Data can be a competitive differentiator for a company, says Craig Spiezle of the Online Trust Alliance. But knowing when to dispose of information that is no longer needed limits what a breach can expose.
The Online Trust Alliance recently issued its Data Protection and Breach Readiness Guide, which reports that more than 740 million records were exposed in data breaches worldwide during 2013.
The takeaway: Organizations need to ask what data is completely necessary for them to store.
"If you think of transactional data, someone like Amazon, it makes sense that they maintain your purchases for a few years," Spiezle says in an interview with Information Security Media Group [transcript below]. "You may have a question, there may be a problem or there may be a recall. There are legitimate business reasons [for] collecting data for several years."
But if an organization e-mails a user 20 times over the span of two years and they fail to respond, "maybe you should then delete that customer from your database," Spiezle says.
A key issue in data protection is how an organization manages the data it holds: who can reach it, how that access is tracked, and how the data is encrypted.
"Who has access to that data, how do you track that, what provisions do they have and how do you encrypt [it]?" Spiezle asks.
In the interview, Spiezle discusses:
- Responsibilities of organizations to be stewards of data;
- Cybercriminals exploiting weaknesses in how users employ passwords; and
- Methods the alliance used in reaching its findings on data breaches.
Spiezle has headed the Online Trust Alliance for nearly 10 years. Before joining the alliance, he spent more than a decade at Microsoft in several management roles, including director of security and privacy product management.
Records Exposed Hit New High
ERIC CHABROW: Do the record numbers of breaches that you report reflect more organizations knowing they have been breached, or are more breaches occurring?
CRAIG SPIEZLE: It's a combination. Of course we don't know what we don't know, and there are always companies that either have not had a breach, don't know they've had one, or haven't disclosed one. The point is that the cybercriminal is becoming more and more precise, focused, and innovative in many areas, and it just underscores the challenges that businesses face in a big data economy.
CHABROW: How did you determine that 740 million plus records were exposed in 2013, and is this a worldwide number or just the U.S.?
SPIEZLE: So this is a worldwide number, and our data comes from multiple sources, ones that we actually hear about directly and by working with organizations like the Open Security Foundation and the Privacy Rights Clearinghouse, who track these reports as well. We take their data, again the records exposed, and then dig down into each one of those instances based on what has been publicly shared.
CHABROW: How big of an increase was 2013 [in terms of data breaches]?
SPIEZLE: If you look at it, it's increased in many different areas. For example, if we look at just credit cards and Social Security numbers, the increase is over five-fold last year, and that is very concerning. But what's also concerning is the number of breaches of user accounts, credentials and passwords, which in many ways are some of the most challenging areas for compromising identity theft. Looking all across the spectrum, the number of incidents right now is about the same as last year, but what's [increased] is the number of records. What that is really telling us is that the cybercriminals are being more focused, going after big targets, no pun intended; obviously we're now looking at Target at over a hundred million [records stolen]. That is roughly 50 percent of adults in the U.S.
Breaches: Five Years Ago
CHABROW: What is different today with breaches than five years ago, and what is different today than a year ago?
SPIEZLE: I think the cybercriminals are getting very smart. They recognize that consumers are sometimes lazy and reuse passwords or user names. They find that if they are able to compromise a very large target, they may be able to use those to compromise other accounts downstream. This is my point of why user names and passwords are equally, if not more, damaging than a bank card number. We're also seeing, and this is observed through monitoring the chats and discussion groups of the criminal underground, [that they are] doing more sharing and trading of data. If you think about data brokers in the business economy, there are data brokers in the underworld economy.
CHABROW: You determine that nearly 90 percent of all breach incidents were avoidable if basic security controls and best practices had been enforced. How do you know that?
SPIEZLE: We're basing our data on reviewing, line item by line item, the breaches that are disclosed and what happened. An example [would be] an employee inadvertently disposing of a hard drive; that would have been avoidable. It's very easy to do that. The things that aren't avoidable would be, for example, a zero-day [before a] patch. Those are things that we look at because we don't feel a company can be held accountable in that respect. Or there is physical theft, a determined criminal coming in and stealing your server, hard drives or computers.
Conversely, an employee leaving a notebook in their car that had a million records, we would say that is avoidable from the perspective that employee data needs to be kept secure when being used, stored or transported. So it's really looking through those criteria of what is listed and disclosed. We were being conservative in our 89 percent; Verizon and others had reported 95 to 97 percent in past years. Whether it's 90 or 95 percent, it still underscores the critical importance that businesses take a holistic view of the data they collect and store, and their policies for the use of such data.
CHABROW: Do organizations just have too much data they don't really need to keep?
SPIEZLE: Data can be a competitive differentiator for a company, and as a marketer I think you need to ask that question: What is essentially necessary for your business operations, and how long do you keep it for? One of the more concerning parts is your whole data management strategy. Who has access to that data, how do you track that, what provisions do they have, and how do you encrypt that data? Part of that might mean you need to make sure your data is encrypted at all times. It's not just when you send it to someone; [you have to] make sure you're eliminating access, because again, if you have user rights that allow anyone in your company to have access to it, that's clearly an example of setting yourself up for a data loss incident. It's everything from collection to controlling, and then also how and when you dispose of it.
Disposing of Data
CHABROW: Do you find that most organizations don't examine how to dispose of data?
SPIEZLE: There is a big debate at times in the privacy community. What is reasonable? How long should you keep data? There are different types of data, so if you think of transactional data, someone like Amazon, it makes sense that they maintain your purchases for a few years. You may have a question, there may be a problem, or there may be a recall. There are legitimate business reasons [for] keeping data for several years. On the other hand, if you have a profile of a user, and you've mailed them twenty times over the past two years and they've never responded, maybe you should then take that and delete that customer from your database. Obviously, they are not engaged. It depends, so it ranges. The range is there, [and it] just underscores the importance [of] looking at your data collection procedures holistically [to see if they] are still valid based on your current business practices.
CHABROW: How about other steps organizations take?
SPIEZLE: That is some of the discussion about encryption, hashing and de-identifying [of] data. Those are all practices that companies do. I certainly can't comment specifically about Target; their problems seem to indicate much more than credit cards. It appears to be their data storage; the data that has been shared includes user names and profiles. Clearly there are some broader issues, and you would [ask]: Why is that data maintained? Why is it kept encrypted?
CHABROW: Any final thoughts?
SPIEZLE: I think at the end of the day, as you start the conversation that businesses need to recognize [that] they're stewards of data, we need to move beyond a compliance mindset. Compliance is the minimum amount you need to do. I always comment [that] stewardship is what your mother expects you to be doing. [That] we're stewards of data is the first point. The second point is: you will have a data loss incident. So how are you prepared? I think, just like in the case of any catastrophe, you need to look at that, have your plans in place, and have a thought-out strategy.