A new security intelligence report and survey from Microsoft may reveal the root cause of some data breaches. The biggest reason, it seems, is that various company departments tend to mismanage their data while assuming the IT department is securing it all.
The biggest disconnect appears to be between a company's marketing staff and its security and privacy professionals, said Brendon Lynch, a privacy strategist with Microsoft. If better coordination doesn't happen, he warned, more data breaches are a certainty.
"Each of the three groups we talked to have different motivations for protecting personal information and they tend to speak different languages," Lynch said in an interview Tuesday. "Marketers care about trust and brand reputation, and worry about the brand's reputation suffering in the face of a data breach. The security professionals are focused on preventing attacks, and the privacy folks care about regulatory compliance."
Unfortunately, security and privacy professionals labor under the false assumption that marketing personnel are regularly checking in with their departments before collecting and using sensitive data, Lynch said.
According to the survey, 78% of the security and privacy executives said they were confident that their marketing colleagues consult them before collecting or using personal information. But only 30% of marketers said they actually do so.
The survey of more than 3,600 security, privacy and marketing executives across a variety of industries in the United States, United Kingdom and Germany was conducted by the Ponemon Institute on Microsoft's behalf. It found that organizations with poor collaboration were more than twice as likely as organizations with good collaboration to have suffered a data breach in the past two years.
Lynch said 74% of companies that acknowledged poor collaboration between departments suffered a data breach in the last two years. Only 29% of those reporting good collaboration had suffered a breach in that period.
"It shows the need for better collaboration that accounts for the entire data lifecycle," he said. "You can't just assume the IT security people are taking care of it all."
One reason the IT security staff can't handle it all is that attackers are adjusting their tactics too quickly for them to keep up, according to Microsoft's latest security intelligence report. The report measures the amount of malware detected via the software giant's Malicious Software Removal Tool, Windows Defender and Forefront products in the first half of 2007.
It indicates a continued rise in attacks designed to steal personal information or trick people into providing it through malicious Web sites, email attachments and other means.
During the first half of 2007, Microsoft said, 31.6 million phishing scams were detected, an increase of more than 150% over the previous six months. Meanwhile, there was a 500% increase in such Trojan malware as password stealers and keyloggers. Two notable families of Trojans detected and removed by the Microsoft Malicious Software Removal Tool are specifically designed to steal data and banking information, the report said.
Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, shared the results in his keynote address at the International Association for Privacy Professionals Privacy Academy in San Francisco Tuesday.
"There is no one-size-fits-all solution for organizations looking to effectively collaborate and protect data, but we hope this research will be a good resource for companies thinking about how to approach this," Charney said.