The U.S. Census Bureau confirmed that it suffered a data breach involving compromised “non-confidential” data, such as employee names, email addresses, phone numbers, etc. This, of course, is a big deal. However, against the backdrop of the Office of Personnel Management incident or last week’s breach of Ashley Madison, the news seems less significant (we would assert that it’s not).
But let’s stop and think about this for a moment: a person or a group made their way into a governmental agency’s network and started plucking data at will, and it barely registers a shrug of the shoulders?
There was a time when any breach of a governmental office would be front-page news, but we now live in an era when only so-called “mega breaches” grab our collective attention, and even then we’re only paying attention until the next big one. And typically the wait isn’t long. So what does that say about the state of things?
It hammers home a point we’ve been voicing for some time now: Data breaches are a matter of time, not a matter of money. Traditional security initiatives will eventually be bypassed. It may be several years, but it will happen. No amount of preparation, no matter the size of an organization and no level of attentiveness will result in a 100% success rate.
The unfortunate acceptance that data breaches are simply a price of doing business will hopefully force industries to rethink their strategy. Should they abandon traditional security strategies? Of course not. However, the winning mindset requires doing everything you can to reduce the risk of a data breach and to reduce the associated post-breach damage (customer churn, reputation, regulatory fines, stock deflation, lawsuits, etc.).
Part of that risk reduction requires organizations to scrutinize how they manage sensitive data prior to a breach. Are they carrying only the minimum amount of data? Is it all where it should be? Is it properly classified? Are they able to easily detect anomalies and quickly remediate the problem? These questions must be answered with a “yes” to ensure that your data risk is at its lowest possible level.
As breaches move from molehills to mountains and become a near-certainty, the old mindset seems more and more outdated. Sensitive data management must have an equal part in a company’s overall security strategy. You can’t remove the possibility, but you can reduce the risk.