Information Security (including data privacy, storage and management) ranked #1 among the top technology challenges faced by organisations, according to the 2012 IT Audit Benchmarking Survey conducted by Protiviti, a global consulting firm operating in over 20 countries. Protiviti conducted the survey at the end of September 2012 with 1,000 people from companies with 100+ employees.
Cloud computing, social media, risk management & governance, and regulatory compliance followed on the list of top technology challenges.
The survey hints that a large number of organizations may be understaffed in terms of IT audit capabilities in their internal audit functions. Organizations are meeting this gap with guest auditors, co-source providers and outsourced IT audit functions.
While the survey indicates a significant gap in the IT audit capabilities of many organizations, 48% of small companies are not using any outside resources, clearly indicating that these organizations lack the necessary skills and resources to manage IT risk.
IIA Standard 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
IT Audit Risk Assessment
Considering the pace of technology proliferation in organizations' IT implementations and business models, as well as the changing threat landscape in general, IT audit risk assessment needs to be carried out as an ongoing process and at least quarterly. Interestingly, only 13% of the organizations are conducting the risk assessment at this frequency, and as many as 65% of the organizations conduct it at annual intervals. This clearly indicates that the majority of organizations are NOT keeping pace with the rate of technology change, emerging new threats and innovations in their organizations.
IIA Standard 2110.A2 – The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.
Unfortunately, responses from about three fourths of the organizations indicate that the IT governance process is NOT a priority.
The survey also covered other aspects like training and gaps in audit plans, and can be accessed from http://www.protiviti.com/en-US/Documents/Surveys/2012-IT-Audit-Benchmarking-Survey-Protiviti.pdf
Greek Man Accused of Stealing Data of 9 Million Citizens
Greece is in the news again, for all the wrong reasons. This time it is not the ever-failing economy or bailout plans from one more country or authority. A Greek man has been arrested on suspicion of having stolen 9 million personal data files in what is believed to be the biggest breach of private information the country has ever seen. The 35-year-old accused was found in possession of data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.
General legal framework in Greece
Personal data processing and protection in Greece is mainly regulated by Law 2472/1997, known as the Data Protection Act (DPA), implementing Directive 95/46/EC. The DPA regulates the automatic or manual processing of data relating to living identifiable individuals in connection with the provision of electronic communications, which are not publicly available. The DPA sets forth the basic terms and conditions relating to data collection and processing, and imposes fundamental obligations on data controllers regarding all categories of data-related activities. The DP Authority receives complaints and has been levying penalties on the data breach complaints it receives.
What abets the crime?
Interestingly, data breaches were observed in increased proportion across the globe during the years of recession and economic slowdown a few years ago. Security experts warn that incidents of crime are likely to increase during challenging economic times. There is evidence from the large security monitoring networks showing that cyber crime attacks like phishing have already risen. With rising levels of employment uncertainty and negative growth in income, disgruntled employees might take sensitive data when they leave an organisation. Even for the honest worker, there is no guarantee that he would return all assets like USB tokens and remember to erase all company data from his personal devices. Further, with falling incomes, companies would try to cut all expenses, perhaps those on information security administration as well, in order to save a few more pennies.
What can be done?
Organisations should not see this as a case of ‘data loss’ alone; what they should remember is that the company’s reputation itself is at stake. In addition, don’t forget the penalties imposed under the Data Protection & Privacy Laws in force. Organisations handling potentially sensitive data should not routinely invest in some data protection tools and gain false assurance from them, as these tools, despite having a positive role, suffer from many of the limitations of early intrusion detection and intrusion prevention systems, such as potentially high numbers of false positives and the associated inconvenience to legitimate business users. In addition, these organisations should invest sufficient time and effort in creating policies and practices – like access controls to key and critical applications, and log management – aimed at preventing data loss.
Educating end-users about their responsibilities towards organisation and customer data would be more effective than locking down USB ports or disallowing devices. The problem of data breaches is NOT just one of technology, as popularly perceived, and the solution lies more in focusing on policies, processes and education. The returns on investment in these are more rewarding than on investments in technology.