Stand Guard

TJX kicked off '07 with the largest data breach in history: a whopping 45.7 million records lifted when hackers infiltrated the company's network over a period of 18 months. Other large-scale losses—such as a phishing scam at a military research lab and the loss of two unencrypted United Kingdom government disks—followed in its wake.

And experts say this is just the tip of the iceberg. Since January 2005, the Privacy Rights Clearinghouse has identified more than 215 million records belonging to U.S. residents that have been compromised due to a security breach. Plus, a recent study conducted by the Ponemon Institute determined that the total average costs for exposed data grew to $197 per compromised record, representing an increase of 8 percent since 2006 and 43 percent since 2005.

"You lose 10 million records, it gets really expensive, really quick," said John Dasher, director of product management at Palo Alto, Calif.-based PGP Corp., a data protection company. "That's really staggering if you think about it."

To say the least, businesses, from the largest companies to the smallest shops, are still reeling from the effects. We can expect to see significant changes within companies as to how they protect data and deal with its loss in 2008, according to experts.


"One of the things that makes data leak prevention so significant is that it's so hard to do. There's always a way around any defense you can think of," said Richard Stiennon, chief marketing officer at Fortinet Inc., Sunnyvale, Calif. "It's a problem without an ultimate solution."

Data In The Spotlight
Even with increased awareness and more sophisticated security measures, experts say businesses can expect to see more data breaches grace the headlines this year—primarily because more companies and organizations will be required to publicly disclose them.

"Part of what we're seeing is the effect of disclosure laws," said John Thielens, vice president of technology at Tumbleweed Communications Corp., Redwood City, Calif. "The problems are being made visible."

More than 35 states now have breach notification laws requiring companies or agencies to notify affected individuals, such as customers, employees, citizens, students and alumni, when their confidential or personal information has been lost, stolen or otherwise compromised.

"There's all kinds of studies that show that customers don't want to do business with companies that have experienced a breach," said David Vergara, director of product marketing for data security at Check Point Software Technologies Inc., Redwood City. "It's going to get painful if you're not able to control and protect that sensitive information."

And more existing breaches will come to light as companies implement policies and deploy comprehensive security technologies: the same monitoring that is meant to prevent leaks also reveals ones that were already under way. "They change some policies and, 'Oh my gosh,' those tools and policies and processes are shining a light on other breaches that would have gone unrecognized," Dasher said.

A Gold Mine Of Information
While individual attacks will still be prevalent, experts anticipate that cyberthieves will increasingly hunt for sensitive information right at its source: the databases.

As a result, database protection will emerge as a significant issue for businesses this year. Large enterprises and SMBs alike will increasingly invest in database security initiatives, which should include technologies that monitor access to the information and minimize the amount of data leaving their secure networks, security professionals say.

"Otherwise you run yourself ragged," said Ted Julian, vice president of marketing and security at New York-based Application Security Inc. "You could kill yourself trying to secure every single one of those avenues."

Expect More Second-Tier Attacks
While financial institutions will indeed be targeted, security researchers project waves of attacks on smaller, second-tier businesses in 2008: as larger businesses adopt security measures that adequately counter existing threats, attackers will move on to softer targets.

"Whenever you go downmarket, you're going to see more companies," Vergara said. "We're going to see [companies with] lesser household names."

Experts predict that attackers will increasingly focus their efforts on smaller retailers and organizations. The reasoning, most agree, is that those organizations won't receive high-profile media attention and might not be as equipped to protect themselves against sophisticated attacks.

"There are many retailers that just haven't figured it out yet," Fortinet's Stiennon said. "They will be the newsmakers because it will be extremely embarrassing."

Classifying Data
Most businesses have more data than they know what to do with. In order to control copious amounts of information, companies will increasingly put resources into classification.

"I think people will take another look at reducing the amount of data that they have," Julian said. "If it doesn't need to be on that system at all, let's just delete it."

Companies will be a lot more likely to invest in security risk assessment and management in 2008, security experts say. This means developing a system that prioritizes the most sensitive information in order to determine what data potential attackers will target and where it's located.

"The big thing holding up organizations is that they believe they know what the sensitive data is and they know who should and shouldn't see it," said Faizel Lakhani, vice president of product marketing at Reconnex Inc., Mountain View, Calif. "Every company has information that if it gets into the wrong hands would really hurt shareholder value."

Data loss prevention vendors will also introduce tools to help companies learn where the most sensitive information is located, what information is leaking out of the company and to whom.
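The discovery step described above, finding where sensitive information sits and ranking each location by the most sensitive class it holds, is the core of what a DLP discovery scan does. The following is an added example written for this page, not code from the article or from any vendor named in it. It pattern-matches candidate card numbers and U.S. SSN-style identifiers in a set of sample documents constructed inline, validates card candidates with the Luhn checksum to cut false positives, and assigns each document the highest sensitivity class found. The function names, the class labels and the sample documents are assumptions for illustration.

```python
"""Added example: locate and classify sensitive data across documents.

Not the article's or any vendor's code. Sample documents are constructed
inline; function names and class labels are assumptions for illustration.
"""
import re

# Candidate card number (PAN): 13 to 19 digits, optionally separated by
# single spaces or dashes. The lookarounds reject digit runs that are
# longer than 19 digits, so long numeric IDs are not even candidates.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# U.S. SSN-style pattern. Many matches are not real SSNs, so a document
# holding only this pattern ranks below one holding a validated PAN.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Sensitivity ranking: higher wins when a document holds several classes.
LEVELS = {"public": 0, "internal": 1, "pii": 2, "pci": 3}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, as plain digit strings."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(text: str) -> str:
    """Return the most sensitive class present in the text."""
    if find_pans(text):
        return "pci"
    if SSN_RE.search(text):
        return "pii"
    if "CONFIDENTIAL" in text.upper():
        return "internal"
    return "public"


def scan_documents(docs: dict) -> dict:
    """Map each document path to its sensitivity class."""
    return {path: classify(text) for path, text in docs.items()}


# Constructed sample documents (path -> content). 4111111111111111 is a
# well-known test card number that passes Luhn; 1234567890123456 does not.
SAMPLE_DOCS = {
    "finance/cards.txt": "refund to card 4111-1111-1111-1111, ref 1234567890123456",
    "hr/transfers.txt": "employee 123-45-6789 moved to marketing",
    "plans/roadmap.txt": "CONFIDENTIAL: Q3 product roadmap",
    "web/welcome.txt": "Welcome to our store. Order 20230001 has shipped.",
}


def highest_class(docs: dict) -> str:
    """Return the most sensitive class found anywhere in the document set."""
    return max(scan_documents(docs).values(), key=LEVELS.__getitem__)


if __name__ == "__main__":
    for path, level in scan_documents(SAMPLE_DOCS).items():
        print(f"{level:8s} {path}")
    print("highest:", highest_class(SAMPLE_DOCS))
```

The Luhn check is what keeps order numbers and other sixteen-digit strings out of the "pci" bucket; a scanner that only pattern-matches will flag far more locations than a team can review. Real discovery tooling also has to open archives and office formats and respect an allow-list of known test numbers, which this example leaves out.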

"It's not just data. You have to classify everything from a risk perspective," said Brian Cleary, vice president of marketing at access governance firm Aveksa Inc., Waltham, Mass. "Once you have those controls in place, the likelihood of losing that data goes down exponentially."

Accidental Threats
While outside threats will always be a problem, studies have shown that the biggest threat by far to a company's sensitive information occurs through simple human error. A recent survey conducted by RSA, the security division of Hopkinton, Mass.-based EMC Corp., indicated that some of the most significant breaches in 2008 will probably come from within the company itself and will likely be an accident.

Approximately 72 percent of respondents reported that their company or organization employs temporary workers who require access to sensitive information and systems. Increased outsourcing and offshoring will also open more avenues for data leakage, and security experts anticipate tracing more security breaches to those outsourced or contracted workers.

In addition, 33 percent said they still had access to old accounts after switching jobs internally. That makes periodic access reviews tied to job changes increasingly necessary, so that each user's entitlements match their current role and the information that role actually requires.
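The two survey findings above, contractors whose engagement has ended and employees who keep old entitlements after an internal move, are what a periodic access review is meant to catch. The following is an added example written for this page, not code from the article or from the RSA survey. It reconciles a constructed entitlement export against a constructed HR feed and a role model, and reports four kinds of finding: accounts with no HR record, accounts of terminated users, contractor accounts past their end date, and entitlements not justified by the user's current role. The data, role names and finding labels are assumptions for illustration.

```python
"""Added example: periodic access review against an HR feed.

Not the article's or the survey's code. The HR records, role model and
entitlement export below are constructed; names are assumptions.
"""
from datetime import date

# Constructed HR feed: current role, status and, for contractors, end date.
HR = {
    "alice": {"role": "accounts_payable", "status": "active", "end": None},
    "bob": {"role": "marketing", "status": "active", "end": None},  # moved from payroll
    "carol": {"role": "contractor_dba", "status": "active", "end": date(2008, 1, 15)},
    "dave": {"role": "engineering", "status": "terminated", "end": None},
}

# Role model: which entitlements each role justifies.
ROLE_MODEL = {
    "accounts_payable": {"erp_ap", "vpn"},
    "marketing": {"crm", "vpn"},
    "payroll": {"hr_payroll", "vpn"},
    "contractor_dba": {"db_prod_admin", "vpn"},
    "engineering": {"source_repo", "vpn"},
}

# Constructed entitlement export from the target systems (user -> grants).
ENTITLEMENTS = {
    "alice": {"erp_ap", "vpn"},
    "bob": {"crm", "vpn", "hr_payroll"},   # kept payroll access after transfer
    "carol": {"db_prod_admin", "vpn"},     # contract ended, account still live
    "dave": {"source_repo"},               # terminated, account never disabled
    "svc_legacy": {"db_prod_admin"},       # no HR record at all
}

# The date the review runs; assumed for the example.
REVIEW_DATE = date(2008, 2, 1)


def review_access(hr: dict, role_model: dict, entitlements: dict, today: date) -> list:
    """Return (user, finding, grants) tuples for every access that needs action.

    Checks run in order of severity: an orphaned or terminated account is
    reported whole, an expired contractor is reported whole, and only then
    is an active user's access compared with what the role model allows.
    """
    findings = []
    for user, grants in sorted(entitlements.items()):
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "orphan", sorted(grants)))
            continue
        if rec["status"] != "active":
            findings.append((user, "terminated", sorted(grants)))
            continue
        if rec["end"] is not None and rec["end"] < today:
            findings.append((user, "contract_expired", sorted(grants)))
            continue
        allowed = role_model.get(rec["role"], set())
        excess = grants - allowed
        if excess:
            findings.append((user, "excess", sorted(excess)))
    return findings


def run_review() -> list:
    """Run the review over the constructed data set."""
    return review_access(HR, ROLE_MODEL, ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, finding, grants in run_review():
        print(f"{finding:17s} {user:10s} {', '.join(grants)}")
```

The "excess" finding is the one the survey's 33 percent figure points at: bob's payroll entitlement is not wrong in itself, it is simply no longer justified by his current role. Reviews that only look at who is terminated miss it, which is why the check compares entitlements with the role model rather than with a list of leavers.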

"Everyone thinks it's about these Russian networks," Cleary said. "They're out there, but it's also just human error."

Data Loss: A Breach Of Promise

The results of a 2007 Ponemon Institute study on data loss indicated the following:

> Total average costs of a data breach grew to $197 per compromised record. The average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to $35 million.

> The cost of lost business due to a data breach grew more than 30 percent, averaging $4.1 million, or $128 per compromised record. Lost business accounted for 65 percent of data breach costs in 2007.

> Lost or stolen devices still account for the largest single share of data loss: 49 percent of all data breaches occur as the result of lost or stolen laptops, flash drives and other mobile devices.

> Forty percent of respondents reported breaches by third-party organizations such as contractors, outside consultants, outsourcers and business partners, up 11 points from 2006.

> Encryption and data loss prevention (DLP) were the top two technologies implemented following a data breach.

> The Ponemon Institute study found that legal defense costs grew by 8 percent while public-relations costs grew by about 3 percent following a breach.