Monday, September 28, 2009

Survey: Half of businesses don't secure personal data

From C|Net News
The personal information you give to businesses may not be as secure as you hope, according to a new survey. Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.
Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.
This is hardly comforting. As we've discussed, businesses will collect data first and then figure out what to do with it later. In the interim, it appears that many businesses do not bother to secure this data because it's "too expensive."

5 comments:

Olivia said...

Reading this article makes you want to find ways to ensure that companies are forced to secure all personal data. The only thing that comes to my mind is federal legislation, and it's obvious that going the legislative route would have problems.

Like we've said in class, the lack of up-to-date technical knowledge within Congress could hold a data security law back for years; it seems likely that since many people in Congress aren't comfortable when it comes to creating legislation for the Internet, it's easy for them to push it off to the side and address the routine kinds of issues they're used to considering.

Furthermore, big businesses are obviously going to worry more about protecting their bottom lines than about information security. Any company or industry large enough to have a lobbyist would surely work to keep Congress from passing this kind of law. A law requiring the secure storage of sensitive data would create for them a new financial burden. I would imagine that securing all the vulnerable data that these businesses aggregate would be expensive just in labor costs alone.

Finally, any kind of legislation forcing businesses to secure data would also need a way to be enforced. How could you make sure companies would follow this new law? Would it be feasible or effective to create a government office or executive body just to monitor businesses' data aggregation practices? How can you even define what "secured" data is when the technological landscape is constantly changing?

All these problems make it obvious for me to see why the issues with data security within businesses have been left unresolved. There are so many other problems for the government to deal with and big business is obviously more concerned about watching its profit margin. This, coupled with the idea that (even in the current economic climate) consumers keep spending despite our worries about our personal information, leads me to believe it will take a lot of time before we can even begin to see this problem finally tackled.

Katie said...

Computers are valuable today because of the information that is stored in them. Both in the private and public sector and in society as a whole, things are stored in computers that people would like to be secured. For example, individuals may want to secure personal conversations that they have with loved ones, students would like to secure homework and papers, the government would like to secure military and economic secrets, and private companies such as banks would like to secure users' personal information. In order to make sure that computer systems remain secure, companies and individuals should continually update the software on the computer and should continually install good anti-spyware programs. Companies and individuals should also limit who has access to the computer; the individual can develop a password that is specific to his or her life while the company should have a password that is relevant to its service. In both cases, the password should frequently change so that it makes it much more difficult to be broken into and will keep the information secure. Large sector companies should constantly be hiring professionals to make sure that their systems are secure so that viable information does not leak that can harm the general public. However, people need to be aware that it is always possible that a computer can be broken into and therefore should be careful with what type of information is disclosed, and the information on the computer should also be backed up on another source to prevent further damage.

Eric said...

Part of the problem with how businesses send legitimate emails: they continue to send them with links embedded within. While these are innocuous, it trains people to trust links in emails. When a phony email is sent by an attacker, people are more likely to click and thus have malware installed on their computers.

Another problem is that businesses do not adequately warn their customers of the risks of doing business online and how to protect yourself.

Ultimately, though, the greatest problem is that people do not take the time to protect themselves. Convenience trumps security for most people.

Katie proposes that passwords be changed more often. However, most people, if forced to change their password, only change it by one number or letter. Or, if they do change it completely, they usually write it down and leave it near their computer to remember it.

It seems like her final point gives the only conclusion: we have to be careful what type of information we give away. This is the only way to adequately protect ourselves--because obviously we cannot depend on the businesses.

Marshall said...

As Professor Moran noted, this news is far from comforting. It again reveals the major lack of security within the private sector. The bottom line for these companies is that they just don't care much about security; their number one priority is their bottom line and maximization of profits. They do not have any special interest in the security of data. Proper security would require substantial spending on their part, and that is something that businesses are not willing to do. They have their own best interests in mind. This leaves their customers completely vulnerable when their systems are maliciously breached. The scariest part of this is that these businesses that we are patrons of are aggregating more and more data on us, whether we know it or not. We really have no control over their storage of our data and the means by which it is accomplished. Furthermore, we have no idea of or control over what these private companies are doing with our data now, or what they will use it for in the future. In effect, we are slowly losing more and more control and thus losing our entire sense of information security.
