When it comes to protecting critical data, legacy processes are just as vulnerable as legacy software.

Jeff Schilling, Chief Security Officer, Armor

January 6, 2016

Are data breaches caused by flawed security or outdated business processes? If we want to truly shift the momentum in the cybersecurity fight, as an industry we need to drastically change how we conduct business and think about securing business processes first. Only then can we focus on the IT systems in which they reside.

To be clear, this is more than implementing a few new procedures. Getting to the crux of this global problem requires a top-down audit of how a specific business actually operates, followed by a complete overhaul of each and every function. The reason: in many cases, when a business process was "automated," the process itself was not altered; it was simply transcribed from paper into digits, flaws and all.

A real-world problem

At a recent healthcare conference I attended, one insurance company compliance executive admitted that his organization found eight copies of their main patient record database in their enterprise environment. Even more shocking? Those were just the copies he knew about. And that’s likely what troubled him most.

To me, this sounds like a symptom of a flawed business process. At some point, a legacy procedure required this database to be copied to multiple locations, likely including places that were never properly protected. It is easy to see how the same situation could be found in enterprises across the globe.

‘But that’s the way we’ve always done it’

The payment industry is another good example of this problem. Using a credit card involves numerous legacy steps, from the point of sale through the merchant's acquirer and the card network to the issuing bank and back again. Each step adds complexity to a transaction flow that is still modeled on the days when merchants took a paper imprint of the card.

From swiping your card to getting "approved," there are about 16 steps. That is a lot of hand-offs, and every one of them is a place where a threat actor can insert themselves. In today's digital environment, a consumer should not be required to carry plastic cards, each printed with a static account number that anyone who copies it can reuse, to pay for goods and services at the point of sale. This technology has outlived its practicality in a modern, hyper-connected world.

A better idea

Staying with the payment theme, other economies have shown that changing the process can improve security. In my opinion, countries in Africa have advanced their payment systems further than those in the Western hemisphere. A prime example is Kenya's M-Pesa payment system, which is phone-based: you enter an amount and the recipient's phone number on the handset and confirm with a PIN. The process is streamlined, and no card number or other reusable account credential travels with the payment, so a merchant or intermediary has nothing of lasting value to lose. What remains to protect is the phone and the PIN, which is why handset theft and SIM-swap fraud become the attacks that matter.

It's smart, simple, and actual proof that changing the process improved security. The technology (i.e., the phone itself) needed no additional security features; the process removed the data worth stealing. The process secures itself.

So instead of reaching for your pen to write a multimillion-dollar check for the latest big data or artificial intelligence security tool, a smarter play may be to take a preliminary step and re-assess your business processes and how they help or hinder security. You may find you don't need that complex security tool at all, only sound network segmentation and role-based access control.

About the Author(s)

Jeff Schilling

Chief Security Officer, Armor

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibility include security operations, governance, risk and compliance, cloud operations, client relations, and customer engineering support.

Prior to joining Armor, Schilling was the director of the global incident response practice for Dell SecureWorks, where his team supported over 300 customers with incident-response planning, capabilities development, digital forensics investigations, and active incident management. In his last military assignment, Schilling was the director of the U.S. Army's global security operations center under the U.S. Army Cyber Command.
