Aug 24, 2016
It seems every week we hear about another large organisation that has lost confidential customer data. In the US alone, since 2009, 30.1 million patients have been affected by health data breaches. Earlier in August it was reported that a russian gang has hacked 1.2 billion username and password combinations, belonging to more than 500 million email addresses. Back in March, eBay suffered a data breach which affected the majority of its 145 million members, requiring many to change passwords. But why do these breaches keep happening? There's a number of key reasons, today I share 5.
1) Lack of Developer Training
Large organisations are continually developing new applications. Many use custom applications for hundreds of different tasks, and this is resulting in an unprecedented level of security risk. With so many applications being developed and rolled out within so many different departments, it's a challenge to keep on top of security.To compound this problem, many organisations do not adequately invest in training their software developers in security best practices. This results in thousands of vulnerabilities making it into deployed applications, a risk which is often difficult to scope.Just implementing basic developer training would help to eliminate a lot of these vulnerabilities (like SQL injection attacks -- the type of attack that led to the famous heartland breach).
2) Lack of Security Awareness Training
People are the biggest risk to information security.The careless IT manager who takes 100 computers to the dump, without wiping all the hard disks. The receptionist that lets any man with a clipboard into the server room. The senior executive that takes confidential documents home on a USB stick, and plugs them into his malware infected computer.That makes security awareness training more important than ever. Security awareness training is all about making staff aware that security is cause for concern, that loss of data is an ever increasing threat, and teaching them best practices to minimise the risks. Without awareness training and clear security policies, an organisation cannot be secure.
3) Not Accepting Security As a Core Business Practice
Many large organisations still view security as an after thought, rather than a core business practice. Due to being considered purely as an overhead, many companies are resistant to developing effective security departments, and under-invest.If large organisations are serious about preventing data loss, security needs to be made a priority. That means treating security as a core part of doing business.
4) Lack of Security Accountability
Following on from my previous point, another common problem within large organisations is a lack of security accountability. If an organisation doesn't have an individual who is completely accountable for the organisation's security, it's never going to be taken seriously.Accountability is required to ensure that security becomes a core business practice, and continues to be considered as part of all key business decisions.
5) Conflicts of Interest
It's common for security to be a function within IT, or another department as an organisation grows. Whilst it may seem sensible to place security in IT or engineering's responsibilities, it can often create a conflict of interest.Now don't get me wrong, it's unlikely that your IT department or development team are likely trying to sabotage the company's security -- the problem is that often what's best for security is different to what's easiest for either your IT or development teams to implement.This leads to situations where an IT department may sacrifice security best practices in order to get a job done quicker, or a development team rushing through security protocols in order to meet their project deadlines. Security needs to be its own individual department, with its own priorities. This reduces the risk of other departments skipping on their responsibilities, as they know their work will be reviewed from a security standpoint. Why else do large organisations keep losing data?