By Ulf Mattsson, Protegrity
Looking through the Identity Theft Resource Center’s running list of data breaches for 2014, one could be forgiven for thinking they were reading a “Who’s Who” of chain store retailers. Well-known brands such as Neiman Marcus, Michael’s, Home Depot, Old Navy, Lowe’s, Walgreen’s, Legal Sea Foods, P.F. Chang’s, Wendy’s, Rite Aid, CVS and Bebe Stores were involved in just a handful of the more than 750 publicly reported incidents this year in which customer or employee names plus social security numbers, driver’s license numbers, medical records, or credit/debit card information were potentially put at risk.
Going into the just-past holiday season you may have told yourself, “My company is PCI compliant. We haven’t had any breaches. We should be on Santa’s nice list.” But you should really have been asking yourself, “Were we really good at protecting our most critical data this year or were we just lucky? What else can we do to make sure the data Grinch doesn’t steal our reputation, customers’ loyalty, employees’ job satisfaction or even our profits?”
Undergoing a major overhaul of your data security environment is no simple task. In the short term, you should increase the granularity and frequency of regular systems monitoring, auditing, and alerts. Specifically, monitor traffic that is leaving your network. So while you may not be able to do much more at this point to prevent a breach from occurring, you may be able to catch incidents earlier and mitigate the damage by being extra vigilant.
But for more thorough, long-term solutions, the following is recommended:
• Recognize that all of your systems are connected, including the marketing database, transaction processing, and even employee records. The enterprise must be secured using a unified approach, to prevent “weakest link” issues arising from security gaps or vulnerable systems.
• Apply enterprise-wide fine-grained de-identification of personally identifiable information to protect your customers’ and employees’ privacy, while retaining the ability to mine and analyze the data.
• Apply fine-grained tokenization of payment card information to alleviate the need for cleartext data and exposure in-memory across the entire data flow.
• Implement policies requiring strong credentials, including password improvement and rotation, as well as separation of duties, so that privileged users such as DBAs or system administrators cannot access sensitive data.
• Learn the lesson your counterparts at breached companies learned the hard way: compliance does NOT equal security. Do not merely follow PCI and privacy guidance; go beyond it, because such standards are only a baseline of minimally acceptable security.
• If breaches cannot be wholly prevented or detected in real time, then you must secure the data to the point that it is useless to a potential thief. Modern solutions such as tokenization, which replace sensitive values with surrogates that cannot be reversed without access to the token vault, provide better security than encryption alone, while retaining usability for analytics and monetization.
• Independently verify solutions that protect the data itself. Many of the failures of data security today can be directly attributed to the negligence or ignorance of best practices for protecting data. Decoupling the assessment from the solution is vital to an unbiased audit.
• With an objective system to verify security in place, and a strong solution to actually protect data rather than building walls around it, you can be assured that your data environment is actually secure, rather than just ticking a compliance checkbox. You would be well served to follow the best practices outlined above and take a proactive approach to protecting your customers’ and employees’ information, rather than waiting for a breach that could potentially impact your company’s reputation and bottom line.
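The recommendations above for fine-grained tokenization of payment card data and for keeping DBAs away from sensitive values are easier to reason about with a concrete model. The following is an added example, not code from the article or from Protegrity: a minimal vault-based tokenizer in Python. It keeps the first six and last four digits of the card number (the portion PCI DSS permits to be displayed), fills the middle with random digits, and deliberately makes the token fail the Luhn check so it can never be mistaken for a live card. Because the same card always maps to the same token, downstream systems can still group and total transactions without ever holding the real number. The card numbers and amounts are constructed test data, and the class and function names are this example's own.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-backed tokenization: the only place a cleartext PAN is ever stored.

    Everything outside the vault (transaction DB, analytics, logs) sees tokens only,
    so a DBA or a thief who copies those stores gets nothing reversible.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        # Same PAN -> same token, so analytics can join and group on the token.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # A token must not collide with an existing one and must fail Luhn,
            # so it can never be confused with (or used as) a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str):
        """Privileged operation: only the vault service should be able to call this."""
        return self._token_to_pan.get(token)


def build_sample_ledger(vault: TokenVault):
    """Constructed sample transactions (well-known test card numbers, not real accounts).

    Tokenization happens once at the capture point; only tokens reach the ledger.
    """
    captured = [
        ("4111111111111111", 19.99),
        ("5500000000000004", 5.00),
        ("4111111111111111", 42.50),
    ]
    return [(vault.tokenize(pan), amount) for pan, amount in captured]


def spend_per_token(ledger):
    """Analytics that needs no vault access: total spend per (tokenized) card."""
    totals: dict[str, float] = {}
    for token, amount in ledger:
        totals[token] = totals.get(token, 0.0) + amount
    return totals


if __name__ == "__main__":
    vault = TokenVault()
    ledger = build_sample_ledger(vault)
    for token, amount in ledger:
        print(f"{token}  {amount:8.2f}  luhn_valid={luhn_valid(token)}")
    print("spend per token:", spend_per_token(ledger))
```

The vault becomes the crown jewel, which is exactly where the separation-of-duties recommendation applies: the transaction database and its administrators hold tokens only, and detokenization is a separately controlled service. Note the caveat that a format-preserving token still reveals the issuer prefix and last four digits; the middle digits are random rather than derived from the card, so the token itself yields nothing, but those preserved digits are still the same data PCI DSS allows on a receipt, no more.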
Ulf Mattsson is the chief technology officer at Protegrity, a Connecticut-based provider of enterprise data security software and services, and is an advisor to the industry’s top analysts and stakeholders, including the PCI Security Standards Council and ISACA. Ulf is the inventor of more than 20 patented technologies in the areas of encryption key management, policy-driven data encryption, internal threat protection, data usage control and intrusion prevention.