Data breaches involving Personally Identifiable Information (PII) increased 19% over last year (GAO). Analyzing breach trends and leveraging Privacy Rights Clearinghouse reporting provides valuable insight into which controls within specific industries appear weak and vulnerable. Hopefully corporate America, specifically the privacy and security professionals tasked with protecting sensitive data, is monitoring these trends, because you can be sure that nefarious individuals, and worse, organized crime syndicates abroad, are monitoring them as they seek to exploit the easier targets offering the most financial gain. I found an interesting correlation in the data, further reinforcing the 2012 Verizon Report, that hacking is lucrative and accounts for a significant number of compromised records. For example, thus far in 2012 there have been 143 reported material attacks, including Zappos (24 million), Formspring (28 million), Gimigo (3 million), and LinkedIn.com (6.4 million).
How to Discourage Breaches
What does this mean to privacy and security specialists? The complexities of today’s interrelated technologies don’t easily lend themselves to bulletproofing. We could invest millions, but new and existing vulnerabilities would still be subject to exploitation. The best we can hope for is risk-based decisions that limit exposure, making our organizations less enticing. In other words, implement sufficient security strategies such that the business next door is easier to hack! This is analogous to home security. If I remove all of the expensive belongings from window view (i.e., eliminate the incentive), buy a guard dog (i.e., add controls the potential thief must overcome), and put an alarm system on the home with labels advertising it (i.e., make the house next door a more appealing target), I materially decrease the odds of becoming a target!
So breaches are up, and current trending models highlight hacking as a material contributing factor. Aside from reducing visibility (i.e., becoming a less attractive target), what should we as security/privacy professionals be doing?
- Risk assess
- Design layered security
- Implement a 3-year roadmap including tactical solutions and strategic solutions
- Test security controls
- Adjust as needed
- Be prepared to quickly handle breaches should they occur
The bottom line: hacking is lucrative and can be executed from nearly anywhere in the world. Security professionals should be providing risk assessment results annually to executive management. Of course, providing only a list of vulnerabilities is probably career-limiting.
Walk a Fine Line or Find a New Line of Work
Security professionals can’t just document the issues in layman’s terms. This is the balancing act we must perform. Documenting only the issues suggests we aren’t doing our jobs; management will say, “I see a lot of vulnerabilities. Why aren’t you fixing them?” Conversely, if you document all of the controls and they appear effective, then when a breach occurs management will say, “You told us everything was secure.” Without fully articulating the risks, controls, and so on, it’s a lose-lose. Privacy and security professionals can fly under the radar until regulators or an event (e.g., a large data breach) raises awareness. So be proactive: manage risk by formally documenting the approach and seeking consensus on it (e.g., which risks to mitigate, which to accept, and which to transfer with breach insurance).
If you haven’t thought this process through, documented accordingly, and received executive buy-in, you are one hack, inadvertent data breach, or disgruntled employee away from, “Memo: Our information security officer or privacy officer has decided to pursue other opportunities outside the company…” If that’s your role, you might want to keep your resume current.