Symantec's most recent Internet Security Threat Report says that in the second half of 2003, it was alerted to three times as many serious viruses and worms that threatened privacy and confidentiality -- the number rose an alarming 519 percent -- since the previous report.
While viruses are difficult and worrisome, security breaches that involve computer, hard-drive and notebook thefts also are common. Data encryption might sound like an easy answer, but it's controversial, even among information-security professionals. "Encryption can greatly hinder system performance, and it's not always necessary if other security controls are in place," says one security executive at a financial-services firm, who asked not to be named.
John Pescatore, research director at research firm Gartner, says resistance to encryption is common. There are many problems associated with encrypting stored data, including managing encryption keys so that they're easily accessible to those who need them without putting the systems at a security risk. And if encryption slows performance by making the retrieving and managing of encrypted information more difficult, companies won't endear themselves to customers.
Encryption vendors Decru, Ingrian, NeoScale, and Vormetric are making some progress working around these problems. Provident Funding Associates installed Ingrian Networks' DataSecure Platform, which encrypts and protects data while it rests in storage; when it's in transit between servers, databases and storage devices; and while it's processed by applications and databases. DataSecure Platform helps boost encryption speed by off-loading computing-intensive cryptographic functions, says Tom Rabaut, systems administrator for Provident Funding. "It's really difficult to implement security that doesn't hinder the speed at which companies move," he says.
Even the best electronic security isn't a guarantee. Thieves still can rummage through a company's or individual's trash, trick customer-service representatives to turn over passwords, and bribe (or blackmail) employees to get the information they seek. And sometimes the threat exists on the inside of a company's firewall. In November 2002, federal agents arrested Philip Cummings, who once worked on the IT help-desk staff at Teledata Communications, for allegedly using his insider knowledge to acquire access codes that companies used to run credit reports. Federal authorities claim that Cummings stole credit information on more than 30,000 people, resulting in more than $2.7 million in losses. He has been indicted on more than 20 counts of fraud conspiracy in connection with the scheme. Credit card companies are ramping up efforts to combat identity theft at all its sources. They have a huge stake in combating data leaks and identity theft, since plastic is the quickest way for thieves to get access to money or goods. Visa USA and MasterCard International have been working on making sure data security at brick-and-mortar merchants and credit-card processors is up to the standards they've set for online commerce.
Both companies want to ensure that merchants securely store credit card and customer information. Visa's Cardholder Information Security Program, which began in April 2000 and was mandated in June 2001, requires that merchants and banks comply with a set of security standards, including using firewalls, conducting proper software patching and restricting access to a need-to-know basis.
Merchants comply with Visa's security policy because of what's at stake, Shaughnessy says. Visa initially mandated that only large Internet merchants comply with the policy, but it was extended to validating compliance among all e-commerce sites that take Visa. The company figured online transactions were most vulnerable to hacker attacks, says John Shaughnessy, senior VP of risk management at Visa USA. Now, Visa has once again expanded its program, saying in February that it wants to validate compliance among all types of merchants.
Merchants are largely cooperative with the program because of what's at stake, Shaughnessy says. They know that breaches and fraud anger customers, as well as hurt credit card issuers and other merchants victimized by subsequent fraud after a breach. Data breaches that lead to fraud total 6 or 7 cents for every $100 in sales, Shaughnessy says. "When you look at our overall breach rate, it's pretty low," he says.
The first deadlines for demonstrating compliance with Visa's program come this September, when most larger merchants will have to document that they've met the requirements. Banks, which authorize merchants to accept Visa or MasterCard, face fines if any of their merchants can't provide validation. "Members are to work with the merchants to help them get the job done," Shaughnessy says. Visa has a roster of approved vendors that provide consulting to ensure compliance.