Start 2012 With A Clean Slate
Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. Privacyrights.org, a consumer advocacy organization, reports that 2011 witnessed a staggering 547 breaches involving more than 30 million records. Companies ranged from small non-profits all the way up to industry giants such as Bank of America, Sony, and Epsilon. Interestingly, 86 of those breaches (involving almost 120,000 records) involved insiders with some level of legitimate access. With mitigation costs now surpassing an estimated $200 per record breached, we’re talking about some pretty serious money!
With all of the current investment and focus on legislative compliance, how is this even still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, one of the biggest culprits is that too many companies are focused solely on achieving compliance at the expense of security.
A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But do we let newly “certified” drivers loose on the busiest of highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to be considered. The flaws in the guidelines start with the assumption that everyone else also is adhering to the same rules—something that every speed limit sign and red light camera knows isn’t true. And experienced drivers understand that there are many things that aren’t even included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and even improvise—sometimes with little or no warning—to avoid an unplanned disaster.
The same holds true with computer security. Regulations like Sarbanes-Oxley and HIPAA were never intended to intricately detail how to protect your IBM i database from every possible type of misuse. These two common regulations, and many others just like them, are nothing more than basic guidelines for overseeing access to critical business data. While important, focusing solely on satisfying compliance can be misguided, and might lead an organization into the assumption that it is also secure. In 2011, hundreds of organizations joined the ranks of those that have already discovered the reality of this assumption.
Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure undoubtedly will make that objective easier to achieve. New business processes and procedures typically will be required by a compliance standard, but the technology aspect of compliance usually is left to the interpretation of an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that compliance directives not be relied on as the sole guideline for protecting data access.
In the analogy of our new drivers, testing is important and has its place to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and deploying good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.
Businesses are going to have to get smarter and more committed to security. They must allocate a budget to assess and mitigate the largest risks, and acknowledge that, sooner or later, controls probably will be compromised. The goal is to develop a plan to address possible breach scenarios BEFORE you’re unlucky enough to find yourself in the midst of one. The plan should include the deployment of appropriate technologies to assist with the timely detection and alerting of a problem, but also (gasp!) the training of employees who are designated to respond and react. This is not just theoretical, as a number of recent breaches involved warning signs that were not correctly responded to. Many employees never receive adequate training on their company’s security tools—this simply leads to a false sense of security among management.
Don’t secure only the data at rest in the data center; take a look at the entire data lifecycle. And, expect the unexpected. Many of the breaches from last year involved the collection of credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and even unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element, so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify this as a traditional breach, the Ponemon Institute reports that laptops go missing 637,000 times at U.S. airports every year!
For most organizations, corporate budgets already have been established for the upcoming year. If yours doesn’t include monies for security-related projects, focus on fully leveraging the existing investments and the staff resources already in place for now. Ensure that employees are trained and optimizing the tools they’ve been given. And remember, while we hope that this year shows a vast improvement over last, it’s never too early to start planning for next year.
In 2012, let’s all resolve to start taking security more seriously.
If you would like information on the solutions modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.
Cheers!
- rt

Robin Tatam is the Director of Security Technologies for