Thursday Feb 19, 2009

Email circular exposes sensitive board minutes

Having just read Simon's comments on securing email, I can't resist mentioning a recent report in the UK press about a company that accidentally exposed its board's thinking on how to cope with the current economic downturn.

According to the Daily Telegraph, an up-market estate agency accidentally included its board minutes in an internal email. Employees got to read about cost cutting proposals and a "final solution" that might be called for if things get really bad in the housing market. Attempts to recall the email were doomed, as some employees had already forwarded it beyond the company network.

Monday Feb 09, 2009

Average loss of data breach in 2008 = $6.65 million and results in lost customers

An article by Dr. Larry Ponemon of the Ponemon Institute has been published. It continues the relentless run of reports on how data loss incidents, and their associated costs, are on the rise. The article discusses the results of the institute's recent annual data breach study, which concludes that the average cost of a data breach in 2008 was $6.65 million.

"Violate a consumer's trust and they are more likely to walk, and that likelihood increases when the breach involves an organization in which the consumer has placed a great deal of trust."
Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.

The summary of this study leads Dr Ponemon to state that "the financial impact for a company that experiences a data breach is significant and rising." The institute uses the data from its studies to "analyze the methods and strategies used by companies when responding to a breach, and the outcome of the response, to create best practices so other organizations don't have to learn from their own experience."

One aspect of the report I found interesting is the effect on certain industries when it comes to rates of customer loss. Dr Ponemon writes:

"This year, lost business costs rose to a level 38 percent higher than in 2005. What's more, healthcare and financial services organizations experienced much higher abnormal customer loss—6.5 percent and 5.5 percent respectively—when compared with retail and consumer products organizations, whose churn rates were found to be 1.5 percent and 3.6 percent respectively. The significant difference in these rates of customer loss can be explained in one word: trust. Violate a consumer's trust and they are more likely to walk, and that likelihood increases when the breach involves an organization in which the consumer has placed a great deal of trust.

What do I mean? When a consumer chooses to do business with a financial services or healthcare organization, they tend to conduct more due diligence than when they walk through the doors of a department store to buy a shirt or a pair of shoes. A retail purchase is a simple transaction, but banking and healthcare requires entrusting an individual or organization with a great deal of highly sensitive information. Violate that trust and the customer may be more inclined to look for a new relationship. This is especially evident when the consumer receives multiple breach notifications from such an organization."

Companies right now need to do everything possible to retain existing customers and attract new business. As Larry highlights, people are very diligent in deciding whom to trust with their finances and with their healthcare, so these organisations are more at risk than most.

Yet it isn't all doom and gloom. It is possible to turn this risk into a competitive advantage. Budgeting for the deployment of an IRM technology to protect customer information can both reduce the financial risks of data loss and differentiate your organisation from the competition, by being seen to use advanced technologies to protect customers' confidential information. This can drive new business, which is crucial right now. Businesses that freeze budgets in the hope of cutting costs are potentially exposing themselves to further financial demise. Instead, it is wise spending in the right areas, to both maximise revenue and minimise risk, that will prove the survival of the fittest.

Kaiser Permanente becomes another healthcare data loss casualty

A news report in the San Francisco Bay Area has brought attention to Kaiser warning nearly 30,000 employees of a data breach involving their names, addresses and social security numbers. In fact, a handful of employees have already reported incidents of identity theft.

The report states, "The theft came to light after the arrest of San Ramon resident Mia Garza, 28, on Dec. 23 on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data, said San Ramon police Cpl. Rich Persson."

So it seems that a computer containing information about the employees was stolen from Kaiser. A classic case of data loss that would have been prevented had the document in question been secured using Oracle IRM. Not only that, but attempts to open the file would have created an audit trail for the police to use as part of their investigation.

Kaiser is helping its employees by providing "one year of free credit monitoring to help affected employees protect their accounts." This can't be cheap for 30,000-odd employees; I wonder whether an IRM solution would have cost less.

Friday Feb 06, 2009

Data breach incidents are increasing

I'm hearing it from everyone: data loss and security data breaches are on the rise. Everyone has their own perception of why this is so, but they are all pretty much in agreement that, in the current state of the economy, companies just cannot afford a big leak of sensitive information. Leaks take many forms, from website hacks and virus/worm attacks to document loss and theft.

Jon Oltsik recently blogged on results from an ESG survey of 179 North American-based security professionals. Jon states that: "56 percent claimed that their organization had suffered a data breach within the past 12 months. In further analysis, 61 percent of organizations with 1,000 to 5,000 employees suffered a data breach in that time frame. It's easy to assume that these smaller firms are more at risk since they are likely to have fewer security technologies in place and smaller security staffs. Perhaps this is true, but even bigger companies are suffering data breaches--49 percent of organizations with 5,000 employees or more endured at least one data breach of their own."

"Armed with data from several years of surveys, I think it is safe to assume that things are getting worse, not better. Sensitive data continues to flow throughout the enterprise, ending up in e-mails and IMs, laptops, and thumb drives, and into the hands of malicious or careless employees--an uphill battle indeed."
Jon Oltsik, senior analyst at the Enterprise Strategy Group

We are absolutely seeing the effects of this, both in the media and in our discussions with customers. With huge layoffs being made, there are thousands of disgruntled employees who will be walking away with company secrets. The economy is forcing cutbacks on spending and budgets are being revised, and this exposes companies at exactly the moment when it is the perfect time to ensure you have a grasp on your sensitive data.

Oracle is also uniquely positioned to provide security right from the database through to the desktop. I have a presentation on this that I'm writing up for my blog, which I hope to post soon.

Wednesday Jul 02, 2008

A study on the cost of US data breaches

At last! The blog system at Oracle has been updated with a much better solution. It is going to make publishing these blogs far easier, so without further ado I would like to share some information I found last year on data loss incidents within the US.

A study sponsored by Vontu and PGP was published which looks into the cost of losing confidential or personal information.

It reports that, "The total average cost of a data breach grew to $197 per record compromised, an increase of 8 percent since 2006 and 43 percent compared to 2005. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million."

It goes on to describe how Vontu and PGP can provide solutions for these problems, but these do not come close to the range of solutions available from Oracle. Oracle has a much broader and more complete range of technologies than the combination of Vontu and PGP can offer. For example:


  • Database Vault providing the ability to secure structured data in the database.
  • Oracle's Universal Records Management protecting and controlling unstructured data.
  • A complete identity management solution with Oracle's IdM suite to easily control access to applications storing/creating confidential information.
  • Finally, Oracle's Information Rights Management (IRM) solution blows PGP and Vontu out of the water with a more mature, usable and feature-rich solution which works alongside all of the above Oracle technologies.

PGP and Vontu have solutions which pinpoint areas where confidential information may reside at a particular point in its lifecycle, but with Oracle we can protect information throughout its entire life, no matter where it resides: inside or outside the enterprise firewalls and perimeters, structured or unstructured, in applications, in content... anywhere.

Oracle IRM protects and tracks your sensitive information no matter where it goes. It combines business-friendly encryption with role-based usage rights and auditing.
