Personal, proprietary and payment card data is routinely compromised, at a cost the Ponemon Institute estimates at US$ 194 per lost record and an average total breach cost of US$ 5.5 million for United States-based organizations that suffer a loss. Yet for many, such headlines and statistics seem removed from daily operations, displaced by optimism that such events won’t hit home and by reliance on legal and public relations safety nets.
According to the Privacy Rights Clearinghouse, 31,110,318 records were breached worldwide in 2011, with 18,739,183 more year-to-date. Given the deep pockets of such high-profile breached organizations as Sony, RSA, Global Payments and LinkedIn, what can your organization do to protect its valuable assets against a concerted attack, let alone human error?
Commit to developing organizational risk management processes: start small, and begin by identifying the data that matters most.
Recognize the Levels of Data Security
Somewhere in your information security policy lurks a data classification policy stating that confidential data is to be treated differently than information intended for public disclosure. Perhaps an “internal only” category is also included. Confidential data must be protected with the most stringent available controls. “Internal only” data is likely required to be protected more than public data, but to a less restrictive extent than confidential data.
So if someone took the time to define categories of information, why are your most valuable assets managed by the same perimeter controls and user ID and password authentication that repeatedly fail organizations?
The benefits of a layered security model are well documented. The use of segmented security zones, protected by increasingly restrictive controls appropriate to the sensitivity of the information and supporting system components contained therein, is of proven effectiveness. However, reasons for not applying such an architecture are far more common than its actual implementation.
Organizations trust their employees; legacy infrastructure support requirements necessitate the use of insecure protocols; business needs require control compromises; proprietary software configuration limitations do not align with established hardening standards; and so on.
Balancing Risk and Business Needs
Up-time and performance rationales are offered in justification. Still, should business leaders come to understand that their organization’s architectural security model is akin to leaving piles of cash in the refrigerator, with the doors locked, a list of approved “users” maintained, and a monitored security system protecting entry and exit points and perhaps even recording video of kitchen activity, would any truly believe that the money was safe? Should it not at least be given more safeguards than the milk?
Security controls are weakened with each exception, but exceptions are both common and frequently necessary. A firewall configured to deny all traffic is secure, but also impractical. The trouble, as illustrated in the security zone model example, is that business requirements are often more heavily weighted than risk.
When reviewing enterprise risk, whether in the course of an assessment or of change control, the effectiveness of the controls and supporting processes at achieving the appropriate protection of sensitive data should always be considered. To do so, threats must first be identified and factored against probability and impact, with the resulting risk ranked and a reasonable mitigation strategy selected. When an exception arises, and it always does, this process should be completed again before a decision is reached, with focus given to the affected data.
Imagine an unorganized filing cabinet. To correct the situation we might apply categorical and alphabetical taxonomies. When done, one can imagine that we could easily find any one category of information therein.
Now, imagine that the same situation were to multiply a thousandfold and require the support of teams of organizers and administrators while new files were steadily being added. Is finding any particular category of information, in whole and with certainty, as easy as it was in the days of the lone filing cabinet? Of course not, and this is often the key reason why organizations lack accurate data inventories.
Organizational Data Classification Policy
If you were to ask three of your colleagues for their understanding of the organizational data classification policy, provided such a policy is indeed formally documented, would they each capably define the organization’s information classifications? Could they also properly identify and classify an example data record? If the results are not three-for-three, your security awareness program is failing to effectively communicate the importance of the data classification policy and its handling requirements.
Decide today not to become the next data breach headline. Start by identifying all data within your organization’s custodianship and assigning a responsible data owner to govern its protection and access. Advance to the implementation and/or configuration of controls driven by data sensitivity. Conclude with ongoing risk management processes and supporting security awareness training.
It’s time for a change.