Data breaches involving personally identifiable information increased 19% over last year (GAO).
Analyzing breach trends, leveraging Privacy Rights Clearinghouse reporting, provides valuable insight into which controls within specific industries appear weak and vulnerable.
Hopefully corporate America, specifically the privacy and security professionals tasked with protecting sensitive data, is monitoring these trends. You can be sure that nefarious individuals, and worse, organized crime syndicates abroad, are monitoring them as they seek to exploit the easiest targets offering the most financial gain.
I found an interesting correlation in the data, further reinforcing the 2012 Verizon Report's finding that hacking is lucrative and accounts for a significant number of compromised records. For example, thus far in 2012 there have been 143 reported material attacks, such as: Zappos (24 million), Formspring (28 million), Gimigo (3 million), and LinkedIn.com (6.4 million).
What does this mean to privacy and security specialists? The complexities of today's inter-related technologies don't easily lend themselves to bullet-proofing. We could invest millions, but existing and new vulnerabilities would still be subject to exploitation. The best we can hope for is risk-based decisions that limit exposure, making our organizations less enticing.
In other words, implement sufficient security strategies such that the business next door is easier to hack! This is analogous to home security. If I remove all of the expensive belongings from window view (i.e., eliminate the incentive), buy a guard dog (e.g., an additional control the potential thief must overcome), and put an alarm system on the home with labels advertising it (i.e., make the house next door a more appealing target), I materially decrease the odds of becoming a target!
So breaches are up, and current trending models highlight hacking as a material contributing factor. Aside from reducing visibility (i.e., becoming a less attractive target), what should we as security/privacy professionals be doing?
Assess risk, design layered security, implement a 3-year roadmap including both tactical and strategic solutions, test security controls, adjust as needed, and be prepared to quickly handle breaches should they occur. The bottom line: hacking is lucrative and can be executed from nearly anywhere in the world. Security professionals should be providing risk assessment results annually to executive management. Of course, providing only a list of vulnerabilities is probably career limiting.
Security professionals need to document, in layman's terms, not only the issues but also the controls that address them. This is the balancing act we must perform. Documenting only the issues suggests we aren't doing our jobs. Management will say, "I see a lot of vulnerabilities. Why aren't you fixing them?"
Conversely, if you document all of the controls and they appear effective, then when a breach occurs management will say, "You told us everything was secure." Without fully articulating the risks, controls, etc., it's a lose-lose. Privacy and security professionals can fly under the radar until regulators or an event (e.g., a large data breach) raises awareness.
So be proactive, manage risk by formally documenting and seeking consensus on the approach (e.g., what risks to mitigate, which to assume, which to transfer with breach insurance).
If you haven’t thought this process through, documented accordingly, and received executive buy-in, you are one hack, inadvertent data breach, or disgruntled employee with a USB drive away from, “Memo: Our information security officer has decided to pursue other opportunities outside the company…” If that’s your role, you might want to keep your resume current.
Brian Dean is a former senior vice president, chief privacy officer, HIPAA officer and GLBA officer for one of the nation's largest financial institutions. He is now the Privacy Officer for SecureState and provides consulting services to banking, health, and other industries in the area of privacy. For more information contact Brian at www.SecureState.com