The truly sad thing about a webinar on Wednesday featuring Forrester Research security and risk analyst Heidi Shey — apart from it being called a "webinar", ugh! — was its depressing familiarity. Businesses keep making the same information security mistakes over and over again. That needs to stop.
Shey ran through the lessons we could learn from five of the biggest data breaches in the last year or so — eBay, Korean Credit Bureau, Adobe, the New York Presbyterian Hospital-Columbia University duo, and Target.
The lessons to be learned were, as I say, familiar — or, at least, they should be to any information security professional who's been paying attention.
The victim companies had failed to plan for failure, so once the bad guys were in, they could run amok. They failed to limit data access to those who truly needed it, or, if they had those controls, they failed to make sure they were working. They failed to monitor their databases, or use encryption properly. They needed better visibility into what was happening on their network — I bet that one was added to help the event's sponsor, Websense. They needed to prevent the use of removable media, or make better use of the "human firewall" by training people about data risks. They assumed that common off-the-shelf (COTS) tools were secure, or they assumed that their partner organisations were secure — and you know what they say about the word "assume". And so on.
All the usual stuff, right?
To move on from what Shey called this Golden Age of Hacking, we need to change our game. She recommends two key strategies.
One is to plan for failure.
Businesses need processes for responding to a data breach — in terms of who's responsible for communications, what channels they'll use, and how they'll say it, as well as the internal processes to respond to and contain a potential breach in the first place. eBay learned that one the hard way.
"It's about having an overarching data control strategy that you can then go and execute on in a very deliberate, proactive way," Shey said.
The other is to protect customer privacy and data like it's your own.
"In today's age of the customer, data protection really needs to be thought of as a corporate social responsibility [CSR]. One, because it's true. And two, because it's something that the rest of the company can really rally behind and feel good doing it — because it's the right thing to do," Shey said.
"This is really a topic that matters to customers today. The public is way more opinionated about security, privacy, breach response, than they've ever been before, with all the news of breaches that they see — and especially when consumers start to experience one, two, maybe more breaches themselves, it becomes much more personal. I don't think people expect that companies can stop every single determined hacker, or some kind of malicious insider, but they really do expect the companies they do business with to try to make it very, very hard."
Customer data protection needs to be right up there with product quality, safety, environmental protection, and anti-corruption processes. Framing it this way will help change people's mindsets, and elevate the discussion within the organisation.
"You could bring cost considerations into it, but typically, the way we've seen organisations do this is that it becomes more of a governing philosophy of sorts — not just for the infosec team, but for management in general," Shey said.
"It no longer becomes simply an IT thing or a security thing, but it's a real core business initiative and capability."
Companies following this approach have listed data protection in the CSR sections of their annual reports and other public communications. Typically, they'll describe the key things they're doing to support this initiative, whether that's increased investment in training for their employees, or something else.
"It's really a way to change our perspective and our mindset here — to get out of this whole cycle of reacting to bad things that happen, whether it's a breach, or a failed audit, or a query from the board. As security professionals, we need to think about starting to get recognised for the things that we are doing, rather than the things that we haven't done or didn't do yet."
I agree with everything Shey said.
So many privacy policies begin with a boast about how the organisation is committed to protecting customer privacy and protecting personal data. Maybe it's time for businesses to tell us, specifically, what they're doing to support that alleged commitment.