Data Security Isn’t Just IT’s Responsibility
By Tamara Dull, Director of Emerging Technologies ▪ SAS Best Practices
What do the IRS, Home Depot, Sony, Anthem, and Uber have in common? These organizations, among countless others, have all experienced a significant data breach in the last year. In fact, the ITRC reported that U.S. data breaches hit a record high in 2014 with 783 breaches, and 2015 continues to keep the pace with 115 breaches in the first two months alone.
While these data breaches have cost millions of dollars to fix, they’ve also cost some executives their jobs. If you don’t think data security is important, especially in this new age of big data, think again.
About data breaches. In April 2014, Verizon Enterprise Solutions released its 2014 Data Breach Investigations Report (DBIR). For this report: 50 organizations from around the world contributed; 63,000+ security incidents were analyzed; and 1,367 confirmed data breaches were studied. One interesting discovery that Verizon made in this report is that over the last 10 years, 92% of all data breach incidents can be classified into one of these patterns:
- Miscellaneous errors – any user mistake that compromises security
- Crimeware – malware, phishing
- Insider and privilege misuse – includes outsiders and partners
- Physical theft and loss – loss of devices and information assets
- Web app attacks – use of stolen credentials, exploit vulnerabilities
- Denial of service (DoS) – attacks, not breaches, designed to bring systems to a halt
- Cyber-espionage – state-affiliated breaches, intellectual property theft
- Point-of-sale intrusions – attacks on POS applications to capture payment data
- Payment card skimmers – physical installation that reads your card as you pay
Think about it: If these nine patterns classify almost all of the attacks an organization is likely to face, then organizations can use these patterns to better understand the threat landscape and prioritize their own security investments.
Why this matters. Even though data security may sound like it’s IT’s responsibility, it’s not. It’s a company-wide responsibility that affects every employee regardless of role. Not only can data breaches cost a lot to fix (both legally and technically), but your customers may also lose faith in your ability to protect their interests, your reputation will most likely be damaged, and your bottom line may be negatively impacted. Some companies never really recover from such tragedies.
Questions to consider. As I mentioned, data security is the responsibility of every employee. Even if you aren’t in IT, how prepared are you to answer the following questions?
- Is data security taken seriously at your organization? If not, why not? Remember that if you suffer a breach of any kind, the potential loss could be devastating.
- Are you encrypting sensitive data? Whether the data is being stored on-premises or in the cloud, make sure proper encryption (and decryption) techniques and practices are in place.
- What proactive steps have you taken to make sure the first-, second-, and third-party data you’re collecting is secure? Even though you may never be asked by a customer, be prepared to answer, “How is my data being secured?”
- Who has access to the customer data you’re collecting? And who’s accessing this data? (The answers to these two questions may be different, which could indicate a problem that needs addressing.) It’s important to keep data on a need-to-know basis and make sure access is revoked when an employee leaves the company.
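The last question above is one you can actually check rather than just ask. The following is an added example (not code from the article or from SAS) showing how to reconcile three things every organization already has: the list of who is entitled to customer data, the access log of who actually touched it, and HR’s list of who has left. The entitlement table, the departed list and the log lines are all constructed for illustration, and the log format (`user=… action=… table=…`) is an assumed one.

```python
# Added example, not from the article: reconcile "who has access" with
# "who is accessing" customer data. All names and log lines are constructed.
from collections import Counter

# Who *should* have access: an entitlement list, e.g. an export of database
# grants or IAM group membership (constructed sample).
ENTITLEMENTS = {
    "alice": "analyst",
    "bob": "support",
    "carol": "analyst",
    "dave": "contractor",
}

# People HR has recorded as offboarded (constructed sample).
DEPARTED = {"dave"}

# Constructed access-log lines in an assumed format:
# "<timestamp> user=<name> action=<verb> table=<name>"
ACCESS_LOG = """\
2015-03-02T09:14:05Z user=alice action=read table=customers
2015-03-02T09:20:31Z user=bob action=read table=customers
2015-03-02T10:02:17Z user=dave action=export table=customers
2015-03-02T11:45:00Z user=erin action=read table=customers
2015-03-03T08:30:12Z user=alice action=read table=customers
"""


def parse_log(text):
    """Return a list of (user, action) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Drop the timestamp, then split the remaining key=value fields.
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        events.append((fields["user"], fields["action"]))
    return events


def reconcile(entitlements, departed, events):
    """Compare entitlements, the departed list and observed access.

    Each bucket corresponds to a problem the article's question is meant
    to surface, ordered roughly by how urgently it needs attention.
    """
    entitled = set(entitlements)
    accessed = Counter(user for user, _ in events)
    return {
        # Accessed the data without an entitlement: enforcement is broken
        # or a credential is being shared. Investigate first.
        "unauthorized_access": sorted(set(accessed) - entitled),
        # Left the company but still shows up in the access log.
        "departed_still_active": sorted(set(accessed) & departed),
        # Left the company but access was never revoked: revocation gap.
        "stale_entitlements": sorted(entitled & departed),
        # Entitled but never seen using the data: need-to-know candidates
        # for removal, since unused access is pure risk.
        "unused_entitlements": sorted(entitled - set(accessed)),
    }


def report(entitlements=ENTITLEMENTS, departed=DEPARTED, log=ACCESS_LOG):
    """Run the reconciliation over the embedded sample data."""
    return reconcile(entitlements, departed, parse_log(log))


if __name__ == "__main__":
    for bucket, users in report().items():
        print(f"{bucket}: {', '.join(users) or '(none)'}")
```

Run against the constructed sample, the report flags `erin` (accessing with no entitlement), `dave` (departed, still entitled and still exporting), and `carol` (entitled but never using the data). The two answers the article says may differ are exactly the first and last buckets, and the contractor case is the “access revoked when an employee leaves” check made concrete.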
One final story. It’s not enough anymore for companies to primarily focus on protecting themselves from external, malicious data breaches. As Edward Snowden, the NSA whistleblower, has aptly demonstrated, giving an employee (or trusted contractor) too much access can also work against you.
A few years ago, my colleagues and I attended a customer event sponsored by a software vendor whose training platform our team was using. One event presentation, in particular, still sticks out in my mind; it was presented by the chief privacy officer for a major entertainment studio. She was tasked with making sure all employees and contractors took data privacy and security seriously. She knew that the cost of studio data getting into the wrong hands was too high – and no, she didn’t work for Sony – and it was her job to make sure employees not only understood this, but also took responsibility for protecting the studio’s data.
This CPO was a creative, high-energy executive who wanted to go beyond the typical humdrum training videos employees are required to watch (but really don’t) – and make the training experience fun and memorable for all involved. So with the help of DC Comics, she put together a brilliant marketing campaign and gamified the entire online training experience. Not only were employees eager to participate in the training, they loved being part of this fun studio “mission.”
This CPO understood that data security is not just IT’s responsibility. It’s everyone’s responsibility. We must be vigilant when it comes to data security and pay attention to the warning signals. Even if that warning signal is coming from your gut.