The year 2015 became notorious for data breaches that compromised, on average, more data than ever before. Any security breach is the result of a security gap, negligence, or an underestimation of the human factor. Some of them could have been prevented if employees had followed security policies more closely or if organizations had taken minor security issues more seriously. Even so, every cloud has a silver lining. Breached companies cannot go back in time and fix what needed to be fixed, but they give us a valuable lesson and an opportunity to become smarter and avoid the same mistakes.
Here are three lessons that apply to everyone:
Address discovered vulnerabilities.
Almost 11 million records of Premera Blue Cross customers were breached a few weeks after a routine audit had revealed some network security issues. Unfortunately, they were not addressed in time. Lesson learnt? Audits are there for a reason. Deal with discovered vulnerabilities ASAP – don’t wait for hackers to exploit them.
Monitor privileged user activities and apply the principle of least privilege.
Access to sensitive data combined with malicious intent is the most dangerous mix. A recent example is the case in which 350,000 client records were stolen from Morgan Stanley by an employee; moreover, 900 of them were later published online. Protecting against insider misuse is a real challenge. Still, some helpful measures can be taken. First, establish the principle of least privilege: employees get access only to the information they need for their duties. Second, monitor all privileged user activities so that anyone who becomes too curious can be tracked.
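As an added illustration of those two measures (example code, not from the original post or from any of the companies mentioned), the following Python script applies a role-based allow list and a peer-volume comparison to a constructed audit log. The role names, dataset names, log format and the 10x threshold are assumptions made for this example.

```python
"""Added example: two insider-misuse controls run over a constructed audit log.

1. Least privilege: every access is checked against the datasets the user's
   role is allowed to touch.
2. Privileged-activity monitoring: each user's record-access volume is compared
   with peers in the same role, and outliers are flagged for review.

Roles, dataset names, the log format and the threshold are all assumptions.
"""
from collections import defaultdict
from statistics import median

# Assumed role-to-dataset allow list: each role may read only the datasets
# its duties require.
ROLE_ALLOWED = {
    "advisor": {"client_profiles"},
    "dba": {"client_profiles", "account_ledger"},
    "hr": {"employee_records"},
}

# Constructed audit log, one event per line:
# "<timestamp> <user> <role> <action> <dataset> <record_count>"
SAMPLE_LOG = """\
2015-01-05T09:12:01 alice advisor READ client_profiles 120
2015-01-05T09:40:17 bob advisor READ client_profiles 95
2015-01-05T10:02:44 carol advisor READ client_profiles 110
2015-01-05T10:15:09 dave advisor EXPORT client_profiles 350000
2015-01-05T11:30:55 erin dba READ account_ledger 4000
2015-01-05T12:05:30 frank hr READ client_profiles 40
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, dataset, count = line.split()
        events.append({"ts": ts, "user": user, "role": role, "action": action,
                       "dataset": dataset, "count": int(count)})
    return events


def out_of_scope_accesses(events):
    """Least-privilege check: events that touch a dataset the role may not use."""
    return [e for e in events
            if e["dataset"] not in ROLE_ALLOWED.get(e["role"], set())]


def volume_outliers(events, factor=10):
    """Flag users whose total record volume exceeds `factor` times the median
    volume of their peers in the same role. Returns {user: (total, peer_median)}.
    Users with no peers are skipped: they need manual review, not a ratio."""
    totals = defaultdict(int)
    role_of = {}
    for e in events:
        totals[e["user"]] += e["count"]
        role_of[e["user"]] = e["role"]
    flagged = {}
    for user, total in totals.items():
        peers = [t for u, t in totals.items()
                 if u != user and role_of[u] == role_of[user]]
        if not peers:
            continue
        base = median(peers)
        if total > factor * base:
            flagged[user] = (total, base)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in out_of_scope_accesses(evs):
        print(f"OUT OF SCOPE: {e['user']} ({e['role']}) read {e['dataset']}")
    for user, (total, base) in volume_outliers(evs).items():
        print(f"VOLUME OUTLIER: {user} accessed {total} records, peer median {base}")
```

In the constructed log the HR user reading client profiles trips the least-privilege check, and the advisor who exported 350,000 records stands out against colleagues who touch about a hundred each. The peer comparison is deliberately relative rather than a fixed number, so the same logic works for roles with very different normal workloads.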
Take the human factor into account.
Bank of Manhattan Mortgage Lending surely has strong security policies and systems. Yet they didn’t help it avert the risk of human negligence. An employee’s failure to follow established policies resulted in a data leak; the bank hasn’t yet announced the exact number of compromised records, which were stored on a removable disk drive. Even though it is not possible to completely eliminate the human factor, make sure it is accounted for in the security policies. Conduct regular training on corporate security policies and new threats. Employees have to understand their personal responsibility for data security. Ideally, employees should perceive security measures as a must, not just as a bureaucratic or life-complicating exercise.
The data breaches of 2015 have served as a wake-up call, signaling that traditional security methods don’t protect against sophisticated attacks. The IT department should keep a certain level of control over the IT infrastructure and be aware of possible vulnerabilities in order to react immediately to any cyber attack or data leak.