A stream of high-profile data losses and increasingly sophisticated financial crime is slowly edging IT security up the corporate agenda.
At the start of the new year, warnings abound concerning the persistent and increasingly complex threats posed by financial crime, which costs the European economy billions each year.
Despite this, recent research shows that information security doesn’t feature that highly on corporate agendas. In December last year, an Ernst & Young survey found that a gap persists between the information security function and strategic decision-making. Staggeringly, over a quarter of the executives polled admitted to not reporting on information security compliance or incidents.
This lack of awareness could explain how even a senior manager at a bank can become the victim of identity fraud. In January it emerged that Barclays chairman Marcus Agius fell victim to this crime as the result of a blunder by staff at his own bank. An official at the bank told the media: ‘It was down to human error, procedures were not followed fully and we have learned from it. This is an ongoing battle with professional fraudsters.’
Organisations in both the public and private sectors have been shamed by their apparent inattention to data security over the last two or three years. High-profile data theft isn’t just bad PR: when the UK building society Nationwide lost a laptop containing 11m customers’ details, it was fined £980,000.
Human error was also held responsible for a recent incident at the UK’s HM Revenue & Customs (HMRC), in which the personal information of 25m people was lost. In this instance the finger of blame was unfairly pointed at a junior clerk for losing CDs holding the unencrypted information.
Following the heated controversy surrounding the HMRC incident, a technology specialist produced figures that showed the extent of the problem: many commercial employees do not follow corporate policies on data and computer security, and nearly half (48%) of those polled said data was threatened by employee negligence.
The proliferation of new forms of media has only served to open up new fronts. Gregory Kopiloff, from Seattle, was the first person indicted for using peer-to-peer file-sharing networks to commit identity theft. Kopiloff allegedly used the software to steal tax returns, credit reports and bank statements.
Adding to these problems, hackers are becoming ever craftier. Looking ahead to 2008, Dan Hubbard, vice president of security research at Websense, said: ‘Looking at the current attack trends, cyber criminal techniques are evolving quickly and efficiently to not only evade detection, but to steal data and manipulate trusted content such as websites and applications.’
Despite efforts to eradicate spam from e-mail servers and private mailboxes, this modern plague has continued to spread. Malware is spreading too: according to F-Secure’s annual Data Security Wrap-up, the cumulative number of malware detections doubled during 2007, reaching the half-million mark, which suggests that network criminals are producing new malware variants in bulk. Mikko Hyppönen, chief research officer at F-Secure, said: ‘We predict that the increase in malware volume will continue into 2008.’
Furthermore, the independent testing authority Virus Bulletin has revealed that 17 out of 32 anti-virus products tested, including big-name products from Trend Micro, Kaspersky, Norman and Sophos, failed to make the grade. A total of 13 products failed to spot threats known to be circulating in the real world, and a large number also produced false alarms on known clean files.
And this week the Federal Bureau of Investigation released fresh warnings about ‘vishing’ (voice phishing), a scheme employed by fraudsters to harvest personal information, which involves sending an e-mail that asks the recipient to confirm account details over the phone.
All this comes in a year when the Olympics are due to be held in a country known to have a large hacker community. Websense said the Olympics could fuel a surge of hacker activity, such as compromises of popular Olympic news or other sports sites.
Businesses can never be completely safe, but faced with threats of this complexity firms should ensure the highest possible levels of security.
Fred Chedham, head of Detica’s business resilience services, concluded: ‘Only by pushing resilience to the top of the agenda and engaging senior management will businesses be able to confront and absorb the security shockwaves of 2008 and beyond.’