[Dataloss] Identity Theft protection changes needed

George Toft george at myitaz.com
Tue Jul 11 11:33:51 EDT 2006


Our business is focusing on a vertical that is clearly governed by 
Gramm-Leach-Bliley.  Their professional journal carried 49 articles on 
the applicability of GLBA since 2001, yet in 1600+ telephonic 
conversations with members of this industry, the majority of the 
business owners have never heard of GLBA.  The FTC calls out their 
business as being regulated.  16 CFR states they are regulated, yet they 
don't know about it.

So where am I going with this?

In our research to discover why we are getting little results in our 
marketing, we stumbled across two pieces of wisdom:
1.  It's hard to convince someone to spend money on something they don't 
understand; and
2.  The human mind is built to react, not proact.

In our case, we are trying to help these businesses stay out of the 
[near] daily security breach headlines, yet the business owners do not 
understand why security is important.  "That will never happen to me."

Regarding the human mind, I think that we - as security people - are 
mis-wired.  We think proactively - that's why we proactively secure our 
systems (to the maximum extent allowed by the budget).  And it is hard 
for us to understand why the rest of the world can't see the freight 
train about to hit them.

I have been tasked with presenting a webinar to the senior management of 
a medium-sized company that is still running Windows NT on all their 
servers.  (By now, most readers are probably gasping in shock.)  The IT 
Director understands the problem, but senior management's mindset is 
"It's not broken, so why fix it?"

So what it comes down to is that senior managers do not think 
proactively.  They are focused on revenue generation, not asset 
protection, and surely not security.  This point is supported in a 
recent study 
(http://www.eweek.com/article2/0%2C1895%2C1979919%2C00.asp).  They will 
react when it hits them in the balance sheet, but by then the damage is 
done.

Proactive thought is neither taught nor practiced in college as shown by 
the trend in data loss (1/3 of victims are universities).  In my own 
studies - undergraduate and graduate - we were taught to solve problems, 
not prevent them.  (My policies class came close - we were taught to 
look at the failings of others and develop policies to protect the 
business.)  The root cause of the problem lies squarely in our education 
system.  Unfortunately, it takes years to move that industry, so the 
problem will continue for quite some time.

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.


Al Mac wrote:
> In security breach news we are seeing the same scenario played out again 
> and again, with different enterprises doing the same stuff that leads to 
> disaster.  How come no one seems to be learning by example to avoid being 
> the next story in the news?  I have my theories on this, but in this 
> article, IDG News Services asked leaders of three security businesses to 
> give their theories on this.
> 
> * People do what is easy and convenient and don't give much thought to the 
> consequences.
> * Many people do not get insurance until something happens to a neighbor, 
> or they see a problem in the news, and realize they need insurance against that
> * Security is a balance between other management priorities, in which 
> several are more important than security
> * There has been a conceptual shift in recent years.  It used to be that 
> companies trusted employees, gave them reasons for that trust, but now job 
> security is threatened by off-shoring, unions have been busted, and 
> Sarbanes Oxley is re-establishing separation of duties
> ** but none of that is why we have all these new laws saying no one can be 
> trusted ... here's why
> http://wallstreetfollies.com/ scroll to the bottom and blow it up 
> http://wallstreetfollies.com/diagrams.htm
> * there's a lot of traffic that goes over the Internet in the clear
> * you can't tell from a web ad if there is something malicious going on
> 
> My theories have to do with the notion that security breaches have been 
> occurring since the dawn of computer history, and we are now only hearing 
> about those associated with geographies where there is a legal obligation 
> to report them.  Let's suppose you work in a company that has existed for 
> 100 years, had computers for 50 years, have had 20 security breaches and 
> survived them all.  The fact that your company is now obligated to 
> publicize breaches means that it does not dawn on anyone what the PR 
> consequences of that are until after the first publicized breach.
> 
> There are laws that are not enforced.  We can go to any electronics store 
> and buy the wherewithal to tap into cell phone and other radio 
> traffic.  Totally illegal, but have you ever heard of anyone being arrested 
> for it?  Do you know what a police scanner is?  People who like to listen 
> to police radio calls for their entertainment.  You can also listen to taxi 
> service and other outfits.  Some parts of the electromagnetic spectrum are 
> reserved for special kinds of traffic, like pagers.  I hear tell there's 
> all kinds of interesting stuff for snoops.
> 
> Companies with wireless not locked down.  Several breaches have involved 
> someone with laptop in their parking lot.
> 
> People get some kind of communication service and assume there is zero risk 
> of it being tapped, hacked, or what have you.
> 
> http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_hacking&articleId=9001672&taxonomyId=82
> 
> -
> Al Mac AKA Alister Wm. Macintyre
> 
> 
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/errata/dataloss/
> 
> 
> 

