I was attending the annual Gartner Security and Risk Management Summit in National Harbor, MD this week and overheard an interesting comment from one of the speakers. He wondered if organizations and the public are becoming desensitized to data breaches.
It’s an interesting question and one that I can understand asking, unless you happen to be a victim of a data breach. Just do a Google search on data breach and see what comes up. You might be amazed.
With the constant barrage of daily data breaches from organizations like Sony, Anthem, Morgan Stanley, and Partners Healthcare, you begin to understand the fatigue. It’s becoming a lot of white noise to people.
Are most of us feeling like we are listening to the boy who cried wolf? Unfortunately this is not a children’s fairy tale and organizations need to take things seriously.
Just this past week the US government revealed that the Office of Personnel Management was hacked and that upwards of 4 million current and former federal employees had personally identifiable information (PII) stolen. Federal officials currently suspect that Chinese hackers may be behind the data breach and the FBI is investigating. A union representing federal employees is contending that it was far worse than disclosed and some believe it may have affected more than 14 million people.
Hackers, malicious insiders and privileged users are stealing sensitive data, and enough data breaches have finally occurred that legislators and corporate executives are taking these breaches seriously. In the case of the US federal government, it sounds like the hackers stole a lot of documents that weren’t encrypted or protected by anything to ensure unauthorized users couldn’t access them. That’s crazy today, but all too common. This is clearly a case where the government needs to lock these files and provide persistent data security on them. That means the security follows the files and the owner is always in control of them.
This data-centric approach to sensitive information would have allowed the government to kill access to the files immediately and prevent the hackers from accessing them. Without this type of continuous control, these files are very vulnerable and could go anywhere. There are already reports the information is alive and well on the DarkNet. With strong encryption and permission control, this wouldn’t even be a story. The hackers may have gotten some files, but they would be useless to them.
A lot of security professionals and others have realized that our traditional perimeter defenses are not stopping the bad guys from stealing data. At this week’s Gartner Security summit, the Gartner analysts are finally talking about data-centric security. If a hacker wants your data, you need to protect it by controlling access and use at the data level through continuous encryption and persistent security policies.
There is breach fatigue out there, but I think the signal-to-noise ratio is changing as everyone realizes that locking the data is the only way to stop this. Take a look at your sensitive data and think about using a data-centric approach to controlling it.
Photo credit Yvonne Esperanza