Data Protection: Common MistakesBreaches Can't Be Viewed as Strictly IT Issues
What are the common mistakes individuals in organizations make when it comes to data security and breaches? Craig Spiezle of the Online Trust Alliance provides insight from the latest research.
"The first area that's the fundamental flaw that we've seen when a data loss incident has occurred is that they're viewed as an IT issue," says Spiezle, founder and CEO of the OTA, in an interview with Information Security Media Group [transcript below].
"The reality is companies that do not take a holistic view of data security/privacy really set themselves up for failure," he says.
For example, organizations' IT departments can put measures in place to secure servers, but they can't secure employees and their actions within the company; nor can they secure the process by which an individual group may work with a cloud service provider and share sensitive information.
"Until you take a holistic view, you're going to really open your organization to a high level of threats and compromises," Spiezle explains.
The OTA's recently released 2013 Data Protection & Breach Readiness Guide draws upon breaches from the past year to identify this year's trends and emerging threats. Some of the results, Spiezle says, are pretty obvious.
"If you look at our data, over 90 percent of the leading data loss incidents could have been prevented," he explains, such as starting at the top with patch management.
In an interview about data protection and breach readiness, Spiezle discusses:
- Common mistakes organizations make;
- How to develop a data lifecycle strategy;
- Skills necessary for protecting organizations in 2013 and beyond.
As CEO of the Online Trust Alliance, Spiezle is a thought leader on the convergence of interactive marketing, society and digital commerce. Leveraging his understanding of privacy, security and data stewardship, he is a champion of best practices to help build consumer trust and confidence and of the importance of promoting innovation on the Internet. Spiezle frequently briefs members of Congress representing the roles and shared responsibility of members of the ecosystem and the importance of meaningful self-regulation. Before joining OTA, he spent more than a decade at Microsoft in several management roles, including director of security and privacy product management.
Online Trust Alliance
TOM FIELD: For those that might be a little unfamiliar with the Online Trust Alliance, can you tell us a bit about the organization, yourself and your work with the group?
CRAIG SPIEZLE: The Online Trust Alliance, or OTA, was founded in 2004 as a group of business and technology leaders that were looking to address some of the key issues that were affecting online trust. In the early days, the focus was on e-mail, and today the organization is a nonprofit. We've grown globally to over a hundred organizations, looking at everything from e-mail to websites to how to better protect your privacy and your data.
Data Protection and Breach Readiness Guide
FIELD: OTA has just released the 2013 data protection and breach readiness guide. I'd like to hear a little bit about the genesis of the report, how it came together and who the target audience is.
SPIEZLE: The report, now in our fourth year, has grown substantially. [Regarding] the genesis of it, as many of our members internally were talking about some of the threats, we had some working committees to start to share best practices. What became very clear is the need to develop some guidelines, share them, get beyond the choir - so to speak - and provide prescriptive advice. Part of this was, as we were sharing and observing where these breaches or data losses were, seeing the common thread, seeing some common areas that were overlooked, if we could get ahead of it we would actually be able to better protect businesses and the customers.
Common Mistakes in Organizations
FIELD: As I understand it, the guide pulled together information based on trends from past data breaches. What are some of the common mistakes that you see individuals making to impact their organizations, maybe even in ways that they can't see?
SPIEZLE: The first area that's the fundamental flaw that we've seen when a data loss incident has occurred is that they're viewed that this is an IT issue. The reality is companies that do not take a holistic view of data security/data privacy really set themselves up for failure. For example, the IT department can secure your servers, but they can't secure the employee and how they treat data. They can't really secure the process in which an individual group might work with a cloud service provider and share data. Until you take a holistic view of data privacy and data security, you're going to really open your organization to a high level of threats and compromises. That's the first thing that we've seen.
Some of the things are very obvious. If you look at our data or you look at the Verizon report, over 90 percent of the leading data loss incidents could have been prevented, and some of them start at the very top [with] patch management. I know we all are hesitant to update our servers sometimes, but what happens is a significant number of breaches or incidents are a result of known vulnerabilities. Have the operators of the servers been updated? That's one of the key areas.
Data Protection Recommendations
FIELD: Let's talk about some of the recommendations that the OTA outlines in the guide. Speak to some of those and what organizations can be doing, and where they're missing the mark as well and need to show some improvement.
SPIEZLE: The very first thing in data security is revalidating the business purpose of the data you collect. The second one is revalidating access to the data. The third part would be how to protect the data. On the first point about reevaluating the business of collecting the data, what we find is organizations, after a breach, in many cases were unaware at senior levels that this data was being collected. There are individual pockets within organizations that maybe thought they could be used in the future. That's one of the foundation things - why you collect it in the first place.
The second thing is who has access to it. All too often access management provides employees access. They may move to different parts of the company [and] they still have access. They may have passwords they don't have updated; or they may be using third-party cloud service providers and moved out of the organization. When the employee leaves, while the IT department gets their card key and removes their access to the servers, you still have open access to the third-party services and such. These are some fundamental operational things.
If you take the discussion a little bit on the technical side, there's data encryption. While we don't want to get into the merits of one form of encryption versus the other, any data that's being stored and any data that's being transferred really needs to be encrypted today. There are many alternatives out there, and these are some reasonable steps that businesses can take immediately.
FIELD: If I could follow up on that, what about the personnel side? Do you find that there's a skills gap in terms of readiness and data protection with the personnel versus the sophistication of the threats?
SPIEZLE: It's a great question, and you add to that the bring-your-own-device employees. It's the awareness of the data that they're holding. It's a challenge. Education and awareness on both privacy and on data security needs to be reinforced throughout the company. It's everyone's job.
The other area I think you go to is what happens when you have a breach. Do you have a plan in place? That was the other objective of this report, to illustrate the point that all companies collect some form of personal data. The second point is some day you will lose that data, so the third point is you must be prepared. That's having a very thorough plan of who do you notify, what are the appropriate forensic steps that you take, and what should you not do and how to communicate with customers. Those are also companywide issues that we recommend, whether you're a small business of 20 employees or a large business of 20,000. You need to have a playbook, so to speak, and be prepared to respond to a data loss incident.
Developing a Data Lifecycle Strategy
FIELD: One of the guide's recommendations is for the creation of a data lifecycle strategy. What does this entail, who has to be involved and how do organizations begin developing this strategy?
SPIEZLE: It speaks to the point where it's everyone's job. You have marketing that's collecting data, or operations, and they're sharing data. What should they be keeping, how long should they retain it and when do you get rid of it? How you destroy it is another component of that. As you go through that cycle - for example, when we find that someone has credit card numbers that are five years old - you would question why they're keeping that. The second thing is, as we know, credit cards expire, and so the company would be smart to have an effective way of destroying that data. You need to look through that lifecycle where it goes, and it's the lifecycle of the data and it's also the data flow. As we become more reliant on cloud service providers, what do we know on their security practices? What do we know on their encryption approaches? Last but not least, at what point are they required to notify you as a company if there has been a breach or attempted compromise of your data store?
Creating an Incident Plan
FIELD: Another recommendation was to develop an incident plan. Now, as we know, the threats that we faced over the past couple of years have somewhat changed with who needs to be involved with a plan and how it's spread across the organization. What specific recommendations do you make for individuals and organizations to be better prepared to deal with incidents when they do arise?
SPIEZLE: First of all, when we scope out a breach, we need to also recognize about 25 percent of the data loss incidents are actually the result of an employee losing a notebook, a hard drive backup, a USB stick or other forms. It's not just the cyber criminal. In scoping this, you might say, "I don't have threats but no one's going to attack my server." That would be misguided.
To your point about creating a plan, one thing that's really critical is you have someone who's appointed with a decision-making capability of how to respond. What you don't want to have a situation with is in the middle of a holiday weekend that someone at your IT desk recognizes something's happened to a server and starts calling around and trying to find out who should get involved. It's really key that you have a designated owner at an executive level who can work cross-company. He or she needs to have the ability to have this task force with representatives of every aspect of the company - operations, employment, finance, HR and such - involved. Be thinking about every element of the plan.
Obviously, if you plan in advance you know where your data is stored and you know where your backups are. You also know what data attributes are on those files. The second thing is making sure that your IT department has fully enabled logs. [With] the logs, make sure that you go back 12 months or so. The reason why that's important is quite often these breaches are not discovered right away. You want to look at patterns. Having logs of your servers, your application servers as well as your firewall, is really important to be able to provide some indication of what happened, what the scope was and also to provide some forensics capability.
Mitigating Risks: The Bottom Line
FIELD: [What's] the bottom line for individuals or organizations as they navigate 2013? How should they use your guide as a reference? How should they go about protecting themselves and mitigating the risks that are posed against them?
SPIEZLE: The first point is recognizing that there's not a silver bullet and there's not one answer. The guide is provided to help open that dialogue to a company and to get executives and teams to be thinking about what else they can be doing. There are multiple layers, obviously. There are technical solutions. There are business processes. It's having a plan in place.
One key point of having an incident plan is knowing who to contact. There are two points to that. One is the regulatory requirements. There are 46 states and territories that have data breach notification requirements at the state level, and then there's also working with the FBI and Secret Service to help identify where the threats are coming from. It's important all the way through. You take a lifecycle approach, a holistic approach at data protection, revalidating the business purposes of the data you have, revalidating your security measures and having that fire drill in place - testing it and educating employees on what to do when you have a loss incident. Combined, that would clearly better protect the company, the data, the consumers and the stockholders from potential threats.