
How to Respond to a Data Breach, Part 1

By Kelly Shermach CRM Buyer ECT News Network
Feb 8, 2007 4:00 AM PT

As the technology that businesses depend on has diversified, new tools have enabled the capture and storage of minutia from operations and transactions.


However, the wealthier companies become in data assets, the more attractive they become to attackers. This is why data security requires great attention and investment -- to prevent potential breaches.

TJX surely realizes this, given its recent challenges in responding to an unauthorized intrusion of its computer systems that exposed the credit and debit card details of customers in several countries, including the United States. After all, inoculation against a crippling disease such as data theft is less painful to the pocketbook -- as well as the brand -- than the post-crisis cure.

"A lot of people think security is expensive, but good security helps decrease the cost of maintenance," says Ira Winkler, vice president of marketing for the Information Systems Security Association and author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day.

Additionally, the bandwidth and capacity budgeted for network services are consumed far faster by malicious traffic, which not only puts data integrity at risk but also degrades performance.

Policies for Process

Data security policies should preempt any other provision in establishing strong security.

"Outsourcing to a hosting company is good in that the basic physical and technical security that a hosting company will have will easily exceed the majority of companies' [security]," Clive Longbottom, service director of business process analysis at the research firm Quocirca, tells CRM Buyer.

"However, for real levels of security, any outsourcing company will still need guidance and a strategy set by the owning company. ... You cannot depend on outsourcing companies to understand what your security needs are and therefore how to approach them with suitable solutions," he adds.

"We advise that companies take an intellectual-property asset view of security. ... Look at the actual files and data themselves, and ensure that these have security policies applied directly against them," Longbottom advises, so that "any item remains secure, even if copied, even when outside of the company, even when mobile."

This approach requires everyone to hold some form of certificate that is checked continuously, but it does give the highest levels of security within and across company boundaries.

Tactical Measures

After the policy-making, widely available solutions come into play -- including disk-level encryption software, firewalls, intrusion detection and other prevention tools. All PCs should have antivirus, anti-spyware and current software updates installed automatically, as well as firewalls, according to Winkler.

Encryption follows industry standards such as the Payment Card Industry Data Security Standard. The credit card networks Visa, MasterCard, Discover and American Express cooperate in this initiative, which outlaws the storage of customer credit card data.

Lesson Learned

If TJX hadn't held onto shoppers' account numbers, expiration dates and back-of-card security codes, there would have been no assets for hackers to mine and nothing for automated attacks -- from bots -- to exploit.
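As an added illustration of that retention point (example code, not from the article or from TJX), the following Python audits a constructed order store for card data that should never have been written, and shows the minimized record that keeps only an order reference and the last four digits. The field names, records and test card numbers are constructed for the example.

```python
import re

# Fields that must never be persisted after authorization (constructed list of
# common names: the back-of-card code and magnetic-stripe track data).
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "security_code", "track1", "track2"}
# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Card-network check digit; filters random digit runs out of matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in one stored value."""
    found = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in found if luhn_ok(d)]

def minimize(record: dict) -> dict:
    """What may be written to disk: an order reference and the last four
    digits for customer service. Full PAN, expiry and CVV are never stored."""
    pan = re.sub(r"[ -]", "", str(record.get("pan", "")))
    return {"order_id": record["order_id"], "pan_last4": pan[-4:]}

def audit(records: list[dict]) -> list[str]:
    """Findings a defender wants about a data store: forbidden fields, and
    full card numbers hiding in any value, including free-text notes."""
    findings = []
    for r in records:
        for f in sorted(FORBIDDEN_FIELDS & {k.lower() for k in r}):
            findings.append(f"{r['order_id']}: forbidden field '{f}' stored")
        for v in r.values():
            for pan in find_pans(str(v)):
                findings.append(f"{r['order_id']}: full PAN ending {pan[-4:]} stored")
    return findings

# Constructed sample of an unminimized order store (industry test card numbers).
RAW_ORDERS = [
    {"order_id": "A1", "pan": "4111 1111 1111 1111", "expiry": "12/09", "cvv": "123"},
    {"order_id": "A2", "pan": "5500000000000004", "expiry": "03/08",
     "note": "customer called back, card 4111-1111-1111-1111"},
]

if __name__ == "__main__":
    print("\n".join(audit(RAW_ORDERS)))          # four findings
    print([minimize(r) for r in RAW_ORDERS])  # nothing left for audit() to flag
```

The free-text note in the second record is the case worth noticing: a store can be "clean" at the schema level and still hold full card numbers in comment fields.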

"Encrypting data can protect information but can also work towards preserving the corporate reputation by reducing the data breach notification obligations," Rob Scott, managing partner of Scott & Scott, tells CRM Buyer, adding that, of the 23 states that require intrusion disclosure, only five stipulate that breaches of encrypted data must be disclosed to affected parties.

In addition, just as companies must assess the value of the data they collect and keep, they also should evaluate the risk of critical data once exposed.

"There is little point in applying 3DES (triple data encryption standard) encryption on information and data that is already in the public domain," Longbottom explains.

Further, in cases where data vulnerability is low, the financial or brand-equity impact of a breach would be minimal. "In these cases, a company might make a conscious decision not to bother securing certain assets," he adds.

Staff Up

Once a grand plan is established, it needs to be staffed adequately. "Most people think of IT as a cost center," Winkler says. "They are penny smart, pound foolish."

Instead, he notes, organizations should determine the optimum IT administrator to employee ratio and attempt to meet it.

"Most people are not aware of the threats they face," Winkler claims. However, even small companies in niche industries may be infiltrated.

"The reality is: Anyone is a target. If you don't keep yourself well-maintained, you're a target," he adds.

Hackers who break into an easily penetrated system may do so only to use that network to attack others -- and to leave liability for their crimes with the zombie host.

No Status Quo

Meanwhile, internal and external stakeholders are putting pressure on today's corporations to secure their systems.

"Company-wide security policy development, enforcement and ongoing employee education and training can promote protection and risk mitigation at all levels of the corporation," Scott suggests.

Quocirca's Longbottom congratulates the few who are actually seeing through such policing.

"Whether they know it or not, a lot more companies are getting better at security, as firewalls have morphed to include better content filtering, deep packet inspection, DoS (denial of service) attack identification, IDS/IPS (intrusion detection systems/intrusion protection systems) and so on," he says.

"Also, the security of databases has been much in the news, and newer database versions have much improved data security," Longbottom concludes. "For many companies, updating to the latest version of the database and refreshing the firmware on their firewalls would help a lot. Combined with forcing desktop antivirus/spyware software to be updated on a regular basis takes this even further."

How to Respond to a Data Breach, Part 2
