With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today's corporate leaders face a myriad of repercussions. These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.
These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.
For example it mandates in the Sarbanes-Oxley act section 404 that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.
Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit untimely drives the definition of what would be considered "adequate" controls.
However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising as seen in the Monster.com attack. It's estimated that over 79 million records were exposed last year alone.
Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that led to an exposure of 45 million credit card numbers and eventually cost the retailer over 200 million dollars in both hard costs incurred and stock value reduction.
These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? Why did the internal controls, established according to company policy, fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?
These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part do with the dramatic increase in information exposure in 2007.
For example a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.
Furthermore, if we put this into perspective we are more at risk then we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.
In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.
Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.
The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What's alarming is the rate at which malware is developed and released to infect victims on a daily basis. For example, PandaLabs and other major AV labs see over 4000 new strains per day.
This is mainly due to the overwhelming inability for security vendors to respond to this ever increasing rate of new malware strains. We are witnessing a literal denial of service against vendor resources.
Therefore, a large number of malware currently circulates the Internet undetected, thus, resulting in a large number of companies infected despite having up-to-date security solutions.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.