2 Sep 2015
Data Security Lessons To Learn Right Now Much has been said about the recent Ashley Madison (AM) hack attack, and even more was said about the subsequent data dump of highly sensitive customer information. Are there lessons to be learned from AM? To some extent—the consequences would have been worse had card data not been encrypted. But in the wake of last week’s court ruling that gives the U.S. Federal Trade Commission (FTC) the authority to sue companies for failing to maintain adequate cyber security, it’s obvious that business needs to pay more attention to their security controls. The FTC Is Watching The court decision came in response to the FTC’s lawsuit against Wyndham Worldwide Corporation for digital security failures—storing payment card information in clear text, using easily guessed passwords to protect property management systems, failing to use basic security measures like firewalls, and etc.—that resulted in a series of data breaches in 2008 and 2009. According to the FTC, payment card information from more than 619,000 Wyndham customers was stolen by cybercriminals, resulting in total fraud losses of at least $10.6 million. The Wyndham story is far less titillating than the AM attack, but companies need to take a long look at the court ruling. The FTC is charged with monitoring and remediating “unfair or deceptive acts or practices in or affecting commerce.” The court has found that this power applies to failures of cyber security. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information,” FTC chairwoman Edith Ramirez told Reuters. We all know that the internet was built for friendly sharing of academic and technical info. We have built a world economy on a platform that is fundamentally insecure in a myriad of ways. The “OMG It’s The Biggest Hack Attack of All Time” is quickly superseded by an even bigger attack a week or so later. What to do? We know throwing money at cyber security doesn’t solve the problem. Security is an attitude; a decision not to take the easy way out. We all had a good laugh over that folder, cleverly named “passwords,” on Sony’s network, that contained a long list of passwords in clear text. It’s amusing in a horrible sort of way, but be honest — how many best practice violations exist on your laptop, mobile phone, and network? Plenty. It’s so easy to get sloppy. We all need to straighten up and start doing the things we know we need to do, rather than giving lip service to security. 2016 will almost certainly bring a tsunami of cyber attacks. Batten down the hatches now. Data Security To-Do List As the “Year of the Breach” winds down, it’s also good to remember that being in compliance with a data protection standard does not equal security. Standards tend to describe the bare minimum necessary to protect data at capture, in transit, and at rest. Likewise, standards address a wide common denominator with necessarily wide definitions of what one should and should not do. (And yet, companies routinely find these baselines too difficult or costly to implement, as the executive director of information security at Sony Pictures Entertainment explained to a reporter in 2005.) Compliance is but the beginning of a comprehensive security posture. Don’t make the mistake of spending money strictly to comply with a specific standard. Instead, run a gap audit to determine your weakest points. And conduct a risk audit to understand where the danger lies — why would an attacker target your company, and where do the most likely attack vectors lie? Develop a plan to address these issues. Consult with a compliance expert who can ensure the regulatory demands are covered by your comprehensive security plan. Team this with a business culture that recognizes the vital importance of maintaining best security practices and you’ll be far better equipped to survive the coming storm.