
Eliminating The Data Privacy Risk In Application Testing

Is it just me, or are there a lot more data breaches in the news these days?

I don’t think it’s my imagination – and some of the breaches are massive. For example, in April 2008, a laptop owned by the Irish Blood Transfusion Board (IBTS) was stolen. That one “little” theft exposed the personal data of 170,000 people who had used the transfusion service. 

It goes without saying that the PR aftershocks from such an incident can be devastating to even a well-regarded company. But let’s be cynical for a moment and look only at the cold, hard financial impact. I’ve read that the average cost to the breached company is $202 per compromised record and $6.6 million per data incident.

In addition, the FDIC may levy fines from $5,000 to $1,000,000 per day, and GLB sections 501 and 503 enable criminal penalties.

Of course, I don’t need to talk you out of having a data security incident. Nobody chooses to have one. But when it comes to prevention, I believe many companies are still dropping the ball.

According to a study conducted by the Verizon Business RISK team, 92% of attacks weren’t highly difficult, 96% of breaches were avoidable through simple or intermediate controls, and 76% of all data was compromised from servers – rather than from endpoints such as laptops and cell phones, which companies often consider riskier and focus more attention on.

Data Privacy Risk: It’s a Growing Concern
How to stop the bleeding? It seems like a tall order. According to an independent Oracle user group, 62% of organizations can’t prevent their super users from reading or tampering with sensitive information. Most are unable even to detect these incidents. And only one out of four organizations believes its data assets are securely configured.

On top of that, we’re still in the growth curve for worldwide internet usage. The number of online transactions is increasing exponentially. Personal financial data is flying around in all directions. As more people gain access to the Internet, the number of criminals online will increase accordingly.

Don’t let your company be their next victim.

Focus on Copies of the Production Database
Partly due to the financial and PR issues described above, partly due to consumer privacy concerns, and partly due to an increasingly stringent regulatory environment, safeguarding data privacy has become a top priority in virtually every industry.

Companies that are serious about preventing incidents should focus on securing any and all copies of their production database (we’ll discuss securing the production database itself in a separate blog post). As we’ve discussed on this blog, it’s not uncommon for large companies to maintain 10 copies of production – full clones used for testing, training, and development purposes.

To make matters worse, the people who have access to these copies of production are often “outsiders” – third-party consultants who you may not have vetted as carefully as your actual employees. Giving them full access to sensitive corporate data creates a significant privacy risk.

Masking Data to Minimize Risk
Where to begin privatizing data? Many organizations struggle just to figure out where all their at-risk data lives in the corporate environment. The next step is to put in place a simple yet reliable mechanism for masking, or scrambling, that data, so that it will still be useful for testing but won’t endanger the privacy of your customers and employees. 

IBM Optim Data Privacy is a solution that minimizes risk without slowing down your testing. By masking personal information, IBM Optim protects confidential customer and employee data, and ensures compliance with all levels of privacy regulations.

Of course, masking your data is only part of the game. It’s also a best practice to subset your production database, rather than use full copies of production, for testing and other non-production activities. IBM Optim Test Data Management facilitates that process. And when you use Optim Data Privacy and Optim Test Data Management in tandem, you can actually apply data privacy rules to production data while you’re subsetting it.
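The idea of applying masking rules while subsetting, shown as an added example; it is not IBM Optim's implementation or code from the original post. The schema, key, function names and sample rows are constructed for illustration, and keyed-HMAC substitution is one masking technique chosen here because it keeps repeated values consistent across tables.

```python
import hashlib
import hmac
import sqlite3

# Assumption: the key lives only where masking runs, never in the test environment.
MASK_KEY = b"constructed-demo-key"

SCHEMA = """CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, card TEXT);"""

def _mac(field: str, value: str) -> bytes:
    # Keyed hash: an unkeyed one could be reversed by enumerating the small SSN space.
    return hmac.new(MASK_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def mask_digits(value: str, field: str) -> str:
    """Replace every digit deterministically; keep length and separators."""
    digest = _mac(field, value)
    return "".join(str(digest[i % len(digest)] % 10) if ch.isdigit() else ch
                   for i, ch in enumerate(value))

def mask_name(name: str) -> str:
    return "Customer-" + _mac("name", name).hex()[:8]

def build_production() -> sqlite3.Connection:
    """Constructed sample rows standing in for a production database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + """
    INSERT INTO customers VALUES (1,'Ann Lee','123-45-6789'),
        (2,'Bo Ruiz','987-65-4321'), (3,'Cy Odom','555-12-3456');
    INSERT INTO orders VALUES (10,1,'4111 1111 1111 1111'), (11,1,'4111 1111 1111 1111'),
        (12,2,'5500 0000 0000 0004'), (13,3,'3400 000000 00009');
    """)
    return db

def masked_subset(prod: sqlite3.Connection, customer_ids: list) -> sqlite3.Connection:
    """Copy only the chosen customers and their orders, masking each row in transit."""
    test = sqlite3.connect(":memory:")
    test.executescript(SCHEMA)
    marks = ",".join("?" * len(customer_ids))
    for cid, name, ssn in prod.execute(
            f"SELECT id, name, ssn FROM customers WHERE id IN ({marks})", customer_ids):
        test.execute("INSERT INTO customers VALUES (?,?,?)",
                     (cid, mask_name(name), mask_digits(ssn, "ssn")))
    for oid, cid, card in prod.execute(
            f"SELECT id, customer_id, card FROM orders WHERE customer_id IN ({marks})", customer_ids):
        test.execute("INSERT INTO orders VALUES (?,?,?)", (oid, cid, mask_digits(card, "card")))
    return test
```

Masked card numbers will generally fail a Luhn check, so if the application under test validates card numbers, recompute the final digit after masking.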

It’s a pretty good one-two punch – much more desirable, methinks, than the one-two punch of a costly data breach and the ensuing PR nightmare.

In our next post, we’ll discuss how to achieve consistent data masking across applications. In the meantime, learn more about IBM Optim Data Privacy.

