Wednesday, November 29, 2006

What Are Security Breaches: Trousers they are not

Are you new to the world of computer security? If so you might appreciate a little orientation lesson.
  1. Computer security is about protecting information that is processed by computers, otherwise known as data, and the processes that use such data. This includes, for example, information about your bank account and how much money you have in it [data] and your ability to withdraw that money [process]. You want the data to be both secret and correct; and you want the process to work on demand. These are the three main pillars of computer security: confidentiality [secret]; integrity [correct]; availability [on demand].
  2. Computer security can also be referred to as information system security although technically an information system might include other elements besides just computers.
  3. Information system security is a part, or subset, of information security [because information security includes material that is not on a computer, like a set of design drawings or company secrets whispered from one person to another].
  4. Information security can also be referred to as information assurance.
Suppose you are a bank and you have procedures and mechanisms in place to prevent anyone but an account holder from finding out how much money is in an account. If someone defeats those procedures and mechanisms the result is called a security breach, as in "my cannons have breached the walls of the city" and "Once more unto the breach dear friends."

Failure to prevent the breach may cost the bank money. The bank might be sued by the account holder. The bank may have to divert staff from normal duties to a review of records to determine the extent of the breach. If the breach exposes confidential information about a lot of customers the bank might lose some existing customers who are angry about this, and the marketing dollars that the bank spends to attract new customers might not work for a while due to bad publicity.

In my previous posting I cited a study that put a dollar amount "per record" on the cost of security breaches. I think the number is higher than many businesses realize.

Wednesday, November 15, 2006

Rising Cost of Data Breaches: $182 per lost customer record

My hat is off to Larry for his study of security costs. In some ways this latest Ponemon Institute study is probably more indicative of the state of things than the annual CSI/FBI survey.

If you are trying to get your company to do a better job of securing data, try multiplying the number of customer records your company processes/stores (CRP) by the cost of loss per record (CLR), and you might have a good starting point for budgeting a project to overhaul your current security (CRP x CLR = the hit to profits from any single incident in which CRP records are exposed).

Larry puts the figure for CLR at $182. A breach exposing 10,000 records is thus a $1.82 million problem. Spend that amount on security upgrades and you arguably save yourself an unknown number of exposures (there is nothing that says you won't get hit twice in one year, for example). Spend anything less than that and you are playing a high-stakes game of chance with your business and, if you are a C-level exec or board member, with your personal and professional liability.

And don't let your managers fob you off with "these studies are just scare tactics." Tell them I know Larry Ponemon and Larry Ponemon is no scaremonger.

Friday, November 10, 2006

Trust in Electronic Voting Eroding Faster Than Florida's Beaches

Yes folks, once again Florida leads the nation in eroding public trust in electronic voting systems. Check out the story so far in Sarasota. Lots of familiar themes and players. Zero doubt in my mind that the books were cooked (based on 30 years of experience with fraud, audit, and computer security).

In keeping with what I have blogged elsewhere, I predict the public will never trust electronic voting as much as paper and pencil ballots. And rightly so. I've worked with computers in all manner of situations, from auditing oil companies with mainframes to building mission critical networks and securing mobile devices. They work quite well for a lot of things but not everything. I just don't see how you can make a trustworthy voting system out of them. So why bother? What is there to be gained?

Monday, November 06, 2006

Save Millions on IT: Delay Vista Upgrade

Come on IT people, this is a no-brainer. Don't upgrade to Vista yet, if ever. At least wait until Service Pack 1 has been released and tested (which I predict will be late 2007 or early 2008). Here are five ways you save:
  1. Fewer install hassles--let others learn the hard way and smooth it out for you.
  2. Lower software costs--avoid premiums [and headaches] on new versions.
  3. Reduced learning curve--if your users get Vista on their home PCs in the first half of 2007 they'll be training themselves.
  4. Reduced learning costs--as Vista training becomes commoditized.
  5. Hardware savings--the Vista delay (>2 years) has created a huge hardware surplus.
  6. Cut analyst bills--don't pay a dime to anyone who told you Vista was on track and early adoption was a good thing.
Twenty years of solid historical data show that the first version of Microsoft anything is:
  • shipped far too late but much too soon,
  • more trouble than it's worth,
  • often followed by successive versions which actually deliver on the original promises.
Remember, ad campaigns to the contrary, Microsoft doesn't care about anyone's business but its own. Otherwise it would not have acted in a way that is likely to cut $4 billion from PC sales this year. (Of course, I would also argue that any PC execs who believed Microsoft on delivery dates should be canned, sans parachute.)

About the only redeeming qualities Microsoft can rightfully claim right now are the relative stability of XP and the massive philanthropy of its founder.