Is it Time to Rethink How We Protect Our Information from Data Breaches.
Another week, another data breach.
This time the US Government’s Office of Personnel Management (OPM) was targeted and the information of approximately 4 million current or former federal employees were exposed. Regardless of who the perpetrators were (some fingers are pointing towards a State sponsored breach) this is yet another reminder to revaluate our own safety and security that we have applied to protecting our most valuable information assets.
Why revaluate? Most, if not all, organizations have some form of security in place for protecting their IT information management systems but increasingly we need to examine whether we have the correct resources in the correct places. A recent study by RSA showed that three quarters of those surveyed believed that their organisation did not possess the maturity to deal with today’s cybersecurity threat landscape. The greatest area of concern was their ability to detect and measure the impact of a breach or to mitigate against a breach. This ties in with a report from Infosecurity Magazine that showed 67% of IT professionals thought that their security spending was not aligned to the current threat landscape. The majority of resources were focused on protecting against external attacks while mitigating and resolving the issues associated with the rise and impact of an internal data breach, or Insider Threat as they are commonly becoming known, were not adequately being addressed.
What can we do to address the cybersecurity threats that we face today—particularly against data breaches from insider threats, the majority of which are a result of compromised credentials.
There is no silver bullet but there are some steps that we can take to protect our sensitive information assets as much as possible or at least mitigate against the severity of the damage that such a breach can cause.
Decide what types of information you should be storing and also how it should be stored
In other words ensure you have a policy in place for storing certain types of information. As part of this you should ensure that you are aware of any legal or regulatory obligations that you have for certain types of sensitive content. This sounds like an obvious step but it never fails to surprise me how many organizations are still in the early phase of defining this type of policy. This also establishes important criteria required for some of the following steps in the process.
Identify the types of sensitive information that you are currently storing
Data breaches involving credit card details have made quite a few headlines recently but a Ponemon Institute study shows that the cost of losing personally identifiable information (PII) or health records (PHI) is actually greater - $363 per record lost versus the average of $154 per record lost. The rationale is that banks are (relatively) quick to detect and act against credit card fraud therefore the window of opportunity to exploit the stolen data is smaller. Identity theft leveraging stolen PII or PHI has a much longer shelf life and is therefore more costly to the organisation that has been breached. It is therefore important that we understand the nature of the information that we have within our systems. All of it is important and ideally we want to protect it all but the reality of limited resources may mean some hard choices deciding that some information is more important than others.
Identify exactly where sensitive information is being stored
Even if you have a policy for storing sensitive content in place it is not unusual to find that certain types of data currently resides in a variety of locations that violate said policy. You should ask the question “do you truly know where all your PII, PHI or PCI data is being stored?” 71% of employees admitted to having access to information within their corporate networks that they knew they should not have access to, much of which is information of the type that we are concerned with here. There are many contributing factors to why this is such as the rise of “Shadow IT” particularly related to the use of cloud based file sync and share systems. It’s therefore important to identify all the places where people are storing (and sharing) content. Two other common reasons for this data exposure are that the information has not been adequately secured within the system that it resides or that the data has been placed in a location that it should not be. Both of these factors can be attributed to relying purely on location based security and access controls for protecting sensitive data as opposed to also employing a level “content awareness” within our systems to detect when something is not how or where it should be.
Have a Data Breach Response Plan
Sad to say but it is becoming increasingly apparent that our mind-set should be assume that we are going to suffer a data breach therefore we should be appropriately prepared to respond when it does. We no longer live in a world where it is acceptable to think this this is something that will happen to someone else. The response plan will vary depending on the nature of information that has been exposed and your organization. A hospital suffering a data breach of patient records has a different set of issues to deal with than a grocery store losing user names and passwords to their loyalty scheme. Multiple elements of your organization will need to mobilize quickly to deal with both the immediate ramifications, such as IT identifying and closing the breach and PR readying a response to the media and implementing a customer outreach program, through to longer term impact of potential legal and financial implications.
Ensure that you have REAL plans, policies and technologies in place
This is the point at which it should start to become obvious, if it wasn’t already, that perhaps a realignment of resources is needed. Are the policies, procedures and technologies that you have in place for steps 1 to 4 ready to deal with the current threat landscape or are we merely checking the box and phoning it in? Would they really stand up to scrutiny if a breach prompted an investigation by a regulatory body responsible for your particular industry? No-one likes to hear that they are possibly going to have to spend more money but think of it like car insurance. Yes, we’d all like it to be less expensive than it is but what would be the (personal) cost of having a major vehicular accident without it?
This is by no means an exhaustive list of steps to protect our sensitive content and mitigate against the damage that a data breach can cause. There are many more elements, for example protecting employee credentials in the first place - the source for the vast majority of breaches - with antimalware or two factor authentication and educating users on the various policies for sharing and storing sensitive data. We are also dealing with a moving target with respect to both new IT security threats but also the dynamic nature of content. New information is being created, stored and shared within your organization on a daily basis and your policies, procedures and technologies must be equipped to handle this. These steps do however present some of the fundamentals that we should be considering. Data breaches are no joke, they are stressful and costly and if we are not even doing the basics then the impact of the breach will be much, much worse.
And let’s face it we could all do with a little less stress in our lives.
- How vulnerable is your organization to a data breach? Here’s a free tool to help analyze your environment:
Get the Insider Threat Index
- And here’s more info on protecting your sensitive content:
Sensitive Content Manager Tech Preview
Dr. Marsh is Director of Product Marketing with Metalogix and is an expert in SharePoint migration and management technologies. Prior to Metalogix, Dr. Marsh spent over five years working at Microsoft UK Ltd where he held a number of roles, including SharePoint Server Product Manager, in which he was responsible for business and marketing strategy, as well as awareness of Microsoft's SharePoint technologies. He holds a PhD in Microelectronics and Physics from the University of Dundee where he worked on the research and development of novel semiconductor memory and flat-panel display technology.