A LOOK BACK AT 2007 DATA BREACHES - COULD THIS BE ONLY A SAMPLING OF WHAT'S AHEAD?
A recap of disclosed data breaches for 2007 indicates the trend of compromised data and the mishandling of sensitive information isn't getting any better. In fact, analysts see no slowdown and predict data incidents will be even worse throughout 2008.

The drive that hackers have for financial gain by using private company information is not going to go away any time soon. Dishonest insiders, malicious software used to gain access to servers, unsecured Web sites, and employee mistakes caused by a lackadaisical position of data security are really taking a toll.

Our 2007 Reported Data Breaches and Disclosures show that breach notifications within the education sector was 25 percent higher than in 2006. Lost or stolen laptops and drives accounted for 45 percent of all disclosures, and data compromised by dishonest employees or hacking accounted for 22 percent of disclosed breaches. As more states take after California's SB 1386 Breach Notification Law and implement notification laws of their own, the overall disclosures reported will no doubt have an impact during 2008.

So the question that keeps us scratching our heads is . . . why the disconnect between IT and the boardroom or top execs? Many IT departments don't have a full understanding of the business risk that lax security can cause and because most feel they are doing a good job, they don't press the issue to upper management -- until something happens. And top executives are slow to address data security or try to ignore it even though they know a breach could now cost $198.00 per record according to the latest study conducted by the Ponemon Institute. So why are companies waiting to act? Could it be the ROI that concerns

them or is it that IT isn't making a strong enough case? But surely CEOs know the costs will be much greater with a breach, right?

Take for instance the retail conglomerate TJX Cos. breach that unfolded this year; the largest breach in history at over 100 million records. TJX is the owner of about 2,500 stores, including T.J. Maxx and Marshalls. It's pretty obvious to all by now that their security practices were flawed with many high level deficiencies. News articles suggest that they did not properly manage their cardholder data environment, failed to patch correctly, and bungled antivirus and intrusion detection. TJX is now the poster child of what not to do and has set a precedent for lawsuits by banks trying to reclaim their expenditures.

Throughout this year, NCX did discover some good news. Many of the CEOs we've met are 'getting it'. They're taking security more seriously and realizing their customers and the business community are demanding it as a fiduciary obligation of conducting business. Even though ROI is always a consideration, many of the risks and vulnerabilities found in a risk assessment or security review are easily fixed or addressed without a single purchase. But remediation is key. Remember, it was found that retailer TJX had failed to comply with nine of 12 standards that credit card firms impose on merchants to protect data. So if you need to fix a vulnerability or address a risk, do so within the time frame and urgency specified by the Findings document.

Many CIOs and IT directors are still in reactive mode and have not developed a proactive security plan. We encourage you to push for security experts like NCX to review your business' security strategy. Now is not the time to be turning a blind eye to security, and a review can give you the peace of mind, education, and direction you need to develop an ongoing security strategy for your business that will pay off.

NCX Group wishes you a Happy New Year. We look forward to introducing our services to ensure your company has a prosperous new year.

For information on NCX consulting services and solutions for your company, please contact us at 888-448-5451 or request a representative to call you.

---

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451