republished from law.com
With news that Dropbox and Kmart, owned by Sears Holdings, became the latest retailer to suffer a security breach to its payment data systems, something has to change with how data is being accessed. Cybersecurity within a company is becoming more important with the increased usage and associated value of data and analytics. While companies can restrict access to data, there is not much to stop employees, contractors or malware from walking out the door with enterprise data. This is because the fortress model of keeping company assets behind firewalls is inherently and irreparably broken.
Despite having copious intelligence and information, and a wealth of other data, security software isn’t able to effectively anticipate security threat events... yet. More data will need to have more security so that the IT team can be empowered to handle threats. However, this doesn’t equal the ability to protect against and predict data breaches. Increasing a team’s confidence doesn’t mean that they will be able to predict breaches with any more accuracy.
As more organizations virtualize their computing needs with cloud-computing services, their tech staffers are being bombarded with data and are often unable to make sense of all the information that comes through the door. If a software bug that could cause a big issue were to exist within the infrastructure, it’s likely that the looming problem could be lost amid the excess noise.
It’s not enough for a company to say they will use their ‘best efforts’ to protect against a breach by putting a moat around data. The concept behind the traditional security model is that there is a massive system that keeps people out to protect data. However, what is needed is a system that anticipates attacks and responds rapidly to intrusions. Some companies believe that if they have a strong enough firewall, then all their troubles will be over.
So how do you entice an organization to take steps to change behavior? Either you let the market take care of it by continuing with the data breaches, or you let the government implement harsher regulations, or you let the judiciary take the step of civil penalties so that companies will face massive penalties to their bottom line. 2014 was a year in which we saw companies completely unprepared for securing the data that they are supposed to protect. At the moment, there are procedures on how you should be treating data, but with the rise of BYOD, contractors and third-party software, companies need to be pushed to do more or breaches will become commonplace.