Manage the Breach or the Breach Will Manage You
Several high-profile security breaches occurred in 2012. What’s ahead for security administrators in 2012, and how will IT respond?
By Ted Julian, Chief Marketing Officer, Co3 Systems
Unquestionably, 2011 was another riveting year in the security business, particularly from a breach perspective. It included headline-worthy incidents such as the multiple breaches at Sony and the highly focused and determined break-in at security vendor RSA. It also included the largest class-action lawsuit in response to a breach: $4.9 billion against healthcare provider TriCare.
These big names were hardly alone, however. Industry-watcher DataLossDB.org reports 369 breaches involving nearly 127 million records so far in 2011 -- and these are just what have been publically disclosed. Indeed, a recent study from Forrester Research suggests that at least 25 percent of organizations have suffered a breach in the last 12 months.
Developments like these have caused security pros to suggest one of two points of view. The more conservative view is that if you haven’t been breached, it’s just a matter of time. The aggressive view is: you’ve already been breached -- the only question is whether or not you know it.
2012 Prediction #1: There will be more attacks and you will be a target
The bad guys went pro years ago and began focusing on stealing things they could sell. The RSA breach is a great example of this as it was the result of a determined, sophisticated operation after very specific and valuable intellectual property. Although the RSA grabbed all of the headlines in 2011, analysis of related attack traffic suggests that, in fact, RSA was actually just one of more than 760 organizations that were targeted by that effort. Most organizations would be right to fear that if a leading security vendor with gobs of the latest security technology at their disposal like RSA can be breached, so can they.
If you think you aren’t a target because you are not a well-known organization, think again. Of the ten breaches reported in the week I’m writing these predictions, only one was at a firm whose name most people would recognize. If your organization has financial information like credit card data, or even personal information like employee data (which could be leveraged to create a profile for identify theft) then you are a potential target.
Prediction #2: There will be more regulations with more fines
States’ Attorneys-General figured out a few years ago that breach notification laws with fines for non-compliance were win-win scenarios. By passing such legislation, they could both protect their constituents (by looking after their personal information) and fill state coffers by collecting fines from firms that failed to follow the rules. As a result, the regulatory environment shifted from a few states having breach-notification laws (many without fines) to 46 state disclosure laws and fines that keep rising. Europe and the rest of world are following suit -- breach notification laws are passing for the first time in some countries, or existing laws are being updated with teeth in the form of fines.
Further complicating the regulatory patchwork are industry regulations such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Health Insurance Portability and Accountability Act (HIPAA/HITECH) that also include security requirements with penalties for non-compliance.
Though not regulations per se, don’t forget contracts you may have with third parties. It has become increasingly common for agreements between business partners to include provisions for how the loss of data must be handled including repercussions for non-compliance.
Prediction #3: Data proliferation will drive more data loss
If this environment weren’t already challenging enough for IT professionals, data proliferation may be the straw that breaks the camel’s back. From smartphones and tablets to cloud computing and connections with business partners, an organization’s valuable data is in more places now than ever before. Naturally, the more far-flung data is, the greater the likelihood it will go missing or be stolen. Keep in mind that the regulations don’t care how data is compromised. Regulatory requirements must be fulfilled whether cyber criminals stole data from a database or a box of paper records went missing from a warehouse.
Prediction #4: Breach response emerges to mitigate breach risk
Most security pros agree that if you haven’t yet suffered a breach, it’s just a matter of time until you do. Most compliance experts and legal mavens will tell you that the regulatory environment around breaches has become remarkably complicated, risk ridden, and fine laden. Despite this, few firms have prepared an incident response plan and fewer still have practiced it.
In 2012, this will change. Breaches such as those at RSA suggest that there is no such thing as absolute prevention. The experiences of firms such as ChoicePoint teach us that the greatest post-breach expense can be fines ($15 million of the $41 million ChoicePoint spent after its seminal breach was for fines). Prudent management thus dictates that post-breach investments that help reduce the potential for fines will yield the greatest ROI.
Also driving improved incident response is the enterprises finally realize that doing better isn’t hard or expensive. Multi-million dollar projects with extensive integration requirements are not required. Firms simply need to get an incident response team together, define the policy and process for breach response, and then practice it.
Software and services can help inform and automate aspects of this process, but the end result is that, when a breach occurs, the organization can decisively and swiftly respond in a way that minimizes risk and/or expense and protects the brand by reassuring customers, appeasing regulators, and soothing shareholders. Thus, breaches can morph from an event that brings the organization to its knees to just another aspect of doing business.
Ted Julian is the chief marketing officer at Co3 Systems. You can contact the author at firstname.lastname@example.org