In 2007 and 2008 the industry saw an upsurge in data breaches affecting millions of consumers and causing corporations to pay heavily in fines.

Data breaches can expose consumer information in a number of different ways that vary in complexity. The common perception of a data breach draws a line between data extracted from stolen physical assets and actual breaches of perimeter security (electronic breaches).

While there are certainly a number of cases in which stolen assets account for the breach at hand, we are also seeing electronic breaches behind some of the most famous incidents of 2007 and 2008:

1. TJ Maxx
2. Monster.com
3. Hannaford Bros

In fact, according to a study conducted by the Identity Theft Resource Center (ITRC), the financial community has experienced twice as many incidents in 2008 as in all of 2007. These incidents have occurred alongside regulatory laws that were supposedly designed to mitigate and reduce the risk window in an attempt to avoid such embarrassing situations.

Take, for example, an organization that has been PCI compliant for years but suffered a data breach in which hackers placed targeted malware on the credit card processing servers of a major retailer. The question the security team has to ask itself is: “Why didn’t my current anti-virus solution detect the threat?” I have an interesting hypothesis on this subject that can be found in the article “Regulatory Compliance and the Real Risk of Undetected Malware.”

In 2008, implementing measures to protect against data breaches will be critical to the long-term survival of any corporation. It’s not a matter of if you will be breached but when; therefore, the primary goal must be to significantly reduce the acceptable loss and narrow the window of risk.

The risk window can be significantly reduced by implementing better information assurance standards that, at a minimum, address the following:

1. Security audits should include more than just a vulnerability assessment or a penetration test when verifying whether controls are adequate; they should also assess for existing breaches involving undetected malicious code.
2. Don’t rely on anti-virus alone; it protects against only a small fraction of potential threats and will not detect targeted attacks. Take advantage of best-of-breed proactive security (HIPS or anomaly detection systems).
3. Use a multilayer approach when protecting assets (perimeter, messaging and endpoint layers).