No matter how immune you think your systems and security processes are, these days data breaches are unavoidable.
Historically, a data breach was impossible as systems and networks were standalone and inaccessible. Nowadays, everything is in the cloud or on the internet. Not only that, but the overall increase in processing power means that the ability to operate sophisticated attacks has also increased, and all we can do is accept it.
Yes, you will incur data breaches. Yes, your data can be accessed, and yes, despite that, you can protect it.
The amount of data that organisations are creating today continues to grow (borne out by the amount of storage required). The Symantec 2011 Annual Study: The UK Cost of Data found that the cost per capita has risen to £79 from £71 in the previous study.
It is this increase in per capita exposure that suggests that attacks are homing in on information that is desirable, rather than large amounts of information that may bear something useful.
Most businesses are likely to come across one of three types of attackers. The traditional hackers will try to find vulnerabilities with your software and systems and provide feedback on where faults are.
Crackers are a different breed: they try to find holes that they can exploit; they'll take your data, use it and sell it.
The script kiddies are the chancers of the bunch and the most dangerous. They hit Google, find a script and chance an attack. This can be anything from an ex-girlfriend's Facebook account to your customer's bank details. They are the most dangerous because they have no concept of what it is they are trying to do.
Today, it is generally held that no organisation is breach-proof, rather that breaches are going to occur. It is perhaps this laissez-faire attitude to information security that is accounting for an apparent reduction in the breadth of security breaches.
For information security managers, the goal now is to make sure that the information that is accessed during a breach is utterly worthless to the attacker. A good example of this is where obfuscation is used, for instance only displaying the last four digits of credit card numbers unless the user has the correct privilege to unlock the rest of the details, or encrypting information that is safe in the hands of the owner.
This means that a company can accept that data may be accessed during a breach, but that it is utterly worthless to the attacker and it doesn't matter whether you use cloud computing or locally host your data.
A useful benefit of using keys to secure data is that in order to securely 'delete' the data, all that actually needs to be destroyed is the key. Once the key is destroyed, so is the data.
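The two controls described above, last-four-digit masking and deletion by key destruction, are sketched below as an added example that is not part of the original article. The `Vault` class, its method names and the card number are constructed for illustration, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import secrets

class KeyDestroyed(Exception):
    """The owner's key has been shredded; the record is unrecoverable."""

def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: stdlib-only stand-in for AES-GCM (assumption).
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += _prf(key, nonce + counter.to_bytes(4, "big"))
    return bytes(a ^ b for a, b in zip(data, stream))

class Vault:
    def __init__(self):
        self._keys = {}    # owner -> master key; belongs in an HSM/KMS, apart from the data
        self.records = {}  # owner -> (nonce, ciphertext, tag): all a breach of the store yields

    def store(self, owner: str, card_number: str) -> None:
        key = self._keys.setdefault(owner, secrets.token_bytes(32))
        nonce = secrets.token_bytes(16)
        ct = _xor_stream(_prf(key, b"enc"), nonce, card_number.encode())
        self.records[owner] = (nonce, ct, _prf(_prf(key, b"mac"), nonce + ct))

    def read(self, owner: str, privileged: bool = False) -> str:
        key = self._keys.get(owner)
        if key is None:
            raise KeyDestroyed(owner)
        nonce, ct, tag = self.records[owner]
        if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
            raise ValueError("record was modified")
        number = _xor_stream(_prf(key, b"enc"), nonce, ct).decode()
        # Obfuscation: only a privileged caller sees more than the last four digits.
        return number if privileged else "*" * (len(number) - 4) + number[-4:]

    def shred(self, owner: str) -> None:
        # Secure 'delete': drop the key, leave the ciphertext where it is.
        self._keys.pop(owner, None)
```

After `shred()`, the ciphertext still sits in `records` (and in any backups of it), but `read()` raises `KeyDestroyed` because nothing remains that can decrypt it.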
Si Kellow is security consultant and chief security officer at Proact