Showing posts with label IT security.

Tuesday, April 17, 2012

IT Security Breaches a Major Concern

Story first appeared in the Wall Street Journal

A recent wave of information-security breaches at high-profile companies has many executives on heightened alert. They're trying to figure out everything they can do to prevent breaches, limit the damage if one occurs, and be prepared to rebound quickly from whatever harm is done.

As they consider their options, two questions loom large: How much should they spend to protect their companies' information? And how can they get the most for their money?

Our research suggests they should spend substantially less than the expected loss from a breach, and perhaps spend it differently than many might think. One option is a managed IT service provider: such providers typically bundle security controls with backup and disaster-recovery services, which covers both limiting a breach and recovering from one.

The One-Third Mark

We developed a model to help executives determine the optimal level of investment to protect a given set of information—whether it's customers' personal information, company financial data, strategic-planning documents or something else. The model weighs the potential loss from a security breach, the probability that a loss will occur, and the effectiveness of additional investments in security.

One key finding from the model: The amount a firm should spend to protect information is generally no more than one-third or so of the expected loss from a breach (the exact bound in the underlying model is 1/e, about 37 percent). Above that level, in most cases, each additional dollar spent will reduce the expected loss by less than a dollar.

A second key finding: It doesn't always pay to spend the biggest share of the security budget to protect the information that is most vulnerable to attack, as many companies do. For some highly vulnerable information, reducing the likelihood of breaches by even a modest amount is just too costly. In that case, companies may well get more bang for their buck by focusing their spending on protection for information that is less vulnerable.

Working It Out
The following four-step approach has proved useful in helping executives sort all this out:

Step 1. Estimate the potential loss from a security breach for each of the company's various sets of information. For starters, it's useful to simply categorize information sets as having either Low Value, Medium Value or High Value.

Step 2. For each set of information, estimate the likelihood that it will be stolen by considering two factors: the probability that someone will attempt to steal it (the threat) and how easily such an attempt would succeed (the vulnerability). Again, broad categories are useful: designate each set of information as Low, Medium or High Threat/Vulnerability.

To combine the two factors, rate each on a numerical scale, say 1 to 10, and multiply the two ratings, which gives a combined score from 1 to 100.

On that scale, you might treat any combined score below 30 as Low Threat/Vulnerability and any score above 70 as High Threat/Vulnerability, with everything in between Medium; different people will draw those lines in different places.

A key point: Information that is highly vulnerable to attack but unlikely to interest a hacker (think of a banged-up old subcompact parked with the keys in the ignition, in a high-crime neighborhood), or that is very attractive to a thief but is very well protected (a brand-new luxury car on the White House grounds), would fall into the Low Threat/Vulnerability category.

Step 3. Create a grid with all the possible combinations of the first two steps, from Low Value, Low Threat/Vulnerability up to High Value, High Threat/Vulnerability. Then plot each set of information on the grid. This gives a clear view of where the greatest potential losses lie—not just in terms of the cost of a breach, but also in terms of its likelihood.

Step 4. Focus spending where it can reap the largest net benefits—where a given amount of money will produce the biggest reduction in potential loss.

Security investments should continue to be made as long as the incremental benefits are greater than the incremental costs—which usually stops being the case where the costs are roughly one-third of the total expected loss from a security breach.
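The four steps above carried through in code, as an added example that is not part of the article. The article gives no formulas beyond the 1-10 product scale and the one-third rule; the breach-probability function S(z, v) = v**(alpha*z + 1) used here is the published "class II" form of the Gordon-Loeb model that this article summarizes, and the productivity parameter ALPHA, the dollar thresholds for the value buckets, the reading of the 1-100 score as a probability, and the sample information sets are all assumptions made for the example. The closed form for the optimal spend comes from setting the marginal benefit of a dollar equal to a dollar, which is the stopping rule the article states.

```python
import math

# Assumed productivity of security spending (per dollar); not given in the article.
# A larger ALPHA means each dollar lowers the breach probability more.
ALPHA = 1e-5


def threat_vuln_score(threat, vulnerability):
    """Step 2: combine 1-10 threat and vulnerability ratings by multiplying them (1-100)."""
    for rating in (threat, vulnerability):
        if not 1 <= rating <= 10:
            raise ValueError("ratings must be on a 1-10 scale")
    return threat * vulnerability


def threat_vuln_category(score):
    """Step 2 buckets, using the article's example cut-offs (below 30 Low, above 70 High)."""
    if score < 30:
        return "Low"
    if score > 70:
        return "High"
    return "Medium"


def value_category(loss, low=250_000, high=2_500_000):
    """Step 1 buckets; the dollar thresholds are assumptions, not from the article."""
    if loss < low:
        return "Low"
    if loss > high:
        return "High"
    return "Medium"


def breach_probability(score):
    """Assumption: read the 1-100 combined score as a breach probability v in (0, 1)."""
    return score / 100.0


def breach_prob_after(z, v):
    """Gordon-Loeb class II breach function: investing z lowers v to v**(ALPHA*z + 1)."""
    return v ** (ALPHA * z + 1)


def enbis(z, v, loss):
    """Expected net benefit of investing z: reduction in expected loss minus the spend."""
    return (v - breach_prob_after(z, v)) * loss - z


def optimal_investment(v, loss):
    """Step 4 stopping rule: spend until the marginal benefit of a dollar drops below a dollar.

    d/dz enbis = ALPHA*loss*ln(1/v)*v**(ALPHA*z + 1) - 1 = 0 gives the closed form below
    (u = ln(1/v)). If even the first dollar returns less than a dollar, spend nothing.
    """
    if not 0.0 < v < 1.0:
        return 0.0
    u = math.log(1.0 / v)
    if ALPHA * loss * u * v <= 1.0:  # marginal benefit at z = 0 is already below $1 per $1
        return 0.0
    return (math.log(ALPHA * loss * u) / u - 1.0) / ALPHA


def plan(information_sets):
    """Steps 1-4 for a list of (name, loss_if_breached, threat, vulnerability) tuples."""
    rows = []
    for name, loss, threat, vuln in information_sets:
        score = threat_vuln_score(threat, vuln)
        v = breach_probability(score)
        expected_loss = v * loss
        z = optimal_investment(v, loss)
        rows.append({
            "name": name,
            "value": value_category(loss),
            "threat_vuln": threat_vuln_category(score),
            "expected_loss": expected_loss,
            "investment": z,
            # The model never spends more than 1/e (about 37%) of the expected loss.
            "share_of_expected_loss": z / expected_loss if expected_loss else 0.0,
            "net_benefit": enbis(z, v, loss),
        })
    # Step 4: rank by net benefit, not by raw vulnerability or raw value.
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


# Constructed sample information sets (loss estimates and ratings are made up).
SAMPLE_SETS = [
    ("customer PII", 1_000_000, 5, 10),     # Medium T/V: score 50
    ("strategic plans", 1_000_000, 9, 10),  # High T/V: score 90
    ("financial data", 5_000_000, 4, 6),    # Low T/V: score 24, but high value
    ("public web content", 50_000, 3, 5),   # Low T/V and low value
]

if __name__ == "__main__":
    for r in plan(SAMPLE_SETS):
        print(f'{r["name"]:20} value={r["value"]:6} T/V={r["threat_vuln"]:6} '
              f'spend=${r["investment"]:>10,.0f} ({r["share_of_expected_loss"]:.0%} of expected loss) '
              f'net=${r["net_benefit"]:>10,.0f}')
```

With these assumptions the highest-ranked set is the Low Threat/Vulnerability but high-value "financial data", while the High Threat/Vulnerability "strategic plans" gets no spend at all because the first dollar would buy less than a dollar of reduced loss, which is the article's second finding in numbers. Changing ALPHA changes the dollar amounts but not the cap: the spend never exceeds 1/e of the expected loss.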

Security breaches can have a substantial negative effect on corporations. However, contrary to conventional wisdom, the overwhelming majority of security breaches have little economic impact on corporations—all the more reason to use this kind of cost-benefit analysis to allocate finite information-security resources.

However, this approach is best thought of as a framework, not a panacea, for making sound information-security investments. It is not a magical formula that can be used to churn out exact answers. Rather, it should be used as a complement to, and not as a substitute for, sound business judgment.



Thursday, April 5, 2012

Utah Medicaid Database Hacked

Story first appeared in the Chicago Tribune.

SALT LAKE CITY (Reuters) - A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday.

The intrusion initially appeared to have affected claims representing at least 9 percent of the 260,000 clients of Medicaid in Utah. But because each file often contains information on more than one individual, the full extent of the breach is probably wider, officials said.

Medicaid is a federal-state program that helps pay for healthcare for the needy, the aged and disabled. The state determines eligibility and which services are covered, and the federal government reimburses a percentage of the state's expenditures.

Department of Health spokesman Tom Hudachko said the Department of Technology Services notified state health officials Monday evening about the cyber attack.

Technology Services had recently moved the claims in question to a new server, allowing the hackers "to circumvent the server's multi-layered security system," according to officials.

He said the cyber attack is believed to have originated in Eastern Europe, based on a suspicious Internet Protocol (IP) address, but investigators are still trying to pinpoint the precise source. An outsourced IT security service might have caught the newly deployed server's weaker protections before the attackers did, though the report does not say which control was missing.

GRAVE CONCERNS

Utah state Senator Allen Christensen, who also is a practicing dentist, said each compromised claim is going to have two parties involved - both the recipient and the provider.

Christensen, chairman of the Utah State Health and Human Services Committee, expressed grave concerns over the impact on the Medicaid population in Utah and suggested the database was left vulnerable by human error. An outsourced IT security service is one way to reduce the chance that a server is put into service without its full set of protections, which is what officials describe happening here.

State officials said they were examining all servers and reviewing policies and procedures to ensure effective security measures are in place.

The compromised files also contain individuals' names, addresses and other private information.

State Health officials are urging all their Medicaid clients and providers to keep a wary eye on their bank accounts and other personal records. Customers whose Social Security numbers are found to have been compromised will receive free credit monitoring services, officials said.
