First it was Sony, then it was Target - two major companies hacked and millions of consumers alarmed about the theft of their personal information, passwords, and credit card numbers. Now, it's the Internet at large -- or at least a good portion of it -- thanks to the so-called Heartbleed bug, a vulnerability in the open-source OpenSSL cryptography library. If data breaches and hacking can happen to the likes of Sony and Target, they can happen to virtually any business. Now that the Heartbleed bug has been exposed, preventing data breaches and hacking is on everyone's mind.
So, what can you do to prevent data breaches and hacking? Obviously, if your site uses OpenSSL and has been affected by Heartbleed, you'll want to patch it ASAP if you haven't already.
Next, you'll need to shore up your defenses on multiple fronts. According to Verizon's 2013 Data Breach Investigations Report, 78 percent of initial intrusions were rated as "low difficulty." In other words, in most cases attackers got past existing security measures with little effort. In addition, 75 percent of breaches were considered opportunistic attacks. Shoring up your defenses makes it harder for hackers to get in. If you make it hard enough, those looking for easy targets may simply move on to the next opportunity.
Verizon recommends numerous strategies to prevent data breaches and hacking including a continued emphasis on prevention and focusing on "better and faster detection through a blend of people, processes, and technology." It also suggests eliminating unnecessary data and monitoring what's left. In Target's case, over 70 million past and present customers were affected and their PINs stolen. Was it necessary to store customers' PINs? Some say no.
In general, the more sensitive information you store, the more damage you can expect should a data breach occur. Remember when businesses routinely used Social Security numbers as "account numbers"? Though this practice has largely disappeared, some businesses still use and/or store their customers' Social Security numbers. If your business stores sensitive information like this, ask yourself if it is necessary. If it's not, consider purging it from your system.
Another way to reduce risk is by using data encryption such as Dolphin's SAP data encryption solutions which are part of its Data Management Cockpit for SAP Database Security. Encryption can be used to "mask" sensitive information so that it is unreadable to hackers or unauthorized individuals.
The United States has been slow to embrace chip-based debit and credit cards, which are popular in other countries and far more secure than their magnetic-stripe counterparts. Retailers and financial institutions have resisted transitioning to these more secure cards because doing so requires investments in new equipment. Sentiment appears to be changing, and Target reportedly now supports chip-based cards.
No security measure will ever completely rid the economy of theft and fraud. However, companies can do a lot more to protect data including shoring up their defenses, storing less unnecessary data, using data encryption, and adopting smarter, more secure payment processing technologies.
- "The 2013 Data Breach Investigations Report" from Verizon Enterprise: http://www.verizonenterprise.com/DBIR/2013/
- "Target Says Up to 70 Million Customers Affected By Hacking" from Entrepreneur: http://www.entrepreneur.com/article/230762
- "Sony Hacked Again: How to Avoid a Giant Data Breach" from IT Insider: http://www.itinsideronline.com/frontline/sony_hacked_again/index.html
- "Archive and Data Management to Support SAP Solution Data" from Dolphin Corporation: http://www.dolphin-corp.com/information-lifecycle-management/sap-data-security-management/
James Hadley is a father, husband and IT consultant. He lives in San Francisco and enjoys exploring around town. To learn more about the author, connect with him on Google+.