Equifax and the Curious Case of Data Breach. How to Dodge that Bullet?
Equifax is the recent addition to the ever-increasing list of a data breach. Companies are scampering to bolster their defenses with piecemeal measures. But to do something about it, first, we need to understand why it happens.
Is a Data Breach a Law and Order or Warlike Situation?
Is it a law and order problem in the cyberspace? Organizations believe and act in a way that the bad guys hack networks and breach data. And corporations have to protect themselves against the bad guys. No, it is a war against hackers. These people incessantly applying their expertise and creativity to test your security practices. They pierce the veil wherever it’s thin.
We fight wars differently. To put things in perspective, let’s have a look at some data. The US spends about 598 billion on military while 8 billion on policing. Does this make you think about how much more we have to do about data security? Organizations need to spend way more for data security rather than just buying some anti-malware or securing the network.
How to get more funding?
CIO uses threats and gives recent data breach examples to pursue business for more funding. However, it is an expense to the company, so business leaders are never excited about it. CIO’s need to bury the cost of security into business funded projects. I have seen that contractors create flaky products, without any focus on the Security. Every project should have a line item to protect that application against the security breach.
Role of Chief Security Officer (CSO)
The job of CSO is not limited to compliance. They should not treat themselves as a governing council, where they check every application against standard technical guidelines. CSO’s role should be to facilitate an environment in a company, where everyone is aware of security challenges. In my 15+ years of consulting career, I have visited about 50+ fortune companies’ IT department and never saw a training about security breaches. Compare this to plant safety, and you will see plenty of workshops happening. I was once in GE, where they had a meeting about power plant safety at their headquarters. It shows that how well the plant is doing the safety job. CSO need to organize IT security camps and training to IT staff.
Corporations should organize workshops to make all the employees more aware of IT threats and challenges. CSO should tell every employee not to open phishing emails, not to click on suspicious links. Educate them about what are suspicious emails. Educating them about seemingly simple things can go a long way.
Training to IT staff
In my opinion, every developer should be aware of various security-related challenges and how to overcome it. I have been a developer in my entire career and developed many applications, but no one ever thought about security challenges. They should design best practices and should train all the IT employees and contractors (YES Contracts). The huge problem is that companies think that they can outsource the work to IBM/Infosys/TCS and they will take care of it. But even these IT companies have zero ideas about security as they are busy hiring freshers for the job.
Do’s for IT developers and Security staff
We have created OvalEdge as a state of the art application covering various aspects of security. These are a few best practices I would advise to every company to follow.
Network protection: Antimalware, port scanning, VPN, SSL, etc. Outer network protection is the key to avoid security breaches. The problem is companies are only dependent on this layer, while they also need another level of security protection.
Zero Trust Network: Yes, you heard it right, do not trust your network. At home, you plonk your valuables wherever you want, but outside you keep it in your wallet or pocket. As the network is not secure anymore, you need to secure your applications using Zero Trust Network principles. Now, this is a comparatively new concept by which companies should treat their intranet also like the internet. It mandates that –
– Communication between applications should be SSL compliant.
– Authentication via OAuth2 technology
Password protection: I have consulted 60+ companies, and I know that they keep service account passwords for most applications in a flat file and not an encrypted one. It needs to change. Every password protection has to be via Key/token-based authentication.
Latest Patch: All the applications should be in its latest patch of software.
Encryption on rest: Corporations should store all data in encrypted form.
Use Big Data for threat detection
These are some use cases where you can ensure security using big data.
Network Security Intelligence
The network is vulnerable where data breach takes place. So when antivirus detects any malware, it affects many computers or servers. So for this, it’s vital to store the network logs and glean insights after the impact. By doing this, you can identify vulnerabilities and fix them proactively.
Unstructured data identification
In emails, chat etc. companies indeed have more unstructured data than structured. All the PII (Personal Identifiable Information) in these emails is on the servers which may not be encrypted and vulnerable. Use Big data to find all the PII on unstructured data and encrypt proactively.
To find out more about how OvalEdge ensures data security, Click here.