Thursday, December 19, 2013

Wasted Energy: How Info Purges and a Third-Party Test Could Have Helped the DOE

There’s been a lot of online chatter this week about last summer’s Department of Energy breach—and rightly so. 150,000 affected employees is nothing to sneeze at. The worst part? Not all of the affected employees may even know yet.

The Real Cost of Data Breach Cleanup

In our experience, there is not a deep enough respect in the market for how difficult and expensive the notification requirements for data breaches can be. Not only can this cause public embarrassment, but it can also put the organization at serious legal and financial risk. Many organizations are mostly worried about the intrinsic dangers of losing the actual data, but they show little fear of, or motivation to invest in preventing, the notification and remediation process that follows.

This particular breach is also teaching the world more about just what PII is being saved—and what is most valuable to hackers. More and more often, the information leaks from these breaches exceed the standard “names, dates, and numbers.” In this case, lost PII extended to include bank account numbers, security answers, disability information, and more.

Organizations need to assess their true need for storing such sensitive information long term. In our audits, we’ve discovered companies that store HIGHLY sensitive information on consumers and employees for no real reason. They don’t use the information, and they don’t need it. In many cases, a good healthy "purge" may be the best idea.

The Value of a Second Security Opinion

This seems to be a classic instance in which a third-party test might have uncovered weaknesses before it was too late. We have frequently been asked by government agencies to perform a third-party test because of 1) a lack of faith in the methods of the Inspector General or 2) an uneasiness about whether or not the real threats will be uncovered.

On numerous occasions we’ve come in and identified real-world, imminent threats that were not deemed serious by the IG. In some cases the department and the IG are just at odds because the IG has given a poor security grade to the department.

The IG certainly provides valuable insight to its agencies, but sometimes there is a disconnect between the IG and the agency that renders some results void. The best course of action is for any organization to ensure that its risk assessment is both unbiased and accounts for current real-world threats.
