These are the last two myths in our installment “5 Data Security Myths Debunked.” With the rise of data breaches occurring all over the world, we’ve been watching closely to see how company leaders are responding to these incidents. To say the least, we have been shocked by what some government leaders and CEOs have said surrounding data security in their own organizations. We believe that some of these sentiments are highly misleading, if not downright false. That is why we have decided to compile these statements into five "myths" of data security. These myths come from direct quotes by CEOs and government leaders.

Myth #4: There is nothing you can do to prevent your company from being hacked

Fact:
There are many actions a company can take to protect its network and prevent a data breach:

• Know which parts of your data is considered “sensitive”, and know where all of your sensitive data is stored. Is it on one server or many servers? Is it stored in applications or databases? Do you have multiple data centers that store sensitive information?
• Use file integrity monitoring (FIM) or system logging to be alerted to changes in system configuration, sensitive data, or unauthorized access in real time.
• Develop and enforce a unified, proactive data security policy to protect data at rest and in transit across your company’s entire network.
• Use AES standard encryption to encrypt sensitive data at rest and FIPS 140-2 compliant key management to protect your encryption keys.
• Automate updates to firewall configurations, password changes, and system patches.
• Restrict employee access to sensitive data.

Myth #5: CEOs do not need to be concerned about data security.

Fact:
Data security isn’t just the Chief Information Security Officer’s (CISO) problem, it’s a business problem that affects both the C-level and the IT level of an organization. IT security is often not made a priority due to the disconnect of perceived vulnerability and actual vulnerability within a company’s IT infrastructure. A recent survey by CORE Security found that approximately 75% of CEOs surveyed didn’t believe their networks were under attack or already compromised, while 60% of CISOs felt very concerned about attacks and believed their systems were already breached.

Poor data security is a business risk. The consequences of a data breach include loss of reputation, loss of customer trust, and hefty fines. In 2011, the average data breach cost an organization $5.5 million. Despite these often highly publicized repercussions, 65% of CEOs surveyed by CORE Security reported that they did not have the information they need to translate IT risk into business risk.