Saturday, June 4, 2011

Why aren't Firms doing a cost benefit analysis on Data theft?

After reading a lot of recent news on phishing and cracking attacks on high profile firms, I keep wondering whether anything is being attempted at all in the security front all. I mean,you're on the WWW, there are a broad spectrum of people who are for/against/indifferent to you.  And if you do something perceived as unpopular, you're inviting some form of protests, legitimate or not. Inevitably, the firm's site is cracked and a whole lot of really, really sensitive information gets leaked and then there is much grovelling and PR.

Is it still that companies are still going through the popular 'security theatre'?
Virus software Check
Firewall Check
RSA token Check
ACL software check

and that's it?

And oh 'It can't happen to us/me' syndrome?
Yes,Yes, I get the usefulness of the above softwares and how they raise the  bar on cracking and all that but it all seems so pointless when the actual methods of cracking are revealed, isn't it?

Why aren't the firms looking at cost benefit analysis on the loss of data before doing any securing of the data?  I mean, if you're looking at a Credit Card database, wouldn't a worst case planning of complete compromise of the same be planned and mitigation steps planned for the same?  Multistep authorisations, access control, manual verification, disabling remote access for certain operations, aren't they supposed to be done for securing such data? I find it hard to wrap my head on the entire credit card databases being whacked;  I can understand a single card holder account compromised due to social engineering tricks but entire card databases?  How?  It boggles the mind.

Wouldn't one at least check the cost of compromise of the database? i.e. we'd lose X millions in sales and revenue if this get leaked along with the bad PR and legal issues pertaining to card data losses and intimation to individual users and hence we'd need to make sure we have the above security checks and processes in place? Shouldn't the expected data loss cost be a factor in making additional investments in terms of money, time and processes to make sure the unthinkable does not happen?  And application teams and project managers deploying things would probably think about security from the ground up rather than treating it as something the infrastructure guys would help with before deployment.

And shouldn't they pick up best practices from the casinos?  Of course, I realise they work with physical money more rather than electronic stuff but they seem to be doing a good job in making sure they don't come out red faced that often with so much money involved.  And they seem better at figuring out Insider threats and have enough checks and balances to catch them?  I mention this because (apparently) most data losses seem to stem from insiders doing it and/or providing the information to external parties under duress, carelessness or otherwise.

The downside of the litany of compromises is that, there will be legislation and laws that are not going make it easy to do business.  In India, we seem to have that started with the central bank insisting mobile/internet payments in certain cases be done through a 2 step process.  I currently have to do that now for paying my cellphone bill through the carrier's mob app. I pay through the app and then I get an SMS that outlines how I will have get in touch with the bank payment gateway, get a one time code and send that as an SMS again to the carrier.