Customers and employees trust businesses to protect their data, and businesses trust CSOs and CISOs to make sure the data is secure. Those in charge of protecting the network and defending sensitive information know that security cannot be guaranteed. It is simply a game of risk management.
Anthem lost that game apparently. The nation's second largest health insurance provider revealed that it was the victim of a data breach that may have compromised information on up to 80 million individuals.
There is an old saying that applies: “You don’t have to run faster than the bear to get away. You just have to run faster than the guy next to you.” The reason that is apropos is that there is no such thing as absolute security. You are vulnerable. Period. But, if you do just enough to be more secure than the next company, there’s a very good chance attackers will ignore you and go after the low-hanging fruit.
Here are three things organizations should keep in mind in the wake of the Anthem breach, and to ensure your organization is not the proverbial low-hanging fruit:
1. Don’t believe the hype
Any time a major breach like this occurs it’s an opportunity for security vendors to pitch their products and services. If only Anthem would have used this product or that service, then this horrible thing wouldn’t have happened. I’m sure that each product and service fills some need and provides some value, but don’t make the mistake of believing that any one thing is the “silver bullet” that will save you.
2. Encryption isn’t necessarily the answer
It’s easy to think that if the data in question had been encrypted it would be safe from compromise or exposure. In most cases that isn’t actually true. Encryption is good for securing data in transit and at rest so that unauthorized users or attackers can’t access it. Most encryption, however, is designed to work seamlessly and decrypt data automatically for authorized users, and most attacks involve hackers logging in using valid credentials that have been obtained or stolen somehow. In other words, the data will be automatically decrypted and accessible to attackers just as it is for the authorized user whose credentials they’re using.
3. Don’t collect the data in the first place
If you don’t have your customer’s Social Security number, you don’t have to worry about it being stolen in a data breach. Chester Wisniewski, senior security advisor at Sophos, says, “Stop collecting unnecessary sensitive information. Social Security numbers need only be collected for tax purposes. If you are using them as identification numbers or for any other purpose you are inviting these types of accidents.”
Wisniewski also recommends that organizations look at tokenization and storing sensitive details like birth dates and Social Security numbers in different places using unique identifiers to make the job of the crooks significantly harder.
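To make the contrast between points 2 and 3 concrete, here is an added illustration (not code from the article or from Sophos) of the tokenization approach: the customer database keeps only random tokens, while a separate vault holds the token-to-value mapping and only releases a value for an explicitly allowed purpose, logging every attempt. The sample records, the `tok_` prefix and the `tax_filing` purpose list are constructed assumptions for the example.

```python
import secrets

# Constructed sample records; the SSNs and birth dates are fake.
SAMPLE_CUSTOMERS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789", "dob": "1980-01-02"},
    {"id": 2, "name": "B. Example", "ssn": "987-65-4321", "dob": "1975-07-30"},
]
SENSITIVE_FIELDS = ("ssn", "dob")
# Hypothetical policy: only tax filing may recover a real value from the vault.
ALLOWED_PURPOSES = {"tax_filing"}


class TokenVault:
    """Maps opaque tokens to sensitive values; deployed apart from the customer DB."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}
        self.audit_log = []  # every detokenize attempt, allowed or refused

    def tokenize(self, value):
        if value in self._by_value:  # same value always yields the same token
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(12)  # random; not derived from the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, purpose):
        # Unlike transparent decryption, recovering the value is a separate,
        # purpose-gated, audited call rather than an automatic side effect of a login.
        allowed = purpose in ALLOWED_PURPOSES
        self.audit_log.append((token, purpose, allowed))
        if not allowed:
            raise PermissionError(f"detokenize refused for purpose {purpose!r}")
        return self._by_token[token]


def tokenize_records(records, vault):
    """Return copies of the records with sensitive fields replaced by vault tokens."""
    out = []
    for rec in records:
        row = dict(rec)
        for field in SENSITIVE_FIELDS:
            row[field] = vault.tokenize(rec[field])
        out.append(row)
    return out


def exposes_sensitive_values(rows, originals):
    """True if any original sensitive value appears anywhere in the stored rows."""
    sensitive = {o[f] for o in originals for f in SENSITIVE_FIELDS}
    return any(v in sensitive for row in rows for v in row.values())
```

A copy of the tokenized customer table on its own contains no Social Security numbers or birth dates; an attacker would additionally need access to the vault and an allowed purpose, and each attempt leaves an audit record to watch for.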
One last piece of advice: assume you’re compromised. Rather than trying to fortify your network under the misguided premise that you can block all attacks, you should operate from the assumption that you’re always under attack and probably already compromised. Put tools and processes in place to monitor activity for indicators of attack, and indicators of compromise, and be on the lookout for anomalous or suspicious behavior.
If you’re sitting around waiting for an attack to set off an antivirus alert, you’re going to be the next data breach headline.