Data Security is a Moving Target

Data Breaches are expensive. IBM cites the average cost of a data breach at approximately $150 per record, an increase of 6% over the previous year. In the US, it’s even higher, at $217. Many small and medium enterprises (SMEs) don’t regularly take the time to audit their IT and data security policies, which may explain why, in 2013, a record 71% of breaches occurred in businesses with fewer than 100 employees. The average SME has about a 10% chance of suffering a data breach in any given year, for a total cost of between $500,000 and $1 million.

Data breaches can also reshape the management of an organization. Just this Friday, Katherine Archuleta, the director of the US Office of Personnel Management resigned after revelations that hackers had made off with more than 21.5 million people’s personal information, including sexual, drug, and credit history. She’s not the only executive casualty caused by a massive data breach. Target, Sony, AOL, and now Ashley Madison have all had C-Suite directors step down as a result of hacking.

The Federal data breach, and Ashley Madison (a dating site catering to those looking for affairs) hacks show a growing trend in which hackers seek increasingly personal information for exploitative purposes. While credit card data remains popular, personal history, fingerprints and location data have now become fair game. The Ashley Madison hack in particular, claimed by “The Impact Team,” was done by exploiting a “full delete” feature offered to Ashley Madison customers for $19.99. The fact was, Ashley Madison did not delete the data, and the associated credit cards meant Looking4Luv1972 could be clearly tied to a real name, address, and credit card number. It remains to be seen how Ashley Madison will weather the storm however it’s certain to effect their plans for a late 2015 IPO. More than 35 million site users’ information is at risk.

Even with such high profile examples of the catastrophic consequences of a data breach, many small organizations still don’t follow even the most basic protocols to protect their user data. Many simply don’t consider data security to be a top priority. Others feel that cloud applications managed by third parties are inherently secure. 33 % of small businesses lack even antivirus protection.

Help reduce your risk by following these recommendations:

  1. Implement an internal Data Access and Management Policy that clearly defines where different types of data resides, who can touch it, and what level of security each type of data needs. Once yearly, hold a data security continuing education training to remind all staff of these policies and procedures.
  2. Any removable device that leaves the office should be fully encrypted using a technology such as Microsoft’s completely free BitLocker technology. Should an employee device be stolen, hackers cannot simply plug the hard drive into their own computer and retrieve the contents. This applies equally to removable devices such as thumb drives, and is equally easy to implement.
  3. Consider using a Password Management technology such as LastPass or Keepass. These programs securely store credentials for all of your online accounts, helping you to use very strong passwords and ensuring you never use the same password for different sites, while remaining very easy to use.
  4. Keep all of your back-office data behind a VPN, and require external employees to authenticate via the VPN before gaining access to sensitive data. If you’re keeping data on premise, consider a solution such as Dell’s SonicWall line. If you’re located in a cloud datacenter, setup a site-to-site VPC.
  5. If running an externally accessible web service, make certain that it is fully encrypted with SSL. Likewise, if using products from other parties, ensure their services are running only over SSL as well.

Estimates place the worldwide impact of data breaches on the global economy at more than $575 billion, yet there seems to be a notable absence of any government wide plan to increase cyber security. China is far from the only concern. Groups from Russia, North Korea and Brazil are all common perpetrators. Critics of the current administration are calling for deterrent measures, including counter-attacks on foreign administrations and businesses.

Level of awareness on security standards is also lacking government-wide. The National Institute of Standards and Technology (NIST) continues to make revisions to its standards framework, including recent warnings about vulnerabilities in the Dual Elliptic Curve random number generator. The document is 76 pages long and focuses on improving security with redundancies and discrete staff roles that discourage collusion. However overall, many of the companies and agencies who have experience recent data breaches were found to be fully compliant with NIST or another common security framework (HIPPA, PCI-DSS, etc.).At Carrollton, we worry that security frameworks like this can lure companies into a false sense of security. They feel safe knowing they have a stamp of approval (ex: HIPAA certified) and don’t actively audit and revise their security processes. We feel data security should be an ongoing effort. If you have concerns about your company’s data security, please reach out to us at Inquiry@Carrollton.LA.