Security managers suffer 'price tag shock' when attempting to implement more stringent measures to protect sensitive information, according to distinguished Gartner analyst Avivah Litan.
Speaking at the company's IT security summit in Sydney yesterday, Litan said a company with at least 100,000 accounts to protect can spend, in the first year, as little as $8 per customer account just on data encryption. Or, the organization may spend as much as $20 per customer account for data encryption, host-based intrusion prevention and strong security audits.
"This compares with an expenditure of at least $120 per customer account when data is compromised or exposed during a breach," she said.
Encrypting stored data can provide the most robust data protection, Litan said, but if that is not feasible due to cost and complexity, organizations should deploy comprehensive, host-based intrusion prevention systems (HIPS).
However, Litan said successful deployment of HIPS requires strong server configuration control and additional administrative cost and complexity.
"Another option is a strong security audit to validate the organization's deployment of satisfactory mitigating controls, reducing the need for data encryption or HIPS," she said.
"None of these options is mutually exclusive, but implementing all three will still be less expensive than having to respond to a large-scale data breach."
Litan's presentation comes at a time when scammers have found a way around new, token-based authentication systems, which are typically used by banks.
Over the past few weeks, about 35 phishing Web sites have been set up that use the new attack mode. They attempt to trick users into divulging the temporary passwords created by the security token devices banks such as Citigroup use, according to Rich Miller, an analyst with Internet research company Netcraft.
Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack.
Token devices are used to create a temporary second password for online banking customers.
Under an ongoing attack against Citibank customers, phishers have set up a fake Web site where victims are tricked into entering their passwords.
The fake site instantly forwards the password information to Citibank's real Web site, allowing the criminals to sign on before the victim.
With a total of 35 such phishing sites now spotted, it seems that the attack is becoming widespread, Miller said.