Another day, another breach. It’s actually getting hard to come up with a non-repetitive way to start these sorts of blog posts, since data breaches are always in the news. There are only so many witty openings and catchy puns to make, and the reality is, it’s no joke. The latest one, which I learned about just last week, was the stolen Stanford Hospital laptop that contained patient data, as written about in SC Magazine. The day before, I’d read about the breach at the EPA in Network World. They’re the same old use cases: either someone gets their hands on a device and accesses the data on it, as in the case of the stolen laptop, or someone tricks an end user (by getting them to click on a virus or by other means) into giving up their password and credentials. Then, if the data is not behind another layer of security, that’s often all they need.
A colleague forwarded me an article in the NY Times about security companies to keep an eye on. It was an interesting read and, it being a small world, I immediately recognized Patrick Morley in the photo, as I used to work for him before he became CEO of Bit9. Though the article’s focus was on the up-and-comers in a list of vendors offering security protection against hackers, breaches and various types of attacks, it got me thinking about another angle.
Bear with me for a minute as I lay out my thought process here. Several years ago, I used to live in a rough end of town and my car was constantly broken into. After my first break-in, my initial reaction was to increase my external security! I went out and had an alarm installed in my car, and I had a flashing light on the dash to show everyone that I did indeed have an alarm, so best not break into my car. It did not work. My car alarm went off with so many false triggers that oftentimes I’d just turn it off automatically, as it was like the boy who cried wolf. Eventually it came to the point where I didn’t even bother arming it and just set it so the little light flashed, giving the illusion that it was armed. I’m sure you aren’t surprised to hear that it didn’t work and my car was broken into again. Fed up, I got my window replaced again and emptied anything valuable at all from my car, and I mean everything. From then on, when I parked the car outside my place at night, I left the doors unlocked, the glove box wide open to show that nothing was in it, the change holder empty, etc. If you wanted to get into my car to rob me, go right ahead: the door was unlocked, but there was NOTHING of value in the car. So I really didn’t care because, truth be told, my car was not of value either, so it was very unlikely that anyone was going to steal a 10-year-old base model Saturn held together by duct tape.
So here’s the important part, and I’m about to make a point… I agree it’s important to look at external security, BUT I think if we look at the internal data that the “thieves” are actually after, and focus on removing that from any availability, we may be able to turn a bit of a corner on this. Take the case of the stolen laptop: if there were nothing on that laptop, and it was instead just used to access data stored elsewhere in a secure manner, then it wouldn’t be a big deal if it was taken. The case of stolen credentials and passwords is obviously a bit trickier, but you can take it further and use other means to protect the valuable data that people are after. So start by looking at who in your organization has access to sensitive data that someone may want. Does everyone actually need that access? Is everyone on that list even using that access? Right away, you can likely eliminate some risk there by refining that list. Additionally, there are obviously other methods you can employ to protect your data, but the point I’m trying to make is that we should focus on protecting the internal access to the data itself, as opposed to only worrying about the external access into our organization. It’s still a challenge, but by looking at the problem in a different way, you may be able to eliminate some risk, and isn’t that what we’re all after these days?
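One way to answer the “is everyone on that list even using that access?” question, shown here as an added example that is not part of the original post: cross-reference who has been granted access to each sensitive data store against an access log, and list the grants that went unused during a review window. The resource names, users, log format and 90-day window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the post): who is granted access to
# which sensitive data store, and an access log of who actually used it.
GRANTS = {
    "patient_records": {"alice", "bob", "carol", "dave"},
    "billing_db": {"alice", "erin"},
}
ACCESS_LOG = """\
2024-05-02T09:14:00 alice patient_records
2024-05-20T16:40:00 bob patient_records
2023-11-03T08:01:00 carol patient_records
2024-05-21T11:05:00 alice billing_db
"""

def parse_log(text):
    """Yield (timestamp, user, resource) from 'ISO-time user resource' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def unused_grants(grants, log_text, now, window_days=90):
    """Return {resource: sorted users} whose grant was not used in the window."""
    cutoff = now - timedelta(days=window_days)
    last_used = {}  # (user, resource) -> most recent access time
    for ts, user, resource in parse_log(log_text):
        key = (user, resource)
        if key not in last_used or ts > last_used[key]:
            last_used[key] = ts
    report = {}
    for resource, users in grants.items():
        # A user with no log entry at all counts as never having used the grant.
        stale = sorted(u for u in users
                       if last_used.get((u, resource), datetime.min) < cutoff)
        if stale:
            report[resource] = stale
    return report

if __name__ == "__main__":
    review = unused_grants(GRANTS, ACCESS_LOG, datetime(2024, 6, 1))
    for resource, users in review.items():
        print(f"{resource}: review or revoke access for {', '.join(users)}")
```

The output is a list of candidates to review, not an automatic revocation list: whether someone still needs access they rarely use is a question for the data owner.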