Companies Need to Take Responsibility for Protecting Sensitive User Data
Cyber-criminals have grabbed headlines for highly publicized data breaches in recent years. However, the greatest blame for many of these incidents lies squarely on the shoulders of organizations that don’t properly manage sensitive data. Harvesting personally identifiable information takes far less effort when security controls are insufficient and organizations expose massive amounts of information every day. The problem is exacerbated by employees who have too much access and by those who accidentally share mismanaged data.
While compliance helps drive business need, it is clearly not enough as evidenced by the 2013 Target breach and many subsequent retail industry breaches in 2014. A holistic approach to risk that includes data discovery, data classification and data protection is the most effective in preventing critical information from getting into the wrong hands.
Changing the breach mindset.
Organizations in all industries must stop working under the assumption of “if,” and instead, build strategies around “when” a data breach will occur. The bad guys are only getting better at what they do, and are often ahead of the security curve. When companies rely too heavily on securing the perimeter instead of managing the items within the perimeter, they’re setting themselves up for a more damaging breach.
A strong defense is important and necessary, but consider this analogy. If the world thinks you keep a pile of cash in your car, someone will try breaking in to steal it, even if the door is locked. If they knew it was secured in a safe or didn’t know it existed, they likely would not bother breaking in.
Greater attention to Sensitive Data Management.
Sensitive data management is a strategy that incorporates people, process and technology focused on data discovery, classification, security governance and protection. Sensitive data management can include the usage of data loss prevention technology, but as a whole it is a comprehensive strategy to know where your data is, what is at risk, who has access, when it is touched and how to protect it. Most organizations incorporate these steps into their sensitive data management best practices:
- Defining what the organization deems as sensitive information.
- Knowing where sensitive data is and who has access.
- Classifying data in terms of importance and potential harm to your organization, if stolen.
- Identifying who the data owner is.
- Governing the accountability of data owners.
- Determining if data is necessary or obsolete and if it poses unnecessary risk.
- Eliminating data as soon as it is no longer necessary, or protecting it if it must exist.
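As an added illustration (not code from the article), the Python below runs the steps above over a few constructed sample records: it discovers PII, classifies each record by potential harm, checks whether an accountable owner exists, and flags sensitive data that has outlived its retention period for elimination rather than protection. The PII patterns, the three-level classification scheme, the 365-day retention period and the sample records are all assumptions made for the example.

```python
import re
from datetime import date, timedelta
# Assumed PII patterns for this illustration; card-like digit runs are Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample records (not real data): (id, accountable owner, last access, content).
SAMPLE_RECORDS = [
    ("r1", "finance", date(2014, 11, 1), "Refund to card 4111 1111 1111 1111 approved"),
    ("r2", "hr", date(2012, 3, 5), "Old HR export, SSN 123-45-6789 on file"),
    ("r3", None, date(2014, 12, 1), "Contact: alice@example.com"),
    ("r4", "ops", date(2014, 12, 1), "Ticket 1234567890123 opened"),  # digit run, fails Luhn
]

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: keeps ticket numbers and similar digit runs from being flagged as cards."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(n - 9 if n > 9 else n for n in doubled) % 10 == 0

def find_pii(text: str) -> set:
    """Discovery step: which kinds of sensitive data a record contains."""
    kinds = set()
    if any(luhn_valid(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.add("card")
    for kind, pattern in (("ssn", SSN_RE), ("email", EMAIL_RE)):
        if pattern.search(text):
            kinds.add(kind)
    return kinds

def classify(kinds: set) -> str:
    """Classification step: potential harm if stolen (assumed three-level scheme)."""
    return "restricted" if kinds & {"card", "ssn"} else "confidential" if kinds else "public"

def review(records, today: date = date(2015, 1, 1), retention_days: int = 365) -> list:
    """Governance step: (id, owner, level, action) per record. Fixed 'today' keeps the sample reproducible."""
    out = []
    for rid, owner, last_used, text in records:
        level = classify(find_pii(text))
        if level == "public":
            action = "none"
        elif today - last_used > timedelta(days=retention_days):
            action = "delete"        # obsolete sensitive data: eliminate it
        elif owner is None:
            action = "assign_owner"  # nobody is accountable for it yet
        else:
            action = "protect"       # encrypt, restrict access, hold the owner accountable
        out.append((rid, owner, level, action))
    return out
```

Running `review(SAMPLE_RECORDS)` yields one action per record: the live card record is protected, the stale SSN export is deleted, the ownerless contact record needs an owner, and the ticket number is left alone because it fails the Luhn check.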
The consequences of not employing effective sensitive data management strategies are quite severe, as many breached organizations have learned. It can take many years to undo the damaging impact of data breaches that are exacerbated by improper sensitive data management controls, if they can be remedied at all. Some consequences include:
- Compliance fines, legal costs and insurance premium hikes. From HIPAA to SOX to PCI-DSS 3.0, there are any number of regulations that require organizations to protect this data and levy monetary penalties for not doing so. As a result, legal spend and insurance premiums also increase.
- Lingering sales drop. Studies have shown that in the finance, retail and healthcare industries, up to a third of consumers will stop doing business with organizations that are breached.
- Increased IT cost and inefficiency. Excessive data is not only a recipe for a breach nightmare, but it also takes up valuable space on your network.
Organizations in all industries need to do a better job of managing sensitive data. Many are holding on to sensitive data they don’t even know they have, and are at great risk that it could be stolen or exposed. At a time when cyber criminals are sharpening their skills daily, businesses should take inventory of every piece of data they own, classify it, protect it and govern its access. Getting breached is bad enough, but losing data that had no business being there in the first place is even worse.
Hackers’ Next Major Target: Your Smartphone
It was difficult to go through a week this year without hearing of another major cybersecurity breach. And it looks as though 2015 will be no different, but this time it will be mobile phones that are the big battleground for hackers, security experts have warned.
Most of the ever-lengthening list of headline-hitting hacks—including Sony Pictures and retailer Target—have happened via a compromise to the companies’ computer networks. Up until now smartphones have escaped relatively unscathed.
But as businesses allow their employees to use their own mobile devices for work, people use their phones to log into local wi-fi and the mobile e-commerce space explodes, analysts warn hackers are likely to follow the money.
“They (smartphones) are now so integrated into people’s lives and people are using them for all the things they would have used the laptop for five years ago,” David Emm, senior security researcher at Kaspersky Lab, told CNBC by phone.
Business and pleasure
Behind the heightened threat of hack attacks are two major drivers: the rising trend of bring your own device (BYOD) to work, and the increasing amount of money transactions done through phones.
Twice as many employee-owned devices will be used for work as enterprise-owned devices by 2018, according to Gartner, the information technology research firm. But this also increases the risk of a breach at a company.
“Businesses and enterprises are letting employees use the latest smartphones and access things like corporate emails, and suddenly the mobile device is as convenient as working on a larger device,” Vinod Banerjee, partner and data protection specialist at law firm Taylor Wessing, told CNBC by phone.
“You have employees doing more on a mobile device and doing it ad hoc here and there and perhaps therefore not thinking about some of the risks that are apparent.”
If a hacker is able to compromise a user’s personal device, they could easily get access to corporate emails or sensitive data.
Follow the money
Mobile e-commerce or “m-commerce” has also been on the rise and is set to continue growing, especially after Apple announced Apple Pay earlier this year. An increasing number of people are paying for items on their mobiles, and near-field communication (NFC) technologies will drive future growth.
Consumers are now storing lots of financial information on their phones through banking apps and virtual wallets.
Annual transaction value of online, mobile and contactless payments will reach $4.7 trillion by 2019, up from just over $2.5 trillion this year, according to Juniper Research. And this is tasty for hackers looking to make some serious money.
“You have both Samsung and Apple with their new pay system which suddenly opens the floodgates for phones to become the predominant method for payment,” Greg Day, FireEye’s chief technology officer for EMEA, told CNBC by phone.
“The simple reality is that we as consumers use our phones more and more and our wallets and laptops less and less. The criminal will surely follow that.”