Your data is under threat
Chief information officers (CIOs) beware! Even as the threats posed to enterprise networks by viruses, software vulnerabilities, phishing, spyware and spam show no signs of subsiding, CIOs need to wake up to a new reality: no business is immune to the risk of data breaches either.
While incidents of data breaches in India are at present minuscule compared to those taking place in the US, Canada and Europe, it's only a matter of time before they raise their ugly tentacles and assume menacing proportions.
First, let's take a look at the damaging phenomenon and its financial implications for enterprise networks. Industry analyst Forrester Research calculates the direct costs of a database breach for non-financial companies at $15 per customer, covering customer notification and offers of credit monitoring services, IT remediation, revenue impacts from lost customers, and direct legal and audit fees. For a financial firm that issues credit cards, Forrester adds another $35 per customer, for a total of $50. Calculating total costs per incident, IT security specialist Ponemon Institute LLC estimates that each security breach incident costs $6.3 million. Overall, analysts estimate the impact of database breaches in 2006 at about $1 billion. And the figures are only set to go up in the times to come.
"Data breaches are becoming a high-profile element of the threat environment," says Soumitra Agarwal, marketing director, Network Appliance (India). "While data breaches are taking place in India, hardly do cases get reported. This is because there are no specific laws to reveal that these have taken place. With IT percolation among enterprises picking up now, it's only a matter of time before data breaches assume alarming proportions, particularly among enterprises in banking and financial services, telecom, defence and retail. Therefore, enterprises need a holistic approach to security," he adds.
The moot point for enterprises is to stop data loss before it happens, insists Vishal Dhupar, managing director, Symantec India. While data breaches are very costly in financial terms, they also come at a price to the business's reputation and customer confidence. Quoting from a recent IT Policy Compliance Group report, Dhupar insists that business losses can be significant if the breach is reported. "Benchmarks show businesses that publicly report data loss see an 8% decline in customers and revenue, and publicly traded firms can see an 8% decline in the price per share. This is besides expenses averaging $100 per lost customer record for firms that publicly disclose data losses and thefts," he adds.
There are four ways in which data can be breached:
* Accidental exposure: Information leaked via error
* Dishonest insider: Abuse of employee privileges
* Stolen computer: Employee reporting computer missing
* Hacking: Gaining unauthorised access
Another point to note is that database breaches differ in several ways from hacker attacks, viruses, worms, spam, phishing and other types of threats. Focused on information rather than infrastructure, attempts to compromise database defences are often motivated by financial gain rather than attention. "Data breach could either occur in the form of an accidental exposure, where an employee may unintentionally send out confidential data, or through a disgruntled employee abusing the system," says Shubhomoy Biswas, country manager, SonicWALL.
Due to the lucrative possibilities, the sophistication of database attacks is rising. If the incidents of data breaches reported globally are any indication, professional criminals rather than amateurs are staging the attacks, and the severity of the impact is rising with them.
And, just as there are new attackers, there are new patterns of attack. External hacking, accidental exposure, lost or stolen backup tapes, and lost or stolen computers are still significant sources of data leakage. But database attacks are often launched with the active participation of authorised insiders, who reach critical data by hacking application servers: access is gained through an application, circumventing infrastructure-based defences. Another method is SQL injection, in which SQL commands are injected into otherwise innocuous input fields, compromising database security from outside corporate networks. Then, of course, employees abusing their data access privileges seems to be a widespread malpractice.
According to Dhupar, there are some tried and tested security solutions that help protect databases. These include role-based access controls to narrow down who can access what information in the database. Encryption on the network to protect against eavesdroppers, and field encryption in case the database server is physically stolen or broken into, is another option along with a host-based IDS to help protect against a malicious attack on the database server OS. These techniques help harden the database environment, but the database is still vulnerable to the insider attack. Who do you trust on the inside, and how do you monitor those that you trust?
One straightforward remedy for a business seeking to protect its most critical data from loss, leakage and fraud is real-time detection of leakage of sensitive company information. Another is analysing behaviour against established policies and access history to identify anomalous activity, even by authorised users. Then, meeting audit needs by logging all data flowing into or out of the database and storing those logs in a secure repository could go a long way in easing the burden on CIOs. They could also look at other measures, such as improving control of information assets and enhancing coordination between business and IT groups.
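The behaviour-against-access-history check described above, as an added illustration that is not part of the original article or any vendor's product: it builds a per-user baseline from constructed database audit log lines (the log format, user names and thresholds are assumptions) and flags accesses by an authorised user that touch a table the user has never used or that pull far more rows than that user's history.

```python
"""Toy insider-access anomaly check over constructed database audit log lines.
Log format assumed here (not from the article): <timestamp> user=<name> table=<table> rows=<count>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) user=(\w+) table=(\w+) rows=(\d+)$")

# Constructed historical access log: this is the baseline for each user.
HISTORY = """\
2007-05-01T09:00:00 user=alice table=customers rows=12
2007-05-01T09:30:00 user=alice table=customers rows=40
2007-05-01T10:00:00 user=bob table=orders rows=5
2007-05-02T09:10:00 user=alice table=orders rows=20
2007-05-02T11:00:00 user=bob table=orders rows=8
"""
# Constructed new events to check against that baseline.
EVENTS = """\
2007-05-03T09:05:00 user=alice table=customers rows=35
2007-05-03T02:15:00 user=alice table=customers rows=50000
2007-05-03T09:40:00 user=bob table=cardholders rows=3
"""

def parse(text):
    """Parse audit lines into (ts, user, table, rows) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, table, rows = m.groups()
            out.append((ts, user, table, int(rows)))
    return out

def build_baseline(history):
    """Per user: the set of tables accessed and the largest row count seen."""
    tables, max_rows = defaultdict(set), defaultdict(int)
    for _, user, table, rows in parse(history):
        tables[user].add(table)
        max_rows[user] = max(max_rows[user], rows)
    return tables, max_rows

def find_anomalies(history, events, factor=10):
    """Return (ts, user, reason) for each event that deviates from the user's baseline."""
    tables, max_rows = build_baseline(history)
    hits = []
    for ts, user, table, rows in parse(events):
        if table not in tables[user]:          # never-before-seen table for this user
            hits.append((ts, user, f"first access to table {table}"))
        elif rows > factor * max_rows[user]:   # bulk pull well beyond the user's history
            hits.append((ts, user, f"{rows} rows exceeds {factor}x baseline max {max_rows[user]}"))
    return hits
```

Running `find_anomalies(HISTORY, EVENTS)` flags alice's 50,000-row pull and bob's first touch of the cardholders table while passing alice's routine 35-row query.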
Besides, most data centres are too complex and porous to protect critical information. That's why a data-centric approach is called for: one that examines all transmission of information for critical patterns, without compromising database, application, or network performance.
"It's time for CIOs to seek solutions that reduce risk without interrupting normal operations, which can mean huge savings for the business," adds Dhupar.