Why we still invite data breaches

Sentrigo's Dan Sarel writes that enterprise security has been slow to recognize the evolving, for-profit nature of cyberattacks.

If you followed the news this summer, you doubtless read about a spate of data breaches reaching across corporate America.

After a massive security compromise at TJX earlier in the year (still the largest on record), some hoped it might signal the end of large-scale data breaches. That turned out not to be the case. Breaches were later reported at Disney, Western Union, Fidelity Information Services, Monster.com and TD Ameritrade. Millions of personally identifiable information records were pilfered, then used to facilitate spamming, malicious software and spyware distribution, credit card fraud, and identity theft.

The authorities have begun to take measures designed to stanch the outbreaks. Some 39 states have enacted privacy breach notification laws. These regulations mandate that the organization where the suspected breach occurs must notify all affected individuals. But the rise in the profile and severity of breaches nonetheless continues.

That's because companies are being actively targeted for data theft. Personal information gets stored in too many places, creating opportunities to steal it. At the same time, the nature of "hacking" has also changed. Organized crime now targets information that can realize financial gain for its perpetrators, and the means at their disposal are substantial. If, previously, unprotected data ran a low risk of being spotted by the wrong people, gaps in data protection nowadays are constantly being probed and exploited.

If the data gets exposed, it will be stolen. If criminals cannot get to the data from the outside, they try to find an insider to do the job for them. Many of the recent breaches followed such a scenario, with insiders selling stolen data to spammers and criminal elements.

Most enterprises are ill-equipped to handle this threat, and until they upgrade their security procedures and tools, breaches will continue. While it is impossible to hermetically seal the enterprise, there are measures that can be taken to improve the situation, and leading companies are taking them.

First, databases, the systems that hold the bulk of sensitive data, have been neglected in terms of security. While the network is protected by firewalls and other systems, databases remain vulnerable to outside as well as inside threats. Last year, according to the annual CSI/FBI survey, financial loss from data theft outgrew losses from viruses, but IT budgets do not reflect that.

Moreover, while insiders originate the majority of attacks and breaches, few companies have the right procedures and systems to cope with this. Enterprises have focused on securing the perimeter--preventing intruders from coming in--and only now are starting to focus on securing internal systems as well.

An additional, obvious and easy way to prevent large-scale damage from data breaches is to avoid storing unnecessary data in the first place. Many educational institutions, for instance, used to assign Social Security numbers as ID numbers for students, and even kept them in their alumni records. This is risky and utterly unnecessary.

It may be impossible to secure enterprise data completely, but the threat landscape has changed and enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.