Over the last few years, we’ve experienced some serious breach fatigue, particularly in the retail sphere. According to Vormetric’s Insider Threat Report, 51 percent of U.S. retail enterprises identified as “very” or “extremely” vulnerable to a data breach.
In light of the upcoming anniversary of the Target breach in December, our CEO, Alan Kessler, pointed out in his recent blog post that the Target attack was one of the most notable cybersecurity moments of the 21st century, leading into 2014, which saw a record number of data breaches. With that said, it’s safe to assume almost any individual in the U.S. knows at least one person affected by a data breach, and it’s creating new cyber realizations for businesses and consumers alike.
Target, however, was a precedent-setting breach that has led us to speak up about cybersecurity both in the public and private sector. The good news? We’re reaching new heights of cyber-awareness.
Since then, here’s what’s gone right:
A shift in strategy: more prevention, less detection.
Before Target, very few seemed to have a clear vision about where and how their security budgets should be invested. Now, organizations are taking a proactive approach rather than a reactive one. Utilizing technologies like payment processors to reduce business risk is one example. CISOs and CSOs nationally are asking more questions and are evaluating technology more frequently than standard security cycles suggest. IT decision makers are also limiting the number of data sets they have to maintain, in order to mitigate risk.
Additionally, more companies are understanding the importance of protecting personally identifiable information (PII). They’ve learned PII is more valuable than credit card information, and they’ve worked on identifying the crown jewels of the organization.
Organizations are focusing on prevention rather than detection. For example, they realize that watching out for changes in the amount and type of data being accessed by individual users at any given time can be essential to spotting an insider turned rogue or if their credentials have been hijacked by cyber-criminals. They are realizing that the consequences of not protecting data trump investments in security.
Data protection is a top priority.
Budget for compliance projects continues to be easier to get from a board, which can help when looking to fund breach protection strategies, but compliance regulations often lag behind real-world data protection requirements. Enterprises, regardless of vertical, are now continuously exploring technologies, processes and architectures to focus IT strategies on data, not compliance. It’s not just credit card numbers at risk; it’s intellectual property (IP) that is stolen and compromised. Now we’re seeing more interest at the board level in protecting data and IP, and discussions are being held between investors, CSOs and CDOs in a new fashion.
IT decision makers are also more aware that compliance will not secure data. If an organization wants to know if IP or data is safe, they have to watch insiders with legitimate access and look for unauthorized access attempts.
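The two points above, spotting a change in the amount or type of data a user pulls and watching insiders who hold legitimate access, come down to comparing each user's current activity against their own baseline. The script below is an added example, not code from the original post or from Vormetric; the log format (date, user, dataset, bytes), the sample lines and the three-times-baseline threshold are all constructed assumptions chosen to keep the example self-contained.

```python
"""Flag unusual data access per user from constructed access-log lines.

Baseline: each user's typical daily volume and the set of datasets they
normally touch. A later day is flagged when its volume exceeds a multiple
of the user's baseline mean or when a never-before-seen dataset appears,
which is how a hijacked credential or an insider turned rogue tends to
show up before any single request looks wrong on its own.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample log lines in a hypothetical format: date,user,dataset,bytes
SAMPLE_LOG = """\
2015-11-02,alice,customer_pii,120000
2015-11-03,alice,customer_pii,135000
2015-11-04,alice,customer_pii,110000
2015-11-05,alice,customer_pii,125000
2015-11-02,bob,inventory,50000
2015-11-03,bob,inventory,48000
2015-11-04,bob,inventory,52000
2015-11-05,bob,inventory,51000
2015-11-06,alice,customer_pii,130000
2015-11-06,bob,inventory,49000
2015-11-06,bob,customer_pii,900000
"""

BASELINE_END = "2015-11-05"   # records on or before this date form the baseline
VOLUME_FACTOR = 3.0           # flag a day above this multiple of the baseline mean (assumed)


def parse_log(text):
    """Parse CSV-like lines into (date, user, dataset, nbytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, dataset, nbytes = line.split(",")
        rows.append((date, user, dataset, int(nbytes)))
    return rows


def daily_totals(rows):
    """Aggregate bytes and datasets per (user, date)."""
    volume = defaultdict(int)
    datasets = defaultdict(set)
    for date, user, dataset, nbytes in rows:
        volume[(user, date)] += nbytes
        datasets[(user, date)].add(dataset)
    return volume, datasets


def build_baseline(rows, baseline_end=BASELINE_END):
    """Per-user mean daily volume and datasets seen within the baseline window."""
    base_rows = [r for r in rows if r[0] <= baseline_end]
    volume, datasets = daily_totals(base_rows)
    per_user_days = defaultdict(list)
    per_user_sets = defaultdict(set)
    for (user, date), total in volume.items():
        per_user_days[user].append(total)
        per_user_sets[user] |= datasets[(user, date)]
    return {u: {"mean": mean(v), "datasets": per_user_sets[u]}
            for u, v in per_user_days.items()}


def find_anomalies(rows, baseline, baseline_end=BASELINE_END, factor=VOLUME_FACTOR):
    """Return a sorted list of (user, date, reason) for days after the baseline window."""
    new_rows = [r for r in rows if r[0] > baseline_end]
    volume, datasets = daily_totals(new_rows)
    findings = []
    for (user, date), total in volume.items():
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, date, "no baseline for user"))
            continue
        if total > factor * profile["mean"]:
            findings.append((user, date,
                             f"volume {total} > {factor}x baseline mean {profile['mean']:.0f}"))
        unseen = datasets[(user, date)] - profile["datasets"]
        if unseen:
            findings.append((user, date, "new dataset(s): " + ", ".join(sorted(unseen))))
    return sorted(findings)


def run(text=SAMPLE_LOG):
    """Build the baseline from the sample and report anomalies on later days."""
    rows = parse_log(text)
    return find_anomalies(rows, build_baseline(rows))


if __name__ == "__main__":
    for user, date, reason in run():
        print(f"{date} {user}: {reason}")
```

On the constructed sample, alice's 6 November activity stays within her baseline, while bob is flagged twice for the same day: his volume is far above his usual mean, and he touches `customer_pii`, a dataset he had never accessed. A real deployment would use a longer baseline window, per-dataset sensitivity weights and a rolling recomputation, but the shape of the check is the same.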
Additionally, more organizations are looking to recruit talent through contractors or third parties to minimize risk wherever possible, working to keep system infrastructure running and data warehouses safe. As a result, we’re seeing more companies implement technologies like encryption, tokenization and data masking. This is mostly because once data is exposed, organizations face a higher risk of system vulnerabilities that could be detrimental to the business.
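Tokenization and data masking, named above, are easy to confuse, so here is an added example of both side by side; it is not code from the original post or from Vormetric. A random token of the same length replaces the card number in application databases, the real number lives only in a vault, and the display layer shows a masked form. The in-memory dictionary standing in for the vault, the Visa test number used as input and the choice to keep the last four digits are all assumptions of the example.

```python
"""Vault-based tokenization and display masking for card numbers (PANs).

Tokens are generated so that they fail the Luhn check and so cannot be
mistaken for a real card number if a token store leaks. The in-memory
dict is a stand-in for a hardened, encrypted, access-controlled vault.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form for display: only the last four digits remain."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps tokens to PANs; only this component ever sees a real PAN."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or len(pan) < 13 or not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:          # same PAN always maps to the same token
            return self._by_pan[pan]
        while True:
            # keep the last four digits so reports and masked display still work
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # reject collisions and any token that would pass as a real PAN
            if token not in self._by_token and token != pan and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; in production this call is the one to audit and restrict."""
        return self._by_token[token]


# Constructed input: the widely published Visa test number, not a real account
SAMPLE_PAN = "4111111111111111"


def demo(pan=SAMPLE_PAN):
    """Tokenize, mask and detokenize one PAN; returns the pieces for inspection."""
    vault = TokenVault()
    token = vault.tokenize(pan)
    return {"token": token, "masked": mask_pan(pan), "roundtrip": vault.detokenize(token)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split is blast radius: a breach of the application database yields tokens that cannot be charged and cannot even pass a checksum, the masked value is safe to show on a receipt or a support screen, and only the vault's `detokenize` path needs the tight access control and logging that the insider-monitoring discussion above calls for.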
As we saw earlier this year with the Cybersecurity Sprint, the government is working hard to identify and clean up security best practices, and it’s creating a sense of mentorship across different departments and industry sectors. Through efforts like the Sprint, Cybersecurity Awareness Month and as seen during my experiences at events like the CISO Summit, there are more conversations taking place on how C-Suite executives and federal agencies can not only spread awareness, but also mentor companies or governing bodies in need or that have been affected by a breach.
Additionally, more organizations are starting to create awareness about best practices, ensuring that the information gets passed along to someone that has either suffered a breach or is at risk. Similar to the concept of threat intelligence, executives are sharing information with companies in need on how to properly implement security into existing infrastructure and maintain a composed cybersecurity posture.
After the Target breach, there is now a larger emphasis on government and state roles to ensure that public companies are properly securing data and infrastructure, keeping them accountable beyond simple measures of compliance. This new level of mentorship will continue to rise in the coming months.
It’s my hope that we continue to focus on providing improved guidance and tools to protect U.S. data and infrastructure. For now, we’re heading in the right direction.
What else do you think has gone right since the Target breach? What other ways are we becoming cyber-aware? Would love to hear from you. Tweet to me, @solcates.