By Jim Zimmermann
Verizon’s recent “2012 Data Breach Investigations Report” uncovered 855 incidents of data breaches in 2011, with 174 million corporate and personal records compromised. Disconcertingly, 96 percent of attacks were not very difficult, and 97 percent of breaches were avoidable through simple countermeasures.
PwC’s “The Global State of Information Security Survey 2013” stated: “As mobile devices, social media and the cloud become commonplace—both inside the enterprise and out—technology adoption is moving faster than security.” Mark Lobel, a principal in PwC’s Advisory Practice, was quoted in the study saying, “Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance.”
It seems as if news of major data breaches is a regular staple of news organizations, but these reports are only the tip of the iceberg. Most security breaches do not make it into media outlets, and many breaches go undetected for long periods of time—if they are ever detected. In addition, many breaches that are detected are not reported.
The biggest impacts mentioned in the news are monetary losses caused by stolen credit card data or loss of other financial or personal data. However, data breaches can have other negative effects on an organization, including damage to its image and loss of intellectual property.
An organization’s reputation and brand can be severely damaged—sometimes to the point that an organization cannot continue doing business. And if intellectual property is stolen, it can harm an organization’s ability to compete.
The “2012 Data Protection & Breach Readiness Guide” from the Online Trust Alliance states: “Few events can damage a company’s brand and the trust of its customers more than a data incident, defined as either the loss or misuse of customer data.” As Zappos CEO Tony Hsieh said after the breach affecting 24 million of its customers, “We have spent over 12 years building our reputation and trust; it is painful to see us take so many steps back due to a single incident.”
Unfortunately, data breaches cannot be completely eliminated, since threats continue to evolve as new techniques and technologies are developed. However, there are ways that companies can mitigate future threats. One of the best is through vigorous and ongoing security training of employees.
Staff Needs Security Training
As mentioned earlier, the Verizon study found that 96 percent of attacks were not very difficult, and 97 percent of breaches were avoidable through simple countermeasures. So the challenge is to make data breaches more difficult to accomplish and to block avoidable breaches through countermeasures.
PwC’s “Global State of Information Security Survey 2013” found that “No security program can be effective without adequate training, yet only about half of respondents report that their companies have employee security and privacy awareness training programs. … Lack of training is cited as a top reason why contingency and response plans are not effective.”
One way organizations can help make data breaches more difficult—while implementing appropriate countermeasures—is through vigorous training and certification of staff. Although a great deal of the training needs to take place in IT departments, non-IT employees also need to receive security training. The best security systems put in place by IT can be compromised when employees are careless about security.
Security training can take many forms: self-education via books and online courses; instructor-led training; mentoring; and courses and degrees from institutions of higher education. Even more important than the training modality is having executive support. If executives do not emphasize the importance of security training in a very visible way, much of the training will fall on deaf ears.
In addition to basic security training, companies may want to consider securing certifications for IT staff because these certifications guarantee a baseline level of expertise. Staff with security certifications have studied security issues and have successfully passed stringent exams that demonstrate that they have learned the required materials.
General security certifications are available, as are specialty certifications in areas such as network security, data security and application security. The most popular certifications include CompTIA Security+; ISACA Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA); (ISC)² Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP); GIAC Secure Software Programmer; and EC-Council Certified Ethical Hacker (CEH).
When coupled with continuous learning—both on the job and via other learning modalities—certifications can help achieve more secure IT environments.