Thursday, 05 February 2015 22:32

Anthem The Latest to Get Breached. Does Compliance Make Us Complacent? Featured

Rate this item
(6 votes)

Yesterday, Anthem, Inc. disclosed that it has been hit by a “very sophisticated cyber-attack” that compromised 80 million customer and employee records. This follows high profile breaches at Home Depot, Sony and Target – to name a few. With the scale and frequency of these breaches, it’s a safe bet that most Americans have some piece of personally identifiable information (PII) in the hands of a cyber-thief somewhere in the world.

In this latest breach, no healthcare records or credit card information appears to be involved. However, names, dates of birth, member ID’s, social security numbers, addresses, phone numbers, email addresses and employment information were all spirited away. In many ways the loss of this kind of PII is worse than credit card data theft. At least with credit cards you can reissue the card with a new number and the cyber-thief is stopped. Not so with other types of PII.

So what are some things that could happen to consumers as a result of this breach? According to ABC news the list includes:

  • File and steal tax refunds
  • Open new credit cards
  • Obtain a payday loan or account (ie. cable, utilities)
  • Apply for a job
  • Pursue medical treatment

According to Forrester, 70% of IT decision makers indicate that compliance is a major driver behind their buying decisions. Anthem, a publicly traded healthcare insurer, is covered by HIPAA as well as PCI (for credit card transactions), SOX and probably a host of lesser known compliance requirements. In this matrix of compliance requirements somehow 80 million PII records weren’t protected. With every month seemingly bringing a new record setting breach, is it appropriate to ask the question; does compliance make us complacent?

IT security is a game of risk management and mitigation. We do not yet have a magic bullet to prevent all breaches from occurring, but, at the same time, a compliance driven approach to security leaves IT leaders in an overly reactive posture against their adversaries. In many cases, the high profile breaches we have heard about over the past year could have been prevented – or at least mitigated – by basic hygiene. Wondering if your organization would pass the test?

Ask yourself the following questions:

  • Protect data – Is your data protected both at rest and in-transit? Is all PII protected or just what the auditors require? Are there any gaps?
  • Control access – Are proper access controls in place? Does this apply to business line users as well as privileged identities? What about your applications and M2M processes?
  • Monitor your environment – Can you monitor the environment to detect policy violations and suspicious activity?
  • Align people – Does your organization have a culture of security? From CEO down, do your employees, partners and contractors understand what risky behavior is or do you just rely on technical policies?

At ROKITT we believe that security involves both getting back to the basics as well as leveraging new technologies. In addition, you have to align people and create a culture of security. If you can protect, control, monitor and align your organization you will be better situated to counter your adversaries, protect your customers and stop data loss. We believe that compliance is an important component of your overall security framework but that being proactive should be the centerpiece of that framework.

Read 379 times Last modified on Thursday, 23 April 2015 07:28