It’s going to be interesting to see how this one pans out (further to Peter Benson’s story yesterday; Disclosure Laws – Reality Checks)

Bankers suing TJX.

A successful action against TJX will no doubt have a tsunami effect on businesses – with global implications. Is it about time?

The Payment Card Industry DSS message and its objectives (and just plain good Information Security practices) will have no better driver than the fear of a company being the next to feel the wrath of badly burnt banks or business partners, clients, customers or ... wait for it ... shareholders!

You’ll see the same old story if you track the links deeper. Surprise surprise, this may have been happening back as far as 2005. I hate to keep repeating myself but many (a lot, more than you would hope, a good percentage of) companies just have no idea if their systems are secure, who “owns” them, whether they have been breached in the past and whether they continue to be used by unauthorised parties. It’s been said many times ... most companies just don’t want to know!

What impact does this have on Disclosure Laws? Hmmm ...

An article from Peter Benson, on Disclosure Laws.

So when do you disclose a breach? From what we have seen in Australia and New Zealand, generally only when you are forced into it. The notion of disclosure is starting to raise its profile around Australasia, as a result of breaches occurring, and a general lack of public disclosure being undertaken.

The unfortunate aspect of this is that within our region there is nothing to force companies to disclose, and as a result a number of companies are not taking their information security seriously.

Companies are either burying their heads in the sand, or using obscurity as the weapon whereby they resist letting the public and their customers know of bad stuff happening. Often, through this lack of accountability and good corporate citizenship, information security is still being seen as an “IT issue”, or alternatively as something to be avoided. In a number of cases that we are aware of, organisations haven’t even been aware that they have been breached until such time as “weird things happen”, or it otherwise gets into the public arena.

Let’s be real about this: while there are emerging standards such as the Payment Card Industry and banking regulations that bring in mandatory compliance in some organisations, the reality is that it is simply good and responsible practice to at least let your customers know that you have had a breach, and that their information may have been impacted! What is better ... covering up a breach and having the media find out about it first (then catching up with media controls), or demonstrating an ethical responsibility to customers where their information has been put at risk? The old school notion of “not telling anyone” just doesn’t cut it any more, and is likely to result in a higher impact over time if issues become disclosed by third parties.

So let’s look at bringing back a level of responsibility and accountability to the customer. If we don’t, it is likely that disclosure laws will be enforced sooner rather than later, which will force the issue and potentially have a much higher impact than if we take a proactive stance on this.

Let’s make no mistake, accountability is there, and while there are some courses of action available to enforce accountability around protection of information, the reality is that these will largely be superseded in the not too distant future through disclosure laws. Protection of customers’ interests and privacy is something that a lot of us have not really addressed seriously as yet, and we still give lip service to this as an “IT issue”. It is not; it is the ethical and responsible protection of our customers (and implicitly our shareholders), behaving in ways that are socially and ethically responsible. To say that this doesn’t exist, or is not a risk, is simply untrue, and we will see changes coming in the near future. Watch this space!

Peter was recently quoted in Computerworld on this topic. He will be presenting on this topic in New Zealand and possibly Australia. Watch this space also.

Peter raises a good point about organisations not even knowing if they have been breached. We see this all the time, as I have noted in a few entries: Botnets, Zero Days, Tell me I’m not owned. How will this play out when disclosure laws come out? The three-monkey approach? I hope not!

Posted in: Uncategorized

Some of the ‘marketing’ for products like this is interesting to say the least. Thanks Wade for pointing these out to me.

Posted in: Dumb Security, WTF

Keen on your thoughts or hit the SA Website and click on the poll.

I don’t normally push products but I really do like what the guys at Qualys are doing. QualysGuard continues to be recognised as the world’s leading Vulnerability Management solution. At the recent 2007 SC Magazine Awards Europe, QualysGuard was awarded:

- Best Vulnerability Assessment Solution
- Best Security Product

This follows on from the 2007 SC Magazine Awards USA, where QualysGuard took out Best Audit/Vulnerability Assessment Solution, and TechTarget’s Information Security Magazine 2007 ‘Readers’ Choice Awards’, where QualysGuard won Best Vulnerability Management Solution. More information at the SA website.

On a related note, it still amazes me that relatively few organisations run a vulnerability assessment and management program.

Maybe in total number of incidents? At least for once, it is noted that the numbers don’t represent a “scientific sample”. From Worth a look.

Still, most of the crime continues on quietly ...

Posted in: cyber crime

Computerworld reports the money has been won.

Posted in: MAC Security

Ockham’s Razor

Donal always has some good takes on IT Security. His post on ‘The Elves and Shoemaker’, also in the link is worth a view (scroll down). :-)

Posted in: governance

No more to add at the moment ... stay tuned. The SA guys are intrigued (in a good way!) that I am using a Mac now and are happy to leave mine alone.

They’ll get to it ... it does, though, still look like shooting fish in a barrel, but who knows?

Posted in: MAC Security

Not meaning to pick on our Kiwi friends again ... they sent this to me! ... In follow-up to the last post:

‘War driver’ sparks Otago DHB network security review

Once again, no further commentary required.

But the question needs to be asked AGAIN. (Aside: how often do I cover this?) How can CIOs and senior IT managers justify having no clue about basic security principles? (By CIO I mean not just the acting dude from the article, but CIOs in general.) The usual excuses of being too busy, employing “specialists”, it not being their responsibility, etc. etc. ... these things just do not cut it! It’s akin to a CEO not bothering to understand his company’s financial position because he has hired accountants!

CIO with no direct interest in, or management of, IT Security (take out lip service) = Dumb CIO – a danger to the company they work for!

And you wonder why so many security dudes are angry young men. :-)

Posted in: Dumb Security
