Business security is not a new concept. Storeowners have alarms, video, and guards to keep the ne'er-do-wells of the world at bay. Corporations that handle money have to worry about embezzlers (does the fact that it is “white-collar crime” mean it is more sanitary as a crime?). And all who handle data must address the business of securing their data.
The number of data breaches and compromises over the past twelve months has been staggering. The most glaring of them, affecting millions, was the work of a few cybercriminals who were willing to patiently identify and then exploit weaknesses within the retail POS ecosystem's security architecture. Where were the business security processes and protocols? Simply assuming that a third-party vendor or service provider understands, implements, and monitors the security of their product or service offering often proves to be a grave mistake.
Securing data from both the inadvertent exposure caused by a well-meaning employee and the potential theft by a less well-meaning employee may prove difficult. The healthcare sector provides a seemingly ever-present flow of data breaches. These entities may be in the health industry, but they must also think about business security to protect their data. The inadvertent exposure of sensitive data, perhaps caused by a well-meaning employee who copies controlled personal information or protected health information onto a storage device to work offline, is as common as the failure to encrypt sensitive data at rest. When control of an unencrypted device is lost, the data on it is compromised.
Then there is the insider who may be genuinely interested in providing goods and services, but who also has their own agenda or is a proxy for the agenda of another (wittingly or unwittingly). These insiders know they are "breaking the rules," but have rationalized their actions away. Those who have fully broken trust exploit the holes they see, or perceive, in the security architecture surrounding what they wish to steal. The individual who has been manipulated, or socially engineered, has been duped into taking an action, providing information, or otherwise removing a piece of the security architecture for exploitation by a third party.
Every entity is using and relying on technology, ranging from the technologies essential to keeping the business responsive and functional to those designed to protect the business. All companies, regardless of size, should understand how their data is secured and how the company engages securely with its customers. This understanding must extend to all third-party applications and services the company uses, to ensure that their level of security and level of service meets or exceeds the company's own policies and procedures.
Trust, But Verify
What can one do? "Trust, but verify" is applicable to every entity's business security. The phrase, made famous by President Ronald Reagan, is rooted in a Russian proverb, "Доверяй, но проверяй" (doveryai, no proveryai), which he used with Soviet General Secretary Mikhail Gorbachev in 1987 when they signed the Intermediate-Range Nuclear Forces Treaty.
An insider threat program is a must. During the 2014 RSA Conference, Dawn Cappelli and Randall Trzeciak presented "Keeping Up with the Joneses: How Does Your Insider Threat Program Stack Up?" In their hour-long presentation, Cappelli and Trzeciak shared the results of a 26-company survey focused on insider threat programs, providing ample food for thought to get any company's leadership engaged in a strategic discussion around three questions: What are we implementing? What must we implement? What resource shortfalls are present?
All businesses, regardless of industry, need to think about business security to protect their data. Threats are present from both inside and outside the organization. Without the proper protocols in place, anyone is susceptible to a breach.