Over the last decade, a majority of the world’s population has embraced a digital lifestyle, from email and social media accounts to using credit and debit cards for most financial transactions. We simply assume that our digital data is safe and that the businesses or services we entrust it to have adequate security measures in place. It is no wonder, then, that experts claim security risks are the biggest threat to a company’s reputation. After all, buying decisions are based on trust.
JP Morgan, one of the largest American banks and one whose security was often compared to Fort Knox, was recently hacked. At Target, a single massive data breach exposed the card details of up to 40 million customers and cost the company $148 million. The same malware appears to have struck Home Depot recently, by some estimates exposing up to 60 million users. Google is still trying to repair the reputational damage caused by 5 million Google accounts and passwords showing up on a Russian site, though it has yet to be determined whether the list is genuine or whether it is actually a honeypot from Google. These are all large firms with deep pockets. The risk is higher for smaller businesses, where direct losses and potential lawsuits can add up to a sum the business cannot absorb.
Security Measures and Metrics
Willy Leichter, Global Director Cloud Security at CipherCloud offered some insights, “Like all aspects of cyber security, defence requires an ecosystem approach to protect through the IT stack. Encryption can play a key role in protecting data if applied properly. Careful monitoring of users and network traffic has always been essential to security.”
Patrick Harbauer is a Senior Security Consultant at Neohapsis, with CISSP, QSA and MCSE certifications. His primary focus over the past several years has been performing security risk, compliance and architectural assessments to help IT organizations build security into the architecture and operations of their IT systems. Based on his experience, Harbauer advised on security measures businesses should actively adopt. “In addition to logging and monitoring, other examples are effective vulnerability and patch management solutions, sound change control procedures, regular review of firewall rule sets, access controls that enforce the principle of least privilege, secure coding practices, strong encryption solutions and effective network and application penetration testing, remediation and retesting. Specific security metrics should be in place that can quickly tell management and internal audit when there has been a drop in the effectiveness of critical security controls.”
Leichter added, “Third-party certification is a good starting point, but most certifications rely on self-reporting; not a reliable way to assess actual vendor practices.”
Dealing with Security over the Cloud
With many firms moving their processes to cloud-based services, the attack surface widens considerably. Leichter elaborated, “In the past, enterprises could secure their network perimeter and maintain reasonable control to ‘keep the good stuff in’ and ‘keep the bad guys out.’ But as these systems move to the cloud, businesses have inherently less control over who can access sensitive data, where that data is stored, and how potential breaches are monitored.”
Even if a data security breach originated with the cloud service provider, under US law, it is . Drawing on his experience, Leichter shares insights into protecting data when using cloud-based services:
“So for the cloud, we need a lifecycle approach to protecting data from the moment it leaves the network’s edge:
Cloud discovery to identify and risk score all cloud applications in use at the enterprise
Data loss prevention (DLP) engine to set policies for data access
Security controls like data level encryption and tokenization to scramble sensitive data, like credit card numbers or birth dates, into gibberish for unauthorized viewers
Continuous monitoring to detect and flag suspicious access activities for data in all the clouds in use”
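The DLP and tokenization items in Leichter's list are the two that can be shown in code. The following is an added example, not CipherCloud's product or any code from the page: an outbound DLP pass that finds candidate card numbers with a regex, confirms them with the Luhn check so order and phone numbers are left alone, and swaps each real PAN for a random token issued by a vault. The in-memory `TokenVault`, the `PAN_RE` pattern, the role check in `detokenize` and the sample text are all this example's own simplifications; a production vault would be a separately hardened service with encrypted storage and audit logging.

```python
"""Added example: outbound DLP scan plus a tokenization vault for card numbers.
Not code from the page or from any vendor named in it; regex, Luhn check,
in-memory vault and sample text are this example's own constructions."""
import re
import secrets

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
DIGITS = "0123456789"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random tokens for PANs and holds the only mapping back.

    Tokens keep the PAN's length and last four digits (for customer service)
    and are built to FAIL the Luhn check, so a token can never be mistaken
    for, or collide with, a live card number.
    """

    def __init__(self, authorized_roles=("payments",)):
        self._pan_to_token = {}
        self._token_to_pan = {}
        self._authorized_roles = set(authorized_roles)

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:       # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the role that genuinely needs the PAN may reverse a token."""
        if role not in self._authorized_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._token_to_pan[token]


def scan_and_tokenize(text: str, vault: TokenVault) -> tuple[str, list[str]]:
    """DLP pass: validate every candidate and replace real PANs with tokens."""
    issued = []

    def _swap(m):
        pan = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(pan):
            return m.group(0)               # digit run that is not a card number: leave it
        token = vault.tokenize(pan)
        issued.append(token)
        return token

    return PAN_RE.sub(_swap, text), issued


def contains_live_pan(text: str) -> bool:
    """Post-scan check: does any Luhn-valid 13-19 digit run remain?"""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group(0)))
               for m in PAN_RE.finditer(text))


if __name__ == "__main__":
    # Constructed sample: one real-looking (test) card number and one look-alike order number.
    SAMPLE = "Order 1234567890123 for card 4111 1111 1111 1111 exp 12/26"
    vault = TokenVault()
    redacted, tokens = scan_and_tokenize(SAMPLE, vault)
    print(redacted)
    print("live PAN left behind:", contains_live_pan(redacted))
    print(vault.detokenize(tokens[0], role="payments"))
```

The order number survives the scan because it fails Luhn, the card number leaves the network edge only as a token, and the one role allowed to call `detokenize` is the only place the real PAN ever reappears; `contains_live_pan` is the kind of check the continuous-monitoring step in the list would run over data already in the cloud.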
The Human Element in Cyber Security
Harbauer emphasizes the importance of vigilance and the human element in preventing such crimes, “As we have seen with some of the recent major breaches, there were thousands of security alerts generated that nobody acted on. So even if best of breed hardware and software security solutions are in place, the human element must still be there for these technologies to be the most effective.”
Some firms tend to see IT staff in a supporting role rather than as core to the organization’s functioning. That can be disastrous in the long run. Harbauer shares, “I see high employee turnover and understaffed IT organizations all the time. I think this is a major contributor to the security incidents we’ve seen recently. There needs to be an internal audit function that oversees key IT managers and personnel and monitors their activities to make sure that controls are still in effect, especially when there has been employee turnover.”
At the end of the day, responsibility for all data security, whether for internal data or customers’ data, lies solely with the organization. Mere compliance with industry norms is no longer sufficient. Organizations need to proactively ensure the security of all their digital assets, since any lapse is likely to result not just in reputational loss but in a direct financial hit to the bottom line.