Top businesses have smart people working in IT and Information Security. So why do we suffer from so damned many breaches? It might be because the vulnerabilities are no longer where the experts are patching weaknesses.
I answered the phone: It was another “after the breach” client. Hackers had gotten into their systems, customer data was lost, and now the company’s name was plastered across the news.
As part of the “learning experience,” the business is ready to aggressively address the gaps between “we should” and “we do.” And now — after the breach — new budget dollars are allocated to compliance, information security, and other IT systems. Ever since the data breach, the about-to-become-a-customer tells me, he’s scrutinized the company’s data security and compliance policies, and he has investigated its technology infrastructure design choices.
This conversation is not rare, by any means. As much as we’d like it to be otherwise: It’s no longer a question of if a company will be hacked, but a matter of when. It’s as though companies are playing a game of Russian Roulette with data, except that often the victims are consumers who entrusted these institutions with personally identifiable information (PII): their credit, health care, and other sensitive information.
It’s a human response for us all to close the barn door after the horse has bolted, but in this case it makes sense: There are plenty more “horses” in that barn.
The world is changing so fast that it feels impossible to identify and plug the holes. Worse, the gap is widening. And that has dreadful consequences: The massive cyber-attacks at the U.S. Office of Personnel Management followed years of audits that identified deficient systems and processes for managing technology, reported the Wall Street Journal. Worse: The world of sophisticated organized hacking is rapidly evolving. Technology and people are hard put to keep ahead of newly discovered exploits or social hacking schemes. Just look at the security pros at Hacking Team, a for-hire organization specializing in identifying exploits, who were breached themselves.
After a breach, I’ve seen, enterprises (or companies of every size, really) assess the potential for the next incident. They invest heavily in internal controls. And they do their best to improve the ways their organizational data is secured, monitored, tracked, and quarantined. It falls upon the IT and InfoSec departments to determine the risk of exposure, penalties, lawsuits, reputation damage, and loss of jobs — the often-unreported internal aftermath of major breaches.
And doesn’t it make sense to do that before the CEO arrives in your office, asking you how the hackers got into the system?
The actual breach is only the visible part of the problem — and in some ways it’s the easiest one to solve. Behind the breach is the vulnerability that enabled the bad guys to break in and access data across multiple systems internally; at that point, asking, “Who left the door open?” seems moot. The question leans more towards, “Who left all the stacks of money on the table?”
The point is, even the best doors can’t address 100% of the problem. It’s IT’s dirty secret: Breaching the firewall is only a single dimension of a much larger problem. It’s the one that grabs the headline. What often doesn’t make the front page is that in 65% of reported breach incidents, the data is misappropriated internally (as in the AT&T privacy breach), or misplaced, or stored on a stolen machine — causing not only security issues but major compliance ones as well. One need only look at the HHS HIPAA violation list to see how uncomfortably often this occurs.
As with so many other IT issues, it’s not the “oops” moment (and the steps to ease the blow) that should capture the CIO’s attention. It’s preventing the problem in the first place. And several things are making that more difficult. For instance: What worked in the datacenter doesn’t necessarily hold in the cloud or with a mobile workforce.
Almost all organizations have internal data systems with strong security models and auditing capabilities. The challenge arises when the data leaves those systems or is collected by end-users locally, and proper policies aren’t followed. There is no easy way to track where sensitive data is as it travels around the organization, to end-user systems, to mobile devices, and to the cloud. Sure, you could argue that many organizations have data policies, relying on employees to follow them. But without enforcing a regular data-safety training program (something I have rarely seen), most employees don’t know the policies exist; those who are aware of the policies won’t follow them if a policy interferes with their productivity.
Given that — alas — a breach is a matter of when, not if, for many companies (including the companies where the breach remains unreported), shouldn’t organizations increase investments in better monitoring and tracking of their data sitting at rest, locally on end-user devices, or on cloud services? Historically, enterprises have invested in in-flight/in-transit technologies such as data loss prevention (DLP), scouring email messages and data-exchange services to catch employees mistakenly sending sensitive, unsecured materials. Yet these solutions don’t address the at-rest issue, where most of the major exposures and infractions are now occurring. Things need to change, and quickly, given the pace of exposure incidents.
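To make the at-rest gap concrete, here is a small data-discovery scanner of the kind a defender would run against end-user file shares or laptop home directories. It is an added example written for this article, not a tool the author describes; the file names and contents are constructed sample data. It looks for payment card numbers (validated with the Luhn checksum so that order references and other digit runs are not reported) and US Social Security numbers in the conventional layout, and it records only a masked form of each match so the scan report itself does not become a new copy of the sensitive data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Constructed sample "files" standing in for documents found on an end-user
# machine or a cloud share. The card number is the well-known Visa test value;
# the "order ref" has the right shape but fails the Luhn check.
SAMPLE_FILES = {
    "notes.txt": "Meeting notes: nothing sensitive here.",
    "customers.csv": "name,card,ssn\nJane Doe,4111 1111 1111 1111,123-45-6789\n",
    "orders.txt": "Order ref 1234-5678-9012-3456 shipped on Monday.",
}

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the AAA-GG-SSSS layout.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str     # "card" or "ssn"
    masked: str   # digits with everything but the last four replaced by "*"
    offset: int   # character offset of the match within the file


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject SSN-shaped strings that the SSA never issues."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def mask(digits: str) -> str:
    """Keep only the last four digits so reports never hold the full value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Return all validated card and SSN matches in one file's contents."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(path, "card", mask(digits), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding(path, "ssn", mask("".join(m.groups())), m.start()))
    return findings


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan an in-memory mapping of path -> contents; keep only files with hits."""
    return {p: f for p, t in files.items() if (f := scan_text(p, t))}


def scan_directory(root: str) -> dict[str, list[Finding]]:
    """Walk a real directory tree and scan every regular file as text."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            files[str(p)] = p.read_text(errors="ignore")
    return scan_files(files)


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}: {h.kind} at offset {h.offset} -> {h.masked}")
```

Run as a script, it reports the card and the SSN in `customers.csv` and nothing for the other two files; `scan_directory` applies the same logic to a real path. The masking and the Luhn filter are the two design choices that matter in practice: the first keeps the inventory from becoming another exposure, the second keeps the report short enough that someone will actually act on it.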
So what steps can a company take in today’s environment to better address their at-rest, end-user data risks?
Here’s a place to start.
Protecting sensitive data in today’s environment has become increasingly complex. It’s not just the exposure of data during a breach, but also the ability for today’s enterprise to effectively audit and take action on data before an event occurs, whether driven by external or internal influences. Emerging technologies like proactive compliance offer organizations a way to address several of these long-standing issues as part of a comprehensive data security and compliance initiative.