Data breaches happen for all kinds of reasons, from employee sabotage to human error. But the past week or so has been a big one for security disasters caused by hackers, according to Risk Management.
Two of them involve hackers who infiltrated a third party a corporation had hired to do email marketing. At McDonald's, a company managing the franchisor's email campaigns used another firm to send out the promotions. Hackers stole data from that last firm, including names, phone numbers, and addresses.
A hacker stole email marketing data from a company used by Walgreens, then sent out legitimate-looking messages asking people to enter information on a web site, a site that was controlled by the hackers.
Then, a group of hackers calling itself Gnosis attacked Gawker Media. The collective got its mitts on more than 200,000 readers' email addresses and passwords. Someone claiming to represent the group recently told the blog Mediaite the collective did what it did because of Gawker's "outright arrogance." Another comment: Gawker Media "has possibly the worst security I have ever seen." The FBI is said to have been called in.
It's somewhat stunning that Gawker, the purveyor of famously snarky comments, would have such primitive security. And it's also stunning that corporations the likes of McDonald's and Walgreens would allow themselves to be so vulnerable.
But the incidents also point to just how vulnerable companies of all stripes and sizes are to hacking, and how far we have to go before we have comprehensive data security. A recent survey from The Ponemon Institute found that 57 percent of respondents said collaboration among such areas as IT and compliance isn't happening, although that collaboration is key to having a real security system.
What should companies do? David Newell, a security expert and practice manager with CTG Security, suggests that when companies outsource email marketing to third parties, they need to evaluate the security systems of their vendors and of their vendors' vendors. "You can outsource the work, but you can't outsource the risk," he says.
According to Ulf Mattsson, CTO of Protegrity, that evaluation should include such questions as: Where will the data be stored? What precautions do you take to protect against security breaches? Are you replicating data, and if so, how is that replicated data secured?
Newell also recommends that companies understand what data they have and where it is, creating a data map. Then it's possible to create security measures appropriate to where the data resides.
In previous posts, I've also cited other measures, such as:
--Identifying your important information assets and making a list of which ones are most vital.
--Determining where each of these information assets can be found.
--Rating your information assets according to such categories as public or sensitive information.
--Rating the threats that important information assets face and making a plan for how to deal with them, starting with the most severe.
Most important, however, is that C-level executives take all this seriously and not wait until a security calamity forces them to do something.