It may be a tired mantra for those dealing with the prospect of data breaches – “It's not if, it's when” – but it's no less true today. Breaches come fast and furiously, often without warning. But sometimes it's because organizations are tempting fate: failing to protect themselves before a breach hits, and failing to prepare for the aftermath.
“Every industry is impacted by breaches, without exception,” says Ed Moyle, director of emerging business and technology at ISACA, a nonprofit, independent information security trade group. Security flaws, he says, are inevitable as a part of the push for ever-increased networking.
It takes a few generations of a technology to really “iron out the kinks” from a security point of view, he says. “Eventually, these issues became less problematic – at the end of the process is a fairly robust, resilient and mature technology. But the road there is a long one for any given technology.”
Rick Betterley, president of Betterley Risk Consultants, a Sterling, Mass.-based insurance risk management consulting firm, and author of industry newsletter The Betterley Report, says that his moment of recognition occurred when he heard that Lockheed-Martin had been successfully breached.
“That was my moment of epiphany,” says Betterley. “Now I know there's nobody out there who can't be breached. I used to sort of accept clients telling me that they were pretty well secured. I didn't have the ability to evaluate that. But after I saw Lockheed-Martin get breached, I couldn't believe that anymore.”
But, if every breach is a colossal headache for the organizations that suffer them, they are also experiences fraught with lessons, most notably: Protect yourself upfront and have a way – including tools, processes and resources – to endure the aftermath.
Risk analysis has been a part of the cybersecurity universe for some time. However, previous risk-analysis approaches endeavoured to protect absolutely everything – rather than identifying and protecting what mattered most to organizations, says Eddie Schwartz, international vice president of ISACA and president and chief operating officer of WhiteOps, a New York-based fraud prevention firm.
Today, he says, we're seeing the rise of targeted risk analysis, where one essentially interviews people at each level of the business and asks: What matters most to you? What would cause the most pain to the business if we lost it, if there was a problem with its data integrity, or if it was unavailable to you for some period? “That change in focus is different from the idea of building a wall,” he says.