Losing confidence in IT security

Worldwide stock markets recently took a dive, some losing as much as 8% of their value overnight. Experts mostly blame the drop on loss of investor confidence rather than any underlying long-term problem. Confidence plays such a huge role in business and, indeed, in the whole global economy. That's understandable, given that we're still living in the shadow of specters such as Enron, WorldCom and a host of other companies that were perched on a house of cards. People are still jittery when a problem comes to light.

This topic came to mind recently as I talked with an IT security expert. We discussed the vulnerability of sensitive information, IT systems and transactions over the Internet. In recent years, there have been a few high-profile incidents of security breaches that have rattled people's nerves. This expert believes, however, that it's only a matter of time before a major IT security incident completely undermines the confidence of consumers, business users and ultimately investors.

If there is a poster child for security breaches, it's ChoicePoint, the broker that obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers and credit histories. In 2004, ChoicePoint revealed that it had inadvertently sold data on 163,000 consumers to entities that had provided false credentials -- a red flag for any business. As a result of this incident, more than 800 cases of identity theft were reported. In a matter of weeks, ChoicePoint's stock lost 22% of its value. Not just investors but the public in general was stunned by such a huge blunder by a company whose primary asset was extremely sensitive data.

The ChoicePoint situation was not a failure of information technology, but of processes and procedures meant to safeguard the data in the company's possession. To the public, however, the perception is that the private data was not properly protected by IT. It is, in effect, a persecution of information systems -- a loss of confidence, to the point where consumers now believe their digital data is inherently unsafe, no matter where it resides and who is caring for it.

To continue reading, register here to become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Worldwide stock markets recently took a dive, some losing as much as 8% of their value overnight. Experts mostly blame the drop on loss of investor confidence rather than any underlying long-term problem. Confidence plays such a huge role in business and, indeed, in the whole global economy. That's understandable, given that we're still living in the shadow of specters such as Enron, WorldCom and a host of other companies that were perched on a house of cards. People are still jittery when a problem comes to light.

This topic came to mind recently as I talked with an IT security expert. We discussed the vulnerability of sensitive information, IT systems and transactions over the Internet. In recent years, there have been a few high-profile incidents of security breaches that have rattled people's nerves. This expert believes, however, that it's only a matter of time before a major IT security incident completely undermines the confidence of consumers, business users and ultimately investors.

If there is a poster child for security breaches, it's ChoicePoint, the broker that obtains and sells to more than 50,000 businesses the personal information of consumers, including their names, Social Security numbers and credit histories. In 2004, ChoicePoint revealed that it had inadvertently sold data on 163,000 consumers to entities that had provided false credentials -- a red flag for any business. As a result of this incident, more than 800 cases of identity theft were reported. In a matter of weeks, ChoicePoint's stock lost 22% of its value. Not just investors but the public in general was stunned by such a huge blunder by a company whose primary asset was extremely sensitive data.

The ChoicePoint situation was not a failure of information technology, but of processes and procedures meant to safeguard the data in the company's possession. To the public, however, the perception is that the private data was not properly protected by IT. It is, in effect, a persecution of information systems -- a loss of confidence, to the point where consumers now believe their digital data is inherently unsafe, no matter where it resides and who is caring for it.

The criminals who obtained the ChoicePoint data used fairly mundane methods to collect their prize; they simply lied about who they were. But evidence is mounting that cybercriminals are becoming increasingly sophisticated in the way they exploit weaknesses in IT security to obtain useful data illicitly. What's worse, we may never know it is happening until too late.

One common scheme to intercept data is called man-in-the-middle, where a thief collects information in transit from one entity to another, say between a consumer and his online bank. Criminals can buy an inexpensive toolkit to set up sophisticated man-in-the-middle phishing attacks with little effort. In fact, there is evidence that organized criminals are using the toolkit to siphon money from online transactions. This certainly makes me nervous about paying bills or making a purchase over the Internet, and I'm not alone. A March 2007 study conducted by Javelin Strategy & Research on behalf of security vendor TriCipher concluded that 88 million people would be likely to decrease their use of online banking or switch banks if it came to light that their own bank had been involved in a serious data breach. Count me among them.