Post-Breach: How to Protect IDs

Top Tips for Info Recovery and Breach Response

March 15, 2012.

Data breaches continue to impact organizations, and cyberattacks are usually to blame. In fact, hacking was behind most large-scale breaches in 2011, according to a study conducted by the Identity Theft Resource Center.


Over the past five years, the ITRC has categorized nearly 700 breaches. [See the ITRC's state-by-state breach analysis.]

Karen Barney, who oversees research at the ITRC, says organizations need to develop formal processes to review and evaluate their systems and breach response policies.

"What information is being gathered and how is it being safeguarded?" Barney asks in an interview with BankInfoSecurity's Tracy Kitten [transcript below]. "If there's important information to be protected, then measures need to include strong passwords and encryption."

Organizations also need to review the reasons why they're collecting certain information in the first place. If the data isn't relevant, why have it?

"There need to be protocols for both electronic data destruction as well as paper files," she says.

During this interview, Barney discusses:

  • Steps banks, business and government are taking to notify consumers after breaches;
  • How adequate breach notification impacts branding and reputation;
  • How insufficient breach notification has impacted reporting figures.

Barney, a former victim of identity theft, has served in a variety of positions for the Identity Theft Resource Center since joining in 2002. In her current role as the center's program director and research analyst, she provides and disseminates information about the center and its data. Barney presents ID theft statistics to civic and community organizations, especially where cybersecurity risks, consumer and business best practices, and protection of PII are concerned. She also plays an active role in most of the ITRC's partnerships.

2011's Breaches

TRACY KITTEN: In this most recent analysis, the ITRC compares breach stats from 2007 all the way through 2011. The breaches continue to increase though the percentages have shifted a bit. What stands out to you about the results that were collected in 2011?

KAREN BARNEY: The main things that we were seeing throughout 2011 were breaches that were occurring as a result of hacking, and in 2011 that represented nearly 26 percent, which is a significant jump from 2010. Following that, we have data on the move, and in that area we showed that the medical industry and business seemed to suffer the highest percentages in those two categories. Other types of causes would basically include insider theft, accidental exposure and subcontractor incidents. Those statistics vary from one industry sector to the next.

KITTEN: That's a perfect segue into my next question, and that was to ask if you can explain a bit about how the ITRC defines and categorizes breaches.

BARNEY: Basically since 2005, we've been identifying five industry sectors: business, educational, government/military, medical/healthcare and the banking/credit/financial sector. Since 2007 the business sector has consistently held the number-one spot for the highest number of breaches, growing to nearly 50 percent in 2011. Following that is the health/medical sector, and then it goes down from there.

The banking/credit/financial industry we identify specifically as credit or cash issuers, credit cards, bank loans; they are the banks, credit unions, mortgage brokers, credit card providers, or those entities which extend money. Businesses can be subcontractors which provide third-party services for all of the other industries. Medical/healthcare is the medical provider or the insurance provider, and government/military is any city, county, state, national or military entity.

Further categorization is the type of breach that has occurred, which I mentioned earlier: the insider employee threat, which we consider to be a malicious attack; data on the move, which we consider to be accidental. It might be the laptop stored in the back of a car. Hacking is again malicious. Accidental exposure is somebody inadvertently leaving something up on a website that's discovered down the line. And subcontractors can actually be an occurrence of any of the above. It's just going to depend on how that type of breach occurred.

Collecting Breach Figures

KITTEN: What about the breach figures themselves? How are the breach figures collected?
