Privacy Studies

This section of Nymity's Threat Tracker highlights articles, studies, research and surveys relating to privacy. It is updated at the beginning of each month.

Consumers' Report Card on Data Breach

Business Activity: Breach Response

Impact

Majority of consumers believe breach notification is poorly executed; most common reaction to breach notification is discontinuation of the relationship with the organization. (04/16/2008)

Relevance

Background Facts:

  • Ponemon Institute surveyed 1,795 American consumers about their opinions regarding organizations' breach response;
  • survey participants had received notification about the loss or theft of their personal information within the past 24 months.


Relevance to Business Activity:

  • breach response considerations:
    • over 83% of survey respondents said they received one or more data breach notifications over the past 24 months:
      • 47% received two or three data breach notifications;
      • 52% of the breach incidents involved the loss or theft of customer or consumer data.
    • more than 55% of respondents state that notification about the data breach occurred more than one month after the incident:
      • 34% received notification more than one month but less than 90 days following the incident and 21% received notification after 90 days;
      • 71% believe notice should occur less than one week after the incident;
      • 17% never received formal notification that a data breach occurred.
    • 77% of respondents are concerned or very concerned about loss or theft of their personal information:
      • 52% stated that their number one concern is identity theft;
      • 21% are generally concerned about financial losses.
    • a large number of respondents believe they may become victims of identity theft as a result of the data breach incident:
      • 72% believe their chances of becoming an identity theft victim are greater than 20%; however:
        • less than 2% became a victim of an identity theft crime as a result of the incident.
      • consumers' fears about the possibility of becoming an identity theft victim do not reflect the actual rate of experience.
    • the vast majority of respondents believe that the organization’s notification of the data breach was poorly executed:
      • more than 50% rated the timeliness, clarity and quality of the notification as either fair or poor;
      • less than 10% rated their experience as excellent or very good.
    • less than 32% of respondents said that the organization reporting the data breach offered free or subsidized services to protect them from further harms:
      • of those receiving the services, about 80% said credit monitoring was offered;
      • the remaining services offered included credit freeze services (9%), fraud alerts (5%), identity recovery (5%) and identity theft insurance (3%).
    • less than 47% of respondents said that they took advantage of the free or subsidized services offered:
      • of those who didn't take advantage of the service, 29% became ineligible because of responding too late and 26% already had the service.
    • a majority of respondents who elected to receive free or subsidized services found them helpful and of high quality:
      • 35% believe the services were excellent, 16% believe they were very good and 43% believe they were good.
    • respondents’ opinions about the organization’s overall performance in handling the data breach incident appear to be related to the free or subsidized services received by them:
      • while over 58% agree or strongly agree that the data breach caused them to lose trust and confidence in the organization, only 38% who received the services held this belief;
      • while less than 18% believed the organization did a good job in handling the breach, over 30% who took advantage of the services felt this way.
    • the most common actions taken by respondents after being notified about the data breach were to directly contact the organization reporting the breach or to discontinue a relationship with the organization:
      • over 35% stated that their immediate response was to contact the organization;
      • 31% discontinued their relationship with the organization.

http://www.marketwire.com/mw/release.do?id=844160 (article)

http://www.idexpertscorp.com/Breach/ponemon-study/ (registration required)


Symantec Global Internet Security Threat Report

Business Activity: Safeguarding Data

Impact

In-depth analysis of internet security threats; contains an extensive list of recommendations to mitigate risk. (04/10/2008)

Relevance

Background Facts:

  • this report, covering the six-month period from July 1 to December 31, 2007:
    • encompasses security intelligence data gathered from more than 40,000 sensors monitoring networks in over 180 countries;
    • provides an update of worldwide internet threat activity;
    • includes analysis and mitigation recommendations.


Relevance to Business Activity:

  • safeguarding data considerations:
    • malicious activity and attack trends:
      • the United States has the highest amount of worldwide malicious activity, with 31%;
      • Canada has the seventh highest amount of worldwide malicious activity, with 3%;
      • the education sector accounted for the highest number of known data breaches that could lead to identity theft, with 24%;
      • the government sector was the top sector for identities exposed, accounting for 60%;
      • theft or loss of computer or other data-storage medium was the cause of the most data breaches that could lead to identity theft, with 57%;
      • to protect against malicious activity and reduce the likelihood of identity theft an organization should:
        • develop, implement and enforce a security policy;
        • strongly encrypt all sensitive data;
        • educate users on the proper procedures for using such programs;
        • closely monitor network traffic and track all activity to ensure that access to data is controlled;
        • monitor all network-connected computers for signs of malicious activity;
        • ensure any infected computers are removed from the network and disinfected as soon as possible;
        • test security processes and systems regularly to ensure their integrity;
        • employ defense-in-depth strategies, including the deployment of antivirus software and a firewall;
        • update antivirus definitions regularly;
        • ensure that all desktop, laptop, and server computers are updated with all necessary security patches;
        • perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place;
        • filter out potentially malicious email attachments to reduce exposure to enterprises and end users;
        • advise that users never view, open, or execute any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known;
        • take necessary steps to protect data transmitted over the internet or stored on computers;
        • enforce compliance to information storage and transmission standards.
    • vulnerability trends:
      • not including site-specific vulnerabilities, 2,134 vulnerabilities were documented:
        • 58% affected web applications;
        • 73% were classified as easily exploitable.
      • to protect against the exploitation of vulnerabilities, administrators should:
        • employ a good asset management system to track what assets are deployed on the network and to determine which ones may be affected by the discovery of new vulnerabilities;
        • use vulnerability management technologies to detect known vulnerabilities in deployed assets; 
        • monitor vulnerability mailing lists and security web sites to keep abreast of new vulnerabilities in web applications;
        • employ vulnerability assessment services, a vulnerability management solution, and vulnerability assessment tools to evaluate the security posture of the enterprise;
        • identify unpatched vulnerabilities and assess them according to the risk they present;
        • upgrade all browsers to the latest, patched versions;
        • educate employees to be extremely cautious about visiting unknown or untrusted web sites and viewing or following links in unsolicited emails;
        • deploy web proxies in order to block potentially malicious script code;
        • actively maintain a whitelist of trusted sites and disable individual plug-ins and scripting capabilities for all other sites;
        • subscribe to a vulnerability alerting service in order to be notified of new vulnerabilities;
        • manage web-based assets carefully;
        • audit all web applications for security prior to deployment;
        • ensure that applications are properly configured and that secure, up-to-date versions are used.
    • malicious code trends:
      • 499,811 new malicious code threats were reported, which is a 136% increase over the first half of 2007;
      • threats to confidential information made up 68% of the volume of the top 50 potential malicious code infections;
      • of all confidential information threats detected, 76% had a keystroke logging component and 86% had remote access capabilities.
    • phishing trends:
      • 207,547 unique phishing messages were detected:
        • 80% of all unique brands used in phishing attacks were in the financial sector;
        • 66% of all phishing attacks detected were associated with web sites located in the United States;
        • the most common top-level domain used in phishing web sites was .com, accounting for 44%.
      • to protect against phishing threats it is recommended that organizations:
        • filter email at the server level through the mail transfer agent;
        • consider using domain-level or email authentication in order to verify the actual origin of an email message;
        • educate end users about phishing;
        • keep employees notified of the latest phishing attacks and how to avoid falling victim to them;
        • provide employees a means to report suspected phishing sites;
        • employ web-server log monitoring to track if and when complete downloads of their web sites, logos, and images are occurring;
        • monitor non-deliverable email addresses or bounced email that is returned to non-existent users;
        • use antiphishing toolbars and components in web browsers and other software detection methods.
    • spam trends:
      • 42% of all spam detected worldwide originated in the United States;
      • the most common type of spam detected was related to commercial products, with 27%.
    • additional best practices:
      • turn off and remove services that are not needed;
      • consider implementing network compliance solutions that will help keep infected mobile users out of the network;
      • enforce an effective password policy;
      • ensure that emergency response procedures are in place, including having a backup-and-restore solution;
      • educate management on security budgeting needs.

http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf


Ten Myths About Identity Fraud - Tim Wilson, Dark Reading Site Editor

Business Activity: Safeguarding Data

Impact

Two recent studies are identified as revealing the reality of identity theft and its impact. (02/15/2008)

Relevance

Background Facts:

  • a review of the results of a 2008 study by Javelin Strategy and Research and a recent study by ID Analytics, which debunk many of the current myths about identity theft.


Relevance to Business Activity:

  • safeguarding data considerations:
    • there is a higher incidence of ID fraud than in recent years:
      • the Javelin study identifies a downward trend in this area:
        • 3.58% of respondents reported experiencing online fraud during the previous year, down from 3.74% in the 2007 study, 4.0% in the 2006 study and 4.7% in the 2003 study;
        • the identity fraud incidence rate has decreased every year since the research firm began doing the report five years ago.
    • there are more victims of identity theft and fraud today than ever before:
      • the research firm estimates that there were approximately 8.1 million victims of ID theft and fraud last year, but that number is down, not up, from the year before;
      • the number of ID theft victims in the United States has dropped every year since Javelin began conducting the study:
        • approximately 10.1 million people reported experiencing fraud or theft in the 2003 study; that figure had dropped to 8.4 million by last year, and 8.1 million this year.
    • identity fraudsters are stealing record amounts of money from their victims:
      • the cost of identity fraud and theft underwent its most precipitous drop last year, according to Javelin:
        • after hitting an all-time high of $58 billion in the 2007 study, ID fraud and theft totaled just $51 billion in the U.S. this year; the $7 billion drop was the largest in the history of the research.
    • most identity theft and fraud occurs online:
      • the conventional wisdom is that, since everybody is doing business via the Web, the criminals must be moving there too:
        • many enterprises have responded by improving sign-on and multi-factor authentication schemes to protect the online consumer.
      • criminals are in fact responding by simply moving to places where the pickings are easier: telephone and mail fraud:
        • the Javelin study reveals that identity theft via phone and mail order fraud have skyrocketed in the past year, going from approximately 3% of cases in the 2007 report to 40% this year;
        • in 2007, only 48% of the top 25 U.S. financial institutions had instituted a multifactor authentication scheme for telephone banking, making it a much easier approach for criminals than the better defended website.
    • online attackers are the greatest perpetrators of identity theft and fraud:
      • approximately 14% of thefts occurred through traditional "hacker methods" such as Trojans, viruses, or phishing;
      • data breaches accounted for another 7% of thefts - but even taken together, these account for less than a quarter of all ID fraud;
      • about a third (33%) comes from physical theft:
        • a lost or stolen wallet, purse, or credit card.
      • a surprising 17% of identity theft is perpetrated by friends, relatives, or in-home employees, the study says.
    • large security breaches are the most dangerous to users:
      • the ID Analytics study reveals that individuals are more likely to be victimized by a small data breach than one of the much publicized breaches such as TJX's;
      • smaller breaches have a higher misuse rate, according to ID Analytics:
        • misuse of personal data ranged from one in 200 identities for breaches of fewer than 5,000 individuals to a misuse rate of less than one in 10,000 identities for breaches of more than 100,000 individuals.
    • identity thieves distribute their booty widely, selling or publishing it wherever they can:
      • according to ID Analytics, many identity thieves apparently protect the data they steal, just as a bank robber will protect his bags of money;
      • the study found no evidence that fraudsters who misuse breach data were selling the data broadly or distributing it over the Internet.
    • valid credit cards are the identity thief's primary target:
      • the Javelin study reveals that virtually every category of "card not present" fraud and theft has shown an increase over the past year e.g.:
        • attempts to create new accounts using stolen personal data; and
        • efforts to break into existing bank or credit card accounts through means that don't require a card.
      • address changes are among the most popular methods of attack:
        • a criminal may call or email a company and claim that he wants to change the address on a card or account; then
        • using stolen data to verify his identity, he may gain access to the account without ever possessing a card.
    • fraudsters steal as much personal data as they can, storing it up until they are ready to use it:
      • according to ID Analytics, in most cases, online fraudsters don't store up stolen ID information, but cycle through it quickly:
        • fraudsters misuse a breached identity for no more than two weeks before moving onto the next identity, researchers found.
      • the Javelin study confirms this conclusion:
        • in that study, data collected via viruses, Trojans, or phishing was misused for the shortest period of time, usually between 21 and 41 days; but in contrast
        • data obtained from a physical theft or by a friend or relative may be misused for an average of 112 to 130 days.
    • the incidence of identity fraud is pretty much the same from state to state:
      • the Javelin Study does not support this conclusion:
        • over the past three years, consumers in California, Delaware, Idaho, Illinois, and West Virginia have experienced a higher rate of identity fraud and theft than their counterparts in other states;
        • on average, New England and the Plains States reported the lowest incidence of fraud.

http://www.darkreading.com/document.asp?doc_id=145823&f_src=darkreading_section_296


Ponemon Study Shows Ineffective Access Management Processes Pose Risk to Businesses - Business Wire 2008

Business Activity: Safeguarding Data

Impact

Study identifies overly wide access rights, potentially outdated policies and poor monitoring practices as significant risks. (02/07/2008)

Relevance

Background Facts:

  • Aveksa Inc. and the Ponemon Institute announced the release of the 2008 National Survey on Access Governance which examines access risk and compliance management;
  • almost 700 IT practitioners with an average of ten years' business experience and nine years' IT/information security experience were surveyed.

Relevance to Business Activity:

  • safeguarding data considerations:
    • user access rights are poorly assigned:
      • 78% of respondents believe individuals have too much access to information assets that are not pertinent to their job description very often (11%), often (33%) or sometimes (34%);
      • 59% also disagree, strongly disagree or are unsure that there is little risk that employees, temporary employees and contractors have too much access to information resources.
    • policies are not regularly checked or enforced:
      • 69% indicated that access policies within their organizations were either enforced poorly or not at all;
      • only 30% state that their organization makes sure user access policies are validated:
        • regular reviews and monitoring of change is necessary.
    • organizations are not able to keep pace with changes to users' roles:
      • 55% describe their company's ability to grant access rights based on role and job function as poor, including 42% that say it is not done at all:
        • businesses might find it too difficult to manage access rights at the individual level because of changing roles and responsibilities regarding information access; and
        • individuals may be able to access information resources that are not in alignment with their roles and responsibilities.
    • senior management lacks understanding of the importance of access governance:
      • 74% believe that senior management does not view access governance as a strategic security imperative, or are unsure whether it does.
    • collaboration is viewed as critical but is not being achieved:
      • 83% believe that collaboration among business units, audit and compliance, and IT security functions is either important or very important for compliance with regulations and mandates;
      • 57% report that stakeholders do not collaborate or are unsure about collaboration to achieve access compliance within their organizations.
    • this study reveals that:
      •  IT practitioners recognize the importance of access governance as a key element for successfully implementing effective information resource compliance and risk strategy.
    • it is recommended that:
      • a centralized enterprise-wide access policy and process management approach can make compliance sustainable and better manage business risks associated with granting users access to information resources.

http://www.pr-inside.com/ponemon-study-shows-ineffective-access-r422183.htm

http://www.aveksa.com/campaign/2008_Survey_on_Access_Gov.cfm (2008 National Survey on Access Governance; registration required)


Data Security Policies are not Enforced - US Survey of IT Practitioners - Ponemon Study

Business Activity: Safeguarding Data

Impact

Poor policies and lax enforcement lead to employees increasing companies' exposure to security risk.

Relevance

Background Facts:

  • a national survey conducted by Ponemon Institute, involving 893 individuals who work in corporate IT, designed to better understand employee compliance with data security policies in the workplace.

Relevance to Business Activity:

  • safeguarding data considerations:
    • protecting sensitive data on USB memory sticks:
      • USB memory sticks are often used to copy confidential or sensitive business information and transfer it to another computer that is not part of the company’s network or enterprise system:
        • 87% of respondents said that their company’s policy forbids the copying of unprotected sensitive information onto a USB memory stick (a.k.a. flash drive);
        • despite the existence of a policy forbidding its use, over 51% of respondents admitted they have transferred confidential data onto a memory stick;
        • 57% believe others within their organization routinely use memory sticks to store and move sensitive or confidential data.
      • the primary reasons for this high level of non-compliance with their company's policy are:
        • lax enforcement by the company (40%);
        • the lack of employee awareness about the policy (33%); and
        • the need to “bend the rules” for convenience or time savings (29%).
    • employees’ access to web-based email accounts from their workplace computers:
      • web-based email accounts are inherently insecure, exacerbating data security risks and other related vulnerabilities:
        • outbound emails containing business confidential attachments – such as customer lists, employee records and so forth – can be transferred without a company’s detection;
        • incoming web-based emails often bypass a company’s spam filters or anti-virus tools – thus permitting insidious software downloads such as worms and Trojans that aim to infiltrate corporate networks.
      • more than 74% of companies do not permit employees to access their web-based email accounts from the workplace or on company-assigned computers;
      • 45% of respondents stated they have accessed their web-based email accounts;
      • 40% believed that others in their organization routinely use or access their web-based email accounts from their workplace computers;
      • the three main reasons for non-compliance to the security policies are:
        • the perception that security policies that forbid the use of web-based email accounts are not enforced (40%);
        • general lack of awareness about the problem (23%); and
        • the belief that no one really cares about the use of web-based email accounts in the workplace (21%).
    • protecting sensitive information on portable data storage devices:
      • the most frequently cited lost, stolen or misplaced portable storage devices are cellular phones, memory sticks and laptop computers:
        • more than 39% of respondents admit they have lost or misplaced a PDA, cellular phone, USB memory stick, zip drive or laptop computer containing sensitive or confidential information recently;
        • over 50% of respondents also believe that others within their company have experienced the loss or theft of a portable storage device.
      • 10% of respondents believe their organization has a defined policy or set of procedures for reporting the loss or theft of a portable storage device:
        • 28% of respondents who lost a portable storage device actually reported it immediately;
        • 34% said they reported the loss within a few days of the incident;
        • 38% admitted they never reported the loss even though it may represent a potential data security breach.
    • downloading personal software such as peer-to-peer file sharing applications onto a personal computer used in the workplace:
      • 45% of respondents admitted the downloading of personal software on a workplace computer and 48% believe others do the same:
        • this finding represents a potentially serious issue, especially if it involves peer-to-peer file sharing applications, which have been shown to create privacy and security risks for companies:
          • only 40% of respondents state that their company’s data security policy forbids such downloads.
        • the frequency of downloads can possibly be attributed to the high percentage of respondents who said they do not know if there is a policy that forbids this practice (39%):
          • 34% of employees said it is because they are not aware of the policy;
          • 34% said there is no enforcement of the policy;
          • 32% said no one really cares about illegal or dangerous software downloads onto workplace computers.
    • sending workplace documents to a personal (home) computer:
      • confusion among respondents as to whether they are permitted to send a document or spreadsheet attachment from a business address to a personal email address:
        • 33% said they have emailed documents to their personal email address;
        • 34% believe that others in their organizations do the same.
      • the company’s lack of enforcement (35%), apathy toward policies (34%), and no awareness about the policy (30%) are the top reasons for non-compliance:
        • over 48% don’t know if there is a policy that forbids this practice;
        • 19% stated there is no formal security policy that restricts this practice.
    • turning off security settings on personal computers in the workplace:
      • to expedite the receipt of inbound emails or to gain access to Internet portals that may be marked as off-limits:
        • 83% cited that they do not turn off (change or manipulate) their anti-virus software settings or desktop firewalls;
        • 77% said others do not turn off their anti-virus setting;
        • 29% said others do not turn off their desktop firewalls;
        • 48% can't determine if others in their company have done it.
      • over 80% of respondents said their company has no policy or they are unaware of such a policy that restricts the changing of security settings on workplace computers:
        • 35% of respondents cited the lack of enforcement;
        • 32% cited apathy toward the policy;
        • 32% cited the lack of awareness about the problem.
    • sharing passwords in the workplace:
      • a serious security issue among employees, temporary employees and contractors:
        • 46% of respondents said they have shared passwords with coworkers;
        • 56% believed others in their organizations routinely share their passwords;
        • 67% admitted that sharing passwords violates company policy;
        • 12% of respondents stated their company does not have a policy forbidding password sharing;
        • 21% stated they do not know if such a policy exists.
      • the prime reasons for non-compliance are:
        • lax enforcement of the policy (45%);
        • convenient to share workloads with coworkers (40%); and
        • the perception that no one cares (36%).
    • implications for organizations:
      • the results of this study indicate that there is a critical need for organizations to address and mitigate serious threats to the protection of sensitive and confidential information as follows:
        • create policies to address the identified vulnerabilities;
        • strengthen existing policies; and
        • train insiders to comply with these policies.
      • conduct these activities as part of an enterprise-wide data security program.

http://www.redcannon.com/documents/RedCannonPonemonReport.pdf


Ponemon Study Shows Data Breach Costs Continue to Rise

Business Activity: Breach Response/Safeguarding Data

Impact

New research shows that the cost of failing to manage the challenge of protecting customer private data is on the rise. (11/28/2007)

Relevance

Background Facts:

  • Ponemon Institute released the results of the 2007 Annual Study: Cost of a Data Breach;
  • initiated in 2005, the study examines the financial consequences of data breaches involving consumers' personally identifying information; and
  • focuses on the results of actual data breaches in 35 U.S. organizations across 16 industries including financial services, retail, healthcare, manufacturing, consumer goods, marketing, services and software.

Relevance to Business Activity:

  • safeguarding data considerations:
    • the study tracks a wide range of cost factors including:
      • legal;
      • investigative;
      • administrative expenses;
      • customer defections;
      • opportunity lost;
      • reputation management; and
      • costs associated with customer support such as information hotlines and credit monitoring subscriptions.
    • data breach incidents cost companies $197 per compromised record in 2007, compared to $182 in 2006;
    • the average total cost per incident in 2007 was $6.3 million, compared to $4.8 million in 2006;
    • the cost of lost business increased by 30% to an average of $4.1 million in 2007, approximately two-thirds of the average total cost per incident;
    • breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 40% of respondents, up from 29% in 2006;
    • breaches by third-parties were also more costly than breaches by the enterprise itself, averaging $231 compared to $171 per record;
    • the study found that there is a positive correlation between the number of records lost and the cost of the incident.

  • breach response considerations:
    • notification costs fell 40%, decreasing from $25 per customer in 2006 to $15 in 2007, suggesting a more measured, less reactive breach response;
    • the following six technology measures (in rank order) were enacted after a data breach:
      • expanded use of encryption;
      • data loss prevention solutions;
      • identity and access management solutions;
      • endpoint security controls;
      • security event management solutions;
      • perimeter controls.

http://www.pgp.com/newsroom/mediareleases/ponemon-us.html


10th Annual Global Information Security Survey - Ernst & Young

Business Activity: Safeguarding Data

Impact

Survey designed to help organizations obtain a deeper understanding of current information security trends and to focus efforts on areas where it is expected that improvements may be most essential. (12/18/2007)

Relevance

Background Facts:

  • this 10th annual Ernst & Young security survey gauges the current state of information security and the major factors that will shape its future;
  • the report examines the following:
    • how organizations are aligning information security with their business objectives;
    • what is driving the need for and improvements in information security;
    • how organizations are managing their information security function; and
    • how organizations are staffing information security.
  • the survey was conducted between May 2007 and August 2007 with 1,300 organizations across all major industries participating:
    • financial services;
    • manufacturing;
    • technology;
    • government;
    • energy & utilities;
    • retail, wholesale & distribution;
    • health services; and
    • other.
  • participants by region:
    • Americas;
    • Asia/Pacific;
    • Europe;
    • Middle East/Africa.

 

Relevance to Business Activity:

  • safeguarding data considerations:
    • in 2007, compliance remains the number 1 driver of information security (64%), followed by privacy and data protection at 58% and meeting business objectives at 45%, with fewer than 15% of respondents seeing technology as an important driver:
      • information security is moving toward greater business objective alignment which allows information security to focus more on business initiatives.
    • 82% of respondents have partially or fully integrated their information security with risk management operations:
      • this compares to 40% in 2005 and 43% in 2006.
    • monthly meetings are three times more likely to occur between the information security team and IT leaders (76%) than they are between information security and corporate affairs (28%):
      • a majority of information security functions met less than once a quarter with leadership;
      • 20% said their information security groups do not meet with corporate officers or business unit leaders.
    • 82% of respondents view information security as a positive contributor whose capability and level of importance within the organization has improved due to its support of compliance efforts:
      • eight out of ten organizations believe that information security's contributions have resulted in improvements to overall information technology's operational efficiencies;
      • nearly six out of ten indicate information security has been instrumental in enabling strategic objectives.
    • 23% strongly agree that regulatory obligations in general have greatly improved the organization's information security, 57% strongly agree and 13% are unsure;
    • organizations rely on audit and self-assessment to evaluate the effectiveness of their information security programs:
      • 63% assess their information security by self-assessment; of those, 91% use corporate policies, procedures and internal standards as a basis;
      • nearly three-quarters rely on formal internal and external audit results;
      • six out of ten evaluate their security management approach, implementation and controls using industry-recognized information security standards like ISO 27001 and 27002:2005; and
      • nearly 40% use independent assessment techniques (e.g., SAS 70 or other third-party assessments) to evaluate security programs.
    • organizations are demanding more from vendors and business partners in managing third party relationships:
      • substantial increase in the requirement that third parties, business partners and vendors abide by the policies, procedures and standards of the client organization (78% in 2007, up from 66% in 2006);
      • almost half of the respondents also require the third-party organization to have its own information security and privacy policies and procedures in order for it to do business with the client organization, an increase of seven percentage points from 2006.
    • in 2007, 51% of participants ranked human resource constraints (availability of experienced IT and information security resources) as the most significant challenge that organizations face in delivering information security projects:
      • availability of experienced and well-trained security specialists 46%;
      • having sufficient funds 46%;
      • having management sponsorship 42%;
      • availability of experienced and well-trained consultants 20%:
        • 75% using third parties for attack and penetration testing;
        • 47% using outside resources for information security architecture design, procedure development and training and awareness programs.
      • lack of skilled resources can ultimately disrupt an organization's ability to make strategic business decisions and execute against them.
    • third parties will continue to play a valuable role in filling resource gaps, and their use should be considered to augment information security roles, especially when retaining highly skilled and experienced personnel would not be a sustainable long-term option for the organization;
    • into 2008 and beyond, the key message is balance, i.e., allowing a more natural balance of risk and performance.

 

http://www.ey.com/Global/assets.nsf/International/EY_TSRS_GISS2007/$file/EY_TSRS_GISS2007.pdf


Enterprise @ Risk:  2007 Privacy and Data Protection Survey - Deloitte

 

Business Activity:  Safeguarding Data/Privacy Governance and Oversight

 

Impact

Organizations continue to struggle with managing and protecting private data. (12/14/2007)

 

Relevance

Background Facts:

  • 800 North American privacy and security professionals responded to the online survey by Deloitte & Touche and the Ponemon Institute LLC, which was conducted to better understand the emerging privacy function.


Relevance to Business Activity:

  • privacy governance and oversight considerations:
    • reportable breaches are occurring often and repeatedly within organizations:
      • 85% of privacy and security professionals surveyed had a reportable breach within the past 12 months;
      • 63% had multiple reportable privacy breaches – between 6 and 20 breaches – in the past year.
    • privacy and security professionals are locked in reactive mode:
      • only slightly more than 7% of their time is allocated to employee training;
      • 10% of their time is allocated to establishing an incident response team, management reporting and conducting root-cause analysis;
      • more than 50% of their time is spent on more reactive and tactical activities such as remediation of operational vulnerabilities and responding to incidents in real time.
    • privacy and security professionals agreed their time allocation should be increased among the following activities:
      • employee training;
      • root-cause analysis;
      • reporting to management.
    • privacy professionals indicated they were spending most of their time as follows:
      • detect, verify, investigate facts and categorize incidents (22.74%);
      • notify parties/communicate with consumers, employees, stakeholders and others (18.11%); ideally they should spend less than 5% of their incident response time on notification;
      • remediation activities (14.64%).
    • the remaining time was divided among the following:
      • interact with regulatory/legal authorities/outside lawyers (11.23%);
      • determining appropriate response, including internal escalation (8.24%);
      • define response plan (7.70%);
      • train and educate staff employees (7.28%).
    • privacy program implementation: most enterprise privacy programs are in the middle or early stages of the maturity cycle:
      • governance-related components such as documented privacy policies (71%) and enterprise privacy governance structures (64%) have the highest rates of implementation;
      • framework to assess risk in business process as related to PII (44.5%);
      • design and implementation of measurable controls (27.2%);
      • process to identify and assess new legal regulations and legislative developments (60.8%);
      • more than 50% of privacy and security professionals stated that privacy and security training occurred only once (slightly more than 35%) or on an "ad hoc" basis (15%);
      • only 23.2% indicated the existence of a change management process to respond to developments that impact privacy in the organization;
      • only 27% reported having measurable controls in place.
    • privacy function reporting structure:
      • privacy professionals report most often to General Counsel (38%) or Compliance (21%);
      • security professionals' reporting structure is concentrated at the CIO (76%) position.
    • privacy professionals as a group spend more dedicated time on privacy-related activities, with over half (61.9%) indicating they spend 75% or more of their time on privacy;
    • security professionals' active time spent on privacy is concentrated in the 25%-49% category; overall, only about 25% of security respondents reported spending over 50% of their time on privacy-related activities;
    • as organizations move to a more "risk intelligence" approach to the marketplace, there may be a trend to consolidate enterprise risk-related functions such as privacy and security under the Chief Risk Officer (CRO):
      • 63.7% stated that there was no CRO role while 36.3% stated that such a role existed.

 

  • safeguarding data considerations:
    • respondents were given a list of technology solutions related to privacy and data protection and asked to select all that had been implemented within their organizations:
      • segregation of duties (tools): 59.90%;
      • intrusion detection and prevention: 59.30%;
      • data classification: 57.70%;
      • encryption (data at rest): 56.10%;
      • encryption (data in motion): 55.50%;
      • database security/scanning: 51.80%;
      • audit logging and monitoring: 50.40%;
      • identity & access management: 42.20%;
      • fraud discovery & monitoring: 42.20%;
      • data inventory: 36.90%;
      • content monitoring: 34.80%;
      • data leakage prevention: 26.70%;
      • digital rights management: 17.0%;
      • not implemented any of the above: 7.3%;
      • don't know/not sure: 6.7%.

 

http://www.deloitte.com/dtt/cda/doc/content/us_risk_s%26P_2007%20Privacy10Dec2007final.pdf


Security Survey in the United States

 

Business Activity:  Safeguarding Data

 

Impact

Survey of the state-of-security in small and medium-sized businesses with results covering three areas of interest: network security, education and budgets. (12/14/2007)

 

Relevance

Background Facts:

  • this survey, conducted in the USA, examines the state of, and approach to, security among small and medium-sized businesses ("SMBs");
  • a total of 455 companies or institutions participated, and respondents were senior executives or senior IT administrators representing the whole spectrum of companies falling into the SMB sphere:
    • defined as a company having between 5 and 1000 seats.

 

Relevance to Business Activity:

  • safeguarding data considerations:
    • 42% of SMBs, or 4 in 10, do not consider their networks to be secure;
    • types of breaches suffered in the past 12 months:
      • 23% virus attack;
      • 4% hacker attack;
      • 2% identity theft;
      • 10% malware;
      • 8% lost hardware (laptop); and
      • 1% other.
    • security solutions implemented:
      • 96% have anti-virus software and 93% have firewalls;
      • 80% have spam products;
      • 36% Intrusion Detection System;
      • 17% vulnerability management;
      • 40% event log management;
      • 19% endpoint security;
      • 11% other.
    • 55% have a combination of software, appliances and hosted services to protect their network;
    • daily IT concerns:
      • 71% say downtime and security issues;
      • 51% identify user support;
      • 20% say compliance.
    • greatest security risks:
      • 39% email viruses;
      • 22% internet downloads;
      • 7% uncontrollable portable devices;
      • 10% hacker attempts;
      • 7% insider attacks;
      • 9% malware.
    • 55% of SMBs spend 10% of their budget on security measures:
      • 77% say this budget is enough to cover their security requirements;
      • 48% believe that better awareness on security among employees would improve the level of security while 25% want senior management to be more aware of security issues.

 

http://www.gfi.com/documents/rv/smbsurvey.pdf


Trusted Users Pose Significant Security Threats Survey Finds - Denise Dubie, Network World

 

Business Activity:  Safeguarding Data

 

Impact

A recent RSA survey reveals vulnerabilities to business. (12/10/2007)

 

Relevance

Background Facts:

  • an RSA survey reveals that the majority of internal employees who pose a significant threat to network security are well-meaning, innocent offenders, as opposed to those with malice in mind;
  • the survey of 129 people was conducted in November 2007.

 

Relevance to Business Activity:

  • safeguarding data considerations:
    • 35% of people polled said they need to work around their organization's security policies to get their job done;
    • some 63% of those surveyed said they frequently or sometimes send work documents to a personal e-mail account to more easily access the files from home;
    • 87% of people polled rely on remote access capabilities, such as VPNs or Web mail, to work from home;
    • 57% of mobile workers also put the company at risk when they access their work e-mail via a public wireless hotspot;
    • another 52% gain access via a public computer in an Internet café or at the airport;
    • close to two-thirds of respondents reported they frequently leave their workplace with a mobile device such as a laptop;
    • 8% reported having lost such a device bearing corporate information -- leaving their organization susceptible to data loss;
    • 34% reported having held a door open for someone they did not recognize;
    • 40% reported being on the receiving end of such hospitality when they had forgotten their key card or access code;
    • 66% said there are no security credentials required to gain access to the network;
    • as for data and application-level security, one-third of respondents reported that they have changed jobs internally and still maintain the same set of access rights;
    • close to one-fourth of respondents said they have "stumbled into an area of their corporate network to which they believe they should not have had access";
    • RSA states that having a policy is insufficient; actual behaviour must be measured and tracked against the policy to keep security aligned with the business:
      • organizations must understand the type of information that insiders need to access, determine its sensitivity and protect it appropriately.

 

http://www.networkworld.com/news/2007/121007-users-security-threat.html?page=2


Private Customer Data Vulnerable During Application Testing - Shawna McAlearney

 

Business Activity:  Application Development

 

Impact

Ponemon study finds that organizations' application development and testing practices leave personal information vulnerable to breaches.  (12/10/2007)

 

Relevance

Background Facts:

  • Ponemon study shows that a majority of companies use real, sensitive customer data to develop and test applications, not realizing the information is vulnerable to breaches;
  • the survey was conducted between July 2007 and August 2007 based on the responses of 897 IT professionals with an average of ten years' experience.

 

Relevance to Business Activity:

  • application development considerations:
    • 62% of companies surveyed by the Ponemon Institute report that during the application development and testing process, they use real customer data instead of disguised data to test applications, including:
      • employee, vendor and customer records; and
      • credit card and Social Security numbers.
    • the data is unprotected in a non-production environment, according to the report, and could therefore be exposed to:
      • unauthorized parties, including in-house testing staff, consultants, partners and offshore personnel.
    • 52% of the companies outsourced application testing;
    • 49% of those respondents shared live data with the outsourced organization;
    • 50% had no way of knowing if the data used in testing had been compromised;
    • 41% of respondents do not protect live data used in software applications;
    • 38% of respondents were unsure if live data their organization used for testing or development had been lost or stolen.

 

http://www.cio.com/article/163750/Private_Customer_Data_Vulnerable_During_Application_Testing


Data Breach Harm Analysis from ID Analytics Uncovers New Patterns of Misuse Arising From Breaches of Identity Data - ID Analytics, prnewswire.com

 

Business Activity: Safeguarding Data

 

Impact

Study reveals how fraudsters are more organized when using stolen data. (11/07/2007)

 

Relevance

Background Facts:

  • ID Analytics, Inc., an identity risk management company, conducted a study on the harm resulting from data breaches and how criminals are actually using the data;
  • over a dozen breached files were analyzed for suspicious activity indicative of identity fraud.

 

Relevance to Business Activity:

  • safeguarding data considerations:
    • key findings from the research are:
      • smaller breaches had a higher misuse rate than larger breaches:
        • the misuse rate ranged from one in 200 identities for breaches of fewer than 5,000 individuals;
        • to less than one in 10,000 identities for breaches of more than 100,000 individuals.
      • fraudsters engaged in organized misuse of breached identity data tended to cycle through the data quickly:
        • fraudsters would misuse a breached identity for no more than two weeks before moving on to the next identity.
      • the study found no evidence that fraudsters misusing breach data were selling the data broadly or distributing it over the Internet:
        • this finding is significant because one of the greatest potential risks of data breaches is the broad dissemination of personal information to others with criminal intent.
      • fraudsters tended to link the breached personal data to a limited set of new phone numbers or addresses:
        • they worked to associate these identities with particular phone numbers for verification purposes and with addresses where they could receive credit cards, wireless phones or other merchandise ordered using the breached identity data.
      • in two of the five cases of organized misuse, the breach perpetrator was an employee who stole the data:
        • in both cases, the resulting misuse was linked to identities geographically close to the site of the employee theft.
      • fraudsters may favour those identities that represent easier access to physical addresses where the perpetrator could receive or intercept credit cards, stolen goods and bank statements.

       

http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/11-07-2007/0004699502&EDATE


Most Consumers Clueless About Online Tracking, Behaviour Profiling - Jaikumar Vijayan, computerworld.com

 

Business Activity:  On-line Marketing / Monitoring Privacy Perceptions

 

Impact

Discrepancies exist between companies' commitments in their privacy policies and their on-line marketing practices. (11/02/2007)

 

Relevance

Background Facts:

  • the Samuelson Clinic at the University of California, Berkeley, and the Annenberg Public Policy Center at the University of Pennsylvania conducted a poll of nearly 1,200 California adults about consumer perceptions about online privacy and common advertising practices.

 

Relevance to Business Activity:

  • monitoring privacy perceptions about online marketing:
    • the average American consumer is largely unaware that online marketers and advertising networks are tracking all of their online moves and gathering and using that information to serve targeted advertisements;
    • consumers still think that an online privacy policy represents a commitment that the Web site will not sell or use data in specific ways:
      • many companies track everything consumers do online and offline, maintain profiles of customers and sell the profiles to whoever will pay the most for them;
      • many consumers are opting out of tracking, an option offered by some large companies.
    • most consumers don't understand that privacy policies are just notices and they don't guarantee any rights:
      • most consumers think that online privacy notices mean certain default protections:
        • 55% assumed that a company's privacy policies prohibited it from sharing their addresses and purchases with affiliated companies;
        • 4 out of 10 online shoppers falsely believed that a company's privacy policy prohibits it from using information to analyze an individual's activities online;
        • a similar number also assumed that online privacy policies meant that a company they're doing business with wouldn't collect data on their online activities and combine it with other information to create a behavioural profile.
    • 85% rejected the idea that a site they value and trust should be allowed to serve up click stream advertisements based on data from their visits to various other sites;
    • companies say they respect a user's choice not to be tracked, yet still find ways of circumventing their commitments not to:
      • allow third-party tracking users across sites;
      • share consumer information with an outside party;
      • store more data than the customer realizes; and
      • keep the information for longer periods of time than would be acceptable to a customer.

 

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9045159&source=rss_topic84


OPC Canada - EKOS Research Associates Inc. Survey, March 2007 - Canadians and the Privacy Landscape

 

Business Activity:  Monitoring Privacy Perceptions

 

Impact

Two-thirds of Canadians want to be notified of a breach of their personal information.  (10/23/2007)

 

Relevance

Background Facts:

  • the Office of the Privacy Commissioner commissioned EKOS Research Associates to survey Canadians on a number of privacy issues;
  • the poll involved a 15-minute telephone survey with a random sample of 2,001 Canadians from March 13 to 26, 2007.

 

Relevance to Business Activity:

  • monitoring privacy perceptions – key findings of the poll include:
    • 7 in 10 polled feel they have less protection of their personal information than they did ten years ago;
    • 60% continue to agree that health information is one of the most important types of personal information that needs protection through privacy laws;
    • Canadians are much more comfortable giving their personal information to doctors, the police, governments and banks:
      • they are concerned about giving information to telemarketing companies, Internet service providers and polling and social research companies.
    • 17% believe the government and 13% believe that businesses take protecting personal information very seriously;
    • 77% believe that government agencies and affected individuals should be notified if sensitive personal information is compromised as a result of a breach:
      • 66% believe government agencies and affected individuals should be notified if non-sensitive information is compromised.
    • 4 in 5 place great importance on having strong privacy laws:
      • however, more than 50% indicate that th