A data breach survival guide

Matt Little asks how companies can identify, react to and guard against thieves, snoops and idiots.

Matt Little, VP/product development, PKWARE

It's getting progressively harder - some would say impossible - to keep thieves, snoops and idiots out of sensitive company information.

The Ponemon Institute's 2016 Cost of a Data Breach report puts the latest average consolidated total cost of a data breach at US$ 4 million (£3 million), up from US$ 3.8 million (£2.9 million) last year. Ponemon says the average cost incurred for each lost or stolen record containing sensitive and confidential information crept up from US$ 154 (£119) to US$ 158 (£122), and warned that the likelihood of a material data breach involving 10,000 lost or stolen records in the next 24 months is at 26 percent. Elsewhere, the UK Office for National Statistics (ONS) told The Guardian that one in 10 people in England and Wales were victims of cyber-crime this past year.

Data breaches became routine a long time ago. The Privacy Rights Clearinghouse website has been tracking breaches since 2005, and adds new victims to the casualty list almost daily.

Data thievery has thrived largely because organisations keep making the same mistakes. Everyone should assume they will eventually be breached, if they haven't been already.

Common breach causes

Most breaches have a common thread: Attackers penetrated the victim's network by capitalising on old software and application vulnerabilities for which security patches have long been available.

Meanwhile, IT shops still struggle to track chain of custody as data moves from one employee to the next. Unencrypted data continues to flow in and out of enterprise networks, despite myriad regulatory rules and industry standards that require encryption. For these reasons and more, attackers have had enormous success stealing data through the top nine methods outlined in the 2016 Verizon Data Breach Investigations Report:

1.    POS Intrusions

2.    Crimeware

3.    Cyber-espionage

4.    Insider Misuse

5.    Web App Attacks

6.    Miscellaneous Errors

7.    Physical Theft/Loss

8.    Payment Card Skimmers

9.    Denial Of Service

But there are common-sense steps organisations can take for a more ironclad defence. To that end, here's a survival guide to help companies better protect intellectual property, customer information and other sensitive data.

Defensive measures

The harsh reality is that it's become almost impossible to protect an organisation from data thieves. Despite security practitioners' best efforts, the bad guys are occasionally going to break through the walls built to stop them. But there are ways to keep information safe.

Recognise that people are the biggest part of the information security problem. Here are five steps organisations can take to protect their data with much greater success:

1.    Train employees early and often: Make security training a must for employees starting on their first day and continuing on a regular schedule. Teach them examples of good passwords versus those that are easy to crack. Educate them to identify phishing scams and repeatedly stress the importance of enabling security updates on their devices.

2.    Patch obsessively: Whether they're on your laptop or mobile device, many applications push out updates on a regular basis. Users sometimes ignore the alerts because they don't want to stop what they're doing to accept a download. Microsoft and Oracle have monthly and quarterly patching cycles for their software. But if automatic updates are turned off and security bulletins are ignored, vulnerable software remains easy pickings for attackers. Enterprises should configure everything so that patching is automatic, whatever the device or location. Don't leave it to end users to do the right thing.

3.    Discover and classify your information: Every organisation must get a handle on its unstructured data problem. Sensitive information lives in files stored everywhere: file servers, end-user workstations and devices, contractor systems and even cloud services. A discovery and classification process needs to be implemented to ensure information is handled appropriately by systems and personnel.

4.    Encrypt: If data is encrypted, the attacker can't make use of what he/she steals. The best defence is to encrypt the data itself, whether it's moving between devices or stored on a server. Security luminary Bruce Schneier makes a powerful case for encryption in his blog, saying that encryption works best if it's ubiquitous and automatic. “Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting,” he wrote.

5.    Control and keep track of data handlers: Employees should only have access to the data they need to do their jobs and serve customers. Those who do qualify for access should be bound by strict usage rules. If something bad happens, an organisation must be able to quickly nail down who accessed what, when and why. Chain of custody tracking is an important part of that. It also allows IT to monitor data flow and catch bad behaviour before it becomes a data breach.
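Steps 3 and 5 above are easiest to see in working code. The following is an added example, not PKWARE's or the author's code: it walks a directory tree, labels each file as restricted (contains a Luhn-valid payment card number), confidential (contains an e-mail address) or internal, and records a SHA-256 hash per file so later chain-of-custody checks can tell whether a classified file has changed. The sample files it builds are constructed test data (the 4111... number is a well-known Visa test value), and the three labels are assumptions for illustration.

```python
import hashlib
import os
import re
import tempfile

# 13-19 digit runs with optional space/dash separators; only Luhn-valid ones count as card numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which weeds out most ticket/serial numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d      # 10..18 -> digit sum
    return total % 10 == 0

def classify_text(text: str) -> str:
    """'restricted' if a Luhn-valid card number is present, 'confidential' if an e-mail address is, else 'internal'."""
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "restricted"
    return "confidential" if EMAIL_RE.search(text) else "internal"

def scan_tree(root: str) -> dict:
    """Walk root and return {relative path: (label, sha256)}; the hash lets later custody checks detect changes."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            label = classify_text(data.decode("utf-8", errors="ignore"))
            findings[os.path.relpath(path, root)] = (label, hashlib.sha256(data).hexdigest())
    return findings

def build_sample_tree() -> str:
    """Write a small constructed file set (test card number, fake address) to a temp dir and return its path."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "staff"))
    samples = {
        "orders.csv": "id,card\n1,4111 1111 1111 1111\n",
        "staff/contacts.txt": "alice@example.com\n",
        "readme.txt": "Build notes, nothing sensitive. Ticket 20160101123.\n",
    }
    for rel, text in samples.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root
```

Re-running scan_tree on the same tree and comparing the stored hashes is the simplest form of the custody check described in step 5.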

Contributed by Matt Little, VP/product development, PKWARE