It is Spring again, and the national pastime is in full swing. This year Spring also brought knowledge of the Heartbleed Bug – another threat to the security of information stored and transmitted online. And just as baseball is a fixture of the American landscape, so too unfortunately are data breaches and other information security threats.
As of April 29th, the Identify Theft Resource Center (ITRC) has identified 260 breaches (affecting over 8 million records) that have taken place in 2014 alone. Likewise, the ITRC recorded 614 breaches in 2013, a 30% increase over the 470 breaches it reported in 2012. Each new major data breach (think Target) is reminiscent of those that have come before it (Citibank, Sony, Heartland, Countrywide, etc.).
MLB Hall of Fame catcher Yogi Berra, during his more than 50 years as a Major League player, manager and coach, offered (unwittingly or otherwise) baseball and its reading and listening public a great deal of wit and wisdom.
In the spirit of the season, several of Berra’s “Yogi-isms” also offer guidance for businesses facing the challenges of protecting information.
“You can observe a lot by watching.” (Know Your Information and How and Where You Store It and Send It)
Information is an asset. You cannot protect information or use it effectively until you can locate and identify it, categorize it (determine its value), and track it:
Where is information stored in your organization, and where does it go within the company and beyond?
What information do you collect and store that is considered sensitive (at risk) and worthy of protection?
Who has access to sensitive information?
How is information currently being protected?
Mapping and assessing current information practices is a necessary step in creating an effective information security program.
“If you don’t know where you are going, you might end up somewhere else.” (Take Responsibility and Plan for Information Risks)
Every business needs to be prepared to respond to an event that could compromise its information or information systems (computers and computer networks):
Recognize that information security touches every part of the organization;
Designate one or more individuals with authority, responsibility, and accountability for managing and securing information;
Create, implement, and update policies and procedures to manage information risk, including but not limited to:
An incident response plan;
Business continuity arrangements;
Information retention and destruction policies consistent with corporate needs, legal responsibilities, and business risk.
Consider insurance policies particular to information risk; and
Deploy appropriate computer technology to prevent, detect, and manage threats.
“Never answer an anonymous letter.” (Train Your Employees to Detect Phishing Emails and Other Security Threats)
The threat to computer networks caused by “phishing” -- attempts to acquire sensitive information by pretending to be a reputable entity in an email -- is significant. According to the latest Verizon Business Data Breach Report, over 95% of targeted attacks start with a phishing email. The same Verizon Report makes a more startling observation: a phishing campaign that sends 20 emails has almost a 100% probability of getting at least one click.
All organizations must train their employees to be skeptical of suspicious emails, and to report suspected phishing messages. Employee training and awareness is a necessary component of an information security program, as are “layered security” or “defense-in-depth” mechanisms that may prevent or limit a system compromise brought about by clicking on a phishing email.
“If people don’t want to come to the ballpark, nobody’s going to stop them.” (Protecting Information is Good Business)
The damage that results when sensitive information is disclosed without authorization can take several forms. In addition to the financial and regulatory losses and burdens a company faces in the wake of a breach, the damage to its reputation may be the most significant and lasting. Losing a customer’s information compromises trust, a very valuable asset in a competitive market. Protecting information assets protects the value of the company.
Conclusion: “The future ain’t what it used to be.”
Effective information security is a moving target and an ongoing process that requires a combination of people, processes, and technology. As the last several years have demonstrated over and over again, hackers and other threat actors continue to become more sophisticated and pervasive. As a result, standing still is not an option, and instead an organization must evaluate and update its security policies, training, and technology on a regular basis.