I took some time this week to look at data breaches for this blog, and am completely amazed at the commonplace happening of data exposure. AT&T, NYC Department of Education, and many other big names have been in the news just within the last month. 222 million records were breached in 2009. Many of the people affected have still not been notified of the breaches concerning their data.
Data breaches have become all too common, and what was once enough of a scandal to bring down the company that suffered it is now treated as just another news item. Data privacy is one of the most important goals of IT security. Financial malfeasance such as robbing banks is the number one crime, but the theft and loss of Personally Identifiable Information, or PII, should be second only to it in scope and importance. The havoc this data can cause for the people affected by a breach is very real and of major consequence.
Combining breaches, such as taking one stolen list and comparing it against one or more others, is the nightmare scenario for any consumer. Matches are inevitable, and the consequence of assembling all relevant PII about a collection of individuals is very real. What so many people and organizations fail to realize is that even though only a fraction of these records are fully or partially exploited, the cost is easily in the billions of dollars for the combined group affected. Without getting into too many details, criminals or foreign agents could in effect completely become another real person, or at least access the wealth, savings and credit of that person. No one is above this risk, since from the richest to the poorest, everyone is on thousands of electronic lists.
Right now it is estimated that fully two thirds of the companies in America lack a database security plan. Many of them do so at their peril, by putting too much faith in the firewall or some other single method of security. The resulting scandal is much worse for a small local business than for AT&T, which has a prepared legal and PR team at its disposal. They also do it at our peril, since the data that gets taken is often of a deeply personal nature.
Remedies are not easy, cheap, or fast. They are necessary.
1. Practice security-in-depth. Look at physical security, the firewall, internet filters, anti-virus programs and policies as one unit working together. Enforce tough policies across the organization, harden the systems, and deal with shortcomings honestly and as a priority.
2. Have a regular review of your security posture, at least annually, to ensure that the evolving nature of the threat doesn't advance beyond you.
3. Test your procedures. Hire someone to test your defenses, and see what happens. This could be done in-house, but your defenses have only truly been tested if someone outside your organization tries.
When I looked at data breaches this week, I could also see how small a problem this seems to be when it is reported. Most breaches flare up on the news channels, but the bigger companies hunker down and weather the days of bad publicity. Soon something else will come along, like the Gulf of Mexico tragedy, to put the average American into overload. A culture of prevention and security needs to surround this part of our lives. I have tried to avoid sounding like a full-on advertisement on this blog, but this should be a driving force to get security professionals involved. With concerted effort and corporate buy-in, many of these problems could be avoided. With enough of a defensive posture in place, large-scale attacks on multiple systems can be detected and thwarted. With enough mechanisms in place, small businesses can be spared the agony of getting wiped out through scandal, litigation and remediation after losing all of their customer records.
Sounds like it's worth it to me.