Criminal Minds - Security Officers Challenged to Safely Store Data

Chief information security officers face the daunting task of protecting their data from internal and external security threats. A look at the top data breaches of the 21st century shows that no industry is immune; the list includes such well-known names as Equifax, Yahoo, eBay, Target, JP Morgan Chase, Anthem, Sony, Home Depot and Adobe. Here is a list of the top breaches of this century.

A single electronic medical record (EMR) can fetch up to $10 from criminals on the open market, which is more than ten times the value of a stolen credit card. The reason is that medical records can contain Social Security numbers, medications, addresses and more, all of which can lead to a variety of illegal activities. Protecting medical records means guarding against endpoint penetration from public facilities including hospitals, clinics, private physicians, pharmacies, and patients.

Fourth-Party Breaches

Fourth-party threats in financial services are a growing concern. What is a fourth party? It is a vendor of a vendor. The financial ecosystem connects institutions with their customers, and those customers connect with their own vendors and customers. The challenge is that fourth-party vendors are often not even known. So how do you mitigate the risk? You need to open discussions with your third-party providers to understand what, if any, fourth parties touch your sensitive data. Once you have that list, the security ratings of those fourth parties should be closely monitored. A drop in security rating may indicate a weakness that you need to address.

Government agencies often deal with public information, and their primary concern is to protect data that is made readily available online. They tend to be trusting, and less concerned about protecting the data that is accessible to internal users. From 2012 to 2014 the U.S. Office of Personnel Management was hacked on several occasions, including one breach from a third-party vendor that wasn’t discovered until nearly a year later. The breach impacted 22 million employees, and the intruders stole fingerprints and the addresses of employees and their relatives, all associated with security clearance information.

Data At Rest and In Transit

Given the massive amounts of digital data organizations are handling today, and increasing regulations (like HIPAA and PCI-DSS) to protect people’s privacy, data storage and encryption are paramount. Organizations need to have a strategy to protect their data from unauthorized employees or external threats. Encryption is the most common safeguard and should be used to protect not only data “at rest,” but also data “in transit” from host to storage systems. Data traveling through networks is most vulnerable. Pooling multiple virtual storage devices into a single platform with centralized control provides several advantages, from cost optimization to continuous access to data in the event of a technical failure.

Encryption of “at rest” data alone is no longer adequate; your organization must evaluate its unique needs and implement effective security controls and policies. Someone in your organization needs to put themselves in the shoes of the criminal to pinpoint potential weaknesses, and test your systems in every way imaginable. Protecting your data entails multiple layers, just like protecting your home. Whether that means locks, alarms, or cameras, we all put the necessary protections in place to keep our families safe. The same applies to protecting your enterprise’s data.


About the Author: Troy Burke

With 30 years of experience providing clients with stellar service and strategic solutions for growth and development, Troy is committed to ensuring his customers receive the highest quality solution, training and support with every implementation. He frequently speaks on the topic of redaction and is actively involved with the National Association of Court Management, the Property Records Industry Association and several other government organizations.