The Sad Truth About the Data Breach
Data breach prevention is much more achievable than many people realize. According to a newly published report by the Online Trust Alliance (OTA) based on a review of more than 1,000 data breaches in 2014, 90 percent of data breaches could have been prevented had a dozen best practices been followed.
Per the OTA statistics, 40 percent of data breaches were due to external intrusion, 29 percent were caused by employees due to a lack of internal controls,
18 percent were attributed to lost or stolen devices and only 11 percent were due to social engineering or fraud.
Defenses against data breaches fall into three categories: those intended to minimize the chances of a data breach, those intended to minimize the damage from
a successful breach and those designed to maximize the effectiveness of a response to a successful breach.
Minimizing Opportunities for Data Breaches
Enforce password protection policies with enterprise password management software. These policies should require unique, strong passwords that are changed on a regular basis, along with two-factor authentication. Limit user access by granting access only to users who require it for a given system,
which is commonly called least user access.
Use device management software to limit access to only those devices that are recognized, and use the software to enforce all your security controls, including
locking out devices, wiping data from devices and encrypting data on devices. Limit access to systems inside the firewall to devices that are themselves inside the firewall or
that connect from outside through a Virtual Private Network.
Use real-time intrusion detection and prevention software to detect and quarantine anomalous behavior. In the past, most data security was based on preventing
access by hardening the firewall and identifying malware through the use of antivirus software. More recently, the world of data security has adopted intrusion
detection and prevention software. There have been tremendous advances in this class of software over the past few years based on improvements in predictive
analytic algorithms used by the software.
Minimizing Damage From a Data Breach
Even with the most rigorous efforts to prevent data breaches, they can still occur. The two most important things an organization can do to minimize the damages
from a breach are to encrypt the data and limit the data that is online.
An organization should encrypt any data it would not want in public distribution, such as data with personal and private information, trade secrets and
customer information. Data should be encrypted both at rest in storage and in motion when moving through networks. Protection should also be extended to devices
by redacting personal information by default when it is displayed on a device or printed.
Needless to say, data backups should also be encrypted, regardless of the backup media type or backup location. Another important protection for backups is to require unique passwords for access to backups.
As should be obvious, data that is online in production systems is more easily stolen than data that is offline or has been destroyed as part of a data retention
program. Old applications that are no longer in production, and their data, should not be online. Rather, they should be retired, with the data destroyed if it is no
longer needed. Or, if the data must still be retained, it should be archived into a secure, encrypted environment. Given that many old applications and data
stores cannot be easily encrypted, archiving may be the only way to easily secure them.
After the Breach
Some breaches are going to occur, and your organization must be prepared for them. Data breach preparedness should be a cornerstone of an organization's
information governance program. A data breach preparedness plan should be part of that program, as well. The plan should be tested, perhaps with the assistance
of white hat hackers, and should be continuously improved based on the test results.
Unfortunately, for the time being, data breaches are a fact of life.
Fortunately, by making use of these best practices, your organization can minimize its exposure to data breach risks.