The Secret Service report states that exploitation of vulnerabilities has dropped significantly in the last couple of years.  The reasoning is that many of these exploits can be stopped by a comprehensive vulnerability program followed by conscientious patching.  This brings us to the second event that has affected how companies view the risk to their data.


The previous change in risk to data dealt with a change in threat vectors from the public network.  We will now discuss how legislation and regulations have changed how we protect consumers' private data, be it financial, health, or privacy data.  Credit card data is handled by the industry that issues the payment cards, which can be considered self-regulating.  It doesn't matter how the security is mandated as long as it protects our private information.  Whether this is truly protecting our private information is a discussion we can have at a later time.


The two events have changed the value of the asset called data, regardless of which of the types mentioned above is involved.  Companies now value the data more highly, not because of its intrinsic value to the company but because of the value it might give to a hacker.  Also, companies don't want their brand to become the next big headline.  It goes without saying that they don't want the monetary penalties that might be levied by either government auditors or the industry that regulates the data that was compromised.


So, given the changes in the risk environment (whether the asset value changed for monetary reasons, the threats shifted to more external attacks, or the vulnerabilities moved to those that are easier to exploit), the risk to a company has changed considerably in the last few years.  This can help the security professionals in a company gain traction for implementing security.  Security professionals can use these changes in risk to at least gain the attention of the executives.


We need to be careful, though, about using these regulations as a scare tactic to get security in place.  This can result in a negative reaction to future security measures if the cost becomes too great.  Fear, Uncertainty, and Doubt (FUD) can be used to get the attention of the executives, but remember the statement earlier in this blog: if nothing happens, the cost could be questioned in future budgets.  If we as security professionals do our job diligently, then an incident shouldn't occur.  This leads to the question touched on earlier: why are we spending this money if nothing is happening?


One needs to stay current with the statistics on breaches and compromised data in order to point out the increase in criminal activity that can lead to a bruising of the brand name, along with the added cost of a fine or penalty.  Then let the executives run their own risk equation.


The legislation and standards all revolve around the premise that we can mandate security that should have been designed into our systems and applications from the start.  Those of us who have worked in the security industry for more than 10 years have discussed this in many forums.  The real issue is this: will these legislative and industry requirements cause information security to be considered in the design phases of projects or application development?


The risk to a company around data gathered for business purposes increases when a regulatory act or a requirement from a standards body makes a data compromise a public issue.  Examples of these would be HIPAA (HITECH Act) or PCI-DSS.  Either of these makes the disclosure of a breach mandatory and public.  This increases the cost of a breach because of the damage to the company's reputation, as discussed earlier.  These requirements raise the bar on the possible loss to a company in order to make it take the risk more seriously.  Since reputational damage is hard to remedy and very difficult to budget for, it is a strong deterrent.