Data breach defense: Response ability
When a breach occurs, customers expect more than an apology, says Bob Maley, Pennsylvania's CISO. Dan Kaplan reports.
Bob Maley, chief information security officer for the state of Pennsylvania, was about two weeks on the job when he had to deal with his first data breach.
Nearing midnight on a Tuesday in November 2006, thieves broke into the Pennsylvania Department of Transportation driver's license center in Wilkes-Barre and walked out with two computers containing the personal information of 11,000 state residents. The incident, which happened just months after Gov. Edward Rendell signed a law that required data owners to notify consumers in the event of a breach, served as a watershed moment for the state, Maley says.
"I don't want to say that there were breaches before that were not reported, but this got everyone's attention to how serious [data loss] was," he says.
Maley did not say how much that particular incident cost the state, but looking back, it is hard to dispute the government's concerns. A recent PGP-sponsored study from the Ponemon Institute, based on the losses incurred by 43 organizations that suffered a data breach in 2008, determined that the average cost per compromised record is $202. That translates to an average spend of $6.6 million per breach. Much of the expense, the study found, was related to lost business.
"It seems that as awareness of the issue increases, tolerance for breaches seems to be less," says Mike Spinney, a senior privacy analyst at Ponemon.
If a compromise does occur, victims have certain expectations of how a company should respond, says John Scanlon, executive vice president and chief operating officer of Intersections, which provides corporate identity risk management services. That response includes the timely delivery of a notification letter, extending credit monitoring services and setting up a call center to answer questions from worried clients.
But, more and more, the most forward-thinking organizations are expanding their responses toward fixing the underlying weakness that caused a breach. These entities are responding to the organized and targeted nature of cybercrime and are prodded by regulations and an increased push to map risk as it relates to information assets. And, ideally, they are discovering problems before an attack can take place.
Of course, as any security professional knows, sealing off every vulnerability in an organization – never mind the countless third parties with which most entities deal – is impossible. In other words, when it comes to breaches, they are a "when," not an "if" proposition. As a result, the most successful responders are those businesses that look at a compromise as an impetus to do better, says Rich Baich, a principal for security and privacy at Deloitte and Touche.
"The organizations that have more effective programs have gone over the hurdle of the reactive and are on their way up the hill to being proactive," he says. "The root cause analysis is really the most important thing. An organization that has an incident has to have the vigilance and fortitude to want to get to the root cause. It allows you to make the appropriate changes and response to prevent that from happening in the future, as well as truly understand the impact of the breach."
A few weeks after the break-in at the Pennsylvania driver's license facility, the calendar turned to 2007, but the incidents kept on coming in the state. Some 500,000 records were compromised that year, punctuated by another burglary, this time at the state's Department of Welfare, where the bandits made off with computers containing the mental health histories of a few hundred thousand medical-assistance recipients.
By now, the individual state agencies were well versed in dealing with the alerting end – the state had developed a comprehensive breach notification checklist. So Maley, 53, a former police officer in a suburb of Harrisburg, got busy working on his own response: Develop a statewide strategy to eliminate the possibility of another rampant run of breaches.
"I'm very big on intelligence gathering, knowing what the bad guys are doing ahead of time," he says. "We developed a multifaceted program that has a lot to do with being very proactive. Anybody who believes they're never going to have a potential breach is kidding themselves. Data is so ubiquitous today."
It seems Maley's approach to finding the problem and fixing it – while being as transparent as possible along the way – is becoming increasingly embraced by the victims of major breaches. Take the case of Princeton, N.J.-based payment processor Heartland Payment Systems. Shortly after disclosing in January that it had suffered potentially the worst data-loss incident on record, when thieves sniffed tens of millions of credit card records traversing its private network, CEO Robert Carr announced that the company would implement an end-to-end encryption solution, while also serving as a leading voice in the industry's fight against cybercrime.
"That's a good response," says Mary Monahan, managing partner and research director at Javelin Strategy and Research. "I think they're taking the bull by the horns. They're saying, 'We got breached, but we're going to make sure it never happens again.'"
In Maley's case, he and his team analyzed the threat landscape to determine what posed the most risk to the state's confidential records. The undertaking included encrypting any computers not housed in a secure facility, mainly laptops. But given Pennsylvania's investment in electronic government services – Maley likes to point out that the Keystone State was the first in the nation to advertise the state's web address on its license plates – the main thrust of the project was testing web applications for vulnerabilities to hackers.
As it turned out, the state was focusing its resources in a critical area: the external attacker. Since Maley began work on the program, web applications have emerged as a top security concern for most organizations. The 2009 Data Breach Investigations Report from Verizon Business, which studied 90 incidents last year resulting in 285 million compromised records, found that 99 percent of all breached records could be linked to hacked servers and applications.
So in 2008, armed with penetration testing and scanning tools, the state discovered vulnerabilities in its web applications that could have exposed the data of more than 400,000 people, Maley says. In one case, engineers uncovered that the website where residents could view state job openings was vulnerable to an SQL injection attack. A successful exploit would have garnered the attacker privileges to empty a database and extract 210,000 records on state employees.
"Eventually, the bad guys would've found exactly what we found, and there would have been a breach," he says.
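The class of flaw Maley's team found in the job-openings site is easy to show in miniature. The following is an added example written for this article, not code from the Pennsylvania project or from any system the article describes. It builds a constructed SQLite table of job openings (the table name, columns and rows are all made up here) and queries it two ways: once by splicing the visitor's search term into the SQL text, and once with a bound parameter. The same hostile input widens the first query to return every row, while the second treats it as an ordinary string and returns nothing.

```python
import sqlite3

# Constructed sample data for this example only (not Pennsylvania's schema):
# a table the public may search through a web form.
JOB_OPENINGS = [
    (1, "Highway Maintenance Worker", "PennDOT"),
    (2, "Data Analyst", "Revenue"),
    (3, "Caseworker", "Public Welfare"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job_openings (id INTEGER, title TEXT, agency TEXT)")
    conn.executemany("INSERT INTO job_openings VALUES (?, ?, ?)", JOB_OPENINGS)
    return conn


def search_jobs_vulnerable(conn, agency):
    """Defect on purpose: the visitor's input is pasted into the SQL text,
    so the database cannot tell where the query ends and the data begins."""
    sql = f"SELECT id, title, agency FROM job_openings WHERE agency = '{agency}'"
    return conn.execute(sql).fetchall()


def search_jobs_safe(conn, agency):
    """Hardened form: the SQL text is fixed, and the input travels separately
    as a bound parameter that is always interpreted as a string value."""
    sql = "SELECT id, title, agency FROM job_openings WHERE agency = ?"
    return conn.execute(sql, (agency,)).fetchall()


def demo():
    """Run both query styles against a benign and a hostile search term and
    report how many rows each returns."""
    conn = build_db()
    benign = "Revenue"
    # Constructed hostile input: a quote that closes the string literal,
    # followed by a condition that is always true. Spliced into the vulnerable
    # query it turns the agency filter into "match every row".
    hostile = "Revenue' OR '1'='1"
    return {
        "vulnerable_benign": len(search_jobs_vulnerable(conn, benign)),
        "vulnerable_hostile": len(search_jobs_vulnerable(conn, hostile)),
        "safe_benign": len(search_jobs_safe(conn, benign)),
        "safe_hostile": len(search_jobs_safe(conn, hostile)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The parameterized query is the fix a scan like Pennsylvania's would prompt, but it addresses only the entry point. The article's point that one flawed public page could have yielded 210,000 employee records is a reminder that the database account behind a public search form should also be limited to the tables that form needs, so that a future coding mistake cannot reach unrelated data.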
As part of the plan, the state also invoked a security certification and accreditation process that software developers must follow at the start of every project. By all accounts, Maley's new security strategy proved to be a resounding success. In 2008, he says, the state only exposed 200 records, down from a half-million the year prior.
Response and accountability
Of course, organizations cannot be expected to have such foresight to prevent a breach if they have not grasped proper response protocols.
If organizations are continuing to fall short in the area of breach response, accountability may be the reason why, says Spinney of the Ponemon Institute. Many of today's organizations still lack someone who is charged with answering for an incident.
"There is nobody on the hook when the call comes in at 2 a.m.," Spinney says. "I think it needs to be on a C-level. It needs to be somebody who is high enough on the food chain that they have some budgeting authority and the means to make things happen, rather than just go begging every quarter for the resources they need."
This could also be why some organizations still struggle to make the shift toward viewing information security as part of the overall business strategy, he says. When someone other than a corner office type is in charge, it lends the impression that security spending is more discretionary than necessary.
"Data security and privacy needs to be addressed as a strategic initiative," Spinney says. "If you look at it on a tactical level, you're probably not going to be as effective."
And now, at least one state – Massachusetts – is forcing organizations to do just that, says John Moynihan, president and managing director of Massachusetts-based Minuteman Governance, which provides data protection and regulatory compliance services. The new data security regulations, set to take effect Jan. 1, 2010, cover all businesses that maintain personal information about a Bay State resident – so even smaller businesses are being forced to take action. Some observers believe other states soon will follow suit with similar measures.
Moynihan says he recently was commissioned by the owner of a two-person technology firm to craft a written information security program for him – a sign of the law's breadth.
"This company is in Warren, Mass.," he says. "This guy works out of his house. He said, 'I know this sounds crazy, but I need you to create a program for me.' The public is demanding it."
The regulations not only require businesses to notify victims in the event of a breach, but also require that these organizations document any actions taken in response to the incident. Then, they must conduct a review of these actions to determine if they need to adjust their overall business strategy in any way.
Deloitte's Baich was in charge of security at ChoicePoint when the data aggregator and credentialing service, now owned by Reed Elsevier, revealed in 2005 that criminals, posing as customers, swiped the records on some 160,000 people. He says ChoicePoint failed not because it didn't have an IT security program, but because it didn't recognize the incident as a data breach. As a result, the company responded slower than it ultimately would have liked.
"I think organizations have used what happened to ChoicePoint to not only improve their programs, but also to broaden the spectrum to understand what could be defined as a breach," Baich says. "A data breach could be caused by a lot of things. It's fair to say honestly that as ugly as the ChoicePoint incident was, it was actually extremely helpful. What it basically did was bring this issue of a data breach to everyone's kitchen table. But more importantly, it actually brought it to the board level."
Implementing a robust employee awareness program is one way to reduce the chance that an event falls through the cracks, Baich says.
User education is key
User education also is critical to avoid breaches, says Minuteman's Moynihan. Controlling access and training users are two of the most important controls to implement across organizations. "A lot of these hacks are because employees have opened up the network [to outsiders]," he says. Experts also warn that the down economy could give rise to data theft orchestrated by trusted insiders who fear job loss.
Either way, Moynihan, the former CISO at the Massachusetts Department of Revenue, says that if the workers "willfully violate" an organization's information security policies, they should be punished. "I think they'll try to avoid that consequence," he says.
Maley agrees that user education is paramount but, in the end, the protection of taxpayer data ultimately rests with him. Even if the state doesn't risk losing customers in the event of a breach as might a compromised bank, obtaining the trust of its citizenry transcends any risk-reward scenario. "They're still going to pay taxes," Maley jokes.
"This is my responsibility as a public servant," he says. "I was out there to serve and protect when I was a cop. As the CISO, my ultimate responsibility is to ensure the security and integrity that we're entrusted with by our citizens. And guess what? I'm one of those citizens, too. So there's a little bit of self-preservation as well, because my data is there too."
Be prepared: Breach checklist
Before a breach happens…
- Write a policy – This should detail how an organization would respond in the event of a breach.
- Teach end-users – Don't just teach employees how to avoid threats, but also educate them on how to distinguish when a breach has occurred – and who they should tell about it.
- Management must get it – Business leaders should recognize the risk potential of a breach to a company's bottom line.
- Prepare for federal legislation – It's coming. States should ensure they have their IT procedures in place so they are not rushing to fix any holes when Congress finally passes a law. Use the state notification laws as guidance.
- Don't rush to judgment – Depending on what was exposed, notification may not be required. But if it is, don't try to keep the situation quiet. Fines could result.
- Tap into a team of experts – Because a data-loss incident is wide ranging in its effect, a representative from each business division should be tapped. That includes legal, IT and human resources.
- Care about the customer – The most successful organizations have been as up front as possible with their clients after an incident, offering remedies, such as free credit monitoring and following up with them months later.
- Learn from your mistakes – If they didn't have effective security in place to start, organizations should use a breach as an opportunity to improve their posture.
– Based on an interview with Gary Kibel, partner at the law firm of Davis & Gilbert, New York