Data breaches and hacks often don’t make the list of ‘disruptive tech trends’, but they should. Here’s why.

DATA BREACHES IN NUMBERS

Robert Mueller, ex FBI Director, has quite an astute view on hacking and data breaches.

There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again.

To truly understand the scale is difficult – not all companies report them. And, this doesn’t include individuals who have lost their data.

This is so extensive, that there are dedicated websites to track them. One example is Breach Level Index. The site includes numerous statistics about the nature of date breaches, such as the ones below.

Also, infographics, such as this one by Information is Beautiful, illustrate just how widespread they are.

2016 – 2017

2004-2005

In the last decade there were so many data breaches, that there isn’t enough space on the infographic!

THE CAUSE

Broadly speaking, data breaches occur because of human error or if security measures fail. More often than not, it’s because of the former. But, it’s much more than that.

For example, let’s say you wanted to test a web application. The Open Web Application Security Project (OWASP) has a checklist on this Wiki link. It has over 100+ items on its checklists! If one application has so many nuances with its security, at an enterprise level, the security of all systems, tools and technologies are significantly difficult to manage.

Securing all of it (hardware, software, and not only developed code) is a factor of good processes. And, such processes need to be all encompassing.

THE PROCESS

As with many enterprise processes, security starts as a management directive. While many businesses choose to get security professionals to set this up, management objectives may get overlooked. It’s best that the starting point remain management driven.

Once the management’s objectives and security expectations are aligned, the next step is to have someone (such as a security professional) translate this into actionables. The process, at this point, moves from strategy to execution. Typical steps could include:

  • Establish how the organisation wants to protect its information
  • Develop information classification system along with processes for each business unit
  • Include mechanisms to react to incidents
  • Get executive/management consensus on the process
  • Once this has been achieved, a framework will be the foundation of the enteprise’s security program
  • Such a framework could also be developed using existing frameworks. Such as
  • However, such frameworks are generic, and may not reflect the specifics of the management’s objectives
  • Further, given diversity in business units, it’s also advisable to create sub-policies that cater to such units

With the policy in place, the management needs to promote its enforcement through process checklists, training and open discussions. And, most importantly stress that it is a process, and needs to be in effect continously.