
Security By Another Name

Jim Shook, Director, E-Discovery and Compliance Practice, EMC Corporation

Sony Corp is the latest to suffer public embarrassment — and potentially lawsuits — for a security breach.  Reportedly, information on over 77 million customers was stolen, including credit card numbers – although Sony says that credit card information was encrypted.  (One report on this story can be found at http://reut.rs/lqSey2).

Everyone is vulnerable to security threats.  Is the answer always that you should have better security?  In many cases, yes.  But with ever more complex systems interacting, more money at stake and ever more sophisticated threats, successful attacks cannot be completely prevented.  Security remains only as strong as the weakest link in the chain, and when people are included in that chain, it can take just one person being tricked, confused, or letting their guard down to enable a breach.

What else can be done about security?  One approach is to look at security issues as part of a bigger picture, such as within a Governance, Risk and Compliance (GRC) program.  In that bigger picture, for example, companies often find that they are retaining useless — but sensitive — data.  Policies which eliminate that data after its useful life also eliminate the risk that the data can be stolen.  For sensitive data that still has a business purpose, knowing where that data resides and who needs access to it can help to protect it from attacks.  And giving management high-level insight into this data can ensure that action is taken in a timely manner.

GRC cannot avoid every security issue.  In fact, Sony didn’t even rely solely upon its network security — the credit card numbers were encrypted.  But apparently nothing was done to further protect customer information, such as names, addresses and email addresses.  Perhaps another company with a complete GRC-view might have had enough information to handle its sensitive data in a different manner and preempt the attack.
