Two recent security-related surveys raise troubling questions for individuals and enterprise computing professionals alike.
The first, from the U.S. General Accounting Office (GAO), reveals that data mining efforts by the federal government have become widespread. Nearly 200 projects designed to collect and analyze personal information on American citizens either are being carried out or planned by at least 52 federal agencies. I say at least 52 because the GAO’s survey doesn’t include most classified projects. One can only wonder how many of those secret snoop projects exist.
The second survey, from professional services firm Deloitte & Touche, shows that 40 percent of the top banks and insurance companies around the world have sustained financial losses due to attacks on their IT systems in the past year. And more than 80 percent of the respondents — top security officers from 100 of the world’s largest financial institutions — reported their networks have been compromised over the same period, more than twice the 39 percent reported in 2003.
What’s worse — being spied on by your government or having your bank accounts drained by cyber-thieves? Tough call.
Successful Attacks on Rise
Though it certainly is in the best interest of banks and insurance companies to protect their networks — and, theoretically, their customers’ information and assets — against cyber-attacks, the numbers hardly are reassuring.
According to respondents to Deloitte’s 2004 Global Security Survey, the doubling of compromising incidents over the past year has occurred despite overall increased spending on security. The survey indicates that 10 percent of financial institutions reported cuts in security budgets, with a bit more than 25 percent reporting no change in security spending. That leaves about 65 percent having allocated more money for security in the 12 months tracked in the survey — yet there were more than twice as many attacks that penetrated networks.
What is the extra money being spent on? Not antivirus measures. Whereas 96 percent of respondents to last year’s Deloitte survey said they had fully deployed antivirus measures, that figure was down to 87 percent this year.
What appears to be happening is that financial institutions are redirecting security spending to upgrade regulatory compliance efforts — a necessary expense. Two-thirds reported that they have installed a program for managing privacy, up from 56 percent in the 2003 survey. Still, it’s hard to understand why fewer financial institutions are deploying antivirus safeguards when virus attacks are more prevalent, damaging and costly than ever.
A clue that may explain such a seeming lapse comes in this part of Deloitte’s report:
“One way to meet security requirements is to increase the pool of expertise and hire more security staff. The survey demonstrates that the majority of respondents are already facing difficulty in finding and hiring staff with the required skills and competencies.”
Now is a bad time to face a shortage of experienced security pros, but that shortage exists. One way that small financial institutions cope with the shortage, the survey reports, it to outsource routine security functions such as virus protection and patch management.
Perhaps the most ominous portion of the Deloitte survey — for customers, especially — involves consolidation in the financial services industry:
“Information security and privacy, along with IT-related controls, are not at the forefront of activities and considerations, leading to some gaps and threats. Across the industry, there are no consistent and proven industry best practices on this topic…”
In other words, banks are merging faster than you can punch in your ATM access code, but no one has bothered to figure out a good way to do it without exposing customer assets to computer fraud. Unless something changes soon, there’ll be a financial scandal that will make phishing seem like a harmless prank.
Big Brother is Mining You
The GAO report on government data mining tries to be reassuring, telling readers, among other things, that 65 percent of the projects are designed to improve services and performance, with 24 percent designed to detect fraud, waste and abuse, 23 percent intended to analyze scientific and research information and 17 percent to help better manage human resources. Only 15 percent are deployed to detect criminal activities and patterns and 14 percent are used to analyze intelligence and detect terrorist activities.
The problem here is that these purposes are as described to the GAO by the agencies. Should we simply assume good faith and take the government’s word for it? I think we’ve done that recently; it hasn’t turned out so well.
Further, of the 131 active programs reported (remember, there are classified programs going on as well), 54 involve efforts to mine data from the private sector, and 36 of those are pursuing personal information such as email addresses, Social Security numbers and driver’s license numbers.
Much of this sure sounds like the Pentagon’s Orwellian-sounding Total Information Awareness program, which Congress killed last September amid privacy concerns. The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act request to find out more about one government agency’s effort to mine intelligence reports and Internet searches to combat terrorist activities.
For enterprise professionals there are a couple of issues here: Are they even aware of this data mining and, if so, should they be required to cooperate?
Hopefully the EPIC request will shed more light on the government’s activities and IT’s role and obligation to cooperate.
