Following the Target breach last December, eBay has become the latest high-profile victim of data theft. While Target is still dealing with the fallout from its massive breach, eBay has asked its 128 million active users to change their passwords. One thing both breaches have in common is that once they occur, the victim comes under scrutiny and is always asked the same question: "What security and response systems were in place that allowed this to happen?"
These incidents act as a wake-up call and remind us to do a reality check on disaster preparedness in our own organizations. Do you have your guard up against unauthorized access attempts? Are the required security controls in place?
One statement holds for every security incident: simple security best practices help you prepare for when things go wrong.
Whatever the nature, diversity, complexity, volume, and size of an organization's business transactions, it is high time that companies take a proactive stance against unexpected cyber threats and breach attempts. Putting security controls in place is not enough on its own; the policies behind them must also be continuously monitored and improved.
A key aspect of being prepared for bad times is to ensure that external regulatory standards are applied and continuously monitored for conformance. Companies like eBay that handle credit/debit card transactions must implement, or revisit, their PCI compliance strategy. To achieve compliance with externally imposed policies, first ensure compliance with your internal system of controls. Automation, and software that continuously monitors network elements and can quickly reconfigure them, makes enforcement of security policies effective in practice. This saves time and helps administrators stay watchful and keep the network secure.
Even with protective controls enforced, there is still no assurance that you will not be a victim of a breach. Given the ever-evolving skill of cyber criminals, organizations must have a workable response system in addition to protecting their network and data. The recent Heartbleed bug is a case in point: organizations should have a plan, and the means, to quickly recover from and guard against incidents that are outside their control. It is critical to have the tools to execute the recovery plan without delays caused by factors like resource availability, the number and complexity of devices, stale device and network information, and so on.
Beyond the millions of dollars lost to interrupted operations, organizations suffer most from loss of reputation and credibility. The price paid for not being vigilant cannot be gauged in advance and differs from industry to industry. Are you doing everything you can to avoid putting your organization at such risk?
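Two of the points above, continuous monitoring of network elements against a policy baseline and being able to quickly find what an incident like Heartbleed actually touches, are easier to see in code. The following is an added example, not code from the original post or from any product it alludes to. The device configurations, the host inventory, and the four baseline rules are constructed sample data; the rules are a small PCI DSS-flavoured illustration rather than the standard's text. The one fact it relies on is that Heartbleed affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.

```python
"""Continuous config-conformance checks plus an incident exposure query.

Added example (not from the original post). All configs, inventory entries
and baseline rules below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: running configs of three network devices, IOS-style.
DEVICE_CONFIGS: Dict[str, str] = {
    "core-fw-01": """
service password-encryption
line vty 0 4
 transport input ssh
ip ssh version 2
logging host 10.0.0.5
""",
    "edge-rtr-02": """
line vty 0 4
 transport input telnet ssh
ip ssh version 1
""",
    "dmz-sw-03": """
service password-encryption
line vty 0 4
 transport input ssh
ip ssh version 2
""",
}

# Constructed sample inventory: the OpenSSL build each host runs.
INVENTORY: Dict[str, str] = {
    "web-01": "1.0.1e",
    "web-02": "1.0.1g",
    "vpn-01": "1.0.1c",
    "legacy-01": "0.9.8y",
}


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: str   # regex matched per line (re.MULTILINE)
    required: bool  # True: config must match; False: config must not match


# Illustrative baseline (constructed): encrypted stored passwords, SSHv2 only,
# no telnet on management lines, logs shipped to a central collector.
BASELINE: List[Rule] = [
    Rule("password-encryption", r"^service password-encryption$", True),
    Rule("ssh-v2-only", r"^ip ssh version 2$", True),
    Rule("no-telnet-vty", r"^\s*transport input .*\btelnet\b", False),
    Rule("central-logging", r"^logging host \S+$", True),
]


def check_config(config: str, baseline: List[Rule] = BASELINE) -> List[str]:
    """Return the names of baseline rules this config violates, in baseline order."""
    violations = []
    for rule in baseline:
        matched = re.search(rule.pattern, config, re.MULTILINE) is not None
        if matched != rule.required:
            violations.append(rule.name)
    return violations


def audit(configs: Dict[str, str] = DEVICE_CONFIGS,
          baseline: List[Rule] = BASELINE) -> Dict[str, List[str]]:
    """Run every device through the baseline; devices with [] are conformant."""
    return {name: check_config(cfg, baseline) for name, cfg in configs.items()}


def parse_openssl_version(version: str) -> Tuple[int, int, int, str]:
    """Split '1.0.1e' into (1, 0, 1, 'e'); raise on anything unexpected
    (e.g. '1.0.2-beta1') so unknown builds are reviewed rather than ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def heartbleed_exposed(version: str) -> bool:
    """OpenSSL 1.0.1 through 1.0.1f are affected; 1.0.1g fixed it.
    The 0.9.8 and 1.0.0 branches never shipped the heartbeat extension."""
    major, minor, patch, letter = parse_openssl_version(version)
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"  # "" (plain 1.0.1) through "f" inclusive


def exposed_hosts(inventory: Dict[str, str] = INVENTORY) -> List[str]:
    """Hosts to patch and re-key first, sorted for stable output."""
    return sorted(h for h, v in inventory.items() if heartbleed_exposed(v))


if __name__ == "__main__":
    for device, problems in audit().items():
        print(f"{device}: {'conformant' if not problems else ', '.join(problems)}")
    print("Heartbleed exposure:", exposed_hosts())
```

The conformance check is deliberately regex-per-rule over the raw config: it runs unattended on every pulled config, so a device that drifts (edge-rtr-02 here, with telnet and SSHv1 enabled) shows up on the next cycle instead of at the next annual audit. The exposure query is the other half of preparedness: it answers "which hosts do we patch and re-key first?" from an inventory that already exists, which is only possible if that inventory is kept current before the incident.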