Grand Theft Data: Lessons LearnedBy Eric Lundquist | Posted 08-18-2009
Ten Lessons CIOs Should Learn From The Biggest Data Breach Of All Times
Do all those news stories outlining the details of the record setting 130 million credit card numbers theft make you feel glad it was someone else and not your company? That may be a natural reaction, but there are also some lessons to be learned that just might help you stay off the front pages when the next big theft is announced. Here are ten security lessons to be learned from the theft allegedly masterminded by Albert Gonzalez, 28, of Miami.
1. Protect the data before the system. A theft of properly encrypted data is close to worthless. Rather than starting with the system and thinking of how you are going to harden it with password protected access, constantly changed hard to guess logins and virtual network transmission, start with the data. Encrypted data can be transmitted quickly, securely and quickly de-encrypted to provide fast access to business data. Start there.
2. Your system is only as secure as your weakest link. You need to constantly monitor and think about system access from the outside in. What do network sniffers tell you about your networks when you are sitting outside in your company's parking lot? How much information is there about your point-of-sale system on the Internet? Is your guest log-in networks walled off from your vital corporate networks? You don't have to go out and hire reformed hackers, but you do have to think like a hacker to test security.
3. Employee access needs to be measured, monitored and maintained. You can trust your employees, but only so far. The fastest way to hack a network is still to get a disgruntled worker to provide access. Sorry, but that's the truth. Concentrating on getting the employee access badge after they leave is not so important as making sure computer access is also denied.
4. It is tough to beat the swarm. The bigger the prize, the more hackers will band together for theft. You need to think about securing your data first (see step one) or you will spend your career trying to patch holes as underground digital networks spend all their time discussing your system vulnerabilities.
5. Data theft is a big business. And a worldwide business. The days of the lone, smart but crazed hacker are over. Stolen data is bought and sold on underground exchanges as sophisticated as any stock trading system. Don't think that you won't be a target.
6. Compliance is a start, not an ending. One of those unintended consequences of compliance is that companies try to absolve themselves of responsibility by trying to hit the minium compliance guidelines. Compliance is not security. Security is your responsibility to your customers. Compliance is what a government agency says is the minium necessary.
7. Cloud computing doesn't make data theft easier or harder. Cloud computing just makes data security different. You need to be absolutely clear in your understanding of what a Software as a Service vendor is offering and willing to put in a service agreement regarding security. The same attributes you would want in your company's private network need to be part of the service agreement with any cloud computing vendor.
8. You've got friends. While no CIO is going to detail how they have approached security at their company, they will be willing to give you some advice and guidelines. However, they won't be providing those suggestions on a public, social network. Get to know CIOs in your industry, region and top CIOs everywhere. There is still a great role for CIO face to face events, but the biggest value is often in the after dinner conversations.
9. Technology is changing and you need to change also. The solutions that might have been discarded a few years ago (encryption) have been upgraded and enhanced. You need a technology team at your company or at your systems integrator who are always evaluating new approaches and technologies. You need to stay ahead of the tech curve or risk getting wiped-out.
10. Your job is going to get harder. Social networks are great, but they are also potential security loopholes. You need to set some firm guidelines on what information, documents and access points are absolutely off limits to the social networks involving your company and employees.