Q&A: Symantec’s CISO on the source code hack
We chat with Symantec's CISO to talk about what happened during and after the source code leak saga earlier this year.


Now we have to go around and figure out who owns this data, how do you value it and how does the company value it. For instance, my database system that tells me how many chairs I have, if I'm the facilities person that is really important to me. Now you have to look at it and ask, is it really important for Symantec to know how many chairs we have? Unlikely, because developers will sit on the floor if they don't have a chair.
It is an exercise. Identify your systems, identify what is accessing them, identify your data, where it is and who owns it, categorise your data. Then you have to look at the control documents and ask what controls do I need to apply.
Symantec, like most other commercial companies, relies heavily on ISO (a security standard offering best practice recommendations) certifications. I don't think ISO is strong enough or deep enough in the technology side, or prescriptive enough, to clearly define what an individual needs to do. I believe that ISO is a good programmatic tool to use and it's gotten better, but it still doesn't get to the bit and byte level that I really feel is critical for us to protect our data.
Following the pcAnywhere, and what happened to RSA with their breach last year as well as Sony's nightmare year, have you learned anything about disclosure?
When you've had a situation, when do you put the public eye on it? The situation changes as information becomes available. So when this first thing came out, it was something completely different than what ended up happening.
Thinking back to 2006, we had completely different forensics capabilities. So what was first released was the hacker saying they had something but weren't going to say what it was. Then they said they were going to tell Symantec what it is and they had some bogus document that looks like it came from some Government and stole it from somewhere. After a couple of days, we were able to say that was a bogus document and you're just full of crap, you just bought it from somebody.
We were accused of changing our story. Well you change your story as information becomes available, so as we got better visibility into it we were actually able to tie it back to the situation that took place. We were trying to be as transparent as we could.
With everything that has happened in the past year, including disclosures from RSA, yourself and VeriSign, as well as the undermining of the certificate authority system, should companies ensure they're being as transparent as possible about breaches?
I'll use an anecdote. Let's say a Government entity has a sensitive piece of information and it's classified and it gets put into an email and inadvertently sent out to a bunch of people who don't need to know, don't have the right clearance level. So now you've contaminated and polluted your email system.
The next thing you know people have forwarded this information outside your .gov domain into the public domain. Say public disclosure of that information could lead to loss of life - as an entity you have to look at it and if you look at it realistically, do I tell everybody about it? Do I say publicly how this happened, so get ready to die? Or do you say in this situation, I'm going to make a risk based decision?
You have to look at things and make risk-based decisions. In some instances our products protect national security and so there is a business decision and a risk-based decision that have to be made with your customers in some instances to say how far we want to go with something.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.