From Adobe to Facebook, security breaches continue to be top-of-mind for both companies and users, and organizations around the globe are all wondering if they are next in line to deal with a breach of their own. Hackers may always be a few steps ahead of companies when it comes to cracking codes and stealing information, but as we dissect breach after breach, it's clear that companies are not helping their security cause – they are actually jeopardizing it in more ways than one. With a few simple steps, companies can take back control of their infrastructure and assure that their next breach is merely an inconvenience rather than a multi-million dollar catastrophe.
Data collection
Why do companies need to know a user's mother's maiden name, the date their father was born and their favorite color when they were in kindergarten? Organizations that collect numerous forms of identifying information think they are creating a more secure user experience when in fact they are putting themselves at greater risk for security breaches. Users expect that when answering those levels of questions that their data is going to remain private; however because of the way the information is stored, they are at greater risk of their online identities becoming compromised.
There are few solutions when considering the collection of data. For those organizations that choose to continue asking for identifying information, they should reduce the number of questions asked and turn to data encryption to store the user's information. Please realize that data encryption is a well understood science, as is the analysis of encryption with the intent of breaking it. You cannot simply apply basic obfuscation to your data, and expect it to be secure in the event of a real hacking attempt. Instead organizations should use proven and reliable encryption implementations and techniques, utilizing salt and other entropy to make it more secure. When encrypting the data, organizations need to collect less information to ensure that in the event that there is a security breach, passwords will not be jeopardized and online identities will remain private.
Two-factor authentication
But, the truth of the matter is that storing passwords – even those that are encrypted – is simply one step. Although it can be a bit more cumbersome, two-factor authentication is the approach that all companies should consider when offering users the options of using their services online. With an extra layer of security, two-factor authentication allows for usernames and passwords to serve as the first point of entry, requiring an additional secure code that has been sent to them via another device, like a mobile phone, to complete their login. The drawback? It's another step that users must take to access their information, and it may deter them from wanting to leverage that site or application because of the extra step. As more people experience the impact of data breaches and personal online information being compromised, and the conversation about two-factor authentication continues, organizations of all sizes will be forced to implement this simple solution to prevent the theft of data and personal identifying information during breaches.
The bigger issue
To truly understand the heart of the problem, organizations must take a step back and evaluate the core of their IT infrastructure. Let's face it, when it comes to developing and managing an IT infrastructure, the security layer is the least glamorous. Administrators and developers would prefer to focus their time on the parts that get the most positive recognition and attention. The security layer is likely only capturing someone's attention when there is a problem, so it's not nearly as fun to work on as designing and managing a homepage. But, as any company that has recently experienced a security breach knows, even though security may not be the most glamorous of jobs, it is certainly one of the most high profile and critical.
Outside of finding a crew of administrators and developers who have the passion and knowledge to balance sexy with mission critical, it's important to have a team that has complete visibility into the infrastructure. With all of the breaches happening, it's easy to ask why companies aren't implementing stricter policies for securing user data. Honestly, many companies aren't really aware of what is happening in their underlying systems. As a result of utilizing off-the-shelf third party software, companies don't truly understand what is happening within the depths of their infrastructure. The good news? The fix is simple. Instead of utilizing third-party software, companies can choose open source solutions. Unlike the third-party solutions, open source products offer full transparency, giving companies a clear picture of how the software is interacting with other layers, allowing for administrators to identify issues almost immediately.
Yes, hackers may always be one step ahead in the security race, but it's important for organizations to take ownership – knowing that with a few small adjustments to their security policies and management that they can prevent the next breach from turning into a major catastrophe. From the basics of spending adequate time and resources focusing on the security level of your infrastructure and knowing what is happening at all layers, to reducing liability by collecting limited information and encrypting data, the steps needed to secure your infrastructure and protect your customer, partners and employees' data are minimal compared to the inevitable consequences.
If the keys to the front door are left under the mat, it does not matter how secure the fort is! The same metaphor applies to protecting data and identities. Security is everyone's responsibility.