Some would argue that signs of what WW III might be like are already emerging … it’s just not visible to ordinary folks because it takes place online, often in the dark web, largely out of the public eye.
Just like generals and politicians, schooled in infantry-based warfare, weren’t prepared for tanks and airplanes in WW I, nor for Blitzkrieg, aircraft carriers, submarines, or long-range strategic bombing in WW II, politicians today do not understand that a nation state or individual can do severe harm to individuals, organizations, or entire countries without shedding one drop of blood as we explained in a recent interview with Zach Noble of “The Business of Federal Technology”.
Has your company or a company you know of failed a compliance audit? Many security models are built off of the necessity to meet compliance regulations. While it is understandable to build compliance-driven security initiatives, it is not a best practice.
Some of the many reasons that companies build compliance-driven security initiatives, is that they are trying to reduce cost and time spent. However, there is a win-win to data security that goes beyond just saving time and money achieving compliance, but that starts with accurately identifying and classifying the sensitive data that needs to be protected. This can achieve both, compliance and security initiatives, quickly and inexpensively.
“What is broken in the security industry?” CSO Online recently asked data security experts at Black Hat USA 2015.
Rather than the processes or products being the problem, Todd Feinman, CEO of Identity Finder had another take on it; truly understanding your data. Given the unprecedented amount of data that organizations produce and store, their biggest challenge is understanding their data and what’s inside of it. “Not all data needs to be protected equally,” says Todd Feinman. When you have so much data, you tend to forget what the most sensitive information is and where it is located, which makes it even harder to protect.
When looking at a security program you have to look at discovering, classifying, monitoring and protecting data throughout its lifecycle—from creation to use to storage. Unfortunately, no single system will provide you with the ability to do everything. Many systems have to operate together so you know exactly where to focus and can ensure that your most important and sensitive data is protected.
SC magazine released its review of classification solutions and weighed in on its importance in DLP strategies. The full review can be found here
At the risk of stating the obvious, the core mission of Information Security is about protecting sensitive data. Sensitive data means a lot of things to different people. And thus it is about accurately classifying data into what is sensitive and what does not pose a risk of harm. Hackers make headlines when they compromise valuable data, be that financial information, personal data, state secrets, or simply embarrassing emails whose publication draws unwarranted and damaging public attention.
Recently I sat down with Renee Murphy and our own Chief Council, Neil Stelzer, to discuss regulatory topics including the impact of the 7th circuit effectively lowering the threshold needed to bring a class action lawsuit in a data breach. The ruling states that harm occurs the moment that a data breach occurs, not if or when the data is used to commit fraud. On the heels of that ruling, the 3rd circuit has now upheld that the FTC can sue companies for being breached.
Today, Josh Keller, K.K. Rebecca Lai and Nicole Perlroth published a fantastic interactive piece of content in the New York Times that directly points to the very serious nature of identity theft. The article features an app that prompts readers to indicate whether or not they’ve provided sensitive data to 26 well-known organizations (retailers, healthcare organizations, social media sites, etc.) that experienced a recent data breach. Upon completing the survey, a tally showing the number of instances hackers have potentially seen the reader’s sensitive data.
Visualizing actual numbers that directly relate to individual sensitive data exposure is a perfect way to illustrate how often consumers are victimized. Perhaps more alarming is the fact that only 26 organizations are included. Another site that tracks similar information and allows the database to be searched is Troy Hunt’s ‘have i been pwned’ site which lists several dozen more. It is safe to assume that this is the tip of the iceberg, given the almost daily incidences of data breaches.
The U.S. Census Bureau confirmed that they suffered a data breach involving compromised “non-confidential” data, such as employee names, email addresses, phone numbers, etc. This, of course, is a big deal. However, against the backdrop of the Office of Personnel Management incident or last week’s breach of Ashley Madison, the news seems less significant by comparison (we would assert that it’s not).
But let’s stop and think about this for a moment: a person or a group made their way into a governmental agency’s network and started plucking data at will, and it barely registers a shrug of the shoulders?
There was a time when any breach of a governmental office would be front page news, but we now live in an era when only so-called “mega breaches” grab our collective attention, and even then we’re only paying attention until the next big one. And typically the wait isn’t long. So what does that say about the state of things?
Late Sunday evening, security blogger Brian Krebs reported that sensitive data belonging to 37 million users of Ashley Madison had been stolen by a hacker or hackers identifying only as The Impact Team. As is typical with incidents of this nature, names, addresses, credit/debit card information and other personal information may have been taken. However, the article asserts that an alleged lapse in sensitive data management practices may have been the motivation behind the attack:
According to the hackers, although the ‘full delete’ feature that Ashley Madison advertises promises ‘removal of site usage history and personally identifiable information from the site,’ users’ purchase details — including real name and address — aren’t actually scrubbed.” Continue reading →
The process of securing an organization against a data breach can be dizzying, if not impossible. There are any number of ways that a cybercriminal can get into a network—never mind the thought of an internal hack or accidental sharing of sensitive data. Should you build up a stronger perimeter, double-down on encryption, invest in business-user training to instill proper data management? The questions are seemingly endless, and being able to answer them all correctly is highly stressful. However, much of that complexity can be vastly reduced. This isn’t to say it’s easy, but by taking a few very critical strategies into consideration, preparing your company against data exposure can be more straightforward and effective.
Accept the inevitable. You will be breached eventually. There, we said it. It’s the elephant in the room. If the last two years have taught us anything, it’s that you cannot build a wall high enough to keep intruders at the gate. Once that reality is accepted, you can realistically move forward to institute policies and solutions that minimize the risk of a breach and shrink the associated damage once it happens.
Know your data. Breached organizations are very often surprised by the data that’s uncovered. Documents containing SSNs, credit/debit card numbers, home addresses, etc., often live in unseen, yet unprotected areas. Documents that are no longer legally necessary to store (and lots of them) are taken. Have a clear understanding of all the data in your possession and create strict retention and deletion schedules to ensure the smallest possible data footprint at all times. The less there is, the less that can be exposed.
Customize your solution approach. Whatever tools you utilize to minimize your chances of sensitive data exposure, make certain you understand every aspect of how your data is created, classified, saved, stored, retrieved, etc. Armed with that information, the selection and areas of focus for data security solutions become a lot less complicated. Additionally, it is critical that the solutions you choose are compatible with other existing tools in your information security arsenal.
Have a response plan in place. A worst case scenario requires a planned reaction. Data breaches will put your organization in a tough spot with customers, regulatory agencies and, depending on the size of the breach and types of data leaked, the media. A key part of that response is knowing exactly what data has been taken. An “I don’t know” will exacerbate the reputational damage associated with the incident.
There’s no easy way through a data breach. Sadly, such incidents are no longer avoidable throughout the totality of an organization’s existence. However, with the proper mindset, organizational insight and planning, an easier-to-implement plan to protect sensitive data can be achieved.
A great deal of attention has been given to the recent government data breach, which put a reported 14 million current and former government workers’ sensitive data at risk. While the details continue to be sorted out, this incident—along with other highly-publicized breaches—hammer home the fact that strategies that focus on “keeping the bad guys out” or on monitoring data crossing a network perimeter alone are not enough anymore to protect an organization’s sensitive data.
The telltale evidence supporting this assertion is that despite the growth in traditional security spending, breach sizes and frequencies are on the rise. Consider data from the recent IBM-sponsored 2015 Cost of Data Breach study by Ponemon:
65 percent of organizations surveyed say the attack evaded existing preventive security controls
95 percent of organizations surveyed did not discover even their breaches for at least three months
Despite best efforts to keep intruders at bay, organizations recognize that blockading their networks is only one part of a larger data protection strategy. The study also suggests that the average breach in the US costs $6.5M, with catastrophic breaches well exceeding the largest loss amount of $29M that the study had sampled.
What’s clear is that a holistic approach that addresses sensitive data management is just as important as traditional security concerns—encryption, prevention, etc. Only focusing on security strategies that prevent infiltration and/or exfiltration leaves a critical flank unguarded, and can lead to a false sense of security. If the locations of sensitive data are precisely known and preventive measures to protect such sensitive data are taken, such as quarantining, destroying or redacting data, there is nothing for them to find or steal should they make it “past the gate.”
The end result is a significant reduction in the post-breach losses associated with sensitive data breaches. Further, sensitive data management strategies don’t require a complete redo of an organization’s security strategy. While not all breaches are “mega breaches,” every organization has sensitive data it wishes to protect. Making sure that this critical data is where it should be and eliminating all sensitive data that should no longer be present is an important key to overall data risk management.