Category: Breach and Disclosure

 

It was announced that the State of South Carolina had 3.6 million taxpayer records, including Social Security information, and 387,000 credit card records stolen. According to the article, anyone who has filed a tax return since 1998 may want to continuously check their credit ratings to ensure that everything is safe. The State is also giving a free year's worth of identity fraud protection. 1 free year! Wow! The depth of this could be far-reaching due to lax security, and they only give 1 free year?!

Read the Article Here

What stands out to me is that there are only 3.6 million taxpayers in South Carolina since 1998? That's an average of 257.143 taxpayers per year? So who is not paying their taxes in South Carolina? But seriously, a breach of data and PII is no laughing matter. Anyone, any organization, company or government, is responsible for keeping data secure, especially when it contains information that could directly affect your consumers, constituents, taxpayers and population. Everyone should be diligent in ensuring that this information is protected. How can this be done with ever-shrinking resources and funding? As the CISO or ISO of your organization, point out the huge risks that are associated with this kind of breach. There are those that slough off the importance of this by purchasing breach insurance. I kid you not! Breach insurance is now available to help protect organizations against the massive cost of handling these incidents. But are we getting lazy when this type of insurance is available? Are we backing off on doing our due diligence of protecting our network and data because the insurance "has our back"?

There are dangers in this form of thinking and this type of insurance. When I first heard of this form of insurance about 3 years ago, I laughed and then quickly realized the dangers of this. Since the insurance is there to protect the investments, there will be those within management that deliberately cut back on security services. I've said it before and will continue saying it: "Security is an intangible asset that can only be measured after a breach". Since it is an intangible asset, how do you know what levels of cost are and are not acceptable? How do you budget for something that is intangible? Everyone wants this or that technology, but we all know a patchwork is not as effective as a strong cohesive defense. How can you budget for and protect assets that many people are unaware of or don't want to know about?

Security in some cases will be degraded to a (sorry, stealing a line from Ross Perot) "crazy aunt that no one wants to deal with". The Chicken Little of business is what security is degraded to when you opt for insurance that covers your back more so than the technology that is available. We can protect your systems and data today. But IT security is always evolving because the bad guys don't sleep. How do you plan and protect against this with insurance?

We as an industry need to step back a little and re-evaluate the correct paths and directions instead of suggesting a patchwork of products. We need a cohesive plan that can evolve as threats do.

 

Stay safe, protect your ASSets!