4/25/2014 07:00 AM
Jeff Rubin
Commentary

Data Security: Think Outside The Box

What the public and private sector can learn from each other's data security priorities is an exercise in nuance that is well worth the effort. Here's why.

The public and private sector approaches to data security are fundamentally different. Politics drive the public sector (it is the government, after all) just as profits steer decision making in the private. These different priorities, understandably, result in different security tactics.

The public sector needs to protect data at all costs, which leads to conservative security policies, while the private sector uses more aggressive policies because its primary aim is to maximize profitability. However, just because the two sectors do security differently doesn't mean they can't learn from each other. Organizations in each sector should be careful not to pigeonhole themselves into one strategy solely based on the guiding philosophies of their larger sectors.

When these motivations are applied in each sector generally to all matters -- not just to data security -- they can quickly become guiding philosophies that structure all decisions, rather than just priorities to keep in mind. Governments try to protect against any negative possibility, and businesses pursue profits at the expense of all else. It can be easy for these leanings to become automatic choices. When that happens, they get applied without nuance or consideration for how those policies will (or won't) further the intentions behind them.

What each sector can learn from the other's priorities-turned-philosophical-tenet is an exercise in remembering nuance. Keeping differing priorities in mind forces public and private organizations to jolt themselves out of automated routines. Through this exercise, they may find that other strategies -- strategies that might more closely align with the other sector -- better suit their objectives.

For instance, the public sector can re-imagine some of its policies with business practices in mind, thinking beyond the usual, more conservative strategies it employs. Instead of attempting to appease all constituencies all the time, agencies should attempt to increase efficiency and reduce waste to maximize value -- and maybe end up with more resources for more projects in the process. In terms of technology adoption, this shift may come in the form of initiatives similar to the attempts to consolidate government data centers.

Government agencies would be better served not just thinking of businesses as profit-driven entities. Businesses are also the masters of cost savings. These cost-cutting motivations could be applied to all agencies. For example, reducing waste and increasing efficiency on the HealthCare.gov website saves money (not to mention minimizes constituent ire) for the Department of Health and Human Services. These measures not only improve the experience for users, but they also save the agency time and money. Fewer resources being directed at managing the fallout of a frustrating user experience means those resources can be directed towards other projects such as data security.

For the private sector, this exercise would task companies to imagine what completely foolproof data security would look like without considering costs. Removing the specter of cost might spur new ideas or strategies. Of course, those ideas may not be cost-effective once they're evaluated after the fact, but the exercise does not require that all the ideas be implemented, only to find potential ideas that may not have been considered previously.

The premium invested in security pales in comparison to the cost of a breach. The Ponemon Institute calculates that the average cost of a US data breach in 2013 was $5.4M. Not every company will suffer a breach, so probabilities and risks must be factored into the equation, but even then, most businesses are suffering losses due to lapses in security. To get a better sense of this scale, imagining perfect security allows a business to tally up all its losses due to breaches and consider exactly what its security is worth. Alternatively, taking time to research additional security measures and tallying their costs for comparison against losses may be a valuable perspective-granting exercise.

Finally, just because an organization falls into a particular sector, that doesn't mean its policies fit best with the policies of its sector. Not all public sector agencies look alike just as not all private sector entities look alike, and the line between public and private may not be completely clear. Some public agencies don't handle highly sensitive data and could apply security practices that are more closely associated with profitability. Alternatively, some private sector firms are in fields where data is highly regulated. For these firms, like those in the medical industry, their practices may need to align more closely with public sector protocols.

Data security is an issue every sector contends with, but regardless of sector, the data itself should be at the center of the security conversation. Instead of just applying cookie-cutter solutions or being bound by the traditional mindsets of their sectors, each firm should consider an expansive, and possibly amalgamated, approach to its policies.

Jeff Rubin is co-founder and Vice President of Product Strategy at Beachhead Solutions, a company that designs cloud-managed mobile device security tools.

Comments
Jeffrub1, User Rank: Apprentice, 4/29/2014 12:31:16 AM
Re: More about consolidation
As with many government initiatives, it could be further along than it is! I think we can all agree that data center consolidation is, point blank, a good idea (not just with cost cutting, but for environmental impact) and certainly a strategy that seems more private sector-esque (versus the usually more conservative, agency-specific IT policies of the government). The initial goals of the data center consolidation program were lofty: save $3 billion and shutter 40% of government data centers by 2015. It appears that won't happen. But I would say enough progress has been made to call it a modest success given the far-reaching goals.
Marilyn Cohodas, User Rank: Strategist, 4/28/2014 3:51:53 PM
Re: More about consolidation
Thanks, Jeff. Another question: How far along is the federal government datacenter consolidation effort at this juncture? I've read in several blogs and news articles, such as this one in InformationWeek from Bob Otto, former CIO & CTO for the United States Postal Service, that the experience has been mixed.
Jeffrub1, User Rank: Apprentice, 4/25/2014 1:21:10 PM
Re: More about consolidation
The prevailing security wisdom in the private sector - that all sensitive data should be kept within company-owned and operated data centers - is now changing along the lines of the federal government's data center consolidation initiative. Specifically, it is often unnecessary and inefficient, particularly from an economies of scale perspective, to maintain separate physical data centers just to ensure data security. Increasingly, companies are accepting cloud-managed applications and facilities to handle these once unthinkably risky data transactions. The rationale goes beyond simple cost advantages; because these third parties are expert at data handling and security, they can actually improve the quality of the security. Scale advantages include a deeper and broader experience with threat vectors and security breach possibilities, so security can be enhanced in ways that most smaller enterprises couldn't possibly predict and react to.
Marilyn Cohodas, User Rank: Strategist, 4/25/2014 11:02:59 AM
More about consolidation
Jeff, you make an interesting point about what the private sector can learn from the public sector with respect to consolidation of government datacenters. Can you give an example?