Monday, October 20, 2008
Employees, not hackers, cause most corporate data loss
According to a new study (PDF, info required) from Compuware, IT departments should take a bow—only 1 percent of corporate data losses this past year were due to hackers. Unfortunately, the good news mostly ends there. Negligent employees are far and away the largest cause of data breaches, but IT managers also listed outsourcing and malicious employees (possibly ex-employees as well, one assumes) as two significant reasons why data breaches often occur.
Compuware reports that of the 1,112 IT practitioners it surveyed, 79 percent reported that their organization had experienced at least one data breach. That's an extraordinarily high number, but there are several intervening variables that may have inflated it.
* Compuware does not completely define the term "data breach." It provides an indication of what it means by describing a data breach as "the loss or theft of information about individuals such as consumer data, customer information, employee records, and so forth." That definition is more than adequate for a general discussion or description, but fails to address certain meaningful nuances.
* Compuware does not filter its results by magnitude; a breach that affected two million people is treated equally to one that impacted just two.
* Compuware does not filter by severity; this is where the subtle nuances of definition I mentioned earlier come into play. We know that a data breach involves the loss or theft of consumer data or employee records, for example, but no information on what, precisely, was stolen or exposed. If I'm a customer of JC Penney, and someone steals the list of customers who bought there over the past 24 months, I'm unhappy. If that list contained my home phone number and address, I'm concerned. If, on the other hand, that list contained my phone number, address, Social Security number, and credit card information, I'm downright worried, and may wish to take immediate action.
I raise these variables because the "gotcha!" of this particular story—79 percent of companies reporting data breaches—has, in my view, been somewhat distorted in the reporting. Compuware's figures may be perfectly accurate, but I'd be careful when drawing any conclusions from them—not every data breach is of TJ Maxx proportions.
In general, Compuware's study seems well-grounded and covers a number of interesting topics. Asked where their efforts are typically focused post-breach, a large group—41 percent of those surveyed—indicated that they participate in investigating, categorizing, and verifying the particulars of the incident. 18 percent of respondents indicated they were involved in remediation activities, 16 percent were tasked with training and educating staff or personnel, 11 percent conducted a root-cause analysis, and 10 percent established an incident response team.
I'm not sure what to make of that last, since incident response teams are emergency groups trained to respond when an emergency occurs. The fact that so many respondents were involved in specifically establishing one implies that 10 percent of the organizations surveyed didn't have them to begin with. Note the relatively low number of IT employees who were asked to spend time training fellow workers, as this will be important later.
Next up, we've got what I personally consider to be the most interesting information in the report, for all that it's largely gone unreported by the press. Having ascertained the roles IT personnel are most likely to play in the event of a data breach, Compuware asked them how confident they are in their own organization's ability to respond to such an event.
The majority of IT workers surveyed are clearly less than confident in their employer's ability to monitor and detect information theft, even though they themselves almost certainly play a role in such efforts; 56 percent of respondents labeled themselves either "Somewhat confident" or "Not confident." As for the "Unsure" category, it's hard to imagine that the security professionals who opted for this category are secretly "Very confident" or "Confident." As for why the breaches themselves occur, there's one category that stands out in particular:
Asked to name the leading causes of data breaches, IT staff couldn't run for the negligence category fast enough. Combine this with the fact that most workers don't trust their company to monitor the occurrence of data theft and the fact that relatively few IT staffers are tasked with employee training post-breach, and the entire corporate security model begins to sway suspiciously.
The majority of IT professionals surveyed don't believe their employers can adequately monitor company resources for data breaches or prevent these breaches from occurring. Who's causing the breaches? Negligent employees. Given these two facts, one would expect to see the number of IT staff involved in employee training to skyrocket post-breach, as the company attempts to plug the hole, but again, evidence suggests this isn't happening; the majority of IT staffers are involved in fixing the technical aspects of the problem, with relatively few addressing the root cause of the issue.
This obviously makes some sense, given that the IT department wasn't hired to teach Security 101, but it may also indicate that company management hasn't grasped the true root of the problem. It's easy to bring in a consultant for some remedial security training, but without the explicit involvement of the IT department, such training will inevitably focus more on general bad practices and less on the specific situations that may have exposed customer data in this particular case. There's nothing in Compuware's report, meanwhile, that suggests this loop is changing, or that IT workers today feel more confident in their company's ability to deal with a data breach than employees did five years ago.
The report ultimately suggests that the vast majority of companies have security models that are semifunctional at best. Accountability is a hit-or-miss affair, confidence in the system as a whole is minimal, and the flaws that contribute to data breaches aren't confined to any single level of an organization. Not the most optimistic Friday read, I'll admit, but the results aren't all that surprising, either.
Friday, October 10, 2008
Live-in: Some fear misuse, some welcome it
The Maharashtra government's nod to the 'live-in' proposal, wherein it considered giving the status of a 'wife' to a woman if she is involved in such a relationship for a 'reasonable period', has received mixed reactions, raising fears of misuse.
Nishita John, a professional working in a consultancy firm, feels that the government need not bring in legislation to regulate live-in relationships.
"If the relationship between the two individuals is consensual, then both should also consider how they will manage if the relationship should fail. It is not for the state to decide anything," she said.
The Maharashtra government had approved the proposal on October 8, based on recommendations of the Justice Mallimath Committee, which said that if a man and a woman are living together as husband and wife for a 'reasonably long period', the man shall be deemed to have married the woman according to the customary rights of either party.
The committee had also mooted that the definition of the word 'wife' under Section 125 of the CrPC be amended to include a woman living with the man like his wife for a 'reasonably long period'.
However, the definition of 'reasonably long period' is missing from the recommendation, which has left many worried about its soundness and ramifications, as it may be grossly misused.
"The period for which the couple live together should be clearly defined to ensure that it cannot be misused," Vivek Jaiswal, a software professional, said.
Indian cities have been seeing a growing number of live-in relationships, a concept once frowned upon as being too 'Western', and popular culture like films have also begun to accept the reality of its existence.
However, experts feel that the debate over the amendment was a larger one that extended beyond live-in relationships, which are more an urban phenomenon.
"The amendment would be more useful to women living in rural areas. In many areas polygamy still exists with no legal rights for the second wife under law," lawyer and women's rights activist Veena Gowda said.
This new definition of a wife under the CrPC would provide some financial protection to women who are in relationships that are deemed marriages by the society they live in but have no legal standing, she said.