Data breaches, confidentiality and privacy will remain key areas of concern in 2011, and these topics fuel many of Ipswitch’s 2011 security predictions.
2011 will be the year that smart companies shift their focus away from tactical (and often reactive) security tools and instead focus strategically on policy creation, management and enforcement. More organizations will shift their approach from quick-fix to preventative.
Four more 2011 predictions:
- Enterprises will start monitoring and managing the information flowing to and from personal email, IM and cloud-based services.
- The largest data breach of 2011 will hit the retail sector.
- A major data breach with further-reaching diplomatic consequences than WikiLeaks will be the direct result of a lost smart phone or USB drive.
- Organizations in the financial, media and health sectors will gain larger market share by leveraging company investments in MFT, specifically those that offer visibility, analysis and analytics.
I’ve blogged a bunch on Ipswitch’s 2010 research that unveiled startling trends about employee access and use of company information. Our 2011 predictions are in part fueled by some of these facts:
And here is a fun video by Frank Kenney on top IT policies that WILL BE IGNORED by employees:
Okay we get it. WikiLeaks had the gumption to collect private cables sent to and from the United States State Department, and actually publish them on a website accessible by anyone with Internet access. But the United States State Department blaming USB thumb drives and/or WikiLeaks for their failure to properly mitigate the risks associated with sensitive communications between government officials and ambassadors is just ridiculous.
I remember shortly after the 9/11 terrorist attacks the country waged all-out war on white box vans and U-Haul trucks, because those might have been the means by which terrorists would conduct future attacks. Creating an immediate policy that bans the use of USB thumb drives by United States government officials is not only overkill, but it also doesn’t make sense and it won’t work unless we also start banning iPhones, BlackBerries, digital cameras, portable scanners, wristwatches, necklaces, belts, laptops, fax machines, e-mail and all the other ways that individuals are storing and moving information.
Here’s an opportunity for our government to start to consider not just classifying data but generally making an effort to enforce policies around access and usage. Of the hundreds of thousands of cables that have been reportedly sent to WikiLeaks, some news agencies are reporting over 3 million individuals have access. Let’s put that into perspective. If one of the world’s largest financial institutions decided to give 3 million individuals access to Social Security numbers, bank accounts and credit card numbers, that financial institution would be run out of business and subject to fines, penalties and the mundane congressional hearing. It just doesn’t happen.
Just like any company or institution that stores and shares data on its customers and/or constituents, the US government, specifically the US State Department, needs to be held accountable for access control policies, the enforcement of those policies and visibility into both the access of and usage of sensitive information. But clearly there is an issue of way too many ungoverned pipes connected to critical data stores and sources. Managed file transfer is certainly part of the answer. Consolidating all of those ungoverned pipes can help as well. A little content management and DLP may likely be valuable too. Or maybe just a good old reclassification and risk mitigation of sensitive data so that it isn’t accessible by 3 million people.
Over the last 9 1/4 years we stopped a lot of white box vans but I’ve yet to see a security report or an intelligence report (provided by the news media, I am not one of the 3 million who have access to that type of information) that says we’ve significantly mitigated our risk of terror attacks because we don’t allow white box vans.
I just read an interesting article on MarketingWeek written by Richard Lees, chairman of dbg (The Database Group). Richard has spent the better part of 20+ years combining two of my passions: marketing and data. So I’m instantly interested in his opinion on data security.
So why are we so scared of data security? Probably because we see the aftermath of data scandals and know how debilitating to a brand they can be. Bad PR does not even come close.
So true! Not only have data breaches resulted in billions of dollars in damages, they have also single-handedly destroyed brands and killed entire businesses, and big ones at that. And trust me, organizations like TJX will be feeling the ramifications of their data breach for decades.
Richard sheds light on the growing perception of “inevitability” surrounding data breaches: “It’s so easy to get data processes wrong and everyone is always waiting for the real clanger to happen…The number of diverse touchpoints that are relatively loosely controlled means it’s far too probable that this can happen.”
And here’s one more soundbite that drives home the point that many organizations aren’t yet taking even minimal precautions:
“It amazes me how some people still fail to do the basics such as merely password protecting data they are sending offsite, using secure file transfer protocols (SFTP)…It is remarkable how much customer data still moves around the internet every single day with very little control.”
Oh, and if you want more proof that sensitive files, data and documents aren’t safe, check out the WikiLeaks website that Richard references. Take a look at a few of the anonymous submissions of confidential documents and communications from governments and organizations around the world that we can all get to with just a few mouse clicks.