When hearing the term opportunity when dealing with data breaches, many people would think that it is only lawyers who benefit in such a situation. But in Data Breaches: Crisis and Opportunity (Addison-Wesley 978-0134506784), author Sherri Davidoff writes that as devastating as a massive data breach can be, if lessons are learned, they can be a catalyst to create an effective and highly secure information security program.
In the book, Davidoff details numerous data breach cases and shows how some firms dealt with them disastrously (Target), and how others used effective incident response techniques (Home Depot) to come out relatively unscathed. This is an excellent guide to deal with the crisis of a data breach effectively.
Many organizations have long captured as much data as they can. In the past decade, storage prices have dropped significantly, especially with cloud storage. At the personal level, you can buy a 1TB thumb drive today for $29. With such a paradigm, there has been no reason not to store as much data as possible.
But Davidoff sets the context early on when she writes that data is a hazardous material. The more you have, the higher your risk of a data breach. And to effectively manage the risk, you have to understand the factors that contribute to the risk of a data breach. The book provides a practical approach to understanding the data risks and avoiding being the victim of a data breach.
Davidoff writes that the biggest mistake of data breach management and response is the assumption that a data breach is an information security incident. But she writes that it is usually much more than that. A data breach is a crisis and must be treated accordingly. It is not just a matter of semantics. As she shows from the Target breach, the failure to treat it as a crisis resulted in Target being the poster child for how not to respond to an incident.
With that approach, the book does a superb job of creating the framework in which to prepare for the inevitable data breach. The book is heavy on concepts such as crisis preparation, communication plans and more.
There is very little theory in the book and extensive use of real-world examples that the reader can use to craft their program. Davidoff deals with the massive data breach incidents from ChoicePoint, Target and Equifax in great detail.
Discussing payment card breaches in chapter 6, she provides a good overview of how credit card payments work and how they are ripe for fraud. She also rails a bit on the PCI DSS standard, of which many of her complaints are valid. When detailing the costly multi-billion dollar rollout of EMV terminals some years ago, she notes that by not using the chip and PIN feature, which affords the highest security level, these rollouts primarily served to protect banks, and incur considerable risk on the part of the merchants.
Data breaches are inevitable. It is said that there are two types of companies: those that have had a data breach and those that don’t yet know they have had one.
In preparing for that inevitability, Data Breaches: Crisis and Opportunity is an invaluable guide to the history of some of the most significant data breaches, to what you can do to ensure your firm does not become another statistic and, in the event it does happen, to minimize the damage of that breach.