Ten Lessons CIOs Should Learn From The Biggest Data Breach Of All Times
Do all those news stories outlining the details
of the record-setting theft of 130 million credit card numbers make you
feel glad it was someone else and not your company? That may be a
natural reaction, but there are also some lessons to be learned that
just might help you stay off the front pages when the next big theft is
announced. Here are ten security lessons to be learned from the theft
allegedly masterminded by Albert Gonzalez, 28, of Miami.
1. Protect the data before the system. A theft of properly
encrypted data is close to worthless. Rather than starting with the
system and thinking about how you are going to harden it with password-
protected access, constantly changed, hard-to-guess logins and virtual
network transmission, start with the data. Encrypted data can be
transmitted securely and decrypted quickly to provide fast
access to business data. Start there.
2. Your system is only as secure as your weakest link. You need to
constantly monitor and think about system access from the outside in.
What do network sniffers tell you about your networks when you are
sitting outside in your company's parking lot? How much information is
there about your point-of-sale system on the Internet? Are your guest
log-in networks walled off from your vital corporate networks? You
don't have to go out and hire reformed hackers, but you do have to
think like a hacker to test security.
3. Employee access needs to be measured, monitored and maintained.
You can trust your employees, but only so far. The fastest way to hack
a network is still to get a disgruntled worker to provide access.
Sorry, but that's the truth. Getting the access badge back from an
employee who leaves matters less than making sure that their
computer access is revoked as well.
4. It is tough to beat the swarm. The bigger the prize, the more
hackers will band together for theft. You need to think about securing
your data first (see step one) or you will spend your career trying to
patch holes as underground digital networks spend all their time
discussing your system vulnerabilities.
5. Data theft is a big business. And a worldwide business. The days
of the lone, smart but crazed hacker are over. Stolen data is bought
and sold on underground exchanges as sophisticated as any stock trading
system. Don’t think that you won’t be a target.
6. Compliance is a start, not an ending. One of the unintended
consequences of compliance is that companies try to absolve themselves
of responsibility by aiming only for the minimum compliance guidelines.
Compliance is not security. Security is your responsibility to your
customers. Compliance is what a government agency says is the minimum
necessary.
7. Cloud computing doesn't make data theft easier or harder. Cloud
computing just makes data security different. You need to be
absolutely clear in your understanding of what a Software as a Service
vendor is offering and is willing to put in a service agreement regarding
security. The same attributes you would want in your company's private
network need to be part of the service agreement with any cloud
computing vendor.
8. You've got friends. While no CIO is going to detail how they
have approached security at their company, they will be willing to give
you some advice and guidelines. However, they won't be providing those
suggestions on a public social network. Get to know the CIOs in your
industry and region, and the top CIOs everywhere. There is still a great role
for face-to-face CIO events, but the biggest value is often in the
after-dinner conversations.
9. Technology is changing and you need to change also. The
solutions that might have been discarded a few years ago (encryption)
have been upgraded and enhanced. You need a technology team at your
company or at your systems integrator that is always evaluating new
approaches and technologies. You need to stay ahead of the tech curve
or risk getting wiped out.
10. Your job is going to get harder. Social networks are great, but
they are also potential security loopholes. You need to set some firm
guidelines on what information, documents and access points are
absolutely off limits to the social networks involving your company and
employees.