
November 5, 2007 4:00 AM PST

Perspective: Uncle Sam's newest security challenge to businesses

Recent high-profile data breaches have pushed the protection of confidential information to the forefront for both the security industry and the American public.

Over the past two years, data leaks have compromised more than 150 million personal-data records, according to the Privacy Rights Clearinghouse.

These breaches come with a high price tag. Forrester Research puts the cost of a security breach at anywhere between $90 and $305 per record, which means the cost of a single large breach can run into the millions or even billions of dollars. The problem is certainly not going away, and it is no surprise that the federal government is considering laws to mandate how sensitive data is handled.

This fall, pending legislation could have a significant impact on how businesses are required to protect confidential information, as well as when and how they are required to notify the public in the event of a breach. Several legislative bills are expected to be introduced in Congress that would specifically address identity theft protections, the storage and encryption of sensitive cardholder data, and wireless data security.

The outcome of this legislation remains uncertain, but it appears there is building support within Congress to take more proactive measures for enforcing higher data security standards.

The business world has already experienced the impact of government attempting to control the inner workings of an organization. Sarbanes-Oxley is well-intentioned, but the cost of compliance has been staggering for many businesses. A recent study by Foley & Lardner found that since 2001, the average cost of SOX compliance for companies with under $1 billion in annual revenue has increased more than $1.7 million to approximately $2.8 million.

It's important that all of a business's stakeholders--employees, partners, and consumers--are promptly notified when confidential information has been breached. This could include personal information, trade secrets, financial data, and more. However, the government will face a monumental challenge if it tries to prescribe 1) what exactly constitutes confidential information and 2) how that data must be protected.

Across different industries and organizations, the definition of sensitive information varies greatly. It may be patient forms at a hospital, patent applications at a research facility, or credit card numbers at a retail store. There are common threads across all industries, such as employee Social Security numbers, but the nuances from one business to the next make an overarching definition of sensitive information nearly impossible.

It's logical to expect that compliance with data protection laws could have financial implications similar to SOX. The laws will likely require a combination of technology and processes to protect data, which are ultimately going to have hard costs and could take time to implement across the board.

A one-size-fits-all approach to data protection simply won't work. Protecting financial information for a small retail chain will not be the same as what's required for an international bank. It's important for the government to compel businesses to notify the public promptly when a breach has occurred, but the onus is on the business to determine what data it needs to protect and to implement the right policies and technology to ensure it's secure.

The board is in the best position to identify the company's "crown jewels"--from employee and customer data to trade secrets. When considering what information is most important to protect, anything deemed "material" to the organization and subject to indemnity disclosure is often a good benchmark for setting internal content protection policies.

Most boards will realize that if they have an indemnity disclosure and financial risk associated with a data breach, it is in their best interest to protect their sensitive data or potentially face costly intellectual-property loss and legal damages associated with a breach.

Once sensitive data is identified, technology can be employed that acts as a digital content guardian, controlling who accesses the data and how, as well as where and how it is shared. No one knows your business like you do. However, by not taking the appropriate steps to protect your data in advance of a potential breach, you could be exposing your company to tremendous risk, and that could ultimately be your last mistake as a business.

Biography
Gene Hodges is chief executive officer of Websense, a supplier of security software.

Solution is really Simple
by wbenton November 6, 2007 7:20 AM PST
>>>. Forrester Research says that a security breach can cost anywhere between $90 and $305 per record, meaning that the cost of a single, significant breach may run into millions or even billions of dollars.<<<

Bill the company the millions or billions.

Once companies realize that their lax security might just be the string that broke the company's back... they'll start investing tens of thousands of dollars to upgrade their security levels to what they should have been in the first place rather than have to fork out the millions or billions for clean-up.

Risk strategies will show them that investing in stronger security is risk hedging at its best! (* GRIN *)

No new "one-size-fits-all" government usurping more unnecessary tax dollars is required at all!

Bottom Line: Ante up for stronger security or ante out of the marketplace.

Walt
Check out this program!
by zlando November 14, 2007 1:37 AM PST
A new program called SecInclude, from Israel... from the tops in the league, that is making waves not only for its ability to stop hackers, but its price.... many of the hi-tech firms here use it....

www.modumax.net
The same old story.
by pguglietti November 14, 2007 6:31 AM PST
Once again we are told that business is its own best regulator, that government can't and shouldn't be involved. The simple fact is that business interests do not act for the common good unless forced to do so--it's against their bottom-line interests to do more than the bare minimum of self-regulation. What else can consumers do except use government as a tool to ensure compliance with a reasonable standard?
"Moanin' Blues" ought to be the theme for
by fire1fl November 14, 2007 7:14 AM PST
all the Sarbanes-Oxley crap being spewed by the Wall Street mavens. Investment is a risky proposition but the playing field shouldn't be a haven for cheats, sharks, charlatans, or gangsters. There are many key words that will bring up the reasons to regulate corporations (transparency, charge-back, director misfeasance, share fraud, back-dating, etc.) but if there is just one word on which to search, let it be Exxon.
Security is just another example of most companies skimming along, hoping the odds increase profit at the risk of the customer.

The government exists to (and should) level the playing field. Placing the responsibility (and risk) where it belongs, in this case with the companies and boards, is exactly what the government *should* do. Being a customer should not carry the risks of endless identity crises.
Security challenge to business - "everything old is new again"
by caelli November 14, 2007 4:50 PM PST
Think about it!
Congress (and Websense's CEO) are asking industry to categorise (classify) their information systems in relation to information assurance requirements. Well - yes - 25 years ago that is exactly what the basis of the "Orange Book" was - and - that led to the insightful decision that "mandatory" style access was a real need for environments where mixed security needs and responsibilities existed. BUT - BUT - governments worldwide ignored this and let the ICT industry develop and sell pointless "discretionary" access systems with little interest in industry regulation. So where to now? When do we stop blaming the end-user (small, medium or large enterprises, public or private) and blame and regulate the industry itself? By now we should be seeing operating systems and allied structures that enable strong access control on the basis of exactly what this article advocates - a classification of applications and users into categories that can be reliably ENFORCED - and an obsolete "C2" type discretionary, commodity system will not "hack it". Indeed, if Congress takes up the points made in this article then ALL server systems in the USA should be based around "type enforcement" concepts as set out in the NSA's "Secure LINUX" (SELinux) project - itself 7 years old by now - at least in the open world.

Richard Clarke has said it, everyone agrees: a "laissez-faire", non-regulatory stance on the ICT industry, different from other industries such as pharmaceuticals, food, air transport, healthcare and the like, has led us to where we are. It is time now for congressional action - BUT - not just on the hapless ICT product and system consumer but rather on the industry itself!!
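The distinction the comment above draws between discretionary access control and type enforcement is easy to state and easy to misunderstand, so here is a small working model of it. This is an added example written for this page, not the commenter's code and not SELinux itself: the domain and type labels (httpd_t, shadow_t, and so on), the allow rules, the user IDs and the file modes are all constructed for illustration, and the policy table only borrows the shape of SELinux's `allow source target:class { perms }` rules. The point it demonstrates is that a DAC check has a root exemption and is decided by the file owner, while a type-enforcement check is default-deny and has no exemption, so a compromised web server running as root is still stopped from reading the shadow file.

```python
"""Toy DAC-versus-type-enforcement access model (illustrative, not SELinux)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    uid: str      # DAC identity (who the process runs as)
    domain: str   # type-enforcement label of the process (hypothetical names)


@dataclass(frozen=True)
class FileObj:
    owner: str    # DAC owner
    mode: int     # Unix permission bits, e.g. 0o600
    type_: str    # type-enforcement label of the file (hypothetical names)


# Constructed allow rules, modelled on "allow <domain> <type>:<class> { perms };".
# Anything not listed here is denied: type enforcement is default-deny.
TE_POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"getattr", "open", "read"},
    ("httpd_t", "httpd_log_t", "file"): {"getattr", "open", "append"},
    ("passwd_t", "shadow_t", "file"): {"getattr", "open", "read", "write"},
}

# Map a requested permission onto the Unix bit it needs under DAC.
_DAC_BIT = {"read": 4, "getattr": 4, "open": 4, "write": 2, "append": 2, "execute": 1}


def dac_allows(subj: Subject, obj: FileObj, perm: str) -> bool:
    """Discretionary check: root bypasses it; otherwise owner or 'other' bits decide."""
    if subj.uid == "root":
        return True
    bits = (obj.mode >> 6) & 7 if subj.uid == obj.owner else obj.mode & 7
    return bool(bits & _DAC_BIT.get(perm, 0))


def te_allows(subj: Subject, obj: FileObj, cls: str, perm: str) -> bool:
    """Type-enforcement check: only an explicit allow rule grants access, even to root."""
    return perm in TE_POLICY.get((subj.domain, obj.type_, cls), set())


def decide(subj: Subject, obj: FileObj, cls: str, perm: str):
    """Return (allowed, layer_that_denied): both layers must agree, DAC is consulted first."""
    if not dac_allows(subj, obj, perm):
        return False, "dac"
    if not te_allows(subj, obj, cls, perm):
        return False, "te"
    return True, None


def avc_line(subj: Subject, obj: FileObj, cls: str, perm: str, path: str) -> str:
    """Render a decision in a denial-log style; the format is invented for readability."""
    allowed, layer = decide(subj, obj, cls, perm)
    verdict = "granted" if allowed else f"denied by {layer}"
    return (f"{verdict} {{ {perm} }} uid={subj.uid} scontext={subj.domain} "
            f"tcontext={obj.type_} tclass={cls} path={path}")


# Constructed sample objects.
SHADOW = FileObj(owner="root", mode=0o600, type_="shadow_t")
WEBROOT_INDEX = FileObj(owner="root", mode=0o644, type_="httpd_sys_content_t")
ACCESS_LOG = FileObj(owner="apache", mode=0o644, type_="httpd_log_t")

# A web server that has been exploited and somehow ended up running as root,
# but is still confined to the httpd_t domain.
ROOT_HTTPD = Subject(uid="root", domain="httpd_t")
APACHE_HTTPD = Subject(uid="apache", domain="httpd_t")
PASSWD_TOOL = Subject(uid="root", domain="passwd_t")

if __name__ == "__main__":
    for subj, obj, perm, path in [
        (ROOT_HTTPD, SHADOW, "read", "/etc/shadow"),
        (APACHE_HTTPD, WEBROOT_INDEX, "read", "/var/www/html/index.html"),
        (APACHE_HTTPD, ACCESS_LOG, "append", "/var/log/httpd/access_log"),
        (APACHE_HTTPD, SHADOW, "read", "/etc/shadow"),
        (PASSWD_TOOL, SHADOW, "write", "/etc/shadow"),
    ]:
        print(avc_line(subj, obj, "file", perm, path))
```

Run as a script it prints one line per request; the instructive pair is the first and fourth: the unprivileged web server is stopped by DAC, the root-level one passes DAC and is stopped only by the type-enforcement layer. A real SELinux policy also needs rules for the process transitions that put a daemon into its domain in the first place, which this model leaves out.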