On January 20, as President Barack Obama was being sworn into office in Washington, D.C., a little-known company called Heartland Payment Systems put out a press release announcing that it had discovered a serious data breach. So serious, in fact, that while the full extent of the damage is not yet known, some experts suggested it may prove to be the largest in U.S. history. Within a week, lawsuits were being filed against the company.
That was just the latest reminder that despite advances in technology and a bevy of new regulations intended to force companies to safeguard consumer data, data thieves are as clever — and busy — as ever. While information-technology budgets are under extreme pressure these days, information security may be one area that should escape the ax.
Security attacks are not lessening with the economic downturn; in fact, research shows just the opposite. The number of data breaches at businesses, government agencies, and educational institutions in the United States jumped by nearly 50 percent in 2008 compared with 2007, according to the Identity Theft Resource Center (ITRC), a nonprofit organization that supports victims of identity theft and broadens public awareness of the problem.
The ITRC says there were 656 breaches reported in 2008 — up 47 percent from the year before — exposing more than 35 million electronic records. (This data doesn’t reflect the Heartland incident, which took place in 2008 but was announced this year and had yet to be adequately assessed as of press time.) The breaches took many forms and were perpetrated by both outsiders and insiders, but many shared a common trait: they were easy to pull off. A mere 2.4 percent of all breaches required the perpetrators to foil encryption or other strong protection methods; password protection was in place in fewer than 10 percent of the cases.
That suggests that many companies can significantly boost security and reduce their exposure by adopting basic and inexpensive measures. But even if your company has encryption in place (as Heartland did), don’t rest too easy. “The sophistication and automation of financially motivated cybercrime is very steep today when compared with counter-efforts,” says Ken Dunham, director of global response at iSight Partners, a provider of threat intelligence services. “Criminals are agile and able to outpace the rate of adoption of counter-technologies in the marketplace.”
The motivation for cybercrime is even higher during economic hard times. A January report by iSight says that the economic decline in the United States and around the world will significantly increase the risk organizations face from employees who are laid off, fear being laid off, or face some form of personal financial trouble that may lead some to consider insider crime.
“We’ve always faced information security threats. The difference is in the desperation that individuals are facing,” says Tony Hildesheim, vice president of IT for Washington State Employees Credit Union (WSECU). “This adds a component of internal risk that may be underestimated.”