As technology has advanced during the past few decades, cybersecurity policies have progressed as well, and enterprises are generally safer now from malware and outside attack than ever before. But the stronger defensive technologies and internal security policies get, the more sophisticated cybercriminals become.
Most of us are familiar with the recent, high-profile data breaches affecting companies such as
For example, if you read through the Federal Information Security Management Act of 2002 -- the government's own information security regulation -- you won't find anything specific about what federal agencies must do to protect their information. It simply states that certain commonsense structures, such as policies, procedures and IT controls, should be in place.
What the regulation does do, however, is prevent overly negligent behavior, with penalties and fines for crossing a very low threshold. You'll find similar elements within the Health Information Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and most other privacy-related regulations issued by the government.
Knowing risks is a key ingredient for building a solid internal security policy.
The good news is that compliance with these regulations is fairly easy. The bad news? They're nowhere near sufficient as comprehensive data security guidelines. Most of the big companies involved in recent high-profile data breaches were in compliance with government regulations. Heartland Payment Systems Inc. didn't pay over $100 million in penalties and fines to the government because they failed to comply with regulations. They paid damages to credit card companies like Visa and MasterCard because they were hacked. All the while, they were given a clean bill of health by Payment Card Industry data security compliance auditors.
A better strategy is to build a solid, prevention-focused internal security policy, because prevention addresses risk proactively. For instance, a common recommendation for dealing with cyberattacks is to build a data breach action plan to contain damage after a breach is discovered. This is reasonable advice, but if you're at the point where the plan must go into action, the breach has already occurred. It's far better to never have the data breach at all.
Building an internal IT security policy around prevention starts with asking the question, "What would cause a data breach at my company?" It continues with, "How can I prevent these causes?" and, finally, "How should my operation look if I were effectively preventing these causes?"
Build internal security around regulation
Although adhering to regulations does not provide adequate protection against cyberattacks, they can be a good starting point, because regulations provide clues as to what your actual risks are. Knowing risks is a key ingredient for building a solid internal security policy. To uncover risk, start by examining a piece of the regulation and asking, "What risk (i.e. uncertain event) is this regulation trying to control?"
For example, HIPAA's technical security regulations state that data involving protected health information (PHI) must be secured from intrusion. It goes on to talk about encryption for network transmission. But in a closed system with proper access control, encryption is optional. What risk are we trying to prevent? It's an unauthorized person accessing private data, regardless of how they get it.
If we focus on the real risk of an unauthorized person accessing private data, we can start to build an internal security policy around that risk. One factor to consider is the medium on which private data resides (e.g., hard drive, flash drive, CD-ROM). Regardless of physical access to the media, if the data is not usable, then it's not accessible. One preventive control is to use encrypted media with tightly controlled passkeys distributed only to authorized personnel. This could be the beginning of your new internal security policy: always use encrypted media when PHI is involved.
More on data security
Notice how we arrived at this policy through a specific risk, and how it's different from the original regulation, which seems to be a little lax about encrypted hard drives. If BlueCross BlueShield of Tennessee had gone through this process, they probably would not have had 57 unencrypted hard drives with PHI data stolen from their facility, and they also probably would not have had to pay out $1.5 million to the Department of Health and Human Services for their data breach.
Data breaches will continue regardless of what measures companies take -- cybercriminals always stay at least one step ahead of the cybersecurity companies – but, like most criminals, they usually pick their easiest targets. The individuals that hacked Heartland Payment Systems didn't pierce their firewall with sophisticated algorithms reserved for the super-intelligent -- they initially tunneled in using a simple SQL injection hack.
Even if you keep your security gate high by maintaining good internal policy, you can still be hacked. But why would cybercriminals prey on those companies when there are easier targets out there? Remember: The best data breach is the one that never happens.
This was first published in May 2012