Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/29/2007
01:18 PM
50%
50%

Data Security: You're Not Learning From Others' Mistakes

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the messag

As I was catching up on some e-mail last night, I came across a message that's become all too familiar to me. It was textbook: A company was apologizing that one of its laptops had been stolen and that the laptop contained customer account and credit card information. A real yawner, until I considered that this e-mail was delivered to my personal e-mail account and that it was my customer account and credit card info that may have been compromised. Companies just aren't getting the message about data security.Needless to say, the e-mail got me pretty pumped up last night. As soon as I saw that e-mail from Register.com with "Important information concerning your Register.com account" written in the subject line, my reaction was, "Uh, oh." I'd just renewed my account with Register for another year to host my personal Web site. It had acknowledged receiving payment. I shouldn't have been hearing from it again so soon.

My heart sank as I read the e-mail. It was written in language that's become so familiar to me as I've covered the security beat. The e-mail included phrases designed to assure me that 1) only a small percentage of customers would be affected, 2) that the data contained on the stolen laptop was password-protected and encrypted, 3) that the thief probably didn't even know the value of the information contained on the laptop, and 4) that affected customers were being offered free credit-monitoring services.

I quickly fired off an e-mail to Register to let the company know how displeased I was with it. That was done as someone who's used its Web hosting services for the past four years.

As a journalist, however, I just have to shake my head. Companies (Register is by no means alone in this) simply aren't learning from other people's mistakes. While last year's theft of a Veterans Affairs laptop was probably excruciating for the millions of veterans whose names and information were contained on that computer, it was a gift for everyone else. IT and security pros got to see up close how carelessness and poorly defined (and enforced) security procedures can cost an organization and cause lasting embarrassment and mistrust. Why would any sane person want to endure the grilling that VA Secretary James Nicholson went through last year?

Even the now-infamous breach into the systems at TJX Cos., the parent of T.J. Maxx, Marshalls, and other retailers, followed a well-established pattern. If the reports about someone using the wireless "wardriving" technique to poach data from a Marshalls wireless network are true, then TJX can't escape the fact that the Lowe's home improvement store chain was hit by an eerily similar 2003 attack against a Southfield, Mich., store. In the Lowe's case, cyberthieves gained unauthorized access to an unsecured Lowe's wireless network in an attempt to obtain credit card transaction data. They used the Wi-Fi network at the Lowe's store in Southfield to access the company's central data center at Lowe's North Carolina headquarters.

I've always found IT leaders to be well read and well informed. How come the same mistakes are being made over and over again?

Don't get me wrong, I fully understand just how difficult it is for management to keep an eye on every piece of IT equipment issued to their employees. Living in New York, I also understand that, even in the nicest neighborhoods, it's possible that someone will smash a window to your car or apartment and help themselves to something that's not theirs. But businesses should be smart enough by now to mitigate these obvious risks to their customer data.

And the answer isn't just encryption or passwords, it's making sure that each and every employee with access to customer data (or any other sensitive information) knows what they're allowed to do and not do with that information. After they've been educated, that's when the real work begins. It's not enough for employees to simply know the risks of compromised data; they have to understand their company's security policies and why they're in place, and make it their personal mission to protect the information with which they've been entrusted.

That's the only way things will get better.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in "/cgi-bin/portal" in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The "/cgi-bin/go" page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.