With breaches inevitable, companies must pursue data loss prevention
Occurrence of a major data leakage incident may now be a matter of "when" rather than "if" for U.S. companies, due to the convergence of new risks inherent in data-intensive applications, fragmented endpoint strategies and cloud computing. Too frequently, companies ignore or inadequately address known vulnerabilities, and the persistence of aging, unsecured IT assets eventually attracts the attention of cybercriminals.
Data breaches occur at an alarming rate. In 2011 alone, 855 breaches resulted in the loss of 174 million records, according to a report from the Verizon RISK Team. For companies that handle personally identifiable information (PII), the stakes are particularly high, since insufficient endpoint data protection measures and lack of employee compliance education can result in costly legal action.
Writing for Mondaq, legal expert Jeffrey Vagle stated that "[t]he likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty," and he advised record keepers to rethink their approaches to device and network security, administration of PII information and employee data access controls. However, data leak prevention may be more difficult due to rising usage of cloud services, which permit the storage and exchange of massive amounts of information at a time. Even one incident could result in the loss of thousands or millions of files.
Focusing on known vulnerabilities
IT departments frequently worry about zero-day attacks that can catch them off-guard and result in data leakage. For example, Network World's Dirk Smith chronicled the recent emergence of a Adobe Acrobat exploit that could let hackers conduct advanced surveillance. However, IT vulnerabilities may more often stem from unpatched old software, and even many zero-day threats arise from weaknesses in legacy code, including a Windows bug which Smith said targeted features first implemented 20 years ago.
"[O]ne thing that I have found is that many of the breaches and intrusions which succeeded did so by attacking known vulnerabilities that had been identified and had been around for years: not from some sophisticated 'zero-day' attack which was unidentified and unknown until only yesterday by the security community at large," wrote security expert Jim Kennedy in a recent Continuity Central article. "And, even more disturbing, social engineering continues to be a most successful way to begin and/precipitate an attack."
Additionally, hackers now have access to a wide range of prepackaged malware. These tools can often perform complex analytics of a computer or network and then suggest an optimal line of attack. Aside from literal tools, attackers also take advantage of employees who are not trained to screen out calls or messages from individuals who falsely claim to be a security provider's technical support team.
While it is imperative to proactively guard against zero-day attacks with robust endpoint protection software, companies also need to pair effective processes and training with their software and hardware solutions. Organizations often have multiple security policies in place, but the issue is enforcement. As a result, risky fluctuations in traffic or data movement, though nominally identified for security review, are not quickly and efficiently addressed.