Security Experts: Preparing for the Inevitable Data Breach

NEW YORK - Companies need to start thinking of themselves as stewards of consumer data and be proactive about data protection, a panel of experts said this week at a town hall event in honor of Data Privacy Day.

Businesses need to understand they will experience a breach incident and plan accordingly how they would protect the data, said Craig Spiezle, executive director and founder of Online Trust Alliance (OTA). If they don't, "they're really not meeting their obligations to their customers or their stockholders," Spiezle said.

Data Protection

The town hall was organized by OTA in honor of Data Privacy Day 2014. Observed every year on Jan. 28, the day is intended to promote collaboration among government, industry, education, and non-profit organizations to improve data privacy and security.

Collect vs. Protect

One of the challenges has to do with deciding which data is sensitive and needs to be protected. Somebody within the organization has to decide on a case-by-case basis whether or not to protect a specific type of data, and whether or not customers and regulators would have to be notified in case of a breach. The simplest way to avoid this dilemma is to be more cautious about what data is collected from customers in the first place, said Tim Rohrbaugh, CISO of Intersections and the moderator of the panel. Organizations have to first figure out which types of data provide real value to the business, and if the costs of protecting that data outweigh the business benefits, then don't ask the customer for that information, he said. This way, the organization makes a conscious decision on what to collect and what not to collect.

It's also important to remember that consumer attitudes and regulations about what is considered personal or sensitive can shift over time. Rohrbaugh noted that if he asked the town hall attendees to define what data fell under personally identifiable information (PII), "everyone will come up with a different definition."

The regulatory rules are changing, too. What was okay to collect ten years ago may have legal ramifications today. For example, when Sony PlayStation Network was breached in 2011, attackers made off with millions of customers' email addresses. At the time, email addresses weren't considered particularly sensitive. However, California recently expanded its SB-46 breach notification law so that email addresses, online user names and other types of online data are now considered personal information and subject to notification rules.

"Data that seemed obscure just a few years ago is being monetized by criminals today," said Rohrbaugh.

Value Shifts

What many businesses fail to realize is that different groups are interested in different types of data, and "one man's trash is one man's treasure," said George Schultzel, a special agent with the Federal Bureau of Investigation's New York division. Not all attackers are after payment card data or trade secrets; they may just be out to embarrass the company, he said.

Many of these attacks are also crimes of opportunity, as opposed to targeted attacks. The thieves may grab whatever they can, and then find out later it was a treasure trove, Schultzel said. For example, in a recent case, an attacker stole usernames and passwords from a small company. The loss of the data wasn't a big deal to the company, but it turned out the attacker was able to reuse some of those username and password combinations to break into bank accounts, he said.

Planning is Critical

Companies are also not planning ahead on what they should do when—not if—their data is breached, the panel said. Despite a number of high-profile data breaches over the past two years, many companies are still in a "state of denial," Rohrbaugh said. Many organizations haven't identified the key staff members who will be in charge, let alone have a plan outlining what steps need to be taken.

Schultzel described working with a New York-based company that didn't have a plan after a breach. No one knew what exactly had happened, what had been stolen, or who to talk to. "They panicked," he said, adding, "There were 100 people running around like chickens with their heads cut off."

Even companies that put in the effort to put together an incident response plan make the mistake of not keeping it up to date. "It gets put on the credenza in the executive's office hoping no one has to touch it," Spiezle said. Companies should test their breach response plans at least quarterly, he said.

"An incident response plan is just like having sprinklers in an office building. You don't want to ever have to use those sprinklers," Spiezle said, "but you sure want to know they'll work and put the fire out when that happens."

Security Best Practices

In a recent analysis of nearly 500 data breaches, the OTA found that 89 percent of them could have been prevented had the organization implemented rudimentary security controls or followed best practices. Data protection basics include encryption, checking access controls, and patch management. This statistic is "conservative" when compared with the 2013 Verizon Data Breach Investigations Report, which pegged the number of avoidable incidents at a staggering 97 percent, Spiezle said.

Defending is harder than attacking, as the attacker has to succeed just once. That doesn't mean the organization can just ask, "why bother?" Just as a safe driver who wears a seat belt can still get in a car accident, organizations can do everything they are supposed to do and still be breached, Schultzel said. And it's important to have a good relationship with law enforcement before an incident even happens, he said. Know who you need to call in your region and share information, he said.

The OTA released a white paper (PDF) to help organizations develop, implement and update corporate data protection and privacy policies. Data breaches are especially challenging for small businesses because they may not even know they have been breached, Spiezle said. Investigation may also be stymied because small businesses often lack the extensive logging and monitoring tools needed to reconstruct what happened.

"Security and privacy needs to be everyone's job in a company," Spiezle said. It's not a task for IT, or marketing, or any one division, but a holistic process.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.