3 Security Lessons Learned From 2014’s Data Breaches

That sound you heard at the end of 2014 wasn't just champagne corks popping. It was also a collective sigh of relief from IT leaders whose organizations managed to avoid a data breach. 2014 earned its title as "Year of the Hack" with three of the all-time largest data breaches occurring over the past 12 months.

  • 173 million records from the NYC Taxi & Limousine Commission (trip records released under a public-records request with driver and medallion identifiers "anonymized" as unsalted MD5 hashes over a tiny keyspace, so they were trivially reversed; an anonymization failure rather than an intrusion)
  • 145 million records at eBay (user records taken by attackers who first obtained a small number of employee log-in credentials)
  • 104 million records from the Korea Credit Bureau (copied by a contractor who had legitimate access to the card companies' data; an insider incident rather than a remote hack).

If 2014 was the Year of the Hack, then 2015 should be the Year of Security. The following are some key lessons IT leaders can apply to improve their organization's security posture. Note that only one of the three breaches above was a classic outside intrusion; the other two were an anonymization mistake and an insider with legitimate access, which is why the lessons below are about people and key management as much as about perimeter technology.

Invest in your security team

Investing in world-class hardware and applications is only part of the security equation. Having a solid security posture also requires having a strong team of security and compliance experts in place. However, according to a recent study by Hewlett-Packard and the Ponemon Institute, approximately 40 percent of security roles were vacant in 2014. Seventy percent of respondents said that their security organizations were understaffed. Why such a gap? Top-tier security experts want organizations to show them the money. According to 43 percent of survey respondents, organizations didn’t offer competitive salaries in 2014.

In light of another study by IBM and the Ponemon Institute, companies may want to loosen their purse strings.

  • The average cost of a data breach increased 15 percent to $3.5 million.
  • The average cost paid for each lost or stolen record containing sensitive and confidential information increased more than 9 percent – from $136.00 in 2013 to $145.00 in 2014.

Encrypt everything

Got an extra $1.7 million lying around? Neither did Concentra Health Services. The national health care company agreed to pay $1,725,220 to the HHS Office for Civil Rights (OCR) after an unencrypted laptop containing medical records from 148 individuals was stolen from an employee's car. Concentra also had to adopt a corrective action plan that included encryption of all "laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI)."

According to a recent data breach report, 46% of data breaches stem from physical theft or loss of unencrypted devices, with healthcare being the biggest offender. Concentra's failure to encrypt ePHI across all of its devices resulted in one of the largest fines levied for HIPAA (Health Insurance Portability and Accountability Act) violations up to that point. It also brought to light the need for IT organizations to ensure that all data is encrypted, at rest and in transit, and that the keys are controlled by the organization rather than by whoever happens to hold the device. Two caveats matter in practice: full-disk encryption protects a stolen laptop only if the thief cannot get the passphrase and the machine was powered off or locked with its key out of memory (a laptop asleep with the volume unlocked is not protected), and a passphrase known only to one employee is a single point of failure for the organization's own access to its data. As part of an overall security assessment, IT teams need to address the following questions.

  • What happens if an employee forgets their password to an encrypted device?
  • What happens if a former employee refuses to provide the latest password to an encrypted device?
  • What do you do about employees who write their passwords on a sticky note and leave it in their desk drawer or on the bottom of their laptop?
  • What happens to data that is synced or backed up to Dropbox, iCloud and Box? Device encryption does not cover copies that leave the device.
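The first three questions have one engineering answer: the key that protects the disk must not depend on a single person's memory or goodwill. Managed full-disk encryption does this by generating a random data-encryption key (DEK) and wrapping it twice, once under a key derived from the user's passphrase and once under a recovery key the organization escrows. IT can then unlock a device whose owner forgot or refuses to hand over the passphrase, and a departed employee's passphrase is revoked by rewrapping the DEK, without rewriting a byte of the encrypted data. The Go program below is an added example written for this post to show that pattern; it is not code from HOSTING, Concentra or any encryption product. The type and function names (EscrowedKey, NewEscrowedKey, pbkdf2, kdfIters), the PBKDF2 iteration count and the sample passphrase are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// kdfIters is the PBKDF2 work factor (illustrative; tune it, or use scrypt/Argon2).
const kdfIters = 100000

// pbkdf2 derives a 32-byte key with PBKDF2-HMAC-SHA256 (RFC 8018, one output block).
func pbkdf2(pass, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, pass)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j] // T = U1 xor U2 xor ... xor Uc
		}
	}
	return out
}

// random returns n bytes from the OS CSPRNG; if that fails nothing here is safe.
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-GCM for a key; a bad key length is a programming error.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// gcmSeal encrypts with a fresh random nonce and returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	aead := aeadFor(key)
	nonce := random(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

// gcmOpen reverses gcmSeal; a wrong key or a modified blob yields an error.
func gcmOpen(key, blob []byte) ([]byte, error) {
	aead := aeadFor(key)
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

// EscrowedKey is what a volume header holds: one DEK wrapped under two independent keys.
type EscrowedKey struct {
	Salt     []byte // salt for the passphrase KDF
	ByUser   []byte // DEK wrapped under the passphrase-derived key
	ByEscrow []byte // DEK wrapped under the organisation's recovery key
}

// NewEscrowedKey generates a 256-bit DEK and wraps it for escrow and for the user.
func NewEscrowedKey(passphrase string, recoveryKEK []byte) ([]byte, *EscrowedKey) {
	dek := random(32)
	ek := &EscrowedKey{ByEscrow: gcmSeal(recoveryKEK, dek)}
	ek.ResetPassphrase(dek, passphrase)
	return dek, ek
}

// ResetPassphrase (re)wraps the DEK under a passphrase (enrolment, reset, offboarding);
// only the wrapping changes, the encrypted data is never rewritten.
func (e *EscrowedKey) ResetPassphrase(dek []byte, passphrase string) {
	e.Salt = random(16)
	e.ByUser = gcmSeal(pbkdf2([]byte(passphrase), e.Salt, kdfIters), dek)
}

// UnlockWithPassphrase is the everyday path: the device owner types the passphrase.
func (e *EscrowedKey) UnlockWithPassphrase(passphrase string) ([]byte, error) {
	return gcmOpen(pbkdf2([]byte(passphrase), e.Salt, kdfIters), e.ByUser)
}

// UnlockWithRecoveryKey is the escrow path for a forgotten or withheld passphrase.
func (e *EscrowedKey) UnlockWithRecoveryKey(recoveryKEK []byte) ([]byte, error) {
	return gcmOpen(recoveryKEK, e.ByEscrow)
}

func main() {
	recoveryKEK := random(32) // in practice held by IT in a directory or key vault
	dek, ek := NewEscrowedKey("correct horse battery staple", recoveryKEK)
	got, err := ek.UnlockWithRecoveryKey(recoveryKEK) // owner gone: IT unlocks via escrow
	fmt.Println(err, string(got) == string(dek))
}
```

The recovery key is the crown jewel of this design: it must live somewhere the organization controls and audits (a directory attribute, a key vault, an HSM), never on the device, and its use should be logged. The fourth question in the list is not answered by this pattern at all; a file synced to a consumer cloud service leaves the device in whatever form the sync client reads it, so those services need their own policy or client-side encryption.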

Don’t ignore the small stuff

The data breach experienced by JPMorgan Chase this past summer was the largest intrusion of an American bank to date, compromising contact information (names, addresses, phone numbers and email addresses) for 76 million households and 7 million small businesses, 83 million in all. It also may have been preventable. According to sources briefed on the incident, the breach might have been avoided had the bank applied a simple security fix to an overlooked server in its network. That is small potatoes for a company that spends approximately $250 million on computer security every year.

Most large banks use two-factor authentication, in which a one-time code generated by a hardware token or phone app must be supplied in addition to the password to reach a protected system. JPMorgan's security team had reportedly neglected to enable that second factor on one of its network servers, and a stolen employee login was enough to get in through it. The lesson is about coverage rather than technology: a control enforced on every server but one protects nothing against an attacker who finds that one, so the asset inventory and the list of systems where the control is actually enforced have to match, and the gap between them is the "small stuff" worth auditing.
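To make concrete what "a second one-time password" is, the Go program below is an added example, not code from the post or from JPMorgan. It implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms that hardware tokens and authenticator apps use, plus the server-side check: accept the code for the current 30-second step and one step either side, and compare in constant time. The function names, the one-step drift window and the use of the RFC test-vector secret are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// step is the TOTP time step in seconds (the RFC 6238 default).
const step = 30

// HOTP computes an RFC 4226 one-time code for a shared secret and a counter.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes of the MAC.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verify is the server-side check. It accepts the code for the current step and
// for one step either side (clock drift, or a code typed just before rollover),
// comparing in constant time so response timing leaks nothing about the code.
func Verify(secret []byte, candidate string, unixTime int64, digits int) bool {
	ok := false
	for drift := int64(-1); drift <= 1; drift++ {
		expected := TOTP(secret, unixTime+drift*step, digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(candidate)) == 1 {
			ok = true // keep looping so the work done does not depend on the match
		}
	}
	return ok
}

func main() {
	// The RFC 4226/6238 test-vector secret; a real enrolment uses random bytes per user.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 6)
	fmt.Println("current code:", code, "accepted:", Verify(secret, code, now, 6))
}
```

Two things this example leaves to the deployment: a production verifier must also refuse to accept the same code twice within its window (otherwise a shoulder-surfed code is replayable for up to 90 seconds), and the secret has to be provisioned to, and kept on, a device the attacker does not control; a second factor delivered to the same compromised workstation is one factor. The JPMorgan point stands regardless of how good the algorithm is: it only counts on the servers that actually enforce it.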

Cyberattacks are increasingly a matter of "when," not "if," leading IT professionals to seek robust security solutions to incorporate into their overall security game plan. Join Tricia Pattee, Product Manager at HOSTING, for a 30-minute webinar, Scary Facts about Online Security You Need to Know, and prepare for a secure 2015.
