Software Monetization Featured Article

SafeNet's Five Lessons Learned about Data Security

November 18, 2014

It may seem like a bit of a reach given the focus of this channel on software monetization, but a big part of licensing and entitlement management is protecting the integrity of the data whether it is on the move or stored. This is true in regards to passwords for accessing data and all aspects of compliance including proper use/abuse of licenses and transactional information regarding such things as renewals and upgrades. In short, security matters as part of a monetization solution.

The above is context for the latest findings from the third quarter 2014 Breach Level Index (BLI) released today by data protection and software monetization solutions provider SafeNet, Inc. The BLI looks at what we all know from reading the headlines about recent data breaches. To sum up, they have become very large scale, more frequent and more sophisticated with hackers successfully attacking in particular financial services and retail companies as well as consumers’ personal online accounts and identities. 

A panel from an infographic from the BLI tells the story. 

Source (News - Alert): SafeNet Third Quarter 2014 Breach Level Index (BLI) (click to enlarge)

The numbers are unfortunately impressive. Between July and September of 2014, there were 320 breaches reported worldwide. This represents an increase of nearly 25 percent compared to the same period last year, and as can be seen more than 183 million customer accounts and data records containing personal or financial information were either stolen or lost.

As SafeNet (News - Alert) notes in its explanation of the findings: Consumers saw their information compromised in three major areas:

  • Financial Services (42 percent)
  • Retail (31 percent)
  • Technology and Personal Online Accounts (20 percent) which included email, gaming and other cloud-based services. 
  • Identity Theft also took the top spot among the types of data breaches, accounting for 46 percent of the total.

Tsion Gonen, chief strategy officer at SafeNet commenting on the findings said: “Consumers’ heads must be spinning as criminals are easily getting access to their credit card, banking and personal information at every turn…Companies should assume a breach and plan accordingly. They need to implement technologies and programs that minimize the impact of a breach on top of the traditional prevention. As it is, these technologies are just not being used by to the fullest extent by either consumers or companies.”

He added that “While it’s not surprising that sophisticated cybercriminals are continuing to attempt these breaches, what is surprising is that again only 1% of breached records had been encrypted. Now is the time for customers to demand that their personal information be encrypted by companies.”

The report contains a significant amount of detail about the nature of breaches including not just by industry, but also by region and type of attack. And, if there is a silver lining in the release of the BLI it would be in the form of SafeNet’s recommendations about five areas where companies can shore up their defenses, which hopefully leads to a bend of the curve on breaches. These are:

Passwords are just not enough - From the Target (News - Alert) breach to the iCloud photo hack scandal, a lot of damage could have been prevented if all companies and consumers used multi-factor authentication instead of simple passwords. The Target breach was traced back to a third-party vendor and Apple (News - Alert) did not enable multi–factor authentication with iCloud. Multi–factor authentication is also a highly–effective method for thwarting spear phishing attacks that prey on consumer naiveté about sharing passwords.

 Compliance does not equal security – Target was certified as PCI (News - Alert)–compliant before its data breach. Companies need to invest strategically in technologies that go beyond things such as PCI compliance and institute stronger defense––depth security measures, such as IPS, strong authentication, SIEM, etc.

Everything should be encrypted – Companies place too much faith in perimeter security and its ability to protect data stores. Most companies only encrypt small subsets of their data, and this is mostly financial information, valuable intellectual property, and customer data, like patient healthcare information, about which regulations mandate an extra level of security. The best way to protect the data is to make it useless if stolen, and that is done with encryption.  

Not all breaches are created equal – The Breach Level Index was created to help decipher the relative magnitude of breach damage. The greatest number of breached records does not always directly correlate to the most damage. If organizations are encrypting their data, a breach of millions of records could actually be relatively harmless. We call this a Secure Breach. On the other hand, the loss of unencrypted data, including patient health records or social security numbers, could be extremely damaging even if lost in smaller numbers. Organizations that understand this dynamic will be better prepared to deal with a breach when it happens.

Breaches are inevitable and companies need a new approach to data security – In 2014, even the largest enterprises with sophisticated security infrastructures can fall victim to cyberattacks. Organizations should be changing their mindset and spending less time discussing how to keep intruders out and more time examining their specific risk profile and planning for how to Secure the Breach, which will protect customers and partners from breach fallout.

About the BLI

One thing to know about the BLI is that this is not just a documentation of activity, but also a calculation on data breach severity. This severity ranking is based on multiple dimensions, including the type of data and the number of records stolen, the source of the breach, whether or not the data was encrypted, and if the high-value data remained secure after the breach was discovered. These inputs are then processed through a proprietary algorithm, developed in collaboration with industry analyst firm IT-Harvest, which produces an index number, with 1 being least severe and 10 being most severe.

As with other industry reports from the security industry coming out, it appears the bad guys are having a really good year. Plus, that good year is directed at the place we as consumers like to visit most. With the world becoming more software-centric every day, and organizations of all types looking to monetize activities relating to the Internet of Things (IoT), securing the data so its proper use can be trusted is at the hearts of so much of not just how we interact with our preferred vendors and their people and process, but also with each other and the apps we rely on.

The two big pullouts from the recommendations that should resonate are the ones about password protection and encryption. Every IT security expert will tell you that no system is perfect in protecting against a skilled and determined attack. The real goal is to make it very hard for them so they look elsewhere to create havoc. This means that every aspect of the software creation, delivery and consumption cycle needs to include security as part of design considerations. That is optimizing software monetization both in terms of opportunities to be gained from trust and opportunities lost when trust is broken.

Edited by Maurice Nagle