While going through some FAA manuals, I was reminded of a particular term that is highly applicable in the world of cybercrime. It is referred to as the “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage. Take, for instance, some of the largest data breaches to date – such as those experienced by TJX Companies or Heartland Payment Systems (which I've written about in the past here and here).
When the chain of events is unraveled, interesting details begin to unfold – one after another. Those details hold valuable lessons that most companies can use to protect themselves from similarly severe incidents in the future. But there will always be another way to “get to the goods.”
What are “the goods”? They are, primarily, the unencrypted customer information that resides deep within the core of organizations. In August 2008, I read a Yankee Group analyst research paper by Phil Hochmuth entitled, “Anywhere Data is Powerful, Data Everywhere is Dangerous.” In this paper, Phil discusses the challenge of data security and an increasingly untethered workforce. While that particular paper's focus covered the mobile workforce, it also conveys the key point applicable to all businesses: Customer data is essential to running a business and supporting our customers, but it can also be considered a dangerous liability that must be well-protected.
Three proposed solutions to securing customer data.
Data breach consequences. There is a slew of consequences that can impact companies after a breach occurs. Some of those bandied about by industry experts are noted below:
Regulatory compliance mandates that may impact breached organizations. Of course, many organizations only began really paying attention to protecting data as a result not just of the consequences noted above, but also of various industry and government compliance mandates. A sampling includes:
These are but a few points that are relevant to data breaches of all sizes – not only those that potentially exposed more than 100 million customer records in a single incident. Keep in mind that at the time of the breaches, the companies I mentioned were PCI compliant. This should reinforce the point that compliance is not the same as security, and that we still have a long way to go to secure our data and reduce the severity of data breaches.
Data security risk is as unlimited as human intelligence, ingenuity and ignorance.