Data breaches pose one of the greatest threats to business and government. With the recent data breach at Equifax magnifying the problem of data loss in businesses and the public sector, it’s time for organizations to think hard about using data-aware protection to safeguard sensitive information.
The ever-changing cybersecurity landscape requires organizations to evolve beyond merely protecting the network perimeter and endpoints to implementing protections on the data itself. When data breaches are successful, the costs can be staggering. How much will it cost Equifax to offer credit monitoring to millions of people? What makes these data breaches so disheartening is that many could be avoided or mitigated by modernizing legacy IT systems and protecting information at the data or document level.
While years of investment have helped strengthen network and endpoint security, data continues to leak. Attacks continue to breach the perimeter, and insiders have accidentally or intentionally distributed sensitive information to unauthorized recipients. Phishing and other social engineering attacks are becoming more sophisticated, so traditional perimeter detection and prevention are becoming ineffective.
Situations like the Equifax data breach suggest that many organizations are not even doing the basics of security. Default passwords, running old software and not patching systems are some of the most common reasons for data breaches. Equifax even had references on its website to the Netscape browser, which has not been in use in almost 10 years. Some of this may be because IT departments are overwhelmed with daily tasks or have outsourced portions of their IT and security activities to third parties. Experian hired a third party to do a risk assessment of its infrastructure following the last breach. It seems the assessment and remediation efforts were not that effective.
Rather than solely focusing on the perimeter, protection mechanisms that are data-aware provide much stronger risk mitigation. The encryption of digital files using enterprise digital rights management (DRM) is the best way to thwart hackers or insider threats. Some organizations are also using attribute-based access control (ABAC) to limit access to specific data in databases or other information systems. Combining audit information from the ABAC system with the DRM-protected document interactions provides insights into who accessed sensitive data, when and from where. Since data protected by DRM can be dynamically controlled, incident response programs benefit from the ability to completely revoke access to sensitive information, even after it has left the organization.
We have reached a critical point in data security. We can either take the necessary steps to protect the data or cross our fingers and hope there will not be another major breach. That’s like hoping it doesn’t rain. It sounds great, but the reality is the next storm is around the corner.
Photo credit Merrill College of Journalism