Making data breach prevention a matter of policy

At the rate data breaches occur, it might be easier for everyone to just post their private information straight to the web.

This way, you can avoid worrying whether personal and private information is among the next to be breached. Though I say this in jest, daily it seems a new breach is in the headlines.

Though many states have adopted data breach notification laws, notification is a far cry from prevention. In fact, a recent state-by-state analysis published by researchers at Carnegie Mellon University showed that notification laws have not reduced identity theft.

This fits with the current reactive model of governance, risk and compliance (GRC) that most organisations are leaning on to solve data breach issues. The current mindset seems to be:

Step 1 – Wait for a data breach to occur, hoping it doesn't happen to your organisation;
Step 2 – Get breached and notify consumers;
Step 3 – Get money and get focused post-breach, and try to catch up and fix the problem.

This reactive model towards security and compliance is not just a lawsuit waiting to happen; it is also not cost effective.

Consider the recent LendingTree incident. This breach occurred for many of the same reasons behind the massive Société Générale breach and the multitude of celebrity medical records breaches – lack of control over access to information.

At LendingTree, this occurred through a common breach in control known as orphaned accounts – an access point to proprietary data and applications belonging to a user who no longer is employed by a company.

According to a letter LendingTree released following the breach, some of the company's former employees shared passwords and access to proprietary data with friends in the mortgage lending industry.

This occurred as much as six months after the employees stopped working at the company. When someone no longer works at a company, common sense says that their access to privileged information should be terminated as well.

If you think that your company is safe, ask yourself two questions:

“Can I reliably connect all system, application and data credentials to a specific individual (employee, contractor, partner or customer)?”

“Do our systems, application and data owners reliably know when a relationship changes with any one of these individuals?”

If the answer to either question is “no,” then you have an orphaned account problem and your company is a perfect example of reactive GRC – you may sense that there are risks, you might even have policies for disabling access on termination, but without control, you will never have governance or compliance.
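The two questions above reduce to a reconciliation between an account inventory and the roster of people the business has a relationship with. The following is an added example, not code from the article or from any vendor it mentions; the roster, accounts and reference date are constructed sample data, and the roster is assumed to be the feed that records when a relationship ends.

```python
from datetime import date

# Constructed sample data (not from the article).
# HR roster: person_id -> (name, relationship, end_date or None while active)
HR_ROSTER = {
    "p1": ("A. Lee", "employee", None),
    "p2": ("B. Kim", "employee", date(2008, 1, 15)),     # left six months ago
    "p3": ("C. Ortiz", "contractor", date(2008, 6, 30)),  # contract just ended
}

# Account inventory: (account, system, owner person_id or None if unrecorded)
ACCOUNTS = [
    ("alee", "loan-origination", "p1"),
    ("bkim", "loan-origination", "p2"),
    ("svc_reports", "data-warehouse", None),
    ("cortiz", "crm", "p3"),
]

# Constructed reference date for the reconciliation run.
TODAY = date(2008, 7, 15)


def find_orphaned_accounts(accounts, roster, today):
    """Apply the article's two tests to every account.

    Question 1: can the credential be tied to a specific individual?
    Question 2: is that individual's relationship with the company still open?
    Returns (account, system, reason, days_since_relationship_ended).
    """
    findings = []
    for account, system, owner in accounts:
        if owner is None or owner not in roster:
            findings.append((account, system, "no identifiable owner", None))
            continue
        _, _, end_date = roster[owner]
        if end_date is not None and end_date <= today:
            days_open = (today - end_date).days
            findings.append((account, system, "owner relationship ended", days_open))
    return findings


if __name__ == "__main__":
    for account, system, reason, days in find_orphaned_accounts(ACCOUNTS, HR_ROSTER, TODAY):
        extra = f" ({days} days ago)" if days is not None else ""
        print(f"{system}/{account}: {reason}{extra}")
```

Run against a live HR feed on a schedule, any finding with a non-zero day count is exactly the six-month window the article describes, and the "no identifiable owner" findings are the credentials that fail the first question outright.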

There has been a proliferation of detective GRC capabilities, including data loss prevention (DLP), segregation of duties (SOD), regulation analysis, and security information and event management (SIEM).

While these technologies are important, they're reactive to the threats facing organisations today, much like intrusion detection solutions. These technologies are great at telling you what happened, but on their own, cannot be solely responsible for stopping the threats facing corporate data.

Companies must break free from the reactive model of GRC and move towards a preventive model of GRC that focuses on evaluating the risks associated with sensitive data and establishing a set of clear and enforceable IT controls around all user access.

Preventive GRC pulls together the detective GRC solutions like SOD and DLP and combines them with the management of the complete lifecycle of business and access policy, ensuring that people, access and actions are all consistent with business policy.

Through the practice of preventive GRC, organisations are able to:

Define policy to manage corporate data;
Apply policy evenly throughout an organisation;
Detect any and all actions or access rights that are inconsistent with policy;
Remediate any misuse or non-compliance with policy;
Assure that policy is appropriate and has been implemented effectively.

Implementing a preventive approach to governance, risk and compliance may not stop every nefarious insider who schemes to steal data from your organisation. But it will ensure that you have control over access and automatically enforce business policy evenly across your organisation – a huge leap forward in stopping the careless breaches plaguing businesses today.

See original article on SC Magazine US
Copyright © SC Magazine, US edition