- For all the talk about sophisticated security strategies, too many breaches could be avoided simply by getting the basics under control, starting with adequate data security policies.
- The recent breaches at Global Payments and LinkedIn cast a harsh light on the lack of care those organizations took in applying basic protections such as multi-factor authentication and encryption to safeguard customer data.
One unfortunately consistent truth about data security is how often the most egregious breaches could have been stopped if adequate care had been taken to put the most fundamental elements of security in place, starting with appropriate policies for handling crucial customer data. We saw this recently in the theft of hundreds of thousands of patient records from Utah’s Medicaid health system in March (see “Anatomy of a Breach: What We All Can Learn from the Utah Medicaid Records Theft,” May 18, 2012), where a cascading series of clear missteps in policy and execution made the breach relatively easy for the attackers.
Like the Utah Medicaid breach, the unauthorized access to Atlanta-based Global Payments’ processing system also occurred in March, and it too exposed customer data whose exposure could have been contained had the payment card processor applied controls such as multi-factor authentication and encryption. Similarly, this month’s theft of 6.5 million LinkedIn user password hashes from the popular business social network’s servers prompted a loud outcry questioning why stronger cryptographic controls, such as salted and deliberately slow password hashing, were not applied to safeguard the passwords.
Incidents such as these make headlines initially because of the breadth of their impact, measured in the number of victims and the potential value of the stolen data. Yet what is really striking about them is how easily they could have been prevented, especially given the substantial resources most of the organizations holding the data can bring to bear. Regrettably, these breaches are most likely emblematic of many more equally avoidable, if lower-profile, incidents.
Unfortunately, too many organizations build so high a level of risk tolerance into their security cultures that they never take the fundamental steps necessary to eliminate these incidents. Without adequate outside pressure, whether from regulators or from customers, there is no real incentive to change. That changes when an organization sees an incident such as the Global Payments event, which cost the company its PCI-compliant status with Visa and jeopardized its survival. Pressure of that kind is likely the only thing that will motivate organizations on a broad basis to reevaluate their security postures and rethink their practices. After all, no one wants to be the next LinkedIn.