The Sad Truth About the Data Breach

Data breach prevention is much more achievable than many people realize. According to a newly published report by the Online Trust Alliance (OTA) based on a review of more than 1,000 data breaches in 2014, 90 percent of data breaches were preventable if a dozen best practices had been followed.

Per the OTA statistics, 40 percent of data breaches were due to external intrusion, 29 percent were caused by employees due to a lack of internal controls, 18 percent were attributed to lost or stolen devices and only 11 percent were due to social engineering or fraud.

Defenses against data breaches fall into three categories: those intended to minimize the chances of a data breach, those intended to minimize the damage from a successful breach and those designed to maximize the effectiveness of a response to a successful breach.

Minimizing Opportunities for Data Breaches

It is important to use password protection policies enforced by enterprise password management software. These protections include unique, strong passwords that must be changed on a regular basis and use two-factor authentication. Limit user access by granting access only to users who require access to a given system, which is commonly called least user access.

Use device management software to limit access to only those devices that are recognized and use the software to enforce all your security controls, including locking out devices, wiping data from devices and encrypting data on devices. Limit access inside the firewall to only devices that are inside the firewall or use a Virtual Private Network to gain access from outside the firewall.

Use real-time intrusion detection and prevention software to detect and quarantine anomalous behavior. In the past, most data security was based on preventing access by hardening the firewall and identifying malware through the use of antivirus software. More recently, the world of data security has adopted intrusion detection and prevention software. There have been tremendous advances in this class of software over the past few years based on improvements in predictive analytic algorithms used by the software.

Minimizing Damage From a Data Breach

Even with the most rigorous efforts to prevent data breaches, they can still occur. The two most important things an organization can do to minimize the damages from a breach are to encrypt the data and limit the data that is online.

An organization should encrypt any data it would not mind having in public distribution, such as data with personal and private information, trade secrets and customer information. Data should be encrypted both at rest in storage and in motion when moving through networks. Protection should also be extended to devices by redacting the personal information by default when it is displayed on a device or printed.

Needless to say, data backups should also be encrypted, regardless of the backup media type or backup location. Another important protection for backups is to require unique passwords for access to backups.

As should be obvious, data that is online in production systems is more easily stolen than data that is offline or has been destroyed as part of a data retention program. Old applications and their data that are not in production should not be online. Rather, they should be retired with the data and destroyed if they are no longer needed. Or, if the data should still be retained, they should be archived into a secure, encrypted environment. Given that many old applications and data stores cannot be easily encrypted, archiving may be the only way to easily secure them.

After the Breach

Some breaches are going to occur, and your organization must be prepared for them. Data breach preparedness should be a cornerstone of an organization's information governance program. A data breach preparedness plan should be part of that program, as well. The plan should be tested, perhaps with the assistance of white hat hackers, and should be continuously improved based on the test results.

Unfortunately, for the time being, data breaches are a fact of life. Fortunately, by making use of these best practices, your organization can minimize its exposure to data breach risks.

Do you have questions about data management? Read additional Knowledge Center stories on this subject, or contact Iron Mountain's Data Management team. You'll be connected with a knowledgeable product and services specialist who can address your specific challenges.


Offsite Tape Vaulting
Offsite Tape Vaulting

Topics: Offsite Tape Vaulting

Your organization operates in a world where hardware malfunctions, human errors, software corruption, and man-made or natural disasters are an ever-present threat to your data. And you’ve probably invested significantly in backing up your data should one of these incidents impact your operations — but that’s only one part of the story.

Preserving the World's Heritage
Preserving the World's Heritage

Topics: Data Archive

Our charitable partner CyArk is out to digitally preserve world heritage sites like Mount Rushmore using 3D-laser scanners. To preserve these sites, they require a long-term, cost-effective solution for protecting and managing the data. Read this case study for the surprising answer to this important challenge.