Archive for June, 2008

Interpreting Information Security Research Results

An abundance of information security research is performed every year. Surveys that measure the foci and activities of information security practices, funding allocated to IT security, types of security controls that are being used, attitudes concerning compliance, number and types of incidents that have occurred, and amount of incident-related financial loss are just a few of the many that are taken. Large organizations such as the Computer Security Institute and ISACA and corporations such as the Big Four accounting firms are particularly likely to conduct these surveys. No matter what the year is, results generally indicate that funding and staffing are never sufficient, that senior management is prone to overlook information security-related risk, that the cost of security breaches is growing, and that certain types of security-related technology are used more widely than others.

Categories: Network Security

Cyberterrorism

Last year I spoke at 28 different conferences, and as things currently stand, by the end of this year I will have spoken at even more. When I speak at a conference, I generally spend a good amount of time doing social networking, but I also carefully look through the agenda for talks that might be of interest and value to me. I have listened to a few talks on cyberterrorism at several conferences I have attended recently. Despite the fact that those who presented these talks had obviously spent a good deal of time and effort in creating their vugraphs, I must admit that I was disappointed with their content. As I think back on what troubled me, however, I think that my problem is really with the concept of “cyberterrorism” more than anything else. Any kind of terrorism, no matter what its source is, implies an attempt to wreak fear and havoc among people because of the potential for an impending, disastrous event to occur. Frankly speaking, misusing computers does not have nearly the potential for instilling fear in people as do bombs, automatic weapons, and hijacked planes crashing into skyscrapers.

Categories: Network Security

TJX Is in the News Again

TJX is once again in the news. Nick Benson, now a former TJ Maxx employee in Lawrence, Kansas, was recently fired for posting entries on a news group site concerning poor information security practices within TJX. Benson’s postings state, among other things, that after the news of the massive data security breach at TJX surfaced, TJX had announced that many of its security practices were being tightened. Benson noticed, however, that the password for employee computer access at his store was blank and that it was possible to choose a password that is identical to one’s username. The basis for firing Benson was unauthorized disclosure of confidential information.

Categories: Network Security