How can this be mitigated?
According to the first three Quarterly Reports from BreachLevelIndex.com, less than 1 percent of all breaches between January and September 2014 were for cases where “secure encryption” was in use. While there is no info in their First Quarter report, their Second and Third Quarter reports show that no encryption was used at all for 537 of the 557 reported breaches – that’s an encryption rate (even if it’s trivial encryption) of only 3.59 percent.
This suggests that most of the data out there are improperly protected.
While it’s bad to be breached, at least if the data are unusable to those who acquire them, it’s much less of a nightmare. Lesson learned here? Encrypt all your data!
What should we be focusing on in 2015, besides — obviously — encrypting all data? In a 2014 TechValidate survey commissioned by ESET, respondents replied that in the next 12 months their biggest challenges are:
- to protect student and organization data and intellectual property, and
- to balance employee and student productivity with strong protection.
Allow me to quote Vince Spiars, Administrative User Services Manager at Wesleyan University, when asked his concerns in the upcoming year:
More attacks in 2015: targeting and looking for IT personnel and administrators, looking for certain things to get into back end systems. For example, hackers are targeting people in the Registrar’s and Admissions offices. They are of interest because the attackers want to get credentials and ultimately gain access to systems to steal these data. They can also drop a bot to gain remote control, and then can see what is on systems, and scan for PII and SS information. There is a pick-up in this type of attack because data are increasingly valuable.
To combat this, Wesleyan plans several ways to “secure the user,” including security training videos for students and staff, in-person staff training by IT personnel, and continuing education efforts to report suspicious emails. In addition to educating the user – your true first line of defense – there are all kinds of technical solutions, like , for example that help institutions like Wesleyan stay protected.
During my 20-plus years in higher-ed security, I often heard that security education is futile. That may be true in other markets, but I can attest that if done properly, it is a very cost-effective tool. Make the most of the fact that you are in an environment where education is the focus!
Computer security is no easy row to hoe; it’s not a matter of if a breach will occur, but of when. Whether or not that breach has already occurred in your workplace, an emphasis on data encryption and education of your populace will pay big dividends for relatively little cost – a particularly welcome combination in the educational realm.
Bruce P. Burrell is a former University of Michigan IT/security team lead, and a current security researcher at ESET, a global cybersecurity company.