The departure of Avid Life Media (Ashley Madison's parent company) CEO Noel Biderman wasn't the first time an executive resigned because of a data breach. It's actually the third such departure from a high-profile company in a little more than a year. And chances are, it won't be the last.
Just last February, in the aftermath of its highly publicised hacking incident, Sony Pictures Entertainment's co-chair Amy Pascal deemed it appropriate to step down. Not long before that, Gregg Steinhafel, the chief executive of Target, also left the retail giant after it suffered its own massive data breach.
It's understandable. When the damage to a company's reputation is as catastrophic as in these cases, it's logical for accountability to rise to the top.
Judging from the Third Circuit Court of Appeals' decision in the FTC's case against Wyndham Worldwide Corp, which upheld the FTC's authority to take action against companies with inadequate data security, the pressure for accountability is only going to increase, and CEOs will have to do more to protect their companies from a data breach.
But what can be done?
Consider these 7 suggestions:
1. Acknowledge threats to data
This is really important. Unless executives accept that cyber crime is a real and present threat, they won't be compelled to take immediate action to protect company data. And it is a real threat.
According to the 2014 edition of the Ponemon Institute's annual "Cost of Cyber Crime Study" (United States sample):
- The average annualized cost of cyber crime has reached $12.7 million;
- That's a 96% increase over what it was five years earlier; and
- The number of attacks organizations experience per week keeps growing: from 50 per week in 2010 to 138 in 2014, a 176% increase.
Simply put? 1) It can happen to your company and 2) it will be costly.
2. Initiate, support, and participate in your company's security program
Your security program should have been launched yesterday. But what's really important here is that, if you're CEO, the program should have your full support. Don't just initiate and then leave everything to the head of IT.
The policies and procedures that should go into the program will need inputs from other departments, like HR and Legal. For instance, before an effective access control policy based on "need to know" can be implemented, HR has to identify the roles users play in the organization. Similarly, before a data retention and disposal policy can be applied, the Legal department should see to it that the time limits are within legal bounds.
Only someone who has authority over these departments can make everyone cooperate and arrive at policies that aren't just plain stringent, but also legal, humane, and realistic.
The remaining recommendations are for CEOs who want an idea of the essentials that should go into these security policies. They're also for leaders of organizations that aren't big enough to have their own CISO (Chief Information Security Officer) or CSO (Chief Security Officer) to handle the technical and not-so-technical aspects of security.
3. Adopt password best practices
Passwords are the keys to your company's data and IT infrastructure. If they're compromised, confidential data can fall into the wrong hands. Worse, if the compromised passwords belong to a privileged user (someone with administrative rights), a large data breach can follow.
Passwords should be at least 10 characters long and combine letters, digits and non-alphanumeric characters. They should also be changed periodically. The article below about password compliance is based on PCI DSS requirements, but its advice applies to organizations not covered by PCI DSS as well.
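As an added example (not code from the original post), here is a policy check that enforces the rule just stated in Go: a minimum of 10 characters, at least one letter, one digit and one non-alphanumeric character, plus a denylist that catches the predictable choices the post warns about. The denylist contents, the function names and the sample passwords are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// minLength follows the post's recommendation of at least 10 characters.
const minLength = 10

// commonPasswords is a constructed sample denylist seeded with the
// predictable choices the post mentions; a real deployment would load a
// large list of passwords seen in public breaches.
var commonPasswords = map[string]bool{
	"password": true,
	"123456":   true,
	"qwerty":   true,
	"letmein":  true,
	"welcome":  true,
}

// CheckPassword returns every policy violation found in pw. An empty
// result means the password satisfies the policy.
func CheckPassword(pw string) []string {
	var problems []string

	// Count characters rather than bytes so non-ASCII passwords are not
	// over-credited for length.
	if len([]rune(pw)) < minLength {
		problems = append(problems, fmt.Sprintf("fewer than %d characters", minLength))
	}

	var hasLetter, hasDigit, hasSymbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLetter(r):
			hasLetter = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsSpace(r):
			// allowed, but counts toward no character class
		default:
			hasSymbol = true
		}
	}
	if !hasLetter {
		problems = append(problems, "no letters")
	}
	if !hasDigit {
		problems = append(problems, "no digits")
	}
	if !hasSymbol {
		problems = append(problems, "no non-alphanumeric characters")
	}

	// Compare against the denylist case-insensitively and with trailing
	// digits/symbols stripped, so "Password1!" is caught by the entry
	// "password" instead of passing on composition alone.
	lower := strings.ToLower(pw)
	base := strings.TrimRight(lower, "0123456789!@#$%^&*._-?")
	if commonPasswords[lower] || commonPasswords[base] {
		problems = append(problems, "matches a commonly used password")
	}
	return problems
}

// Compliant is the yes/no form of CheckPassword.
func Compliant(pw string) bool {
	return len(CheckPassword(pw)) == 0
}

func main() {
	for _, pw := range []string{"password", "Password1!", "correct horse battery 7!"} {
		fmt.Printf("%-26q -> %v\n", pw, CheckPassword(pw))
	}
}
```

The denylist step matters more than it looks: "Password1!" satisfies every composition rule on the page, which is exactly why attackers try that shape first.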
4. Educate end users (including yourself) about security
End users are usually the weakest links in the IT security chain. Many of them use predictable passwords like "password" or "123456", post passwords on their monitors, or share them with other users. They're the ones who misplace laptops and USB sticks containing volumes of personal information. They're also the ones who inadvertently download malicious programs through emails.
You can have the most well thought out security policies in the world. But if you're unable to communicate those policies to your employees and help them understand the importance of adhering to them or how a data breach can affect them, those policies will be useless.
And because security threats and vulnerabilities are constantly evolving, education as well as information dissemination must be done periodically.
Some of the online resources we'd recommend include:
- the SANS Institute Reading Room
- the Coursera course on security
- TechTarget's SearchSecurity
- and of course, the security articles on this blog.
5. Apply encryption
Encryption is one of your best defenses against threats to data confidentiality. Even if your server, desktop, laptop, USB stick, hard disk, or any other storage device is physically carried away, the thief won't be able to read the information on it if the files or the disk holding them are encrypted. The caveat is that the key must not travel with the data: a laptop left running with its disk unlocked, or a device that stores its decryption key alongside the ciphertext, is not protected.
Strong encryption is effective enough that it is often required or strongly recommended by regulations like HIPAA and PCI DSS. Some data breach notification laws even provide a safe harbor for data that was encrypted when it was lost.
Encryption is applied in two main ways. One protects data in motion; the other protects data at rest. Data-in-motion encryption is built into secure network protocols like SFTP and FTPS, while data-at-rest encryption protects data while it sits on a storage device. An example of the latter is OpenPGP (although it can also be used to protect data in motion).
If you both store and transmit sensitive data, you'll need these two types of encryption.
6. Employ 2-factor authentication
The problem with relying on passwords (even strong ones) as the only method of authentication is that attackers have other means of obtaining them besides the usual brute force attacks. A combination of the following is often enough:
- social engineering (like impersonating a legitimate user, calling the helpdesk, and asking for a password reset),
- online research (hint: end users' social media posts are favorite sources), and
- some freely downloadable tools.
A password is something that a user knows. If you can throw in something else, say something that a user has (e.g. a private key or a client certificate) as another requirement for authentication, then you'll make it more difficult for an attacker to succeed.
When you combine two methods of authentication, e.g. passwords and private keys or passwords and client certificates, you call that 2-factor authentication. The two methods have to come from different categories, though: a password plus a PIN or a second password is still a single factor (things the user knows). We'll be discussing 2-factor authentication in a separate blog post soon, so stay tuned for that.
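The password-plus-private-key combination described above, as an added example that is not part of the original post: a server-side login check in Go where the user must supply the correct password (something they know) and sign a fresh, random server challenge with the private key whose public half was registered at enrolment (something they have). The user record layout, function names and SHA-256 password hashing are assumptions of this example; a production system would use a slow password hash such as bcrypt, scrypt or Argon2 and would generate the key pair on the user's device rather than on the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// UserRecord is what the server stores: a salted password hash (factor one)
// and the public half of the user's key pair (factor two). The private key
// never leaves the user.
type UserRecord struct {
	Salt         []byte
	PasswordHash []byte
	PublicKey    ed25519.PublicKey
}

// hashPassword stands in for a slow password hash. SHA-256 over
// salt||password is enough to show the two-factor flow, but a real system
// should use bcrypt, scrypt or Argon2 so offline guessing is expensive.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Enroll registers a user and returns the private key the user keeps.
func Enroll(password string) (UserRecord, ed25519.PrivateKey, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return UserRecord{}, nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return UserRecord{}, nil, err
	}
	rec := UserRecord{Salt: salt, PasswordHash: hashPassword(salt, password), PublicKey: pub}
	return rec, priv, nil
}

// NewChallenge is the server's per-login random nonce. Signing a fresh
// challenge (not a fixed string) means a captured signature cannot be
// replayed at the next login.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate succeeds only if both factors check out. Both checks always
// run, so response time does not reveal which factor failed.
func Authenticate(rec UserRecord, password string, challenge, signature []byte) error {
	passOK := subtle.ConstantTimeCompare(hashPassword(rec.Salt, password), rec.PasswordHash) == 1
	keyOK := ed25519.Verify(rec.PublicKey, challenge, signature)
	if !passOK || !keyOK {
		return errors.New("authentication failed")
	}
	return nil
}

func main() {
	// Enrolment happens once: the user keeps priv, the server keeps rec.
	rec, priv, err := Enroll("correct horse battery 7!")
	if err != nil {
		panic(err)
	}
	// Login: the server sends a challenge, the user returns password + signature.
	challenge, _ := NewChallenge()
	sig := ed25519.Sign(priv, challenge)
	fmt.Println("both factors:  ", Authenticate(rec, "correct horse battery 7!", challenge, sig))
	fmt.Println("password only: ", Authenticate(rec, "correct horse battery 7!", challenge, nil))
	fmt.Println("key only:      ", Authenticate(rec, "guess", challenge, sig))
}
```

This is the property the post is after: a password stolen through a helpdesk call or a social media guess is useless without the key, and a stolen key is useless without the password.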
7. Use a DLP solution
Manually keeping track of sensitive pieces of data like credit card numbers and social security numbers and making sure they don't leak out can be a very tedious, time-consuming, and virtually impossible task.
Combining vigilance, data handling best practices, and an automated Data Loss Prevention (DLP) mechanism is a much more effective approach. The article Using DLP to Protect Credit Card Data gives a good example of how a DLP mechanism works.
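To make the "automated" part concrete, here is an added example (not from the original post or the article it cites) of the detection step a DLP mechanism runs over outbound text: candidate credit card numbers are found with a pattern, confirmed with the Luhn checksum so order and phone numbers are not flagged, and reported masked to the last four digits; US Social Security numbers are matched on format. The patterns, function names and the sample text (which uses a well-known test card number) are constructed for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one piece of sensitive data spotted in scanned text.
type Finding struct {
	Kind   string // "credit card" or "ssn"
	Masked string // what a DLP log would record: last four digits only
}

// Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
// dashes. The pattern alone over-matches, so each hit is confirmed with Luhn.
var cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// US Social Security number in its conventional 3-2-4 form (format check only).
var ssnPattern = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)

// luhnValid implements the checksum used by all major card brands; a
// candidate that fails it is almost certainly not a card number.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan returns the findings for text. Card candidates come first, then SSNs.
func Scan(text string) []Finding {
	var findings []Finding
	for _, m := range cardPattern.FindAllString(text, -1) {
		d := digitsOnly(m)
		if luhnValid(d) {
			findings = append(findings, Finding{Kind: "credit card", Masked: mask(d)})
		}
	}
	for _, m := range ssnPattern.FindAllString(text, -1) {
		findings = append(findings, Finding{Kind: "ssn", Masked: mask(digitsOnly(m))})
	}
	return findings
}

func main() {
	// Constructed sample: one Luhn-valid test card number, one look-alike
	// that fails Luhn, and one SSN-shaped value.
	sample := "Order 8675309, card 4111 1111 1111 1111 exp 12/27, alt 1234-5678-9012-3456, SSN 123-45-6789"
	for _, f := range Scan(sample) {
		fmt.Printf("%-12s %s\n", f.Kind, f.Masked)
	}
}
```

A real DLP product adds the enforcement step (block the transfer, quarantine the file, alert the owner) on top of this detection, and tunes the patterns to the data types the organization actually handles.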
This is by no means an exhaustive list. But it should be enough to significantly improve your security posture and reduce the chances of a data breach.