Last updated: 19 March 2014
When it comes to computer hackers going after corporate data networks, “we’re not winning,” FBI executive assistant director Shawn Henry told Devlin Barrett of the Wall Street Journal last week.
The comment rings true: 2011 brought us 535 breaches involving 30.4 million sensitive records, the biggest of them at Sony, Epsilon and NASDAQ. Only a few months into 2012, “data breach” is still in the news at least weekly – often enough that SC Magazine has dedicated an entire blog, The Data Breach Blog, to tracking them.
What are businesses doing wrong? According to Henry, “Too many companies, from major multinationals to small start-ups, fail to recognize the financial and legal risks they are taking—or the costs they may have already suffered unknowingly—by operating vulnerable networks.”
Because they don’t recognize the risks, they simply react when breaches occur, instead of putting plans in place to prevent attacks in the first place. We know this is not working. Henry said that the plan needs to start with leadership: “If leadership doesn’t say, ‘This is important, let’s sit down and come up with a plan right now in our organization; let’s have a strategy,’ then it’s never going to happen.”
But while we are not winning the war against hackers, we can still turn it around. Being proactive instead of reactive is the key to better overall security. Weak passwords and stolen identity credentials are behind most breaches, so security built on usernames and passwords alone starts from a weak, hacker-friendly position. It’s time to throw that method away.
Instead, companies of all sizes need to get on board with the fact that, at this point in the war, they need strong, multi-factor authentication (something you know, something you have, something you are) as the basis of their security plan.