The Anthem saga is certainly not music to anyone’s ears, and this broken record isn’t just aggravating to all affected, it’s costly too. So why do businesses tolerate the dirge of breach after breach? Why is it so hard to protect sensitive data?
Until we can answer these questions, all the benefits of the internet of things, smart grid, big data, mobility and other technological advances may be held hostage by their vulnerabilities.
Anthem, like Sony and countless others before that, was a target because of the massive amount of data it stores. It’s a victim of its own success. With increased growth, it has more patient and customer data on file. That puts it in the crosshairs of insiders and external hackers who prey on the vulnerability of computer networks, stealing trade secrets and financial data for profit.
Are hacks such as those perpetrated on Anthem and Sony impossible to prevent? Many security experts argue as much. But this argument is more nuanced than a mere acceptance of the inevitability of a hack. As many network threat prevention experts have said, the bad guys only have to be successful one time. So breaches are, indeed, very difficult to prevent.
However, what if the perpetrators (either insiders or outsiders) could not take anything of value? What if anything stolen was rendered useless? If Sony was breached but its data was so well protected that it could not be exfiltrated, what would the headlines have looked like?
There is no silver bullet solution for data security, but there are different ways to spend the massive resources that currently go into the security technology stack. And investing in protecting the data, not just the perimeter, must be among the options considered. Just because bad guys can get through the door, doesn’t mean they have to escape with the company jewels.
“Can you imagine how much Anthem and Sony would prefer inconvenience to what they faced after their breaches?”
If companies like Anthem and Sony protect the data first, there wouldn’t be stolen medical records, movies, scripts and career-ending emails leaked. Proven solutions do exist that specifically address data loss. They require businesses to classify their data, put a data usage policy in place and strictly enforce it.
But some businesses have been slow to adopt solutions widely, largely because of legacy concerns about implementation difficultly and inconvenience to employees. But, can you imagine how much Anthem and Sony would prefer inconvenience to what they faced after their breaches?
We’ve passed the point where inconvenience can outweigh responsibility to customers and policy holders. It’s time to rethink the way businesses approach security. Anything businesses can do to make it even marginally harder to steal sensitive data, or render the data useless once outside the network, is worth consideration as the threat landscape expands.
If you’re looking at Anthem and wondering what you can do, I’d suggest an approach that focuses on two things: a smart strategy for protecting the network, but a smarter strategy for protecting the data.
A smart strategy for the network is important, and I’d never suggest that an enterprise not do all it can to protect its perimeter. Keep doing that, but don’t stop there. We purposely plug holes in the network every day to conduct business, and these holes will mean the network will always be vulnerable to attackers.
Data exfiltration is absolutely not inevitable – but the protections must be with the data itself, wherever that data exists, whether that’s on the server, a laptop/desktop, or in the cloud. True data loss prevention belongs on the endpoint, and unlike the more widely deployed network data loss prevention devices, has been proven as an effective way to prevent data breaches.
However, it is deployed in a fraction of corporations. The good news is this means we have not tried everything. There is no reason to accept data loss as an inevitable result of the inevitable hack, because we have some heavy firepower sitting on the sidelines.
Data protection doesn’t require a time-consuming classification project that touches every piece of data in an organization. It can be much more strategic, starting with the data that’s most valuable and therefore most attractive to threats from insiders and outsiders. Anthem has petabytes of valuable data, but it too must start somewhere.
It’s a simple concept to start with the data, but not simple enough to become security priority number one. Let’s hope that Anthem’s breach is that final bad note that leads to a much-needed new tune in cybersecurity. Speaking of music, I can hear endpoint data protection singing to the industry, in the words of John Fogerty: “Put me in, coach, I’m ready to play. Today.”
About the Author
Ken Levine is president and CEO of Digital Guardian, bringing over 20 years of startup and business leadership experience to his role. He previously served as SVP and general manager at McAfee (now Intel Security) and before that co-founded Brookline Venture Partners LLC in 2004. Before that, he was a key member of the startup team at Cabletron Systems, where he spent 15 years.