John-Philip Galinski

Cybersecurity - How to avoid data breaches

September 04, 2015
With increasingly sophisticated attacks being carried out and health care getting targeted more and more often, it’s vital that facilities take the steps necessary to ensure their data remain secure.

Usernames and passwords are not even close to enough
Social engineering, phishing, keyloggers and a host of other malware and password-theft tactics are alive and well. Regardless of the method, the number of data thefts worldwide has grown from "insignificant" to "devastating and frequent" in the past 10 years. A username and password on their own no longer prove who is actually at the keyboard; an attacker who has phished or logged them is indistinguishable from the legitimate user.

The practical countermeasure to password theft is a second factor that a stolen password does not hand to the attacker: a proximity card, a hardware challenge/response token, or ideally a biometric. One caveat a practitioner should keep in mind: a one-time code that the user types in can still be phished in real time by a site that relays it to the real login page, so factors bound to the device or to the genuine site are stronger than typed codes. Access to particularly sensitive data should require a combination of such factors.
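As an added illustration of "a second factor in addition to the user credentials" (this is example code written for this page, not code from the article's author or from Global Data Sentinel), the following Python sketch verifies a password and an RFC 4226/6238 one-time passcode together. Both factors are always evaluated, the comparison is constant-time, and an accepted code is burned so that a keylogged or phished code cannot be replayed. The user name, password and user store are constructed for the example; the secret `12345678901234567890` is the RFC 4226 test-vector key.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password: HMAC-SHA1 over the big-endian
    64-bit counter, dynamic truncation, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based variant: the counter is the current 30-second step."""
    return hotp(secret, now // step, digits)


def password_hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash for stored passwords (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoFactorLogin:
    """Constructed user store for the example: a login succeeds only if the
    password AND a fresh one-time code are both correct."""

    def __init__(self, step: int = 30):
        self.step = step
        self.users = {}

    def enroll(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": password_hash(password, salt),
            "totp_secret": totp_secret,
            "last_counter": -1,  # highest time-step whose code has been accepted
        }

    def verify(self, username: str, password: str, code: str, now: int, window: int = 1) -> bool:
        user = self.users.get(username)
        if user is None:
            # In production, hash a dummy password here too so that a missing
            # account is not distinguishable by response time.
            return False

        # Factor 1: password, compared in constant time.
        pw_ok = hmac.compare_digest(password_hash(password, user["salt"]), user["pw_hash"])

        # Factor 2: the one-time code. Tolerate +-window steps of clock drift,
        # but never accept a step at or before the last accepted one, so a
        # code captured by a keylogger is single use.
        current = now // self.step
        matched = None
        for counter in range(current - window, current + window + 1):
            if counter < 0 or counter <= user["last_counter"]:
                continue
            if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
                matched = counter
                break

        # Both factors are evaluated before deciding, so the response does not
        # reveal which one failed. Only burn the code when the login succeeds.
        if pw_ok and matched is not None:
            user["last_counter"] = matched
            return True
        return False
```

The `hotp` values for the RFC 4226 test key are the published vectors (counter 0 is `755224`, counter 1 is `287082`), which is a convenient way to check an implementation before trusting it. The replay check is what turns "something you have" into a real second factor: without it, a keylogger that captures the password and the code together can log in for the rest of the 30-second step.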

Data security functions need to be separated from IT
As a CIO for the majority of my career, I can guarantee you that it’s human nature, and especially so for IT people, to try to make their work lives as effective and efficient as possible. Unfortunately that often translates to providing both themselves as well as the users that they support with streamlined access to data. If they don’t provide streamlined access, they become “those guys that make our lives miserable.”

Not only is this unfair to your IT staff, it’s completely unrealistic. Network and data security are not part time jobs. Hackers are hackers full time. They don’t just dabble. Hackers are passionate and driven. Therefore, you need security staff that are just as passionate, driven, and dedicated as the hackers that they’re defending you from.

Security staff should be separated from the rest of your IT team and should, at a minimum, report directly to the head of your IT operation, either the CIO or CTO. In fact, there is a strong case for going further and having your chief of information security report directly to the COO. And here's why: Your IT organization is tasked with the 24x7 job of ensuring that everything runs smoothly and without any downtime. When presented with a project that may result in a short-term security risk but will get the project done more quickly, it's far too easy to rationalize the risk away.

Data security policies and procedures need to be elevated to a primary function even ahead of project completion. Is continual progress important? Absolutely! But one data breach can wipe out several years of successful project completion. Your security team should be running usage reports, auditing activities, and performing usage and trend analysis, down to individual users, to really understand the data flow within your organization.

The Anthem breach began on Dec. 10, 2014, but it wasn't until Jan. 27, 2015, that suspicious activity was spotted by a database administrator: a query running under his own credentials that he had not issued. During that time, a majority of the roughly 80 million records contained in the compromised database were exposed.

The hackers had access to Anthem's systems for nearly seven weeks before the breach was discovered. During that time, they were presumably running many queries that went unnoticed. One can only speculate, but if Anthem had had a team and process in place looking for unaccounted-for queries (queries from unexpected sources, at unexpected hours, or returning far more rows than the account normally touches), the breach might have been spotted right away. I would be shocked if such a team and process aren't in place going forward.
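To make "looking for unaccounted-for queries" concrete, here is an added example (written for this page, not code from the article's author or from Global Data Sentinel, and not based on Anthem's actual logs) of the kind of per-user baseline that a security team could run over database audit logs. The log format and every line in it are constructed; the rules are deliberately simple: a query is flagged when it comes from a source address the account has never used, outside the hours the account normally works, returns an order of magnitude more rows than the account's previous maximum, touches a table the account has never read, or reads a table with no filter at all.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit-log format: one statement per line, key=value fields, statement quoted.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)
TABLE_RE = re.compile(r"\bFROM\s+([A-Za-z_][\w.]*)", re.IGNORECASE)

# Constructed "normal" traffic used to learn each account's baseline.
BASELINE_LOG = """\
2015-01-05T09:12:41Z user=dba_jsmith src=10.4.2.17 db=members rows=1 stmt="SELECT * FROM members WHERE member_id=1001"
2015-01-05T10:03:12Z user=dba_jsmith src=10.4.2.17 db=members rows=40 stmt="SELECT status FROM claims WHERE member_id=1001"
2015-01-06T14:22:03Z user=dba_jsmith src=10.4.2.17 db=members rows=250 stmt="SELECT member_id,plan FROM members WHERE plan='gold'"
2015-01-07T09:45:59Z user=app_claims src=10.4.9.31 db=members rows=1 stmt="SELECT * FROM claims WHERE claim_id=55"
2015-01-08T16:01:10Z user=app_claims src=10.4.9.31 db=members rows=3 stmt="SELECT * FROM claims WHERE member_id=2002"
"""

# Constructed traffic to review: a bulk export at 2 a.m. from an unfamiliar address,
# a routine lookup, and an application account wandering into a table it never reads.
NEW_LOG = """\
2015-01-27T02:14:05Z user=dba_jsmith src=203.0.113.45 db=members rows=78800000 stmt="SELECT name,ssn,dob,address FROM members"
2015-01-27T09:30:00Z user=dba_jsmith src=10.4.2.17 db=members rows=2 stmt="SELECT * FROM members WHERE member_id=1002"
2015-01-27T09:31:00Z user=app_claims src=10.4.9.31 db=members rows=120 stmt="SELECT * FROM members"
"""


def parse_line(line: str) -> dict:
    """Parse one audit line into fields; raises ValueError on anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["rows"] = int(rec["rows"])
    t = TABLE_RE.search(rec["stmt"])
    rec["table"] = t.group(1).lower() if t else None
    rec["filtered"] = re.search(r"\bWHERE\b", rec["stmt"], re.IGNORECASE) is not None
    return rec


def build_baseline(lines) -> dict:
    """Per-account profile: sources, tables, busiest result size and working hours."""
    base = defaultdict(lambda: {"src": set(), "tables": set(), "max_rows": 0, "hours": set()})
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        b = base[r["user"]]
        b["src"].add(r["src"])
        if r["table"]:
            b["tables"].add(r["table"])
        b["max_rows"] = max(b["max_rows"], r["rows"])
        b["hours"].add(r["ts"].hour)
    return dict(base)


def flag_queries(baseline: dict, lines, rows_factor: int = 10) -> list:
    """Return one finding per query that departs from its account's baseline."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        b = baseline.get(r["user"])
        reasons = []
        if b is None:
            reasons.append("unknown_user")
        else:
            if r["src"] not in b["src"]:
                reasons.append("unknown_source")
            if b["hours"] and not (min(b["hours"]) <= r["ts"].hour <= max(b["hours"])):
                reasons.append("off_hours")
            if r["rows"] > rows_factor * b["max_rows"]:
                reasons.append("bulk_rows")
            if r["table"] and r["table"] not in b["tables"]:
                reasons.append("unknown_table")
        if r["table"] and not r["filtered"]:
            reasons.append("unfiltered_read")
        if reasons:
            findings.append({"ts": r["ts"].isoformat(), "user": r["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_queries(build_baseline(BASELINE_LOG.splitlines()), NEW_LOG.splitlines()):
        print(f["ts"], f["user"], ", ".join(f["reasons"]))
```

The point of the baseline is that a DBA account legitimately reads the members table every day, so a table-level rule alone would never fire; it is the combination of source, hour and result size that separates the export from routine work. In a real deployment the baseline would be learned over weeks, not five lines, and findings would go to a person with the authority to pull the account rather than to a report nobody reads.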

Embrace audits and penetration tests by outside security experts
A line often attributed to Albert Einstein goes: "We cannot solve our problems with the same thinking we used when we created them." No matter how regimented and advanced your internal IT systems are, it's unavoidable that over time your staff will develop blind spots. Beyond even that, business needs continue to drive the demand for ever more data collaboration, which drives the adoption of ever more new technology, which in turn opens new attack vectors.

A hacker, or as is becoming far more common, an organized team of hackers, only needs to learn one new attack vector then use it on multiple companies. Conversely, your security staff needs to defend against multiple hackers using multiple tactics across multiple technologies. It’s no longer possible to actually perform all of your security analysis internally. Your chief information security officer (or equivalent) must view external experts not as threats, but as resources hired to deliberately highlight and help fix data security threats.

Identifying those threats should be applauded and celebrated, because you can only remedy issues that you’re actually aware of. Senior business management must learn to be highly supportive of receiving external feedback. Conversely, passing an external security audit with “flying colors” or without at least some remediation suggestions must be viewed as highly suspicious. Data security requires an ecosystem of the correct tools, policies, procedures, audits and expertise. Ultimately, senior business leadership must embrace data security requirements as a core requirement for performing business in the 21st century.

About the author: John-Philip Galinski is the CEO and co-founder of Global Data Sentinel (GDS), an end-to-end proactive cyber security platform designed for the enterprise. GDS dramatically increases the security of corporate data across any network and cloud, while proprietary hardware integrates with GDS software to secure data streaming to and from any device.