The exploitation of cards, PINs and passwords (CPPs) is the flaw of IT governance and is why IT governance has largely failed globally.
This is according to Mark Eardley, of Eardley and Associates, who presented at yesterday's ITWeb Governance, Risk and Compliance event, at The Forum, in Bryanston.
“The fact of the matter is that if a company is using CPP to protect important corporate information, it doesn't have any control over that information. CPPs can be shared, lost, stolen and forgotten. CPPs also fail in that they cannot authentically identify a user.”
He claimed the answer to protecting corporate secrets and driving IT governance lies with the deployment of biometric and fingerprint technology. According to Eardley, SA is one of the world leaders in terms of biometric technology adoption.
Eardley said it does not matter how complex a password or PIN is, CPPs can still be easily exploited; but biometric technology can authenticate, authorise and audit IT activity.
He cautioned that governance and government forcing protection of custodial data shouldn't be the only concern; it should be about protecting corporate secrets.
“Cyber crime is evolving and the market for stolen credit card details is saturated. Corporate secrets have become more attractive to cyber criminals; hence the rise of sophisticated targeted attacks.
“Last year, software and IT services alone lost £2.5 billion due to the theft of corporate secrets. These figures illustrate that there is a general lack of IT governance within corporate IT,” he added.
According to Eardley, Verizon and the US Secret Service worked together for the past two years to create the Data Breach Investigations Report - the world's biggest study of cyber crime that considered 1 700 cases. It found that cyber criminals have shifted their focus from stealing customer records to the theft of corporate secrets.
“In 2005, Symantec recorded 100 advanced persistent threat attacks on business; it's gone up to 77 a day by the end of last year.”
Eardley explains that the consequence of compromised corporate secrets is not just about the high cost of legal action, but also the financial loss of reputation, loss of competitive advantage and how that data can be abused by villains.
“The 2010 RSA data breach cost the company $43 million just to remediate the loss; this doesn't include legal action costs or loss of reputation. The Sony data breach, in May last year, cost $171 million to remediate,” Eardley concluded.