Prime Factors Blog

Lessons to Be Learned from Major Data Breaches

Posted by Pete Flagella on Aug 25, 2016 10:00:00 AM


Maybe when you hear about a major data breach, your first reaction is happiness that it wasn't your company that was targeted. The headaches that stem from a breach are substantial for everyone affected, and it's not abnormal to experience relief that it hasn't happened to you. However, once that initial reaction has subsided, hopefully you're looking into what occurred so that it's less likely to happen to you. With so much information zipping around and opportunistic minds noticing how easy it is to get their hands on that data, it's really not a surprise that network security has failed us as much as it has. We'll share some of the lessons that can be learned from data breaches, so that you can keep a more proactive approach in mind at all times.

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Lesson One: Centralize Your Approach

The more people and data you add to your organization, the more complicated it gets. Companies may find themselves constantly trying to solve problems on a one-off basis, then laying down a blanket approach to try to cover all of the bases. Sometimes this can't be helped, as with a company that is experiencing tremendous growth in a short time span. At other times, it's a question of whether or not a company is properly preparing itself for an unknown future. If you can't name the person or people who are actively monitoring your company's precious data, you aren't alone. Many companies are opening themselves up to risk due to high turnover and the loss of the type of institutional knowledge that comes from working with a system for a long time. You may find that administrative rights to your information run rampant across your company, meaning a lower-level employee who makes a simple mistake could lead to the ultimate takedown of your company. Instead, the lesson here is to concentrate on getting strong leadership that is as rock-solid as possible, both in terms of company standing and in experience.

Lesson Two: Determine Your Risk

When LifeLock's CEO was famously hacked after bragging about how impervious he was to cybercriminals everywhere, his company certainly looked a little foolish. Smart toys that interact with children, dating websites like Ashley Madison, controversial organizations: some companies are simply more likely to be targeted than others. If you stir up a lot of feelings with the general public, then there are that many more eyes and ears focused on what you stand for. From poorly perceived customer service to commonly protested practices, you need to be doing everything possible to mitigate negative perceptions of your company, and if that's not possible, then employ the very best methods to ensure that your security stays on the cutting edge. You also have to look at the convenience factor of your business. For example, gas stations have swipe credit card machines that are not closely monitored, and a criminal can place a skimmer onto the machine, taking the information from unsuspecting customers who stop to fill up. A store staffed by one employee who frequently needs to step away from the register could suffer that same fate too. No matter what kind of enterprise you run or are in charge of, the lesson is clear here: if you work with confidential information, you're always at risk for a data breach. This lesson is more about understanding where you fit into the larger security picture.

Lesson Three: Costs Are Out of Control

Target spent $100 million to upgrade their payment processing machines after their hack, and much more to implement better security practices beyond EMV technology. Financial institutions spent twice that to cancel and reissue cards to all of their users. The average cost of a breach is over $3 million for larger organizations. Your company likely does not do business on the scale that Target does, but this is a prohibitive amount of money to spend on something that could be avoided. Because of these types of precedents, insurance companies understandably become nervous about insuring companies against financial fraud or identity theft breaches, or heavily limit their liability. Protecting yourself now with the best techniques on the market makes your security stronger and could even potentially lower your policy costs. Also, the law continues to evolve in terms of who pays for what as new standards come to light. One instance of the originally responsible parties changing the rules has already occurred with the liability shift in October 2015, where credit card companies lobbied to ensure they won't be required to pick up the cost of wrongful purchases made with stolen credit card data unless merchants use EMV chip technology. When better methods become available for businesses, it doesn't always make sense for companies to switch systems. However, in the case of security breaches, there may be less choice in the matter than you realize without risking your entire organization's future.

Lesson Four: Technology Is Useless Unless It's Simplified

Passwords are a simple safeguard that companies continue to struggle with. They're worth talking about because you may be seeing the same struggle in your own organization. When passwords are rarely changed or easy to guess, it can be an overlooked factor that ends in chaos. Even the banks struggle with getting their customers to use the right passwords, and even then may have customers accessing sensitive financial information on open networks when they check their statements in a public place. Statutory accounting principles have helped large enterprises develop consistent methods for logging information and keeping everyone updated about changes. However, many organizations have seen a backlash against using the system from frustrated employees who are tired of learning something just to have it change the next day. The more workarounds people find or the more they resist a new way of doing things, the more likely it is that mistakes will be made. When choosing to make a change to a system, you should first ask how it fits in with your current framework, and you should also ask just how likely it is that the new rules will be followed by employees. Not only do your policies have to be cohesive, they also have to be understood by employees.

Lesson Five: Vendors Can Be Dangerous

Target, Experian and Home Depot all put their trust into vendors to keep payment info, Social Security numbers, and credit data safe, and they were all victims of major breaches. It's why regulatory laws like HIPAA have expanded to ensure that companies are doing everything possible to investigate their partners before agreeing to share their information. Between inconsistent monitoring of employee and customer behavior and vulnerabilities within networks, you can't be certain what's going on in your own organization at all times - let alone someone else's. While there's no doubt that third-party affiliates specialize in data security and thus have more time to devote to it than Target or Home Depot potentially do, that doesn't always guarantee a favorable end result. Due to the success of these types of breaches, hackers have been steadily copying those techniques against companies that use third-party vendors. To remain compliant with HITECH, you'll need to document your interactions with vendors to show that you've properly requested their security protocols and agreed to their methods.

Lesson Six: Shortcuts Are Abundant

eBay's hack didn't make the splash across headlines that Target's or Ashley Madison's breaches did because the consequences weren't quite as severe, but that doesn't mean it's not worth talking about how it happened. Essentially, hackers were able to steal demographic information from customers for months before eBay even noticed. eBay chose not to encrypt its PII in the way it did its financial information and apparently wasn't following the protocol necessary (or didn't have it established) to catch the problem before it got out of control. Even for companies with sufficient resources, these shortcuts are put in place because they save management and employees time and effort, all while keeping budget costs low in the short term. To follow every necessary protocol to protect financial data is extremely difficult, and it might require an investment a company doesn't feel comfortable making. It can delay products or features coming out on the market for weeks, and those security protocols may have to change on a dime if and when some new super virus comes out or some software vulnerability is revealed from Microsoft. In fact, some experts have speculated that at the current pace and with no changes, the profits that are made in the virtual world will eventually be drowned out by the cost of security. For now though, implementing the strongest methods available, including encryption, is the smartest way to avoid these types of problems at your company.

Better Breach Responses

If you haven't looked at your breach policies for a while, then perhaps it's time to review the solutions you have in place. You're going to need to have everything from the language used in a public statement to the details of exactly how you'll inform customers of what happened with their data. In the case of PCI compliance, you'll need to have a plan that has been distributed to and read by all people who are responsible for data. It also requires you to actively test the plan at least once a year to determine its effectiveness. You may also want to rethink how you investigate alerts, and how your anti-malware tools respond to potential threats.



