Why do organizations keep suffering from relentless massive data breaches? Weak security, executive management ambivalence, increasing hacker prowess? Maybe all of the above, but the more cogent reason we continue to read of data breaches is that they are lucrative!
In other words, criminals have figured out how to monetize stolen data. Russian and Ukrainian nationals were indicted in July 2013 for stealing 160 million records and selling U.S. credit card data for $10, Canadian for $15, and European for $50 each. As security professionals, how can we stem data breaches and stay out of the headlines?
I liken the strategy to the two hikers out walking in the woods. With a large, angry 600-pound black bear approaching, one hiker stops to put on running shoes. The other hiker says, “You can’t outrun a bear!” He replies, “I do not need to outrun the bear, I just need to outrun you!” Data security is often the same. You don’t need the best security program, just one that is good enough that hackers seek an easier target. So here are the top five ways to shrink the data security target enough to dissuade would-be hackers . . .
1) Encrypt, encrypt, encrypt. Use strong encryption (e.g., AES-256), strong passphrases, and proper key management. If managed correctly, hackers will not likely invest the estimated 192 years needed to hack you, even with an endless supply of Red Bull.
2) Low profile. Recall that LifeLock’s CEO Todd Davis took out full-page color advertisements, billboards, and TV commercials to publish his SSN, daring nefarious individuals to try to steal his identity! They did – 13 times! The better solution: keep a low profile.
3) Segmentation. Isolation with proper access control. With unlimited resources, all systems are vulnerable. Separating the data we care about from data that is less sensitive lets you concentrate protection on the sensitive data stores. Your risk assessment, data inventory, and data classification work together to help prioritize – now segment your sensitive data!
4) No hoarding! Storage is cheap, and therefore there is a propensity to retain data long after its useful business life; worse, businesses often create multiple copies of the same data with no business value. Managing downstream manifestations of the data, creating a business-justified data retention program, and managing to that program significantly reduces breach probability – you can’t “lose” data you don’t have!
5) Don’t collect it in the first place. When I recently completed an online form, it sought name and address, plus payment information. To transact business, these are logical data points to collect. The form also wanted email (to send a receipt), date of birth (to determine buyer demographics), and income (again, demographics). For the latter two data points, there is a strong argument that they are not needed. There is little justification for collecting DOB in this example; if they are truly seeking demographic information, only the year of birth, not the full DOB, is necessary. Be judicious in determining what data to collect.
Security is not a Boolean value. It is not a question of whether or not you have security. It’s a risk-based algebraic equation where you determine risk appetite, then determine which risks to mitigate, transfer, or accept. Clearly the internet, its open standards, and the ability to hide one’s identity make it a conduit for good business and nefarious individuals alike. Reduce the target on your back, make it difficult to extract meaningful data, and make sure your management team agrees to the level of risk you are assuming. At least then, when you are hacked, you are in a defensible position and have garnered management support in advance – a career-extending proposition. Then just be the faster runner and hopefully the bear will pursue the easier target.
Pertinent news releases…
- Dun & Bradstreet, LexisNexis, and Kroll hacked (botnet, possibly via phish)
- Nasdaq, 7-Eleven, JC Penney, Hannaford Brothers, and JetBlue hacked (Russian nationals)
- Sony: 100+ million user accounts hacked
- Heartland Payment Systems: hacked for 130 million records (key logger/sniffer)
- TJ Maxx: hacked for 45 million records