We’re most likely to hear about the largest data breaches, the ones that affect big companies and lots of consumers, or the ones in which attackers exploit vulnerabilities to break into IT systems. Those are the breaches that make headlines and generate clicks and page views. And of course it’s important for consumers and IT pros to know what’s going on with these attacks. In the past year, we’ve seen stories about the Heartbleed vulnerability, the big Target breach, and many, many others.
But plenty of data breaches simply aren’t large enough to garner attention, or they occur from internal error, or employee malfeasance, and might not wind up in the spotlight. Take a look at a few stories from the SC Magazine Data Breach Blog:
- Stanford Federal Credit Union email error exposes 18K members’ data
- Hackers access data on more than 160K Butler University students and staffers
- Employee accesses nearly 100K patient files in NRAD Medical Associates breach
Although the Butler University breach came by way of hacking, the other two came from internal sources, one intentional and one accidental. In these cases, traditional perimeter security isn’t going to protect against the loss of sensitive data, because the individuals at fault already have legitimate access to the network, including passwords where necessary. However, you can still institute appropriate internal security measures, through access tracking and auditing, that will help spot violations before they become problems.
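To make the "tracking and auditing" point concrete, here is an added example (not code from the original post or from any of the organizations named) that shows one simple internal control: an audit-log check that flags a user who views an unusually large number of distinct records in a short time window, the pattern behind an insider bulk-access incident like the NRAD one. The log format, the user names, the record ids and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: timestamp, user, action, record id).
# "jdoe" views seven distinct patient records in about six minutes; "asmith" views two,
# more than an hour apart, which is the kind of normal, per-case access we expect.
SAMPLE_LOG = """\
2014-06-10T08:01:12 jdoe VIEW patient:1001
2014-06-10T08:03:40 jdoe VIEW patient:1002
2014-06-10T08:05:02 asmith VIEW patient:2001
2014-06-10T08:05:30 jdoe VIEW patient:1003
2014-06-10T08:06:00 jdoe VIEW patient:1004
2014-06-10T08:06:20 jdoe VIEW patient:1005
2014-06-10T08:06:45 jdoe VIEW patient:1006
2014-06-10T08:07:10 jdoe VIEW patient:1007
2014-06-10T09:15:00 asmith VIEW patient:2002
"""


def parse_line(line):
    """Split one audit line into (timestamp, user, action, record)."""
    ts, user, action, record = line.split()
    return datetime.fromisoformat(ts), user, action, record


def parse_log(text):
    """Parse a whole log blob, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_bulk_access(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: peak distinct records} for users who viewed at least
    `threshold` distinct records inside any sliding window of length `window`.

    The window and threshold are assumed values for the example; in practice
    they would be tuned per role from a baseline of normal access volume.
    """
    by_user = defaultdict(list)
    for ts, user, action, record in events:
        if action == "VIEW":
            by_user[user].append((ts, record))

    flagged = {}
    for user, views in by_user.items():
        views.sort()  # sliding window needs chronological order
        start = 0
        peak = 0
        for end in range(len(views)):
            # Advance the window start until it spans no more than `window`.
            while views[end][0] - views[start][0] > window:
                start += 1
            distinct = len({record for _, record in views[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def report(flagged):
    """Render flagged users as one-line alerts for a reviewer."""
    return [f"ALERT: {user} viewed {count} distinct records within the window"
            for user, count in sorted(flagged.items())]


if __name__ == "__main__":
    for line in report(flag_bulk_access(parse_log(SAMPLE_LOG))):
        print(line)
```

The check runs after the fact against logs the application already writes, so it costs nothing at the perimeter, and it catches exactly the case the post describes: a legitimately authenticated user whose access pattern, not whose credentials, is the problem. Pairing it with a documented review process is what turns a log entry into a caught violation.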
Another point these three stories highlight is that data breaches can occur in any size and any type of organization. It’s not just large, high-profile companies that are at risk, and it’s not just organizations in specific verticals, such as financial or medical institutions. Every organization deals with some type of sensitive data, even if it’s only its own employees’ personal information and payroll. You might not have to uphold HIPAA standards in your IT department, but data security should still be a high priority.
The final point that’s interesting to note from these three data breaches comes in each institution’s response. After the problem is detected, what do they do? They take steps to increase their security: they institute better data handling policies and procedures or they upgrade their systems and install new software. Essentially, they learn from the mistake and harden the system.
You want to applaud their efforts, which after all should lead to safer systems. But I can’t help wondering, if these changes are so easy to implement once a breach has happened, why didn’t the organizations have stronger measures in place sooner to prevent the problems? Something to think about. And if you’re reading this and are fortunate enough to run an organization that hasn’t suffered a data breach, maybe it’s a good time to take a few minutes to think about what measures you might take to harden your own environment against future problems.