

    What's _actually_ worrying is that 33% of respondents think they are in one of these two categories, when in actual fact I'd suspect the figure is less than 1%.

    (FTR: my company is in the 'breached' category. We had a worm infect one of our servers via a BIND bug back in 2000 or so, although the infection was apparently unsuccessful... it seemed to rely on there being a line feed on the end of the last line of /etc/inetd.conf, and our file didn't have one. I can't, obviously, rule out any breaches since then, but am reasonably confident there haven't been any.)

  • by Anonymous Coward on Saturday September 13, 2008 @12:46PM (#24991827)

    Depending how you look at the question, shouldn't those numbers be closer to 100%?

    We're talking about IT people, here, a group whose job it is to believe in risk (whether that be from intruders or just hardware failure) and try to mitigate it. They also tend to think in absolutes, and are likely to interpret the question that way (i.e. view it as "no" risk instead of "low" risk). To believe that your data are absolutely safe and that it would be impossible for something bad to happen would seem to me like a sign of incompetence.

    Moreover, if there were no perceived risk, many of them would have no jobs. So I'm surprised the number is not higher.

    My guess is this survey tells us mostly about how people interpreted the question.

    • We're talking about IT people, here, a group whose job it is to believe in risk (whether that be from intruders or just hardware failure) and try to mitigate it.

      You actually believe IT people believe in risk? You'll be surprised at the "who would hack us, we're too small" mentality that abounds. Unfortunately these are the same people who think just adding a firewall to a server will protect them from all the nasties. Ignore the fact it's swiss cheese to allow connectivity in and out as mandated by the clueless managerbot.

      I think the number of IT n00bs who pass themselves off as experts who are capable of spotting a breach, let-alone protecting from it is 0%. T

  • by petes_PoV ( 912422 ) on Saturday September 13, 2008 @12:48PM (#24991833)
    Everything's at risk - the question is: how much risk and do these risks justify the benefits (of leaving thins as they are), or should money be spent on reducing the risks.

    Until someone can quantify these risks, the whole survey is pointless. Although it does make a nice, juicy headline for the innumerate masses.

  • by jbsooter ( 1222994 ) on Saturday September 13, 2008 @01:11PM (#24991983)
    I don't think I've ever worked with a system that couldn't be breached if someone wanted to bad enough and IT professionals in charge of them are likely to know exactly how to do it. There's a big difference in a system that could possibly be breached by criminals with intimate knowledge of it and a system that is realistically at significant risk. Asking paranoid IT pros if their systems are vulnerable is likely not a great indicator of the likelihood of them being breached. Of course, asking overconfident ones is probably a worse indicator.

    I will say that some medical records are probably the easiest things in the world to get a hold of. Small private practices generally don't have the knowledge or resource to properly secure their data. A lot of them leave patients in exam rooms alone with a computer, often connected to the internet, for extended periods of time. Not necessarily bad if decent security practices are in place but again, small practices generally don't have the knowledge to have them or just don't feel the need to enforce them.

    I know a guy who did some IT work for several small practices and he still contends that MAC Authentication is about as good as security gets for wireless networks and his clients have all the faith in the world in his judgment. Until those networks get breached and someone leaves enough evidence behind to prove him wrong, its likely those networks will be open to the world.
    • by guruevi ( 827432 )

      But then again, who really cares about their medical records or any records for that matter.

      1) People don't care. I work in a University related to a hospital. There have been breaches and people affected are invited to take up an offer of 1 year free privacy protection. How many do you think actually accept that offer? Minimal amount.

      2) Yes, it would be easy to hack into such a systems (or any general medical facilities system) but what would be the benefit. The risk is too great and the rewards too little

      • I very much agree that hacking those systems and getting the data is pretty useless for things like identity theft or credit fraud (unless you can get it all without the breach being noticed) when there are ways of getting better information with significantly less risk. That's is not to say that the data isn't useful if put into the right hands. Two quick examples:

        1. A list of people, addresses, phone numbers, last exam dates, and current conditions would be extremely useful in some directed marketin
  • Plural, you monkeys.
  • by toby ( 759 ) *
    Most companies admit they run Windows.
  • > What's worse, 42% did not know and could not exclude a breach, reflecting on the number
    > of organizations that could potentially be breached without anyone knowing after the
    > fact.

    Perhaps that merely indicates that 42% know that it is impossible to exclude the possibility of an undetected breach with absolute certainty.

  • It's a tacit admission that's one step away: We don't really care about it.

    When it comes to customer data, though, it's nothing a few well-placed convictions for willful negligence won't solve.

  • "Other findings we should be concerned about include 82% of Healthcare IT respondents admitting that medical records are at risk of data-theft" Is anyone else concerned about the 18% of healthcare IT respondents who DON'T think that medical records are at risk? I mean seriously - that's nearly a fifth of the people questioned in charge of IT for the healthcare industry who think that their systems are actually invulnerable to attack. So far as I'm concerned, that kind of attitude is the biggest threat to
    • by julesh ( 229690 )

      Is anyone else concerned about the 18% of healthcare IT respondents who DON'T think that medical records are at risk? I mean seriously - that's nearly a fifth of the people questioned in charge of IT for the healthcare industry who think that their systems are actually invulnerable to attack. So far as I'm concerned, that kind of attitude is the biggest threat to IT security there is.

      Based on my experience with medical institutions, it wouldn't surprise me to find that 18% of them were so conservative that

  • Most all data in commercial and government systems are "exposed" or "compromised" to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-bre [blogspot.com]
  • As I sit here reading this, I am waiting on deployment scripts to finish running for our monthly production deployment. This month is "PCI Compliance" month - lots of security & permissions changes, auditing, etc. going into prod tonight. Should be done in about three hours... :-( ZZZZZzzzzzzzzzzzz...............

  • The reality of off site backups alone might make a lot of hosting/managed server customers cringe. How many companies go to the expense of security to deliver the off site backups to a safety deposit box in a bank or somewhere similarly secure? How many have the backups sitting for free in the trunk of an employee's car?

  • This security survey from informationweek [techweb.com] (registration required) said the same thing. Worse, when you get into the report, few companies are acutally using encryption for back-ups and think physical access control is good enough.

    It's a mess out there kids and not getting any better.
  • I just wonder if the response to this article (or lack of response as compared to responses to a lot of other [types] of articles here on /.) is an indication of the state of concern for this important topic.

You know you've landed gear-up when it takes full power to taxi.

Working...