If You Think Data Security is IT’s Responsibility, Think Again

What does Ebay, Living Social and Adobe have in common? These companies, among countless others, have all experienced a significant data breach in the last year. While these breaches have cost millions of dollars to fix, they’ve also cost some executives their jobs. If you don’t think data security is important, especially in this new age of big data, think again.

What does Ebay, Living Social and Adobe have in common? These companies, among countless others, have all experienced a significant data breach in the last year. While these breaches have cost millions of dollars to fix, they’ve also cost some executives their jobs. If you don’t think data security is important, especially in this new age of big data, think again.

About data breaches. In April 2014, Verizon Enterprise Solutions released its 2014 Data Breach Investigations Report (DBIR). For this report: 50 organizations from around the world contributed; 63,000+ security incidents were analyzed; and 1,367 confirmed data breaches were studied. One key discovery Verizon made this year is that over the last 10 years, 92% of the incidents they’ve seen can be summarized with these nine classification patterns:

• Miscellaneous errors – any user mistake that compromises security
• Crimeware – malware, phishing
• Insider and privilege misuse – includes outsiders and partners
• Physical theft and loss – loss of devices and information assets
• Web app attacks – use of stolen credentials, exploit vulnerabilities
• Denial of service (DoS) – attacks, not breaches, designed to bring systems to a halt
• Cyber-espionage – state-affiliated breaches, intellectual property theft
• Point-of-sale intrusions – attacks on POS applications to capture payment data
• Payment card skimmers – physical installation that reads your card as you pay

These nine patterns classify almost all of the attacks an organization is likely to face. Organizations can use these patterns to better understand the threat landscape and prioritize their own security investments.

Why this matters. Even though data security may sound like it’s IT’s responsibility, it’s not. It’s a company-wide responsibility that affects every employee regardless of role. Not only can data breaches cost a lot to fix (both legally and technically), your customers may lose faith in your ability to protect their interests, your reputation will most likely be damaged, and your bottom line may be negatively impacted. Some companies never really recover from such tragedies. 

Questions to think about. As I mentioned earlier, data security is a company-wide responsibility. Even if you aren’t in IT, how prepared are you to answer the following questions? 

• Is data security taken seriously at your organization? If not, why not? Remember that if you suffer a breach of any kind, the potential loss could be devastating.
• Are you encrypting sensitive data? Whether the data is being stored on-premises or in the cloud, make sure proper encryption (and decryption) techniques and practices are in place.
• What proactive steps have you taken to make sure the data you’re collecting is secure? Even though you may never be asked by a customer, be prepared to answer, “How is my data being secured?”
• Who has access to the customer data you’re collecting? And who’s accessing this data? (The answers to these two questions may be different, which could indicate a problem that needs addressing.) It’s important to keep data on a need-to-know basis and make sure access is revoked when an employee leaves the company.

One final thought. It’s not enough anymore for companies to primarily focus on protecting themselves from external, malicious data breaches. As Edward Snowden, the NSA whistleblower, has aptly demonstrated, giving an employee too much access can also work against you. Be vigilant and pay attention to the warning signals. Even if that warning signal is coming from your gut.