You will be surprised why most corporate data gets hacked. This video identifies some of the common ways data breaches occur, and how to defend against them.
Text from the Video:
It seems like almost every week there is another major announcement about some organization being hacked and millions of sensitive personal records getting into the wrong hands. When I hear things like that on the TV, I imagine some computer genius in his basement skillfully navigating the organization’s maze of safety measures. But the sad part is many data breaches happen without a whole lot of hacking skills at all. Rather, they are the result of internal organizational negligence. In other words, the organization inadvertently gives your data away. Let me share with you two scenarios on how this can occur. Then later we’ll talk about ways to stave off those glaring vulnerabilities.
In the first scenario a disgruntled employee decides to access records for malicious purposes. This is probably the most difficult scenario to combat. All the employee has to do is log in and retrieve records they have access to. And all too often this data also includes columns of data like social security numbers and credit card numbers. Like I mentioned before, without any real technical hacking, the employee can access sensitive information. We’ll talk about some ways to stave off this type of attack a little later.
The second scenario, however, is far more preventable as it involves the organization literally giving the data away. Let me explain how. Imagine that an organization is launching a new integrated application that allows for a call center rep to pull up a customer record while they’re talking on the phone. Now since this is a large effort, much of the testing is happening through a tier one services vendor offshore. One of the key requirements to accurately test this new application is to obtain data from the underlying production systems. Since the organization is working with a “trusted” partner, a production copy for testing purposes is made available to enable the development of the application.
What the organization may not be aware of is that the “trusted” partner is partially made up of 3rd party contractors. And in this case, they don’t necessarily have the customers’ and partners’ best interests in mind, and the organization’s data is literally given to these 3rd parties with no strings attached.
Now these two scenarios may be made up, but get this… The Ponemon Institute estimates that 88% of all security breaches involve insider negligence. So these types of scenarios happen all the time. Now there’s no silver bullet to data security, let’s admit that. But I’d like to highlight 2 practices that every organization should be engaging in. These two practices will provide a safeguard against the internal vulnerabilities that I referenced in this video.
The first practice that I’d like to call out, is something called Dynamic Data Masking. This practice can help address the scenario of the disgruntled employee and other data breaches. You see, organizations have to strike a balance between data security and business enablement. Too much security and the business users are unable to make decisions and inform customers. Too much access opens the organization up to a data breach of sensitive records. Dynamic Data Masking delivers a balance. What it consists of is a proxy server in front of the production database. If you want to talk to the database you have to go through the proxy server. What this proxy server is doing is checking if any sensitive columns have been requested. If you don’t have the rights to see a column of data it will still deliver the column but it will change the content to keep it protected.
The second practice that I’d like to share is called Persistent Data Masking. This method helps us avoid the test data scenario we shared. Making copies of production data is a very common practice. Testing against production copies is essentially how IT departments ensure they are successful in standing up applications. However, creating all these copies of production data creates an obvious risk of data breach. So in Persistent Data Masking we still deliver a copy of production. But in the columns that are sensitive, we apply different rules to those columns to randomize the records. This allows the various testing and development teams to continue their work, without literally giving away the data.
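The two masking practices described above, side by side in Python, as an added example that is not code from the video or from Intricity. The rows, column names, roles, the keep-the-last-four redaction rule and the keyed HMAC used for the persistent rule are all assumptions made for illustration; the HMAC stands in for "randomizing" so that repeated values still match across rows in the test copy.

```python
import hashlib
import hmac

# Constructed sample "production" rows; every value is made up.
PROD_ROWS = [
    {"id": 1, "name": "Ann Lee", "ssn": "123-45-6789", "card": "4111111111111111"},
    {"id": 2, "name": "Bob Roy", "ssn": "987-65-4321", "card": "5500005555555559"},
    {"id": 3, "name": "Ann Lee", "ssn": "123-45-6789", "card": "4111111111111111"},
]
SENSITIVE = {"ssn", "card"}
# Hypothetical entitlements: role -> sensitive columns it may see in clear.
ROLE_CLEAR = {"fraud_analyst": {"ssn", "card"}, "call_center": set()}


def redact(value):
    """Dynamic rule (assumed): keep layout and last 4 characters, hide the rest."""
    return "".join("X" if c.isalnum() else c for c in value[:-4]) + value[-4:]


def dynamic_mask(rows, role):
    """Proxy view: every column is still delivered, but sensitive columns the
    role is not entitled to come back redacted. Unknown roles get no clear data."""
    allowed = ROLE_CLEAR.get(role, set())
    return [{k: redact(v) if k in SENSITIVE and k not in allowed else v
             for k, v in row.items()} for row in rows]


def scramble(value, key, column):
    """Persistent rule (assumed): swap each digit for one derived from a keyed
    HMAC, so layout survives and equal inputs still match across rows."""
    digest = hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()
    stream = iter(digest)  # 32 bytes, enough for the 16-digit values used here
    return "".join(str(next(stream) % 10) if c.isdigit() else c for c in value)


def persistent_mask(rows, key):
    """Test copy: sensitive columns are rewritten before the data leaves
    production; the key never ships with the copy."""
    return [{k: scramble(v, key, k) if k in SENSITIVE else v
             for k, v in row.items()} for row in rows]


if __name__ == "__main__":
    print(dynamic_mask(PROD_ROWS, "call_center")[0])
    print(persistent_mask(PROD_ROWS, b"constructed-demo-key")[0])
```

The dynamic path leaves the stored data untouched and decides per request, while the persistent path changes the copy itself, so nothing sensitive exists on the vendor's side to leak.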
Data security will never not be an issue; it will always be something we have to stay on top of. However, with some of these practices in place we can at least avoid giving the data away.
At Intricity we partner with our customers to deliver actionable solutions to complex data problems. I recommend you visit our website and talk with one of our specialists. We can help you build a data strategy that keeps your data safe and your customers loyal.
-Jared Hillam, EIM Practice Director