CitiFinancial's move to digitally encrypt customer data beginning next month could spur other organizations to follow suit, an information security analyst said Tuesday.
Jon Oltsik of Enterprise Strategy Group said interest in digital data encryption has picked up in 2005 after a handful of incidents where couriers lost tapes en route from one office to another.
In recent months, Bank of America, Ameritrade and Time Warner have lost tapes containing personal data on customers or employees, spurring calls for a national data security law.
In the latest case, UPS lost a box of tapes it had picked up at a CitiFinancial facility in Weehawken, N.J. on May 2. The tapes, which contained personal information such as bank account and Social Security numbers of some 3.9 million customers, never made it to its Allen, Tex. destination.https://o1.qnsr.com/log/p.gif?;n=203;c=204660765;s=10655;x=7936;f=201812281308090;u=j;z=TIMESTAMP;a=20400368;e=i
What makes CitiFinancial's case interesting is not so much that the bank, a loan provisions division of CitiGroup, said it was switching from "sneaker net" to electronic transmission and encryption, but that it had already planned to do so before the tape gaffe.
"CitiFinancial is planning to send data through encrypted electronic transmission and not through a third-party courier in July," said a spokesman for CitiFinancial. "That was a change that was in the works before this happened."
The CitiFinancial spokesman, who said the data was not encrypted, declined to say what kind of solutions the bank was looking at for encryption.
But solutions could be anything from services and software from companies like Glasshouse Technologies, Kasten Chase, or Symantec. Fixes might also include storage security appliances and software from vendors such as Decru, Vormetric and Neoscale.
Oltsik said CitiFinancial is so well respected in the industry for its attention to security that its promise to go digital could spark a domino effect in other companies that still use tape storage.
"I do think that will spur an action," Oltsik said in an interview. "We've seen an uptick in actions since the Bank of America incident. It's kind of baby steps, but it's movement in the right direction."
Tape Losses Raise Awareness
Oltsik is basing his opinion on a recent survey he conducted of 232 storage professionals, in which he asked them if the recent wave of lost or stolen tapes changed their company's approach to security as it pertains to data protection.
Forty-seven percent of respondents say the events have prompted their organizations to take some type of action.
One quarter of those surveyed said they are reviewing their off-site tape storage provider's policies and procedures, 23 percent have accelerated their deployment data encryption technologies, and 19 percent have conducted or plan to conduct a gut-check of their data protection scheme.
Still, inconsistencies remain. Oltsik said ESG's new data indicates that although actions are being taken, there is some continued apathy and idealistic expectations around storage security.
For example, in the face of recent identity theft and documented storage vulnerabilities, 42 percent of users said that these recent incidents have had no change on their security processes.
The data indicates some security movement in the storage marketplace but does not demonstrate any sense of urgency. ESG believes this is a risky mistake that could lead to devastating consequences, Oltisk wrote in the brief.
Oltisk sees CitiFinancial taking the other tack, paving the way for other major corporations to up their security around stored data.
"CitiGroup is known as a cutting-edge IT shop. They've been very vocal about a five-year plan they have for security to really lock down their systems and their network," Oltsik said. "So if CitiBank comes out and says we will encrypt our data, I do believe that it's a leading indicator that it's time that people really take this seriously."
Oltsik said institutions who embrace security will find themselves with a market advantage over lethargic peers. Moreover, companies can save themselves a lot of grief in being proactive on security.
Congressional representatives are breathing down the necks of large corporations that suddenly find themselves in the spotlight following compromised customer information.
U.S. senators are urging new laws requiring institutions whose data is not encrypted to advise customers of any lost personal data. California has such a law in place, thanks to Sen. Diane Feinstein. The California law has likely been the impetus behind this year's admissions of lost or compromised personal data.
Article courtesy of Internet News