by Kevin Craine
It has happened over and over this year, and the year before that — data breaches of major companies and institutions. The most recent headline-maker was Experian, one of the largest data brokers and credit agencies in the world, hacked by cyber-thieves who gained access to approximately 15 million customer accounts. Among them were customers of cellular company T-Mobile who had applied for Experian credit checks and may have had their private financial information exposed.
The Risk is Pervasive
The Experian hack is just the most recent in a long series of data breaches and we should regard this as another urgent wake-up call that even the best-protected databases are insufficiently defended. Criminals are focusing their efforts primarily on large organizations, but researchers say that breaches are occurring more frequently for organizations of all sizes and across all markets and industries.
There is a long list of recent warnings that cyber-theft is on the rise. The harbinger of the current cyber-theft trend was the breach of systems at retail chain Target just weeks before the 2013 year-end holidays. Cyber-thieves stole personal and financial information from at least 12 million shoppers. More breaches followed. In March 2014, arts-and-crafts chain Michaels suffered a similar data breach and criminals got away with the account information of nearly 3 million customers. At Neiman Marcus, hackers raided information relating to 1.1 million customer accounts.
Most recently stalwart organizations like Sony, BlueCross BlueShield, Harvard University, Yahoo, AT&T, eBay, Google, Home Depot and JP Morgan all joined the list. Indeed, data breaches are becoming so common that we’ve all come to expect them every week or so. As a result, data security is a top concern not only for enterprises and small business, but for everyday consumers as well. With widespread data breaches exposing everything from customer login credentials to credit card information to personal health records, we all must be savvy about data security.
How can you take action to help prevent cyber-theft and boost your organization’s data security? Here are four important action items to consider.
1. Expose Overlooked Information
In any organization there is information that no one ever notices or thinks about. It includes, among other things, information captured in an “image” archive or document management repository. This information can represent a treasure trove of opportunity for computer hackers who are looking to steal sensitive and private data. Things like social security numbers, financial and medical account details, addresses, and phone numbers are all found on document images in your archive, and that information can translate into great prospect and profit for cyber-thieves.
2. Adopt Automatic Redaction
Organizations must design and adopt ever more advanced cyber-threat protection solutions and strategies that leverage new technologies and approaches against this ever-growing risk. One way to do that is through automatic redaction. Advanced capture systems have field-level redaction capability that covers up certain types of content before it is entered into an archive. Some go a step further with the ability to perform a look-back analysis that recaptures and redacts sensitive data that has been overlooked and could result in increased exposure and risk. These automatic redaction capabilities enable more comprehensive privacy and data security strategies that boost information governance overall.
3. Know What You Don't Know
You may want to capture and identify a social security number on a contract or authorization form, but once that information is entered into a line-of-business system it may not make sense to store it in an image repository. Indeed, the social security number may have no remaining value in terms of archive, but it certainly will present a significant risk if a security breach should occur. And an image archive may indeed be a tempting target for hackers. Not every bit of information contained on every document needs to be imaged and archived, and automatic redaction is therefore an important capability because it gives organizations the tools and the ability to effectively address and manage the risk and implement thoughtful strategies to protect that information from data breaches and cyber-attack.
4. Follow the SANS 20 Security professionals use a framework called the “SANS 20” to stay ahead of the rising rate of attacks. This is a list of essential security controls that help define and guide strategies and solutions for effective cyber-defense. The SANS Institute is an international consortium of U.S and international security agencies and is the most trusted source for information security training and security certification in the world. The SANS 20 has become an accepted standard for developing security controls and functions that are effective against the latest cyber-threats. It is a valuable checklist that you can also use to evaluate how your systems and strategies address major threats and vulnerabilities. Download the SANS 20 Critical Security Controls at http://www.sans.org/critical-security-controls/.
As the frequency of cyber-theft continues to grow, so too do the associated costs – even as we speak. One report from the Ponemon Institute sponsored by IBM early this year reported that the average total cost for a data breach was approximately $3.8 million. Yet another report sponsored by HP found the average annualized cost of cyber-crime per organization in the United States was $12.7 million. Either way, that is well over $200 for each stolen record. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. But the real impact is found in the business that is lost and damaged goodwill in the market — both customers and Wall Street are wary after a breach.
One good example of how the cost of cyber-theft can quickly escalate is the 2013 breach at Target, which put the company in a tailspin. Indeed, nearly two years later, the company still faces a number of government investigations and more than 80 lawsuits. Target incurred $61 million in costs associated directly with the incident at the time, but the total expense to the company is estimated to be between $500 million and $1 billion — and that’s on top of any sales lost as a result of customers avoiding its stores after the breach. Indeed, Target continues to experience weaker than expected sales and acknowledges that the greatest risk it faces is the negative impact on its reputation and loss of confidence of its customers.
Organizations can no longer afford to overlook the risk of sensitive data housed in an image archive, especially as demands for improved information governance increase. Criminals are becoming increasingly ingenious and sophisticated, and attacks are both more frequent and more complex. What are the best moves forward? Look for solutions that automate the redaction process, both going into the archive and when documents are retrieved. Use the SANS 20 to guide further security actions and strategy design. Use the significant costs and risks to justify new systems and solutions. Look for providers and partners that provide the right mix of experience, vision, and advanced capabilities that leverage the full value of technology to battle cyber-theft.
This article originally appeared in the December 2015 issue of Workflow.