USA Today recently published research showing that 43% of companies have had a data breach.
It’s an interesting article. Unfortunately, the only actual “reason” it mentions is human capital. Front door attacks are designed to fool end users into giving away the keys to the kingdom. And even more unfortunate is that there is little we can do on the network security side to ensure that people aren’t fooled.
Many people try to migrate to the cloud rather than start fresh there, which perpetuates many of the hidden dangers of their previous architecture. That’s certainly one thing to leverage. But if you look at this article, architecture accounts for at most 20% of the breaches. The remainder are employee negligence… Could they have put IT department negligence in here? Possibly, but it doesn’t gel with the point of the rest of the article.
I think the second thing to think about is that resources used in the cloud are easily provisioned, easily torn down and don’t reside on local equipment, so, at the very least, it eliminates or reduces the human element: leaving a laptop behind, the physical security of a data center, not locking a local desktop, etc. This is all happening in an era where BYOD is becoming the norm. If someone doesn’t have a password on their iPad, receives an email with customer information, and someone picks the iPad up at Starbucks, is the company to blame? Or the employee? Or both? Which leads to Mobile Device Management…
MDM is going to start to drive the discussion in the next few years. Again, you can’t stop people from being purposefully negligent, but you can prevent them from being careless. No password on your iPad, no access to corporate data. Remove your password, and all corporate content, or the whole device, is wiped. You also have to consider which applications the business allows on these devices for IM, social media, etc., since these are increasingly becoming targets for phishing attacks.
Another topic that has been around forever is DLP (Data Leak Protection). People really haven’t understood what it is and how to use it, but with these numbers swinging so dramatically towards people as the cause of breaches, companies with compliance concerns will be forced to take a stance on DLP. There are simple solutions that can be added to email servers and other data “exit” points; they are not difficult to deploy, and they can live in the cloud.
Most importantly, it’s education. Companies are just not taking the people element seriously enough. Companies with compliance risk will need cyber education programs that teach employees to identify and understand how hackers are trying to leverage them as the point of a security breach. I fully expect that governance around corporate education may find its way into HIPAA and PCI regulations in the next few years.
How can we leverage all of this? We have to deal with these kinds of issues every day. And while we may not yet have easy-to-buy services for all of these items (although several will be released this quarter), we’re watching and are ahead of where our customers can be.