By Terry Ray
One year after the Cambridge Analytica breach came to light, the world learned of the Facebook Messenger bug. No, Facebook isn’t done with the news yet. This past week saw their services off-line for hours and at the time of this writing, they have not yet announced the cause, though they claim it was not due to hacking. Regardless, the past year has been a rough one for the company starting with the sharing of user data with Cambridge Analytica and proceeding to a breach affecting 30 million accounts at the last tally.
Facebook can only be given partial credit for the changes occurring in data security today. Breaches of varying sizes occur every day. Over the years, we have seen many high-profile data loss breaches like Facebook’s loss of 30 million user records cause corporate executives and boards to ask their security teams, “What are we doing to avoid this?” A significant data security shift began several years ago, in large part due to these major breaches in the news. The shift is one of responsibility within an organization.
Traditionally, volumes of data reside in a few primary technologies within organizations, the most common of which are e-mail servers, file servers and databases. E-mail server breaches are typically only relevant to corporate property, like what employees say or do. Remember the 2016 elections or the e-mails in a major Hollywood studio breach? Often, somewhat more damaging breaches result from weaknesses in the security around files, which can hold vast amounts of data in what is called an unstructured form. This means the data could be in just about any format, which sometimes makes it harder for the attacker to get to volumes of valuable data quickly. You might recall the Mossack Fonseca or Panama Papers breach. However, as much as we might remember e-mail and file server breaches, databases are the most common target of attackers since they store vast amounts of data, and because that data must be retrieved quickly and efficiently, it is stored in a structured, easy-to-find and easy-to-gather way. There are too many to list, but a simple search online for ‘database breaches’ will yield more than you need to get the picture. Facebook is a large, notable, household-name example of this, which brings such breaches home for us all.
Going back to the shift: if you look back five years, very few corporate security teams took responsibility for the security of databases. Databases were the responsibility of database administrators and were often highly sensitive to possible impacts from security controls used in other parts of a corporate infrastructure. Today the security landscape around data has begun to change, such that many companies have assigned data security responsibility to the Chief Information Security Officer, meaning someone, and often a team, is responsible. To be honest, though, many of them are still trying to figure out what needs to be done to effect security in the data space.
Most companies have security strategies, as well as regulations per industry, country or type of data stored. Security teams commonly operate using various security frameworks, in whole or in part, like NIST and CIS, designed as best-practice guidelines on how to operate a security function before, during and after a breach. These frameworks and regulations do provide some instruction for data controls, but industry experts are quick to point out that they provide the ‘what to do’ while almost none provide the ‘how to do it’. The result is that there is more activity around data security in organizations, but how companies go about defining what data security means to them and, more importantly, how they go about providing this security varies wildly from company to company.
Data breaches of the Facebook magnitude are certain to happen again. Data security is not only a new responsibility for security teams; it’s also a new discipline in the world of cybersecurity. Sure, there are some of us in the industry who have lived data security for almost two decades, but consider how hard it is to hire a data security expert. A search of LinkedIn for “Data security” yields 170,000 people who claim to have the skill. This is in comparison to a search for “Network security”, which yields 1.8 million results. Experts are hard to find for data security, so companies either have to learn as they go, pay for an expert service or, more commonly, look toward AI and machine learning to supplement their human expertise.
Terry Ray is SVP of Imperva and an Imperva Fellow