The federal government should step in and pass laws to ensure computer security, John W. Thompson, the CEO of Symantec told a security conference Tuesday.
In the last six months of 2007, nearly 50 million people worldwide were the victims of identity theft, and 70 percent of the most common malicious code used in attacks on computers targeted confidential files.
Loss or theft of laptops or storage devices account for 57 percent of data loss worldwide; 65 percent of new software created today is malicious code; and there is a black market in selling stolen files and data that is sophisticated enough to include money transfer capabilities.
This information from the Symantec Threat Report was disclosed by Stephen Trilling, the company’s vice president for security technology and response, at the RSA Security Conference in San Francisco.
The data came from “more than 120 million computers worldwide” that have installed Symantec’s software, Trilling said.
Act Locally, Fear Nationwide
That led Thompson to call for a nationwide law targeting hackers in his keynote speech, “Information Centric Security: The Next Wave.” “It’s impractical to have 40 different states, each with its own laws; we need a federal law with very high standards today,” Thompson said, adding that security issues have become a global problem.
If the growth of malicious software continues to outpace the growth of “good” software, white-listing — the implementation of a policy stating which applications are allowed — “will become very important;” identity management “will become important to cover everybody in the world;” and digital rights management “not just of music but of business documents” will become crucial, Thompson warned.
Enterprises will have to change their approach to security: “We will need to take an info-centric view to security using a risk-based approach,” Thompson said. This means that businesses must decide what information is critical to their survival and archive only that.
This hard approach is critical because “data grows by 50 percent a year, so only the most important information can be protected,” Thompson added.
Selecting Critical Information
Enterprises must answer three questions to figure out what information is crucial to their business: What sensitive information do they really have; where is it being stored; and how is that information being used, he said.
“Once you have answered these questions, you can set policies to guide strategies on how your organization stores and uses information,” Thompson said.
The increasing importance of business to businesses requires that business leaders — “not just the CIO, but also the CEO and CFO” — become involved in setting security policies. Security and data “must work hand in hand for combined risk management,” Thompson declared. “You can’t secure what you don’t manage.”