It’s Like Déjà Vu All Over Again: Yogi Berra On Information Security
As of April 29, 2014, the Identify Theft Resource Center (ITRC) has identified 260 breaches (affecting over 8 million records) that have taken place in 2014 alone. Likewise, the ITRC recorded 614 breaches in 2013, a 30% increase over the 470 breaches it reported in 2012. Each new major data breach (think Target) is reminiscent of those that have come before it (Citibank, Sony, Heartland, Countrywide, etc.).
MLB Hall of Fame catcher Yogi Berra, during his more than 50 years as a Major League player, manager and coach, offered (unwittingly or otherwise) baseball and its reading and listening public a great deal of wit and wisdom. In the spirit of the season, several of Berra’s “Yogi-isms” also offer guidance for businesses facing the challenges of protecting information.
“You can observe a lot by watching.” (Know Your Information and How and Where You Store It and Send It)
Information is an asset. You cannot protect information or use it effectively until you can locate and identify it, categorize it (determine its value), and track it:
“If you don’t know where you are going, you might end up somewhere else.” (Take Responsibility and Plan for Information Risks)
Every business needs to be prepared to respond to an event that could compromise its information or information systems (computers and computer networks):
“Never answer an anonymous letter.” (Train Your Employees to Detect Phishing Emails and Other Security Threats)
The threat to computer networks caused by “phishing” -- attempts to acquire sensitive information by pretending to be a reputable entity in an email -- is significant. According to the latest Verizon Business Data Breach Report, over 95% of targeted attacks start with a phishing email. The same Verizon Report makes a more startling observation: a phishing campaign that sends 20 emails has almost a 100% probability of getting at least one click.
All organizations must train their employees to be skeptical of suspicious emails, and to report suspected phishing messages. Employee training and awareness is a necessary component of an information security program, as are “layered security” or “defense-in-depth” mechanisms that may prevent or limit a system compromise brought about by clicking on a phishing email.
“If people don’t want to come to the ballpark, nobody’s going to stop them.” (Protecting Information is Good Business)
The damage that results when sensitive information is disclosed without authorization can take several forms. In addition to the financial and regulatory losses and burdens a company faces in the wake of a breach, the damage to its reputation may be the most significant and lasting. Losing a customer’s information compromises trust, a very valuable asset in a competitive market. Protecting information assets protects the value of the company.
Conclusion: “The future ain’t what it used to be.”
Effective information security is a moving target and an ongoing process that requires a combination of people, processes, and technology. As the last several years have demonstrated over and over again, hackers and other threat actors continue to become more sophisticated and pervasive. As a result, standing still is not an option, and instead an organization must evaluate and update its security policies, training, and technology on a regular basis.