• About CSIA
  • Mission Statement
  • Committees
  • CSIA Team
  • CSIA Offices
• Board Members
• Events
  • CSIA Events
  • Industry / Gov't Events
  • Member Events
• Member Directory
• Newsletters
  • Current Issue
  • Archive
  • Sign Up
• Testimonials
• Join CSIA

CSIA Members:  Industry Research and Surveys

New Survey Provides Insight on Insider Attitudes Toward Database Protection

Increased connectivity has brought not only tremendous economic and social benefits, but also increased vulnerability for company and government databases from both outsider and insider threats. To better gauge how business and government organizations secure database resources and respond to targeted threats, Application Security, Inc. and the Ponemon Institute queried 649 respondents in corporate information technology (IT) departments within U.S. and EMEA (Europe, Middle East, Asia) based business or governmental organizations. The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. The four key issues examined in this inaugural study, completed in June 2007, were:

1.  What does the IT environment look like within organizations? Do size and complexity play a part in determining priorities?
2.  How critical is the need to deploy database security measures to protect sensitive or confidential information?
3.  How important is database security relative to other information security measures or practices?
4.  What are the priorities that drive database security initiatives within business and governmental entities?

Key findings include:

• Trusted insiders remain a significant, and largely unmonitored risk.
• A majority of organizations do not have the technology or processes required to effectively manage against insider threat.
• Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property.
• The vast majority of data exposed in the past two years has been confidential customer and employee information.
• Over ninety-five percent of respondents would value solutions that enabled them to understand and prioritize database security needs within their organization.

The survey ranked data in terms of greatest risk to the core business in the following order:

• Intellectual Property Business
• Confidential Information
• Customer and Consumer Data
• Employee Data

A copy of the report can be obtained at www.appsecinc.com.

August 2007

New Survey from CSIA Member Vontu Reveals Data Breaches Undermine Consumer Confidence

In the wake of massive data breaches at businesses, educational institutions and medical facilities, consumers are modifying their purchasing behavior out of concern for the security of their personal information. A new study conducted by Ponemon Institute on behalf of Vontu shows that the high percentage of individuals that have been notified of a data loss event has contributed to increased consumer security worries. These data breaches may negatively impact consumer buying behavior, including reluctance to use electronic payment methods to purchase from an online merchant they don’t know, and unwillingness to provide certain types of personal data when registering online.

Key findings from the study include:

• 62% of respondents have been notified that their confidential data has been lost or stolen.
• 84% of respondents who were notified reported increased concern or anxiety due to data loss events.
• 62% of respondents said that they would be more upset with a company that lost their information due to negligence than if that company lost their information as the result of a criminal enterprise or theft.
• 36% of respondents stated that they would not use their credit or debit card to make a purchase with a Web merchant they don’t know. Respondents who have received notification are more cautious when sharing their credit card (43% vs. 32%) and debit card (44% vs. 32%).  In other words, findings suggest that breach notification may affect consumer behavior.
• 45% said they would not provide their Social Security number on a Web site.

More detailed information about the study can be found here: http://www.vontu.com/news/release_detail.asp?ID=587

Online Banking Security: FFIEC Deployment Experiences

Facing a looming deadline for compliance with the FFIEC guidelines for stronger online authentication, banks were racing to get ready. From August through September 2006, Entrust commissioned the Aite Group to target and survey a dozen financial institutions that have already selected their strong authentication and/or fraud detection vendors and have currently engaged in or completed their FFIEC projects, or were well down that path. The purpose of studying these institutions is to gain insight into their FFIEC compliance projects, which may assist other financial institutions as they begin their own FFIEC initiatives. 

View the full study.

Entrust 2006 Mobile Workforce Security Survey

Organizations are more concerned than ever that they could be subject to costly data breaches. In fact, in a recent survey, 75 percent of respondents from various industries indicated that they believe the occurrence of data breaches involving confidential personal information happens more than once a day in the U.S. alone. While concern is at an all-time high, research shows that most enterprises are not doing enough to minimize the risk of data breaches.

Entrust commissioned Osterman Research, Inc. to survey certain North American enterprises and determine how they are currently dealing with mobile workforce security issues.

With heavier reliance on remote access and mobile devices to hold sensitive corporate and customer data, the risk of potential data theft or loss, and the resulting costs of publicly disclosing these breaches are taking a toll on corporations across North America.

• Respondents indicate that on average, 36 percent of their employees carry laptops and mobile devices containing sensitive customer information.
• 98 percent of respondents say their organizations allow remote access to their corporate networks.
• As a result of recent world events and varying airline travel restrictions, 73 percent of respondents now believe more laptops and mobile devices may be lost or stolen during air travel.
• While 37 percent of respondents indicate they have already experienced some form of data breach due to loss or theft of mobile devices, a staggering 68 percent of respondents indicate it is likely they too could experience a data breach in the future. In fact, during a recent Entrust webinar, 60 percent of attendees noted that someone on their immediate team had a mobile device lost, misplaced or stolen.

Most organizations have addressed these risks through policy and training, yet the majority of those surveyed acknowledge that policies alone are not effective, nor sufficient.

View the full survey. 

2006 Cost of a Data Breach Study

PGP Corporation, Vontu, Inc., and The Ponemon Institute, a privacy and information management research firm, recently released the 2006 Annual Study: Cost of a Data Breach. This benchmark analysis details the financial impact of data loss incidents on affected companies. Initiated in 2005, the study examines all financial consequences of data breaches involving consumers' personally identifiable information. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005. According to the study's 2006 findings, data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. The Ponemon Institute analyzed 31 different incidents for the study. Total costs for each ranged from less than $1 million to more than $22 million.

View the full study. 

CSIA Members:  White Papers

How to Deploy BS 25999
BSI Management Systems

The purpose of British Standard 25999 is to provide a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings.  British Standard 25999 is written in two parts.  Part 1, the Code of Practice, outlines the standard's overall objectives, guidance and recommendations.  Part 2, the Specifications, details the activities that should be completed in order to meet business continuity objectives within the context of an organization's overall business risks.