Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. In April, a Pew Research study showed 18 percent of online Americans have had personal information stolen. September brought survey results from the Ponemon Institute revealing 43 percent of organizations had suffered a security breach in the past 12 months. 2014 closed with an investigation into the Sony breach and a White House announcement about new cybersecurity initiatives.
With all of the resources dedicated to legislative compliance in recent years, how is this situation still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, too many companies focus on achieving compliance at the expense of security.
Guidelines Are Simply a Beginning
A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But, do we let newly “certified” drivers loose on busy highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to consider.
One flaw in the guidelines is the assumption that everyone else is adhering to the same rules—something that every speed limit sign and red light camera shows isn’t true. Experienced drivers understand that many things aren’t included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and improvise—sometimes with little or no warning—to avoid an unplanned disaster.
The same is true of computer security. Regulations like Sarbanes-Oxley and HIPAA were never meant to intricately detail how to protect your IBM i database from misuse. These two common regulations (and many others) are basic guidelines regarding access to critical business data. Focusing solely on satisfying compliance can be misguided, and might lead an organization to assume they are secure. In 2014, hundreds of new organizations joined the ranks of those that discovered the reality of making this assumption.
Don’t Sacrifice Security for Compliance
Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure will make that objective easier to achieve. A compliance standard typically requires new business processes and procedures, but the technology aspect of compliance is usually left to the interpretation of an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that you don’t rely on compliance directives as the sole guideline for protecting data access.
Using the analogy of new drivers, testing is important to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and employing good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.
Make the Commitment Today
Businesses need to get smarter and become more committed to security. They must allocate a budget to assess and mitigate the largest risks and acknowledge that controls probably will be compromised at some point. The goal is to develop a plan to address possible breach scenarios BEFORE you find yourself in the middle of one. The plan should include the deployment of technology for the timely detection and alerting of a problem, and training of employees designated to respond and react. This is not just theoretical—a number of recent breaches involved warning signs that were not responded to correctly. Many employees never receive adequate training on their company’s security tools, leading to a false sense of security by management.
Look at the Big Picture
Don’t secure only the data at rest in the data center; look at the entire data lifecycle. And, expect the unexpected. Many of last year’s breaches involved collecting credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element, so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify a lost laptop as a traditional breach, the Ponemon Institute reports that it happens 637,000 times at U.S. airports every year!
For most organizations, corporate budgets have been established for the upcoming year. If yours doesn’t include money for security-related projects, focus on fully leveraging your existing investments and staff resources for now. Ensure that employees are trained and are optimizing their tools. Remember, while we hope that this year is a vast improvement over last, it’s never too early to start planning for next year.
In 2015, let’s start taking security more seriously.