Data breach prevention Is dead

It’s time that executives and information security professionals accept the fact that their companies will be breached and start thinking outside the box when it comes to data security.  To be in denial of this truth is to not accept reality.

Indeed, based on what happened last year, 2014 should go down as a tipping point for how companies approach data security for years to come.  Some of the biggest companies in nearly every major industry were breached in 2014, and just this week, Anthem, one of the largest health care providers, disclosed a data breach involving more than 80 million customer data records.  According to the Breach Level Index, there were 1,540 reported data breaches worldwide last year, nearly a 50 percent increase compared to 2013.  What’s even more troubling is that the amount of information being stolen has increased dramatically.  Nearly one billion data records were either lost or stolen last year, representing a 71 percent increase compared to 2013.

The reality is that no matter how much money and time is spent protecting information and assets, cybercriminals will always find a way past perimeter defenses.   Last year, we had more than 1,500 examples of this.  They targeted vendors in order to insert malware in retail companies’ point-of-sale systems.  They went after employees with social engineering attacks and stole corporate log-in credentials. The list goes on and on, with breaches increasing in frequency and effect.  Here is a statistic to consider.  The number of data breaches involving 100 million customer data records or more doubled in 2014.

Yet, despite the growing size of data breaches, the vast majority of companies still continue to rely on breach prevention as the foundation of their information security strategies.  This means they focus on building walls around the data with perimeter security technologies and monitoring those walls for intruders.  Unfortunately, this approach has not been working very well.  Maybe it’s time for a change.

How do we change the status quo and usher in a new era where it is possible to have a secure breach with an approach to security that keeps valuable assets secure even when hostile intruders have penetrated the perimeter?

First, companies need to understand why they are not winning the war against hackers and cybercriminals. Because they stubbornly adhere to Einstein's definition of insanity: doing the same thing over and over again and expecting a different outcome. In this case, that same thing is responding to breaches by investing disproportionate sums of money in perimeter defenses in a futile attempt to prevent breaches.

Second, companies should stop pretending they can prevent a perimeter breach.  They should accept this reality and build their security strategies accordingly.  Admitting a problem is the first step in the road to recovery.  It’s very likely that companies are spending 90% of their security budgets the same way they did back in 2005, which undoubtedly focuses on perimeter and network defenses.

Now, this isn't to suggest that organizations should stop investing in key breach prevention tools. What they need to do is place their bets on strategies that protect their most valuable assets. Just like the military, IT should always presume to be functioning in a compromised state.

The third step is protecting your company by making it so difficult to access what they crave that they give up and move on to someone else. In business terms, you create a very poor return on their investment in trying to steal your data.  But you don't do this by building a bigger wall around your house.  Cybercriminals will simply build a bigger ladder.

So, how do companies better protect their valuable information? First, you put yourself in the mindset of your adversary and understand what they want to steal from you – and this is always your data. From there, you'll quickly realize that security must be moved closer to what really matters – the users who access the data and the data itself. Obviously, this means stronger user access controls and data encryption.

Multi-factor authentication and user access controls ensure the identity of the user and restrict access to data only to those individuals who have the rights to it.  Ultimately, however, it is encryption that is the real ROI killer for any would-be attacker. By attaching the protection to the data, you're killing the value of the data once a breach has taken place, and you've made the breach largely benign since no data has truly been compromised.  If more companies moved away from breach prevention focused more on securing the breach with encryption, then more consumer data and sensitive information would be safer and breaches would not be so serious a matter.

This is a dramatic shift in mindset for companies and security professionals and it needs broader discussion if there is to be positive change in data security.  On February 13, the White House will convene its Summit on Cybersecurity where it will assemble executives from major industries and experts from the security industry to discuss its recent cybersecurity proposals and new approaches to protect data and privacy.  Let’s hope it includes a new mindset for data security.

Gonen is chief strategy officer for Identity & Data Protection, Gemalto.