Employees at MTV Networks are watching their credit reports more closely after the company acknowledged that the personal information of 5,000 employees was stolen late last week.
The attack took place via a laptop Internet connection, according to a report in The Wall Street Journal. Viacom Inc., which owns MTV Networks, did not release further details of the attack.
In an email to employees, Viacom said employee names, Social Security numbers and dates of birth had been stolen. Viacom said in a statement that law enforcement had been contacted and a criminal investigation is ongoing.
Companies are under increased pressure to guard against data security breaches. Security experts say it takes a mixture of strict security policies, end-user education and security technologies to help thwart an attack.
"This is one of those classic problems where people are so confused and when it happens, they get frozen into inaction," said Prat Moghe, founder and chief technology officer of database security vendor, Tizor Systems Inc. Rather than going into areas where they're weak on protection, they end up spending more and more money in areas they're already protecting."
A study by the Elk Rapids, Mich.-based Ponemon Institute found that the total average cost of a data breach grew to $197 per compromised record.
Companies tend to spend money on expanded use of encryption technologies, according to Ponemon. They also invest in new data loss prevention and identity and access management products; and deploy new technology for endpoint security and perimeter control, and event management.
Once the dust settles after a breach, Moghe recommends looking internally at where sensitive data resides on the company systems and how it is accessed. That would help to find the channel of where the data was lost and in plugging those holes, Moghe said.
Companies should also take an inventory to determine the most valuable data and figure out the security protections that are most appropriate to protect the data, said Ted Julian, vice president of marketing at database security vendor, Application Security, Inc. Julian said he's seen many firms discover databases they didn't even know they had, usually as a result of a merger or acquisition. In some cases, the role of IT is decentralized and many business units are free to create databases or implement the latest technologies.
"Yesterday's teenage hackers have figured out that they could make money doing this stuff and that change in motivation has changed the nature of their attacks," said Julian, who was a founder and chief strategist of Arbor Networks. "They're no longer defacing a website to show they can compromise a server, so yesterday's defenses are becoming meaningless."
More than half of corporate endpoints assessed by antimalware vendor Sophos fail to be secured, said Mike Haro, a senior security consultant at Sophos Inc. In many cases client firewalls have been disabled and antivirus definitions are not up to date, Haro said.
"It's just that enterprises just don't have the right policies in place for managing policy and patch assessment and we see that network access control (NAC) is still not widely deployed," Haro said. "NAC as a solution is still perceived as a complex technology and people are still not exactly sure what issue would be solved with it."