A New World
2014 taught us that massive security breaches are the new normal for U.S. companies, government agencies, and universities. Some of the most prominent were Target, Home Depot, Neiman Marcus, Apple’s iCloud, Michaels, the U.S. Postal Service, the IRS, Community Health Services, UPS, Staples, the State Department, Sands Casinos, USIS, eBay, PF Chang’s, JP Morgan Chase, and, to sum up the year, Sony Pictures. The sobering reality is that it is now no longer a matter of if but when and how often that we’re going to be breached. In 2014, we witnessed CEOs being fired, CIOs let go, boards of directors personally sued, and company data stolen or sabotaged on a grand scale. What will the extent of the damage be to our company, shareholders, and customers? What are the bad actors really after?
Innovation is the primary engine that has driven the U.S. economy over the past 100 years. Our innovation has evolved over decades of extensive and compounded investment in trade secrets, technology, and processes, including personally identifiable information (PII). Today, companies have untold trillions of dollars invested in U.S. innovation. It is precisely our innovation that is of superior value to data thieves. An estimated $500 billion is stolen from U.S. companies and the U.S. economy each year. It is much faster, cheaper, and more effective for bad actors to steal our innovations than to make their own investments in dollars, people, and time. Nearly all of our innovation is converted and stored electronically as data.
A more frightening fact is that most of the breaches reported in 2014 were from retailers – which account for only 20 percent of breaches. Publicly held companies are required to report all breaches and that is especially true for retailers when it involves consumer PII. Conversely, 80 percent of (non-retailer) companies either choose not to report the breach due to a potential stock hit or, worse, don’t know that they have been breached. Innovation and trade secrets are more nebulous than PII and therefore more difficult to protect and notice when breached or stolen. This fact is sobering.
The data protection strategy on which most companies focus today is defending the “perimeter” or “castle walls.” This strategy has evolved over the past two decades with a collage of products to address an array of security issues. By definition, individual products have inherent limitations and quickly become obsolete. When mapping numerous vendors’ products together into a security solution, gaps in coverage appear. These gaps are further widened by the assault on access points by smartphones, apps, and pervasive free Wi-Fi. In 2014, we became painfully aware that the perimeter strategy is no longer effective.
Today, security strategies must quickly evolve into a hybrid model that critically focuses on the data itself. Data must be classified as to its importance, with emphasis placed on carefully controlling and vetting access all the way through the supply chain. A hybrid model must also address all aspects of the human element, including insider threats, external spies, disgruntled, separated, or careless employees, contractors, and suppliers.
A vacuum exists in nearly every company between the tactical and strategic views of information security. Those career-focused employees who take the initiative to take personal ownership of the 360-degree view will become indispensable to their company executives and fellow employees. Employees who become experts in both perimeter and hybrid data-centric models of defense and the current intelligence that drives them can expect to advance rapidly as they fill important gaps in their companies. There are also opportunities for C-level executives to engage their boards of directors in providing relevant intelligence and solutions.
Data and information security is the responsibility of every employee, executive, board member, contractor, and supplier. Each individual must be trained and certified each year with the latest intelligence-driven and research-based tools. Training raises the awareness level among all employees to maintain a higher level of data security for the protection of everyone’s jobs. Awareness creates and maintains vigilance. Data security is everyone’s responsibility, because stolen data may mean lost jobs.