If you suspect that a breach has occurred, CERT says it's important to act quickly in order to minimize the chance of information being disseminated and to give law enforcement agencies a chance to start investigating the case.
Companies should also implement role-based access-control tools to maintain a high level of accountability over who is accessing valuable assets, Lazar says. Databases containing customer or employee information should allow very limited access. "How many people, on a daily basis, need to review Social Security numbers and addresses without permission?" he says. "Personal information should be protected at the same level as trade secrets."
Muller recommends using data loss prevention tools to restrict personal data from being e-mailed, printed, or copied onto laptops or external storage devices. Some of these tools provide alerts that inform administrators when someone tries to copy personal data and create a log file of such an event. "In a lot of cases, companies don't have proper audit trails in place," he says.
It's also important to strengthen internal controls and audit measures by, for example, implementing iterative checks on network and database activity logs, Semple says. It's not enough to keep detailed logs; you also need audit measures in place to see if anyone has modified a log or illegally accessed it. "Unless there's some way to verify the log information wasn't tampered with, it's hard to know it's of value," he says.
But in the end, technology isn't enough. "You need to find a way to ensure users you trust are worthy of that trust," Semple says.
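One way to get the tamper-evidence Semple describes, as an added example that is not from the article or from any company it mentions: an audit log in which each entry carries an HMAC over the previous entry's tag plus its own record, so that editing or deleting any line invalidates every tag after it. The signing key, the event records and the user names are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In practice the key is held by a separate log
# collector or HSM, not on the host that writes the log, so an insider on
# that host cannot simply re-sign the chain after editing it.
DEMO_KEY = b"example-log-signing-key"
GENESIS = "0" * 64  # tag assumed for the entry before the first one

def append_entry(chain, record, key=DEMO_KEY):
    """Append an audit record; its tag covers the previous tag and the record."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)  # canonical form, stable across reruns
    tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"record": record, "tag": tag})
    return chain

def verify_chain(chain, key=DEMO_KEY):
    """Return the index of the first entry that fails to verify, or -1 if intact.

    Deleting or rewriting entry i breaks entry i's own tag (or, if i was
    deleted, the tag of whatever now sits at position i). Truncating the tail
    is only caught if the latest tag is also stored somewhere the writer
    cannot reach, which is the caller's job, not this function's.
    """
    prev_tag = GENESIS
    for i, line in enumerate(chain):
        body = json.dumps(line["record"], sort_keys=True)
        expected = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, line["tag"]):
            return i
        prev_tag = line["tag"]
    return -1

def demo():
    """Build a three-entry log, then hide a bulk export by editing its row count."""
    events = [  # constructed database-access events
        {"ts": "2008-09-01T09:12:03Z", "user": "jdoe", "action": "SELECT", "rows": 12},
        {"ts": "2008-09-01T09:15:41Z", "user": "jdoe", "action": "EXPORT", "rows": 94000},
        {"ts": "2008-09-01T09:16:02Z", "user": "admin", "action": "DELETE", "rows": 1},
    ]
    chain = []
    for event in events:
        append_entry(chain, event)
    before = verify_chain(chain)        # -1: intact
    chain[1]["record"]["rows"] = 12     # insider edits the export entry in place
    after = verify_chain(chain)         # 1: the edited entry no longer verifies
    return before, after
```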
3. External intrusion
In January 2007, retailer The TJX Companies reported that its customer transaction systems had been hacked. The intrusions -- which occurred between 2003 and December 2006 -- gave hackers access to 94 million customer accounts. Stolen information was found to have been used in an $8 million gift-card scheme and in a counterfeit credit card scheme. In the summer of 2008, 11 people were indicted on charges related to the incident, which was the largest hacking and identity theft case the U.S. Department of Justice has ever prosecuted.
Costs: TJX has estimated the cost of the breach at $256 million. That includes the cost of fixing computer systems and dealing with litigation, investigations, fines and more. It also includes payments to Visa ($41 million) and MasterCard ($24 million) for losses they incurred. The Federal Trade Commission has mandated that the company undergo independent third-party security audits every other year for the next 20 years.