Opinion
FUD Watch: Sometimes, Data Breach Hype Is Justified
Each new data breach shows just how off the mark organizations can be when it comes to security. Public hangings may be necessary, but the facts had better be solid
By Bill Brenner, Senior Editor
August 28, 2008 — CSO —
Here's something different: An anti-FUD column that tells you to believe the hype. When it comes to the data breach epidemic, hype may be the only thing forcing organizations to take security seriously.
But along the way, the media has a responsibility to make sure all the facts are in place before pouncing. There's one case in which that doesn't seem to have happened.
The headline stack is ablaze again with fresh data breach reports, each new case further proving how much organizations still have to learn about security. Three examples:
- From Silicon.com: "Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored."
- From The Associated Press: "Personal information including Social Security numbers and home addresses of more than 2,500 Prince William County students, employees and volunteers was accidentally released on the Internet this summer. Officials said Tuesday that the information was disclosed by a school employee. It was on the Internet for five weeks."
- From The Mail Online: "Government probe launched after details of one million bank customers are found on a computer sold on eBay."
We've written plenty about the need for companies to keep close tabs on network activity logs; build a layered security program with such basics as firewalls, antivirus and data encryption; and foster workplace awareness of the importance of complex passwords and responsible e-mail use.
Though many organizations are starting to understand these things, each new breach shows that many more remain clueless.
In most of the cases we've seen in the headlines recently, the damage to customer and company alike could have been significantly blunted through simple security basics. It's common knowledge that letting contractors keep unencrypted data on USB sticks is a bad idea, yet it's still happening. It's obvious that organizations should keep an eye on the Internet to make sure someone hasn't posted their private data for public consumption, but it's still happening.
This may be one of those cases where media hype is the only way to coax companies into doing the right thing. My observation is that companies only address their security shortcomings after they're forced to disclose the breach and end up as a headline. It took massive media scrutiny (and plenty of pressure from investigators and lawyers) to help TJX get the message.
But nothing does more to smash that notion to smithereens than a media machine that blasts away before all the facts are in hand. That may have happened in the case of Best Western.




