Preparation Key to Managing Data Breaches
BALTIMORE-In this era of Internet connectivity, businesses must prepare for what is becoming the almost-inevitable data breach, according to a pair of chief privacy officers for major financial institutions.
At the IntrusionWorld Conference and Expo co-located with the Web Services Security & SOA Conference here May 13, Joel Tietz, chief privacy officer at AXA Financial, and Michael Drobac, chief privacy officer at Merrill Lynch, discussed the increasing risk and costs of data breaches and how enterprises can better prevent and manage them.
Drobac exhorted every organization to have a plan in place for data breaches. "Failing to plan is planning to fail," he said, noting that data breaches have become almost inevitable in the connected era.
Drobac provided his own top 10 list of ways to prevent and manage a data breach that could cost an organization time, money, productivity and reputation.
No. 1 on Drobac's list is to enforce a "need to know policy," so that only those who truly need to know certain information actually have access to it. He also stressed a focus on access control, such as role-based access control.
Other steps businesses need to make is monitoring for data leakage-particularly in e-mail and peer-to-peer technology-keeping an eye on all the various mobile devices being used by employees, such as thumb drives, PDAs, phones and iPods, and strengthening authentication protocols.
Drobac also said businesses need strong oversight of vendors, examine data retention standards, ensure destruction policies are adequate, build privacy and security into the software development lifecycle and engage senior management in the overall process of preventing and managing data breaches.
Drobac said the "low-hanging fruit" are encryption data classification or providing different levels of security for different levels of data. "But it's not all about encryption and data security," he said.
One of the first steps to managing a data breach is defining exactly what constitutes a data breach for your organization, Drobac said. After that, enterprises need to establish a centralized channel for reporting breaches. The next step is to "identify your response team, including the leader," he said. The response team should include the organization's general counsel, media relations personnel, front office sales, information security staff and fraud investigators, he said.
Once those steps have been taken, the enterprise should get the facts about the data breach by using a forensics team, and then "conduct immediate triage to prevent further damage, such as shutting down the site; it might call for swift and hasty action," Drobac said.
"It may mean pulling down your gateway to your revenue stream," Tietz said. That is why "you should make sure you have an escalation mechanism to the highest levels of the company," Drobac said.
At this point, it is time to "involve PR [public relations], law enforcement and regulators," about the data breach, Drobac said. "They'd rather hear it from you than from the Wall Street Journal." The organization also must provide notice to its customer or user bases, he said.
Then the enterprise must "remediate and modify existing business practices," he said.
Preparation is also key, they said. Enterprise should track events for root causes of breaches and constantly perform practice drills to be prepared for breaches, Drobac said.
Tietz said typical data breaches involve stolen laptops, PDAs or thumb drives, but also include network hacking, malware and lost backup tapes among other things. "But the No. 1 form of data breach is Dumpster diving," he said.
Tietz ran down statistics. There have been 230 million records of U.S. residents exposed to security breaches since 2005, and $6.3 million is the average cost per reported enterprise breach in 2007, up from $5 million in 2006, he said. In addition, 20 percent of consumers have ended their relationship with a company after being notified of a security breach. Indicating how important data security has become, Tietz said nearly 40 percent of new security spending in 2007 was directed toward protecting data by reducing the network security expenditures.
Data breaches have touched on a number of companies, including Eli Lilly, ChoicePoint, the U.S. Department of Veterans Affairs and TJX.
He said in the commercial sector, 40 percent of data breaches is through stealing laptops, while errors accounted for 20 percent of breaches, insider theft 15 percent, fraud 15 percent and hacking 10 to 15 percent. In the university setting, hacking accounted for 45 percent of data breaches, and laptop theft, insider access, errors and fraud all accounted for 10 and 15 percent each, he said.
In a separate presentation here, Joe Gersch, vice president of engineering at Secure64 Software, spoke of how to justify spending on security. Gersch said enterprises need to quantify the benefits of security by assessing the annualized loss expectancy, which is equal to the single loss expectancy plus the annual rate of occurrence.
However, as a best practice, an enterprise should invest no more than 37 percent of the expected benefits of the security. "If you have an expectation of losing $100,000 annually, you should not invest more than $37,000" on security, Gersch said.
He noted that quantifying return on investment for security technology is difficult. However, what Gersch referred to as "genuinely secure systems" can be less costly and more attractive than conventional security or building a security fortress, he said. Such a system "has a secure operating system architecture that fully utilizes the hardware to make applications immune to compromise from rootkits and malware and resistant to network attacks," he said. They also can be less expensive than conventional security.
Secure64's core technology is SourceT, a patent-pending, genuinely secure micro operating system designed to make it and any applications running on it immune from rootkits and malware, and resistant to network attacks, Gersch said. Secure64 defines a genuinely secure OS as one with a secure architecture that fully utilizes the hardware to make applications immune to compromise, unlike a hardened OS, which is typically manipulated to minimize exposure to its insecurities, he said.
As the technology continues to improve and emerge, "self-defending networks, self-defending OSes, and self-defending services will start to pay off," Gersch said.
Paul Lipton, a senior architect at CA, said autonomic computing-or self-healing-technology should become a key part of securing service-oriented environments.