
Prevention is Not the Security Panacea


A pound of prevention (which in this case means the use of chip-based payment cards, encryption of data stored in the enterprise, and restriction of third-party network access) is not a complete cure when it comes to improved data security for retailers, according to panelists at the recent CIO Symposium at the MIT Sloan School of Management in Cambridge, Massachusetts.

One complicating issue is that the “cloud” is becoming a “fog” as the Internet of Things continues expanding the range of devices that are online with IP addresses, creating new security liabilities.

“IP addresses crop up in devices you don’t realize, and they’re not protected,” said Patrick Gilmore, CTO of data center provider Markley Group. “What if someone hacks your printer and reads every document your CIO ever printed, or posts them online?”

The odds of such occurrences are on the rise. Symantec data indicates there were 253 major data breaches in 2013, up 62% from 2012. Those breaches compromised 552 million user IDs. And increasingly, data breaches are committed by affiliated groups of global cybercriminals or even nation-states, noted Mark Morrison, senior VP and CISO of State Street Corporation.

“This is not your grandmother’s hacker,” Morrison said. “Nation-states are even including cyber-attacks in their war-planning efforts.”

Effective data-security strategies, panelists agreed, need to focus on detection and remediation as well as prevention. Regardless of how strong a firewall is, USB devices are easy to hide, and securing an operating system against downloading of data is extremely difficult and can permanently damage the OS.

“Data is ubiquitous and easy to transfer,” Gilmore said. “If your security plan is built on preventing data from ever getting on a USB, you’ve already lost.”
