Firms don't have a handle on the amount of data they have - Steve Ragan reported that to date more than 230GB of data was leaked by the attackers. Based on that, the attackers likely have over a terabyte of data. Truth be told, it's not just the amount of data, but what kind of data has been breached. In the Sony breach, it was quantitatively and qualitatively massive -- a perfect storm. Overall, the amount of data stored and the number of people who have access to that data in a large enterprise is simply too large a beast to control effectively.
What does this mean for 2015?
If the Farmer's Almanac did data breach predictions, it would certainly forecast 2015 as a devastating year. Even so, there is a lot firms can do to weather the storm. Consider the following:
- A good CISO is important; great security architects are critical -- while a CISO may get the glory, security architects are what most organizations need. About 95% of the firms in the US are SMBs. These small firms with even smaller IT departments can't afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can hopefully also provide leadership. The bottom line is that good security design goes a very long way.
- Don't throw good money after bad - even though management often doesn't like to spend money on security, it's important to realize that blindly throwing money and consultants at security problems will result in the very problems noted by Frederick Brooks in The Mythical Man-Month nearly 40 years ago. He observed that adding manpower to a late software project makes it later. Brooks also wrote that when it comes to systems development, there is no one silver bullet. The situations he detailed in the book hold true in information security.
- Use a two-pronged approach to information security -- follow standard security guidelines combined with a customized risk-based approach, which will ensure your information security program is adapted to mitigate the unique risks your firm faces.
- Hire the best information security team you can afford. Consider this: it doesn't cost to hire good security people; it pays.
- Consider a plan to retire old data. Significant amounts of old data should be moved to tape. Most firms have far too much data available on-line that can easily be moved off-line.
- Application security -- there is a lot that needs to be done in this area. Behind every security vulnerability is an insecure piece of software. Application security has long been neglected in favor of network security. Firms need to ensure they have a formal program in place for secure application development and testing.
- Vendor risk -- organizations that share data with third-party vendors and/or allow connectivity to their network from third parties need a vendor risk management process to identify and manage vendor access.