With the number of high-profile data breaches in the news this year, following the breaches of 2013, it would be easy to conclude that these sorts of incidents are an inevitable part of dealing with data. The news stories of data breaches are certainly coming out frequently enough for one to think that public data loss is just going to be a cost of doing business. But it doesn’t have to be.
Organizations have the ability to protect their customers’ data against all the methods of attack that have been used in high-profile news stories. That’s why these stories are still news. If there were no defense against these attacks, they would happen far more often, and IT security professionals would be completely at the mercy of the hacker community. Companies with the most valuable data would be the first to have it exploited.
Even though data breaches are avoidable, security managers have their work cut out for them. Not only do they have to keep up with all the standard best practices and technology to keep their companies’ data safe, but they also have to keep up with new and emerging risks to stay a step or two ahead of the most determined hackers.
The bulk of the recent data breaches seem primarily motivated by money. The attackers are stealing credit card and personal information, which they try to sell in batches on underground markets. The buyers are then able to exploit those payment and personal details in a variety of fraudulent ways.
Attackers have only a few areas that they can exploit. They can attempt to gain access to the system at the root level. They can attempt to install rogue software on the system that will let them transfer data out. Or they can hack into individual user accounts, either through brute-force attacks or through social engineering tactics. Security managers may not be able to close and control every conceivable weakness in a security system, but enough of those weaknesses are now well known that there is little excuse for falling victim to a data breach in the same way as one of these other high-profile break-ins.
Security managers have to take care of all the basics and implement the strongest version for each situation. This means implementing multi-factor authentication and automating the password reset process to secure user accounts. Multi-factor authentication ensures that hackers cannot break into an account simply by guessing or stealing the password, unless they are also able to steal the second authentication factor (which is usually a physical object the user carries with them, like a phone or key fob).
Also, data at rest, in motion, and in process should be protected by strong encryption, so that even if it is stolen from the system, it will be useless to anyone who acquires it. A file- and field-level encryption tool like ASPG’s MegaCryption can keep data safe while still making it usable and readable by the people and systems that should be able to see it.
The combination of encryption and multi-factor authentication remains . Those in charge of data security have to weigh the costs of securing data against the costs of what a data breach would mean for that business, both in lost customers and in loss of goodwill. It is important to cover all the basic data security best practices, as well as to learn from the misfortunes of other organizations, so that your business doesn’t fall prey to a data breach. To learn more about how you can secure your company’s IT systems, both through data encryption and through more secure user authentication and password management, request a free trial of one of ASPG’s data security products.