Data not business asset

A recent survey of those responsible for security showed a mixed bag of attitudes. “Over 30% of organizations do not recognize that any of their business information is either sensitive or critical and therefore a business asset”, claims the Information Security Breaches Survey 2000. Many of the most notable statistics were the ones that must be met with scepticism. For example, “60% of organizations have suffered a security breach in the last two years” seems extremely low. Of those who have been breached, more than half believe that there was nothing that they could have done to prevent it from happening, while almost three out of four did not have a contingency plan. The fact is, few businesses will admit to having been hit, and even if they do admit it, they think it was inevitable and take no responsibility for the losses. A wall of silence seems to be helping criminals to hit corporations.

On the upside, 83% were implementing good practice in the form of “virus protection and password controls”. Regarding encryption, 8% use it already and 13% will do so soon. The main reasons given for prioritizing encryption were confidentiality (69%), client confidence, fraud prevention and customer demands. Some stated that it was in order to perform secure E-commerce.

Managers and directors fail to communicate

IT managers and senior directors have conflicting views of the security risks and policies within their own companies. A survey, performed in the UK by MORI, shows that only 39% of senior decision makers believe that their company could suffer an undetectable breach, as opposed to two out of three network managers. This is particularly startling in the light of the recent stealth attack on Microsoft Corporation.

Simon Boyle from Dimension Data, who commissioned the research, commented that, “Many IT managers are not making the board fully aware of the dangers — perhaps this is because they are anxious to protect their own reputations.” However, 42% of managers do not believe security matters make it into the board room even though it is reportedly on the agenda in 90% of cases. This disparity is belied by the discovery that only 46% of IT managers actually have a disaster recovery plan, while 63% of senior decision makers think that there is already one in place.

Boyle recommends that in order to prevent the subject of security from remaining such a taboo, the attitude must change: “It is not a question of apportioning blame, merely being more open about the risks that exist and communicating to management the best measures to take that will minimize these risks.” The onus cannot be placed completely on IT managers though. “In our view,” said Boyle, “it doesn’t help that the majority of security vendors use scare tactics to promote their products — creating panic at the top.”
Privacy groups focus on Amazon

Amazon faces litigation in both the US and in Europe regarding its alleged failure to provide customers with a copy of their personal data upon request. This is illegal under European data law. Simon Davies of Privacy International says he requested his own personal data, which Amazon has failed to provide. He claims that the company wrote to him saying, “I’m sorry, we can’t separate your data from our processing operations.” Davies has appealed to the UK Data Protection Commission to shut down Amazon’s UK operations. If this is unsuccessful, Davies has vowed to sue privately.

A spokeswoman from Amazon.co.uk refutes the claims: “Privacy is something we take hugely seriously.” The company denies refusing to disclose or delete personal data. Its view is that it must keep a copy of transactions for tax purposes. However, the taxation authorities were quick to point out that only the financial data is needed — the time, date and amount of
to prevent their data from being sold. Jason Catlett of Junkbusters commented, “If Amazon gets away with this, we’ll have to revise the definition of ‘never’ in all English-language dictionaries.”

Amazon holds details on 23 million customers. Privacy groups fear that if they cannot enforce privacy rules to control Amazon, they have little chance of achieving privacy with anyone else. The sheer size of Amazon’s operation means that this could be a landmark case.

In an unrelated statement at a privacy conference in November 2000, FTC chairman Robert Pitofsky stated, “The FTC may up the level of enforcement on a case by case basis in the coming year.” Set against the backdrop of this commitment, and the fact that the FTC has received a substantial budget increase for the purpose, it seems likely that action will be taken in this case. See www.junkbusters.com for coverage of the various letters to and from Amazon.