Archive for March, 2012

Thinking beyond the Global Payments breach

Friday, March 30th, 2012

Almost everyone in a security role at an organization other than Global Payments probably let out a big sigh of relief along the lines of, “Boy, am I glad it wasn’t me.”

In case you missed the news, see:

Breach Hits Card Processor Global Payments at the WSJ

MasterCard, VISA Warn of Processor Breach at Krebs on Security

And for all we know, some folks in the security-know at Global Payments might even be whispering, “We told you so…”

If this sounds like you, it probably is.

Recent discussions with some CSOs and CISOs indicate it may be time to reevaluate the current approaches to detecting vulnerabilities, infections, and threats, if what happened at Global Payments is beyond normal due diligence and practice.

Some of these people have said that their Web applications and systems are routinely infected and that trying to pretend otherwise is simply foolish and blind. These same people say what’s needed is something that normal systems and network administrators can easily use to readily identify the proverbial needles in the haystack – in situ – and allow rapid decisions so as to tackle the highest-risk problems first.

If this sounds like you, it probably is.

If you’re like these people, it may be time to think beyond the problem that surfaced at Global Payments today, re-think how we can effectively use our resources, and keep the hidden needles from causing more damage. If your networks are already infected and you can’t triage them effectively and fast enough today, then how will you climb out from behind this potentially no-win posture?

Let us know what you think these might be and we’ll share what we find out.

You Get What You Pay For

Monday, March 26th, 2012

Cutting IT budgets to reduce operating costs is directly related to reductions in customer retention, revenue and profit. The same organizations focused on reducing operating expenses for IT are – in general – the same ones also reducing the budget for information security and related internal IT audits. After all, information security and audits of IT are operating costs.

Well, do you get what you pay for?

The ongoing research shows the organizations with a special zeal to cut operating expenses in IT are the ones suffering the highest customer defections, the worst year-to-year performance measured by revenue and profit, the highest rates of business downtime from IT-related disruptions, the most losses and thefts of sensitive data, and the most deficiencies in IT found by external audits.

In an earlier post, we highlighted how the difference in spend on information security, as a percentage of the IT budget, was related to outcomes by organizations, and how this spending changed over the period from 2006 through 2011.

What’s interesting about the findings is that not much has changed during this five year period. The firms with the best outcomes continue to outspend all of their peers when it comes to information security, despite the recession that occurred mid-way into this five year period.

See the original post, Do You Feel Lucky, Well Do You?, for spending on information security from 2006 through 2011.

In addition to looking at spend as a percentage of IT spend, it is even more instructive to simply look at absolute spending on information security.

When the dependence on IT spend is removed and you are looking at the absolute spending allocated to information security, the results are even more black-and-white. The worst performers are spending about one-tenth compared to the average performers, while the best performers are spending almost 2.5 times more than the average performers. Compared to the worst performers, the best performers are spending almost 25 times more; an astounding difference.

Figure: Outcomes and spending on information security (Source: IT Policy Compliance Group, 2012)

Do you get what you pay for?

Is the difference in outcomes related to the differences in spending?

Here we find direct evidence that you get what you pay for: those spending the least have the worst track records for revenue, profit, customer retention, business disruptions related to IT, data losses and thefts, as well as deficiencies in audit. Those spending the most on information security are experiencing the opposite outcomes with the best track records for revenue, profit, customer retention, business disruptions related to IT, data losses and thefts, as well as deficiencies in audit.

In this day and age, where the notional perimeter is becoming more and more obsolete and IT is becoming more important, reducing operating expenses for information security is like cutting your feet off to reduce your weight.

You’re bound to lose some weight but at the risk of bleeding to death.

The research findings confirm: You get what you pay for.

Let us know what you think accounts for the differences in spend and outcomes.

What’s Privacy Worth?

Monday, March 19th, 2012


Legislative no-man’s land

A seemingly endless number of bills covering privacy of consumer information (more than 35) have been filed in the US, none of which have passed, and all of which are still sitting in committee referrals in the Senate or House of Representatives. Some examples of the lands-of-no-return for these filed bills include:

  • Subcommittee on Border, Maritime, and Global Counterterrorism
  • Committee on Commerce, Science, and Transportation
  • Subcommittee on Crime, Terrorism, and Homeland Security
  • Committee on Education and Labor
  • Committee on Energy and Commerce
  • Committee on Finance
  • Committee on Financial Services
  • Committee on Foreign Relations
  • Committee on Governmental Affairs
  • Committee on Health, Education, Labor, and Pensions
  • Committee on the Judiciary
  • Subcommittee on National Parks, Forests and Public Lands
  • Committee on Oversight and Government Reform
  • Subcommittee on Transportation Security and Infrastructure Protection
  • Committee on Ways and Means
  • Subcommittee on Workforce Protections
  • Committee on Homeland Security

For a more complete list of the legislation and status, see the coverage at EPIC: http://epic.org/privacy/bill_track.html


EU refinements

Meanwhile, on Jan 25 2012 the EU Commission adopted legislative proposals to reform and strengthen fundamental rights to data protection and to unify the EU’s data protection laws and enforcement rules. See “Proposal on the Protection of Individuals with regard to the processing of personal data and on the free movement of such data”.

And, see “the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”.


Presidential politiks

Not to be outdone by Congress, a privacy blueprint and Consumer Privacy Bill of Rights was recently released by the administration of President Barack Obama.


Other than lobbying, will anything change?

Unlikely; the calculus of commercial and government interests – some of which overlap, others of which don’t – and the presidential election-year cycle in the US would indicate that much of what goes on in DC regarding “privacy” is going to stay inside the beltway.


What do citizen-consumers want?

Lost in the endless committee debates, jockeying between commercial interests and real-politicks are the citizens of the world, most of whom are being ignored by businesses and governments alike. Don’t believe it?

The resounding answer from constituents is, “yes”, as your own anecdotal evidence from water cooler talk, PTA meetings, and neighborhood discussions on the issue of privacy seems to indicate. And, more evidence for this comes from Australia, where the University of Queensland recently completed its latest survey of 1,106 adults.

The Personal Information Project being run by Mark Andrejevic at the University of Queensland (http://cccs.uq.edu.au/personal-information-project) found that more than 90 percent of adults want more say in how their personal information is used or not used by companies operating over the Internet, including laws governing their right to privacy, notifications when data is being collected, a do not track option, the right to see what information is stored on a website, and the ability to delete personal data if requested.

See the findings of the Personal Information Project at the University of Queensland for more information: http://cccs.uq.edu.au/personal-information-project


What’s Privacy Worth in the Market?

In recent coverage by the NY Times in “What would you pay for privacy?” (see http://bits.blogs.nytimes.com/2012/03/19/what-would-you-pay-for-privacy/ ) the article cites recent research conducted by ENISA to determine economic choices people would make regarding their personal information.

The original study is well worth reading if you are with a business or are in a legislative capacity. You can find it here:  http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/monetising-privacy

Some of the interesting findings from this study include:

  • Most of the respondents (about 93%) are very interested in whether a firm protects their information or not (basically the same rate found in the Australian study).
  • A majority of purchases are made at privacy-friendly firms when there are no differences in prices (not surprising, and the study data backs the finding). As a result, privacy-friendly firms are able to snatch a higher share of the market.
  • However, when there is price differentiation, consumers show a tendency to choose cheaper services and goods (also not surprising, and the study data backs the finding).

The findings of this study should stimulate interesting discussions about yields, market penetration rates, demographics, and economic game choices among most commercial businesses, and therefore change the landscape of how we think about privacy.

Recommendations of the ENISA study:

  • If there are little to no differences in the prices offered for homogeneous goods, privacy-friendly firms will obtain a competitive advantage.
  • Regulatory frameworks should allow for sufficient flexibility for businesses to offer different menus regarding prices and personal data requirements.
  • Standardized and simplified data collection requirements, data protection and privacy policies should be made more visible to consumers in order to enable comparison of terms.
  • Regulation should encourage the portability and transfer of standardized personalized consumer profiles upon the consent of consumers and in accordance with personal data protection legislation, to reduce switching costs for consumers and increase price competition among firms.

The study authored by ENISA, “Study on monetising privacy: An economic model for pricing personal information”, is one of the better, more recent economics-grounded studies of privacy and the choices that consumers make.

An older study entitled “What is privacy worth?” – which is also worth looking at – can be found at: http://www.heinz.cmu.edu/~acquisti/papers/acquisti-privacy-worth.pdf

And, for cynics who are only focused on the cost-risk and cost-benefit tradeoffs of litigation, another small piece of evidence might be of interest from Thomson Reuters here: http://graphics.thomsonreuters.com/11/05/PrivacySettlements.pdf

It’s worth the time to download and read these reports to determine how your company can best implement and leverage consumer-friendly privacy policies and practices that will create more business, more revenue and larger profits – while being mindful of competitive displacement.

 

Google Privacy Flub Being Investigated

Friday, March 16th, 2012

In a front-page article in the Wall Street Journal today, regulators in the U.S. and Europe are said to be investigating Google for bypassing the privacy settings of millions of users of the Apple Safari browser.

Although Google is said to have stopped the practice last month after being notified by the Journal, the investigations by US Federal agencies, US State attorneys general, and the French Commission Nationale de l’Informatique et des Libertés are new developments in this ongoing saga between regulators and this hi-tech titan.

As cited in the Journal article, the key in this latest development appears to be “a pretty clear case of deception”, according to Justin Brookings, the director of the consumer privacy project at the Center for Democracy and Technology.

See the March 16th article in the Wall Street Journal

Google in New Privacy Probes

http://online.wsj.com/article/SB10001424052702304692804577283821586827892.html

See the February 17th WSJ article

Google’s iPhone Tracking

http://online.wsj.com/article_email/SB10001424052970204880404577225380456599176-lMyQjAxMTAyMDEwNjExNDYyWj.html

See the source, Jonathan Mayer

To see the original source describing what Google was doing to circumvent the protections in the Safari browser, and how it was done without asking users for permission, see the original post by Jonathan Mayer:

http://webpolicy.org/2012/02/17/safari-trackers/

 

So, what are the likely outcomes here?

1) Fines levied against Google?

2) Sanctions and audits of Google’s behavior to limit such behavior in the future?

3) More Pollyanna holy hosanna, we’ll self-police ourselves?

4) More ill-guided regulations that will be outdated before the ink is dry?

5) Tools users can use to limit privacy-snatching (a lot of these already exist as plugins for Firefox)?

6) Something else?

Let us know what you think.

What should be done, what can be done, and what will work?

 

Ouch! Hi-Tech Firms Sued for Having Fingers in Mobile-Privacy Cookie-Jar

Thursday, March 15th, 2012

A class action lawsuit has been filed in Austin, Texas against a number of hi-tech companies, claiming the firms illegally steal address book data residing on mobile cell phones without the knowledge or consent of the owners. One of the attorneys representing the class, Jeff Edwards, said, “A second grader knows that you’re not supposed to take things that aren’t yours, and so should a tech company.”

See local coverage of the class action lawsuit:

http://www.kxan.com/dpp/news/local/austin/lawsuit-filed-over-app-privacy-invasion

The class is seeking an immediate, temporary, preliminary and permanent prohibition of the claimed activities by the named defendants, a trial by jury, treble damages for the class, attorney’s fees, litigation costs, and periodic audits to ensure compliance with a successful ruling for the plaintiffs.

The defendants in the class include:

  • Apple
  • Beluga
  • Burbn
  • Chillingo
  • Electronic Arts
  • Facebook
  • Foodspotting
  • Foursquare
  • Gowalla
  • Hipster
  • Instagram
  • Kik Interactive
  • Linkedin
  • Path
  • Rovio Mobile
  • Twitter
  • Yelp!
  • ZeptoLab

The apps claimed to be illegally harvesting personal data – in case you want to check if you have these on your mobile device – include: Angry Birds, Beluga, Cut the Rope, Facebook, Foodspotting, Foursquare, Gowalla, Hipster, Linkedin, Instagram, Path, Twitter, and Yelp!

The defendants are being sued for negligence and gross negligence, invasion of privacy and seclusion, public disclosure of private facts, violations of the Texas Theft Liability Act, common law misappropriation, conversion, civil liability for fraud and related activity in connection with computers, RICO violations, interception of electronic communications, civil liability for violations of the Texas Wiretap Act, aiding and abetting, unjust enrichment, and constructive trust.

See the full lawsuit claim here:

http://media2.kxan.com//PDF/AppsClassAction-OriginalComplaint.pdf

See related coverage:

http://www.statesman.com/business/lawsuit-mobile-apps-accessing-users-address-books-2236188.html

See the original story in the NY Times from February 15, 2012:

http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/

 

Lost Your Cell Phone? Assume the Worst

Monday, March 12th, 2012

If you lost your cell phone today, would you get it back?

Don’t expect it back. Worse yet, the information on the phone – and the resources accessed through the phone – are most likely compromised.

A recent study published by Symantec shows you have a 50/50 chance of getting your cellphone back, with people in some cities more likely to notify you and return the phone, and others less likely.

The recent test run by Symantec involved 50 pre-configured smartphones that were left in publicly accessible places in North American cities.

The key findings include:

  • For 50% of the lost phones (25 of them), the finders tried to return the phone.
  • Once found, 96% of the phones (48 of the 50) were accessed by the finders to see what they could find.

More coverage can be found at these links:

And, of course, the original findings of the study can be found here.

So, what does this mean if you’re dealing with the loss of your own phone, or your company’s phone, and you have sensitive information on it, banking applications on it, passwords for sensitive accounts on it, and more?

Find out by reading what the best performers do about managing mobile computing, Managing the Benefits and Risks of Mobile Computing.

And, see what these organizations do about Data Driven Reporting and Communications about IT.

 

Where’s Your Data – Today?

Wednesday, March 7th, 2012

A random collection of recent headlines includes:

March 7th: Arizonans’ Data Exposed by State Agency

See more here:  http://www.abc15.com/dpp/news/region_northern_az/payson/state-agency-leaves-arizonans-sensitive-documents-in-dumpster

Will anything substantial change in Arizona after the findings of this exposé? Maybe some controls will be introduced to limit garbage-dumping. More evidence that it’s not just about electronic thefts.

 

March 6th: Belfast City Councillors’ Data Exposed

See more here:  http://www.belfasttelegraph.co.uk/news/local-national/northern-ireland/belfast-city-councillors-bank-details-disclosed-in-data-foulup-16126996.html

Want to take odds on something changing in the procedures used to protect personal data in Belfast now that the City Councillors have experienced this first-hand?

 

March 6th: Soldiers’ Data Exposed, Defence under Investigation

See more here:  http://www.abc.net.au/news/2012-03-05/defence-under-investigation-over-privacy-breach/3870002/?site=brisbane

For those of you down-under, what’s the likelihood of something changing in the way Defence handles personal data?

Pay Attention to Changing Risks and Controls

Monday, March 5th, 2012

Risk and controls go together like salt and pepper.

It’s just that sometimes we forget about the ever-changing relationship between the two, and instead spend a lot of fruitless time remediating controls in IT based on past assumptions or simply their severity, without any relationship to current business risks, complementary controls or changed conditions.

Acme Conglomerate

The following story about the experience of one organization helps explain the importance of paying attention to changing risks and controls. Similar conditions at your organization are purely coincidental.

Acme Conglomerate (not the real name of the organization) depended on its financial transaction processing systems to accurately account for store-sales during its heaviest seasons and for routine month- and quarter-end rollups and reporting.

Originally staged on mainframes, the relevant applications were migrated several times to other platforms, including System/36 minicomputers, and then onto PCs. About two years ago the applications were virtualized and run on demand, as needed and from whatever PCs were available.

When the applications were hosted on the mainframes, they were assigned a “severity level 1” rating if the applications were degraded or not available. The impact of the Sev-Level 1 rating for applications is that someone in IT is dispatched to immediately investigate and restore services as rapidly as possible. The time frame associated with resumption of service for the applications is two hours at Acme Conglomerate.

The assignment of Sev level 1 for these applications has not changed since it was first made, when the applications were first deployed on the mainframe. Since then, the retail portion of Acme’s business has declined from 76 percent of its revenues to 22 percent of its revenues.

A brief look at the severity level (or “Sev level”) assignments at Acme Conglomerate reveals:

Sev-levels at Acme Conglomerate

Sev 1: assigned to mission-critical production systems being down with no workaround immediately available

Sev 2: assigned to noticeable changes in performance or throughput for some critical systems that are operating in a restricted manner

Sev 3: assigned to degraded functions or performance impacting only some users of the IT systems

Sev 4: assigned to routine problems affecting a small number of users of IT systems

The original thinking had been that these financial recording and reporting applications were critical to Acme’s financial reporting, that the mainframe being used to generate the information was an expensive resource, and that the inability to produce accurate financial data could lead to business risks the organization wanted to avoid.

Over the years, the changes that occurred included the acquisition of non-retail businesses that represented a larger share of the organization’s business, and cheaper and more easily replaced IT resources, leading eventually to virtualization and run-anywhere, anytime operation for the applications. In addition, complementary controls evolved with the evolution of the platforms to deal with notification and more automated forms of remote recovery in case something was not working. And, one other thing changed: in the past six years the company has had to report on material impacts from operational events related to its financial reporting.

Despite the changes in its business, its systems and complementary controls, Acme Conglomerate has kept the assignment of Sev 1 with these retail financial rollup applications, even when it’s no longer warranted.

Was this a major problem for the company? No, but it did waste resources, including time and money that could have been spent on more critical issues. And, because IT was forced to treat this application as “Sev 1” well after it was necessary, additional expenses were borne to treat other Sev-1 problems that posed much higher business risks for the organization.

Which severity level is appropriate at Acme Conglomerate?

Given the changes in its business, its regulatory reporting requirements covering the information and controls, and the systems being used to run these applications, what severity level would you assign to this?

Severity levels and risk

The use of severity levels plays a critically important role by informing people about events that should be responded to, and, importantly, what they should do to respond and in what time frame. But severity levels are not the only marker to use when making decisions about mitigating actions.

And, business downtime is not the only possible business risk related to the use of information systems. Examples of others include events impacting intellectual property, the brand of the organization, Internet security threats, and other high-profile threats.

But frequently, we forget to take into account the business risks, and as happened at Acme, we forget to update our assumptions about risk as conditions change.

Lessons learned

For some organizations, the lessons have been to develop, implement and maintain a centralized Risk Register, while for others the nature of operations dictates the use of different Risk Registers, some of which are IT-focused, others of which are line-of-business focused. Which approach – business or IT-focused – do you think is delivering better results?

For others, the use of formal change-control boards and change-management systems is required for IT-related resources employed in a production capacity. Why is the use of formal change control procedures helpful?

For others, Sev-levels have been re-thought. For example, I know of some organizations where Severity level 1 is now only associated with potential death or injury, and all other threat-events have lower severity levels associated with them. At others, I’ve seen a time-dimension added to the categorization of threats and severity levels, which includes the impact of non-trivial Internet security threats. At other organizations, the use of automated asset discovery procedures and mappings of assets against regulatory mandates, risk registers, controls, severity levels and policies is common.

To see additional practices, download a free copy of the latest research, Data Driven Reporting and Communicating about IT, at the IT Policy Compliance Group.

What are some of the lessons learned at your organization?

 

Some additional resources:

Severity Levels and Security, Vista Internet Bank Audits.  www.internetbankingaudits.com/severity_levels.htm

Severity Levels, Columbia University.  services.cuit.columbia.edu/definition-severity-levels

Risk register, Wikipedia.  en.wikipedia.org/wiki/Risk_register

Benefits of a Change Control Board, PMI.  blogs.pmi.org/blog/voices_on_project_management/2011/07/the-benefits-of-a-change-contr.html

Risk and controls, U. Central Florida  pegasus.cc.ucf.edu/~inspgen/RisksControls.htm

Evolution of Risk and Controls, KPMG. www.kpmg.com.cn/en/virtual_library/Audit/The_evolution_of_risk.pdf

Operational Risk Systems and Controls, FSA-UK.  www.fsa.gov.uk/pubs/cp/cp142.pdf