Strike 1: The first incident occurred on April 26th, when SONY announced that its PlayStation Network had been compromised, exposing the personal information of 77 million users.
Strike 2: One week later, a second security breach occurred on a different SONY network, compromising the personal information of 24.6 million users.
Strike 3: A third incident took place with the leakage of 2,500 users’ names and addresses. SONY admitted that this breach was due to human error on the part of their system management team.
In a recent study from Application Security and Unisphere Research, more than 50% of the respondents felt that human error (or malicious insiders) was the biggest risk to an organization’s security. Two-thirds of organizations experiencing a data breach in 2011 have reported it was caused either by human error or by an insider attack.
Lessons learned continue to show:
Sony struck out this month… Is your organization going to bat with situational awareness and accountability, and is it ready to adapt to the pitches coming your way?
OCEG recently announced poll results from a One Minute Poll about Policy Management. In their poll, 429 members replied to the following question:
How do you primarily manage the lifecycle of internal policies, procedures and guidelines?
Lessons learned: The bad guys already know what the results from this poll clearly reveal… People are an organization’s weakest link. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will remain vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.
Check out this recent overview of 10 of the largest data breaches from 2010, which resulted in the loss of millions of data records.
Lessons Learned: Is your organization providing ongoing situational awareness training? People are the weak link in the majority of data breaches, which are caused by human error, lost devices, social engineering attacks and numerous other poor decisions. It is critical for organizations to educate their employees (and third parties) on an ongoing basis, as risks, threats, requirements, and ’next’ practices are constantly changing. Lessons learned clearly reveal that once-a-year general training is not enough.
A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. A recent Ponemon study revealed that companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than non-compliant companies.
Lessons Learned: Compliance does not equal security, but security can benefit from compliance. Organizations investing in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc., and save money and resources over time.
Miami-based Pacific National was fined a $7 million penalty for violations of the Bank Secrecy Act and the USA PATRIOT Act.
Lessons Learned: Fines for gaps in AML practices are becoming more severe. Financial organizations must ensure they have the appropriate policies and procedures in place, and ensure their people are aware of, and accountable for, their decisions in order to meet ongoing compliance requirements. Organizations also need legal-ready and audit-ready documentation to avoid expensive fines, lawsuits, and embarrassing headlines.
According to Symantec’s Internet Security Threat Report, there were 286 million new threats in 2010, which equals an average of about 783,561 new threats per day. The report also points to dramatic increases in both the frequency and sophistication of targeted attacks, and to the continued growth of social networking sites as a means of distributing attacks.
Lessons learned: Your people are under attack… How is your organization keeping your people up to date on new attacks and new threats?
I recently came across an interview on BankInfoSecurity entitled, “Banks Must Assume Customers Will Compromise Themselves”.
In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques. Through current social networking sites such as Facebook, customers are often revealing all the information fraudsters need to work out their log-in credentials.
Many experts (and vendors) are recommending that banks increase their security measures and implement expensive fraud detection technology solutions. Unfortunately, this merely reacts to a symptom rather than preventing the problem. The root of the problem is uneducated consumers and a lack of situational awareness, so why not teach situational awareness and help bank customers work with their banks to proactively protect their personal information?
If bank customers could make the connection between sharing their mother’s maiden name, pets’ names, nicknames, birthplace, birthday, etc. on their Facebook profile and then using that same information as the answers to their online banking authentication questions, they might be less inclined to do so.
Financial institutions implementing ongoing customer awareness programs will gain a competitive advantage by having customers who are more aware and who work with the bank to mitigate risks involving:
As risks, threats, regulations, etc. are constantly changing, it will be critical to maintain an ONGOING program. Financial institutions that share lessons learned from current data breaches will help ensure that copycat breaches do not happen at their institutions or to their customers.
Visionary financial leaders providing situational awareness training for their customers will not only be helping their customers, but also preventing expensive data breaches and lawsuits and improving their ongoing customer relationships, customer trust and their institution’s reputation. Financial institutions should stop making assumptions about their customers, realize that more technology is not the answer, and start helping their customers make better decisions.