breaches

Take a multi-pronged approach to data security

Jim Kim — Sun, 20 Jul 2008 08:37:01 -0400

Data security is at the top of a lot of managers' minds these days. Perhaps we can learn from the financial services industry, where the issue is perennially on the front-burner. Aberdeen reports that "best-in-class'' organizations tend toward a multi-pronged approach that spans data discovery and classification, data monitoring and filtering, and endpoint data protection. This allows them to cover the spectrum of possible data leakage points. Most breaches stem from everyday, non-malicious employee mistakes. Article (Wall Street & Technology)

Time to rethink your data retention policies

Tue, 01 Apr 2008 07:59:59 -0400

Data retention is an issue at the forefront of everybody's minds right now. Sarbanes-Oxley has a seven-year requirement. Gramm-Leach-Bliley, HIPAA and the new PCI requirements all require data retention in some form. In any case you need a policy. Some tips from practitioners: Understand your industry and the specific requirements; get a grip on email and instant messages and other communications; and consider automated solutions. Electronic content management systems seem like a luxury for a lot of companies, especially nonaccelerated or nonfilers. But you would be wise to consider the savings against the cost. It would be more wise to invest now rather than suffer later.

For more:
- here's an article from Business Review

Related Articles:
Corralling data retention may require major steps. Article
Is your reference data in shape? Article

Data breaches hit record in 2007

Tue, 08 Jan 2008 06:59:59 -0500

It was a bad year for data protection. Sarbanes-Oxley made this a priority at some companies, but that didn't stop the hackers. By some measures--including one from the San Diego-based Identity Theft Resource Center--this sort of theft reached an all-time high in 2007. The level of theft was lifted by some really massive breaches, notably at TJX, where 94 million records were stolen according to Attrition.org. The numbers mask a lot of success at other companies. It's fair to say that awareness of the potential for these sorts of breaches is high. The problem is that most companies have finite resources to invest, and they are up against ever sophisticated adversaries.

For more:
- here's an AP article

Aberdeen looks at best-in-class security trends

Tue, 09 Oct 2007 06:59:59 -0400

When it comes to compliance-related security efforts, the benefits are pretty obvious. Most people would agree that automated approaches would work best, but resource issues and stubbornness at the top make it a somewhat lower priority than you might expect. Aberdeen Group has just issued a report that reiterates the benefits. Nearly 45 percent of "Best-in-Class organizations" reduced the cost associated with non-compliance incidents over the last year; 26% lowered their cost of grappling with security-related incidents. Nearly half were able to lower the number of security incidents. Overall, these marketing points, while interesting, are sort of obvious. But such projects compete with many others, including lots that are also compliance related.

For more:
- here's the report

Related articles:
- New world of network compliance and security emerges
- Don't let compliance overshadow security

More on small accounting companies and Sarbox

Tue, 11 Sep 2007 06:59:59 -0400

There has been a lot of ink spilled on small companies and Sarbox. What about small accounting firms? You would think that they would find more work as more small companies gear up to comply, often for the first time. So far, the benefits seem to have fallen to larger firms. According to the most recent Rosenberg MAP Survey, firms with over $10 million in net fees grew 16.3 percent, and partner income averaged $473,897. Firms with less than $2 million in fees grew an average 5.2 percent and the average income was $190,802. But with more small companies on the compliance hook, you have to wonder whether a pop for small accounting firms is in the making. They may be able to boost their billable hours.

For more:
- here's a brief on the survey from WEBcpa.com

Related articles:
- Mid-caps struggling with Sarbox compliance?
- How much do data breaches really cost?
- Compliance market still in growth mode

How much do data breaches really cost?

Tue, 24 Jul 2007 06:59:59 -0400

We've seen a lot of shocking data breaches as of late; JPMorgan's was a good example. But how much do they cost? According to a recent study by the IT Policy Compliance Group, businesses that report major incidents experience a drop in quarterly revenue, 8 percent for small companies and 12 percent for large companies. The cost of litigation and customer notification will average about $100 per each record lost. These are not trivial costs. The estimates are low, because there could be fines and regulatory tasks that must be undertaken. As well, how do you figure in the losses to your brand. Given the high stakes, it is somewhat surprising that the report found that 90 percent of companies do not have adequate systems in place to prevent data breaches. Something to think about.

For more:
- here's an article

Stateless computing a Sarbox benefit?

Mon, 09 Jul 2007 20:01:39 -0400

We've noted that just about all vendors have put together a list of Sarbanes-Oxley-oriented features and benefits. You would be remiss if you didn't. It can get overwhelming for buyers. But we were intrigued by the claims of the stateless computing crowd that any data stored on a desktop is at risk. They have a point. And it will be interesting to see if the corporate world will really transition back to a mainframe model of thin clients attached to powerful servers running all the applications and storing all the data. It makes some sense. There are those who would like to run all their apps off of Net servers (Google apps). But from a security point of view, stateless computing hardly seems like a panacea. It might make it harder for the rogue element to acquire data. But most breaches stem from good old human stupidity. But you've got to market, and Sarbox remains a hot-button issue.

For more:
- here's a release

ALSO NOTED: Does CEO certification matter?; Do laws actually encourage data destruction?;

Mon, 25 Jun 2007 20:01:38 -0400

> Neiman-Marcus has lost a laptop with personal data of about 160,000 employees. Article

> More banks sue in face of retailer and third-party data breaches. Article

> Security companies are hot, and the deals are heating up. Hewlett-Packard has bought SPI Dynamics. IBM has bought Watchfire. Who's next? Article

> A new study has found that CEO certification adds little value to a publicly traded company. Of course, this flies in the face of other studies that have found Sarbox compliance in general has made a difference. Summary

> LexisNexis, E&Y in Tax Center deal. Release

> Did Paulson change his tune. He no longer seems to back a small-company extension. Article

> SEC ends rule requiring foreign firms to reconcile books with U.S. standards. Article

> Do laws actually encourage destruction of data? Article

> Has Sarbanes-Oxley harmed entrepreneurs? Article

> Tale of revenue manipulation at Zomax. Article

And finally ... CPA boot camp prefers students for exam. Article

Big data breach at JPMorgan

Mon, 07 May 2007 20:01:39 -0400

We've discussed at length your customer data security obligations when it comes to customer data. Radio Shack's unfortunate event was both humiliating and costly. It never ceases to amaze me that companies, even big ones, are not more systematic about moving data. The latest example is JPMorgan. It announced recently that tapes of sensitive customer data, of its highest net worth customers no less, were lost last year. It has recently alerted 47,000 accounts in the Chicago area and advised holders to check for iffy activity. In a separate incident, a local union announced it found records in large trash bags outside some Chase branches. It posted video of the discovery on the Net. The union is trying to organize security employees at the bank. Make of that what you will. The point is that these sorts of breaches are a big no-no. This is a priority of the highest order.

For more:
- here's the union video

Unintended consequence: tighter controls on laptops

Mon, 17 Jul 2006 20:01:39 -0400

Did anyone think that the rise of Sarbanes-Oxley would lead to tighter control of employee laptops? Yet now it seems logical--there have been way too many data breaches involving stolen laptops. Many firms are lumping data security into the realm of compliance and control. Of course, the Gramm-Leach-Bliley Act of 1999 and the the Health Insurance Portability and Accountability Act (HIPAA) factor in as well. The bottom line is that more companies are likely to adopt more stringent rules regarding employee use.

> Read this article from The Dallas Morning News.