Top businesses have smart people working in IT and Information Security. So why do we suffer from so damned many breaches? It might be because the vulnerabilities are no longer where the experts are patching weaknesses.
I answered the phone: It was another “after the breach” client. Hackers had gotten into their systems, customer data was lost, and now the company’s name was plastered across the news.
As part of the “learning experience,” the business is ready to aggressively address the gaps between “we should” and “we do.” And now — after the breach — new budget dollars are allocated to compliance, information security, and other IT systems. Ever since the data breach, the about-to-become-a-customer tells me, he’s scrutinized the company’s data security and compliance policies, and he has investigated its technology infrastructure design choices.
This conversation is not rare, by any means. As much as we’d like it to be otherwise: It’s no longer a question of if a company will be hacked, but a matter of when. It’s as though companies are playing a game of Russian Roulette with data, except that often the victims are consumers who entrusted these institutions with personally identifiable information (PII): their credit, health care, and other sensitive information.
It’s a human response for us all to close the barn door after the horse has bolted, but in this case it makes sense: There are plenty more “horses” in that barn.
The world is changing so fast that it feels impossible to identify and plug the holes. Worse, the gap is widening. And that has dreadful consequences: The massive cyber-attacks at the U.S. Office of Personnel Management followed years of audits that identified deficient systems and processes for managing technology, reported the Wall Street Journal. Worse: The world of sophisticated organized hacking is rapidly evolving. Technology and people are hard-pressed to keep ahead of newly discovered exploits or social-engineering schemes. Just look at the security pros at Hacking Team, a for-hire organization specializing in identifying exploits, who were breached themselves.
After a breach, I’ve seen enterprises (or companies of every size, really) assess the potential for the next incident. They invest heavily in internal controls. And they do their best to ensure that organizational data is better secured, monitored, tracked, and quarantined. It falls upon the IT and InfoSec departments to determine the risk of exposure, penalties, lawsuits, reputation damage, and loss of jobs — the often-unreported internal aftermath of major breaches.
And doesn’t it make sense to do that before the CEO arrives in your office, asking you how the hackers got into the system?
The actual breach is only the visible part of the problem — and in some ways it’s the easiest one to solve. Behind the breach is the vulnerability that enabled the bad guys to break in and access data across multiple systems internally; at that point, asking, “Who left the door open?” seems moot. The question leans more towards, “Who left all the stacks of money on the table?”
The point is, even the best doors can’t address 100% of the problem. It’s IT’s dirty secret: Breaching the firewall is only a single dimension of a much larger problem. It’s the one that grabs the headline. What often doesn’t make the front page is that in 65% of reported breach incidents, the data is misappropriated internally (as in the AT&T privacy breach), or misplaced, or stored on a stolen machine — causing not only security issues but major compliance ones as well. One need only look at the HHS HIPAA violation list to see how uncomfortably often this occurs.
As with so many other IT issues, it’s not the “oops” moment (and the steps to ease the blow) that should capture the CIO’s attention; it’s preventing the problem in the first place. And several things are making that more difficult. For instance: What worked in the datacenter isn’t necessarily true in the cloud or with a mobile workforce.
Almost all organizations have internal data systems with strong security models and auditing capabilities. The challenge arises when the data leaves those systems or is collected by end-users locally, and proper policies aren’t followed. There is no easy way to track where sensitive data is as it travels around the organization, to end-user systems, to mobile devices, and to the cloud. Sure, you could argue that many organizations have data policies, relying on employees to follow them. But without enforcing a regular data-safety training program (something I have rarely seen), most employees don’t know the policies exist; those who are aware of the policies won’t follow them if a policy interferes with their productivity.
Given that — alas — a breach is a matter of when, not if, for many companies (including the companies where the breach remains unreported), shouldn’t organizations increase investments in better monitoring and tracking of their data sitting at rest, locally on end-user devices, or on cloud services? Historically, enterprises have invested in in-flight/in-transit technologies such as data loss prevention (DLP), scouring email messages and data-exchange services to catch employees mistakenly sending sensitive, unsecured materials. Yet these solutions don’t address the at-rest issue, where most of the major exposures and infractions are now occurring. Things need to change, and quickly, given the pace of exposure incidents.
So what steps can a company take in today’s environment to better address their at-rest, end-user data risks?
Here’s a place to start.
- Do a thorough security audit of internal end-user systems: A security audit is one of the first things our “after the breach” clients are required to do. Yes, it’s going to be time consuming and expensive, but the aftermath costs are much higher. And it’s much better than having the company’s general counsel knocking at your door; her resolution to solving the problem is going to be much more time consuming, costly, and painful.
- Create a data-security awareness training program: Your company undoubtedly has legally-mandated programs to teach employees about topics like sexual harassment. Take a similar approach to data security. Make it part of your corporate compliance policy. Make such classes a requirement for new hires, and ensure yearly refreshes. A major breach can cause the loss of many jobs, so everyone needs to be accountable for the company’s safety and long-term viability.
- Use two-factor authentication. If your organization handles regulated data (PHI, PCI, PII), then two-factor authentication for systems and personnel who have any access to that data is a good, simple first step. Many companies don’t want to burden their end users, but the overhead is nominal; and you’d be surprised how many end users keep passwords in text files and other unprotected locations.
- Consider embracing the cloud more broadly. For many Druva customers, this seems counter-intuitive. But the reality is that a properly vetted cloud service adds complexity to the attack surface. It also separates data repositories from one another, making them less readily accessible in the case of a breach. Most customers are surprised when I tell them our top 10 cloud customers all handle more sensitive data than the average enterprise does, yet leverage our cloud for this specific reason. It’s also better to adopt cloud technologies that your teams have vetted for security and provide those approved tools to end users as a service, instead of leaving the end users to adopt cloud applications on their own. End users look at product features; IT and InfoSec also weigh security and data privacy.
- Address at-rest end-user data. Technologies have matured. We can support massive ingestion of data in a highly compact, efficient manner, and also provide parallelized indexing so that the data can be analyzed. In the Druva model of proactive compliance, end-user data sources (mobile devices and cloud services like Microsoft Office 365) and activity logs are unified for holistic data visibility; automated agents regularly scan the data to identify potential compliance risks for the organization to assess and remediate as needed.
- Invest in mobile data protection: Solutions exist today that can be provisioned to end-user desktops, laptops and smart devices to provide remote wipe and geolocation and to enforce encryption. These technologies put companies in a more favorable position when a device is stolen (among the leading incidents in HIPAA violations), both in data recoverability and in ensuring the device’s data isn’t accessible to whoever grabbed it.
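The “automated agents regularly scan the data” idea in the at-rest bullet above is the part of the list a practitioner can actually build a first version of. The script below is an added example, not Druva’s agent or any code from this post: a minimal at-rest PII scanner that walks a directory of end-user files, flags US Social Security numbers and payment-card numbers, uses the Luhn check to discard digit runs that merely look like card numbers, and reports only redacted values so the scan report itself doesn’t become a new copy of the sensitive data. The file contents, the SSN, and the card numbers it scans are constructed test values (4111 1111 1111 1111 is a commonly used test card number, not a real account).

```python
"""Minimal at-rest PII scanner (added example, not Druva's product code)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# US SSN in the common ddd-dd-dddd form; reject area 000/666/9xx, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str        # "ssn" or "card"
    redacted: str    # only the last four digits survive in the report


def redact(value: str) -> str:
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str, path: str = "<memory>") -> List[Finding]:
    """Scan one file's text; returns findings in line order, SSNs before cards per line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(path, line_no, "ssn", redact(m.group())))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_valid(digits):  # drop phone-number-like or random digit runs
                findings.append(Finding(path, line_no, "card", redact(digits)))
    return findings


def scan_directory(root: str, max_bytes: int = 5_000_000) -> List[Finding]:
    """Walk an end-user data directory and scan every readable text file under the size cap."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue        # unreadable files are skipped, not fatal
            findings.extend(scan_text(text, path))
    return findings


# Constructed sample "end-user" files; none of these values are real.
SAMPLE_FILES = {
    "notes.txt": "Customer SSN: 123-45-6789\nCall back at 555-867-5309\n",
    "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,1234 5678 9012 3456\n",
    "readme.md": "Nothing sensitive in here.\n",
}


def demo() -> List[Finding]:
    """Write the constructed sample files to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{os.path.basename(f.path)}:{f.line_no} {f.kind} {f.redacted}")
```

Run as-is it reports the SSN in notes.txt and the Luhn-valid card in orders.csv, while the phone number and the non-Luhn digit run are ignored. In a real deployment the pattern set, the size cap and the inventory of roots to walk (user profiles, sync folders, mail stores) are where the tuning effort goes; the report should feed a ticketing or compliance workflow rather than sit in a text file on the same machine.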
Protecting sensitive data in today’s environment has become increasingly complex. It’s not just the exposure of data during a breach, but also the ability of today’s enterprise to effectively audit and take action on data before an event occurs, whether driven by external or internal influences. Emerging technologies like proactive compliance offer organizations a way to address several of these long-standing issues as part of a comprehensive data security and compliance initiative.