A great deal of attention has been given to the recent government data breach, which put a reported 14 million current and former government workers’ sensitive data at risk. While the details continue to be sorted out, this incident, along with other highly publicized breaches, hammers home the fact that strategies that focus on “keeping the bad guys out” or on monitoring data crossing a network perimeter alone are no longer enough to protect an organization’s sensitive data.
The telltale evidence supporting this assertion is that despite the growth in traditional security spending, breach sizes and frequencies are on the rise. Consider data from the recent IBM-sponsored 2015 Cost of Data Breach study by Ponemon:
- 65 percent of organizations surveyed say the attack evaded existing preventive security controls
- 95 percent of organizations surveyed did not even discover their breaches for at least three months
Despite best efforts to keep intruders at bay, organizations recognize that blockading their networks is only one part of a larger data protection strategy. The study also suggests that the average breach in the US costs $6.5M, with catastrophic breaches well exceeding the largest loss amount of $29M that the study had sampled.
What’s clear is that a holistic approach that addresses sensitive data management is just as important as traditional security concerns (encryption, prevention, etc.). Focusing only on security strategies that prevent infiltration and/or exfiltration leaves a critical flank unguarded and can lead to a false sense of security. If the locations of sensitive data are precisely known and preventive measures are taken to protect that data, such as quarantining, destroying or redacting it, there is nothing for intruders to find or steal should they make it “past the gate.”
The end result is a significant reduction in the post-breach losses associated with sensitive data breaches. Further, sensitive data management strategies don’t require a complete redo of an organization’s security strategy. While not all breaches are “mega breaches,” every organization has sensitive data it wishes to protect. Making sure that this critical data is where it should be and eliminating all sensitive data that should no longer be present is an important key to overall data risk management.