I was fortunate enough to grow up in an era when the likes of Rich Little and Dana Carvey could be seen on a regular basis doing impressions of famous people on late night TV. It was always amazing to me how spot on these gentlemen could imitate the facial expressions, mannerisms, and speech patterns of so many famous people. As entertaining as that was to me as a kid, now it kind of freaks me out. Why, you ask? It’s because it reminds me of all the various data breaches I’ve undergone, and how many people could imitate me as a result.
A few weeks ago, it was revealed that Equifax, one of the world’s largest credit bureaus, suffered a data breach that affected somewhere in the neighborhood of 143 million Americans – or more. Data breaches in and of themselves are bad enough, as they provide hackers with details about a person that open them up as a potential target for fraud. However, a credit bureau being hacked is one of the worst data breaches imaginable, as they store the complete credit history of consumers – and you have little control over their ability to store data on you, rendering you virtually impotent to have protected yourself from this data exposure. (Obviously, never having applied for credit would help to keep you off of their radar, but many jobs pull credit reports as a part of their background checks too.)
Unfortunately, this is not a rare occurrence. Personally, I’ve been notified of data breaches from several former employers, banks, e-mail providers, former health insurers, and other businesses more than a dozen times within the last decade. I’m certainly not alone – last year nearly 1,100 data breaches were recorded per a compilation by the Identity Theft Resource Center. As an aside, this data was gathered through their research, not from a definitive system, so there are almost certainly more that went undiscovered and/or unrecorded.
Over the last few days, the recently retired CEO of Equifax Richard Smith has been testifying about the breach before the Senate. When asked about how this could have occurred, he essentially blamed a single person within their IT department for not applying a necessary patch to fix the security hole. That’s even more ridiculous than the image of Uncle Moneybags the Monopoly Man sitting behind Mr. Smith at the hearing. Clearly Mr. Smith doesn’t know what the concept of Level 5 leadership is.
And this, folks, is where we get down to brass tacks. Data security is not the responsibility of a single individual. It is the responsibility of every individual. Overlooking the awful culture such inept leadership likely spawned, the simple fact is that no one person holds the keys to the kingdom in any organization’s data security profile. It is absolutely imperative that data security takes a multi-layered approach. Please note that the following is not intended to be comprehensive, but more of an example of a defense-in-depth.
First and foremost, your data assets must be physically protected from intrusion. Twice I received word of a potential data breach of my information occurring by the combination of an unlocked car door and a laptop sitting in the front seat. Not only must a physical barrier be erected in order to prevent outsiders from acquiring the physical assets that store the data, but password protection of said assets is equally important. I’ve worked at several companies where an unlocked computer would be punished mercilessly – often in a humorous manner when discovered by friendly coworkers, but merciless nevertheless.
Secondly, your data should be protected behind that most basic of network security devices, the firewall. Proper firewall management with routine penetration testing can prevent a great number of hacks, though clearly not all. In today’s world, it’s such a universally accepted security need that even the home version of Windows comes with a basic firewall.
Third, though perhaps this should be listed first, is proper training of your employees. Knowledge of how phishing, attached executable files, and SPAM dangers in general will allow your employees and vendors to proactively protect themselves from the dangerous code objects that manage to penetrate the firewall. Symantec’s 2016 report on security trends shows a steady decline of phishing and SPAM related attacks. This would seem to indicate that these methods are becoming less effective, and hackers are turning to other means to gain access. Nevertheless, it is important to remind your users of the constant dangers from these avenues of attack.
Fourth, your data assets and the applications that query said assets should be secured. It is recommended that those who access said data assets do so with distinct user ID, vs. generic application IDs. This allows not only for differing levels of security to be applied, but also for tracking query usage patterns in order to begin discerning when a possible data breach could be occurring. I.E. – A user who runs a few specific queries at the end of the month who suddenly begins dumping the entirety of the DB tables could be compromised.
Fifth, you will need to ensure that key data elements that could identify a specific individual have limited query access and are not being propagated across numerous platforms. After all, the more platforms you have with the sensitive data, the more vulnerabilities you have to protect. In fact, you may wish to consider only allowing access to those specific fields to those who absolutely need it. I would even go so far as to recommend utilizing table and row level security structures to further ensure that users can only retrieve data that you wish for the to have access to.
Sixth is leadership. Yes, I know it sounds trite, but it’s true. Fostering a culture of self-starters with the confidence, education, and management backing to fix issues as the programmers encounter them may be the most effective method of preventing the majority of hacks. More importantly, great leadership encourages teams.
Again, these are not all-encompassing. They are simply a set of ideas for you to begin your data security conversation.