Skip to main content

NEW YORK (TheStreet) -- Many U.S. companies aren't doing enough to secure their sensitive data and could easily face the same kind of hacking problem now bedeviling Sony (SNE) - Get SONY GROUP CORPORATION SPONSORED ADR Report , experts say.

"The problem is that many companies don't understand the absolute necessity to spend money to secure their assets properly," says Craig Williams, head cyber-threat researcher for Cisco (CSCO) - Get Cisco Systems, Inc. Report . "Events like this put the need in perspective."

New technology is helping to deal with the problem, but experts say much of the threat stems from companies failing to take the issue seriously enough.

"Someone needs to have a serious discussion about industry best practices," Williams says. "The reality is that some of the data the hackers were able to get out of Sony should have been encrypted and not accessible."

Even President Obama expressed concern, saying Friday that the U.S. has to do more to help protect private and public assets.

Williams says there are a number of steps companies should be taking -- but aren't.

"Best practices require that sensitive data, such as salary spreadsheets, should always be encrypted and kept on networks with limited access, separate from other internal networks," he explains.

Companies, however, face an enormous security challenge because they share information with multiple destinations, including people outside a company's control. For that reason, companies can't protect such things as email from hacking, says Jay Heir, an analyst at Gartner.

TheStreet Recommends

"Sensitive data shouldn't be put in email. Email is designed to share and disseminate, not protect data." Heir says. "At the very least, companies should use programs that generate passwords randomly, rather than passwords rooted in dictionary words."

There are a couple of relatively new security practices that corporate America is starting to implement. One is the use of the cloud-where information is stored remotely on a common server rather than a computer.

"We've been using the cloud for a few years," says Cisco's Williams, "because it allows us to scan files for malware, to backstop anti-virus systems individuals have on their computers."

Williams expects the applications of big data analytics to become more wide spread over the next year or so, in order to automate some aspects of security and response.

"We pair Ph.D.s with security experts to capitalize on big data analytics and perfect machine learning algorithms, to predict and stop patterns of malicious behavior to better protect our customers' networks."

There also are a number software programs called network intrusion prevention systems, or IPS. Vendors include Cisco, Intel's (INTC) - Get Intel Corporation (INTC) Report McAfee, IBM (IBM) - Get International Business Machines (IBM) Report , Hewlett-Packard (HPQ) - Get HP Inc. (HPQ) Report , Dell, Checkpoint (CKP) and Fortinet (FTNT) - Get Fortinet, Inc. (FTNT) Report .

This software inspects traffic to detect malicious activities and anomalies. IPS systems are sold as stand-alone devices as well as a part of firewalls.

Most IPS devices block malware by default. They also can be configured to block activities that are contrary to company policies, such as employees going to certain Web sites or participating in instant messaging.

The latest next-generation firewalls have combined features to appeal to budget-conscious companies.

This article is commentary by an independent contributor. At the time of publication, the author held no positions in the stocks mentioned.