The latest release of “Ernst & Young Global Information Security Survey” shows that a growing number of organisations recognise the link between information security and a strong brand / reputation. It covered nearly 1400 senior executives in over 50 countries, and it strongly indicates that a security incident would have a greater impact on reputation and brand than on revenues. Considering the previous results and my experience – it seems that the major drivers of information security spend are shifting from compliance to brand protection.
More importantly, it suggests that the spending is set to increase in Information Security. While, I think there will be major cutbacks in a number of existing areas and the same money will be re-channelled with more robust monitoring of the bottom line.
FSA releases report on protection of consumer data within Financial Services industry. This review was carried out by FCID (Financial Crime and Intelligence Division) of FSA – In summary, it highlights the need for improvement in current practices deployed in the financial services industry for protecting consumer data. It also highlights and acknowledges a few good practices currently in place.
Main findings were around following themes:
– Training and Awareness
– Staff recruitment and vetting
– Physical Security
– Disposing of customer data
– Managing third-party suppliers; and
– Internal audit and compliance.
Some really exciting statistics reported by Verizon Business RISK team.
It is worth to note the fact that although percentage-wise the insider data breaches are 18% compared to the external 73%, later in the report is is mentioned that impact of an insider breach is relatively a lot higher than of an external breach. Summary is below:
Who is behind data breaches?
73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties
How do breaches occur?
62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats
What commonalities exist?
66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls
Apparently not, FSA is urging banks to improve their controls, while a simple advice but barely followed. SocGen is a prime example. Although, other entity level and manual controls failed as well, but it was the technology that made it possible in the first place (based on the SocGen’s official statement released sometime earlier)