Late last year, data thieves stole millions of South Carolinians’ Social Security numbers from the state’s Department of Revenue. The crime generated massive media coverage and prompted discussions among experts in the world of information security. One such expert, ISACA International Vice President Ramsés Gallego, discussed the incident and illuminated how breaches like this create opportunities to educate.
ISACA: Why do major breaches like the South Carolina incident occur?
Ramsés: A combination of technology and process failures. Organizations need to protect sensitive information from both the technology and process standpoints to ensure that technical controls (like encryption and identity management) are in place.
It is critical that companies embrace the world of risk management and understand that the risk equation exists if there are threats exploiting vulnerabilities, and that the results can have devastating impacts. This is exactly what happened in South Carolina: a threat (the hacker) exploited a vulnerability (a failure in the processes), resulting in a huge impact on the lives of many people.
ISACA: What are some precautions that organizations and individuals can take to be more secure?
Ramsés: Organizations must protect their two most important assets, in this order: people and data. By providing a robust security-management program, prioritizing security-awareness training, and focusing on precautions on the technology and processes side of things, they will be protecting these two assets—people and data—that are uniquely linked.
The foundations of risk and security management are about asking the right questions to the right people at the right time. The Internet and the digital age just amplify the possibility of something bad happening. Thus, we have to ask questions about who has access to what, how, when, from where and to where. We must have processes that are geared toward knowing and discovering potential vulnerabilities (whether human or machine-driven).
A good approach, from my point of view, is just playing out “What if?” scenarios. As we answer those questions, we discover the impact of data leakage, the public-image impact, etc.
We can also do that as individuals, when we post things online and when we deal with sensitive information like health records, taxes, anything that can present a profile of ourselves. We can also ask companies about retention policies: How long will that company have this kind of data? Does it share it with any other services/organizations? What are their terms of security and privacy?
ISACA: What does this kind of breach mean for the future of the financial industry as we move toward fully cyber personal finances?
Ramsés: This kind of breach—and the many others that, unfortunately, happen every single day—means that we need a shift in perception. We must consider the “extended” world we live in and that much of our private information is up there, in the cloud, somewhere in a server... sometimes even in another region or continent.
For the financial industry, this means we are talking about reliability, customer expectations and trust. Compensating with additional services after sensitive data is leaked is not enough. The moment to take action is before incidents happen.
Ramsés Gallego, CISM, CGEIT
Security Strategist and Evangelist at Dell
ISACA International Vice President