
Data Security: Is Your Data As Secure As You Think?

09/02/2015  |  By: Jason Riddle, CISSP, President, Information Security



Too many organizations operate under the false assumption that once they have implemented a few cyber security controls, they are safe from any potential breach. This simply isn't true.

When reviewing an organization’s security program, we often hear any number of the following responses:

  • “We just invested in security technology upgrades.”
  • “We trust that our vendors have adequate security.”
  • “Our data wouldn’t be of value to anyone outside of the organization.”
  • “We’re PCI-compliant, so we don’t have to worry about a breach.”
  • “Our people are trained well enough.”

Unfortunately, there is a fault in the logic behind each response.

Technology Is Not a Panacea

Many organizations mistakenly believe that purchasing network security technologies is “one and done.” Even if your organization regularly invests in and implements security technology upgrades, those alone are not enough to deflect every security breach. Target illustrates this perfectly. Technology upgrades by themselves could not have prevented that breach. In Target’s case, an outside vendor that performed routine maintenance on its refrigeration systems became the entry point when the vendor’s credentials were stolen and used to access Target’s network.

Vendor Security Up to Snuff?

It’s not safe to assume that your vendors have adequate security measures in place. The U.S. Office of Personnel Management (OPM) was exposed partly through a background check vendor, KeyPoint. Reputable sources report that KeyPoint had previously suffered a breach that was attributed to China.

The lesson learned for organizations — do not assume your preferred vendors are immune to attacks, or that they even have an effective security program in place.

Identifying Targets Using Data Value Analysis

According to a June 2015 SecurityWeek article, nearly 75% of organizations worldwide are not equipped to address cyber security issues. Even if your organization is one step ahead of most, are you properly assessing the value of your data?

It’s not just credit card, bank account or Social Security numbers that hackers are after. Intellectual property and personnel information can be used for malicious purposes or sold on the black market. OPM can attest to it. When its systems were hacked, sensitive information on up to 22 million former and current federal employees, applicants, spouses and partners was exposed. Worse, the breach compromised highly sensitive security clearance information, highlighting the ripple effect of such breaches and striking a significant blow to national security.

Cyber Security Is a Marathon, Not a Sprint

Look at cyber security as a marathon. You have to lay the groundwork for a successful marathon by creating a training plan — your security program. Then you need to consistently and diligently train by running through security procedures and monitoring the system. Next, you must run through the possible scenarios of marathon day and figure out how you’d handle them. Like a marathon, robust network security is a long and arduous process. Proper planning, training and testing will go a long way to ensuring you maintain an effective security program.

Compliance Does Not Equal Security

Many organizations find the task of implementing HIPAA or PCI compliance requirements daunting and time-consuming. Because compliance regulations change constantly, it is also difficult for many to keep up to date.

At the same time, it is not a good idea to rely too heavily on compliance as the cure-all for your security needs. Don’t become “compliance complacent.” A strong security program cannot be placed into a compliance checklist, but needs to come from balancing risk and business impacts with controls.

Assessing Your First Line of Defense — Security Training

With many organizations, training is insufficient, incomplete or worse, non-existent. Naturally, cyber criminals realize this weakness and use it to their advantage.

According to Ponemon’s 2015 Cost of Data Breach Survey, it costs an organization an average of $145 for each customer record breached. Multiply that across your customer base and that can add up to a costly line item.

Every organization should train its employees to detect security red flags, including common phishing techniques, and to report them quickly so that an attack that slips past the controls can be contained.

Maintaining a Security Program Requires a Specific Skillset

Not every organization has an in-house cyber security expert with the specialized skillset to identify issues and to implement and manage a security program. This is why outsourcing is often a good option to consider. What’s more, you can designate precisely which areas of security you’d like an outside security vendor to handle, from risk assessment consulting to around-the-clock monitoring.

Many organizations use third-party cyber security providers to look for patterns (and malware) across their client networks. Others opt for using security consultants to develop strategies to avert attacks and for ongoing testing of controls. If breached, they use them to help contain the problem, restore normal business operations, and ensure that all areas of the network are secure again, not just the area that was identified in the breach.

Adopt a Proactive Stance

The key here is to be proactive. Join a local chapter of the Information Systems Security Association (ISSA) or InfraGard, a public/private partnership between industry, academia, law enforcement agencies and the FBI. Get educated, and over time you’ll be better prepared to manage and keep your organization’s data secure.

Check out our free guide, Breach: Network Security Best Practices for Prevention, Detection, and Response, for more information on ensuring the safest network security for your firm.

On LinkedIn or Twitter? Follow us on LinkedIn and on Twitter @lbmcsecurity.