MIT Sloan School of Management carried out a study which used a data breach simulation to observe how different groups respond to security incidents. The simulation compared the decisions made by a group of inexperienced students with those made by a team of security experts.
Interestingly, there was little difference in the success rates of the two groups. This is not meant to imply that security professionals are irrelevant, more that they are bound by limitations beyond their control – an issue that clearly needs to be addressed.
The problem is that there is a disconnect between security teams, business executives, staff members and stakeholders regarding the policies and procedures used to protect their sensitive data. Most CISOs are already aware of this problem, and as many as 78% of CISOs are concerned that they may not be able to detect a data breach before it enters their network.
As IT environments evolve and become more complex, the threat landscape broadens. These days more companies are adopting the BYOD trend, taking advantage of cloud services, and incorporating IoT devices into their networks. Each of these trends and technologies adds a further layer of complexity, which makes it increasingly difficult for CISOs to keep track of how data flows through their network.
Over the years data has become increasingly valuable, with some referring to it as “the new currency”. Yet your average CISO is still not treated with the same respect as your average CFO. Most business executives closely monitor balance sheets, cash flows, profit forecasts, and any other financial data that can help them maximize their profits and grow their business. Were they to keep track of their valuable data in the same way, we would no doubt see a significant decline in the number of security incidents. There are three main steps that organizations can take to improve the way they manage their critical assets.
1. Implement an Intuitive and Standardized Classification Policy
Organizations should agree on a standardized system for classifying their sensitive data. A typical classification schema would include: Public, Internal and Restricted. These categories could be extended to include other sub-categories such as PII, PCI, PHI, and so on. Without an intuitive classification schema, it will be very difficult for organizations to apply the appropriate security controls to their data.
2. Restrict and Monitor Access Permissions
It is imperative that organizations adhere to the “Principle of Least Privilege” to ensure that employees and stakeholders only have access to the data they need to adequately perform their duties. Advanced change auditing solutions such as LepideAuditor enable organizations to review current access permissions and receive real-time alerts when they change.
3. Track and Record Changes Made to all Critical Assets
Organizations need to know exactly who changed their sensitive data, what was changed, where and when. They must be able to detect, alert on, report and respond to suspicious file and folder activity, inactive user accounts and privileged mailbox access. Likewise, they will need to automate the process of responding to events that match a pre-defined threshold condition. Doing so will enable them to detect anomalous login attempts or bulk file encryption – to help prevent the spread of ransomware. Given that hackers often attempt to crack weak passwords, organizations should automate the process of reminding users to reset their passwords in order to minimize the chance of a break-in.
Finally, they need to ensure that nobody is able to tamper with the event logs, as that would enable them to cover their tracks – should they attempt to access, edit, move or delete sensitive data without authorization. The combination of real-time alerts and snapshots of historical events will serve as a suitable reference to prevent such eventualities.
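As an added illustration of the threshold-based alerting described in step 3 (example code written for this page, not code from the original post or from LepideAuditor), the following sliding-window detector runs over constructed audit events and raises one alert per user when failed logins or file changes exceed a limit inside a time window. The event format, the field names and the threshold values are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events in the form "<ISO timestamp> <user> <action> <object>".
# Sample data for this example only; not output of any real auditing product.
SAMPLE_EVENTS = [
    "2024-03-01T09:00:00 alice file_modified /share/finance/q1.xlsx",
    "2024-03-01T09:05:00 alice file_modified /share/finance/q2.xlsx",
    "2024-03-01T09:10:00 bob login_failed ws-17",
    "2024-03-01T09:10:02 bob login_failed ws-17",
    "2024-03-01T09:10:04 bob login_failed ws-17",
    "2024-03-01T09:10:06 bob login_failed ws-17",
    "2024-03-01T09:10:08 bob login_failed ws-17",
    "2024-03-01T09:11:00 bob login_ok ws-17",
    "2024-03-01T09:11:01 bob file_renamed /share/hr/a.docx.locked",
    "2024-03-01T09:11:02 bob file_renamed /share/hr/b.docx.locked",
    "2024-03-01T09:11:03 bob file_renamed /share/hr/c.docx.locked",
    "2024-03-01T09:11:04 bob file_renamed /share/hr/d.docx.locked",
    "2024-03-01T09:11:05 bob file_renamed /share/hr/e.docx.locked",
    "2024-03-01T09:11:06 bob file_renamed /share/hr/f.docx.locked",
]

# Threshold conditions (assumed values): actions counted, max allowed, window.
THRESHOLDS = {
    "bulk_file_change": ({"file_modified", "file_renamed"}, 5, timedelta(seconds=60)),
    "login_brute_force": ({"login_failed"}, 4, timedelta(seconds=30)),
}

def parse_event(line):
    ts, user, action, obj = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, obj

def detect(events, thresholds=THRESHOLDS):
    """Keep a per-(rule, user) sliding window of timestamps; alert once per pair."""
    windows = defaultdict(deque)
    fired, alerts = set(), []
    for line in events:
        ts, user, action, obj = parse_event(line)
        for rule, (actions, limit, span) in thresholds.items():
            if action not in actions:
                continue
            q = windows[(rule, user)]
            q.append(ts)
            while q and ts - q[0] > span:   # drop events older than the window
                q.popleft()
            if len(q) > limit and (rule, user) not in fired:
                fired.add((rule, user))     # who, what, where and when, in one record
                alerts.append({"rule": rule, "user": user, "count": len(q),
                               "action": action, "object": obj, "at": ts})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Alice's two edits five minutes apart stay below the limit, while Bob's burst of failed logins followed by a run of renames to a `.locked` suffix trips both rules.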