When conducting business, either online or face-to-face, individuals trust that every reasonable step will be taken to ensure the privacy of their data. Corporations have a responsibility to protect that trust by extending robust protections and security best practices throughout their IT infrastructure. But with nearly 100 million personal records — including credit/debit card numbers and social security numbers — compromised through theft or mishandling in the past two years, it might seem that such trust is misplaced.
Or is it? It's a complicated question. Over time, organizations have responded to threats against consumer privacy with substantial increases in IT perimeter security. Without a doubt, security systems have become more sophisticated. But hackers have too. And the nature of the threat has changed.
No longer satisfied with defacing websites and grabbing individual records in transit, hackers are actively targeting corporate databases from which they can harvest personal records en masse. In fact, databases, those lucrative repositories of customer and sales data, are often the most highly prized targets for a hacker. As a result, focusing efforts exclusively on perimeter security is insufficient. In short, more needs to be done to protect data at its source, before it's too late.
Compliance is Part of the Security Puzzle
In recognition of this real and growing threat against data privacy, governments and leading industry organizations have established various compliance initiatives to draw attention to the risks. There continues to be talk of a national law to address consumer privacy protections — a step that is sorely needed and long overdue, as 33 separate state laws are becoming unmanageable.
Compliance regulations serve a handful of goals that ensure the privacy, integrity and confidentiality of data, and establish accountability for change. When properly implemented, compliance requirements support corporate security efforts and can aid in the prevention of data leaks, improper disclosures and breaches.
However, while sweeping reforms and initiatives are an essential part of the puzzle, organizations also have an obligation to focus on securing their greatest vulnerability — the database — first. With the database hardened against attack, when the perimeter security fails or the company falls prey to an insider threat (say, a disgruntled employee or malicious privileged user), the prized corporate data assets are better protected. Corporations should move quickly to adopt database security solutions that extend the vulnerability management lifecycle, an established IT security best practice in place for over a decade, to the database.
Ninety-five percent of the time, sensitive information lives on the database. Information within the database is prized for its value — both by the entities tasked to protect it and the thieves trying to access it. Marshalling the people, processes and technology that come in contact with that data is of paramount importance to protecting data privacy. Corporations genuinely concerned with consumer privacy protection must extend security best practices to the database level. In doing so, organizations can meet the requirements for corporate stewardship of consumer privacy, reduce the occurrence of data theft and protect the trusted customer relationship that is so essential to business.
—Jack Hembrough is CEO of Application Security, Inc.