Log in

Computer crime

SEC wants companies to disclose their data breaches

October 15th, 2011

SEC orders companies to report data breaches

Corporate giants have been handling data breaches traditionally i.e. not revealing the breaches, not offering details. They always preferred keeping mum. It won’t be an exaggeration if we say that tens of billions of dollars worth of data is compromised every year from U.S. companies and very few of it gets reported !

But that is about to change. The Securities and Exchange Commission (SEC) has formally asked corporations to report data breaches and cyber crimes. The new guidelines issued by the SEC state that publicly traded companies must report cybertheft or attack and any risks associated with data.

These guidelines have been a result of Sen. John D. Rockefeller’s initiative. “This guidance changes everything. It will allow the market to evaluate companies in part based on their ability to keep their networks secure.”

“For years, cyber risks and incidents material to investors have gone unreported in spite of existing legal obligations to disclose them,” “Intellectual property worth billions of dollars has been stolen by cyber criminals, and investors have been kept completely in the dark.”

The current regulations do not specifically talk about cyberattacks. They only expect companies to report if there is risk to their material wealth. But now companies will be forced to talk about cyberattacks, thanks to these guidelines. The guidelines might, in addition to the above, ask the companies to disclose data breaches that took place in the past.

Cyber security is being beefed up through these regulations as cyber crime is on the rise. The recent major breaches including Sony’s and Citigroup Inc have resulted into this action.

Melissa Hathaway, an ex-White House cyber coordinator said in her statement “It’ll force executives to really understand what’s going on within their corporations,”. “I think it will create the demand curve for cybersecurity.”

Which cyber-incidents will be included in the guidelines?

Cyber incidents that could materially affect products, services, relationships with customers or suppliers, or competitive conditions will be a part of these new regulations.

Here is the exact wording in the guidance:

Registrants should address cybersecurity risks and cyber incidents in their MD&A [management discussion and analysis] if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition or would cause reported financial information not to be necessarily indicative of future operating results or financial condition

Alertsec comes to the rescue

80% of data loss is due to lost or stolen equipment. 50% of network breaches take place by using passwords from lost or stolen equipment. Laptop encryption is the solution to laptop theft problem. Small and big companies are now realizing the importance of tracking software. Alertsec offers laptop encryption service to secure your data.

Organisations are now made aware about their data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.

No comments »

Posted in Computer security, Data Protection, Lawsuits and settlements, Security Flaw, computer security software, data breach, data encryption

Tags: business Citigroup Computer crime Computer security data breach International Monetary Fund John D. Rockefeller Melissa Hathaway Public company SEC Securities and Exchange Commission Sony U.S. Securities and Exchange Commission US Securities and Exchange Commission

The U.S. Senate Judiciary Committee approves three Democrat-proposed data breach bills

September 26th, 2011

Sen. Patrick Leahy's bill wins approval

Breach notification and data security are now closer to reality, thanks to the three bills three bills, proposed by Chairman Leahy(D-VT), Senator Blumenthal (D-CT), and Senator Feinstein (D-NH).

The Senate Judiciary Committee approved the bill on Sept 22. The committee’s 10 Democrats voted in favor and its eight Republicans voted against it. Leahy was disappointed that no Republican supported the measures.

About the three bills

As per the three bills, businesses are required to develop data privacy and security plans and set a federal standard for notifying individuals of breaches of sensitive personally identifiable information (SPII).

The Leahy bill

This bill is also known as the Personal Data Privacy and Security Act of 2011,. It is a cyber-security and online-privacy measure introduced to deal with threats from hackers and malicious software.

Three important points about Senator Leahy’s bill:

a. ‘Data minimization’ provision, requiring businesses to establish a plan to minimize the amount of SPII the business retains and to delete SPII that is no longer needed to fulfil a (unspecified) business purpose or legal obligation.

b. Previous iterations of Leahy’s bill had several sections on government access to commercial data. These have now been stricken off.

c. An important addition during markup was a provision designed to ensure that the CFAA is not used against people who merely violate website terms of service

Is this time any different?

Cyber security bills have been introduced before but not much was done about them. Data breach cases are growing at an exponential speed and hopefully this time is different.

Senator Chuck Grassley and the EFF concerned about the new bills

Here is what Senator Grassley had to say “Americans want and need the Congress to work with private businesses to create jobs,” “However, under this bill, we may end up with more burdensome regulations, small businesses forced into bankruptcy, jobs lost, and consumers still going unprotected because the over-notifications will be ignored.”

EFF and a group of civil liberties organizations and scholars have requested the committee to ensure the CFAA doesn’t punish ordinary computer users who happen to breach terms of use.

Discrepancies in the bill

According to the current bill, government employees who violate employment agreements remain vulnerable to contract-based prosecutions under the CFAA. All computer users should be protected against such charges irrespective of their work place.

Alertsec strengthens security

Alertsec has created a web based encryption service that radically simplifies deployment and management of PC encryption by using industry leading Check Point Full Disk Encryption (former Pointsec) software.

Organisations, especially corporate giants, have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

No comments »

Posted in Bkis, Hackers, Identity and Information loss, Security Flaw, full disk encryption, identity theft

Tags: CFAA Check Point Chuck Grassley Computer crime Computer Fraud and Abuse Act data security disk encryption Electronic Frontier Foundation Enter your zip code here Federal Emergency Management Agency Harry Reid Patrick Leahy United States United States Senate Committee on the Judiciary United States v. Lori Drew

Cost of One Breach = $1 Million To $53 Million via Ponemon Report

July 26th, 2010

: Image via Wikipedia

According to a recent study conducted among 45 Every week there is atleast one attack on organizations and the cost of these attacks varies from $1 million to $53 million per year, according to a newly published benchmark study of 45 U.S. organizations hit by data breaches.

Background about the study

The study conducted by Ponemon Institute has been titled “The First Annual Cost of Cyber Crime Study” (PDF). The average cost of cyber crime for american companies is a loss of $3.8 million a year. Primarily this covers all aspects ranging from detection to investigation to containment and recovery.

Over a course of ‘4′ week period, Ponemon Institute conducted interviews with 45 organizations from various verticals. The people who are handling the data protection vertical and IT practitioners from various organizations were interviewed. These people shared the average volume of threats faced by them everyday. The number of attacks experienced by these companies in a week were ‘50′ which is higher than one successfull attack per organization.

The second study conducted by Digital Forensics Association is called as “The Leaking Vault” (PDF). The details of this reports are again quite surprising and have also come as a strong eye-opener to all the involved organizations.

It has been found out that among the 2,807 data breaches which were publicly disclosed worldwide during the last five years, the cost to the victim firms was a whopping $139 billion.

Results from the report

Some underlying statistics from the report:

Nearly half of all of the reported breaches have comefrom a laptop, which was stolen in 95 percent of the cases signifying the important of encryption software.
Actual hacks accounted for the most stolen records during 2005 to 2009, with 327 million of the 721.9 million covered in the report.
It was also found out that Web-borne attacks, malicious code, and malicious insiders are the most costly types of attacks
The costs are as follows:
Web-based attack – $143,209
Malicious code – $124,083
Malicious insiders – $100,300

More than one third of security breaches during the ‘5′ year period exposed Social security numbers clearly indicating that leakages expose SSNs. At the second rank are the credit cards which are exposed 14 percent of the times. At an overall level malware leads the attacks at 25% followed by SQL injection attacks at 24%. The stolen credentials were found out in 16 percent of the cases.

Want to prevent breach?

Have you been affected by data breach? Do you think that your organization is susceptible to a potential security breach? For further information visit our website where you will learn about our encryption software and other security protection methods.

If you use a data security software a theft would simply be reduced to an insurance matter and cost of the hardware plus time to rebuild the laptop. That is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model. Feel free to subscribe for your personal 30-day free trial.