You have to think like a thief to protect your data
Data theft is the number one motive for intentional data breaches. It is a lucrative business for organized crime and sometimes it is a crime of opportunity for insiders with access to valuable information. In either case, the motivation is the same: personal financial gain.
What criminals would find lucrative for their business within your enterprise is not necessarily the information you would normally associate with your enterprise's main line of business. However, that does not mean that your business would not sustain serious damage as a result.
A company such as TJX never thought of itself as being in the customer data business, yet it is now famous for losing its customers' private data. That TJX is in the retail business is completely irrelevant – it could have been a bank, a media company or a utilities provider. Unfortunately, what TJX is now best known for is not retail but having had the largest data breach in history.
Valuable data is usable data
A large pharmaceutical company may have a lot of valuable intellectual property (IP) relating to drug development, clinical trials and FDA approvals. Such IP may be valued in billions of dollars, and the company invests many millions of dollars protecting it, and justifiably so.
However, who might benefit from stealing such information? Who would be able to understand it and use it? Most probably only the competition – i.e., other pharmaceutical companies. Industrial espionage exists, of course, but it is far less common than other types of data theft, and it is not a replicable, repeatable business. It is a bit like stealing a rare piece of art – unless you already have a buyer, you are not likely to find one on the open market without getting caught.
Of course pharmaceutical companies should guard their drug data, banks should guard their financial data, and so forth. However, all enterprises hold other types of data that are lucrative targets for thieves.
Gaining access to employee data, for example, may prove very profitable for organized crime. The personal data of individuals can serve as the basis for fraud and identity theft, and employee data specifically can also serve as the first step in a more elaborate scheme, where it is used for social engineering or for gaining access to other systems. Since all companies have employees and keep the same types of data about them, this is a replicable process.
Opportunistic data theft is more difficult to predict. However, it would similarly target data that is, on the one hand, accessible to the would-be perpetrator and, on the other hand, sellable or tradable. In other words, it is market demand that drives data theft, so you should familiarize yourself with that demand.
Know the market for stolen data
The best way of knowing which types of data need protecting is to follow the trends – what data breaches are occurring elsewhere? What are criminals peddling?
Certainly the theft of credit card details has become a global epidemic, which is why the credit card companies acted and put together their data security standard, PCI DSS.
Credit card data is a key target for data theft because it is immediately usable, and on a global scale. The people stealing the information are not necessarily the ones using it or selling it to the “end users”. There is a network of online trading markets for this kind of information, with credit card information sold for as little as $5 per card (including security codes!).
With PCI DSS slowly putting the lid on credit card details (this process will take a few years to complete), criminals will be looking to other targets, including bank accounts, share trading accounts, pension plans and savings.
Corporate information can also be useful. For example, knowing the quarterly results of a publicly traded company before they are published can be used for stock market fraud. This goes well beyond the measures mandated by the Sarbanes-Oxley Act (SOX), which were intended to verify the integrity of such data and prevent insider trading.
Data theft can occur without affecting data integrity at all. Unlike physical burglary, data theft can be committed without leaving a trace: while physical goods go missing when stolen, data can remain seemingly untouched.
It is therefore essential that companies have their fingers on the pulse (following the press and ongoing statistics such as can be found on www.privacyrights.org or www.pogowasright.org), as this gives an indication of trends and of the type of data that is being stolen.
It is equally important to monitor all access to data that is commonly targeted by criminals, even if it seems not to be central to the company's business. Because data can be stolen without disappearing, monitoring is the only way to track events in a manner that allows a quick response and mitigation.