Saving Your Company from a Data Breach Nightmare

Efforts to reduce the risk of a data breach must focus on reducing the likelihood of the event occurring, according to Mike Paquette.

High-profile data breaches such as the early 2007 TJX incident and the more recent case of fraud at the Société Générale have quickly raised awareness of the problem. The data breach has now become a significant risk factor within many organizations’ risk profiles. From corporate risk officers to IT administrators, reducing the likelihood of an accidental or malicious breach of customer or company data has quickly moved up the list of priorities. While increased awareness of the risk is a positive step, actually reducing the risk is proving to be a significant organizational and technological challenge.

In many risk analyses, a risk factor is measured as the product of the likelihood of an event happening and the impact of that event’s occurrence. Although a data breach is no longer an automatic death sentence for a corporation, it is generally accepted that the remediation costs, fines and negative publicity of a disclosed data breach constitute a major negative impact on the mission of the organization. Efforts to reduce this risk must therefore focus on reducing the likelihood of a data breach occurring at all.

The seemingly logical approach of “locking down” access to confidential data flies in the face of today’s Web 2.0 trends, where our dependency on the Internet and IT in general continues to increase. How can organizations reduce the risk of a data breach while enabling the commerce, collaboration and interactions that actually drive their mission?

It turns out that there is no simple formula that yields significantly reduced risk of a data breach. Instead, as with many risk factors, it takes the application of education, policies and technology to reduce this risk.

It is important to realize that the threat of a data breach comes from so-called cyber-criminals as well as from trusted employees and third parties. In a May 2007 study, the Ponemon Institute found that while the vast majority of data breaches occurred due to missing devices, IT mishaps or negligence, a significant 12 percent of reported data breaches were attributed to criminal activity or malicious employees.

Give or Take?

One way to view the risk of a data breach considers the “give” and “take” causes of data breaches. The “give” category comprises data leakage incidents caused by the accidental or negligent actions of a person trusted with access to the data. Disclosure of confidential company news, R&D plans, trade secrets, intellectual property and employee information all fall into this category. These incidents occur when individuals leave documents in a public place, mistype an e-mail address or forget a laptop on an airplane.

The “take” category includes incidents where data, or the media on which the data is stored, is stolen or otherwise misappropriated. This category includes laptop theft, phishing and a wide variety of malware-initiated incidents in which information is stolen from computers after they become infected.

A Give and Take Plan for Data Protection

Organizations should consider both the give and take when creating a data breach risk reduction plan. On the surface, the solution is quite simple – make it harder for trusted people to “give” away data and make it harder for those with malicious intentions to “take” it. Oh, and try to achieve these goals without negatively impacting the mission goals of the organization.

User education, creating and enforcing physical security and data protection policies, and effective deployment of technology can all play a part in reducing the likelihood of data breaches, but these three elements must be applied differently to protect against the give and against the take.

Protecting Against the Give Data Breach

Stated in its simplest form, don’t let trusted individuals give away data, or at least make the data unusable when they do! Educate organizational members on how to label and treat confidential information. Inform users that external e-mail should not be assumed to be private, and must not contain sensitive company or customer information.

Create policies that restrict the location and mandate the control of physical media that contains the information. For example, reduce the risk of laptop theft with a policy that provides every laptop user with physical security devices for home, office, car and hotel. Make it a policy that the laptop is not to be left unsecured anywhere.

Use technology such as hard-disk encryption to ensure that even if/when computers or media are lost, the data is likely to remain uncompromised. Also, consider the use of data leakage detection tools that monitor information sent out of the organization’s network, looking for sensitive or confidential information.
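To make the two controls above concrete, here is an added example (not code from the article or from any product it mentions) of the kind of check a data leakage detection tool applies to outbound e-mail: it looks for the confidentiality labels that users are taught to put on documents, and for payment card numbers, validating candidates with the Luhn checksum so that ordinary order numbers are not flagged. The marker strings and the sample messages are assumptions constructed for the example.

```python
import re

# Constructed sample of outbound e-mail bodies (not real data) of the kind
# a leakage monitor inspects at the network egress point.
SAMPLE_MESSAGES = {
    "msg-1": "Hi Bob, attached are the Q3 numbers. Regards, Alice",
    "msg-2": "CONFIDENTIAL - Internal Use Only\nR&D roadmap for the next product line attached.",
    "msg-3": "Customer card on file: 4111 1111 1111 1111, exp 12/29",
    "msg-4": "Order ref 4111111111111112 shipped today",  # fails Luhn, not a card
}

# Labels the organization applies to confidential documents (assumed convention).
CONFIDENTIAL_MARKERS = ("CONFIDENTIAL", "INTERNAL USE ONLY", "TRADE SECRET")

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return digit strings in text that look like cards and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_markers(text):
    """Return the confidentiality labels present in text (case-insensitive)."""
    upper = text.upper()
    return [m for m in CONFIDENTIAL_MARKERS if m in upper]


def scan_message(text):
    """Classify one outbound message: 'block' on any finding, else 'allow'."""
    markers = find_markers(text)
    cards = find_card_numbers(text)
    return {
        "markers": markers,
        # Mask all but the last four digits so the monitor's own log
        # does not become a second copy of the sensitive data.
        "cards": [c[-4:].rjust(len(c), "*") for c in cards],
        "action": "block" if (markers or cards) else "allow",
    }


def scan_all(messages):
    """Scan a mapping of message id -> body and return a verdict per message."""
    return {mid: scan_message(body) for mid, body in messages.items()}


if __name__ == "__main__":
    for mid, result in scan_all(SAMPLE_MESSAGES).items():
        print(mid, result)
```

Running the block flags msg-2 on its labels and msg-3 on a Luhn-valid card number, while msg-4 (a 16-digit order reference that fails the checksum) and msg-1 are allowed through; in a real deployment the "block" verdict would usually be a quarantine-and-notify rather than a silent drop, so that a legitimate sender can correct the message.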

Protecting Against the Take Data Breach

Again in its simplest form, don’t let malicious employees or cyber criminals steal data from your organization.

Educate organizational members on how to defeat social engineering attempts. Re-educate IT users not to execute files attached to received e-mails, and make it clear to users “Don’t Click That Link!” Tempt-to-click e-mails and instant messages are likely to remain a primary method for infecting computers with malware, which can lead to stolen company and personal information.

Create policies that govern use of laptop computers in public Wi-Fi zones, perhaps by mandating VPN usage for all Internet access from these environments. Ensure that all users with smart-phone access to the organization’s e-mail system are using passwords on the mobile device. Enforce a policy regarding use of public computers to access company e-mail.

Use technology to reduce the risk of compromised computers that can lead to a data breach. Deploy endpoint security software, manage desktops, and keep software (not just operating systems) patched. Install Network Intrusion Prevention System (IPS) technology, which is very effective in reducing the likelihood of protected computers being compromised. Consider some type of Network Admission Control (NAC) to keep compromised computers off the organizational network. Network IPS, NAC and data leakage solutions complement each other to create a comprehensive information protection architecture.

The rapid growth of the data breach highlights a current imbalance in the equation that plays off user convenience against data protection. It’s time for a little give and take to restore balance to our IT-dependent world.
