Your company may survive a data breach. Your job may not.
Just a few days ago Target announced that CEO Gregg Steinhafel would be stepping down in the wake of the massive data breach that exposed millions of customer credit and debit card numbers. This announcement came following the resignation of Target CIO, Beth Jacob, in March. While the consequences of a data breach are far reaching, few business leaders consider themselves in harm’s way. From this data breach, and many others, executives are beginning to realize that they have far more at risk than fines or a slap on the wrist.
At the end of the day, the responsibility for Governance, Risk Management, and Compliance, as well as the protection of customers, falls directly on the shoulders of the CEO and other accountable executives. Target is not the only organization to push out leadership in the wake of a breach. In 2012, a massive data breach of Utah Medicaid servers exposed personal information of 780,000 individuals, resulting in the resignation of the state Chief Information Officer (CIO), Steve Fletcher. Also in 2012, the South Carolina Department of Revenue (DOR) was hacked, resulting in the loss of 1.9 million Social Security numbers, and the South Carolina DOR director, Jim Etter, resigned as well. With Target, that pattern has reached the CEO's office of a major corporation for the first time.
While risk management is built into other daily activities such as financial transactions, businesses as a whole have yet to fully adopt risk management practices in data security. The Target breach stands as an example of what can happen to business leaders when data security falls by the wayside, and these leaders should consider it a wake-up call. Lost jobs are not the only consequence of a data breach; extensive litigation follows as well.
Business leaders now may be asking themselves how they can prevent a data breach. To avoid the costs of a data breach, a business leader can ask his or her IT security team these questions:
Are we using encryption everywhere our sensitive data is?
Sensitive data such as credit card numbers, financial data, email addresses, and passwords should be encrypted from the moment you receive it from your customer until it is deleted from your database. A capable attacker will find any gap in your encryption strategy, whether data sitting in clear text in a log file, in a backup, or in the memory of the system that first handles it, and exploit it. Had Target encrypted cardholder data at the point of capture, before it was ever held in the clear by the Point of Sale (POS) system, the stolen data would have been worthless to the thieves, the company would not have become a poster child for bad security, and Gregg Steinhafel would likely still have his job.
Are we protecting our encryption keys?
While encryption is a major player in a strong data security solution, the success of your encryption relies heavily on how well you protect your encryption keys. What many business executives don't know is that, without an encryption key management solution, their IT administrators may be storing the encryption keys in the same database, or on the same server, as the encrypted data. This is a common practice among organizations that are encrypting but don't have a comprehensive security plan. Executives should understand that if an attacker who steals the database also gets the keys, they can "unlock" the encrypted data, and the encryption itself is rendered useless. Keys belong in a separate system (a key manager or hardware security module) with its own access controls, key rotation, and an audit log of every key retrieval.
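The following added example (not Townsend Security's code) contrasts the two designs described above: a record that carries its own key next to the ciphertext, and the envelope-encryption layout in which the row holds only a data key wrapped by a key-encryption key that never leaves a separate key server. The `KeyServer` class, the record layouts and the card number are all constructed for illustration, and the cipher is a deliberately simple HMAC-SHA256 keystream with an HMAC tag so the script runs on the standard library alone; it stands in for AES-GCM and should not be used as-is.

```python
"""Why encryption keys must not live beside the data they protect.

Added illustration, not code from the original page. The cipher is a toy
(HMAC-SHA256 keystream + HMAC tag) standing in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF-based keystream: HMAC(key, nonce || counter) blocks concatenated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KeyServer:
    """Hypothetical stand-in for an external key manager or HSM.

    The key-encryption key (KEK) is generated here and never exported; callers
    only ever hand in a wrapped data key and receive the unwrapped one back.
    """

    def __init__(self) -> None:
        self._kek = os.urandom(32)

    def wrap(self, dek: bytes) -> bytes:
        return encrypt(self._kek, dek)

    def unwrap(self, wrapped: bytes) -> bytes:
        return decrypt(self._kek, wrapped)


def store_naive(card_number: str) -> dict:
    """Anti-pattern: the data key is a column in the same row as the ciphertext."""
    dek = os.urandom(32)
    return {"pan_enc": encrypt(dek, card_number.encode()), "key": dek}


def store_separated(card_number: str, ks: KeyServer) -> dict:
    """Envelope encryption: the row holds ciphertext plus the *wrapped* data key."""
    dek = os.urandom(32)
    return {"pan_enc": encrypt(dek, card_number.encode()), "wrapped_dek": ks.wrap(dek)}


def attacker_with_db_dump(row: dict) -> Optional[str]:
    """What an attacker learns from the database alone (no access to the key server)."""
    if "key" in row:                      # naive layout: the key came with the dump
        return decrypt(row["key"], row["pan_enc"]).decode()
    return None                           # wrapped_dek is opaque without the KEK


def authorized_read(row: dict, ks: KeyServer) -> str:
    """Application path: unwrap the data key via the key server, then decrypt."""
    return decrypt(ks.unwrap(row["wrapped_dek"]), row["pan_enc"]).decode()


if __name__ == "__main__":
    PAN = "4111111111111111"  # constructed test card number
    print("naive layout, attacker recovers:", attacker_with_db_dump(store_naive(PAN)))
    ks = KeyServer()
    row = store_separated(PAN, ks)
    print("separated layout, attacker recovers:", attacker_with_db_dump(row))
    print("separated layout, application reads:", authorized_read(row, ks))
```

In a real deployment the `KeyServer` role is played by a dedicated key manager or HSM reached over an authenticated channel, and the wrapped data key is the only key material that ever touches the database or its backups.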
Are we using two factor authentication to prevent unwanted intruders from gaining access to our data?
Two factor authentication is becoming a widely used method of ensuring that the person viewing your company's sensitive data is authorized to do so. Usernames and passwords are easy to steal, so two factor authentication requires the user to present something they have (such as a one-time code generated on their phone or by a hardware token) along with something they know (the username and password). Codes sent by text message are the weakest form of the second factor, since phone numbers can be hijacked; an authenticator app or a hardware token is the better choice where it is practical.
Are we monitoring our systems with logging and alerting software in order to catch malicious activity in real time?
Detecting suspicious activity on your servers is a critical step in stopping an intrusion before it becomes a breach, or at least before it becomes a much bigger one. Collecting logs is not enough on its own; with good system event monitoring tools, your IT administrators should be able to catch malicious activity in real time and be notified when something out of the ordinary occurs, such as a burst of failed logins from one address followed by a successful one.
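To show what "catching malicious activity in real time" means in practice, here is an added example (not code from the original page) of detection logic run over a handful of constructed sshd-style log lines. It raises one alert when a single source address accumulates five failed logins inside a sixty-second window and a second, higher-priority alert if that same source then logs in successfully. The host names, addresses, user names and the year assumed for the timestamps are all invented for the example.

```python
"""Brute-force and success-after-brute-force detection over sshd log lines.

Added illustration, not code from the original page. The log lines below are
constructed; real syslog lines carry no year, so one is assumed when parsing.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port"
)

Alert = Tuple[str, str, str]   # (rule, source address, user name)


def parse_line(line: str, year: int = 2014) -> Optional[dict]:
    """Extract timestamp, result, user and source from an sshd auth line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "result": m.group(3),
            "method": m.group(4), "user": m.group(5), "src": m.group(6)}


class BruteForceDetector:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> None:
        self.threshold, self.window = threshold, window
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    def _recent_failures(self, src: str, now: datetime) -> Deque[datetime]:
        q = self._failures[src]
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return q

    def feed(self, ev: dict) -> List[Alert]:
        alerts: List[Alert] = []
        q = self._recent_failures(ev["src"], ev["ts"])
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == self.threshold:          # fire once, on crossing the threshold
                alerts.append(("brute_force", ev["src"], ev["user"]))
        elif len(q) >= self.threshold:             # Accepted right after a burst of failures
            alerts.append(("success_after_brute_force", ev["src"], ev["user"]))
        return alerts


def scan(lines: List[str], detector: Optional[BruteForceDetector] = None) -> List[Alert]:
    det = detector or BruteForceDetector()
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:                          # ignore lines that are not auth events
            alerts.extend(det.feed(ev))
    return alerts


# Constructed sample log: a password-guessing burst that succeeds, plus normal traffic.
SAMPLE_LOG = [
    "Jan 12 03:14:01 pos-db01 sshd[2211]: Failed password for admin from 198.51.100.7 port 50211 ssh2",
    "Jan 12 03:14:04 pos-db01 sshd[2212]: Failed password for admin from 198.51.100.7 port 50212 ssh2",
    "Jan 12 03:14:07 pos-db01 sshd[2213]: Failed password for admin from 198.51.100.7 port 50213 ssh2",
    "Jan 12 03:14:10 pos-db01 sshd[2214]: Failed password for admin from 198.51.100.7 port 50214 ssh2",
    "Jan 12 03:14:13 pos-db01 sshd[2215]: Failed password for admin from 198.51.100.7 port 50215 ssh2",
    "Jan 12 03:14:20 pos-db01 sshd[2218]: Accepted password for admin from 198.51.100.7 port 50218 ssh2",
    "Jan 12 03:15:01 pos-db01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 09:01:50 pos-db01 sshd[3000]: Failed password for deploy from 10.0.5.12 port 41021 ssh2",
    "Jan 12 09:02:11 pos-db01 sshd[3001]: Accepted publickey for deploy from 10.0.5.12 port 41022 ssh2",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from `10.0.5.12` never reaches the threshold and stays silent, which is the point of a windowed count: the rule is tuned to the behaviour of an attacker, not to the occasional typo of an administrator.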
According to the 2014 Online Trust Alliance Data Protection & Breach Readiness Guide, of 500 breaches studied in 2013, 89% of them were preventable if proper controls and security best practices were used. Business leaders can play an active role in mitigating data breach risk by asking informed questions and becoming acquainted with basic security practices.
To learn more about the disconnect between executives and their IT teams, download the eBook: Turning a Blind Eye to Data Security (Mending the Breakdown of Communication Between CEOs and CIOs).