Today’s business users are nothing if not productive, but too often they don’t think about if they are working with confidential data or if they are protecting it appropriately. The fact is, employees regularly save patient records to thumb drives, transfer customer data to personal devices, and email unreleased product plans to personal webmail. Although well-intentioned, their actions can expose sensitive business information to unnecessary risk. Add advanced threats by external attackers to the mix plus malicious insiders, who are intent on stealing corporate data for their own gain, and it becomes clear that data loss prevention (DLP) is no longer a nice-to-have, but a need-to-have.

CISOs are turning to DLP solutions to effectively protect valuable intellectual property (IP) and personally identifiable information (PII) and keep their organizations from becoming the next headline.  Symantec recently published a research paper examining how DLP programs impact the effectiveness of security executives while also protecting corporate data. We surveyed more than 130 CISOs, VPs, directors and managers responsible for the evaluation, selection, deployment and governance of their organization’s DLP solution.

The Symantec Internet Security Threat Report (ISTR) 2013 reveals how the threat landscape is evolving, compiling information from more than 69 million attack sensors in 157 countries around the world. This year’s report shows more targeted attacks, inceasing focus on smaller businesses, and the continued development of new threats.

Targeted attacks, hacktivism, and data breaches

Targeted attacks saw a 42 percent increase in 2012, to 116 per day on average, with a corresponding increase in data theft and incidents of industrial espionage. Attackers are changing their targets, as well. Small businesses make up a larger percentage of those targeted for attack then in 2011—a threefold increase–with 31 percent of all targeted attacks directed at companies with less than 250 employees. Attackers are finding valuable data to steal from small companies and fewer defenses in place to stop them. Manufacturing is now the most targeted business sector, making up 24 percent of targeted attacks. One of the most significant innovations in targeted attacks is the emergence of watering hole attacks. The attackers compromise the security of a website that an intended target is likely to visit, once the target visits the website their computer becomes infected with malware. This successful tactic, popularized by a group known as the Elderwood Gang, has infected up to 500 companies in a single day.

I read with great interest The New York Times’ “Room for Debate” that discussed whether companies should disclose when they get hacked. When brands big and small suffer a data breach and lose customer data, they are required to disclose the breach based on various state privacy laws that mandate disclosure when personally identifiable information (PII) is lost. But, when hackers get in the backdoor and make off with other valuable IP, we typically don’t hear about it. Opinions on the matter of disclosure run the gamut. Some think mandatory disclosure of security breaches will telegraph weaknesses while others think disclosing cyber-risks is material and investors should know if a company can keep its crown jewels secret.

There’s plenty to debate on this front, but by focusing so much attention on hackers pilfering sensitive corporate data we’re ignoring one of the biggest threats to IP that companies face everyday – our own trusted employees. We need to consider to whom more corporate secrets are lost – the external attacker or the insider?

I came across this article not too long ago and it really got me thinking about not only the places where I put my information on the Internet, but the reasons I put my information out there.  Most sites we put our information seem really innocuous and quasi-safe because we don’t think the site is very interesting to anyone but ourselves and a hand full of others with similar interests.  It seems like it almost becomes a “second nature” activity to just blindly assume that Internet sites that don’t ask for your credit card are okay cause well, it’s just my name, and maybe my phone number and/or address.

I frequently present on security threats and the Symantec Internet Security Threat Report.  There are many great statistics from the current report, 403M unique variants of malware, 5.5B web attacks blocked, 4,597 web attacks per day, etc.   I frequently describe the different types of attackers, Malicious Outsiders, Insiders, Organized Crime, etc.  The question that is frequently posed after the presentation is “How big of a target are we?”

Many security professionals are looking for the input to the risk formula for the probability of being attacked by one of the attacker types.  Unfortunately, this hard quantitative data does not exist, we can only do our best to estimate it based upon the data and information we have about the current threat landscape, as well as industry and company trends.

Over a century ago, individuals had to protect themselves with a gun, whether at home or walking in the streets.  We thought we were getting civilized when our law enforcement agencies became able to handle this level of criminality to protect the citizenry of our state and local areas.  Now with the growth in activity of the cybercriminal who is an unseen and an unknown assailant, what are we to do?  Throughout history, citizens would, at times, take on the role of vigilante and conduct their own form of justice to stop the criminal element.  Is this what we can expect these days in light of the ever growing spate of attacks from cybercriminals?

When news broke that passwords may have been compromised at some very popular web sites, I immediately thought “Where else am I using that same password?” I, like many others, sometimes reuse passwords even though I know better.  The last 48 hours of password leaks should serve as a wake-up call for consumers and businesses alike.

The fact is that, even in the workplace, users are likely to utilize the same password to access any number of personal and business resources. It’s a big problem and businesses can lose millions of dollars if just one employees’ account is compromised, leading to the loss of sensitive corporate data.

So, what are we to do? Rather than dive into salted hashes, see my colleagues post on What’s @ Stake for information on that, for this post I think it’s important to focus on best practices to protect your information.

What makes the healthcare industry such a hot target for hackers? The answer lies in the records that they keep. Medical records contain some of the most valuable personal information — social security numbers, birth and death dates, family information, billing information including credit card data — that allow hackers to gain full reign on a person’s identity and do some major damage. Just like any other business, even in hacking it boils down to the bottom line, and hackers want the most payout for their efforts. Healthcare organizations are the latest gold mine.

Yet, so many organizations are doing a poor job of protecting patient data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20 percent of all data breaches reported in 2011 were in the healthcare industry; the Privacy Rights Clearinghouse pegged this number at 33 percent in 2011. So, anywhere from one-fifth to one-third of data breaches last year were at healthcare organizations – that’s significant.

Can data breaches be stopped, really? This was the question posed by Larry Ponemon, chairman and founder of the Ponemon Institute, at the start of a panel discussion I attended at the RSA Conference last month. Experts on this panel seemed to agree on one answer – No.

The tongue-in-cheek response from James Christiansen, Evantix CEO and CISO, brought a room full of laughter when he said, “Yes, you just need to put the computer in a safe and bury it 30 feet underground.”

Jon Oltsik, an analyst at Enterprise Strategy Group, equated the situation to the war on drugs, “Border control may be able to capture some on the borders, but the problem continues to escalate and keeps getting bigger.”   John Townsend, Manager of Information Protection and Security, DTE Energy commented, “If we use the wall analogy, rather than having a brick fence what we now have is a chain link fence. While we have made some inroads, people are still not taking security seriously enough.”

Internet connectivity is turning up in every product we see: phones, video game systems, video cameras, televisions, coffee machines, home lighting, vehicle alarms and soon refrigerators, ovens, and heck, maybe toilets.

What a great world it will be when my refrigerator sends me a text message or posts to my favourite social network that I need to buy milk and salami. It will be even better when I can log into my oven and tell it to turn on and cook a pot roast at 350 degrees for 4 hours so I come home to a great slow cooked meal, or when my oven contacts the fire department when it lights my house on fire. I’m sure over time this great technology will be adopted by supermarkets to manage their nationwide chains remotely to ensure proper temperatures are maintained in their coolers and freezers.