Security Magazine

Saving Your Company from a Data Breach Nightmare

May 1, 2008
Efforts to reduce the risk of data breach must focus on reducing the likelihood of the event from occurring, according to Mike Paquette.


High profile data breaches such as the early 2007 TJX incident and the more recent case of fraud at the Société Générale have quickly raised the awareness of the problem. The data breach has now become a significant risk factor within many organizations’ risk profiles. From corporate risk officers to IT administrators, reducing the likelihood of an accidental or malicious breach of customer or company data have quickly moved up the list of priorities. While increased awareness of the risk is a positive step, actually reducing the risk is proving to be a significant organizational and technological challenge.

In many risk analyses, risk factors are measured by the product of the likelihood of an event happening and the impact of that event’s occurrence. Although a data breach is no longer an automatic death sentence for a corporation, it’s generally accepted that the remediation costs, fines and negative publicity of a disclosed data breach constitute a major negative impact to the mission of the organization. Efforts to reduce this risk must therefore focus on reducing the likelihood of a data breach from occurring at all.

The seemingly logical approach of “locking down” access to confidential data flies in the face of today’s Web 2.0 trends, where our dependency on the Internet and IT in general continues to increase. How can organizations reduce the risk of a data breach while enabling the commerce, collaboration and interactions that actually drive their mission?

It turns out that there is no simple formula that yields significantly reduced risk of a data breach. Instead, as with many risk factors, it takes the application of education, policies and technology to reduce this risk.

It is important to realize that the threat of a data breach comes from so-called cyber-criminals as well as from trusted employees and third parties. In a May 2007 study, the Ponemon Institute found that while vast majority of data breaches occurred due to missing devices, IT mishaps or negligence, a significant 12 percent of reported data breaches were attributed to criminal activity or malicious employees.

Give or Take?

One way to view the risk of a data breach considers the “give” and “take” causes of data breaches. The “give” category comprises data leakage incidents caused by the accidental or negligent actions of a person trusted with access to the data. Disclosure of confidential company news, R&D plans, trade secrets, intellectual property and employee information all fall into this category. These incidents occur when individuals leave documents in a public place, mistype an e-mail address or forget a laptop on an airplane.

The “take” category includes incidents where data, or the media on which the data is stored, is stolen or otherwise misappropriated. This category includes laptop theft, phishing and a wide variety of malware initiated incidents where information is stolen from computers as a result of becoming infected with malware.

A Give and Take Plan for Data Protection

Organizations should consider both the give and take when creating a data breach risk reduction plan. On the surface, the solution is quite simple – make it harder for trusted people to “give” away data and make it harder for those with malicious intentions to “take” it. Oh, and try to achieve these goals without negatively impacting the mission goals of the organization.

User education, creating and enforcing physical security, data protection policies, and effective deployment of technology can all play a part in reducing the likelihood of data breaches, but there are different applications of these three elements required to protect against the give and the take.

Protecting Against the Give Data Breach

Stated in its simplest form, don’t let trusted individuals give away data, or at least make the data unusable when they do!    Educate organizational members on how to label and treat confidential information. Inform users that external e-mail should not be assumed to be private, and must not contain sensitive company or customer information.

Create policies that restrict the location and mandate the control of physical media that contains the information. For example, reduce the risk of laptop theft with a policy that provides every laptop user with physical security devices for home, office, car and hotel. Make it a policy that the laptop is not to be left unsecured anywhere.

Use technology such as hard-disk encryption to ensure that even if/when computers or media are lost, the data is likely to remain uncompromised. Also, consider the use of data leakage detection tools that monitor information that is sent out of the organizations network, looking for sensitive or confidential information.

Protecting Against the Take Data Breach

Again in its simplest form, don’t let malicious employees or cyber criminals steal data from your organization.

Educate organizational members on how to defeat social engineering attempts. Re-educate IT users not to execute files attached to received e-mails, and make it clear to users “Don’t Click That Link!” Tempt-to-click e-mails and instant messages are likely to remain a primary method for infecting computers with malware, which can lead to stolen company and personal information.

Create policies that govern use of laptop computers in public Wi-Fi zones, perhaps by mandating VPN usage for all Internet access from these environments. Ensure that all users with smart-phone access to the organization’s e-mail system are using passwords on the mobile device. Enforce a policy regarding use of public computers to access company e-mail.

Use technology to reduce the risk of compromised computers that can lead to a data breach. Deploy endpoint security software, manage desktops, keep software (not just operating systems) patched. Install Network Intrusion Prevention System (IPS) technology, which is very effective in reducing the likelihood of protected computers being compromised. Consider some type of Network Admission Control (NAC) to keep compromised computers off the organizational network. Network IPS, NAC and data leakage solutions complement each other to create comprehensive information protection architecture.

The rapid growth of the data breach highlights a current imbalance in the equation that plays off user convenience against data protection. It’s time for a little give and take to restore balance to our IT-dependent world.