IT Security Breaches Soar In 2009

slak11 quotes from a Globe and Mail article on the jump in corporate and government security breaches year-over-year. (The reporting is from Canada but the picture is probably much the same in the US.) "This does not seem to be all that newsworthy these days, since stories like this are appearing on a regular basis. The one detail I did like — that seems to break from the traditional 'hackers cause all the bad stuff' reporting — is the mention that everyday employees are a major cause of breaches. The recent Rocky Mountain Bank/Google story is a perfect example. As stated in the article: 'But lower security budgets aren't the only reason breaches tend to soar during tough economic times — employees themselves can often be the cause of such problems.' I figure this will be an ongoing problem until company management and employees accept their role in keeping company information safe. And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use."

Mafiaa and "terrorists"

[religious+freak]

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

Really, even if you amalgamate enough talent to become 1/4 of a state actor in terms of budget / knowledge, you could make all kinds of money, XSS, SQL injection, social engineering, etc. I'm really surprised we haven't seen a major IT heist yet.

Re:Mafiaa and "terrorists"

[wigaloo]

The one thing I don't understand is, why don't we actually see MORE breaches in data security than we do now? I mean like real deal, big time, Italian Job / Oceans 11 type stuff. Yeah a little crime here and there, ok. But with IT pervading every major monetary transaction, people in the know could essentially steal an infinite amount of money.

What we learned during the 2008 financial crisis is that there are plenty of ways for crooks to steal an infinite amount of money legally.

Propeller-heads

[causality]

And IT people need to understand that regular employees are not propeller-heads like Slashdot readers, and to begin to implement technology and processes that average people can understand and use.

You have to love the implication that IT staff purposefully choose the most arcane implementation for the hell of it, or that they enjoy the support calls they receive when users have a hard time with a system. Sometimes what you are doing is inherently complex, and some ability to deal with complexity is necessary. The way I see it, there are two broad approaches to the problem of "implement[ing] technology and processes that average people can understand and use." One is to simplify those technologies and processes. The other is to increase the understanding of the users, or for the users to increase their own understanding.

For some reason, most discussions like this seem to have this unstated assumption that the former approach is the only possible one. I'd like to see more of a middle-ground solution. I like Einstein's saying about how things should be made as simple as possible, but no simpler. Once that is done, if the users still find the systems and processes to be too complex, and their job requires the ability to handle same, then I would conclude that this means they are not qualified for their job and need to be replaced by someone with more understanding. Is that really such a scary conclusion that we must perform all sorts of musings and mental gymnastics to avoid it? Because I certainly believe that people can improve if it is expected of them, if there are not infinite excuses for their shortcomings. For that reason, I don't believe that regarding users who can't handle good systems as unqualified would result in tremendous turnover within a company. I think it would result in more savvy users, even if only to avoid being fired. It would certainly help to disabuse people of this mentality that basic competency is only for nerds, hardcore geeks, and experts.

Security

[oldhack]

Security is a lot like IT, but much more so. It's waste of money until shit hits the fan. 5 minutes later, it becomes waste of money again. But it's difficult to judge how close you're to shit-blade collision point, though, because in the end it's an effort to mitigate breach, not a guarantee, and news stories that do pop up tend to be sensationalistic and doesn't help the assessment.