Guarding the crown jewels: Critical data

Taming vulnerabilities

There is no one golden application or process that will magically provide protection and compliance for PII. Rather, says Irvine, companies need to establish a series of IT policies, processes and standards to manage their environment and that, in turn, requires a full understanding of the business strategy. 

“These policies need to be developed and supported by the executive team,” he says. “Once determined, a complete IT inventory needs to be completed defining core systems, applications and data and the potential risks of loss of these IT assets.”

The next step companies should consider, says Irvine, is investment in three areas. First, an application scanner (fuzzers, web crawlers and more) that searches for the existence of vulnerabilities (e.g., SQL injection, cross-site scripting). These flaws can allow systems to be breached or redirected, with data loss as the consequence.

Second, he recommends vulnerability scanners. While application scanners look only at the applications, vulnerability scanner devices search systems for anomalies in configurations, operating systems and applications. Items reviewed include accessibility of systems, missing updates, legacy applications with known vulnerabilities and more.

Finally, Irvine suggests enterprises implement information rights management (IRM) and digital rights management (DRM) processes and applications. These tools aid in the supervision of access control processes. These applications have the ability to encrypt data and report on access, including blocking data duplication, printing and transmission.

But, even that still might not be enough. Organizations should look at the wide benefits of encryption in general, says Todd Thiemann, senior director of product marketing at Vormetric, a San Jose, Calif.-based provider of enterprise encryption products. “This technology provides a safe haven for companies if there is a breach,” he says.

And, should a company experience a high-profile loss event, it should develop, update and regularly exercise its disaster recovery and crisis contingency plans, says Tom Lambakis, vice president of information security consulting at Control Risks, a global risk consultancy with 34 offices in more than 100 countries.

Another challenge today is that many companies have locked themselves into old spending patterns, says Rachwald. Specifically, they overspend on network firewalls and anti-virus applications, which do little to actually protect data. Rachwald says those technologies are needed, but should be supplemented with employee training and efforts to protect data that are more “intelligent.” 

Fortunately, he says, paying the bill for those additional investments may start to get easier. “Line-of-business owners are taking a greater interest in cyber security,” he says. “More and more, we see budget and ownership being shared between security and business owners.” 

Photo: South Carolina Department of Health and Human Services Director Anthony Keck talks about a major security breach of data in his agency's office.

Alarm: Data leakage

Major breaches of PII in the past few years have included:

  • Heartland Payment Systems had 130 million payment records compromised.
  • TJX Companies had 94 million transactions compromised.
  • Sony had two, the first impacting 77 million people and another in which 25 million people were affected.
  • U.S. Department of Veterans Affairs had the data of 26 million people compromised.
  • A former employee of the South Carolina Dept. of Health and Human Services was arrested after allegedly downloading the personal information of more than 228,000 Medicaid beneficiaries. 
  • The Tricare Military Health program and its business associate, Science Applications International, had a breach that impacted almost five million individuals.