Security Lessons Big Data Breaches Can Teach Us
Everyone should care about data security. This Q&A covers what IT departments can learn from recent major cyber breaches to better secure their data.
22 December 2014
Everyone should care about data security. In the online world we live in, data breaches are all too common. In 2014 alone, we’ve seen Fortune 500 companies victimized in major hacks that put millions of individuals’ information at risk.
Perhaps, given the vast number of data breaches in the news this year, the recent Sony hack is not a surprise. Back in 2011, Sony underwent a separate hack that compromised consumer data from gamers. (The 2011 attack didn’t become as much of a public relations disaster for Sony as the current one.)
And sadly, threats such as hacking, phishing, and theft aren’t going away anytime soon. We should all be thinking about how we can bolster security. Here are just a few questions your executives (especially those in information technology and security) should be asking — along with some suggestions.
Is employee education a priority for companies that want to secure their data? Are companies doing enough?
Implementing effective security education is definitely a priority for companies — because insiders are often a conduit for outside attacks. But the important thing here is that companies must realize they aren’t doing enough to understand their own risks. It’s hard to justify the security expense for events that rarely, if ever, happen. But if companies understand their risks, the rest of their preparations and responses are easy to rationalize.
The majority of companies are very reactive. Security awareness training is in the proactive bucket, and is often the first item to fall to the budget axe. It’s key to have the right security policies and procedures already in place to be able to quickly respond to issues as they arise. Working with partners that put strong security and compliance first can help reduce your future risk.
Can companies ever really fully secure data from such attacks?
Given the determination of the attackers, preventing all attacks is probably an impossible goal. Detecting them in time to mitigate the impact is an area that is often overlooked. Anytime there are terabytes of data leaving a network, it is a safe bet something nefarious is going on. Detecting and responding to attacks is as important and cost-effective as preventing them altogether, if not more so.
What advice should companies consider to secure data?
Becoming complacent is the first mistake companies make. The assumption that information is secure as it stands today is never the answer for tomorrow. Companies should always be looking ahead and taking preventative measures to secure and protect intellectual property, both from threats outside of the organization and within.
Make sure you know where your information is. Properly classify it and allocate most of your security resources to protect the most valuable information. That’s a very generic statement, but it all comes down to applying security measures directly to protect the data: not the environment, people or devices, but the information itself. Today, data is all too mobile to have effective protection at higher layers. It will require some re-platforming to implement some of the newer technologies, but if it makes economic sense (if your information assets are that valuable), you have to spend the money to protect them.
Mushegh Hakhinian represents Intralinks at the Cloud Security Alliance SME Council, is a certified information systems security professional, and is a frequent contributor to industry publications. Prior to joining Intralinks, Mr. Hakhinian led security functions at a multi-tenant online banking service provider and an international bank.