The Telegraph reports a paradigm shift taking place among IT industry leaders: more data security consultants are realizing that merely complying with security regulations isn't enough to protect data.
Before we get into what IT security professionals need to do differently, let's take a look at the current data security landscape. When it comes to compliance, there are two issues at play:
- There are very few data security regulations – most laws only govern what you should do after a breach, not what you need to do to prevent one.
- The regulations and industry guidelines that do exist are usually barebones and often demand only minimal requirements for data security.
The recent attack on celebrity iCloud accounts provides a perfect example of how these issues come into play. After Jennifer Lawrence and other celebrities' cloud storage accounts were hacked, Apple threw its hands in the air and argued it wasn't responsible. But critics pointed out that Apple's default security settings were weak. (For a full write-up on this security flaw, read the post, "Nude Photo Leak Raises Question of What a Data Breach Is.")
While Apple generally prioritizes security, its lax response to this breach is typical of the way many companies think about data security. The good news? These ideas may be changing.
Data Security 2.0: There Is No Security Minimum
In the aftermath of security breaches at Target, Home Depot, and JP Morgan Chase, executives are reexamining their data breach risks. Hacksurfer reports on a recent survey of IT professionals that found 53 percent of organizations were investing more in data security after these high-profile cyber attacks.
As your clients warm up to the idea of devoting more resources to security, remind them that merely meeting industry standards won't be sufficient to protect the company's data.
For example, the PCI Security Standards Council outlines best practices for a POS system (i.e., a credit card processing system). The PCI standards have been around for a long time. They're endorsed by Visa, MasterCard, and other payment companies. But there's a problem…
We've already seen numerous major retailers hacked through their POS system this year. While PCI standards are undoubtedly helpful, they aren't sufficient to prevent serious data breaches. Just ask the 375 million customers whose records were stolen in the first six months of 2014.
Client Education: Make Sure Your Clients Don't Share These Misconceptions
As you navigate clients through upgrades and investments, you'll probably have to dispel a few myths they have about data security. In particular, make sure your clients understand that the following three data security myths are completely bogus:
- Hackers won't target my business. Most data breaches are crimes of opportunity. A hacker attacks a business because it has weak security. Hackers have dramatically increased the rate of spear phishing campaigns against small businesses over the last three years (for more on this, read the post, "Re: Your Recent Spear Phishing Attack"). As soon as an employee opens an email with malware, the hacker has a way into that business.
- Encrypted data is safe. Encrypted data is safe, but data won't always remain encrypted. Hackers find ways to steal data before it is encrypted or while it is unencrypted (like when it's transferred between servers or being read). As we recently explored in "Banking Trojans: Not Just for Banks Anymore," hackers were using man-in-the-middle attacks to steal data from browsers before it was encrypted and transmitted to a server.
- Security software will protect me from an attack. In our article, "Survey: Most Businesses Still Counting Too Much on Antivirus Software," we profiled how businesses mistakenly assume that antivirus software is enough to stop a cyber attack. There are more tools in the IT toolbox than just antivirus protection. Security experts are expanding their security software portfolio to include exfiltration monitoring software and other programs better suited to catching a breach after it has made it past the security perimeter.
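To make the third point concrete, here is an added example (not code from the original post or from any product it mentions) of the kind of check exfiltration monitoring performs once an attacker is already inside: it totals outbound traffic per internal host from connection-log lines and flags hosts that send far more to external destinations than their usual baseline, or that contact an external destination they have never talked to before. The log format, the internal address ranges, the per-host baselines, and the `factor` threshold are all constructed assumptions for the example.

```python
"""Toy exfiltration monitor (added example; not from the original post).

Aggregates outbound volume per internal host from constructed connection-log
lines and flags hosts whose external volume exceeds `factor` times their
baseline, or that send data to a previously unseen external destination.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp src dst dst_port bytes_out
SAMPLE_LOG = """\
2014-10-01T09:00:01 10.0.0.5 10.0.0.20 445 120000
2014-10-01T09:05:12 10.0.0.5 93.184.216.34 443 48000
2014-10-01T09:07:30 10.0.0.7 93.184.216.34 443 51000
2014-10-01T22:14:05 10.0.0.5 198.51.100.77 443 950000000
2014-10-01T22:15:40 10.0.0.5 198.51.100.77 443 820000000
2014-10-01T22:16:10 10.0.0.7 93.184.216.34 443 46000
"""

# Assumed internal ranges (RFC 1918); anything else counts as "external".
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed baselines: typical external bytes per day seen for each host,
# and the external destinations each host has contacted before.
BASELINE_BYTES = {"10.0.0.5": 5_000_000, "10.0.0.7": 4_000_000}
KNOWN_DESTS = {"10.0.0.5": {"93.184.216.34"}, "10.0.0.7": {"93.184.216.34"}}


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes)})
    return events


def find_exfiltration(events, baseline, known_dests, factor=10):
    """Return one alert per host that exceeds its volume baseline or
    contacts a new external destination. A host with no baseline is
    flagged for any external traffic at all (baseline treated as 0)."""
    totals = defaultdict(int)
    new_dests = defaultdict(set)
    for e in events:
        if is_internal(e["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        totals[e["src"]] += e["bytes"]
        if e["dst"] not in known_dests.get(e["src"], set()):
            new_dests[e["src"]].add(e["dst"])

    alerts = []
    for host, total in totals.items():
        reasons = []
        limit = factor * baseline.get(host, 0)
        if total > limit:
            reasons.append(f"outbound {total} bytes exceeds {factor}x baseline "
                           f"({baseline.get(host, 0)} bytes)")
        if new_dests[host]:
            reasons.append("new external destination(s): "
                           + ", ".join(sorted(new_dests[host])))
        if reasons:
            alerts.append({"host": host, "bytes": total, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in find_exfiltration(parse_log(SAMPLE_LOG), BASELINE_BYTES, KNOWN_DESTS):
        print(alert["host"], alert["bytes"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the sample data, 10.0.0.7 stays within its baseline and only talks to a known destination, so it is silent; 10.0.0.5 is flagged on both counts after the late-night transfers. In practice the baseline would be learned from historical flow data rather than hard-coded, and the signal is strongest when combined with time-of-day and destination reputation, but the structure (per-host aggregation, comparison against the host's own normal, and novelty of destination) is what distinguishes this from perimeter antivirus.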
As you work with clients on new projects, take time to make sure everyone's on the same page. Because you can be sued for miscommunications, it's important to dispel any misunderstandings about data security and the IT solutions you install.