Cyber Attack: How Secure is Your Data
By now I’m sure you’ve heard news about the Anthem data breach, the latest high-profile cyber-attack, against the nation’s 2nd largest health insurer. The company announced that hackers stole the personal information of as many as 80 million current and former customers and employees. On a positive note, the company said there was no evidence the theft included patient healthcare information or credit card information.
So what are the hackers looking for? I can sum it up in two words: identity theft. Hackers are looking for any type of personal information, such as names, social security numbers, birth dates, email addresses, etc. They want to steal your identity for their personal gain. If they know everything about you, they can become you.
So how do these types of thefts happen? Companies today store our information in applications, databases, and data centers across the country and the world in order to make it readily available for processing, archival, and retrieval. For the most part, security controls such as firewalls are installed and do a basic job of keeping the bad guys out. Smaller organizations in most cases have the same types of information as large enterprise companies, but with much smaller budgets for IT investment and information security management.
Security Awareness
Most of these data breach cases involve the hacker stealing an employee’s or administrator’s credentials for accessing internal data systems. Methods of obtaining these credentials include malware, spam, website exploits, password cracking, and more. This is why it is very important to educate and train employees on information security policies and procedures. One of the main security threats for businesses comes from inside. Employees’ lack of knowledge of IT security procedures can represent the greatest security risk to an organization. In other words, security awareness training programs should be in place to provide ongoing guidance around information security do’s and don’ts.
To Encrypt or Not Encrypt
Although organizations today have the capability to encrypt their data, not many do. In the past, the speed and performance of applications and systems were impacted by encryption. Today this is usually not the case. Encryption tools and applications are now built into almost all operating systems, allowing small to large organizations to take advantage of this technology. Is data encryption the only answer? Hardly, but it adds a significant layer of security to protecting your sensitive information. Many people are surprised to hear that the data in the Anthem breach was not encrypted. The Health Insurance Portability and Accountability Act (HIPAA) states that health insurance companies such as Anthem are not required to encrypt the data stored on their servers, but it is strongly encouraged. Healthcare organizations that opt not to encrypt their information are supposed to document why they are not and provide an alternate means of protecting their sensitive patient information. My recommendation? Encrypt your data at rest and in transit. This just adds another layer of protection to discourage hackers.
The Bottom Line
IT security is not only having a firewall in place. IT security is a continual process of managing and monitoring the protection of your sensitive information. There is no perfect security solution, but with the implementation of IT security policies, IT security awareness training, best-of-breed security products, and encryption technologies you can reduce the risk of a security breach within your organization.