In my last post, I went on at some length about the alarming tools available to criminal hackers as revealed at the March 2007 Black Hat Conference.
Shortly after that, I came across something even more alarming, if that's possible: a pre-publication draft of a study by Phil Howard and Kris Erickson of the University of Washington entitled A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006. The paper reviews major media reports of 550 security breaches that took place during the period in question, and it seems that 60% of them were the result of corporate incompetence rather than outside attackers. To quote from their abstract: "in terms of incidents, 9 percent were an unspecified type of breach, 31 percent of the incidents involved hackers, and 60 percent of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors."
So it turns out that, even if you do implement my 10-point security check, your personal information could still end up in the hands of the Russian Mafia because corporations simply don't adequately safeguard their customers' data.
That's no reason to give up the security fight, but it's a darned good reason to insist on more accountability by the companies that hold our personal information. So far, most legislation and public policy has been driven by the companies themselves, and we can see where that has gotten us.
"I think," said Howard in an interview for Computerworld, "it is easier when your company loses a lot of client data to put an immediate spin on it and blame it on a hacker or some external guy using some ingenious hacking technique."
Besides, that money you saved by not investing in proper safeguards in the first place has been earning you some nice interest in the meantime. It's always easier to shell out for PR and spin afterwards.