Author: Mark Ciampa
Imagine that you were the king of a small nation hundreds of years ago. An enemy has grown angry with you and threatened to attack your castle and invade it. Your workers spend months building a moat around the castle and strengthening the castle walls by raising them. Your enemy can attack your castle and break through your defenses, allowing him to enter. What should you do? You could continue trying to prevent the enemy from entering your castle by digging deeper moats, or you could instead spend your resources on managing the invasion of your castle.
What would you do in this case?
Imagine your family and friends gathering for the holidays at the home in the country where one of your relatives lives. Blue is a dog owned by a relative. Blue will be outside the house while the festivities continue. Everyone has been warned that Blue might try to get in, so all doors must be kept closed. Blue can get in if a child accidentally opens a door. What should you do? You could keep the doors locked to stop Blue from entering the house, or you could instead capture Blue and take him outside.
Here is a third case:
Imagine that you have a major research paper due for a class. You mistakenly write the due date on your calendar for the next week. You do not find out that the paper was due until you turn it in. Late assignments will not be accepted. What do you do? You can record the due date in your calendar and make notes to remind you when the research paper is due. Or, to ensure the highest grade possible, you can work hard on the remaining assignments.
How can you prevent or manage the situation?
These examples show that preventing something bad from happening (a king attacking, a dog entering the house, forgetting when a paper is due) is very different from dealing with the fact that it has already occurred (the king is at the castle, the dog is inside the house, and a zero for the research paper). Once the bad event occurs, the focus shifts to managing it rather than putting resources into preventing it from happening again.
There is a growing chorus among security professionals that says our security approach must change. Instead of focusing on the prevention of attacks, we need to realize that attacks have already taken place and that our data is at the disposal of the attackers. We need to think about managing, not preventing.
However, prevention is not useless. Prevention continues to play a vital role. It simply means that our focus should be not on preventing data loss but on how to manage it.
The numbers surrounding lost data are staggering. Marriott announced in late November 2018 that half a million potential victims had the following data stolen:
Credit card numbers
Destinations for travel
But that’s nothing when you consider the three billion Yahoo accounts that were hacked in 2013. According to Risk Based Security, Inc., over 24 billion credentials were stolen or exposed. Attackers can buy your data for very low prices:
Your social security number is available for sale for $3 today
Your medical record can be sold for $5
Your credit card number for $7
Your complete credit report for $100
If you have $6,000 in a bank account, your username and password can be purchased for $270.
Your Personal Data is Out There – Whether You Like It Or Not
Today, security professionals say that we must realize that our data has been stolen. According to a supervisory special agent from the FBI, who investigates these online attacks, we shouldn’t worry about whether our data has been stolen. Instead,
Every American should assume that all their data is available.
Another security professional stated that we now have to face two harsh realities.
All data that you consider to be important has been compromised.
All data that you provide to a company starting today will also be stolen.
Now, the primary focus shifts to managing stolen data rather than preventing it from being leaked. We must prevent attackers from using and abusing our stolen data.
Here’s what you can do:
To ensure that your stolen data is safe, freeze your credit files at all major credit bureaus. You can also order free copies of your credit reports every quarter.
Register for your own account at Internal Revenue Service (IRS), Social Security Administra