What We Can Learn from the Sony Hack


“Data used to be considered critical to the business. Today, data is at the very core of the business. Eventually, data will find its way on to balance sheets with tangible asset value,” pointed out Munshani. Increasingly, he said, large corporations are motivated more by the extraordinary possibilities of monetizing the data they possess than they are by fear of the reputational risk associated with that data getting into the wrong hands. As the pace of innovation in what can be done with data accelerates, data security gaps are being created.

What is Needed Now to Better Protect Data

What is needed today is a renewed commitment to data security, the data security experts agree. “Businesses cannot afford to get sloppy with security,” noted Spruill. Observing that any company, in any industry and of any size, can be a victim of an attack, Spruill said, “Everyone from the C-level executives to the IT team to all other employees need to keep security best practices at the top of their mind at all times. They need to implement a security plan that consists of multiple layers - performing risk assessments to identify where their valuable data lives and moves, vulnerability scanning and penetration testing to help identify and remediate security weaknesses on a regular basis, deploying technologies to protect all attack vectors and testing an incident response readiness plan so that if there is a breach everyone in the company knows what to do to quickly respond and get back on their feet.”

According to Spruill, “Companies should also perform regular security awareness education training so that employees understand best practices like what constitutes a strong password and how to flag if a link is potentially malicious. Finally, security technologies are only as effective as the people who manage them. If businesses struggle with a lack of resources in-house to manage their security, they should augment their staff and partner with a third party team of experts whose sole responsibility is to focus on security.”

The only way to truly protect data today is to adopt security measures that move with the data—whether inside or outside of the corporate network, across borders and enterprises, and throughout its lifecycle, said Munshani. “Data-centric security technologies such as tokenization have been developed to protect data at a highly granular level, without limiting the data’s value potential in analytics and other business processes.”

Organizations should also establish a strict data security policy, educate business users about data security, and enforce a consistent message across the enterprise. According to Munshani, “Such a policy needs to address several key factors, including: which information needs security, who can access it, where and when it can be accessed, how it’s protected, and keeping thorough logs on all access attempts. It is also essential to ensure that your data access policy is driven at the enterprise level, versus a traditional system-by-system silo approach.”

To triumph against the wide range of adversaries targeting U.S. networks, what is needed is a grass-roots effort aimed at getting companies to invest responsibly in cyber-security, added Westin. “Companies need to adopt strong security frameworks that have already been established, like NIST or CIS. Given the steady escalation of successful cyber-attacks, it is inexcusable for any organization to neglect the implementation of security policies and controls that limit the damage and scope of these attacks.”
