All organizations have data they want to keep private. Different types of data attract thieves for different reasons. Most of the time, data thieves are looking to make quick cash by selling sensitive data on the black market or using it for fraud schemes. Given the ease of monetizing this data, it’s no surprise that cardholder data continues to be stolen more often (61 percent of cases) than any other type, according to the Verizon 2013 Data Breach Investigations Report. It’s not always about money, though; sometimes thieves are politically motivated. For example, some attacks are carried out to publicly embarrass or humiliate the target. As we say in this year’s report, the reasons for being attacked are myriad, and everyone from small retailers to giant public agencies regularly falls victim to cyberattacks.
However, nobody gets a free pass when it comes to data theft. If your organization has data it values, it’s almost certain someone else will value it too. Take the first step toward protecting the data you have by identifying where it ‘lives’, which is no small task.
One way to get at data discovery is to hire a third party that specializes in this type of audit. For example, Verizon offers its DDISC (Data Discovery, Identification, & Security Classification) service, which is designed to help a client identify the data they value most. This might be cardholder data, Personal Identity Information (PII), Protected Health Information (PHI), financial reports or intellectual property. Knowing which data is at stake also helps establish the likely motivation of an attacker. One of the interesting things we find from having delivered DDISC engagements is that 30-50 percent of the data we find in any given environment has no business reason for existing at all. For example, this could include remnant data in a development environment, or extra “backups” that the security team does not know exist and that are therefore likely unprotected. DDISC is a great mechanism for understanding whether or not Data Loss Prevention (DLP) would be effective in your environment.
Another example of data that needs to be protected is cardholder data. Organizations need to comply with the payment card industry data security standards (PCI DSS). Find out more in this short video:
About the author: Omar Khawaja has spent over a decade delivering, developing and managing enterprise security solutions. Recently, Khawaja has been building solutions around data protection, mobility and cloud security. In the past year, Khawaja has advised executives of the Global 1000 and spoken at industry conferences (RSA, CSA, ISF, MWC) on the topic of making security more business-centric, on five continents. Khawaja has been quoted in media outlets such as Financial Times, NY Times and CNBC. Khawaja is a CCSK and CISSP; has a BS in electrical engineering from Georgia Tech and an MBA from University of Virginia’s Darden School of Business.