How exposed are you to being held hostage over the loss of your own information? What steps have you taken to make sure it doesn't happen? This week we were given something to think about when hackers claiming ties to the group Anonymous defaced a U.S. government website in response to the death of Aaron Swartz, a well-known internet rights activist. Swartz's recent suicide is widely thought to be linked to his financial burdens and the likelihood of prison time stemming from his downloading and sharing of copyrighted academic journal articles.
Avoiding a Threat
In retaliation for what was perceived as overzealous prosecution, the activists from Anonymous embedded a video statement on the homepage of the United States Sentencing Commission. Among other things, the hackers threatened to release sensitive information relating to a number of U.S. judges.
These events, along with the numerous widely publicized corporate breaches of the last few years, highlight the importance of taking information security seriously. Companies that don't run the risk of being held hostage over their own data.
Complying for Security
While there is no shortage of security regulations and guidelines, one of the most important is the Payment Card Industry (PCI) Data Security Standard (DSS). PCI DSS lays out 12 requirements, all focused on ensuring the security of cardholder information (debit, credit, prepaid, etc.).
Many of the PCI DSS requirements have been in place at most organizations for years: installing and maintaining a firewall, not using vendor-supplied defaults for passwords and other security parameters, and similar basics. However, there are several requirements that many organizations need to look at more closely before they can claim a proper level of security.
These requirements are to:
- Encrypt sensitive stored data (Requirement 3). This covers information stored on corporate servers as well as on the devices used by individual employees. It is critical that information taken out of the corporate environment be encrypted, and that the encryption key not be recoverable from the device itself; otherwise encryption adds nothing. When a device is lost or stolen, the data must remain inaccessible to anyone who could hold it hostage.
- Encrypt transmission of sensitive data (Requirement 4). This is often overlooked, because when data is intercepted in transit nothing is visibly missing. Many business applications still rely on the FTP protocol, which sends both the login credentials and the file contents in cleartext. Organizations need to establish a corporate standard that addresses the confidentiality, integrity, and availability requirements for how data is transmitted within the organization as well as over public networks. The standard should include an enterprise messaging system and a managed file transfer system that can show what information was transmitted, to whom, and when.
- Track and monitor all access to network resources and sensitive data (Requirement 10). Many think of this as log management and the challenge of dealing with large volumes of computer-generated log messages. There are a number of applications that handle collection of logs, centralized aggregation, long-term retention, analysis, search and reporting. Collecting is only half the job, though: logs have to be protected from tampering and actually reviewed, because an attacker who is never noticed is free to return. Log data may also be only part of the story. To get a complete picture, data from machines, systems, applications, and people needs to be integrated, for example over the same enterprise messaging system. With access to all the relevant data comes the ability to make truly informed decisions, answer pressing questions, uncover answers to questions nobody has yet asked, and even anticipate problems.
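As an added example of the first requirement above (not code from the original post), the following Go program encrypts a cardholder record at rest with AES-256-GCM. The point it makes is the one the bullet leans on: with an authenticated cipher, a lost device or a copied database yields nothing without the key, and any tampering with the stored blob is rejected rather than decrypted into garbage. The key in this example is generated in memory; in a real deployment it would live in a KMS or HSM, or be wrapped by one, and never be stored beside the data. The sample record and the record identifier used as associated data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewDataKey returns a fresh 256-bit AES key. In production the key lives in a
// KMS/HSM (or is wrapped by one) and must never be stored next to the data it protects.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// aad (here a record identifier) is authenticated but not encrypted, so a blob cannot
// be silently moved from one record to another without failing authentication.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to nonce, ciphertext, tag or aad, or use of the
// wrong key, fails the GCM tag check and returns an error instead of plaintext.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the PAN is a well-known test number, not a real card.
	record := []byte("4111111111111111|12/27|J DOE")
	aad := []byte("customer-record:10042")

	blob, err := Seal(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes; first 16 bytes: %x\n", len(blob), blob[:16])

	got, err := Open(key, blob, aad)
	fmt.Printf("correct key: %q err=%v\n", got, err)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, tampered, aad)
	fmt.Println("tampered blob rejected:", err != nil)

	other, _ := NewDataKey()
	_, err = Open(other, blob, aad)
	fmt.Println("wrong key rejected:", err != nil)
}
```

Run it with `go run main.go`. The nonce is random per call, so sealing the same record twice yields different blobs; that is expected and required (a reused nonce under the same GCM key breaks both confidentiality and integrity).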
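As an added example of the third requirement (again not code from the original post), here is the kind of review that has to run over the collected access logs for monitoring to mean anything. The program parses a constructed application audit log of reads and writes to cardholder records and applies three illustrative rules: access outside business hours, access from outside the corporate address range, and one user reading many records in a short window, which is what a bulk export or a hijacked account looks like. The log format, the thresholds and the 10.1.0.0/16 corporate range are assumptions for the example, not PCI DSS values.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed application audit log (not from any real system).
// Fields: RFC3339 timestamp, user, action, record id, source IP.
const SampleLog = `2013-01-28T09:15:02Z alice READ card:10042 10.1.4.22
2013-01-28T09:15:09Z alice READ card:10043 10.1.4.22
2013-01-28T03:02:11Z bob READ card:20001 10.1.4.40
2013-01-28T10:00:00Z carol READ card:30001 203.0.113.9
2013-01-28T10:00:00Z dave READ card:40001 10.1.4.50
2013-01-28T10:00:02Z dave READ card:40002 10.1.4.50
2013-01-28T10:00:04Z dave READ card:40003 10.1.4.50
2013-01-28T10:00:06Z dave READ card:40004 10.1.4.50
2013-01-28T10:00:08Z dave READ card:40005 10.1.4.50
2013-01-28T10:00:10Z dave READ card:40006 10.1.4.50
2013-01-28T11:30:00Z eve WRITE card:10042 10.1.4.22`

type Event struct {
	At     time.Time
	User   string
	Action string
	Record string
	IP     net.IP
}

// ParseLog parses the whitespace-separated format above. Blank lines are skipped;
// a malformed line is an error rather than silently dropped, since a gap in the
// audit trail is itself something to investigate.
func ParseLog(text string) ([]Event, error) {
	var events []Event
	for n, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", n+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		ip := net.ParseIP(f[4])
		if ip == nil {
			return nil, fmt.Errorf("line %d: bad IP %q", n+1, f[4])
		}
		events = append(events, Event{At: at, User: f[1], Action: f[2], Record: f[3], IP: ip})
	}
	return events, nil
}

// Policy holds the assumed thresholds (illustrative values, not PCI DSS numbers).
type Policy struct {
	Corporate     *net.IPNet    // source range expected for interactive access
	OpenHour      int           // business hours in UTC: [OpenHour, CloseHour)
	CloseHour     int
	BulkThreshold int           // accesses by one user within Window that count as a bulk read
	Window        time.Duration
}

// Detect sorts the events by time, applies the three rules and returns one alert per finding.
func Detect(events []Event, p Policy) []string {
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	var alerts []string
	recent := map[string][]time.Time{} // per-user sliding window of access times
	bulkSeen := map[string]bool{}      // alert once per user, not once per extra record
	for _, e := range events {
		if h := e.At.UTC().Hour(); h < p.OpenHour || h >= p.CloseHour {
			alerts = append(alerts, fmt.Sprintf("%s: %s %s outside business hours at %s", e.User, e.Action, e.Record, e.At.Format("15:04")))
		}
		if !p.Corporate.Contains(e.IP) {
			alerts = append(alerts, fmt.Sprintf("%s: %s %s from non-corporate address %s", e.User, e.Action, e.Record, e.IP))
		}
		w := recent[e.User]
		cutoff := e.At.Add(-p.Window)
		for len(w) > 0 && w[0].Before(cutoff) {
			w = w[1:]
		}
		w = append(w, e.At)
		recent[e.User] = w
		if len(w) >= p.BulkThreshold && !bulkSeen[e.User] {
			bulkSeen[e.User] = true
			alerts = append(alerts, fmt.Sprintf("%s: %d records read within %s (possible bulk export)", e.User, len(w), p.Window))
		}
	}
	return alerts
}

// DefaultPolicy returns the assumed settings used by the example.
func DefaultPolicy() Policy {
	_, corp, _ := net.ParseCIDR("10.1.0.0/16")
	return Policy{Corporate: corp, OpenHour: 8, CloseHour: 18, BulkThreshold: 5, Window: time.Minute}
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(events, DefaultPolicy()) {
		fmt.Println("ALERT", a)
	}
}
```

On the sample log this raises three alerts: bob's 03:02 read, carol's read from 203.0.113.9, and dave's fifth read inside one minute. The same structure (parse, normalize, then apply rules over a time-ordered stream) is what a SIEM does at scale; the rules that matter are the ones tied to where your sensitive data actually lives.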
The events earlier this week highlight the importance of developing and maintaining solid security policies that address information security, together with regular testing of security systems and processes. In a big-data-saturated, cloud-enabled and globalized world, technology is a necessary piece of maintaining vigilance and avoiding threats from people whose agendas you do not control.