In recent months, with the continued growth in highly public data breach incidents, we began looking at how organizations assess their level of exposure to data breach risk. I suspect that if you ask the CEO of most public companies or public sector organizations about their level of risk, they would tell you that they are “highly secure” and maintain excellent practices to prevent the misappropriation of personal information belonging to their customers, patients, employees, students and other affiliates.
Many firms have to meet security and compliance requirements that are necessities in their industry, such as PCI for those that handle credit card information and HIPAA for healthcare organizations. Historically, I think they felt such rigorous compliance requirements could ensure their safety from the risks of a data breach.
However, the recent past demonstrates that no organization is really immune to a potential data breach incident. The very visible Heartland Payment Systems breach affected many millions of Americans whose credit cards were processed by Heartland, an organization that had to adhere to very strict security standards set for the financial industry and its payment processors. This apparent inconsistency between a perception of being immune from data breach risks and the rapid growth in data breach incidents led us to think about whether organizations can “quantify” their level of data breach risk.
We were somewhat surprised that there isn’t much available to organizations to help them in measuring and scoring their level of data breach risk. Given this situation, we began to look at how we could model and quantify risks specific to the breach of personally identifiable information (PII) and personal health information (PHI), since it is the unauthorized release of this information that is regulated by state and now federal laws.
To this end, we created what we call the Breach Healthcheck(tm), a tool that uses a proprietary model to assist organizations in combining two dimensions of measurement into a Breach Protection Index(tm), measuring both an organization's level of data breach exposure and its level of data breach protection. Breach Healthcheck then maps this index onto a two-dimensional risk map that gives organizations a visual indicator of their level of data breach risk.
Our sense is that organizations that are trusted to hold PII and PHI will find it useful to be able to measure their level of data breach risk, and to understand the primary areas where their practices may lead to unanticipated levels of risk. To get complimentary access to the Breach Healthcheck tool, qualified organizations can contact ID Experts at www.idexpertscorp.com or 866-726-4271.
Today, in a report by Wired Magazine, it was revealed that Savvis Inc., the company which performed audits for CardSystems during 2004 when CardSystems experienced one of the largest credit card data breaches of its time, is being “pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.”
Savvis is accused of certifying that payment systems were compliant with security standards when they were not. Due to the recent rash of breaches at companies that were supposedly compliant with payment industry security standards, the PCI Council said last year that it was tightening its oversight of auditors.
These auditors are in charge of ensuring that a company's methods of processing payments and transmitting information are up to industry standards. However, Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. I see many problems with this audit system as it stands today, highlighted in part by the article:
- Listing standards to become compliant is poor security practice. Good information security comes from anticipating, adapting to and meeting new threats. By the time new standards are drafted and approved as part of compliance, the threats may have already done damage.
- Only three full-time staff are in charge of the auditor certification program. How much are these auditors scrutinized?
- Difficulty understanding complex standards creates problems for organizations that want to install or update components of their systems.
- 80 percent of the audits in the payment industry are conducted by a dozen major vendors. As the article pointed out, “the rules and requirements for auditors reveal a number of potential conflicts of interest (.pdf) that could arise between an auditor and the entity it's assessing. For example, many security auditors also make security products. The rules state that a security company will not use its status as auditor to market its products to companies it audits, but if the auditor should happen to find that the client would benefit from its product, it must also tell the client about competing products.”
- A recent study reveals that 20% of IT security managers and technical staff from enterprises and government departments admit to cheating on security audits or knowing of a colleague who did. An even larger percentage “cut corners,” resulting in potential holes in audits or security compromises.
- Problems are getting worse as companies slash budgets. Staffing issues, substandard or used equipment which may or may not be infected with viruses, and time constraints are all symptoms of the economic pressure on this industry.
It is important to realize that standards and procedures are wonderful tools, necessary to implement any security process or program. However, a chain is only as strong as its weakest link. In this case, the links are made of people, and it only takes one lie or misrepresentation to create millions of dollars in loss.
Tags: auditors, CardSystems, compliance, credit card breach, credit card security, Data Breach, data breaches, Heartland, information security, infosec, IT auditors, PCI, PCI DSS, RBS WorldPay, Savvis, Visa