While companies recognize the value of their data, protecting it around the clock against sophisticated cyber attacks can seem impossible. Earlier this month, tech writer Mat Honan made headlines when his entire digital life was hijacked and deleted on a hacker’s whim. Even IT security executives lack confidence in their ability to protect against security threats.
“Hackers are very good and very patient,” warns Carolyn Holcomb, leader of the data protection and privacy practice at PwC. “And they are in most organizations’ systems.”
A survey released by PwC last week noted that there were 1,037 publicly reported incidents of loss, theft or exposure of personally identifiable data last year, up 30% from 2010.
Richard Stiennon, chief research analyst at cybersecurity analyst firm IT-Harvest, says that number is only “the tip of the iceberg,” because most companies only report data breaches when required to do so by law. “If you’re in banking, oil and gas, or any natural resources, or any legal firm, then you’re probably being targeted,” he says.
Hackers are still hunting for financial data, but they’re also getting more sophisticated. “They are now looking for the person in the organization who authorizes payroll checks through ACH, or payments through accounts payable,” Stiennon says. Phishing remains one of the most common ways breaches begin: attackers send phony e-mails to employees with access to confidential information, such as system administrators and executive assistants.
“There are a lot of companies that are either getting attacked [or being hit by] data breaches,” says Janis Parthun, a senior technical manager at the American Institute of Certified Public Accountants. The AICPA’s Generally Accepted Privacy Principles provide a framework that businesses can use to develop their own privacy practices. Breaches of customer information like those that occurred earlier this year at LinkedIn and Zappos “can impact the company’s image and their brand,” Parthun says, noting that companies can also find themselves facing fines or regulatory sanctions.
Most IT executives don’t feel confident that they can protect sensitive data from attack, according to a survey of 100 companies that Stiennon put together with cybersecurity solution provider CounterTack. One-third of those whose companies had already been attacked were skeptical that they could defend themselves against a second attack, and a fifth of respondents didn’t think their organization would be able to tell if a file or process had been modified by a cyberattack.
The PwC study emphasizes the importance of management and internal audit to protect against data breaches.
“Everyone is implementing data loss prevention tools,” Holcomb notes, but security risks can still slip through the cracks if no one at the management level holds final responsibility for them. It’s essential to put good governance structures in place and to have the audit committee of the board ensure that processes are being followed.
“I’ve seen organizations who have organized privacy committees” or established risk committees that deal with privacy at the board level, Holcomb says. The best organizations establish key controls for privacy and security just as they do for financial processes. A defined list of controls with specific people in charge of each helps everyone know what their responsibilities are and understand what internal audit is monitoring, she says.
And it’s not just a once-a-year task. “They should be doing ideally a risk assessment and review of policies continuously,” Holcomb says. Data security has become a 24/7 job, Stiennon agrees, and notes that some hackers even target their attacks for the weekend, when everyone has left the office.
According to CounterTack’s survey, 19% of companies are currently revamping their internal processes and strategies to deal with targeted cyber attacks. Stiennon says one of the easiest ways to protect your company is simply to keep your systems updated. Operating system and application vendors disclose new vulnerabilities every month, and every fix left unapplied is a known, documented hole. “If you were doing patch management perfectly, you would have no holes in your system other than very obscure [threats].”
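Doing patch management "perfectly", as Stiennon puts it, starts with knowing which installed versions fall below the version that fixes a published flaw. The following is an added example, not from the article or from IT-Harvest or CounterTack: it compares a constructed host inventory against a constructed advisory list. The package names (acme-*), hosts and "first fixed" versions are all made up for illustration; in practice the inventory comes from the package manager or an endpoint agent and the fix versions from vendor advisories.

```python
"""Added example: flag installed software older than the version that
fixes a published vulnerability.  All data below is constructed."""
import re

# Constructed inventory: (host, package, installed version).
INVENTORY = [
    ("web01", "acme-tls", "1.0.1c"),
    ("web01", "acme-httpd", "2.2.22"),
    ("db01", "acme-tls", "1.0.1e"),
    ("db01", "acme-db", "9.1.4"),
    ("ws17", "acme-jre", "7u5"),
]

# Constructed advisories: package -> first version that contains the fix.
ADVISORIES = {
    "acme-tls": "1.0.1e",
    "acme-httpd": "2.2.23",
    "acme-jre": "7u7",
}


def parse_version(v: str) -> tuple:
    """Split '1.0.1c' into ((0,1),(0,0),(0,1),(1,'c')).

    Numeric segments are tagged 0 and compared as integers, so 2.2.9 sorts
    before 2.2.10 (a plain string comparison gets that wrong); letter
    segments are tagged 1 so a suffix like 'c' compares after the bare
    number and never raises a TypeError against an int.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_patch_gaps(inventory, advisories):
    """Return (host, package, installed, fixed_in) for every unpatched install."""
    gaps = []
    for host, pkg, ver in inventory:
        fixed = advisories.get(pkg)
        if fixed is not None and is_vulnerable(ver, fixed):
            gaps.append((host, pkg, ver, fixed))
    return gaps


if __name__ == "__main__":
    for host, pkg, ver, fixed in find_patch_gaps(INVENTORY, ADVISORIES):
        print(f"{host}: {pkg} {ver} is below fixed version {fixed}")
```

One caveat a practitioner will hit immediately: some distributions backport fixes without bumping the upstream version number, so a version-only comparison like this one reports false positives there. Treat the output as a work list to confirm against the vendor's own advisory, not as proof of exposure.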