5 Data Breach Lessons

According to the Identity Theft Resource Center, there have been a total of 679 reported data breaches this year alone. The largest industry hit was healthcare, accounting for 288 of the 679 total breaches and compromising over 7 million personal records.

Companies need to be prepared to deal with a breach thoroughly and promptly, while offering their customers the greatest transparency possible. If we learn from our mistakes, we can make 2015 a landmark year for information security achievement.

Here are some tips:

1) The Biggest Security Flaw May Not Be Technical At All…

Have you ever attended a concert with the intent to stare at the instruments on stage? Of course not; it’s the musicians who play those instruments that you go to see. The same goes for security software and applications. What good is big data if there is no one there to apply it?

Jacob West, CTO of Hewlett Packard’s Enterprise Security Products, recently stated “roughly 40% of security roles are vacant in 2014, and when you look at senior security roles, that vacancy rate is nearly 49%.” He is citing research from a study performed by the Ponemon Institute, which found that 70% of respondents claimed that their security organizations were understaffed. Why? According to 43% of respondents, the organizations weren’t offering competitive enough salaries.

Considering the overall cost of a data breach in 2014 is $3.5 million, a 15% increase from 2013, companies might want to offer higher wages to those responsible for keeping their most important asset (data) secure and out of harm’s way.

2) Understanding Software & Applications

Organizations and their employees need to start fully understanding what software they are using, where they are using it, and how it’s being executed. Although many security organizations have adopted best practices over the past decade, the truth is those practices only apply to the software those companies code themselves. With the rise of BYOD and the “Remote-Worker”, employees are finding new applications daily and using them for work without a second thought about the security implications that can come along with them.

Remember when Heartbleed and Shellshock hit the news? Many organizations had to spend countless hours and resources trying to figure out where they used software or code that contained the vulnerabilities. According to HP’s Jacob West, that is because “enterprises don’t write the majority of the software themselves; software is in fact composed rather than written, we take commercial & open source components to build a little bit of proprietary over that.”
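The “where did we use it?” scramble the post describes is, at its core, an inventory query: which hosts run a component whose version falls in an affected range. The script below is an added example, not code from the post or from HP; it runs a constructed inventory (host, component, version) against the Heartbleed-affected OpenSSL range (1.0.1 through 1.0.1f, fixed in 1.0.1g) and separates clear hits from records it cannot parse, so that uncertain entries are reviewed rather than silently passed as clean. The host names and the inventory format are assumptions for illustration.

```python
"""Added example: check a software inventory for Heartbleed-affected OpenSSL.

The inventory records are constructed for this illustration; a real one
would be exported from a package database, an SBOM or configuration
management, and the field layout is an assumption.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, str]

# Constructed sample inventory: (host, component, version string).
INVENTORY = [
    ("web-01", "openssl", "1.0.1e"),
    ("web-02", "openssl", "1.0.1g"),
    ("vpn-01", "openssl", "1.0.0k"),
    ("db-01", "openssl", "1.0.1"),
    ("legacy-01", "openssl", "0.9.8y"),
    ("mail-01", "postfix", "2.9.6"),
    ("app-01", "openssl", "1.0.1-beta2"),
]

# Upstream OpenSSL 1.0.1 through 1.0.1f shipped the Heartbleed bug;
# 1.0.1g was the first fixed release. Earlier branches were not affected.
HEARTBLEED_FIRST: Version = (1, 0, 1, "")
HEARTBLEED_FIXED: Version = (1, 0, 1, "g")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(version: str) -> Optional[Version]:
    """Parse an OpenSSL 'major.minor.fix[letter]' string into a sortable tuple.

    Anything that does not match exactly (pre-release tags such as
    '1.0.1-beta2', vendor suffixes, typos) returns None so the caller can
    route it to manual review instead of treating it as safe.
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if match is None:
        return None
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def heartbleed_exposure(inventory) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (affected, needs_review) lists of (host, version) pairs.

    affected     : OpenSSL versions inside the Heartbleed range.
    needs_review : OpenSSL records whose version string could not be parsed.
    Non-OpenSSL components are ignored.
    """
    affected: List[Tuple[str, str]] = []
    needs_review: List[Tuple[str, str]] = []
    for host, component, version in inventory:
        if component != "openssl":
            continue
        parsed = parse_openssl_version(version)
        if parsed is None:
            needs_review.append((host, version))
        elif HEARTBLEED_FIRST <= parsed < HEARTBLEED_FIXED:
            affected.append((host, version))
    return affected, needs_review


if __name__ == "__main__":
    hits, review = heartbleed_exposure(INVENTORY)
    for host, version in hits:
        print(f"AFFECTED   {host}: openssl {version}")
    for host, version in review:
        print(f"REVIEW     {host}: openssl {version} (unparsed version)")
```

One caveat a practitioner will hit immediately: Linux distributions commonly backport security fixes without changing the upstream version string, so a host reporting OpenSSL 1.0.1e may already be patched. Version-range matching like this is a fast first pass that over-reports; the authoritative answer comes from the vendor package version or from testing the running service, which is exactly why knowing where every component lives matters before the next headline vulnerability.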

3) Penetration Tests Are Limited

Penetration tests are required by law under the Payment Card Industry Data Security Standard and are a common part of most security audits.

Companies undergo penetration tests to determine how secure their data is and where any vulnerabilities may occur, and then use the findings in the reports to improve their security systems.

However, most penetration tests don’t expose all vulnerabilities…why?

Simple. That is because security firms still abide by the law while criminal hackers don’t. So while your data might be safe from the “legal” public domain, that doesn’t protect you against the illegal activities that make up the majority of reported data breaches. White-hat security firms won’t impersonate people with fake social profiles, or send your employees an email from a fake account in the name of a co-worker, but these are the methods being used today by hackers, and they will only get more advanced as time goes on.

4) Hybridization of Security

“There’s a blending together of physical-security and cyber-security,” says John Cohen, a former anti-terrorism coordinator at the Department of Homeland Security.

He is referring to a case in which foreign hackers targeted a specific business on the East Coast of the United States. They bypassed firewalls, extracted data from the company’s leadership team, and obtained information on upcoming company events. Given this scenario, the hackers could fake their identities in order to try to obtain valuable information on the company, or sensitive data only an administrator would have access to.

It could go the other way as well. By physically breaking into a company and accessing its network, hackers can plant malicious software that could potentially go undetected and perform a plethora of damaging actions against your business and against both the personal and professional lives of your employees.

5) Start Putting A Plan In Place

5 years ago, if I were to ask a small business owner what his or her thoughts were on cybersecurity for their network, he or she would probably respond with “What do you mean, cybersecurity?”, “I don’t have any sensitive data on my network” or “My computer came with anti-virus installed so I’m already protected.”

Fast-forward 5 years, and cybersecurity is on EVERYONE’s mind, from the enterprise-level to small-to-medium sized businesses, even down to the consumer. With this switch in mentality comes an opportunity for change and awareness, and companies are already starting to take the necessary steps.

These steps include processes such as encryption of hard drives, servers, and even individual employee emails. The most significant stride in recent years has been the encryption of payment processing through more secure methods offered by SoftCard (formerly Isis), Google Wallet and, most recently, Apple Pay.

There’s an old saying: give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime. This still rings true today when it comes to information security in business. What good is having systems in place if no one can make use of them?

If your security-software identifies a problem, do you have the resources available to act?