
Big worries: The same survey from the Enterprise Strategy Group asked the same group of IT employees to identify weak spots in their network security.

One big challenge was reflected in a 2009 cybersecurity research roadmap (PDF) produced by the U.S. Department of Homeland Security. Among other things, it found that because information technologies and attack methods are evolving so fast, organizations find it hard to determine whether their data is becoming more or less secure, whether it’s more or less secure than that of other organizations, and whether a given level of investment is worthwhile. It doesn’t help that many organizations assess basic questions about security from a short-term financial perspective—even though cost-benefit analyses are hard to make because the cost of failing to take appropriate security measures might not be apparent for years. “Decisions resulting from such analyses will frequently be detrimental to making significant security improvements in the long term,” the report says.

It complicates matters even more that when data breaches occur, companies aren’t always entirely forthcoming. (Sony took six days to warn users that their information had been exposed.) Faster responses would help victims or potential victims (individuals or companies whose data was exposed) take steps to mitigate damage.

Possible changes in government regulations could tighten the rules on how such breaches are reported and what must be revealed. In the United States, 47 state laws currently govern the disclosure of data breaches that expose personal information, but President Obama recently proposed that a single federal law should govern the process.

That would be helpful, says cryptologist Bruce Schneier, chief technologist for the global telecommunications company BT—though just how helpful depends on how thorough the law turns out to be. What’s clear now is that the aftermath of data breaches is sometimes murky. “We don’t know who had access to the data—whether they are criminals, or kids, or spies,” Schneier says. “We don’t know the vulnerability that caused the breach.” Sometimes all we know for sure is how much the damage cost.


Credits: ESG Research Report, Protecting Confidential Data Revisited, April 2009
