As a security professional, published author, and frequent speaker about information security, I’ve observed that there is a relatively consistent role that denial plays in all data breaches. It begins long before there is ever any data stolen and persists well through the discovery and resolution of the breach. In my heart of hearts, I do not believe this denial is a conscious decision, rooted in a lazy attitude about security, but rather that denial is the path of least resistance.
How do we change the tenor of the discussion around information security such that it is easier to choose action over inaction? Or funding over non-funding? Or staffing over non-staffing?
Many who have attempted to answer these questions have buried the reader in statistics and anecdotal stories about how inaction, non-funding or non-staffing has ultimately led to an organization’s public humiliation. Let me take a different tack: begging.
Please, please, please! Please take seriously the trust your company and customers have put in you to protect sensitive data.
Please employ column-based database encryption to protect my Social Security Number, credit card number and other private data.
Please implement east-west packet filtering to protect data centers from insider threats and from lateral movement by an attacker who has already gained a foothold on one internal system.
Please employ SIEM systems to help identify anomalous events on your data systems and infrastructure, so an attack can be properly identified.
Please prepare the procedures and plans necessary to efficiently and effectively respond to a data breach.
Please invest in vulnerability scanning and patch management systems to keep your systems up to date, so that sensitive systems cannot be exploited directly and non-sensitive systems cannot be used as a stepping stone to reach them.
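To make the column-based encryption plea concrete, here is an added example (it is not code from the original post or from its author) showing what “encrypt the SSN column at the application layer” looks like in practice. It uses Go’s standard library AES-GCM and HMAC; the table, the customer rows and the 32-byte master key are constructed for illustration, and the row/column layout is an assumption. Two practitioner details are built in: the ciphertext is bound to its row ID and column name as associated data, so a cell copied into another row fails to decrypt, and a keyed “blind index” is stored beside the ciphertext so a lookup by SSN does not require decrypting every row.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ColumnVault encrypts individual sensitive columns at the application layer.
// Two sub-keys are derived from one master key (assumed to live in a KMS/HSM,
// never in the database): one for AES-GCM, one for the HMAC blind index.
type ColumnVault struct {
	aead    cipher.AEAD
	hmacKey []byte
}

func NewColumnVault(master []byte) (*ColumnVault, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes")
	}
	encKey := sha256.Sum256(append([]byte("enc:"), master...))
	macKey := sha256.Sum256(append([]byte("idx:"), master...))
	block, err := aes.NewCipher(encKey[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ColumnVault{aead: aead, hmacKey: macKey[:]}, nil
}

// aad binds a ciphertext to the row and column it was written for, so a
// ciphertext copied from another row or column fails authentication.
func aad(rowID int64, column string) []byte {
	return []byte(fmt.Sprintf("%d:%s", rowID, column))
}

// Encrypt returns nonce||ciphertext||tag for one cell (a fresh random nonce per cell).
func (v *ColumnVault) Encrypt(rowID int64, column string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, aad(rowID, column)), nil
}

// Decrypt reverses Encrypt; it errors if the tag, row ID or column do not match.
func (v *ColumnVault) Decrypt(rowID int64, column string, stored []byte) ([]byte, error) {
	ns := v.aead.NonceSize()
	if len(stored) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, stored[:ns], stored[ns:], aad(rowID, column))
}

// BlindIndex is a keyed hash of the plaintext, stored beside the ciphertext so
// "find customer by SSN" is a single indexed equality query.
func (v *ColumnVault) BlindIndex(plaintext []byte) string {
	m := hmac.New(sha256.New, v.hmacKey)
	m.Write(plaintext)
	return hex.EncodeToString(m.Sum(nil))
}

// CustomerRow models one row of a hypothetical customers table: ordinary
// columns stay plaintext; the SSN column holds ciphertext plus its blind index.
type CustomerRow struct {
	ID       int64
	Name     string
	SSNEnc   []byte
	SSNIndex string
}

// InsertCustomer builds the row exactly as it would be written to the table.
func InsertCustomer(v *ColumnVault, id int64, name, ssn string) (CustomerRow, error) {
	ct, err := v.Encrypt(id, "ssn", []byte(ssn))
	if err != nil {
		return CustomerRow{}, err
	}
	return CustomerRow{ID: id, Name: name, SSNEnc: ct, SSNIndex: v.BlindIndex([]byte(ssn))}, nil
}

// FindBySSN locates a row by blind index, then decrypts only that row.
func FindBySSN(v *ColumnVault, table []CustomerRow, ssn string) (*CustomerRow, error) {
	idx := v.BlindIndex([]byte(ssn))
	for i := range table {
		if hmac.Equal([]byte(table[i].SSNIndex), []byte(idx)) {
			if _, err := v.Decrypt(table[i].ID, "ssn", table[i].SSNEnc); err != nil {
				return nil, err
			}
			return &table[i], nil
		}
	}
	return nil, errors.New("not found")
}

// LeaksPlaintext reports whether a raw dump of the cell would expose the secret.
func LeaksPlaintext(cell []byte, secret string) bool {
	return bytes.Contains(cell, []byte(secret))
}

func main() {
	v, _ := NewColumnVault([]byte("0123456789abcdef0123456789abcdef")) // constructed key
	row, _ := InsertCustomer(v, 7, "Alice", "123-45-6789")          // constructed data
	fmt.Printf("stored cell leaks SSN: %v\n", LeaksPlaintext(row.SSNEnc, "123-45-6789"))
	found, err := FindBySSN(v, []CustomerRow{row}, "123-45-6789")
	fmt.Printf("lookup by SSN: id=%d err=%v\n", found.ID, err)
	_, err = v.Decrypt(8, "ssn", row.SSNEnc)
	fmt.Printf("cell moved to another row decrypts: %v\n", err == nil)
}
```

The point of the row/column binding is that a database-level attacker who can write to the table (a SQL injection, a stolen DBA credential) cannot swap one customer’s encrypted SSN into another’s record and have the application happily decrypt it. The blind index still reveals which rows share the same SSN, so it belongs only on columns where equality lookup is genuinely required, and the master key must never be stored in the same database it protects.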
I make these pleas first as a consumer whose card data has been stolen on numerous occasions, and second as a security consultant charged with helping prevent and/or recover from the breaches that such a denial creates.
Never think you’re too small a target. Never think you have nothing a hacker would want. Never think that it’s impossible you could be targeted, or that you have been breached.
Denial is the mother of demise; take your charge seriously and don’t be in denial.
Corey Steele, Network and Security Engineer