How can organizations adapt to the rise in data breaches?
There’s more money currently dedicated to stopping data breaches than ever before; however, this money isn’t always being sent in the right direction to truly put a stop to the problem. Companies of all sizes and in every industry are well aware of the threats they face. Still, if it seems as though data breaches are still coming every day, it’s because they are.
The Identity Theft Resource Center tracked nearly 28 percent more breaches in 2014 than in 2013. Data compromised in these breaches ranges from personally identifiable information (PII) to proprietary business intelligence, and every piece of it comes with a cost. The Ponemon Institute found, for example, that the average cost per record of a data breach was approximately $200. Now, consider the fact that these breaches aren’t always attacks from hackers; more than 78 percent of data breaches result from accidental employee slipups or the occasional disgruntled worker taking his frustration out in the wrong way.
Each of these threats is real, but the prevailing paradigm of Web security may be at the root of the problem. Data security needs to be about more than just preventing external threats with perimeter defenses like firewalls, particularly as many of the attacks come from the inside or start because of a mistake or other form of internal negligence. For example, many organizations choose not to adopt effective technologies because they have employee policies in place that allow them to claim they’re protected. Given how many times we’ve seen internal policies prove entirely ineffective, this kind of strategy is the data security equivalent of the ostrich with its head in the sand.
From the external threat perspective, firewalls are ineffective against more sophisticated attacks. Back-door access to a corporate network allows a hacker to navigate without much threat of detection by an administrator, providing nearly unfettered access to the confidential and sensitive information that makes up a company’s crown jewels. Without a holistic approach to securing and managing sensitive data from the inside out, companies are doing themselves a disservice by not minimizing their risk posture and breach potential. What’s more, the workers charged with securing sensitive data and those charged with managing it may not always collaborate to establish the kind of holistic control required to take these breaches off the table.
Once a company realizes it’s been hacked, it’s far too late. And simply responding to the attack months later and closing the exploited path into the network isn’t enough. Building a 10-foot wall around a network is little more than a brief roadblock to a hacker, who will quickly erect a 12-foot ladder to get inside. Holistic data security is about protecting information internally as much as it’s about keeping the bad guys on the other side of the wall. Securing information on the inside offsets many of the accidental causes of breaches.
When a company is hacked, too many security leaders look at their IT counterparts and ask what they could have done differently to prevent the attack. That’s essentially the crux of most data security solutions and policies in place. The individuals owning a business’ IT and Web security activities should instead collaborate to develop a data management strategy that starts with the data’s creation. Keeping hackers out is, of course, significant, but preventative data management strategies and solutions that identify sensitive information make it harder for cybercriminals to do any damage even if they do work around a firewall.
This points to another major issue with data security. Learning the route a hacker took to compromise data is one thing, but counteracting their strategy altogether is quite another. Top-down security solutions can woefully underestimate hackers’ acumen for quickly reaching PII and other critical data housed in a primary storage platform. Securing that data at the point of storage and protecting it at its core is the key moving forward.
Adapting to evolving technologies is the only way businesses of all sizes can work to secure their data, whether it involves vulnerability scanning, email protection, behavior monitoring, browser exploit protection, file reputation services or leveraging data-aware technology. SMBs in particular are especially interested in new, more holistic concepts; enterprise-level security solutions are entirely too expensive for the SMBs, not to mention these teams rarely have enough personnel and resources to manage so many disparate IT and data solutions.
Securing data from the inside helps both IT workers and those charged with managing security (who could very well be the same person in some organizations) understand their actual risk posture, as well as the information they truly need to protect. This sounder comprehension of information assets is vital in the management and protection process.
Keeping hackers out will always be a part of the strategy, but it’s even more significant to understand why they’re trying to get inside in the first place. Employee records, customer information and proprietary business data are typically the most sought-after files. However, these are often compromised through access to unstructured “dark data” in the form of older, forgotten files within employee accounts. A simple password list written down at the start of employment can easily be neglected over time and exploited by a cybercriminal months or years later. Beyond the cost of the data breach itself, this kind of unstructured, unsecured information can result in hefty regulatory fines for noncompliance.
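The dark-data problem described above is something a defender can measure rather than guess at. The following is an added example (not code from the original article) of a minimal discovery scan: it walks a directory tree, flags files whose content looks like credential lists or PII, and ranks stale files first, since those are the forgotten ones. The patterns, the 365-day staleness threshold and the sample files are all constructed for the demonstration and would need tuning for real data.

```python
import os
import re
import time
import tempfile
from pathlib import Path

# Constructed, illustrative patterns; real scans need far richer rule sets.
PATTERNS = {
    "credential_list": re.compile(r"\bpassword\s*[:=]", re.IGNORECASE),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
STALE_DAYS = 365  # assumption: untouched for a year counts as "dark data"

def classify_text(text):
    """Return the set of pattern names that match the file content."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def scan_tree(root, stale_days=STALE_DAYS, now=None):
    """Report every file under root with sensitive-looking content, stale first."""
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        hits = classify_text(path.read_text(errors="ignore"))
        if not hits:
            continue
        age_days = (now - path.stat().st_mtime) / 86400  # from last modification
        findings.append({"path": str(path.relative_to(root)), "categories": sorted(hits),
                         "age_days": round(age_days), "stale": age_days >= stale_days})
    return sorted(findings, key=lambda f: (not f["stale"], f["path"]))

def build_sample_tree():
    """Create a constructed home-directory-like tree with back-dated mtimes."""
    root = tempfile.mkdtemp(prefix="darkdata_")
    now = time.time()
    samples = {  # relative path: (content, age in days); all values are made up
        "alice/onboarding/passwords.txt": ("vpn password: Welcome1\nmail password = Welcome1\n", 900),
        "bob/hr/export.csv": ("name,ssn,email\nJ Doe,123-45-6789,jdoe@example.com\n", 400),
        "carol/contacts.txt": ("Reach me at carol@example.com\n", 5),
        "alice/reports/q3.txt": ("Quarterly numbers, nothing sensitive.\n", 10),
    }
    for rel, (content, age) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (now - age * 86400,) * 2)  # back-date atime and mtime
    return root
```

Running `scan_tree(build_sample_tree())` surfaces the forgotten onboarding password list and the old HR export ahead of the recent contacts file, and ignores the report with nothing sensitive in it.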
Whether it’s any of the most well-known data breaches reported in the national news or the data loss at a local credit union, there’s clearly a need for a shift in the way businesses approach managing and protecting their most significant information assets. It isn’t just about keeping the bad guys on the outside. It’s about making sure the good guys have control of the inside.