iDefense’s Dunham agrees that a stringent security mind-set on the part of top management goes a long way toward preventing situations similar to the one at LexisNexis. “There is no magic bullet for security. It’s complicated, but it’s all about lowering risk from a managerial perspective. Once CEOs realize that they are at risk for violating laws, losing consumer confidence, getting involved in costly litigation, a drop in stock price — suddenly security is not a soft cost anymore. It’s the cost of doing business,” Dunham says.
Limit data lifecycles and retention
Is your enterprise retaining data that is no longer useful and just sits around as a liability waiting to happen?
The security breach at fashion outlet Polo Ralph Lauren in April involved the company’s credit card processing or point-of-sale system. Polo apparently kept too much of the credit card data and kept it longer than required, leaving the information open to hacking. Polo has had no indication of illegal access to the information, according to the company.
The Polo incident shines a light on data life cycle management, BindView’s Loveless says. “With data retention you have to ask, ‘How long do I retain it,’ and with this kind of data you really don’t want to keep it around for no reason at all. It becomes a liability,” Loveless says.
“Dead-in-place storage” is how Savvis’ Hancock sums up Polo’s problem.
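The retention problem the article describes, full card data kept past any business need, is one that can be enforced mechanically rather than left to policy documents. The following is an added example, not code from the article or from any of the companies quoted: a small retention-policy pass over point-of-sale records that purges records past a retention window, masks the full card number once settlement no longer needs it, never keeps the card verification value, and audits what remains. The record layout, the 3-day settlement window and the 90-day retention period are assumptions chosen for illustration; the sample transactions are constructed.

```python
"""Retention-policy enforcement over point-of-sale records (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed policy windows; a real deployment takes these from its own policy.
SETTLEMENT_WINDOW = timedelta(days=3)   # full PAN needed only until settlement
RETENTION_WINDOW = timedelta(days=90)   # business need for the record ends here


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    captured_at: datetime
    pan: Optional[str]   # card number; masked after settlement
    cvv: Optional[str]   # verification value; must never be stored
    amount_cents: int


def is_full_pan(pan: Optional[str]) -> bool:
    """True when the field still holds an unmasked card number."""
    return pan is not None and pan.isdigit()


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which suffice for receipts and support."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_violations(records: List[Transaction], now: datetime) -> List[str]:
    """Return txn_ids of records that violate the retention policy."""
    bad = []
    for r in records:
        age = now - r.captured_at
        if (age > RETENTION_WINDOW
                or r.cvv is not None
                or (is_full_pan(r.pan) and age > SETTLEMENT_WINDOW)):
            bad.append(r.txn_id)
    return bad


def apply_retention(records: List[Transaction], now: datetime) -> List[Transaction]:
    """Purge expired records and strip data the business no longer needs."""
    kept = []
    for r in records:
        age = now - r.captured_at
        if age > RETENTION_WINDOW:
            continue                      # purge: no business use, pure liability
        pan = r.pan
        if is_full_pan(pan) and age > SETTLEMENT_WINDOW:
            pan = mask_pan(pan)           # settlement done, full PAN not needed
        kept.append(replace(r, pan=pan, cvv=None))  # CVV is never retained
    return kept


# Constructed sample data (not real transactions); fixed clock for reproducibility.
NOW = datetime(2005, 4, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Transaction("t1", NOW - timedelta(days=1), "4111111111111111", "123", 1999),
    Transaction("t2", NOW - timedelta(days=10), "4111111111111111", None, 4500),
    Transaction("t3", NOW - timedelta(days=200), "4111111111111111", None, 120),
    Transaction("t4", NOW - timedelta(days=10), "************1111", None, 8000),
]

if __name__ == "__main__":
    print("violations before:", audit_violations(SAMPLE_RECORDS, NOW))
    cleaned = apply_retention(SAMPLE_RECORDS, NOW)
    for r in cleaned:
        print(r.txn_id, r.pan, r.cvv)
    print("violations after:", audit_violations(cleaned, NOW))
```

Running the audit as a scheduled job, and alerting when it returns anything, turns "how long do I retain it" from a question into a measured control: a non-empty result means data is sitting around past its business use.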
Trace Security’s Stickley may be speaking off the cuff when he says, “No one has ever created a patch for human stupidity,” but let’s keep an eye on the news. After all, there’s no substitute for experience, bad or otherwise.