Data breaches in California exposed more than 2.5 million residents to the risk of identity theft in 2012, according to a data breach report by the California Attorney General's Office.
In the future, the default data state needs to be encrypted.
John Kindervag, vice president and principal analyst, Forrester Research
Failure to use basic security measures -- such as encrypting sensitive personal information, including social security numbers, credit card and bank account information, medical and insurance data, and driver's license numbers -- is cited for putting 1.4 million Californians at risk with these breaches.
Of the state's 131 data breaches in 2012, most were reported by the retail industry, followed by the finance and insurance industries. More than half of these breaches involved social security numbers, which are targeted because they can be sold on the open market and then used to steal identities and gain access to financial accounts.
What's behind this failure to encrypt? "Cryptofear," said John Kindervag, vice president and principal analyst for Cambridge, Mass.-based Forrester Research Inc. "People are afraid of encryption because they think they need to understand the actual encryption part of it, when in fact you don't. You just need to understand the processes and the management. The word 'encryption' still scares people, even though it's a mature technology and can solve a lot of problems."
Movies, such as Skyfall, don't do encryption any favors by making it look as if it can be easily broken, when in reality "there's no good evidence that good encryption programs can be broken -- even by the NSA," Kindervag said. "In the future, the default data state needs to be encrypted."
One more reason to encrypt personal data is that it can protect you from financially painful lawsuits. California's data security breach notification law, SB 1386, Civil Code sections 1798.29 and 1798.82, "essentially say that by encrypting personal data, you're shielded from data breach privacy laws even if it's stolen or lost," Kindervag said.
And odds are good companies will continue to pay dearly for unencrypted personal data breaches in California or any of the other states with similar breach notification laws. "Data breaches, in my experience, start at $10 [million] -- the table stakes of getting breached are high," Kindervag noted. "If you're smart and thinking long term, you'd pay $1 [million] for encryption rather than pay a minimum of $10 [million] for a breach. That probably doesn't even cover legal fees."
Better ways to protect against insider data breaches?
More than half (55%) of the California data breaches were the result of deliberate intrusions by outsiders or unauthorized insiders, which begs the question: Is there a better way to protect against insiders in these breaches?
The California breach report is "a wake-up call to every company and government organization that stronger security is needed to protect against both insider threats and breaches," said Eric Chiu, president and founder of HyTrust, a Mountain View, Calif.-based cloud control company. "As we just saw in the Snowden incident, the stakes are high and can ultimately damage the company's brand, impact shareholder value and put jobs on the line."
Breaches frequently target stealing valuable, embarrassing, confidential or customer data to sell on the open market or to go to the public with. These attacks "generally involve insider threats or attackers posing as insiders," Chiu said. "Most companies do an appalling job of securing access to data once you're inside the organization. This needs to change. Companies should assume the bad guys are already inside and put in place fine-grained access controls to restrict access to sensitive data, as well as role-based monitoring to detect when bad things are happening."
Immediately after the Snowden incident, "NSA put in place a new 'two-man rule' requirement across their more than 1,000 systems administrators to ensure oversight over access to sensitive data. This is a great first step, but more is needed around access controls and role-based monitoring to secure data and protect against breaches," Chiu said.
And the virtual and cloud infrastructure security element should also be considered. "Administrators with access to the virtual infrastructure can make copies of any virtual machine, as well as potentially delete the entire cloud environment in a matter of minutes," Chiu pointed out. "This is scary since most systems are now virtualized and access to virtualized infrastructure means access to all of the confidential and customer data in those virtual machines."