These days my email is full of press releases from IT vendors that claim their products are the magic bullet that will prevent the next Sony data breach. But the reality is, there is no magic bullet.
That doesn't mean you can't keep your company from being a victim of cyber-criminals—because you can. It's also important to realize that some breaches may be all but impossible to stop, but those should be a small minority.
First, it's important to know that while you can't totally solve the data breach problem with technology, you should still keep using the available technology—including firewalls, email screening appliances, anti-malware and similar products—to keep things under control. They do help. By using the best of the available products, you can at least keep most of the bad stuff out of your network so you can focus on the rest.
Second, it's important that you not dismiss employee errors as "stupid user tricks" and then throw up your hands in dismay. While nearly all major breaches were the result of an error made by a trusted employee or contractor, it's wrong to suggest that they're somehow stupid and therefore unpreventable.
"They're just highly trained people in another field," said KnowBe4 CEO Stu Sjouwerman. But it's wrong to simply pass off these security problems as being the unavoidable problem of stupid users. "The stupid user might be a highly trained CFO," Sjouwerman said.
His point is that many of the employees in your company aren't trained in IT; they have little or no training in security and, as a result, wouldn't necessarily recognize a security threat.
This is one reason Sjouwerman takes issue with statements such as one by Denise Zheng, deputy director of the Center for Strategic and International Studies, who told CNN recently: "There is no patch for a stupid user."
The fact is, there is a patch for users who make errors in how they respond to cyber-threats. It's called training, and it doesn't need to be difficult or expensive. It just needs to be continuous.
Sjouwerman's advice is echoed by a number of security experts who point out that for any security plan to be effective, it has to involve the people who use the network. When I recently talked to Frank Abagnale about security exploits, he made the same point, telling me "someone in every breach did something they weren't supposed to do."