New Epsilon CISO to expand security team, assess security practices

Thursday, January 26, 2012


Less than a year after a massive data security breach, Epsilon Data Management LLC has hired new security and IT leadership with the hopes of addressing its security lapses and boosting its tarnished image.

Epsilon CISO Chris Ray, who took over the role in November, said he is assessing the firm's security systems and getting a better understanding of its business before making any drastic changes to bolster security. Ray said he plans to add talented security pros to his team.

"My first steps are to revise the security risk management practices, expand the information security team and assess and monitor for opportunities to improve security at Epsilon," Ray said. "It will be critical that the team works closely with the key business stakeholders and ensures the right balance is set to meet all needs while introducing new policies and technologies."

Irving, Texas-based Epsilon suffered a breach of its systems in March, resulting in the leakage of millions of emails. The firm, which handles the messaging for more than 2,000 major banks, retailers and other companies including Best Buy, LL Bean and Walgreens, said an attacker gained access to its email system, stealing names and email addresses. While the breach didn't include more sensitive data, such as credit cards and account credentials, security experts said the breach was significant because the stolen email addresses could be used in spam and phishing campaigns.

Ray, who served for over 6 years as the vice president of information security and software change management at Aflac Corp., said Epsilon's security processes and controls need to be balanced around the company's business applications without hindering its clients' ability to do business with the company. At Aflac, Ray managed vulnerability management, incident response and regulatory compliance.

"Epsilon's [threat] landscape is similar to that of many other companies," Ray told SearchSecurity.com in an interview via email. "We have a digital presence, thousands of customers and large amounts of data which require diligence and maintaining the utmost level of security."

The Epsilon breach is one in a string of high-profile data breaches that included email addresses and in some cases exposed passwords. The problem is hardly new. Monster.com suffered a breach in 2007 and again in 2009 where millions of user IDs, passwords, email addresses, names and phone numbers were exposed. Scammers used the data to target both job seekers and recruiters using Monster.com email addresses.

More recently, Care2, a popular social network, was forced to warn its 15 million members that their email addresses were exposed. The latest massive breach was at Amazon-owned online shoe retailer Zappos Inc., which affected 24 million customers. In addition to disrupting customers by resetting their passwords and warning them of the potential for spam and phishing attacks, the damage posed by breaches of this nature can tarnish the company's brand, experts say. In an interview last month with SearchNetworking.com, Zappos CSO Saffet Ozdemir said the firm was slowly migrating to a virtual private cloud, using it first for development and backup before moving critical data onto virtual servers. The most critical part of Zappos' strategy was to maintain segregation of critical systems, Ozdemir said.

Graham Cluley, a senior technology consultant at U.K.-based security vendor Sophos, said the problems stem from companies failing to encrypt email addresses, account credentials and other customer data. E-commerce sites especially have to be aware of common website vulnerabilities such as SQL injection and cross-site scripting, which give attackers a way into Internet-facing systems, Cluley said.

"In Epsilon's case, their only job was to manage the email marketing for some very well-known companies who thought a third party would help them do it properly," Cluley said. "In this case the experts failed and as a result we may see some companies bring this kind of data management in-house to manage their own mailing lists."

Organizations that have suffered high-profile data breaches often wake up and put in place strong leadership, Cluley said. For one reason or another, the executive staff at breached firms likely didn't recognize the need to invest more heavily into securing their systems, he said. Giving IT a voice at the table helps communicate the seriousness of security threats. Epsilon is adding that voice. In addition to Ray, Epsilon announced last week that it hired Keith Morrow as executive vice president and CIO. Morrow will oversee a staff of more than 200 IT pros. Morrow, who founded his own IT consultancy, served previously as CIO at Blockbuster Inc. and 7-Eleven Inc.

Epsilon's Ray said a new CISO must learn the business and then pick a well-known standards framework to model the security program on. Frameworks such as ITIL, ISO and COBIT serve as a good starting point, he said.

"Begin looking at gaps you may have in comparison with that framework and then delve even deeper into understanding the business before you start trying to address those gaps," Ray said.
