This article is the archived version of a report that appeared in June 2009 Consumer Reports magazine.
While consumers need to protect themselves online, businesses should become much more proactive about computer security. But many aren't. "The entire business is one of 'blame the user,'" says Alan Paller, director of research for the SANS Institute, a security training organization. According to SANS, tens of thousands of sites, including state, federal, and corporate sites, have been compromised by cybercriminals over the past year.
According to a recent McAfee study, millions of companies estimated losses or theft of intellectual property averaging $4.6 million per company in 2008.
Business practices don't seem as though they'll improve soon. "Corporations are not even beginning to do the right thing," says Steve Gibson, a security consultant in Laguna Hills, Calif. "Databases are exposed to the Internet; corporate information is stored in non-encrypted form. They're using generic off-the-shelf junk IT put together."
SANS instructor Ed Skoudis says that "a sufficiently determined but not necessarily well-funded criminal can get in almost anywhere. We haven't learned from mistakes of the past. Security is improving, but the bad guys are improving faster."
That might mean more announcements like the one Heartland Payment Systems of Princeton, N.J., the nation's fifth-largest credit-card payments processor, made in January when it revealed a breach of its database of credit-card holders.
And recently the FTC charged Geeks.com, an online computer hardware retailer, with inadequately protecting sensitive consumer data. The settlement requires the company to establish a comprehensive security program that would include regular audits for 10 years.
Sites that handle credit-card information are supposed to comply with the industry's security standards, although the industry lets each card provider decide whether to fine a violator.
Consumers Union, the nonprofit publisher of Consumer Reports, believes that businesses should store sensitive data in encrypted form. Two-factor user authentication, combining a password with a token that generates a constantly updated passcode, would provide further protection.
Companies should regularly test the security of their Web applications and networks. Programmers should be educated about the latest security measures. Companies entrusted with valuable consumer information should be certified by Trustkeeper and Verisign.
Web-hosting companies must tighten policies to fight phishing, including suspending terms-of-service violators and requiring the collection of accurate information about account holders, as the Anti-Phishing Working Group suggests.